Title: Welcome to the world of Cyber Threat Intelligence! Abstract: Welcome to the world of Cyber Threat Intelligence (CTI)! During this presentation, we will discuss about some of the basic concepts within CTI domain and we will have a look at the current threat landscape as observed from the trenches. The presentation is split into 3 parts: a) Intro to CTI, b) A view at the current threat landscape, and c) CTI analyst skillset. Short Bio: Andreas Sfakianakis is a Cyber Threat Intelligence and Incident Response professional and works for Standard and Poors' CTI team. He is also a member of ENISA’s CTI Stakeholders’ Group and Incident Response Working Group. He is the author of a number of CTI reports and an instructor of CTI. In the past, Andreas has worked within the Financial and Oil & Gas sectors as well as an external reviewer for European Commission. Andreas' Twitter handle is @asfakian and his website is www.threatintel.eu

1. Welcome to the world of
Cyber Threat Intelligence!
Andreas Sfakianakis - Guest Lecture at DTU - 27/04/2021
Image:
EclecticIQ

2. whoami
CTI Lead EMEA @ S&P Global
CTI @ Financial and Oil & Gas
sectors
ENISA, FIRST.org, SANS, European
Commission
Twitter: @asfakian Website:
www.threatintel.eu

3. Outline
• Intro to CTI
• A view at the Threat
Landscape
• CTI Analyst Skillset
References for this lecture can be found here:
https://threatintelblog.files.wordpress.com/2021/04/dtu_cti_101_andreas_sfakianakis_references.pdf

4. Intro to Cyber Threat Intelligence
Image:
Katie Nickels

5. How old is
Cyber Threat Intelligence?

6. When everything started in CTI!

7. From Intelligence to Cyber Threat Intelligence
Reference:

8. CTI, IR and SecOps
CYBER THREAT
INTELLIGENCE
INCIDENT RESPONSE
SECURITY
OPERATIONS
Adoption Early adoption phase
Mainstream since
~2010
Mainstream since
~2005
Focus
External threat
monitoring
Security incidents
and risk escalation
Notable security
event monitoring
Best practices
Evolving best
practices
Mature best
practices
Mature best
practices
Technology
enablement
Evolving technology
enablement
Mature technology
enablement
Mature
technology
enablement
Reference:
EclecticIQ

9. Timeline of important events in CTI history
1989
Cuckoo’s
Egg
2009
Operation
Aurora
2010
Stuxnet
2011
LM Kill
Chain
2013
APT1
Report
2013
Pyramid of
Pain
2013
Snowden
Leaks
2014
Heart
Bleed
2015
ATT&CK
2016
The
Shadow
Brokers /
US
Elections
2017
Wanna Cry
/
Petya
APT Becomes Mainstream
Wider CTI Adoption

10. CTI Hype Cycle
Reference:
We are here!

11. How would you
consume or generate
(cyber threat) intelligence?

12. Reference:
Joe Slowik

13. Repeat after me

14. Let me introduce you to the intelligence cycle
All models are wrong, but some are useful (especially within corporate environments)

15. Intelligence Direction
We are here !

16. Questions to be answered
• How do you identify which threats are relevant to your organisation?
• How do you prioritize to which threats to spend time on?
• Has your CTI team identified and connected with its stakeholders?
• How does your analysis bring value to the CyberDefence and your
organisation?
“CTI teams should not do intelligence for intelligence’s sake; it costs money and time”

17. Intelligence Requirements
• Intelligence requirements are enduring questions that consumers of
intelligence need answers to.
• Answer critical questions intelligence customers care about
(not what YOU care about).
Reference: Sergio Caltagirone

18. CONFIDENTIAL
CTI Focus and Stakeholders
Tactical
Intelligence
Security Engineering
SOC Team
Operational
Intelligence
Incident Responders
Threat Hunters
Vulnerability Management
Red Team
Fraud Team
Sys Admins
IT Managers
Strategic
Intelligence
C-Suite /
Executives
Group Security
Risk Managers
Business Stakeholders
Regional Stakeholders
IT Architects
https://www.youtube.com/watch?v=kGqnCR6XOhQ

19. CONFIDENTIAL
Reference:
Katie Nickels

20. A Simple Threat Model
Reference:
SANS

21. Intelligence Collection
We are here !

22. Where would you go to collect data
for cyber threat intelligence?

23. Intelligence Collection Sources
• Internal Security Incident Data
• (Listen to your enemy, for God is talking. ~ Jewish Proverb)
• Internal Log Data Lake
• Internal Stakeholders
• Corporate Security/Business
• Vendor Reports
• Sharing Communities, ISACs
• Governmental Sources
• OSINT
• IOC Feeds
Reference:
Scott J Roberts
https://medium.com/@sroberts/intelligence-collection-priorities-a80fa3ed73cd

24. Intelligence Processing
We are here !

25. Data versus Intelligence
• Data is a piece of information, a
fact, or a statistic.
Data is something that describes
something that is.
• Intelligence is derived from a
process of collecting, processing,
and analyzing data.
• The difference between data
and true intelligence is analysis.
Reference:
Joint Publication 2-0

26. Threat Intelligence Platforms
2012
MISP
2012
CIF
2014
CRITs
2015
Threat Note
2016
MineMeld
2017
Yeti
2018
OpenCTI
2012
MISP
2012
AlienVault OTX
2015 Micro Focus
Threat Central
2015
IBM X-Force
Exchange
2015
Facebook Threat
Exchange
2013
ThreatConnect
2013
Anomali
2014
EclecticIQ
2015
ThreatQuotient
2016
TruSTAR
2016
Cyware
2018
Analyst1
Open Source Commercial Community Exchange Platforms

27. The Analyst’s Dream: Data Into Buckets

28. Intrusion Analysis
Frameworks 101
• Kill Chain
• Diamond Model
• ATT&CK Framework

30. Diamond
Model of
Intrusion
Analysis
Malware
TTPs
Domains
IP addresses
Email addresses
Systems targeted
People targeted
Sectors targeted
Personas
Human fingerprints

32. Intelligence Analysis
We are here !

34. Cognitive Biases

35. Overcoming Biases

36. Intelligence Dissemination
We are here !

37. Collection
Analysis
?
ACTION
Reference:
Christian Paredes

38. Reference:
Amy Bejtlich

39. Words of Estimative Probability

40. TLP (Traffic Light Protocol)

41. Intelligence Feedback
We are here !

42. Wrapping
up
From intelligence to CTI
Intelligence cycle
Basic CTI concepts and
frameworks

43. End of the 1st part of the presentation
Questions?

44. A view at the Threat Landscape

46. The human behind the keyboard

48. Ransomware

49. Ransomware Trends
• Target is the whole organisation
• Data exfiltration before ransomware
payload
• Public shaming sites
• Cold-calling victims
• Ransomware cartels
• Interconnected cybercrime ecosystem
• The role of insurance companies
• OFAC guidance on ransom payment

50. How much is the average
ransom payment?

53. How long does it take to get
ransomwared?

54. Reference:
DFIRReport

55. As a network defender, how can you
detect and respond to ransomware?

56. State Sponsored Threat Groups

57. What does the term APT mean?

58. Reference: Recorded Future
• Advanced
• Persistent
• Threat
APT
2010
APT goes mainstream

59. When everything started! (version 2)

60. External Threat Intelligence Services Q4 2020
Source:
Forrester

61. I SEE threat intelligence Reports
Threat intelligence REPORTS EVERYWHERE

62. Bears, Pandas, Kittens and the rest

63. FireEye APT Groups
• FireEye’s list of sophisticated actors and naming conventions looks like
this:
• APT0-27, 30/31, 40/41 = China
• APT28/29 = Russia
• APT32 = Vietnam
• APT33/34/35/39 = Iran
• APT36 = Pakistan
• APT37/38 = North Korea
>2k UNCs threat groups

64. CrowdStrike APT Groups
*Adversary map from 2014

66. Reference:
Joe Slowik

67. How do states do attribution?
What sources do they use?

69. On attribution
• Type of attribution
• Person? Organisation?
Country? Threat group?
• Technology enablement
• False flags
• Usage of open-source offensive tools

70. APT Research

71. Geopolitics and Cyber
• Adversary intent
• Geopolitical signaling
• Geopolitical shaping

72. Wrapping
up
Ransomware threat
State sponsored threats
Threat group tracking

73. CTI Analyst Skillset

75. Reference:
Henry Jiang

76. CTI Analyst Skillset
Reference:

77. Cyber Threat Intel Analyst Tradecraft
Reference:

78. Threat Intelligence Paths
Reference:
Amy Bejtlich
Law
Enforcement
National
Security
Military
Intelligence
Journalism Data Science Cybersecurity

79. Maintaining
External
Situational
Awareness
RSS Aggregator (e.g., Feedly, Inoreader)
Twitter (plus Twitter lists)
Nuzzel
Reddit
Podcasts (e.g., CyberWire)
Newsletter Team (e.g., TC Dragon News Bytes)
Strategic sources (e.g., Economist, CFR, etc.)
Weekly Summaries (e.g., This Week in 4n6)
Threat Intelligence Reports
ISACs
Trust Groups (e.g., Slack channels, mailing lists)
Threat Intelligence vendors

80. Maintaining
Internal
Situational
Awareness
Incident ticketing system
Phishing campaigns
Signature hits and alerts
Failed intrusions
Hunting/red team findings
Critical vulnerabilities
Business strategy and updates
Internal events

81. Continuous
Education
Self-initiated
CTFs
Academic programs
Certifications
Online training material
Conferences
Books
Audiobooks

82. If you gonna read
2 articles…
• A Cyber Threat Intelligence
Self-Study Plan: Part 1
• FAQs on Getting Started in
Cyber Threat Intelligence
https://medium.com/@likethecoins

83. Wrapping
up
Lifelong learner
Communication skills are critical
Be part of the community
Try different CTI perspectives

84. Final Thoughts
•Remember the process of the intelligence cycle
•Discussion on the evolving cyber threat landscape:
major cybercrime and state sponsored threats
•Diverse skillset of the CTI analyst

85. Thank you!
Andreas Sfakianakis
@asfakian
threatintel.eu
References for this lecture can be found here:
https://threatintelblog.files.wordpress.com/2021/04/dtu_cti_101_andreas_sfakianakis_references.pdf