3. PwC
March 11, 2016
Threat Intelligence in Cyber Risk Programs
Section 1 – Why are we talking about this?
4. PwC
Today, every organization endeavouring to improve its cyber posture is following the trend of adopting various security solutions. Unfortunately, many still face security incidents.
Our study shows that Indian organizations detected more incidents over the previous year, rising from an average of 2,895 incidents to 6,284 incidents a year: an increase of 117%.
Source: PwC India GSISS 2015
Chart: Estimated average financial loss as a result of a security incident per survey respondent, India (USD)
5. PwC
We believe it is possible not only to adapt to these increasing incidents but to grow stronger because of them. A new type of organization: ‘the antifragile’.
6. PwC
“Some things benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors” – Antifragile, Nassim Nicholas Taleb
Nature is full of antifragile systems. Human muscles are a good example of an antifragile system: the more they are subjected to bouts of stress, the stronger they grow.
7. PwC
The mechanism of antifragility is about early discovery, response and improving resistance.
1. Early Discovery: Early discovery of known and unknown threat vectors in the environment is important to prevent them from spreading and causing damage.
2. Rapid Response: Contain the spread, assess the damage, analyze the characteristics of the threat and finally eradicate it.
3. Threat Resistance: Codify the learnings into mechanisms that detect or prevent recurrence of the threat vector. Share with others and learn from others.
All antifragile systems found in nature work on these principles, including human muscles, vaccinations, human society etc.
8. PwC
Section 2 – We already have threat intelligence!!!
9. PwC
What is threat intelligence?
Threat = Capability to Cause Harm
Intelligence = Information, Analysis & Context
Threat Intelligence = Information, its Analysis and Context Regarding ‘Things’ that might cause Harm
10. PwC
Types of Threat Intelligence
Plotted by level of detail (high level vs. low level) against time horizon (long term vs. short term), i.e. the area of enterprise focus:

                Long term                                    Short term
High level      High-level information on changing risks     Details of an incoming attack
Low level       Attacker methodologies, tools and tactics    Indicators of specific malware
11. PwC
Threat Intelligence Explained
Strategic Threat Intelligence
• Target audience: the Board, executive management
• Focus on changing risks and high-level topics: geopolitics, foreign markets, cultural background
• Vision timeframe: years
Tactical Threat Intelligence
• Target audience: system admins, pen testers, hunters
• Focus on TTPs (tactics, techniques, procedures, tools etc.), C2 behaviour etc.
• Vision timeframe: weeks to months
Operational Threat Intelligence
• Target audience: strategic security teams
• Focus on threat actors, nation-state actors, future attacks etc.; based on infiltrating threat actor groups
• Vision timeframe: hours to months
Technical Threat Intelligence
• Target audience: SOC, IR, firewall admins
• Focus on indicators of compromise: malware domains, artefacts, signatures etc.
• Vision timeframe: hours to years
12. PwC
The Pyramid of Pain
Pyramid of Pain (for the attacker) – David J. Bianco. From the top of the pyramid (most painful for the attacker to change) to the bottom:
TTPs – Tough
Tools – Challenging
System Artifacts – Annoying
Domains – Easy
Hash Values / IP Address – Trivial
Indicators of Compromise at the upper levels are developed by the client or by PwC’s Cyber Threat Intelligence team; the Indicators of Compromise at the lower levels (hashes, IP addresses, domains) are what most OEMs and anti-virus providers supply.
13. PwC
Where do you get the Threat Intelligence?
Hash Values / IP Address and Domains (bottom of the pyramid): a number of open-source and commercial feeds.
System Artifacts, Tools and TTPs (top of the pyramid): develop them from known malware behaviour. Analyse malware to understand variants, families, CnC domains and threat actors.
14. PwC
Technical & Tactical TI – Looking at the indicators
Indicators ranked by how hard they are for the attacker to change, from trivial to difficult:
Host-based: MD5 / SHA-1 hash; filename of initial malware; files dropped by malware; registry keys created by malware; well-written YARA rule.
Network-based: IP address; domain name; exact URL accessed; algorithm for generating random domain names; exact command channel structure.
16. PwC
Section 3 – Using Threat Intelligence
1. Run a Threat Intelligence Program
1. Collate and Curate Threat Feeds: Use a platform to collate and curate threat feeds and distribute them to the various detection systems. Maintain the intelligence system by adding your own threat intelligence.
2. Tactical Intelligence: Generate tactical intelligence for the malware variants prevalent in your environment. Use tactical intelligence generated by communities, peers and professional agencies.
3. Sharing: Share your new threat intelligence with local and global communities. Submit malware samples, submit new indicators, and share the CnC information.
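The "collate and curate" step in item 1 above, as an added example in Python (not code from the PwC deck or from any PwC platform). It merges two constructed feeds in different formats, refangs defanged entries, normalises and classifies each indicator, merges duplicates while keeping every source, ages out stale network indicators, and exports a flat list for a detection system. The feed contents, feed names, the ageing policy in MAX_AGE_DAYS and the export shape are all assumptions made for the example.

```python
import csv
import io
import ipaddress
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample feeds (invented data for this example, not real threat feeds).
FEED_CSV = """\
indicator,type,first_seen,source
198.51.100.23,ip,2016-03-01,feed-a
192.0.2.44,ip,2015-11-01,feed-a
Malicious-Update.Example,domain,2016-02-10,feed-a
0123456789ABCDEF0123456789ABCDEF,md5,2015-09-01,feed-a
"""
FEED_TXT = """\
# feed-b: defanged plain list, no dates
hxxp://malicious-update[.]example/dl/payload.exe
198.51.100.23
203.0.113.7
"""

# Assumed ageing policy: network indicators go stale, file hashes do not.
MAX_AGE_DAYS = {"ip": 30, "domain": 90, "url": 90}


def refang(value):
    """Undo the usual defanging conventions used when indicators are shared."""
    return value.strip().replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def classify(value):
    """Return (indicator_type, normalised_value); type is None if unrecognised."""
    v = refang(value)
    if re.fullmatch(r"[0-9a-fA-F]{32}", v):
        return "md5", v.lower()
    if re.fullmatch(r"[0-9a-fA-F]{40}", v):
        return "sha1", v.lower()
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if v.lower().startswith(("http://", "https://")):
        return "url", v
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", v.lower()):
        return "domain", v.lower()
    return None, v


def parse_csv_feed(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], date.fromisoformat(row["first_seen"]), row.get("source") or source


def parse_plain_feed(text, source, seen_on):
    """Undated list: treat the ingest date as first_seen."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line, seen_on, source


def curate(records, today):
    """Normalise, dedupe and age out indicators; merge the sources of duplicates."""
    curated = {}

    def add(kind, value, first_seen, source):
        if kind is None:
            return
        limit = MAX_AGE_DAYS.get(kind)
        if limit is not None and (today - first_seen).days > limit:
            return  # stale network indicator: drop it rather than flood the detection systems
        entry = curated.setdefault((kind, value), {"first_seen": first_seen, "sources": set()})
        entry["first_seen"] = min(entry["first_seen"], first_seen)
        entry["sources"].add(source)

    for raw, first_seen, source in records:
        kind, value = classify(raw)
        add(kind, value, first_seen, source)
        if kind == "url":  # enrichment: the host of a malicious URL is an indicator in its own right
            add("domain", urlparse(value).hostname, first_seen, source)
    return curated


def export(curated, kinds):
    """Flat, sorted list for a detection system that understands only the given kinds."""
    return sorted(value for (kind, value) in curated if kind in kinds)


def build(today=date(2016, 3, 11)):
    records = list(parse_csv_feed(FEED_CSV, "feed-a")) + list(parse_plain_feed(FEED_TXT, "feed-b", today))
    return curate(records, today)


if __name__ == "__main__":
    for (kind, value), meta in sorted(build().items()):
        print(kind, value, sorted(meta["sources"]), meta["first_seen"])
```

Two things worth noting in the output: the domain seen in feed-a and the host extracted from feed-b's URL collapse into one entry carrying both sources, which is what makes a curated feed more trustworthy than either raw feed, and the IP first seen in November 2015 is dropped, since an IP indicator that old mostly generates false positives at a gateway.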
17. PwC
2. Use technical and tactical TI to detect compromises
Active Discovery
1. Use enriched and curated technical TI at gateways, SIEMs and domain controllers to detect compromises
2. Use tactical TI to analyse host compromises by collecting system and memory artefacts
3. Use tactical TI by conducting static and dynamic analysis of suspicious file samples
4. Use honeypots to actively detect lateral movement
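An added example, not from the PwC deck, tying item 1 of the list above to the indicator ladder on slide 14: the same detection run with indicators from three rungs. A hash match (trivial for the attacker to evade: one appended byte defeats it), a domain match (easy: the attacker must re-register), and a behavioural check for algorithmically generated domain names (tactical: the attacker must change the malware's DGA). The sample bytes, the hash and domain feeds, the resolver log format and the thresholds in looks_generated are all constructed assumptions for this example.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed technical TI: invented sample bytes and feed entries, not real malware or feeds.
SAMPLE_V1 = b"MZ\x90\x00constructed-dropper-v1 beacons to update-cdn.example"
SAMPLE_V2 = SAMPLE_V1 + b"\x00"  # same malware with one byte appended: every hash changes
KNOWN_MD5 = {hashlib.md5(SAMPLE_V1).hexdigest(): "Dropper.A"}
KNOWN_DOMAINS = {"update-cdn.example": "Dropper.A C2"}

# Constructed resolver log, one query per line: timestamp client qname qtype rcode
DNS_LOG = """\
2016-03-11T09:01:02 10.0.0.12 update-cdn.example A NOERROR
2016-03-11T09:01:05 10.0.0.12 www.example.com A NOERROR
2016-03-11T09:02:10 10.0.0.12 xk3j9qwz7plmv2rt.example A NXDOMAIN
2016-03-11T09:02:11 10.0.0.12 q8vz2lkm4yr9tpwx.example A NXDOMAIN
2016-03-11T09:02:12 10.0.0.12 m3kd8rzt1vqp7lwy.example A NXDOMAIN
2016-03-11T09:03:00 10.0.0.33 mail.example.com A NOERROR
"""


def match_hash(data):
    """Bottom of the pyramid: an exact hash match, defeated by any change to the file."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


def match_domain(qname):
    """Match the query name or any parent domain against the domain feed."""
    parts = qname.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        hit = KNOWN_DOMAINS.get(".".join(parts[i:]))
        if hit:
            return hit
    return None


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_generated(label):
    """Assumed heuristic for algorithmically generated labels: long, high entropy, few vowels.
    This is a tactical indicator (the attacker's DGA behaviour), not a feed entry."""
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 12 and shannon_entropy(label) >= 3.5 and vowels / len(label) < 0.25


def hunt(log, min_nx=3):
    """Return findings as (client, kind, detail): feed matches plus the behavioural check."""
    findings = []
    nx_generated = defaultdict(int)
    for line in log.splitlines():
        _ts, client, qname, _qtype, rcode = line.split()
        hit = match_domain(qname)
        if hit:
            findings.append((client, "ioc-domain", f"{qname} ({hit})"))
        # Several NXDOMAIN answers for generated-looking names from one host is the
        # footprint of a DGA probing for a live C2 domain, whatever today's domain is.
        if rcode == "NXDOMAIN" and looks_generated(qname.split(".")[0]):
            nx_generated[client] += 1
    for client, count in nx_generated.items():
        if count >= min_nx:
            findings.append((client, "dga-pattern", f"{count} NXDOMAIN responses for generated-looking names"))
    return findings


if __name__ == "__main__":
    print("v1 hash match:", match_hash(SAMPLE_V1))
    print("v2 hash match:", match_hash(SAMPLE_V2))
    for finding in hunt(DNS_LOG):
        print(*finding)
```

The hash feed catches SAMPLE_V1 and misses SAMPLE_V2, the domain feed catches the beacon to the known C2, and only the behavioural rule catches the three generated names, none of which any feed has seen yet. A real deployment would tune the entropy and vowel thresholds against the organisation's own DNS baseline; the values here are illustrative.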
18. PwC
3. Respond to compromises while leveraging tactical indicators
Cyber Response
1. Develop tactical threat indicators for detected compromises and unknown malware
2. Use the TI to “hunt” for malware and eradicate it
3. Build a threat intelligence database of detected malware
19. PwC
PwC ADS Platforms – brought to you by PwC’s Active Defence Services
PwC’s Active Defence Services helps organizations detect, analyse and monitor advanced threats, supported by a team of malware analysts, data scientists and incident responders.
01 PwC TIP: Threat Intelligence platform for threat feed aggregation, selection, visualization, and sharing.
02 PwC Nethunt: Network-level compromise assessment and hunting platform with flow and packet analysis.
03 LAMPS: Large-scale Automated Malware Analysis Platform.
04 PwC CIRCA: Cyber Incident Response and compromise assessment platform.