
Csol 580 Final - Kevin Splittgerber

The document outlines a cyber threat intelligence plan for Splitt Ventures, an emerging leader in autonomous vehicles. It identifies potential threat actors including insiders, nation states, cyber criminals, and hacktivists. It analyzes threats specifically facing Tesla as a competitor. The plan proposes using the ThreatQuotient threat intelligence platform and establishes a risk reduction plan involving regular inventory, patching, testing of response plans, security training, and penetration testing. The goal is to produce actionable intelligence to address evolving risks in a cost-effective manner.


Running head: CYBER THREAT INTELLIGENCE PLAN - ASSIGNMENT 7

Cyber Threat Intelligence Plan

Kevin Splittgerber

University of San Diego – CSOL580

https://youtu.be/rcz7vk23B3Q

Executive Summary

Splitt Ventures is emerging as an industry leader in the autonomous vehicle industry and is thus a potential target of attack for a wide array of threat actors. From the insider to the nation state, the threats that need to be addressed with a Cyber Security Program (CSP) are both varied and formidable. To ensure that the CSP is capable of meeting this challenge and is cost-effective, the plan must be evidence-based. Therefore, it is the intent of this document to set forth a Cyber Security Threat Intelligence Plan to identify risks and credible threats, and to create a process that produces actionable intelligence for the consumers in the organization.

Introduction

Cyber threat intelligence is a process that is tailored to an organization based on the market, the industry and the surface area exposed by the organization. The result of the process provides visibility into the various threats to the organization and the assets the threat actors are targeting, and it informs the organization’s response to the identified threats.

Strategy

Development of the Cyber Threat Intelligence Plan involves taking inventory of the potential threat actors that would target the organization and the organization’s assets that must be protected. Understanding the threat actors, their capabilities and their known methods and behaviors, sometimes known as tactics, techniques and procedures (TTP), informs the strategy for collecting information from the many available sources. The analysis phase takes the gathered information, scrubs out irrelevant, outdated and duplicated alerts, and then categorizes and prioritizes the indicators that are relevant based on the organization’s identified risks and the threat landscape in which the organization operates. The analysis is then turned into intelligence reports, which are distributed to the various consumers in the organization. The consumers use the intelligence to tailor detection tools to alert on the conditions identified in the intelligence reports and to decide what actions to take.



Threat Actors

Understanding the threat actors and the overall threat landscape the organization operates in provides insight into the capabilities that our cyber security plan should be aware of. The following table is provided by the Cybersecurity & Infrastructure Security Agency (CISA, n.d.).

| Type | Characterized By | Motivation | Methods |
|---|---|---|---|
| Insider | Employees, contractors, third party services, current or past, with legitimate access to networks, systems or data | Financial gain, revenge | Misuse of authorized access to spaces, networks, applications, information, etc. |
| Nation State | Groups commissioned or directly employed by a country, or that receive direction and support from a country. Sometimes referred to as Advanced Persistent Threats or APTs | Political, espionage, war | Zero-day exploits, complex collection of malwares into an exploit |
| Cyber Criminal | Sometimes referred to as Advanced Persistent Threats | Financial gain | Social engineering, phishing, malware |
| Hacktivists | Groups with a political cause, prefer high profile targets to generate publicity | Political causes | Social engineering, Distributed Denial of Service (DDOS), doxing – release of sensitive information, website defacement |

Adversarial Threat Analysis - Tesla

Tesla is perhaps the company with the greatest chance of being number one or two in the autonomous vehicle industry. Tesla is an American automaker based in Palo Alto, CA and already has extensive expertise in the space. Tesla’s entire line of luxury electric vehicles has “Autopilot” mode available, featuring the capability to self-drive and navigate in real-world traffic conditions from point A to point B. As of November 2018, Tesla’s vehicles have traveled over 3 billion miles with Autopilot mode activated (Tesla, 2018). For comparison, Waymo, a major competitor in the space and owned by Google, has only logged 5 million miles in real-world driving conditions.

In addition to Tesla’s formidable capabilities, their vehicles are a status symbol and represent the sector’s bleeding edge of technology. This is due in part to their previous accomplishments but also to the company’s numerous advancements in related technologies, including the recent announcement of next-generation electric vehicle (E.V.) battery units that boast twice the performance at the same cost as current technologies (Mullaney, 2020).

Viability of Threat

Tesla’s viability as a threat is strong in both the near and long term. Tesla invests heavily in research and development and, if current performance over the rest of the sector is an indicator, that research and development is paying dividends. According to Tesla’s 2020 10K filing, they are expending $1.343 billion, or roughly 5.5% of total gross revenue, on research and development. Investment in future operations and expansion has created significant debt obligations over the next 5 years in the amount of $33.5 billion; nearly half of this is a contractual purchase obligation for lithium-ion batteries produced by Panasonic (Tesla, 2020). Matching or exceeding Tesla’s investment into research and development will be important to position

ThreatQuotient Threat Intelligence

The ThreatQuotient Threat Intelligence platform supports the Security Operation Center (SOC), threat intelligence and incident response. This product solves the problem of information overload, alert fatigue and complicated coordination between security teams for addressing vulnerabilities and incidents (ThreatQuotient, 2020). The alternative to purchasing this service would be development of an in-house solution to perform the same tasks. This would involve hiring several software engineers and quality assurance team members and investing months or years of development. Estimate a similar annual cost as an in-house third-party threat monitoring team.

Expected return on investment is measured in avoidance of loss, but also in an increase in security operations efficiency and coordination and in reduced time to mitigate system vulnerabilities. After procuring the system, the projected time to reaching operation is measured in weeks, and a return on investment is measured in months (ThreatQuotient, 2020).

Risk Reduction Plan

The proposed Risk Reduction Plan is a set of tasks that will take place regularly to ensure that the plan is effective in its purpose, and that it is maintained and modified to meet new requirements as the organization and its strategic goals change. To effectively reduce the risks, an inventory of the organization, its assets and its tools must be created. This includes:

• Company insiders: employees, contractors, supply chain vendors and service providers
• intellectual property
• public and private websites, and integration endpoints
• networks and their segments
• applications
• hardware
• security policies and procedures

Each of the above should have details for every attribute, including installation date, maintenance schedule, risk profile, impact of a loss to Confidentiality, Integrity or Availability, and disaster recovery. Patch management plans for each element above (as appropriate) will be created with responsible parties assigned. Incident response teams will regularly test disaster recovery plans and modify them as necessary to ensure that outages caused by a loss or incident are minimized. Security policies and procedures are reviewed, and specialized training for employees, contractors and other insiders is required. Documentation of completed security training is to be maintained and all insiders must comply. Testing for effectiveness of this plan and the system is of utmost importance. Third party penetration testing will be conducted to test employees’ ability to defend against phishing and social engineering. In addition, penetration testers will test the applications and networks for security and the security tools’ ability to detect their attack attempts.
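
The analysis phase described under Strategy (removing irrelevant, outdated and duplicated indicators, then prioritizing against the organization's risks) can be run against the inventory this section calls for. The following is an added example, not part of the original paper and not ThreatQuotient code; the asset names, tags, 90-day age limit and impact-times-confidence score are assumptions, and the feed entries are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed inventory extract: asset -> (technology/TTP tags, CIA impact 1-3).
ASSETS = {
    "vpn-gateway": ({"vpn", "remote-access"}, 3),
    "public-website": ({"web", "cms"}, 2),
    "hr-portal": ({"web", "phishing"}, 1),
}

@dataclass(frozen=True)
class Indicator:
    value: str          # domain, IP or hash as delivered by a feed
    tags: frozenset     # technologies or TTPs the indicator relates to
    last_seen: date
    confidence: int     # 0-100, as reported by the source

def triage(indicators, assets=ASSETS, today=None, max_age_days=90):
    """Drop duplicated, outdated and irrelevant indicators; rank the rest."""
    cutoff = (today or date.today()) - timedelta(days=max_age_days)
    newest = {}
    for ind in indicators:
        key = ind.value.strip().lower()          # normalize before comparing
        if key not in newest or ind.last_seen > newest[key].last_seen:
            newest[key] = ind                    # duplicate: keep latest sighting
    ranked = []
    for key, ind in newest.items():
        if ind.last_seen < cutoff:
            continue                             # outdated
        hits = [(impact, name) for name, (tags, impact) in assets.items()
                if tags & ind.tags]
        if not hits:
            continue                             # irrelevant to the inventory
        impact, asset = max(hits)                # highest-impact affected asset
        ranked.append((impact * ind.confidence, key, asset))
    return sorted(ranked, reverse=True)          # assumed score: impact x confidence

# Constructed sample feed (documentation-range names and addresses).
TODAY = date(2020, 9, 1)
FEED = [
    Indicator("bad.example.net", frozenset({"vpn"}), date(2020, 8, 20), 80),
    Indicator("BAD.example.net ", frozenset({"vpn"}), date(2020, 8, 25), 70),
    Indicator("old.example.org", frozenset({"web"}), date(2019, 1, 5), 90),
    Indicator("198.51.100.7", frozenset({"scada"}), date(2020, 8, 30), 95),
    Indicator("phish.example.com", frozenset({"phishing", "web"}), date(2020, 8, 28), 60),
]

if __name__ == "__main__":
    for score, value, asset in triage(FEED, today=TODAY):
        print(f"{score:4d}  {value:20s} -> {asset}")
```

Of the five constructed entries, two survive: the duplicate collapses to its latest sighting, the 2019 sighting ages out, and the indicator tagged for a technology absent from the inventory is dropped.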

Conclusion

Risks to the organization are not set in stone and the threat landscape is ever changing. The recommended process above is a proactive, risk-based approach that is cost effective and will create a security mindset within the organization to ensure the security needs of the future will be addressed based on evidence.



References

CISA. (n.d.). Cyber Threat Source Descriptions. Retrieved August 31, 2020, from https://us-cert.cisa.gov/ics/content/cyber-threat-source-descriptions

Mullaney, T. (2020, June 30). Tesla and the science behind the next-generation, lower-cost, 'million-mile' electric-car battery. Retrieved August 15, 2020, from https://www.cnbc.com/2020/06/30/tesla-and-the-science-of-low-cost-next-gen-ev-million-mile-battery.html

Tesla. (2018, November 28). As of today Tesla owners have driven 1 billion (!) miles with Autopilot engaged pic.twitter.com/16jMYrAZ7u. Retrieved August 20, 2020, from https://twitter.com/Tesla/status/1067810392322109441

Tesla. (2020). Form 10-k 2020. Retrieved August 19, 2020, from https://ir.tesla.com/node/20456/html

ThreatQuotient. (2020, July 19). Threat Intelligence Platform Overview. Retrieved August 9, 2020, from https://www.threatq.com/threat-intelligence-platform/
