CISO Threat-Perspectives Jacky-Fox Gina-Dollard AppSecEU2018

The document discusses threat intelligence and perspectives from consulting and financial services views. It defines threat intelligence, current challenges, and provides examples of operational threat intelligence and information sharing. It also gives examples of how threat intelligence can be used for threat hunting, analysis, and learning.


Threat Perspectives

From a consulting and a financial services view


Jacky Fox & Gina Dollard

What is Cyber TI and how can you use it?

Definition - Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. Gartner 2013

Expectation - Understanding the threat landscape from a dynamic and strategic perspective helps an organisation to prepare for and react appropriately to Cyber events

Slide diagram: four types of TI placed on two axes, high level to low level and long term to immediate use
• Strategic – high level information on changing risk; long term use; audience: the board
• Tactical – attacker methodologies and tactics; long term use; audience: architects and admins
• Operational – details of specific incoming attacks; immediate use; audience: SOC staff
• Technical – indicators of specific malware; immediate use; audience: defenders

Some Current Challenges

• TI is poorly understood e.g. threat feeds vs threat intelligence
• Immature partial implementations – a lot are missing information sharing and strategic input
• Application of TI needs a lot of human input; we are a long way from fully automated TI
• Security is viewed as an overhead so all initiatives need to have KPIs that show value
• Noise… reaction required? Yes/None/Urgent


Operational information & intelligence feeds

Internally generated
• IOC hunters – Darktrace
• End Point Protection
• Security Operation
• Vulnerability Management

Analysis / Information sharing
• Sectoral – Financial services, public sector
• Geographic – local CERT
• NIS Directive

Generic external
• Open source
• Subscription based - X-Force, Digital Shadows, Deepsight
• Raw e.g. XSS
• Indicators of compromise (IOCs)
• Tactics techniques and procedures TTPs

Organisation specific
• Branded “mybank” information
• Social media
• Boards
• Dark web
• Customer or organisation phishing campaigns


Use case examples

Threat Analysis
• Phishing detection
• Incident Response knowledge base
• Vulnerability prioritisation
• Brand monitoring
• Fraud detection

Slide diagram: the intelligence cycle, with the stages Projection, Collection, Processing, Analysis & Production, Dissemination and Validation


Organisation-specific Attack Based Threat Hunting

Hypothetical scenario
Login to a cloud service from a non-corporate device to steal data

Predict and estimate the footprint
Unusual IP/Machine name/OS/Geolocation/time/volume/authorisation failures/upload

Enact or hypothesise and gather artefacts
Inspect logs, ID markers, registry

Produce custom IOCs
Block/Alert/Pass?
CEO new phone? Attacker stealing data? Brute force attack?

Learnings
Additional logs, if only we had blocked file downloads from new Geolocations
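The hunt described on this slide, worked as an added example that is not part of the deck: a small Python script parses constructed cloud audit events, aggregates them per user and device, scores the footprint markers the slide predicts, and returns the Block/Alert/Pass decision. The log format, the CORP- device naming, the baseline countries, office hours and volume threshold are all assumptions.

```python
from collections import defaultdict
# Constructed sample of cloud-service audit events (not real data), one per line:
# user,event,device,country,hour,megabytes_transferred
SAMPLE_LOG = """\
alice,login_ok,CORP-LT-0142,IE,09,0
ceo,login_fail,iPhone-new,IE,08,0
ceo,login_ok,iPhone-new,IE,08,0
bob,login_fail,unknown-host,RU,03,0
bob,login_fail,unknown-host,RU,03,0
bob,login_fail,unknown-host,RU,03,0
bob,login_ok,unknown-host,RU,03,0
bob,download,unknown-host,RU,03,850
"""
# Assumed baseline (hypothetical): corporate device-name prefix, countries the
# organisation operates from, office hours and a normal per-session transfer volume.
BASELINE = {"device_prefix": "CORP-", "countries": {"IE", "GB"}, "hours": range(7, 20), "max_mb": 200}

def parse_log(text):
    """Turn the CSV-like audit lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        user, event, device, country, hour, mb = line.split(",")
        events.append({"user": user, "event": event, "device": device,
                       "country": country, "hour": int(hour), "mb": int(mb)})
    return events

def hunt(events, baseline=BASELINE):
    """Score each (user, device) session against the slide's predicted markers."""
    sessions = defaultdict(lambda: {"fails": 0, "mb": 0, "countries": set(), "hours": set()})
    for e in events:
        s = sessions[(e["user"], e["device"])]
        s["fails"] += e["event"] == "login_fail"
        s["mb"] += e["mb"]
        s["countries"].add(e["country"])
        s["hours"].add(e["hour"])
    verdicts = {}  # (user, device) -> (block | alert | pass, [markers])
    for (user, device), s in sessions.items():
        checks = [
            (not device.startswith(baseline["device_prefix"]), "non-corporate device"),
            (bool(s["countries"] - baseline["countries"]), "new geolocation"),
            (any(h not in baseline["hours"] for h in s["hours"]), "off-hours activity"),
            (s["fails"] >= 3, "repeated authorisation failures"),
            (s["mb"] > baseline["max_mb"], "unusual transfer volume"),
        ]
        markers = [label for hit, label in checks if hit]
        # One marker alone may just be the CEO's new phone (alert for a human look);
        # several together, e.g. new device + new country + bulk transfer, get blocked.
        verdict = "block" if len(markers) >= 3 else "alert" if markers else "pass"
        verdicts[(user, device)] = (verdict, markers)
    return verdicts
```

Feeding the real audit export in place of SAMPLE_LOG and tuning BASELINE to the organisation is what turns the verdicts into the custom IOCs the slide asks for.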
Sources: Deloitte Threat Intelligence & Analysis program

Slide heat map: attack vectors and adversary groups plotted by LEVEL OF CONCERN (HIGH / MED / LOW), on axes labelled current capability, impact, emerging entity and future, each running from very low to very high. Only the plotted items survive in the extracted text; they are listed below.

TOP ATTACK VECTORS
• Data breach
• Phishing
• Social engineering
• Malware
• Ransomware
• Malware targeting company devices
• Disruption of communications (DDOS) or applications to reach clients
• Legacy technology fails to provide adequate protection and stability in the face of new attacks
• GDPR compliance
• Exploit kits
• Botnets
• Network devices misconfiguration
• Physical actions
• Web application attacks
• Firewall misconfiguration
• Data breaches
• Unaddressed software vulnerabilities
• Ransomware takes applications hostage
• Spam

TOP ADVERSARY GROUPS
• Nation state
• Organized crime groups
• Corporate espionage groups
• Insider
• Hacktivists
• Lone-wolf cyber criminals
• Cyber espionage
• Script kiddie
• Researcher/journalist

NOTABLE CYBER SECURITY EVENTS
• Legacy technology is susceptible to attack.
• Ransomware disrupts businesses globally.
• Unaddressed software vulnerabilities can weaken

KEY TAKEAWAYS
Threat actors develop capabilities and change their attack vectors to take the least difficult approach into your company. For this sector we observed high profile actors targeting for monetary gain, while hacktivism focused on disruption. Tracking industry trends can assist in understanding attack vector changes and form protective mitigation

Putting some of the pieces together (not exclusive)

Slide diagram: Threat Intelligence at the centre, fed by the following
• Real Threat Intelligence? – External, generic and organisation specific; MITRE framework
• IR Playbooks – playbooks
• Existing RCMs – Control information, risk treatment and residual risk register
• Strategic threat analysis – Actors, Vectors and scenarios
• Critical Asset register – Value based list of critical assets prioritised to be able to inform threat actions
• VM programme – Penetration & vulnerability management data, patch lag information
• Operational information – Information feeds, generic IOCs, specific, sectoral, threat hunt IOCs

TIBER-EU
A brief introduction

What is TIBER-EU?
• ECB May 2018
• Threat intelligence based ethical red teaming.
• Production systems
• Identify critical functions e.g. payment services, ATMs
• Mimic tactics, techniques and procedures of real actors, insiders or external
• Each regulator can decide to use TIBER-EU or to localise, e.g. TIBER-NL
• Input from TIBER-NL (November 2017) & CBEST
• Avoid repeated tests from different bodies via mutual recognition
• Don’t give a pass or fail status – just findings to provide insight and improve posture
• Financial stability of greater EU economy
• Oversight mechanism
• The benefit of cross jurisdictional testing accepted across borders by way of mutual recognition

Who is involved?
• Must be conducted by independent third parties, not internal red teams
• A test involves the entity, regulator, external threat intelligence and external red team
• Blue team (who don’t know the test is being conducted)
• White team – internal PM type role

Financial sector entities definition for TIBER-EU:
• Payment systems, central securities depositories, central counterparty clearing houses, trade repositories, credit rating agencies, stock exchanges, securities settlement platforms, banks, payment institutions, insurance companies, asset management companies and other critical service providers.
• Not limited to financial institutions
• The lead authority decides in any jurisdiction who must or should undertake a test

Preparation phase
• Scope determined and signed off by the board and the regulator
• Critical function identification/confirmation
• Identification of flags
• Qualified Threat Intelligence and Red teams procured? Tender process
• Confidentiality protocols
• Secure document transfer


Risk Management for TIBER-EU?
• Testing on production systems
• Qualifications of TI & RT providers
• Call out of activities that are not allowed during testing e.g. blackmail, bribing, uncontrolled CIA attacks
• Risk and control framework
• Clear escalation procedures and stop button
• Use of code names
• Footprinting risks when mimicking a real life attack
• People reconnaissance
• Dark web
• Use of social engineering and undercover work

Testing phase
Threats:
• Generic Threat Landscape (TTPs, Actors & Vulnerabilities) – this can be produced by authorities, other agencies or third parties, ISACs etc. and updated annually
• General Threat Landscape of national financial sector threat
• Targeted threat intelligence report to incorporate business overview, threat register & recent attacks
• TTI includes attack surfaces, actors & scenarios
• Estimated effort 5 weeks; should be broad and deep input using e.g. OSINT and HUMINT

This feeds into
• The red team test plan to inform the chosen flags and targets
• Reconnaissance – use of TI report and other footprinting
• Weaponisation – selection of tools for targets
• Delivery – launch
• Exploitation – actively breaking in
• Ownership & lateral movement
• Always time limited, so if roadblocks are met hints can be given
• Good governance and comms should be in place during the testing

Closure phase
• Red team preliminary test results report
• Blue team are informed of the test and a 360 view is analysed
• Remediation planning: controls, policies, education etc., budgets
• Learnings
TI in practice
Gina Dollard

So what does it mean?

TIBER-EU Framework

“Intelligence-led red team tests mimic the tactics, techniques and procedures (TTPs) of real-life threat actors who, on the basis of threat intelligence, are perceived as posing a genuine threat to entities. An intelligence-led red team tests the use of a variety of techniques to simulate an attack on an entity’s critical functions (CFs) and underlying systems (i.e. its people, process and technologies). It helps an entity to assess its protection, detection and response capabilities”

Threat Actor Capabilities

Insider
• Unintentional (Error) or intentional (Malicious)
• Malicious Insiders
• Lost/Stolen IP

Organized Criminals
• Phishing
• Data Breach
• Commodity Malware

Hacktivists
• Cyber Vandalism
• DDoS
• Reputational Damage

State-Sponsored
• ‘APT’-style Attacks
• Custom malware/exploits
• Spear Phishing

Security Program

Slide diagram: Threat Intelligence & Incident Mgt. at the centre, surrounded by Strategy & Governance, Security Architecture, Risk & Compliance Mgt., Threat & Vulnerability Mgt. and Identity & Access Mgt.

Kill Chain Analysis

• Task: Identify the Attackers’ Step by Step Process
• Goal: Disrupting Attackers’ operations

Kill chain phases and what each covers, as laid out on the slide:
• Recon – Motivation; Preparation
• Weaponise – Mechanism of Delivery; Configuration; Packaging
• Delivery – Technical or human?; Infection Vector; Method & Characteristics
• Exploitation – Applications affected; Characteristics of change
• Installation – Persistence; Acquiring additional components
• C2 – Communication between victim & adversary
• Actions & Objectives – What the adversary does when they have control of the system

MITRE ATT&CK MATRIX

• Builds on the Kill Chain
• Provides deeper level of granularity

The slide repeats the kill chain table and adds MITRE ATT&CK example techniques for each phase:
• Recon – Active Scanning; Passive Scanning; Determine Domain and IP Address Space; Analyze Third-Party IT Footprint
• Weaponise – Malware; Scripting; Service Execution
• Delivery – Spearphishing Attachment/Link; Exploit Public-Facing Application; Supply Chain Compromise
• Exploitation – Local Job Scheduling; Scripting; Rundll32
• Installation – Application Shimming; Hooking; Login Items
• C2 – Data Obfuscation; Domain Fronting; Web Service
• Actions & Objectives – Email Collection; Data from Local System/Network Share

Layered Security Controls

The slide repeats the kill chain and MITRE ATT&CK tables and adds the security controls that apply at each phase (six control columns on the slide, Recon through C2):
• Recon – Policies & Procedures; Firewall; Cyber Awareness Training
• Weaponise – Threat & Vulnerability Mgt.
• Delivery – Anti-Virus; Web Proxy; Mobile Device Mgt.
• Exploitation – Anti-Virus; EDR; IDS
• Installation – Anti-Virus; EDR; Policies & Procedures; Directory Services
• C2 – IDS; Web proxy; Firewalls; EDR
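An added example, not from the deck, that applies the kill chain, ATT&CK and layered controls slides together: alerts tagged with the slides' ATT&CK technique names are mapped onto the kill-chain phases, and the report shows the earliest phase at which the chain was visible (where a layered control could have disrupted it) plus the phases inside the observed span that produced no alert at all. The alert feed, hostnames and the one-phase-per-technique mapping are assumptions.

```python
# Kill-chain phases in the order the slides use them.
PHASES = ["Recon", "Weaponise", "Delivery", "Exploitation", "Installation", "C2", "Actions & Objectives"]

# Example technique -> phase, taken from the MITRE ATT&CK rows of the slides. "Scripting"
# sits under both Weaponise and Exploitation on the slide; it is mapped once here (assumption).
TECHNIQUE_PHASE = {
    "Active Scanning": "Recon", "Passive Scanning": "Recon",
    "Malware": "Weaponise", "Service Execution": "Weaponise",
    "Spearphishing Attachment/Link": "Delivery", "Exploit Public-Facing Application": "Delivery",
    "Supply Chain Compromise": "Delivery",
    "Local Job Scheduling": "Exploitation", "Scripting": "Exploitation", "Rundll32": "Exploitation",
    "Application Shimming": "Installation", "Hooking": "Installation", "Login Items": "Installation",
    "Data Obfuscation": "C2", "Domain Fronting": "C2", "Web Service": "C2",
    "Email Collection": "Actions & Objectives", "Data from Local System/Network Share": "Actions & Objectives",
}

# Constructed alert feed (hypothetical hosts and times): (time, host, technique detected).
ALERTS = [
    ("10:02", "ws-17", "Spearphishing Attachment/Link"),
    ("10:06", "ws-17", "Login Items"),
    ("10:09", "ws-17", "Domain Fronting"),
    ("11:40", "ws-17", "Email Collection"),
    ("11:41", "ws-22", "Active Scanning"),
]

def observed_chain(alerts, host):
    """Phases in which at least one technique was detected on the host, in chain order."""
    seen = {TECHNIQUE_PHASE[t] for _, h, t in alerts if h == host}
    return [p for p in PHASES if p in seen]

def disruption_report(alerts, host):
    """Earliest phase the chain was seen in (the first point a control could have broken it)
    and the phases inside the observed span with no alert, i.e. detection gaps to close."""
    chain = observed_chain(alerts, host)
    if not chain:
        return {"observed": [], "earliest": None, "gaps": []}
    first, last = PHASES.index(chain[0]), PHASES.index(chain[-1])
    gaps = [p for p in PHASES[first:last + 1] if p not in chain]
    return {"observed": chain, "earliest": chain[0], "gaps": gaps}
```

For ws-17 the chain is first visible at Delivery and Exploitation produced no alert, which points at the Exploitation-phase controls on the slide (Anti-Virus, EDR, IDS) as the layer to examine.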
Defensive Security Capabilities



Intelligence-led Testing
• Should be a nightmare!
• Help identify strengths and weaknesses
• Used to enrich Threat Intelligence

Get Real!
• Informed Stakeholders
  • IT – fit issues
  • Security Teams – improve capabilities
• Invested Stakeholders
  • Lessons learned
  • Set expectations
  • Advocate for investment

Where to next?
• Automation
  • Improve speed
  • Augment capabilities
• Orchestration
  • Eliminate repetitive, mundane tasks
  • Automate responses
  • Prioritise security events
Getting it Right

Defenders 100%: Attackers 1%
