Hello. Welcome to the next module in the Cyber Threat Intelligence Course. Now we're going to talk about strategic threat intelligence. As I mentioned earlier, timeframes are longer than what we would expect for tactical or operational intelligence. Depending on who you ask, strategic timelines could be a year, maybe two years, even three years, because the organization needs to focus on the longer-term objectives of remaining in business, remaining viable, being able to support the mission and so on.

So we'll start off by looking at the role, the analyst's role, that is, and we'll touch a little bit on configuration management or change management, as it's sometimes called. We'll look a little bit at some tools that you can use for recording events, and then we'll have some information about sharing data from incidents.
So starting off with our role: what we're thinking about for the strategic analyst, as it relates to threat intelligence, is the long-term defense of the organization. What is it that the analyst could do when looking at the bigger picture and trying to understand the trends that are in the industry, the trends that are in the threat landscape? What kind of vulnerabilities have been discovered recently? Are trends pointing in a certain direction because some new technology is in use, or there's some other change in the business climate? There could be a lot of reasons why the longer-term view is going to be significantly different than the mid-term or short-term view. It relies on different indicators and different sources of information as well.

But ultimately, the job of the strategic threat analyst is to produce intel that could be consumed by senior management. Senior management needs this intel in order to make risk-based decisions such as: Do we need more staff? Do we need more training for our staff? Do we have sufficient technology solutions in place? Are the countermeasures that we currently have effective? So that intel that gets produced and consumed helps to inform management to best make the decision that suits their organization's business objectives.
And we see this here as well: trying to focus on the alignment of the business goals with the production and consumption of intel. This is an important aspect because there may be cases where intelligence gets produced, though it may not be relevant, or perhaps intelligence is available, but it's not in alignment with what the business actually does, what the organization actually does. So therefore it may have less value. You always want to try to think about what the business does and what the goals of the production of intelligence are, so that there's no deviation, or at least the deviation is small.

And the last thing would be to think about how this all relates to the risks to the organization overall. For instance, if an organization is spending lots and lots of money and they're building up their manpower to handle what they perceive to be increasing levels of risk, and if that organization is also avoiding spending money on training that staff because they'd rather hire someone new than send everybody to a class, then that would be an indication of some deviation from the goals of the organization and an area where some gap analysis might take place. It could be determined, for instance, that maybe some of that money is misallocated, and some of it should be spent on training instead of on additional staff. That's what risk-based decision making is all about. Senior management needs to get that kind of information
so that they can look at the big picture and decide what's best.

All right. So if we think about threat modeling, there are some really good resources that we see on the right side of the screen here. But the basic idea for threat modeling is scenarios. Sometimes these scenarios are completely fictional. They're just brainstorming exercises that are done in order to better understand the types of situations where a threat actor or threat agent may take advantage of a vulnerability. In that vein, we could think about doing assessments and other kinds of actions to determine what the resilience might be to different types of threats. So: trying to define the scope of the assessment, modeling the systems themselves, looking at what threats might exist, what vulnerabilities might exist. You also would consider perhaps the probability of these threats. If the threat takes place, you might also consider its impact, and then some determination of risk can be considered based on the history of a certain type of threat. Granted, there are certain threats that may not have any history. It could be something that's brand new to the environment, especially when the threats are non-adversarial. A non-adversarial threat would be an act of nature, something like an earthquake or flood. Even a mistake that's made by someone within the organization could be considered non-adversarial because there was no malicious intent, even though damage or other problems resulted from that action taking place. Adversarial threats are more obvious. Someone's trying to cause damage. They're trying to steal information. They're trying to disrupt or destroy some capability. So all these pieces of threat modeling, these actions, then help to develop a better plan for dealing with threats when they're discovered.
So let's have a quick look at some of these documents. NIST has some great guidance in these areas. They have their 800-30 document. The only part of it that we're going to actually look at is the appendices near the end. Let me make this a little bit larger. So, risk assessments. This involves threats. Not only that, it's fairly recent: 2012. And like many of those documents, it goes through an outline of what kind of material the document describes. So it goes through the basics of risk management, the different steps, like preparing for doing the work, creating a road map, sharing that information and then maintaining it long term.

But what you can do is start with Appendix D if you wanted to use this for a threat modeling exercise. We can see that you begin by considering something that's usable within the three tiers of your organization. The organization level is your senior management there, at tier one. Your mission and business processes are at tier two. And infrastructure, your actual information systems, are at tier three, and they can share information up and down, depending on how your organization's structured.
What's nice about this guide is that it gives you a little bit of a starting point. You can consider what the typical sources of threats are: adversarial threats and non-adversarial threats. When it's an adversary, you're concerned with capability, intentions and targeting. When it's not an adversary, it's just a range of effects. How big is the earthquake? How pervasive is the flood? And so they give you some nice starting points to look at, and then you can rate these things. They provide different scales. There's a qualitative scale which just uses words, and then semi-quantitative, which uses numeric ranges for those words that are otherwise describing the different levels. So we think about: what is the capability of the adversary? What is their intention? What are they targeting? Sometimes these are just estimates because maybe this threat actually hasn't happened yet. The analysis of the threat modeling exercise is doing a lot of what-if scenarios and trying to give a best guess as to what would happen. Then they give some information about non-adversarial threat sources and how pervasive they might be. And effectively, when you're done with that section, all you're doing is producing some columns for a row on a spreadsheet, and we can see the columns here for adversarial threat sources or non-adversarial threat sources.
Then we move on to the threat events themselves. We'll skip over that little section. NIST very helpfully gives a pretty long list of possible threat events. We see reconnaissance, crafting attack tools, delivering and installing malicious capabilities, exploit and compromise, conducting an attack, achieving results (there are a lot of different choices here), maintaining your set of capabilities, and coordinating a campaign, which we talked about earlier. Then there's non-adversarial: acts of nature, accidents and so on. Once you're done looking at all those, then you can think about their relevance. Is that something that's confirmed, expected, predicted, possible, and so on? And you fill out your columns in your spreadsheet. You could do a lot of this with other kinds of tools, but a simple spreadsheet will suffice.
Then you consider vulnerabilities and predisposing conditions. So if the vulnerability happens, how bad would it be? That's what you're trying to determine here. Again, you fill out your columns in the spreadsheet, and it gives you starting points for the predisposing conditions. For instance, there could be a misconfiguration, there could be missing patches, there could be a fence that's too short. Any of these things might enhance the ability of a threat agent to exploit a weakness. So you're trying again to estimate the importance of these different predisposing conditions as you evaluate the risk. How pervasive is the predisposing condition? Is it going to affect everything, or some of your assets? You make those estimates as well.
Then we look at the probability, or the likelihood, that the event will actually take place, and they just give some nice scales here: almost certain, highly likely, somewhat unlikely. For non-adversarial threats you have to consider how many times per year something might happen, like floods and earthquakes and tornadoes. There is some perhaps predictable frequency that these things happen, so maybe a different kind of subject matter expert might be required. Then the likelihood of an adverse impact is considered. If the event happens, how bad will it be? And you can cross-reference the likelihood of the adverse impact with the likelihood of that happening at all to arrive at some overall likelihood. It's a nice way to compare two pieces of information to try to get a better understanding of what's really involved.
Sorry, not last. Second to last. We have the impact section, and this says: will the impact harm operations, harm assets, individuals, other organizations or even the nation? And so there are some examples here of those different kinds of impacts. You can consider the different threats and the different vulnerabilities and predisposing conditions and probability to think about how bad it would really be. Then that's rated. So the impact of the threat events will be rated on this scale, and you fill out your rows, or rather your columns, in the spreadsheet.
Then we finally get to the final appendix, which is the determination of risk. So because we estimated the level of impact and estimated the likelihood, we can cross-reference those and say what the overall level of risk is, and then that level of risk could also be categorized by saying that it's very high, it's high, it's moderate, and so on. When this is all done, you have a spreadsheet with all these columns that we see here, or that we see in the other section, for each individual threat that was analyzed. So this is one of the ways that NIST approaches this material, and it's a great way to get started if you have not done threat modeling before.
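As an added illustration (not from the course and not NIST's own material), here is a small Python roll-up of the spreadsheet the lecture describes: each row carries the rated columns, one cross-reference lookup turns likelihood of initiation and likelihood of adverse impact into overall likelihood, and a second turns overall likelihood and impact into a risk level. The two 5x5 tables and the 0-10 scores are reproduced from my memory of SP 800-30 Rev. 1 Appendices G and I and should be checked against the document; the three rows are constructed sample data.

```python
from dataclasses import dataclass
# Five-level scale used across SP 800-30 Rev. 1 Appendices D-I.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Semi-quantitative value per level (0-10 column of the 800-30 scales; assumed from memory).
SCORE = {"Very Low": 0, "Low": 2, "Moderate": 5, "High": 8, "Very High": 10}
# Appendix G: overall likelihood from likelihood of initiation/occurrence (row)
# and likelihood of adverse impact (column). Reproduced from memory; verify
# against the published table before relying on it.
OVERALL_LIKELIHOOD = [
    ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    ["Low", "Low", "Moderate", "Moderate", "High"],
    ["Low", "Moderate", "Moderate", "High", "Very High"],
    ["Low", "Moderate", "High", "Very High", "Very High"],
]
# Appendix I: level of risk from overall likelihood (row) and impact (column). Same caveat.
RISK = [
    ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    ["Very Low", "Low", "Low", "Low", "Moderate"],
    ["Very Low", "Low", "Moderate", "Moderate", "High"],
    ["Very Low", "Low", "Moderate", "High", "Very High"],
    ["Very Low", "Low", "Moderate", "High", "Very High"],
]

@dataclass
class ThreatRow:
    source: str
    event: str
    likelihood_initiation: str  # adversarial: initiation; non-adversarial: occurrence
    likelihood_impact: str      # likelihood the event leads to adverse impact
    impact: str

def lookup(table, row_level, col_level):
    return table[LEVELS.index(row_level)][LEVELS.index(col_level)]

def assess(row):
    """Roll one spreadsheet row up to overall likelihood, risk level and a numeric score."""
    overall = lookup(OVERALL_LIKELIHOOD, row.likelihood_initiation, row.likelihood_impact)
    risk = lookup(RISK, overall, row.impact)
    return {"event": row.event, "overall_likelihood": overall, "risk": risk, "score": SCORE[risk]}

def ranked(rows):
    """Order the sheet so senior management sees the highest risks first."""
    return sorted((assess(r) for r in rows), key=lambda a: a["score"], reverse=True)
# Constructed sample rows: one adversarial, one act of nature, one insider mistake.
SHEET = [
    ThreatRow("Outsider (adversarial)", "Phishing to deliver malware", "High", "Moderate", "High"),
    ThreatRow("Flood (environmental)", "Data center flooded", "Low", "High", "Very High"),
    ThreatRow("Admin (accidental)", "Misconfigured firewall rule", "Moderate", "Low", "Moderate"),
]
```

Swapping in the qualitative scale (words only) is just a matter of dropping SCORE; the cross-reference logic is unchanged.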