Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

In Module 6 we turn to the longer timeframes of Strategic Threat Intelligence (STI). These timeframes are longer than those of operational or tactical threat intelligence because STI serves longer-term objectives, and as a result the analyst's role is different in the STI domain. With respect to STI, the analyst focuses on the long-term defense of the organization. This requires a big-picture view of the threat landscape and of recent events such as changes in the business or the introduction of new technologies. The analyst is tasked with producing intel for use by senior management to guide strategic decision making. Threat modeling plays a prominent role in STI: it involves creating scenarios and brainstorming exercises in order to understand vulnerabilities that could be exploited. Dean concludes the video with an overview of the NIST SP 800-30 document, which covers threat response guidelines.

Video Transcription

00:04
hello. Welcome to the next module in the Cyber Threat Intelligence Course.
00:08
Now we're going to talk about strategic threat intelligence, as I mentioned earlier.
00:14
Strategic
00:15
timeframes are longer than what we would expect for tactical or operational
00:20
threat intelligence.
00:22
Depending on who you ask, strategic timelines could be a year, maybe two years, even after three years,
00:30
because the organization needs to focus on the longer term objectives of remaining in business, remaining viable, being able to support the mission and so on.
00:39
So we'll start off by looking at the role
00:41
the analyst's role, that is,
00:43
and we'll touch a little bit on
00:45
configuration management or change management, as it's sometimes called.
00:50
We'll look a little bit at
00:53
some tools that you can use for recording events,
00:57
and then we'll have some information about sharing
00:59
data from incidents.
01:00
So starting off with our role
01:03
we're thinking about, for the strategic analyst,
01:06
as it relates to threat intelligence, is the long-term defense of the organization.
01:11
What is it that the analysts could do
01:14
when looking at the bigger picture
01:17
and trying to understand
01:19
the trends that are in the industry, the trends that are in the threat landscape.
01:25
What kind of vulnerabilities have been discovered recently?
01:27
This all might be
01:29
pointing in a certain direction because some new technologies are in use, or there are some other changes in the business climate, for instance. There could be a lot of reasons why the longer-term view
01:40
is going to be significantly different
01:42
than the midterm or short term view. It relies on different indicators and different sources of information as well.
01:49
But ultimately, the job of the
01:53
the strategic threat analyst
01:55
is to produce
01:56
intel that could be consumed by senior management.
02:00
Senior management needs this intel in order to make risk-based decisions such as: Do we need more staff? Do we need more training for our staff?
02:07
Do we have sufficient technology solutions in place?
02:12
are the countermeasures that we currently have effective
02:15
and so on
02:17
so that the intel that gets produced and consumed helps
02:22
to inform management
02:24
to best make the decision that suits their organization's business objectives,
02:30
and we see this here as well, trying to focus on the alignment of the business goals with the production and consumption of intel. This is an important aspect because
02:40
there may be cases where intelligence gets produced, though it may not be relevant
02:46
for the
02:49
for the business,
02:50
or perhaps intelligence is available, but
02:53
it's not in alignment with what the business actually does, what the organization actually does.
02:59
So therefore, it may have less value.
03:01
You always want to try to think about what the business does and what the goals of the production of intelligence
03:07
are, so that there's no deviation, or at least the deviation
03:12
is small. And the last thing would be to think about
03:15
how this all relates to the risks
03:16
to the organization overall. For instance, if an organization is spending lots and lots of money
03:23
on staff
03:25
and they're building up their manpower
03:30
to handle what they perceive to be increasing levels of risk, and if that organization is also avoiding spending money on training that staff because they'd rather hire someone new
03:40
than send everybody to a class,
03:44
then that would be an indication of some deviation from the goals of the organization, and an area where some gap analysis might take place.
03:53
It could be determined, for instance, that
03:54
maybe some of that money is misallocated,
03:58
and some of it should be spent on training instead of
04:00
on additional staff.
04:01
But
04:02
that's what risk based decision making is all about. The senior management needs to get that kind of information
04:09
so that they can look at the big picture and decide what's best, all right. So if we think about threat modeling,
04:15
there are some really good resources that we see on the right side of the screen here.
04:19
But the basic idea for threat modeling
04:23
is to try to create
04:25
scenarios. Sometimes these scenarios are completely fictional.
04:29
They're just brainstorming exercises
04:31
that are done in order to better understand the types of situations where
04:38
a
04:39
threat actor or threat agent may take advantage of a vulnerability.
04:44
In that vein, we could think about
04:46
doing assessments and other kinds of actions
04:50
to determine what the resilience might be to different types of threats.
04:56
So trying to define the scope of the assessment
04:59
modeling systems themselves,
05:00
looking at what threats might exist, what vulnerabilities might exist.
05:05
You also would consider perhaps the probability of these threats
05:10
taking place.
05:12
If the threat takes place, you might also consider its impact, and then some determination of risk can be considered
05:17
based on the history of a certain type of threat.
05:21
Granted, there are certain threats that
05:24
may not have any history. It could be something that's brand new to the environment,
05:29
especially when the threats are non-adversarial.
05:32
A non-adversarial threat would be an act of nature, something like an earthquake or flood
05:38
or tornado.
05:40
Even a mistake that's made by someone
05:44
within the organization could be considered non-adversarial because
05:46
there was no malicious intent, even though damage or other problems resulted from that action taking place.
05:54
Adversarial threats are more obvious. Someone's trying to cause damage. They're trying to steal information. They're trying to disrupt or destroy some capability.
06:02
So all of these threat modeling
06:06
actions then help to develop a better plan for dealing with threats when they're discovered.
06:13
So let's have a quick look at some of these documents.
06:15
NIST has some great guidance in these areas.
06:18
They have their 800-30 document.
06:24
Now, this document,
06:25
the only part of it that we're gonna actually look at is
06:30
the appendices near the end.
06:33
Make it a little bit larger,
06:35
so risk assessments. This involves threat. Not only
06:41
the end,
06:42
it's fairly recent. 2012.
06:46
And like many of those documents, it goes through
06:48
a pretty thorough
06:51
outline of what kind of material
06:55
the
06:56
document describes.
06:58
So it goes through the basics of risk management,
07:00
the different steps, like preparing for doing the work, creating a road map,
07:04
sharing that information and then maintaining it long term.
07:12
But what you can do is start with Appendix D. If you wanted to use this for a threat modeling exercise,
07:17
we can see that you begin by considering
07:21
the information
07:23
that's usable within the three tiers of your organization.
07:26
The organization level is your senior management there, at tier one.
07:30
Your mission and business processes are at tier two.
07:32
And infrastructure, your actual information systems, are at tier three,
07:38
and they can share information up and down, depending on how your organization's structured.
07:44
What's nice about this guide is that it gives you a little bit of a starting point. You can consider what the typical sources of threats are: adversarial threats, or they could be non-adversarial threats.
07:56
When it's an adversary, you're concerned with capability, intentions and targeting.
08:01
When it's not an adversary, it's just a range of effects. How big is the earthquake? How pervasive is the flood? And so
08:09
so they give you some nice starting points to look at,
08:11
and then you can rate these things.
08:15
They provide different scales. There's a qualitative scale which just uses words
08:18
and then semi-quantitative, which uses numeric ranges for those
08:24
words that are otherwise describing the different levels.
08:28
So we think about what is the capability of the adversary. What is their intention?
08:35
What are they targeting?
08:37
Sometimes these are just estimates
08:39
because maybe this hasn't this threat actually hasn't happened yet.
08:43
So
08:43
the analysis of the threat modeling exercise is doing a lot of what-if scenarios and trying to give a best
08:50
guess as to what would happen
08:54
Also,
08:54
they give some information about non-adversarial threat sources
09:00
and how pervasive they might be,
09:01
and effectively. When you're done with that section, all you're doing is producing some columns for a row on a spreadsheet, and we could see the columns here
09:09
for adversarial threat sources or non-adversarial threat sources.
09:13
Then it moves on to the threat events themselves,
09:16
skip over that little section
09:18
and NIST very helpfully gives a pretty long list of possible
09:24
types of threats.
09:26
We see reconnaissance crafting attack tools,
09:31
delivering, installing malicious capabilities.
09:35
Exit... I'm sorry, exploit and compromise.
09:39
Conducting an attack
09:45
achieving results. There's a lot of different choices here. Maintaining your set of capabilities, and coordinating a campaign, which we talked about earlier.
09:54
Then there's non-adversarial:
09:56
acts of nature, accidents and so on.
10:00
Once you're done looking at all those, then you can think about their relevance. Is that something that's confirmed, expected, predicted, possible, and so on,
10:09
and you fill out your columns in your spreadsheet,
10:13
you could do a lot of this with other kinds of tools, but a simple spreadsheet will suffice.
10:18
Then you consider vulnerabilities and predisposing conditions.
10:22
So if the vulnerability happens, how bad would it be? That's what you're trying to determine. Here
10:28
again. You fill out your columns and spreadsheets,
10:31
and it gives you starting points for the predisposing conditions.
10:35
For instance, there could be a misconfiguration, there could be missing patches, there could be a
10:41
fence that's too short.
10:43
Any of these things might
10:45
enhance the ability of a threat agent
10:48
to exploit a weakness.
10:50
So you're trying again to estimate the importance of these different
10:54
predisposing conditions as you evaluate the risk.
10:58
How pervasive is the predisposing condition? Is it going to affect everything, or some of your assets?
11:03
make those estimates as well.
11:07
Then we look at the probability, or the likelihood
11:09
that the event will actually take place
11:13
and it gives some nice scales here: almost certain, highly likely, somewhat unlikely.
11:20
For non-adversarial threats, you have to consider how many times per year something might happen,
11:24
like floods and earthquakes and tornadoes. There is some
11:28
perhaps predictable frequency that these things happen. So
11:31
maybe a different kind of subject matter expert might be required.
11:35
Then the likelihood of an adverse impact is considered. If the event happens, how bad will it be?
11:41
And you can cross reference the likelihood of the adverse impact,
11:45
with the likelihood of that happening at all to arrive at some overall likelihood,
11:50
it's a nice way to compare two pieces of information to try to get a better understanding of what's really involved
11:56
and then the last
11:58
Sorry not last. Second to last.
12:01
We have the impact section,
12:03
and this asks, will the impact harm operations, harm assets, individuals, other organizations, or even the nation?
12:13
And so there's some examples here of those different kinds of impacts. You can consider
12:18
different threats and the different vulnerabilities and predisposing conditions and probability to think about. How bad would that really be
12:26
Then that's rated. So the impact of the threat events will be rated on this scale,
12:30
and you fill out your rows, or rather your columns, in the spreadsheet.
12:35
Then we finally get to the final appendix, which is the determination of risk.
12:39
So because we estimated the level of impact and estimated the likelihood, we can cross-reference that and say that the overall level of risk is
12:48
so and so,
12:52
and then that level of risk could also be categorized
12:54
by saying that it's very high, it's high, it's moderate, and so on.
13:00
When this is all done,
13:01
You should have
13:03
a
13:03
spreadsheet with all these columns that we see here
13:07
or that we see in the other section
13:09
for each individual threat that was analyzed.
13:13
So this is one of the ways that NIST
13:16
approaches this material,
13:18
and it's a great way to get started if you have not done threat modeling before.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor