Hello, I'm Gene Pompilio.
Welcome to the next module in our introduction to Cyber Threat Intelligence. In this module, we're going to look a little bit at the requirements for a CTI program within a typical organization.
Some of these steps are required because the organization needs to prepare itself properly to handle all the different responsibilities and roles which will be created by a properly run CTI program.
We'll consider some different sources of data, and then we'll touch on key ingredients to success with security products.
First of all, think about how your organization handles incident response currently. It could be that your organization mostly operates from events coming from a SIEM device, or maybe you have a security engineer or other system administrators of some sort who are raising the flag occasionally, saying we've got a problem, we need to look into something, and invoke our incident response procedures.
There could be some refinement of incident response policies and procedures that would make a lot of sense before engaging in a CTI program. For instance, there may be certain thresholds or criteria that are defined so that the organization can reliably decide when certain events constitute an incident and when they don't.
As I've mentioned a few times in previous discussions, it's important for the organization to have clear rules, and they should allocate resources towards investigating an incident so that time, money and effort are not wasted by, you know, a false positive, effectively.
Your senior leadership also needs to be involved.
This is more than just financial support, although that's, you know, often the foundation of support. Paying for analysts, paying for training, paying for software and hardware is only part of the solution.
Senior leadership also needs to be advocating for the benefits of the CTI program. This means that they are representing the best interests of the teams that are working on this, and also going to bat for them when there's pushback against budgeting or some other
Inevitably, there will be new policies created when the CTI program is designed, and senior leadership should have a lot of input here. They may not understand all of the technical details; that's why they bring in subject matter experts to fill them in and explain.
The executives and senior leadership still need to be ultimately responsible for making sure the program succeeds and is effective, so they must weigh in on some of these considerations when the program is being developed and designed.
One of these aspects is communications.
An effective communications plan means that all the stakeholders are aware that the CTI program is operational. Maybe you have to create some extensions to an organizational chart, or there are some other kinds of policies and procedures that are written up and distributed to all the stakeholders. This way they're aware that the program is working, and they have some points of contact when they have questions or when they get involved in an actual incident.
The structure for how information is shared, or how the communications plan functions, could take various different shapes and sizes. For instance, there may be a regularly scheduled weekly meeting, which is what I'm mostly used to in the situations I've been in. You occasionally have other meetings that are informal throughout the week in order to touch base on various topics that are under investigation, various situations that are under investigation, so that's expected to be a normal occurrence.
Some organizations treat their entire communications plan as very informal, and people always find out that something important is going on when there's been a large incident. Otherwise, no news is good news, and that approach works fine for certain organizations. But most larger organizations are probably going to have a standing meeting, typically on a Friday from my experience. That way you can discuss what's happened that week and what might need to be done over the weekend or even next week in preparation for additional activities that are ongoing.
Now, we've talked about data sources a few different times, as far as which ones are appropriate and which ones are credible. But we need to think about the preparation for policies and procedures to be created. So trying to examine different types of activity makes a lot of sense, to say, OK, we've seen a large amount of data get exfiltrated from our environment. As I mentioned in the last module, that could be copying a website, or it could be copying data from a database that's been affected by SQL injection attacks. Or maybe there's activity that indicates that an initial penetration by an intruder has now spread to other systems, so someone might be moving laterally or even vertically to gain access to higher-level functions within the environment.
There should be some attention paid to these broad categories of suspicious activity.
One of the more important ones, too, would be credentials, and something as simple as getting an alert when there's been an attempt to log in as administrator or log in as root. Maybe that's prohibited by your policies and your security configuration, so when an event like that occurs, it automatically should be
Or perhaps you've got evidence of credentials being used for someone that has already left the organization. Somehow their account is still active and someone's using it again; very suspicious and should be investigated.
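As an added illustration (not part of the lecture), here is a small Python detector for the two credential alerts just described: any attempt to log in directly as root or administrator, and a successful login by an account belonging to someone who has already left. The sshd-style log lines, the prohibited-account list and the departed-user list are all constructed assumptions.

```python
"""
Added example: scan constructed sshd-style auth log lines and flag
(1) any login attempt as a prohibited account (root / administrator) and
(2) a successful login by a user on the HR offboarding list.
Log format and both lists are assumptions made for this example.
"""
import re

# Constructed sample log lines (sshd-style), not captured from a real system.
SAMPLE_LOG = """\
Mar 10 08:02:11 web01 sshd[2201]: Accepted publickey for alice from 10.0.5.12 port 50122 ssh2
Mar 10 08:05:43 web01 sshd[2210]: Failed password for root from 203.0.113.9 port 41233 ssh2
Mar 10 08:06:01 web01 sshd[2211]: Accepted password for administrator from 203.0.113.9 port 41240 ssh2
Mar 10 09:15:27 db02 sshd[3104]: Accepted password for bob from 10.0.5.40 port 50310 ssh2
Mar 10 09:20:00 db02 sshd[3120]: Failed password for invalid user carol from 10.0.5.41 port 50311 ssh2
"""

# Accounts that policy says must never be used for direct login (assumption).
PROHIBITED_ACCOUNTS = {"root", "administrator"}

# Constructed offboarding list: accounts of people who have left the organization.
DEPARTED_USERS = {"bob"}

# Matches the "Accepted/Failed <method> for [invalid user] <user> from <src>" part.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)

def detect(log_text, prohibited=PROHIBITED_ACCOUNTS, departed=DEPARTED_USERS):
    """Return (rule, user, src, result) tuples for lines that need triage."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an auth event in the format we understand
        user, src, result = m["user"], m["src"], m["result"]
        # Rule 1: any attempt, successful or not, as a prohibited account.
        if user.lower() in prohibited:
            alerts.append(("prohibited-account-login", user, src, result))
        # Rule 2: a successful login by an account that should be disabled.
        if result == "Accepted" and user in departed:
            alerts.append(("departed-user-login", user, src, result))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```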
It may not be up to the analyst to determine when incident response is actually appropriate. Most likely, a manager or some other kind of higher-level decision maker will make that determination. But that doesn't mean that an analyst cannot, or rather, that an analyst can avoid an immediate response when there has been some indication of a problem.
The job, of course, as we've already discussed, is to identify all the relevant information and start investigating to determine if the events are truly part of a CKC 7 scenario, or is it just a false positive event that was unanticipated and now needs to be ruled out in the future? That's a big part of the job, and it's a challenging part of the job as well.
Some organizations use various recording equipment to reconstruct any traffic that has traversed their perimeter. There were some companies back in my production support days that were using tools like NetVCR, where they record all the Internet traffic in and out of an organization through their perimeter. You could set these things up inside the perimeter as well, but generally it's at the perimeter so that you can get the evidence for something that really did come from the outside, or came from inside and went through the perimeter to the Internet.
Depending on the sophistication level of these tools, you can look at each individual session, look at each individual packet, and make a determination as to whether or not you've got a real event, or rather real events, that constitute an incident.
When these things happen, there are frequently meetings held, either as part of incident response or triage, where individuals that have subject matter expertise are brought in to discuss and make assessments as to how bad the actual situation is. How much damage was done? Have we contained the problem? Has this spread to other organizations or partners or any of our downstream customers, for instance?
These are all good conversations to have that help the organization better understand where they are in the process and what might need to be done next.
As we all know, lots of vendors create security products and services. There's an expectation of a certain methodology when trying to introduce something new into the environment.
Sometimes vendors will provide a bundle, to say, OK, if you buy our product, we'll also bundle in some free training. Or maybe the training is at a discount because you're purchasing their software or their hardware or subscribing to a service. That could be really useful, because who better to train the analysts or the engineers or the administrators than the vendor who designed it?
Sometimes the vendors even offer certifications for their products, and that may have some value. Or it might be more important, or more appropriate rather, to get an industry certification, like a firewall engineer, or a malware engineer, a malware reverse engineer, or an analyst. It's a mixed bag as far as what's most appropriate for your organization. Your leadership will certainly have opinions on this, so it's good to explore the different possibilities.
Sometimes vendors will offer a free trial, and that way you can get the product into your environment and start trying to prove that it's actually useful. You know, maybe you do some estimates on the return on investment: if we spend this money, then we're expected to gain some benefit, we're expected to save money on incident response costs.
Business impact analysis is also part of this overall methodology, because you might have to make the case to your management, to say, well, if we don't have this capability, or if we can't detect and respond appropriately to certain types of threats, here is the impact to the organization. It could be very large-scale events like lawsuits, or it could just be lost customers that have lost faith in the organization's products and services, and now they're leaving to go do their business somewhere else.
These are interesting variations, and they're good conversations to have, especially when the cost of a product or service is very large.
And then there are ongoing considerations of support contracts, maintenance perhaps for hardware, and these things can really add up. So it's good to lay the groundwork properly and to prove that you did the analysis correctly. Then the product can be evaluated; it can be shown to be effective, and the decision-making authority that would release that budget might decide, OK, well, this looks like a good idea, we're going to actually go forward with it.
All right, that concludes the module. I hope you enjoyed it. See you in the next one.