00:04
Hello, I'm Gene Pompilio.
00:05
Welcome to the next module in our introduction to Cyber Threat Intelligence.
00:10
In this module, we're going to be looking a little bit at the requirements for a CTI program within a typical organization.
00:18
So some of these steps are required because
00:22
the organization may need to prepare itself properly
00:25
to handle all the different responsibilities and roles which will be created by a properly run CTI program.
00:32
We'll consider some different sources of data,
00:35
and then we'll touch on
00:38
key ingredients to success with security products.
00:42
First of all, think about
00:44
how your organization handles incident response. Currently,
00:50
it could be that your organization mostly operates from events coming from a SIEM device, or
00:58
you have a security engineer or other
01:00
system administrators of some sort who are
01:03
raising the flag occasionally, saying we've got a problem, we need to look into something.
01:11
invoke our incident response procedures
01:15
There could be some refinement of incident response policies and procedures
01:19
that would make a lot of sense before engaging in a CTI program.
01:23
For instance, there may be certain thresholds or criteria that are defined
01:27
so that the organization can reliably decide when
01:32
certain events constitute an incident and when they don't.
01:37
A few times in previous discussions,
01:40
it's important for the organization to have clear
01:42
rules, and they should allocate the resources towards investigating an incident so that time and money
01:49
and effort is not wasted by,
01:53
you know, a false positive, effectively.
01:57
Your senior leadership also needs to be involved.
02:00
This is more than just financial support, although that's
02:02
you know, often the foundation of support.
02:07
Analysts, paying for training, paying for software and hardware
02:12
is only part of the solution.
02:15
Senior leadership also needs to be advocating for the benefits of the CTI program.
02:22
This means that they are representing the best interest of the teams that are working on this,
02:30
also going to bat for them when there's pushback against
02:34
budgeting or some other
02:39
Inevitably, there will be new policies created when the CTI program is designed,
02:46
and senior leadership should have a lot of input here. They may not understand all of the technical details. That's why they bring in subject matter experts in order to fill them in and explain.
02:59
The executives and senior leadership still need to be ultimately responsible for making sure the program succeeds and is effective,
03:07
so they must weigh in on some of these considerations when the program is being developed and designed.
03:14
One of these aspects is communications.
03:17
An effective communications plan means that all the stakeholders are aware that the CTI program is operational.
03:24
Maybe you have to create some
03:28
extensions to an organizational chart,
03:30
or there's some other kind of
03:32
policies and procedures that are written up
03:36
and distributed to all the stakeholders.
03:38
This way they're aware that
03:39
the program is working and they have some points of contact
03:44
when they have questions or when they get involved in an actual incident.
03:49
The structure for how information is shared or how the communications plan functions
03:54
could take various different shapes and sizes.
03:58
For instance, there may be a regularly scheduled weekly meeting,
04:01
which is what I'm mostly used to in the situations I've been in.
04:05
You occasionally have other meetings that are informal throughout the week
04:11
in order to touch base on various topics or situations that are under investigation,
04:18
so that's expected to be a
04:20
normal occurrence.
04:24
treat their entire communications plan as very informal,
04:28
and people only find out that there's anything important going on when there's been a large incident.
04:33
Otherwise, no news is good news, and that approach works fine for certain organizations.
04:39
But most larger organizations are probably going to have a standing meeting,
04:44
typically on a Friday from my experience.
04:46
That way you can discuss what's happened that week,
04:49
what might need to be done over the weekend or even next week in preparation for additional activities that are ongoing.
05:00
Now, we talked about data sources a few different times, as far as
05:04
which ones are appropriate, which ones are credible.
05:08
But we need to think about the preparation for policies and procedures to be created. So
05:15
trying to examine different types of activity makes a lot of sense, to say, OK,
05:19
we've seen a large amount of data get exfiltrated from our environment.
05:25
As I mentioned in the last module, that could be copying a website, it could be
05:29
copying data from a database that's been affected by SQL injection attacks.
05:34
Or maybe there's activity that indicates that
05:39
an initial penetration of an intruder has now spread to other systems,
05:43
so someone might be moving laterally or even vertically
05:46
to gain access to higher level functions within the environment.
05:51
There should be some attention paid to these broad categories of
05:56
suspicious activity.
05:59
One of the more important ones, too, would be credentials,
06:01
and something as simple as getting an alert when
06:05
there's been an attempt to log in as administrator or log in as root.
06:10
Maybe that's prohibited by your policies and your security configuration, so when an event like that occurs,
06:16
it automatically should be
06:18
considered suspicious.
06:20
Or perhaps you've got evidence of
06:25
credentials being used for someone that has already left the organization.
06:29
Somehow their account is still active and someone's using it. Again, very suspicious, and it should be investigated.
06:38
It may not be up to the analyst to determine when incident response is actually appropriate.
06:44
Most likely, a manager or some other kind of
06:47
higher level decision maker will make that determination.
06:50
But that doesn't mean that an analyst cannot,
06:55
or rather, that an analyst can avoid an immediate response when there has been some indication of a problem.
07:01
The job, of course, as we've already discussed, is to
07:04
identify all the relevant information and start investigating to determine if
07:10
the events are truly part of a CKC 7 scenario,
07:14
or is it just a false positive event
07:17
that was unanticipated and now needs to be ruled out in the future?
07:21
That's a big part of the job, and it's a challenging part of the job as well.
07:26
Some organizations use
07:28
various recording equipment
07:30
to reconstruct any traffic that has traversed their perimeter.
07:35
There were some companies back in
07:39
my production support days that were using tools like NetVCR,
07:46
where they record all the Internet traffic in and out of an organization through their perimeter.
07:51
You could set these things up inside the perimeter as well, but
07:55
generally it's at the perimeter so that you can get the
08:00
evidence for something happening that really did come from the outside, or came from inside and went through the perimeter to the Internet.
08:07
And depending on the sophistication level of these tools, you can look at each individual session, look at each individual packet,
08:15
and make a determination as to whether or not you've got a real event,
08:18
or rather, one that constitutes an incident.
08:24
When these things happen, there are frequently meetings held,
08:26
either as part of incident response or triage,
08:33
where individuals that have subject matter expertise are brought in
08:39
to discover and make assessments as to how bad the actual situation is. How much damage was done?
08:45
Have we contained the problem?
08:46
Has this spread to other organizations or partners or
08:50
any of our downstream customers, for instance?
08:54
These are all good conversations to have
08:56
that help the organization
08:58
better understand where they are in the process and what might need to be done next.
09:07
As we all know, lots of vendors create security products and services.
09:13
There's an expectation of a certain methodology when
09:16
trying to introduce something new into the environment.
09:20
Sometimes vendors will provide a
09:24
bundle, to say, OK, if you buy our product,
09:28
we'll also bundle in some free training.
09:31
Or maybe the training is at a discount because you're purchasing their software or their hardware
09:35
or subscribing to a service
09:39
That could be really useful, because who better to train
09:41
the analysts or the engineers or the administrators than the vendor who designed
09:48
Sometimes the vendors even offer certifications on their products,
09:54
and that may have some value.
09:56
Or it might be more important or more appropriate, rather, to get an industry certification like a
10:03
firewall engineer or malware engineer, malware reverse engineer, or analyst.
10:11
It's a mixed bag as far as what's most appropriate for your organization. Your leadership will certainly have opinions on this,
10:18
so it's good to explore the different possibilities.
10:22
Sometimes vendors will offer a free trial,
10:26
and that way you can get the product
10:28
into your environment. You can start
10:31
trying to prove that it's actually useful.
10:33
You know, maybe you do some estimates on
10:37
the return on investment: if we spend this money,
10:41
then we are expected to gain some benefit,
10:43
we're expected to save money on incident response costs.
10:48
Business impact analysis is also part of this
10:52
overall methodology as well, because
10:54
you might have to make the case to your management, to say, well,
10:58
if we don't have this capability, or if we can't detect and respond appropriately to certain types of threats,
11:05
here is the impact to the organization.
11:07
It could be very large scale events like lawsuits and
11:13
Or it could just be lost customers that
11:16
have lost faith in the organization's products and services; now they're leaving
11:22
to go do their business somewhere else.
11:24
These are interesting variations, and they're good conversations to have, especially when the cost of a product or service is very large.
11:33
And then there are ongoing
11:33
considerations of support contracts,
11:37
maintenance, perhaps for hardware,
11:41
and these things could really add up. So it's good to lay the groundwork properly.
11:45
And to prove that you did the analysis correctly,
11:48
then the product can be evaluated. It can be shown to be effective,
11:54
so that the decision-making capability to release that budget might decide, OK, well,
12:01
this looks like a good idea. We're gonna actually go forward with it.
12:03
All right, that concludes the module. Hope you enjoyed it. See you in the next one.