Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

Module 8 consists of a single video, but it is a comprehensive overview of the requirements for putting a properly run CTI program in place. Dean goes over the procedures for handling incident response. Events may come from sources such as an IDS or a SIEM. Sysadmins raise the alert flag, but it is important that CTI analysts follow proper incident response procedures, with defined thresholds for when an event becomes an incident. The last thing any organization wants or needs is to waste time and money responding to false positives. Senior leadership must be involved. This includes not only being in the notification chain but also being an advocate for the CTI program within the organization. Open lines of communication are critical, and regular and ad hoc meetings must be part of the CTI program. The video concludes with a discussion of tools and security products. These resources are essential in support of any CTI program. Dean reviews the various types and offerings, along with vendor training, free trials, return-on-investment estimates, business impact analysis, and ongoing support costs.

Video Transcription

00:04
Hello, I'm Dean Pompilio.
00:05
Welcome to the next module in our Introduction to Cyber Threat Intelligence.
00:10
In this module, we're going to be looking a little bit at the requirements for a CTI program within a typical organization.
00:18
So some of these steps are required because
00:22
the organization may need to prepare itself properly
00:25
to handle all the different responsibilities and roles which will be created by a properly run CTI program.
00:32
We'll consider some different sources of data,
00:35
and then we'll touch on
00:37
some
00:38
key ingredients to success with security products.
00:42
First of all, think about
00:44
how your organization handles incident response currently.
00:49
uh,
00:50
It could be that your organization mostly operates from events coming from a SIEM device or an IDS,
00:57
and
00:58
you have a security engineer or other
01:00
system administrators of some sort who are
01:03
raising the flag occasionally saying we've got a problem. We need to look into something.
01:08
We need to
01:11
invoke our incident response procedures
01:14
so
01:15
there could be some refinement of incident response policies and procedures
01:19
that would make a lot of sense before engaging in a CTI program.
01:23
For instance, there may be certain thresholds or criteria that are defined
01:27
so that the organization can reliably decide when
01:32
certain events constitute an incident and when they don't.
01:36
As I mentioned
01:37
a few times in previous discussions,
01:40
it's important for the organization to have clear
01:42
rules, and they should allocate the resources towards investigating an incident so that time, money,
01:49
and effort are not wasted by,
01:53
you know, a false positive, effectively.
01:57
Your senior leadership also needs to be involved.
02:00
This is more than just financial support, although that's,
02:02
you know, often the foundation of support.
02:07
Paying for
02:07
analysts, paying for training, paying for software and hardware
02:12
is only part of the solution.
02:15
Senior leadership also needs to be advocating for the benefits of a CTI program.
02:22
This means that they are representing the best interest of the teams that are working on this,
02:28
essentially, and
02:30
also going to bat for them when there's a push back against
02:34
budgeting or some other
02:36
type of obstacles.
02:39
Inevitably, there will be new policies created when the CTI program is designed,
02:46
and senior leadership should have a lot of input here. They may not understand all of the technical details. That's why they bring in subject matter experts in order to fill them in and explain
02:55
certain concepts.
02:58
But
02:59
the executives and senior leadership still need to be ultimately responsible for making sure the program succeeds and is effective,
03:07
so they must weigh in on some of these considerations when the program is being developed and designed.
03:14
One of these aspects is communications.
03:17
An effective communications plan means that all the stakeholders are aware that the CTI program is operational.
03:24
Maybe you have to create
03:28
some extensions to an organizational chart,
03:30
or there's some other kind of
03:32
policies and procedures that are written up
03:36
and distributed to all the stakeholders.
03:38
This way they're aware that
03:39
the program is working and they have some points of contact
03:44
when they have questions or when they get involved in an actual incident.
03:47
Now,
03:49
the structure for how information is shared or how the communications plan functions
03:54
could take various different shapes and sizes.
03:58
For instance, there may be a regularly scheduled weekly meeting,
04:01
which is what I've mostly been used to in the situations I've been in.
04:05
You occasionally have other meetings that are informal throughout the week
04:11
in order to touch base on various topics that are under investigation, various situations that are under investigation,
04:18
so that's expected to be a
04:20
a normal occurrence.
04:21
Some organizations
04:24
treat their entire communications plan as very informal,
04:28
and people only find out that there's anything important going on when there's been a large incident.
04:33
Otherwise, no news is good news, and that approach works fine for certain organizations.
04:39
But most larger organizations are probably going to have a standing meeting,
04:44
typically on a Friday from my experience.
04:46
That way you can discuss what's happened that week
04:48
and also discuss
04:49
what might need to be done over the weekend or even next week in preparation for additional activities that are ongoing.
05:00
Now, we talked about data sources a few different times, as far as
05:04
which ones are appropriate, which ones are credible.
05:08
But we need to think about the preparation for policies and procedures to be created. So
05:15
trying to examine different types of activity makes a lot of sense, to say, OK,
05:19
we've seen a large amount of data get exfiltrated from our environment.
05:25
As I mentioned in the last module, that could be copying a website, it could be
05:29
copying data from a database that's been affected by SQL injection attacks.
05:34
Or maybe there's activity that indicates that
05:39
an initial penetration of an intruder has now spread to other systems,
05:43
so someone might be moving laterally or even vertically
05:46
to gain access to higher level functions within the environment.
05:51
There should be some attention paid to these broad categories
05:56
of suspicious activity.
05:59
One of the more important ones, too, would be credentials,
06:01
and something as simple as getting an alert when
06:05
there's been an attempt to log in as administrator or log in as root.
06:10
Maybe that's prohibited by your policies, in your security configuration. So when an event like that occurs,
06:16
it automatically should be
06:18
considered suspicious.
06:20
Or perhaps you've got evidence of
06:25
credentials being used for someone that has already left the organization.
06:29
Somehow their account is still active, and someone's using it. Again, very suspicious and should be investigated.
06:36
Now,
06:38
it may not be up to the analyst to determine when incident response is actually appropriate.
06:44
Most likely, a manager or some other kind of
06:47
higher level decision maker will make that determination.
06:50
But that doesn't mean that an analyst cannot,
06:54
uh,
06:55
rather, that an analyst can avoid an immediate response when there has been some indication of a problem.
07:01
The job, of course, as we've already discussed, is to
07:04
identify all the relevant information and start investigating to determine if
07:10
the events are truly part of a CKC 7 scenario,
07:14
or is it just a false positive event
07:17
that was unanticipated and now needs to be ruled out in the future?
07:21
That's a big part of the job, and it's a challenging part of the job as well.
07:26
Some organizations use
07:28
various recording equipment
07:30
to reconstruct any traffic that's traversed their perimeter.
07:35
There were some companies back in
07:39
my production support days that were using tools like NetVCR
07:43
and, uh,
07:44
other
07:45
similar tools
07:46
where they record all the Internet traffic in and out of an organization through their perimeter.
07:51
You could set these things up inside the perimeter as well, but
07:55
generally it's at the perimeter so that you can get the
07:59
the best
08:00
evidence for something happening that really did come from the outside, or came from inside and went through the perimeter to the Internet.
08:07
And depending on the sophistication level of these tools, you can look at each individual session, look at each individual packet,
08:15
and make a determination as to whether or not you've got a real event
08:18
that constitutes a real event, rather, that constitutes an incident.
08:24
When these things happen, there are frequently meetings held,
08:26
either as part of incident response or triage
08:31
or
08:31
lessons learned
08:33
where individuals that have subject matter expertise are brought in.
08:37
to
08:39
discover and make assessments as to how bad the actual situation is. How much damage was done?
08:45
Have we contained the problem?
08:46
Has this spread to other organizations or partners or
08:50
any of our downstream customers? For instance,
08:54
these are all good conversations to have
08:56
that help the organization
08:58
better understand where they are in the process and what might need to be done next.
09:07
As we all know, lots of vendors create security products and services,
09:11
so
09:13
there's an expectation of a certain methodology when
09:16
trying to introduce something new into the environment.
09:20
Sometimes vendors will often provide a
09:24
bundle to say, OK, if you buy our product,
09:28
we'll also bundle in some free training.
09:31
Or maybe the training is at a discount because you're purchasing their software or their hardware
09:35
or subscribing to a service
09:39
That could be really useful, because who better to train
09:41
the analysts or the engineers or the administrators than the vendor who designed
09:46
the product?
09:48
Sometimes the vendors even offer certifications on their products,
09:54
and that may have some value.
09:56
Or it might be more important, or more appropriate rather, to get an industry certification like a
10:03
firewall engineer or malware engineer, malware reverse engineer, or analyst.
10:11
It's a mixed bag as far as what's most appropriate for your organization. Your leadership will certainly have opinions on this,
10:18
so it's good to explore the different possibilities.
10:22
Sometimes vendors will offer a free trial,
10:26
and that way you can get the product
10:28
into your environment. You can start
10:31
trying to prove that it's actually useful.
10:33
You know, maybe you do some estimates on
10:37
the return on investment. If we spend this money
10:41
we are expected to gain some benefit,
10:43
we're expected to save money on incident response costs.
10:48
Business impact analysis is also part of this
10:52
overall methodology as well, because
10:54
you might have to make the case to your management to say well,
10:58
if we don't have this capability, or if we can't detect and respond appropriately to certain types of threats,
11:05
then here is the impact to the organization.
11:07
It could be very large-scale events like lawsuits and
11:11
regulatory fines.
11:13
Or it could just be lost customers that
11:16
have lost faith in the organization's products and services, and now they're leaving
11:22
to go do their business somewhere else.
11:24
These are interesting variations, and they're good conversations to have, especially when the cost of a product or service is very large.
11:33
And then there's ongoing
11:33
considerations of support contracts,
11:37
maintenance, perhaps for hardware,
11:41
and these things can really add up. So it's good to lay the groundwork properly
11:45
and to prove that you did the analysis correctly.
11:48
Then the product can be evaluated. It can be shown to be effective,
11:52
and someone
11:54
that has the decision-making capability to release that budget might decide, OK, well,
12:01
this looks like a good idea. We're going to actually go forward with it.
12:03
All right, that concludes the module. Hope you enjoyed it. See you in the next one.

Up Next

Intro to Cyber Threat Intelligence

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor