Tactical Threat Intelligence Requirements | Cybrary

Video Activity

Create Free Account

Module 8 consists of a single video but it's a comprehensive overview of the requirements for putting a properly run CTI program in place. Dean goes over the procedures for handling incident response. Events may come from devices such as an IDS or SEIM device. Sysadmins raise the alert flag but it's important that CTI analysts follow proper inciden...

Sign up with

Or

Already have an account? Sign In »

Time

4 hours 8 minutes

Difficulty

Intermediate

CEU/CPE

4

Create Free Account

Module 8 consists of a single video but it's a comprehensive overview of the requirements for putting a properly run CTI program in place. Dean goes over the procedures for handling incident response. Events may come from devices such as an IDS or SEIM device. Sysadmins raise the alert flag but it's important that CTI analysts follow proper incident response procedures. The last thing any organization wants or needs is to waste time and money responding to false positives. Senior leadership must be involved. This includes not only being in the notification chain but also being an advocate for the CTI program within the organization. Open lines of communication are critical and regular and ad hoc meetings must be part of the CTI program. The video concludes with a discussion of tools and security products. These resources are essential in support of any CTI program. Dean reviews the various types and offerings.

00:04

Hello, I'm Gene Pompilio.

00:05

Welcome to the next module. In our introduction to Cyber Threat Intelligence,

00:10

this module, we're gonna be looking a little bit at the requirements for a C. T. I program within a typical organization.

00:18

So some of these steps are required because the

00:22

the organization may be to prepare itself properly

00:25

to handle all the different responsibilities and rolls which will be created by properly run C T. I program.

00:32

Well, consider some different sources of data,

00:35

and then we'll touch on

00:37

some

00:38

key ingredients to success with security products.

00:42

First of all, I think about

00:44

how your organisation handles incident response. Currently,

00:49

uh,

00:50

it could be that your organization mostly operates from events coming from a SIM device for 90 s

00:57

and

00:58

you have a security engineer or other

01:00

system administrators of some sort who are

01:03

raising the flag occasionally saying we've got a problem. We need to look into something.

01:08

We need to

01:11

invoke our incident response procedures

01:14

so

01:15

there could be some refinement of incident response policies and procedures

01:19

that would make a lot of sense. Before engaging in a C t. I program,

01:23

for instance, there may be certain thresholds or criteria that are defined

01:27

so that the organization can reliably decide when

01:32

certain events constitute an incident and when they don't.

01:36

As I mentioned

01:37

a few times in previous discussions,

01:40

it's important for the organization to have clear

01:42

rules, and they should advocate the resource is towards investigating an incident so that time and money

01:49

an effort is not wasted by,

01:53

you know, a false positive effectively,

01:57

you're senior leadership also needs to be involved.

02:00

This is more than just financial support, although that's

02:02

you know often the foundation of support

02:07

paying. For

02:07

analysts paying for training, paying for software and hardware

02:12

is only part of the solution.

02:15

Senior leadership also needs to be advocating for the benefits of C T. I program.

02:22

This means that they are representing the best interest of the teams that are working on this,

02:28

the sexuality and

02:30

also going to bat for them when there's a push back against

02:34

budgeting or some other

02:36

type of obstacles.

02:39

Inevitably, there will be new policies created when the C T. I program is designed,

02:46

and senior leadership should have a lot of input here. They may not understand all of the technical details. That's why they bring in subject matter experts in order to fill them in and explain

02:55

certain concepts.

02:58

But

02:59

the executives and senior leadership still needs to be ultimately responsible for making sure the program succeeds and is effective,

03:07

so they must weigh in on some of this considerations when the program is being developed and designed.

03:14

One of these aspects is communications.

03:17

An effective communications plan means that all the stakeholders are aware that C. T. Ai program's operational.

03:24

Maybe you have to create some

03:28

some extensions to an organizational chart,

03:30

or there's some other kind of

03:32

policies and procedures that are written up

03:36

and distributed to all the stakeholders.

03:38

This way they're aware of that

03:39

the program is working and they have some points of contact

03:44

when they have questions or when they get involved in actual incident.

03:47

Now the

03:49

the structure for how information is shared or how the communications plan functions

03:54

could take various different shapes and sizes.

03:58

For instance, there may be a regularly scheduled weekly meeting,

04:01

which is what I mostly used to it and its situations. I've been it.

04:05

You occasionally have other meetings that are informal throughout the week

04:11

in order to touch base on various topics that are under investigation, very situations that are under investigation,

04:18

so that's expected to be a

04:20

a normal occurrence.

04:21

Some organizations

04:24

treat their entire communications plan as very informal,

04:28

and people always find out that there's anything important going on when there's been, ah, large incident.

04:33

Otherwise, no news is good news, and that approach works fine for certain organizations.

04:39

But most larger organizations are probably going to have a standing meeting,

04:44

typically on a Friday from my experience.

04:46

That way you can discuss what's happened that week

04:48

and also discuss

04:49

what might need to be done over the weekend or even next week in preparation for additional activities. There are ongoing

05:00

now. We talked about data sources a few different times, as far as

05:04

which ones are appropriate, which ones are credible.

05:08

But we we need to think about the preparation for policies and procedures to be created, So

05:15

trying to examine different types of activity makes a lot of sense to say OK, we've

05:19

we've seen a large amount of data get get expatriated from our environment.

05:25

As I mentioned the last model that could be copying website, it could be

05:29

copying data from a database that's been affected by sequel injection attacks.

05:34

Or maybe there's activity that indicates that that day

05:39

an initial penetration of an intruder has now spread to other systems,

05:43

so someone might be moving laterally or even vertically

05:46

to gain access to higher level functions within the environment.

05:51

There should be some attention p to these broad categories of

05:56

of suspicious activity.

05:59

One of the more important ones, too. It would be credentials

06:01

and something as simple as getting an alert when

06:05

there's been an attempt log in as administrator or log in his route.

06:10

Maybe that's prohibited by your policies in your in your security configuration. So when an event like that occurs,

06:16

it automatically should be

06:18

considered suspicious.

06:20

Or perhaps you've got a evidence of

06:25

credentials being used for someone that has already left the organization.

06:29

Somehow their account is still active, and someone's using it again, very suspicious and should be investigated.

06:36

No,

06:38

it may not be up to the analyst to determine when incident response is actually appropriate.

06:44

Most likely, a manager or some other kind of

06:47

higher level decision maker will make that determination.

06:50

But that doesn't mean that an analyst cannot,

06:54

uh,

06:55

rather than animals can avoid immediate response when there has been some indication of a problem.

07:01

The job, of course, as we've already discussed, is too.

07:04

Identify all the relevant information and start investigating to determine if

07:10

the events are truly part of a C K C seven scenario,

07:14

or is it just a false positive event

07:17

that was unanticipated and now needs to be ruled out in the future?

07:21

That's a big part of the job, and it's a challenging part of the job as well.

07:26

Some organizations use

07:28

various recording equipment

07:30

to reconstruct any traffic that's tribe traverse their perimeter.

07:35

There were some companies back in

07:39

my production support days that were using tools like Net, VCR

07:43

and uh,

07:44

other

07:45

similar tools

07:46

where they record all the Internet traffic in and out of an organization through their perimeter.

07:51

You could set these things up inside the perimeter as well, but

07:55

generally it's at the perimeter so that you can get the

07:59

the best

08:00

evidence for something happening that really did come from the outside or came from inside and went through the perimeter to the Internet

08:07

and depending on the sophistication level, these tools you can look at each individual session looking each individual packet

08:15

and makes a determination as to whether or not you've got a real event

08:18

that constitutes a real events rather that constitute incident

08:24

when these things happen there frequently. Meetings held

08:26

either as part of incident response or triage

08:31

or

08:31

lessons learned

08:33

where individuals that have subject matter expertise are brought in.

08:37

Two.

08:39

Discover on make assessments as to how bad is the actual situation. How much damage was done?

08:45

Have we contained the problem?

08:46

Has this spread to other organizations or partners or

08:50

any of our downstream customers? For instance,

08:54

these are all good conversations to have

08:56

that helps the organization

08:58

better understand where they are in the process in what might need to be done next.

09:07

As we all know, lots of vendors create security products, and service is

09:11

so

09:13

there's a expectation of a certain methodology when

09:16

trying to introduce something new into the environment.

09:20

Sometimes vendors will will often provide a

09:24

Blundell to say okay. If you buy our product,

09:28

we'll also bundle in some free training.

09:31

Or maybe the training is at a discount because you're purchasing their software or their hardware

09:35

or subscribing to a service

09:39

that could be really useful because Who better to train?

09:41

The the analysts are the engineers or the administrators, then the vendor who designed

09:46

these? The product.

09:48

Sometimes the vendors, even often serve, offer certifications of their products,

09:54

and that may have some value.

09:56

Or it might be more important or more appropriate, rather, to get an industry certification like a

10:03

firewall, engineer or amount. Where. Engineer malware. Reverse engineer Our analyst

10:11

These are It's a mixed bag aspires. What's most appropriate for your organization. Your leadership will certainly have opinions on this,

10:18

so it's good to explore the different possibilities.

10:22

Sometimes vendors will offer a free trial,

10:26

and that way you can get the product

10:28

into your environment. You can start

10:31

trying to prove that it's actually useful.

10:33

You know, maybe you, you do some estimates on

10:37

the return on investment. If we spend this money

10:41

that we are expected to gain some benefit,

10:43

we're expected to save money on incident response costs.

10:48

Business impact analysis is also part of this

10:52

overall methodology as well, because

10:54

you might have to make the case to your management to say well,

10:58

if we if we don't have this capability for if we can't detect and respond appropriately to certain types of threats.

11:05

And here is the impact to the organization

11:07

could be a very large scale events like lawsuits and

11:11

regulatory fines.

11:13

Or it could just be lost. Customers that

11:16

have have lost faith in the organization's products and service is now they're they're leaving

11:22

to go get do their business somewhere else.

11:24

These are interesting variations, and they're good conversations to have, especially when the cost of a product or service is very large.

11:33

And then there's ongoing

11:33

considerations of support contracts,

11:37

maintenance, perhaps for hardware,

11:41

and these things could really add up. So it's good to lay the ground work properly.

11:45

And to prove that that you did the analysis correctly,

11:48

then the product can be evaluated. It could be shown to be effective

11:52

and someone

11:54

that the decision making capability for that to release that budget might decide. Okay, well,

12:01

this looks like a good idea. We're gonna actually go forward with it.

12:03

All right? That concludes the module. Hope you enjoyed it. See, in the next one

Cyber Kill Chain Analysis - CKC7 Deep Dive

Cyber Kill Chain Analysis - IOC Identification

Cyber Kill Chain Analysis - Putting the Pieces Together

Cyber Kill Chain Management - Handling Simultaneous Intrusions

Cyber Kill Chain Management - Managing Multiple CKCs

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

CEO of SteppingStone Solutions