
Good afternoon everybody. Good afternoon. My name is Wilson Fisha. I wasn't intending to talk about this today; we had a speaker who had a substantial conflict, but this is a statement that I gave to the Republic of South Korea's cyber track, so I figured this would probably be a good venue to talk about this stuff anyway. So, about four years ago, I wrote a book called Practical Cyber Intelligence. I had somebody... oh, sorry.

Yeah. So about four years ago, I saw a bunch of issues with the cyber security organizations that I was working with, in that they were not able to communicate effectively across the organization, partly because they were siloed. It really made me anxious, because we could do it so much better. And so I put this book together based off of what I learned in Afghanistan as a communications officer. I was responsible for 117 Marines, and we were all in the south of Colony Province in southern Afghanistan, and we were able to look at an entire battlefield and communicate across one another in order to make missions happen. So it was really important to see that it wasn't just the IT team that was connecting to one another and making sure that people talked. It was also supply. It was also operations. It was different battalions making sure that information went up and information went down. And when I first wrote this, cyber threat intelligence was like the only intelligence that you heard of, right? People have kind of changed that since then, but everybody says CTI is intelligence. Well, the way that I look at it is that you have different forms of information coming from different sources. That raw data is turned into information, and the information is then turned into intelligence, right? Because you have to make it actionable.

So this is the agenda. Hopefully I can make it through this whole thing; there are a lot of slides. I'll talk to you about who I am, where I'm from, what is practical cyber intelligence, the OODA loop (I'm pretty sure everybody's heard of that), a different view on F3EAD, a framework and capability maturity model that integrates inputs and outputs from key functions in an information security organization, and the idea of communicating the potential for exploitability based on cyber intelligence. Lots.

So, again, I was in the Marines. I first started enlisted. I was a musician, and then I got my college degree and they said we're going to make you an officer, and so there I was on the front lines in Afghanistan. I did that for a bit, then I went to the reserves, and then went to the Army National Guard, where I ended up being the captain of the cyber network defense team of the North Carolina National Guard, and eventually retired out of there. I spent a lot of time in the private sector doing defense manufacturing as a DoD contractor, and now I have my own consultancy, doing governance, risk and compliance and
helping a lot of different organizations become more secure. So that's what I'm doing now. The reality of a security professional is really interesting, because a lot of people look at it and it's just like, man, it's really overwhelming. There are so many things, so much data coming at us that we're not able to sort through it. We're resource constrained and we have so many security tools. So like I said before, when I first wrote this I was like, all right, we have a vulnerability management team; they have all the scanners, right? And they have a security compliance tool, and it's doing scans based on security configurations, but we're not talking to each other saying, hey, we have vulnerabilities here, we have compliance issues here, what are we doing? There are a lot of issues here, why aren't we fixing that? And then you start adding: well, you want to be a top-of-the-line, best-of-breed cyber security organization, let's add, you know, the best antivirus, whatever. It became more and more confusing because a lot of people were just taking all this information. It was just slammed, and you see CISOs just like, please don't fire me. It was like that all the time. And so what I wanted to do is try to explain that there is a difference between getting data and turning it into information, turning it into knowledge, and then getting to wisdom, right? Because the goal is to make a decision based on information that's relevant and actionable. Make sense? So instead of just getting a bunch of scans, a bunch of monthly reports, it's actually taking that information and turning it into something to say: all right, I know that we're resource constrained, but this poses the most risk to the organization, this is the most valuable asset to the organization, maybe we should focus our efforts here first instead of, oh my god, I've got to plug a bunch of holes. That's how it is.

So my definition of quality decision making is the production of accurate, relevant and timely information that's key to good decision making. Good decisions require good information that is derived from raw facts. It's key to business survival in a global market. And so I asked, how can I leverage my military experience to provide quality decision-making capability to my team? Much like a military organization, we have different sections: S2, which is intelligence; G2, which is intelligence at a higher level; and J2, which is intelligence at a higher level still, the joint level. In a cyber security organization you have cyber threat intelligence; in the military you have different levels, right? Like I talked about, these are all the sections that make up a military unit: S1, S2, S3, S4, S6. And they all support the commander in making their decisions. Right? The flow down of military requirements: this is just an example from the Marine side. At the division level the general gives their guidance. The commanders flow it down to regiment level, and they flow it down to the battalion. Whatever this person wants, the commander's intent, is what the subordinate units are supposed to do. So information needs to flow up and flow down. Everybody kind of understand that so far?

So when I look at intelligence, it's not just cyber threat intelligence. I look at it like this: the vulnerability management team is a source of intelligence. The people that are handling incident response are a source of intelligence. It's the same thing in business operations: operations, finance and so on make up the factors that allow business owners and CEOs to make decisions. Shouldn't it be the same with cyber security? So I came up with this crazy definition. Cyber intelligence is the ability to gain knowledge about an enterprise and its existing conditions and capabilities in order to determine the possible actions of an adversary when exploiting inherent critical vulnerabilities. It uses multiple information security disciplines (threat intelligence, vulnerability management, security configuration management, incident response and so on) and tool sets to gather information about the network through monitoring and reporting, to provide decision makers at all levels with prioritized justifications. Everybody got that? So yeah, you've got so much information; we need to make it actionable, right? And we need our commanders to make decisions, because what happens is that you have so much information, people just make the wrong decisions or they don't make any decisions at all.

So once again, this is the same thing: a funnel of different intelligence sources making cyber intelligence. Now how do we look at it from the cyber security aspect? We look at it from raw data (scan results, tool reports, logging events) to information (KPIs, pattern recognition), and then we start analyzing it from a risk perspective (risk analysis processes, option development, mitigation), and then decision making. Ultimately that's what we want. We want wisdom. So what is practical cyber intelligence?
>> So when I think of all the reports that our analysts get, they get a million reports. And this is what it feels like to a lot of the stakeholders: they're just drowning in reports, and you're incapable of making a decision. So what do we need to do? We need to make it, obviously, practical. So I kind of call this the spider. When we have a security operations center, the main thing that we want to do here is security state analysis, and you have different inputs, like from your red team, from your vulnerability discovery and detection team, continuous monitoring, security configuration management, incident response and governance. So you have all these different functions within these different capabilities that are within a cyber security organization, and you start putting it together with what the business looks like as far as priorities. You look at people, product, process and partners, and you see how it drives the priorities. What drives your priorities should be driving your risk mitigation strategies for your businesses.

And for anybody that's in the military, everybody should know what SMEAC is: what is the situation? What is our mission? How well are we executing? What do we need to do? Our admin and logistics, and how are we going to communicate to our stakeholders? Command and control.

Okay. I'm going to stop; we've talked for 12 minutes. Anybody lost? I'm lost.
Okay. So, again, this is how I look at everything, just because I'm a creature of habit. I look at everything from a military standpoint: the commander is going to give me an intent, right? He's going to say, "Hey, this is what we need to do," and I'm going to need to gather intelligence about what this commander needs. Then I'm going to have to give it to them, and they're going to have to make some kind of risk analysis, and they're going to have to make a decision. This is how I think. So it's the same thing when we look at it from an organizational standpoint, from the very top. What's the organization's mission? What are the critical assets? What are the crown jewels, the crown jewel applications, so forth and so on? And then you start focusing your intelligence gathering capabilities based on priority of assets and risk to the organization, thereby improving your cyber intelligence so that you give it to your CIOs, your CISOs, your leaders, so they can make a risk analysis and make a decision. Make sense? And it all starts with SMART goals: specific, measurable, achievable, realistic, and timely. How many people have seen bad SMART goals? Like, it should be complete, but it's not consistent, not useful, and out of date. Right? When we look at intelligence products, we want our leaders, or even ourselves, to make a decision. We need to be able to anticipate them. They need to be timely. They need to be accurate. We have to be able to use them. They have to be complete. They have to be relevant, objective, and available. So, in the military, we have a thing called priority information requirements. Just like your crown jewels and your critical assets, each of them is ranked, right? Some things, like, okay, we could do without that crown jewel for maybe 24 hours, but if we lose this, we're done, right? It's the same thing with information requirements.

Commanders need to make a decision based off of the risks that pose the most impact to the organization. Risks meaning, you know, the bad things that happen, or, if they're doing offensive operations, they're looking for: if this situation happens, if A happens and B happens, I need to know it right away so we can take action right away, right? It's the same thing here. From a strategic level we create priority information requirements. They ask only one question, they focus on a specific fact, event or activity, and they provide the intelligence required to support a single decision. Now, Napoleon used intelligence a lot during the time that he was around. He sent out his scouts to find out exactly what the terrain looks like. I want to know what the terrain looks like. I want to know what seasons it rains. I want to know where the troops are staying, whatever. So he could start putting his ducks in a row, so he could make a decision and then punch the enemy in the throat. Pretty much it's the same thing here: we need to be able to have those same anticipatory priority information requirements from the strategic level, from our leadership, to say this is what I'm looking for, and drive it down, decentralize, well, delegate it to your operational level and your tactical levels and say: this is what I'm looking for, this is why I'm looking for it, this is what I want, this is how I want it. Make sense?

So when we start looking at the requirements from each of these groups (senior leadership, the intelligence program, the board, security team leads), we start creating a master information requirements list, and we start prioritizing that list: these are the highest priority, this is good to know, this is probably important but we're not really focused on it, and this stuff's just not valid. So now we're prioritizing all these information requirements so that leadership can make a decision. And what does that look like? I need to slow down. All right, crazy talk, Wilson's talking. So for instance, information requirement one, information requirement two: you have different teams that have different inputs and different outputs that need to go to each of these requirements. The requirements follow the typical intelligence cycle: they are collected, they're refined, they're produced into intelligence, and then it's disseminated to your upper-level leadership. Sometimes your IT operations team doesn't need to be involved; well, in this case it does, but it doesn't need to be for information requirement one. But sometimes these three teams would be required to make information requirement two. Why is this important to know? Because you don't want people allocating their resources to collecting information that's not going to mean anything. So that's why you focus on these two teams to fulfill the requirements for one, and sometimes they don't need to for requirement two. And what we're trying to do is increase our decision-making cycle, what we call in the military observe, orient, decide and act. Who has not heard this term before? Great. So I'm not going to spend any more time on it.

So when we look at how the OODA loop and the cyber kill chain all interact: we know that observe is reconnaissance; orient, decide is weaponization, delivery, and then, sorry, decide is weaponization; act is delivery, exploitation, installation, command and control; and actions on objective is observe. And so from an adversary's perspective, we want the defense to not be able to figure out how to break this chain. But from our perspective, as a defensive organization, we need to make sure that information is flowing so we can break their chain. Because, what is it? The definition of war is two opposing wills, one trying to impose its will on the other. In order for you to impose your will on another, you need to be able to think faster than they do. And the way that you're going to think faster than they do is by decreasing your decision-making cycle. And that's how you deal with cyber intelligence.
So what does that mean? All right. From CIS control number one, a lot of what we can at least glean from this is that we know that we need to have at least the most accurate inventory that we can. I think of it as the 80% solution. So if we look at it from a strategic level, can we say in our organization that we have 80% of our inventory accounted for? Right? And the reason why I say it's important to have at least 80% is because if you're making decisions based off 50%, that means that you're missing out on a risk decision-making opportunity. So from here it's like, we need to make sure, in an organization, do we have 80% assurance on the inventory and control of our hardware? Right. And that's the requirement that needs to be reported down to all of the lower levels. How is that broken down to region, division, security operations, IT operations? Are they all communicating with each other? Are they all interacting with each other to make that happen? Does that break down even further from the tactical level at the country business team and the local IT level? Are those inventories being reported up, and are they accurate? Are they all going to an organizational CMDB?

>> Yes, ma'am.

>> Just a quick question. Where did the 80% come from? Was that just a number, or is it something?

>> So, where did the 80% come from?

>> 20% seems like a large percentage. I forgot, you said it's like the 80% solution. It's something that we use in the military. You can't make a decision based off 100%. So if you have 80%, it's better than nothing, right? One of the things that we learned in the military is like, we're not going to have all the answers. We're not going to have all the data in front of us, but what data we do have, we should be able to make a decision on. So they said 80%. And I said yes sir, yes ma'am. And it didn't go any deeper than that.

So this requirement goes down, right? And it's the same thing with the flow up: the requirements, the decision making, and the reporting of the data and the intelligence also need to go back up. Make sense?
All right, the intelligence process. When we talked about that in the slide that had the arrow that went horizontal: we have to have planning and direction, what we need to know, what we need to do and how we will do it. Collection: we're not just going to collect from anything; we're going to collect from the things that matter. Processing: the consolidation of information into a report. Analysis and production: understanding the whole picture to answer the original task. And dissemination: providing the written analysis to stakeholders in the way that they wanted and at the time they wanted. This is where we start getting into the F3EAD process. But we'll just talk about the cyber kill chain and the intelligence processing. In phase one, preparation: how do we limit the exposure of our critical information? How can they exploit vulnerabilities in these systems? Phase two: how do we monitor malicious payloads and exploitation attempts? Who has the administrative privileges to install software? So as we go through these, think about how many teams it would take to fulfill this critical requirement, this priority information requirement. Is it the incident response team, or is it just the SOC? No, there are several people. Imagine if you had all the information, all wrapped in one thing: this is where our critical vulnerabilities are, and this is where we need to fix our stuff. Stop. I would say another word for

So when I think about F3EAD, I would say it's the intelligence cycle slash operating cycle of a special operations unit: they find the target by identifying and locating it. They fix on it so they know where it's at. They finish the target, capture or kill it, with the assigned resources. Exploit: exploit information gathered during the mission from available sources. Analyze information to find additional targets to take action on. So we utilize these resources at an operational level to enable more fluid defense of the network. Strategic decision making is really slow. But as you go further down the rungs in an organization, decision making needs to happen a lot faster, sorry, operations need to happen a lot faster. Information needs to be brought up to the strategic level a lot quicker in order for our leaders to make decisions. So this is what I put together in regards to how smaller teams and smaller units should act within an organization. At the tactical level, this is what we're trying to report on: how do we fill these things, and how do we bring that up to the operational level as fast as we can. Whereas the intelligence cycle was only applicable to the strategic and operational levels. So what it looks like is this. You have the intelligence process, and you have the F3EAD process on the operational and tactical levels here. So you can see planning and direction: they say collect this stuff, they find it, they do it, they analyze it and they shoot it back this way. So it's a constant cycle; this is how we make our loop smaller. All right, so I'm going to walk through this. Our PIR is: where are critical applications? Where are the applications located? I need to know the app name, region and country, and then it goes through the intelligence process, right? So now it comes down and says, okay, where are critical applications, where are they located, and we need to know it like this. Now it's going to go through the F3EAD process: app A, region APAC, New Zealand; app B, region APAC, Australia; app C, region APAC; and right on down the line, right? So now, for instance, these are two different regional areas. Now it's going back up to the strategic level.

Sorry, does that make sense to everybody? All right.
Take a break, because it's 3:29. Any questions so far? Awesome. Keep on going. All right. I love capability maturity models, because they give you kind of a target to work towards, especially when it comes to cyber intelligence and information security and how we can fit it in. So we look at the initial phases. The initial phase is, "Oh my god, I don't know what's going on," right? And then phase A is like, "Oh my god, I don't know what's going on, and I kind of do." Phase B is, "Okay, I think we're getting it together." And then phase C is, "Okay, I think we're good. I think we're good."

Of course there's going to be a phase D, phase E, phase F. We want everything to be iterative, but at least we have something to go off of, some target to move towards, because the worst thing you have is just "we need to get from A to B" and you don't have any kind of steps to get to where

Cyber intelligence: this is the initial phase, where everything is going to the stakeholder, a bunch of reports, and they're like, "Oh my god, I don't know what's going on," and they're trying to mitigate the risk. That doesn't work out so well. Then it goes to: okay, maybe we have a software, and maybe we have these different functions within the organization, and they're providing different courses, and maybe they're providing different reports to the person, and maybe we're making risk mitigation decisions, but still a lot of information. Now we're starting to get more formalized. All right, now we have a SOC. The SOC maybe says, hey, this is what I want to see from the security state analysis, and security state analysis says, hey, the SOC is reporting they need to see these things from these teams, right? And now they have to consolidate the report of this team. Now this team also sends it to the IT guy, the poor soul that's patching a thousand patches, and he needs to know which ones to patch first and which to test, right? It's the same thing with the security operations center with a report from incident response: this is what we need to know, because they have the PIRs, and incident response is reporting to, or providing a report to, or the other way around, to incident response. This is what's going on, this is what we need, this is what we're seeing. And so everybody kind of gets the picture here, right? You can tell the SOC yada yada yada. And then you get phase C, where now we're starting to get into dashboards. The security operations center is now seeing things in a single pane of glass. I love that. Reports are coming from multiple teams; multiple teams are providing what security state analysis needs for the SOC to make a decision on. Maybe these teams have their own single-pane-of-glass dashboard, and this person here is able to make decisions based off reports, to make risk decisions for their organization.

And then from an enterprise standpoint: spider graphs, RAG charts, single pane of glass, yada yada yada, risk dashboards, and that's it. Back up. Okay. Yes. Listen, if you can go back to the ABC maturity model.
>> Yeah. So what do you think, where do we go in phase D in the next few years? What kind of bullet can we expect there? Let's say in a perfect scenario that you see.

So phase D to me would look... well, that's a great question. As we kind of move forward as a cyber security organization, as new technologies develop, we're always constantly, like, we're going to be between maybe A and B and C. D would be like we're constantly moving towards this target; we're able to proactively anticipate. Let's just say, from a procurement process point of view, IT is planning to procure a different tool. We're able to say, okay, we know that this is going to happen; in regards to if we bring this tool online, we're able to mitigate any kind of threats, we already have the security configurations on that. Or maybe there's a merger, right? We know that they're coming on. An organization is coming on, and we need to understand, we're able to provide them: hey, this is our risk strategy, what do you got? And we're able to anticipate things going forward, so we could plug them in faster.

>> Does that make sense?

>> Oh, yeah. I'll just anticipate AI, you know, better risk. So maybe that would even eliminate one of the coolies, or, you know, help the sense. What else have you got? I know it's crazy talk, but this is stuff I think about every day.

>> Anyways, I'm here.

>> Does it make sense? But you're a vet, right? You understand this makes sense. This is life, right? It's just like, I've got a top-down requirement. The boss says I need this. I'm going to go 80% solution.

>> So, and that's the way that I think, right? And do I wish that I could just tell people what the sandwich is going to do? I wish, but it doesn't happen that way. However, we can, you know, move towards a model that we can communicate across and break down silos through communication with each other, by getting relevant information so people can make decisions. And so it's not so much to ask, but not

>> Yeah. I mean, yeah. I mean, it really is. Why is it difficult to get to phase C? It's because you have politics, you have rules, you have regulations, you have idiots, right? That's just how it is, right? But the thing is that we know that there's a phase C,

>> right? We need to move towards that phase C. If we don't move towards that phase C, we're always going to be stuck with the status quo

>> here, right? So, does that answer your question?

>> I've just never seen it. I was just wondering. The gold at the end of the rainbow. Keep on chasing.

>> Okay, cool. Well, thank you for your time. I appreciate it.