
A humble, yet agile 4-step framework for operational CTI

BSides Oslo · 2022 · 17:32 · 60 views · Published 2023-01
Style: Talk
About this talk
Lorena Carthy-Wilmot is a Senior Adviser for the Digital Police Work (DPA) section of the Joint Intelligence and Investigation Unit (FEE) in the East Police District located in Lillestrøm, Norway. Lorena, former Head of the FTS Lab at PwC in Oslo, has always had a passion for forensics and computers, and started her career as a Digital Forensics Investigator in 2018 right out of school. She is currently researching for a master's degree in Cyber Security at Teesside University in Middlesbrough, UK, within the field of Cyber Threat Intelligence, a new and growing interest of hers. Lorena is Deaf, but wears hearing aids. Therefore, she encourages people to speak to her by facing her and with an extra dash of patience, as new voices take some time to adapt to!

This is a presentation based on Lorena's research for her master's degree. Lorena has created an agile-focused framework that is based on only 4 steps for turning intelligence into action. This means that by applying the framework, defenders can focus on identifying the threat to understand the outcomes. Fast and easy; agile.
Transcript [en]

Oh, thank you. I'm going to start. If anybody's into The Hitchhiker's Guide to the Galaxy, happy Towel Day; if not, you should read the book. So yeah, today I'm going to be talking about my master's degree project. It has a different title, but it is "a humble and yet agile" one, and I'm going to get a little bit more into that.

So first, who am I? My name is Lorena Carthy-Wilmot. I am a senior advisor for the section of digital police work, which in Norwegian is "digitalt politiarbeid", and which is a part of the joint unit for investigations and intelligence, and I work for the East Police District in Lillestrøm. I used to be, as you have seen, many PwC people here today, I used to be the head of the forensics lab at PwC. I have a bachelor in digital forensics. If there's anything that you can get out of today, it is that I love forensics; just gonna put that out there. And hopefully in June I'm gonna be receiving my master's degree in cyber security. I was born and raised in Peru, and well, Norway is home. And I'm deaf, so if you do have questions when we meet afterwards, just make sure that you face me when you speak, and that's pretty much it. And if I ask you a bunch of times to repeat yourself, just please do it. Yes, and that's my doggy, so I thought it was important to bring her into the slides.

As you all know, the opinions are my own. This presentation is based on my master's, but it's only for educational purposes, and even the slides are mine; nothing here is either PwC's or the police's.

So my degree, it's called "Turning Intelligence into Action", and it's an agile four-phase framework for operational cyber threat intelligence. The reason why I chose this, which I would say is very far away from forensics but also a little bit more high level when it comes to cyber security, is because I wanted something that was challenging, but also where I could actually be honest with myself and say, "I know nothing about this, so how about I actually learn it?" And I was able to sit down during lunch with an awesome co-worker and discuss this topic, and yeah, that's how I got into it.

Cyber threat intelligence is a widely discussed subject. You hear "threat intelligence" everywhere, especially in cyber security. It was interesting and relatively new; what I mean with that is the fact that we hear a lot about it, but it kind of is becoming more of a buzzword, and so is the whole agile thing, which I thought, "Oh, how about I also learn about that? Why not?" And it was aligned to my personal goals, which are to challenge myself in a new topic and also to expand what I do, because forensics is a very niche subject. So with threat intelligence I was able to expand and learn more and actually, you know, have discussions with really awesome people that work in this field, and also it's very fun to work with and learn about.

But yes, we hear about threats all the time, right? That's why we're here, because we work with that, and thankfully the reason that there are threats is the reason that we have a job, which is great. But the thing is that a threat is not just about having a threat and not doing anything about it; there's a whole subject around it. It's actually having an action towards that threat, either an action or a non-action, which I'm going to go into in a loop later.

But now first, because I'm using all this "threat" and "intelligence" and all that, I'm just going to try to give you a little "what's intelligence" in under 60 seconds. Don't time me, because I didn't test it. But it's pretty much what we do every day. Intelligence can be seen in a very simple example, which is, for example, today when we woke up, hopefully most of us checked our phones and checked the weather. We decide what to bring and what not to bring, so either an umbrella or a jacket or a thick coat or stuff like that. So you make a lot of decisions based on the information that you're getting, and in that case it will be the weather app. Based on that you make the decisions, and then you come here today and you realize, well, it's Norway, so you're gonna have to prepare for absolutely everything. We had sun at some point. So that's pretty much intelligence: it's a whole process of using the data that you obtain for deciding what to do or what not to do, in very broad terms, I would say.

There are three levels of abstraction. The first one is tactical, which is very specific; that's where we're looking at the IOCs, like indicators of compromise, IPs and all that stuff, and that's mostly for and by network defenders and threat hunters. That's where we obtain TTP reports, threat behaviors, analytics, all that. The next one is operational, which is kind of like the one that joins this one to the one that I'm gonna mention later, but it's also by incident response, SOC leadership, regular leadership, and the delivery method is usually hunting, detection, collection management. It's a little more logistic. And the last one is strategic, which is for and by management and leadership, and these are risk assessments and business context. So these three, I will say that you cannot just have one of them to be able to gather and act on intelligence; you actually need these to work together very nicely to get forward. What I focus mostly on in my research is the operational part, which is kind of like the one that joins these two.

Yes, and now agile. I'm going to say it in under 30 seconds, because I'm pretty sure nobody wants to hear about agile. It's a methodology, it's for software development and it works great, but what I like is that it has these methodologies or steps or things that you can apply to many things, and that's the reason why I started actually reading about cyber security and agile methodology and how they can work together. So I thought, why not make something along those lines? So it's all about, you know, you have that process where you plan, design, develop, test, release, get feedback, so you can actually apply the agile methodology to anything that you do in your life, but in this case I put it on cyber threat intelligence.

Ah, let's see. So yeah, I thought first, "Oh, how about agile threat intelligence?" and I was like, no, because I'm not really gonna focus that much on the agile thing. So for that I decided instead to make a framework, and with a framework I had some goals or some objectives. I wanted to really create something that is easy to apply, but mostly that you can really identify threats with whilst CTI is still fresh, I mean as in your knowledge: how much you know about cyber threat intelligence and how much you're willing to put money and time into it. The next goal was to apply the key elements from agile methodology to the way you're going to be working with your intelligence. The next goal was to really make an easy-peasy lemon squeezy framework, something that you can really learn and adopt, and if you actually get really good at it, then you can go into a different framework. That's the whole point of frameworks: they're not supposed to be just boxes, they're supposed to be ways of doing things. And the next one was to be able to, by using the framework that I make, identify threats and categorize them. So following all these things: easy, using agile, and clearly identifying threats.

But then I realized there are so many other frameworks, so where was I gonna start? And I started with just grabbing a bunch of them and creating the four-phase framework. I call it something as simple as "four-phase framework" because I didn't want it to have a very fancy name or anything super long that at the end is more name than it is actually, you know, the framework. My idea was to really have it very simple, something that you can get started with and not be losing yourself in terms and terminology and all that. So I use it as the "4P framework", and these are all the other frameworks that I have grabbed something from to be able to make my own. From the Trike threat model (in my project I go through each of them, but in general) I just grab the fact that the Trike threat model is open source, it works with data flows, and it has them in the goal of enumeration. With the OCTAVE one, it's also based on, it only has three phases, it's practical and it's very CIA focused. Then with the NTCTF, which I think is this cyber threat methodology also called that by the American government, it also has only four phases, and it focuses a lot on common language, which I took for my own framework. And then MITRE and the Lockheed kill chain, I just kind of focus on the flow and the simplicity that these very well-known and widely used frameworks provide.

So by applying agile methodology to cyber threat intelligence, I was able to first put together two columns. Agile has different elements, but the ones that kind of had more meaning to me when it comes to intelligence were, for example, "identify ambiguity", and with that I translate it into my own framework by recognizing the threat, so that's phase one. Then "iterative" (I read that word, I don't pronounce it out loud) and "splitting", and that is kind of like making it into small pieces to be able to identify the target. With "time boxing", it's about, you know, just focus on what is important here. And with "outcomes", it is really about acting on the results: now that you have identified your threat, what are you going to do with that? Because it's about putting your money where your mouth is, right? So phase one, recognize the threat; phase two, identify the target; phase three, prioritize the threat; and phase four, act on the results.

So I'm not gonna go and read the entire slide on this one, because it's only 20 minutes, but with phase one it's mostly focusing on what is a target, what is the impact of a target and what should be done, but very broadly, very simple, and you just have to answer some questions for yourself to be able to start identifying this threat. Because, I mean, if you have only Linux systems and the threat is going around on Windows, then is it really a threat for you? Probably not. The next one, phase two, is identify the target, and it's about understanding the organization's crown jewels, the infrastructure, the stakeholders, as well as the resources and systems. In this phase I only have two main questions that you should be able to answer to move forward to the next phase. And it really works by, if you can answer the questions in the first phase with yes and no, because that's as simple as I wanted it to be, and if you have more yeses than noes, then you can actually move into the next one and then be able to start understanding, okay, this is actually a threat that I should be paying attention to.

Then it comes to prioritizing the threat, because not all threats are the same; some are more damaging than others. It's like zero-days, for example, are bad threats, but if you don't know, then you cannot do much about it. So here I have way more questions, but it really is to be able to say, okay, now that I understand that there's a threat for my organization, and I find that the target is something where I have my crown jewels, then I can actually move forward to the next phase. And I made it into a score, then again very simple, just to be able to be easily applied and easily used. And yeah, so here's more into how the threat level adapts and in which category of the cyber threat intelligence levels I would say it falls into. So it's about an action or a non-action or communication that you will have to give to stakeholders.

And then the last phase is about acting on the results. Like I say, you really need to do something with the information that you have gathered. In the example of the weather, you either bring a jacket or you don't bring a jacket, so that's an action or a non-action. And once you have answered all the questions, which again are simple to ask but also give you a really good view on what is a threat and how important it is to the organization, then you can actually make a list of actions or non-actions. So that is the four-phase framework.

I have some lessons learned, and that is that, right, cyber threat intelligence is really fun. I really enjoy learning about it. I don't know if I will stop doing what I'm doing for my everyday job for threat intelligence yet, but for now it's good. I also learned that if you create yet another framework, it doesn't mean that it's good, but it also doesn't mean that it's not needed. For me it was, because I was able to learn about cyber threat intelligence, and I also feel like if any small team or organization would like to use it, first of all that would be great, but also it's a really good starting point. And yes, it was a great way to learn. And intelligence thrives from collaboration, so I believe it should continue to be that way; I know that there, I mean, I do not comment on the fact that intelligence is just shared between some group of people. And even the concepts on intelligence and all that, as a person that understands computers, getting into the field just to see what was happening was a little intimidating, so I think we actually have to continue making it into a more collaborative field. And yes, cyber threat intelligence was out of my comfort zone; I prefer forensics, but it was really good, right? And yes, so I did this project while I was working full time at PwC, and it was very challenging, because I had very little time to enjoy my little baby there, but I mean, she has to go to college at some point, so I need to do it. So that's me. Thank you. [Applause]
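The talk describes the four phases as yes/no gates (proceed when yeses outnumber noes), a simple score in phase three that maps to a CTI level, and a list of actions or non-actions in phase four. The following is an added example that models that flow as a small triage pipeline; it is not the speaker's code or the framework's published question set. The concrete questions, weights, thresholds, level mapping and sample organisation and threat reports are assumptions made here for illustration, including the talk's own Linux-shop-versus-Windows-threat case.

```python
"""Toy model of the four-phase framework from the talk (example code, not the author's).

Phase 1  recognize the threat    yes/no questions; proceed when yeses outnumber noes
Phase 2  identify the target     two yes/no questions about crown jewels and systems
Phase 3  prioritize the threat   a simple score mapped to a CTI level
Phase 4  act on the results      a list of actions, or an explicit non-action

The questions, weights, thresholds and sample data below are assumptions made for
illustration; the talk does not spell them out.
"""
from dataclasses import dataclass, field


@dataclass
class Organization:
    platforms: set[str]          # operating systems we run
    systems: set[str]            # systems in our infrastructure
    crown_jewels: set[str]       # business-critical subset of systems
    owners: dict[str, str]       # system -> stakeholder to notify


@dataclass
class ThreatReport:
    name: str
    platforms: set[str]          # platforms the threat affects
    targeted_systems: set[str]   # kinds of systems it goes after
    actively_exploited: bool
    exploit_public: bool
    patch_available: bool


@dataclass
class Assessment:
    threat: str
    stopped_at: int              # phase where we stopped; 4 means all phases completed
    score: int = 0
    level: str = "none"          # tactical / operational / strategic (assumed mapping)
    actions: list[str] = field(default_factory=list)


def more_yes_than_no(answers: dict[str, bool]) -> bool:
    """The talk's gate between phases: move on when you have more yeses than noes."""
    yeses = sum(answers.values())
    return yeses > len(answers) - yeses


def phase1_recognize(org: Organization, report: ThreatReport) -> dict[str, bool]:
    """Phase 1: is this a threat for us at all? (Linux shop, Windows threat: probably not.)"""
    return {
        "affects a platform we run": bool(report.platforms & org.platforms),
        "is being exploited in the wild": report.actively_exploited,
        "exploit code is public": report.exploit_public,
    }


def phase2_identify_target(org: Organization, report: ThreatReport) -> dict[str, bool]:
    """Phase 2: does it reach our crown jewels, and is the affected system ours?"""
    return {
        "targets one of our crown jewels": bool(report.targeted_systems & org.crown_jewels),
        "affected system is in our infrastructure": bool(report.targeted_systems & org.systems),
    }


def phase3_prioritize(org: Organization, report: ThreatReport) -> tuple[int, str]:
    """Phase 3: a simple additive score (assumed weights) mapped to a CTI level."""
    score = 0
    score += 3 if report.targeted_systems & org.crown_jewels else 0
    score += 2 if report.actively_exploited else 0
    score += 1 if report.exploit_public else 0
    score += 2 if not report.patch_available else 0   # no fix yet is worse
    level = "strategic" if score >= 6 else "operational" if score >= 3 else "tactical"
    return score, level


def phase4_act(org: Organization, report: ThreatReport, level: str) -> list[str]:
    """Phase 4: turn the answers into concrete actions and stakeholder communication."""
    actions = []
    affected = sorted(report.targeted_systems & org.systems)
    if report.patch_available:
        actions.append(f"patch affected systems: {', '.join(affected)}")
    else:
        actions.append(f"no vendor fix yet: apply compensating controls on {', '.join(affected)}")
    if report.exploit_public:
        actions.append("add detections for the public exploit")
    for system in affected:
        actions.append(f"notify {org.owners.get(system, 'unknown owner')} (owner of {system})")
    if level == "strategic":
        actions.append("brief management: business risk to crown jewels")
    return actions


def run_framework(org: Organization, report: ThreatReport) -> Assessment:
    """Run all four phases; an early stop records an explicit non-action."""
    for phase, questions in ((1, phase1_recognize), (2, phase2_identify_target)):
        if not more_yes_than_no(questions(org, report)):
            return Assessment(report.name, stopped_at=phase,
                              actions=[f"non-action: stopped at phase {phase}; record the decision"])
    score, level = phase3_prioritize(org, report)
    return Assessment(report.name, 4, score, level, phase4_act(org, report, level))


# Constructed sample data (assumptions, not from the talk or any real organisation).
ORG = Organization({"linux"}, {"customer-db", "web-frontend", "mail"}, {"customer-db"},
                   {"customer-db": "data-team", "mail": "it-ops"})
WINDOWS_RAT = ThreatReport("windows-rat", {"windows"}, {"domain-controller"}, True, False, True)
LINUX_DB_ZERO_DAY = ThreatReport("linux-db-0day", {"linux"}, {"customer-db"}, True, True, False)
LINUX_MAIL_BUG = ThreatReport("linux-mail-bug", {"linux"}, {"mail"}, True, False, True)

if __name__ == "__main__":
    for rep in (WINDOWS_RAT, LINUX_DB_ZERO_DAY, LINUX_MAIL_BUG):
        print(run_framework(ORG, rep))
```

The gate function is shared by phases one and two so the "more yeses than noes" rule lives in one place; with only two questions in phase two that means both must be yes, which is the strictness the talk describes for moving on to prioritisation. Early stops still produce an output, because a documented non-action is part of the framework, not a silent drop.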