
Cool, so my name is Safia, and today we're talking a little bit about threat intelligence. This talk has done the rounds, so if you have seen it before I will not be offended if you walk out halfway; not much has changed. Today we'll be talking about threat intelligence, how you can implement it into different departments in your organization, how it's actually beneficial for everyone, not just technical people or non-technical people, and how it can help improve the posture of a business as well.

So who am I? My name is Safia. I'm a strategic threat intelligence team lead in industry, and I'm a CREST Certified Threat Intelligence Manager as well. I previously was a pentester, so I spent about two years doing lots of APIs and maybe some external infra, and then I got bored of that and moved into car hacking. I did that for about a year and a half, got bored of that, and moved into threat intelligence, where I'm not bored yet, so hopefully I'll stay around for some time to come. I'm also an admin of the Ladies of Cheltenham Hacking Society, so if you are local we have our next meeting soon, on the 9th of September, if you fancy going up country a bit into Cheltenham. I am a Security Queens co-founder as well. Security Queens is a platform and blog that I founded during COVID with two other women in industry, where we wanted to promote free, accessible learning material for anyone wanting to upskill in cyber security. I was the team captain for Team UK at the European Cyber Security Challenge, on the team three times, which is just a big CTF really; it's good fun. I've won a bunch of stuff in industry and, according to Channel 4 TV, I'm a certified cyber security expert; I even got the fancy SLE with that as well.

So a little bit about what we're going to be talking about today. This is quite a high-level talk, if you don't know much about threat intelligence or perhaps you want to learn more about it. We'll do a brief introduction to cyber threat intelligence, a snapshot of the cyber threat landscape and why we need CTI to combat that, the benefits of a good CTI program in your organization, and how organizations can use CTI to fight those cyber battles: thinking about how we can advance it with technology, combating common problems we find in the CTI field, and also embracing CTI for the future using scary things like AI and machine learning. Hopefully, if it all goes to time, we'll have some time for questions at the end.

So what is threat intelligence? When I first started threat intelligence I didn't really know what I was doing; I was just a bit bored and wanted something new to do, so I just Googled it, as you do, and got lots and lots of diagrams and words and numbers. It was quite confusing really, because I was like, this might be a bad idea; it looks all very confusing, lots of new buzzwords, new acronyms, and it's all very scary. So we're going to try to dispel that and actually simplify it a little bit more to make threat intelligence more appealing. So what really is threat intelligence? To help explain threat intelligence I found this really good definition, and it's basically the process of collecting, analyzing and sharing information about cyber threats. So you want to collect that data, you want to process it, you want to extract actionable intelligence from that to try to understand a threat actor's motive, target and attack behaviors. What threat intelligence does is help us become more proactive to cyber threats rather than reactive. So instead of "oh God, we're hacked, what do we do now?", it's "what can we do to prevent ourselves getting hacked?", in an ideal world anyway. To help explain it I've got this lovely triangle which explains the different tiers of cyber threat intelligence as well.

The first one we're going to talk about is the strategic level. This is the team that I sit in currently at my company, and what we want to focus on is the high-level intelligence: who are the bad people and why are they doing it? We want to do an overview of the organization's threat landscape and why we might be a target. Usually it's financial motivation, so they want money, or they want to steal data to sell on for money, or they want to steal access to sell on for money. We want to understand why we might be a target and who might be targeting us, and this helps all the big cheeses at the top of a business decide things like budget, policy and resource allocation. It's primarily non-technical, so you're taking all that lovely technical knowledge and technical intelligence and trying to translate that into a business need and a business understanding, usually shared in the form of reports or briefings. Big CEOs don't have time to read 200-page reports, so we have to condense that quite a lot into maybe a one- or two-page report, and it focuses on the long-term strategy of a business: we want to think about how we can make our business and organization more robust for the future.

Operational is the next level of intelligence down, and it focuses on something called TTPs. TTPs are tactics, techniques and procedures, and this is how a threat actor is attacking our organization. You want to identify what kind of capability they have, what opportunities they have, what intent they have, what tools they might be using, and the method, timing and nature of an attack. We want to identify things like IOCs, indicators of compromise, to help respond to those threats, and usually an operational team will use those types of intelligence to work with things like incident response or other defense teams in an organization. This helps us attribute certain types of attacks to certain adversary and threat actor groups, and the intelligence might include detailed TTP information that can be used in other departments in an organization. So if we think of incident response, the security operations center, we've got IT managers that kind of understand that technical information, and sometimes threat hunters that can take that information and go looking for those threats as well.

Finally we'll talk about tactical threat intelligence, and this is quite a simple kind of layer: what is it? We want to know things like what the attack actually is, so things like network logs. It's usually machine readable, so it can be fed into things like TI feeds and automated to fill those out, and intelligence may be shared in the form of APIs, just for ease. It uses things called STIX and TAXII, which are standards for threat intelligence information, which I won't go into; I don't want to bore you, it's still quite early and I think lots of you have got sore heads, so we won't go into that. But what it is, basically, is just raw data that hasn't been analyzed: IP addresses, file hashes, we think this is bad, what can we do from that? What that information can give us is real-time alerts, so if we do find a dodgy IP address we can then issue an alert or a firewall rule against that. It focuses on the immediate future: what can we do now to prevent it, what can we do at this very second? So again, using things like a SOC, any SIEM software that you might have, or any IDS/IPS software that you might have as well.

We'll talk a little bit about the threat intelligence life cycle as well. Any time you want to implement a threat intelligence activity or program into your organization, we follow something called the threat intelligence life cycle, which, depending on what source you go through, is either a five- or six-stage process. For today I guess we'll be following the five stages, and we'll go through each phase, why it's important, and how it feeds through into the next phase of that cycle.

The first one, planning, objectives and direction, is fairly self-explanatory: you want to plan your threat intelligence activity, so you want to define your strategy, your requirements, why you're doing it, who needs to be involved, what deliverables you want from it, and what your objectives are, what you want to achieve in that entire activity. Then you've got data collection. There's no intelligence without data, one of my favorite sayings in CTI, and what we can do is collect it from loads of different sources. We have internal sources such as network logs or maybe packets, and we've also got external sources, so things like news media and open source intelligence, and we want to combine that and collect as much data as we can, but not too much data, and I'll go into why in a little bit. After we get all this amazing data we then want to process it, so we're not just looking at numbers and words. This might be formatting it into a spreadsheet, this might be removing false positives, this might be removing things that we don't think are necessary for the threat intelligence exercise; we just want to make it a little bit easier for us to understand for the next phase of the threat intelligence life cycle, analysis and production. This is when we have our nice data set that's all clean and in a spreadsheet, maybe you've got a pie chart, and we want to analyze it and extract actionable intelligence that can benefit us for our threat intelligence activity, and then produce it somehow. We might have decided in the first stage that we want a report, or we want a slideshow, or we want just a nice spreadsheet, and we want to create that deliverable using all the lovely data that we have, but also analyzing it to create it too. Then we need to share the data. There's no point going through all this work if you don't share it with anyone, so make sure you're including all the stakeholders that would benefit from it. Megaphones are not necessary, but if you would like to use them I'm not going to blame you; we need to make sure we share it, shout about it, because there's no point going through all this hard work and then just putting it in a drawer somewhere. And finally, feedback and lessons learned: looking back at the threat activity, what went well, what didn't go well, did we miss anything, and what we can do to improve our next threat intelligence activity.

Threat intelligence has gone through a bit of an evolution, so I've picked out a few milestones in the past few years that have marked the importance of threat intelligence and why it's important to us in the present day. In 1988 the first CERT team is established; people understand there's a need to respond, a need to understand the breaches and what's going on. Then in the 1990s to 2000s we see a rise in cyber crime, so people start to see phrases like phishing, ransomware and DoS attacks, and organizations begin to recognize the need for intelligence to actually try to protect themselves against that. In 2010 there are a few high-profile breaches, and people start to understand the need for TTPs to then strengthen their defenses and be more specific about their strategy against these TAs, threat actors or adversaries. Just a few there: 2014 had the Sony Pictures breach, 2016 the supposed interference with the election, and of course the ransomware epidemic which really put a spotlight on ransomware. In an ideal world, going forward in the 2020s, CTI is considered quite essential for most organizations, and it includes gathering that information, analyzing it and sharing it about those threats.

So now, why do we need CTI? Here's a very, very quick snapshot into the UK cyber threat landscape. This is the UK, so we've got three things, and this is very simplified; obviously there's a lot of complex things going on in the cyber threat landscape, but I've just picked out three big ones to talk to you about today. First of all, cyber crime. Ransomware is obviously a big thing; we always see it in the news, and unfortunately a lot of organizations across loads of different industries are getting popped. There's a nice graph at the bottom there and at the top showing the target sectors of ransomware actors, and you've got ransomware cases as well, so a bit of fluctuation but still quite high. There was obviously the British Library hack, where all that data was actually listed for 20 Bitcoin on the dark web; you've got JD Sports that were unfortunately popped as well, and even the police. So it's a bad thing, but we're trying to make progress there. Online fraud: we've got the Tinder Swindler, a really great documentary if you haven't seen that on Netflix; people unfortunately falling for things like Facebook Marketplace scams, or text messages saying you need to pay for your parcel, that kind of thing; and a big one with AI as well is deepfakes, so cloning voices or using AI to clone a face or something to try to mimic and imitate a person. We've also got access brokers. Behind most ransomware activities they also try to sell the access that they've gained to that company, so the aim is to break in and basically sell to the highest bidder. There are loads of sectors that are impacted, but there's quite a big focus on industrials, so think about construction, energy and manufacturing. You can see there are a few listings there, "oh yeah, I've got local admin, price 2,500", and these are all forum posts that have been taken from the dark web. We've also got activism. A lot of activism is low-level denial of service, trying to operationally disrupt different companies and different governments, but groups such as Kut have been focused on Ukraine allies, so unfortunately the geopolitical tensions between Ukraine and Russia have allowed lots of pro-Russian activism groups to stand up against that. You can see in that screenshot there, that's actually them asking people to target the UK healthcare sector, so quite scary. We've also got pro-Palestinian groups targeting education and financial organizations in the West, continued use of ransomware, but we've also got the use of access brokers as well. And finally nation states. Nation states are a very complex topic, so I won't go too much into it, but what we're particularly worried about is supply chain, so indicators and early warnings of supply chain attacks to generate potential global disruptions. We had obviously SolarWinds and the absolute chaos that that caused. This usually involves pre-positioning, so it's not just "ah, there's an SSH port open on the internet, I'm just going to go hack it"; there's a lot of strategy there, there's lots of resources and financial investment into that. So when we think about nation states we're thinking maybe about Russia, Iran and North Korea; they have historically deployed things like destructive malware, and there was the MOD breach as well, improving HUMINT operations, trying to profile target nations too.

But it's not all doom and gloom, so we'll talk a bit about the benefits of threat intelligence and how we can combat those types of threats. A non-exhaustive list. The number one being it empowers organizations and makes them feel more confident in their ability to proactively protect themselves but also react to situations as they happen, so not only anticipating and reacting to their threats but improving their strategy for mitigation and defense. It enriches knowledge about the threat actors themselves, the scenarios and the type of attack vectors they might use, so by attributing different attack behaviors to certain threat actors they can then shape their strategy around that, but also promoting collaborative knowledge around sharing that information with either sector-specific sharing centers or within their organization. Supporting incident response programs and strategies: I've mentioned this a few times, but helping feed into those blue team activities. Promoting continuous learning, because the cyber security world is constantly changing and so are the threats, so we need to keep on our toes, constantly learning what's happening out there, tracking new vulnerabilities and bugs, tracking what new tools they're using, and it enables us to analyze those threats as well to understand the bigger picture. And finally the long-term goal of saving costs; this is very, very simplified: fewer breaches, less money spent, that is the goal.

So how do we integrate threat intelligence to fight those cyber battles? We'll talk about the SOC and incident response, because I've mentioned this quite a few times in my presentation so far, but it is one of the end deliverable teams that usually make use of this information the most. In my current role I talk a lot to the incident response teams about how we can use our information to help with their activities. There's a lovely diagram there of how TI feeds might feed into the different things that the SOC do, but threat intelligence can basically help them make those decisions in the incident response process: triaging those alerts, maybe we can help with that; identifying false positives, maybe our intelligence could help bottom that out, that kind of thing. So as we find things we can issue alerts to the SOC or the incident response team for new behaviors: "cool, they're using this tool now", or "this is a domain they're using", send that along and then they can do what they need to do. Types of IOCs might include file hashes, so file-based indicators; network-based indicators, so things like IP addresses or domain names; behavioral indicators, just dodgy stuff happening on your computer really; or artifact-based indicators, so things like registry keys or configuration files. Threat intelligence platforms, also known as TIPs, can be used to help with this collaboration and this communication channel, so by sharing a TIP with the SOC or the incident response team we can help curate this information and have a curated feed to make it real time and accessible for everyone with the latest threats. Essentially, IOCs can help security teams detect and prevent cyber threats and attacks more efficiently and, again hopefully, minimize damage to the organization. I sound very positive, but I'm not sure; we'll see how it goes.

So now we'll talk a little bit about TIPs. What a threat intelligence platform and feed does is basically combine intelligence from loads of different sources and loads of different feeds, so by using a TIP we can help automatically generate alerts for an organization; it takes that load off the human aspect of threat intelligence as well. But most importantly it allows a real-time, continuous flow of information that's continuously updated by all the up-to-date stuff happening in the world, so it's a great thing. TIPs can be integrated with SIEM solutions; benefits include sharing the data, collecting and analyzing the data, enabling that collaboration and information sharing during the incidents, but the thing that I really like about this little definition here is that it makes sure that defenses are updated and ready. So we want to focus on that up-to-date portion of that data, making sure that flow of information is constantly coming through and people are continuously being informed.

Now this is something I work with quite a lot, and it's a really great thing to know if you're a pentester or red teamer working in offensive security, and that's integrating threat intelligence into threat intelligence-led pen testing. Intelligence-led pen testing basically uses threat intelligence to emulate adversary behavior, so two tasks are achieved. One, we can do a threat profile of that actor or adversary that might be attacking an organization, so the tester, whilst they're doing their hacking, can help profile that and then target the critical assets that an adversary might, and then we fine-tune that attack strategy to mimic a real-world adversary, so applying the TTPs to attack the organization, if we want to mimic LockBit or if we want to mimic a certain nation state, for example. What regular pen testing does is it does not consider TI; it kind of focuses on a methodology, if you think about the OWASP Top 10, or you might have your own cheat sheet to work through, and it might rely on standard frameworks, processes and test efficacy. But intelligence-led pen testing relies on the TI output to shape the way you attack a business; that's the main difference there, where every phase of the CTI activity is fed into the pen testing assessment. The benefits of this include that it mimics the real world, it helps an organization to have good adversary perception, it's really effective in combating adversaries, and it allows them to have a more holistic stance when they think about their defenses and their strategy.

Information sharing as well. You've got to share the information; that's one thing I want you to take away from this presentation. Information sharing communities and networks give organizations access to real-time and relevant information that could affect them. There's a little graph at the bottom that shows all the different industry-specific sharing centers, and it brings together industry, academia and government into the same room so they can talk about all the things they're finding and all the things they want to share. There are loads of different ISACs, we call them: there's Aviation, Automotive, Financial, Community, Defence, but essentially it's just bringing like-minded folk into the room and being able to share that information.

Threat hunting, which I've mentioned a few times. I don't know much about threat hunting, which is why this is a very blank page, but essentially it's allowing the threat hunters to use the information we're finding in the threat intelligence activity to help them identify threats within their network. If you look at this little cycle here, we can provide them with that data in the collect data phase and then they can go on to trying to identify those threats. I'm going to mention it again, but it's also providing them with up-to-date data that's actually relevant to the team and the organization as well.

So how can we use all these wonderful things with advancement in technology? Of course I have to talk about AI and machine learning, because if I didn't it wouldn't be a cyber conference, so we will talk about it. The great thing about machine learning and AI is that we can use it to improve analytics in CTI. By using AI we can do fast response to threats, and we can shape the model to be either supervised or unsupervised to create the output that we want. It could also help reduce bias, which can often be associated with human analytics. One thing that we're very, very aware of in CTI is that we have our own biases and our own thoughts and opinions which can actually influence the way we analyze data and the way we present deliverables; if you take that human aspect out of it we could hopefully reduce that. We can also do predictive analytics as well, which is quite fancy. A problem we have is a lot of risk of human error and false positives because of the amount of data we collect; I can only look at so many spreadsheets before I lose my marbles, but AI kind of takes that away, takes that weight off my shoulders. We can use that to also identify patterns in really large data sets, automate processes such as detection and alerts, but also improve information sharing as well, so trying to identify the type of information to share, removing some of the ethical and legal implications around sharing that data with people and establishing the trust between two parties. I found this really good diagram that shows how AI can help that life cycle we were talking about. You can see in collection it could help collect the right type of data to try to reduce the false positives and the processing of the data we have to do in the next phase; parsing, normalizing and structuring that data as well; helping analyze it without bias; personalizing deliverables to different stakeholders from the threat intelligence activity; and also using customer feedback to shape what we can improve in the next one.

But as always, we always have challenges with CTI. It wouldn't be all sunshine and rainbows if it was cyber, so we have to think about what could potentially go wrong and how we can help that. Something I still struggle with is just that things are always changing, but that's quite good because I get bored quite easily; I mean, I've worked in three specialties and I'm like five years into my career, so it works for me because I'm constantly having to learn things and adapt. The good thing, well, "good" thing, about cyber security is bad things are always happening, so you have to constantly think about all the new things happening, how we can prevent it, how we can learn to protect ourselves with these evolving threats. If you think of the 1980s we had the first ransomware, and now when we look into the 2010s we think about more complex social engineering attacks which might lead to ransomware, and the multifaceted adversary attack paths that might happen in an organization. Too much data: when I end up with hundreds of thousands of lines of spreadsheets and just numbers, it's just way too much, I did not need that much data, and then I end up looking like this because I'm just too flustered. So data is good, we need data, but we need to try not to be over-encumbered with data, because then we can lose the plot and cry for a little bit, but we get back, it's fine. Stakeholder buy-in: I have a lot of people say to me, "oh, we don't need CTI, we've already got a security program." I think a lot of people, when they say CTI, think "oh, we need to set up a new team, we need to hire more people" when you do a new thing, when actually it's something that you can already adopt in an organization; it's loads of things that you can bring in and implement into your existing teams. So it's trying to phrase that in business terminology: the numbers, the financial aspect there, the resource allocation, and how it might play out for them.

So we need to embrace CTI for the future. What can organizations do? Some of you might be in a position to make these decisions, or at least have a voice in recommending these decisions to your company. Integration with security operations would be my number one recommendation, so trying to work with the blue team people in the organization; this will help enhance that threat detection but also that response and mitigation capability too. Monitoring and analysis: even talking to your IT team that watches the estate to see what's happening, establishing mechanisms to enable that continuous monitoring but also analyzing for any emerging threats that might be happening in your IT estate, or attack patterns like dodgy behaviors that you can then attribute to certain adversaries. Information sharing: fostering that culture of sharing information in an organization, so not just keeping it to yourselves or keeping it to your own team; if your team finds something really cool or something really bad, then sharing that information with others so they can use that going forward. Automation: data can be tedious, so if you want to implement automated processes that might be a way, so implementing automation to at least improve the processing of the data or even disseminating it. I've worked with organizations that, for example, have automated threat alerts: if a CVE comes out that's, I don't know, eight or higher, they'll automatically issue an alert for that, so just a very simple example. Customizing threat intelligence: a 200-page report won't work for a CEO, but then a one-page business jargon report won't work for your SOC team, so you have to make sure that you're tailoring that deliverable and that end output to the stakeholder so they can get the most information and most use out of it. Working with incident response: providing input into their playbooks and regularly updating incident response plans to reflect the latest threat intelligence. Regularly threat hunting: proactively looking for those threats using up-to-date threat intelligence within the organization's network. Staying informed about certain regulations and standards: I know the financial industry has certain regulations around threat intelligence-led pen testing, and I think ISO 27001 now has something about threat intelligence, so just keeping informed about that, making sure that you're in line with those up-to-date regulations and standards. And investing in AI and machine learning to make your lives easier, if you want; I'm not going to force you to; so keeping up to date with how it could benefit your organization and your existing processes, or how you can create those new processes.

And that is me. I've rattled through that quite quickly; it was quite high level, but I'd be open to any questions. I think we've got about 10 minutes, am I on time? We're on time, eight minutes, but thank you so much. So yeah, feel free to reach out. Oh, we've got a question at the back.

So I'm a teacher, which helps with the shouting. I'm very interested in this area but I'm no expert. I'd be very interested in hearing your thoughts about how this fits within not just the 100 companies, where you can see that you have all these teams set up and it's easy to see that happening, but within SMEs and in the education sector. How do companies that are very tiny, or organizations that don't have this kind of infrastructure, get started?

So that's the million dollar question really, isn't it, because we can always throw loads of money into a solution but it still might not work for a business. When we think about smaller businesses, or perhaps entities that don't have access to those financial resources, CTI is actually a really great space to work in because of the amount of free and accessible resources and the amount of implementation of existing processes you can use. So for example, set one day a week aside just to look at new threats; set up an automated feed, loads of feeds are free of charge and you can tailor it to your business; even something like that is better than nothing. And then as you learn more and mature as an organization, then you can think about, okay, that person can just do the fun stuff. But then it's also about sharing that information. I think lots of people get scared by the term cyber threat intelligence because they think "oh, I don't have the money for that, I don't have the people for that, or the specialty", but actually it's a joint effort of just keeping in tune with what's happening in the world, utilizing those free resources, and making everyone contribute to that process as well. Any other questions?

Oh yes, where's that voice coming from? It's coming from the back, everywhere. So first of all, thank you very much, it was a great talk. I have a question: sometimes when you decide to publish it's really a big moral decision, isn't it? So how do you manage it, how do you decide when to publish a zero day, you know, without shutting down Western cyber counter-terrorism? How do you decide?

It is quite a fine line, isn't it, because you want to be able to help, but then actually providing that data, especially in a public space, could be weaponized by someone bad. So, leaning on what Ken said earlier about responsible disclosure, my first go-to would be always try to talk to them directly in a side conversation rather than posting on the internet for everyone to hear. I think it's quite difficult to gauge whether it's worth sharing or not. It's better safe than sorry, right? It's better to share something and have them go "oh, that's not too bad" rather than "I'm not going to share that" and then a month later they get popped and everything goes bad. I think as humans it's good to trust our gut instinct, but for me I think it's always worth having that conversation anyway, or sharing that information anyway through these ISACs or whichever, and if they decide that's not useful for us, that's fine. I think a lot of businesses have different risk appetites as well, so one thing might be detrimental to one business and nothing to another, so it's just good to have that conversation and share it anyway, and what they do with that is up to them. Well, I think, yeah.

Are there any certifications or any places that you recommend looking into to learn more about CTI?

If you've got deep pockets, SANS do some great courses, but other than that there's also CRTIA, the CREST Registered Threat Intelligence Analyst; that's a really great entry-level one to get under your belt if you did want to move into the CTI field. There are some great things like Udemy courses, loads of literature you can get into. CTI is kind of unique in its way in that you can't really measure your capability, because things are always changing in CTI, but it's great to have that analytical mindset, which is what a lot of these certifications do. Just one last quick one.

Hi, a question: you're saying we should use more machine learning, but don't you have the downside that if fake information is put through, that causes a bit of a bias?

100%, yeah, so that is a risk obviously when using AI models; lots of people lie on the internet, lots of people lie in their data sets. So I think if you were to use AI or machine learning in your organization it would still be good to do a little pre-QA of where the sources are and can we trust them; not that it's just some person on the internet, but are they from a reputable government department or whatever. It's making sure that we can trust where that data is coming from before feeding it into our program. I think that'd be the number one for that.

But before we finish, my rookie is sat right there; come see her talk at 2:30 on track two. Other than that, thank you very much. Are you going? I am, yeah, I am going to be around.
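As an added example (not from the talk or the speaker), a small Python pipeline that walks the processing, analysis and dissemination phases described in the talk: it normalizes and dedupes a constructed IOC feed, drops allowlisted false positives, raises an alert for any CVE with CVSS 8 or higher, and emits a machine-readable feed for the SOC beside a one-line summary for leadership. The feed, the allowlist, the threshold and the CVE ids are constructed placeholder values.

```python
"""Toy CTI pipeline: process -> analyze -> tailor deliverables per stakeholder.

Every feed item, the allowlist and the threshold below are constructed
sample values for illustration; nothing here is a real indicator.
"""
import ipaddress
import json
import re
from collections import Counter

FAKE_HASH = "ab12" * 16  # constructed 64-hex-char value, not a real sample

# Constructed raw feed, shaped like what a TIP or feed API might return.
RAW_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "vendor-feed", "tags": ["c2"]},
    {"type": "ipv4", "value": "203.0.113.45", "source": "isac-share", "tags": ["c2"]},
    {"type": "domain", "value": "Update-Portal.Example.COM.", "source": "vendor-feed", "tags": ["phishing"]},
    {"type": "domain", "value": "update-portal.example.com", "source": "osint", "tags": ["phishing"]},
    {"type": "sha256", "value": FAKE_HASH.upper(), "source": "vendor-feed", "tags": ["loader"]},
    {"type": "sha256", "value": "not-a-real-hash", "source": "osint", "tags": ["loader"]},
    {"type": "ipv4", "value": "8.8.8.8", "source": "osint", "tags": ["scanner"]},   # known-good, allowlisted
    {"type": "ipv4", "value": "999.1.1.1", "source": "osint", "tags": ["scanner"]},  # malformed
    {"type": "cve", "value": "CVE-0000-00001", "cvss": 9.1, "source": "advisory", "tags": ["rce"]},   # placeholder id
    {"type": "cve", "value": "CVE-0000-00002", "cvss": 5.3, "source": "advisory", "tags": ["info"]},  # placeholder id
]

ALLOWLIST = {"8.8.8.8", "example.org"}  # the org's own list of known-good infrastructure (constructed)
CVSS_ALERT_THRESHOLD = 8.0               # "CVE of eight or higher -> automatic alert"

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize(item):
    """Processing phase: canonicalize one raw item; None means junk or allowlisted."""
    kind, value = item["type"], item["value"].strip()
    if kind == "ipv4":
        try:
            value = str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    elif kind == "domain":
        value = value.lower().rstrip(".")
        if not DOMAIN_RE.match(value):
            return None
    elif kind == "sha256":
        value = value.lower()
        if not SHA256_RE.match(value):
            return None
    elif kind == "cve":
        value = value.upper()
        if not CVE_RE.match(value):
            return None
    else:
        return None
    if value in ALLOWLIST:
        return None  # known-good -> treat as a false positive and drop it
    return dict(item, value=value)


def process(raw):
    """Dedupe on (type, value), merging sources and tags from every feed that reported it."""
    merged = {}
    for item in raw:
        n = normalize(item)
        if n is None:
            continue
        key = (n["type"], n["value"])
        if key in merged:
            merged[key]["sources"].add(n["source"])
            merged[key]["tags"].update(n["tags"])
        else:
            merged[key] = {"type": n["type"], "value": n["value"], "sources": {n["source"]},
                           "tags": set(n["tags"]), "cvss": n.get("cvss")}
    return list(merged.values())


def analyze(items):
    """Analysis phase: CVEs at/above the threshold become alerts; IOCs get a corroboration score."""
    alerts = [i for i in items if i["type"] == "cve" and (i["cvss"] or 0) >= CVSS_ALERT_THRESHOLD]
    iocs = [i for i in items if i["type"] != "cve"]
    for i in iocs:
        i["confidence"] = "high" if len(i["sources"]) > 1 else "medium"
    return alerts, iocs


def soc_deliverable(iocs):
    """Tactical tier: machine-readable rows the SOC can load into a SIEM or blocklist."""
    return [{"type": i["type"], "value": i["value"], "confidence": i["confidence"], "tags": sorted(i["tags"])}
            for i in sorted(iocs, key=lambda x: (x["type"], x["value"]))]


def exec_summary(alerts, iocs):
    """Strategic tier: a single sentence for leadership, no hashes or IPs."""
    themes = Counter(tag for i in iocs for tag in i["tags"]).most_common(1)
    top = themes[0][0] if themes else "none"
    return (f"{len(alerts)} critical CVE alert(s) (CVSS >= {CVSS_ALERT_THRESHOLD}); "
            f"{len(iocs)} indicator(s) after dedupe, dominant theme: {top}.")


def run_pipeline(raw=RAW_FEED):
    items = process(raw)
    alerts, iocs = analyze(items)
    return {"alerts": alerts, "soc": soc_deliverable(iocs), "exec": exec_summary(alerts, iocs)}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2, default=sorted))
```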