HOW DO YOU PREDICT THE THREAT LANDSCAPE?
Janne Pirttilahti
Director, New Services, F-Secure Cyber Security Services
AGENDA
- Holistic cyber security
- Definitions
- Why predictive capabilities matter
- Predictive approach to cyber threats
- Threat intelligence
- Recommendations
CYBER SECURITY IS A PROCESS
- Understand your risk, know your attack surface, uncover weak spots
- Minimize the attack surface, prevent incidents
- Recognize incidents and threats, isolate and contain them
- React to breaches, mitigate the damage, analyze and learn
PREDICT \pri-ˈdikt\
To declare or indicate in advance; especially: foretell on the basis of observation, experience, or scientific reason.
Source: Merriam-Webster
PREDICTIVE CAPABILITIES ARE NEEDED TO ANSWER MANY QUESTIONS
- Which top three behaviors impact us?
- What do future attacks look like?
- Where to invest next?
- How to train our people?
- How to prepare, and for what?
PRIORITIZE. BE PREPARED.
MARSH & MCLENNAN CYBER HANDBOOK:
MOST ORGANIZATIONS NOT ADEQUATELY PREPARED FOR CYBER ATTACK
Source: www.databreaches.net (breach timeline charts for October and November)
PREDICTIVE APPROACH TO CYBER THREATS
1) ASSET & VULNERABILITY MANAGEMENT: understand the current state of your systems
2) ACTIONABLE THREAT INTELLIGENCE: proactively anticipate new attacks
THE FOUNDATION OF ACTIONABLE INTELLIGENCE IS TO KNOW YOUR OWN SYSTEMS
THREAT INTELLIGENCE: FOREWARNED IS FOREARMED
"Threat intelligence is evidence-based knowledge (e.g. context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets. CISOs should plan for current threats, as well as those that could emerge in the long term (e.g. in three years)."
Gartner, February 2016
Threat intelligence vocabulary (word cloud on the slide): CDN, STIX, TAXII, OSINT, HUMINT, TLP, IOC, CTI, IOA, DGA, MD5, MRTI, ISAC, ISAO, CTIIC, NCCIC, TTP, TAP, SHA1, OTX, SIEM, CISA, IODEF, OpenIOC, CybOX, YARA
Intelligence service categories: Technical Intel, Adversary Intel, Vulnerability Intel, Breach Monitoring, TIP (Threat Intelligence Platform), Strategic Intel, Data Enrichment
THE DIFFERENT LEVELS OF THREAT INTELLIGENCE
STRATEGIC / EXECUTIVE LEVEL
- Strategic, high-level information on changing risk
- Geopolitics, foreign markets, cultural background
- Vision timeframe: years
OPERATIONAL / TACTICAL
- Details of a specific incoming risk: who, what, when?
- Attackers' methods, tools and tactics, their modus operandi
- Early warnings of incoming attacks
- Vision timeframe: months, weeks, hours
TECHNICAL
- Specific IOCs (for SIEM, firewall, etc. integration)
- More data, less intel
- Automated processing is paramount
- Vision timeframe: hours, minutes (but also long lasting)
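The technical level described above is the one that only works when it is automated: indicators arrive faster than anyone can read them, most of them never match anything you own, and stale ones generate noise. The following is an added example, not code from the deck or from F-Secure, of the minimal pipeline a SIEM integration performs: age out old indicators, index the fresh ones by type, extract observables from log lines, and raise an alert that carries the indicator's TLP marking and confidence. The indicator feed and log lines are constructed for illustration, and the feed layout is a hypothetical simplified one, not STIX/TAXII.

```python
"""Technical-level threat intelligence: automated IOC matching over log lines.

Added example, not from the F-Secure deck. Indicators, hashes, addresses and
log lines are constructed; the feed layout is a hypothetical simplification.
"""
import re
from datetime import date, timedelta

# Constructed indicator feed (hypothetical format): type, value, TLP marking,
# first-seen date and analyst confidence. None of these values are real IOCs.
INDICATORS = [
    {"type": "domain", "value": "update-cdn.example.net", "tlp": "AMBER",
     "first_seen": "2016-10-01", "confidence": 90},
    {"type": "ipv4", "value": "198.51.100.23", "tlp": "GREEN",
     "first_seen": "2016-09-20", "confidence": 70},
    {"type": "md5", "value": "0123456789abcdef0123456789abcdef", "tlp": "WHITE",
     "first_seen": "2016-06-01", "confidence": 30},
    {"type": "sha1", "value": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
     "tlp": "WHITE", "first_seen": "2016-11-02", "confidence": 80},
]

# Constructed log lines in a key=value style (proxy, EDR file event, DNS).
LOG_LINES = [
    "2016-11-03T09:12:01Z proxy src=10.0.0.15 dst=198.51.100.23 "
    "host=update-cdn.example.net url=/a.php status=200",
    "2016-11-03T09:12:05Z proxy src=10.0.0.16 dst=203.0.113.7 "
    "host=www.example.org url=/ status=200",
    "2016-11-03T09:13:40Z edr host=WS-0017 action=file_write "
    "sha1=a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 path=C:\\Users\\x\\r.exe",
    "2016-11-03T09:14:02Z dns src=10.0.0.20 qname=mail.example.com rcode=NOERROR",
]

# How each observable type is pulled out of a lower-cased log line. Hashes use
# word boundaries, so a 40-hex SHA1 is never mis-read as a 32-hex MD5.
OBSERVABLE_PATTERNS = {
    "sha1": re.compile(r"\b[0-9a-f]{40}\b"),
    "md5": re.compile(r"\b[0-9a-f]{32}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:host|qname)=(\S+)"),
}


def build_index(indicators, today, max_age_days=90):
    """Index still-fresh indicators as {type: {value: indicator}}.

    Technical intel decays quickly ("more data, less intel"): an indicator
    first seen more than max_age_days ago is dropped so the match set stays
    small and current instead of growing without bound.
    """
    cutoff = today - timedelta(days=max_age_days)
    index = {}
    for ioc in indicators:
        if date.fromisoformat(ioc["first_seen"]) < cutoff:
            continue
        index.setdefault(ioc["type"], {})[ioc["value"].lower()] = ioc
    return index


def extract_observables(line):
    """Return (type, value) pairs found in one log line."""
    found = []
    lowered = line.lower()
    for kind, pattern in OBSERVABLE_PATTERNS.items():
        for match in pattern.finditer(lowered):
            value = match.group(1) if pattern.groups else match.group(0)
            found.append((kind, value))
    return found


def match_logs(lines, index):
    """Alert on every observable that matches an indexed indicator.

    Each alert keeps the indicator's TLP marking (so the analyst knows how
    far the alert may be shared) and confidence, and alerts are ordered by
    confidence so the highest-value hit is handled first.
    """
    alerts = []
    for lineno, line in enumerate(lines):
        for kind, value in extract_observables(line):
            ioc = index.get(kind, {}).get(value)
            if ioc is not None:
                alerts.append({"line": lineno, "type": kind, "value": value,
                               "tlp": ioc["tlp"],
                               "confidence": ioc["confidence"]})
    alerts.sort(key=lambda a: -a["confidence"])
    return alerts


def run(today="2016-11-03"):
    """Match the constructed logs against the feed as of the given ISO date."""
    return match_logs(LOG_LINES, build_index(INDICATORS, date.fromisoformat(today)))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

As of 2016-11-03 the MD5 indicator is 155 days old and is aged out, so the three alerts are the AMBER domain hit and the GREEN address hit on the first proxy line and the SHA1 hit on the EDR line; re-running with a date in mid-2017 produces no alerts at all, which is the point of the expiry: an unexpired indicator list is a growing list of false positives.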
MANY ORGANIZATIONS START WITH FREE SOLUTIONS.
NOTHING BEATS AN EXPERT.
PROCURING STRATEGICALLY RELEVANT INTELLIGENCE IS EXTRAVAGANT.
STRATEGICALLY RELEVANT DATA IS UNIQUE TO EACH COMPANY
All threat data:
- Vulnerability feeds
- Exploit kit feeds
- Malicious software feeds
- Indicators of compromise feeds
- Bad IP address feeds
- Botnet activity feeds
- DNS change feeds
- Reputation feeds (URL & content)
- Known threat actor behavior data
- All "breadcrumb" data from company personnel
- ...
The slide narrows this down in four steps: global landscape, business area landscape, possibly relevant data, strategically important data.
EVEN ACTIONABLE INTELLIGENCE IS ONLY WORTH IT WITH PROCESSES IN PLACE TO EFFECTIVELY ACT ON IT.
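Two slides make the same point from different ends: the predictive approach rests on asset and vulnerability management first and actionable threat intelligence second, and the funnel above narrows all threat data down to what is strategically important for one company. What connects them is the asset inventory: a vulnerability feed entry is only relevant if you run the affected product at an affected version, and it is only urgent if the host is exposed or critical. The following is an added example, not code from the deck or from F-Secure, of that filtering and prioritisation step. The feed entries, identifiers (VULN-A and so on, not real CVE numbers), the asset inventory and the scoring weights are all constructed for illustration.

```python
"""Turn a global vulnerability feed into company-specific, actionable intel.

Added example, not from the F-Secure deck. Feed entries, identifiers, assets
and scoring weights are constructed; a real feed would carry CVE/CPE data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str          # dotted version string, e.g. "2.4.12"
    internet_facing: bool
    business_critical: bool


@dataclass(frozen=True)
class VulnEntry:
    ident: str            # constructed identifier, not a real CVE
    product: str
    fixed_in: str         # every version below this one is affected
    exploited_in_wild: bool
    cvss: float


# Constructed "global landscape": everything the feed talks about.
FEED = [
    VulnEntry("VULN-A", "webserver", "2.4.13", True, 9.8),
    VulnEntry("VULN-B", "webserver", "2.4.10", False, 5.3),
    VulnEntry("VULN-C", "mailgateway", "7.1.0", False, 7.5),
    VulnEntry("VULN-D", "someothercms", "3.0.0", True, 10.0),
]

# Constructed asset inventory: the "know your own systems" foundation.
ASSETS = [
    Asset("www1", "webserver", "2.4.12", True, True),
    Asset("intranet", "webserver", "2.4.9", False, False),
    Asset("mx1", "mailgateway", "7.2.0", True, True),
]


def version_tuple(version):
    """Compare versions numerically, so 2.4.9 sorts before 2.4.10."""
    return tuple(int(part) for part in version.split("."))


def affected(asset, vuln):
    """True when the asset runs the vulnerable product below the fixed version."""
    return (asset.product == vuln.product
            and version_tuple(asset.version) < version_tuple(vuln.fixed_in))


def priority(asset, vuln):
    """Constructed scoring: base CVSS plus bumps for exploitation and exposure."""
    score = vuln.cvss
    if vuln.exploited_in_wild:
        score += 3.0       # attackers are already using it
    if asset.internet_facing:
        score += 2.0       # reachable without a foothold
    if asset.business_critical:
        score += 1.0       # impact if it goes down or is breached
    return round(score, 1)


def actionable(feed, assets):
    """Strategically important data: feed entries that hit our assets,
    highest priority first, as (score, vulnerability id, hostname)."""
    hits = [(priority(asset, vuln), vuln.ident, asset.hostname)
            for vuln in feed for asset in assets if affected(asset, vuln)]
    hits.sort(reverse=True)
    return hits


def not_relevant(feed, assets):
    """Feed entries that touch nothing we run; noise for this company."""
    return [vuln.ident for vuln in feed
            if not any(affected(asset, vuln) for asset in assets)]


if __name__ == "__main__":
    for score, ident, host in actionable(FEED, ASSETS):
        print(f"{score:5.1f}  {ident}  {host}")
    print("ignored:", not_relevant(FEED, ASSETS))
```

With the constructed data, VULN-D has the highest CVSS in the feed and is exploited in the wild, yet it is discarded because nothing in the inventory runs that product; the top item instead is VULN-A on the internet-facing, business-critical web server. The same feed would produce a different shortlist for a different inventory, which is what "strategically relevant data is unique to each company" means in practice.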
CLOSING WORDS
- Understanding your own environment is the foundation
- There are both commercial and free options available
- Start from figuring out what benefits you the most
- Threat intelligence can strengthen your security posture
QUESTIONS & ANSWERS
f-secure.com