Cyber Threat Intelligence - Alexandre Dulaunoy


Cyber Threat Intelligence
An analysis of an intelligence led, threat centric, approach to Cyber Security strategy within the UK Banking and Payment Services sector
A Research Whitepaper

Contents
Version 1.12 Cyber Threat Intelligence Research Paper

This report is divided into four sections:

1.0 Summary
An overview of the rationale, key principles and characteristics for a cyber threat intelligence capability.

2.0 Research Paper: Cyber Threat Intelligence
A detailed analysis summarising key industry and academic research detailing the requirements for a collaborative and federated cyber threat intelligence capability.
  High Priority Targets
  Data, Information & Intelligence
  Big Data Analytics
  Intelligence
  Key Principles
  Research Review
  Common Issues in Cyber Security
  Cyber Threat Sharing
  Cyber Warfare
  Cyber Kill Chain
  Tactical, Operational & Strategic Cyber Intelligence
  The Intelligence Cycle
  Direction
  Collection
  Standard Technical Reports Using Modules
  Processing
  Search, Visualisation & Analysis
  Situational Awareness & Understanding
  Principles of Intelligence
  Suitably Qualified & Experienced Personnel
  Dissemination
  Conclusion

3.0 Technical
A technical analysis including a feasibility study.
  Principles and Concepts
  Fusion Node Network
  Area of Intelligence Interest (AOII) & Area of Intelligence Responsibility (AOIR)
  Course of Action (COA) Analysis
  Standardised Report Formats

4.0 Further Research and Briefing Resources
  Vendor Cyber Threat Intelligence & Security Services
  Vendor Search, Visualisation & Analysis Tools
  Cyber Security Reporting
  CISO Resources
  Case

A further separate appendix is also available:

5.0 A Criminological Review
This document references academic studies of cyber security used in production of the research paper.

Section 1.0
Summary

"Insanity: doing the same thing over and over again and expecting different results"
Albert Einstein (1879-1955)

Banking and Payment Services represents one of several high priority targets for Computer Network Attacks (CNA). CNA has arguably become the most prevalent medium of the threat to the confidentiality, integrity and availability of retail, corporate and investment banking. It also represents a strategic threat to the payment systems and services that constitute the cortex of a hyper-connected and interdependent financial system.

Further investment in technological defences is no longer proving effective against high end CNA threats. These highly organised, sophisticated and networked attacks are the variants that repeatedly penetrate Computer Network Defences (CND). The consequences of these attacks are evolving from simply intrusive, to disruptive and eventually destructive, as the value of CND erodes from porous to inverted and eventually to virtual. Technological hardware and software defences remain the bedrock of an effective cyber security strategy, mitigating the majority of less sophisticated attacks. However, a cyber security strategy founded on these measures alone will not be effective in the future.

This paper advocates the creation of a collaborative and federated cyber threat intelligence capability as the capstone to an effective cyber security strategy. This would improve the protection of retail, corporate and investment banking networks by allowing security managers to prioritise vulnerability patching. It would operate within existing information sharing forums as well as national and international governance initiatives to achieve a level of cyber security that cannot be achieved by any single institution alone. The aggregation of attack, anomalous and decline data reports into a single secure environment that affords anonymity to all contributing financial institutions would, for the first time, achieve a Common Operating Picture (COP) of all CNA attacks and anomalous data across all areas of Banking and Payment Services.

Separating data submissions into retail, corporate and investment profiles would allow a detailed Electronic Pattern of Life (EPoL) of CNA to be discerned for each form of CNA target. Moreover, the creation of "big data" in these variants would also allow Electronic Finger Printing (EFP) of CNA Tactics, Techniques and Procedures (TTPs), offering potential collateral benefits by aligning corporate security education and training to the most damaging and prevalent attacks and informing the design or refinement of future CND architecture.

This initiative builds upon the lessons identified from the Banking and Payment Services initiative to combat fraud and the design and evolution of the Financial Intelligence Sharing Service (FISS). The ownership of both the function and the data of this entity remains under the full control of the contributing institutions.

A Banking and Payment Services Cyber Threat Intelligence (CTI) capability will also provide a docking point for law enforcement and the regulator without the reputational risk associated with current single institution bi-lateral arrangements. A collaborative and federated capability also represents the most cost effective arrangement to increase the effectiveness and efficiency of existing cyber security measures.

The potential to achieve understanding of a novel and complex problem is optimised by seeing the whole problem, whether at the centre or the edge of the issue.
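The aggregation described in the Summary (attack, anomalous and decline reports from several institutions pooled into one secure environment that hides which institution submitted what, split into retail, corporate and investment profiles, with an hour-of-day pattern of life and a view of which indicators and TTPs several contributors have seen) can be sketched in code. The following is an added illustration, not code from the paper or from the Payments Council. The report schema, the HMAC-based pseudonymisation, the gateway key and the sample submissions are all assumptions constructed for the example.

```python
import hashlib
import hmac
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed: a key held by an anonymising gateway that sits between the
# contributing institutions and the shared fusion node. The node stores
# only pseudonyms, so it can count distinct contributors but not name them.
GATEWAY_KEY = b"example-gateway-key-not-for-production"

PROFILES = ("retail", "corporate", "investment")
CATEGORIES = ("attack", "anomalous", "decline")


def pseudonymise(institution: str, key: bytes = GATEWAY_KEY) -> str:
    """Keyed, non-reversible token for an institution. HMAC rather than a
    bare hash: the set of UK institutions is small, so an unkeyed hash
    could be inverted simply by hashing every candidate name."""
    return hmac.new(key, institution.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def sanitise(raw: dict) -> dict:
    """Gateway step: enforce the agreed, codified schema and strip the
    contributor identity before the report enters the shared environment."""
    if raw["profile"] not in PROFILES or raw["category"] not in CATEGORIES:
        raise ValueError(f"report outside agreed schema: {raw}")
    return {
        "contributor": pseudonymise(raw["institution"]),
        "profile": raw["profile"],
        "category": raw["category"],
        "ts": datetime.fromisoformat(raw["ts"]).astimezone(timezone.utc),
        "indicator": raw["indicator"],   # e.g. attacking source address
        "ttp": raw["ttp"],               # codified technique label
    }


def build_cop(reports: list) -> dict:
    """Per-profile Common Operating Picture: report counts by category,
    number of distinct pseudonymous contributors, an hour-of-day pattern
    of life, and indicators/TTPs reported by more than one contributor."""
    cop = {}
    for profile in PROFILES:
        subset = [r for r in reports if r["profile"] == profile]
        seen_by = defaultdict(set)   # indicator -> contributors reporting it
        ttp_by = defaultdict(set)    # ttp -> contributors reporting it
        for r in subset:
            seen_by[r["indicator"]].add(r["contributor"])
            ttp_by[r["ttp"]].add(r["contributor"])
        cop[profile] = {
            "reports": len(subset),
            "by_category": Counter(r["category"] for r in subset),
            "contributors": len({r["contributor"] for r in subset}),
            "pattern_of_life": Counter(r["ts"].hour for r in subset),
            "shared_indicators": {i: len(c) for i, c in seen_by.items() if len(c) > 1},
            "ttp_breadth": {t: len(c) for t, c in ttp_by.items()},
        }
    return cop


# Constructed sample submissions (not real data); addresses are from the
# RFC 5737 documentation ranges.
RAW_REPORTS = [
    {"institution": "Bank A", "profile": "retail", "category": "attack",
     "ts": "2014-03-03T02:10:00+00:00", "indicator": "198.51.100.7", "ttp": "credential-stuffing"},
    {"institution": "Bank B", "profile": "retail", "category": "attack",
     "ts": "2014-03-03T02:45:00+00:00", "indicator": "198.51.100.7", "ttp": "credential-stuffing"},
    {"institution": "Bank C", "profile": "retail", "category": "anomalous",
     "ts": "2014-03-03T03:05:00+00:00", "indicator": "203.0.113.9", "ttp": "credential-stuffing"},
    {"institution": "Bank A", "profile": "retail", "category": "decline",
     "ts": "2014-03-03T14:30:00+00:00", "indicator": "192.0.2.55", "ttp": "card-not-present-fraud"},
    {"institution": "Bank B", "profile": "corporate", "category": "attack",
     "ts": "2014-03-03T09:15:00+00:00", "indicator": "203.0.113.9", "ttp": "spear-phishing"},
    {"institution": "Bank D", "profile": "corporate", "category": "anomalous",
     "ts": "2014-03-03T09:40:00+00:00", "indicator": "203.0.113.9", "ttp": "spear-phishing"},
    {"institution": "Bank E", "profile": "investment", "category": "attack",
     "ts": "2014-03-03T16:00:00+00:00", "indicator": "192.0.2.200", "ttp": "ddos"},
]


def demo() -> dict:
    """Run the gateway and the fusion node over the sample submissions."""
    return build_cop([sanitise(r) for r in RAW_REPORTS])


if __name__ == "__main__":
    for profile, view in demo().items():
        print(profile, dict(view["by_category"]), "contributors:", view["contributors"],
              "shared:", view["shared_indicators"])
```

The separation of duties is the point: the gateway holds the key and sees institution names, the fusion node sees only tokens and indicators, so an analyst at the node can say "three retail contributors saw this source address in the same night" without any contributor being identifiable. Decline and anomalous reports are kept alongside confirmed attacks because they are what turn a single institution's noise into a sector-wide signal.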

Section 2.0
Research Paper: Cyber Threat Intelligence

"He who defends everything, defends nothing"
Frederick the Great (1712-1786)

For decades cyber security has predominantly constituted the software and hardware controls of Computer Network Defence (CND). CND is maintained and enhanced by regular improvements and software "patching", collectively known as cyber hygiene.

This "technology led" approach to cyber security has focused on "target hardening", aspiring to create a strong perimeter of interlocking hardware and software defences to make illegitimate intrusion complex and difficult. This approach has, in the past, achieved mitigation, but not deterrence, of the majority of cyber attacks against financial institutions, variously estimated at 88-89% of attacks[1]. However, these attacks, the ones that have been stopped, are not the threats that cause the damage. Although Computer Network Defence and rigorous cyber hygiene remain fundamental to any cyber security strategy, they no longer constitute a complete response to the Computer Network Attack (CNA) threat.

An "intelligence led" strategy is now required to counter the agile and innovative industrialisation of cyber attack techniques, malware and exploit kits[2]. The increasing threat from cyber network attack entities originates from the cascade of increasingly sophisticated applications used by both organised criminal and state sponsored, or state enabled, cyber attack capabilities. This has led to the commoditisation of cyber attack capabilities into hacker tool kits that are commercially traded on the dark web. Cyber attackers are also exploiting publicly available information, including social media, to target carefully crafted phishing attacks against financial institution staff, customers and companies in their supply chain, in order to circumvent network cyber defences.

[Figure: The characteristics and nature of the transformation in the malware threat. Traditional: broad, known and patchable. Advanced: targeted, unknown or polymorphic.]

1 Online Trust Alliance and RSA. US Senate and UK Government reporting places the figure at 80%.
2 Kaspersky Security Bulletin 2013, http://media.kaspersky.com/pdf/KSB 2013 EN.pdf; IBM Cyber Security Intelligence Index, ographic/cybersecurityindex.html; Verizon Data Breach Investigations Report 2013, http://www.verizonenterprise.com/DBIR/2013/

The threat of Cyber Network Attack (CNA) is developing and operating faster than Computer Network Defences (CND) can respond. The increased CNA threat is outpacing traditional technology led, target-centric approaches to cyber security strategy. The cyber threat spectrum is becoming a more challenging operating environment, in which adversary attack capability[3], intent and opportunity[4] are all increasing.

[Figure: The agility and processes of cyber network attack methodologies. Stages recoverable from the figure: define target; find access; build; test; decide; act; cover tracks and remain undetected.]

[Figure: The strategic imbalance of cyber network attack against cyber network defence. Cyber attack capability rising faster than cyber defence capability over time, opening a capability gap.]

If it has not already occurred, then very soon a capability gap will exist that allows cyber network attacks to penetrate financial institutions and payment systems at unprecedented levels, threatening confidentiality, integrity and availability[5]. The Banking and Payment Services sector is now exposed to a variety of actors and capabilities, some of whom operate below the detection capability[6] of even the advanced cyber network defences and surveillance of any single organisation or institution[7].

3 Currently intrusive and disruptive, but potentially the "Internet of things" or machine to machine communication will facilitate further destructive attacks. (RSA)
4 The growth of mobile platforms in the UK Banking and Payment Services retail, corporate and investment banking landscapes considerably complicates an already complex threat environment.
5 RSA define the protection afforded by traditional CND as porous (2007), inverted (2013) and virtual by 2020. (https://www.youtube.com/watch?v=R31Ez1XJEeI)
6 Verizon term this "low and slow" to describe advanced persistent threats with a low digital forensic signature.
7 This has been a key feature of the recent UK Banking and Payment Services exercise, Waking Shark. ty/Banking and Payment Servicesc/Documents/wakingshark2report.pdf

State sponsored attacks against Saudi Aramco, the Stuxnet sabotage of Iranian centrifuges, sustained network phishing attacks by organised crime threat networks, allegations of industrial espionage against Chinese telecommunications providers and the evolution of the ZEUS banking trojan all provide high profile indicators of a congested and highly contested cyber operational space.

The cyber domain represents a further challenge to security managers, in that a single individual can command the skills and support base to represent a hazard across the entire threat spectrum.

High Priority Targets

Banking and Payment Services remains a high priority target and a key element of the Critical National Infrastructure of the states it serves with investment, corporate and retail operations. Payment systems are the central nervous system of global Banking and Payment Services inter-dependence. The Payments Council believes that the UK Banking and Payment Services sector requires a collaborative and federated Cyber Threat Intelligence (CTI) capability in order to provide a Common Operating Picture (COP) of the covert and clandestine cyber threat networks conducting cyber network attacks (CNA) against financial institutions and key elements of the supply chain.

[Figure: Attack vectors and resources available to a cyber attacker. Actor types: state sponsored, state enabled, corporate sponsored, corporate enabled, sponsored individual, enabled individual. Threat types: terrorism, sabotage, subversion, espionage, crime.]

[Figure: High threat sectors in relation to Banking and Payment Services (Defence & Security, Legal, Energy, Investment, and others). Insider Threat: rogue employee, malicious sub-contractor, social engineering expert, funded placement, criminal break-in, dual-use software installation. Trusted Connections: stolen VPN credentials, hijacked roaming hosts, B2B connection tapping, partner system breaches, externally hosted system breaches, grey market network ...]

Institutions at risk of cyber attack operate in key sectors; Defence & Security, Energy, Telecommunications and Banking and Payment Services[9] have individually embraced initiatives such as the HM Government sponsored Cyber Information Sharing Partnership (CISP). They have also established sector information sharing forums to exchange data on the operational characteristics of the cyber attacks against their systems. These are necessary to focus on the particular threats prevalent in each sector. For example, the challenge of the exfiltration of intellectual property and protectively marked material from the secure networks of institutions in the Defence and Security sector is very different to the subversion and illegitimate use of communication networks that Telecommunications corporations must counter. A common threat in Banking and Payment Services is theft, but confidentiality and integrity are key considerations for payment systems and their customers in investment, corporate and retail banking operations.

The Payments Council believes that there is a complementary role for industry centric, cyber threat intelligence generating capabilities within a collaborative network of information sharing nodes. These entities will enhance the defensive capabilities of the sponsoring and supported institutions. They will also provide data of sufficient granularity and integrity to provide investigatory start points for law enforcement. These nodes will oxygenate the exchange of information between sectors to provide a more evaluated and nuanced strategic understanding of the cyber threat spectrum from criminal and subversive sources. This intelligence led strategy, in partnership with law enforcement agencies, seeks to disrupt and degrade those cyber attackers and their supporting networks that represent a significant threat.

9 The Legal sector is emerging as a fifth critical area, as cyber criminals target these firms to breach the cyber defences of institutions operating in the other key sectors.

[Figure: Relationship between data, information and intelligence. Data passes through processing and exploitation to become information, and information through analysis and production to become intelligence.]

Data, Information & Intelligence

The distinction that is fundamental to this concept is the difference between data, or simply exchanging information between institutions, and generating cyber threat intelligence. The latter requires both sector and operation specific data that has been collected in a systematic and systemic methodology, evaluated and codified to an agreed and interoperable standard. This is vital if the quantitative and qualitative material necessary for objective analysis, using specialist analytical tools, is to be achieved. The codified data would be derived from cyber attacks, suspicious cyber activity (anomalous activity) and declined data against investment, corporate and retail banking networks. This focused approach is a key prerequisite for achieving the best possible "signal" of highly sophisticated cyber attacks from the "noise" of daily, legitimate cyber traffic and of the illegitimate low end cyber network attacks that are detected and countered by current CND.

A "Hierarchy of Data" is perhaps the most accessible way of appreciating the utility of different collection and processing techniques, the value to the end user and the resource cost of collection and processing in a cyber threat intelligence context. Taking a Banking and Payment Services sector specific focus (high noise, low signal), it has been demonstrated that information, whilst useful qualitatively, does not illuminate the breadth or depth of the threat spectrum. US Intelligence Doctrine (JP 2-0)[10] illustrates the relationship between data, information and intelligence as a series of lenses. Each lens should be considered a processing or refinement procedure that allows indicators and warnings to be distilled from the available sources. Data, collected and processed systemically and systematically from sources assessed as pertinent, even core, to the objective of the analysis, offers greater insight, but arguably not foresight. Data analytics using Search, Visualisation and Analysis (SV&A) tools allows trend analysis and patterns of behaviour to be discerned from even fragmentary data sets over time. Aggregating data into a single secure environment, a "data lake", offers the potential to employ big data analytic tools.

10 Joint Publication 2-0, Joint Intelligence, dated 22 October 2013.

Big Data Analytics

Big Data, articulated as volume, velocity, variety and veracity[11], can be analysed at rest (batch processing) or in motion (stream processing). Batch processing is used for large volumes of data (petabytes) on long lead times (hours), whereas stream processing is more useful for smaller volumes of data (gigabytes and terabytes) on shorter lead times (seconds and minutes). The volume of data generation is increasing exponentially, with a corresponding increase in the speed of transmission or dissemination. It is estimated that 90% of data in existence was generated in the last 2 years[12]. Data is now collected and used in ways not even considered a few years ago, in both structured and unstructured formats. The increasing maturity of Big Data analytical tools, notably Hadoop at version 2.3.0 (20 February 2014, a batch processing tool), is beginning to match stakeholder expectations. Influenced by a decrease in data storage costs and the flexibility of data centres and cloud storage, the value that large data sets, known as "data lakes", can provide to security intelligence is beginning to be realised. The relationship between business intelligence and data analytics as a foundation of cyber threat intelligence is illustrated below[13]. Big data analytics will provide the Electronic Pattern of Life (ePoL) and Electronic Finger Printing (EFP) of high end cyber network attacks against banking and payment system targets.

Initially it is envisaged that batch processing, where Hadoop is rapidly emerging as the dominant open source tool, will be used to provide the ePoL and EFP that underpin Cyber Threat Intelligence. However, stream processing is rapidly evolving and offers the potential to achieve near real time "tactical tip offs" of emerging attack patterns as the ambition of scale and speed of processing increases, beyond the scope of traditional Security Information and Event Management (SIEM) tools. Cardenas et al (2013) reference applications in APT profiling that are directly relevant to the cyber threat intelligence concept. Similarly, they detail Symantec's work to create a Worldwide Intelligence Network Environment (WINE), which is consistent with the matrix of intelligence fusion nodes model.

[Figure: The value and complexity of big data analytics. Value of analytics rising with complexity from "Why did it happen?" through "What will happen?" to "How can we make it happen?"]

11 Veracity is attributed to an IBM definition, but is a useful addition for considering the use of big data as the basis of a cyber threat intelligence capability.
12 s-big-data.html
13 Pivotal Software Inc.
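The "tactical tip off" that stream processing is expected to deliver can be shown with a small sliding-window detector over the federated event stream. This is an added example, not code from the paper, from Cardenas et al or from any vendor named above. It assumes events arrive as (timestamp, contributor pseudonym, indicator) tuples in time order; the 30 minute window, the three-contributor threshold and the sample stream are constructed for the illustration. The rule it implements is one that no single institution can fire on its own, because each institution sees each indicator only once.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class FederatedTipOff:
    """Sliding-window detector over the federated event stream.

    Fires when one indicator has been reported by at least `min_contributors`
    distinct (pseudonymous) contributors within `window_minutes`. Events are
    assumed to arrive in timestamp order; a late event would need buffering
    or a watermark, which is out of scope here.
    """

    def __init__(self, window_minutes: int = 30, min_contributors: int = 3):
        self.window = timedelta(minutes=window_minutes)
        self.k = min_contributors
        self.events = defaultdict(deque)   # indicator -> deque of (ts, contributor)
        self.alerted = {}                  # indicator -> contributor set already alerted

    def observe(self, ts: datetime, contributor: str, indicator: str):
        q = self.events[indicator]
        q.append((ts, contributor))
        while q and ts - q[0][0] > self.window:   # evict sightings outside the window
            q.popleft()
        contributors = frozenset(c for _, c in q)
        if len(contributors) < self.k:
            self.alerted.pop(indicator, None)     # cluster has decayed: re-arm
            return None
        if contributors <= self.alerted.get(indicator, frozenset()):
            return None                           # nothing new since the last tip-off
        self.alerted[indicator] = contributors
        return {"indicator": indicator, "contributors": sorted(contributors), "at": ts}


def run_stream(events, window_minutes: int = 30, min_contributors: int = 3) -> list:
    """Feed (iso_timestamp, contributor_pseudonym, indicator) tuples through
    the detector and collect the tip-offs it raises."""
    det = FederatedTipOff(window_minutes, min_contributors)
    alerts = []
    for iso, contributor, indicator in events:
        alert = det.observe(datetime.fromisoformat(iso), contributor, indicator)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample stream (not real data): four pseudonymous contributors
# n1..n4; each sees each indicator at most once, so no local rule fires.
STREAM = [
    ("2014-03-03T10:00:00", "n1", "198.51.100.7"),
    ("2014-03-03T10:00:00", "n1", "203.0.113.9"),
    ("2014-03-03T10:12:00", "n2", "198.51.100.7"),
    ("2014-03-03T10:20:00", "n3", "198.51.100.7"),   # third contributor within 20 min
    ("2014-03-03T10:25:00", "n4", "198.51.100.7"),   # a fourth joins the cluster
    ("2014-03-03T11:30:00", "n2", "203.0.113.9"),
    ("2014-03-03T12:00:00", "n3", "203.0.113.9"),    # n1's sighting has aged out: two only
    ("2014-03-03T12:05:00", "n1", "198.51.100.7"),   # earlier cluster has aged out
]


if __name__ == "__main__":
    for a in run_stream(STREAM):
        print(a["at"].isoformat(), a["indicator"], "reported by", a["contributors"])
    print("single-institution view:", run_stream([e for e in STREAM if e[1] == "n1"]))
```

Running the same detector over only one contributor's events produces no tip-off, which is the difference between a per-institution SIEM rule and a sector-wide stream: the signal exists only in the union. The re-arm on decay keeps a persistent scanner from alerting on every packet while still reporting it again if it returns after the window has emptied.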

Intelligence

Key Principles

Intelligence is data that provides both insight and foresight to the end user and a degree of understanding of complex situations by consideration of the provenance, pedigree and context of the source material, the processing methods and the documents that verify the findings. Arguably the most demanding levels of information corroboration and veracity constitute evidence. This is the most demanding material to collect and p

