CTI Capability Maturity Model - Europa


CTI Capability Maturity Model
CTI-EU 2018, Brussels, November 2018
Marco Lourenco, ENISA Cyber Security Analyst Lead
European Union Agency for Network and Information Security

Whoami

Started as data forensics analyst for the financial sector during the 90s. Worked with Interpol in criminal investigation system projects in early 2000s. With European External Action Service as CISO in mid 2000s. United Nations and Microsoft as regional manager in EMEA during the last 10 years, working with government agencies in cyber threat intelligence. Since this year in ENISA as cyber security analyst lead.


CTI capability map

Planning: stakeholders management, requirements management, scope management, resources management.
Collection: ingestion of structured information and data, ingestion of unstructured information and data.
Processing and production: CTI production management, real-time production, periodic production.
Dissemination: disclosure policy control, external reporting, internal reporting.
Evaluation: requirements evaluation, process evaluation.

What good CTI looks like

Aligned and relevant to stakeholders and the business.

Promotes a better understanding of the threats targeting the organization.

Produces actionable advice that can be acted upon and influences decisions.

Promotes learning and improvement.

What the model is

A model for assessing the current and desired maturity state of the capabilities required to produce cyber threat intelligence.

Maturity levels

Level 1 - Initial: unpredictable and reactive.
Level 2 - Managed: developed but inconsistent, often reactive.
Level 3 - Repeatable: processes measured and controlled.
Level 4 - Optimized: focus on process improvement.

Across the four levels the CTI function moves from descriptive, to predictive, to pre-emptive.

Maturity scorecard - planning
(capabilities assessed: stakeholders management, scope management, requirements management, resources management)

Strategic
  Initial: board and senior managers unaware of what CTI is and of the team responsible for it.
  Managed: board and senior managers aware; occasional CTI is offered, rarely, if ever, acted upon.
  Repeatable: threat intelligence pushed by the team on big issues; the board receives and considers the information.
  Optimized: threat intelligence a routine part of decision-making, with advice sought on all major decisions.

Operational
  Initial: no tasking to identify activity-related attacks or groups who plan attacks openly.
  Managed: broad tasking to identify whether attacks are occurring as a result of activities.
  Repeatable: specific tasking to investigate a group or an activity-related attack.
  Optimized: capabilities developed where there is indication of a return on investment.

Tactical
  Initial: consumption of unstructured external information from feeds and news articles.
  Managed: regular access to threat data and information from CTI suppliers.
  Repeatable: correlation of external and internal threat data.
  Optimized: integration of external threat data sources with the SIEM.

Technical
  Initial: no specific requirements for technical threat intelligence.
  Managed: requirements are broad, such as "consume all publicly available feeds".
  Repeatable: requirements are specific and relevant, e.g. IoCs for a specific group.
  Optimized: results of evaluation are an active part of requirement setting and management of the process.

Maturity scorecard - collection
(capabilities assessed: ingestion of structured information and data, ingestion of unstructured information and data)

Strategic
  Initial: none.
  Managed: small number of sources consumed; a focus on 'overview' style articles or reading other people's analysis on the same topic.
  Repeatable: a focus on reputable, well-known sources of information in key areas.
  Optimized: large range of sources, including economic, socio-political and foreign-language journals, press articles, and products of other CTI types.

Operational
  Initial: attempts to analyze data from activity-related attacks.
  Managed: attempts made to find an activity or event correlated to attack types.
  Repeatable: activity-related attacks regularly predicted, but no coordinated response.
  Optimized: activities that result in attacks robustly understood, appropriate monitoring in place, and response planned.

Tactical
  Initial: no tactical information collected.
  Managed: irregular decision making on source acquisition; mostly open sources or sources of unknown reputation.
  Repeatable: regular decision making on source acquisition and re-alignment; wider range of mostly reputable sources.
  Optimized: established procedures to acquire, evaluate and re-align sources.

Technical
  Initial: no collection.
  Managed: ad-hoc collection, e.g. from occasional reports. Indicators are manually actioned, e.g. by logging onto hosts to check for registry paths or looking at firewall logs.
  Repeatable: collection from public feeds. Automatic searching for host-based indicators across the whole infrastructure, probably utilising third-party software.
  Optimized: collection from public feeds and from private feeds such as sharing relationships. Indicators of all types automatically searched for in network traffic and on hosts.

Maturity scorecard - production
(capabilities assessed: CTI production management, real-time production, periodic production)

Strategic
  Initial: no analysis; any sources consumed are reported directly.
  Managed: some analysis of sources and verification of the content of overview articles.
  Repeatable: analysis leading to insight that supports publicly available reviews and commentary.
  Optimized: deep analysis leading to insight, mapped to the business in a way that takes into account the financial drivers, structure and intentions of the organization.

Operational
  Initial: no analysis; intelligence from sources is integrated directly.
  Managed: some analysis of sources and verification of the content of overview articles; some attempt made to map to general businesses.
  Repeatable: advanced correlation and trend analysis; application and database activity monitoring.
  Optimized: threats are proactively and strategically managed from a central register; continuous research is proactively performed to understand known threats.

Tactical
  Initial: no integration of external data or information into the analysis.
  Managed: basic understanding of attack flow, actors and tools.
  Repeatable: knowledge base maintained of how a variety of campaigns that have targeted the organisation's industry functioned at each stage of the attack.
  Optimized: expert-level knowledge maintained on all key attack groups, including a breakdown of the tools used and of how the key stages of the attack are executed; user behaviour and entity analysis.

Technical
  Initial: no application of indicators to the organization.
  Managed: indicators are manually actioned by a staff member, e.g. by logging onto hosts to check for registry paths or looking at firewall logs.
  Repeatable: network-based indicators are automatically investigated by network devices.
  Optimized: indicators of all types automatically searched for in network traffic and on hosts; new indicators that become available are used to search through log data for historical signs of compromise.

Maturity scorecard - evaluation
(capabilities assessed: requirements evaluation, process evaluation)

Strategic
  Initial: CTI not involved in strategic decisions.
  Managed: CTI considered but generally disregarded.
  Repeatable: CTI generally used in decisions, such as an increased security budget to mitigate a risk.
  Optimized: CTI occasionally changes decisions and regularly affects how those decisions are implemented.

Operational
  Initial: no evaluation.
  Managed: report prepared identifying how many alerts were produced by operational threat intelligence and whether they were plausible.
  Repeatable: formal process defined for evaluating the success and failure of individual cases.
  Optimized: efforts robustly evaluated, with undetected attacks (where detection should have been possible) subject to root cause analysis.

Tactical
  Initial: no evaluation.
  Managed: random evaluation of the quality of CTI through an ad-hoc review process.
  Repeatable: technical evaluation of CTI.
  Optimized: complete review process of the CTI.

Technical
  Initial: no evaluation.
  Managed: monthly report prepared of how many alerts were the result of indicators from specific sources.
  Repeatable: monthly report identifies whether verified alerts were generated as a result of an indicator that was also detected by other mechanisms.
  Optimized: same as the previous level, and incidents that emerge are analysed to identify whether technical threat intelligence should have allowed detection sooner.
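The technical rows of the production and evaluation scorecards describe two concrete mechanics: at the Optimized level, newly received indicators are swept back through historical log data for signs of compromise, and at the Managed and Repeatable levels the technical evaluation counts alerts per indicator source and checks whether each alert was also caught by an independent mechanism. The following Python is an added example, not part of the ENISA deck, that implements both over constructed data. The indicator values, the key=value log format, the source names and the "edr-signature" detection set are all hypothetical.

```python
import re
from dataclasses import dataclass

# --- Constructed sample data (hypothetical; not from any real feed or network) ---

@dataclass(frozen=True)
class Indicator:
    kind: str    # "ip", "domain" or "sha256"
    value: str
    source: str  # feed or sharing relationship that supplied the indicator

SAMPLE_SHA256 = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"

INDICATORS = [
    Indicator("ip", "198.51.100.23", "vendor-feed"),
    Indicator("sha256", SAMPLE_SHA256, "vendor-feed"),
    Indicator("domain", "update-check.example", "sharing-partner"),
    Indicator("ip", "203.0.113.77", "osint-feed"),  # never observed: the feed yields no alerts
]

# Historical log lines in a made-up key=value format; the first token is the timestamp.
HISTORICAL_LOGS = [
    "2018-09-02T10:14:03Z proxy src=10.0.0.5 dst=198.51.100.23 url=http://198.51.100.23/a.php",
    "2018-09-02T10:14:04Z dns client=10.0.0.5 query=update-check.example",
    f"2018-09-03T08:00:00Z edr host=ws-0031 sha256={SAMPLE_SHA256} action=blocked",
    "2018-09-05T12:00:00Z proxy src=10.0.0.9 dst=192.0.2.10 url=http://192.0.2.10/",
]

# Indicator values that an independent mechanism (here a hypothetical EDR signature) already caught.
OTHER_DETECTIONS = {SAMPLE_SHA256: "edr-signature"}

PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}


def extract_observables(line):
    """Return the set of (kind, value) pairs found in one log line, values lower-cased."""
    found = set()
    for kind, pattern in PATTERNS.items():
        for value in pattern.findall(line):
            found.add((kind, value.lower()))
    return found


@dataclass(frozen=True)
class Alert:
    timestamp: str
    indicator: Indicator
    log_line: str


def retro_hunt(indicators, logs):
    """Sweep historical log lines for every indicator; one Alert per (line, indicator) hit."""
    lookup = {(i.kind, i.value.lower()): i for i in indicators}
    alerts = []
    for line in logs:
        timestamp = line.split(" ", 1)[0]
        for key in sorted(extract_observables(line)):
            indicator = lookup.get(key)
            if indicator is not None:
                alerts.append(Alert(timestamp, indicator, line))
    return alerts


def source_report(indicators, alerts, other_detections):
    """Per source: indicators supplied, alerts produced, and alerts also caught elsewhere.
    Sources with zero alerts stay in the report: a feed that never fires is itself a finding."""
    report = {}
    for indicator in indicators:
        row = report.setdefault(indicator.source,
                                {"indicators": 0, "alerts": 0, "also_detected_elsewhere": 0})
        row["indicators"] += 1
    for alert in alerts:
        row = report[alert.indicator.source]
        row["alerts"] += 1
        if alert.indicator.value.lower() in other_detections:
            row["also_detected_elsewhere"] += 1
    return report


if __name__ == "__main__":
    hits = retro_hunt(INDICATORS, HISTORICAL_LOGS)
    for hit in hits:
        print(f"{hit.timestamp} {hit.indicator.kind}={hit.indicator.value} source={hit.indicator.source}")
    for source, row in source_report(INDICATORS, hits, OTHER_DETECTIONS).items():
        print(source, row)
```

An alert whose indicator was also caught by another mechanism adds little marginal value; an alert only the indicator produced, or a source that never produces any, is what the monthly report at the Managed and Repeatable levels is meant to surface so that requirement setting can feed back into source acquisition.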

Maturity scorecard - dissemination
(capabilities assessed: disclosure policy control, external reporting, internal reporting)

Strategic
  Initial: CTI is not shared with strategic stakeholders.
  Managed: sharing with individuals at similar organisations. Board and senior managers have access to CTI but do not consider it a decision tool.
  Repeatable: reputation and trust exist in the CTI outcomes, but understanding of how to use them is lacking.
  Optimized: CTI consumed as part of decision-making, with advice sought on all major decisions.

Operational
  Initial: no dissemination.
  Managed: CTI is shared with operational stakeholders but no actions are produced.
  Repeatable: CTI is shared with operational stakeholders and actions are taken.
  Optimized: CTI is fully integrated with the operational environment.

Tactical
  Initial: CTI is shared externally but without any specific criteria.
  Managed: no specific attempts to map attacker modus operandi to organizational weaknesses.
  Repeatable: CTI is shared with specific individuals at other organisations who would be involved in responding to an attack.
  Optimized: other organisations have been successfully alerted, allowing them to better protect themselves as a result.

Technical
  Managed: informal sharing with a limited audience, e.g. by email.
  Repeatable: automated sharing of verified indicators.
  Optimized: automated sharing of verified indicators that have been ...

CTI maturity: from descriptive to pre-emptive

Level 1 - Initial (descriptive): risk management; access to logs; base infrastructure; attempts to analyze data from activity-related attacks.
Level 2 - Managed (descriptive to predictive): advanced correlation and trend analysis; pattern recognition and outlier detection; enhanced visibility.
Level 3 - Repeatable (predictive): activity-related attacks regularly predicted, but no coordinated response; correlation of external and internal threat data; adaptive threat detection; active threat monitoring.
Level 4 - Optimized (pre-emptive): CTI fully integrated with the operational environment; deep analysis leading to insights; business-centric; pre-emptive response; active threat management.

Metric - Evaluating the impact of ...

Key takeaways

An organization can be at different levels of maturity for the different types of CTI and capabilities.
There is no CTI that fits all: a CTI product can meet the requirement of a specific stakeholder.
CTI is only shareable depending on the organization's disclosure policy.
CTI can be acknowledged by certain stakeholders and actionable by others.
Not all CTI is verifiable; it depends on the resources available.
Depending on the organization's preparedness to implement certain capabilities, the decision to produce CTI internally or to outsource it should be taken as early as possible.

Thank you for your attention
ENISA, PO Box 1309, 710 01 Heraklion, Greece
Tel: 30 28 14 40 ...
