Intelligence Led Corporate Security Programs - FIRST


Intelligence Led Corporate Security Programs
Why a Business Needs to Set Up a Cyber Threat Analysis Unit
Ian Cook
16th Annual Computer Security Incident Handling Conference
Budapest, Hungary
June 13-18, 2004

How Much Security?
The most critical question that security managers ask is how should they allocate the limited resources.
– Where are the threats?
– How much security is needed?
– How much residual risk?
– Where is the balance?
A Cyber Intelligence Program based on proven Government Intelligence processes can help answer these questions

The Game Has Changed
Increased risk: Cyberspace is rapidly growing and has become part of the way we conduct our lives. Accelerating number of new threats and vulnerabilities that appear faster than vendors can fix and patches can be deployed. There is no Perimeter.
Increased complexity: Technologies have grown increasingly complex so that all the ways systems could be compromised by an attacker cannot be predicted.
Constant change: Networks, business requirements and risks continuously change and degrade security. Behavior banned today is promoted tomorrow.
Information volume: Daily volume of security information and intelligence is greater than most organizations can effectively process and analyze.
Limited expertise: Few companies have the necessary in-house security expertise. The enemy has become more sophisticated, organized and better resourced.

Time in Which to Make Decisions Decreasing
Vulnerabilities Increasing
Patches proliferating
Days between Alert and exploit decreasing
– Nimda 331 Days
– Blaster 21 Days
– Witty 36
[Chart, 1998-2003. Source: CERT]
Time to Propagate decreasing
– Code Red 5 Days
– Slammer 87 Minutes
– Witty 45 Minutes
Exploits are more sophisticated
Speed of attacks results in widespread damage in little time

Intelligence Led Decision Making
Those making security related decisions have often been taking an uncoordinated, uninformed, and unplanned approach to security
It’s difficult to manage what you don’t know about or understand (Most Organizations spend less than 250 for every 1 million revenue on security.)
Security Decisions should be based on facts, not intuition
An Intelligence Program will:
– Identify the need for action
– Provide the insight and context for deciding among courses of action (value added analysis)
– Provide information/assessment on the effectiveness of pursuing the selected course of action

Intelligence Led Decision Making: Phishing
Phishing Attack Stages
– Monitor New Domains including Company name
– Sites containing Company name and requesting ID & Password
– Phishing emails containing Company name
– Seed fake sites with account details and monitor accounts
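One way to prototype the first monitoring stage above, ranking newly registered domains that contain or imitate the company name. This is an added example, not part of the original presentation or of the tool it shows; the company name `examplebank`, every domain in the feed, the swap table, the keyword list and the score weights are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Character swaps common in lookalike names (assumed, not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
CREDENTIAL_HINTS = ("login", "signin", "secure", "verify", "account", "update")

def normalize(text):
    """Lower-case, undo common character swaps, keep letters only."""
    text = text.lower().translate(SWAPS).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", text)

def score_domain(domain, brand, official):
    """Return (score, reasons) for one newly observed domain name."""
    domain = domain.lower().rstrip(".")
    if any(domain == o or domain.endswith("." + o) for o in official):
        return 0, []  # the company's own names are never flagged
    labels = domain.split(".")[:-1] or [domain]  # drop the TLD
    target = normalize(brand)
    score, reasons = 0, []
    if target in normalize("".join(labels)):
        score, reasons = 60, ["contains company name"]
    else:
        best = max(SequenceMatcher(None, target, normalize(l)).ratio() for l in labels)
        if best >= 0.8:
            score, reasons = 40, ["close to company name (%.2f)" % best]
    if score and any(hint in domain for hint in CREDENTIAL_HINTS):
        score += 30
        reasons.append("credential-related keyword")
    return score, reasons

def triage(feed, brand, official, threshold=40):
    """Rank a feed of new domains, highest score first."""
    hits = [(d, *score_domain(d, brand, official)) for d in feed]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])

# Constructed sample feed; the brand and all domains are made up.
FEED = [
    "examplebank-login.example",
    "gardening-club.example",
    "examp1ebank.example",
    "exarnplebank-secure.example",
    "exampelbank.example",
    "www.examplebank.example",
]

if __name__ == "__main__":
    for domain, score, reasons in triage(FEED, "examplebank", {"examplebank.example"}):
        print(score, domain, "; ".join(reasons))
```

Domains that score above the threshold are candidates for the second stage on the slide, checking whether the site requests an ID and password.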

Anti Phishing Tool Workflow

Prototype Email Phishing Threat Analyzer

Intelligence Defined
"Intelligence is the product that results or the knowledge that is derived from cyclical processing of information" (United States Intelligence – An Encyclopaedia)
Cyber Intelligence is the systematic and broad-scale examination of Internet activity to assess, predict and understand current and prospective behaviors on the Internet.

Tenets of Intelligence
Intelligence must be:
– Timely - Late intelligence is as useless as no intelligence.
– Accurate - Must be unbiased and based on fact.
– Usable - Understandable and specific to current need.
– Complete - Must identify all the adversary’s capabilities, identify all available courses of action and forecast future adversary actions and intentions.
– Relevant - Must focus on current need.

Questions Decision Makers Ask
Where are our weaknesses and vulnerabilities
What threats/adversaries exist
What tools/capabilities attackers have
Who’s targeting us and does it matter
Which potential threats may be imminent
– Are we vulnerable?
– Are we an attractive Target
– What impact might an attack have
How do our Threats compare to those of our competitors
What are our competitors doing
What's being said about us and by whom
What safeguards / countermeasures can we deploy
What actions we should take
A Cyber Intelligence Program based on proven Government Intelligence processes can help answer these questions

Situational Awareness
Decision Makers need to understand the “big picture” of their Security posture
Having the right information helps Decision Makers take actions that balance security and cost.
Situational Awareness Requires:
– Perception: What’s Happening Now
– Comprehension: Is it Important
– Projection: What could happen Next
Intelligence Output Requires:
– Right Content
– Right Time
– Right Place and People
– Right Form

Understand Information Needs
Get a clear understanding of Decision Makers' information needs/timescales.
– What decisions need to be made?
– Why do the decisions need to be made?
– When do the decisions need to be made?
– Who will be using the intelligence to make the decisions?
– Is the intelligence nice to know or need to know?

The Six Stage Intelligence Cycle
– Direction for current and future intelligence gathering activities is established.
– Intelligence personnel assess how well each phase of the cycle is performed.
– Collect information from known sources. Identify & collect information from new sources of information.
– Intelligence is delivered to and used by the consumer.
– Raw information is converted to forms readily used by analysts.
– All available processed information is integrated, analysed, evaluated and interpreted.

Analysis
"Analysis is really the application of common sense and experience to raw information" (Leonard Fuld, The New Competitor Intelligence, p. 359)
Turns information into actionable intelligence that leads to informed decisions and actions.

Basic Analysis Steps
– Read all previously processed information.
– Concentrate on the reliable data.
– Recognize gaps in information
– Read between the lines
– Look for patterns
– Organize the information
– Develop a number of possible scenarios.
– Develop long-term and short-term responses for each scenario.
– Know when to quit! (Know Your Business Drivers)

Potential Sources of Intelligence Information
Web Sites
Search Engines and Tools
News Feeds
FTP Sites
Printed Material
Vulnerability Alerts
Professional Associations
Government Sources
Vendors
Industry Organizations
Media Organizations
Hacker Organizations
In House Technical experts
Periodicals
Subscription Services
Newsgroups
Chat (IRC)
Information Exchange Partners
Human Sources
– Industry experts
– Underground
– Law Enforcement
– Govt. Intelligence Agencies
Public Record Databases
Bulletin Boards
Proprietary Sources
Etc.

Search Engines
Google http://www.google.com
AllTheWeb.com http://www.alltheweb.com
Yahoo http://www.yahoo.com
HotBot http://www.hotbot.com
List of Search ch.com/links/index.php

Personalized Web Search Updates

Meta Search Engines
Meta Search Engines return best results from leading tacrawler.com

Copernic Agent Professional (meta-search rofessional.html

WebSite Watcher
Monitors Web pages and notifies you when they change
http://www.aignes.com/

Copernic Summarizer
Using sophisticated statistical and linguistic algorithms, it pinpoints the key concepts and gives summary of any izer

Net Snippets
– Allows saving selected information on web page
– Information can be edited
– Add comments
– Automatically captures and saves bibliography information
– Automated bibliography reports
– Snippets stored in HTML format so you can later use them in MS Word etc
www.netsnippets.com

The Information Explosion
The Potential Sources of Intelligence Information are increasing:
– The size of the world-wide web is doubling every 12 months and this rate is increasing
– Annual publication rates 800mb person/annum for every person on the planet
– Disk space usage in organisations increasing 50-70% per annum
– The ‘Deep’ or ‘Hidden’ web includes databases of information from businesses, universities, government agencies which search engines can’t spider
– The ‘Hidden’ web is up to 50 times larger than the visible web (Sherman – Search Engine Watch Newsletter)

The High Cost of Not Finding Information
Susan Feldman, in KMWorld, Volume 13, Issue 3, March 2004, estimates:
– Knowledge workers spend from 15 to 30% of their time searching for information
– Searchers find what they look for only 50% of the time or less
– 40% of corporate users report they can’t find the information they need to do their jobs on their intranets
– The average enterprise wastes at least 1.6 to 2.3m per year searching for non-existent information, failing to find existing information and recreating information that can't be found
– The Fortune 1000 stands to waste at least 2.5 billion per year due to an inability to locate and retrieve information.

Intelligence Tool Requirements
Single point of access to multiple sources:
– Search engines
– Subscription sites
– Specialised portals
– User defined web sites
– Newsfeeds
– Newsgroups
– Bulletin Boards
– IRC
– Etc.
Collect Information from parts of web not indexed by search engines (Hidden Web)
Support multiple data formats
Log-in search source capability
Automate the search process with ‘human’ like abilities to translate, analyze and intelligently discover content
Intelligently rank results and summarise content using statistical and linguistic algorithms
Link analysis for visualizing associations and interactions
[Diagram labels: Web Sites, Subscription Sources, Usenet, News Feeds, Internal Sources, Evaluation, Results & Reports]

Cogenta Research Director
– Single point of access to multiple data sources
– Central Data Repository
– Share results with co-workers – distributed analysis.
– Intelligent agents search hidden web
– Finds new sources
– Searches dynamically created web pages
– Documents ranked using computational linguistic algorithms
– Summarises documents

Behavioral Profiling Techniques
The same data mining technologies used by marketers can be used by Cyber Intelligence Analysts:
– Data warehousing for accessing multiple and diverse sources of information and demographics
– Link analysis for visualizing criminal associations and interactions
– Intelligent Software agents for retrieving, monitoring, organizing, analyzing and acting on information
– Text mining for sorting through gigabytes of documents, web pages, public records and e-mails in search of concepts and key words
– Data mining for predicting the probability of crimes and extracting profiles of perpetrators

Cyber Intelligence Program Enables You to:
– Facilitate more informed security related business decisions by providing situational awareness
– Predict, understand and give advance warning of imminent or emerging threats, and cyber attacks
– Prevent and effectively respond to potential or actual threats
– Understand how your threats compare to those of your competitors
– Identify whether any actions taken by you or news regarding the company may make you a target, and
– In a world of unlimited threats focus limited resources effectively

Questions?
www.cogenta.com
Ian.cook@cogenta.com
Tel: 44 (0)1252 725478
“Someone else may decide if you will be a target - but you decide whether or not you will be a victim.” Gavin De Becker
