NTU_Cyber Threat Intelligence Lifecycle_Intro.pdf


Full Transcript

Slide 1: Cyber Threat Intelligence Lifecycle Course Introduction. ©2023 Mastercard. Proprietary and Confidential. FlexiMasters in Cybersecurity and Digital Trust.

Slide 2: Copyright 2024 Mastercard. The information provided herein by Mastercard (the “Presentation”), as well as all materials, concepts, processes and methodologies employed by Mastercard or a Mastercard supplier in connection with the Presentation, are and will remain the sole and exclusive property of Mastercard (or such Mastercard Supplier). Mastercard hereby grants to meeting participants a limited, non-exclusive right to use the Presentation without the right to assign, transfer or sublicense the Presentation in any way. The Presentation is confidential, provided for informational, non-commercial purposes only. The recipient may use the Presentation for its own internal business purposes. Except with the prior written permission of Mastercard, the Presentation shall not be used for any other purpose and shall not be published or disclosed to third parties, in whole or part. Mastercard makes no warranties concerning the Presentation and disclaims all express and implied warranties to the extent permitted by law, including but not limited to any implied warranty of merchantability, course of dealing, or fitness for a particular purpose. Recipient is responsible for its use of the Presentation, and Mastercard assumes no responsibility or liability with respect thereto. In addition, all meeting participants are reminded that this meeting must adhere to competition law rules and, as such, no confidential or commercially sensitive information ought to be shared directly or indirectly between competitors. If any member feels that a discussion includes prohibited topics, they should raise an objection immediately so as to stop discussion on such matter pending advice regarding the application of competition law.
Slide 3: Course Instructors
- Sharon Flategraff: [email protected]
- Chris Carsten: [email protected]

Slide 4: Administrative
- QR Code
- Cameras On
- Raise Hand / Use Chat
- Feel Free to Interrupt
- Introductions in the Chat

Slide 5: Clips
- Clip 1: Incident Response
- Clip 2: Intelligence Analysis
- Clip 3: Cyber Threat Intelligence

Slide 6: "Reduced to its simplest terms, intelligence is knowledge and foreknowledge of the world around us—the prelude to decision and action by [stakeholders]."

Slide 7: Course Goals
- Survey course for understanding the foundations of Cyber Threat Intelligence
- Explore the Cyber Threat Intelligence Lifecycle and its applications
- Understand how the Cyber Threat Intelligence Lifecycle enables threat-informed network defense
- This is NOT a practitioner course

Slide 8: Agenda
- Introduction to the Intelligence Lifecycle
- Course Overview
- Introduction to Cyber Threat Intelligence

Slide 9: Introduction to the Intelligence Lifecycle (section title)

Slide 10: Overview of the Intelligence Lifecycle
The Intelligence Lifecycle is a foundational model for conceptualizing and organizing the processes associated with the production of finished intelligence products and services. This version of the Intelligence Cycle has been tailored for cyber threat intelligence purposes.
The lifecycle diagram on this slide (repeated on slides 11 to 15 and 17) shows five phases arranged in a cycle: Requirements & Planning, Collection, Processing & Ingestion, Analysis & Production, and Dissemination & Feedback, which feeds back into Requirements & Planning.

Slide 11: Requirements & Planning
- The requirements and planning phase is used to establish mission scope and intelligence requirements, which will directly influence all other phases of the intelligence cycle.
- The mission scope is a statement of the parameters of a CTI program's area of responsibility.
- Intelligence requirements (IRs) are the overarching analytic questions an intelligence team will attempt to answer through its products and services.
- Mission scope should generally remain static, while IRs should be adjusted regularly based on stakeholder feedback and periodic reviews.

Slide 12: Collection
- The collection phase includes all activities and processes associated with the collection of data and information relevant to the team's mission scope and IRs.
- This includes identifying existing, relevant sources of data and information, as well as developing a strategy to identify new, relevant sources of data and information.
- Sources may include clear, deep, and dark web intelligence, external telemetry-based intelligence, and internal telemetry-based intelligence.

Slide 13: Processing & Ingestion
- The processing and ingestion phase includes all processes and engineering required to ensure that collected data and information is in a format that can be appropriately analyzed.
- In cyber threat intelligence, this phase usually focuses on processing and ingesting data and information into analytic tools (such as a Threat Intelligence Platform (TIP) solution).
- To ensure all data and information is consistent and comparable, data is usually processed to conform with a predetermined schema, taxonomy, and/or data model.

Slide 14: Analysis & Production
- Analysis and production includes all processes, methodologies, and tools used to derive assessments and produce finished intelligence products and services.
- This includes developing appropriate product lines for target stakeholders and intelligence consumers.
- Most CTI products are delivered as finished intelligence products or formal intelligence briefings.

Slide 15: Dissemination & Feedback
- The dissemination and feedback phase includes all processes, procedures, and platforms used to disseminate or deliver products and services to customers.
- Feedback, including performance metrics, client feedback, and feedback from client engagement teams, is leveraged to refine, amend, or expand IRs, bringing the cycle full circle.
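As an added example, not part of the course materials, the Processing & Ingestion phase in working code: two constructed feeds in different formats (an external CSV feed and internal JSON-lines telemetry) are conformed to an assumed schema, tagged with a taxonomy built from the deck's "focus on cyber threats" categories, and merged so that later analysis compares like with like. The schema, the type-to-category mapping, the source names and the sample records are all assumptions.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Predetermined schema (assumption) that every ingested record must conform to.
SCHEMA = ("type", "value", "category", "first_seen", "confidence", "sources")
# Taxonomy (assumed mapping): indicator type -> the deck's "focus on cyber threats" category.
CATEGORY = {"ipv4": "threat actor infrastructure", "domain": "threat actor infrastructure",
            "sha256": "malware and tooling"}

def _utc(ts):
    """Normalise epoch seconds or ISO-8601 text to one UTC timestamp format."""
    dt = (datetime.fromtimestamp(ts, tz=timezone.utc) if isinstance(ts, (int, float))
          else datetime.fromisoformat(str(ts).replace("Z", "+00:00")))
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_external_csv(text, source):
    """Constructed external feed: CSV columns indicator,kind,seen,score (score is 0-100)."""
    return [{"type": r["kind"].lower(), "value": r["indicator"].strip().lower(),
             "first_seen": _utc(r["seen"]), "confidence": int(r["score"]), "source": source}
            for r in csv.DictReader(io.StringIO(text))]

def parse_internal_jsonl(text, source):
    """Constructed internal telemetry: JSON lines with ioc_type, ioc, ts (epoch), conf (0.0-1.0)."""
    out = []
    for line in filter(None, text.splitlines()):
        o = json.loads(line)
        out.append({"type": o["ioc_type"].lower(), "value": o["ioc"].strip().lower(),
                    "first_seen": _utc(o["ts"]), "confidence": round(o["conf"] * 100),
                    "source": source})
    return out

def ingest(*batches):
    """Conform records to SCHEMA, apply the taxonomy and merge duplicates seen by several sources."""
    merged = {}
    for rec in (r for b in batches for r in b):
        if rec["type"] not in CATEGORY:   # anything outside the taxonomy is rejected, not guessed
            raise ValueError(f"unknown indicator type {rec['type']!r} rejected at ingestion")
        cur = merged.setdefault((rec["type"], rec["value"]), {
            "type": rec["type"], "value": rec["value"], "category": CATEGORY[rec["type"]],
            "first_seen": rec["first_seen"], "confidence": rec["confidence"], "sources": []})
        cur["first_seen"] = min(cur["first_seen"], rec["first_seen"])  # earliest sighting wins
        cur["confidence"] = max(cur["confidence"], rec["confidence"])  # keep the strongest score
        cur["sources"] = sorted(set(cur["sources"]) | {rec["source"]})
    return [r for r in merged.values() if tuple(r) == SCHEMA]  # only schema-conformant records leave

# Constructed sample records: same IP reported by both sources, in different formats and scales.
EXTERNAL_CSV = "indicator,kind,seen,score\n198.51.100.7,IPv4,2024-09-30T08:00:00Z,80\nBad-Domain.example,domain,2024-10-01T12:30:00Z,65\n"
INTERNAL_JSONL = '{"ioc_type": "ipv4", "ioc": "198.51.100.7", "ts": 1727600400, "conf": 0.95}\n'

if __name__ == "__main__":
    print(json.dumps(ingest(parse_external_csv(EXTERNAL_CSV, "external-feed"),
                            parse_internal_jsonl(INTERNAL_JSONL, "internal-edr")), indent=1))
```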
Slide 16: Course Overview (section title)

Slide 17: Intelligence Lifecycle in Context of the Course
The lifecycle diagram is annotated with how each phase maps onto the course:
- Requirements & Planning: Full Module
- Collection: Full Module
- Processing & Ingestion: not a module; largely a data science and content engineering issue that is use-case and platform specific
- Analysis & Production: Two Full Modules
- Dissemination & Feedback: not a module; largely a relationship management issue that is use-case and stakeholder specific

Slide 18: Course Overview
- Requirements and Planning (Self-paced)
- Collection (Self-paced)
- Analysis (Self-paced)
- Production (Self-paced)
- Assignment & Quiz (Self-paced)
- Course Wrap Up (Live)

Slide 19: Core Modules
- Requirements and Planning (Self-paced), Collection (Self-paced), Analysis (Self-paced), Production (Self-paced)
- Office Hours: 2000 – 2200 on 9 October 2024
- Modules will include pre-recorded lectures as well as publicly available resources that students will be expected to review.
- Each module will also include an exercise to allow you to explore the real-world application of the intelligence concepts covered.
- Course instructors will hold two virtual office hour sessions (invites will be sent via email), but can also be reached directly via email.

Slide 20: Assignment, Quiz, and Wrap Up
- Assignment (Self-paced), Quiz (Virtual), Wrap Up (Live)
- The Skills Test / Quiz will be multiple choice and may include questions on any of the materials covered in the modules, including instruction, open-source materials, and exercises.
- The live Wrap Up session will serve as a recap of the course materials and allow students to raise questions and prompt discussions about any of the topics covered in the course (similar to the office hour sessions).

Slide 21: Introduction to Cyber Threat Intelligence (section title)

Slide 22: A brief introduction to Cyber Threat Intelligence
The diagram places Cyber Threat Intelligence at the intersection of two foundations: Intelligence Tradecraft and All-Source Capabilities on one side, and Technical Acumen and Telemetry on the other.

Slide 23: Defining Cyber Threat Intelligence
Cyber Threat Intelligence has no single, accepted definition within the industry, and means different things to different organizations; however, most industry professionals are likely to interpret this discipline as the collection, analysis, and dissemination of intelligence that focuses on cyber threats, which is primarily leveraged to support proactive network defense and incident response activities.

Slide 24: Focus on threat management
The definition from slide 23 is repeated with "threat management" emphasized. The diagram positions CTI within Threat Management, alongside the neighbouring disciplines of Vulnerability Management and Asset Management.

Slide 25: Focus on network defenders and incident responders
The definition is repeated with "proactive network defense and incident response" emphasized. The diagram lists the primary consumers: Cybersecurity Policymakers, Security Operations and Response, Security and Detections Engineers, and Digital Forensics Specialists.

Slide 26: Focus on cyber threats
The definition's "cyber threats" are broken down into six areas:
- Threat actor infrastructure
- Victimology
- Malware and tooling
- Targeted Systems / Data
- Tactics and techniques
- Motivations and Goals

Slide 27: Focus on cyber threats (the questions each area answers)
- Threat actor infrastructure: What infrastructure are threat actors using to conduct malicious operations? How can I detect and mitigate threats originating from this infrastructure?
- Victimology: What threats and threat actors are most likely to target my organization?
- Malware and tooling: What kinds of malware and tools have threat actors been observed using? How would I detect the presence of these executables or tools in my environment?
- Targeted Systems / Data: What types of systems, data, applications, and technologies do these threats target? How do I harden my systems, data, applications, and technologies to mitigate exploitation?
- Tactics and techniques: What tactics, techniques, and procedures are threat actors using to conduct their operations and achieve their goals? How would I detect this behavior in my environment?
- Motivations and Goals: What are the threat actors attempting to do? Steal data, extort money, disrupt operations? How do they typically impact targeted organizations to achieve these goals?

Slide 28: Focus on cyber threats (the stakeholders for each area)
- Threat actor infrastructure: Security and Detections Engineering; Incident Response; Forensics
- Victimology: Cyber Security Policymakers; Security and Detections Engineering
- Malware and tooling: Endpoint Detection; Security and Detections Engineering; Incident Response; Forensics
- Targeted Systems / Data: Cybersecurity Policymakers; Legal and Data Privacy; Security and Detections Engineering; Vulnerability and Risk Management
- Tactics and techniques: Endpoint Detection; Security and Detections Engineering; Incident Response; Forensics
- Motivations and Goals: Cybersecurity Policymakers; Legal and Data Privacy; Incident Response; Forensics

Slide 29: The bigger picture
The slide arranges the ways CTI supports Enterprise Cyber Security around the Identify, Protect, Detect, Respond, and Recover functions:
- Identify relevant threats
- Inform on related or adjacent threats
- Inform risk analysis and management
- Share relevant findings with intelligence partners
- Inform cybersecurity policy and resource allocation
- Inform security and detections engineering
- Support training and awareness
- Support proactive defense and tools changes
- Support defensive improvements
- Inform and support the incident response process
- Analyze incident artifacts and forensics
- Support detections engineering
- Support security operations and threat hunting
- Inform attack surface logging and detections coverage

Slide 30: Questions?
- Sharon Flategraff: [email protected]
- Chris Carsten: [email protected]
