NTU Cyber Threat Intelligence Lifecycle Intro PDF

Summary

This document is an introduction to a course on cyber threat intelligence offered by Nanyang Technological University. It details the Cyber Threat Intelligence Lifecycle, explaining its foundations, applications, and its role in threat-informed network defense. It's not a practitioner course.

Full Transcript

Cyber Threat Intelligence Lifecycle Course Introduction ©2023 Mastercard. Proprietary and Confidential FlexiMasters in Cybersecurity and Digital Trust Copyright 2024 Mastercard The information provided herein by Mastercard (the “Presentation”), as...

Cyber Threat Intelligence Lifecycle Course Introduction ©2023 Mastercard. Proprietary and Confidential FlexiMasters in Cybersecurity and Digital Trust Copyright 2024 Mastercard The information provided herein by Mastercard (the “Presentation”), as well as all materials, concepts, processes and methodologies employed by Mastercard or a Mastercard supplier in connection with the Presentation, are and will remain the sole and exclusive property of Mastercard (or such Mastercard Supplier). Mastercard hereby grants to meeting participants a limited, non-exclusive right to use the Presentation without the right to assign, transfer or sublicense the Presentation in any way. The Presentation is confidential, provided for informational, non-commercial purposes only. The recipient may use the Presentation for its own internal business purposes. Except with the prior written permission of Mastercard, the Presentation shall not be used for any other purpose and shall not be published or disclosed to third parties, in whole or part. Mastercard makes no warranties concerning the Presentation and disclaims all express and implied warranties to the extent permitted by law, including but not limited to ay implied warranty of merchantability, course of dealing, or fitness for a particular purpose. Recipient is responsible for its use of the Presentation, and Mastercard assumes no responsibility or liability with respect thereto. In addition, all meeting participants are reminded that this meeting must adhere to competition law rules and, as such, no confidential or commercially sensitive information ought to be shared directly or indirectly between competitors. If any member feels that a discussion includes prohibited topics, they should raise an objection immediately as to stop discussion on such matter pending advice regarding the application of competition law. Course Instructors: Sharon Flategraff: [email protected] Chris Carsten: [email protected] 3 Administrative QR Code Cameras On Raise Hand / Use Chat Feel Free to Interrupt Introductions in the Chat 4 Clip 1: Incident Response Clip 2: Intelligence Analysis Clip 3: Cyber Threat Intelligence 5 Reduced to its simplest terms, intelligence is knowledge and foreknowledge of the world around us—the prelude to decision and action by [stakeholders]. 6 Course Goals Survey course for understanding the foundations of Cyber Threat Intelligence Explore the Cyber Threat Intelligence Lifecycle and its applications Understand how the Cyber Threat Intelligence Lifecycle enables threat-informed Network Defense This is NOT a practitioner course 7 Agenda Introduction to the Intelligence Lifecycle Course Overview Introduction to Cyber Threat Intelligence 8 Introduction to the Intelligence Lifecycle 9 Overview of the Intelligence Lifecycle The Intelligence Lifecycle is a Dissemination Requirements foundational model for & Feedback & Planning conceptualizing and organizing the processes associated with the production of finished intelligence products and services. This version of the Intelligence Cycle has been tailored for cyber threat intelligence purposes Analysis & Collection Production Processing & 10 1 Ingestion 0 Requirements & Planning Dissemination Requirements The requirements and planning phase is used to & Feedback & Planning establish mission scope and intelligence requirements, which will directly influence all other phases of the intelligence cycle The mission scope is a statement of the parameters of a CTI program’s area of responsibility Intelligence requirements (IRs) are the overarching Analysis & analytic questions an intelligence team will attempt Collection to answer through its products and services Production Mission scope should generally remain static, while IRs should be adjusted regularly based on stakeholder feedback and periodic reviews Processing & Ingestion 11 1 1 Collection Dissemination Requirements & Feedback & Planning The collection phase includes all activities and processes associated with the collection of data and information relevant to the team’s mission scope and IRs. This includes identifying existing, relevant sources of data and information as well as developing a strategy to identify new, relevant sources of data and information Analysis & Collection Production Sources may include clear, deep, and dark web intelligence, external telemetry-based intelligence, and internal-telemetry based intelligence Processing & Ingestion 12 1 2 Processing & Ingestion Dissemination Requirements & Feedback & Planning The processing and ingestion phase includes all processes and engineering required to ensure data and information collected is in a format that can be appropriately analyzed In cyber threat intelligence, this phase usually focuses on processing and ingesting data and Analysis & information into analytic tools (such as a Threat Collection Intelligence Platform (TIP) solution) Production To ensure all data and information is consistent and comparable, data is usually processed to conform with a predetermined schema, taxonomy, and / or Processing & data model Ingestion 13 1 3 Analysis & Production Dissemination Requirements & Feedback & Planning Analysis and production includes all processes, methodologies, and tools used to derive assessments and produce finished intelligence products and services This includes developing appropriate product lines for target stakeholders and intelligence consumers Analysis & Most CTI products are delivered as finished Collection Production intelligence products or formal intelligence briefings Processing & Ingestion 14 1 4 Dissemination & Feedback Dissemination Requirements & Feedback & Planning The dissemination and feedback phase includes all processes, procedures, and platforms used to disseminate or deliver products and services to customers Feedback – including performance metrics, client Analysis & feedback, and feedback from client engagement Collection Production teams – is leveraged to refine, amend, or expand IRs, bringing the cycle full circle Processing & Ingestion 15 1 5 Course Overview 16 1 6 Intelligence Lifecycle in Context of the Course Largely a relationship management issue that is Full Module use-case and stakeholder Dissemination Requirements specific & Feedback & Planning Analysis & Two Full Modules Collection Full Module Production Largely a data science and content engineering issue that is use-case and Processing & platform specific 17 1 7 Ingestion Course Overview Requirements and Collection Analysis Planning (Self- (Self-paced) (Self-paced) paced) Course Wrap Up Assignment & Production (Live) Quiz (Self-paced) 18 1 8 Core Modules Requirements and Collection Analysis Production Planning (Self- (Self-paced) (Self-paced) (Self-paced) paced) Office Hours: 2000 – 2200 on 9 October 2024 Modules will include pre-recorded lectures as well as publicly available resources that students will be expected to review Each module will also include an exercise to allow you to explore the real-world application of the intelligence concepts covered Course instructors will hold two virtual office hour sessions (invites will be sent via email), but 19 1 can also be reached directly via email 9 Assignment, Quiz, and Wrap Up Assignment Quiz Wrap Up (Self-paced) (Virtual) (Live) Assignment The Skills Test / Quiz will be multiple choice and may include questions on any of the materials covered in the modules, including instruction, open-source materials, and exercises The live Wrap Up session will serve as a recap of the course materials and allow students to raise questions and prompt discussions about any of the topics covered in course (similar to the office hour sessions) 20 2 0 Introduction to Cyber Threat Intelligence 21 2 1 A brief introduction to Cyber Threat Intelligence Intelligence Technical Tradecraft Acumen and and All-Source Telemetry Capabilities Cyber Threat Intelligence 22 2 2 Defining Cyber Threat Intelligence Cyber Threat Intelligence has no single, accepted definition within the industry, and means different things to different organizations; however, most industry professionals are likely to interpret this discipline as the Cyber Threat collection, analysis, and Intelligence dissemination of intelligence that focuses on cyber threats, which is primarily leveraged to support proactive network defense and incident response activities 23 2 3 Focus on threat management Cyber Threat Intelligence has no single, accepted definition within the industry, and Threat means different things to different organizations; Management however, most industry professionals are likely to interpret this discipline as the collection, analysis, and dissemination of intelligence that focuses on cyber Vulnerability threats, which is primarily Asset leveraged to support Management Management proactive network defense and incident response activities 24 2 4 Focus on network defenders and incident responders Cyber Threat Intelligence has no single, accepted definition within the industry, and means different things to different organizations; however, most industry professionals are likely to interpret this discipline as the collection, analysis, and Cybersecurity Policymakers Security Operations and Response dissemination of intelligence that focuses on cyber threats, which is primarily leveraged to support proactive network defense and incident response activities Security and Detections Engineers Digital Forensics Specialists 25 2 5 Focus on cyber threats Threat actor infrastructure Victimology Malware and tooling Cyber Threats Targeted Systems / Data Tactics and techniques Motivations and Goals 26 2 6 Focus on cyber threats Threat actor infrastructure Victimology What infrastructure are threat actors using to conduct What threats and threat actors are most likely to target malicious operations? my organization? How can I detect and mitigate threats originating from this infrastructure? Malware and tooling Targeted Systems / Data What kinds of malware and tools have threat actors been What times of systems, data, applications, and observed using? technologies do these threats target? How would I detect the presence of these executables or How do I harden my systems, data, applications, and tools in my environment? technologies to mitigate exploitation? Tactics and techniques Motivations and Goals What tactics, techniques, and procedures are threat actors What are the threat actors attempting to do? Steal data, using to conduct their operations and achieve their goals? extort money, disrupt operations? How would I detect this behavior in my environment? How do they typically impact targeted organizations to achieve these goals? 27 2 7 Focus on cyber threats Threat actor infrastructure Victimology Security and Detections Cyber Security Policymakers Engineering Security and Detections Incident Response Engineering Forensics Malware and tooling Targeted Systems / Data Endpoint Detection Cybersecurity Policymakers Security and Detections Legal and Data Privacy Engineering Security and Detections Incident Response Engineering Forensics Vulnerability and Risk Management Tactics and techniques Motivations and Goals Endpoint Detection Cybersecurity Policymakers Security and Detections Legal and Data Privacy Engineering Incident Response Incident Response Forensics Forensics 28 2 8 The bigger picture Support defensive improvements Identify relevant threats Inform on related or adjacent Inform risk analysis and threats management Share relevant findings with Inform cybersecurity policy and intelligence partners Identify resource allocation Inform security and detections engineering Recover Protect Support training and awareness Enterprise Support proactive defense and Cyber tools changes Security Inform and support the incident response process Analyze incident artifacts and forensics Support detections engineering Support security operations and Respond Detect threat hunting Inform attack surface logging and detections coverage 29 2 9 Questions? Sharon Flategraff: [email protected] Chris Carsten: [email protected] 30 3 0

Use Quizgecko on...
Browser
Browser