Cyber Threat Intelligence

07/19/2021

According to ResearchAndMarkets.com, "The threat intelligence market size is estimated to grow from USD 5.3 billion in 2018 to USD 12.9 billion by 2023, at a Compound Annual Growth Rate (CAGR) of 19.7%". Cyber Threat Intelligence platforms use global security intelligence to detect malicious activity. These platforms get their threat intelligence feeds from vendors, analysts and other sources reporting on threats and unusual activity happening all around the world. Malicious IP addresses, domains, file hashes and other data stream in constantly from external parties, which gives organizations visibility across their networks. Additionally, these platforms provide actionable indicators that can be used to identify potential threats to an organization (such as known bad IP addresses and URLs, and malware hashes).
What is Cyber Threat Intelligence (CTI)?
"The collection, classification, and exploitation of knowledge about adversaries - collectively known as cyber threat intelligence - gives network defenders information superiority that is used to reduce the adversary's likelihood of success with each subsequent intrusion attempt. Responders need accurate, timely, and detailed information to monitor new and evolving attacks, as well as methods to exploit this information to put in place an improved defensive posture."

Threat Intelligence & Security Controls

Threat Intelligence platforms work in conjunction with the various security controls within the organization. These controls comprise endpoint platforms (endpoint security), network security platforms, incident response and threat intelligence exchange services. Threat intelligence services are generally offered from the cloud, while the controls are generally on-prem, whether an endpoint agent on your machine or a firewall/IPS in the data center. Security vendors in general process the threat intelligence in the cloud and then push it to the controls. For example, an on-prem email security appliance gets file or URL reputation from the cloud, and actions are performed based on the local policies. As the threat landscape becomes more complex, Cyber Threat Intelligence platforms have to evolve to address the changes and complexity. From a security professional's perspective, CTI is critical to every security vendor in the industry; their value proposition is CTI. Vendors will compete not on features but on threat intelligence. Threat researchers work 24/7 to hunt threats, so there is an element of ethics: these researchers have visibility of sensitive data and must ensure they operate professionally as well as ethically.

TDC Financial Services Cyber Threat Intelligence Plan

Executive Summary
  • Financial services make up 35% of all data breaches
  • TDC Financial Services as a company should invest heavily in cyber security solutions with a world-class cyber threat intelligence platform.
  • Leverage automation tools to sift through the noise
  • Track threats specific to your organization
  • Cyber security training for employees
  • Evaluate risks - not just compliance - as a way to increase security
  • Investment in improving the overall vulnerability/patch process framework and incident response teams

Top Notable Cyber Incidents of 2017-2018

Threat Horizon & Industry Outlook

  • Companies in the financial services and insurance industries will almost certainly remain a high profile target for cybercriminals, hacktivists, and APT groups.
  • The following factors may influence future targeting in these sectors:
  1. Consumer services and mobile applications that offer personal financial management are likely to be a target for credential theft
  2. Existing commodity infections such as bots can provide threat actors with a way to gain access to the networks of high value victims in the financial services sector.
  3. Cybercriminals leverage Citadel infections to install custom malware, move laterally in the network, and steal financial data

Equifax Breach
  • On Sept. 7, 2017, Equifax discovered that an application vulnerability on one of its websites led to a data breach that exposed
  • The breach was discovered on July 29
  • Equifax suffered one of the largest data breaches ever, affecting about 143 million consumers in the US; the UK and Canada were affected as well
  • The credit card numbers of 209,000 people and the personal identifying information of 182,000 people were stolen
  • Attackers entered Equifax's system in mid-May through a web-application vulnerability for which a patch had been available since March.
  • The vulnerability that attackers exploited to access Equifax's system was in the Apache Struts web-application software, a widely used enterprise platform.
  • The Apache Struts vulnerability CVE-2017-5638 is the root cause behind the Equifax data breach

Threat Actors: Targeting Financial Vertical
  • Enterprise-like cybercriminals seeking financial account data or other data they can monetize, and trying to make live fraudulent transfers
  • Advanced persistent threat (APT) groups aiming to collect intelligence capable of providing their sponsoring government with insight into the targeted company's operations, or information on potentially sensitive customers
  • Cybercrime groups: MoneyTaker, Carbanak and Cobalt
  • Nation-state APT groups

TDC Financial Services Cyber Threat Intelligence Plan
Email Security Solution
  • We know the top two threat vectors are email and web, and email in particular is often considered the gateway for malware/ransomware.
  • TDC Financial Services receives thousands of emails every day and has hundreds of people browsing its website.
  • We need to implement a solution that continually monitors email traffic, examining it for vulnerabilities and malware risk
  • The email security solution should offer comprehensive security for cloud-based mailboxes, prioritizing critical alerts and providing contextual insights into events to support categorization and containment of threats
  • The email security solution should have the industry's best cyber threat intelligence for IP reputation, file reputation, URL reputation, domain protection and third-party cyber threat intelligence feeds (STIX/TAXII)
  • The solution should support APIs and have the ability to integrate with a SIEM (Security Information and Event Management)
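To make concrete what "consuming a third-party STIX/TAXII feed" and "integrating with a SIEM" amount to on the defender's side, here is a small added Python example (my own code, not from the original page, from Cisco Talos, or from any vendor named here). It takes indicator objects shaped like STIX 2.1 as a TAXII server would return them, extracts the simple equality comparisons from their patterns (IP, domain, URL, SHA-256), refangs analyst-defanged values, and matches the result against gateway, proxy and firewall log lines, emitting one JSON event per hit in the shape a SIEM would ingest. Every indicator value and log line is constructed (RFC 5737 documentation addresses, reserved example domains, a made-up hash); the key=value log format, the field names `ts`, `src`, `ip`, `url`, `sha256`, and the functions `load_indicators`, `parse_log_line`, `match_logs` and `to_siem_events` are all assumptions of this example.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed STIX 2.1-style indicator objects, shaped like what a TAXII feed
# would deliver. All values are constructed (RFC 5737 documentation addresses,
# reserved example domains, a made-up hash); none are real IoCs.
STIX_INDICATORS = [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.45']",
     "name": "constructed: command-and-control address"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern_type": "stix", "pattern": "[domain-name:value = 'invoice-update[.]example']",
     "name": "constructed: phishing domain (defanged by the sharing analyst)"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
     "name": "constructed: malicious attachment hash"},
]

# Constructed key=value log lines from hypothetical email gateway, web proxy and
# firewall sources. The field names (ts, src, ip, url, sha256) are an assumption.
LOG_LINES = [
    "ts=2021-07-19T10:01:02Z src=email-gw sender=billing@partner.example sha256=" + "ab" * 32,
    "ts=2021-07-19T10:03:15Z src=web-proxy user=jdoe url=https://invoice-update.example/login",
    "ts=2021-07-19T10:04:40Z src=firewall action=allow ip=203.0.113.45 dport=443",
    "ts=2021-07-19T10:05:01Z src=web-proxy user=asmith url=https://docs.example/page",
]

# One equality comparison inside a STIX pattern, e.g. [ipv4-addr:value = '1.2.3.4']
# or [file:hashes.'SHA-256' = '...']. AND/OR/FOLLOWEDBY patterns are not handled.
_COMPARISON = re.compile(r"(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']*)'")

# STIX (object type, property) -> the log field it should be compared against.
_FIELD_FOR = {
    ("ipv4-addr", "value"): "ip",
    ("domain-name", "value"): "domain",
    ("url", "value"): "url",
    ("file", "hashes.'SHA-256'"): "sha256",
}

_KV = re.compile(r"(\w+)=(\S+)")


def refang(value):
    """Undo common analyst defanging so feed values compare equal to raw log values."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".").lower()


def load_indicators(stix_objects):
    """Build {log_field: {normalized_value: indicator_id}} from simple STIX patterns.

    Only single equality comparisons on the types in _FIELD_FOR are understood;
    anything else is skipped rather than guessed at, so the lookup never grows
    by an indicator we cannot match correctly.
    """
    lookup = defaultdict(dict)
    for obj in stix_objects:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for m in _COMPARISON.finditer(obj["pattern"]):
            field = _FIELD_FOR.get((m.group("obj"), m.group("prop")))
            if field:
                lookup[field][refang(m.group("val"))] = obj["id"]
    return lookup


def parse_log_line(line):
    """Parse a key=value line; derive a 'domain' field from 'url' so a URL sighting
    can also be matched against domain indicators."""
    record = dict(_KV.findall(line))
    if "url" in record and "domain" not in record:
        host = urlparse(refang(record["url"])).hostname
        if host:
            record["domain"] = host
    return record


def match_logs(log_lines, lookup):
    """Return one alert dict per (log line, matched indicator) pair."""
    alerts = []
    for line in log_lines:
        record = parse_log_line(line)
        for field, values in lookup.items():
            observed = record.get(field)
            if observed is None:
                continue
            indicator_id = values.get(refang(observed))
            if indicator_id:
                alerts.append({"ts": record.get("ts"), "source": record.get("src"),
                               "field": field, "value": refang(observed),
                               "indicator_id": indicator_id, "raw": line})
    return alerts


def to_siem_events(alerts):
    """Serialize alerts as one JSON object per line, the usual shape for SIEM ingestion."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for event in to_siem_events(match_logs(LOG_LINES, load_indicators(STIX_INDICATORS))):
        print(event)
```

Run as-is it prints three events: the attachment hash seen by the email gateway, the phishing domain reached through the proxy (matched via the host part of the URL, even though the feed value was defanged), and the firewall flow to the listed address; the benign proxy line produces nothing. A production ingester would additionally honour `valid_from`/`valid_until` and `revoked` on each indicator so stale entries drop out of the lookup, and would keep the indicator `id` on every event so the SIEM can link an alert back to the feed object it came from.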

CTI Example - Cisco Talos

TDC Financial Services Cyber Threat Intelligence Plan
Network Security Solution

  • Network Security should be simultaneously implemented to provide advanced threat protection and breach detection, safeguarding the organization against the world's most sophisticated and damaging attacks.
  • Network Security products, which include firewalls (NGFW), network-based Advanced Malware Protection (AMP) and IPS, help us know what is going on across multiple systems and servers and give us visibility across our entire infrastructure
  • Initially it is recommended to run the IPS and other products in 'monitor mode' to get a feel for how they would perform, and then quickly move them to 'block mode'
  • Network Security products and solution should get their threat intelligence from CTI platforms.
  • The IT team will be using the Central Management to propagate the latest threat intelligence and correlate information across attack vectors. Central Management helps in bringing increased operational efficiency across multiple solutions and products.

TDC Financial Services Cyber Threat Intelligence Plan
Endpoint Security Solution
  • Endpoint security is vital for our organization to protect against the latest threats (such as malware/ransomware)
  • TDC Financial Services should have a mandate to use endpoint security on every machine that is part of the organization network; otherwise the machine should be quarantined (until it is compliant)
  • The endpoint security solution similarly gets its threat intelligence from a CTI platform, e.g. Cisco AMP for Endpoints gets its threat intelligence from Cisco Talos, which is a cloud-based CTI platform.
  • TDC Financial Services should select the best-in-class solution, the one that offers the best threat intelligence across the industry.
  • The endpoint security solution should provide file trajectory information and in-depth visibility and control.

TDC Financial Services Cyber Threat Intelligence Plan
Incident Response Team and Training
  • Traditionally, financial services have limited IR staff and do not focus on training
  • TDC Financial Services should invest heavily in IR teams; this is critical. We have seen ransomware attacks on financial institutions (such as banks locked for a couple of days) in recent times where the IR teams were limited.
  • TDC Financial Services should make it mandatory for every employee to take cyber security training based on their profile.
  • Vulnerability management is also critical, since attackers exploit these vulnerabilities to gain access. Hence it is critical to patch systems on time and to monitor vendors' software releases.

Reflection
During this course we focused on threat-centric platforms, assessments, hunting and adversaries. We learnt how to build an effective Cyber Threat Intelligence plan for a large enterprise. This required a number of stages, which were covered in the early modules of this course. Cyber threat intelligence is critical to any organization and it's all about how to secure organization data or information, which includes IP, customer/partner data etc. It's all about getting visibility of threat intel within the organization. If we upscale to country or nation level, it's again all about how fast we can get threat intelligence, how fast we can remediate and how fast we can predict too.
Quoting CrowdStrike: "In the world of cybersecurity, advanced persistent threats (APTs) and defenders are constantly trying to outmaneuver each other. Organizations want to know the adversary's next moves so they can proactively tailor their defenses and preempt future attacks. To support proactive and predictive cybersecurity operations, security teams need knowledge. CTI provides that knowledge by shedding light on the unknown and enabling organizations to make better security decisions. One of the primary benefits of threat intelligence is that it helps security professionals better understand the adversary's decision-making process. For example, if you know which vulnerabilities an adversary is exploiting, you can choose the technologies and patching activities that will best mitigate exposure to those vulnerabilities. Along the same lines, threat intelligence reveals adversarial motive. When you understand what drives threat actors to perform certain behaviors, you can monitor for advanced indication and warning of potential attacks. Furthermore, intelligence helps security teams understand the tactics, techniques, and procedures (TTPs) that the adversary leverages. This understanding can be used to enhance threat monitoring, threat hunting, incident response and a variety of other cybersecurity disciplines. A clear understanding of the adversary is the foundation of a robust, proactive defense. In addition to empowering cybersecurity stakeholders, threat intelligence can empower business stakeholders, such as executive boards, CISOs, CIOs and CTOs, to invest wisely, mitigate risk, become more efficient and make faster decisions."
In the end, I must admit I gained a lot of threat intelligence information while doing research on the final project, and it's definitely going to help me professionally as well as ethically to understand how nations or organizations protect their data, which is today's currency.
Ranjan Kunwar - Capstone