Title: Cyber Threat Intelligence Program Primer
Cyber Threat Intelligence Program Primer
- CU Day
- August 29, 2016, Columbus, OH
CU Industry Challenge
- Growing small business attacks
- Shifting attack vectors/TTPs can sidestep traditional countermeasures (e.g., antivirus and anti-malware utilities)
- Need for cost-effective solutions
insights.sei.cmu.edu
CAT Domain 2 Baseline
Domain 2, Threat Intelligence Collaboration (each row: declarative statement, then comment)

Declarative statement: The institution belongs or subscribes to a threat and vulnerability information sharing source(s) that provides information on threats (e.g., Financial Services Information Sharing and Analysis Center FS-ISAC, U.S. Computer Emergency Readiness Team US-CERT). (FFIEC E-Banking Work Program, page 28)
Comment: Increasingly, situational awareness of current and emerging threats is considered foundational to effective cybersecurity risk management. As a result, financial institutions should subscribe to information sharing resources that include threat and vulnerability information for situational awareness. There are many sources of information such as US-CERT, critical infrastructure sector ISACs, industry associations, vendors, and federal briefings. There are 19 public and private information-sharing ISACs for critical infrastructure, set up for the purpose of sharing information with their constituents, between themselves, and government. US-CERT offers a free email subscription service for vulnerability alerts along with weekly summaries.

Declarative statement: Threat information is used to monitor threats and vulnerabilities. (FFIEC Information Security Booklet, page 83)
Comment: Threats and vulnerabilities that are considered important to the financial institution are monitored via identified information resources. Financial institutions can monitor threats and vulnerabilities by visiting information sharing resources on a regular basis and/or by subscribing to alerts, warnings and RSS feeds of threat and vulnerability information from the information sharing resources.

Declarative statement: Threat information is used to enhance internal risk management and controls. (FFIEC Information Security Booklet, page 4)
Comment: The financial institution associates threats, based on the targeted vulnerabilities and motivations, with the parts of the organization most likely to be targeted. Stakeholders for threat and vulnerability information are identified and involved. Examples of control enhancements could include actions taken to mitigate activity or patterns of activity associated with elevated fraud risk for electronic banking systems or plastic cards (i.e. debit or credit cards).

Declarative statement: Audit log records and other security event logs are reviewed and retained in a secure manner. (FFIEC Information Security Booklet, page 79)
Comment: Logging is enabled and a retention process is in place for assets or systems that generate important security-related event logs. Perpetrators often seek to delete audit or security logs to eliminate evidence of a computer intrusion and theft of customer or financial institution information or funds.
CAT Domain 2 Baseline (continued)
Domain 2, Threat Intelligence Collaboration (each row: declarative statement, then comment)

Declarative statement: Computer event logs are used for investigations once an event has occurred. (FFIEC Information Security Booklet, page 83)
Comment: Logs from security technologies, endpoints, and network devices provide incident responders with crucial evidence for investigations into attack activity. Logs from network devices such as switches and wireless access points, and from programs such as network monitoring software, might record data that could be of use in computer security or other information technology (IT) initiatives, such as operations and audits, as well as in demonstrating compliance with regulations. However, for computer security these logs are generally used on an as-needed basis as supplementary sources of information. Organizations should consider the value of each potential source of computer security log data when designing and implementing a log management infrastructure. (NIST 800-92)

Declarative statement: Information security threats are gathered and shared with applicable internal employees. (FFIEC Information Security Booklet, page 83)
Comment: Threat information is collected and provided to applicable individuals and/or business units. For example, social engineering is a major threat vector that requires security awareness throughout the institution.

Declarative statement: Contact information for law enforcement and the regulator(s) is maintained and updated regularly. (FFIEC Business Continuity Planning Work Program, Objective I 5-1)
Comment: Maintaining law enforcement contact information is an initial step towards effective information sharing and can facilitate more rapid incident response.

Declarative statement: Information about threats is shared with law enforcement and regulators when required or prompted. (FFIEC Information Security Booklet, page 84)
Comment: Regulator notice is required for customer data breaches under the GLBA Safeguarding Guidelines (NCUA RR Part 748 Appendix B). Responsibility for cybersecurity reporting obligations should be assigned to appropriate personnel (e.g., internal reporting, US-CERT, law enforcement).
Research on CTI Benefits
- Source: Ponemon Institute, 2015 (chart slides)
What is Cyber Threat Intelligence?
- Cyber Threat Intelligence (CTI) is the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision-making.
Cyber Threat?
- A cyber threat is the possibility of a malicious attempt to damage or disrupt a computer network or system.
Intelligence?
- Intelligence is information that has been analyzed and refined so that it is useful in making decisions.
What Intelligence is Not
- Intelligence is NOT
- data
- information
Relationship
- Figure: U.S. Department of Defense's Joint Publication 2-0, Joint Intelligence
Intelligence Aspirations
- Cyber Threat Intelligence should strive to be
- accurate
- relevant
- timely
- actionable
Developing a CTI Program
- PRIORITIZE critical assets
- IS.B.12
- ENGAGE key stakeholders
- IS.B.12
- IDENTIFY personnel
- IS.B.83
- ACQUIRE information sources
- IS.B.83, EB.B.28
- FILTER / ANALYZE the data
- IS.B.4, IS.B.83
- COMMUNICATE results
- IS.B.83
(Process diagram: Domain 1 -> Institutionalize the Process -> Domain 2)
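The ACQUIRE, FILTER / ANALYZE and COMMUNICATE steps above, as an added example that is not part of the slides: a vulnerability-alert feed (in the RSS shape of a US-CERT subscription) is parsed, matched against a prioritized asset inventory, and routed to the stakeholder who owns each asset. The feed items, asset keywords and team names are constructed for the example.

```python
# Added example (not from the slides): filter an alert feed against a
# prioritized asset inventory and route matches to stakeholders.
# Feed content, asset inventory and stakeholder names are constructed.
import xml.etree.ElementTree as ET

# Constructed RSS 2.0 feed in the shape of a vulnerability-alert subscription.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>Alert: Core banking middleware remote code execution</title>
<description>Affects AcmeCore versions 4.x</description>
<pubDate>Mon, 29 Aug 2016 09:00:00 GMT</pubDate></item>
<item><title>Alert: Phishing campaign targeting credit union members</title>
<description>Social engineering via spoofed e-banking login pages</description>
<pubDate>Mon, 29 Aug 2016 10:00:00 GMT</pubDate></item>
<item><title>Weekly summary: industrial control system advisories</title>
<description>SCADA vendors only</description>
<pubDate>Mon, 29 Aug 2016 11:00:00 GMT</pubDate></item>
</channel></rss>"""

# PRIORITIZE: critical assets, keyed by the keyword that identifies them in
# an alert. ENGAGE/IDENTIFY: the stakeholder who owns each asset (constructed).
ASSETS = {
    "acmecore": {"owner": "core-banking-team", "priority": 1},
    "e-banking": {"owner": "digital-channels", "priority": 2},
    "phishing": {"owner": "security-awareness", "priority": 2},
}

def parse_feed(xml_text):
    """ACQUIRE: return (title, description) pairs from an RSS 2.0 feed."""
    root = ET.fromstring(xml_text)
    return [(item.findtext("title", ""), item.findtext("description", ""))
            for item in root.iter("item")]

def route_alerts(items, assets=ASSETS):
    """FILTER / ANALYZE: keep only items that mention a prioritized asset.
    COMMUNICATE: group them by owning stakeholder, highest priority first."""
    routed = {}
    for title, desc in items:
        text = (title + " " + desc).lower()
        for keyword, meta in assets.items():
            if keyword in text:
                routed.setdefault(meta["owner"], []).append((meta["priority"], title))
    for owner in routed:
        routed[owner].sort()  # priority 1 before priority 2
    return routed

if __name__ == "__main__":
    for owner, alerts in route_alerts(parse_feed(SAMPLE_FEED)).items():
        print(owner, alerts)
```

Items that match no prioritized asset (the SCADA summary here) are dropped, which is the filtering step; a real program would also record them for later review rather than discard them silently.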
Types of Information Sources
- Internal
- IT and Security Infrastructure
- Employees
- Enterprise
- Managed Security Service Providers
- Business partners
- External
- Government
- Industry Associations and Networks
- Commercial Sources
Government Resources
- U.S. Computer Emergency Readiness Team (US-CERT)
- https://www.us-cert.gov/mailing-lists-and-feeds
- InfraGard
- https://www.infragard.org/
- Internet Crime Complaint Center
- http://www.ic3.gov/default.aspx
- Cyber Information Sharing and Collaboration Program (CISCP)
- http://www.dhs.gov/ciscp
- National Security Agency, Information Assurance Division
- https://www.iad.gov/iad/
Questions?
- Christina Saari, Senior Cyber Intelligence
Specialist, NCUA - csaari_at_ncua.gov
- 703-201-8805
- Tim Segerson, Dep. Dir. EI, NCUA
- segerson_at_ncua.gov
- 703-518-6397