Intelligence Preparation of the Cyber Environment – SANS Cyber Threat Intelligence Summit 2018


(soft electronic music) (audience clapping)

– I want to talk to you about intelligence preparation of the cyber environment. Here we go. As Rebecca pointed out, actually a soldier, not an officer, but yes, British army/military intelligence. Some of you may have remembered my talk from last year. Not much has really changed; the two things that really have changed in this last year for me are, I got myself an avatar, and I’ve been promoted. I’m the director of intelligence, and also now the CEO of a company called Security Alliance. I’m also a CREST-certified threat intelligence manager, which in some parts of the world, in order to create threat assessments for parts of critical infrastructure, not only does your organization have to be certified to do so, but so do the people that do it. I’m one of those people. I’m actually working on things like CBEST engagements and threat landscape work. Two particular areas of interest, insider threat and nation state fusion warfare. Really, how information operations, intelligence operations, conventional warfare, cyber warfare, how are all those glorious things coming together, and what’s conflict gonna look like in the future? As well as all that, I’m also an associate director for Gartner for cyber threat intelligence for their media consultancy team.

As I said, I’m from a military intelligence background, and that’s really why I’m here wanting to talk to you about what IPB is and what intelligence preparation of the cyber environment is, ’cause it’s kind of my old-school craft. It’s what I’m doing now, but I’ve just taken it into the cyber environment.

This was me last year, and what I want to do this year is I just wanna progress from where I was. Last year, I talked about conventional intelligence methodologies and how we are adapting those into cyber. I talked about wonderful things such as murder boarding, devil’s advocate, 10th man, all these things that we do to check our work. I talked about cones of plausibility and how we can take our scenarios, look for variables, and work out what potentially is gonna be happening in the future, and also some of those wild card things that are happening as well. I talked about backcasting, so, that’s effectively going, this is where all my really cool stuff is, and this is what people wanna get from me. These are my crown jewels and my key assets. This is where the threat actors are. What’s the stuff that happens in the middle, how are we gonna work that out? And then, towards the end, I had about two minutes on this. I said, “Why are we doing all of these things? Why are we using all these methods?” Well, what we’re trying to do is reach intelligence preparation of the battlefield. This is the definition I gave at the time. I’ll just go into it in a little bit more detail in two seconds.

Effectively, what I was saying was IPB. Now, there is intelligence preparation of the battlespace, as well as intelligence preparation of the battlefield and intelligence preparation of the environment. All slightly different things, but I’ll come on to that in a second. But what is IPB? It’s effectively the stuff, right? Define the battlefield environment: where’s my employees, where is my supply chain, where are all my assets, what’s in it, where are all of the things? What are the things that affect them? Rick mentioned it this morning, I talked about it last year with PESTLE-M, STEMPLES, some of those sub-headings that help us determine those things. Evaluate the threat. Who are they, who are the bad guys, why are they coming after me, what they’re after, how are they getting to do it, and what those attacks are actually gonna look like. What are the courses of action, which to you and me are, you know, what are the threat scenarios? That’s what IPB was. It was trying to get some form of 360-degree understanding of what was happening within my environment.

Now, last year, I was telling you all how I was a bit of a weirdo and everything is in notebooks. I work in cyber, but I don’t like computers. Effectively, I’ve regressed a little bit. I don’t have my notebooks, and natch, I just draw on the wall behind my desk and stick things to it. This is my research around intelligence preparation in the cyber environment.

What I really want to cover today is just some definitions around the differences between battlespace, battlefield environment, and actually what a cyber environment is. I just wanna also pull out some of those techniques that I talked about last year, and show you where we’ve potentially used those within the methodology of IPB. Talk about the stages, that’s the important stuff, isn’t it? How are we doing this within cyber, and why? What can we do with IPCE, why are we doing it, what’s the fallout for it, and what we should be doing with it in the future. And then, just share the three main references. There’s a lot of references that I used for the research, for those three particular cases that are really strong.

So, intelligence preparation of the battlefield. This is the definition. The definition comes from the good old US Army and the US Marine Corps. I dropped the British one from last year. But we don’t really wanna know about IPB. We wanna know about intelligence preparation of the cyber environment. Now, bad news. There is no definition for intelligence preparation of the cyber environment, so I made one up. I stole stuff from other people and other places. Really, this slide should probably have me in a turtleneck jumper on a dark background with this definition next to it, and the name and date. But effectively, this is what I’ve come up with. IPCE, intelligence preparation of the cyber environment, is a systematic and continuous process of analyzing the means and motives of threat actors, your digital environment and the digital environment in which you operate, in order to understand the likely scenarios in which you will face threat, hopefully enhancing your operational resiliency. That’s what I see IPCE as. Again, like I said, I made it up. There’s somebody out there who’s much better at this and will probably make a better definition. There’s some fallout on that, why I’ve included certain things. Old IP, I’ve included continuous. IPCE is something that we’re just doing. Chances are, I’m actually doing IPCE anyway, but I’ve just put a name on it and stolen it for myself, and made money out of you. That’s what I do, I’m a vendor. Anyway, so, another key point is
Carnegie Mellon University, I think they borrowed this from the Naval War College, actually. “The key to success in defining the virtual environment is to analyze it from an adversarial point of view.” Absolutely key, and I have a slide on that in a moment, so we’re gonna park that, and I’ll come back to it. Why are we doing it? Well, US-CERT sums it up. The ability of an organization to achieve its mission even when you’re a bit under attack. And effectively, SANS, thank you very much, “It (IPB) needs to be part of rehearsals, simulation, testing, and development now.” I’m gonna pull this one out into a specific slide in a moment as well, ’cause again, that’s really important.

I promised, so, from last year, those methodologies and where we can use them. When we are talking about scenarios, and I’m talking about looking at it from an adversarial point of view, red team SWOT. That’s less what my strengths and weaknesses are. That’s the enemy going, right, what are my strengths when I’m gonna be targeting Rob Dartnall? What opportunities is Rob giving me in order to attack him? What weaknesses have I got? How, potentially, can that be determined? Cones of plausibility, when you’re looking at your scenarios. We know what these scenarios look like, but let’s look at some of those drivers and those assumptions that we’ve made and change them, and see how those scenarios can change, and then also include those in our playbooks. And scenario generation, and my favorite, I love backcasting. You know, working out what’s happened. But what’s important, horizon scanning. For me, quite often, these exercises and what we do with IPCE is like a single point in time exercise. What we need to do is go, what’s changing in the future? What’s out there that’s gonna have an influence on me? What’s my organization gonna be like in a year, two years’ time? What’s my technology, what’s my strategy, how is that gonna evolve, and therefore, how’s my landscape going to change? If you can get there, good for you. Most people can’t.

So, IPB, then. Still not quite on IPCE, sorry. We’ll get there eventually. These are the four stages, primarily. Three main areas of research. Carnegie Mellon Software Engineering Institute, they wrote a paper on operational resiliency. The US Army, military doctrine, and the SANS Institute. You can see that they’re all fairly similar, they’re not too dissimilar. But effectively, step one, I love the terminology of the SEI. Determine the voice of the environment. That’s very 2018, isn’t it? Define the operational environment, define the battlefield. All of the things. Step two, determine the voice of the organization, which is fine, but there’s also external forces that have an influence. For me, it’s more along the lines of SANS, define the effect on the battlefield, effectively. Step three, determine the voice of the threat actor, because threat actors have voices and opinions and emotions as well, and evaluate the threat. Step four, describe use cases. For me, use cases are really important to help drive your courses of action, but they are different. But really, step four, what are those courses of action gonna be? But that’s IPB.

IPCE. People that know me know that I am, I really like simple, plain English, especially intelligence. The secret to intelligence is really strong dissemination. We all know in our industry, we’re really bad at verbalizing things. We’re very bad at disseminating our intelligence and making it appealing to the board and other people within our organization. I put things in layman’s terms all the time. It’s actually mostly ’cause I’m dyslexic and I can’t understand words with more than three syllables, but it’s fine. What does it really mean, what are we looking at? Operational environment, what’s affecting the operational environment, who are the bad guys, and how are they coming out at me? Know yourself, know the bad guys, know what different compromises look like, and know all of the things that are gonna influence the bad guys in my environment. It’s pretty simple, right? Probably mostly doing it, ’cause effectively, where we’re trying to go is situational awareness.

Now, situational awareness is a glorious thing that you will never achieve. It is something you aspire to get, but you’ll never quite get there because the environment is constantly changing. But effectively, I think this is a really great definition. “The perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status into the near future.” Okay, that’s fine. But basically, perception of everything within my environment, understanding what’s happening with them and around them, and projection of what that’s gonna play out in the future. That’s effectively what we’re aiming for with situational awareness.

Now, as I said, for me, this is really important. “The key to success in analyzing the environment is to assess it from the enemy perspective.” Forget about IPCE for a minute. Think about you as analysts. You should be finding yourselves in this mindset most of the time. It’s great what you understand your environment to be, and what you perceive the threats to be, and what you perceive to be critical data, but the enemy’s gonna have a pretty different opinion about them. Their mindset’s slightly different, and they’re gonna look at things differently. Given the situations, they may be interested in something slightly different to what you were predominantly expecting. We always need to think about it from a red team point of view. But it’s not just that, there’s somebody else as well. There’s three perspectives. There’s my perspective, there’s the enemy’s perspective, and then there’s the business. There’s neutral forces. There’s other employees, there’s my clients, there’s customers. There’s always three perspectives to everything, and you need to always look at it from those three different perspectives in order to have a really good understanding of the environment. Right, we’re getting
there, I promise. Let’s get into it. Determine the operational environment. That’s where we are in step one of IPCE. Now, you’re gonna see some mind maps. These are not exhaustive. This mind map is this big. It should be this big. They are there to give you some starting points and some ideas. Determining your operational environment, big, tough gig, right? Try and break it down into two areas. Your environment, what you control: your IT architecture, your network diagrams, your physical, tangible things that you’ve got, your servers, your racks, your firewalls, all of these things. The software and the applications that they’re built on, the operating systems, all of the vulnerabilities that are attached to them. Where is your data and your information when it’s in transit? Where is it when it’s being processed? This is your operational environment, and this is not an easy task. I will argue with anyone that tells me that they know their operational environment 100% of the time and where their data is all of the time.

But then you need to look at it from an external point of view. Where’s all of that data outside of my environment? What are my employees leaking on their profiles? Where’s my data within my supply chain? Where’s my data within my supply chain’s supply chain? What cloud services, what shadow services are my employees using on things like Dropbox? Where are they leaking code on code repositories like, well, there’s loads of them. That’s what you’ve got to try and find. I mean, hands up, who here has ever done full recon on their own organization from an enemy’s point of view to see what can be used to target you? Who does that regularly? Awesome, it’s a really fun exercise, and I know a lot of vendors do that for you, but that’s what effectively you’re trying to do. You’re trying to be the enemy and find all of those things that could be used against you. Credentials that are being leaked as part of breaches, documents that could be weaponized that are sensitive, that could be fed back into your organization.

Step two, we know all of the things, but what affects those things? Now, before I move into this, this can sometimes be a bit of a difficult exercise. I remember when I first started my army/military intelligence training, a bit into it, I started doing strategic, or I had the strategic intelligence role, and you had to put your head into a position where you were trying to perceive things that you didn’t really have a big grasp on. I was quite young at the time, and it was quite difficult for me to understand how geopolitics in Southeast Asia were affecting the role that I was doing based in London. There seemed to be a disconnect, but there’s always a connect. We talked about STEMPLES and PESTLE-M. In reading my US military doctrine for this presentation, I came across a new one. PMESII-PT, not very cool. Legal is missing, so it should probably be PMESII-PTL. I’d probably stick with PESTLE-M or STEMPLES, personally. But these are the subheadings that can give you a starting point to try and think about the effects on your environment, right? Again, this mind map should be 10 times the size it is. It’s just an idea and some starting points. What politics, national, geopolitics are affecting my environment?

There’s a caveat to this. Everyone in this room comes from a different organization. Some of your organizations are hundreds, some of them are tens of thousands, hundreds of thousands. You may operate in the US, you may operate in 128 different countries. You might operate in oil and gas, pharma, you may work in government, whatever. Some of these influences will be completely different, in fact, all of them will be completely different for every single one of you. So, President Trump doesn’t sign off on the current restrictions against Iran. What effect is that gonna have on you and your organization and your data and your information? Go toe-to-toe with North Korea, actually enter into a military conflict. Brexit for me, being a Brit. In a couple of years, we’re either gonna be swimming in the cash or we’re gonna be broke as anything, right? How’s that gonna affect my organization, how much budget am I gonna have in the future or am I not gonna have, probably not gonna have. Climate change exists, people, so how many people are gonna be working from home because the office is being flooded or whatever, opening up parts of your network that you’ve never had to open up before? That’s all great, that’s effect on the outside, but those effects occur on the inside as well. What’s my internal politics like? What’s the board’s appetite towards cyber and information assurance? What’s the business strategy? Are we going digital, are we bringing everything back in-house, are we outsourcing everything? Are we trying to make as much cash as we possibly can to float, so I’ve got no IT spend, I’ve got no security spend? These are all things that have a physical, tangible effect on your environment. Step three, determining
the badness. Ultimately, you wanna know who, what, where, when, how, why. But how do you answer that? Some of you probably have a really good idea. You’ve got use cases from your internal SOCs, you’re part of ISACs, you’ve got use cases from similar organizations. You’ve got a pretty good grasp of it. But what happens if you haven’t, and you don’t know? You’re brand-new to your CTI team, or your CTI team is, in fact, brand-new. It’s an exciting place to be, I’m quite jealous, actually. OCGs, you can start big, right? This is just a financial services institution. Very generic. Start by categories. You don’t have to start going, APT28, it’s the Russians, it’s the Russians, it’s the Russians! It’s always the Russians. It can just be on the financial services organization. Organized crime groups are gonna be interested in me. Insiders have got access to a lot of trading data. Nation states, because I operate in 50 countries, are interested in dissident data based on the massive amounts of PII that I have. You can start that big, and that is perfectly fine.

I personally use a capability and intent score. Capability times intent, capability being a score of one to five, intent being a score of one to five. It starts giving me a direction to start looking for particular actors. Once I know that organized crime groups are interested in me, I can probably start pulling those use cases and going, okay, FIN6, FIN7, Carbanak. These are the organized crime groups, these are their capabilities, this is their intent towards my organization. I can start to have a bit of a better idea of who those organizations, sorry, who are those threat actors coming at me. What do you wanna collect on those threat actors? Depends on how much resource you’ve got. Depends how much time you’ve got. This is just what I collect, this is just a screenshot from our threat match platform. It’s kind of, who are they? What’s their use cases? What’s their intent, what’s their motives? What are their TTPs at each aspect, or, sorry, each element, if they’re in a cyber kill chain? Who are they associated with? What are they likely to be doing in the future, what languages do they speak? All that kind of stuff is really good information to collect on the people that are targeting you. Oh, malware, that’s pretty helpful to know as well, what malware and tool sets they’re using is fundamental, really.

What about the scenarios? Right, we discussed this earlier. There’s two sets of scenarios, right? There’s the most likely scenarios, the ones that we’re probably going to see or are seeing, and then there’s the most dangerous scenarios, those ones that are less likely, but really high-impact and worst-case scenarios for us. We need to document all of them and show our working. Your scenarios can just be really generic and a sentence long. OCG X is going to target my cash management system in order to steal cash. Pretty simple, right? We can start with our capability. We know now we’re talking about FIN7, so we can give them a capability score of four. We know what they’re after because they’ve previously attacked that payment system. I’ve got that payment system. Intent high. I’m a big-profile bank, threat scores. I’ve put opportunity and impact at the bottom. Impact is really important to start assessing from this point of view. What’s the so-what, what’s the fallout for the business, ’cause remember, you’re trying to tell a story to the business, right? It’s not just about what’s impacting me as a cybersecurity professional or in the SOC, it’s what’s the impact to the business. Opportunity is harder to gauge at this point. Opportunity will come when you actually start to rehearse and simulate some of these attacks, but I’ll go into that in a second.

And, like I said back from 2017, timeline analysis, but backcasting is really cool for this. This is the payment system that they are gonna go after. This is where they are right now. What have they gotta do in order to get to that system? What am I gonna see, what are the combat indicators, what are the flags that are gonna crop up? When I see these things, I can start to attribute attack to somebody or identify a particular type of attack. How you do a scenario doesn’t really matter. Personally, I like to tell stories. Not in that kind of sense, what I mean is I like to write a story about these attacks. You know, how does the story start? Why are they doing it, what are they gonna do, what are we gonna see, and then, most importantly, what’s the denouement, what’s the fallout for the organization? Because not everyone’s technical, not everyone’s in a SOC. These stories work really well for the board when they start reading this story and it starts feeling real for them, as if it’s actually happening. You can attach it to some form of kill chain or a variation thereof. You may just care, how are these guys getting into my organization, how are they gonna move through it, and what are they after and how are they gonna get out? It can be as simple as that. Like I said, it doesn’t really matter. It’s about what works for you, but most importantly, what works for the audience that you’re trying to tell the story to around the threat actors.

So, where are we? Potentially somewhere near situational awareness? I kind of got a perception now of all the elements. I spent six months trying to find all the data in my organization. I’ve got a comprehension of the current situation. I know who’s targeting me. I know what’s gonna affect those types of attacks, and I’ve got an idea of how these attacks are gonna actually play out. Bit of a caveat, there’s
three levels of maturity here. Maturity one, perception, reporting on what you think before you’ve actually completed your intelligence methodologies, until you’ve done some murder boarding, until you’ve run some devil’s advocate against all of this. It’s a pretty dangerous place to be. If you think you know what threat actor might be coming at you and you think what assets they might be going after, therefore, you’ve put in a particular set of defenses, but you don’t really know. It’s gonna be expensive and dangerous. Just doing everything I’ve described, documenting it, having intelligence methodologies around it, that’s a fantastic place to be. If you’ve achieved that, good for you. And then, horizon-scanning. Like I was saying, it’s about looking into the future. Where is my organization going, sorry, that’s the third time I’ve done that. You’d think I’d learn by now. Where’s my organization going? Are we moving into a new territory, are we launching a new product? Are we building our IT architecture in a particular way? All of these things, what’s gonna happen to the threat environment over the next one, three, or five years? Really important place to be, aspirational, absolutely.

To appease those that say, “But Rob, there’s a difference between battlespace, battlefield, and environment,” you need to break this down. If you operate in multiple geographies and multiple areas, you need to do IPCE for each of those. If you operate in different industry verticals, you need to do IPCE for each of those verticals. The threats you face in North America are very different to the threats that will face you against your payment systems in Thailand or Australia or South Africa or definitely South America. You need to break that down. You can still pull these together for an operational-wide view of the environment, but having individual pictures is critical. You can really go down into quite minute details for those.

But why? What’s the point? SANS says it best, as ever, absolutely. “It needs to be part of rehearsals, simulation, testing, and development now.” The funny thing is, now was in 2001 when SANS first wrote this paper. Yeah, 16 years ago. I can do math, quick math. There’s some really good government and regulatory environments where, effectively, they call it other things, but it’s IPCE. They’re only a couple of years old. Why do we need to do it? We need to take those attack scenarios, and you need to find your favorite red team. You know those red teams that are highly certified, very expensive, use previously-seen SCVs on their previous reports, so they are good red teams, they’re not just pen testers that say they do red teams. You need to get them to test out those scenarios. Once they’ve tested out those scenarios, you’re driving the brilliance of your blue team, because the red team is gonna sit with your blue team and show you what they did. They’re gonna work together and they’re gonna enhance their capability for incident response as well, ’cause they’re constantly practicing. It’s gonna create your playbooks and your use cases, and they’re gonna get better and they’re gonna play into the SOC. It’s gonna drive your policy and hone your policy and actually make it more effective. Most importantly, when you’re doing this stuff, it’s gonna help drive the strategy a bit better, but you’re gonna find some real good tactical and operational wins that’s gonna drive your road map in a direction that’s probably less expensive, less time-consuming, and effort is pushed into the right areas.

But most importantly, from an intelligence point of view, your ICP, your intelligence collection plan, is driven by IPCE. You now know where your intelligence gaps are. You know you don’t know where’s my data. You’re not 100% sure on particular threat actors or current methodologies. You don’t really understand what the business is doing. You haven’t really integrated into HR, procurement, or business strategy or the board to find out what’s their aspirational place to be. All of these gaps will come out of your IPCE and help drive your intelligence requirements and help drive your intelligence collection plan. Really good place to be. Like I said, most of you are probably doing a form of IPCE already. I’ve just put a name to it, which has actually been about for 50 years, but hey.

Questions, so, I just wanna say, those are the three main resources. The SANS paper is fantastic. The US Army and US Marine Corps doctrine is very good, very in-depth, but it’s 212 pages long. As I said, I’m dyslexic, I won’t read that much, so the SANS paper is best. Carnegie Mellon, they’re mostly focused around operational resiliency, as that’s effectively why we’re doing it. Therefore, that’s why I put it up there as a good resource. Thank you all very much indeed. (audience clapping) (intense music)
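The capability-times-intent threat score and the most-likely versus most-dangerous scenario split described in the talk, carried through as an added worked example in Python. This is not the speaker's code, a Security Alliance tool, or the "threat match platform" screenshot he refers to. It assumes, beyond the two 1-to-5 scores the talk gives, a 1-to-5 business-impact rating per scenario (the talk only says impact sits "at the bottom" of the scenario card) so that the most-dangerous list can be ranked on impact while the most-likely list is ranked on capability times intent; the actor labels, scores, rationales and scenario sentences are constructed for a generic financial services firm, and "NS-PLACEHOLDER" stands in for an unnamed state actor.

```python
"""Capability-times-intent threat scoring with most-likely / most-dangerous
scenario ranking. Added illustration of the talk's method, not the speaker's
code. Scores, impact ratings, rationales and actor labels are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Scenario:
    """One-sentence threat scenario plus the scores that justify its ranking."""
    actor: str
    category: str      # OCG, insider, nation state, ... (the "start big" view)
    description: str   # e.g. "X targets the cash management system to steal cash"
    capability: int    # 1..5, as in the talk
    intent: int        # 1..5, as in the talk
    impact: int        # 1..5 business impact (added assumption, not from the talk)
    rationale: str     # "show your working": why these scores were given

    def __post_init__(self) -> None:
        # Reject scores outside the 1..5 scale so a typo cannot skew the ranking.
        for name in ("capability", "intent", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")


def threat_score(s: Scenario) -> int:
    """The talk's formula: capability times intent, giving a 1..25 score."""
    return s.capability * s.intent


def most_likely(scenarios: Iterable[Scenario], n: int = 3) -> List[Scenario]:
    """Scenarios we are probably going to see: highest threat score first."""
    return sorted(scenarios, key=threat_score, reverse=True)[:n]


def most_dangerous(scenarios: Iterable[Scenario], n: int = 3) -> List[Scenario]:
    """Worst-case scenarios: highest impact first, threat score as tie-break."""
    return sorted(scenarios, key=lambda s: (s.impact, threat_score(s)), reverse=True)[:n]


def category_scores(scenarios: Iterable[Scenario]) -> Dict[str, int]:
    """Highest threat score per actor category: where to start looking for actors."""
    scores: Dict[str, int] = {}
    for s in scenarios:
        scores[s.category] = max(scores.get(s.category, 0), threat_score(s))
    return scores


def render(scenarios: Iterable[Scenario]) -> str:
    """Plain-text working table for the report that goes to the business."""
    header = f"{'actor':<15}{'cap':>4}{'int':>4}{'score':>6}{'impact':>7}  scenario (rationale)"
    lines = [header]
    for s in scenarios:
        lines.append(f"{s.actor:<15}{s.capability:>4}{s.intent:>4}{threat_score(s):>6}"
                     f"{s.impact:>7}  {s.description} ({s.rationale})")
    return "\n".join(lines)


# Constructed sample scenarios for a generic financial services firm.
SAMPLE_SCENARIOS = [
    Scenario("FIN7", "OCG",
             "FIN7 targets the cash management system in order to steal cash",
             capability=4, intent=5, impact=4,
             rationale="previously attacked this payment system; high-profile bank"),
    Scenario("Insider", "insider",
             "A trader exfiltrates trading data to a competitor",
             capability=2, intent=3, impact=4,
             rationale="legitimate access to trading data; no tooling needed"),
    Scenario("NS-PLACEHOLDER", "nation state",   # placeholder label, not a real group
             "A state actor harvests dissident PII from customer records",
             capability=5, intent=2, impact=5,
             rationale="operate in 50 countries; large PII holdings; intent uncertain"),
    Scenario("Hacktivist", "hacktivist",
             "A hacktivist group defaces the public website",
             capability=2, intent=2, impact=2,
             rationale="low sophistication; reputational impact only"),
]

if __name__ == "__main__":
    print(render(SAMPLE_SCENARIOS))
    print("\nMost likely:  ", [s.actor for s in most_likely(SAMPLE_SCENARIOS)])
    print("Most dangerous:", [s.actor for s in most_dangerous(SAMPLE_SCENARIOS)])
    print("By category:   ", category_scores(SAMPLE_SCENARIOS))
```

With the constructed scores, the most-likely list leads with FIN7 (4 × 5 = 20) while the most-dangerous list leads with the state actor (impact 5, score only 10): the two lists deliberately disagree, which is the point of keeping them separate. The rationale field is what makes the table defensible when it goes through murder boarding or devil's advocate, and the range check on the scores keeps a mis-typed 6 from silently dominating the ranking.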
