
CYBER THREAT INTELLIGENCE PLAN
G LOGAN GOMBAR
8/14/2020
USD CSOL580 M7
DEFINITIONS

• Cyber Threat
• Anything that can damage, corrupt, or steal data, or disrupt an org's digital landscape and
presence

• Cyber Threat Intelligence
• The aggregation & analysis of information from multiple sources related to cyber threats
• Sources can be anything – forums, word of mouth, official newsletters, press releases
• Provides actionable insight into threats to the org or its interests
THREAT ACTOR TYPES

• Organized Crime
• Financially motivated groups, often hired by others to carry out the attacks

• Industrially & Politically motivated threats
• Political spies, nation-state hackers
• Industry competitors

• Hacktivists
• People who hack for a social or political cause

• Insider Threats
• Disgruntled employees or contractors, or staff who misuse the access they legitimately hold

• Those with no obvious motives (script kiddies, lone wolves, etc.)


THREAT ACTOR CAPABILITIES

• Range of capabilities and methods of attack
• Nation-state hackers have large funding and can develop their own exploits
• Script kiddies are limited to premade, scripted attacks

• Potential Methods of Attack, non-exhaustive list
• Phishing/social engineering
• Tricks employees into handing over credentials or sensitive data, or into running malware
• Vulnerability exploitation
• Attackers break into unpatched systems using publicly known exploits
• Misconfiguration exploitation
• Attackers take advantage of administrators not following best practices (default credentials,
exposed services, over-permissive access)
EXAMPLE COMPETITOR -
KONSTANT INFOSOLUTIONS
• Web application development company based in India, founded in 2003
• C-Suite
• Vipin Jain, CEO
• Manish Jain, Co-Founder
• Assim Gupta, President of US Business

• Threat Level
• Unlikely to target the company offensively
• Privately held, so no public market value, but still active in the market
• Received a "Top Rated" award in 2019 from SoftwareWorld
EVENT EXAMPLE 1 – MAERSK & NOTPETYA

• Who: Unknown at the time; publicly attributed by the US and UK governments in Feb 2018 to
the Russian military
• When: June 2017
• Why: Destruction; the ransom note was a cover, and paying could not recover the files
• What: The update server of a Ukrainian accounting/tax package (M.E.Doc) was poisoned with
malware that spread worldwide and rendered infected devices unrecoverable. Estimated cost
of Maersk's recovery was ~$300 million, with ~$10 billion estimated for global damage
• How: Used EternalBlue, a leaked NSA exploit against unpatched SMBv1 systems, but also
harvested credentials from memory and spread with PsExec/WMIC, so fully patched hosts on the
same network were still compromised. The patch (MS17-010) had been public since March 2017.
EVENT EXAMPLE 2 - MIRAI IOT BOTNET

• Who: Paras Jha & associates (pleaded guilty in Dec 2017)
• When: September 2016
• Why: Financial gain, hit competing Minecraft hosts
• What: A 600k+ device botnet capable of record-setting DDoS traffic; it knocked Minecraft
hosting servers, KrebsOnSecurity and OVH offline for days at a time, and after the source code
was released a Mirai variant hit Dyn's DNS service (Oct 2016), taking Amazon, Twitter and
others offline
• How: Scanned the internet for Telnet and logged in with a built-in list of roughly 60 factory
default username & password pairs, infecting devices around the world. Changing the factory
default password, or simply not exposing Telnet, would have prevented this.
EVENT EXAMPLE 3 - WANNACRY

• Who: Unknown at the time; publicly attributed by the US and UK governments in Dec 2017 to
North Korea
• When: May 2017
• Why: Financial gain, malware demanded a Bitcoin ransom
• What: Worm that encrypted computers & demanded ransom, spreading with no user action
required. Hit high-profile networks including the British National Health Service and FedEx.
• How: Used EternalBlue, a leaked NSA exploit, against unpatched SMBv1 systems. The fixing
patch, MS17-010, had been public for two months.
RISKS TO THE COMPANY

• Phishing/Social Engineering
• Exfiltrating sensitive data via social engineering is a risk to every company
• Can happen via multiple mediums – in person, email, phone, etc.

• Unpatched systems
• Have known vulnerabilities with public exploits, so they are liabilities

• Default/weak usernames & passwords
• If the login info is left at the default, anyone who can reach the device can log in and compromise it
• Weak passwords can be guessed or cracked quickly, so they offer little real protection
RISK MITIGATION - PHISHING

• Red Team Social Engineering
• In-house attempts to extract sensitive data or credentials from employees
• A minimum of one scenario per quarter (4x yearly)
• Target a small set of employees each time

• Phishing Familiarization training
• Once during in-processing, twice (2x) yearly after that
• Cover advanced phishing techniques and show the give-away signs
RISK MITIGATION – PATCHING & PASSWORDS

• Patching Process & automation
• EternalBlue exploited unpatched systems
• Review critical security patches w/in 3 days of release
• Apply patch enterprise-wide w/in 7 days using automation
• Run weekly automated security patch scans of the enterprise
• Implement SolarWinds products enterprise-wide in 90 days
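Added example (not from the original plan): the 3-day review / 7-day deploy / weekly-scan numbers above applied to a constructed scanner export. The CSV layout, hostnames and patch IDs are assumptions. The two points the numbers alone do not show: the SLA clock starts at the vendor's release date, not when the team noticed the patch, and a host whose last scan is older than the weekly cadence is reported as unknown rather than counted as patched.

```python
"""Patch-SLA compliance over a weekly scan export.

Added example, not part of the original plan. It applies the plan's numbers
(critical patches reviewed within 3 days of release, deployed enterprise-wide
within 7 days, scans weekly) to a constructed scanner export. The CSV layout,
hostnames and patch IDs are assumptions made for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

REVIEW_SLA = timedelta(days=3)    # plan: review critical patches within 3 days
DEPLOY_SLA = timedelta(days=7)    # plan: applied enterprise-wide within 7 days
SCAN_MAX_AGE = timedelta(days=7)  # plan: weekly scans; anything older is stale

# Constructed scan export (fake hosts, fake patch IDs). One row per (host,
# patch): when the patch was released, whether the host reports it installed,
# and when that host was last scanned.
SCAN_EXPORT = """\
host,patch,released,installed,last_scan
fs01,KB-CRIT-001,2020-08-01,yes,2020-08-13
fs02,KB-CRIT-001,2020-08-01,no,2020-08-13
fs03,KB-CRIT-001,2020-08-01,yes,2020-08-03
web01,KB-CRIT-002,2020-08-10,no,2020-08-13
web02,KB-CRIT-002,2020-08-10,yes,2020-08-13
"""
TODAY = date(2020, 8, 14)  # fixed "today" so the example is reproducible


def parse_export(text):
    """Parse the CSV export into dicts with real date objects."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": r["host"],
            "patch": r["patch"],
            "released": date.fromisoformat(r["released"]),
            "installed": r["installed"].strip().lower() == "yes",
            "last_scan": date.fromisoformat(r["last_scan"]),
        })
    return rows


def patch_status(rows, today):
    """Per patch: review/deploy deadlines, coverage, and hosts out of SLA.

    The SLA clock starts at the vendor's release date, not at the date the
    team first noticed the patch.
    """
    by_patch = defaultdict(list)
    for r in rows:
        by_patch[r["patch"]].append(r)

    report = {}
    for patch, hosts in by_patch.items():
        released = hosts[0]["released"]
        deploy_due = released + DEPLOY_SLA
        compliant, overdue, stale = [], [], []
        for h in hosts:
            if today - h["last_scan"] > SCAN_MAX_AGE:
                # A scan older than the weekly cadence proves nothing: report
                # the host as unknown, never as patched.
                stale.append(h["host"])
            elif h["installed"]:
                compliant.append(h["host"])
            elif today > deploy_due:
                overdue.append(h["host"])
            # else: not installed, but still inside the 7-day window
        report[patch] = {
            "released": released.isoformat(),
            "review_due": (released + REVIEW_SLA).isoformat(),
            "deploy_due": deploy_due.isoformat(),
            "coverage": len(compliant) / len(hosts),
            "overdue_hosts": sorted(overdue),
            "stale_hosts": sorted(stale),
        }
    return report


if __name__ == "__main__":
    for patch, s in patch_status(parse_export(SCAN_EXPORT), TODAY).items():
        print(f"{patch}: deploy due {s['deploy_due']}, coverage {s['coverage']:.0%}, "
              f"overdue {s['overdue_hosts']}, stale {s['stale_hosts']}")
```

Run against the constructed export on 2020-08-14, KB-CRIT-001 (released 08-01, due 08-08) shows fs02 overdue and fs03 stale, so coverage is 1/3 even though two of three hosts claim the patch; KB-CRIT-002 (due 08-17) has web01 missing but still inside its window, so nothing is overdue yet.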

• Password Audits
• Mirai botnet used factory default passwords for networked devices
• Quarterly password audits and minimum requirements help avoid this
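Added example (not from the original plan): a default/weak credential audit over a constructed device inventory, covering both the default/weak-credential risk listed earlier and the quarterly password audit above. The inventory, hostnames and policy thresholds are assumptions. The default list mixes a handful of the username/password pairs hard-coded in the leaked Mirai scanner source with generic vendor defaults.

```python
"""Default/weak credential audit over a device inventory.

Added example, not part of the original plan. The inventory, hostnames and
policy thresholds are assumptions. DEFAULT_CREDS mixes a handful of the
username/password pairs hard-coded in the leaked Mirai scanner source with
generic vendor defaults; extend it from your own vendors' documentation.
"""
import re

# Factory-default pairs. The first rows are from Mirai's scanner dictionary.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "123456"),
    ("support", "support"), ("admin", "password"), ("user", "user"),
    ("guest", "guest"), ("ubnt", "ubnt"),
    ("admin", ""), ("root", ""),  # blank passwords are defaults too
}
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12  # assumed policy minimum
REMOTE_LOGIN_SERVICES = {"telnet", "ssh", "http", "https"}

# Constructed inventory (fake devices). In a real audit the credential is
# proven by a login attempt or taken from a config export, not kept in
# plaintext in the inventory.
INVENTORY = [
    {"host": "cam-lobby-01", "user": "root", "password": "xc3511",
     "services": ["telnet", "http"]},
    {"host": "dvr-01", "user": "admin", "password": "admin", "services": ["telnet"]},
    {"host": "printer-3f", "user": "admin", "password": "Summer2020", "services": ["http"]},
    {"host": "switch-core-01", "user": "netops", "password": "c0rr3ct-h0rse-b4ttery",
     "services": ["ssh"]},
]


def password_weaknesses(pw):
    """Reasons a non-default password still fails the minimum requirements."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH}")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if re.fullmatch(r"[A-Za-z]+\d{0,4}", pw):
        reasons.append("word plus digits pattern")  # e.g. Summer2020
    return reasons


def audit(inventory, defaults=DEFAULT_CREDS):
    """Return one finding per device that fails the audit, with a severity."""
    findings = []
    for dev in inventory:
        is_default = (dev["user"], dev["password"]) in defaults
        weaknesses = [] if is_default else password_weaknesses(dev["password"])
        telnet = "telnet" in dev["services"]  # Mirai's entry point

        issues = (["factory default credential"] if is_default else []) + weaknesses
        if telnet:
            issues.append("telnet exposed")
        if not issues:
            continue

        reachable = REMOTE_LOGIN_SERVICES & set(dev["services"])
        # A default login on a remotely reachable service is exactly the Mirai
        # scenario: anyone who can reach the device owns it.
        if is_default and reachable:
            severity = "critical"
        elif is_default or weaknesses:
            severity = "high"
        else:
            severity = "medium"  # strong password, but Telnet should still go
        findings.append({"host": dev["host"], "issues": issues, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['severity']:8} {f['host']:15} {', '.join(f['issues'])}")
```

The default check is an exact pair match, so it catches the Mirai case even when the password would pass a length or complexity rule; the weakness checks only run for non-default logins, so a device never gets both "factory default" and "too short" for the same password.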
RE-EVALUATE REGULARLY

• Creating a process is time- & effort-intensive
• Organizations often create one and never touch it again

• This CTI Plan will need to be reviewed twice a year
• Ensures it keeps up with company changes, given we are a small team
• Ensures it keeps up with the changing cyber security landscape

• The Red Team, Patching, & Password Audit processes will need to be reviewed
quarterly to ensure they meet their targets
