Deloitte Cyber Threat Intelligence Cybersecurity 14

The document discusses how organizations can enhance their cybersecurity posture by moving to an intelligence-driven model. It recommends that organizations develop the ability to be secure, vigilant, and resilient against evolving cyber threats by: 1) enhancing security through defensive strategies based on known threats; 2) enhancing vigilance through early detection systems; and 3) enhancing resilience through simulated testing and crisis planning. The document also discusses how organizations can develop actionable cyber threat intelligence through experience-based learning, situational awareness, and continuous monitoring to help manage threats in a dynamic way.


Cyber Threat Intelligence

Move to an intelligence-driven cybersecurity model

Stéphane Hurtaud, Partner, Governance Risk & Compliance, Deloitte
Laurent De La Vaissière, Director, Governance Risk & Compliance, Deloitte
Sébastien Besson, Senior Consultant, Governance Risk & Compliance, Deloitte

The evolving cyber threat landscape

The business and technology innovations that organisations are adopting in their quest for growth, innovation and cost optimisation are resulting in increased levels of cyber risk. These innovations have likely introduced new vulnerabilities and complexities into the technology ecosystem. For example, the continued adoption of Web, mobile, cloud and social media technologies has undoubtedly increased opportunities for attackers. Similarly, the waves of outsourcing, offshoring and third-party contracting driven by a desire to cut costs may have further diluted institutional control over IT systems and access points. These trends have resulted in the development of an increasingly boundary-less ecosystem within which organisations operate, and thus a much broader ‘attack surface’ for threat actors to exploit.

Threat actors are increasingly deploying a wider array of attack methods to keep one step ahead. For example, criminal gangs and nation states are combining infiltration techniques in their campaigns, increasingly leveraging malicious insiders. As reported in a Deloitte Touche Tohmatsu Limited (DTTL) survey1 of global financial services executives, many financial services companies are struggling to achieve the level of cyber risk maturity required to counter the evolving threats. Although 75% of global financial services firms believed that their information security programme maturity is at level three or higher2, only 40 percent of the respondents were very confident that their organisation’s information assets were protected from an external attack. These figures apply to the larger, relatively sophisticated financial services companies. For mid-tier and small firms, the situation may be much worse, especially because resources are typically scarcer and attackers may see them as easier targets. In a similar vein, the Snowden incident has probably increased awareness of insider threats as well.

Being secure, vigilant, and resilient is a must

Organisations have traditionally focused their investments on becoming secure. However, this approach is no longer adequate in the face of the rapidly changing threat landscape. Put simply, organisations should consider building cyber risk management programmes to achieve three essential capabilities: the ability to be secure, vigilant and resilient.

Enhancing security through a ‘defence-in-depth’ strategy: a good understanding of known threats and controls, industry standards and regulations can help organisations to secure their systems by designing and implementing preventive, risk-intelligent controls. Based on leading practices, organisations can build a ‘defence-in-depth’ approach to address known and emerging threats. This involves a number of mutually reinforcing security layers which provide redundancy and potentially slow down, if not prevent, the progression of attacks in progress.

Enhancing vigilance through effective early detection and signalling systems: early detection, through the enhancement of programmes to detect both the emerging threats and the attacker’s moves, can be an essential step in containing and mitigating losses. Incident detection that incorporates sophisticated, adaptive signalling and reporting systems can automate the correlation and analysis of large amounts of IT and business data, as well as various threat indicators, on a company-wide basis. Organisations’ monitoring systems should work 24/7, with adequate support for efficient incident handling and remediation processes.

Enhancing resilience through simulated testing and crisis management processes: resilience may be more critical as destructive attack capabilities gain steam. Organisations have traditionally planned for resilience against physical attacks and natural disasters; cyber resilience can be treated in much the same way.

1 ‘2012 DTTL Global Financial Services Industry Security Study,’ Deloitte Global Services Limited, September 2012
2 Survey defines 1-5 levels of maturity of organisation’s information security programme. Level 3 – defined (set of defined and
documented standard processes, some degree of improvement over time); level 4 – managed (process metrics, effective
management control, adaption without loss of quality); level 5 – optimising (focus on continuous improvement, innovation)

Developing ‘actionable’ cyber threat intelligence

Executives recognise that becoming a learning organisation where intelligence drives actions is likely to be increasingly important for success across multiple dimensions. The realm of cybersecurity is no different, as real-time threat intelligence can play a crucial role in enabling security, vigilance and resilience.

“Availability of real-time intelligence can help organisations prevent and contain the impact of cyber attacks: a recent study3 from the Ponemon Institute revealed that surveyed IT executives believed that less than 10 minutes of advance notification of a security breach would be sufficient time for them to disable the threat. Even with only 60 seconds’ notification after the compromise, costs of security breaches may be reduced by an average of 40%”.

By intelligence, we are not only referring to the collection of raw data about known threat indicators, as is provided by many vendors in the form of threat-intelligence feeds. Threat intelligence is also the ability to derive meaningful insights about adversaries from a wide range of sources, both internal and external, through automated means, and through direct human involvement.

To be actionable, threat data should be viewed in a context that is meaningful to the organisation. As a company develops greater maturity in its data gathering and processing capabilities, automation can be leveraged to better filter and highlight information that is directly relevant to important risk areas. In this way, threat intelligence becomes the foundation on which a firm builds its secure, vigilant and resilient capabilities.

So, how can organisations create that dynamism and move to an intelligence-driven cybersecurity model?

[Figure: from experience-based learning and situational awareness to real-time intelligence]

Experience-based learning:
• Knowledge share within firm and industry participants
• Leading practices from other industries

plus

Situational awareness:
• Continuous monitoring
• Correlate risk signals and indicators

Outcome: with real-time intelligence, organisations can dynamically manage cyber threats

Secure: preventive aspect of the program (known threats)
Vigilant: discovery of emerging threats/early infiltrations (predictable threats)
Resilient: incident analysis and response/recovery processes (unpredictable threats)

3 ‘Live Threat Intelligence Impact Report 2013,’ Ponemon Institute (sponsored by Norse Corporation), July 2013

Experience-based learning

Just as cyber attackers play on their target’s weak spots, so can organisations develop a sound understanding of the attackers and identify their Achilles’ heels. Organisations can attempt to learn from past intrusions within the individual firm and at the industry level. Many companies can also borrow lessons from other industries, to implement new techniques, playbooks and controls. These lessons include understanding the nature of the attack, tactics and patterns, and containment strategies, and raise some questions that the organisation should consider to safeguard themselves from the onslaught of cyber attacks:

• Who are potential attackers and what are their motives?
• How do these cyber attackers manage such high attack success rates?
• Is it just the attackers’ expertise or are the victims unwitting enablers? If yes, in what way, and how can that be fixed?
• What are some of the common challenges that attackers face while infiltrating organisations’ systems?
• How are other organisations/industries dealing with such attacks?

Situational awareness

Organisations can consider supplementing experience-based learning with a continuous monitoring programme, focused on both external and internal threats. Continuous monitoring can help capture the risk signals and indicators across the ecosystem in order to develop a situational awareness of the threat environment. It assists organisations in identifying attack patterns and moving from being reactive to proactive in their defence and response mechanisms. Continuous monitoring also begins to address the speed-of-response issue that attackers are using against the financial services industry.

Cyber threat intelligence acquisition and analysis

The overall cyber threat intelligence acquisition and analysis process can be summarised as follows:

[Figure: cyber threat intelligence acquisition and analysis process]

Inputs:
• External cyber threat intelligence feeds: commercial feeds, law enforcement, industry associations, security researchers, underground forums, hash databases, GEOIP data
• Internal threat intelligence feeds: fraud investigations, security event data, abuse mailbox info, vulnerability data, sandboxes, human intelligence
• Proactive surveillance: honeynets, malware forensics, brand monitoring, P2P monitoring, DNS monitoring, watchlist monitoring
• Infrastructure logs, application logs and technology configuration data

Processing: cyber threat intelligence collection, research and analysis process, producing threat intelligence reporting

Outputs:
• Risk assessment process: risk acceptance, risk mitigation, risk remediation
• Urgent security control updates
• Threat intelligence reporting to line of business teams; security, fraud and operational risk teams; third parties and subsidiaries

External intelligence feeds
• Publications
• Law enforcement sources
• Industry associations
• Security vendors
• Underground forums
• Hash databases
• GEOIP data

Internal intelligence feeds
• Fraud investigations
• Security event data
• Abuse mailbox information
• Vulnerability data
• Sandboxes
• Human intelligence

Intelligence gathering

Gathering intelligence is a continuous activity. It involves choosing ‘promontories’ from which to scan the external environment and monitor the internal environment. Another way to think of them would be as ‘channels’ (akin to radio or television channels) through which you can monitor these environments. Promontories or channels include those that constitute external and internal cyber threat intelligence feeds.

While it pays to cast a wide net, there is always the factor of cost and the danger of sacrificing depth for breadth. So pick and choose your ‘feeds’ given your industry, needs and capabilities. Not every source will be useful to every organisation, and some will be more useful than others to a given organisation.

Proactive surveillance rounds out the intelligence gathering effort. Resources here include honeynets, malware forensics, brand monitoring, DNS monitoring and watch list monitoring.

A few of the specific technologies on which to focus threat research include the following:

Internet applications: online transactions, HR systems, wire systems, websites
Mobile computing: smartphones, mobile networks, text messaging services
Personal computers: operating systems, third-party applications, USB storage devices
Banking devices: ATMs, kiosks, RFID-enabled smartcards
Telephony: voice response units, VoIP phones and PBXs, voicemail
Identity management and authentication: log-on, password, user code and other IAM technologies

Another potential source of intelligence would be the resources that potential adversaries use. Again, the goal should be to focus on devices and applications that expose the organisation’s most valuable data, processes, activities and infrastructure to the most risk.

Once a rich mix of intelligence is being acquired, efforts turn to analysis.

Intelligence analysis

The amount of data derived from broad-based intelligence gathering can be staggering. Therefore, analysis includes statistical techniques for parsing, normalising and correlating findings, as well as human review.

Six questions should drive this analysis:

1. How can we improve our visibility of the environment?
2. What new technologies do we need to watch for and monitor?
3. Do we have vulnerable technologies and data?
4. To what extent will our existing controls protect us?
5. Which industries are cyber criminals targeting and which techniques are they using and/or planning to use?
6. How can we identify actionable information?

This analysis should be conducted within a risk management process built around well-defined risk identification, prevention, detection, communication and mitigation activities. A cyber risk management process prioritises threats, analyses threats, detects a threat before, during or after actual occurrence, and specifies the proper response. The latter may consist of remediation, control updates, vendor or partner notification, or other actions. Analysis, such as failure modes and effects analysis, provides a feedback mechanism, such as lessons learned, to constantly improve the effectiveness of the analytics being performed.
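As an added illustration (not part of the Deloitte article), the following Python sketch shows the normalise-and-correlate step described under intelligence analysis together with the contextual filtering described under ‘actionable’ intelligence: two constructed feeds in different vendor formats are merged into one schema, matched exactly against constructed internal DNS and proxy events, and ranked higher when a second feed corroborates the indicator or the affected host is one of the assumed critical assets. The feed formats, hostnames, indicator values and scoring weights are all assumptions.

```python
import csv
import io
import json

# Constructed sample feeds in two vendor formats (documentation-range values, not real IoCs).
COMMERCIAL_FEED_JSON = json.dumps([
    {"type": "domain", "value": "Updates.Example-Bad.TEST", "confidence": 80},
    {"type": "ipv4", "value": "198.51.100.23", "confidence": 60},
])
INDUSTRY_FEED_CSV = ("indicator,kind,score\n"
                     "updates.example-bad.test,fqdn,7\n"
                     "203.0.113.9,ip,9\n")
# Constructed internal security event data (DNS and proxy monitoring).
INTERNAL_EVENTS = [
    {"source": "dns", "host": "wire-gw-01", "dest": "updates.example-bad.test"},
    {"source": "proxy", "host": "hr-app-03", "dest": "198.51.100.23"},
    {"source": "proxy", "host": "kiosk-12", "dest": "203.0.113.250"},
    {"source": "dns", "host": "wire-gw-01", "dest": "cdn.example.test"},
]
# Hostname prefixes of systems that expose the most valuable data and processes (assumed).
CRITICAL_ASSET_PREFIXES = ("wire-", "hr-")
TYPE_ALIASES = {"fqdn": "domain", "ip": "ipv4"}  # vendor vocabularies differ


def normalise_feeds(feed_json, feed_csv):
    """Merge both feed formats into one schema: {(type, value): (confidence, feed_count)}."""
    merged = {}
    for entry in json.loads(feed_json):
        merged[(entry["type"], entry["value"].lower())] = (entry["confidence"], 1)
    for row in csv.DictReader(io.StringIO(feed_csv)):
        key = (TYPE_ALIASES.get(row["kind"], row["kind"]), row["indicator"].lower())
        conf = int(row["score"]) * 10  # map the 0-10 vendor scale to the common 0-100 scale
        old_conf, n = merged.get(key, (0, 0))
        merged[key] = (max(old_conf, conf), n + 1)  # a second feed corroborates the indicator
    return merged


def correlate(indicators, events, critical_prefixes=CRITICAL_ASSET_PREFIXES):
    """Match internal events against indicators; rank hits by relevance to the organisation."""
    by_value = {v: (t, conf, n) for (t, v), (conf, n) in indicators.items()}
    hits = []
    for ev in events:
        match = by_value.get(ev["dest"].lower())  # exact match only: no substring guesses
        if match is None:
            continue  # a feed entry never seen internally is raw data, not actionable yet
        itype, conf, n = match
        critical = ev["host"].startswith(critical_prefixes)
        priority = conf + 10 * (n - 1) + (30 if critical else 0)
        hits.append({"host": ev["host"], "indicator": ev["dest"], "type": itype,
                     "feeds": n, "critical_asset": critical, "priority": priority})
    return sorted(hits, key=lambda h: h["priority"], reverse=True)
```

Running `correlate(normalise_feeds(COMMERCIAL_FEED_JSON, INDUSTRY_FEED_CSV), INTERNAL_EVENTS)` surfaces only the two sightings on critical hosts, with the feed-corroborated domain ranked first; the unmatched kiosk and CDN events stay out of the report.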

Becoming a learning organisation

For many firms, becoming a learning organisation implies a need to develop an approach to address weaknesses in understanding their attackers’ motives and methods. Learning from each experience and sharing information both within and outside the organisation will likely help many organisations deal with weaknesses in their ability to discover and recover from attacks.
