Cyber Threat Intelligence
What is Cyber Threat Intelligence?
- The acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities to offer courses of action that enhance decision making. [1]
- Intelligence can make a significant difference to the organization’s ability to anticipate breaches before they occur, and its ability to respond quickly, decisively and effectively to confirmed breaches. [2]
- The idea behind cyber threat intelligence is to provide the ability to recognize and act upon indicators of attack and compromise scenarios in a timely manner. [3]
Cyber Threat Intelligence Plan (CTIP)
The following is an example of how an organization can use cyber threat intelligence to strengthen its security posture, written as a proposal for a fictitious utility company.
Executive Summary
As a major utility in the United States we must comply with NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection), a set of requirements designed to secure the assets required for operating North America's bulk electric system (see the NERC CIP Critical Infrastructure Protection Cyber Security Standards section below). These requirements focus on controls for change management, access control, perimeter protection, incident response, recovery and reporting. CIP places its emphasis on ensuring that utilities are ready to respond to serious incidents. We need to do more: we need to position ourselves so that we can prevent some of these serious incidents from happening. We want to be proactive instead of reactive, to predict malicious events before they happen or to interdict them before threat actors accomplish their goals. Cyber intelligence enables risk reduction either by eliminating a threat outright or by providing the context needed for faster identification, remediation and response.
This proposal is about using cyber intelligence to strengthen our security posture by getting ahead of the threats: to prevent cyber events before they happen and, when they do happen, to be better prepared to respond and remediate effectively and efficiently.
We want to use cyber intelligence to reduce risk and exposure by leveraging knowledge provided by our vendors, partners, service providers and the intelligence community. We need to stay ahead of the threats and learn about them before they become incidents, and cyber intelligence is the most direct way to accomplish this.
The proposed solution includes a threat intelligence subscription from a vendor. The vendor collects cyber threat intelligence from multiple sources, including its customers, technology partners, service providers, open source feeds and sector-specific information sharing sources. All of this information is collected, analyzed, processed and delivered to subscription customers.
What and Who are we protecting against?
As a major utility, we need to protect our critical infrastructure against many threat actors. The December 2015 power outage in Ukraine is an example of what is possible given malicious motivation by threat actors. In that event roughly 225,000 customers were without power for several hours: the attackers gained access to the SCADA distribution management systems and disconnected substations. [5] This is one example of what might happen, but there are other threat actors with different motivations and capabilities that could potentially target a utility (see table below).
The Proposed Solution
This solution will address the following:
- Improve the ability to prevent and detect breaches earlier in the kill chain.
- Prioritize alerts in a timely manner.
- Significantly reduce NERC CIP non-compliance risk (penalties of up to $1 million per day per violation)
- Implement more efficient security operations and management
The proposed solution consists of:
There are many threat intelligence services available in the market. They all collect and deliver data about emerging threats. One of the requirements for this solution was to find a platform that enables automation of threat detection, prevention and mitigation: automation not only significantly reduces operating costs, it also dramatically shortens the time to detection and remediation, which in turn reduces risk.
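The kind of automation the proposal asks for starts with matching the indicators a subscription delivers against the organization's own logs and ranking the hits so analysts see the most urgent first. The following is an added example, not code from the original proposal or from any vendor's platform; the feed layout (type, value, confidence, kill-chain phase), the syslog-style log format, the sample data and the scoring weights are all assumptions chosen for illustration.

```python
"""Added example: match a threat-intelligence indicator feed against
firewall/proxy/endpoint log lines and prioritize the resulting alerts.
Feed format, log format, sample data and scoring are assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator feed in the shape a subscription might deliver.
# All values are fictitious (documentation/test ranges and a dummy hash).
INDICATOR_FEED = """\
type,value,confidence,phase
ipv4,198.51.100.23,90,command-and-control
domain,update-check.example,75,delivery
cidr,203.0.113.0/24,60,reconnaissance
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,95,installation
"""

# Constructed log lines (key=value fields after a timestamp and a source tag).
SAMPLE_LOGS = """\
2016-03-01T10:00:01Z fw src=10.0.5.14 dst=198.51.100.23 dport=443 action=allow
2016-03-01T10:00:05Z proxy src=10.0.5.14 host=update-check.example uri=/a.bin action=allow
2016-03-01T10:00:09Z fw src=10.0.7.2 dst=203.0.113.77 dport=22 action=deny
2016-03-01T10:00:12Z edr host=ws-014 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 action=quarantine
2016-03-01T10:01:00Z fw src=10.0.5.14 dst=192.0.2.9 dport=80 action=allow
"""

# Assumed weighting: a hit later in the kill chain is more urgent.
PHASE_WEIGHT = {
    "reconnaissance": 1, "weaponization": 2, "delivery": 3, "exploitation": 4,
    "installation": 5, "command-and-control": 6, "actions-on-objectives": 7,
}

@dataclass(frozen=True)
class Indicator:
    type: str
    value: str
    confidence: int
    phase: str

@dataclass(frozen=True)
class Alert:
    line: str
    indicator: Indicator
    score: int

def parse_feed(text):
    """Parse the CSV feed (header skipped) into Indicator records."""
    rows = [r for r in text.splitlines()[1:] if r.strip()]
    return [Indicator(t, v, int(c), p) for t, v, c, p in (r.split(",") for r in rows)]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_log(line):
    """Extract key=value fields from one log line."""
    return dict(FIELD_RE.findall(line))

def match_fields(fields, indicators):
    """Return every indicator that matches the parsed fields of one line."""
    dst, host, digest = fields.get("dst"), fields.get("host"), fields.get("sha256")
    hits = []
    for ind in indicators:
        if ind.type == "ipv4" and dst == ind.value:
            hits.append(ind)
        elif ind.type == "cidr" and dst and \
                ipaddress.ip_address(dst) in ipaddress.ip_network(ind.value):
            hits.append(ind)
        elif ind.type == "domain" and host and \
                (host == ind.value or host.endswith("." + ind.value)):
            hits.append(ind)
        elif ind.type == "sha256" and digest and digest.lower() == ind.value:
            hits.append(ind)
    return hits

def score(ind, fields):
    """Confidence times kill-chain weight; doubled if the traffic was allowed."""
    s = ind.confidence * PHASE_WEIGHT.get(ind.phase, 1)
    if fields.get("action") == "allow":
        s *= 2  # the connection got through, so this needs attention first
    return s

def prioritize(logs, indicators):
    """Match all log lines and return alerts sorted by descending score."""
    alerts = []
    for line in logs.splitlines():
        if not line.strip():
            continue
        fields = parse_log(line)
        for ind in match_fields(fields, indicators):
            alerts.append(Alert(line, ind, score(ind, fields)))
    return sorted(alerts, key=lambda a: a.score, reverse=True)

if __name__ == "__main__":
    for a in prioritize(SAMPLE_LOGS, parse_feed(INDICATOR_FEED)):
        print(a.score, a.indicator.phase, a.line)
```

Run as-is, the allowed connection to the command-and-control address ranks first, the quarantined installer hash second, the allowed download from the delivery domain third, and the denied scan from the reconnaissance range last; the benign line produces no alert. In a real deployment the feed would be refreshed continuously, indicators would carry expiry and source attribution, and the sorted alerts would be pushed to the SIEM or to a blocking control rather than printed.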
NERC CIP Critical Infrastructure Protection Cyber Security Standards
The NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) plan is a set of requirements designed to secure the assets required for operating North America's bulk electric system. All major utilities must comply with the following standards.
NERC CIP Version 5 Cyber Security Standards:
- CIP-002-5 Bulk Electric System (BES) Cyber System Categorization
- CIP-003-5 Security Management Controls
- CIP-004-5 Personnel and Training
- CIP-005-5 Electronic Security Perimeter(s)
- CIP-006-5 Physical Security of BES Cyber Systems
- CIP-007-5 Systems Security Management
- CIP-008-5 Incident Reporting and Response Planning
- CIP-009-5 Recovery Plans for BES Cyber Systems
- CIP-010-1 Configuration Change Management and Vulnerability Assessments
- CIP-011-1 Information Protection [5]
[1] Carnegie Mellon University SEI. (n.d.). Cyber Intelligence. Retrieved from http://www.sei.cmu.edu/about/organization/etc/cyber-intelligence.cfm
[2] Ernst & Young. (2014). Cyber threat intelligence - how to get ahead of cybercrime. Retrieved from http://www.ey.com/Publication/vwLUAssets/EY-cyber-threat-intelligence-how-to-get-ahead-of-cybercrime/$FILE/EY-cyber-threat-intelligence-how-to-get-ahead-of-cybercrime.pdf
[3] Shackleford, D. (2015, February). Who's Using Cyberthreat Intelligence and How? Retrieved from https://www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767
[4] NIST. (2014, February 12). NIST Roadmap for Improving Critical Infrastructure Cybersecurity. Retrieved from https://www.nist.gov/sites/default/files/documents/cyberframework/roadmap-021214.pdf
[5] NERC. (2015). CIP Standards. Retrieved from http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx