Thank you very much, Osman. Nice to be your friend when you introduce me. So thank you very much everybody for being here. I'm going to step into more practical CTI and mainly focus on organizations.
You know, it was great to hear Andrea's, you know, presentation regarding what are the major concerns and why do we need CTI. Here, we would like to know then how do we adopt CTI in an organization and what are the things we are missing normally, based on my experience.
So, Ruth, I haven't introduced myself yet. My name is Patrick Schirasi. I'm a security advisor in a Swedish bank called Swedbank, easy to remember. And at the same time, I'm doing security research in university. So what you are going to hear is both my practical background and also, I can say, a review of 600 academic papers in the last year. So then let's go get it. You might remember or you definitely know Mike Tyson, the famous American boxer. Someone asked him, are you worried about someone who comes to be your opponent and that person has a plan? And then he said something really interesting.
He said everyone has a plan until they get punched in the face. And it means when you get punched in the face, all your plans just go away. That's the same thing in security. Everything is great, looks great, before you get an incident. And when you have an incident, everything goes away, you know, that level of stress, anxiety, and you know, you need to report to 10 people, 20 people, everything that really prevents you from having, let's say, a solid plan at that time.
Now, that's why we need CTI. CTI is there to make sure you can predict them as much as possible, because you will get breached, no doubt. You might have been breached already. CTI helps you predict that.
Now, what is CTI practice in organizations? Pretty much something like this.
You know, you have a CTI team, some nerds, normally sitting in a basement, and they are doing some data gathering. There are some data sources, there are some threat feeds, and you know those data sources could be gathered manually, could be gathered through some tools that they are going, scanning dark web, you know, everywhere, gathering Intel. So these people gather them all together, and then there are some other tools for correlation, normalization, you know, removing these anomalies, and some analysis. So they gather Intel, they analyze Intel, and they will share it with different teams.
Like, hey, if you are in a tech team, we have found there is an APT doing these things, and they are targeting us, probably. So get ready. There is a vulnerability in that platform, or talking to SOC team, or IT security team.
Okay, be prepared. We have seen this trend is coming up with these type of institutes, and we are one of them.
So, okay, is this working properly? Main question is, is CTI actionable? And then I can tell you this is a misconception. It is not really actionable. A set of connected tools never makes it actionable. And that's why, you know, normally CTI people say, we are sending mails, we are informing others, but no one's paying attention. And that's no wonder. That's how it should be, you know, with that setup. So first action to do in an organization, make sure you are adopting a TIP, Threat Intelligence Platform, not set of connected tools, not set of islands, a platform. And why a platform?
Because, you know, when you have a platform, this is just contextual, it is a conceptual thing, let's say. So when you have a platform, you have definitely threat feeds, and sources, and other things. Then you have some capabilities like ingestion, normalization, contextualization, scoring of those threats, all of those, and these platforms can talk to each other.
Now, your IT infra doesn't matter which tool or what other platform, they can connect to them automatically, they can integrate to each other, and use those in their services. So your SIEM tool, for example, could be a very good receiver of those, you know, your own incident recovery plans, everything. And there are users, you know, you don't need to tell them by email, or meetings, or whatever, they will get it automatically. That's the first step to do action one, having a platform thinking, not just tools.
But again, now a question, is this actionable, having that? Of course, the way I ask, looks like no, but it is no, actually. Many organizations said, we have paid a lot of money, and we have purchased a lot of tools, but where do we see CTI, you know, why should I pay more for it? And then there is a point in here, just having a platform won't make it actionable. A platform is just a tool, you know, you need to have proper data there, you need to use a platform in a good way, and what good way is it? Making sure it is integrated to your processes.
You know, I can tell you one million examples, based on experience, but if I just summarize it, CTI seems to be too technical, so you just see some nerds. You know, IT is there to support the business, IT is not IT only for IT, it's there to support the business. So you need to make sure it is integrated to your business. And how? I can tell you a couple of components there.
You know that we have different types of CTI, we have strategic CTI, we have technical, tactical, operational, you know, in some sources they combine these two, you know, doesn't matter, but you know, on each type of CTI, we have different things to be covered. And you have your CTI platform, regardless of which of those, you need to make sure you have integration with these four major components of your business. So I will start one by one, I'm going through them quickly, I know that we are behind time a little bit, so I make it a bit fast.
So first of all, it is a must, IT service management. If you don't have an IT service management, of course that's another problem, but if you have it and your CTI is not there, then your CTI is not actionable. I can guarantee that. What is IT service management? You have your service catalog, you have all your assets there, and you connect everything to those, like your incident management, change management, who is the owner of that, you know, expiration, all of those information are there, audits, whatever. Your CTI needs to connect there.
One of those assets could be, for example, your active directory, a simple thing, a simple example, not a simple thing, it's really complicated, but if this is your active directory, you know who's the owner, who is using it, what are the risks assigned to this active directory. Now your CTI should also connect to that, like your platform says, we found this threat and it is bound to this one, so you will see the full history. The owner of that platform, that tool, can see all of those threats. That's the first step to make it actionable.
Next one, you know, security without risk management is nothing. So how do you see your threat intelligence into your risk management processes?
You know, if it doesn't end up there, no one takes it seriously. There was a case study in academia showing that the higher the grade of the manager, the lower the trust towards CTI.
So engineers trust CTI easier, you know, but if you talk to a C-level manager, these people talk a lot, yes, but nothing happens, you know, and that's the problem of security, maybe, you know, people say we pay you a lot of money, but nothing happens, you know what I'm saying, you know, you pay us a lot of money to make sure nothing happens, we are there for that, but it needs to be visible, you know, does this threat intel that we found really expose any risk, then it has to be there, you know, you don't see that that often, that's another challenge.
Of course, you need to make sure you see that in your security architecture, depends on what type of reference architecture are you using, you might use Microsoft reference architecture, you might use Gartner mesh architecture, there are different types of these, but you need to make sure in your target architecture you have CTI bold there.
And last but definitely not least, threat risk landscape, you know, in your organization, if you don't have a threat risk landscape well developed, then you need to have, you know, you have to have it, and then you need to make sure your threat input is there, you know, it's visible there. So having those, it's one big step toward making it actionable.
Now, okay, we said all of these nice things, imagine you have enough money and budget and time and everything to make this happen, does it really make it actionable? And if it makes it actionable, then how can I ensure I have proper tool, how to buy it, you know, what am I going to look for?
Sorry vendors, but you know, when you move toward any conference and you see vendors, you know, every tool is supposed to be the next big thing and solve all the problems, and you know, that's a misconception here as well, that, you know, even the best platform in the world cannot work with your faulty data or with your low quality data, you know, it's not a silver bullet, you buy something like a platform, but when you are going to adopt it in your organization, you don't have a proper risk management, you don't have a proper ownership, you don't have a proper support, so don't expect that.
However, you need to buy something, you need to adopt something. And how to select one? I can give you a couple of insights here. So you have your, first of all, define your threat risk landscape. If your kingdom is here, there are so many other people there, but who's the adversary? You need to know who's your adversary. If I just tell you one simple point, who's adversary?
Now, first of all, someone who has the capability to harm you. If I make a very simple example, Osman here, he has the capability to punch me in the face, definitely he has that, but does he have the intent to do so? I hope not, but if he has, so then he's a potential adversary to me. And if he has the opportunity, it means, you know, he approaches closer and closer and closer, it is getting, you know, higher and higher and higher threat scope. Many times you see there are adversaries detected which are not really adversary, or they are far away from you.
So first of all, and you are not going to fight them all, I can tell you why. You know, if you look at MITRE ATT&CK framework, there are 163 known organized groups, APTs. These are organized ones, very well organized ones, all over the world. And there are 656, if I am not mistaken, when you sum it up together, techniques. So you have TTPs, tactics, techniques, procedures, and these are so many. Are you going to fight them all? No one on this earth can do that, really. You need to prioritize who you are going to protect against.
You know, from you guys that are from US, you might know David Mamet, and he's a famous drama writer. You know, he once said, every drama scene needs to answer three questions. Who wants what from whom? What if you don't get it, and why now?
So here, who wants to protect what from whom? You need to be careful about that first.
Okay, now, if you have MITRE ATT&CK as a, let's say, platform there, as let's say, as a reference, I would say, so you might say, what are your current capabilities? You might go to MITRE ATT&CK and see, I can say, regarding initial access techniques, those green ones are the ones that I am pretty sure I have very good coverage of. Good. Yellow ones, or orange ones, are the ones that I'm not really good at, I'm partially good at, and white ones, I have absolutely no coverage. So that's acceptable. Your organization can cover them all.
Now, let's go and assess our adversary. You might have known, according to what I already said, you might have seen, we have these five, six, seven major adversaries against us. You might be a financial institute somewhere, and you are getting attacks from some of those. These are normally those red ones. Adversary main tactics and techniques that they are using.
Okay, you have them as well. Now, let's combine them together, you know. These areas are the gaps. These areas are the areas that, you know, your APTs are so good at, but you have no coverage.
So, these are your pain points. Okay, what to do?
Now, go look for a tool, or for a platform, or for something that can cover those gaps. Don't just go buy something blindly. It won't solve any problem for you.
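The gap analysis described above (your coverage of ATT&CK techniques, the techniques your in-scope adversaries use, and the intersection where they are strong and you are not) can be expressed as a short script. The following is an added example, not code from the talk or from Swedbank: the coverage ratings and the adversary profiles are constructed for illustration, the "capability, intent, opportunity" filter follows the speaker's definition of an adversary, and only the technique IDs and their names are real ATT&CK identifiers.

```python
"""Added example (not from the talk): ATT&CK-style gap analysis.

Combines (1) an organization's self-assessed coverage per technique and
(2) the techniques used by the adversaries it has decided are in scope,
and lists the techniques those adversaries use that the organization
does not cover well. Coverage ratings and adversary profiles below are
constructed; only the technique IDs and names are real ATT&CK entries.
"""
from collections import Counter
from dataclasses import dataclass, field

# Coverage levels as the talk describes them on the ATT&CK matrix
# (green = well covered, yellow/orange = partial, white = none).
GREEN, PARTIAL, NONE = "green", "partial", "none"

# Constructed self-assessment: technique ID -> coverage level.
COVERAGE = {
    "T1566": GREEN,    # Phishing
    "T1190": PARTIAL,  # Exploit Public-Facing Application
    "T1078": NONE,     # Valid Accounts
    "T1059": GREEN,    # Command and Scripting Interpreter
    "T1003": NONE,     # OS Credential Dumping
    "T1021": PARTIAL,  # Remote Services
    "T1486": NONE,     # Data Encrypted for Impact
}


@dataclass
class Adversary:
    """A threat actor as profiled in the threat risk landscape."""
    name: str
    capability: bool   # can they harm us?
    intent: bool       # do they want to?
    opportunity: bool  # are they close enough to try?
    techniques: set[str] = field(default_factory=set)

    def in_scope(self) -> bool:
        # The talk's definition: an adversary needs all three.
        return self.capability and self.intent and self.opportunity


# Constructed profiles; names are placeholders, not real attributions.
ADVERSARIES = [
    Adversary("group-A (constructed)", True, True, True,
              {"T1566", "T1078", "T1003", "T1021"}),
    Adversary("group-B (constructed)", True, True, True,
              {"T1190", "T1078", "T1486"}),
    # Capable but with no intent or opportunity: not an adversary yet.
    Adversary("group-C (constructed)", True, False, False,
              {"T1059", "T1003"}),
]


def in_scope_adversaries(adversaries):
    """Keep only actors that have capability, intent and opportunity."""
    return [a for a in adversaries if a.in_scope()]


def find_gaps(coverage, adversaries):
    """Return a list of (technique, coverage, adversary_count), worst first.

    A gap is a technique used by at least one in-scope adversary whose
    coverage is not green. Ordering: no coverage before partial, then by
    how many in-scope adversaries use the technique, then by technique ID.
    A technique missing from the coverage map counts as uncovered.
    """
    usage = Counter()
    for adv in in_scope_adversaries(adversaries):
        usage.update(adv.techniques)
    severity = {NONE: 0, PARTIAL: 1}
    gaps = []
    for tech, count in usage.items():
        level = coverage.get(tech, NONE)
        if level != GREEN:
            gaps.append((tech, level, count))
    gaps.sort(key=lambda g: (severity[g[1]], -g[2], g[0]))
    return gaps


if __name__ == "__main__":
    # These gaps are what a tool or platform purchase should be measured against.
    for tech, level, count in find_gaps(COVERAGE, ADVERSARIES):
        print(f"{tech}: coverage={level}, used by {count} in-scope adversary(ies)")
```

The ordering puts "used by several in-scope adversaries and not covered at all" at the top of the list, which is the prioritization the speaker asks for before looking at vendors; an actor with capability but no intent or opportunity contributes nothing to the list even though its techniques might look alarming on their own.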
Yeah, so with that said, let's just do a quick recap. How to make CTI actionable? First of all, make sure you are not having islands. You have a platform, you have adopted a platform, you know. Don't just buy, adopt. And adopt means, you know, considering your culture of the company, way of working. Make sure it is integrated to your processes. You see that, you know, it's visible in your risk management, in your ITSM, whatever.
And then these four items tell you, assess your current capabilities, assess your adversary capabilities, create a nice risk landscape, threat risk landscape. And based on that, go find your gaps. Now it's time to fill your gaps. That's the way it should work, in a nutshell.
So, with that said, I would like to say thanks for listening. We are going to have a panel right after this. I tried to be quick, Osman. It was too quick for me. But we are going to have a panel.
You know, I focused so much on one specific, or let's say one organization, one fictitious organization. But in the panel, we are going to talk more about, okay, what about sharing now?
You know, you have it all there in your organization. But are we going to share these, or everyone needs to reinvent the wheel again?
So, thank you very much.