1.
HOWDOYOUPREDICT
THETHREAT LANDSCAPE?
Janne Pirttilahti
Director, New Services, F-Secure Cyber Security Services

2.
2
 Holistic cyber security
 Definitions
 Why predictive capabilities matter
 Predictive approach to cyber threats
 Threat intelligence
 Recommendations
AGENDA

3.
CYBERSECURITYISAPROCESS
3
Understand your risk,
know your attack surface,
uncover weak spots
React to breaches,
mitigate the damage,
analyze and learn
Minimize attack surface,
prevent incidents
Recognize incidents and
threats, isolate and
contain them

4.
CYBERSECURITYISAPROCESS
4
Understand your risk,
know your attack surface,
uncover weak spots
React to breaches,
mitigate the damage,
analyze and learn
Minimize attack surface,
prevent incidents
Recognize incidents and
threats, isolate and
contain them

5.
PREDICT
Pri-`dikt
To declare or indicate in advance; especially : foretell on
the basis of observation, experience, or scientific reason
Source: Merriam Webster
5

6.
6
 Top three behaviors that impact us?
 What do future attacks look like?
 Where to invest next?
 How to train our people?
 How to prepare oneself and for what?
PREDICTIVECAPABILITIESARENEEDED
TOANSWERMANYQUESTIONS

7.
PRIORITIZE.
BEPREPARED.
7

8.
MARSH&MCLENNANCYBERHANDBOOK:
MOSTORGANIZATIONS NOT
ADEQUATELY PREPARED FOR
CYBERATTACK
8

9.
9

10.
10

11.
11

12.
12 Source: www.databreaches.net

13.
13
October

14.
14
October
November

15.
PREDICTIVEAPPROACH
TOCYBERTHREATS
15
2) ACTIONABLE THREAT
INTELLIGENCE
PROACTIVELY ANTICIPATE NEW
ATTACKS
1) ASSET & VULNERABILITY
MANAGEMENT
UNDERSTAND THE CURRENT STATE OF
YOUR SYSTEMS

16.
THEFOUNDATIONOFACTIONABLE
INTELLIGENCEISTOKNOWYOUROWN
SYSTEMS
16

17.
THREAT INTELLIGENCE:
FOREWARNED IS
FOREARMED
17

18.
18
“Threat intelligence is evidence-based knowledge
(e.g. context, mechanisms, indicators, implications
and action-oriented advice) about existing or
emerging menaces or hazards to assets.
CISOs should plan for current threats, as well as those
that could emerge in the long term (e.g. in three
years).”
Gartner, February 2016

19.
19
CDN
STIXTAXII
OSINT
HUMINT
TLP
IOC
CTI
IOA
DGA
MD5 MRTI
ISAC
ISAO CTIIC
NCCIC
TTP
TAP
SHA1
OTX
SIEM
CISA
IODEF OPENIOC
CYBOX
YARA
Technical Intel
Adversary Intel
Vulnerability Intel
Breach Monitoring
TIP
Strategic Intel
Data Enrichment

20.
20
STRATEGIC / EXECUTIVE LEVEL
THEDIFFERENT LEVELSOF
THREATINTELLIGENCE
– Strategic, high level information of changing risk
– Geopolitics, Foreign Markets, Cultural Background
– Vision timeframe: years

21.
21
OPERATIONAL / TACTICAL
STRATEGIC / EXECUTIVE LEVEL
THEDIFFERENT LEVELSOF
THREATINTELLIGENCE
– Strategic, high level information of changing risk
– Geopolitics, Foreign Markets, Cultural Background
– Vision timeframe: years
– Details of specific incoming risk: who, what, when?
– Attacker’s methods, tools and tactics, their modus operandi
– Early warnings of incoming attacks
– Vision timeframe: months, weeks, hours

22.
22
OPERATIONAL / TACTICAL
STRATEGIC / EXECUTIVE LEVEL
TECHNICAL
THEDIFFERENT LEVELSOF
THREATINTELLIGENCE
– Strategic, high level information of changing risk
– Geopolitics, Foreign Markets, Cultural Background
– Vision timeframe: years
– Details of specific incoming risk: who, what, when?
– Attacker’s methods, tools and tactics, their modus operandi
– Early warnings of incoming attacks
– Vision timeframe: months, weeks, hours
– Specific IOCs (for SIEM, FW, etc. integration)
– More data, less intel
– Automated processing is paramount
– Vision timeframe: hours, minutes (but also long lasting)

23.
MANYORGANIZATIONS START
WITHFREESOLUTIONS.
23

24.
24

25.
25

26.
NOTHING BEATS
ANEXPERT.
26

27.
PROCURINGSTRATEGICALLY
RELEVANTINTELLIGENCE IS
EXTRAVAGANT.
27

28.
STRATEGICALLYRELEVANTDATAIS
UNIQUETOEACHCOMPANY
28
All threat data:
Vulnerability feeds
Exploit kit feeds
Malicious software feeds
Indicators of compromise feeds
Bad IP address feeds
Botnet activities feeds
DNS changes feeds
Reputation feeds (URL & content)
Known threat actor behavior data
All ”breadcrumb” data from
company personnel
…
Global
landscape
Business area
landscape
Possibly relevant
data
Strategically
important data

29.
EVENACTIONABLE
INTELLIGENCE IS
ONLYWORTH ITWITH
PROCESSES INPLACE TO
EFFECTIVELY ACTONIT.
29

30.
CYBERSECURITYISAPROCESS
30
Understand your risk,
know your attack surface,
uncover weak spots
React to breaches,
mitigate the damage,
analyze and learn
Minimize attack surface,
prevent incidents
Recognize incidents and
threats, isolate and
contain them

31.
 Understanding your own environment is the foundation
31
CLOSINGWORDS

32.
 Understanding your own environment is the foundation
 There are both commercial and free options available
32
CLOSINGWORDS

33.
 Understanding your own environment is the foundation
 There are both commercial and free options available
 Start from figuring out what benefits you the most
33
CLOSINGWORDS

34.
 Understanding your own environment is the foundation
 There are both commercial and free options available
 Start from figuring out what benefits you the most
 Threat Intelligence can strengthen your security posture
34
CLOSINGWORDS

35.
QUESTIONS &ANSWERS
35

36.
f-secure.com