CDI-CIRT / Cyber Defense Institute, Inc., Information Analysis Department / Chief Analyst

Localization project manager for enterprise software, vulnerability notes and security papers. Joined Cyber Defense Institute (CDI-CIRT) in November 2009 and has been involved mostly in government research projects, cyber exercises, and incident response. Steering Committee member of the Nippon CSIRT Association.

Title: First Step Guide for Building a Cyber Threat Intelligence Team

As cyber threats and attacks have evolved into sophisticated, goal-oriented attack scenarios, protection with conventional incident response methods has become increasingly difficult. The importance of Cyber Threat Intelligence is widely recognized by CSIRTs: although detection is the first of the three basic incident response steps (detection, triage, response), recent attacks often go unnoticed for long periods of time, in some cases for years. On the other hand, there is a lack of know-how on building a Cyber Threat Intelligence Team. Through its incident response services, Cyber Defense Institute (CDI-CIRT) has gained knowledge of the importance of situational awareness and of the processes that follow it in building a Cyber Threat Intelligence team. The purpose of this presentation is first to introduce a "best practice" flow and tips for building a Cyber Threat Intelligence Team, and then to share the know-how and the lessons learned from the case of NTT-CERT, which has been building a newly organized team since January 2013. This presentation will also introduce concrete methods acquired through our cyber intelligence activities. Some cybersecurity companies now have their own Cyber Threat Intelligence Teams, and there are many presentations about the great importance of, and helpful knowledge for, leading Cyber Threat Intelligence Teams that are already above a certain level.
However, this know-how and knowledge are not very useful to someone who plans to build a Cyber Threat Intelligence Team from scratch, because they are too difficult to learn from at that stage. This presentation will introduce a First Step Guide for building a Cyber Threat Intelligence Team based on an actual example, the building of NTT-CERT's intelligence team. We will also provide the lessons learned on how to keep the team performing well, and will compare two existing teams, NTT-CERT and CDI-CIRT, as different examples.

Topics are below:

# The three phases of building a cyber threat intelligence team
  Recognition (situational awareness)
  Assessment (building a strategy)
  Taking Action (team building, automation of specific functions, operation)
# Definition of Security Intelligence at NTT-CERT (mission, constituency, outputs)
# How to acquire cyber threat intelligence skills
# Process of analysis and reporting
# Daily work (collecting information)
# Sharing information with other CSIRTs
# Requirements for networks and tools
# Requirements for facilities
# Lessons learned
  - Team building, operation and maintenance
  - Report creation (phases: collecting information, hypothesis testing, analysis)
# A comparison of two different intelligence teams
  CDI-CIRT (security specialists and white-hat hackers)
  NTT-CERT (largest telecommunications company in Japan)
# Future plans