The Value of Threat Intelligence

Tim Callahan

CISO at Aflac

Learning Objectives

Aflac’s threat intelligence program provides decisive operational insight into what threat actors are doing right now and how threats are trending over time. By combining deep visibility into threat actor techniques with automation supported by millions of data points that are integrated into an adaptive security framework, Aflac’s systems and environments are significantly more resilient to attacks. Learn how a clear understanding of your adversaries’ motivations, methods and capabilities, enable you to make effective decisions regarding how you prioritize your efforts and investments to protect your organization.


"You can sit around and talk about information, but intelligence is really where the rubber meets the road. "

Tim Callahan

CISO at Aflac

Transcript

Hello, my name is Tim Callahan. And I am the global CISO at Aflac. And today I’m going to talk about my experience and the implementation that we’ve experienced with threat intelligence program, I certainly don’t have to tell this audience how important threat intelligence is, and how important it is to be aware of the threat landscape. I mean, we’ve seen year over year, just a tremendous increase in breaches of companies. And then you know, some pretty significant ones, leave, you know, if you this particular slide comes from a website called information is beautiful, the largest breaches. And if you look at that website, and you go back to site 2008 2009, you would say some breaches, but never to the degree that you do today. So, you know, it’s very important that we do everything we can to help stay in front of the criminal, the criminal is, you’re out there all the time trying to think up ways to get into our systems. And, you know, Gone are the days when the information security team, or as we used to call it, the IT security team, can just set in a defensive posture, we have to really get to a more offensive posture. And when I say that I’m not speaking about halfback, I’m talking about being more proactive and active. And one of those ways to do that is, you know, having a strong threat intelligence program. I think to understand the adversary, and to inform your threat intelligence program, it’s very understand, important to understand the threat length landscape, you know, some of the methodologies we talked about is, you know, fishing. You know, certainly the email sector, or vector I should say, is one of the prevalent used by criminals today. You know, traditional hacking is not, it takes a long time, it’s hard to do, it takes a dedicated resource

with phishing, the criminal can launch 1000s of these things, through bots, automatically, and not have to do anything until someone responds. And then once they respond,

you know, then they can, then they can take action. So it’s a much more efficient way for the criminal to compromise. So many people nowadays, that fall for these, and these can be very tricky. So I’m not, I’m not in any way poking anyone in the eye, so to speak, on this, because I tell you, I’ve seen some that come through our system, that are very sophisticated, and you know, I’ve come very close myself to falling for some of these. But you know, they’re they’re set up in a way that will try to capture your credentials, if at all possible, or plant malware on your machine. And certainly, you know, adversaries do take, sometimes exploiting border bilities is tied with phishing, because they use that to get a foothold. Sometimes it’s just scanning your environment to try to look for vulnerabilities that are outward exposed, because they haven’t been patched or whatever. You know, so that’s another method that they use, it takes a little more effort from the time for the criminal. But again, you know, as you know, information security professionals do, you know, when we scan our environment, through our red teaming, action and things like that, we know that the tools out there to do that has become a lot more sophisticated. So they could scan the environment, and then only react to those where it shows a vulnerability. And we also know that abusing privileges is another vector. You know, many times in many, many unauthorized access scenarios isn’t necessarily the criminal. It’s people that we have given the access abusing that, you know, we call that insider threat and that does not always mean employees, and it shouldn’t be necessarily implied to mean employees. But but in One that we share third parties, contractors, whatever. And then, you know, certainly the credential harvesting exposes, again, that if if I have credentials, I don’t have to go through the mechanism to hack, I simply log in with the credentials. So that’s kind of the landscape at a high level. And certainly we go into more detail than then we should in this particular presentation. But then there’s the cyber threat actor and understanding them and their motivation. In some of these are really they overlap quite quite a bit. But, you know, some of the more prevalent ones are obviously nation state attacks, in their, you know, geopolitical, they’re motivated by, in some cases, you know, influencing the country to do what they want them to do. You know, there’s been a lot of talk about, you know, the, the various nations trying to influence influence the US elections. And certainly, that’s a political motive, adversarial political motive to try to influence that. And, you know, as we know, we’ve got nations that would want one administration over the other. And so you can see that that favoring, and then, you know, cyber criminals, which I think, are probably becoming more and more sophisticated, we’re starting to see techniques from cyber criminals that rival that of nation states, because they’re motivated by profit. And if the more money they can make, the more they can invest in tools, the more training they can do the more sophistication. And also, you know, for sale on the dark web is, you know, a lot of the tools to do this. So a fairly not, you know, low trained individual can buy these tools, and use them in attacking and trying to defeat, the cybersecurity protections that we put out there. hacktivist are motivated by their ideology. You know, it can be good, it can be bad, whatever. But they are influenced by that. They generally do things that are less

complex, just to make a statement, terrorist groups, and this is where I think they overlap a lot. terrorist groups can be also nation state supported, they can be hacktivist type. But what what they’re trying to advocate is maybe what makes them different from the activists is, you know, that they’re trying to do more destructive kinds of things. Generally speaking, not just make a statement, but maybe take something down. We’ve got thrill seekers, certainly that, that we used to call script kiddies, although they’re very sophisticated in some ways, but they’re doing it either for self satisfaction, or maybe bragging rights. And then insider threats, certainly can be discontent. You know, I never talked about insider threats without including a statement that’s, you know, part of the insider threat can be non malicious mistakes. And, you know, certainly they’re a part of the landscape as well. The, and this is just, you know, get us all on the same page. I think, you know, nowadays, we probably all all know what this is. But you know, most of what we see in the non authenticated space on the web is what we call the surface web. When you go to the deep web that gets into more legitimate but authenticated sites, your banking, you know, their investments, different things that you do that you authenticate, on, you have a username, password, or some method, hopefully multi factor method to authenticate. And then you have the dark web, which again, is a authenticated site. There are there chat rooms, there’s different kinds of areas within the dark web. But, you know, one of the ones that’s most pertinent to our conversation are kind of these hacker web chat rooms insights, where they share information on companies and techniques and those kinds of things. We see a lot of valuable information. But to get into the site, you have to be sponsored or authenticated to Do that. And that takes a lot of work in order to do that, you know, that’s why, you know, oftentimes companies will our services in order to do that, for them, just look for any company pertinent information in there. And I do think it’s a very valuable piece of any threat intelligence program to have some type of service for that, I would encourage people to hire a third party for that activity, or work with the associations rather than doing that from your company. Now, what are some of the intelligence sources? There’s no internal, there’s the dark web, as I spoke about, there’s the external sources, and you know, the external it can be open source or it can be organizations memberships. It can be your vendors that actually sell a service, that gives you you know, some very valuable information. Certainly, there’s cooperative programs, with with the federal government, the Department of Homeland Security, for instance, often, oftentimes, you get access more cleanly to that through ice AX, the information sharing, and analysis centers, which, you know, there’s 16 among the sectors. And I would encourage you, as you look, and you build your program, certainly you go about method, with a method that you don’t want to flood yourself with, with information that you can’t really analyze and turn into true intelligence. But But it’s important that, you know, you you explore all of these different sources, some industries, you know, are the habits, I Sachs, that’s a good place to start. Internally, you you have your network traffic, log files, security, appliance appliances, and even to some extent employee behavior, what we call behavioral user behavioral analytics, kind of motives. And then the dark web, certainly getting information out of the particular your to your company is very important in the program. So, you know, quite what is intelligence? And I think it’s, you know, it’s a word that’s thrown

around a lot nowadays. But it has a very specific meaning. It’s the ability to acquire and apply knowledge and skills, we generally see it in the military. A lot, you know, there’s the famous joke about military intelligence, that they, you know, it’s an oxymoron. Certainly, I have a high respect for my partners in voluntary intelligence. But that’s kind of poor, we, we’ve traditionally seen it in the government and the military sphere. But more and more companies in the private sector are seeing the value of it. Threat Intelligence, then is the analyzed information about threats, that we can discover insights we can actually discover and make it actionable intelligence, which is really enough specificity in the information that we can take action. It, you know, information is valuable, certainly in context. But information on it sound does not necessarily denote an intelligence, it’s it’s information. For instance, we all know that there are bad guys out there trying to do bad things. That’s information. What do we do with that? And the truth is, we can’t do a lot with that. It’s, you know, it certainly brings a level of awareness, but it doesn’t necessarily help us. Intelligence is specific information, information that we can apply. For instance, if we get and this is a very simple example, I get that. But if if we get information that hackers are using a specific IP address, to exploit a specific vulnerability, then the action we can take is patch the vulnerability obviously, but then block that IP address. So that becomes actionable information. That’s what intelligence and the value of intelligence is. You know, you can you can sit around and talk about information, but intelligence is really where the rubber meets the road. And then I kind of divide intelligence into strategic and tactical, strategic intelligence is that that more informs the program. It’s, you know, what groups are doing, what their motives, methods, affiliations, that kind of general information, helps us set up a program to deal with tactical information is that in our tactical intelligence is that that comes in the fight, right? It’s, you know, when you’re in the fight, you care less about who is doing it to you than what they’re doing, that the Why is even less important. In the fight, you really just want very specific intelligence that will tell you what, what they’re doing, and how to stop it. And so that’s kind of the difference. Both are very valuable, you have to have both. But, you know, it all depends on how you, you play it out. So forming intelligence. You know, I’ve heard a lot of vendors again, throw out that we’re, we’re a threat intelligence vendor, but they really aren’t. I mean, they’re, they contribute to, to threat intelligence, like the sim itself is not necessarily threat intelligence. It’s not about the abs, it’s not just about logging. It’s not just info sharing. But all of these began to form, the discipline and the need for intelligence. So I think very important to in that context is that we have some type of analytics process, and, you know, hopefully, an analytics engine, some automation, around gathering the information, such as a threat intelligence platform, and this is something that we’ve found very valuable, is, you know, collecting the information, and running it through our intelligence platform to do the automate Automated Analytics. And we do use, what part of the feed

is certainly the SIM, it’s the logging that we get through the network, through the applications, through the web, you know, our interactive websites, you know, as part of that information. But we combine that with outside sources, as well, so that we can have kind of the analytics going on. And then based on all of that we have, we were able to automatically apply a confidence rating, how confident are we in this, that this information is accurate, and the confidence can can come from,

you know, various feeds, but part of the confidence is, you know, the source of the information. You know, one of the old military intelligence filled manuals, talks about,

you know, some of the criteria about determining how confident you are in this intelligence. And it, you know, it specifies, you know, is this a trusted source, have there been accurate in the past those kinds of things, and that all comes up with a confidence rating. And then also, how does it apply to your organization, I mean, you can get some of the best intelligence in the world, but if it doesn’t apply to you, it’s, it has no value to you, for instance, if you, if you get a threat, intelligence that says, you know, this is an exploit that’s happening on AI, you know, Ai, x, Linux, and you don’t have that platform running in your shop, then you want some automated way to reject that information. So part of the platform has to have some knowledge about what’s going on in your environment. And that all leads, you know, to the high competence, or the competence writing, and then the output, if it has high confidence, then automate those alerts automate that action. The reason I say that is, if you if it has Thai confidence, it’s a fairly simple, you know, blocking it at the firewall or blocking with your web proxy or whatever, then that’s something that you can do without humans, you know, having to touch it, or having to be involved. If it’s low confidence. That doesn’t mean it’s not valuable, but it’s going to have to take some other action. analytics, oftentimes to, to tell the value of that, or if that applies, you know, the high confidence score. And here, again, a very simplistic example, it could be a domain that as well known to be malicious. And so we set off those automated blockings, or whatever, based on that, again, well known to be malicious. From a source that you trust, those kinds of things. low confidence may just be logging into the network incorrectly multiple times, you wouldn’t necessarily block that action, because that could very well be just a legitimate user struggling to

log on.

Right. So I mean, that shows you kind of the opposite spectrum of that. This is some actual, some metrics over the past seven months, that that we’ve gathered through our automated system, over 75 million connections have been blocked with fewer than a dozen false positives, in what is a false positive? Well, a false positive. You know, in this case, maybe I blocked a site that I didn’t intend to, or it’s a legitimate site, sometimes that can come about because a legitimate site itself is infected, and, you know, have been captured and infected by criminals. And so the system picks up on that, and then blocks it. And then obviously, we, you know, one of our legitimate users needs that site, and it pops up the block, it will tell us, you know, tell them how to contact us and get it unblocked. And then we’ll look at it and figure out why it was blocked. Most of the time, in those cases, it’s, it’s a legitimate side, it’s just that somehow another it has been used by the criminals, or has some type of vulnerability that we wouldn’t want people to go to. But anyway, we continue to maintain kind of threat actor groups, their techniques, and then indications of compromise, we track and we’re really doing this with a relatively small team, globally. And that kind of leads us into soar, the security, Oregon’s orchestration, automation and response, certainly, that’s something that you hear a lot about, Gartner has, you know, spoken about that. And, you know, written articles and such out, will tell you that we were doing this, before soar became a word, we gone down that road, very early, and the concept was still kind of forming in the community. And, you know, now, you know, it is viable. Now, you can actually find vendors that give you the entire solution. Whereas we, we kind of cobbled it together with with different providers and help and then used, you know, more of an off the shelf kind of analytics process. What makes a good sore program is automated repetitive tasks. So, before you really go down the road of a sore implementation, you really have to define it, you know, I believe, like any anything else, you know, I’ve often said that, if it doesn’t work on the whiteboard, it’s not going to work. Once you automate, you have to have that process down. But, you know, there are, you know, processes that you can perfect, and then go down the road of automation. And then automated integration, investigation and response that gives you a faster response and then integrate existing security infrastructure in there again, this is this is where you use the various tools, bringing them together the data from those tools into a common engine, you know, that can do the analytics and then automate the action.

This is one thing that, you know, as far as our intelligence program, and then as we’ve moved across or implemented it, and then we saw, we were able to say, Okay, let’s build out

a defensive and advanced defensive multi layered system that That will help us as we get the information to have a place to do the automatic blocks depending on where in the in the kill chain it is. And depending on where you know, and how the threat comes back. The fight far analogy is, you know, we think it’s much better to stop the attack as far away from our core as possible. And I know, you know, very, you know, when we start talking about a cloud, hybrid environments and things like that, thinking about what core is, is a little more difficult. But generally speaking, what we’re trying to do is knock down the missile out into the, you know, beyond the edge, so that it does limited damage to us, you know, you have even our DDoS prevention service, although it’s out, it’s designed for DDoS, you can actually get some very valuable information on that, you know, you can find people scanning from, you know, weird places. You know, I recall one time, in one of the companies I worked for we were, we had turned on a DDoS appliance. And we started noticing that Kaspersky was scanning our environment, an IP, associated with Kaspersky. And, you know, they had no reason to do that, we inquired, but the truth is, had we not had that kind of first step there, we probably would have never known that. And again, I use the Kaspersky example, we discovered a whole lot of more malicious scans and probes. And then cloud email filtering, I think is very important. You know, that’s, that’s, at one point in my life, I really rejected kind of putting our email out in the cloud environment or email protection and the cloud environment. I think now, it, you know, certainly it’s much better than it used to be. But I think it’s very valuable now, because, again, you’re able to knock down the, you know, the criminal or the malicious email out and away from your core. Certainly a cloud firewall is is, you know, again, it gives you that, that protection, before it gets in, and making sure it leaks, your critical apps are behind that it’s very important, you know, in this defense, and again, if you get detailed intelligence or some intelligence, that’s another place that you can send an automated response to alter a rule, and help defend your environment. Black holing is a technique that, you know, again, very often associated with defending and DDoS and DDoS attacks, but the truth is, you can, you can black hole, anything, that doesn’t serve a legitimate purpose. So the analytics behind it out on the edge. You know, even if it’s like malformed packets, or whatever, you just, you don’t let them into your environment. They serve no useful purpose, even if they’re not malicious, they serve no useful purpose. So why even let them in. And then, you know, you’ve got your outer firewall, traditional DNS firewall, web web proxies, you know, the antivirus. And then as you go out, you know, go inward from your DMZ, that next level of firewall, IPS. And so, you know, what I’m describing here is this multi layer approach, where you use the appropriate tool at the right place within your network to accomplish an end. But again, the goal is to reduce as much as you can as far away from your core as possible, so that as things get closer, even, you know, you’ve you’ve at least reduced it down enough. You’ll know notice the little ninjas at the bottom, illustrating that you might have a lot out here, as it gets closer gets smaller, and then you can deal with it much better. We

so with any program, you have to measure success, and how do you do that? Well, here’s some metrics that we form up and I showed them to you earlier, I think it’s very important to capture them. Applying You know, applying the automated blogs, how many of these have you applied? Every once in a while you go back, I think, and check through all this to make sure that you’re getting valuable intelligence, I will tell you, there’s been several times that we we got IO C’s from other breaches, and we went back into our logs and found that that same threat actor tried to breach us. But because we had put in the appropriate automated block, or rule, they were not able to do that they were not able to exploit us. I think part of the intelligence program is ties well with vulnerability management, too. Because, you know, if you know what they’re exploiting what the criminal may be exploiting you, you can prioritize what you patch, based on that information. Certainly, I’m not saying that, that displaces in any way your normal vulnerability patch management process. But again, if you get, you know, good information, that there’s an active exploit against a particular vulnerability, and you look in your system, and know that the vulnerability is not patched. Maybe it’s scheduled to be patched next week, you can bring that forward, and and prioritize that over based on active intelligence information. In certainly, if you’re doing automatic blogs, you want to keep the false positives low. So that’s an important factor, and measure and then continuing to just use these metrics to show value. I think that, you know, part of what we’re always challenged in security is the what if? And when I say that, it’s, well, what if I didn’t have this? What if we didn’t have these tools? Going back to this to the fight for slide? What if I didn’t have one of these particular protections? Or do I have too many, you know, in a very austere environment, you know, security professionals have to talk through? How many do I have kind of scenarios. And, and then you’re each bringing value. And I do think we always have to think through that. There are certain things that we used to do long time ago, proved or did not prove out, or some technology displaced it. And we shouldn’t just hold on to it, just because we own it. Each thing must must prove value.

And so the metrics and the measures that you get, help the security professional, prove that out, you know, if over time, you see, for instance, the IPS has never worked, you know, hasn’t worked hasn’t been necessary, at least then you can start having a conversation about do we continue to provide that, that we continue to need that? I mean, if all of our defenses up to that have been proven out, over and over, why do I need that? And so, you know, I think your intelligence program, you’re gathering your metrics all work together to make that work. With that, thank you very much.


Get full Q/N Access

Sign up to Q/N with a few details to watch this presentation.