
Whiptail Networks

Cyber Threat Intelligence Plan

Jeffrey Ryan
Cyber Security Lead Architect
Executive Summary
Whiptail Networks is a rapidly growing developer and manufacturer of next generation firewall
appliances used by organizations and governments around the world. Our expanding presence
makes us an enticing target of adversaries that will attempt to attack our systems using multiple
attack vectors. This proposed Cyber Threat Intelligence Plan (CTIP) describes the threats we
face, who the adversaries are, their potential methods of attack, and how we can defend against
them using hardware, software, and employee training solutions. A risk reduction plan further
details specific and measurable ways for us to accept, avoid, limit, or transfer risk, improving our
risk profile. The recommendations in this proposal will reduce our cyber threat intelligence Total
Cost of Ownership by 65% with an ROI of 1588% over five years compared to how we operate
The cyber threats we face today are numerous, ranging from traditional trojans, worms, and
unpatched software to more modern Advanced Persistent Threats, ransomware, and Distributed
Denial of Service attacks using botnets. Each threat comprises three main elements:
- Intent: the adversary's desire to target our organization [4]
- Capability: the tools and/or techniques the adversary uses in the attack [1]
- Opportunity: the opening or vulnerability the adversary needs to perform the attack
We don't have much, if any, control over an adversary's intent or capability. However, we have
almost full control of the opportunities we present to adversaries. Our attack surface is defined as
our exposure, that is, the reachable and exploitable vulnerabilities we have [3]. It is safe to say the
primary goal of this CTIP is to make our attack surface as small as possible, which will minimize
our risk in the process.
Threat actors, motivations, means, and methods
There are four primary groups of threat actors we care about: nation states, cyber criminals,
insider threats, and hacktivists. Of the four groups, insider threats are the most concerning.
Insider threats are made up of malicious insiders, accidental insiders, and third-party contractors
or vendors. Accidental insiders are usually negligent or unknowledgeable employees who fall
victim to a well-orchestrated social engineering attack such as spear phishing. The table below
gives a high-level overview of the threat actors we face, and their motivations, means, and methods.
Threat: Nation States
  Motivation: Diplomatic advantage; military advantage
  Means: Immense financial and political support; develop complex custom tools and code
  Methods: Social engineering; zero-day exploits; stealth

Threat: Cyber Criminals
  Motivation: Money
  Means: Range of financial support; use of existing tools; develop some complex
  Methods: Social engineering; Distributed Denial of Service (DDoS)

Threat: Insider Threats
  Motivation: Money; sabotage; coercion; accidental
  Means: Limited financial support; privileged knowledge of target; existing access to target; use of existing scripts
  Methods: Misuse of credentials; evade detection; backdoor insertion

Threat: Hacktivists
  Motivation: Attention; change business practices
  Means: Minimal financial support; use of existing tools
  Methods: Distributed Denial of Service (DDoS); defacement
Table 1 Threat actors, motivations, means, and methods

Risk Reduction Plan

Risk is defined as the potential for an unwanted outcome resulting from an incident, event, or
occurrence, as determined by its likelihood and the associated consequences [2]. The following
steps will help us identify and prioritize all of our assets, determine any vulnerabilities, and
mitigate associated risks.
Step 1: Discovery of all assets
A discovery of all assets in our company is required to get a complete picture of risk areas. We
need to know every detail of our system including:
- networking infrastructure
- all endpoints connected to the network
- who our employees are
- what third parties have access to the network
Our Management of Change (MoC) process, described in a separate policy, should catch new and
deleted assets, but a monthly discovery scan will detect possible rogue systems that might require
further investigation.
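The reconciliation Step 1 calls for, written out as an added example (not part of the Whiptail Networks plan or of any product named in it): the monthly discovery scan is compared against the MoC inventory, keyed on MAC address, so that hosts seen on the wire but absent from the inventory are flagged as possible rogue systems, and inventory entries that did not answer are flagged for follow-up. The two CSV extracts and their field layout (mac, hostname, owner for the inventory; ip, mac, hostname for the scan) are constructed sample data, not any scanner's real export format.

```python
"""Reconcile a monthly discovery scan against the MoC asset inventory.

Added example; the records below are constructed and the CSV layouts are
assumptions, not the output format of any particular discovery tool.
"""
import csv
import io
from dataclasses import dataclass

# Constructed: what the Management of Change (MoC) inventory says should exist.
MOC_INVENTORY = """\
mac,hostname,owner
00:11:22:33:44:01,fw-build-01,Engineering
00:11:22:33:44:02,hr-ws-07,HR
00:11:22:33:44:03,dc-01,IT
00:11:22:33:44:04,old-printer,Facilities
"""

# Constructed: hosts that answered during the discovery scan.
DISCOVERY_SCAN = """\
ip,mac,hostname
10.0.1.10,00:11:22:33:44:01,fw-build-01
10.0.1.11,00:11:22:33:44:02,hr-ws-07
10.0.1.12,00:11:22:33:44:03,dc-01
10.0.1.77,aa:bb:cc:dd:ee:ff,
"""


@dataclass(frozen=True)
class Finding:
    category: str  # "rogue": seen but not in MoC; "missing": in MoC but not seen
    mac: str
    detail: str


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_csv, scan_csv):
    """Return findings in a stable order: rogue hosts first, then inventory
    entries that did not answer (possibly decommissioned without an MoC)."""
    inventory = {r["mac"].lower(): r for r in load_csv(inventory_csv)}
    seen = {r["mac"].lower(): r for r in load_csv(scan_csv)}
    findings = []
    for mac, rec in sorted(seen.items()):
        if mac not in inventory:
            hostname = rec["hostname"] or "?"
            findings.append(Finding("rogue", mac, f"{rec['ip']} hostname={hostname}"))
    for mac, rec in sorted(inventory.items()):
        if mac not in seen:
            findings.append(Finding("missing", mac, f"{rec['hostname']} owner={rec['owner']}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(MOC_INVENTORY, DISCOVERY_SCAN):
        print(f"{f.category:8} {f.mac}  {f.detail}")
```

Keying on MAC rather than IP matters on a DHCP network: an address that moves between hosts would otherwise produce false "rogue" and "missing" results every month.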
Step 2: Design, install, and configure FireEye security solution
A business case analysis was performed comparing our current cyber security operation to
security solutions from Fortinet and FireEye. Both solutions drastically reduce TCO over five
years, but our recommendation, FireEye, had a better ROI and faster break-even point, as
demonstrated in Figure 1.

[Figure 1: bar chart of cost over Initial, Year 1, Year 2, Year 3, Year 4, and Year 5 for Baseline, FireEye, and Fortinet. Fortinet: $14,705,084, ROI 1224%, break-even 143 days. FireEye: $12,156,456, ROI 1588%, break-even 127 days.]

Figure 1 Security Solution ROI, TCO


The FireEye solution is comprised of a network security appliance, endpoint security agents
managed by a central repository, and two threat intelligence subscriptions to assist in risk
mitigation and incident response.
- FireEye Network Security Essentials is a cost-effective network security solution with the
ability to stop known and unknown attacks. Coupled with the intelligence subscription, it
can prioritize alerts so our cyber security analysts can manage ticket triage much more
- FireEye Endpoint Security will allow our cyber security analysts to detect and quickly
triage threats found on any endpoint in our system. Incident response (IR) will include
where the attack originated and whether the attack was successful or blocked. If the
attack was successful, IR will include the attack vector(s) used for infiltration, how long
since the endpoint was compromised, and what actions the attacker performed, including
lateral movement to other endpoints. If needed, a containment strategy will be developed
and executed.
- FireEye iSIGHT Fusion Intelligence subscription will be threat intelligence customized
for our company that will supplement alerts from our security products for better
prioritization and improved IR.
- FireEye Vulnerability Intelligence subscription will help us prioritize our patch
management process to address vulnerabilities quickly depending on what exploits are
being used in the wild.
Step 3: Detect and prevent loss of intellectual property and other sensitive data
Information protection is a top priority for us. The steps below will ensure only authorized
individuals have access to sensitive information and that it is stored and transferred securely.
- Determine all of our critical data assets, where they are stored, and who has access to
- Develop strong access control policies that dictate least privilege, account login/logout
tracking, information flow, and separation of functions.
- Implement a Data Loss Prevention (DLP) solution that will alert when sensitive data is
emailed insecurely within the company or ever outside the company.
- Monitor outbound traffic for blacklisted IP addresses, abnormally long connection times,
and/or unusually high bandwidth usage.
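The outbound-traffic checks in the last bullet, as an added example that is not part of the plan or of any FireEye product: each flow record is tested against a blacklist of addresses and ranges and against a long-connection threshold, and outbound volume is summed per source/destination pair so a transfer split across several sessions still trips the high-bandwidth rule. The flow lines, the blacklist entries, the thresholds, and the export layout (start, src, dst, dport, duration_s, bytes_out) are all constructed for the example.

```python
"""Flag suspicious outbound connections from exported flow records.

Added example; flow lines, blacklist and thresholds are constructed, and the
six-field export layout is an assumption rather than a specific product's.
"""
import ipaddress
from collections import defaultdict

# Constructed blacklist: single addresses and whole ranges (documentation nets).
BLACKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.5/32", "198.51.100.0/24")]

# Tunable thresholds (assumed values for the example).
LONG_CONNECTION_S = 4 * 3600       # sessions open longer than four hours
HIGH_VOLUME_BYTES = 500 * 1024**2  # more than 500 MiB out to one destination

# Constructed flow export: start,src,dst,dport,duration_s,bytes_out
FLOWS = """\
2024-03-01T09:00:00,10.0.2.15,93.184.216.34,443,12,48213
2024-03-01T09:05:00,10.0.2.15,203.0.113.5,443,30,1200
2024-03-01T10:00:00,10.0.2.40,192.0.2.77,22,18000,9000
2024-03-01T11:00:00,10.0.2.51,192.0.2.90,443,600,300000000
2024-03-01T11:30:00,10.0.2.51,192.0.2.90,443,600,300000000
"""


def parse_flows(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, dport, dur, out = line.split(",")
        rows.append({"start": start, "src": src, "dst": dst, "dport": int(dport),
                     "duration": int(dur), "bytes_out": int(out)})
    return rows


def is_blacklisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLACKLIST)


def find_alerts(flows):
    """Return (reason, src, dst) tuples for the three rules in Step 3."""
    alerts = []
    volume = defaultdict(int)
    for f in flows:
        if is_blacklisted(f["dst"]):
            alerts.append(("blacklisted-destination", f["src"], f["dst"]))
        if f["duration"] > LONG_CONNECTION_S:
            alerts.append(("long-connection", f["src"], f["dst"]))
        volume[(f["src"], f["dst"])] += f["bytes_out"]
    # Volume is judged on the per-pair total, not on each session alone.
    for (src, dst), total in volume.items():
        if total > HIGH_VOLUME_BYTES:
            alerts.append(("high-outbound-volume", src, dst))
    return alerts


if __name__ == "__main__":
    for reason, src, dst in find_alerts(parse_flows(FLOWS)):
        print(f"{reason:24} {src} -> {dst}")
```

In the sample data neither 300 MB session crosses the volume threshold on its own; only the per-pair sum does, which is the case a per-session check would miss.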
Step 4: Vulnerability scanning
Once we have a list of our assets, we will use a vulnerability scanner to detect and prioritize all
vulnerabilities or weaknesses in the network, operating systems, and applications so they can be
addressed before an adversary finds them. Most of the vulnerabilities will be mitigated with the
FireEye security solution and patch management strategy below.
The initial scan will be used as a baseline. Scans will then be performed weekly and a summary
report generated to track the progress of eliminating vulnerabilities.
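The baseline-versus-weekly tracking Step 4 describes, as an added example rather than anything from the plan or a scanner vendor: two scan exports are diffed to count findings fixed, newly introduced, and still open, the open findings are bucketed by CVSS severity, and a remediation order is produced by score. The exports, their (host, vuln_id, cvss) layout, the severity bands, and the VULN-nnnn identifiers are constructed placeholders, not real CVE numbers or a real scanner format.

```python
"""Track vulnerability remediation progress against the baseline scan.

Added example; scan exports are constructed, the CSV layout and CVSS bands are
assumptions, and VULN-nnnn ids are placeholders, not real CVE identifiers.
"""

# Constructed baseline export: host,vuln_id,cvss
BASELINE_SCAN = """\
host,vuln_id,cvss
fw-build-01,VULN-0001,9.8
fw-build-01,VULN-0002,5.3
dc-01,VULN-0003,7.5
"""

# Constructed export one week later: VULN-0001 fixed, VULN-0004 newly found.
WEEK1_SCAN = """\
host,vuln_id,cvss
fw-build-01,VULN-0002,5.3
dc-01,VULN-0003,7.5
hr-ws-07,VULN-0004,9.1
"""


def parse_scan(text):
    """Return {(host, vuln_id): cvss} from a constructed CSV export."""
    findings = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        host, vuln_id, cvss = line.split(",")
        findings[(host, vuln_id)] = float(cvss)
    return findings


def severity(cvss):
    """Assumed CVSS v3-style bands used for prioritization."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def progress_report(baseline, current):
    """Summarize remediation progress of the current scan versus the baseline."""
    fixed = set(baseline) - set(current)
    new = set(current) - set(baseline)
    remaining = set(current) & set(baseline)
    open_by_severity = {}
    for key, score in current.items():
        band = severity(score)
        open_by_severity[band] = open_by_severity.get(band, 0) + 1
    pct = round(100.0 * len(fixed) / len(baseline), 1) if baseline else 0.0
    return {
        "fixed": len(fixed),
        "new": len(new),
        "remaining": len(remaining),
        "baseline_remediated_pct": pct,
        "open_by_severity": open_by_severity,
        # Highest score first: the order the patching work should follow.
        "priority": sorted(current, key=lambda k: -current[k]),
    }


if __name__ == "__main__":
    report = progress_report(parse_scan(BASELINE_SCAN), parse_scan(WEEK1_SCAN))
    for field, value in report.items():
        print(f"{field}: {value}")
```

Counting "new" separately from "remaining" keeps a week in which old findings were closed but fresh ones appeared from looking like no progress, and the severity buckets are what the weekly summary report should lead with.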
Step 5: Patch management strategy
Missing patches are a major source of vulnerabilities in computer operating systems and
applications. A robust patch management strategy and repeatable process is the easiest way of
reducing our attack surface. Our systems are almost entirely Windows based so WSUS is the
recommended method for Windows operating systems and Microsoft applications. Third party
tools like GFI LanGuard can provide cost effective means of patching non-Windows
- Applying patches does come with some risk. Apply new patches in a test environment
before rolling out to production servers.
- Set up regularly scheduled backups of critical servers and/or systems in the event a patch
renders the system unusable. Perform test restorations occasionally to verify the backups
are valid.
- Develop a staged deployment strategy to reduce risk.
- Both WSUS and GFI LanGuard offer reporting capabilities to measure the effectiveness
of our patching strategy.
Step 6: Perform employee security awareness training
Security awareness training for our employees and contractors is a crucial aspect of improving
our risk profile. All employees and contractors need to know:
- What red flags to look for in a suspicious email.
- What tactics an adversary might use while attempting to gather information using the
- What information can be used by an adversary.
Our cyber security awareness team will test our employees several times a year by sending out
suspicious emails and then tracking how many report the email as suspicious, how many click on
an unknown URL or open an attachment, and how many simply do nothing. If the reporting rates
increase and click rates decrease over time, we know our security awareness training is
effectively mitigating one of our biggest risks.
No company can eliminate all of their vulnerabilities or be 100% defensible to attacks. All of the
cyber threat intelligence in the world won’t be beneficial to us unless we know how it is
applicable to our unique network and systems. The recommendations presented in this plan will
cost effectively reduce our attack surface and minimize risk in ways that are achievable and
1. Caltagirone, S., et al. (July 5, 2013). The Diamond Model of Intrusion Analysis. Retrieved
from http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
2. US Department of Homeland Security (September 2008). DHS Risk Lexicon. Retrieved
from https://www.dhs.gov/xlibrary/assets/dhs_risk_lexicon.pdf
3. SANS Technology Institute (n.d.). The Attack Surface Problem. Retrieved from
4. Lee, R. M. (October 2, 2014). Cyber Threat Intelligence. Retrieved from