SANS CTI Summit Recap: It’s All About The Process
Crystal City again hosted the eighth SANS Cyber Threat Intelligence Summit, with several hundred attendees. CTI Summit cochairs Rick Holland, Rebekah Brown, and Katie Nickels again planned a fun, entertaining, and very educational two-day event for threat intelligence professionals from around the world. If you’re a cyber threat intelligence analyst or vendor, I encourage you to attend and submit a presentation idea for 2021.
CTI Summit Highlights
- Requirements are hard. As Robert M. Lee stated, “Rule 1: Everyone sucks at intelligence requirements.” Additionally, as Josh Zelonis reported last year, “The CISO career path doesn’t prepare you to work with intelligence.” I could not agree more with both of these gentlemen. Security and risk professionals do well in many things but often find intelligence doctrine esoteric and confusing. Despite that, leaders need to get closer to their intelligence teams to build the trust and knowledge needed to manage the intelligence cycle and approve requirements.
- Collect to answer your requirements. Collecting logs, data, social media posts, and more for the sake of it is counterproductive. More data does not automatically ensure better analysis. In fact, more data and information can lead a CTI team into “analysis paralysis.” As Chris Cochran said in his “The Threat Intelligence EASY Button” presentation, “continually assess your collection plan.” Remember, there is no start and finish to the intelligence cycle. As your requirements change, so should your collection plan.
- Get the benefits of attribution without doing attribution. Attribution is one of the most controversial concepts in cybersecurity today. The debate often plays out on social media with the “attribution doesn’t matter” and “attribution is necessary” sides usually talking past each other. Rob Lee’s keynote broke down these arguments — and how the focus on attribution is most often a waste of precious resources — and built them back up into a nuanced middle ground. In his interactive keynote, attendees listed intelligence sources that can be used to derive attribution. He then discussed each one and the analytical traps and biases associated with it. Echoing Chris Cochran’s presentation, Rob implored intelligence teams to “collect what you need for the detections you’re running.” Regarding analytical models, he also strongly advised building those models first and then analyzing your cases and intrusions. The reverse order results in poor analysis. Lastly, when producing intelligence, strive for completeness, accuracy, relevance, and timeliness (in that order) and your consumers will be better prepared to build your defense-in-depth strategy.
- Malware analysis ≠ threat intelligence. We often get fixated on tools used during a breach and miss the forest for the trees. As many tools are freely available on GitHub (like mimikatz) and several intelligence services have lost control of other tools, both Rob Lee and Joe Slowik discussed how focusing analysis on malware often leads intelligence teams to cluster activity around malware developers and not the operators using these tools.
- Make your lawyers a member of your intelligence team. To reduce the risk of your CTI team crossing legal lines, Cristin Goodwin recommends using your corporate legal team to set boundaries and strategies to manage those risks while hunting, responding, and sharing information. Having a documented information sharing plan helps to show that you are a responsible party because, to an attorney, common #ThreatIntel sharing is a potential legal minefield. Having a documented, rehearsed information-sharing plan also helps reduce stress in the middle of a crisis and leads to consistently better outcomes.
- Sunday night workshop. Each year, the Summit cochairs come up with a new Summit-eve program for early arrivals to begin networking and learning from their peers. This year, “Trebekah” Brown played CTI Jeopardy host to contestants Rick Holland, Scott Roberts (coauthor, along with Rebekah, of Intelligence-Driven Incident Response: Outwitting the Adversary), and Dave Bianco (creator of the (in)famous “pyramid of pain”).
- CTI “capture the flag.” Attendees had a chance to put the lessons learned to use at the end of Day 1 with a fun and challenging CTI Summit analysis workshop. Working in teams, attendees pivoted off passive DNS data and malware hashes, dug deep into MITRE ATT&CK, and wrote an intelligence report in two hours. A team made up mostly of the Deloitte internal threat intelligence team won the report challenge, and a team of ATT&CK aficionados took the CTF crown.
- Mystery CTI Theater 2020. Security pros cringe at Hollywood portrayals of defenders and threats. Ryan Kovar, Rick Holland, guests, and attendees roasted two particularly egregious examples with a Mystery Science Theater 3000-style trashing of CBS’s Scorpion and the very old, very awful, short-lived Level 9. Both pieces had outrageous scenarios involving hacking airplanes that made for easy ridicule.
None! Our small but growing cybersecurity intelligence community is an incredibly diverse and inclusive one. That diversity is contributing directly to the community’s rapid maturation as an information security discipline.
Question for the community: What research or presentations would you like to see next year?