The Disclosure Dilemma - Ensuring Defense

JoeSlowik · 50 slides · Aug 11, 2024

About This Presentation

Presentation from FIRST CTI 2024 on the disclosure dilemma within cyber threat intelligence reporting and information security.


Slide Content

Joe Slowik, MITRE ATT&CK CTI Lead
@jfslowik
Ensuring Defense
The Disclosure Dilemma

2
© 2024 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 24-1050.
Intros
§ Joe Slowik
§ MITRE ATT&CK CTI Lead, Critical Infrastructure Security
§ Previous:
  § Various Roles In CTI, DE&TH
  § CTI Training & Teaching

3
Agenda
§ The Disclosure Dilemma
§ CTI & The Intelligence Dilemma
§ Examples
§ Balancing Gain-Loss In CTI

4
The Disclosure Dilemma

5
The Disclosure Dilemma: “Dilemma”
“A situation in which a difficult choice has to be made between two or more alternatives, especially ones that are equally undesirable,” https://www.oxfordreference.com/display/10.1093/oi/authority.20110803095718683

6
The Disclosure Dilemma: “Dilemma”
https://imgflip.com/i/8itylr

7
The Disclosure Dilemma: Intelligence & Dilemmas
Intelligence Is DECISION SUPPORT
Decisions Have CONSEQUENCES & IMPACTS
Intelligence Must Understand Outcomes

8
The Disclosure Dilemma: Intelligence Equities
Sources
• Where Intel Gathers Info
• Mix Of Public, Private, & Other Sources
Methods
• How Info Is Collected
• Proprietary, Secret, Or Even Public
Analysis
• Applying Reason To Sources & Methods
• Finalized Understanding

9
The Disclosure Dilemma: Intelligence Equities
Ideally Sources, Methods, & Analysis Are Kept Secret From Adversaries, Or Adversaries Are Unaware Of Their Specifics

10
The Disclosure Dilemma: Intelligence & Impact
Ideally Sources, Methods, & Analysis Are Kept Secret From Adversaries, Or Adversaries Are Unaware Of Their Specifics
But For Intelligence To MATTER, It Must Lead To Decisions That Have An IMPACT For The Supported Organization!

11
The Disclosure Dilemma: Intelligence, Impact, & Adversaries
Impactful Intelligence Cannot Easily Be Hidden If It Leads To An Action
The Impact Scenario Provides Adversaries Insight Into Intelligence Understanding
Adversaries Can Determine What May Have Informed Defenders

12
The Disclosure Dilemma: The Intelligence Dilemma
Intelligence Finding
• Disclose, Leading To Action
• Withhold, Preserving Sources & Methods

13
CTI & The Intelligence Dilemma

14
CTI & The Intelligence Dilemma: Cyber Threat Intelligence
CTI Is A Technical Discipline
Dependent On Persistent Collection Of Information
Loss Of Collection Imperils CTI Efficacy

15
CTI & The Intelligence Dilemma: CTI Processes
Raw Data → Enriched Information → Finalized Intelligence

16
CTI & The Intelligence Dilemma: CTI Processes
Continuous Collection & Analysis
Raw Data → Enriched Information → Finalized Intelligence

17
CTI & The Intelligence Dilemma: CTI Processes
Continuous Collection & Analysis
Decision Support To Stakeholder Action
Raw Data → Enriched Information → Finalized Intelligence

18
CTI & The Intelligence Dilemma: CTI Processes – Adversary Awareness
Continuous Collection & Analysis
Decision Support To Stakeholder Action
Adversary Identification!
Raw Data → Enriched Information → Finalized Intelligence

19
CTI & The Intelligence Dilemma: CTI Processes – Adversary Disruption
Continuous Collection & Analysis
Decision Support To Stakeholder Action
Adversary Identification!
Enables Reaction & Response!
Raw Data → Enriched Information → Finalized Intelligence

20
CTI & The Intelligence Dilemma: CTI-Informed Defensive Actions
• IP Block
• Domain Sinkhole
• File Alerting
• Port Block Or Filter
• Etc.

21
CTI & The Intelligence Dilemma: CTI-Informed Defensive Actions
• IP Block
• Domain Sinkhole
• File Alerting
• Port Block Or Filter
• Etc.
All Involve An Action Noticeable To An Adversary!

22
CTI & The Intelligence Dilemma: Disclosure Dilemma Impacts In Infosec
Is The Disclosure Dilemma A Real Issue In CTI Operations & Support?

23
CTI & The Intelligence Dilemma: Disclosure Dilemma Impacts In Infosec
Is The Disclosure Dilemma A Real Issue In CTI Operations & Support? YES

24
Examples Of The Dilemma

25
Examples: Network Infrastructure Creation
https://threatconnect.com/blog/using-fancy-bear-ssl-certificate-information-to-identify-their-infrastructure/

26
Examples: Network Infrastructure Creation
APT28 Used Consistent Infrastructure Creation Steps For YEARS
Shortly After Blog Publication, APT28 Activity Shifted Entirely From Known Patterns
Ability To Identify New Domains & Certificates In Near Real Time Stopped!

27
Examples: DPRK Evolution
https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023

28
Examples: DPRK Evolution
DPRK Threat Actors Initially Viewed As "Primitive"
Frequently Disclosed In Public Research & Analysis
Subsequent Drive Toward More "Sophisticated" Behaviors & Advanced Tooling

29
Examples: Slingshot & Counter-Terror Operations
https://www.kaspersky.com/about/press-releases/2018_slingshot

30
Examples: Slingshot & Counter-Terror Operations
https://www.kaspersky.com/about/press-releases/2018_slingshot

31
Examples: Slingshot & Counter-Terror Operations
"Slingshot" Was Associated With An Active Counter-Terrorism Operation
Assessment That Post-Disclosure Entities Abruptly Changed Behaviors
Not Just An Intel Loss - Potential For Physical Harm!

32
Balancing Gain-Loss

33
Balancing Gain-Loss: CTI Pressures
CTI Is An Expensive Luxury!
There Is Pressure To "Produce"
Failure To "Produce" Results In Redundancy!

34
Balancing Gain-Loss: CTI Pressures
• Incident Response & SOC
• Leadership
• Marketing
• Sales

35
Balancing Gain-Loss: CTI Pressures
DELIBERATELY Withholding Information Has Consequences!

36
Balancing Gain-Loss: Impacts Of Hiding Information
Intrusions Take Place!
Value Is Lost Or Impacted!
Loss Of Confidence & Trust In CTI!

37
Balancing Gain-Loss: Rethinking The Disclosure Dilemma
Information Disclosure: Keeping CTI Observations Secret To Preserve Sources & Methods ↔ Disclosing All Available Info To Assist & Inform Defense

38
Balancing Gain-Loss: Rethinking The Disclosure Dilemma
Information Disclosure: Keeping CTI Observations Secret To Preserve Sources & Methods ↔ Disclosing All Available Info To Assist & Inform Defense
A Continuum Of Options Is Available – Not A Binary Choice!

39
Balancing Gain-Loss: Rethinking The Disclosure Dilemma
Information Disclosure: Keeping CTI Observations Secret To Preserve Sources & Methods ↔ Disclosing All Available Info To Assist & Inform Defense
Requires Nuanced Understanding Of Circumstances & Needs!
A Continuum Of Options Is Available – Not A Binary Choice!

40
Balancing Gain-Loss: Key Considerations
Sensitivity
• How Unique Is The Information In Question?
• If Source Is Lost, Could This Be Replaced?
Impact
• How Significant Is This For The Defended Organization?
• What Harm Would Result If NOT Disclosed?
Scope
• Are The Insights Related To Partner Operations & Collection?
• Are There Law Enforcement Or Other Considerations To Understand & Recognize?

41
Balancing Gain-Loss: Path Forward
Criticality
• Identify Significance
• Determine That Disclosure Is "Simply Important"
Value
• Disclosure Balances Internal & External Perspectives
• Value Added Is Greater Than Value Lost
Result
• Network Is Defended!
• Others Can Maintain Defense & Understanding!

42
Conclusions

43
Conclusions: Situations To Avoid
Reasons To Never Disclose Sensitive Information:
Marketing
Sales
Public Attention

44
Conclusions: Balancing Self Vs. Wider Defense
Actions Taken To Defend YOUR Organization
Considerations For Broader Defense & Threat Actor Understanding

45
Conclusions: Balancing Self Vs. Wider Defense
Actions Taken To Defend YOUR Organization
Considerations For Broader Defense & Threat Actor Understanding
Natural Tensions & Different Motivations!

46
Conclusions: Avoiding Absolutes
There Are No "Hard" Rules
Situational Understanding Of Gain Vs. Loss Is Necessary
Understanding Consequences & Outcomes Is Critical!

47
Conclusions: Establishing A Hierarchy Of Needs
Industry-Wide Collaboration & Coordination
Expanding Intelligence Understanding Beyond Own Organization
Specific Organization Self-Defense

48
Questions?

49
Selected Resources (Not A Complete List!)
• A Song of Intel and Fancy – ThreatConnect (https://threatconnect.com/blog/using-fancy-bear-ssl-certificate-information-to-identify-their-infrastructure/)
• Assessed Cyber Structure and Alignments of North Korea in 2023 – Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos, & Adrian Hernandez, Mandiant (https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023)
• Slingshot: the spy that came in from the router – Kaspersky Labs (https://www.kaspersky.com/about/press-releases/2018_slingshot)
• Kaspersky’s “Slingshot” report burned an ISIS-focused intelligence operation – Chris Bing & Patrick Howell O’Neill, Cyberscoop (https://cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/)

https://www.linkedin.com/in/joe-slowik
@JFSLOWIK
[email protected]
Joe Slowik