I recently attended the ENISA (European Union Agency for Network and Information Security) Threat Intelligence Workshop held in Brussels on 4-5 November, 2018. ENISA organized the event to bring experts, researchers, practitioners and academics together to promote dialogue and envision the future of Cyber Threat Intelligence (CTI) as a key cybersecurity practice.
Several experts joined the workshop from both the public and private sectors in an effort to connect EU institutions, the CTI industry and academia. Digital Shadows participated in the event, representing the industry view for future CTI development and current best practices.
Source: ENISA (enisa.europa.eu)
The following topics were discussed during both presentations and networking sessions at this year’s event:
- AI (Artificial Intelligence): Both the EU and private sector gave their approaches of how to use AI to improve CTI operations. It seems that AI is a research area that will attract significant interest for the foreseeable future. Some different implementations were presented such as IBM’s Watson and ENISA’s Open CSAM that promise advanced searching and results with applicable AI techniques.
- CTI Capabilities Framework and maturity level: It is commonly accepted that CTI is a cyber security area where more expertise is needed and where specific capabilities need to be defined to reflect operational, strategic and tactical goals. At the same time, the CTI maturity level is considered poor across EU institutions and member states. Participants recognized that a designated effort for further improvement is needed in these areas. Another commonly agreed upon topic was that CTI is a necessity and should be a function in security operations, fitting within or alongside any applied models such as Security Operations Centres (SOCs) or Incident Response Teams.
- MITRE ATT&CK Framework: Across several presentations and one-on-one conversations, I heard participants point to the MITRE ATT&CK framework as the main reference model for mapping adversary actions and providing additional context to intelligence data. All the vendors agreed that it is the right approach to explaining and describing adversaries’ operations and tactics, techniques and procedures (TTPs). Digital Shadows presented a practical approach of how a publicly available source for adversary TTPs can be mapped to the MITRE ATT&CK framework (in this case the GRU indictment for the DNC and DCCC attacks).
- CTI Analyst Competencies: What makes a CTI Analyst a real expert? A presentation about CTI analyst competencies revealed the expertise gap and raised the question of how this could be resolved. Part of the problem is that the CTI analysts’ skills have yet to be widely established and accepted. A skillset around computing fundamentals, information security, data collection and examination, and critical thinking were defined as the core required background for a successful CTI Analyst. ENISA expressed its interest in investing more resources on CTI training, and asked the industry community for further and active contribution. The European Defense College was also pointed as a potential education provider.
- Automation: Large scale security event data, analysis and fast processing requirements, increasing needs, and an evolving threat landscape require much more effort of CTI analysts. Part of the solution that was recommended is automation at every stage (collection, processing, reporting). AI will be again a significant factor to this solution.
- STIX2: Presented by its own creator, the STIX2 project highlighted the weakness of traditional intelligence data (IP lists, file hashes) and the strength of structured and contextualized data provided by STIX2. Some former STIX1 weaknesses have been sorted and the protocol is more interoperable than ever before. A STIX2 certification program is ongoing to confirm compatibility and standardization for information exchange. Despite this, there are several CTI components that miss standards and need to be addressed accordingly in the future.
- CTI Defense Research: The European Defense Agency (EDA) described the opportunities and future goals of EU defense authorities and how CTI will play a significant part. Most industry people do not know the EDA’s role, which is to promote research for defense, including Cyber. Future budget for research will be focused on cyber security.
ENISA and EU institutions are really focused on improving CTI operations. Those at the event agreed that the field lags behind other cyber security operations like incident handling or log monitoring, but there is a common willingness to put in the extra effort to fill that gap. The event itself was impressive and a big success with the way it covered every important topic around CTI. The participants showed a high level of interest and interaction with the speakers and other delegates, and the overall quality of the presentations was excellent.
This year’s workshop further demonstrated that the EU is at the forefront of establishing how CTI and Cybersecurity in general should be handled!
Isidoros Monogioudis has 15 years experience working in CIS, with the last 10 focused on Cyber Defence and Security. Prior to joining Digital Shadows, he was a Military Officer in Greek Armed Forces having served in multiple positions (retired as Colonel). Starting as a team member, he ended as Head of Cyber Operations Section in Greek MOD, being responsible for multiple cyber security operations including active engagement in plan and design national and international cyber defence exercises like NATO Cyber Coalition, Locked Shields, Cyber Europe, and Panoptis. He was also the National Subject Matter Expert for Cyber Defence in several NATO and EU workgroups. He holds a MSc in Computer and Information technologies and multiple security certifications (GIAC, OSCP).
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.