
Cyber Threat Intelligence Lessons from Star Wars

At this year’s SANS CTI Summit, Dan Cole, VP of Product Marketing at ThreatConnect, delivered an unmissable presentation addressing today’s most pressing cybersecurity challenges—using a clever Star Wars analogy to make it both engaging and memorable. Cole shed light on the growing “threat gap,” where cyber attackers are outpacing defensive strategies, leaving businesses exposed to major financial risks.

Through his Star Wars-inspired approach, Cole explained how understanding attack techniques, operational vulnerabilities, and financial impacts is critical to closing the threat gap. One key takeaway was that companies often prioritize protecting high-value assets but overlook mid-tier assets, which can pose an even greater threat. His recommendation? Use smarter risk mitigation strategies by focusing on financial impact and attack likelihood.

Another major focus was the need to align Cyber Threat Intelligence (CTI) analysts with organizational leadership. Cole emphasized that cybersecurity strategies are most effective when CTI insights are translated into actionable, business-focused information. This helps businesses make informed decisions, maximize ROI, and stay ahead of evolving cyber threats. He also highlighted the importance of reassessing risk management plans regularly, using efficient threat intelligence tools, and creating clear action steps to strengthen defenses.

Want to improve your cybersecurity strategy and close the threat gap? Watch the full webinar now to learn how to protect your business, prioritize security risks, and stay one step ahead of attackers. Don’t let cyber threats catch you off guard—take action today!


Dan Cole:
No. Thank you for that fine introduction. I will do my best not to disappoint. Uh, welcome, everyone. So today, we’re gonna talk a little bit about Star Wars, little bit about CTI. And at the end of this, I’m hoping you leave with some tips, uh, some lessons that are gonna ultimately help you as CTI analysts, CTI managers, reduce burnout, make it easier to acquire more resources, more budget, and all that, you know, hopefully giving you time to focus more on actual higher impact threats. So, you know, like Doug said, my name is Dan Cole. I’m the VP of product marketing at ThreatConnect. I’ve been with the company for more than nine years. Uh, I’ve been a big evangelist of a lot of our CTI initiatives since then. So today, uh, I’m gonna talk a little bit about a few cliches that we wanna overcome. Then I’m gonna go into something that I call the threat gap, uh, which is all about sort of that traditional, you know, gap between, you know, defenders, attackers. Uh, and then I’m gonna go talk about something that might be a little unusual, a little new to CTI, and that is risk and why it matters or should matter to CTI analysts. Uh, and then finally, we’re gonna talk about how we can actually apply some of these lessons to close that gap, reduce burnout, get more budget, more resources. So let’s talk a bit about cliches. And the first one I need to address is that, yes, I know that a lot of people have used Star Wars, uh, to explain various cybersecurity concepts, various CTI concepts. I know it’s been done. Uh, but, you know, quick shout out though to Adam Shostack’s book, Threats. Really good introduction to a lot of these concepts. But I promise I will not be talking about the Death Star as a crown jewel asset. I will not be talking about the thermal exhaust port as a vulnerability. We’re gonna do things a little different. So George Lucas, creator of Star Wars, uh, sort of very unapologetic about what he does. 
He says that, you know, he makes movies that he would wanna watch. Uh, and, well, I’m gonna make presentations I would wanna attend. I really like Star Wars. I think there’s a lot of lessons there we can apply. Um, so, yes, I know it’s a cliche to use Star Wars to talk about CTI, but we’re doing it anyway. Another cliche I wanna talk about as somebody who works for a vendor in marketing, I see a lot of vendors kick off their pitches with this statement. Threats are growing faster than ever before, and defenders are struggling to keep up. I’m sure everyone here has heard some variation of that one time or another. You know, in fact, you know, the problem with that cliche is that it can be applied to anything. From, you know, the moment our first hominid ancestors picked up a bone to use as a club, threats have been growing faster than ever before, and defenders have been struggling to keep up. So in the next section, what I’d like to do a little bit is kind of unpack that cliche, uh, put it in sort of quasi mathematical terms, and that’s gonna lead into some of what we’re gonna talk about as far as risk goes. So first, I wanna define a few terms, and the first is what I call attack complexity. And this is essentially how attacks grow over time, you know, from those first bone clubs to bullets, uh, or, you know, of course, in cybersecurity, we look at things like new TTPs, new resources, new capabilities. And, essentially, as this complexity grows, the impact of an attack can grow over time. And when we think about the Rebel Alliance, who we’re gonna stand in as our threat actors here, they started their journey with simple old bombers, which they could use to conduct hit and runs. That was essentially their one TTP, if you will. Then eventually, they acquired X-wings, which allowed for space superiority. Then they acquired capital ships, which allowed them to do fleet engagements. 
And finally, they acquired the biggest resource of all, Ewoks, which, of course, let them ultimately defeat the Empire. But the point here is that this complexity grew over time. The second term I wanna talk about is attack surface. So this is basically the size and scope of what the Galactic Empire, in this case, our defenders, need to defend. And the bigger that surface area, the greater the likelihood of an attack because there’s just more places to hit. And so you imagine the Empire starts with TIE fighters, and they have certain weaknesses. They require capital ship support. Then they introduce TIE bombers, which require escorts. They introduce new variants of the TIE, which become expensive. And, you know, these older resources don’t go away. So you can imagine, you know, in cybersecurity with things like digital transformation, adopting, uh, more cloud devices, more IoT devices, that surface area grows because a lot of times those old things don’t go away. And if we look at the relationship between attack complexity and attack surface, it’s not one to one. You know, different attacker resources can attack different defender weak points. It is multiplicative. And so if we graph attack complexity and attack surface, what we see over time is that this sort of exponential threat risk starts to grow, where, you know, threat risk is sort of that cumulative element of how complex attacks get and the size of the overall attack surface. And what I’m basically saying here is that threat risk grows proportionally to attack complexity times attack surface. Now the final term I wanna talk about is defensive capacity. You know, I think everyone knows what this is. This is what we all do, and it’s basically the ability to detect, analyze, and respond to threats. Now the challenge is, you know, of course, as you all know, defenders face challenges that many attackers don’t. Uh, so, you know, we face red tape and bureaucracy. We all sit in too many meetings. 
And, of course, there are issues like employee burnout and turnover. So let’s take this out of Star Wars for a moment and put this in real numbers, real terms that affect cybersecurity. So let’s look at defensive capacity, which, again, I mentioned is sort of held back a little bit. So we look at challenges like 48% of organizations facing cutbacks to their defense forces, and the workforce gap is growing by 26% year over year. So with cutbacks and the workforce gap, we’re looking at sort of bare bones resources. Now that said, the overall spend on cybersecurity is planned to grow 12 and a half percent between now and 2030. So we do see additional investments. The problem is when we look at threat risk. So, you know, looking at the DBIR, for example, we see things like how vulnerability attacks, uh, or rather vulnerabilities used as sort of an initial attack vector, uh, you know, have grown 80% in the past year. Supply chain attacks are up, and attack surface is growing. Like, I already mentioned cloud adoption, which is growing at a two x rate, two x increase in IoT devices, more remote workers. So, yes, if you look to the left, spend is growing. But if you look to the right, threat risk is growing a lot faster. And so if we graph these two things out, threat risk and defensive capacity, what you see is that, you know, on the left, we might start with a defender advantage, but over time, that multiplicative relationship causes that adversary advantage, which I’m calling the threat gap, to grow and grow and grow. And so what this means is that even if the defender starts with an advantage, as that threat risk grows, eventually, that risk is gonna overtake it, and we’re gonna see an adversary advantage. So keep that threat gap in mind. And now I wanna talk about risk. 
So when you think about risk, you need to think about how leadership, and I mean, like, VPs, CISOs, boards, the ones who write the checks for you guys, how do they make decisions? So day to day, you’re gonna struggle with things like false positives, uh, technology scaling, mean time to respond. What this translates to, like, what are your boss’s boss’s pain points? It’s money. Uh, these turn into costs, uh, when an attack comes, these turn into cyber insurance rates. So the average cost of an attack last year was $4,880,000. And that was a record, and we’re anticipating that record to be beaten this year. The cost of cyber insurance is up 25 and a half percent. So those costs, you know, the sort of top line or bottom line impact of your pain points are growing and growing and growing. So what they see this threat gap as, they see it as a risk gap, meaning that the financial impact of the organization is growing. So we see all those risk numbers growing up. Now despite that, cyber defense spend is only going up 12 and a half percent, and that’s a bit of a mismatch. So what can we actually do about it? Well, you’re gonna get a crash course in how these organizations calculate business risk when it comes to cybersecurity. Uh, and apologies, there’s gonna be some more terms that we’re gonna have to define. So consider an attack. So X-wings coming in, firing their blasters at this Imperial TIE fighter. The first term is frequency. So how often is one of those attacks going to occur? So, you know, are the rebels engaging in these sorties daily, weekly, etcetera? Next, what is the probability of success? So when that X-wing fires its blasters, what are the odds that it’s gonna hit? What are the odds it’s gonna blow up that TIE fighter? So those, I think, are fairly straightforward. Now we get into some things that are a little more complex, and the first is single loss expectancy. 
Fancy term, but basically, all it is is how much does it cost when that TIE fighter is destroyed? So it’s not just the cost of building the TIE fighter. You’re gonna have to retrain new pilots. There’s gonna be a morale impact. You know, you can imagine in cybersecurity that if there’s a major breach, there may be PR expenses. Uh, there’s cost to retrain, time spent on downtime, all these sort of direct and indirect costs caused by the loss of that TIE fighter. And then finally is annual loss expectancy, which is basically taking all these three things and wrapping them up. So on the Empire, sending all these TIE fighters out into space, they’re getting shot down by a bunch of X-wings. What is the actual risk and cost to me going to be across an entire year? Or, you know, as it’s called in Star Wars, a galactic standard. So let’s look at an example. So take the TIE fighter, the mainstay fighter of the Imperial Navy. So let’s imagine that once every two days or 82.5 times per year, a TIE fighter is going to be attacked by an X-wing. Now the probability of success of that X-wing landing a shot and blowing up that TIE fighter is 50%. You know, these TIE fighters have no shields. They have pretty weak armor. So it’s a little like, uh, shooting fish in a barrel. Now factoring in the cost of a TIE fighter, the cost of retraining those pilots, the time to complete paperwork, you know, the time spent hiding from Darth Vader because you failed, we’re gonna say that’s gonna cost the Empire a hundred thousand credits. So if we look at this over the full year, you know, in terms of how often TIE fighters are attacked, what is the probability of success, how much does a single loss cost, we’re looking at over 9,000,000 Imperial credits in sort of calculated risk every year. So that’s what the Empire is seeing today. So why does this actually matter to a threat intelligence analyst when talking to leadership? Well, fundamentally, threat analysts are storytellers. You know, whether you’re reporting to threat hunters or the SOC or your managers or leadership, you’re trying to tell and communicate a narrative, whether, you know, whether it’s of an attack or remediation. You’re telling that story. And I think you all know this, that different audiences need different stories. You’re gonna be talking about, you know, a, uh, particular threat actor differently to, you know, a tier three SOC analyst than to your manager. Now for your leaders, you know, like we talked about when we showed those cost of breach and insurance metrics, risk and ROI are the most palatable stories that you can tell for those leaders. So when you’re going to seek more resources, like, you know, additional headcount, uh, additional tools, or priorities, so whatever, you know, how do you sort of convince leadership of your threats versus something they saw in the news? We need to speak in the language of business. So how do we do that? You know, how do we kind of bring this TIE fighter example to ground with what a CTI analyst is gonna deal with? So consider the attack techniques, if you will, that the Rebel Alliance is going to use against these TIE fighters. 
Well, they might shoot their blasters at them or they might fire some missiles at the TIE fighter, different ways they could blow the TIE fighter up. So what are the vulnerabilities of the TIE fighter? Well, like we talked about before, they have no shields and maybe they’re too slow, like they can’t evade those missiles. So we talked about before that the probability of success of one of those things hitting the TIE fighter and blowing it up is 50%. And again, that costs a little over 9,000,000 credits. So what are the mitigations we can put in place for these threats? Well, let’s look at blasters as a technique. Maybe we install shield generators on our TIE fighters. Well, that’s gonna cost us 4,000,000 credits. And good news, that takes the probability of success of one of those blaster hits from fifty percent to twenty percent. Great. Our new loss expectancy is only about three and a half million credits now. So that’s quite a reduction by almost five and a half million credits. But we also have to look at the cost of that risk reduction. So 4,000,000 credits. And at the end of the day, we’ve reduced our risk by 1,500,000. Pretty good. The Empire is gonna save some money. Your executives are gonna feel a little bit better. But what if we looked at mitigating missiles? Well, maybe we take more armor out of the TIE fighter. That makes it lighter and faster, and that only costs a hundred thousand credits. Well, that only reduces our, uh, probability of success from 50% to 40%, which is not as good as 20%. But when we factor in the mitigation costs, the risk reduction is actually a little bit better. So when you’re communicating to your leaders and you’re looking for the best way to protect these TIEs, well, here on the right is the best story because that ultimately pays down that risk quite a bit more. So there’s a lot of information here. I’m not gonna go through everything. But this also works when looking at a strategy across an entire fleet. 
So consider all of the assets in a standard Imperial capital ship squadron. You’ve got Star Destroyers, Super Star Destroyers, escort frigates. And we can do all these same calculations. So consider a Super Star Destroyer. It is a massively well defended big boy asset. Because it’s so well defended, it only gets attacked about twice a year, low probability of success. But it’s by far the most expensive asset in the fleet by orders of magnitude. And so each of these assets has different vulnerabilities, and the rebels can use different attack techniques. So maybe they crash an A-wing into the bridge. So we can think about the cost of mitigation for these different things. But also look at this particular, uh, Imperial carrier, which, you know, carries starfighters, uh, as part of this, uh, fleet squadron. So they have vulnerabilities too. So maybe they use old codes, the rebels can infiltrate using stolen codes, etcetera, etcetera, etcetera. Well, if we do those same calculations we did with the TIE fighter, what we see is that the net risk reduction for the carriers is significantly more than the risk reduction for the Super Star Destroyer. So you know as a CTI analyst that risks to this carrier are greater than the risk to the Super Star Destroyer. Now initially, your executives, they’re gonna see the Super Star Destroyer as a crown jewel asset. Like, the single loss expectancy is 1,200,000,000,000 credits. But you know as a CTI analyst that the greatest impact actually is gonna be this carrier. And if you can use these numbers to make this case, you’re gonna get that seal of approval to update those ciphers. And the critical takeaway here is that these items in blue, frequency, probability of success, etcetera, those are the metrics that a CTI analyst can really influence. So you bring those together, and you can actually tell your story. So what does this actually look like in a real cybersecurity example? 
So this is a screenshot from one of ThreatConnect’s products called Risk Quantifier, and this is not meant as a sales pitch. It’s just, I think, a really good visual. What we can do here is we can align cybersecurity objects, like the underlying things behind these different techniques, to loss information we know about your specific business. So we know that by not putting in the right controls, the right mitigations for BITS jobs, that’s gonna be the largest financial risk to the company. So maybe one of your executives saw something in the news, um, about phishing. Very common attack vector, obviously, but maybe you’ve got controls in place already, but they’re like, phishing, phishing, phishing, phishing. You know as a CTI analyst that BITS jobs are gonna be the biggest risk here. So you can use these financials to make that case that, hey. We need more controls in place to do this. Maybe we need to hire somebody with expertise in mitigating BITS jobs. Maybe we need to have our threat hunters prioritize that as an attack vector. So, again, the reason that this matters, by using those risk metrics, what you’re gonna do is enable the executive team to have every dollar spent on cyber defense pay down more than a dollar in risk reduction. And that kind of turns defensive capacity into something that’s actually going to catch up and close that risk because you are being more efficient, more effective with your resources. So the final piece I wanna hit on is really looping in how the CTI analyst can apply these things. So everyone, I think, is familiar with the threat intelligence life cycle. If you’ve heard me speak before or you’re familiar with ThreatConnect, you know we’ve been talking about what we call the evolved intelligence life cycle. And what we’ve done is we’ve taken the traditional intelligence life cycle, which is focused on production of intelligence, and really looped in the consumers. 
You know, threat intelligence, by definition, is about informing actions. So who are the people, the teams, actually taking that action? Like, are you informing, uh, better detections? Are you helping guide threat hunts? Well, when we talked about risk, the main piece here is leveraging threat intelligence to inform the decisions that ultimately go back to how you plan your intel production. So, again, in terms of storytelling, you’re gonna tell a different story to incident response than you do to detection engineers. Well, again, you’re gonna tell a different story to leadership, and that story you tell is via risk. So your role is to capture likelihood and impacts. So frequency, probability of success, vulnerabilities. So again, filling in the blanks on things like attack complexity and attack surface so you can get to that threat risk and then get to that actual financial risk. Next, again, be storytellers. Now we don’t expect you to put these risk numbers, these financial metrics together yourself. So the goal is to work across multiple levels to turn your CTI findings, again, things like probability of success, uh, vulnerability, into financial and strategic language. That’s gonna help you develop those risk based business cases. So rather than talking about a particular threat actor targeting, you know, UK banks using this malware, talk about how we can reduce risk by 20% with only a 5% budget increase. And then this can become a routine on an ongoing basis as you close the intelligence cycle, connect those threats to potential loss events and business outcomes. And that’s gonna help you not only get more resources, it’s gonna help inform what are your actual requirements. And then finally, show leadership how certain mitigations can yield tangible ROI because, again, that’s what they really care about. 
And so by informing all of these decisions that leadership is making, that’s gonna give you an easier time getting budget, getting resources. And, again, because this is gonna help you align to your PIRs, it’s gonna help you spend more time finding high impact threats. So finally, conclusions and recommendations. Again, attack complexity times attack surface is proportional to threat risk. Threat risk over time is pretty much always gonna outpace defensive capacity even if you start with a defender advantage. And then the problem is losing that advantage can turn into exponential rises in those financially material impacts like breaches, where, again, you’re dealing with maybe lawsuits, PR, downtime, etcetera. Risk is how we demonstrate the ROI of cyber defense, and business decisions are driven by that ROI. So it’s about telling that story in that language that’s gonna help you actually pay down that risk. And, again, we saw that where we talked about mitigating the missiles versus the blasters because it’s an overall increase in risk reduction and overall increase in applications of CTI and cyber defense. Sometimes the biggest single asset, you know, the one that your system is, like, banging on your door at 08:00 in the morning, that’s not necessarily the top priority. Aggregated risk to mid range assets can actually surpass it. We saw that in the example where we saw the fleet carriers taking precedence over that sort of crown jewel Super Star Destroyer. So my final call to action is to apply this risk based thinking and storytelling to your CTI processes. Again, starting with how you enable leadership and even tying back to things like how you develop your PIRs. 
Work with teams and especially across levels, so your manager, your manager’s manager, for ways to gather the data needed to feed those risk models, which again could be things like vulnerabilities, could be things like mitigations, could be ways to help calculate things like frequency of attacks and probability of success. Then finally, again, this is not a pitch. Uh, well, maybe it’s a little bit of a pitch. Uh, visit threatconnect.com. We have a lot more resources about how to actually apply risk, things like best practices, and, again, that’ll really help you circle back, uh, to addressing some of these issues. So in closing, you know, before question time, uh, I just wanna say, you know, thank you. May the Force be with you. Uh, definitely wanna open the floor to questions. And in addition to questions, please feel free to geek out with me, uh, about Star Wars or, uh, call me out on any flaws, uh, in any of my Star Wars knowledge. So, uh, you know, first question, uh, did the rebels actually defeat the Empire? Uh, good question. Hard to say. Certainly, there are lingering elements within the New Republic seeking to revive the Empire. What strategies do you recommend for aligning CTI efforts with the organization’s overall business objective? Uh, so that’s a really good question. So part of that goes into PIR development. So, you know, in looking at the top risks, so, again, I showed that ATT&CK Navigator view where it showed the top financial risk TTPs. That can help you inform things like your PIRs. So, again, getting back to the BITS job example where that was the highest financial risk, you can align your PIRs to try to, uh, capture some of those. And then, of course, it’s a matter of taking things like vulnerability, attack technique, mitigation action, working with your higher ups to align them, uh, back to those business objectives. Uh, somebody asked if there’s a practical app to get more practical. Uh, very good question. 
I know this is very high level. Uh, we don’t have one planned today, uh, but if you do go to our website, uh, there are a lot of sort of very hands on resources there, uh, that’ll get a little, uh, deeper into this. Other questions?

Dan Cole:
It looks like there’s a couple more. Thanks so much, Dan.

Dan Cole:
Great. Sorry. Presentation. Uh, just had to scroll down.

Dan Cole:
There you go.

Dan Cole:
Uh, what are your recommendations for automating vulnerability management to produce this ROI? Uh, that’s a very good question. And, again, I’m gonna recommend, uh, taking a look at our website. Uh, we integrate with a lot of different vulnerability managers. Uh, our Risk Quantifier product actually automatically brings in a lot of that vulnerability management data, uh, and that’s gonna help you sort of align, uh, with some of the other data we bring in specific to your organization, uh, to help tie vulnerabilities to that ROI. Uh, I love the person geeking out with me about Ewokese, uh, and Shyriiwook, which is the Wookiee language. Uh, and, again, that’s actually an important point is, again, shifting your language depending on who you’re talking to. So, uh, if you’re talking to Wookiees, uh, about how to mitigate their cyber defenses on their home planet of Kashyyyk, yes. You would want to try to speak, uh, their language. In terms of, uh, where did the numbers in the threat risk slide come from, uh, I will actually hop into the Slack after this, uh, and share some of those. Some of those came from Verizon DBIR. Uh, some came from things like IBM’s cost of breach report. Uh, frameworks or templates. Um, yes. Uh, and, again, I’ll kinda refer you to our website, uh, to take a look at some of that. Uh, one of the key things there is making sure that things are tailored specifically to your company, uh, because different companies may have different, you know, risk policies, uh, and that’s gonna be important to, uh, look at. How can CTI mitigate fraud in online payment gateways? Very good question. Um, we actually do have a lot of customers that do use our platform to look at fraud mitigation. Uh, I do think I’m out of time, though. Uh, so let me actually see if I can hop into the Slack channel, uh, to see if I can answer that.

Dan Cole:
I think you actually got a couple more minutes if you wanna answer, uh, one more. Uh, we also have one in the, uh, in the Slack channel here as well. How would you mitigate a zero day such as the Holdo, uh, the Holdo maneuver?

Dan Cole:
Uh, very good question. Um, so to answer that, uh, you know, certainly one of the things about, uh, zero days, uh, is that in many ways, uh, they are learning opportunities. Uh, so, you know, that really comes down for me to the feedback and validation step, uh, in the threat intelligence life cycle. So sometimes there are things that CTI teams simply can’t get ahead of. Uh, many zero days are one of them. Uh, but, uh, yeah. Hopefully, the First Order, uh, took some lessons from that, uh, and, I don’t know, found ways to, like, jam hyperspace navigation and prevent that again. Um, and again, I’ll just, I’ll try to sort of answer, oops. Uh, I’ll try to answer, uh, that question about CTI fraud, um, online payment gateways fraud. Uh, I mean, a lot of that’s gonna come down to your actual intelligence vendor, like, are they providing insights to that? Uh, we are seeing more intel vendors provide that. Uh, we also, like I said, uh, have a lot of customers that use our platforms for, uh, CTI and fraud. So that includes things like tracking things like credit card numbers, uh, account numbers, uh, and treating them almost like indicators of compromise. Um, and a big part of it is also collaboration between teams. So we’ve seen customers actually, uh, in some cases, actually merge, uh, their fraud and cybersecurity teams because, of course, uh, you know, cybersecurity vectors are a way to get into those online payment systems. Uh, others have still kept those teams separate, uh, but still, uh, will use, like, common ticketing systems, for example, uh, to actually get those teams together. So it’s very much sort of a takes a village answer where you are getting cybersecurity and fraud teams working together, uh, to look, uh, and apply some of that CTI knowledge to address those things. Okay. Uh, I think, uh, Doug, you know, is gonna check me, uh, on anything. I think that covers just about everything.
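The risk arithmetic Cole walks through in the talk (annual loss expectancy as frequency times probability of success times single loss expectancy, then the gross and net risk reduction each mitigation buys, and the same comparison used to rank assets across a fleet), written out as an added example that is not part of the talk or of any ThreatConnect product. The TIE fighter figures are the talk's own, with frequency taken as 182.5 attacks per year (once every two days, which is what reproduces the "over 9,000,000 credits" result); for the fleet comparison only the Super Star Destroyer's single loss expectancy and twice-a-year attack rate come from the talk, and every other fleet value, the probabilities and the mitigation names are constructed for illustration.

```python
"""Annual loss expectancy (ALE) and net risk reduction, as laid out in the talk.

Added example, not ThreatConnect code. TIE fighter numbers are the talk's own
(frequency 182.5/year = once every two days). For the fleet comparison only the
Super Star Destroyer's loss figure and twice-a-year attack rate come from the
talk; the other fleet values and all mitigation names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    frequency_per_year: float      # how often an attack technique is attempted
    probability_of_success: float  # chance that one attempt destroys the asset
    single_loss_expectancy: float  # full cost of one loss, direct and indirect


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float                        # what the control costs to put in place
    new_probability_of_success: float  # attacker success rate with it in place


def annual_loss_expectancy(frequency_per_year, probability_of_success,
                           single_loss_expectancy):
    """ALE = frequency x probability of success x single loss expectancy."""
    return frequency_per_year * probability_of_success * single_loss_expectancy


def evaluate_mitigation(asset, mitigation):
    """Gross and net (after the control's cost) annual risk reduction.

    Results are rounded to whole credits so floating-point noise from the
    percentages does not leak into the comparison.
    """
    before = annual_loss_expectancy(asset.frequency_per_year,
                                    asset.probability_of_success,
                                    asset.single_loss_expectancy)
    after = annual_loss_expectancy(asset.frequency_per_year,
                                   mitigation.new_probability_of_success,
                                   asset.single_loss_expectancy)
    gross = before - after
    return {
        "asset": asset.name,
        "mitigation": mitigation.name,
        "ale_before": round(before),
        "ale_after": round(after),
        "gross_reduction": round(gross),
        "net_reduction": round(gross - mitigation.cost),
    }


def rank_mitigations(asset, mitigations):
    """Best control first, judged by net annual risk reduction rather than by
    how far it lowers the probability of success."""
    results = [evaluate_mitigation(asset, m) for m in mitigations]
    return sorted(results, key=lambda r: r["net_reduction"], reverse=True)


def rank_assets(plan):
    """plan maps each Asset to its candidate mitigations. Assets are ranked by
    the best net reduction available for them, i.e. where a budget credit pays
    down the most risk, regardless of which asset has the largest SLE."""
    best = [rank_mitigations(asset, ms)[0] for asset, ms in plan.items()]
    return sorted(best, key=lambda r: r["net_reduction"], reverse=True)


# The talk's TIE fighter example: 50% success, 100,000 credits per loss.
TIE_FIGHTER = Asset("TIE fighter", 182.5, 0.5, 100_000)
TIE_MITIGATIONS = [
    Mitigation("shield generators (vs blasters)", 4_000_000, 0.2),
    Mitigation("strip armour for speed (vs missiles)", 100_000, 0.4),
]

# Fleet comparison. The Super Star Destroyer's SLE and attack rate are from the
# talk; its success probability, the carrier figures and the mitigations are
# constructed values chosen only to illustrate the ranking.
SUPER_STAR_DESTROYER = Asset("Super Star Destroyer", 2, 0.001, 1_200_000_000_000)
CARRIER = Asset("Imperial carrier", 30, 0.1, 500_000_000)
FLEET_PLAN = {
    SUPER_STAR_DESTROYER: [Mitigation("harden the bridge", 1_500_000_000, 0.0005)],
    CARRIER: [Mitigation("rotate clearance codes", 50_000_000, 0.02)],
}

if __name__ == "__main__":
    for r in rank_mitigations(TIE_FIGHTER, TIE_MITIGATIONS):
        print(f"{r['mitigation']:<38} ALE {r['ale_before']:>10,} -> "
              f"{r['ale_after']:>10,}  net reduction {r['net_reduction']:>10,}")
    for r in rank_assets(FLEET_PLAN):
        print(f"{r['asset']:<22} {r['mitigation']:<24} "
              f"net reduction {r['net_reduction']:>16,}")
```

The fleet ranking is where the talk's point lands: both constructed controls take the same gross risk off the table, but the carrier's cheap control leaves a large net reduction while the crown jewel's control costs more than it saves.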