DeepSec 2018 Talk: Information, Threat Intelligence, and Human Factors – John Bryk
“Across the ICS spectrum, organizations are gathering threat data (information) to protect themselves from incoming cyber intrusions and to maintain a secure operational posture,” says John. “Organizations are also sharing information; along with the data collected internally, organizations need external information to have a comprehensive view of the threat landscape.
Cyber threat information comes from a variety of sources, including sharing communities such as Information Sharing and Analysis Centers (ISACs), open-source, and commercial sources. Immediately actionable information is mainly low-level indicators of compromise, such as known malware hash values or command-and-control IP addresses, where an actionable response can be executed automatically by a system.
Threat intelligence refers to more complex cyber threat information that has been subjected to the analysis of existing information. Information such as different Tactics, Techniques, and Procedures (TTPs) used over time with an attack or the network of threat actors involved in an attack is valuable information and can be vital to understanding and predicting attacks and guiding defensive measures. This information is also actionable, but on a longer time scale. Moreover, it requires action and decision-making by humans at the strategic level.
There is a need for effective intelligence management platforms, both automated and human-enabled, to facilitate the creation of intelligence from raw information, and to feed and facilitate the intelligence process. Some of the key challenges that exist include: working with multiple intelligence sources, combining and enriching data for greater intelligence, determining intelligence relevance based on technical constructs, delivery into organizational workflows and into technological products.”
We asked John a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- Information and Intelligence are often misunderstood and misused in cyber conversations.
- Many organizations are paying for information and thinking they’re getting intelligence.
- Actionable intelligence is the desired end goal of information sharing.
- Quantity v. Value are inverted in the transition from information to intelligence.
- Organizations can assist intelligence analysts by crafting clear intelligence requirements.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
Hearing people at all levels misuse the terms information and intelligence. Knowing much time, effort, and money is being wasted, I wanted to help.
Why do you think this is an important topic?
Actionable intelligence is the holy grail, what we should all aim for. Actionable intelligence allows you to do something, to identify, defend, mitigate, and reconstitute.
Is there something you want everybody to know – some good advice for our readers maybe?
Everybody needs this basic understanding to: operate a Security Operations Center, create actionable intelligence, and inform the C-level to justify more resources!
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
Artificial intelligence may be a future boon to intelligence analysis if it doesn’t enslave us all first. Until then, only a human-in-the-loop can successfully produce finished, actionable intelligence.
John Bryk retired as a colonel from the United States Air Force after a 30-year career, with early assignments that included Intercontinental Ballistic Missile Combat Crew Commander, and launching the Space Shuttle and unmanned rockets. As a senior officer, he was selected to serve as a military diplomat at U.S. embassies in Canada and in Central and Western Europe. Colonel Bryk deployed to Southwest Asia on three combat tours and was awarded the Bronze Star Medal for service in Afghanistan. Prior to retirement he was attached to the Defense Intelligence Agency, where he later continued to serve as a U.S. Intelligence Officer until joining the private sector in 2015.
As the threat intelligence analyst for the Downstream Natural Gas-ISAC, John focuses on the protection of North America’s natural gas critical cyber and physical infrastructure.
John holds an MBA, an MS in Cybersecurity, and an MA in Business and Organizational Security. He maintains certification as a Counterintelligence Threat Analyst, and serves on the Governing Board of the McAfee Institute.