Threat Intelligence Plan and Proposal
Joseph Wagner
CSOL 580
Professor Donald Biedermann
University of San Diego
Executive Summary
Gathering proper threat intelligence is important for any organization to help defend
against cyber-attacks. Cyber intelligence can be defined as, “…data that is collected, processed,
and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat
intelligence enables us to make faster, more informed, data-backed security decisions and change
their behavior from reactive to proactive in the fight against threat actors.” (Baker, 2021). The
purpose of threat intelligence is to help organizations design and build a threat defense strategy
that is tailored to the needs of their business. Being able to distinguish good intelligence
from bad will also help organizations decide where to invest and what types of tools to
use to defend against cyber-attacks. The purpose of this threat intelligence plan is to highlight
areas of weakness for ZS and identify where our most critical data and resources may be at risk.
With threats evolving every day, it is important to understand the current threat landscape as well
as the tools to help combat these attacks. Since threats change, the tools used to protect
organizations will also change, so it is crucial to use this report as a starting point and regularly
audit both the company’s infrastructure and the types of attacks to which the organization may
be most vulnerable. This report will also address a potential budget for the recommended
products and changes to the security architecture. This budget will lay a foundation so that the
organization will understand the potential ramifications and costs associated with a breach and
be able to weigh that against the cost of a well-planned security program. Since ZS primarily
works with healthcare and life sciences clients it is important to protect client and patient data. A
study by AAG recently found that, “Over 75% of the health care industry has been infected with
malware over the last year. The study examined 700 healthcare organizations including medical
treatment facilities, health insurance agencies and healthcare manufacturing companies.” (AAG
Digital, 2019). Since ZS plays such a large part in these organizations’ digital and technology
ecosystems, it is important to make sure that ZS is protecting its own assets just as it would
Often business leaders need to see things in black and white to make decisions. More old
school executives have a harder time believing theory or the “what if,” especially if it means
spending more money on software. Some organizations have a great security program in
place, but the more intelligence they can gather the better with regard to any areas of their business
that may present a challenge. This can be done through constant scanning and research or
periodic audits. There is no wrong answer when trying to find holes in an organization’s systems
and network. Intelligence around threat actors is important so that organizations can best
understand what the most prevalent threats are and who or what bad actors may be targeting.
1. “Stay up to date—know about new and emerging threats including methods, targets and
2. Know your enemy—if you can connect a certain attack or malware to a specific threat
actor, and understand their context and motivation, you are better equipped to defend
against them.
about threats that you can share across the security team, as well as with management and
When given good intelligence around a threat or a cyber breach, an organization may be
able to take legal action. For example, if there is an insider threat where an employee leaked data,
and intelligence is gathered around how that data was leaked, what systems were used, and when it
occurred, the organization may be able to identify who did it and take legal action. An area of concern for IT
and threat teams is always budget. Even when they discover a tool that would greatly increase
the company’s security posture, they must have the budget to purchase it. With good intelligence,
the team can present the software or tool to the executives and secure budget for what they are
looking for.
Depending on the size of the organization and its resources, it may have to make choices on
how and what it spends on. Having as much information as possible about the cyber threat landscape will
allow it to make decisions that best fit the organization. Many tools exist and there is no
one-size-fits-all that works for every organization, so with good intelligence ZS can make
Threat Landscape
Today’s threat landscape changes rapidly, and organizations need to ensure that they have a
program in place that is relevant to their environment. For the purpose of this document the
1. Credential Leakage
2. Ransomware
These threats are seen across almost every major organization today and affect organizations
from a financial, reputational, and resources perspective. The damage from these threats affects
personnel and hardware/software. Each of these threat vectors has made national headlines as
the root cause of data leakage or of unauthorized access to an organization’s infrastructure.
Threat Vectors
Employee credentials are one of the most highly sought-after assets that bad actors look
for today. Obtaining employee credentials gives bad actors access to company systems that
appears legitimate. They can obtain these credentials through social engineering, phishing
campaigns, and sometimes even by purchasing them on the dark web. Often employees will use
the same password combinations for personal accounts, and if a bad actor is able to buy these
credentials from the dark web, they can then try them on work accounts. Once credentials
are gained, the bad actor can often move around the network and infrastructure of the
ramifications these can have. Once the bad actor or hacker group can install the ransomware on
the system, they are then able to hold resources hostage until the ransom is paid. These attacks
are usually performed for financial gain but can also be used to expose executives of an organization
who may have reputation-damaging emails or content on their devices. These attacks affect
every industry, and the ransoms are not cheap. “Ransoms could cost victims a collective total
of $265 billion by 2031. The estimate is based on the prediction that the price tag will increase
30% every year over the next 10 years.” (Bisson, 2021). Ransomware can enter an organization’s
systems through different methods, so ensuring proper tools are in place to close these areas of
weakness is important.
Distributed denial of service attacks are performed when a bad actor or group desires to
bring down a system. These are often done for political gain, notoriety, or to make a statement
against a company. These types of attacks have affected companies like Amazon, which fell
victim in 2020: “We have reached another milestone with the largest Distributed Denial of
Service (DDoS) attack on record being reported by Amazon Web Services (AWS) at 2.3 Tbps in
Q1 2020.” (Nicholson, 2021) Since this attack was on Amazon Web Services (AWS), it not only
affected Amazon but also the customers that were using AWS for their organization’s infrastructure.
These attacks can be devastating to organizations from a financial perspective if their systems are
so overwhelmed that their online payment or ordering systems cannot function. For Amazon it
put into question whether companies could trust AWS and its infrastructure to host some of their
The three listed threats pose a potential threat to our organization because of the sensitive
data that is stored on our systems as well as the financial ramifications that would be implicated
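The credential-reuse scenario described above leaves a recognisable trace in authentication logs: a single source trying many different accounts in a short window, sometimes followed by one success where a reused password happened to work. The script below, added here as an illustration and not part of the original plan, runs that detection over a handful of constructed log lines. The log format, the field names (`src`, `user`, `result`), the five-minute window, and the five-account threshold are all assumptions to be adapted to the real identity provider or VPN logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption; adapt the regex to the real IdP/VPN/SSO schema).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source cycling through many accounts (stuffing pattern),
# one user who mistyped their own password twice, and two unrelated failures.
SAMPLE_LOG = [
    "2022-02-21T09:00:01Z src=203.0.113.7 user=alice result=FAIL",
    "2022-02-21T09:00:03Z src=203.0.113.7 user=bob result=FAIL",
    "2022-02-21T09:00:05Z src=203.0.113.7 user=carol result=FAIL",
    "2022-02-21T09:00:07Z src=203.0.113.7 user=dave result=FAIL",
    "2022-02-21T09:00:09Z src=203.0.113.7 user=erin result=FAIL",
    "2022-02-21T09:00:11Z src=203.0.113.7 user=frank result=OK",
    "2022-02-21T09:00:12Z src=203.0.113.7 user=grace result=FAIL",
    "2022-02-21T09:01:00Z src=198.51.100.2 user=alice result=FAIL",
    "2022-02-21T09:01:30Z src=198.51.100.2 user=alice result=FAIL",
    "2022-02-21T09:02:00Z src=198.51.100.2 user=alice result=OK",
    "2022-02-21T10:30:00Z src=192.0.2.9 user=bob result=FAIL",
    "2022-02-21T10:31:00Z src=192.0.2.9 user=carol result=FAIL",
    "this line is malformed and must be skipped",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag sources whose failed logins cover >= min_distinct_users accounts inside any window.

    Returns {src: {"distinct_users_failed": peak, "successes": [users that logged in OK]}}.
    The successes list matters most: a stuffing source that also got an OK is a
    compromised account to reset, not just noise to block.
    """
    failures = defaultdict(list)   # src -> [(ts, user)]
    successes = defaultdict(list)  # src -> [user]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
        else:
            successes[ev["src"]].append(ev["user"])

    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        peak = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= min_distinct_users:
            alerts[src] = {"distinct_users_failed": peak, "successes": successes.get(src, [])}
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['distinct_users_failed']} accounts failed, "
              f"successful logins: {info['successes']}")
```

Only the source that failed against six different accounts is flagged; the user who mistyped their own password and the two stray failures stay below the threshold. The `successes` list is what turns the alert into an action: any account that logged in successfully from a flagged source should have its password reset, which is the operational consequence of the password-reuse problem the section describes.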
Threat Actors
Threat actors can vary depending on the goal of the attack and their target. Types of threat actors
seen in today’s landscape are nation state attackers, political activists (hacktivists), insider
threats, and organized cyber-criminal groups. Below is a graphic that depicts these types of
[Figure: threat actor types; image not reproduced] (Van-Riper, 2019)
Threat Remediation
Each of the threats discussed has a path to remediation, and some can be stopped
before they damage the organization. Tools such as email security,
firewalls, threat detection, single sign-on, password strengthening tools, and network protection
each form an element of a properly designed security stack that will help protect against these types of
attacks. Though nothing can guarantee the safety of an organization, each tool will help protect
the organization from most threats. Continually analyzing the strength of the tools and the
internal network will help the organization decide if the tools continue to be the best fit for the
Training/Next Steps
An important part of keeping an organization safe from the threat vectors mentioned in
this report is proper training. Making sure that employees understand a bit of the threat
landscape, how to create proper passwords, and why to keep their personal and work credentials
separate is important when attacking the issue of phishing and credential loss. Having a team
that properly pen tests the network and tools will help against ransomware by making sure that the
company network and infrastructure do not have large holes or areas of weakness. Ensuring
that the IT and security teams all have a good understanding of how to notice a DDoS attack and
have backups and resources for the most critical and money-making systems is essential. The
organization should make sure that employees are trained consistently and in the areas that most
Focusing on these threat vectors and laying a foundational framework for stopping
threats, identifying threats, and remediating them if they do happen will help the organization
keep our most precious assets safe. If a proper plan is in place, when a threat does occur the
organization will be well prepared to handle it with minimal loss of resources.