
Threat Intelligence Plan and Proposal

Joseph Wagner CSOL 580

Professor Donald Biedermann

University of San Diego


2

Executive Summary

Gathering proper threat intelligence is important for any organization to help defend against cyber-attacks. Cyber intelligence can be defined as, “…data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables us to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors.” (Baker, 2021). The purpose of threat intelligence is to help organizations design and build a threat defense strategy that is tailored to the needs of their business. Being able to distinguish good intelligence from bad will also help organizations decide where to invest and what types of tools to use to defend against cyber-attacks. The purpose of this threat intelligence plan is to highlight areas of weakness for ZS and identify where our most critical data and resources may be at risk. With threats evolving every day, it is important to understand the current threat landscape as well as the tools that help combat these attacks. Since threats change, the tools used to protect organizations will also change, so it is crucial to use this report as a starting point and regularly audit both the company’s infrastructure and the types of attacks to which the organization may be most vulnerable. This report will also address a potential budget for the recommended products and changes to the security architecture. This budget will lay a foundation so that the organization understands the potential ramifications and costs associated with a breach and can weigh them against the cost of a well-planned security program. Since ZS primarily works with healthcare and life sciences clients, it is important to protect client and patient data. A study by AAG recently found that, “Over 75% of the health care industry has been infected with malware over the last year. The study examined 700 healthcare organizations including medical treatment facilities, health insurance agencies and healthcare manufacturing companies.” (AAG Digital, 2019) Since ZS plays such a large part in these organizations’ digital and technology ecosystems, it is important to make sure that ZS is protecting its own assets just as it would protect those of the clients we work with.



Table of Contents

Executive Summary………………………………………………………………………….…2-3

What is threat intelligence?..............................................................................................................



What is threat intelligence?

Often business leaders need to see things in black and white to make decisions. More old-school executives have a harder time believing theory or the what-if, especially if it means spending more money on software. Some organizations have a great security program in place, but the more intelligence they can gather about areas of their business that may present a challenge, the better. This can be done through constant scanning and research or periodic audits. There is no wrong answer when trying to find holes in an organization’s system and network. Intelligence around threat actors is important so that organizations can best understand what the most prevalent threats are and who or what bad actors may be targeting.

Imperva identified that threat intelligence can help organizations,

1. “Stay up to date—know about new and emerging threats including methods, targets and identities of threat actors.
2. Know your enemy—if you can connect a certain attack or malware to a specific threat actor, and understand their context and motivation, you are better equipped to defend against them.
3. Share information—threat intelligence provides conveniently packaged information about threats that you can share across the security team, as well as with management and other stakeholders.” (Imperva, 2020)

When given good intelligence around a threat or a cyber breach, an organization may be able to take legal action. For example, if there is an insider threat where an employee leaked data, and intelligence is gathered around how that data was leaked, what systems were used, and when it occurred, the organization may be able to identify who did it and take legal action. An area of concern for IT and threat teams is always budget. Even when they discover a tool that would greatly increase the company’s security posture, they must have the budget to purchase it. With good intelligence, the team may present the software or tool to the executives and find budget for what they are looking for.

Overall, intelligence is important so that organizations can understand what is at stake. Depending on the size of the organization and its resources, it may have to make choices on how and what it spends on. Having as much information as possible about the cyber threat landscape will allow it to make decisions that best fit the organization. Many tools exist and there is no one-size-fits-all that works for every organization, so with good intelligence ZS can make informed decisions on what is best suited for the organization.

Threat Landscape

Today’s threat landscape changes rapidly, and organizations need to ensure that they have a program in place that is relevant to their environment. For the purpose of this document the three threats most applicable to the organization are:

1. Credential Leakage
2. Ransomware
3. Distributed Denial of Service Attacks

These threats are seen across almost every major organization today and affect organizations from a financial, reputational, and resource perspective. The damage from these threats affects personnel and hardware/software. Each of these threat vectors has made national headlines as the root cause of leaked data or of unauthorized access to an organization’s infrastructure.

Threat Vectors
Employee credentials are one of the most highly sought-after assets that bad actors look for today. Obtaining employee credentials allows bad actors access into company systems in what appears to be an authorized manner. They can obtain these credentials by social engineering, phishing campaigns, and sometimes even by purchasing them on the dark web. Often employees will use the same password combinations for personal accounts, and if a bad actor is able to buy these credentials from the dark web, they are then able to try them on work accounts. Once credentials are gained, the bad actor can often move around the network and infrastructure of the organization undetected because they are using valid credentials.
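As an added example, not part of the original plan, the Python below shows the detection logic a security team could run over authentication logs to spot the credential-reuse pattern described above: one source IP failing against many distinct work accounts inside a short window, sometimes followed by a success. The log lines, field layout and thresholds are constructed assumptions for illustration.

```python
# Added example, not from the original plan: detect the credential-reuse pattern
# described above in authentication logs. A purchased password list tried against
# work accounts shows up as one source IP failing against many distinct usernames
# in a short window, sometimes followed by a success. Log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2022-02-21T09:00:01 ip=203.0.113.9 user=alice result=FAIL
2022-02-21T09:00:02 ip=203.0.113.9 user=bob result=FAIL
2022-02-21T09:00:03 ip=203.0.113.9 user=carol result=FAIL
2022-02-21T09:00:04 ip=203.0.113.9 user=dave result=FAIL
2022-02-21T09:00:05 ip=203.0.113.9 user=erin result=FAIL
2022-02-21T09:00:06 ip=203.0.113.9 user=frank result=SUCCESS
2022-02-21T09:05:00 ip=198.51.100.7 user=alice result=FAIL
2022-02-21T09:05:30 ip=198.51.100.7 user=alice result=SUCCESS
"""

def parse_line(line):
    # Field layout "ts ip=... user=... result=..." is an assumption of this example.
    ts, ip, user, result = line.split()
    return {"ts": datetime.fromisoformat(ts),
            "ip": ip.split("=", 1)[1],
            "user": user.split("=", 1)[1],
            "ok": result.split("=", 1)[1] == "SUCCESS"}

def find_credential_stuffing(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {ip: {"users_tried": n, "compromised": [...]}} for source IPs that
    failed against at least `min_users` distinct accounts inside `window`, plus
    the accounts that then logged in successfully from that same IP."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        # Sliding window over failures: count distinct usernames within `window`.
        for i, start in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                compromised = sorted({e["user"] for e in evs if e["ok"]})
                alerts[ip] = {"users_tried": len(users), "compromised": compromised}
                break
    return alerts

if __name__ == "__main__":
    print(find_credential_stuffing(SAMPLE_LOG))
```

A single user failing once and then succeeding (the second IP above) is normal behaviour and is not flagged; the accounts listed under `compromised` are the ones to reset and investigate first.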

Ransomware attacks are very damaging to organizations due to the financial ramifications they can have. Once the bad actor or hacker group can install the ransomware on the system, they are then able to hold resources hostage until the ransom is paid. These attacks are usually performed for financial gain but can also aim to expose executives of an organization who may have reputationally damaging emails or content on their devices. These attacks affect every industry, and the ransoms are not cheap. “Ransoms could cost victims a collective total of $265 billion by 2031. The estimate is based on the prediction that the price tag will increase 30% every year over the next 10 years.” (Bisson, 2021). Ransomware can enter an organization’s system through different methods, so ensuring proper tools are in place to close these areas of weakness is important.

Distributed denial of service attacks are performed when a bad actor or group desires to bring down a system. These are often done for political gain, notoriety, or to make a statement against a company. These types of attacks have affected companies like Amazon, which fell victim in 2020: “We have reached another milestone with the largest Distributed Denial of Service (DDoS) attack on record being reported by Amazon Web Services (AWS) at 2.3 Tbps in Q1 2020.” (Nicholson, 2021) Since this attack was on Amazon Web Services, or AWS, it not only affected Amazon but also the customers who were using AWS for their organization’s infrastructure. These attacks can be devastating to organizations from a financial perspective if their systems are so overwhelmed that their online payment or ordering systems cannot function. For Amazon it put into question whether companies could trust AWS and its infrastructure to host some of their most sensitive assets and money-making systems.

The three listed threats pose a potential threat to our organization because of the sensitive data that is stored on our systems as well as the financial ramifications that would follow if someone were to gain access to the organization’s infrastructure or resources.

Threat Actors

Threat actors can vary depending on the goal of the attack and their target. Types of threat actors seen in today’s landscape are nation-state attackers, political activists (hacktivists), insider threats, and organized cyber-criminal groups. Below is a graphic that depicts these types of attackers and their aims when targeting organizations or groups.

[Graphic: threat actor types and their aims when targeting organizations] (Van-Riper, 2019)

Threat Remediation

Each of the threats discussed has a path to remediation, and some can be stopped before they damage the organization. This requires having tools in place like email security, firewalls, threat detection, single sign-on, password strengthening tools, and network protection. Each element of a properly designed security stack will help protect against these types of attacks. Though nothing can guarantee the safety of an organization, each tool will help protect the organization from most threats. Continually analyzing the strength of the tools and the internal network will help the organization decide if the tools continue to be the best fit for the types of threats most affecting the organization.

Training/Next Steps

An important part of keeping an organization safe from the threat vectors mentioned in this report is proper training. Making sure that employees understand a bit of the threat landscape, how to create proper passwords, and why to keep their personal and work credentials separate is important when attacking the issue of phishing and credential loss. Having a team that properly pen tests the network and tools will help with ransomware and with making sure that the company network and infrastructure do not have large holes or areas of weakness. Ensuring that the IT and security teams all have a good understanding of how to notice a DDoS attack and have backups and resources for the most critical and money-making systems is essential. The organization should make sure that employees are trained consistently and in the areas that most affect these security threat vectors.

By focusing on these threat vectors and laying a foundational framework for stopping threats, identifying threats, and remediating them if they do happen, the organization will keep our most precious assets safe. If a proper plan is in place, when a threat does occur the organization will be well prepared to handle it with minimal loss of resources.