Cyber Threat Intelligence Program Primer NASCUS August 1, 2016 Chicago, IL Christina Saari, Senior Cyber Intelligence Officer National Credit Union Administration.


1 Cyber Threat Intelligence Program Primer NASCUS August 1, 2016 Chicago, IL Christina Saari, Senior Cyber Intelligence Officer National Credit Union Administration

2 CU Industry Challenge
Growing small business attacks
Shifting attack vectors/TTPs can sidestep traditional countermeasures (i.e., virus, malware utilities)
Need for cost-effective solutions
insights.sei.cmu.edu

3 CAT Domain 2 Baseline

| Domain | Declarative Statement | Comment |
| --- | --- | --- |
| 2: Threat Intelligence & Collaboration | The institution belongs or subscribes to a threat and vulnerability information sharing source(s) that provides information on threats (e.g., Financial Services Information Sharing and Analysis Center [FS-ISAC], U.S. Computer Emergency Readiness Team [US-CERT]). (FFIEC E-Banking Work Program, page 28) | Increasingly, situational awareness of current and emerging threats is considered foundational to effective cybersecurity risk management. As a result, financial institutions should subscribe to information sharing resources that include threat and vulnerability information for situational awareness. There are many sources of information such as US-CERT, critical infrastructure sector ISACs, industry associations, vendors, and federal briefings. There are 19 public and private information-sharing ISACs for critical infrastructure, set up for the purpose of sharing information with their constituents, between themselves, and government. US-CERT offers a free email subscription service for vulnerability alerts along with weekly summaries. |
| 2: Threat Intelligence & Collaboration | Threat information is used to monitor threats and vulnerabilities. (FFIEC Information Security Booklet, page 83) | Threats and vulnerabilities that are considered important to the financial institution are monitored via identified information resources. Financial institutions can monitor threats and vulnerabilities by visiting information sharing resources on a regular basis and/or by subscribing to alerts, warnings and RSS feeds of threat and vulnerability information from the information sharing resources. |
| 2: Threat Intelligence & Collaboration | Threat information is used to enhance internal risk management and controls. (FFIEC Information Security Booklet, page 4) | The financial institution associates threats based on the targeted vulnerabilities and motivations, with the parts of the organization most likely to be targeted. Stakeholders for threat and vulnerability information are identified and involved. Examples of control enhancements could include actions taken to mitigate activity or patterns of activity associated with elevated fraud risk for electronic banking systems or plastic cards (i.e. debit or credit cards). |
| 2: Threat Intelligence & Collaboration | Audit log records and other security event logs are reviewed and retained in a secure manner. (FFIEC Information Security Booklet, page 79) | Logging is enabled and a retention process is in place for assets or systems that generate important security-related event logs. Perpetrators often seek to delete audit or security logs to eliminate evidence of a computer intrusion and theft of customer or financial institution information or funds. |

4 CAT Domain 2 Baseline

| Domain | Declarative Statement | Comment |
| --- | --- | --- |
| 2: Threat Intelligence & Collaboration | Computer event logs are used for investigations once an event has occurred. (FFIEC Information Security Booklet, page 83) | Logs from security technologies, endpoints, and network devices provide incident responders with crucial evidence for investigations into attack activity. Logs from network devices such as switches and wireless access points, and from programs such as network monitoring software, might record data that could be of use in computer security or other information technology (IT) initiatives, such as operations and audits, as well as in demonstrating compliance with regulations. However, for computer security these logs are generally used on an as-needed basis as supplementary sources of information. Organizations should consider the value of each potential source of computer security log data when designing and implementing a log management infrastructure. (NIST 800-92) |
| 2: Threat Intelligence & Collaboration | Information security threats are gathered and shared with applicable internal employees. (FFIEC Information Security Booklet, page 83) | Threat information is collected and provided to applicable individuals and/or business units. For example, social engineering is a major threat vector that requires security awareness throughout the institution. |
| 2: Threat Intelligence & Collaboration | Contact information for law enforcement and the regulator(s) is maintained and updated regularly. (FFIEC Business Continuity Planning Work Program, Objective I: 5-1) | Maintaining law enforcement contact information is an initial step towards effective information sharing and can facilitate more rapid incident response. |
| 2: Threat Intelligence & Collaboration | Information about threats is shared with law enforcement and regulators when required or prompted. (FFIEC Information Security Booklet, page 84) | Regulator notice is required for customer data breaches under the GLBA Safeguarding Guidelines (NCUA RR Part 748 Appendix B). Responsibility for cybersecurity reporting obligations should be assigned to appropriate personnel (e.g., internal reporting, US-CERT, law enforcement). |

5 Research on CTI Benefits
Ponemon Institute 2015

6 CTI Research
Ponemon Institute 2015

7 CTI Research
Ponemon Institute 2015

8 CTI Research
Ponemon Institute 2015

9 CTI Research
Ponemon Institute 2015

10 What is Cyber Threat Intelligence?
Cyber Threat Intelligence (CTI) is the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision-making.

11 Cyber Threat?
A cyber threat is the possibility of a malicious attempt to damage or disrupt a computer network or system.

12 Intelligence?
Intelligence is information that has been analyzed and refined so that it is useful in making decisions.

13 What Intelligence is Not…
Intelligence is NOT…
– data
– information

14 Relationship
U.S. Department of Defense’s Joint Publication 2-0: Joint Intelligence

15 Intelligence-Aspirations
Cyber Threat Intelligence should strive to be…
– accurate
– relevant
– timely
– actionable

16 Developing a CTI Program
PRIORITIZE critical assets – IS.B.12
ENGAGE key stakeholders – IS.B.12
IDENTIFY personnel – IS.B.83
ACQUIRE information sources – IS.B.83, EB.B.28
FILTER & ANALYZE the data – IS.B.4, IS.B.83
COMMUNICATE results – IS.B.83
Institutionalize the Process
Domain 2
Domain 1

17 Types of Information Sources
Internal
– IT and Security Infrastructure
– Employees
Enterprise
– Managed Security Service Providers
– Business partners
External
– Government
– Industry Associations and Networks
– Commercial Sources

18 Government Resources
U.S. Computer Emergency Readiness Team (US-CERT) – https://www.us-cert.gov/mailing-lists-and-feeds
InfraGard – https://www.infragard.org/
Internet Crime Complaint Center – http://www.ic3.gov/default.aspx
Cyber Information Sharing and Collaboration Program (CISCP) – http://www.dhs.gov/ciscp#
National Security Agency, Information Assurance Division – https://www.iad.gov/iad/

19 Questions?
Christina Saari, Senior Cyber Intelligence Specialist, NCUA – csaari@ncua.gov – 703-201-8805
Tim Segerson, Dep. Dir. E&I, NCUA – segerson@ncua.gov – 703-518-6397

