RECOMMENDATIONS OF A CYBER THREAT INTELLIGENCE PLAN

by

Ricardo Nevarez

Module 7 – Final Assignment

University of San Diego

August 29, 2017

 Page |1

Executive Summary

The manner in which we do business has dramatically changed since moving away from paper, and how
we now digitally manage our patient’s personal health information. Because of this new all-digital
direction we have embarked on, we need to implement a new security framework as well. Our current
security infrastructure is lacking in protecting our company against sophisticated cyber threats. What is
needed is to line-up our current security infrastructure measures to one that is equipped to deal with, and
safeguard against today’s, and tomorrow’s ongoing new cyber threats. With your support the executives,
we can successfully asses our current security posture, and face new challenges with regards to improving
security strategies that will improve business, and to also be strategically positioned to protect the patients
personal health information, and reputation of this company.

Furthermore, this will allow us to assess, respond, and remediate quicker to sophisticated security threats,
or breaches. It will also all a platform of which to identify the adversarial threats, their capabilities,
motivations, and methods. This proposed Cyber Threat Incident Response Plan will allow this company
to benefit from a higher level of customer support, and confidence in that our computer network systems
are secure, and especially meet and exceed HIPPA expectations. Since we have upgraded our daily
business processes with how we handle patient personal health information from all paper to all digital,
our existing security strategies, and methodologies are not aligned to protect us from cyber threats the
hackers pose, and also, whose intentions are to alter, steal or destroy our patient’s personal health
information. We are asking the executives for your approval, and support so that all this can be
accomplished moving forward, because this Cyber Threat Intelligence Plan will provide that platform this
company needs incorporate best practices to mitigate this new digital threat from breaching our networks
and stealing our customers private personal health information

Understanding Primary, and Ongoing Cyber Threat Concerns

Acquiring, and implementing an applicable actionable Cyber Threat Intelligence Plan is an ongoing
process, but the result of understanding what it is, the basics of it, having an understanding of the
technical aspect of the computer network, and the data that traverses over it is key. Think of the cyber
threat against this company as a flowing river. A cyber threat like the river is always flowing, it is never
the same at any given point, and it’s always changing. We need to know the threat actors to this company,
including their motivations in respect to altering, stealing or destroying our company’s patient’s personal
health information. We must be able to prevent, detect, and mitigate this threat, and asking the right
questions gets us on that path.

Key questions to continuously keep asking are:

 What current and future challenges do we face from these threat actors’?

 What are the methodology vectors of these threat actor’s?

 Current or Ex-Employees
 Spear Phishing
 Malware/ and or Ransomware
 Zero-Day Exploits
 Social Engineering
 SQL-Injection

 What Consequences and risks are involved if a successful attack should occur?
 Loss of existing and new patients.
 Page |2

 Negative public reputation of our company.

 Loss of personal private patient health information.
 Damage to our patient data, preventing “Business as usual”.
 Loss of revenue.

 What Cyber Intelligence must be analyzed to prevent threat actors into the network?
 Baseline of the computer network to determine what is not normal traffic.
 Improve security processes to protect digital company assets.

 What role do the executives play in the event of an attack?

 What Controls and Plans should be implemented to mitigate and prevent attacks?

Answering these questions requires actionable intelligence. We do this by focusing to understanding our
adversary. The adversarial threat to our company includes organized crime trying to get to our personal
patients health information to sell for a profit. Other direct threats include:

Cyber Threat Intelligence Products

The current security strategies in place now are not equipped to successfully handle cyber threats. For the
Cyber Threat Intelligence Plan to work, we require the implementation of new products that will generate
data of which will be used to create actionable intelligence. Such a security product that satisfies this gap
is the “FireEye Threat Intelligence” network appliance. It will provide our computer networks perimeter
with the threat detection we are looking for, and also intercept direct attacks before they breach into the
network. Its’ design also meets our needs to generate the information we need to produce actionable
intelligence we are looking for against the threat actors. Shown in the table below is the data we are
looking for in the product to produce for us.

Detection Gap The time between the breach into the computer network, and the discovery of the breach.

Response Gap The time between the discovery, and the remediation of the breach, thus limiting damage to the computer
network.

Prevention Gap The time invested in preventative measure to avoid future breaches of an attack before it occurs.

The intelligence gathered will also help put a picture together of 1) what the threat is, 2) what the source
of the vulnerability, 3) how to minimize the vulnerability, and 4) detecting the vulnerability. Other
sources to our disposable for gathering information to create actionable intelligence include:

1. RSS Feeds 4. Application Log Files

2. FTP sites 5. Conferences
3. System Log Files (tcp dumps) 6. Data Exchange Groups
 Page |1

7. AlienVault.com 12. The Cyber Threat

8. Cyveilance.com 13. ThreatConnect.com
9. FireEye.com 14. Security Log Files (firewalls/ IDS/
10. LookingGlass.com IPS)
11. Symantec.com
(Gourley, 2017)

Total Cost of Ownership of the “FireEye Threat Intelligence” appliance.

Return on Investment of the “FireEye Threat Intelligence” appliance.

The Return on Investment with the “FireEye Threat Intelligence” appliance is expected to be realized
after a six to seven months from the time of deploying the appliance. The selected components taken into
consideration, and used to arrive at our ROI included:
 Benefits we will reap.
 Confidence that we have the right tools, and processes to protect the network.
 Total Cost of Ownership.
 Flexibility of maintaining and managing this appliance, and the risks.
 Having the appliance onsite allows for direct management, cutting out the middle-man.
 Less risk of losing control of the appliance.

The risks of not investing in this appliance will include:

 Added manpower hours to manage security and data logs on an obsolete computer network.
 Regulatory fines for violations of HIPPA.
 Becoming a bigger target of a breach, negative press to the public, loss of revenue.
 Being sued by private parties, for not adequately protecting their private information.
(Mearian, 2016)
Here is a current graph of the estimated threats within our vertical market of home health care.
 Page |1

Potential Threats

To protect ourselves, we must first know the adversarial threat. Assessing the threat against our networks
reveals our weaknesses against the adversary’s offense, from which allows us to prepare. Strengthening
our processes and methodologies against that offense is the beginning. The adversarial direct threats are
those who have the financial means, and time to prepare, and learn new ways to circumvent the computer
network.

Their strength is in the numbers, and that hacker mentality is that hacking information should be free to
everyone. The InfoSec community tends to keep things closer to the chest. We do not easily share
information for the fear it may get out into the hacker community, turning that knowledge against our
networks. We need to be aware of the script kiddies, insider threats, activists, and organized crime. We
know these threats are persistent, skillful in their craft, greedy, and stealthy. Their attacks methodologies
are deliberate, and malicious in nature.

The table below breaks down into the adversary’s motives and their actions to our computer network.

We generally know the adversarial threats to our computer networks are from hackers, and we know a
little about their psychology in that they are excellent in managing their stress, are multitaskers, relaxed,
balanced, and self-healing (Atkinson, 2015).

Other direct threats to our computer network and our company data will include:
1. Advanced Persistent Threats (APT)
2. Distributed Denial of Service (DDoS)
3. Internal employees (see table above for malicious insider)
4. Ransomware /Malware
5. Phishing
6. Webmail Spam
(Caramela, 2017)

Adversarial Threat Actors, and their Methods

Part of the success of this Cyber Threat Intelligence Plan, will be to continuously stay in the loop of
whom, and what our threats are, and having the threat intelligence to close the gap on these threats.
Knowing that and the “where, when, why, and how” of the adversarial threats to this company will
positively contribute to mitigating the threats (EY, 2016). Now that we running our business practices
within the digital sphere, we needs to ask ourselves questions like what will the threats look like on our
systems. What weaknesses within our network will this threat exploit? Is this a new threat or an existing
known threat to the InfoSec community, and what can we do to remove it, and prevent it from happening
again.
 Page |2

From our research and threats against similar home health care businesses such as ours, the adversarial
threats actors will exploit the system through outdated firewall rule sets, unscheduled outdated software
updates, slow to maintain existing systems, outdated Windows operating system updates, not using
encrypted email, and lack of employee training on best security practices. The numbered “security
practices” below will mitigate against direct adversarial threat actors.

The lessons learned from mistakes other similar businesses have gone through with mitigating direct
threats to the company network include:
1. Secure VPN access (we use this for our remote employees out in the field).
2. Update and keep current all firewall rule sets.
3. Keep the “the FireEye Threat Intelligence” appliance up to date.
4. Update IDS signatures.
5. Enforce updating password policy to every 60 to 90 days.
6. Scheduled updates, keeping current all security policies.
7. Enforce proper deletion of Intellectual Property, both of digital and printed copies.
8. Quick analysis of questionable files.
9. Deploy DNS black holes.
10. Create email filters.
11. End-to-End Protection.
12. Email Encryption.
13. Provide employees continuous security workshops with proper use on the network.
(Lord, 2017)
Moving forward with our new “all digital” business model, definitely adds many layers with protecting
this company. It’s not like before where we would only require locking the metal cabinets to secure our
company’s private personal health information. It’s more that now. Our computer network is “always” on,
and vulnerable. As with the other parts of this Cyber Threat Intelligence Plan, it is important to have the
mindset of the hacker, and understand the hacker ways, and their methods when they breach our computer
network.

The Cyber Kill Chain

To better protect out new digital network, we need to better understand the adversarial threats, and their
methods into our computer network we must first break down the attacks into parts. Using the model
developed by Lockheed Martin called “The Cyber Kill Chain” is just the tool to help us look into each of
the seven phases of a typical attack. Having this information will help us better mitigate future attacks.
Since we have upgraded to an all-digital business model, we have updated all our software, and
applications, including installing anti-virus on our computers, and locking down our switches and routers
per best security practices. As far as we know at this time, we do not think we have been breached in any
way, but by understanding an attack, we can better be prepared for one. A typical attack will include

1. The recon phase

2. The weapon phase
3. The delivery phase
4. The Exploitation phase
5. The Installation phase
6. The Command & Control phase
7. The Actions & Objective phase.
(Assante & Lee, 2015), (Martin, 2017)

It needs to be pointed out, that these phases are like links of a chain. If any of the phases are broken, the
attack is shut down. Also, the sooner the attack is mitigated, the less damage will result. Briefly, I want to
 Page |3

go over two perspectives, the hacker, and the protectors of the computer network (that’s us), and how this
tool can be used to mitigate a direct attack.

During the first phase, there is not much we can do since during this phase is the work the hackers put in
to do recon on our company. To make it harder for the hacker during this phase, we can minimize our
internet footprint by removing direct contact information from our website, and partner websites, use port
scanning detection techniques, and use firewall threat detection.

The second phase involves the hackers putting in the work in designing the malicious payload onto our
network. This is true for direct attacks. Unfortunately, we don’t have any control over this phase.

The third phase involves the logistics of how the second phase will be delivered. This will include email
links, and email attachments. What can help mitigate this phase is to implement a proxy filter to block out
certain protocols, and tune our anti-virus to scan email attachments.

The forth phase is for the payload triggering the “exploitable code” on our computer network. To
potentially mitigate this we will require implementing a host-based intrusion detection appliance to
continuously monitor, block known and unknown vulnerabilities using “end-to-end” protection, and
continuously scan local and the network systems for malware.

The fifth phase the adversarial threat actor will install a backdoor of which to use to stealthy get in and
out of the network. We can mitigate this by implementing, and enforcing user access control policies,
upgrade our current router/ firewall to one that is a “next generation firewall”, and continuously stay on
top of monitoring data traffic for abnormalities outside of normal network traffic.

Within the sixth phase, the payload will communicate back to its hacker’s servers from which they can
garner control of the network. We can mitigate this by blocking incoming/ outgoing communications to
malicious URL’s (using URL filtering), block known attack vectors, use honeypots, and ensure DNS
monitoring.

This last phase, lots of damage has already occurred within our network, and the threat actors have
already stolen our patient’s private personal information, copying it back to their servers through FTP or
other means. To mitigate the damage already done, we would black outbound command & control
communication, block communications to malicious URLS, and monitor outbound file transfer data
traffic.

We have work ahead, but with a much better understanding at what’s at stake here, and what it’s going to
take to implement this Cyber Threat Intelligence Plan. The resources required once this is approved will
be applied to manpower, to reduce the amount of hours each or our IT employees have to put in, the
required network security appliances, and the ongoing training to know how to maintain, and manage our
new network security appliances. Other budgetary considerations will include training our IT people on
how to properly lock down the local computers, and network. The new budget will also go to training our
IT people on network security best practices applied to the computer network, certifications, and training
to our employees with how to be a smart end-user.

Because we are a home health business and we need to abide by HIPPA regulations, we have a
tremendous amount of resources available to us through their website. The key here is to have everyone
involved, including the end-users to be aware of potential threats. Mitigating these risks is critical so we
are in a better position to minimize the impact on the computer network. We need to also ensure we
continuous assess and keep up with new technology, and hacker methodologies to minimize the risk over
time. I also recommend continuous training, and assigning the right responsibilities to the right people.
 Page |4

Other risk management methodologies I can recommend are to implement an incident management plan,
manage user privileges and their media controls, malware protection, and overall network security. One
other thing I’d like to bring up to mitigate future attacks on our computer network, is something called
“threat hunting”. Basically, this is the act of going out onto the computer network looking for anomalies.
But this can only be done, once we have successfully implemented our “Cyber Threat Intelligence Plan”
and have created a baseline of our entire computer network. It’s a new pro-active approach to searching
out, and identifying and understanding our adversarial threats. As I mentioned, understanding the threat
will allow us to better understand our weakness, of which will allow being better prepared.
 Page |5

References
Assante, M. J., & Lee, R. M. (2015, October). The Industrial Control System Cyber Kill Chain. Retrieved
August 29, 2017, from SANS.ORG: https://www.sans.org/reading-
room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

Atkinson, S. (2015, June 20). Psychology and the hacker - Psychological Incident Handling. Retrieved
August 29, 2017, from SANS.ORG: https://www.sans.org/reading-
room/whitepapers/incident/psychology-hacker-psychological-incident-handling-36077

Caramela, S. (2017, June 2). Cybersecurity: A Small Business Guide. Retrieved August 29, 2017, from
Business News Daily: http://www.businessnewsdaily.com/8231-small-business-cybersecurity-
guide.html

EY. (2016). How do you find the criminals before they commit the cybercrime? Retrieved August 29,
2017, from EYGM: http://www.ey.com/Publication/vwLUAssets/EY-how-do-you-find-the-
criminal-before-they-commit-the-cybercrime/$FILE/EY-how-do-you-find-the-criminal-before-
they-commit-the-cybercrime.pdf

Gourley, B. . (2017). Cyber Thraet Intelligence Feeds. Retrieved August 29, 2017, from The Cyber
Threat: http://thecyberthreat.com/cyber-threat-intelligence-feeds/

Lord, N. (2017, July 17). How to Secure Intellectual Property From Loss or Compromise. Retrieved
August 29, 2017, from Digital Guardian: https://digitalguardian.com/blog/how-to-secure-
intellectual-property

Martin, L. (2017). The Cyber Kill Chain. Retrieved August 29, 2017, from Lockheed Martin:
http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html

Mearian, L. (2016, June 30). Hackers are coming for your healthcare records -- here’s why. Retrieved
August 29, 2017, from COMPUTERWORLD:
http://www.computerworld.com/article/3090566/healthcare-it/hackers-are-coming-for-your-
healthcare-records-heres-why.html