Running Head: CYBER THREAT INTELLIGENCE PLAN 1
Cyber Threat Intelligence Plan
University of San Diego
March 11, 2019
Executive Summary
Our organization faces a wide array of cyber threats on a daily basis. A single
incident can have serious financial, reputational, and regulatory consequences, so it is in
the company's best interest that we are well postured to mitigate these threats.
Establishing a sound cybersecurity program inclusive of policies, operations, and testing
is crucial to our organization. Maintaining that program, and holding our company and
its employees to that standard, will be an even bigger challenge.
A key consideration in cyber security and threat mitigation is that tools and
techniques, once applied, are not "one and done" measures. The company will have to be steadfast in
maintaining all of its equipment, performing periodic assessments, and carrying out
necessary maintenance and upgrades in order to stand the best chance of
avoiding an incident. Another consideration is that, as an Internet Service
Provider, our company has more than its own resources to protect. We are responsible to
our company, its resources, and its employees, as well as to its customers. In the world of cyber
security, an up-front investment does not immediately present a visible return on
investment (ROI); the return is recognized in the incidents that do not occur, which would ultimately cost
this organization more than it invested.
This proposal will serve as a recommendation to the senior leadership of our
organization on what steps or actions we should take in order to decrease our exposure to
cyber threats while accepting a tolerable level of risk. The common phrase "you get
what you pay for" is very applicable in the world of cyber security and threat mitigation.
There are no shortcuts to good security, so our security and the defense of our assets are
only as good as we make them.
Cyber Threat Intelligence Plan
Our company faces potential exposure to cyber threats constantly. To ensure
that the company has the highest probability of avoiding cyber incidents, this intelligence
plan will present historical examples of cyber incidents and their resulting ramifications, as
well as propose steps that senior leadership can take to better posture our company
against these threats.
A History of Cyber Attacks
Many companies have been exposed to high-visibility attacks. Private sector
organizations such as Home Depot, Target, Costco, Heartland Payment Systems, and
Sony have all been breached, resulting in significant damage to those organizations. In
addition, the United States Federal Government has seen its share of breaches,
including the Office of Personnel Management breach that exposed the Personally Identifiable
Information of millions of federal employees.
There have been well-known and well-documented malware attacks that have
affected millions of users worldwide. Attacks can originate from various threat actors, that is,
those who initiate their attacks with particular intentions in mind.
Image 1. The Various Threat Actors and Their Intentions (Trend Micro, 2015).
Vulnerabilities in software applications, malware, phishing, and other attack vectors have
all been employed. Unpatched software applications such as the Microsoft SMB
vulnerability resulted in the Equifax data breach in 2017 as well as the WannaCry and
NotPetya ransomware attacks of 2017. Other security weaknesses involved in these attacks
included exposed developer credentials, domain controller problems, and even infected
updates for the M.E.Doc software that was involved in the NotPetya ransomware breach.
Image 2. Top 5 Common Cyber Threats (Cybriant, n.d.).
This brief history of attacks and the attack vectors used makes clear that our
company should take proactive measures to identify threats and vulnerabilities,
improve our cyber security, and ultimately mitigate the widest range of threats
feasible.
The Plan
This briefing and associated presentation will serve as a recommendation to
senior leadership regarding what steps and actions we can take in order to evaluate and
improve upon our cyber security posture. The following actions are highly recommended
for the organization to improve the current cyber security posture:
Implement network monitoring solutions: Software solutions such as Logic
Monitor enable companies to monitor the security and performance of the
enterprise network. This includes resource use and management, testing, data
logging, and security monitoring and alerting.
Perform audits: Assessing compliance with standing policies can reveal potential
security shortcomings. Acceptable Use, Bring-Your-Own-Device (BYOD), and
Teleworking are among the policies our company has in place. Ensuring that
employees fully comply with these policies can help mitigate accidental internal
threats.
Employee training: Performance trends from network monitoring and audits
verifying compliance can reveal shortcomings in employee awareness and
knowledge when using the corporate network. Sufficient training should be
provided to employees to help reduce exposure to threats, such as training about
phishing threats in emails or social engineering attacks.
Perform penetration testing: This type of testing can be performed internally or
externally, but due to the nature and size of our company it is recommended that
a third party perform the testing. The test will assess our entire cyber
security posture and reveal security vulnerabilities ranging from expired
credentials to missing patches to improperly configured networking equipment.
Consider outsourcing certain functions and operations: The cost, in money or
staff resources, of standing up and maintaining these operations can become excessive.
There are third-party firms that offer a wide array of cyber security services,
such as SolarWinds or Logic Monitor, which provide network monitoring as
Software-as-a-Service (SaaS).
Update policies and procedures: Any identified problems and lessons learned
from penetration testing should be incorporated into existing policies.
Incorporating audits into the policies should ensure that the company remains in
compliance with its established documentation.
Timeline and Costs
This section will briefly cover approximate time requirements and costs
associated with the recommended upgrades.
Network monitoring solution: Depending on the deployment structure, this
requirement could be deployable within days to weeks. If network monitoring is
handled within the organization, the time required to procure, test, and implement
the solution must be considered, as well as employee training to operate and
maintain it. The more feasible option would be to outsource this function
to a third-party vendor. Logic Monitor offers this solution as SaaS,
requiring very little time and resources from the company, and it is scalable to our
architecture. Pricing for enterprise-level protection starts at $4000 per month for
200 devices, at a rate of $20 per device (Logic Monitor, n.d.).
Penetration testing: This service can take several days to a couple of weeks
depending on the vendor and the depth of testing performed. As a baseline, TrustNet
offers penetration testing services priced by the number of IPs, with one package
starting at $20,000 for 300 IPs (TrustNet, n.d.).
Training, audits and policies: These processes can take days to weeks to perform
and would cost the company little in monetary terms. The main cost would be
employee time spent attending training rather than working. Audits can
be performed during penetration testing, and policies can be updated afterwards.
Conclusion
The company can benefit greatly from implementing these proposals.
These steps can identify vulnerabilities within the organization, ranging from personnel
concerns to physical or network security, and can give the company the insight and
information required to mitigate such vulnerabilities and avoid serious financial and legal
ramifications down the road. This briefing recommends these steps, but
senior leadership should also weigh the benefits against the costs and decide
whether the Return on Investment is worthwhile.
References
Cybriant. (n.d.). Top 5 Cyber Threats. Retrieved from https://www.cybriant.com
Fleishman, G. (2018). Equifax Data Breach, One Year Later: Obvious Errors and No
Real Changes, New Report Says. Retrieved from
http://fortune.com/2018/09/07/equifax-data-breach-one-year-anniversary/
Logic Monitor. (n.d.). Pricing. Retrieved from https://www.logicmonitor.com/pricing/
Symantec. (2017). Ransom.Wannacry. Retrieved from
https://www.symantec.com/security-center/writeup/2017-051310-3522-99
Trend Micro. (2015). Targeted Attack Campaigns and Trends: 2014 Annual Report. Retrieved
from https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/targeted-attack-campaigns-and-trends-2014-annual-report
TrustNet. (n.d.). Penetration Testing Cost. Retrieved from
https://www.trustnetinc.com/pricing/penetration-testing/