One of the hot words (and much-abused terms) in the security arena this year is “threat intelligence” and not because it is a new term but because it is going through an evolutionary period where many organizations are recognizing the value of this information.
As described in the article The next marketing buzzword in security is…, it is very important that “the organization understands how external intelligence can be fused with internal data so you can understand it in relationship to your environment”.
A quick and easy model that covers all the important steps of an intelligence program is:
- Monitor cyber threat intelligence sources for notifications, alerts and early warning indicators
- Collect intelligence relevant to the organization threat profile
- Identify threat actors (TAs) as well as identify the Tactics, Techniques, and Procedures (TTPs)
- Communicate to the stakeholders (internal and external)
- Integrate with the IT organization ecosystem
One’s mileage may vary, and this approach may be renamed or extended by adding more details, but the methodology is essentially the same.
A Threat Intelligence Analyst (TIA) might approach this by:
- Evaluating the intelligence report or message in detail and determining the legitimacy of its source(s).
- If the TIA considers that the intelligence represents a threat to the organization, scheduling a meeting with at least one CIRT/CSIRT team member to collaborate on the analysis of the information and try to answer (even partially) the following key questions:
  - Is the intelligence source relevant and credible?
  - Is the intelligence publicly available?
  - What is the likelihood of exploitation in the organization?
  - How could this impact our people, processes and organization?
  - Do I need to take action?
All of these actions collapse into the third step (identify), and upon completion of the threat severity analysis the TIA prepares a communication to the internal stakeholders that briefs them on the:
- Description of threat intelligence
- Relevance to organization
- TAs and TTPs
- Action Plan
- Contact Information
If this bulletin is relevant or appropriate to external stakeholders, the TIA will sanitize the report and securely distribute using the appropriate sharing model and method (CIF, IETF MILE standards, CybOX/STIX/TAXII, OTX, OpenIOC, TLP).
The final step (integrate phase) is to:
- Immediately ingest actionable threat intelligence data into detection and monitoring technologies and processes
- Perform historical searches and develop active monitoring capabilities
- Initiate incident response procedures for any systems that indicate compromise
But, how does the organization determine what is an appropriate response to a threat intelligence report?
A straightforward way to solve this problem is to use the following formula:
Relevance × Likelihood × Impact = Action
Relevance:
- Is the intelligence consistent with other sources?
- Is the source known and credible?
- Are the associated TAs or TTPs relevant to our organizational threat profile?
Likelihood:
- Are our resources vulnerable to the associated exploit(s)?
- How susceptible are we to the TTP/methods?
- What are the known capabilities of the associated attack tool/cyber weapon?
- Will our existing security defenses prove effective against this threat?
Impact:
- What is the estimated cost of remediation or mitigation of the risk?
- What is the estimated number of systems/users/business units at risk?
- Might critical business processes be affected?
- Can the threat potentially place critical assets at risk?
Action:
- Who should be responsible for taking action?
- Does the cost to mitigate the threat exceed the annualized loss expectancy (ALE)?
- Given our analysis of the evidence, what time frame should we establish for remediation?
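One way to turn the questions above into a repeatable triage step, as an added example that is not part of the original post: the yes/no answers for each factor are mapped to a 1..5 score, the product Relevance × Likelihood × Impact selects an action band and remediation window, and the cost-versus-ALE question is checked explicitly. The scale, the bands, the question keys and the sample bulletin are assumptions for this example.

```python
# Added example: scoring a threat intelligence report with the Relevance x Likelihood x
# Impact = Action model. Scale, bands and question sets are assumptions, not the post's.
from dataclasses import dataclass

def factor_score(answers: dict[str, bool]) -> int:
    """Map yes/no answers for one factor onto a 1 (negligible)..5 (severe) score."""
    if not answers:
        raise ValueError("each factor needs at least one answered question")
    return max(1, round(1 + 4 * sum(answers.values()) / len(answers)))

@dataclass
class IntelReport:
    title: str
    relevance: dict[str, bool]   # credible source? corroborated? TTPs in our threat profile?
    likelihood: dict[str, bool]  # assets vulnerable? susceptible? tool capable? defenses weak?
    impact: dict[str, bool]      # many systems? critical processes? critical assets? costly?
    mitigation_cost: float       # estimated cost to remediate or mitigate
    sle: float                   # single loss expectancy
    aro: float                   # annualized rate of occurrence

# Action bands on the 1..125 product (threshold, action, remediation window in days).
BANDS = [(64, "initiate incident response and emergency remediation", 1),
         (27, "ingest indicators, run historical search, schedule remediation", 7),
         (8, "track in monitoring and review at the next cycle", 30)]

def triage(report: IntelReport) -> dict:
    r, l, i = (factor_score(report.relevance), factor_score(report.likelihood),
               factor_score(report.impact))
    score = r * l * i
    action, days = "archive, no action required", None
    for threshold, band_action, band_days in BANDS:
        if score >= threshold:
            action, days = band_action, band_days
            break
    ale = report.sle * report.aro  # ALE = SLE x ARO
    # Mitigation dearer than the ALE and not already at the IR band: needs a risk-acceptance call.
    if report.mitigation_cost > ale and score < 64:
        action = "cost exceeds ALE, escalate for risk acceptance; " + action
    return {"title": report.title, "relevance": r, "likelihood": l, "impact": i,
            "score": score, "ale": ale, "action": action, "remediate_within_days": days}

# Constructed sample bulletin (not a real report).
SAMPLE = IntelReport(
    title="Macro-enabled invoice phishing campaign (constructed sample)",
    relevance={"credible_source": True, "corroborated": True, "ttp_in_profile": True},
    likelihood={"assets_vulnerable": True, "susceptible": True, "tool_capable": True, "defenses_weak": False},
    impact={"many_systems": True, "critical_process": True, "critical_assets": False, "costly": False},
    mitigation_cost=10_000, sle=50_000, aro=0.5)
```

Running `triage(SAMPLE)` on the constructed bulletin scores 5 × 4 × 3 = 60, which lands in the "ingest indicators, run historical search" band with a seven-day window; the same report with a mitigation cost above the 25,000 ALE is flagged for a risk-acceptance decision instead.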
How does your organization operationalize threat intelligence? Do you get value out of most of the intelligence you collect? Or is it generally not actionable?