Vulnerabilities / Threats
7/29/2016 10:30 AM
Adam Meyers
Commentary

How to Roll Your Own Threat Intelligence Team

A lot of hard work needs to go into effectively implementing an intelligence-driven security model. It starts with five critical factors.

Many organizations want to build a threat intelligence team but don't really know where to start, let alone answer the question of what exactly threat intelligence is. The definition has been clouded by the industry over the last several years, even as vendors rush to build "intelligence"-based solutions. Without getting bogged down in the argument over what is -- and is not -- threat intelligence, let's discuss how an organization can build a team that uses intelligence effectively to drive enterprise security. Here are five critical factors:

Factor 1: Establish an intelligence priorities framework. To use intelligence effectively, the organization must first establish and prioritize the information it will need. This can be accomplished by identifying the intelligence gaps that exist, formulating requirements from those gaps, then organizing the requirements into categories that align with the organization.

For example, in a priority intelligence requirements (PIR) document, "P1" might map to "what adversaries target my organization." Underneath it, a narrower requirement might be "what nation-state adversaries target my organization," expressed as "P1.a." This structure lets the organization maintain a centralized list of all intelligence requirements that is available for review on a regular basis.

Factor 2: Incorporate and consolidate intelligence sources. There is a wealth of different sources:

  • Technical sources include the SIEM, IDS, firewall, next-generation endpoint security platforms, and logs from any number of devices
  • Open sources such as published vendor reports, any number of free indicator feeds, vendor vulnerability lists (Microsoft, Apple, Adobe, etc.), and media sources
  • Closed sources may include community mailing lists or organizations such as ISACs
  • Paid intelligence feeds

Factor 3: Map your intelligence collection. As new intelligence is collected from these sources, align it with the intelligence priorities defined in factor 1. For example, indicators from a public report on a known threat actor might align to an intelligence requirement around targeted attacks. Memorialize that intelligence in an internal system: an email with the source, the date, the priority it maps to, the collected intelligence, and some analysis. Store the collected intelligence in a searchable repository. If possible, operationalize it by feeding it into technical sensors: apply the actionable information to the SIEM, create a firewall block or logging event, write an IDS rule, or block the hash in the endpoint prevention system.
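The PIR hierarchy from factor 1 and the collection log from factor 3 can be modelled in a few dozen lines. The following is an added example, not code from the article or from CrowdStrike: it keeps a reviewable outline of requirements ("P1", "P1.a", ...), refuses records that do not map to a known requirement, makes the store searchable by requirement, text and date, and exports de-duplicated indicators of one kind so they can be pushed to a sensor. Every requirement, source, date and indicator value in it is constructed for illustration.

```python
"""Intelligence priorities framework and collection log (added example).

Models the article's PIR outline (Factor 1) and the practice of
memorialising each collected item with source, date, requirement,
intelligence and analysis in a searchable store (Factor 3).
All requirements, sources and indicators below are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import date

# Requirement ids follow the "P1" / "P1.a" convention from the article;
# each dotted level is a sub-requirement of the level before it.
PIR_ID = re.compile(r"^P\d+(\.[a-z])*$")


def _sort_key(pir_id):
    """Outline order: numeric top level, then letters (P2 after P1.b, before P10)."""
    top, *subs = pir_id.split(".")
    return (int(top[1:]), subs)


class PIRFramework:
    """Centralised, reviewable list of intelligence requirements (Factor 1)."""

    def __init__(self):
        self._reqs = {}

    def add(self, pir_id, text):
        if not PIR_ID.match(pir_id):
            raise ValueError(f"bad requirement id: {pir_id}")
        parent = pir_id.rpartition(".")[0]
        if parent and parent not in self._reqs:
            raise ValueError(f"{pir_id} has no parent requirement {parent}")
        self._reqs[pir_id] = text

    def __contains__(self, pir_id):
        return pir_id in self._reqs

    def review_list(self):
        """Requirements in outline order, for the periodic review."""
        return [(i, self._reqs[i]) for i in sorted(self._reqs, key=_sort_key)]


@dataclass
class IntelRecord:
    """One memorialised item of collected intelligence (Factor 3)."""
    source: str
    collected: date
    pir_id: str
    summary: str
    analysis: str
    indicators: dict = field(default_factory=dict)  # kind -> list of values


class IntelRepository:
    """Searchable store of records, each tied to a known requirement."""

    def __init__(self, framework):
        self._fw = framework
        self._records = []

    def memorialize(self, record):
        if record.pir_id not in self._fw:
            raise ValueError(f"unknown requirement {record.pir_id}")
        self._records.append(record)

    def search(self, pir_prefix=None, text=None, since=None):
        """Filter by requirement (a prefix includes its sub-requirements), text, date."""
        hits = []
        for r in self._records:
            if pir_prefix and not (r.pir_id == pir_prefix or r.pir_id.startswith(pir_prefix + ".")):
                continue
            if text and text.lower() not in (r.summary + " " + r.analysis).lower():
                continue
            if since and r.collected < since:
                continue
            hits.append(r)
        return hits

    def indicators(self, kind, pir_prefix=None):
        """De-duplicated indicator values of one kind, ready to push to a sensor."""
        found = set()
        for r in self.search(pir_prefix=pir_prefix):
            found.update(r.indicators.get(kind, []))
        return sorted(found)


def build_demo():
    """Constructed framework and records; nothing here is real intelligence."""
    fw = PIRFramework()
    fw.add("P1", "What adversaries target my organization?")
    fw.add("P1.a", "What nation-state adversaries target my organization?")
    fw.add("P1.b", "What criminal groups target my organization?")
    fw.add("P2", "Which vulnerabilities in our estate are being exploited in the wild?")
    repo = IntelRepository(fw)
    repo.memorialize(IntelRecord("vendor report (constructed)", date(2016, 7, 20), "P1.a",
        "Report on a state-sponsored group active in our sector",
        "Sector overlap makes this relevant; watch the listed hashes.",
        {"sha256": ["0" * 64], "domain": ["example.invalid"]}))
    repo.memorialize(IntelRecord("ISAC mailing list (constructed)", date(2016, 7, 25), "P1.b",
        "Commodity ransomware campaign hitting peers",
        "Low confidence it is targeted; still worth blocking the hash.",
        {"sha256": ["1" * 64, "0" * 64]}))
    repo.memorialize(IntelRecord("vendor vulnerability list (constructed)", date(2016, 7, 28), "P2",
        "Exploitation of a patched bug in software we run",
        "Patch cycle not complete; raise priority with IT."))
    return fw, repo


if __name__ == "__main__":
    fw, repo = build_demo()
    for pir_id, text in fw.review_list():
        print(pir_id, text)
    print("P1 records:", len(repo.search(pir_prefix="P1")))
    print("hash blocklist for P1:", repo.indicators("sha256", pir_prefix="P1"))
```

Searching by the prefix "P1" returns everything filed under P1.a and P1.b as well, which is what the hierarchical numbering buys you: the executive question "who targets us?" and its narrower sub-questions share one answer set, while the indicator export gives the SOC a clean list to feed into endpoint blocking without duplicates.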

Factor 4: Find the best talent. Employing intelligence analysts who can review inbound intelligence and produce analysis germane to the organization is key. As new intelligence is collected, someone needs to assess if it is significant to the organization, explain how it is significant, decide who it is significant for, and produce cogent analysis around scenarios in which it might be significant.

Entire libraries can be filled with books on proper analytic tradecraft, but training a SOC analyst to perform intelligence analysis can be very costly and time-consuming. Many technical experts operate in a binary world; something is either black or it is white. Intelligence analysts live in a grey world: they consider a myriad of states and can make assessments around the likelihood that something might happen, or cause a situation to change. These analysts will employ concepts like alternative competing hypotheses (ACH) to handle multiple possibilities or outcomes.

Factor 5: Tailor the finished products to the audience. Disseminating intelligence is a critical function of the intelligence team. Weekly or even daily products that convey the intelligence collected and analyzed over a discrete period allow the intelligence team to keep its internal customers informed of current threats and events. Intelligence products should be tailored to the audience and contain information that helps them be more effective. For example, a product for the executive suite covering the attacks observed, upcoming events that may affect enterprise security, the latest relevant security news, and intelligence assessments about what may happen next will go a long way toward making the organization more proactive against threats.

Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of ...

Comments

RyanSepe, User Rank: Ninja
7/29/2016 | 12:54:21 PM
Define Intelligence
The question for me is how would you most simplistically define intelligence?