Threat intelligence is a critical part of an organization's cybersecurity strategy, but given how quickly the state of cybersecurity evolves, is the traditional model still relevant?
Whether you're a cybersecurity expert or someone who's looking to build a threat intelligence program from the ground up, this simple framework transforms the traditional model, so it can apply to the current landscape. It relies on the technologies available today and can be implemented in four simple steps.
A Quick Look at the Threat Intelligence Framework
The framework we'll be referencing here is called the Intelligence Cycle, which breaks down into four phases (the four numbered steps below).
This is the traditional framework, but let's take a deeper look at each step, update it for the modern day, and outline how to follow it in 2022.
To do this, we'll leverage a use case of credential leakage as an example. Credential leakage is an area organizations of any size should be familiar with, making it an optimal choice for illustrating how to build an effective threat intelligence program.
1. Set a direction.
The first step in this process is to set the direction of your program by outlining what you're looking for and what questions you want to ask and answer. To help with this, you can create Prioritized Intelligence Requirements, or PIRs, and a desired outcome.
You should aim to be as explicit as possible. In the case of credential leakage, let's set our PIR to identify login credentials that have been exposed to an unauthorized entity.
With this very specific PIR outlined, we can now determine a desired outcome, which in this case would be forcing a password reset. This is crucial, and later, we'll see how the desired outcome impacts how we build this threat intelligence program.
2. Map out what data to collect.
Once you've set your PIRs and desired outcome, you need to map out the sources of intelligence that will serve the direction.
For this use case, let's identify how threat actors gain credentials. A few of the most common sources include the following: endpoints (usually harvested by botnets), third-party breaches, code repositories, posts on a forum/pastebin, and Dark Web black markets where credentials are bought and sold.
Mapping out these sources allows you to outline the areas you need to focus on for analysis.
3. Select your approach to analysis.
You can take an automated or a manual approach to analysis. Automated analysis involves leveraging AI or sophisticated algorithms that classify relevant data into alerts of credential leakage, from which the emails and passwords can be extracted. The alternative is to analyze the information manually: gather all the data and have the analysts on your team review it and decide what's relevant to your organization.
The biggest advantage of manual analysis is flexibility. You can put more human resources, intelligence, and insight into the process to surface only what is relevant. But there are also disadvantages — this process is much slower than automated analysis.
With speed being critical, automated analysis is the best approach. It doesn’t require analysts to sort through the data, and if threats are being automatically classified, they can likely be automatically remediated.
Let's take a look at this in practice: Say your algorithm finds an email and password mentioned on a forum. The AI can classify the incident and extract the relevant information (e.g., the email/username and password) in a machine-readable format. Then, a response can be automatically applied, like force resetting the password for the identified user.
Automated analysis may not be the best option in every scenario, but in this case it brings us closest to our desired outcome.
4. Disseminate analysis to take action.
Traditionally, when it comes to the intelligence cycle and the dissemination of threat intelligence, we talk about sending alerts and reports to the relevant stakeholders to review and take appropriate action.
But as our example in the previous section shows, the future (and current state) of this process is fully automated remediation. With this in mind, we shouldn't just discuss how we distribute alerts and information in the organization — we should also think about how we can take the intelligence and distribute it to security devices to automatically prevent the upcoming attack.
For leaked credentials, this could mean sending the intelligence to Active Directory to automatically force a password reset without human intervention. This is a great example of how shifting to an automated solution can dramatically reduce the time to remediation.
Once again, let’s go back to our PIR and desired outcome; we want to force the password reset before the threat actor uses the password. Speed is key, so we should definitely automate the remediation. We need a solution that takes the intelligence from the sources we've mapped out, automatically produces an alert with the information extracted, and automatically remediates the threat to reduce risk as fast as possible.
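The pipeline described across the four steps, as an added example (not code from the original article or from any vendor product): constructed sample records stand in for the collected sources, the analysis step extracts email/password pairs and keeps only those matching the organization's monitored domains (the PIR), and dissemination pushes each alert straight to a stand-in directory that forces a reset. The monitored domain, the sample posts, the regexes and the `Directory` class are all assumptions; an unknown account (e.g. a former employee) is reported but cannot be remediated.

```python
import re
from dataclasses import dataclass

# Step 1 (PIR): credentials of *our* users exposed to an unauthorized party.
MONITORED_DOMAINS = {"example.com"}  # assumption: the organization's mail domains

# Step 2: constructed sample of raw collected data from the mapped sources (not real posts).
COLLECTED = [
    {"source": "forum", "text": "dump: alice@example.com:Winter2022! bob@other.org:hunter2"},
    {"source": "pastebin", "text": "erin@example.com:Summer21 (old dump)"},  # account no longer exists
    {"source": "botnet_log", "text": "URL: https://mail.example.com USER: carol@example.com PASS: Pa55w0rd"},
    {"source": "forum", "text": "alice@example.com:Winter2022!"},  # duplicate of the first hit
]

# Two common layouts: "email:password" lines and stealer-log style "USER: ... PASS: ..." (assumed formats).
CRED_PATTERNS = [
    re.compile(r"([\w.+-]+@[\w-]+\.[\w.]+):(\S+)"),
    re.compile(r"USER:\s*([\w.+-]+@[\w-]+\.[\w.]+)\s+PASS:\s*(\S+)"),
]

@dataclass
class Alert:
    source: str
    email: str
    password: str

def analyze(records):
    """Step 3 (automated): extract credential pairs, keep only in-scope ones, drop duplicates."""
    seen, alerts = set(), []
    for rec in records:
        for pat in CRED_PATTERNS:
            for email, password in pat.findall(rec["text"]):
                email = email.lower()
                if email.rsplit("@", 1)[1] not in MONITORED_DOMAINS or (email, password) in seen:
                    continue  # another organization's user, or already alerted on
                seen.add((email, password))
                alerts.append(Alert(rec["source"], email, password))
    return alerts

class Directory:
    """Stand-in for the identity store (assumption); a real integration calls the directory's API."""
    def __init__(self, users):
        self.must_reset = {u: False for u in users}
    def force_reset(self, email):
        if email not in self.must_reset:
            return False  # unknown account: nothing to reset, but the alert still gets reported
        self.must_reset[email] = True
        return True

def disseminate(alerts, directory):
    """Step 4: push each alert to the directory itself, not only to a human review queue."""
    return {a.email: directory.force_reset(a.email) for a in alerts}
```

Only the account identifier reaches the directory; the extracted password stays in the alert for the analyst record.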
This is how detection and response should look in 2022.
About the Author
Alon Arvatz joined Rapid7 in July 2021 following its acquisition of IntSights Cyber Intelligence, which he co-founded and led as Chief Product Officer. Alon is now a key contributor to the Rapid7 threat intelligence product road map, including product development, threat research, and intelligence gathering operations.
Prior to founding IntSights, Alon was co-founder and CEO of Cyber-School, an educational program offering cybersecurity-related courses to teenagers. Alon is a veteran of an elite cybersecurity intelligence unit within the Israel Defense Forces (IDF), where he led and coordinated global cyber-intelligence campaigns.