Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/29/2016
10:30 AM
Adam Meyers
Adam Meyers
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

How to Roll Your Own Threat Intelligence Team

A lot of hard work needs to go into effectively implementing an intelligence-driven security model. It starts with five critical factors.

Many organizations want to build a threat intelligence team but don’t really know where to start, let alone answer the question, what exactly is threat intelligence? The definition has been clouded by the industry over the last several years, even as vendors rush to build "intelligence"-based solutions. Without getting bogged down in the argument over what is -- and is not -- threat intelligence, let's discuss how an organization can build a team to effectively use intelligence to drive enterprise security. Here are five critical factors:

Factor 1: Establish an intelligence priorities framework. To effectively use intelligence, the organization must first establish and prioritize information they will need. This can be accomplished by identifying intelligence gaps that exist, formulating requirements from the intelligence gaps, then organizing the requirements into categories that align with the organization.

For example, in a priority intelligence requirements (PIR) document, "P1" might map to what adversaries target my organization, underneath this, another requirement might be what nation-state adversaries target my organization. This might be expressed as "P1.a." This structure allows the organization to maintain a centralized list of all intelligence requirements available for review on a regular basis.

Factor 2: Incorporate and consolidate intelligence sources. There are a wealth of different sources:

  • Technical sources include the SIEM, IDS, firewall, next-generation endpoint security platforms, and logs from any number of devices
  • Open Sources such as published vendor reports, any number of free feeds of indicators, vendor vulnerability lists (Microsoft, Apple, Adobe, etc), and media sources
  • Closed Sources may include community mailing lists, or organizations such as ISACs
  • Paid Intelligence Feeds

Factor 3: Map Your Intelligence Collection. As new intelligence is collected from these sources, align them with the intelligence priorities defined in factor 1. For example, public reports indicators associated with a known threat actor, might align to an intelligence requirement around targeted attacks. Memorialize that intelligence via an internal system: an email with the source, date, priority it maps to, the collected intelligence, and some analysis. Store the collected intelligence in a searchable repository. If possible, operationalize it by feeding into technical sensors then take the actionable information and apply to SIEM, create firewall block or logging event, create an IDS rule, or block the hash in the endpoint prevention system.

Factor 4: Find the best talent. Employing intelligence analysts who can review inbound intelligence and produce analysis germane to the organization is key. As new intelligence is collected, someone needs to assess if it is significant to the organization, explain how it is significant, decide who it is significant for, and produce cogent analysis around scenarios in which it might be significant.

Entire libraries can be filled with books on proper analytic tradecraft, but training a SOC analyst to perform intelligence analysis can be very costly and time-consuming. Many technical experts operate in a binary world; something is either black or it is white. Intelligence analysts live in a grey world: they consider a myriad of states and can make assessments around the likelihood that something might happen, or cause a situation to change. These analysts will employ concepts like alternative competing hypotheses (ACH) to handle multiple possibilities or outcomes.

Factor 5: Tailor The Finished Products To The Audience. Disseminating intelligence is a critical function of the intelligence team. Weekly or even daily products that convey the intelligence analyzed and collected over a discrete period of time allow the intelligence team to keep their internal customers abreast of the various things that are going on. Intelligence products should be tailored to the audience and contain information to help them be more effective. For example, a product for the executive suite covering the attacks observed, upcoming events that may impact enterprise security, the latest relevant news pertaining to enterprise security, and intelligence assessments about things that may happen will go a long way in shaping an organization so that it is more proactive to threats.

Related Content:

 

Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/29/2016 | 12:54:21 PM
Define Intelligence
The question for me is how would you most simplistically define intelligence?
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
CVE-2020-5217
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
CVE-2020-5223
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.