Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/29/2016
10:30 AM
Adam Meyers
Adam Meyers
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

How to Roll Your Own Threat Intelligence Team

A lot of hard work needs to go into effectively implementing an intelligence-driven security model. It starts with five critical factors.

Many organizations want to build a threat intelligence team but don’t really know where to start, let alone answer the question, what exactly is threat intelligence? The definition has been clouded by the industry over the last several years, even as vendors rush to build "intelligence"-based solutions. Without getting bogged down in the argument over what is -- and is not -- threat intelligence, let's discuss how an organization can build a team to effectively use intelligence to drive enterprise security. Here are five critical factors:

Factor 1: Establish an intelligence priorities framework. To effectively use intelligence, the organization must first establish and prioritize information they will need. This can be accomplished by identifying intelligence gaps that exist, formulating requirements from the intelligence gaps, then organizing the requirements into categories that align with the organization.

For example, in a priority intelligence requirements (PIR) document, "P1" might map to what adversaries target my organization, underneath this, another requirement might be what nation-state adversaries target my organization. This might be expressed as "P1.a." This structure allows the organization to maintain a centralized list of all intelligence requirements available for review on a regular basis.

Factor 2: Incorporate and consolidate intelligence sources. There are a wealth of different sources:

  • Technical sources include the SIEM, IDS, firewall, next-generation endpoint security platforms, and logs from any number of devices
  • Open Sources such as published vendor reports, any number of free feeds of indicators, vendor vulnerability lists (Microsoft, Apple, Adobe, etc), and media sources
  • Closed Sources may include community mailing lists, or organizations such as ISACs
  • Paid Intelligence Feeds

Factor 3: Map Your Intelligence Collection. As new intelligence is collected from these sources, align them with the intelligence priorities defined in factor 1. For example, public reports indicators associated with a known threat actor, might align to an intelligence requirement around targeted attacks. Memorialize that intelligence via an internal system: an email with the source, date, priority it maps to, the collected intelligence, and some analysis. Store the collected intelligence in a searchable repository. If possible, operationalize it by feeding into technical sensors then take the actionable information and apply to SIEM, create firewall block or logging event, create an IDS rule, or block the hash in the endpoint prevention system.

Factor 4: Find the best talent. Employing intelligence analysts who can review inbound intelligence and produce analysis germane to the organization is key. As new intelligence is collected, someone needs to assess if it is significant to the organization, explain how it is significant, decide who it is significant for, and produce cogent analysis around scenarios in which it might be significant.

Entire libraries can be filled with books on proper analytic tradecraft, but training a SOC analyst to perform intelligence analysis can be very costly and time-consuming. Many technical experts operate in a binary world; something is either black or it is white. Intelligence analysts live in a grey world: they consider a myriad of states and can make assessments around the likelihood that something might happen, or cause a situation to change. These analysts will employ concepts like alternative competing hypotheses (ACH) to handle multiple possibilities or outcomes.

Factor 5: Tailor The Finished Products To The Audience. Disseminating intelligence is a critical function of the intelligence team. Weekly or even daily products that convey the intelligence analyzed and collected over a discrete period of time allow the intelligence team to keep their internal customers abreast of the various things that are going on. Intelligence products should be tailored to the audience and contain information to help them be more effective. For example, a product for the executive suite covering the attacks observed, upcoming events that may impact enterprise security, the latest relevant news pertaining to enterprise security, and intelligence assessments about things that may happen will go a long way in shaping an organization so that it is more proactive to threats.

Related Content:

 

Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/29/2016 | 12:54:21 PM
Define Intelligence
The question for me is how would you most simplistically define intelligence?
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19702
PUBLISHED: 2019-12-10
The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to perform a denial of service against the DMARC reporting functionality, such as by referencing the /dev/random file within XML do...
CVE-2019-19703
PUBLISHED: 2019-12-10
In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location.
CVE-2012-1577
PUBLISHED: 2019-12-10
lib/libc/stdlib/random.c in OpenBSD returns 0 when seeded with 0.
CVE-2012-5620
PUBLISHED: 2019-12-10
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2013-1689
PUBLISHED: 2019-12-10
Mozilla Firefox 20.0a1 and earlier allows remote attackers to cause a denial of service (crash), related to event handling with frames.