Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/29/2016
10:30 AM
Adam Meyers
Adam Meyers
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

How to Roll Your Own Threat Intelligence Team

A lot of hard work needs to go into effectively implementing an intelligence-driven security model. It starts with five critical factors.

Many organizations want to build a threat intelligence team but don’t really know where to start, let alone answer the question, what exactly is threat intelligence? The definition has been clouded by the industry over the last several years, even as vendors rush to build "intelligence"-based solutions. Without getting bogged down in the argument over what is -- and is not -- threat intelligence, let's discuss how an organization can build a team to effectively use intelligence to drive enterprise security. Here are five critical factors:

Factor 1: Establish an intelligence priorities framework. To effectively use intelligence, the organization must first establish and prioritize information they will need. This can be accomplished by identifying intelligence gaps that exist, formulating requirements from the intelligence gaps, then organizing the requirements into categories that align with the organization.

For example, in a priority intelligence requirements (PIR) document, "P1" might map to what adversaries target my organization, underneath this, another requirement might be what nation-state adversaries target my organization. This might be expressed as "P1.a." This structure allows the organization to maintain a centralized list of all intelligence requirements available for review on a regular basis.

Factor 2: Incorporate and consolidate intelligence sources. There are a wealth of different sources:

  • Technical sources include the SIEM, IDS, firewall, next-generation endpoint security platforms, and logs from any number of devices
  • Open Sources such as published vendor reports, any number of free feeds of indicators, vendor vulnerability lists (Microsoft, Apple, Adobe, etc), and media sources
  • Closed Sources may include community mailing lists, or organizations such as ISACs
  • Paid Intelligence Feeds

Factor 3: Map Your Intelligence Collection. As new intelligence is collected from these sources, align them with the intelligence priorities defined in factor 1. For example, public reports indicators associated with a known threat actor, might align to an intelligence requirement around targeted attacks. Memorialize that intelligence via an internal system: an email with the source, date, priority it maps to, the collected intelligence, and some analysis. Store the collected intelligence in a searchable repository. If possible, operationalize it by feeding into technical sensors then take the actionable information and apply to SIEM, create firewall block or logging event, create an IDS rule, or block the hash in the endpoint prevention system.

Factor 4: Find the best talent. Employing intelligence analysts who can review inbound intelligence and produce analysis germane to the organization is key. As new intelligence is collected, someone needs to assess if it is significant to the organization, explain how it is significant, decide who it is significant for, and produce cogent analysis around scenarios in which it might be significant.

Entire libraries can be filled with books on proper analytic tradecraft, but training a SOC analyst to perform intelligence analysis can be very costly and time-consuming. Many technical experts operate in a binary world; something is either black or it is white. Intelligence analysts live in a grey world: they consider a myriad of states and can make assessments around the likelihood that something might happen, or cause a situation to change. These analysts will employ concepts like alternative competing hypotheses (ACH) to handle multiple possibilities or outcomes.

Factor 5: Tailor The Finished Products To The Audience. Disseminating intelligence is a critical function of the intelligence team. Weekly or even daily products that convey the intelligence analyzed and collected over a discrete period of time allow the intelligence team to keep their internal customers abreast of the various things that are going on. Intelligence products should be tailored to the audience and contain information to help them be more effective. For example, a product for the executive suite covering the attacks observed, upcoming events that may impact enterprise security, the latest relevant news pertaining to enterprise security, and intelligence assessments about things that may happen will go a long way in shaping an organization so that it is more proactive to threats.

Related Content:

 

Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/29/2016 | 12:54:21 PM
Define Intelligence
The question for me is how would you most simplistically define intelligence?
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15237
PUBLISHED: 2019-08-20
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
CVE-2019-15228
PUBLISHED: 2019-08-20
FUEL CMS 1.4.4 has XSS in the Create Blocks section of the Admin console. This could lead to cookie stealing and other malicious actions. This vulnerability can be exploited with an authenticated account but can also impact unauthenticated visitors.
CVE-2019-15229
PUBLISHED: 2019-08-20
FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of the Admin console. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.
CVE-2019-15231
PUBLISHED: 2019-08-20
Webmin 1.890, in a default installation, contains a backdoor that allows an unauthenticated attacker to remotely execute commands. This is different from CVE-2019-15107. NOTE: as of 2019-08-19, the vendor reports that "at some point" malicious code was inserted into their build infrastruct...
CVE-2019-15232
PUBLISHED: 2019-08-20
Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors.