Most organisations have more threat intelligence than they know what to do with. It comes from a variety of sources – commercial, open-source, government, industry sharing groups and security vendors. Bombarded by millions of threat data points every day, it can seem impossible to appreciate or realise the full value of third-party data.
In a recent CyberSocial webcast, we used real-time polling to help attendees analyse and action a threat report. Here are five tips we shared.
1. Select the right sources of threat data for your organisation
When polled, the audience reported using a well-balanced combination of sources of threat intelligence. They are on the right track. But it is also important to identify the right sources for your organisation. Additionally, collect threat reports from several different sources as they provide different levels of content – strategic, operational and tactical. Figure out the who, what and when for consumption and use that for your metric for success when looking at acquisition.
Open-source intelligence (OSINT) is free and easy to access, and most organisations use it extensively. But organisations must also consider the trust and reliability of sources. In a classical hierarchy, the highest level of trust comes from the intelligence you generate and receive from your close network and peers. OSINT information is placed at the lowest level.
We recommend using trust models such as the Admiralty System or NATO System. These classify information from A to F for reliability and from 1 to 6 for credibility, particularly for new sources that surface during times of crises or outbreaks. Applying this scale to threat intel helps to determine what to do with the data. It also reduces false positives and noise generated from non-validated and unconfirmed data.
2. Determine who will acquire the data
25% of respondents said all groups have access to all threat intelligence sources. Giving access to a broader audience is not a bad thing. However, it is probably even better to have one team responsible for acquiring and analysing threat reports and only delivering actionable information. Not every stakeholder needs every level of intelligence.
The report on the Ryuk ransomware from the French National Agency for the Security of Information Systems (ANSSI) is a good example. You need to determine how the same report will impact and be used by various teams across the organisation. Different teams may use different aspects of the same report in different ways to achieve their desired outcomes. For example, modifying policy (strategic), launching hunting campaigns (operational) or disseminating technical indicators (tactical).
A threat report in PDF format requires a lot of work to translate the information it contains into actionable data for different sets of users. This is why it is important to have a dedicated team acquire the data.
3. Structure the data for analysis
There are three steps for analysis:
- Understanding the context of the report
- The relevance of the report
- Relating the report to any prior reports, intelligence and incidents.
This process allows you to contextualise and prioritise intelligence but requires that the data be structured uniformly. Threat data comes in various formats (e.g., STIX, MITRE ATT&CK techniques, news articles, blogs, tweets, security industry reports, indicators of compromise (IoCs) from threat feeds, GitHub repositories, Yara rules and Snort signatures) and needs to be normalised.
The information you gather in the Ryuk report, for example, is expressed with its own vocabulary. Translating it into a machine-readable format is necessary to link it to other related reports and sources of information.
This isn’t just about the format. The volume of information across the threat intel landscape is high. Different groups use different names to refer to the same thing. Normalisation compensates for this and enables you to aggregate and organise information quickly. Structuring data to prioritise is critical for triage and ensures you are focusing on the threats that matter most.
4. Use tools to help with analysis
You need to use the right tools to support your desired outcome. According to the poll, 67% of attendees using technical ingestion (SIEM). It indicates that desired outcomes are more technical.
15% are still handling the acquisition and analysis process manually. This is quite a challenge, particularly during a big event. A threat intelligence platform (TIP) does a good job of extracting context. It can also help you use the information in various ways for different use cases (e.g., alert triage, threat hunting, spear phishing, incident response) and support different outcomes.
It is also important that the tool you select works well with frameworks like MITRE ATT&CK. MITRE is the most used framework to organise the analysis process. Customers are identifying their crown jewels and mapping to MITRE. It allows them to understand which adversaries might target them, the tactics, techniques and procedures (TTPs) to concentrate on, and what actions to take.
5. Select the right tools to help make data actionable.
Analysis enables prioritisation so you can determine the appropriate actions to take. There are a variety of tools to help make threat reports and other elements of your threat intelligence program actionable and achieve desired outcomes at the strategic level (executive reporting), operational level (changes in security posture) and tactical level (updating rules and signatures).
In the final polling question, 45% of respondents said they are using a TIP to make the data actionable for detection and protection. However, only a few are using a TIP for forensics. This is a missed opportunity and a capability that teams should explore as their capabilities continue to mature. From a forensics standpoint, MITRE is an important tool to enable the analysis of past incidents so organisations can learn and improve.
In closing, our experts recommend that before you start thinking about threat intelligence sources, analysis and actions, you need to understand the desired outcomes and deliverables for each of your constituents. It’s a journey that typically starts at the tactical level and, with maturity, evolves to include operational and strategic intelligence to deliver additional value. When shared the right way with each part of the organisation, key stakeholders will see threat intelligence for the business enabler. The threat intelligence program will gain support and the budget to grow.
This article was written by David Grout, CTO EMEA for FireEye and Yann Le Borgne, Technical Director for ThreatQuotient.
FireEye is a publicly traded cybersecurity company headquartered in Milpitas, California. It has been involved in the detection and prevention of major cyber attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks. FireEye was founded in 2004.
ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.