What the Heck is Threat Intelligence?

  • Threat intelligence is not “brand monitoring,” or at least it isn’t usually. The aforementioned article identified that threat intelligence is not brand monitoring and any efforts such as that should be handled by a dedicated team, and that statement is true. However, there are absolutely cases where brand monitoring may contribute to intelligence analysis, and the intelligence team should absolutely consume and analyze the results of brand monitoring, including the creation of fake social media profiles and fraudulent websites masquerading as an organization.
  • No part of threat intelligence is a “secondary duty.” Some organizations attempt to assign threat intelligence duties to their line analysts, such as collection of reporting and other data, however threat intelligence is a specialty, much like incident response or digital forensics, and as such it requires specific training and knowledge. It is not a task that can be distributed among other teams, and when it is distributed it takes analysts away from their primary responsibility.
  • Threat intelligence is not monitoring for compromised credit cards or credentials, but the results of that monitoring can serve as another input for threat intelligence. Much like brand monitoring, monitoring for stolen credit cards and compromised credentials is often a task that can be offloaded to various third-party services (or indeed implemented in-house with many open source tools). However, a threat intelligence team should absolutely monitor the results of that third-party collection for wider analysis, especially during incident response investigations.
  • Threat intelligence is not simply blindly reading and ingesting polished reports released by various vendors. While these reports may serve as a further input, intelligence analysis requires that such sources and reporting be assessed, collated, correlated, and analyzed to determine if the reporting aligns with existing bodies of knowledge on the subject, and if not, why. Unfortunately, this practice remains very common in security operations centers globally; it is a significant factor in analyst fatigue and contributes to the decreased perceived value of threat intelligence. After all, if all an analyst does is collect, read, and ingest vendor reporting, what value are they adding?
  • Threat Feeds — these are typically feeds which leverage automated distribution and will include various indicators of compromise and varying levels of tagging. This format can also challenge organizations, as the feeds often feature out-of-date information and lack any significant contextualization, resulting in analyst fatigue and frustration as well as a surge in false positive results.

Definition & Planning

Interestingly, one of the often-overlooked stages of the intelligence cycle is the first step, specifically defining intelligence requirements, and designing a collection plan. The process for establishing intelligence requirements (often referred to as “priority intelligence requirements” (PIR)) cannot be done in a vacuum, however, and requires detailed discussions with the intelligence consumers and stakeholders to identify their priorities, often in the form of questions needing answers. The more specific the question, the more specific the answers will be. Examples could include:

  • Who is targeting us?
  • Are actors actively targeting a known vulnerability in our web application?
  • What malware is known to exploit EternalBlue?

  • Sources, resources and challenges are identified; sources and resources are ranked according to value, and challenges are identified together with plans to work around them (where possible).
  • Priorities are established, with specific requirements and sources holding different priorities according to the established requirements.
  • Taskings are formal directives tasking specific resources with collection and analysis. This ensures that workloads are appropriately managed and that all requirements are addressed by specific subject matter experts.
  • Ongoing evaluation tracks the progress of individual taskings and of the overall PIRs.

  • Dark Web
  • Social Media
  • Paste Sites
  • News Sites
  • Vendor Reporting

Collection

Intelligence collectors, once tasked, will begin the process of gathering relevant raw (or unanalyzed) data from the sources identified in the ICP. It is important to note that intelligence collectors do not have to be analysts — indeed, they often aren’t within the broader intelligence community. Instead, their job is to gather as much raw data as possible to support the PIRs, making sure that they record not only the events of interest but also the additional context surrounding those events. This contextualization is critical when that data begins to be processed (normalized).

Processing

After collection has occurred — or indeed while it is happening — the next phase is that of processing. During this phase, data and information are “processed,” or normalized, from their raw formats into more usable formats. This might include (but is by no means limited to) translating and transliterating foreign languages, de-obfuscating encoded data, or reverse engineering malware. Again, there is no set format for this data; however, the processed data must be traceable to the raw intelligence. This last point is crucial, as the analyst must be able to verify the normalized data, and should any challenges or failures be experienced, validation against the raw data must be possible.
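The traceability requirement above can be made concrete: each normalized record carries the digest of the exact raw record it was derived from, so an analyst can later re-derive and compare. This is an added example, not code from the article; the raw records, field names and timestamp formats are constructed for illustration.

```python
import base64
import hashlib
import json
from datetime import datetime, timezone

# Constructed raw collection records (not from the article): one carries a
# base64-obfuscated indicator, and the two sources use different timestamp formats.
RAW_RECORDS = [
    '{"source": "paste-site-A", "seen": "2023-03-01T10:15:00Z", "ioc_b64": "ZXZpbC5leGFtcGxlLm5ldA=="}',
    '{"source": "vendor-report-B", "seen": "01/03/2023 11:20", "ioc": "203.0.113.7"}',
]

def raw_id(raw: str) -> str:
    """Stable identifier for a raw record: the SHA-256 of its exact bytes."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def normalize(raw: str) -> dict:
    """Turn one raw record into a normalized record that keeps a link to the raw data."""
    rec = json.loads(raw)
    # De-obfuscate: the indicator may arrive base64-encoded.
    ioc = base64.b64decode(rec["ioc_b64"]).decode("utf-8") if "ioc_b64" in rec else rec["ioc"]
    # Normalize timestamps to ISO-8601 UTC; the two source formats seen above are handled.
    seen = rec["seen"]
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%d/%m/%Y %H:%M"):
        try:
            ts = datetime.strptime(seen, fmt).replace(tzinfo=timezone.utc)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognized timestamp format: {seen}")
    return {
        "indicator": ioc,
        "first_seen": ts.isoformat(),
        "source": rec["source"],
        "raw_sha256": raw_id(raw),  # provenance: points back to the exact raw record
    }

def validate(normalized: dict, raw_store: dict) -> bool:
    """Re-derive the normalized record from the stored raw record and compare."""
    raw = raw_store.get(normalized["raw_sha256"])
    if raw is None or raw_id(raw) != normalized["raw_sha256"]:
        return False  # raw record missing or altered: the normalized data cannot be verified
    return normalize(raw) == normalized

def process_all(raws):
    """Process every raw record, returning the normalized set and the raw store keyed by digest."""
    raw_store = {raw_id(r): r for r in raws}
    return [normalize(r) for r in raws], raw_store
```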

Analysis & Production

The analysis and production phase of the intelligence cycle is where the processed data and information are provided to analysts in order to answer the fundamental questions: who, what, when, where, how, why, as well as establishing the connective tissue between the collected events and how they answer the questions laid out in the PIR. Each assessment (that is, a non-obvious result of the analysis of the processed data and information) made during the analysis is based upon the processed data and information and should use either estimative language (i.e. won’t, unlikely, possible, likely, very likely) or a numerical percentage (0–100%) to convey the certainty of the assessment being true. These assessments also form the basis for one of the most important Key Performance Indicators (KPI) for threat intelligence: the number of assessments made, against how many of them turn out to be true, false, or undetermined.
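As an added example (not from the article), the following tracks assessments with the estimative terms and percentages described above, computes the KPI of assessments made against true, false and undetermined outcomes, and goes one step further by checking calibration per estimative term. The mapping of terms to percentage bands is an assumption; the article names the terms but gives no numbers.

```python
from collections import defaultdict

# Assumed bands (the article gives the terms only): term -> [low, high) percent.
ESTIMATIVE_BANDS = {
    "won't": (0, 5),
    "unlikely": (5, 40),
    "possible": (40, 60),
    "likely": (60, 85),
    "very likely": (85, 100),
}

def term_for(percent: int) -> str:
    """Map a 0-100 confidence to an estimative term using the assumed bands."""
    if not 0 <= percent <= 100:
        raise ValueError("confidence must be 0-100")
    for term, (lo, hi) in ESTIMATIVE_BANDS.items():
        if lo <= percent < hi or (hi == 100 and percent == 100):
            return term
    raise AssertionError("bands must cover 0-100")

def kpi(assessments):
    """The article's KPI: assessments made vs. how many resolved true, false or undetermined."""
    counts = {"made": len(assessments), "true": 0, "false": 0, "undetermined": 0}
    for a in assessments:
        counts[a["outcome"]] += 1
    return counts

def calibration(assessments):
    """Per estimative term, the percentage of resolved assessments that turned out true.
    If 'likely' assessments resolve true far outside the 'likely' band, the team's
    confidence language is miscalibrated and should be revisited during feedback."""
    tally = defaultdict(lambda: [0, 0])  # term -> [true count, resolved count]
    for a in assessments:
        if a["outcome"] == "undetermined":
            continue  # unresolved assessments do not inform calibration
        term = term_for(a["confidence"])
        tally[term][1] += 1
        tally[term][0] += a["outcome"] == "true"
    return {term: round(100 * t / n) for term, (t, n) in tally.items()}

# Constructed assessments (illustrative, not real findings) tied to two PIRs.
ASSESSMENTS = [
    {"pir": "PIR-1", "claim": "scanning of the web app is targeted", "confidence": 70, "outcome": "true"},
    {"pir": "PIR-1", "claim": "exploitation attempted within 30 days", "confidence": 75, "outcome": "false"},
    {"pir": "PIR-1", "claim": "same actor as last quarter", "confidence": 90, "outcome": "true"},
    {"pir": "PIR-2", "claim": "leaked credentials still valid", "confidence": 20, "outcome": "false"},
    {"pir": "PIR-2", "claim": "credentials came from a third-party breach", "confidence": 50, "outcome": "undetermined"},
]
```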

Dissemination

The dissemination phase is relatively straightforward: once the audience-specific reporting is completed, the reports are delivered to the intelligence consumers and stakeholders. While dissemination typically precedes feedback, another aspect of dissemination is often overlooked and needs to occur: actioning of the data. This means that intelligence reporting, if it is to be called successful, will result in direct action — or indeed perhaps deliberate inaction — by the consumers and stakeholders. When action (or deliberate inaction) does not occur, this should trigger additional review by the intelligence team during the feedback phase.

Feedback

The final phase in the intelligence cycle is perhaps one of the most critical components: feedback. In this phase, not only is the intelligence team engaged to provide feedback on how the process was conducted, but the intelligence consumers’ and stakeholders’ feedback is also sought to determine if the reporting met the PIR and the results were satisfactory.

Cyborg Security
Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.