Threat Intelligence: Collecting, Analysing, Evaluating

Threat Intelligence is rapidly becoming an ever-higher business priority. There is a general awareness of the need to ‘do’ threat intelligence, and vendors are falling over themselves to offer a confusingly diverse array of threat intelligence products. Over the past 6 years threat intelligence has grown dramatically, whether measured by its popularity in search engines, by the number of products on offer or by general awareness. The term Threat Intelligence has been placed in the spotlight of the cyber world, but what exactly does it all mean?

David Chismon and Martyn Ruks of MWR InfoSecurity, in conjunction with CERT-UK and the Centre for the Protection of National Infrastructure (CPNI), have published a document (Threat Intelligence: Collecting, Analysing, Evaluating) that attempts to clear up some of the confusion surrounding threat intelligence. (https://www.mwrinfosecurity.com/system/assets/909/original/Threat_Intelligence_Whitepaper.pdf)

They do so by addressing topics such as: What is threat intelligence? What are the different types of threat intelligence? How do you build and evaluate a threat intelligence programme? This document gives a holistic approach to better understanding the relevant and somewhat confusing term of threat intelligence. This article will aim to summarize and highlight some of the key points from Threat Intelligence: Collecting, Analysing, Evaluating.

What is Threat Intelligence? The publication explains that the term Threat Intelligence is rather loosely defined and has many definitions. The authors suggest that ‘threat intelligence’ is easier to understand once the term intelligence itself is understood. They note that intelligence is widely regarded as ‘information that can be acted upon to change outcomes’, and that this matters because threat intelligence is usually defined as intelligence applied to cyber threats. In addition to this they explore a few different definitions of threat intelligence.

What are the different types of Threat Intelligence? Building on the idea that Threat Intelligence is a rather broad topic, the authors argue that it is necessary to divide it into sub-categories. This helps narrow down the different kinds of threat information and gives each kind a more precise definition.

Strategic Threat Intelligence – This is considered the highest level of information. This is information that is consumed by the board level or by other senior decision-makers. This is unlikely to be technical and can cover such things as the financial impact of cyber activity. This intelligence comes mostly in the form of prose, such as reports, briefings or conversations.

Operational Threat Intelligence – This is information about specific impending attacks against the organization and is initially consumed by higher-level security staff such as security managers or heads of incident response. This form of intelligence is useful for understanding which groups are going to attack the organization, when and how. The authors explain that this sort of intelligence is rather rare and is usually confined to the government level.

Tactical Threat Intelligence – This form of intelligence usually refers to Tactics, Techniques and Procedures (TTPs) and is information about how threat actors are conducting attacks. This information is usually gathered by defenders and incident responders to ensure that their defenses, alerting and investigation are prepared for current tactics.

Technical Threat Intelligence – This form of information usually comes in the form of data and is normally consumed through technical means. An example of such would be a feed of IP addresses suspected of being malicious. This form of threat intelligence often has a short lifetime as attackers can easily change IP addresses.
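The short lifetime of technical indicators is the practical problem with this category: an IP feed is only useful while its entries are current. The following is an added example, not code from the whitepaper or from this article, showing how a defender might consume such a feed with an expiry window and match only still-active indicators against firewall logs. The feed, the log lines, the addresses (RFC 5737 documentation ranges) and the 30-day TTL are all constructed for illustration.

```python
"""Consume a technical threat-intelligence feed with indicator expiry.

Added example: the feed format, log format, addresses and TTL below are
constructed assumptions, not a real vendor feed.
"""
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Constructed feed: one indicator per line, with the time it was first seen.
FEED_TEXT = """\
# indicator,first_seen
198.51.100.23,2024-05-01T08:00:00Z
203.0.113.77,2024-05-20T12:30:00Z
192.0.2.200,2024-04-01T00:00:00Z
"""

# Constructed firewall log lines to check against the feed.
LOG_LINES = [
    "2024-05-21T09:15:02Z fw allow src=198.51.100.23 dst=10.0.0.5 dport=443",
    "2024-05-21T09:16:40Z fw allow src=203.0.113.77 dst=10.0.0.8 dport=22",
    "2024-05-21T09:17:11Z fw allow src=192.0.2.200 dst=10.0.0.9 dport=80",
    "2024-05-21T09:18:55Z fw allow src=10.0.0.7 dst=10.0.0.5 dport=443",
]

# Assumed evaluation time and indicator lifetime (both constructed).
NOW = datetime(2024, 5, 21, 10, 0, tzinfo=timezone.utc)
TTL = timedelta(days=30)

SRC_RE = re.compile(r"\bsrc=(\S+)")


def parse_feed(text):
    """Return {ip_address: first_seen} from the CSV-like feed text.

    Lines that are blank or start with '#' are skipped; a malformed
    address raises ValueError rather than silently creating a bad indicator.
    """
    indicators = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip_str, seen_str = line.split(",", 1)
        ip = ipaddress.ip_address(ip_str.strip())
        seen = datetime.fromisoformat(seen_str.strip().replace("Z", "+00:00"))
        indicators[ip] = seen
    return indicators


def active_indicators(indicators, now=NOW, ttl=TTL):
    """Keep only indicators whose age is within the TTL.

    This is the point the paragraph above makes: an address seen 50 days
    ago is dropped because the attacker has probably moved on.
    """
    return {ip for ip, seen in indicators.items() if now - seen <= ttl}


def match_logs(log_lines, active):
    """Return (indicator, log line) pairs where the source IP is active."""
    hits = []
    for line in log_lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # unparseable field; skip rather than crash
        if src in active:
            hits.append((str(src), line))
    return hits


def run(now=NOW, ttl=TTL):
    """Full pipeline: parse feed, expire stale entries, match logs."""
    active = active_indicators(parse_feed(FEED_TEXT), now, ttl)
    return match_logs(LOG_LINES, active)


if __name__ == "__main__":
    for indicator, line in run():
        print(f"HIT {indicator}: {line}")
```

Running it reports two hits; the third feed entry (192.0.2.200) was first seen 50 days before the evaluation time and is ignored, so the connection from it does not fire an alert. Shortening the TTL or refreshing the feed more often is the trade-off between missed detections and stale noise that this category of intelligence always carries.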

How do you build and evaluate a Threat Intelligence Programme? – This section of the paper attempts to explain the best way to build and evaluate a threat intelligence programme. The authors explain that an effective programme will have a number of areas of focus, and that breaking threat intelligence down into specific functions is more scalable, as staff are likely to be better skilled at specific aspects of intelligence. They describe 5 crucial steps in the cycle that creates an effective programme:

  • Requirements
  • Collection
  • Analysis
  • Production
  • Evaluation

They explain the importance of each step and why the steps should be completed in that order.

The paper goes on to explain each of these steps in further depth, as well as each subtype of threat intelligence. It also discusses other topics surrounding threat intelligence, such as the need to share information, vulnerability assessments, the functions of a threat intelligence team and more.


I believe that this publication is a must read for executives wishing to implement threat intelligence in their organizations.

Summary:

The main takeaways from this paper are:

  1. Understand what TI is
  2. Understand what TI can, and can’t do for your organization
  3. Identify the customers of TI within your organization, and their needs
  4. Select a TI solution (or solutions) which answer these needs

However, it is clear that threat intelligence comes with a cost: the price of the service and the associated labor within the organization. It may even be that this cost will be too great for most to bear, and that another set of tools or services (not discussed in this paper) is required to further simplify and automate the process.

(written by the one and only Daniel Kleinmann).