Understanding the Threat Intelligence Lifecycle

Uploaded on 2015-12-22 in TECHNOLOGY--Resilience, NEWS-News Analysis, FREE TO VIEW

 

Everyone is interested in Threat Intelligence (TI). There is a race to the top of the mountain with regards to providing ‘Intelligence’ on the ‘latest threats’; but what does that really mean for information consumers?

Firstly, let’s look at the term ‘Intelligence’. For most individuals the term Intelligence has several meanings ranging from covert operations to information gathering. However, very little time is actually spent on the Intelligence Lifecycle.

Understanding the lifecycle and some key framework concepts of Intelligence will help people understand where TI really enters into Intelligence; and how the basics can be leveraged to derive value added information into the organization.

The Intelligence Lifecycle
Excluding the scope of Cover Operations and Counter Intelligence one of the key missions of an Intelligence program is to prepare the battle space. However, this article is not working within a military construct so for the contextual use of the rest of the article the battle space will be the organisation.

From a technical perspective preparing the organization requires a mature asset and data management program.  From this perspective there is no one-size-fits-all solution to asset and data management.
For those who are just beginning there are several resources available on the Internet to help organizations get started. Furthermore, there is no need to gather TI if asset management in not addressed as much of the TI will probably pertain to assets owned by the organization.

Once assets have been identified, classified, and entered into a management lifecycle an organization can begin to ask the right questions. This is the consumer request for information.

Some example questions may be: What threats are posed against Java resources, or are there relevant threats currently attacking other Windows based infrastructures? The question initiates the Intelligence Lifecycle: Collect, Analyze, and Disseminate.

Low Budget Entry Points
For organizations wishing to do low budget Proof of Concepts or organisations that do not have the financial resources to developing robust Intelligence capabilities the two best places to start are in the domains of Human Intelligence (HUMINT) and Open Source Intelligence (OSINT). These two terms are some of the most powerful and cost effective terms to learn from a collection standpoint.

HUMINT is comprised of human interactions. This can be anything from fellow security professionals, relationships with security vendors, local law enforcement, Social Media et al.

Developing human relationships with regards to on the ground information can be more valuable than any high tech platform. For example: The creation of a Twitter account that follows such things as hacktivist groups and malware developer communities can reveal large amounts of information.

However, like any other collection effort it will be an effort of labor to manage, maintain, and sift through the vast amount of inbound information.

OSINT is the other low cost effective way to collect Intelligence. Always remember that Google is your friend. Simply typing in search terms like ‘threats to java’ or ‘latest windows hacks’ can reveal countless pages of information.

Furthermore, OSINT comprises of things like vendor supplied threat reports, news wires, streaming video, or just about anything you can obtain legally. For example: companies like Verizon publish yearly threat reports that cover a wide range of topics.

The nice part about these types of reports is that the information is typically backed by some form of metric, which can help with augmenting risk assessments conducted by the organization.

Many security vendors now come with their own form of Intelligence engines. These hardware and software solutions share detected threats with each other to enhance the overall effectiveness of the solution.

So, now that we have a very basic view of Intelligence and Threat Intelligence let’s look at a scenario regarding a local government who is ramping up their Cyber Security program but needs Threat Intelligence information to determine next steps.

The first step the organization performs is to recognize and understand the Intelligence Lifecycle. Once management understands the input(s) and output(s) of their request their expectations of returns will be on par with the initiative.

The second step the organization performs is to mandate the work to a security analyst within the organization. Although there are dedicated vendors who can also provide this information from a cost perspective this local government has decides to use an internal resource.

Once given the mandate for a generalized Intelligence effort the security analyst begins looking at relevant collection mechanisms. The analyst determines that there are some technical capabilities for Intelligence collection, but with regards to specific TI the analyst turns to more open sources of information.

After the information has been disseminated to all relevant stakeholders follow-up meetings are scheduled to continue the discussion, from a roadmap and remediation perspective.
Dark Matters: http://bit.ly/1Tf9zFr

 

« Mystery: US State Dept. Can't Find Missing Clinton Emails
Could IS Create A Cyber War? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

RIVA Solutions

RIVA Solutions

RIVA provides innovative best practices in IT and management consulting, program support services and emerging technologies.

Cofense

Cofense

Cofense (formerly PhishMe) is a leading provider of human-driven phishing defense solutions.

Spanish National Cybersecurity Institute (INCIBE)

Spanish National Cybersecurity Institute (INCIBE)

INCIBE undertakes research, service delivery and coordination for building cybersecurity at the national and international levels.

Secure Innovations

Secure Innovations

Secure Innovations is a cybersecurity firm dedicated to providing top-tier cyber security solutions for the Defense and the Intelligence Community.

SANS CyberStart

SANS CyberStart

SANS CyberStart is a unique and innovative suite of tools and games designed to introduce children and young adults to the field of cyber security.

Osirium

Osirium

The Osirium PxM Privileged Access Management platform addresses both security and compliance requirements by defining who gets access to what and when.

IEEE Cyber Science and Technology Congress (CyberSciTech)

IEEE Cyber Science and Technology Congress (CyberSciTech)

CyberSciTech provides a platform for scientists, researchers, and engineers to share their latest ideas and advances in the broad scope of cyber-related science, technology, and application topics.

DigiByte (DGB)

DigiByte (DGB)

DigiByte (DGB) is a rapidly growing global blockchain with a focus on cybersecurity for digital payments & decentralized applications.

ITConnexion

ITConnexion

From cloud migration to ransomware protection, our managed IT services can be customised to address the most prevalent IT issues for your business.

Ampere Industrial Security

Ampere Industrial Security

Ampere is an industrial security firm. We specialize in industrial control systems (ICS) and operational technology (OT) security.

DoControl

DoControl

DoControl gives organizations the automated, self-service tools they need for SaaS applications data access monitoring, orchestration, and remediation.

Advantex Network Solutions

Advantex Network Solutions

Advantex Network Solutions are a leading provider in Mitel, IT Solutions, Networking, and iP surveillance.

Narf Industries

Narf Industries

Narf Industries are a small group of reverse engineers, vulnerability researchers and tool developers that specialize in tailored solutions for government and large enterprises.

Eden Data

Eden Data

Eden Data is on a mission to break the outdated mold of traditional cybersecurity consulting. We handle all of your security, compliance & data privacy needs.

Applied Connective Technologies

Applied Connective Technologies

Applied Connective is one team for all your technology needs, from IT to phones, cyber security to physical security, audio/video and the infrastructure to support it.

Allstate Identity Protection

Allstate Identity Protection

Allstate make it easy to provide complete identity protection, so everyone can live more confidently online.