Welcome to our deep dive on threat intelligence: intended to help security professionals embarking on creating and building a threat intelligence capability. Readers will understand how to make threat intelligence relevant, actionable, and effectively communicated to a myriad of stakeholders. The blog includes best practices of threat intelligence, as well as some free tools and resources along the way.
What is Threat Intelligence? An Overview
Threat intelligence has many competing interpretations and definitions, but Gartner’s threat intelligence definition is a good starting point:
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.
Wrapped up within this definition are two salient themes that we will return to:
- Threat Intelligence is focused on informing a decision-maker and improving their decisions. The Threat Intelligence function within a business can be as a standalone function, particularly within more mature organizations or sector with a lower risk tolerance, but more often it is a function of an individual within a security team. This function can serve multiple stakeholders within the business, including incident responders, threat hunters, and management.
- Focuses on the threat, not risk. “Threat” is just one component of “Risk”. Some frameworks, such as FAIR (Factor Analysis of Information Risk), help to bring this all together into a richer framework.
Establishing Measures of Effect: First Things First
Few threat intelligence pieces begin by discussing how you measure the effectiveness of a program; this is more commonly done either as an afterthought or by a handful of the most mature organizations. However, this is critical: having a well-defined success criteria will ensure that there is a clear business case and, in the longer term, enable you to demonstrate a return on investment. That’s why we’ve included this at the very start.
We’re not doing threat intelligence for fun; we want to increase the bottom line. To do so, the TI program must be both measurable and tailored to business goals.
- Measurable. A great deal of recent work (see presentations from Microsoft and ThreatConnect) has been done on measuring the effectiveness of a threat intelligence program and providing examples to take away when building your own. This will reduce the focus on mere output, extend the business case, and enable you to demonstrate a Return on Investment. These include, but are not limited to:
- Number of incidents derived from threat intelligence
- Mean time to detect
- Mean time to recover
- Savings generated
- Cost savings
- Reduction of risk
Understandably, threat intelligence that can inform some sort of action will be considerably easier to measure.
- Relevant. Unless the TI goals are mapped to business goals, it will be challenging to demonstrate true business value. Consider what you want to protect, whether that is customer data, intellectual property or the brand. More on that in our threat modeling section to follow.With the goals clear and aligned to the business, here’s how you ensure your threat intelligence is as effective as possible.
Intelligence vs Information vs Data
One of the biggest barriers to ensuring Threat Intelligence is relevant is confusion between data, information and intelligence. Indeed, as Threat Intelligence has become more commoditized, the differences between data, information and intelligence have become blurred. Let’s start first by clarifying the differences.
Data – Are recorded facts from snapshot at a point in time. With data, there is little or no subjectivity involved. Data is binary: it is either true or false. For example, ‘it was wet in London at 10:27 last Wednesday.’
Information – Information is structured data that has been combined by the process of Collection. For example, ‘it rained last Wednesday and has for the last 20 in London’
Intelligence – Critically intelligence is about future events, rather than Data and Information which is purely historical in nature. The sole objective of intelligence is to assist a decision maker in making a better decision about an issue than a coin toss. For example, ‘There is no reason other than coincidence that it has rained in London on every Wednesday for the last 20, but based on historical data, there is a 70% chance it will rain on the next Wednesday.’
The relationship between Data, Information, and Intelligence
This diagram is a good way to understand the relationship between these three terms, showing:
- Data is converted to information via the process of Collection, and Information into Intelligence by Analysis. Within this conceptualization Data, Information and Intelligence are commodities and Collection and Analysis are processes.
- The pyramid that underlies the above image is intended to represent the volume of each commodity and the fact that a lot of data declines to a smaller set of information and an even smaller set of intelligence products.
- The hierarchical nature of Data, Information and Intelligence and how one must flow into another. This is what separates a ‘guess,’ from an intelligence product due to the fact that an intelligence assessment is supported by information and data, where as a guess is not.
4 Types of Threat Intelligence
While many claim they do threat intelligence, this can mean a whole number of things. There are four types of threat intelligence and, while they have some areas of overlap, help us to understand different functions of threat intelligence.
- Strategic Threat Intelligence – High-level analysis and information on trends over time that can be used to inform decision-making, especially relevant for Board and C-Level stakeholders.
- Operational Threat Intelligence – Gaining insights from ongoing and incoming attacks, including intelligence of actors and campaign details.
- Tactical Threat Intelligence – Intelligence on the tactics, techniques, and procedures (TTPs) of threat actors.
- Technical Threat Intelligence – Heavily based on Indicators of Compromise (IOCs). Technical threat intelligence tends to be utilized in malware research and detection to catalog malware families by their characteristics such as textual or binary patterns.
To add further complexity, on top of all of this, these types of threat intelligence may be produced internally, gained from sharing communities (such as FS-ISAC, HS-ISAC), or derived from an external provider (both paid and free).
Avoiding the Firehose
While threat intelligence continues to gain in adoption (The SANS Institute reports an increase of 60% to 72% of respondents producing or consuming threat intelligence), it often has several limitations:
- Too much noise and too many false positives. As we so often fail to differentiate between data, information, and intelligence, much of the “threat intelligence” we see only succeeds in overwhelming already short-staffed teams. All too often, teams are faced with a firehose of noisy indicators of compromise (IOCs).
- Lack of relevance to the organization itself. Threat Intelligence concerns information about attacks against other businesses and seldom has relevance to the organization in question.
- Not enough operationalization. A lot of Threat Intelligence provides insight, but no clear actions. Threat Intelligence ought to both improve decisions and inform an action.
In this blog, we’ll dig into some of the best practices for getting threat intelligence right and avoiding these pitfalls.
If you are going to start doing threat intelligence, a good process is needed. It can be the difference between you getting value from your intelligence function or not. A good place to start with this, is the intelligence cycle.
The Intelligence Cycle Explained
Earlier, we mentioned that there are a host of pitfalls associated with threat intelligence, such as false positives, a lack of relevance, and an inability to remediate issues. These most commonly occur when threat intelligence programs lack direction and structure from the outset, with analysts conducting analysis for the sake of analysis. That’s why the intelligence cycle remains so popular today: it helps to define stages and structure the program.
The intelligence cycle consists of five stages – direction, collection, analysis, dissemination, and review.
Of all the stages in the intelligence cycle, it’s tempting to focus on collection and analysis, and to ignore the direction and planning stage. However, having the right approach can save you time and make threat intelligence more meaningful.
Before any data is collected, bought, analyzed, or shared, organizations should first understand what they are trying to protect – what are their critical assets? Of course, this is easier said than done, especially as notions of “criticality” differ between attackers and an organization (like social media accounts). Also, a critical asset maybe highly tangible or intangible in nature i.e. a tangible critical asset could be an organization’s connection to the SWIFT banking network whereas an intangible asset could be customer confidence in the brand.
What is and what is not a critical asset vary depending on the industry and the organization, so it’s important to understand what is inherently valued in your industry. Some common critical assets overlap, regardless of industry, such as payment card details, logins, databases with customer information, payment systems, trading platforms, exchanges, Enterprise Resource Planning (ERP), and proprietary technology.
Board level decision making is not typically driven by tactical intelligence such as IOCs, but instead by operational or strategic concerns. Therefore, on top of understanding what an organization ought to be protecting, it’s important to get the requirements of key stakeholders and consider how the intelligence program will satisfy these.
Once you know what assets you want to protect, you can start to think about where you will look for information on threats to those assets. Another cycle, the collection cycle, exists to collect timely and relevant information for analysts to develop into intelligence. Our intelligence experts like to form a collection cycle that includes developing observables, collecting information, assessing that information, and feeding this assessment back to the collection cycle for future improvement. Some common things to keep in mind when developing a collection cycle include coverage, languages, tools, and the direction.
Organizations will turn to a range of sources depending on the initial requirements. This often includes technical sources (many of which are available free here: https://github.com/hslatman/awesome-threat-intelligence), social media, criminal forums, dark web pages, code repositories, and more. You can get an idea of the type of sources you might expect to cover in our Data Sources document.
It’s worth noting that the advantages and disadvantages of focusing on dark web sources is out of scope for this piece, but you can read more in another blog we wrote called “Dark Web Monitoring: The Good, The Bad, and The Ugly”. TLDR: the dark web is over-hyped, but does have some value depending on your goals.
3. Analysis Frameworks
We spoke earlier about how “intelligence” is derived from just “information” by the process of analysis. Indeed, with information collected, it’s next necessary to place these findings into some sort of analytical framework, of which there are many. It is important that threat intelligence teams understand and utilize these frameworks in the production of intelligence products. These frameworks are utilized across the cyber security sector and allow intelligence teams to communicate findings in ways which the cyber security sector understand.
One of the most prominent frameworks is the Cyber Kill Chain developed by Lockheed Martin. The Cyber Kill Chain identifies seven tangible steps to carrying out an attack from the perspective of an attacker:
- Command & control (C2)
- Actions on objectives
These steps provide valuable insight into cyberattacks and enhance analysts’ understanding of threat actor TTPs.
The Lockheed Martin Cyber Kill Chain serves as the basis for the Diamond Model and MITRE ATT&CK, which both build on the model proposed by the kill chain. The Diamond model uses the four corners to represent adversaries, infrastructure, victim, and capabilities and maps the cyber kill chain out on the diamond at each step depicting whether the step is technical or socio-politically motivated. The intention of Diamond Model is to simultaneously deal with multiple attacker Kill Chains by identifying similarities between different kill chains’ adversaries, infrastructures, victims, and capabilities.
MITRE ATT&CK takes the Cyber Kill Chain framework and expands on it by incorporating initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control (C2), exfiltration, and impact. We’ve mapped a host of campaigns to Mitre ATT&CK, which you can read. Below, we’ve outlined one mapping we did on the tactics used by the GRU in the build up to the 2016 US Presidential Election.
Avoiding Cognitive Biases
One of the biggest hurdles to good analysis is cognitive biases, defined as “a mistake in reasoning, evaluating, remembering, or other cognitive process, often occurring as a result of holding onto one’s preferences and beliefs regardless of contrary information.”
There are a large number of different types (188 to be precise) of cognitive bias. These have been expertly combined in the following image (full credit goes to https://www.visualcapitalist.com/18-cognitive-bias-examples-mental-mistakes/).
Structured Analytical Techniques
There are numerous techniques that intelligence analysts employ to overcome cognitive biases, known as Structure Analytical Techniques (SATs). The father of intelligence analysis is widely regarded to be Richards Heuer, who published many techniques in his 1999 paper, Psychology of Intelligence Analysis (a must-read for anyone interested in employing SATs).
TI pros often immediately look for the sophisticated SATs. However, in truth, there’s plenty that can be done with simpler methods. For example, Devil’s advocate and a SWOT analysis (techniques within the reach of all of us) can help to sharpen our analysis. We’ve outlined several tips in a recent blog on this very topic, A Threat Intelligence Analyst’s Guide to Today’s Sources of Bias.
However, for analysts with more time, there are techniques like Analysis of Competing Hypotheses (ACH), a methodology developed by Richards Heuer himself, and the Cone of Plausibility (most suitable for forecasting). We won’t go into detail in these in this blog, but you can read more detail on ACH and Cone of Plausibility in our previous blogs:
- An Analysis of Competing Hypotheses for the Tesco Bank Incident
- Wannacry: An Analysis of Competing Hypotheses
- Wannacry: An Analysis of Competing Hypotheses Part II
- You Should Consider Forecasts, Not Predictions
In the introduction, we outlined how threat intelligence is there to better inform a decision or decision-maker. You can produce the most amazing piece of analysis, but if it’s not communicated in a way that is meaningful to your stakeholders, it’s wasted effort.
When discussing findings and dissemination options, it is crucial to communicate in a common language to your target audience. As Threat Intelligence may be tactical, operational, technical, or strategic, products can be very different. While a technical audience may be more interested in Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs), an executive audience may be more interested to understand the business risk, assets, liabilities, profit, and loss. This aspect seems common sense, but too often a lack of understanding between analysts and decision makers has security repercussions. To promote more efficient and effective threat intelligence, it is vital to speak in the language of risk to decision makers.
Rick Holland, CISO of Digital Shadows, provided six tips for effective communication with stakeholders:
- Use their terminology; not yours. Those of us from both the intelligence and cybersecurity communities have a tendency to use our own abbreviations and terminology. Unless your intelligence consumer comes from your community, they won’t understand what you are trying to communicate. Use their own lexicon and analogies to help communicate your message.
- Focus on what they care about. If you are creating products for a technical audience, Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) are fine. They aren’t acceptable for executive level products. Business risk, assets, liabilities, profit and loss are terms executives are interested in. This has been said for many years; yet the problem persists.
- Create a personal story that resonates with your consumer. With as expansive as Trump’s business interests are and how pervasive intrusions are, it is highly likely that one of his companies has suffered a breach.
- Build briefing dossiers on your intelligence consumers. You build dossiers on your adversaries, why not build them for your intelligence consumers. What are their trigger words? What are they passionate about? Understanding and documenting what to say and what not to say is key for effective communication with a challenging consumer. Capturing this information is key; you need to learn from your successes and failures. Given the rate of turnover within organizations, capturing this knowledge is important for continuity of production.
- You may have to alter your existing practices. Just because you have historically done something doesn’t mean the approach can automatically be applied to a new intelligence consumer. When it comes to intelligence products, one size does not fit all. You will have to tailor your intelligence product’s format and timetable to the audience.
- Engage with them outside of official work channels. Look for ways to interact with your intelligence consumers outside of official forums and meetings. Would they be willing to mentor you? Could you take them out for lunch or coffee? This should resonate with people from our space; come up with a benign social engineering strategy to establish trust that will be the foundation of an ongoing relationship.
Obviously, the intelligence cycle is a cycle, so this is perhaps the most important stage. At the review stage, one analyzes the direction and goal of the intelligence and ascertains if those goals were met for further threat intelligence research.
Operationalizing Threat Intelligence
As we’ve outlined, it’s important to communicate effectively with stakeholders that have helped to shape the initial requirements of the intelligence program. However, it’s also important to ensure threat intelligence is actionable. After all, intelligence isn’t really intelligence if it doesn’t end in some type of action.
F3EAD (Find, Fix, Finish, Exploit, Analyze, and Disseminate) is an alternative, more tactical intelligence cycle from the contemporary intelligence cycle we have been through. F3EAD is commonly deployed by western militaries for operations, but is extremely applicable to a cyber security context. At Digital Shadows we believe these two cycles can be utilized together to better produce quality intelligence that satisfies both tactical and strategic requirements.
How does this work in practice? Let’s take a scenario, whereby a threat intelligence team have identified that their intellectual property is a significant target for APT Groups.
|Direction||Board level identification of APT groups as the core cyber security threat to the business|
|Collection||The company’s threat intelligence team collects data gathered from internal response cases and fuses it with data provided by the external threat intelligence provider.|
|Analysis||A full fusion and analysis of collected data over a strategic period of time (6 months to 1 year)|
|Dissemination||Results communicated back to the board and the wider threat intelligence community around the specific APT threat that has targeted the company|
Scenario Mapped to the Intelligence Cycle
|Find||Suspect activity identified on a number of hosts|
|Fix||Multiple common indicators of suspicious activity identify a cluster of infected hosts|
|Finish||Hosts are taken offline and employees are given new machines|
|Exploit||Based on analysis of malware found within the infected hosts a number of specific Indicators of Compromise (IOCs) are identified by the team|
|Analyze||Fusing the IOCs found ‘in house’ with the IOCs provided by the third part intelligence provider feeds into the wider picture of the APT threat and leads to further identification of anomalous behavior on the company’s network|
|Disseminate||The results of the analysis are disseminated to both tactical consumers (SOC etc) and the strategic sponsors of the project i.e. the members of the ‘c suite’ with an interest in the issue|
Scenario mapped to F3EAD
Mapping Mitre ATT&CK to Essential 8
Understanding common TTPs can be a useful way of identifying security gaps in your own organization, but it can be hard to translate this to actionable takeaways.
To combat this, we mapped some of the biggest campaigns to the Australian Signals Directorate’s (ASD) “Essential 8” where, they identified eight mitigation steps that they believe should be inherent for securing any organization – application whitelisting, patching applications, configuring Microsoft Office macros settings to block macros from the Internet, user application hardening, restricting administrative privileges, patching operating systems, utilizing multi-factor authentication, and backing up data daily.
As we outline in the blog, the Essential 8 maps very well to the MITRE ATT&CK framework and prevents many attacker techniques in the middle of the attack lifecycle. The Essential 8 does not make an organization immune to threats, but it increases the costs for adversaries to attack an organization.
Actions and Response for Threat Intelligence
Threat Intelligence should inform a decision, but also some sort of response. For example, you may learn that one of your third-parties has been breached, including some of your employee credentials. In this case, there should clearly be an action to reset the affected credentials.
Alternatively, there may be an actor registering spoof domains as part of a phishing campaign against you and your customers. Again, in this case, the domain in question ought to be taken down.
These are just two examples of the types of approach we’ve observed organizations taking, but there are countless others.
Threat Intelligence and Risk
As we outlined at the start, threat intelligence is different from risk. Risk is comprised of threat, but also other components. Mapping threat intelligence into risk frameworks ensures that you can better inform strategic decision making.
“Risk” takes many forms. It might be Octave, NIST, COBIT, FAIR, or many other types of IT risk management frameworks. These all draw out different ways for identifying assets, identifying vulnerabilities and threats, and identifying and mitigating risks.
At Digital Shadows, we have aligned our assessment of digital risk to FAIR. FAIR (Factored Analysis of Information Risk) is a “taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events.” As a leading information risk framework, FAIR works because it breaks down a hard to measure concept into a set of easier to measure concepts.
Our FAIR-aligned risk scoring model is applied to each digital risk in SearchLight, taking into account only the detail that is available at the time of raising the alert. It is recognized that it is not possible to know all influencing factors for every organization and every risk; we do not know what mitigating controls are in place, or the actual financial cost of data within your organization. But by using scenarios, and defining associated loss events for each risk type, the resulting scoring model allows us to provide a benchmark to measure the digital risk of alert.
5 Ways to Get Started with Threat Intelligence For Free
Getting started with threat intelligence can be tricky and overwhelming. Here are 5 ways for you to get started with threat intelligence for your business right now.
- Make use of a range of free threat intelligence tools and free resources, as listed here: https://github.com/hslatman/awesome-threat-intelligence
- Read or listen to our weekly threat intelligence summaries. If you don’t have time to keep up with the latest and greatest, let us sum it up for you!
- Read it here: https://resources.digitalshadows.com/weekly-intelligence-summary
- Listen on your favorite podcast player or find the latest episodes here: https://resources.digitalshadows.com/threat-intelligence-podcast-shadowtalk.
- Register for our free tool: Test Drive. This will give you 7 days access to Digital Shadows’:
- Intelligence profiles of threat actors
- Latest industry news
- Full access to dark web and criminal sources
- Read more! Katie Nickels, an industry expert and the ATT&ACK Threat Intelligence Lead at MITRE Corporation, produced a great post linking ten excellent blogs on getting started in threat intelligence.
- Check out and subscribe to our threat intelligence blog: https://www.reliaquest.com/blog/category/threat-intelligence-tradecraft/
Want to talk with one of our Digital Shadows threat intelligence experts to see how we help businesses like yours tackle threat intelligence? Fill out the form below and we’ll follow-up!