The Threat Intelligence Lifecycle


So, how does cyber threat intelligence get produced? Raw data is not the same thing as intelligence — cyber threat intelligence is the finished product that comes out of a six-part cycle of data collection, processing, and analysis. This process is a cycle because new questions and gaps in knowledge are identified during the course of developing intelligence, leading to new collection requirements being set. An effective intelligence program is iterative, becoming more refined over time.
1. Planning and Direction
The first step to producing actionable threat intelligence is to ask the right question.
The questions that best drive the creation of actionable threat intelligence focus on a single fact, event, or activity — broad, open-ended questions should usually be avoided.
Prioritize your intelligence objectives based on factors like how closely they adhere to your organization’s core values, how big of an impact the resulting decision will have, and how time sensitive the decision is.
One important guiding factor at this stage is understanding who will consume and benefit from the finished product — will the intelligence go to a team of analysts with technical expertise who need a quick report on a new exploit, or to an executive that’s looking for a broad overview of trends to inform their security investment decisions for the next quarter?

2. Collection

The next step is to gather raw data that fulfills the requirements set in the first stage. It’s best to collect data from a wide range of sources — internal ones like network event logs and records of past incident responses, and external ones from the open web, the dark web, and technical sources.
Threat data is usually thought of as lists of IoCs, such as malicious IP addresses, domains, and file hashes, but it can also include vulnerability information, such as the personally identifiable information of customers, raw code from paste sites, and text from news sources or social media.

3. Processing

Once all the raw data has been collected, you need to sort it, organizing it with metadata tags and filtering out redundant information or false positives and negatives.
Today, even small organizations collect data on the order of millions of log events and hundreds of thousands of indicators every day. It’s too much for human analysts to process efficiently — data collection and processing has to be automated to begin making any sense of it.
Solutions like SIEMs are a good place to start because they make it relatively easy to structure data with correlation rules that can be set up for a few different use cases, but they can only take in a limited number of data types.
If you’re collecting unstructured data from many different internal and external sources, you’ll need a more robust solution. Recorded Future uses machine learning and natural language processing to parse text from millions of unstructured documents across seven different languages and classify them using language-independent ontologies and events, enabling analysts to perform powerful and intuitive searches that go beyond bare keywords and simple correlation rules.

4. Analysis

The next step is to make sense of the processed data. The goal of analysis is to search for potential security issues and notify the relevant teams in a format that fulfills the intelligence requirements outlined in the planning and direction stage.
Threat intelligence can take many forms depending on the initial objectives and the intended audience, but the idea is to get the data into a format that the audience will understand. This can range from simple threat lists to peer-reviewed reports.

5. Dissemination

The finished product is then distributed to its intended consumers. For threat intelligence to be actionable, it has to get to the right people at the right time.
It also needs to be tracked so that there is continuity between one intelligence cycle and the next and the learning is not lost. Use ticketing systems that integrate with your other security systems to track each step of the intelligence cycle — each time a new intelligence request comes up, tickets can be submitted, written up, reviewed, and fulfilled by multiple people across different teams, all in one place.

6. Feedback

The final step is when the intelligence cycle comes full circle, making it closely related to the initial planning and direction phase. After receiving the finished intelligence product, whoever made the initial request reviews it and determines whether their questions were answered. This drives the objectives and procedures of the next intelligence cycle, again making documentation and continuity essential.

Comments

Post a Comment

Popular posts from this blog

The Biggest Threats in Cyber Security

AI-Driven Attacks We’ve seen it in science fiction films but it looks like reality that computers are learning to attack on their own. Different cyber security platforms are embracing the modern AI to overcome these attacks but hackers are also using the same technology to launch new attacks at their end. Experts suggest that the hackers adopt powerful AI tools for automated attacks and expand their domain in various cyber security reports. Adversarial AI attacks are particularly worrying, because they are so powerful. Theft of data in the past attacks caused a great deal of fear due to the money, time and effort required to carry it out. Now AI has made it easier for hackers to execute several types of attacks within the same time frame and using very less energy. Even with the few lines of codes, hackers can now solve the problem of years into seconds and gain access throughout the network. Phishing Phishing is among the oldest scams and is considered green as ever
Read more

Spam vs. Phishing: What Is the Difference?

Both spam and phishing are related to social engineering, a general term for any activity in which an attacker is trying to manipulate you into revealing personal information. Passwords, account credentials, social security numbers--you should always think twice before giving out this information. Always verify who is really on the other end of the line. What is spam? Spam is unsolicited and unwanted junk email sent out in bulk to a wholesale recipient list. Typically, spam is sent for commercial purposes. However, spam email can also contain a malicious attempt to gain access to your computer, so email security becomes an important defense. What is phishing? Phishing is a common type of cyber attack that everyone should learn about to protect themselves. Phishing attacks are fraudulent communications that appear to come from a reputable source. The goal is to trick the recipient into giving away sensitive data or to install malware in the form of spyware on the victim&
Read more

Threat Hunting Steps

The process of proactive cyber threat hunting typically involves three steps: a trigger, an investigation and a resolution. Step 1: The Trigger A trigger  points threat hunters to a specific system or area of the network for further investigation when advanced detection tools identify unusual actions that may indicate malicious activity. Often, a hypothesis about a new threat can be the trigger for proactive hunting. For example, a security team may search for advanced threats that use tools like fileless  malware  to evade existing defenses. Step 2: Investigation During the  investigation phase , the threat hunter uses technology such as  EDR (Endpoint Detection and Response)  to take a deep dive into potential malicious compromise of a system. The investigation continues until either the activity is deemed benign or a complete picture of the malicious behavior has been created. Step 3: Resolution The resolution phase  involves communicating relevant malicious activity
Read more