Striking the match with cyber threat intelligence

Our last couple of posts introduced four types of intelligence product/reporting: Technical Data, TTPs, Assessment and Estimation, and Vulnerability.

Intelligence or information in these categories is available from a variety of sources, including paid intelligence providers. Intelligence practitioners call incoming sources of information or intelligence “feeds”. But until you know what to do with them, you will waste vast amounts of money, time, and energy.

So here’s the secret: when reviewing feeds, analysts look for matches between the external world and their internal systems across all four categories.

You will note that each risk intelligence type roughly corresponds to activities that can be considered operational, tactical, and strategic, respectively. In many cases, this also corresponds to a different security role or user within an organization. For example:

  1. Threat Hunters match technical data (such as attacker-controlled domain names) with data in internal sensor networks to identify compromises that have already occurred.
  2. The Change Management Team matches TTP information and vulnerability disclosure information (such as an understanding of vulnerabilities exploited in attacks against other organizations) with software operated internally to prioritize patching or other mitigations.
  3. CISOs and CIOs match assessments and estimations of adversary capability (such as those drawn from long term planning documents and military doctrine of non-friendly nation-states) with their own operational geographies and industries.
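The first two matches in the list above, as an added example that is not code from the original post: a threat-hunting pass that joins a technical-data feed (domains and IPs) against internal sensor records, and a change-management pass that joins a vulnerability feed against a software inventory, ranking assets exposed to actively exploited issues first. Every feed entry, log line, hostname, product name and vulnerability id below is constructed for illustration; the ids are labelled placeholders, the IPs come from documentation-only ranges, and the log format is an assumed one-record-per-line layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# ---- Constructed inputs (placeholders, not real indicators) ----------------
FEED_DOMAINS = {"update-check.example.net", "cdn-assets.example.org"}
FEED_IPS = {"203.0.113.45", "198.51.100.7"}  # RFC 5737 documentation ranges

# Constructed vulnerability-feed entries; ids are labelled placeholders
VULN_FEED = [
    {"id": "VULN-PLACEHOLDER-001", "product": "examplevpn",
     "fixed_in": "4.2.1", "exploited_in_wild": True},
    {"id": "VULN-PLACEHOLDER-002", "product": "examplemail",
     "fixed_in": "2.0.0", "exploited_in_wild": False},
    {"id": "VULN-PLACEHOLDER-003", "product": "examplevpn",
     "fixed_in": "5.0.0", "exploited_in_wild": False},
]

# Constructed internal sensor records: "<timestamp> <host> dns query=<name>"
# or "<timestamp> <host> conn dst=<ip>:<port>"
SENSOR_LOGS = """\
2024-05-01T10:00:01Z ws-0412 dns query=www.example.com
2024-05-01T10:00:07Z ws-0412 dns query=Update-Check.example.net.
2024-05-01T10:00:09Z ws-0412 conn dst=203.0.113.45:443
2024-05-01T10:01:13Z srv-db-02 conn dst=10.0.4.20:5432
2024-05-01T10:02:44Z ws-0177 dns query=login.cdn-assets.example.org
"""

# Constructed internal software inventory
INVENTORY = [
    {"host": "vpn-gw-01", "product": "ExampleVPN", "version": "4.1.9"},
    {"host": "mail-01", "product": "ExampleMail", "version": "2.3.1"},
    {"host": "vpn-gw-02", "product": "ExampleVPN", "version": "4.3.0"},
]


@dataclass(frozen=True)
class Hit:
    timestamp: str
    host: str
    indicator: str   # the feed entry that matched
    reason: str      # what was observed internally

LOG_RE = re.compile(r"^(\S+) (\S+) (dns query=|conn dst=)(\S+)$")


def normalize_domain(name: str) -> str:
    """Lower-case and drop the trailing dot so feed and log spellings compare equal."""
    return name.strip().lower().rstrip(".")


def matching_feed_domain(fqdn: str, feed_domains: Set[str]) -> Optional[str]:
    """Return the feed domain that fqdn equals or is a subdomain of, else None."""
    labels = normalize_domain(fqdn).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed_domains:
            return candidate
    return None


def hunt(log_text: str, feed_domains: Set[str], feed_ips: Set[str]) -> List[Hit]:
    """Threat-hunting pass: technical data from the feed vs. internal sensor records."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable record; a real pipeline would count these
        ts, host, kind, value = m.groups()
        if kind.startswith("dns"):
            fd = matching_feed_domain(value, feed_domains)
            if fd:
                hits.append(Hit(ts, host, fd, f"dns query for {normalize_domain(value)}"))
        else:
            ip = value.rsplit(":", 1)[0]
            if ip in feed_ips:
                hits.append(Hit(ts, host, ip, f"connection to {value}"))
    return hits


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def prioritize_patching(inventory, vuln_feed) -> List[Tuple[str, str, str, str]]:
    """Change-management pass: vulnerability feed vs. inventory.
    Returns (host, product, version, vuln id), exploited-in-the-wild entries first."""
    rows = []
    for asset in inventory:
        for vuln in vuln_feed:
            if asset["product"].lower() != vuln["product"]:
                continue
            if version_tuple(asset["version"]) < version_tuple(vuln["fixed_in"]):
                rows.append((vuln["exploited_in_wild"], asset["host"],
                             asset["product"], asset["version"], vuln["id"]))
    rows.sort(key=lambda r: (not r[0], r[4]))  # True (exploited) sorts first
    return [r[1:] for r in rows]


if __name__ == "__main__":
    for h in hunt(SENSOR_LOGS, FEED_DOMAINS, FEED_IPS):
        print("HUNT ", h)
    for row in prioritize_patching(INVENTORY, VULN_FEED):
        print("PATCH", row)
```

The domain match walks up the label hierarchy so a feed entry for a parent domain also catches lookups for its subdomains, and normalization handles the case and trailing-dot differences that otherwise cause silent misses; the patch ranking puts assets affected by actively exploited issues at the top, which is the prioritization the post describes.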