Cyber Threat Intelligence - Maturity and Metrics

The document discusses cyber threat intelligence maturity and metrics. It provides guidance on developing a mature intelligence program, including prioritizing requirements, collecting relevant information, analyzing data, disseminating intelligence products, and incorporating feedback into the intelligence cycle. Key aspects of a mature program are documented and updated requirements, collection management, predictive analysis, and identifying knowledge gaps to improve future intelligence.

Cyber Threat Intelligence: Maturity and Metrics

By Mark Arena, CEO, Intel 471
http://intel471.com

Intelligence definition

• "… intelligence is information that has been analyzed and refined so that it is useful to policymakers in making decisions—specifically, decisions about potential threats …"

• https://www.fbi.gov/about-us/intelligence/defined

Maturity illustration (speech bubbles from the slide graphic):

• I have IOCs!
• Everything is targeted at me and unique to me! Can't share!
• IOCs are not actionable!
• IP blocked!
• Only able to consume tactical intelligence products
• I have IOCs with grouping and some context!
• This is China APT - Ugly Panda!
• I mostly copy content from vendor threat intel reports
• Have some pre-determined requirements documented
• It's not relevant unless it hits us!
• I have prioritized intelligence requirements
• I produce unique, timely and relevant intelligence products to different internal consumers
• I look at threats to my vertical/sector, not just my org
• My intelligence program is expensive!
• We see everything!
• No one flies
• We can jump a lot though

Cyber threat intelligence

• Two main customer/consumer intelligence product types:
  - Executives/decision makers
  - Network defenders
  - Others (e.g. fraud teams)
• Different intelligence products (deliverables) needed
• Current market focus?


Relevance

• Relevance: does this intelligence (collection) satisfy one or more of my intelligence requirements?
• If I don't have intelligence requirements (you should), does this impact me or my sector/vertical?

Giving tactical intelligence products with IOCs to your C level

Your intelligence program's maturity is based on your ability to do each part of the intelligence cycle.

Input into the intelligence cycle: prioritized business risks.

Output of the intelligence cycle: decrease of probability or impact of a business risk.

Incident Centric Intelligence
Actor Centric Intelligence

Planning, Direction, Needs, Requirements

• Three requirements lists to build and maintain:
  - Production requirements – What will be delivered to the intelligence customer/consumer.
  - Intelligence requirements – What we need to collect to meet our production requirements.
  - Collection requirements – The observables/data inputs we need to answer our intelligence requirements.

Production requirements vs. intelligence requirements

• Production requirements: what is needed to be delivered to the intelligence customer (the end consumer of the intelligence).
• Intelligence requirements: what we need to collect to be able to meet our production requirements.

Production requirement: What vulnerabilities are being exploited in the world that we can't defend against or detect?

Intelligence requirements:
- What vulnerabilities are currently being exploited in the wild?
- What exploited vulnerabilities can my organization defend?
- What exploited vulnerabilities can my organization detect?
- What vulnerabilities are being researched by cyber threat actors?

Intelligence requirements vs. collection requirements

• Intelligence requirements: what we need to collect to be able to meet our production requirements.
• Collection requirements: the observables/data inputs we need to answer the intelligence requirements.

Intelligence requirement: What vulnerabilities are currently being exploited in the wild?

Collection requirements:
- Liaison with other organizations in the same market sector.
- Liaison with other members of the information security industry.
- Open source feeds of malicious URLs, exploit packs, etc. mapped to the vulnerability/vulnerabilities being exploited.
- Online forum monitoring where exploitation of vulnerabilities are

Intelligence requirement: What vulnerabilities are being researched by cyber threat actors?

Collection requirements:
- Online forum monitoring.
- Social network monitoring.
- Blog monitoring.

Requirements updates

• Update your requirements at least bi-annually.
• Ad hoc requirements should be a subset of an existing requirement.

Once you have your collection requirements

• Look at what is feasible.
  - Consider risk/cost/time of doing something in-house versus using an external provider.
• Task out individual collection requirements internally or to external providers as guidance.
• Track internal team/capability and external provider ability to collect against the assigned guidance.

Collection

• Characteristics of intelligence collection:
  - Source of collection or characterization of source provided
  - Source reliability and information credibility assessed
• Some types of intelligence collection:
  - Open source intelligence (OSINT)
  - Human intelligence (HUMINT)
  - Liaison
  - Technical collection

NATO's admiralty system

• Used for evaluating intelligence collection

Reliability of Source                 Accuracy of Data
A - Completely reliable               1 - Confirmed by other sources
B - Usually reliable                  2 - Probably true
C - Fairly reliable                   3 - Possibly true
D - Not usually reliable              4 - Doubtful
E - Unreliable                        5 - Improbable
F - Reliability cannot be judged      6 - Truth cannot be judged

https://en.wikipedia.org/wiki/Admiralty_code

Processing / Exploitation

• Is your intelligence collection easily consumable?
  - Standards
  - Centralized data/information (not 10 portals to use)
  - APIs
• Language issues?
• Threat intelligence platforms (TIPs) can help you here

Intelligence analysis

• Intelligence style guide
  - Defines format and meanings of specific terms within your intelligence products
• Analysts who are able to deal with incomplete information and predict what has likely occurred and what is likely to happen.
• Encourage analysts to suggest multiple hypotheses.

Not analysis

• Dealing with facts only (intelligence analysts aren't newspaper reporters)
• Reporting on the past only, no predictive intelligence
• Copying and pasting intelligence reports from vendors
  - You have outsourced your intelligence function

Words of estimative probability

• Consistency in words used to estimate probability of things occurring or not occurring, e.g.:

The General Area of Possibility
100%                         Certainty
93% give or take about 6%    Almost certain
75% give or take about 12%   Probable
50% give or take about 10%   Chances about even
30% give or take about 10%   Probably not
7% give or take about 5%     Almost certainly not

Google search for: CIA words of estimative probability

Dissemination

• Intelligence products written with each piece of collection used graded and linked to source.
• Intelligence products sent to consumers based on topic and requirements met.
• What information gaps do we have?

Feedback loop

• We need to receive information from our intelligence customers on:
  - Timeliness
  - Relevance
  - What requirements were met?
• This will allow identification of intelligence (collection) sources that are supporting your requirements and which aren't.

Intelligence program KPIs

• Quantity – How many intelligence reports produced?
• Quality – Feedback from intelligence consumers
  - Timeliness, relevance and requirements met

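The dissemination, feedback-loop and KPI slides describe reports whose collection is admiralty-graded and linked to source and requirements, with consumer feedback closing the loop. The Python below is an added example (not from the deck or Intel 471) that models exactly that; all report, source and requirement names are constructed sample data.

```python
# Added example, not from the slides: reports cite collection graded with the
# admiralty code (reliability letter + credibility digit, e.g. "B2") and linked
# to requirements; consumer feedback then yields KPIs, idle sources and gaps.
import re
from collections import defaultdict
from dataclasses import dataclass, field

ADMIRALTY = re.compile(r"^[A-F][1-6]$")

@dataclass
class Report:
    rid: str
    sources: dict              # source name -> admiralty grade
    requirements: set          # intelligence requirement IDs addressed
    feedback: list = field(default_factory=list)  # (timely, relevant, reqs_met)

    def __post_init__(self):
        bad = [g for g in self.sources.values() if not ADMIRALTY.match(g)]
        if bad:  # dissemination rule: every piece of collection is graded
            raise ValueError(f"{self.rid}: ungraded collection {bad}")

def kpis(reports, all_requirements):
    """Quantity, quality (consumer feedback), idle sources and knowledge gaps."""
    fb = [f for r in reports for f in r.feedback]
    met, supporting = set(), defaultdict(set)
    for r in reports:
        for _, _, reqs_met in r.feedback:
            met |= reqs_met
            for src in r.sources:       # credit every source the report used
                supporting[src] |= reqs_met
    sources = {s for r in reports for s in r.sources}
    weak = {s for r in reports for s, g in r.sources.items() if g[0] >= "D" or g[1] >= "4"}
    return {
        "quantity": len(reports),
        "timeliness": sum(t for t, _, _ in fb) / len(fb) if fb else 0.0,
        "relevance": sum(rv for _, rv, _ in fb) / len(fb) if fb else 0.0,
        "requirements_met": met,
        "knowledge_gaps": set(all_requirements) - met,   # push back into planning
        "idle_sources": sorted(s for s in sources if not supporting[s]),
        "weak_graded_sources": sorted(weak),             # D-F or 4-6 grades
    }

REPORTS = [  # constructed sample reports
    Report("R-001", {"sector-liaison": "B2", "paste-site": "E4"}, {"IR-1"},
           feedback=[(True, True, {"IR-1"})]),
    Report("R-002", {"vendor-feed": "A1"}, {"IR-1", "IR-2"},
           feedback=[(True, False, set())]),
    Report("R-003", {"forum-monitor": "C3"}, {"IR-3"}),  # no feedback yet
]
ALL_IRS = {"IR-1", "IR-2", "IR-3"}
```

Calling `kpis(REPORTS, ALL_IRS)` on the sample data reports IR-2 and IR-3 as knowledge gaps and flags the vendor feed and forum monitor as sources that have not yet supported a met requirement.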
Item (Yes/No)

• Regularly (bi-annually) updated requirements list that maps to your prioritized business risks.
• Ad hoc requirements map to existing documented intelligence requirements.
• Documented production requirements.
• Documented intelligence requirements.
• Documented collection requirements.
• Documented linking of collection requirements to internal teams/capabilities or external providers (guidance).
• Regular assessment of guidance versus output from internal capabilities and external providers (collection management).
• Intelligence collection is easily consumable, e.g. in a TIP.
• Intelligence style guide.
• Have an intelligence review and editing process.
• Intelligence produced includes future predictions and doesn't just report on facts.
• Sources used in intelligence products are linked and graded.
• Knowledge gaps are identified in intelligence products and pushed back into the requirements part of the intelligence cycle.
• Feedback is received from intelligence consumer/customer.
• KPIs are generated for the intelligence program.
• KPIs are generated for each part of the intelligence cycle including for internal and external sources of intelligence collection.
• Have an intelligence (collection) management function that handles requirements to assigned guidance.

Questions
