Monday, November 23, 2015

What is Threat Intelligence?

It's been a while since I blogged... so be warned: I've just gotten more opinionated.

Threat Intelligence - one of the more recent buzzwords in InfoSec (or "Cyber Security"; yes, I know what word I used).

What is TI? Who does it? How does one do it properly? What are the inputs? What are the outputs (products)? Can non-IC (intelligence community) people learn the tradecraft and do it even remotely properly? -- Lots of questions regarding TI, and it seems that I am not alone in trying to figure it out.

What I know it's not: indicator feeds! We need to get out of the mindset that TI is just streams of indicators with no context! If you're given an IP address alone, with no context, how much can you figure out from it? Yes, with tools you can find out things like the registrar, ASN, passive DNS (pDNS), etc. But do you know whether you should be looking for traffic inbound to it or outbound from it? Do you know whether one behavior is normal and the other abnormal? Answer: most likely not.

How do we move the perception of TI away from context-free indicator wrangling?

I've seen security talked about from a few different angles and in a few different forms: Defense in Depth, NSM, the Pyramid of Pain, and so on. One of the keys to executing on any of these models is knowing your environment. When I say knowing it, I mean understanding intimately the business functions, the critical functions (business and IT), the applications (systems, platforms, and the rest of the glue that makes the business work), and the mitigating controls. Or at least with enough assurance that you understand what is going on and where you need better visibility/instrumentation.

When working on Security and Threat Intelligence I realized that a fair number of orgs/companies need to work on basic Data Intelligence before they start working up to Threat Intelligence. I went with a pyramid, which I'll need to draw up.

Steps (listed from the pyramid's foundation up to its top):
1. Data Intelligence - log/app/event collection, configured to catch what you need
2. Operational/Business Intelligence - using log/app/event data to improve Ops/Biz functions (keep the lights on)
3. Security Intelligence - feed the SIEM for the SOC/CIRT, build baselines, understand the environment
4. Threat Intelligence - advance SI to link internal/external threats to the intelligence stack
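To make the "IP address with no context" point above and the baseline step of the pyramid concrete, here is an added example (my own illustration, not code from the original post): a bare IP indicator matched against constructed flow logs, next to the same match carrying direction and port context and checked against a per-host baseline of what each internal host normally talks to. The log lines, the 10.0.0.0/8 "inside" assumption, and the indicator notes are all made up for the demo; the IPs are documentation ranges.

```python
"""Bare indicator vs. contextual indicator plus baseline (constructed demo).

The flow logs below are constructed for this example, not captured traffic.
Fields: src,dst,dport,bytes.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

INTERNAL_PREFIX = "10."  # assumption: 10.0.0.0/8 is the inside of the network

# Constructed history used to learn the baseline (Security Intelligence step).
BASELINE_LOGS = """\
10.0.1.15,203.0.113.7,443,1200
203.0.113.7,10.0.1.15,443,900
10.0.1.22,198.51.100.9,53,80
10.0.1.15,198.51.100.9,53,70
10.0.1.40,203.0.113.7,443,3000
10.0.1.22,203.0.113.7,443,1100
"""

# Constructed "today" logs that the indicators are run over.
TODAY_LOGS = """\
10.0.1.15,203.0.113.7,443,1500
203.0.113.7,10.0.1.40,443,400
10.0.1.15,192.0.2.33,8443,55000
10.0.1.22,198.51.100.9,53,75
192.0.2.33,10.0.1.15,8443,200
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the comma-separated flow lines; blank lines are ignored."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, dport, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(dport), int(nbytes)))
    return flows


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def bare_indicator_hits(flows: List[Flow], ip: str) -> List[Flow]:
    """Feed-style match: every flow touching the IP in either direction.
    It cannot say whether any of these flows is expected."""
    return [f for f in flows if ip in (f.src, f.dst)]


def build_baseline(flows: List[Flow]) -> Dict[str, Set[Tuple[str, int]]]:
    """Per internal host, the external (dst, port) pairs it has been seen
    initiating to. This is the 'build baselines' step of the pyramid."""
    baseline: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            baseline[f.src].add((f.dst, f.dport))
    return baseline


@dataclass(frozen=True)
class ContextualIndicator:
    ip: str
    direction: str        # "outbound": internal host -> ip; "inbound": ip -> internal host
    port: Optional[int]   # None means any port
    note: str             # the analyst context a raw feed usually drops


@dataclass(frozen=True)
class Hit:
    flow: Flow
    new_for_host: bool    # True if the internal host has no baseline relationship with this peer


def contextual_hits(flows: List[Flow], ind: ContextualIndicator,
                    baseline: Dict[str, Set[Tuple[str, int]]]) -> List[Hit]:
    """Match only in the direction the indicator describes, then tell the
    analyst whether the internal host's relationship with the peer is new."""
    hits = []
    for f in flows:
        if ind.direction == "outbound":
            if not (is_internal(f.src) and f.dst == ind.ip):
                continue
            host = f.src
            new = (f.dst, f.dport) not in baseline.get(host, set())
        elif ind.direction == "inbound":
            if not (f.src == ind.ip and is_internal(f.dst)):
                continue
            host = f.dst
            # Inbound from a peer the host has never initiated to is the odd case.
            new = not any(dst == ind.ip for dst, _ in baseline.get(host, set()))
        else:
            raise ValueError(f"unknown direction {ind.direction!r}")
        if ind.port is not None and f.dport != ind.port:
            continue
        hits.append(Hit(f, new))
    return hits


if __name__ == "__main__":
    today = parse_flows(TODAY_LOGS)
    baseline = build_baseline(parse_flows(BASELINE_LOGS))
    print("bare 203.0.113.7:", len(bare_indicator_hits(today, "203.0.113.7")), "hits, direction unknown")
    saas = ContextualIndicator("203.0.113.7", "outbound", 443, "constructed: known SaaS endpoint")
    c2 = ContextualIndicator("192.0.2.33", "outbound", 8443, "constructed: beacon, hosts initiate to 8443")
    for ind in (saas, c2):
        for h in contextual_hits(today, ind, baseline):
            print(f"{ind.ip} {ind.direction}: {h.flow.src}->{h.flow.dst}:{h.flow.dport} new_for_host={h.new_for_host}")
```

Run against the constructed logs, the bare match on 203.0.113.7 fires on both directions of traffic the baseline already shows is routine, while the contextual indicators separate the routine 443 flow (not new for the host) from the 10.0.1.15 -> 192.0.2.33:8443 flow that no host had ever initiated before. The context and the baseline are what turn the IP into something a SOC can act on.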

Is this possible? Yes. Will it be in constant flux? Of course; we have humans running the damn thing, making decisions and changes.

Is this Threat Intelligence? Nope, but it is what I have in mind on building up to it.

@demon117