Introducing basic threat intelligence to your security operations

TI (“Threat intelligence”) is a daunting subject within cyber security, so much so that, for fear of not getting it right, we often avoid attempting to implement it within our operations. The allure of a shiny TIP (“threat intelligence platform”) to solve all of your problems is enticing, but without the basics implemented within operations, you will often end up with another tool providing little to no value.

The truth is that TI is complicated and that cannot be avoided. However, it is entirely possible to start your journey by implementing some form of TI process within your operations, then continually improving it as your operations mature.

Before we talk through the steps to introduce such a process, some key concepts are worth noting:

What is threat intelligence in the context of cyber security?

TI is not a concept that is easily defined, nor is there one agreed definition within the sector. This is largely because, as a concept, it covers a wide range of different approaches depending on your particular use case.

In its most basic form, TI is the identification of information related to threats, or the potential for threats, in the context of your business and operations. In our context we are considering TI from a cyber security perspective, sometimes referred to as CTI (“Cyber Threat Intelligence”).

Practically this means that within your operations you need:

  • The ability to identify threat information, often by utilising what are referred to as threat feeds.

  • A process to apply business context to threat information, such as knowledge of your assets and their applicability to a particular threat.

  • A process to assess threat data for the risk it poses to your business, including potential scenarios whereby the threat could become realised.

  • The ability to react to your risk assessment and apply some form of mitigation to, or tolerance of, the threat identified.

Threat intelligence as a subject can go into much more depth, and I would recommend the TI section of the NCSC guidance on building a Security Operations Centre as a starting point for further research: Building a Security Operations Centre (SOC) - NCSC.GOV.UK.

Types of Threat Intelligence

There are many different types of TI available for our SecOps teams to use. Any information that helps to inform you of the potential threats to your business can be considered TI.

The consensus is that TI is broken down into four distinct categories:

  • Strategic – High level and non-technical, generally focused towards your senior stakeholders, and encompassing summaries of the three other types of TI.

  • Tactical – Flexible in its approach, this type of TI often relates to your daily SecOps ability to respond to TI to prevent the potential for compromise.

  • Technical – Generally the detailed technical information received from threat feeds, such as IOCs (“Indicators of Compromise”), to be used either in response to an incident or to prevent future incidents.

  • Operational – Sitting outside of the technical aspect, this covers the wider human elements of TI, such as OSINT (“Open-Source Intelligence”), for example the monitoring of Dark Web communications for indicators of attack.

Each type of TI can be explored in much more depth, and there are many resources available online to research further.

Introducing TI to your Security Operation

Introducing TI to your SecOps can begin with the implementation of a formal process, which should include the necessary steps for the lifecycle of TI, from identification through to feedback. The key steps for any TI process should include:

  1. Identification / Collection – The first step is to identify your chosen threat feeds (examples are listed later in this article) and start collecting your data. In the early stages of your TI journey, collection of data can be managed using tools readily available, such as your ticket management software or even the dreaded Excel. As you mature, more robust options such as MISP (“Malware Information Sharing Platform”) should be considered.

  2. Handling / Processing – Once your data has been identified and collected, you will need a process to ensure it is in a usable format. This could be as simple as taking the information gathered, ensuring the core elements of data you require are present (such as the source of the information, CVE scoring if applicable and any IOCs available) and documenting them in a consistent format ready to be assessed.

  3. Analysis / Assessment – In this step you will take the information you have gathered and documented, then analyse it for applicability to your business and context. This often includes attributing whether the threat exists within your business, alongside a formal risk assessment. It is important to ensure your analysis and assessments are documented and evidence-based where possible. Being able to evidence good decision making within the context of TI will be important for future continual improvement and compliance efforts.

  4. Notification / Assignment – Once your analysis and assessment are complete, and where a threat has been attributed as applicable to your business, it will need to be assigned and/or notified to those responsible for actioning it. This step can include the formal logging of a ticket, with the information you have identified, to an asset owner for action. It could also include notifying a particular operational team of specific indicators to watch out for, to ensure a particular threat is not realised, or to identify if it has been. It is important to note that not all threats can be avoided; however, the more information you have, the better you can respond.

  5. Feedback loop / Continual improvement – Like most processes, TI is not exempt from the need for continual improvement, and feedback on the usefulness of TI, whether the information itself or the process, is incredibly valuable. This feedback loop should be used to ensure your process is always improving, and it should inform the types of threat feeds you eventually choose as you move to a more mature TI operation.
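
The four abilities listed earlier (identify, apply context, assess, react) and the five lifecycle steps above are the same pipeline seen from two angles. The script below is an added illustration of that pipeline, not code from the article or from any tool it names: it normalises three constructed feed items (placeholder CVE ids, documentation-range IPs and .test domains) into a consistent record, attributes each one against a constructed asset inventory, scores the risk, decides who is notified and how urgently, and keeps per-source feedback to inform future feed choices. The regexes, scoring weights and priority thresholds are this example's assumptions, to be replaced by your own risk criteria.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 1. Identification / Collection: constructed raw feed items, as an analyst might
# paste them from a vendor bulletin, an OSINT news review and a sharing-group post.
# CVE ids, IPs (203.0.113.0/24 documentation range) and .test domains are placeholders.
RAW_FEED = [
    {"source": "vendor-bulletin",
     "text": ("Critical flaw CVE-2099-12345 (CVSS 9.8) in ExampleVPN 3.1 is being exploited; "
              "C2 seen at 203.0.113.10 and update.example-bad.test")},
    {"source": "osint-news",
     "text": "Researchers disclose CVE-2099-22222 (CVSS 5.3) in WidgetCMS 2.0; no exploitation known"},
    {"source": "sharing-group",
     "text": "Phishing wave drops loader with SHA256 " + "ab" * 32 + "; lure domain login.example-bad.test"},
]

# Constructed asset inventory: product -> (deployed version, criticality 1-5, owner team).
# This is the "business context" the article says must be applied to threat data.
ASSETS: Dict[str, Tuple[str, int, str]] = {
    "ExampleVPN": ("3.1", 5, "network-team"),
    "WidgetCMS": ("1.9", 2, "web-team"),
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CVSS_RE = re.compile(r"CVSS\s+(\d+(?:\.\d)?)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b")
PRODUCT_RE = re.compile(r"\bin ([A-Z][A-Za-z]+) (\d+\.\d+)")


@dataclass
class ThreatRecord:
    source: str
    summary: str
    cves: List[str]
    cvss: Optional[float]
    products: List[Tuple[str, str]]
    iocs: Dict[str, List[str]]
    exploited: bool
    attribution: str = "none"      # none | ioc-only | possible | confirmed
    risk: float = 0.0
    action: str = "log"            # log | watchlist | P3-ticket | P1-ticket
    owner: Optional[str] = None


# 2. Handling / Processing: normalise free text into a consistent, assessable record.
def process(item: Dict[str, str]) -> ThreatRecord:
    text = item["text"]
    lowered = text.lower()
    m = CVSS_RE.search(text)
    return ThreatRecord(
        source=item["source"],
        summary=text[:80],
        cves=CVE_RE.findall(text),
        cvss=float(m.group(1)) if m else None,
        products=PRODUCT_RE.findall(text),
        iocs={"ipv4": IPV4_RE.findall(text),
              "domain": DOMAIN_RE.findall(text),
              "sha256": SHA256_RE.findall(text)},
        exploited="exploit" in lowered and "no exploitation" not in lowered,
    )


# 3. Analysis / Assessment: attribute the threat to our estate and score the risk,
# then 4. Notification / Assignment: decide who is told and how urgently.
def assess(rec: ThreatRecord) -> ThreatRecord:
    hits = [(name, ver) for name, ver in rec.products if name in ASSETS]
    if hits:
        name, advisory_ver = hits[0]
        deployed_ver, criticality, owner = ASSETS[name]
        # Same version as the advisory: confirmed. Product present but version differs:
        # still flagged, but for the owner to check against the affected range.
        rec.attribution = "confirmed" if deployed_ver == advisory_ver else "possible"
        rec.owner = owner
    elif any(rec.iocs.values()):
        rec.attribution, criticality = "ioc-only", 1
    else:
        return rec                      # nothing for us to act on: keep the log entry only
    base = rec.cvss if rec.cvss is not None else 4.0   # no score given: assume medium
    rec.risk = round(base * criticality * (1.5 if rec.exploited else 1.0), 1)
    if rec.attribution == "ioc-only":
        rec.action = "watchlist"        # SOC adds the indicators to detection content
    elif rec.risk >= 40:
        rec.action = "P1-ticket"        # raised to the asset owner for urgent action
    elif rec.risk >= 10:
        rec.action = "P3-ticket"
    return rec


# 5. Feedback loop: record whether each item proved useful, per source, so the
# usefulness of each feed can steer which feeds you keep as the process matures.
FEEDBACK: Dict[str, List[bool]] = {}


def record_feedback(rec: ThreatRecord, useful: bool) -> None:
    FEEDBACK.setdefault(rec.source, []).append(useful)


def feed_usefulness() -> Dict[str, float]:
    return {src: sum(v) / len(v) for src, v in FEEDBACK.items()}


def run_pipeline(raw=RAW_FEED) -> List[ThreatRecord]:
    return [assess(process(item)) for item in raw]


if __name__ == "__main__":
    for rec in run_pipeline():
        print(f"{rec.source:16} {rec.attribution:10} risk={rec.risk:5} -> {rec.action} ({rec.owner})")
```

Running it produces a P1 ticket for the exploited VPN flaw (our deployed version matches the advisory), a P3 ticket for the CMS item (product present, version differs, so the web team checks it) and a watchlist entry for the phishing indicators. The value is less in the specific thresholds than in the fact that every decision is recorded on the record itself, which is the evidence trail the article asks for.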

The important takeaway is to ensure you have a documented process and formalised steps, including documenting your decision making.

Threat Feeds

The one blocker that often stops SecOps teams from introducing TI processes is the availability of threat feeds. There are many TIPs and other paid-for threat feeds available on the market, but equally there are many more free and open-source options available as well. Each may require a level of maturity to implement; however, some initial types of threat feed that can be used very easily are:

  • OSINT (“Open-Source Intelligence”) / Research – Open-source intelligence can itself come in many forms, but in essence is often defined as gathering freely available information from publicly available sources. For example, a threat actor researching your CEO via LinkedIn would be considered OSINT. Likewise, your SecOps teams regularly reviewing publicly available information to identify threats, such as reviewing BleepingComputer (BleepingComputer | Cybersecurity, Technology News and Support) daily, can also be considered OSINT.

  • Vendor led – One key source of threat feed that is often not considered as part of your operation is your vendors themselves. Having a central process to monitor your vendors for notifications of threats and vulnerabilities is very important. Although sometimes flawed with respect to the time taken to notify of vulnerabilities and threats, in the early days of implementing a TI process within your SecOps, vendors should not be ignored.

  • NCSC CISP (About CISP - NCSC.GOV.UK) – CISP is a platform for security professionals to share threat intelligence and collaborate. Having gone through a recent refresh, it is a valuable tool for joining specific groups, related either to operational domains or to industries, to collaborate with like-minded professionals. It is often useful to integrate reviewing CISP into regular checks for the identification of new threats.

  • Information Sharing Groups – An often-overlooked source of threat feed is joining information sharing groups. These groups often exist for a specific industry, facilitated by vendors or even by bodies such as the NCSC or, locally, the JCSC. They are generally covered by formal terms of reference, whereby the sharing of data is controlled by a traffic light system, so that members sharing information can be confident it will be handled appropriately by others. Membership can be very valuable and often provides a personal touch with respect to understanding how others have responded to threats, providing an initial jump ahead in learning.

There are many more threat feeds available, such as OSINT MISP feeds and open-source toolsets. An important step when initiating your TI process is running through a requirement gathering exercise at the beginning, researching your threat feeds and choosing those applicable to your business. Then, as you mature, you can expand your operation to include those which may need a bit more knowledge to introduce, such as MISP.
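
The "traffic light system" mentioned for information sharing groups only works if your own process enforces it before anything leaves the team. The code below is an added illustration, not the article's or any group's own tooling: it assumes the TLP 2.0 labels published by FIRST (the article does not name a version), gates who may receive material under each label, refuses to re-label received intelligence to a less restrictive marking, and strips your internal business context (affected assets, owner, ticket reference) before a record is shared onward. The record, field names and audience names are constructed for the example.

```python
from typing import Dict, List, Set

# Assumed TLP 2.0 markings (FIRST), ordered most to least restrictive, mapped to the
# audiences that may receive material carrying them. The article only refers to "a
# traffic light system"; the specific labels and audiences are this example's assumption.
TLP_ORDER: List[str] = ["TLP:RED", "TLP:AMBER+STRICT", "TLP:AMBER", "TLP:GREEN", "TLP:CLEAR"]
TLP_AUDIENCE: Dict[str, Set[str]] = {
    "TLP:RED": {"named-recipients"},
    "TLP:AMBER+STRICT": {"named-recipients", "own-organisation"},
    "TLP:AMBER": {"named-recipients", "own-organisation", "clients"},
    "TLP:GREEN": {"named-recipients", "own-organisation", "clients", "community"},
    "TLP:CLEAR": {"named-recipients", "own-organisation", "clients", "community", "public"},
}
# Fields that carry our business context and never leave the organisation (constructed names).
INTERNAL_FIELDS = {"affected_assets", "owner", "internal_ticket"}


def may_share(marking: str, audience: str) -> bool:
    """True if material carrying `marking` may be passed to `audience`."""
    if marking not in TLP_AUDIENCE:
        raise ValueError(f"unknown marking {marking!r}")
    return audience in TLP_AUDIENCE[marking]


def reshare_marking(received: str, proposed: str) -> str:
    """A receiver may re-label only to an equal or more restrictive marking;
    relaxing a marking is the originator's decision, not ours."""
    if TLP_ORDER.index(proposed) > TLP_ORDER.index(received):
        raise PermissionError(f"cannot relax {received} to {proposed}; ask the originator")
    return proposed


def prepare_for_sharing(record: Dict[str, object], marking: str, audience: str) -> Dict[str, object]:
    """Apply the TLP gate and strip internal context before a record leaves the team."""
    if not may_share(marking, audience):
        raise PermissionError(f"{marking} material may not go to {audience}")
    shared = {k: v for k, v in record.items() if k not in INTERNAL_FIELDS}
    shared["tlp"] = marking          # the marking travels with the data
    return shared


# Constructed record: a sharing-group post we received, enriched with our own context.
RECEIVED: Dict[str, object] = {
    "summary": "Credential-phishing lure seen across the sector",
    "iocs": {"domain": ["login.example-bad.test"]},   # placeholder indicator
    "received_tlp": "TLP:AMBER",
    "affected_assets": ["mail-gateway-01"],
    "owner": "soc",
    "internal_ticket": "SEC-0001",                     # placeholder reference
}

if __name__ == "__main__":
    # Forwarding to our own staff under the received marking is fine, and the
    # internal fields are gone from what goes out.
    print(prepare_for_sharing(RECEIVED, str(RECEIVED["received_tlp"]), "own-organisation"))
    # Posting the same item to a wider community would need TLP:GREEN, which we
    # cannot grant ourselves: reshare_marking raises PermissionError here.
    try:
        reshare_marking("TLP:AMBER", "TLP:GREEN")
    except PermissionError as err:
        print(err)
```

Putting the check in one function that every outbound path calls (ticket exports, group posts, vendor escalations) is what turns the group's terms of reference from a document into a control.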

Summary

TI can seem daunting, but it is achievable if you approach it as a journey. Make sure your requirements for threat feeds are achievable, implement a process and continually improve.

Peter Lescop

Pete Lescop is Head of Risk and Security - Group Security Officer at JT Group Limited, and a committee member of the CIISF.

https://www.linkedin.com/in/peter-lescop-177542b2/