The market’s understanding of threat intelligence is evolving. According to Gartner, “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that you can use to inform decisions regarding the subject’s response to that menace or hazard.” Forrester defines threat intelligence as “details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence’s primary purpose is to inform business decisions regarding the risks and implications associated with threats.”
Converting these definitions into common language could translate to threat intelligence being evidence-based knowledge of the capabilities of internal and external threat actors. How can this type of data benefit the SOC? The idea is extending security awareness beyond the internal network by consuming intelligence from other sources Internet-wide related to possible threats to your organization. For example, you might hear about a threat that has impacted multiple organizations, and so you can proactively prepare rather than react once the threat is seen against your network. Do not confuse threat intelligence with enrichment data discussed earlier in this chapter. Providing an enrichment data feed is one service that threat intelligence platforms would typically provide.
Forrester defines a five-step threat intelligence cycle, shown in Figure 2-12, for evaluating threat intelligence sources: planning and direction, collection, processing, analysis, and production and dissemination.
Figure 2-12 Threat Intelligence Cycle According to Forrester
In many cases, you will be the consumer for one or more intelligence feeds. A number of threat intelligence platforms that you might want to consider include the following:
- Cyber Squad ThreatConnect:9 An on-premises, private, or public cloud solution offering threat data collection, analysis, collaboration, and expertise in a single platform. Learn more at http://www.threatconnect.com/.
- BAE Detica CyberReveal: A multithreat monitoring, analytics, investigation, and response product. CyberReveal brings together BAE Systems Detica’s heritage in network intelligence, big data analytics, and cyberthreat research. CyberReveal consist of three core components: platform, analytics, and investigator. Learn more at http://www.baesystems.com/.
- Lockheed Martin Palisade: Supports comprehensive threat collection, analysis, collaboration, and expertise in a single platform. Learn more at http://www.lockheedmartin.com/.
- MITRE CRITs: Collaborative Research Into Threats (CRITs) is an open source feed for threat data. Learn more at https://crits.github.io/.
In addition, a number of standards of schemas are being developed for disseminating threat intelligence information, including the following:
- Structured Threat Information eXpression (STIX): An express language designed for sharing of cyberattack information. STIX details can contain data such as the IP address of command-and-control servers (CnC), malware hashes, and so on. Learn more at http://stix.mitre.org/.
- Open Indicators Of Compromise (OpenIOC): Open framework for sharing threat intelligence in a machine-digestible format. Learn more at http://www.openioc.org/.
- Cyber Observable eXpression (CybOX): A free standardized schema for specification, capture, characterization, and communication of events of stateful properties that are observable in the operational domain. Learn more at https://cybox.mitre.org/.
Transport mechanisms, such as Trusted Automated eXchange of Indicator Information (TAXII), are used to exchange cyberthreat information represented by the previously discussed schemas.
You should define what threat intelligence is best for your security operation. Evaluation criteria could include the benefits it brings, do you plan to consume it, and how threat intelligence will integrate with your SOC technologies and processes, including the automation of this integration. Also, it is important to note that there are many open source and non-security-focused sources that can be leveraged for threat intelligence as well. Some examples are social media sources, forums, blogs, vendor websites, and so on.