Five best practices to improve threat report action & analysis
Article by FireEye CTO for EMEA David Grout and ThreatQuotient technical director for Europe Yann Le Borgne.
Most organisations have more threat intelligence than they know how to action — including those who do not have established deep threat intelligence programmes.
Security teams are bombarded by millions of threat data points or indicators every day, making it seem impossible to appreciate or realise the full value of third-party data.
Here's a breakdown of how to analyse a threat report and make it actionable.
Select the right sources of threat data for the organisation
During a recent CyberSocial webcast, real-time audience poll responses suggested that as a cohort, they predominantly utilised a well-balanced combination of threat intelligence sources. While these audience members and their organisations are on the right track, it is equally important to identify the right sources that apply to an individual organisation and collect threat reports from several sources.
This will provide differing insights, whether strategic, operational or tactical. Determining the 'who, what, when and where' is crucial in successfully deploying or actioning threat intelligence.
Open source intelligence (OSINT) has the advantage of being free and easy to access. However, organisations must also consider the trust and reliability of sources.
In a classical hierarchy, the highest level of trust comes from the intelligence an organisation generates itself, known as internal threat intelligence. Next comes intelligence received from close networks or industry peers, such as ISACs, CERTs or government sources. OSINT sits at the bottom as the least trustworthy.
Trust models can help with navigating this hierarchy. For example, the Admiralty System or NATO System model is classified from 'A to F' for reliability and '1 to 6' for credibility — this is particularly helpful for assessing new sources during an event, attack or crisis.
Applying a scale or scoring system like this to threat intelligence not only helps determine what to do with the data and insights provided by sources, it also reduces false positives and allows teams to focus on what matters.
Determine who is responsible for owning data or insights from threat intel sources
For around a quarter of organisations, all their internal security groups or teams have access to threat intelligence sources. While it may seem like a great idea to provide broad access, it is better to have one team responsible for acquiring and analysing threat reports and then delivering actionable insights.
There is no real advantage if every stakeholder has access or is responsible for every level of intelligence — in fact, this can become a potential disadvantage if communication and processes are unclear.
Structure the data for analysis and application
Three critical steps for threat intelligence analysis include:
- Understanding the context of the report or source
- Determining the relevance of the report or source
- Relating the report to any prior intelligence or incidents.
This process ensures intelligence can be contextualised and prioritised, but doing so requires structured uniformity. Threat data comes in various formats, including MITRE ATT&CK techniques, news articles, blogs, tweets, industry reports, and indicators of compromise (IoCs) from threat feeds.
The information an organisation gathers from a report must be expressed with the organisation's own vocabulary and translated into a machine-readable format so that it can be linked to other related reports.
Thinking beyond format is also required, as the volume of information across the threat intel landscape is high, and different groups use different language when referring to the same thing. By normalising data, information can be aggregated and organised quickly. This is why scoring is important when using a threat intelligence platform (TIP) such as ThreatQ. Structuring data ensures that the organisation will be able to focus on the threats that matter most.
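The two ideas above, an Admiralty-style source rating (reliability 'A to F', credibility '1 to 6') and normalising feed records into the organisation's own vocabulary so they can be linked and scored, worked through as an added example that is not ThreatQ or FireEye code. The numeric weights, the alias map, the noisy-OR combination of corroborating sources and the sample feeds are all assumptions made for the illustration.

```python
# Added example (not ThreatQ or FireEye code): normalise indicators from
# several feeds, score them by source rating, merge duplicates, prioritise.
from math import prod

# Admiralty/NATO system: reliability A (reliable)..F (cannot be judged),
# credibility 1 (confirmed)..6 (cannot be judged). Numeric weights assumed.
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}
CREDIBILITY = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.4, 5: 0.2, 6: 0.0}

# Feeds name the same indicator type differently; map to our own vocabulary.
TYPE_ALIASES = {"ip": "ipv4", "ipv4-addr": "ipv4", "ip_address": "ipv4",
                "domain": "domain", "fqdn": "domain", "hostname": "domain"}

def source_score(rating):
    """'B2' -> 0.8 * 0.8 = 0.64; an unknown letter or digit raises KeyError."""
    return RELIABILITY[rating[0].upper()] * CREDIBILITY[int(rating[1])]

def normalise(record):
    """Feed-specific record -> (type, value) in the organisation's vocabulary."""
    return TYPE_ALIASES[record["type"].lower()], record["value"].strip().lower()

def aggregate(feeds):
    """feeds: [(source, admiralty_rating, records)] -> {(type, value): info}.
    Duplicates across feeds are merged; corroboration combines noisy-OR style,
    1 - prod(1 - s_i), so several weak OSINT sightings never outrank one
    confirmed internal sighting and the score never exceeds 1.0 (assumed)."""
    hits = {}
    for source, rating, records in feeds:
        s = source_score(rating)
        for rec in records:
            hits.setdefault(normalise(rec), []).append((source, s))
    return {key: {"sources": [src for src, _ in seen],
                  "score": 1 - prod(1 - s for _, s in seen)}
            for key, seen in hits.items()}

def prioritise(merged, threshold=0.5):
    """Return (type, value, score) at or above threshold, highest first."""
    ranked = [(t, v, info["score"]) for (t, v), info in merged.items()
              if info["score"] >= threshold]
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample feeds using reserved/example addresses and names only.
FEEDS = [
    ("internal-soc", "A1", [{"type": "ip", "value": "203.0.113.7"}]),
    ("sector-isac", "B2", [{"type": "ipv4-addr", "value": "203.0.113.7"},
                           {"type": "fqdn", "value": "Bad.Example.test"}]),
    ("osint-blog", "E3", [{"type": "domain", "value": "bad.example.test"},
                          {"type": "hostname", "value": "other.example.test"}]),
]
```

Running `prioritise(aggregate(FEEDS))` keeps the corroborated address and domain and drops the single E3 OSINT sighting, which is the false-positive reduction the scoring is meant to give.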
Leverage the capabilities of tools to achieve objectives
The majority of the audience on the webcast revealed that they use technical ingestion (SIEM), which indicates that desired outcomes are more technical, with 15% handling the acquisition and analysis process manually.
The issue with a manual approach is that it will create quite a challenge during a big event. A TIP does a great job of extracting context and then helping organisations use information for different use cases — this could be alert triage, threat hunting, spear-phishing investigation and incident response.
Equally, selecting a tool that works well with frameworks like MITRE ATT&CK is crucial. Organisations are identifying their crown jewels and mapping them to frameworks like MITRE ATT&CK to understand the adversaries that might target them and the techniques to concentrate on.
The right tools equal actionable data
Analysis allows for prioritisation, which allows organisations to determine the appropriate actions to take. There are a variety of tools to help make threat reports actionable, and to achieve desired outcomes at the strategic level (executive reporting), operational level (changes in security posture) and tactical level (updating rules and signatures).
While many organisations use a TIP to make data actionable for detection and protection, far fewer use a TIP for forensics. This is a missed opportunity and capability that teams should be exploring as their capabilities, tools and frameworks mature.