Threat intelligence basics: crawling, walking, and analysis (Part 3)
This is the last article of the threat intelligence basics trilogy (see Part 1 and Part 2). It continues the discussion of how threat intelligence is put into practice in security operations.
Intelligence Analysis in security operations
In the first two parts of this series, we introduced the intelligence framework: the levels of intelligence (strategic, operational, and tactical) and the types of intelligence (such as technical, trend, and long-term intelligence). Whatever the level or type, the need for intelligence analysis does not change.
Analysis is the most important part of intelligence. It takes data and turns it into intelligence that forms the basis for our decisions.
Analysis: lost fragments
In my RSA talk, I compared the traditional intelligence cycle with the cyber threat intelligence cycle:
[Figure: traditional intelligence cycle compared with the cyber threat intelligence cycle]
We are very good at collection, processing, and dissemination, but we tend to skip a large and important part of the intelligence cycle: analysis. The result is alerts that never fire, too many false positives, and users who are misled.
Intelligence analysis is easy to talk about but hard to carry out, especially in an emerging field such as cyber threat intelligence. Models and methods help us understand the analysis process, but choosing the right model is not easy: there are many similar models, and each plays a different role in a different scenario.
So the question is: what is analysis?
Intelligence analysis aims to reduce uncertainty, provide warning of threats, and deliver the assessment and interpretation of information that supports decision-making. Former U.S. Secretary of State Colin Powell summed up "intelligence" briefly: "Tell me what you know, tell me what you don't know, and then tell me what you think."
With the help of the information collected by yourself or others, analysts can further identify which parts need to be collected and which can be used as a reference, and then decide how they use the information.
Before you start the analysis, you should define its purpose. In theory, the requirement comes from a leader, a customer, or another kind of consumer. In practice, however, the customer's requirements are often unclear, so understanding what your organization actually needs from threat intelligence is critical. The first step is to find out where the problem is, or what is worth exploring.
Analysis Model
Once you understand the problems that need to be solved in intelligence analysis, you can select the best model from different analysis models for analysis. Some useful resources are listed here to help you understand common threat intelligence models.
Different models serve different purposes. SWOT suits higher-level analysis: it identifies your own strengths and weaknesses by comparison with your adversaries. F3EAD, the Diamond Model, and the Kill Chain can be used to analyze specific campaigns or the relationships between different incidents and campaigns. Target Centric Intelligence is a less well-known model, but it not only helps us understand an incident; it also strengthens collaboration between intelligence decision makers, collectors, analysts, and other relevant teams, which avoids duplicated collection, unshared information, and the common false positives that occur during intelligence processing.
· SWOT (Strengths, Weaknesses, Opportunities, Threats)
· Find, Fix, Finish, Exploit, Analyze, Disseminate (F3EAD) by @sroberts
· Target Centric Intelligence
· Diamond Model for Intrusion Analysis
· Analysis of Adversary Campaigns and Intrusion Kill Chains
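The Diamond Model and the Kill Chain are most useful when incidents are recorded in a form that lets an analyst pivot between them. The following Python script is an added example, not code from the original article: it represents each incident as a Diamond Model event (adversary, capability, infrastructure, victim, plus a kill chain phase), links events that share a capability or infrastructure into candidate campaigns, orders each campaign along the kill chain, and carries a known adversary attribution across to the unattributed events in the same cluster. All event data, host names, indicators, and the adversary label are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Diamond Model core features for one intrusion event, plus the kill chain phase
# in which it was observed. All values below are constructed sample data.
@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: Optional[str]   # None when the event is not yet attributed
    capability: str            # tool or malware family observed
    infrastructure: str        # C2 domain / IP the event touched
    victim: str                # affected host
    phase: str                 # kill chain phase


KILL_CHAIN = (
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command and control", "actions on objectives",
)

# Features an analyst pivots on: two events sharing either value are linked.
PIVOT_FEATURES: Tuple[str, ...] = ("capability", "infrastructure")

# Constructed incidents: E1/E2 share infrastructure, E2/E3 share a capability,
# E4 is unrelated. Only E2 carries an attribution from a prior report.
EVENTS: List[DiamondEvent] = [
    DiamondEvent("E1", None, "Dropper-A", "update-cdn[.]example", "finance-ws-01", "delivery"),
    DiamondEvent("E2", "GROUP-X", "Backdoor-B", "update-cdn[.]example", "hr-ws-04", "command and control"),
    DiamondEvent("E3", None, "Backdoor-B", "203.0.113.7", "finance-ws-01", "installation"),
    DiamondEvent("E4", None, "Miner-C", "198.51.100.9", "web-01", "actions on objectives"),
]


def cluster_events(events: List[DiamondEvent],
                   pivot_features: Tuple[str, ...] = PIVOT_FEATURES) -> List[FrozenSet[str]]:
    """Group events into candidate campaigns using union-find over shared pivot values."""
    parent: Dict[str, str] = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen: Dict[Tuple[str, str], str] = {}
    for e in events:
        for feat in pivot_features:
            key = (feat, getattr(e, feat))
            if key in first_seen:
                union(first_seen[key], e.event_id)   # shared indicator -> same cluster
            else:
                first_seen[key] = e.event_id

    clusters = defaultdict(set)
    for e in events:
        clusters[find(e.event_id)].add(e.event_id)
    return sorted((frozenset(c) for c in clusters.values()), key=min)


def summarize_cluster(events: List[DiamondEvent], cluster: FrozenSet[str]) -> dict:
    """Order a cluster along the kill chain and propagate attribution, flagging conflicts."""
    members = [e for e in events if e.event_id in cluster]
    adversaries = sorted({e.adversary for e in members if e.adversary})
    timeline = sorted(members, key=lambda e: KILL_CHAIN.index(e.phase))
    return {
        "events": [e.event_id for e in timeline],
        # a single known adversary is carried over to the whole cluster;
        # two different names are a conflict the analyst must resolve by hand
        "adversary": adversaries[0] if len(adversaries) == 1 else None,
        "conflict": len(adversaries) > 1,
        "victims": sorted({e.victim for e in members}),
        "pivots": sorted({(f, getattr(e, f)) for e in members for f in PIVOT_FEATURES}),
    }


if __name__ == "__main__":
    for cluster in cluster_events(EVENTS):
        print(summarize_cluster(EVENTS, cluster))
```

The union-find step is the mechanical part of what an analyst does when pivoting on a shared C2 domain or malware family; the summary is where the model earns its keep, because an attribution conflict or an unexpected victim in a cluster is exactly the kind of finding that should send the analyst back to collection rather than straight to a report.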
A note on information collection
In general, the quality of an intelligence analysis depends on the quality of the initial information. A trained intelligence analyst is able to evaluate a source and judge whether subjective factors have affected its reliability. In cyber threat intelligence analysis we mostly rely on data collected through other channels rather than first-hand information, which is one of the important reasons to also analyze information from your own network.
In addition, as a team member, you need to keep your information transparent so that others can analyze it too. This may expose sources or collection methods, so a balance must be struck between protecting the source and making full use of the intelligence.