I attended FOR578 – Cyber Threat Intelligence (https://www.sans.org/course/cyber-threat-intelligence) at the Cyber Threat Intel Summit this past week. Two of the course authors,
Robert M Lee (@RobertMLee) and Rebekah Brown (@PDXBek), co-taught the class. The
third course author is Jake Williams (@MalwareJake).
My background is network and security operations, incident
response, and pen testing. I haven’t ever functioned as an intel analyst
specifically, but I’ve been both a consumer of intel and a producer of intel
in past roles. There are three primary items that I want to share from this
class.
- The importance of clearly articulating consumption of intel versus production of intel in the team’s mission objectives.
- The potential for enrichment of raw data with intel.
- An effective expression of the kill chain via the concept of “race to the finish.”
Before I go into the details of these items, I want to
explain why they are important to me, so you understand why these
are my primary takeaway lessons. The course that I wrote (MGT517 – Managing
Security Operations: Detection, Response, and Intelligence) discusses
integration of intel into security operations. I wanted to glean as much as
possible from Rob, Rebekah, and Jake’s experience working in the intel
community to ensure that the system I’m presenting is aligned with their
experience, and with what intel analysts attending SANS training will be bringing back
to their organizations.
I determined that most of the other students were there to
sharpen (or to establish) the intelligence function within their organizations.
In speaking with the other attendees, and in listening to their questions,
there were many tactical (how to do the intel actions) questions. There were
also some strategic (what should we be doing) questions but most were on the
tactical side.
The importance of clearly articulating consumption of intel versus production of intel in the team’s mission objectives.
There are two major things to do with threat intelligence:
produce it or consume it. A funded and mature team of threat intelligence
analysts will likely do both. For less mature or less funded functions, the
consumption of intelligence is a more realistic goal. This consumption-only
strategy (summarized) means the purchase of threat intelligence feeds and the
aggregation of open source intelligence information. This information is culled
for the data relevant to the organization the threat intel analysts work for.
At some point in time, these analysts may determine that they have collected
data internal to their organization which is worthwhile to share with other
parties outside of the organization. This is the production of intelligence.
The potential for tight integration of enrichment of raw data with Intel.
Let’s discuss the objective of consumption of intelligence. The
term applied during FOR578 was enrichment. There was discussion of
what this looks like and how to do it. I’m going to skip those details because
they are more granular than the space I intend to devote to this post. But the key
takeaway is that the process of combining external intelligence with internal data is
enrichment. Let’s use the pyramid of pain (https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html) to describe the ingestion of threat intelligence. This remains abstract,
so we’ll refer to the categories of intelligence: hashes; IP addresses; domain
names; host artifacts; tools; and Tactics, Techniques, and Procedures (TTPs).
Enrichment of your internal data with the lower levels
(hashes, IP addresses, domain names, and host artifacts) takes some work, but
is relatively straightforward. Use of this data includes analysis of the data
elements to validate that they are applicable, and correlation against your stored data
to assess the presence of these data elements. An example might be the addition
of the updated file hash values to Sysmon (https://technet.microsoft.com/en-us/sysinternals/sysmon)
tracking. It might include searching your DNS query logs for requests to domain
names identified via the threat intelligence.
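As an added illustration (not code from the course, the post, or any tool it mentions), the following Python script does the two enrichment steps just described: it validates a constructed indicator feed (hashes, IPs, domains) and then correlates the surviving indicators against constructed Sysmon-style and DNS query log lines. The feed values, log lines and field names are all assumptions made up for the example.

```python
import ipaddress
import re
# Constructed intel feed (sample values, not real indicators): the hash, IP and domain
# levels of the pyramid of pain that the post describes enriching internal data with.
INTEL_FEED = [
    {"type": "hash", "value": "0123456789ABCDEF0123456789ABCDEF"},  # MD5-length hex
    {"type": "ip", "value": "203.0.113.45"},                        # RFC 5737 test range
    {"type": "ip", "value": "999.1.1.1"},                           # malformed on purpose
    {"type": "domain", "value": "Updates.example-bad.test."},       # needs normalising
]
# Constructed internal data: Sysmon-style ProcessCreate lines and DNS query log lines.
SYSMON_LINES = [
    "EventID=1 Computer=ws01 Image=C:\\Users\\a\\tool.exe Hashes=MD5=0123456789abcdef0123456789abcdef",
    "EventID=1 Computer=ws02 Image=C:\\Windows\\notepad.exe Hashes=MD5=ffffffffffffffffffffffffffffffff",
]
DNS_LINES = [
    "2024-01-01T10:00:00Z client=10.0.0.7 query=updates.example-bad.test type=A",
    "2024-01-01T10:00:01Z client=10.0.0.8 query=www.example.com type=A",
]

def validate_indicator(ind):
    """Validate one feed entry before use: drop malformed values, normalise case and dots."""
    kind, value = ind["type"], ind["value"].strip().lower().rstrip(".")
    if kind == "hash" and re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{64}", value):
        return value
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if kind == "domain" and re.fullmatch(r"[a-z0-9.-]+\.[a-z]+", value):
        return value
    return None  # unknown type or failed validation

def correlate(feed, sysmon_lines, dns_lines):
    """Enrich internal logs: return every log line that matches a validated indicator."""
    indicators = {"hash": set(), "ip": set(), "domain": set()}
    for entry in feed:
        if (value := validate_indicator(entry)) is not None:
            indicators[entry["type"]].add(value)
    hits = []
    for line in sysmon_lines:  # file-hash indicators against Sysmon process hashes
        m = re.search(r"(?:MD5|SHA256)=([0-9A-Fa-f]+)", line)
        if m and m.group(1).lower() in indicators["hash"]:
            hits.append({"source": "sysmon", "indicator": m.group(1).lower(), "line": line})
    for line in dns_lines:  # domain indicators against internal DNS query logs
        m = re.search(r"query=(\S+)", line)
        if m and m.group(1).lower().rstrip(".") in indicators["domain"]:
            hits.append({"source": "dns", "indicator": m.group(1).lower(), "line": line})
    return hits
```

Each hit is the first indicator the next section talks about: a starting point for collecting more about what the adversary did on that host, not the end of the investigation.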
Most important to this effort
is using that initial item of identification to start the effort of collecting
additional intelligence about what adversaries are doing within your
environment. This can be neatly encapsulated in Bejtlich’s Intruder’s Dilemma:
the defender needs only one initial indicator to begin response (https://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html).
An effective expression of the kill chain via the concept of “race to the finish.”
I discuss the cyber threat kill chain in MGT517 (as well as
ACH, the Diamond Model, and Hofstede’s cultural and organizational dimensions) to
address a terrible shortage of encouragement for objective analysis within security
operations.
Rob had a specific item of guidance regarding practical
application of the Cyber Kill Chain®. Among other practical guidance was
the notion of “race to the finish.” That is, wherever you find a
data element in the kill chain, go down the chain toward the finish rather than
back up the chain to the beginning. The rationale is that the finish is where the
important information is: the information that allows you to understand, and then express, the impact
to the business of the intrusion you’re investigating.
I gathered many other nuggets of wisdom from Rob and
Rebekah. These three items warrant repeating: start with consumption of
intelligence and, as the function matures, move into production of intelligence; enrich
your internal data with the intelligence you consume; and start by racing to the finish
in the kill chain, or whatever framework you use to understand adversary actions.