FOR578 and Cyber Threat Intel Summit 2017

I attended FOR578 – Cyber Threat Intelligence ( https://www.sans.org/course/cyber-threat-intelligence ) at the Cyber Threat Intel Summit this past week. Two of the course authors, Robert M Lee (@RobertMLee) and Rebekah Brown (@PDXBek) co-taught the class. The third course author is Jake Williams (@MalwareJake).

My background is network and security operations, incident response, and pen testing. I haven’t ever functioned as an intel analyst specifically. But, I’ve been both a consumer of Intel and a producer of Intel in past roles. There were three primary items that I want to share from this class.

1. The importance of clear articulation of the use of consumption of Intel versus production of Intel in the mission objectives of the team.
2. The potential for enrichment of raw data with Intel
3. An effective expression of the kill chain via the concept of race to the finish.

Before I go into the details of these items, I want to express why they are important to me, so you understand the reason why these are primary take away lessons. The course that I wrote (MGT517 – Managing Security Operations: Detection, Response, and Intelligence) discusses integration of intel into security operations. I wanted to glean as much as possible from Rob, Rebekah, and Jake’s experience working in the Intel community to assure that the system I’m presenting is aligned with their experience, and what Intel Analysts attending SANS training will be bringing back to their organizations.

I determined that most of the other students were there to sharpen (or to establish) the intelligence function within their organizations. In speaking with the other attendees, and in listening to their questions, there were many tactical (how to do the intel actions) questions. There were also some strategic (what should we be doing) questions but most were on the tactical side.

The importance of clear articulation of the use of consumption of Intel versus production of Intel in the mission objectives of the team.

There are two major things to do with threat intelligence: produce it or consume it. A funded and mature team of threat intelligence analysts will likely do both. For less mature or less funded functions, the consumption of intelligence is a more realistic goal. This consumption only strategy (summarized) means the purchase of threat intelligence feeds and the aggregation of open source intelligence information. This information is culled for the data relevant to the organization the threat intel analysts work for. At some point in time, these analysts may determine that they have collected data internal to their organization which is worthwhile to share with other parties outside of the organization. This is the production of intelligence.

The potential for tight integration of enrichment of raw data with Intel.

Let’s discuss the objective of consumption of intelligence. The term applied during FOR578 was enrichment. There was discussion of what this looks like and how to do it. I’m going to skip those details because it is more granular than the space I intend to devote to this post. But the key take away is the process of combining external intelligence with internal data is enrichment. Let’s use the pyramid of pain ( https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html ) to describe the ingestion of threat intelligence. This is remaining abstract, so we’ll refer to the categories of intelligence: hashes; IP addresses; Domain Names; Host artifacts; Tools; and Tactics, Techniques, and Procedures (TTPs).

Enrichment of your internal data with the lower levels (hashes, IP addresses, Domain Names, and Host Artifacts) takes some work, but is relatively straight forward. Use of this data includes analysis of the data elements to validate they are applicable, and correlation to your stored data to assess the presence of these data elements. An example might be the addition of the updated file hash values to sysmon (https://technet.microsoft.com/en-us/sysinternals/sysmon) tracking. It might include researching your DNS query logs for requests to DNS entries identified via the threat intelligence. 

Most important to this effort is using that initial item of identification to start the effort of collection of additional intelligence about what adversaries are doing within your environment. This can be neatly encapsulated in Bejtlich’s Intruder’s Dilemna: the defender needs only one initial indicator to begin response. (https://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html).

An effective expression of the kill chain via the concept of race to the finish.

I discuss the cyber threat kill chain in MGT517 (as well as ACH, Diamond Model, and Hofstede’s Cultural and Organizational dimensions) to address a terrible shortage of encouraging objective analysis within security operations.

Rob had a specific item of guidance regarding practical application of the Cyber Kill Chain®. Among other practical guidance was included the notion of “race to the finish.” That is, where ever you find a data element in the kill chain, go down the chain until the finish rather than back up the chain to the beginning. The rationale is that is where the important information is that allows you to understand, then express the impact to the business regarding the intrusion you’re investigating.

I gathered many other nuggets of wisdom from Rob and Rebekah. These three items warrant repeating: start with consumption of intelligence and with maturing move into production of intelligence; enrich your internal data with intelligence you consume; start by racing to the finish in the kill chain, or whatever framework you use to understand adversary actions.