Syngress Publishing How to Define and Build an Effective Cyber Threat Intelligence Capability (2015) by Unknown


Author: Unknown
Format: epub


5.1. Illustration: translating the objective into concrete intelligence needs

Let us continue with concrete, tangible cases to make this as real as possible. For each of the examples above, if the objective is to prevent, identify, and investigate losses of sensitive internal data or intellectual property, then what are the mission activities carried out by the group of people who will sit in a room and do the actual work? And how does that list of activities translate into intelligence needs (i.e., the “what” you need to develop or go out and buy)?

One activity might include understanding hacker and threat actor TTPs (tactics, techniques, and procedures). How are they attacking other organizations? How did that recent breach in the news happen? How did they get into that organization? Who was responsible, and what kinds of things do they commonly use to accomplish their goals? If gaining that knowledge is the required activity, then your intelligence need might be defined as a feed, content stream, education program, or other ongoing service that educates your team about those threat actors and their TTPs.

Here is another aspect that might tie to this example. Suppose an activity that supports your mission is attempting to detect when data exfiltration is under way, or that a host on your network has been compromised. If that is a key activity, then what types of data could you use to support it so that you can, in turn, generate intelligence? (You may recall that what many people sell as intelligence, by our definition, is not. But it may be the data you can turn into intelligence.) A vendor might offer a feed of IP addresses and domain names for current drop sites to which exfiltrated data is being transmitted. By taking that list of IPs and putting it into your infrastructure to prevent or monitor data egress, you now have something that can be applied to your organization, has potential business value, and produces an action or response. Thus, data from the vendor can actually become intelligence.
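As an added example (not from the book), this is what "applying the vendor's list to egress monitoring" looks like in code: a feed of drop-site IPs, CIDR ranges and domains is matched against outbound proxy log lines, and only the matches become alerts. The feed rows, log lines, addresses (documentation-reserved ranges) and `.example` names are all constructed for illustration.

```python
import ipaddress

VENDOR_FEED = """\
ip,203.0.113.45,high
cidr,198.51.100.0/24,medium
domain,drop.example,high
"""  # constructed vendor rows (not from the book); documentation-reserved IPs and .example names

EGRESS_LOG = """\
2015-03-02T10:01:11Z 10.0.5.12 192.0.2.10 www.example.org 1420
2015-03-02T10:02:40Z 10.0.5.12 203.0.113.45 - 52428800
2015-03-02T10:03:05Z 10.0.7.9 198.51.100.77 files.drop.example 8388608
"""  # constructed egress/proxy log: timestamp src dst_ip dst_host bytes_out

def parse_feed(text):
    """Turn the raw vendor rows into lookup structures: exact IPs, CIDR nets, domains."""
    ips, nets, domains = {}, [], {}
    for line in text.splitlines():
        kind, value, conf = line.split(",")
        if kind == "ip":
            ips[value] = conf
        elif kind == "cidr":
            nets.append((ipaddress.ip_network(value), conf))
        elif kind == "domain":
            domains[value.lower()] = conf
    return ips, nets, domains

def match_indicator(dst_ip, host, ips, nets, domains):
    """Return (indicator, confidence) when the destination is a listed drop site, else None.
    A domain indicator covers itself and any subdomain of it."""
    if dst_ip in ips:
        return dst_ip, ips[dst_ip]
    for net, conf in nets:
        if ipaddress.ip_address(dst_ip) in net:
            return str(net), conf
    if host != "-":
        for dom, conf in domains.items():
            if host.lower() == dom or host.lower().endswith("." + dom):
                return dom, conf
    return None

def match_egress(log_text, feed_text):
    """Flag egress events that touch an indicator: (src, dst_ip, indicator, confidence, bytes_out)."""
    ips, nets, domains = parse_feed(feed_text)
    hits = []
    for line in log_text.splitlines():
        _ts, src, dst_ip, host, bytes_out = line.split()
        found = match_indicator(dst_ip, host, ips, nets, domains)
        if found:
            hits.append((src, dst_ip, found[0], found[1], int(bytes_out)))
    return hits
```

The byte count on each hit is what turns a bare indicator match into a prioritised response: a 50 MB transfer to a high-confidence drop site is the case to investigate first.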

Another related activity you might define to support this mission is to detect or discover when sensitive data has already left the organization. One activity in support of this would be to scour the internet for internally sourced or authored data or documents, focusing in part on some of the sites and markets that are known to deal in such data: for example, Pastebin, Pastie, PiratePad, and the like; hacker Internet Relay Chat (IRC) channels and forums; document sharing sites like Scribd, Docstoc, and SlideShare; or “leak” sites like OpenLeaks and WikiLeaks. In this scenario, then, the activity is to monitor or check such sources for your own internal materials, and the data or intelligence need might be defined as a feed or service that automates or supports you by doing such searching or monitoring, gathering, screening, and delivering to you any sensitive materials that appear in these forums.
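An added example, not from the book, of the "screening" step such a service has to perform: each scraped item is scored against markers of internal origin (a classification string, an internal mail domain, a document-control ID format) and against word-shingle fingerprints of a known sensitive document, so that a partial paste of that document still matches. The organisation name, regexes, document text and scraped items are all constructed assumptions.

```python
import hashlib
import re

# Constructed markers of internal origin (placeholders for an organisation's own values).
INTERNAL_MARKERS = [
    re.compile(r"\bEXAMPLECORP\s+(CONFIDENTIAL|INTERNAL ONLY)\b", re.I),
    re.compile(r"\b[\w.+-]+@corp\.example\b", re.I),  # internal mail domain
    re.compile(r"\bDOC-\d{4}-\d{5}\b"),                # document-control ID format
]

# Constructed text of a known sensitive document, used only to build fingerprints.
KNOWN_SENSITIVE_DOC = (
    "ExampleCorp internal roadmap. The Q3 launch of Project Bluefin depends on the "
    "new licensing server. Pricing for tier two customers moves to a per seat model."
)

def shingles(text, k=5):
    """Hash every k-word window so a partial paste of a document can still be matched."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}

KNOWN_FINGERPRINTS = shingles(KNOWN_SENSITIVE_DOC)

def screen_item(source, text, threshold=0.2):
    """Score one scraped item: marker hits plus overlap with known-document fingerprints.
    Returns None when nothing suggests internal material."""
    markers = [m.pattern for m in INTERNAL_MARKERS if m.search(text)]
    mine = shingles(text)
    overlap = len(mine & KNOWN_FINGERPRINTS) / len(mine) if mine else 0.0
    if not markers and overlap < threshold:
        return None
    return {"source": source, "markers": markers, "overlap": round(overlap, 2)}

def screen_all(items):
    """Return only the items worth delivering to the team, in source order."""
    return [r for r in (screen_item(src, txt) for src, txt in items) if r]

# Constructed scraped items (hypothetical paste-site and forum text).
SCRAPED = [
    ("pastesite/abc", "lol check this: the q3 launch of project bluefin depends on the new licensing server"),
    ("forum/post42", "Contact j.doe@corp.example for the DOC-2015-00017 draft, EXAMPLECORP CONFIDENTIAL"),
    ("pastesite/def", "minecraft server list updated, join now"),
]
```

The first item carries no marker at all and is caught only by the fingerprint overlap, which is the case a keyword-only search misses.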

So to summarize, if, for example, the objective is to prevent
