March 15, 2024
Welcome to our deep dive on threat intelligence, intended to help security professionals who are setting out to create and build a threat intelligence capability. Readers will learn how to make threat intelligence relevant, actionable, and effectively communicated to a myriad of stakeholders. The blog covers threat intelligence best practices and points to some free tools and resources along the way.
Threat intelligence has many competing interpretations and definitions, but Gartner’s threat intelligence definition is a good starting point:
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.
Wrapped up within this definition are two salient themes that we will return to:
Few threat intelligence pieces begin by discussing how you measure the effectiveness of a program; this is more commonly done either as an afterthought or by a handful of the most mature organizations. However, it is critical: having well-defined success criteria ensures that there is a clear business case and, in the longer term, enables you to demonstrate a return on investment. That's why we've included this at the very start.
We’re not doing threat intelligence for fun; we want to increase the bottom line. To do so, the TI program must be both measurable and tailored to business goals.
One of the biggest barriers to ensuring threat intelligence is relevant is confusion between data, information, and intelligence. Indeed, as threat intelligence has become more commoditized, the differences between the three have become blurred. Let's start by clarifying them.
Data – Recorded facts captured as a snapshot at a point in time. There is little or no subjectivity involved: data is binary, either true or false. For example, 'it was wet in London at 10:27 last Wednesday.'
Information – Structured data that has been combined through the process of collection. For example, 'it rained in London last Wednesday, and has on each of the last 20 Wednesdays.'
Intelligence – Critically, intelligence is about future events, whereas data and information are purely historical in nature. The sole objective of intelligence is to help a decision maker make a better decision about an issue than a coin toss would. For example, 'It is nothing more than coincidence that it has rained in London on each of the last 20 Wednesdays, but based on historical data there is a 70% chance it will rain next Wednesday.'
The relationship between Data, Information, and Intelligence
This diagram is a good way to understand the relationship between these three terms, showing:
While many claim they do threat intelligence, this can mean any number of things. There are four types of threat intelligence which, while they overlap in places, help us to understand the different functions of threat intelligence.
To add further complexity, each of these types may be produced internally, obtained from sharing communities (such as FS-ISAC or HS-ISAC), or derived from an external provider (paid or free).
While threat intelligence continues to gain in adoption (The SANS Institute reports an increase of 60% to 72% of respondents producing or consuming threat intelligence), it often has several limitations:
In this blog, we’ll dig into some of the best practices for getting threat intelligence right and avoiding these pitfalls.
If you are going to start doing threat intelligence, a good process is needed; it can be the difference between getting value from your intelligence function or not. A good place to start is the intelligence cycle.
Earlier, we mentioned that there are a host of pitfalls associated with threat intelligence, such as false positives, a lack of relevance, and an inability to remediate issues. These most commonly occur when threat intelligence programs lack direction and structure from the outset, with analysts conducting analysis for the sake of analysis. That’s why the intelligence cycle remains so popular today: it helps to define stages and structure the program.
The intelligence cycle consists of five stages – direction, collection, analysis, dissemination, and review.
1. Direction
Of all the stages in the intelligence cycle, it’s tempting to focus on collection and analysis, and to ignore the direction and planning stage. However, having the right approach can save you time and make threat intelligence more meaningful.
Before any data is collected, bought, analyzed, or shared, organizations should first understand what they are trying to protect – what are their critical assets? Of course, this is easier said than done, especially as notions of "criticality" differ between attackers and the organization (social media accounts, for instance). A critical asset may also be highly tangible or intangible in nature: a tangible critical asset could be an organization's connection to the SWIFT banking network, whereas an intangible asset could be customer confidence in the brand.
What is and is not a critical asset varies by industry and organization, so it's important to understand what is inherently valued in your industry. Some critical assets are common regardless of industry, such as payment card details, logins, databases with customer information, payment systems, trading platforms, exchanges, Enterprise Resource Planning (ERP) systems, and proprietary technology.
Board level decision making is not typically driven by tactical intelligence such as IOCs, but instead by operational or strategic concerns. Therefore, on top of understanding what an organization ought to be protecting, it’s important to get the requirements of key stakeholders and consider how the intelligence program will satisfy these.
2. Collection
Once you know what assets you want to protect, you can start to think about where you will look for information on threats to those assets. Another cycle, the collection cycle, exists to gather timely and relevant information for analysts to develop into intelligence. Our intelligence experts like to form a collection cycle that includes developing observables, collecting information, assessing that information, and feeding the assessment back into the collection cycle for future improvement. Things to keep in mind when developing a collection cycle include coverage, languages, tools, and direction.
Organizations will turn to a range of sources depending on the initial requirements. This often includes technical sources (many of which are available free here: https://github.com/hslatman/awesome-threat-intelligence), social media, criminal forums, dark web pages, code repositories, and more. You can get an idea of the type of sources you might expect to cover in our Data Sources document.
It's worth noting that the advantages and disadvantages of focusing on dark web sources are out of scope for this piece, but you can read more in another blog we wrote called "Dark Web Monitoring: The Good, The Bad, and The Ugly". TLDR: the dark web is over-hyped, but does have some value depending on your goals.
3. Analysis Frameworks
We spoke earlier about how "intelligence" is derived from mere "information" by the process of analysis. With information collected, it's next necessary to place these findings into some sort of analytical framework, of which there are many. It is important that threat intelligence teams understand and use these frameworks in the production of intelligence products: they are used across the cyber security sector and allow intelligence teams to communicate findings in ways the sector understands.
One of the most prominent frameworks is the Cyber Kill Chain developed by Lockheed Martin. The Cyber Kill Chain identifies seven tangible steps to carrying out an attack from the perspective of an attacker:
These steps provide valuable insight into cyberattacks and enhance analysts’ understanding of threat actor TTPs.
The Lockheed Martin Cyber Kill Chain serves as the basis for the Diamond Model and MITRE ATT&CK, both of which build on the model proposed by the kill chain. The Diamond Model uses its four corners to represent adversary, infrastructure, victim, and capability, and maps each step of the kill chain onto the diamond, depicting whether the step is technical or socio-politically motivated. The intention of the Diamond Model is to deal with multiple attacker kill chains simultaneously by identifying similarities between different kill chains' adversaries, infrastructures, victims, and capabilities.
MITRE ATT&CK takes the Cyber Kill Chain framework and expands on it by incorporating initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control (C2), exfiltration, and impact. We've mapped a host of campaigns to MITRE ATT&CK, which you can read about. Below, we've outlined one mapping we did on the tactics used by the GRU in the build-up to the 2016 US Presidential Election.
One of the biggest hurdles to good analysis is cognitive biases, defined as “a mistake in reasoning, evaluating, remembering, or other cognitive process, often occurring as a result of holding onto one’s preferences and beliefs regardless of contrary information.”
There are a large number of different types (188 to be precise) of cognitive bias. These have been expertly combined in the following image (full credit goes to https://www.visualcapitalist.com/18-cognitive-bias-examples-mental-mistakes/).
There are numerous techniques that intelligence analysts employ to overcome cognitive biases, known as Structured Analytic Techniques (SATs). The father of intelligence analysis is widely regarded to be Richards Heuer, who published many techniques in his 1999 paper, Psychology of Intelligence Analysis (a must-read for anyone interested in employing SATs).
TI pros often immediately look for the sophisticated SATs. However, in truth, there’s plenty that can be done with simpler methods. For example, Devil’s advocate and a SWOT analysis (techniques within the reach of all of us) can help to sharpen our analysis. We’ve outlined several tips in a recent blog on this very topic, A Threat Intelligence Analyst’s Guide to Today’s Sources of Bias.
However, for analysts with more time, there are techniques like Analysis of Competing Hypotheses (ACH), a methodology developed by Richards Heuer himself, and the Cone of Plausibility (most suitable for forecasting). We won't go into detail on these in this blog, but you can read more about ACH and the Cone of Plausibility in our previous blogs:
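To make ACH concrete, here is a small worked implementation of Heuer's method. This is an added example, not code from the original post or from ReliaQuest: the three hypotheses, the six evidence items and their consistency ratings are constructed for illustration. It applies the two ACH rules that matter most in practice: rank hypotheses by how much weighted evidence contradicts them (not by how much supports them), and then check which single item of evidence the leading hypothesis actually hinges on.

```python
"""Analysis of Competing Hypotheses (ACH) as a small worked example.

Added example, not code from the original post. Hypotheses, evidence items and
ratings are constructed for illustration. Scoring follows Heuer's rule: prefer
the hypothesis with the LEAST weighted evidence against it, then test how
sensitive that conclusion is to any single item of evidence.
"""
from dataclasses import dataclass

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"


@dataclass
class Evidence:
    description: str
    ratings: dict          # hypothesis id -> C / I / N
    credibility: float     # 0..1, how far we trust the source of this item
    relevance: float       # 0..1, how directly it bears on the question

    @property
    def weight(self) -> float:
        return self.credibility * self.relevance


def inconsistency_scores(hypotheses, evidence):
    """Weighted count of evidence inconsistent with each hypothesis."""
    scores = {h: 0.0 for h in hypotheses}
    for item in evidence:
        for h in hypotheses:
            if item.ratings.get(h, NEUTRAL) == INCONSISTENT:
                scores[h] += item.weight
    return scores


def rank_hypotheses(hypotheses, evidence):
    """Lowest inconsistency score first (ties keep the given hypothesis order)."""
    scores = inconsistency_scores(hypotheses, evidence)
    return sorted(scores.items(), key=lambda kv: kv[1])


def non_diagnostic(hypotheses, evidence):
    """Evidence rated the same against every hypothesis cannot discriminate
    between them; ACH says de-emphasise it rather than let it inflate confidence."""
    return [item.description for item in evidence
            if len({item.ratings.get(h, NEUTRAL) for h in hypotheses}) == 1]


def sensitivity(hypotheses, evidence):
    """Which single evidence items, if they turned out to be wrong, would change
    the leading hypothesis? These are the items worth re-verifying first."""
    leader = rank_hypotheses(hypotheses, evidence)[0][0]
    fragile = []
    for i, item in enumerate(evidence):
        remaining = evidence[:i] + evidence[i + 1:]
        if rank_hypotheses(hypotheses, remaining)[0][0] != leader:
            fragile.append(item.description)
    return fragile


# Constructed scenario: who is behind a cluster of spoofed login pages for our brand?
HYPOTHESES = {
    "H1": "financially motivated phishing crew",
    "H2": "state-sponsored espionage group",
    "H3": "opportunistic domain squatter",
}
EVIDENCE = [
    Evidence("Pages harvest payment card data, not only credentials",
             {"H1": CONSISTENT, "H2": INCONSISTENT, "H3": INCONSISTENT}, 1.0, 1.0),
    Evidence("Registrar reseller previously seen in carding campaigns",
             {"H1": CONSISTENT, "H2": NEUTRAL, "H3": NEUTRAL}, 0.5, 0.75),
    Evidence("Lures target our customers as well as our staff",
             {"H1": CONSISTENT, "H2": INCONSISTENT, "H3": CONSISTENT}, 0.5, 0.5),
    Evidence("Domains resolve to a live phishing kit, not a parking page",
             {"H1": CONSISTENT, "H2": CONSISTENT, "H3": INCONSISTENT}, 1.0, 1.0),
    Evidence("Registrant details hidden behind WHOIS privacy",
             {"H1": CONSISTENT, "H2": CONSISTENT, "H3": CONSISTENT}, 1.0, 0.5),
    Evidence("Two domains also host a page themed on a government ministry",
             {"H1": INCONSISTENT, "H2": CONSISTENT, "H3": NEUTRAL}, 0.5, 1.0),
]


def run_ach():
    """Run the full ACH pass over the constructed matrix."""
    ids = list(HYPOTHESES)
    return {
        "ranking": rank_hypotheses(ids, EVIDENCE),
        "non_diagnostic": non_diagnostic(ids, EVIDENCE),
        "fragile": sensitivity(ids, EVIDENCE),
    }


if __name__ == "__main__":
    result = run_ach()
    for h, score in result["ranking"]:
        print(f"{h} ({HYPOTHESES[h]}): inconsistency {score}")
    print("Non-diagnostic evidence:", result["non_diagnostic"])
    print("Conclusion hinges on:", result["fragile"])
```

Note what the sensitivity check tells the analyst: H1 leads, but only the card-harvesting observation keeps H2 from overtaking it, so that item is the one to re-verify before the assessment goes to stakeholders. The WHOIS-privacy item is consistent with every hypothesis and should carry no weight, which is exactly the kind of evidence confirmation bias tends to over-count.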
4. Dissemination
In the introduction, we outlined how threat intelligence is there to better inform a decision or decision-maker. You can produce the most amazing piece of analysis, but if it’s not communicated in a way that is meaningful to your stakeholders, it’s wasted effort.
When discussing findings and dissemination options, it is crucial to communicate in a common language to your target audience. As Threat Intelligence may be tactical, operational, technical, or strategic, products can be very different. While a technical audience may be more interested in Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs), an executive audience may be more interested to understand the business risk, assets, liabilities, profit, and loss. This aspect seems common sense, but too often a lack of understanding between analysts and decision makers has security repercussions. To promote more efficient and effective threat intelligence, it is vital to speak in the language of risk to decision makers.
Rick Holland, CISO of Digital Shadows (now ReliaQuest), provided six tips for effective communication with stakeholders:
5. Review
Obviously, the intelligence cycle is a cycle, so this is perhaps the most important stage. At the review stage, one analyzes the direction and goal of the intelligence and ascertains if those goals were met for further threat intelligence research.
As we’ve outlined, it’s important to communicate effectively with stakeholders that have helped to shape the initial requirements of the intelligence program. However, it’s also important to ensure threat intelligence is actionable. After all, intelligence isn’t really intelligence if it doesn’t end in some type of action.
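The review stage and the "measure the program from the start" point earlier are where most programs stay vague, so here is one concrete way to close the loop: score each collection source from what analysts actually did with its alerts, and feed that back into collection. This is an added example, not code from the original post or ReliaQuest's tooling; the alert records are constructed, and the thresholds in recommend() are assumptions chosen for illustration.

```python
"""Closing the loop: scoring collection sources from analyst dispositions.

Added example, not code from the original post. Alert records are constructed;
the decision thresholds are assumptions. Each alert carries the source that
raised it, the analyst's disposition, how long it waited for triage, and the
intelligence requirement it served ("" means nobody asked for it).
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class AlertRecord:
    source: str             # collection source that raised the alert
    disposition: str        # actioned / false_positive / duplicate / irrelevant
    hours_to_triage: float  # wait before an analyst first looked at it
    requirement: str = ""   # intelligence requirement served, "" if none


def source_metrics(alerts):
    """Per-source actionability, precision, requirement mapping and triage latency."""
    by_source = defaultdict(list)
    for alert in alerts:
        by_source[alert.source].append(alert)

    def share(items, predicate):
        return sum(1 for a in items if predicate(a)) / len(items)

    return {
        source: {
            "alerts": len(items),
            "action_rate": share(items, lambda a: a.disposition == "actioned"),
            "false_positive_rate": share(items, lambda a: a.disposition == "false_positive"),
            "unmapped_rate": share(items, lambda a: not a.requirement),
            "median_hours_to_triage": median(a.hours_to_triage for a in items),
        }
        for source, items in by_source.items()
    }


def recommend(metrics, min_action_rate=0.25, max_false_positive_rate=0.5):
    """Assumed review-stage rule: keep sources whose alerts get actioned at
    acceptable precision, drop sources that are both noisy and never actioned,
    and tune (re-scope observables, add filters) everything in between."""
    decisions = {}
    for source, m in metrics.items():
        actionable = m["action_rate"] >= min_action_rate
        noisy = m["false_positive_rate"] > max_false_positive_rate
        if actionable and not noisy:
            decisions[source] = "keep"
        elif not actionable and noisy:
            decisions[source] = "drop"
        else:
            decisions[source] = "tune"
    return decisions


def program_summary(alerts):
    """Program-level figures a stakeholder would ask for at review time."""
    n = len(alerts)
    return {
        "alerts": n,
        "actioned_share": sum(1 for a in alerts if a.disposition == "actioned") / n,
        "mapped_to_requirement_share": sum(1 for a in alerts if a.requirement) / n,
    }


# Constructed quarter of alerts across four sources (PIR-n = priority intelligence requirement).
ALERTS = [
    AlertRecord("vendor_feed_a", "actioned", 2, "PIR-1"),
    AlertRecord("vendor_feed_a", "actioned", 4, "PIR-1"),
    AlertRecord("vendor_feed_a", "actioned", 6, "PIR-2"),
    AlertRecord("vendor_feed_a", "actioned", 8, "PIR-2"),
    AlertRecord("vendor_feed_a", "false_positive", 1, "PIR-1"),
    AlertRecord("vendor_feed_a", "false_positive", 3),
    AlertRecord("vendor_feed_a", "duplicate", 5, "PIR-2"),
    AlertRecord("vendor_feed_a", "irrelevant", 7),
    AlertRecord("paste_site_monitor", "false_positive", 24),   # nobody asked for this source
    AlertRecord("paste_site_monitor", "false_positive", 36),
    AlertRecord("paste_site_monitor", "false_positive", 48),
    AlertRecord("paste_site_monitor", "false_positive", 12),
    AlertRecord("paste_site_monitor", "irrelevant", 30),
    AlertRecord("paste_site_monitor", "irrelevant", 40),
    AlertRecord("isac_share", "actioned", 1, "PIR-3"),          # low volume, high value
    AlertRecord("isac_share", "actioned", 2, "PIR-3"),
    AlertRecord("isac_share", "actioned", 2, "PIR-1"),
    AlertRecord("isac_share", "duplicate", 3, "PIR-3"),
    AlertRecord("social_media_scraper", "actioned", 5, "PIR-2"),  # right question, noisy answer
    AlertRecord("social_media_scraper", "false_positive", 5, "PIR-2"),
    AlertRecord("social_media_scraper", "irrelevant", 5, "PIR-2"),
    AlertRecord("social_media_scraper", "irrelevant", 5),
    AlertRecord("social_media_scraper", "irrelevant", 5),
]

if __name__ == "__main__":
    metrics = source_metrics(ALERTS)
    for source, decision in recommend(metrics).items():
        print(f"{source:22s} {decision:5s} {metrics[source]}")
    print(program_summary(ALERTS))
```

The "unmapped_rate" is the direction-stage check in disguise: a source whose alerts never trace back to a stated requirement is collection for its own sake, which is the failure mode the intelligence cycle exists to prevent. The median triage delay is the number to show whoever owns the analyst backlog.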
F3EAD
F3EAD (Find, Fix, Finish, Exploit, Analyze, and Disseminate) is an alternative, more tactical intelligence cycle to the contemporary intelligence cycle we have just been through. F3EAD is commonly deployed by western militaries for operations, but is extremely applicable to a cyber security context. At Digital Shadows (now ReliaQuest) we believe these two cycles can be used together to produce better-quality intelligence that satisfies both tactical and strategic requirements.
How does this work in practice? Let's take a scenario in which a threat intelligence team has identified that their intellectual property is a significant target for APT groups.
Scenario Mapped to the Intelligence Cycle
Scenario mapped to F3EAD
Mapping Mitre ATT&CK to Essential 8
Understanding common TTPs can be a useful way of identifying security gaps in your own organization, but it can be hard to translate this to actionable takeaways.
To combat this, we mapped some of the biggest campaigns to the Australian Signals Directorate's (ASD) "Essential 8", in which the ASD identifies eight mitigation steps that it believes should be inherent in securing any organization: application whitelisting, patching applications, configuring Microsoft Office macro settings to block macros from the Internet, user application hardening, restricting administrative privileges, patching operating systems, using multi-factor authentication, and backing up data daily.
As we outline in the blog, the Essential 8 maps very well to the MITRE ATT&CK framework and prevents many attacker techniques in the middle of the attack lifecycle. The Essential 8 does not make an organization immune to threats, but it increases the costs for adversaries to attack an organization.
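The two framework passages above (the Cyber Kill Chain and ATT&CK section, and the Essential 8 mapping) describe the same exercise from two sides: place observed techniques in an attack model, then ask which of your controls would have blunted each one. Here is an added example of that exercise in code. It is not ReliaQuest's mapping and not code from the original post: the technique IDs are real MITRE ATT&CK identifiers, but the tactic-to-kill-chain mapping, the technique-to-Essential-8 mapping, the sample campaign and the sample organization's implemented controls are simplifications constructed for illustration, and a real assessment should re-derive the mapping from ATT&CK's own mitigation references.

```python
"""Mapping observed ATT&CK techniques to kill chain phases and to the Essential 8.

Added example, not code from the original post. Technique IDs are real ATT&CK
identifiers; TACTIC_TO_PHASE, the mitigation lists in TECHNIQUES, CAMPAIGN and
IMPLEMENTED are constructed simplifications for illustration.
"""

# Lockheed Martin Cyber Kill Chain phases, in order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Assumed coarse mapping of ATT&CK tactics onto kill chain phases.
TACTIC_TO_PHASE = {
    "initial-access": "Delivery",
    "execution": "Exploitation",
    "persistence": "Installation",
    "privilege-escalation": "Installation",
    "defense-evasion": "Installation",
    "credential-access": "Actions on Objectives",
    "discovery": "Actions on Objectives",
    "lateral-movement": "Actions on Objectives",
    "collection": "Actions on Objectives",
    "command-and-control": "Command and Control",
    "exfiltration": "Actions on Objectives",
    "impact": "Actions on Objectives",
}

# Essential 8 mitigation strategies as named in the text above.
ESSENTIAL_8 = {
    "app_whitelisting": "application whitelisting",
    "patch_apps": "patching applications",
    "office_macros": "configuring Microsoft Office macro settings",
    "app_hardening": "user application hardening",
    "restrict_admin": "restricting administrative privileges",
    "patch_os": "patching operating systems",
    "mfa": "multi-factor authentication",
    "backups": "daily backups",
}

# Technique catalogue: id -> (name, primary tactic, Essential 8 items assumed to blunt it).
# An empty list means the Essential 8 offers no preventive control for that technique.
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", "initial-access", []),
    "T1190": ("Exploit Public-Facing Application", "initial-access", ["patch_apps"]),
    "T1204.002": ("User Execution: Malicious File", "execution", ["office_macros", "app_whitelisting"]),
    "T1059.001": ("PowerShell", "execution", ["app_whitelisting", "app_hardening"]),
    "T1547.001": ("Registry Run Keys / Startup Folder", "persistence", ["app_whitelisting"]),
    "T1068": ("Exploitation for Privilege Escalation", "privilege-escalation", ["patch_os"]),
    "T1003": ("OS Credential Dumping", "credential-access", ["restrict_admin"]),
    "T1021.001": ("Remote Desktop Protocol", "lateral-movement", ["mfa", "restrict_admin"]),
    "T1071": ("Application Layer Protocol", "command-and-control", []),
    "T1041": ("Exfiltration Over C2 Channel", "exfiltration", []),
    "T1486": ("Data Encrypted for Impact", "impact", ["backups"]),
}


def assess(campaign, implemented):
    """Given observed technique IDs and the set of Essential 8 items actually
    implemented, report what is blunted, what could be, and what lies outside
    the Essential 8 entirely, plus coverage per kill chain phase."""
    report = {"mitigated": [], "not_implemented": [], "outside_essential8": []}
    per_phase = {}
    for tid in campaign:
        _name, tactic, mitigations = TECHNIQUES[tid]
        phase = TACTIC_TO_PHASE[tactic]
        covered = bool(set(mitigations) & implemented)
        if not mitigations:
            report["outside_essential8"].append(tid)
        elif covered:
            report["mitigated"].append(tid)
        else:
            report["not_implemented"].append((tid, [ESSENTIAL_8[m] for m in mitigations]))
        hit, total = per_phase.get(phase, (0, 0))
        per_phase[phase] = (hit + int(covered), total + 1)
    # Present phases in kill chain order so gaps read as a timeline.
    report["phase_coverage"] = {p: per_phase[p] for p in KILL_CHAIN if p in per_phase}
    return report


# Constructed campaign: macro-laden phishing leading to credential theft and ransomware.
CAMPAIGN = ["T1566.001", "T1204.002", "T1059.001", "T1068", "T1003",
            "T1021.001", "T1071", "T1041", "T1486"]
# Constructed organisation: patches and backs up and has MFA, but no application
# whitelisting, no macro policy and unrestricted administrative privileges.
IMPLEMENTED = {"patch_apps", "patch_os", "mfa", "backups"}

if __name__ == "__main__":
    r = assess(CAMPAIGN, IMPLEMENTED)
    print("Blunted by implemented controls:", r["mitigated"])
    for tid, controls in r["not_implemented"]:
        print(f"Gap {tid}: would be blunted by {', '.join(controls)}")
    print("No Essential 8 control (needs detection instead):", r["outside_essential8"])
    for phase, (hit, total) in r["phase_coverage"].items():
        print(f"{phase:22s} {hit}/{total}")
```

The output separates two very different takeaways: the "not_implemented" list is an argument for specific controls the organization has chosen not to deploy, while the "outside_essential8" list (delivery, C2, exfiltration) is where prevention runs out and detection has to carry the load, which is the point the text makes about the Essential 8 raising cost rather than conferring immunity.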
Threat Intelligence should inform a decision, but also some sort of response. For example, you may learn that one of your third-parties has been breached, including some of your employee credentials. In this case, there should clearly be an action to reset the affected credentials.
Alternatively, there may be an actor registering spoof domains as part of a phishing campaign against you and your customers. Again, in this case, the domain in question ought to be taken down.
These are just two examples of the types of approach we’ve observed organizations taking, but there are countless others.
As we outlined at the start, threat intelligence is different from risk. Threat is one component of risk, but not the only one. Mapping threat intelligence into risk frameworks ensures that you can better inform strategic decision making.
“Risk” takes many forms. It might be Octave, NIST, COBIT, FAIR, or many other types of IT risk management frameworks. These all draw out different ways for identifying assets, identifying vulnerabilities and threats, and identifying and mitigating risks.
At Digital Shadows (now ReliaQuest), we have aligned our assessment of digital risk to FAIR. FAIR (Factor Analysis of Information Risk) is a "taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events." As a leading information risk framework, FAIR works because it breaks a hard-to-measure concept down into a set of easier-to-measure concepts.
Our FAIR-aligned risk scoring model is applied to each digital risk in Search Light (now ReliaQuest GreyMatter Digital Risk Protection), taking into account only the detail that is available at the time the alert is raised. We recognize that it is not possible to know all influencing factors for every organization and every risk; we do not know what mitigating controls are in place, or the actual financial cost of data within your organization. But by using scenarios, and defining associated loss events for each risk type, the resulting scoring model allows us to provide a benchmark for the digital risk of each alert.
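To show what "breaking a hard-to-measure concept into easier-to-measure ones" looks like, here is an added example that carries one scenario through the public FAIR factor tree: loss event frequency (threat event frequency times vulnerability) multiplied by loss magnitude (primary loss plus the expected secondary loss). It then renders the result in the language of risk for an executive audience, as the dissemination section recommends. This is not ReliaQuest's scoring model and not code from the original post; the scenario (the third-party credential exposure mentioned above), every range and probability, and the severity thresholds are assumptions constructed for illustration.

```python
"""FAIR-style decomposition of one digital risk scenario.

Added example, not the vendor's scoring model and not code from the original
post. Applies the public FAIR factor structure (loss event frequency x loss
magnitude) to a constructed scenario; every range, probability and severity
threshold is an assumption chosen for illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Calibrated estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)  # signature: (low, high, mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range             # Threat Event Frequency: attempts per year
    vulnerability: Range   # P(an attempt becomes a loss event)
    primary_loss: Range    # direct cost per loss event (response, replacement, lost productivity)
    secondary_lef: float   # P(a loss event triggers secondary stakeholder losses)
    secondary_loss: Range  # cost of those secondary losses (fines, churn, reputation) when they occur


def point_estimate(s: Scenario) -> dict:
    """Most-likely values carried through the FAIR tree, ignoring uncertainty."""
    lef = s.tef.mode * s.vulnerability.mode
    loss_magnitude = s.primary_loss.mode + s.secondary_lef * s.secondary_loss.mode
    return {"lef": lef, "loss_magnitude": loss_magnitude, "ale": lef * loss_magnitude}


def simulate(s: Scenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo over the ranges; returns annualised loss exposure percentiles."""
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)
        lm = s.primary_loss.sample(rng) + s.secondary_lef * s.secondary_loss.sample(rng)
        results.append(lef * lm)
    results.sort()

    def pct(p):
        return results[min(trials - 1, int(p * trials))]

    return {"min": results[0], "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": results[-1]}


# Assumed severity bands on annualised loss exposure (not the vendor's thresholds).
SEVERITY_BANDS = [(1_000_000, "critical"), (250_000, "high"), (50_000, "medium"), (0, "low")]


def severity(ale: float) -> str:
    for floor, label in SEVERITY_BANDS:
        if ale >= floor:
            return label
    return "low"


def executive_summary(s: Scenario, point: dict, sim: dict) -> str:
    """Risk language for decision makers: exposure in money and a band, not IOCs."""
    return (f"{s.name}: most-likely annual exposure ${point['ale']:,.0f} "
            f"({severity(point['ale'])} severity); 9 in 10 simulated years stay "
            f"below ${sim['p90']:,.0f}. Resetting the exposed credentials and "
            f"enforcing MFA act on the vulnerability factor, not the threat frequency.")


# Constructed scenario: employee credentials exposed in a third-party breach.
LEAKED_CREDENTIALS = Scenario(
    name="Employee credentials exposed in a third-party breach",
    tef=Range(2, 8, 20),                       # attempts/year to reuse the leaked logins
    vulnerability=Range(0.05, 0.125, 0.4),     # success rate given partial MFA rollout
    primary_loss=Range(20_000, 80_000, 300_000),
    secondary_lef=0.25,
    secondary_loss=Range(50_000, 200_000, 1_000_000),
)

if __name__ == "__main__":
    point = point_estimate(LEAKED_CREDENTIALS)
    sim = simulate(LEAKED_CREDENTIALS)
    print(point)
    print(sim)
    print(executive_summary(LEAKED_CREDENTIALS, point, sim))
```

Two things the decomposition buys you over a single "high/medium/low" label: the gap between the p50 and p90 figures is an honest statement of how little is known at alert time, and each control maps to a specific factor (credential resets lower vulnerability, a takedown lowers threat event frequency, backups lower loss magnitude), which is what lets a board compare options in money rather than in adjectives.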
Getting started with threat intelligence can be tricky and overwhelming. Here are 4 ways for you to get started with threat intelligence for your business right now.
Want to talk with one of our Digital Shadows (now ReliaQuest) threat intelligence experts to see how we help businesses like yours tackle threat intelligence? Fill out the form below and we’ll follow-up!