ISO27002 provides suggestions on security controls to maintain an information security management system (ISMS). It started as a British Standard in the 90s and migrated to ISO/IEC in 2000. It has been revised several times with the latest iteration, ISO27002:2022.
The new version contains many structural changes and controls rationalisation. The addition of threat intelligence stands out because other changes relate closely to existing controls. In the words of ISO, “Information relating to information security threats should be analysed to produce threat intelligence … so that the appropriate mitigation actions can be taken.”
What is the use of threat intelligence?
Why threat intelligence? In a large busy network, it is not uncommon for users, applications or devices to be compromised. Too often these minor comprises lead to major breaches.
In these cases, what seems to be missing is the organisational capability to detect and remediate compromises consistently, reliably and in a reasonable timeframe.
Attackers have unlimited dwell time to escalate. For example, the average time to detect large data breaches is around 200 days from the point of initial compromise and has been increasing over the years. Threat intelligence plays a vital role in improving security.
As one security expert summarised, “prevent what you can, detect what you can’t prevent and hunt what you can’t detect.” Implementing this simple statement requires better threat intelligence from external and internal sources combined with the ability to leverage this intelligence for both retrospective detection and also ongoing protection.
ISO threat intelligence recommendations
Exploring ISO, the standard makes the following six threat intelligence recommendations:
- Establishing objectives for threat intelligence production
- Identifying, vetting and selecting internal and external information sources
- Collecting information from selected sources
- Processing information for analysis
- Analysing information to understand how it relates and is meaningful to the organisation
- Communicating and sharing it to relevant individuals in a format that can be understood. Not surprisingly, all of these are very sensible and logical guidelines so let’s look at each of these in turn and discuss how a threat intelligence platform can help.
Establishing objectives for threat intelligence production
The purpose of the Cyber Threat Intelligence (CTI) team is to understand the cyber threat environment and provide threat intelligence that helps the organisation’s stakeholders make better decisions about lowering cyber risk. Documenting the intersection of the organisation’s business assets with the threat environment is formally called threat modelling.
Threat modelling involves assessing various threat actors, and adversary behaviours and characteristics, and prioritises them according to the organisation’s asset risk profile.
Most firms will already have a risk assessment framework in place as well as a set of security controls around the business assets and systems, which the CTI team can leverage to help in building a threat model. A good threat model will also highlight where the organisation has protection gaps or visibility gaps from the threats and adversaries relevant to the business.
A threat model will identify stakeholder use-cases for threat intelligence. However, through our work with customers globally, ThreatQuotient gets asked by firms to help with one or more of six high-level use-cases: threat intelligence automation; SOC alert triage; incident response; threat hunting; extended detection and response; and vulnerability prioritisation.
A good threat intelligence platform will come ready to implement these use-cases and many more. A TIP also provides the ability to centralise and correlate threat information from sources like MITRE ATT&CK and the National Vulnerability Database (NVD) to help the initial threat modelling, as well as ongoing fine-tuning by identifying threat and visibility gaps.
Identifying, vetting and selecting information sources
In most organisations, the CTI team is not only tasked with producing intelligence. They also manage guiding, developing, satisfying and measuring the CTI needs of the business.
Mature CTI teams assess and document each need, the source data required, what analysis needs to be done, the metrics to measure outcomes, and build feedback loops to ensure things improve over time. This set of cyber intelligence use-cases forms the stakeholder requirements, otherwise known as intelligence requirements (IRs), of the organisation.
The threat model helps determine intelligence needs like how the intelligence gets delivered, when and in what format. ‘Stakeholders’ can be people, groups, or systems, therefore threat information, and the way it is communicated, needs to be tailored to each use-case.
For example, if your firm assesses it is at risk from phishing attacks from criminal groups, your IR should describe how CTI is delivered to your email system and possibly SIEM. The threat model will influence the sources of information required to meet the stakeholder needs because information about adversaries and their behaviours will come from different sources.
If threat modelling determines which are the right use-cases for any given organisation, IRs explain how each IR is to be configured, and the threat intelligence platform is the place to automate the collection, selection and delivery of intelligence for each use-case.
A good TIP will also provide a place to document the firm’s IRs within the threat library. Not only does this provide a place that stakeholders can review IRs but also allows them to be linked with other data like threat adversaries who might be associated with the IR.
Collecting information from selected sources
The number of CTI providers has increased rapidly over the last few years. Nation state actors and criminal threats are organised, mature and industrialised. Threat research groups track them, focusing on certain classes of threat actors, or even specific threat groups.
Much of this analyst research produces finished intelligence reports, but the industry has evolved to augment reports with real-time cloud-based indicator “feeds”.
API feeds are relevant because they supply threat information in the volume required and timeliness demanded by modern SOCs. Finished threat reports are still very useful but they are complimented with machine-readable versions of the same information.
While much progress has been made on CTI standards like STIX and TAXII, even standards are implemented in different ways by different sources. Many sources pre-date the standards and continue to use their own proprietary formats for obvious compatibility and legacy reasons. Thus, almost all sources are different and will remain so in the medium term.
Moreover, new sources appear regularly depending on threat and technology trends, which can often be in proprietary formats. While CTI often comes from external sources, increasingly, organisations are producing and consuming their own intelligence.
For a growing number of attacks there is no external CTI available because the attack is new, has been customised for the target, or uses any one of a number of obfuscation techniques.
In response, defenders use a range of techniques to detect these attacks like sandboxing / dynamic analysis, phishing email analysis, incident response, threat hunting, and alert triage. These activities all produce CTI that is relevant because it represents the actual attacks.
But many security teams do not have a process to use it, which is exactly what a TIP is designed to do. A TIP integrates internally gathered CTI, together with multiple external sources, into a single, consolidated and seamless library, making it actionable for all teams.
The threat intelligence landscape is dynamic. A TIP enables organisations to quickly adapt to changes as new standards emerge, new frameworks are adopted, new intelligence sources are released, and as other systems change how they create or use CTI.
For example, the numerous log4j related threat feeds shows how dynamic attackers can be. But log4j is also a case-study underlining the need to quickly ingest and leverage new threat resources because these styles of attacks are just the latest in a general category of threats.
Every year adversaries use new methods, news stories, or vulnerabilities, and a TIP helps improve the speed and reliability responding to these future threats.
Processing information collected to prepare it for analysis
Threat critical functions of a TIP improve the speed and scale at which the job of intelligence analysis can occur: normalisation, linking and deduplication. Normalisation refers to collecting data and storing in a single common data model. Once normalised, linking identifies related pieces of data and deduplication consolidates any information already known.
Linking is important for establishing the relationships between adversaries, their infrastructure and behaviours, especially when the information has come from many different data sources.
Furthermore, most threat research groups use different names to describe the same threat actor. APT28 is a Russian hacking group also called Swallowtail, Sofacy, and Fancy Bear, amongst other names. A TIP helps disambiguate threat actors known by different names.
Deduplication is there to reduce noise but it is not simply discarding duplicates. The same indicator is imported from different intelligence feeds, but this info will come at different times with different related information or indicators and it is vital to preserve these differences.
Analysing information to understand how it relates to the organization
Threat intelligence is just a collection of technical ‘atomic’ indicators like IP addresses, files hashes, and domain names. More often, each indicator comes with additional information like associated indicators, a confidence score, adversary information, target geographies, target industries, MITRE ATT&CK TTP details, and many other attributes related to the indicator.
This additional metadata helps validate that the data pertains to a real and active threat by looking at how old the data is and if it comes from a highly trusted source, for example.
Once information is validated, an organisation needs to establish its relevance by looking at things like the target geography or industry, are they vulnerable to the style or type of attack, or if it has been seen before in their environment.
A TIP uses scoring to automate validation and relevance. Scoring is a tool to filter and prioritise the small fraction of information and thereby turn it into useful intelligence and it is significantly easier when the information is properly normalised, linked and deduplicated.
Scoring is a way to normalise all the different ways that threat information is represented using factors identified during a firm’s threat modelling and intelligence requirements building. Scoring significantly reduces the volume of information to a manageable level.
Sharing CTI to relevant individuals in a format that can be understood
Stakeholder use-cases define what intelligence needs to be shared with whom and when. A stakeholder can be a system like the SIEM, a function like alert triage, or a group of people like the executive management team. A TIP can automate some or all of the communications required for a diverse set of stakeholders, delivering each what they need.
Doing this requires a broad range of communications options like APIs for all the major security solutions, tools for analysts, all the way to dashboarding and reporting options.
Without this, CTI management is time consuming and bogs analysts in data manipulation via spreadsheets. The speed of adversary activity and sheer scale of threat intelligence sources defies the ability of any CTI team to manage it effectively with the right tool for the job.
A TIP can help close the visibility gaps that all too often result in data breaches. The business case for acquiring a TIP is improved threat coverage, faster incident response times, and greater staff efficiency. A threat intelligence platform helps keep firms agile to the problems of a moving threat landscape and a rapidly evolving IT environment needing protection.
Anthony Stitt is the regional director of APAC Japan at ThreatQuotient