Understanding Intelligence Slides

This document discusses how threat intelligence can help differentiate a security program by filtering through alerts to identify legitimate threats, classifying known and unknown threats, gathering and correlating multiple data sources, enriching data to provide valuable context, following the intelligence lifecycle of direction, collection, processing, analysis, dissemination and feedback, and using intelligence tools like the MITRE ATT&CK framework to categorize threats and provide actionable intelligence.

Uploaded by

waruenk

Understanding Intelligence

Christopher Rees
PLURALSIGHT AUTHOR / IT OPS LEADER

@cdrees | https://www.linkedin.com/in/cdrees
Module Overview
- How is intelligence a differentiator?
  - Filtering through the noise
- Threat classifications
- Gathering and correlating data
- Enriching data and providing value
- Phases of the intelligence lifecycle
- Intelligence tool example
Intelligence as a Differentiator
The speed of attacks is increasing with no signs of slowing down.
One of the biggest challenges in cybersecurity is actually keeping up with the sheer volume of alerts.

- Alert Overload: 56% of alerts are investigated
- Filtering the Noise: 35% of investigated alerts are legitimate
- Too Little, Too Late: 51% of legitimate alerts are actually remediated

Source: https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf
Alert Overload
- Alerts: 15,000
- Investigated: 8,400
- Legitimate: 2,856
- Remediated: 1,457

Less than 10% of alerts get remediated.
Threat Intelligence Classifications

Unknown-Unknown
We are unaware of the threat's existence. Basically flying blind with little chance to deter/remediate.

Known-Unknown
Threats that are known, but we don't fully understand them (how they work, their intention, etc.).

Known-Known
Things (threats) we know about and do fully understand. This understanding can be used to direct an outcome to deter or mitigate a threat.
Threat Intelligence Classifications
[Slide figure: a 2x2 matrix with Known and Unknown along both axes]

Goal is to move from flying blind and reactive to predictive and proactive.
Gathering and Correlating Information
Data in a vacuum, without context, is extremely difficult to interpret, and it is hard to tell exactly what data is valuable and what is noise.

Sources feeding the TI analyst: Forensics, Alerts, Logs, Feeds, Configs, Dark Web

Categorize TTPs and enrich alerts to track, target and deter/prevent attacks.
Enriching the data and providing value
- Pass intelligence on to the defender teams, protecting against vulnerabilities
  - Usually several teams: vulnerability or security teams and IT operations teams
- Threat intelligence can enrich the data on imminent threats and help prioritize patching/remediation efforts
Intelligence Lifecycle Evaluation
1. Direction
2. Collection
3. Processing
4. Analysis
5. Dissemination
6. Feedback

[Slide figure: the six phases drawn as a cycle, Direction -> Collection -> Processing -> Analysis -> Dissemination -> Feedback, returning to Direction]
Intelligence Lifecycle

Direction
Assets that need to be protected, impacts if lost, types of intelligence required to address threats, priorities, runbooks, etc.

Collection
Metadata, logs, threat feeds, open and dark web, news sources, intelligence reports, raw data, etc.

Processing
Collected data is transformed into a consumable format and transformed/imported into other tools (SIEM, EDR, etc.).

Analysis
Understanding the audience and giving information in a consumable format that allows decision makers to act, identify business impact, etc.

Dissemination
Which teams need the intelligence reports, how often they should be distributed, in what format, etc.

Feedback
A constant process to ensure the proper information, in the proper format, is reaching the intended audiences and meets their needs.
Where and How Intelligence Adds Value

Identify
- Identify the top threats facing the organization

Research
- Understand the methods of attack for each threat

Decision Tree
- Develop assumptions on the most likely primary and secondary attacks

Cover the Gaps
- Map to existing organizational weaknesses to develop defenses to deter / mitigate the threat
Demo
The MITRE ATT&CK™ website and framework can be used to categorize threats, track and enrich data, and provide actionable intelligence to partner security teams.
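The correlation and enrichment steps above (joining alerts with feeds and asset context, categorizing TTPs, prioritizing remediation) and the ATT&CK demo, worked as a small added example that is not part of the slides. The feed, asset inventory, actor names and alerts are all constructed; only the ATT&CK technique IDs (T1110, T1566) are real.

```python
# Added example (not from the deck): correlate constructed alerts with a threat
# feed and an asset inventory, label each alert with the deck's Known/Unknown
# classes and an ATT&CK technique, then rank what to remediate first.
from dataclasses import dataclass
from typing import List, Optional

# Constructed threat feed: indicator -> ATT&CK technique (None = TTP not yet
# understood), actor label and analyst confidence (0..1). Not real intel.
THREAT_FEED = {
    "203.0.113.7":   {"technique": "T1110", "actor": "ActorA", "confidence": 0.9},
    "phish.example": {"technique": "T1566", "actor": "ActorB", "confidence": 0.7},
    "198.51.100.9":  {"technique": None,    "actor": "unknown", "confidence": 0.5},
}
# Constructed asset criticality from CMDB/configs (1 = low, 5 = crown jewel)
ASSETS = {"web-01": 5, "hr-laptop-12": 2, "db-01": 5}

@dataclass
class Alert:
    host: str
    indicator: str
    technique: Optional[str] = None
    actor: Optional[str] = None
    classification: str = "unknown-unknown"
    priority: float = 0.0

def classify(alert: Alert) -> str:
    """Map an alert onto the deck's three classes using what the feed knows."""
    hit = THREAT_FEED.get(alert.indicator)
    if hit is None:
        return "unknown-unknown"   # no intel context at all: flying blind
    if hit["technique"] is None:
        return "known-unknown"     # seen before, but how/why not understood
    return "known-known"           # indicator, actor and TTP all understood

def enrich(alert: Alert) -> Alert:
    """Add feed + asset context; priority = asset criticality x confidence."""
    alert.classification = classify(alert)
    hit = THREAT_FEED.get(alert.indicator)
    crit = ASSETS.get(alert.host, 1)          # unknown host: assume low
    if hit:
        alert.technique, alert.actor = hit["technique"], hit["actor"]
        alert.priority = round(crit * hit["confidence"], 2)
    else:
        alert.priority = round(crit * 0.1, 2)  # keep, but rank near the bottom
    return alert

def triage(alerts: List[Alert]) -> List[Alert]:
    """Enrich every alert and return them highest priority first."""
    return sorted((enrich(a) for a in alerts), key=lambda a: a.priority, reverse=True)

SAMPLE_ALERTS = [  # constructed alerts as a SIEM might emit them
    Alert("hr-laptop-12", "phish.example"), Alert("db-01", "203.0.113.7"),
    Alert("web-01", "10.0.0.5"), Alert("web-01", "198.51.100.9"),
]
```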
Module Review
- How is intelligence a differentiator?
  - Filtering through the noise
- Threat classifications
- Gathering and correlating data
- Enriching data and providing value
- Phases of the intelligence lifecycle
- Intelligence tool example