While some people treat technical TI feeds as ready-made NIPS signatures, the reality of effective usage of threat intelligence feeds and reports for security is much more nuanced.
In this post, I will present a quick summary of discovered threat intelligence use cases, that apply to both strategic and tactical TI. Admittedly, I am saving the juicy details for my research paper, but I hope that these summaries will serve to both educate and start the discussion.
|Type of use case||Strategic TI||Tactical TI|
|Planning||Security architecture and monitoring planning based on long-term threats and relevant actor capabilities||Study historical trends across TI feeds and environment match history (maybe???)|
|Prevention||Better align security spending and attention based on attacker targeting; prevent attacks predicted by TI sources (HUMINT)||Block bad IPs, URLs, domains, emails, files, etc; the staple usage of blacklists and high-fidelity TI feeds|
|Detection||Look harder for intrusion evidence in places of “known interest” to attackers; review reports on threat actor tools to find ways to better detect them||Use TI feeds to create NIDS sigs, NFT, SIEM and ETDR alerting rules; detect internal systems communicating with “known bads”|
|Triage||“APT or commodity threat?” decision; a key decision that defines how subsequent IR process will go||Use TI feeds as context for enriching alerts and other monitoring data; link alerts together into incidents; automated triage by escalating alerts linked to “known bads”|
|Incident response||Better understand the business impact by relating incident artifacts to threat actor profiles; practical incident attribution||Finding a full scope of an incident by linking local observables to TI; “pulling the thread” to find all compromised assets and all attacker traces|
|Threat assessment||Assess overall threat level for your organization; report to management, board, etc||Assess the risk of customers connecting to your IT resources based on TI feeds; fraud risk assessment|
|TI fusion – making better TI out of TI||Increase value of TI feeds by validating, correlating, enriching context, tying to local observations and attribution; enrich tactical TI by linking to strategic TI||Increase value of TI feeds by validating, correlating, enriching context, tying to local observations and attribution; enrich strategic TI by linking to indicators and internal TI|
Note that I rolled “prediction” into prevention using strategic TI; if you think that prediction is a separate use case, just comment. At this point, true prediction (such as what is done by HUMINT and attacker sentiment analysis) is fairly rare.
P.S. By the way, are some of you wondering why I don’t call this domain “cyber threat intelligence” (CTI)? Even though I no longer assume that “c” in “cyber” stands for “clown”, frankly, I don’t see the need to “cyber it up.“ Hopefully, the discussion on definitions and types of TI makes it pretty clear that we are in the “cyber” domain here and not in gardening or something….
Posts related to this research project:
- On Broad Types of Threat Intelligence
- Threat Intelligence is NOT Signatures!
- The Conundrum of Two Intelligences!
- On Comparing Threat Intelligence Feeds
- Starting Threat Intelligence Research