We often hear clients asking about threat intelligence related processes: how to collect, refine and utilize it (by the way, this document is being updated; let us know if you have feedback about it!). It’s very easy to explain and visualize when we are talking about machine readable TI (MRTI for short); your tools ingest the data feed and look for the IOCs in your environment. But what about the other type of threat intelligence, the “Non-MRTI” type?
Here’s a simple example. Take a look at this post from the McAfee Labs Blog. It is a nice explanation of a somewhat new exploitation technique used by malware they recently analyzed. This is a typical “TTP” (Tactics, Techniques and Procedures) piece of TI (and by the way…did you notice it’s FREELY AVAILABLE?). It describes threat behavior. Of course, it could be more valuable if there was more information to link it to threat actors, campaigns, etc, but it is valuable nevertheless. But coming back to the point of this post: why am I talking about it?
Because you can use to check where you are in terms of processes to leverage this kind of TI. Try to answer, for example some of this questions:
- Do I have people looking for and reading this type of information?
- Do I have a process that takes this type of information and turns it into actionable advice for my security operations?
With that you can see if the basic processes are in place; you can further extend this small self-assessment with more detailed questions such as:
- Would this technique work in my environment?
- Am I currently prepared (in terms of tools and monitoring use cases) to detect this?
- If not, what changes do I need to do on my environment and tools to detect it?
Some people expect some ethereal process or method when we talk about consuming TI; there’s nothing special about that. If you can answer “yes” to all, or even some of the questions above, you’re already doing it. Of course, there are different maturity levels, types of TI and sources of information, but all that can evolve over time. So, if you are thinking about your capabilities to consume TI, take a look at the example above. It might give you some interesting insights.
from Augusto Barros http://ift.tt/29i8dbB