How to Improve Threat Report Analysis and Action
Most organisations have more threat intelligence than they know what to do with, from a variety of sources – commercial, open source, government, industry sharing groups and security vendors. Bombarded by millions of threat datapoints every day, it can seem impossible to appreciate or realize the full value of third-party data. In a recent CyberSocial webcast, industry experts David Grout, CTO EMEA for FireEye and Yann Le Borgne, Technical Director for ThreatQuotient, helped listeners tackle this challenge. Using threat reports as an example of one type of published threat information, they responded to real-time polling results as they provided advice on how to analyse a threat report and make it actionable.
Here are five tips they shared.
- Select the right sources of threat data for your organisation.
When polled, the audience reported using a well-balanced combination of sources of threat intelligence. They are on the right track, but David explains that it is also important to identify the right sources for your organisation and collect threat reports from several different sources as they provide different levels of content – strategic, operational and tactical. Figure out the who, what and when for consumption and use that for your metric for success when looking at acquisition.
Yann adds that as open-source intelligence (OSINT) is free and easy to access, most organizations use it extensively. But organisations must also consider the trust and reliability of sources. Yann explains that in a classical hierarchy, the highest level of trust comes from the intelligence you generate and receive from your close network and peers, and OSINT information is placed at the lowest level. David recommends using trust models such as the Admiralty System or NATO System which classifies information from A to F for reliability and from 1 to 6 for credibility, particularly for new sources that surface during times of crises or outbreaks. Applying this scale to threat intel helps to determine what to do with the data and reduces false positives and noise generated from non-validated and unconfirmed data.
- Determine who will acquire the data.
In response to the next poll question, 25% of respondents said all groups have access to all threat intelligence sources. David explained that while it may be good to provide access to a broad audience, it is probably even better to have one team responsible for acquiring and analyzing threat reports and only delivering information that is actionable. Not every stakeholder needs every level of intelligence.
Using the report on the Ryuk ransomware from the French National Agency for the Security of Information Systems (ANSSI) as an example, Yann explained that to do this you need to determine how the same report will impact and be used by various teams across the organization. Different teams may use different aspects of the same report in different ways to achieve their desired outcomes, for example modifying policy (strategic), launching hunting campaigns (operational) or disseminating technical indicators (tactical). A threat report that is in PDF format requires a lot of work to translate the information it contains into actionable data for different sets of users, which is why it is important to have a dedicated team acquire the data.
- Structure the data for analysis.
Yann explained that the three steps for analysis include: understanding the context of report, the relevance of the report, and relating the report to any prior reports, intelligence and incidents. This process allows you to contextualize and prioritize intelligence but requires that the data be structured uniformly. Threat data comes in various formats (e.g., STIX, MITRE ATT&CK techniques, news articles, blogs, tweets, security industry reports,indicators of compromise (IoCs) from threat feeds, GitHub repositories, Yara rules and Snort signatures.) and needs to be normalized. The information you gather, in the Ryuk report for example, is expressed with their own vocabulary and translating it into a machine-readable format is necessary to link it to other related reports and sources of information.
David adds that it isn’t just about format. The volume of information across the threat intel landscape is high and different groups use different names to refer to the same thing. Normalization compensates for this and enables you to aggregate and organize information quickly. Structuring data so that you can prioritize is critical for triage and ensures you are focusing on the threats that matter most.
- Use tools to help with analysis.
Yann explains that the tools you use need to support your desired outcome. According to the poll, 67% of attendees using technical ingestion (SIEM) which indicates that desired outcomes are more technical. And 15% are still handling the acquisition and analysis process manually. This is quite a challenge, particularly during a big event. A threat intelligence platform (TIP) does a good job of extracting context and can help you use the information in various ways for different use cases (e.g., alert triage, threat hunting, spear phishing, incident response) and to support different outcomes.
It is also important that the tool you select works well with frameworks like MITRE ATT&CK. David shared that MITRE is the most used framework to organise the analysis process. Customers are identifying their crown jewels and mapping to MITRE to understand which adversaries might target them, the tactics, techniques and procedures (TTPs) to concentrate on, and what actions to take.
- Select the right tools to help make data actionable.
Analysis enables prioritization so you can determine the appropriate actions to take. There are a variety of tools to help make threat reports and other elements of your threat intelligence program actionable and achieve desired outcomes at the strategic level (executive reporting), operational level (changes in security posture) and tactical level (updating rules and signatures).
In the final polling question, 45% of respondents said they are using a TIP to make the data actionable for detection and protection, but few are using a TIP for forensics. Yann and David agree this is a missed opportunity and a capability teams should explore as their capabilities continue to mature. From a forensics standpoint, MITRE is an important tool to enable analysis of past incidents so organizations can learn and improve.
In closing, our experts recommend that before you start thinking about threat intelligence sources, analysis and actions, you need to understand the desired outcomes and deliverables for each of your constituents. It’s a journey that typically starts at the tactical level and, with maturity, evolves to include operational and strategic intelligence to deliver additional value. When shared the right way with each part of the organization, key stakeholders will see threat intelligence for the business enabler that it is, and the threat intelligence program will gain support and the budget to grow.