CTI 001: Why does Threat Intelligence matter?
CTI is the data analytics and business intelligence of cyber. Fight me.
Intro
Threat Intelligence is often discussed as separate from data analytics, but this distinction needs to change. Fundamentally, threat intelligence is data analytics with a focus on threats or adversaries. It often involves custom tools and solutions that aren't necessary. Many of these solutions are tailored to address Extract, Transform, and Load (ETL) problems that arise when working with specialized data. This specialized data can be logs from a private system or combat equipment, or data that is publicly available in a web format.
In cyberspace, threat intelligence closely mirrors traditional data analytics and engineering. The problems with system integrations are very similar, if not identical in many cases. This became clear when I learned how Kafka is used in many security stacks to handle ETL processes for system log data. Kafka is also a key tool for queuing massive amounts of data in many big data pipelines. It tends to be the backbone of event-driven architectures as well.
So What?
If your Threat Intel team does NOT have standard operating practices and lacks a communication channel with leadership then you may find my Cyber Threat Intelligence (CTI) series worth a read. You may also find it interesting if your team does NOT have processes that enable integration with your security operations center, developers, or incident responders.
I'm highlighting Threat Intelligence because it is so similar to traditional data analytics, yet I see an industry push to treat it differently. Threat Intelligence data should influence critical business decisions by key leaders at the strategic level. It should also be used by analysts and operators at the tactical level. Personally, I call this the CTI sandwich.
Strategery
Building on that, CTI is instrumental in supporting decision-making at both the strategic and tactical levels. It's crucial to understand that CTI doesn't make the decisions itself; rather, it equips others to make the right decisions. A common problem is that many organizations fail to integrate CTI into their decision-making processes while quickly adopting other traditional data analytics products. Let's break down the two types of decisions that come from threat intel.
Strategic Level involves long-term, high-level planning that can shape the direction of an organization. Strategic intelligence will build threat actor profiles, industry trends, and can include geopolitical assessments. The people making these decisions will typically be senior leaders and C-Suite members or their representatives.
Tactical Level focuses on short-term actions aimed at achieving a specific objective or mission. Tactical intelligence guides incident response and threat mitigation in a network. Examples of intelligence at this level are Indicators of Compromise (IOCs), exploitable vulnerabilities within a network, and tactics that may be used to compromise a network.
A look at VPNFilter shows the importance of a good threat intelligence strategy, and how it plays a part at multiple levels. In 2018, the Talos Intelligence Group released data about the VPNFilter malware and the systems it potentially targeted. This immediately highlights both levels of threat intelligence, strategic and tactical. They published the affected devices and a fix to reduce the risk from this malware. Additionally, they noted that the end targets were SCADA systems. This helped leaders at the strategic level change the priorities of work and focus for their organization.
Strategic Level
Leaders at the strategic level are planning long-term operations and making decisions at a higher level than what is needed by analysts and operators at the tactical level. Ultimately, the decisions leadership makes need to flow down to security analysts and operators, who may implement changes that align with those decisions. Those decisions need to be translated into something actionable.
It is important that outputs from CTI help improve the decisions made at this level. What does this mean? Don't send leaders a list of IPs or a list of tactics to integrate into your Security Information and Event Management (SIEM) solution. They need answers to questions such as the following:
Recommendations and answers to information requirements
Recommendations and notification of key decision points
Industry specific risks and adversary updates that are important
Assessed adversary actions that may impact the organization
This list is not comprehensive. Outputting products that support the above decisions made by leadership is just one component of what a CTI team may do. It is important to avoid tactical level information, unless it is truly critical to the decision leaders are making.
Tactical Level
Everyone at the tactical level finds themselves in the trenches at one point or another. Day-to-day operations can get hectic, and CTI can be one of the tools that helps create order out of the chaos. Products from CTI can drive hunt operations, SIEM rules, or aid in incident response. Having an in-house CTI team can help keep the products focused and specialized towards your organization.
Since CTI sits between senior leadership and the security analysts and incident responders, its products need to cater to both. The same products that help answer information requirements or industry risk need to also drive the analysts' actions. There are two critical warnings for CTI products at this level.
Provide more than just IOC lists
Outputs need to be actionable
How the analysis from CTI gets to the receivers at the tactical level will depend on your organization and if there are tools already available. If your team doesn't already have a platform then an open-source one like Filigran's OpenCTI may do the trick. A good Threat Intelligence Platform (TIP) will allow you to serve data up to the SIEM and to publish summarized reports, as well as help analyze all of the data being ingested. Some key outputs to focus on are:
Concise summary of tactics, techniques, and procedures (TTPs) relevant to the organization
IOC feed integration with SIEM
Enriching alerts and observations from SIEM
Integration of solicited feedback
It is important to know these aren't the only outputs, but are some of the key ones. It is also important to know that some outputs can be a simple message on Slack or Teams. You don't need a multi-million dollar infrastructure or set of software licenses to get the job done. The CTI team needs to make sure the intelligence gets to the right people.
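As an added illustration of how the same feed can serve both halves of the CTI sandwich, here is example code that is not from the original post: it matches constructed SIEM alerts against a constructed IOC feed, attaches actor, TTP and recommended action (the tactical, actionable output rather than a bare IOC list), and rolls the same matches up into a per-actor count of touched hosts (the kind of summary leadership needs). The indicators, hostnames, actor names and actions are all constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed IOC feed with the context a TIP would hold next to each indicator.
# Actor names, TTP labels and recommended actions are sample values.
IOC_FEED = [
    {"type": "ipv4", "value": "203.0.113.10", "actor": "Actor-A",
     "ttp": "T1071.001 Web Protocols", "action": "Block at egress; pivot on host"},
    {"type": "cidr", "value": "198.51.100.0/24", "actor": "Actor-B",
     "ttp": "T1566 Phishing", "action": "Check mail logs for sender overlap"},
    {"type": "domain", "value": "bad.example", "actor": "Actor-A",
     "ttp": "T1071.004 DNS", "action": "Sinkhole and collect resolver logs"},
]
# Constructed SIEM alerts; "observable" is the value a detection rule flagged.
SIEM_ALERTS = [
    {"id": "A1", "host": "ws-12", "observable": "203.0.113.10"},
    {"id": "A2", "host": "ws-07", "observable": "198.51.100.77"},
    {"id": "A3", "host": "ws-03", "observable": "mail.example"},
    {"id": "A4", "host": "srv-01", "observable": "bad.example"},
]

def match_ioc(observable):
    """Return every feed record covering the observable: exact IP, CIDR range, or domain."""
    try:
        addr = ip_address(observable)
    except ValueError:
        addr = None  # not an IP; only domain indicators can match
    hits = []
    for ioc in IOC_FEED:
        if ioc["type"] == "ipv4" and observable == ioc["value"]:
            hits.append(ioc)
        elif ioc["type"] == "cidr" and addr is not None and addr in ip_network(ioc["value"]):
            hits.append(ioc)
        elif ioc["type"] == "domain" and observable.lower() == ioc["value"]:
            hits.append(ioc)
    return hits

def enrich_alerts(alerts):
    """Tactical output: each matched alert gains actor, TTP and a recommended action."""
    out = []
    for alert in alerts:
        for ioc in match_ioc(alert["observable"]):
            out.append({**alert, "actor": ioc["actor"], "ttp": ioc["ttp"], "action": ioc["action"]})
    return out

def strategic_summary(enriched):
    """Strategic output: number of hosts touched per actor, not a list of indicators."""
    per_actor = {}
    for e in enriched:
        per_actor.setdefault(e["actor"], set()).add(e["host"])
    return {actor: len(hosts) for actor, hosts in per_actor.items()}
```

The enriched records are what would go back to the SIEM or a Slack channel for analysts; the summary is what a leader would see.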
Conclusion
Successfully integrating threat intelligence into your organization's decisions and having it drive action is no different from taking the data from your business intelligence team to drive business decisions. The same principles carry over to threat intelligence. Threat intelligence has been around for a while and has structure to it. Yet, the CTI team is often one of the last ones added to the organization.
A CTI team needs to be flexible, open to feedback, and quick to process all of the data they ingest. The team needs to be willing to look at things from a different perspective. I recommend skills in data engineering, data science/analytics, and of course cybersecurity. CTI can drive change and action in an organization.