By: Page Glave
June 22, 2021
Diamonds Are An Analyst’s Best Friend
What is cyber threat intelligence?
According to NIST, cyber threat intelligence is “threat information aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.” Threat intelligence is differentiated from threat information by being modified to be actionable. There is so much information available that cybersecurity professionals must move beyond threat information to threat intelligence. An understanding of basic cyber threat intelligence is critical for multiple roles to effectively defend an organization.
How is cyber threat intelligence modeled?
Frameworks help organize information to make more sense. Two commonly used models are the Lockheed Martin Cyber Kill Chain and the MITRE ATT&CK Framework. Both can be used for advanced cyber threat intelligence modeling.
The Cyber Kill Chain resembles the typical steps in penetration testing, moving from reconnaissance to exfiltration. This model is relatively easy to understand as a linear process, but it can be difficult to fit modern attacks into it. The MITRE ATT&CK Framework is a massive body of information about attackers. The ATT&CK Matrix organizes adversary behavior into multiple categories to help classify it. This framework is extremely detailed and a great reference for sorting out adversary behavior. This strength can also be a weakness, however. The amount of information may be overwhelming for new cybersecurity professionals, and it can be easy to get lost in the weeds.
Both models help move from threat information to threat intelligence. The models can be combined or separate from other frameworks to make managing threat intelligence easier.
But what about the diamonds?
Several years ago, Sergio Caltagirone, Andrew Pendergast, and Christopher Betz proposed the Diamond Model of Intrusion Analysis. This model involves four main parts and can be implemented almost immediately. The vertices represent the Adversary (the bad guys), Infrastructure (the stuff used), Capability (the tools and techniques used), and Victim (the targets). These are supplemented with meta-features, contextual information, and other details (such as socio-political factors). Grouping information into these categories allows connections to be made. Pivoting from one vertex to another is logical, and the model can be split out as needed (say, to focus on a key adversary). By working from the general to the specific, the Diamond Model can help professionals quickly conceptualize the threats, leave room for unknowns, and enrich known information to make it more usable.
But how is it used?
There are many ways these models could be put into practice. A usable method that can be quickly taught is to start with the Diamond Model and fill out the details using the Cyber Kill Chain and ATT&CK Framework. Each framework can be used to get more granular with the information to improve decision-making. Using the models together also allows the workload to be spread among more analysts. Less experienced professionals may be responsible for broadly categorizing information as a victim, adversary, capability, or infrastructure. That information can then be passed to more experienced analysts for in-depth analysis to drive decision-making. The key is finding what will work in the specific environment to inform decision-making. The goal is to move from intaking vast amounts of cyber threat information to contextualizing it and producing cyber threat intelligence.
Integrating these models into the collaboration platform used at the organization helps make the information readily accessible to those who need it. This will also help prevent the intelligence from being siloed. Whatever platform is used, make sure processes are put in place to prevent waste, such as rework. Effective handoffs are critical to making information actionable quickly. Ticketing systems, shared notebooks or documents, and other options are all viable ways to collaborate. This workflow might look like a call coming into the help desk with some indicator of compromise. The help desk could add the indicator to the appropriate vertex of the Diamond Model and hand off to tier 1 cybersecurity staff. They could do initial investigation and contextualization to determine if a deeper investigation is needed.
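The intake-and-handoff workflow described above, as an added illustration that is not code from the post: the help desk places a reported indicator on one Diamond vertex and leaves the rest unknown, tier 1 enriches the event with a Kill Chain phase and an ATT&CK technique as meta-features, and an analyst pivots across events sharing infrastructure to connect unattributed events with a known adversary. All hostnames, ticket numbers and the adversary name are constructed sample values.

```python
from dataclasses import dataclass, field

UNKNOWN = "unknown"  # the model deliberately leaves room for vertices not yet attributed


@dataclass
class DiamondEvent:
    """One intrusion event: the four Diamond vertices plus meta-features."""
    adversary: str
    infrastructure: str
    capability: str
    victim: str
    meta: dict = field(default_factory=dict)  # source, kill chain phase, ATT&CK technique, ...


def intake(indicator_type: str, value: str, victim: str, source: str) -> DiamondEvent:
    """Help-desk step: put the reported indicator on its vertex, everything else stays unknown."""
    if indicator_type not in ("infrastructure", "capability"):
        raise ValueError("a reported indicator is either infrastructure or capability")
    vertices = dict(adversary=UNKNOWN, infrastructure=UNKNOWN, capability=UNKNOWN, victim=victim)
    vertices[indicator_type] = value
    return DiamondEvent(**vertices, meta={"source": source})


def enrich(event: DiamondEvent, phase: str, technique: str) -> DiamondEvent:
    """Tier-1 step: attach the Kill Chain phase and ATT&CK technique as meta-features."""
    event.meta.update(kill_chain_phase=phase, attack_technique=technique)
    return event


def pivot(events, from_vertex: str, value: str, to_vertex: str) -> list:
    """Pivot across the diamond: from one known vertex value to the values on another vertex."""
    return sorted({getattr(e, to_vertex) for e in events if getattr(e, from_vertex) == value})


# Constructed sample data: two help-desk tickets plus one earlier, fully attributed analyst record.
# T1566 is the ATT&CK technique id for Phishing; "Delivery" is the matching Kill Chain phase.
EVENTS = [
    enrich(intake("infrastructure", "mail.example.net", "finance-ws-01", "ticket-1001"),
           "Delivery", "T1566"),
    enrich(intake("infrastructure", "mail.example.net", "hr-ws-07", "ticket-1002"),
           "Delivery", "T1566"),
    DiamondEvent("group-red", "mail.example.net", "macro document", "finance-ws-03",
                 {"source": "analyst", "kill_chain_phase": "Delivery", "attack_technique": "T1566"}),
]


def linked_adversaries(events, infrastructure: str) -> list:
    """Analyst pivot: which adversaries, known or still unknown, have used this infrastructure?"""
    return pivot(events, "infrastructure", infrastructure, "adversary")


def affected_victims(events, infrastructure: str) -> list:
    """Analyst pivot: which victims has this infrastructure touched?"""
    return pivot(events, "infrastructure", infrastructure, "victim")
```

The shared infrastructure is what links the two unattributed tickets to the existing group-red record; that link is a lead for deeper investigation, not an attribution on its own.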
Working in information technology, and especially cybersecurity, is to live in a constant state of information overload. Becoming overwhelmed by the onslaught is a very real risk. It is critical to effectively manage the information coming in to make it valuable to the organization. More and more information can only be helpful when there is enough context to help drive decision-making. Professionals should avoid reinventing the wheel and use existing frameworks to quickly improve how data is managed. The Diamond Model is an effective method for quickly standing up a cyber threat intelligence program. The model is only simple on the surface and provides flexibility in how it may be implemented. As the program matures, additional context and threat modeling can be brought in to make the program more valuable.