Hello. Welcome to the next module in the Cyber Threat Intelligence course. We covered tactical threat intelligence; now we're talking about operational threat intelligence. Again, we will look at the role of the analyst, talk a little bit about how information is shared, an example of the diamond model for intrusion analysis, intrusion detection and, lastly, we'll wrap up with threat actors and campaigns.

So, the analyst for operational threat intelligence.
This is a day-to-day role, right? Unlike tactical, where the timelines get longer, the operational threat intelligence analyst is working on things that are happening from day to day, hour to hour, minute to minute. So mostly this means that this role is focused on adversaries. What are their tactics, techniques and procedures, their TTPs? Those need to be analyzed and understood so that the operational analyst can make those decisions on a daily basis which best protect the organization's assets.

This also includes threat feeds. Some of these are going to be internal, naturally, because you're doing continuous monitoring and you've got your own SIEM devices and IDPSs and so on. As I touched on in earlier modules, there are many vendors that provide threat feed information, whether it's free or paid for in a subscription type of model. In either case, this information still needs to be properly analyzed to see if it's relevant to the organization, if it's credible, if it's actionable.

This would also include, because of the convergence of mobile devices with laptops and workstations and so on, people roaming around with their work-based computer or tablet or mobile phone in their pocket. And because they're in and out of buildings, because they take these devices with them when they're not on the job, there are tremendous additional risks to consider.
Also, emerging technology would cover things like the ever-upward spiral of using cloud resources or other types of managed services. These present challenges because you may have difficulties properly defining where the boundary is between the provider of the service and the client, as far as who's responsible for monitoring or incident response and those kinds of things. There can be some definite challenges there.

This analyst in the operational role also needs to think about how they distribute the information that they generate. So on a daily basis that could be different trouble tickets that are coming in; there might be meetings, maybe a brainstorming session with the incident response team, for instance. And so all that information could be used in various ways. There could be correlations with other existing evidence that's already been discovered or other IOCs that have been discovered. So the operational analyst really needs to keep their finger on the pulse of what the organization is dealing with in order to properly perform that distribution function.
Sharing information has a lot of advantages, because you've got operational analysts, you've got tactical analysts, and all those different groups, all those different teams need to have some idea of what each other is working on, even though their time scales are different. There are some potential overlaps for reuse of research or reuse of evidence that was gathered from one investigation that could be part of a longer-term campaign by a threat actor or a nation state. So sharing that information with the relevant teams makes sense, especially when there's some uncertainty about whether or not some events actually constitute an incident. Not all events are incidents; some events are false positives, or problems, or something suspicious happening, but it may not be a large enough event, or may not affect enough people, to be classified as an incident, thereby invoking the incident response.

So some cross-sharing of information between the different teams makes a lot of sense, and the operational analyst is the one that is dealing with the most near-time or near-real-time information, so they might have valuable updates for members of other teams that are working on longer-term projects. This helps the overall quality of the analysis that's being performed as well, because now management can look at operational, tactical and strategic timeframes and see how that all fits together with a narrative of the different kinds of threats or APTs, for instance, that might be going on in the environment. So there is real value here in performing the information sharing effectively. How could we think about the management of this information?
Some of you may have heard of the Information Sharing and Analysis Center idea, the ISAC, and what this really means is you're taking a very methodical approach to gathering and using information. Where do you get the information from? What internal sources are used? What external sources are used, threat feeds for instance? If there are multiple companies that are part of this ISAC, which is typically the case, then key stakeholders from each of those companies need to be identified, because they are the targets for updates and information sharing, and for surveys and questionnaires asking for information or asking for feedback on past performance of different activities that have happened between the companies that are members of this ISAC. The member companies would also have different people who are producing intel and some people who are consuming it, so knowing who those people are makes a lot of sense; identify these things clearly. This way, when reports are sent out, they aren't redundantly sent to people who don't require the information. The people who produced the report aren't necessarily going to be sending it to other producers; they're interested in sending it, perhaps, to the consumers of this intel. So it's a good idea to differentiate between these different groups, and the members of the ISAC should have some sort of incentive in order to be willing to share their information.
Obviously, if the information that's been gathered has too many specifics that pertain to a member company, then they would have to take some steps to sanitize it, or do something else that's reasonable, to de-identify any PII, for instance, or anything that's considered proprietary. That's a natural step that you would have to take.
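As an added example (not part of the course material), here is one way that de-identification step could be automated before a member company's incident record goes to the ISAC: member-identifying fields are dropped, RFC 1918 addresses are removed from the indicator list, and emails, internal hostnames and internal IPs are redacted from free text. The record layout, the internal domain pattern and all values are constructed assumptions, not a standard ISAC schema.

```python
import ipaddress
import re

# Constructed sample: an internal incident record as a member company might hold it.
# Field names are assumptions for illustration, not a standard ISAC/STIX schema.
INTERNAL_RECORD = {
    "company": "Example Member Corp",
    "analyst_email": "j.doe@example-member.com",
    "ttps": ["T1566.001", "T1059.001"],
    "indicators": ["203.0.113.45", "10.20.30.40", "d41d8cd98f00b204e9800998ecf8427e"],
    "notes": "Phish hit j.doe@example-member.com; beacon from 10.20.30.40 "
             "to 203.0.113.45 via proxy01.corp.example-member.com",
}

# Fields that identify the reporting member and never leave the organisation.
MEMBER_SPECIFIC_FIELDS = {"company", "analyst_email"}
# RFC 1918 ranges: internal addresses are proprietary detail, not shareable IOCs.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed internal naming convention for this fictional member company.
INTERNAL_HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.corp\.example-member\.com\b")


def is_internal_ip(value):
    """True only for RFC 1918 addresses; hashes and non-IP strings return False."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def redact_text(text):
    """Replace PII and internal infrastructure references with fixed tokens."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = INTERNAL_HOST_RE.sub("[INTERNAL-HOST]", text)
    return IPV4_RE.sub(
        lambda m: "[INTERNAL-IP]" if is_internal_ip(m.group(0)) else m.group(0), text)


def sanitize_for_isac(record):
    """Return a copy of the record that keeps TTPs and external IOCs, drops the rest."""
    shared = {k: v for k, v in record.items() if k not in MEMBER_SPECIFIC_FIELDS}
    shared["indicators"] = [i for i in record.get("indicators", []) if not is_internal_ip(i)]
    shared["notes"] = redact_text(record.get("notes", ""))
    return shared
```

The external IP and file hash survive because they are what other members can act on; the analyst's address and the internal host and IP do not.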
If you can gather information, do the correct analysis and store it for reporting purposes or for trend analysis, this provides a lot of value to most organizations, because you've got multiple companies that are all pooling their resources together, and you're trying to get the best and brightest people in the room to look at this data and decide: is this real? Does it affect more than one company? Is it some part of a larger campaign? And so on. So it's a really great way