Operational Threat Intelligence - Analysts and Communication



Time: 4 hours 8 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Description

Module 5 deals with Operational Threat Intelligence. This encompasses analysts, senior management, processes, and technology. We also have a look at the "Diamond Model," threat actors, and campaigns. The day-to-day duties of the analyst occur on a short timeline; they are more immediate and are focused on adversaries and understanding what they're up to. Intel comes to the analyst via threat feeds, internal and external, vendor-supplied, and via paid subscription. The analyst is then tasked with determining whether any of this intel is credible. Emerging technologies such as the proliferation of mobile devices make the task more challenging. Roaming staff increase risk, as do managed and cloud resources, and determining the boundary of responsibility becomes difficult. The final step, as covered in a previous video, is the sharing of threat intel with all interested stakeholders. From an organizational standpoint this requires a methodical approach governed by policies and procedures.

Video Transcription
00:04
Hello. Welcome to the next module in the Cyber Threat Intelligence course. We covered tactical threat intelligence; now we're talking about operational threat intelligence.

00:13
Again, we will look at the role of the analyst, talk a little bit about how information is shared and how it's managed, also examine an example of the Diamond Model for intrusion analysis and intrusion detection, and, lastly, we'll wrap up with threat actors and campaigns.

00:37
So, the analyst for operational threat intelligence. This is a day-to-day role, right? Unlike tactical, where the timelines will get longer, the operational threat intelligence analyst is working on things that are happening from day to day, hour to hour, minute to minute.

00:51
So mostly this role is focused on adversaries. What are their tactics, techniques and procedures, their TTPs? Those need to be analyzed to be understood so that the operational analyst can make those decisions on a daily basis which best protect the organization's assets.

01:07
This also includes threat feeds. Some of these are going to be internal, naturally, because you're doing continuous monitoring and you've got your own SIEM devices and IDPSs and so on, but also external. As I touched on in earlier modules, there are many vendors that provide threat feed information, whether it's free or it's paid for, more in a subscription type of model. In either case, this information still needs to be properly analyzed to see if it's relevant to the organization. Is it credible? Is it usable? Is it actionable? Basically.

01:49
This would also include emerging technologies. Because of the convergence of mobile devices with laptops and workstations and so on, there are more and more people roaming around with their work-based computer or tablet or mobile phone in their pocket. And because they're in and out of buildings, because they take these devices with them when they're not on the job, there are tremendous additional risks to consider.

02:22
Also, emerging technology would cover things like the ever-upward spiral of using cloud resources or other types of managed services. These present challenges because you may have difficulties properly defining where the boundary is between the provider of the service and the client as far as who's responsible for monitoring or incident response and those kinds of things. There can be some definite challenges there.

02:49
This analyst in the operational role also needs to think about how they distribute the information that they generate. So on a daily basis that could be different trouble tickets that are coming in. There might be meetings, maybe a brainstorming session with the incident response team, for instance. And so all that information could be used in various ways. There could be correlations between other existing evidence that's already been discovered or other IOCs that have been discovered. So the operational analyst really needs to keep their finger on the pulse of what the organization is dealing with in order to properly perform that distribution function.

03:30
Sharing information has a lot of advantages, because you've got operational analysts, you've got tactical analysts, strategic analysts; all those different groups, all those different teams need to have some idea of what each other is working on, even though their time scales are different. There are some potential overlaps for reuse of research or reuse of evidence that was gathered from one investigation that could be part of a longer-term campaign by a threat actor or a nation state.

04:12
So sharing that information with the relevant stakeholders is really important, especially when there's some uncertainty about whether or not some events actually constitute an incident. Not all events are incidents. Some events are false positives, or maybe an event is a definite problem or something suspicious happening, but it may not be a large enough event or may not affect enough people for it to be classified as an incident, thereby invoking the incident response.

04:48
So some cross-sharing of information between the different teams makes a lot of sense, and the operational analyst is the one that is dealing with the most near-time or near-real-time information, so they might have valuable updates for members of other teams that are working on longer-term projects. This helps the overall quality of the analysis that's being performed as well, because now management can look at operational, tactical and strategic timeframes and see how that all fits together with a narrative of different kinds of threats, or APTs, for instance, that might be going on in the environment.

05:30
So there's a real value here in performing the information sharing effectively. How could we think about the management of this information? Some of you may have heard of the Information Sharing and Analysis Center idea, ISAC, and what this really means is you're taking a very methodical approach to gathering and using information. So where do you get the information from? What internal sources are used? What external sources are used? Threat feeds, for instance.

05:58
If there are multiple companies that are part of this ISAC, which is typically the case, then key stakeholders from each of those companies need to be identified because they are the targets for updates and information sharing, and perhaps even surveys and questionnaires asking for information or asking for feedback on past performance of different activities that have happened between the companies that are members of this ISAC.

06:26
The member companies would also have different people who are producing intel. Some people are consuming it, so knowing who those people are makes a lot of sense. Identify these things clearly. This way, when reports are sent out, they're not being redundantly sent to people who don't require the information. The people who produced the report aren't necessarily going to be sending it to other producers; they're interested in sending it, perhaps, to the consumers of this intel. So it's a good idea to differentiate between these different groups, and the members of the ISAC should have some sort of incentive in order to be willing to share their information.

07:10
Obviously, if the information that's been gathered has too many specifics that pertain to a member company, then they would have to take some steps to sanitize it or do something else that's reasonable to de-identify any PII, for instance, or anything that's considered proprietary. That's a natural step that you would have to take.

07:31
But ultimately, if you can gather information, do the correct analysis and store it for reporting purposes or for trend analysis, this provides a lot of value to most organizations' CTI programs, because you've got multiple companies that are all pooling their resources together and you're trying to get the best and brightest people in the room to look at this data and decide: is this really something that affects more than one company? Is it some part of a larger campaign? And so on. So it's a really great way to do the analysis.