Time
3 hours 1 minute
Difficulty
Advanced
CEU/CPE
3

Video Description

Levels Zero and One of The Threat Intelligence Maturity Model

This lesson discusses the Threat Intelligence Maturity Model, starting with Level Zero (0). An organization at this level does not know where to begin: there is no team in place yet, and little is known about its risks and exposures. IT staff struggle to decide which source to use for information, since there are so many threat feeds available, and the alerts they do receive are usually outdated. At Level One (1), the organization is beginning to build momentum with threat intelligence. A small team is in place, typically a network administrator and a single analyst, and there is a reactive approach to risks and exposures, but it still lacks context.

Video Transcription

00:04
Hello and welcome to Module One of the advanced CTI program.
00:09
In this module, we're going to discuss the Threat Intelligence Maturity Model.
00:14
It's pretty interesting. As I mentioned in the introduction, several different vendors in the cybersecurity
00:22
market have developed their versions of this,
00:26
and it's a
00:28
way for an organization, or the practitioners within an organization,
00:32
to analyze where they are in their current timeline for the maturity of their CTI program. Starting off at level zero,
00:43
the analysts, or even the organization as a whole, don't really know exactly
00:48
how to get started. So some of the challenges here relate to the different threat feeds that might be available.
00:56
Anyone who has spent time searching for threat feeds has probably quickly discovered that there's
01:03
more choice available than is easily analyzed.
01:07
You might suffer from what's known as analysis paralysis.
01:11
There might be hundreds or maybe even thousands of different choices available for where you get your information.
01:19
Now we see the SIEM device mentioned here.
01:23
A SIEM device can sometimes be seen as sort of an all-purpose tool for aggregating information and
01:33
just magically letting people know when there's a problem
01:37
and thereby making everything more efficient.
01:40
And once the SIEM device is properly tuned
01:45
and
01:46
has been configured in such a way, then you might get close to that ideal
01:51
functioning.
01:53
But at the beginning, you're sending raw feeds to your SIEM device.
01:57
Different vendors have different formats for the types of events that their products produce,
02:05
but usually with a SIEM device, you're looking for something like a syslog format; that's pretty typical. The problem again, with this kind of approach at the beginning, is that you've got
02:16
all different types of pieces of infrastructure that could be servers,
02:21
important workstations or user endpoints, firewalls, proxies, switches
02:28
and so on. There's a lot of different types of equipment that might all be sending information,
02:32
and it's difficult to understand.
02:35
Is this data that we're getting
02:38
truly useful? How do you decide where and when to filter information out of your capture so that you don't clutter up your databases and make the analysis more difficult?
02:51
In the previous course, the introduction course,
02:55
we talked about the IOC,
02:59
the indicator of compromise. Now, an indicator of compromise could be quite a wide variety of different facts or scenarios. Some of the simpler things could be as follows: missing files, or new files have been created,
03:14
or a system config file has been changed, or maybe there's timestamp information on a file or a folder that's been modified.
03:23
Any of those things could be an indicator of compromise.
03:25
It could be that there are artifacts left over from some malware infection, and so on. These IOCs can be
03:35
quite wide-ranging, and they will obviously vary on a case-by-case basis as far as
03:40
what is considered actionable, what's not, how do you filter that out, and so on.
03:46
At the beginning, because of the use of something like a SIEM, you do have some of the benefits of automation:
03:54
if you configure all your devices to send the data to the SIEM, then the SIEM can automate a reply or an alert that goes to the various people that are
04:05
interested in that information. But at this early stage, you really don't have your team together yet;
04:12
the roles and responsibilities haven't been fully defined,
04:15
so because of that deficiency, there are
04:18
some definite risks and exposures, as we see here.
04:24
A lot of the work may be manual. You're only getting limited automation with the SIEM device at the early stages;
04:29
you may not have the right
04:31
roles and responsibilities defined, so
04:34
a deeper, more comprehensive analysis is not yet taking place.
04:41
And
04:42
anyone who's managed a SIEM or managed an IDS
04:46
knows that you end up getting overwhelmed with alerts and events,
04:50
and it's very difficult to figure out how to whittle that down, or how to sort through that information to get to what's really important.
05:00
I used the analogy
05:01
in the previous discussions where you've got this big, massive pile of hay and you're trying to find a few needles that might be hidden
05:10
in the haystack, and that's a difficult challenge at the early stages of CTI. At maturity level one, the organization, the analysts, the engineers and so on are gaining some momentum.
05:25
So now the automation is becoming
05:29
a little bit more useful,
05:31
but that
05:32
that problem of being overwhelmed still exists
05:35
because now you may be thinking, OK, we've got more and more different sources of information coming in.
05:42
But, you know, you're getting tens of thousands of events every day. How do you decide
05:47
which ones of those events are worth looking into?
05:53
The team may start taking a little bit of shape
05:55
In the previous step, maybe your network administrator, or your security administrator, might have been the only person who was
06:02
looking at this information. The network admin might be involved at level one as well,
06:09
but we see that maybe
06:11
analysts or other security practitioners might be getting involved as well. And that's important because
06:19
there needs to be some subdivision of labor so that people can focus on their areas of expertise without being spread too thin.
06:28
It's always a challenge no matter what kind of environment you're in.
06:31
But as we see in the risks and exposures areas here,
06:35
this is still being reactive instead of proactive,
06:40
because you're getting information
06:42
aggregating it and trying to automate some sort of a response.
06:46
And because the information isn't well formatted and well understood, it can be difficult to understand: are we looking at
06:54
a campaign of coordinated events, or is it just a single attack that is not connected to other events that have been recorded or discovered? That's difficult to tease all apart, and part of the reason why
07:10
the effort on filtering and blocking must be ramped up during this phase
07:15
in order to reduce the number of events overall
07:19
and try to find a methodology or some logical rules, or even a decision tree, if you will,
07:29
to get to the
07:30
to the events and the data that are most important
07:32
while not losing any of the information which,
07:39
you know,
07:40
could turn out to be critical.
07:43
There is always that balance between filtering information out and focusing on what's left over
07:50
for the analyst. You know, there's that little voice in the back of your head that might be saying, well, did we filter something out that we still should be looking at?
07:59
It's a question that never really gets 100% answered, in my experience;
08:03
it's something that you just have to be aware of and
08:07
be willing to remain open minded and make adjustments as needed.
08:11
Your SIEM device
08:13
could also benefit from making some improvements in the structure of the data that's being sent to it
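The transcript describes the level-zero and level-one problem in the abstract: raw feeds from firewalls, switches, servers, proxies and endpoints arrive in different vendor formats, the volume is overwhelming, and filtering has to cut the noise without dropping the few events (a changed config file, a new file appearing) that are actual indicators of compromise. The following Python script is an added example written for this page; it is not course material or the instructor's code. The hostnames, the seven syslog lines and the noise and IOC rules are all constructed for illustration, and the SIEM is stood in for by a plain function so it runs offline.

```python
"""Normalize heterogeneous syslog events and filter noise while keeping
file-change IOCs. Added example; the log lines, hostnames and rules below
are constructed for illustration, not taken from any real deployment."""
import re
from collections import Counter

# Minimal RFC 3164-style parser: "<PRI>Mon dd hh:mm:ss host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed events from several device types, each in its own vendor dialect.
SAMPLE_LINES = [
    "<134>Mar 10 09:12:01 fw-edge-1 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP DPT=443 ACTION=ACCEPT",
    "<189>Mar 10 09:12:03 sw-core-1 lldpd[912]: interface GigabitEthernet1/0/24 changed state to up",
    "<134>Mar 10 09:12:05 fw-edge-1 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=TCP DPT=22 ACTION=DROP",
    "<110>Mar 10 09:12:07 srv-web-2 auditd[433]: type=PATH name=/etc/ssh/sshd_config nametype=NORMAL op=write",
    "<166>Mar 10 09:12:09 proxy-1 squid[2001]: 10.0.5.23 TCP_MISS/200 GET http://example.net/ -",
    "<110>Mar 10 09:12:11 ws-0042 sysmon[880]: Event 11 FileCreate Image=C:\\Windows\\Temp\\svch0st.exe User=CORP\\jdoe",
    "<189>Mar 10 09:12:13 sw-core-1 lldpd[912]: interface GigabitEthernet1/0/24 changed state to up",
]

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line):
    """Turn one raw line into a common event dict; return None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    ev = {
        "facility": pri // 8,
        "severity": SEVERITY_NAMES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "source": m.group("tag"),
        "message": m.group("msg"),
    }
    # Pull key=value pairs (firewall, auditd, sysmon style) into structured fields.
    ev["fields"] = dict(re.findall(r"(\w+)=(\S+)", ev["message"]))
    return ev


# IOC-style conditions named in the transcript: config file changed, new file created.
CONFIG_PATHS = ("/etc/", "C:\\Windows\\System32\\")


def is_file_change_ioc(ev):
    f = ev["fields"]
    if ev["source"] == "auditd" and f.get("name", "").startswith(CONFIG_PATHS) and f.get("op") == "write":
        return True
    if ev["source"] == "sysmon" and "FileCreate" in ev["message"]:
        return True
    return False


# Noise rules (constructed): chatty notice/info sources, accepted traffic, successful proxy hits.
# They are data rather than code so they can be tuned as the feed is understood better.
NOISE_RULES = [
    lambda ev: ev["source"] == "lldpd" and ev["severity"] in ("notice", "info"),
    lambda ev: ev["source"] == "kernel" and ev["fields"].get("ACTION") == "ACCEPT",
    lambda ev: ev["source"] == "squid" and "/200 " in ev["message"],
]


def is_noise(ev):
    return any(rule(ev) for rule in NOISE_RULES)


def triage(lines):
    """Normalize, drop noise, and flag IOCs. An event that matches an IOC rule
    is never dropped, even if a noise rule would also match it."""
    kept, stats = [], Counter()
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            stats["unparsed"] += 1
            continue
        ev["ioc"] = is_file_change_ioc(ev)
        if ev["ioc"]:
            stats["ioc"] += 1
        elif is_noise(ev):
            stats["dropped"] += 1
            continue
        kept.append(ev)
        stats["kept"] += 1
    return kept, stats


if __name__ == "__main__":
    kept_events, counts = triage(SAMPLE_LINES)
    for ev in kept_events:
        flag = "IOC " if ev["ioc"] else "    "
        print(f"{flag}{ev['host']:<10} {ev['severity']:<8} {ev['source']:<8} {ev['message'][:60]}")
    print(dict(counts))
```

Running it on the seven constructed lines keeps three events (the firewall DROP, the sshd_config write and the FileCreate under a Windows temp directory) and drops four, which is the shape of the level-one problem: most of the volume is safe to discard, but the IOC check has to run before the noise filter, or the two events that matter would be lost along with the chatter.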

Up Next

Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor