Time
3 hours 1 minute
Difficulty
Advanced
CEU/CPE
3

Video Description

Levels Two, Three and Four of the Threat Intelligence Maturity Model

This lesson continues the discussion of the Threat Intelligence Maturity Model, with a focus on levels two (2) and three (3). When the model is at stage two (2), threat intelligence capacity is increasing and the business is shifting from a reactive approach to a more proactive one. There is also a defined team, consisting of a Security Operations Center (SOC), with defined roles and workflows. The SOC also performs network monitoring and incident response. Risks and exposures still exist at this level, as analysis is too labor intensive and source feeds change rapidly. It is also difficult to filter actionable events. At Level Three (3) of the Threat Intelligence Maturity Model, there is a Cyber Threat Intelligence program in place. The team is more structured and able to perform strategic analysis, and there is a more strategic approach through tracking identified threat factors. The team now consists of incident response, SOC, NOC, a Security Director, a Threat Intel analyst, as well as IT staff. At this point, workflows should be optimized and there is a transition from tactical to strategic use of threat intel. Finally, at Level 4 there is a stable threat intelligence program with a mature process and workflow.

Video Transcription

00:04
Now, at the capacity-increased level of Level Two, the production of the intel is gaining in, perhaps, popularity within the organization.
00:17
You're getting a better understanding of where the events come from, maybe even seeing some semblance of patterns and some other kind of information which could help the analyst better recognize that, "Oh, I've seen this before. We know that there's a certain pattern of events that might occur that produced these types of IOCs," for instance,
00:43
and trying to do the correlation of those various IOCs with information from other areas like your firewall logs or a proxy log, or, you know, a log that was generated at a particular endpoint.
01:00
That becomes a little bit more mature because the organization is saying, "Okay, we've got our feeds being filtered a little bit. We're reducing the overall number of events that we're looking at," and then you could slowly transition from being completely reactive to being slightly proactive.
01:21
It may be the case, for instance, that certain events and certain patterns of events might precipitate a compromise, or might be part of the early stages of some kind of an attack, even a campaign, which we'll talk about a little bit later.
01:41
So at this stage the team is now defined; perhaps you also have a security operations center, or SOC, and this means that you've got a more formalized approach to producing the intel and also consuming it for analysis purposes.
02:00
This hopefully would provide the correct linkages to your incident response program, so that the feeds come in, they're analyzed, the appropriate events are generated, and then incident response gets involved when it's determined that this particular event or events meets the criteria or meets the threshold for an actual incident that's underway, or maybe an incident that's even already happened.
02:29
So the risks and exposures at this level would be that there are still some more automation possibilities. Maybe there are still too many manual things that are happening.
02:38
The task of deciding which events are actionable is also still very challenging.
02:46
Even though the benefits of automation are in place, it could be that there's still a lot of human interaction required to understand: "We're looking at this and this and this. What does it all mean?"
03:00
Maybe a person still needs to decide whether this information is useful.
03:06
Maybe the information is already considered stale, for instance, and cannot be easily used because the events already happened and there's no chance to do the required real-time analysis.
03:21
Perhaps, if the threat intel platform, as we see here, is somewhat more mature, the security team can benefit from this.
03:30
There may already be an embedded function within your cyber security team, but it's not always the case. Incident response might be separate; threat analysis and infrastructure monitoring may also be a slightly different function or a different team.
03:49
So it just depends on how your organization's structured, as far as how this information will be used.
03:57
Up to this point, the organization's mostly been focusing on internal information, but now, at this stage, it's expected that external feeds of information would also be incorporated, because these could be coming from your various technology vendors. They could be coming from state and local government if they've got some capacity, like us-cert.gov, for instance, and that can add a lot of benefit to the overall program.
04:28
Now, getting to Level Three, where the program now exists, means that there is a well-defined level of maturity.
04:35
You've got all your roles and responsibilities defined. You've got workflows. There's ample documentation to show how things work, who's responsible for what. Lines of reporting and lines of escalation should also be well understood at this level,
04:56
and external feeds that come from vendors. Some of these could be free feeds; it could be feeds that are purchased on a subscription model, which is quite common.
05:06
And now the bigger picture can be looked at a little bit more clearly, because the correlation of these events could be understood to the level where you can say, "Okay, well, we know that this campaign is being perpetrated by this group over here, or we've got some individual actors that are doing some actions over on this side," and that deeper level of understanding means that the production of this intel is now having a much greater benefit to the organization overall.
05:42
We see a mention here of information sharing and analysis centers, and information sharing and analysis organizations: the ISACs and ISAOs.
05:50
Although not every organization is going to have this level of hierarchy, it could make sense if your organization is large enough and you've got the funding to staff and produce these different teams to work together towards the common goal of analyzing the information that's coming in.
06:13
The second part of this Level Three would be visualizing the information, which we'll talk about later in this course, and trying to find a way to present the data so that it can be consumed by various different people on the team.
06:30
As we see here, the team could include incident response, your SOC, your NOC, different types of analysts like threat intel analysts. Maybe the security director is getting some roll-up type reports, and your various members of the IT staff are also involved because they are managing the pieces of the infrastructure which are producing log events, whether they are from things that happened locally on that system or events that were generated because an IDS was triggered, or a host-based firewall, for instance. All those things could be funneling information to aggregate for the overall CTI program.
07:09
But we see there are still risks and exposures here related to things like optimizing the workflows, optimizing the filtering, trying to put in place processes and procedures so that new events that haven't been seen before can quickly be characterized and integrated into the existing monitoring program and analysis program.
07:36
In order to optimize automation, the format of the information, of the data, should be standardized so that various vendors' products can all use the data interchangeably.
07:49
And that's usually accomplished by using things like XML formats, or perhaps something like some of the other standards that are available from different vendors.
08:05
All right, moving on to the last level, Level Four. This is when the program is now considered stable.
08:13
All of your roles and responsibilities are well defined. All the workflows are well understood.
08:20
Ample documentation exists so that someone who is new to the team can sit down and hopefully understand, in a relatively short amount of time, what's expected of them in their role, how their role fits into the overall functioning of the team, and how the different members of the team work together,
08:43
choosing which kinds of information need to be shared within the organization, or perhaps even with other organizations or within the threat intel community at large.
08:56
There are obvious challenges in deciding which information can be shared. It needs to be properly sanitized, and there are some other common-sense considerations that would be appropriate here.
09:09
But I hope you enjoyed the overview on the Threat Intelligence Maturity Program, or maturity model, I should say.
09:16
And, as I mentioned earlier, several vendors have produced these kinds of models.
09:22
So there's a lot of good information out there if you choose to dive a little deeper into this, and maybe you can even find some more detailed methodologies for going from one level to the next.
09:33
All right, well, that's it for this module. We'll see you in the next. Thank you.

Up Next

Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor