Now, at the increased-capacity level, Level Two, the production of the intel is gaining, perhaps, in popularity within the organization. You're getting a better understanding of where the events come from, maybe even seeing some semblance of patterns and some other kinds of information, which could help the analyst better recognize that: "Oh, I've seen this before. We know that there's a certain pattern of events that might occur that produced these types of IOCs, for instance." Trying to do the correlation of those various IOCs with information from other areas, like your firewall logs or a proxy log or a log that was generated at a particular endpoint, that becomes a little bit more ... The organization is saying, "Okay, our feeds are being filtered a little bit, we're reducing the overall number of events that we're looking at," and then you could slowly transition from being completely reactive to being slightly proactive. It may be the case, for instance, that certain events and certain patterns of events might precipitate a compromise, or might be part of the early stages of some kind of an attack, which we'll talk about a little bit later.
So at this stage the team is now defined; perhaps you also have a security operations center, or SOC, and this means that you've got a more formalized approach to producing the intel and also consuming it for analysis purposes. This hopefully would provide the correct linkages to your incident response program, so that the feeds come in, they're analyzed, the appropriate events are generated, and then incident response gets involved when it's determined that this particular event or events meets the criteria or meets the threshold for an actual incident that's underway, or maybe an incident that's even already happened.
So the risks and exposures at this level would be that there are still some more automation possibilities. Maybe there are still too many manual things that are happening. The task of deciding which events are actionable is also still very challenging. Even though the benefits of automation are in place, it could be that there's still a lot of human interaction required to understand: "We're looking at this and this and this. What does it all mean?" Maybe a person still needs to decide whether this information is useful. Maybe the information is already considered stale, for instance, and cannot be easily used because the events already happened and there's no chance to do the required real-time analysis. Perhaps, if the threat intel platform, as we see here, is somewhat more mature, the security team can benefit from this. This may already be an embedded function within your cyber security team, but it's not always the case: incident response might be separate, and threat analysis and infrastructure monitoring may also be a slightly different function or a different team. So it just depends on how your organization's structured as far as how this information will be used.
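To make the Level Two correlation step concrete, here is an added example (not from the lecture) in Python that checks a constructed IOC feed against constructed firewall, proxy and endpoint log lines, and drops indicators the feed has not confirmed within a freshness window so that stale intel is not matched. The log formats, field names, addresses and timestamps are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed IOC feed: the indicator, its type, and when the feed last confirmed it.
IOC_FEED = [
    {"value": "203.0.113.7", "type": "ipv4", "last_seen": "2024-05-01T10:00:00"},
    {"value": "bad.example.net", "type": "domain", "last_seen": "2024-05-01T09:30:00"},
    {"value": "198.51.100.9", "type": "ipv4", "last_seen": "2024-03-01T08:00:00"},  # old
]

# Constructed log lines: "<timestamp> <source> <source-specific fields>".
LOG_LINES = [
    "2024-05-01T10:05:12 firewall DENY src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2024-05-01T10:06:40 proxy GET host=bad.example.net client=10.0.0.5 status=200",
    "2024-05-01T10:07:01 endpoint host=ws-17 process=updater.exe conn=203.0.113.7:443",
    "2024-05-01T10:08:15 firewall DENY src=10.0.0.9 dst=198.51.100.9 dport=22",
    "2024-05-01T10:09:00 proxy GET host=www.example.org client=10.0.0.7 status=200",
]

# Which field in each source carries the external indicator worth matching (assumed formats).
EXTRACTORS = {
    "firewall": re.compile(r"\bdst=(\S+)"),
    "proxy": re.compile(r"\bhost=(\S+)"),
    "endpoint": re.compile(r"\bconn=([^:\s]+)"),
}

def fresh_iocs(feed, now_iso, max_age_days=30):
    """Drop indicators the feed has not confirmed within max_age_days of now."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    return {i["value"]: i for i in feed
            if datetime.fromisoformat(i["last_seen"]) >= cutoff}

def correlate(log_lines, feed, now_iso, max_age_days=30):
    """Map each fresh IOC to the (timestamp, source, line) records that mention it."""
    iocs = fresh_iocs(feed, now_iso, max_age_days)
    hits = {}
    for line in log_lines:
        ts, source, _ = line.split(" ", 2)
        rx = EXTRACTORS.get(source)
        if rx is None:
            continue  # unknown source: nothing to extract, skip rather than guess
        m = rx.search(line)
        if m and m.group(1) in iocs:
            hits.setdefault(m.group(1), []).append((ts, source, line))
    return hits

if __name__ == "__main__":
    for ioc, seen in correlate(LOG_LINES, IOC_FEED, "2024-05-01T12:00:00").items():
        print(f"{ioc}: seen {len(seen)} time(s) in {sorted({s for _, s, _ in seen})}")
```

An indicator that shows up in more than one source (here, the same address in both the firewall and the endpoint log) is the kind of repeated pattern the lecture describes an analyst starting to recognize at this level.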
Up to this point, the organization has mostly been focusing on internal information. But now, at this stage, it's expected that external feeds of information would also be incorporated. These could be coming from your various technology vendors; they could be coming from state and local government if they've got some capacity, like us-cert.gov, for instance, and that can add a lot of benefit to the overall program.
Now, getting to Level Three, where the program now exists, means that there is a well-defined program: you've got all your roles and responsibilities defined, you've got workflows, there's ample documentation to show how things work and who's responsible for what. Lines of reporting and lines of escalation should also be well understood at this level, and external feeds come in from vendors. Some of these could be free feeds; it could be feeds that are purchased on a subscription model, which is quite common. Now the bigger picture can be looked at a little bit more clearly, because the correlation of these events is understood to the level where you can say, "Okay, well, we know that this campaign is being perpetrated by this group over here, or we've got some individual actors that are doing some actions over on this side," and that deeper level of understanding means that the production of this intel is now having a much greater benefit to the organization overall. We see a mention here of Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations, the ISACs and ISAOs. Not every organization is going to have this level of hierarchy, but it could make sense if your organization is large enough and you've got the funding to staff and produce these different teams to work together towards the common goal of analyzing the information that's coming in. Level Three would be visualizing the information, which we'll talk about later in this course: finding a way to present the data so that it can be consumed by various different people on the team. As we see here, the team could include incident response, your SOC, your NOC, different types of analysts like threat intel analysts; maybe the security director is getting some roll-up type reports, and your various members of the IT staff are also involved because they are managing the pieces of the infrastructure which are producing log events, whether they are from things that happened locally on that system or events that were generated because an IDS was triggered or a host-based firewall, for instance. All those things could be funneling information to aggregate for the overall CTI program, but we see there are still risks and exposures here related to things like optimizing the workflows, optimizing the filtering, trying to put in place processes and procedures so that events that haven't been seen before can quickly be characterized and integrated into the existing monitoring program and analysis program in order to optimize automation. The format of the information, of the data, should be standardized so that various vendors' products can all use the data interchangeably. This is accomplished by using things like XML formats, perhaps something like ... some of the other standards that are available from different vendors. All right, moving on to the last level, Level Four.
This is when the program is now considered stable. All of your roles and responsibilities are well defined; all the workflows are well understood. Ample documentation exists so that someone who is new to the team can sit down and hopefully understand, in a relatively short amount of time, what's expected of them in their role, how their role fits into the overall functioning of the team, and how the different members of the team work together, choosing which kinds of information need to be shared within the organization, or perhaps even with other organizations or within the threat intel community at large. There are obvious challenges in deciding which information can be shared. It needs to be properly sanitized, and there are some other common-sense considerations that would be appropriate here. But I hope you enjoyed the overview of the Threat Intelligence Maturity Program, or maturity model, I should say. As I mentioned earlier, several vendors have produced these kinds of models, so there's a lot of good information out there if you choose to dive a little deeper into this, and maybe you can even find some more detailed methodologies for going from one level to the next. All right, well, that's it for this module. We'll see you in the next one. Thank you.