How to Roll Your Own Threat Intelligence Team

A lot of hard work needs to go into effectively implementing an intelligence-driven security model. It starts with five critical factors.

Adam Meyers, Senior Vice President of Counter Adversary Operations, CrowdStrike

July 29, 2016

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Many organizations want to build a threat intelligence team but don’t really know where to start, let alone answer the question, what exactly is threat intelligence? The definition has been clouded by the industry over the last several years, even as vendors rush to build "intelligence"-based solutions. Without getting bogged down in the argument over what is -- and is not -- threat intelligence, let's discuss how an organization can build a team to effectively use intelligence to drive enterprise security. Here are five critical factors:

Factor 1: Establish an intelligence priorities framework. To effectively use intelligence, the organization must first establish and prioritize information they will need. This can be accomplished by identifying intelligence gaps that exist, formulating requirements from the intelligence gaps, then organizing the requirements into categories that align with the organization.

For example, in a priority intelligence requirements (PIR) document, "P1" might map to what adversaries target my organization, underneath this, another requirement might be what nation-state adversaries target my organization. This might be expressed as "P1.a." This structure allows the organization to maintain a centralized list of all intelligence requirements available for review on a regular basis.

Factor 2: Incorporate and consolidate intelligence sources. There are a wealth of different sources:

  • Technical sources include the SIEM, IDS, firewall, next-generation endpoint security platforms, and logs from any number of devices

  • Open Sources such as published vendor reports, any number of free feeds of indicators, vendor vulnerability lists (Microsoft, Apple, Adobe, etc), and media sources

  • Closed Sources may include community mailing lists, or organizations such as ISACs

  • Paid Intelligence Feeds

Factor 3: Map Your Intelligence Collection. As new intelligence is collected from these sources, align them with the intelligence priorities defined in factor 1. For example, public reports indicators associated with a known threat actor, might align to an intelligence requirement around targeted attacks. Memorialize that intelligence via an internal system: an email with the source, date, priority it maps to, the collected intelligence, and some analysis. Store the collected intelligence in a searchable repository. If possible, operationalize it by feeding into technical sensors then take the actionable information and apply to SIEM, create firewall block or logging event, create an IDS rule, or block the hash in the endpoint prevention system.

Factor 4: Find the best talent. Employing intelligence analysts who can review inbound intelligence and produce analysis germane to the organization is key. As new intelligence is collected, someone needs to assess if it is significant to the organization, explain how it is significant, decide who it is significant for, and produce cogent analysis around scenarios in which it might be significant.

Entire libraries can be filled with books on proper analytic tradecraft, but training a SOC analyst to perform intelligence analysis can be very costly and time-consuming. Many technical experts operate in a binary world; something is either black or it is white. Intelligence analysts live in a grey world: they consider a myriad of states and can make assessments around the likelihood that something might happen, or cause a situation to change. These analysts will employ concepts like alternative competing hypotheses (ACH) to handle multiple possibilities or outcomes.

Factor 5: Tailor The Finished Products To The Audience. Disseminating intelligence is a critical function of the intelligence team. Weekly or even daily products that convey the intelligence analyzed and collected over a discrete period of time allow the intelligence team to keep their internal customers abreast of the various things that are going on. Intelligence products should be tailored to the audience and contain information to help them be more effective. For example, a product for the executive suite covering the attacks observed, upcoming events that may impact enterprise security, the latest relevant news pertaining to enterprise security, and intelligence assessments about things that may happen will go a long way in shaping an organization so that it is more proactive to threats.

Related Content:

 

About the Author

Adam Meyers

Senior Vice President of Counter Adversary Operations, CrowdStrike

As CrowdStrike's senior vice president of counter adversary operations, Adam Meyers leads the Threat Intelligence line of business for the company. Meyers directs a geographically dispersed team of cyber threat experts tracking criminal, state-sponsored, and nationalist cyber adversary groups around the globe and producing actionable intelligence to protect customers. He oversees the development and deployment of AI, machine learning, reverse engineering, natural language processing, and other technologies to detect suspicious and malicious cyber behavior and stop increasingly sophisticated adversaries. Meyers’ work in combining human intelligence and intelligence derived from technology continues to transform cybersecurity. 

Meyers works closely with other departments within CrowdStrike to ensure the smooth and speedy integration of intelligence into CrowdStrike’s entire lineup of products and services. His team brings unprecedented insights into the activities of cyber threat actors, providing strategic and technical guidance to Fortune 100 businesses, major financial institutions, key government agencies, and other CrowdStrike customers. 

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights