“The Security Intelligence Handbook” Notes
The Security Intelligence Handbook: How to Disrupt Adversaries and Reduce Risk With Security Intelligence, Third Edition by Recorded Future is an excellent, comprehensive overview of cyber threat intelligence (CTI) from a leader in that space. It’s accessible to both technical and non-technical readers.
You can download the ebook for free (some personal info required).
My notes follow.
Principles of effective security intelligence
- Focus on disrupting the adversaries most likely to target you, and make their lives as challenging as possible using security intel.
- Security intel must provide the timely, clear, actionable context required to make fast, informed decisions and take effective action. Intel must get everyone in the organization on the same page.
- People and machines work better together. Machines are better at processing and categorizing raw data. Humans are better at intuitive, big-picture analysis.
- Security intel isn’t a separate domain of security; it’s the context required by every security role.
Term “threat intelligence” is usually associated with info about threats to traditional IT systems. Term “security intelligence” is broader, including third-party risk, brand protection, geopolitical risk, etc. in addition to threat intel.
What Is Security Intelligence?
Data, information, intelligence
- “Data” is discrete facts and stats gathered for analysis (e.g., IP addresses, URLs, hashes).
- “Information” is multiple data points combined to answer specific questions (e.g., the answer to “How many times has my organization been mentioned on social media this month?”).
- “Intelligence” is the result of analyzing data and info to uncover patterns and provide context for decision-making. It must point toward specific decisions or actions, and be tailored for easy use by the specific person, group, or system that will use it to decide or act.
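The data, information, intelligence distinction is easier to see on concrete input. The following Python is an added example (not from the handbook or Recorded Future): it walks a few constructed firewall log lines through the three levels, where the log lines, the “threat feed” entries and its campaign names are all made up for the example (IPs are RFC 5737 documentation addresses), and the prioritization rules are this example’s own assumptions.

```python
"""Data -> information -> intelligence over constructed firewall logs.

Added example. The log lines, THREAT_FEED contents and campaign name are
constructed for illustration; the IPs are RFC 5737 documentation ranges.
"""
from collections import Counter
import re

# Data: discrete facts (one outbound connection per line). Constructed sample.
FIREWALL_LOG = """\
2024-03-01T08:00:01Z host=ws-017 dst=203.0.113.5 dport=443 action=allow
2024-03-01T08:10:02Z host=ws-017 dst=203.0.113.5 dport=443 action=allow
2024-03-01T08:20:00Z host=ws-017 dst=203.0.113.5 dport=443 action=allow
2024-03-01T08:21:13Z host=ws-042 dst=198.51.100.20 dport=80 action=allow
2024-03-01T09:00:04Z host=ws-017 dst=203.0.113.5 dport=443 action=allow
2024-03-01T09:03:40Z host=srv-db1 dst=192.0.2.77 dport=22 action=deny
"""

# Constructed intel feed: an indicator plus the context that makes it usable.
THREAT_FEED = {
    "203.0.113.5": {"role": "C2 server", "campaign": "constructed-campaign-A",
                    "targets_sector": "finance", "confidence": "high"},
    "192.0.2.77": {"role": "scanner", "campaign": None,
                   "targets_sector": None, "confidence": "low"},
}

LINE_RE = re.compile(r"host=(?P<host>\S+) dst=(?P<dst>\S+) .*action=(?P<action>\w+)")


def parse_data(log_text):
    """Data level: extract (host, dst, action) facts from each log line."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append(m.groupdict())
    return rows


def build_information(rows, feed):
    """Information level: answer one question, "how many allowed connections
    did each host make to a feed-listed IP?" Returns {(host, dst): count}."""
    counts = Counter()
    for r in rows:
        if r["action"] == "allow" and r["dst"] in feed:
            counts[(r["host"], r["dst"])] += 1
    return dict(counts)


def produce_intelligence(info, feed, our_sector):
    """Intelligence level: attach context and a specific recommended action.

    The priority rules below are this example's own assumptions: a high-
    confidence C2 indicator is P1 when the campaign targets our sector and
    P2 otherwise; anything else is P4 (monitor only).
    """
    findings = []
    for (host, dst), n in sorted(info.items(), key=lambda kv: -kv[1]):
        ctx = feed[dst]
        relevant = ctx["targets_sector"] == our_sector
        if ctx["role"] == "C2 server" and ctx["confidence"] == "high":
            action = "isolate host and open an incident"
            priority = "P1" if relevant else "P2"
        else:
            action = "monitor; no immediate action"
            priority = "P4"
        findings.append({"host": host, "indicator": dst, "connections": n,
                         "context": ctx, "priority": priority, "action": action})
    return findings


if __name__ == "__main__":
    rows = parse_data(FIREWALL_LOG)
    info = build_information(rows, THREAT_FEED)
    for f in produce_intelligence(info, THREAT_FEED, our_sector="finance"):
        print(f["priority"], f["host"], f["indicator"], f["action"])
```

Note that the denied connection to the low-confidence scanner never reaches the intelligence stage: the information step already filtered it out, which is the point of tailoring output to what the consumer will act on.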
Characteristics of successful security intel processes
- Collaborative process and framework (sharing across departments)
- 360-degree visibility (scanning wide variety and quantity of sources)
- Extensive automation and integration (reduce manual effort; integrate with various security solutions)
- Alignment with organization and security use cases (collect and process only info that’s relevant to organization’s priorities; make intel easy to use)
Types and Sources
Operational (technical) intel
- Knowledge about active attacks, events, campaigns
- Used by defenders
- Usually sourced from machines
Strategic intel
- Broad overview of organization’s entire threat landscape
- Business-oriented content for decision-making executives
- Presented through reports or briefings
- Must be created by humans
- Sources: policy documents, news, white papers, research reports
The Security Intelligence Lifecycle
- Direction: set goals for security intel program
- Collection: gather info to address most important intel requirements
- Processing: transform collected info into usable format
- Analysis: turn info into intel to inform decisions
- Dissemination: get finished intel output to places it’s needed
- Feedback: understand requirements and priorities of consumers of intel, adjust your process accordingly
SecOps Intelligence Part 1 — Triage
Organizations can only investigate 48% of security alerts they receive, and of those investigated, only 26% are legitimate.
Most zero days are just variations on a theme, exploiting old vulnerabilities in slightly different ways. So rather than focusing on zero days, identify and patch vulnerabilities in software your organization uses.
If a vulnerability isn’t exploited within 2 weeks to 3 months after it’s announced, it’s unlikely that it will ever be exploited. So it’s not a priority to patch old vulnerabilities.
Your goal should not be to patch the most vulnerabilities, or even the most zero-day threats, but rather to identify and address the vulnerabilities most likely to be exploited against your organization.
The value of vulnerability databases is limited by their focus on technical exploitability rather than active exploitation, and by the fact that they’re updated too slowly to warn against rapidly spreading threats.
By cross-referencing info from multiple sources, you can focus on vulnerabilities that present the greatest actual risk, rather than racing to patch everything.
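The “cross-reference multiple sources” idea from this section can be turned into a small ranking routine. The Python below is an added example, not the handbook’s or Recorded Future’s method: it combines three constructed sources (a vulnerability-database extract, an active-exploitation feed, and an asset inventory) and ranks findings by the risk they pose to this organization rather than by CVSS alone. The CVE-style identifiers are placeholders (year 0000), the product names and counts are made up, and the weights and the 90-day exploitation window are this example’s assumptions, loosely following the 2-weeks-to-3-months observation above.

```python
"""Risk-based vulnerability prioritization from cross-referenced sources.

Added example. VULN_DB, EXPLOITED_IN_WILD and INVENTORY are constructed; the
identifiers are placeholders, not real CVEs; weights are this example's own.
"""
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str                    # placeholder identifier, not a real CVE
    cvss: float                 # technical severity from a vulnerability database
    days_since_disclosure: int
    affected_product: str


# Source 1: constructed vulnerability-database entries.
VULN_DB = [
    Vuln("CVE-0000-0001", 9.8, 400, "legacy-ftpd"),   # old, critical, never exploited
    Vuln("CVE-0000-0002", 7.5, 10, "web-proxy"),      # new, being exploited
    Vuln("CVE-0000-0003", 5.3, 30, "web-proxy"),      # new, no exploitation seen
    Vuln("CVE-0000-0004", 9.1, 20, "cad-suite"),      # exploited, but not deployed here
]

# Source 2: constructed active-exploitation feed (ids seen exploited in the wild).
EXPLOITED_IN_WILD = {"CVE-0000-0002", "CVE-0000-0004"}

# Source 3: constructed asset inventory: product -> where it runs in our estate.
INVENTORY = {
    "legacy-ftpd": {"hosts": 2, "internet_facing": False},
    "web-proxy": {"hosts": 12, "internet_facing": True},
}

# Assumption for this example: if no exploitation has appeared within this
# window, the vulnerability is unlikely to be exploited later (see notes above).
EXPLOIT_WINDOW_DAYS = 90


def risk_score(v, exploited=EXPLOITED_IN_WILD, inventory=INVENTORY):
    """Score one vulnerability for *this* organization (higher = act sooner)."""
    asset = inventory.get(v.affected_product)
    if not asset:
        return 0.0                 # not deployed here: no risk to us, whatever CVSS says
    score = v.cvss
    if v.cve in exploited:
        score += 10.0              # observed exploitation dominates technical severity
    elif v.days_since_disclosure > EXPLOIT_WINDOW_DAYS:
        score *= 0.25              # past the usual exploitation window, unexploited
    if asset["internet_facing"]:
        score *= 1.5               # reachable by the adversaries most likely to target us
    return round(score, 2)


def prioritize(vulns=VULN_DB, exploited=EXPLOITED_IN_WILD, inventory=INVENTORY):
    """Return [(cve, score)] sorted from most to least urgent."""
    scored = [(v.cve, risk_score(v, exploited, inventory)) for v in vulns]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for cve, score in prioritize():
        print(f"{cve}  risk={score}")
```

With these inputs the CVSS 5.3 issue on the internet-facing proxy outranks the CVSS 9.8 issue on the old internal FTP daemon, and the exploited-in-the-wild CAD vulnerability drops to zero because the product is not in the inventory, which is the “most likely to be exploited against your organization” ordering the section argues for.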
Analytical Frameworks for Security Intelligence
Cyber Kill Chain
- Describes 7 stages of attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives (exfiltration).
- Doesn’t account for many modern attacks (e.g., phishing skips exploitation phase).
Diamond Model
- Used to track attack groups over time, not progress of individual attacks.
- The diamond for an attacker isn’t static; it evolves as attacker adjusts TTPs and changes infrastructure and targets.
- Tracks adversary (attacker), capability, infrastructure (used by attacker), victim. Can also track phase, result, direction, methodology, resources.
- Diamonds require a lot of maintenance, as aspects can change rapidly.
STIX, TAXII, and CybOX
- Trusted Automated Exchange of Intelligence Information (TAXII): transport protocol that enables organizations to share intel and use API commands to extract intel.
- Structured Threat Information eXpression (STIX): standard format for presenting intel.
- Cyber Observable eXpression (CybOX): method for tracking observables from cybersecurity incidents.
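To make the STIX bullet concrete, here is an added Python example (standard library only, not the handbook’s code and not the official stix2 package) that builds a minimal STIX 2.1 indicator bundle of the kind a TAXII server would carry, and a small consumer that validates required indicator fields and pulls the observable values out of the STIX patterns for loading into a blocklist. The indicator values are constructed: RFC 5737 documentation addresses and an all-zero placeholder SHA-256. The pattern extractor only handles simple equality comparisons, which is enough for the IP and hash indicators shown; a full STIX pattern parser is out of scope here.

```python
"""Producing and consuming STIX 2.1 indicators with the standard library.

Added example; not the handbook's code and not the stix2 library. Indicator
values below are constructed (documentation IPs, all-zero placeholder hash).
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Properties STIX 2.1 requires on every indicator object.
REQUIRED_INDICATOR_FIELDS = {"type", "spec_version", "id", "created", "modified",
                             "pattern", "pattern_type", "valid_from"}


def _stix_timestamp():
    # STIX timestamps are RFC 3339 UTC, millisecond precision, trailing "Z".
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(name, pattern, confidence=None):
    """Build a STIX 2.1 indicator object (pattern_type 'stix')."""
    ts = _stix_timestamp()
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",   # STIX ids are type--UUID
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }
    if confidence is not None:
        obj["confidence"] = confidence          # 0..100 in STIX 2.1
    return obj


def make_bundle(objects):
    """Wrap objects in a STIX bundle (bundles carry no spec_version in 2.1)."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def serialize(bundle):
    return json.dumps(bundle, indent=2)


# Consumer side. Matches one comparison such as  ipv4-addr:value = '203.0.113.5'
# or  file:hashes.'SHA-256' = '...'  inside a STIX pattern.
COMPARISON_RE = re.compile(r"(?P<path>[A-Za-z0-9-]+:[^\s=!<>]+)\s*=\s*'(?P<value>[^']*)'")


def missing_fields(indicator):
    """Return the required indicator properties this object lacks, sorted."""
    return sorted(REQUIRED_INDICATOR_FIELDS - set(indicator))


def extract_observables(bundle):
    """Return {object_path: [values]} from equality comparisons in each
    STIX-pattern indicator; raises ValueError on a malformed indicator."""
    found = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        missing = missing_fields(obj)
        if missing:
            raise ValueError(f"{obj.get('id')} missing required fields {missing}")
        if obj["pattern_type"] != "stix":
            continue        # snort/yara/sigma patterns need their own consumers
        for m in COMPARISON_RE.finditer(obj["pattern"]):
            found.setdefault(m["path"], []).append(m["value"])
    return found


def build_sample_bundle():
    """Two constructed indicators, the second using an OR of two comparisons."""
    c2 = make_indicator("constructed C2 address",
                        "[ipv4-addr:value = '203.0.113.5']", confidence=80)
    dropper = make_indicator(
        "constructed dropper",
        "[file:hashes.'SHA-256' = '" + "0" * 64 + "'] OR "
        "[ipv4-addr:value = '198.51.100.20']")
    return make_bundle([c2, dropper])


if __name__ == "__main__":
    bundle = json.loads(serialize(build_sample_bundle()))   # round-trip as a TAXII client would
    print(extract_observables(bundle))
```

The validation step matters on the consumer side: intel arriving over TAXII comes from outside your control, so a feed entry missing `valid_from` or carrying an unexpected `pattern_type` should be rejected or routed elsewhere rather than silently loaded into a blocklist.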
MITRE ATT&CK
- Describes indicators and tactics associated with specific adversaries.
- 12 tactic categories: initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, impact.
Developing Your Core Security Intelligence Team
Security intel team skills
- Correlating external data with internal telemetry
- Reverse-engineering malware and reconstructing attacks (forensics)
- Providing threat situational awareness and recommendations for security controls
- Proactively hunting internal threats
- Educating employees and customers about cyber threats
- Engaging with wider security intelligence community
- Identifying and managing information sources