Building and Evaluating a Threat Intelligence Program (Part 1)

In the previous post, we discussed the basics of Threat Intelligence and its types by throwing light on the concept of knowns and unknowns. In information security, any information which can aid the internal security team in the decision-making process and reduce the recovery time accordingly is considered as threat intelligence. This first part in this series of articles will discuss threat intelligence cycle and its importance.

Without any doubt, an effective threat intelligence program will focus on a number of important areas. If the functions involved in a threat intelligence program are broken down and specified, the program will be more scalable as the extent and role of each function will be properly defined. Further, the organization can hire personnel with proven expertise in those functions so that the program is not prone to any major foreseeable weaknesses.

The Threat Intelligence Cycle

Before going on to discuss building and evaluating a threat intelligence program, we need to discuss the intelligence cycle in the context of threat intelligence. The below-given representation of this cycle was given by the Commission on the Roles and Capabilities of the United States Intelligence Community in 1996. This commission was chartered by the US Congress after the end of the Cold War in October 1994.[1]

Threat Intelligence Life Cycle
Threat Intelligence Life Cycle

Requirements

Properly defining requirements in any business plan can lead to unexpected success while overlooking the requirement part results in many complications as well as financial or reputational loss. In this phase, the decision-makers should focus on activities on the identification of expectations from the threat intelligence program and its desired outcomes from the management perspective. At times, the requirements can be more demanding in a challenging business environment, but the management should ensure that they and the internal security team are on the same page.

Collection

While making decisions, having large sources of information proves to be beneficial as it gives credibility and a feeling of confidence to the internal security team about their actions. Information for a threat intelligence program can come from a variety of sources such as threat intelligence feeds, white papers & research papers, publicly available resources, blog posts, news articles, forums, or human resources. Out of these sources, feeds and human resources are heavily relied on during the decision making. Threat intelligence feeds can be either paid or open source. We will thoroughly discuss them in the upcoming posts.

Analysis

This phase involves converting the information coming from the sources in the previous phase into actionable outcomes. At times, analysis can be as simple as parsing a feed directly into a firewall while it can be as difficult as extracting relevant information from a research study and implement it by considering the organization’s perspective. One of the major responsibilities of an analyst in this phase is to deduce intelligence from the incoming intelligence.

It is possible that this phase might overlap with the collection phase. An interplay between these phases can happen in a scenario when an analyst concludes that the information collected is not sufficient or there is some error.

Production

After the analysis phase is completed, it is time for implementing the derived intelligence. The result is then shared with the stakeholders such as the users, the employees, the management, etc. The result thus shared may vary depending upon the technical understanding of a user. For example, a thorough explanation can be shared with the technical team while a 3-line brief of the issue may be sufficient for the management.

Evaluation

Along with the requirements phase, this is another essential phase which is often ignored. When a business invests in a threat intelligence plan, there must be an evaluation to determine the practical feasibility of the said plan for the business. If the requirements are met, then additional activities can be carried out by the internal team but if the requirements are not met, there must be some fault in the implementation of the threat intelligence plan. The fault can be easily traced by going through the activities undertaken in each phase.

Ending Notes

In the same year as the previously mentioned Commission’s report, the United States Senates Select Committee published a functional flow for intelligence management which holds true for a scalable threat intelligence program.[2] This functional flow has been represented in the image given below. In the personal view of the author, a business shall first start with the basic model prescribed above and if it is able to successfully implement it, it shall move onto the below-given functional flow.

Modified Threat Intelligence Functional Flow
Modified Threat Intelligence Functional Flow

In the upcoming articles, we will continue our discussion from here by elaborating on the essential components of building a threat intelligence program.


[1] https://lawfare.s3-us-west-2.amazonaws.com/staging/s3fs-public/uploads/2011/08/Aspin-Brown-Report-on-the-Intelligence-Community-1996.pdf

[2] https://www.gpo.gov/fdsys/pkg/GPO-IC21/html/figure1a.gif

One thought on “Building and Evaluating a Threat Intelligence Program (Part 1)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s