There are commonly two types of threat intelligence programs: Early Stage programs focus primarily on Indicators of Compromise (IoC), which are the traditional tactical — and often reactive — indicators used in threat detection. In contrast, Mature Stage programs focus on behavioral indicators or Indicators of Attack (IoA), which are a more proactive way of determining the intent of the bad actors.
Once you’ve defined whether you have an early or mature stage threat intelligence program, you can make better decisions about securing the right tools for your program, helping ensure that you invest in the tools that will support your program rather than wasting money on a tool that looks sexy but doesn’t solve the problems you face in your stage. For example, an early stage program will detect cyber-threats using atomic indicators (e.g., IP addresses, file hashes, email addresses, URL addresses) in an automated manner. These indicators will come from threat intelligence sharing groups or OSINT (open source intelligence) and the data needs to be in a standardized format in order for the automation to be efficient. Which leads me to the second step.
The second step in the LEAD framework is focused on making your threat intelligence efficient. How do you do that? You score and categorize the data.
The LEAD framework uses a scoring matrix that includes five different properties to assist in determining the importance of each piece of data:
- Indicator Type — This is the information that tells you where the attack is coming from: IP address, domain name, file path, email address, URL, or file hash.
- Threat Intelligence (TI) Source or Feed — The reliability and accuracy of TI data is often related to the source of the threat, whether that’s OSINT, TI sharing groups, paid vendors, or internal threat intelligence.
- Threat Source (a.k.a., The Adversary) — Some threat actors and malware families target specific sectors and infrastructure, which makes them rate higher on the threat scale. These sources include script kiddies, scammers, hacktivists, organized crime, and nation-state sponsors.
- Threat Context — One of the most important factors influencing the score, threat context describes how the attack or threat is being carried out. For example, is it a malware threat, a MITRE ATT&CK technique, a SQL injection, or a stage of the cyber kill chain? Context is also commonly known as TTPs: tactics, techniques, and procedures.
- Data Retention — Is the threat intel data historical or new?
Here is an example of a basic threat profile:
Indicator: 1.1.1.1
Indicator Type: IP Address
Threat Intelligence Source: OSINT (Open source intelligence)
Threat Context: Targets MacOS, targets only EU companies, communicates over port 80, used only for exfiltrating data (Cyber Kill Chain Phase: Exfiltration)
Data Retention: Last used two months ago
We then use this information to assign a positive or negative score to each property based on the overall threat profile. So, for the above example, the threat score might look like this:
Indicator Type:
- IP +1
- Domain +2
- File Hash +2
- Credit card data +3
- Email +3

TI Data Source:
- OSINT +1
- TI sharing +1
- Paid feed +2
- Internal TI +3

Threat Attribution:
- Organized crime +3
- Scammers +2

Context:
- Infection Vector — Phishing +2
- Targeted Sector — E-commerce +4
- Targeted Region — Europe +4
- Targeted OS — Windows +2

Data Retention:
- Indicators last seen < 3 months +2
- Indicators last seen > 3 months -2
Once scored, each threat is then categorized by use case and stakeholder. This helps determine the threat level and whether the threat is currently active, expired, or has previously resulted in a false positive. In this example, incoming IP traffic from OSINT that is older than three months will have a lower score than a threat to credit card information from e-commerce companies that you found out about from a paid TI source.
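To make the scoring concrete, here is an added example (not code from the post or from the LEAD framework itself) that transcribes the matrix above into a lookup table, scores the basic threat profile, and then compares the two cases described in the previous paragraph. It assumes that a property value not listed in the matrix (for example "Targeted OS: MacOS") contributes 0, and that "three months" means 90 days; both are assumptions, not something the post states.

```python
# Scoring matrix transcribed from the post. Keys are normalised to lowercase.
# Values absent from the matrix (e.g. "macos") score 0 -- an assumption.
SCORING_MATRIX = {
    "indicator_type": {"ip": 1, "domain": 2, "file_hash": 2,
                       "credit_card": 3, "email": 3},
    "ti_source": {"osint": 1, "ti_sharing": 1, "paid_feed": 2, "internal_ti": 3},
    "threat_attribution": {"organized_crime": 3, "scammers": 2},
    "infection_vector": {"phishing": 2},
    "targeted_sector": {"e-commerce": 4},
    "targeted_region": {"europe": 4},
    "targeted_os": {"windows": 2},
}

THREE_MONTHS_DAYS = 90  # assumed cut-off for "last seen < 3 months"


def retention_score(days_since_last_seen):
    """Data Retention: recent indicators score +2, stale ones -2."""
    return 2 if days_since_last_seen < THREE_MONTHS_DAYS else -2


def score_profile(profile):
    """Sum the matrix score for each property of a threat profile.

    profile maps a property name to its value; the special key
    'last_seen_days' (int) drives the Data Retention score.
    Returns (total, per-property breakdown) so analysts can see *why*
    an indicator ranked where it did.
    """
    breakdown = {}
    for prop, value in profile.items():
        if prop == "last_seen_days":
            breakdown["data_retention"] = retention_score(value)
        else:
            breakdown[prop] = SCORING_MATRIX.get(prop, {}).get(str(value).lower(), 0)
    return sum(breakdown.values()), breakdown


# Constructed from the post's basic threat profile (1.1.1.1, OSINT, EU, MacOS, seen 2 months ago)
EXAMPLE_PROFILE = {"indicator_type": "ip", "ti_source": "osint",
                   "targeted_region": "europe", "targeted_os": "macos",
                   "last_seen_days": 60}
# The two cases compared at the end of the post (constructed inputs)
STALE_OSINT_IP = {"indicator_type": "ip", "ti_source": "osint", "last_seen_days": 120}
CARD_THREAT_PAID = {"indicator_type": "credit_card", "ti_source": "paid_feed",
                    "targeted_sector": "e-commerce"}

if __name__ == "__main__":
    for name, prof in [("example", EXAMPLE_PROFILE), ("stale OSINT IP", STALE_OSINT_IP),
                       ("card threat, paid feed", CARD_THREAT_PAID)]:
        total, parts = score_profile(prof)
        print(f"{name}: {total} {parts}")
```

The breakdown dict is what you would attach to the indicator when handing it to a stakeholder, since a bare total hides whether the score came from the source's reliability or from the targeting context.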