paper and for companies that have dedicated cyber security resources. Here is where I dive into some tips for the Planning phase. And this post talks Collection. Today, we are going to go over the aspects associated with Processing and Exploitation.
Processing and Exploitation
The first thing that I have to note is that once you have selected all of you collection sources you have to make provisions to store that data. Take care in projecting how much physical storage needs to be available for your particular use case. In the planning phase, you should have decided how long you will need to store your data based on your requirements. As you are analyzing your collection sources you can begin estimating how much data is gathered over a set period of time. Be sure to account for periods where there may be a surge of traffic due to peaks in business. There are some robust storage platforms that are available that are open source reducing your costs to the required hardware if you design an on premises solution. You can also leverage the cloud to provide this service if their capabilities align with your requirements.
Before you can begin to analyze the data you are collecting it must be sorted. Your collection sources can be from a variety of technologies that do not have a uniform output. They can also provide redundant information or superfluous details that are not relevant to your objectives. To assist with sorting it would be helpful to have a framework that helps define where things should go and then allows you to prioritize where to spend your time. One example is the Cyberkill Chain I referenced previously. The kill chain is a graphic representation depicting that as you move to the right of the chain the more impactful the breach. Collection sources that indicated that someone is conducting recon on your network may be useful in an after action analysis but may be overwhelming for proactive defensive activities. Data collected that belongs in the Command and Control section of the kill chain is an indicator that you are under active attack and may require an all hands on deck incident response approach.
Software is going to be needed to facilitate the sorting. Thus begins the discussion of introducing a dedicated threat intelligence management platform (TIP/TIMP). A common question is: Can a SIEM serve as the threat intelligence platform? And my typical answer is: "It depends". For me, it's a nuanced conversation that can have several factors that influence my answer. Some SIEM solutions have TIMP functionality/plugins built into them. I plan to do a blog post dedicated to this conversation at a later time. But for now let's just speak of the TIMP conceptually in terms of functionality.
The TIMP platform allows for automation of the processing and exploitation phases of the threat intelligence lifecycle. The data from your collection phases is aggregated and categorized with the goal of enabling you to respond more quickly to threats. When deciding on your solution you must go back to your requirements. An example is if you plan on processing structured and unstructured data sources your TIMP solution options may change. This will drive the solutions that are available to you. Commercial TIMP platforms tend to be expensive. There are some open source solutions that are available but may need more investment in time/resources for implementation and maintenance.
Some Open source Platform Options:
Before you can begin to analyze the data you are collecting it must be sorted. Your collection sources can be from a variety of technologies that do not have a uniform output. They can also provide redundant information or superfluous details that are not relevant to your objectives. To assist with sorting it would be helpful to have a framework that helps define where things should go and then allows you to prioritize where to spend your time. One example is the Cyberkill Chain I referenced previously. The kill chain is a graphic representation depicting that as you move to the right of the chain the more impactful the breach. Collection sources that indicated that someone is conducting recon on your network may be useful in an after action analysis but may be overwhelming for proactive defensive activities. Data collected that belongs in the Command and Control section of the kill chain is an indicator that you are under active attack and may require an all hands on deck incident response approach.
Software is going to be needed to facilitate the sorting. Thus begins the discussion of introducing a dedicated threat intelligence management platform (TIP/TIMP). A common question is: Can a SIEM serve as the threat intelligence platform? And my typical answer is: "It depends". For me, it's a nuanced conversation that can have several factors that influence my answer. Some SIEM solutions have TIMP functionality/plugins built into them. I plan to do a blog post dedicated to this conversation at a later time. But for now let's just speak of the TIMP conceptually in terms of functionality.
The TIMP platform allows for automation of the processing and exploitation phases of the threat intelligence lifecycle. The data from your collection phases is aggregated and categorized with the goal of enabling you to respond more quickly to threats. When deciding on your solution you must go back to your requirements. An example is if you plan on processing structured and unstructured data sources your TIMP solution options may change. This will drive the solutions that are available to you. Commercial TIMP platforms tend to be expensive. There are some open source solutions that are available but may need more investment in time/resources for implementation and maintenance.
Some Open source Platform Options:
- MISP
- Alienvault OSSIM/OTX
- ThreatConnect Open
- YETI
- Threat_Note
A nice compiled list can be found here: https://github.com/hslatman/awesome-threat-intelligence
MISP Screenshot
I would recommend platforms that have a large community support that is active for those that have questions/issues. MISP and Alienvault are platforms that I personally have the most experience with and can easily grab plugins that may be needed for unique use cases. The platform should also be able to handle common threat intelligence sharing frameworks such as STIXX or TAXII. The decision you make for a TIMP should enable the analyst by providing actionable intelligence to produce knowledge designed to improve your ability to detect and respond to attacks.