Tag Archives: Threat Intelligence

Using FAIR with CTI – The Intelligence Models/Processes

This post is part of the FAIR and CTI related blog posts; an event back in January made me want to add this to the mix.

I was interviewing for a Cyber Threat Intelligence Manager position, and part of the interview process was to talk to the person doing intelligence for the Physical Threat Intelligence space. During the interview, I asked which Intelligence models they used in case I had to brush up on one or learn something new. Part of the role was sharing data between the two intelligence groups. Even though the interviewer previously worked in Military Intelligence, they said they didn’t know what I was talking about.

That gave me pause because I went to a DoD-backed program in Undergrad, and we learned multiple Intelligence Processes/Models. I covered them in most of my Threat Intelligence presentations and when I was teaching at the same DoD-backed program after I got my master’s degrees. Even after walking through the three I knew best, the person I was talking to didn’t know what I was talking about.

So, as I said, I thought I’d go through them here, for people who haven’t been exposed to them yet. I’ve always figured people reading my blog would be familiar with at least a couple of the models.


Using FAIR with CTI (Intro)

As I mentioned in the past, I taught a Graduate level Risk Management and Incident response course. In my first term, I was literally hired three days before the term started. The grad class was new, with no framework or anything else to build off of, and I had to build it on the fly.

So, I went with what I learned in grad school elsewhere, which was the NIST documentation. During my first term teaching the class, I kept telling myself there must be something better. NIST SP 800-53 and the related documents have been around for a while, yet we still see breaches. It builds a framework around an organization, but something is missing. With the frameworks in place, breaches still happen, and they are missing ways to help prioritize objectives.

Driving home after teaching class one night, I heard an interview with Jack Jones talking about Factor Analysis in Information Risk (FAIR). It made sense, and FAIR can tie actual monetary loss to things. So, I got a copy of the book but didn’t change the class in the middle of the term; I just waited for the next term the class was offered (it was only offered once a year).

When going through “Measuring and Managing Information Risk: A FAIR approach” by Jack Freund and Jack Jones, the book mentioned Threat intelligence several times, asking the Threat Intelligence experts, working with threat intelligence vendors, etc. And that part spoke to me too. Using the FAIR framework creates better planning/requirements and direction steps to speak to the threats a company faces.

In FAIR, threats don’t mean all the uses that we have in IT/Cyber Security, which boils down to speaking to an adverse event or action when something is exploited or compromised. In FAIR, a Threat is someone or something that can take independent action against an asset in a way that changes value. That made sense, too; it gave better, tighter definitions to work with.

As I read and thought more about FAIR, cybersecurity, and Threat Intelligence, I realized that Risk and Incident Response are two sides of the same coin. More or less. The Risk Management side is the expected annualized loss based on things happening. The Incident Response side is how an organization responds to materialized risk, or what the company does when the risk actually happens. And I thought about how Threat Intelligence plays into both Risk and Incident Response.

And while staring at the FAIR Framework, I came up with the below image. It is a modified version of the framework applied to areas of influence I see belonging in whole or in part to Threat Intelligence / Cyber Threat Intelligence showing the highlighted sections:

I’ll walk through the different parts and how I see Threat Intelligence’s role in each in future posts. They’re probably going to be mixed in with other things, but I’ll have a link page like I did the Building an OSINT box series that links to each part in order.

Intelligence – Garbage In, Gospel Out

I don’t remember which podcast or who said it, but “Garbage In Gospel Out” is so true. Especially when talking about Cyber Threat Intelligence. I talked a little about this before, both in conference talks and in Validate Data Before Sharing.

But here it is, three years later, and the problem remains. I’m willing to say it is getting worse. We’re not running full life cycles, either Intelligence or Incident Response. We get to the collection phase and call it done. NixIntel has a good post on that at their blog.


Validate data, before sharing.

I’m going to have to add a couple more slides to my Threat Intelligence: From Zero to Basics deck. But I told GrrCON that I would have an updated deck from Circle City Con anyway.

Over the last two weeks I’ve seen some stuff shared publicly in Threat Intelligence Platforms that really shouldn’t have been. The data wasn’t valid at the time of sharing.


Read “Effective Threat Intelligence: Building and running an intel team for your organization”.

Recently I read the Kindle version of “Effective Threat Intelligence: Building and running an intel team for your organization” by James Dietle. I found out after the fact there was a paperback version of it, and even gave one copy away as a Christmas present.

Anyway, this is the book I wish I had in January of 2016, when I moved from Incident Response / Event Analysis to Threat Intelligence. It’s a good primer on the subject. While it’s not completely new material, it’s the basics in one place. When I started doing TI, I had to learn from the ground up, and things were scattered. Some was easy, other parts were more advanced, and nothing made a good how-to. Especially when I wanted to start showing value from the word go.

I think that if I had had this book and read it when I was starting, it would have been very beneficial. While it’s not as in depth as SANS FOR578, I do think that it would make a good primer for anyone in IR going to SANS for Cyber Threat Intelligence.

You can’t buy threat intelligence, or yet another “article” on Data vs Information Vs Intelligence.

The background:
This is a blog post I’ve been meaning to write for a few months now. It’s based in part on a Twitter conversation that carried over into a phone call. It is also something I’ve personally observed, a trap I fell into, and heard other Threat Intelligence people say they observed. And while reading Cyint’s favorite tweets of 2016, I finally decided to sit down and write.

In the tweet list was a tweet from Alex Pinto asking ‘how many more #ThreatIntel articles do we need about the difference between “data”, “information” and “intelligence”?’

So my answer is: as many as it takes to break out of our own echo chamber / choir and figure out how to talk to our Cybersecurity peers and the stakeholders, so everyone is able to understand what is being bought. So here is yet another article talking about Intelligence vs Data Feeds being sold as Intelligence.

The Problem:
Companies are selling data feeds while calling it intelligence.


SANS Forensics 578

Work recently sent me to SANS Forensics 578, Cyber Threat Intelligence. This was my first SANS class ever, and it was pretty good. The instance of the class I was sent to was presented by Jake Williams and Rebekah Brown. I think having both of them teach the class was great, because it gave more from the trenches view than having just one of them as an instructor.
