Introduction

Mission Statement

To define Cyber Threat Intelligence (CTI) and its common applications, with a view to agreeing best practice in the context of supporting effective digital forensics and incident response (DFIR) operations.

Goals

The term “Threat Intelligence” or “Cyber Threat Intelligence” has been used in the context of information security since 2010. In practice the term covers a very broad, and sometimes conflicting, range of capabilities. When organizations implement these capabilities, the return on investment varies widely, due in part to the lack of a common definition. In some respects, threat intelligence is simply a perspective on the overall incident response process. However, there are new technologies, sources of data, practices and techniques that provide tangible benefits to an organization.

There is an opportunity to define threat intelligence more precisely so that incident responders gain maximum value from investments in this area. The proposal for this Special Interest Group is to discuss and agree that definition.

Whilst some of what is being done is a continuation of existing capability, there are novel techniques that offer significant enhancements to the incident response process. The aim of this SIG is to collaboratively explore how IR teams can effectively and consistently utilise threat intelligence to enhance their response and detection programmes and to aid tactical decision making during cyber incidents.

Deliverables

The objective of this group is to deliver a series of outputs that may be shared amongst community members for the common benefit. At the formation of the SIG the suggested outputs and deliverables include:

  1. Workshop on Threat Intelligence - collating a common FIRST view of threat intelligence
  2. Briefing Paper - Using Threat Intelligence to Support Incident Response
  3. Creation of a FIRST-wide common body of knowledge (CBK) on Threat Intelligence
    1. Definitions of commonly used terms and terminology
    2. Collated list of open source threat intelligence tools that can be used by threat intelligence teams
    3. Collated list of cyber threat intelligence feeds and sources
    4. Description of methods, models and techniques
  4. Training modules, in view of the severe lack of training in this area at present
  5. Stock slide deck for FIRST members to present the topic of threat intelligence to their executive management

Collaboration with other SIGS

Given that cyber threat intelligence is such a large topic area, some degree of overlap with other SIGs currently in place under FIRST is expected. We believe that this SIG should collaborate with those SIGs to support and enhance the overall work of the FIRST community. Specifically, the following SIGs offer opportunities for collaboration.

Big Data SIG

The Cyber Threat Intelligence SIG proposes to share data sources and large-scale collection schemes with this SIG for the purposes of collaboration.

Ethics SIG

Ethics plays a critical role in cyber threat intelligence: some collection techniques take organisations close to the line, both legally and ethically. It is important that teams consider not only the legal implications of an operation but also the ethics that sit behind intelligence operations. Acting as an agent provocateur, directed surveillance, handling of stolen data and victim handling all require careful consideration.

Information Exchange Policy SIG (IEP-SIG)/ Information Sharing SIG

Collaboration and effective sharing are essential to effective intelligence. Where intelligence groups can join forces and collaborate, it can make an enormous difference. We propose that this SIG draw upon and build upon the proposals of the Information Exchange Policy SIG.

Malware Analysis

Programmes such as CIRCL.lu’s MISP project, and the discussion of indicators gathered from active malware samples, provide new opportunities in threat intelligence. The Malware Analysis SIG hosts a rich discussion of technical indicators. This can benefit from threat intelligence by combining those observations with adversary tactics and capabilities and fusing them with sources beyond malware alone. The Threat Intelligence SIG would look to contribute to the work of the Malware Analysis SIG by suggesting techniques and opportunities to ‘fuse’ this rich data with other data sources to gain a more complete picture of emerging threats.

Passive DNS Exchange

The outputs of the Passive DNS SIG provide a valuable source of intelligence, one that has become even more relevant since EU privacy legislation (GDPR) reduced the registrant data available through the WHOIS system. There is an opportunity for the Threat Intelligence SIG to contribute requirements to the group forming these standards.

Red Team SIG

Threat intelligence has been used to help red teams demonstrate that their simulated attacks are based on real, in-the-wild, observed attack techniques. Programmes such as TIBER-EU (European Central Bank) support red teaming exercises by providing businesses with evidence that the techniques used by red teams are observed in real-world attacks. This helps red teams take the conversation to business stakeholders and helps those stakeholders understand the value of red teaming.

Traffic Light Protocol (TLP-SIG)

TLP is an essential component of collaboration in threat intelligence. The Threat Intelligence SIG would seek to reinforce the work of the TLP SIG and use TLP as the standard marking in all its communications.

Vulnerability Coordination

Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)

The measurement and prioritisation of vulnerabilities is a natural area for threat intelligence to support. For example, intelligence activities often invest time in looking for proof-of-concept code, or in monitoring discussion in both researcher and criminal communities, to bring context to the discussion of specific vulnerabilities.