FireEye Stories

Understanding Role Based Intelligence

Intelligence is about answering questions, and cyber security practitioners need to make impactful decisions based on the best available information. Cyber Threat Intelligence (CTI) exists to give anyone who needs to make security decisions the capability to make more informed ones. Those decisions in turn should yield risk mitigation for the organization. It really is that simple. Then why is it so hard to create intelligence solutions and services that can provide the decision-making support and risk reduction value organizations require?

Working with dozens of global organizations, I believe some of the challenges are technological in nature. Some challenges are due to poor threat management staffing and training levels, and still other organizations are struggling with programmatic process issues. Rarely, but occasionally, I see organizations that orchestrate the golden triangle of people, process and technology correctly, and yet still struggle to provide intelligence services that drive decision advantage and risk reduction across the enterprise. Why is that?

Remember, intelligence is about answering questions to allow for better decision making. Therefore, considering the audience intended to consume the intel matters. Different end users of intelligence have different needs. Getting understandable and actionable intelligence into the hands of whoever needs it, in a format and language they can understand and use to make decisions, is the bedrock of a strong threat intelligence program. Sounds easy. Yet even in organizations that understand this need, a disconnect oftentimes exists between intelligence solutions and services and the needs of the end consumer of that intelligence. Role based intelligence helps us solve this dilemma.

There are three types of organizational intelligence: Strategic, Operational and Tactical. Understanding which audience needs what type of intelligence and delivering it in a timely and digestible manner can make all the difference between simply having an intelligence function and being an intelligence-led security organization.

Role Based intelligence interrelationships

Strategic Intelligence: Cyber Threat Trending

Strategic intelligence is the big picture view of threats an organization faces. We often call it “over the horizon” intelligence. It is intelligence produced to be predictive in nature about emerging threats, or current threats that may morph over time. By its nature, strategic intelligence takes a longer view of the threat landscape, so that an organization’s future security state can be modeled over time to reduce risk against those predictions.

This form of intelligence can be used by everyone in the security sphere at an organization, but is most oftentimes targeted at executives or upper management – Chief Information Officer, Chief Information Security Officer, Security Operations Center Director, etc. This is intelligence that when properly applied should help senior decision makers become aware of threats that may impact the organization in the future, so that they can make investment and process decisions in the present that “future proof” organizational security.

Some of the questions we are trying to answer with strategic intelligence are:

  • Who are my adversaries and how might they attack us?
  • Is my current technology stack adequate to ameliorate future threats?
  • Why am I a target and is our risk profile changing?
  • Based on future threats’ Tactics Techniques and Procedures (TTPs), will any processes require revision?
  • What targeting may we face due to industry, location, or geopolitical events?

Strategic intelligence reporting seeks to answer the “Who” and “Why” portions of the decision-making tree to guide investment-based changes to the organization that will limit future risk. Most often, this form of reporting is via monthly and quarterly reports that highlight recent incidents, emerging threats, and current reporting that shows any changes with known threat actors matching the organizations threat profile. Trend analysis is also an important element of strategic reporting. Lastly, the CTI team should make predictive estimates, with associated likelihoods, of the future threat state.

Operational Intelligence: Internal and External Fusion

Operational intelligence is focused closer into the actual cyber threats the organization faces. This form of intelligence is still laser focused on providing decision making advantage and reducing risk, but does so by providing the context that security practitioners need when investigating potential and realized threats.

Operational intelligence is most often written with a target audience of Incident Response, Forensics Investigators and Hunt Teams in mind. This audience needs to not only understand that the threat exists, but also requires a deeper and more technical understanding of how a given threat operates (actor motivation, TTPs, and changes to targeting considerations or infrastructure).

Some of the questions we are trying to answer with operational intelligence are:

  • How does a given threat actor’s attack patterns and frequency evolve over time?
  • Are threat infrastructures, methodologies or tactics evolving, and if so how?
  • Is our attack surface more or less vulnerable to these changes?
  • Where is the best place, within the network environment, to expose potential risks or bad actors?
  • How can a given bad actors past behaviors provide clues on how to expose them?

Operational intelligence is concerned with answering the “How” and “Where” questions associated with threats, to better prepare security groups with information to help them locate, isolate, and remediate network intrusions. Typical reporting includes daily and weekly reports that are more technical in detail, focused on actor TTPs, and mixed with analysts’ determinative comments on operationally focused topics like persistence methods, exploits and campaigns of interest.

Tactical Intelligence: Technical Advisory

Tactical intelligence is the most granular form of intelligence. This intelligence is the atomic indicators associated with known bad actors. Commonly called Indicators of Compromise (IOCs), these are machine readable artifacts of known bad actor signatures, tools, and infrastructure.

Tactical intelligence usually takes the form of IOC management – validating incoming IOCs to ensure they are of importance to the organization, from trusted sources and then enriching the indicators by adding known intelligence details on the bad actor in question. Tactical intelligence is still about improved decision making. In this case, our target audience can be Tier 1 and 2 analysts who need to make quick triage decisions in an oftentimes task saturated security operating environment, or Red Teams needing to emulate an adversary, and numerous other potential use cases.

Some of the questions we are trying to answer with tactical intelligence are:

  • What malware is being employed by a threat?
  • What command and control infrastructure should we expect to see from a threat?
  • What signatures are associated with a given malware?

Tactical intelligence is focused on answering the “What” questions associated with threats. Usually it is done with a mix of reporting. Data enrichment and IOC management is a large part of this, but also written products such as time sensitive Threat Alerts. By helping to validate and manage IOCs intelligence teams provide immediate help within the security environment. Finally, by applying follow on technical reporting with details of the threat, the decision-making requirement of intelligence is met.

Learn more about FireEye Threat Intelligence.