Doing Threat Intel the Hard Way - Part 5: Analyze Threat Intelligence

Published on
March 9, 2017

This is the fifth post in a series on manual IOC management for threat intelligence. See the previous posts:

Part 1: Manual IOC Management
Part 2: Capturing Threat Intelligence
Part 3: Processing Threat Intelligence
Part 4: Operationalizing Threat Intelligence


Analyze Threat Intelligence

Everything we have discussed to this point is meant to deliver the right information to your analysts, but the intelligence must still be analyzed. To do this, an analyst workflow must be established that includes incident escalation and response processes.

The analyst workflow must provide a repeatable process for analyzing the output of the integrations you created in the previous steps. For example, if the SIEM determines that a server is communicating with a known botnet command-and-control domain, your analyst must be notified in some fashion (on-screen prompt, email, SMS, IM, etc.). The analyst must then evaluate the collected information and take appropriate action based on its accuracy. If the analyst determines that the notification is not valid, they should document their findings for future reference and move on to the next analysis. If the analyst verifies that the notification is correct, they should begin a formal set of incident response steps.
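The notify, evaluate, document-or-escalate path described above, as an added example that is not code from the original post. The alerts and dispositions are constructed inline; `notifications` and `escalations` are stand-ins for whatever your SIEM, paging and ticketing systems actually provide. The point it adds is the payoff of "document their findings for future reference": when the same indicator fires again, the earlier verdict is surfaced to the analyst at notification time instead of being re-investigated from scratch.

```python
"""Analyst triage workflow for SIEM matches against threat-intel indicators.

Added example; not code from the original post. Alerts, indicators and
dispositions are constructed. notify/escalate are placeholders for the
real notification and incident-response hand-off integrations.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

VALID_VERDICTS = ("true_positive", "false_positive")


@dataclass
class Alert:
    alert_id: str
    host: str            # asset the SIEM saw talking to the indicator
    indicator: str       # e.g. the matched C2 domain
    indicator_type: str  # "domain", "ip", "hash", ...


@dataclass
class Disposition:
    indicator: str
    verdict: str         # one of VALID_VERDICTS
    analyst: str
    notes: str
    decided_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class TriageWorkflow:
    """Repeatable analyst path: notify -> evaluate -> document or escalate."""

    def __init__(self) -> None:
        self.dispositions: dict[str, Disposition] = {}  # indicator -> latest finding
        self.notifications: list[str] = []               # stand-in for email/SMS/IM
        self.escalations: list[str] = []                 # alert ids handed to formal IR

    def open_alert(self, alert: Alert) -> Optional[Disposition]:
        """Notify the analyst and return any documented finding on this indicator.

        A prior false positive does not auto-close the alert; the analyst still
        evaluates it, but with the earlier reasoning in front of them.
        """
        self.notifications.append(
            f"{alert.alert_id}: {alert.host} -> {alert.indicator_type} {alert.indicator}"
        )
        return self.dispositions.get(alert.indicator)

    def close_alert(self, alert: Alert, analyst: str, verdict: str, notes: str) -> str:
        """Record the analyst's verdict and return the action taken."""
        if verdict not in VALID_VERDICTS:
            raise ValueError(f"unknown verdict {verdict!r}")
        # Documented for future reference whether valid or not.
        self.dispositions[alert.indicator] = Disposition(
            alert.indicator, verdict, analyst, notes
        )
        if verdict == "true_positive":
            self.escalations.append(alert.alert_id)  # begin formal incident response
            return "escalated"
        return "documented"


if __name__ == "__main__":
    wf = TriageWorkflow()
    first = Alert("A-1", "srv01", "cdn.example.test", "domain")   # constructed
    wf.open_alert(first)
    print(wf.close_alert(first, "alice", "false_positive", "legitimate CDN; stale feed entry"))
    repeat = Alert("A-2", "ws42", "cdn.example.test", "domain")
    print("prior finding:", wf.open_alert(repeat))
```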

In addition to providing analysts with a workflow, you must also provide them with the tools to gather information on the incidents they analyze. This is where enrichment of the sort discussed in the processing step becomes useful. Analysts use sites such as Shodan, Web of Trust and VirusTotal to gather additional information on selected indicators. Integrating these sources into your threat intelligence platform removes the need to seek them out manually, saving your analysts precious time when making an escalation decision.

One final tool you may wish to provide to analysts is the ability to perform indicator expansion in their research. Indicator expansion is a two-step process: the analyst first examines indicators related to those seen in the local environment, then conducts a secondary search to see whether any of the related indicators are also present. Many organizations struggle with this because of short retention periods for gathered log data; an analyst can only investigate as far back as their data reaches.
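The two-step expansion above, as an added example that is not code from the original post. The relationship data (which indicators a feed links to the one observed), the observed indicator and the log lines are all constructed; a real platform would pull related indicators from the threat intelligence platform and run the second step as a SIEM query. The retention window is modelled explicitly so the result reports how far back the search could actually reach, which is the limitation the paragraph describes.

```python
"""Two-step indicator expansion bounded by log retention.

Added example; not code from the original post. RELATED, LOGS and the
observed indicator are constructed. In production step 1 is a TIP query
for related indicators and step 2 is a SIEM search over the expanded set.
"""
from datetime import datetime, timedelta, timezone

# Constructed intel relationships: indicator -> indicators a feed links to it
# (e.g. a C2 domain, the IPs it resolved to, another domain on the same IP).
RELATED = {
    "c2.example.test": {"198.51.100.23", "203.0.113.7", "update.example.test"},
    "198.51.100.23": {"beacon.example.test"},
}

# Constructed DNS/proxy records: "<ISO-8601 UTC timestamp> <host> <indicator>"
LOGS = [
    "2017-03-08T10:00:00Z srv01 c2.example.test",      # the original SIEM match
    "2017-03-07T09:30:00Z ws42 203.0.113.7",           # related IP, inside retention
    "2017-02-01T08:00:00Z ws42 beacon.example.test",   # related, but older than retention
]


def expand(indicator: str, depth: int = 1) -> set:
    """Step 1: collect indicators related to the one seen locally.

    depth=1 returns direct relations; higher depth follows relations of
    relations. The original indicator is never included in the result.
    """
    seen, frontier = set(), {indicator}
    for _ in range(depth):
        nxt = set()
        for ind in frontier:
            nxt |= RELATED.get(ind, set())
        nxt -= seen | {indicator}
        seen |= nxt
        frontier = nxt
    return seen


def _parse(line: str):
    ts_s, host, value = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, host, value


def search_logs(indicators: set, logs: list, now: datetime, retention_days: int):
    """Step 2: look for the expanded set, but only within the retention window.

    Returns (hits, horizon, skipped): hits are (host, indicator) pairs,
    horizon is the earliest timestamp that could be searched, and skipped
    counts records older than that (in a real SIEM they would simply be gone).
    """
    horizon = now - timedelta(days=retention_days)
    hits, skipped = [], 0
    for line in logs:
        ts, host, value = _parse(line)
        if ts < horizon:
            skipped += 1
            continue
        if value in indicators:
            hits.append((host, value))
    return hits, horizon, skipped


def investigate(indicator: str, logs: list, now: datetime, retention_days: int, depth: int = 1) -> dict:
    """Run both steps and report what the analyst could and could not see."""
    related = expand(indicator, depth)
    hits, horizon, skipped = search_logs(related, logs, now, retention_days)
    return {"related": related, "hits": hits, "horizon": horizon, "skipped": skipped}


if __name__ == "__main__":
    now = datetime(2017, 3, 9, tzinfo=timezone.utc)
    print(investigate("c2.example.test", LOGS, now, retention_days=14, depth=2))
```

With a 14-day window the related IP `203.0.113.7` is found on `ws42`, while the `beacon.example.test` record from February is beyond the horizon and cannot be checked, exactly the gap a short retention period creates.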

Up next in the series: Threat Intelligence Maintenance
