Content is provided by Nisos, Inc. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by Nisos, Inc. or its podcast platform partners. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://ja.player.fm/legal
Building Your Own Intelligence Program within the SOC and Beyond

26:44

In episode 71 of The Cyber5, guest moderator and Nisos teammate Matt Brown is joined by security practitioner Matt Nelson.

They discuss a recent blog post Matt Nelson wrote on how to operationalize intelligence for the SOC, and the outcomes an incident response team looks for from intelligence. They also talk about how to make intelligence more broadly useful for investigations, and discuss the intelligence market more holistically.

Three Key Takeaways:

1) Threat Intelligence Augments Threat Hunting in the Security Operations Center (SOC)

Intelligence requirements are critical throughout the business and not just limited to the SOC. Threat intelligence can be a significant help to the threat hunting and detection team. The outcomes that threat hunting teams generally look for are:

  1. Cyber Kill Chain: Analyzing the payload, including the commands it runs, the infrastructure hosting the attack, which ports that infrastructure uses to communicate, etc.
  2. Target Verification: Identifying who is being targeted, how, and with what intent; this context is often missing when looking solely at forensic data.
  3. Collection Intent of Attacker: Trying to determine what kinds of data the attackers are aiming for. This is hard to determine simply from forensics data.
  4. Target of Opportunity Versus Targeted Attack: Determining if attacks are targeting the many or the select few is critical for defense strategies. If targeting efforts are directed solely at IT personnel with admin access, that’s more significant than a “spray and pray” campaign.
  5. Outcomes: Outlining detections, protection strategies, and awareness campaigns.

2) Evolving Threat Intelligence Beyond the SOC

Threat intelligence is not just cyber news or an indicators of compromise (IOC) feed. Threat intelligence is useful for insider threat, fraud, platform abuse, corporate intelligence, and supply chain risk.

3) Single Data Aggregators for Enterprises (SIEMs, TIPs, MISP) Aren’t the Panacea

  1. The SIEM is not the best place for threat intelligence data, because it holds too many internal logs that are not relevant to it.
  2. TIPs are mostly focused externally. They are good for storing IOCs, but correlating threat intelligence on its own is of limited use: it simply repeats what is already known.
  3. MISP (https://www.misp-project.org/) is open source and can be effective with the right resources. Data modeling and getting the taxonomy of the data right are the most critical parts.
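The following is an added example to illustrate takeaways 1 and 3 together; it is not code from the episode, from Matt Nelson's blog post, or from Nisos. It models one MISP-style event (the Event/Attribute/Tag JSON layout MISP uses, with tag names taken from the public MISP taxonomies `tlp` and `kill-chain`), keeps only the attributes the analyst marked detection-grade (`to_ids`), and matches them against a few constructed firewall and DNS log lines so that each hit carries its kill-chain phase and the user who was targeted. The event contents, indicator values (documentation address ranges), field names and log lines are all constructed assumptions for illustration.

```python
"""Added example (not from the episode): a MISP-style event with taxonomy tags,
matched against constructed log lines to produce kill-chain-aware hits.

Assumptions: the JSON follows MISP's Event/Attribute/Tag layout; tag names come
from the public MISP taxonomies ("tlp", "kill-chain"); indicator values use
documentation address ranges; the log lines and their key=value field names
(src, dst, dport, query, user) are constructed for this example.
"""
import json
import re

# Constructed event. to_ids=True marks an attribute as detection-grade; the
# Reconnaissance IP is context only and must not produce alerts.
EVENT_JSON = json.dumps({
    "Event": {
        "info": "Constructed example: phishing campaign against IT admins",
        "Tag": [{"name": "tlp:amber"}],
        "Attribute": [
            {"type": "ip-dst|port", "value": "203.0.113.10|8443", "to_ids": True,
             "Tag": [{"name": "kill-chain:Command and Control"}]},
            {"type": "domain", "value": "update-portal.example", "to_ids": True,
             "Tag": [{"name": "kill-chain:Delivery"}]},
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False,
             "Tag": [{"name": "kill-chain:Reconnaissance"}]},
        ],
    }
})

# Constructed log lines (firewall allow events and one DNS query).
LOG_LINES = [
    "2024-05-01T10:02:11Z src=10.0.0.15 dst=203.0.113.10 dport=8443 action=allow user=jdoe",
    "2024-05-01T10:03:40Z src=10.0.0.22 dst=93.184.216.34 dport=443 action=allow user=asmith",
    "2024-05-01T10:05:02Z src=10.0.0.15 dst=198.51.100.7 dport=80 action=allow user=jdoe",
    "2024-05-01T10:06:55Z src=10.0.0.31 query=update-portal.example type=A user=adm-rlee",
]


def load_indicators(event_json):
    """Return detection-grade attributes (to_ids) with their kill-chain phase.

    The phase is read from the 'kill-chain:<predicate>' tag on the attribute;
    attributes without such a tag get phase 'unknown'.
    """
    event = json.loads(event_json)["Event"]
    indicators = []
    for attr in event["Attribute"]:
        if not attr.get("to_ids"):
            continue  # context-only attribute: keep it out of detection
        phase = next(
            (t["name"].split(":", 1)[1] for t in attr.get("Tag", [])
             if t["name"].startswith("kill-chain:")),
            "unknown",
        )
        indicators.append({"type": attr["type"], "value": attr["value"], "phase": phase})
    return indicators


def match_logs(indicators, log_lines):
    """Match each key=value log line against the indicators by MISP attribute type."""
    matches = []
    for line in log_lines:
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        for ind in indicators:
            if ind["type"] == "ip-dst|port":
                ip, port = ind["value"].split("|")
                hit = fields.get("dst") == ip and fields.get("dport") == port
            elif ind["type"] == "ip-dst":
                hit = fields.get("dst") == ind["value"]
            elif ind["type"] == "domain":
                hit = fields.get("query") == ind["value"]
            else:
                hit = False  # attribute types this example does not model
            if hit:
                matches.append({"user": fields.get("user"), "phase": ind["phase"],
                                "indicator": ind["value"]})
    return matches


def targeted_users(matches):
    """Sorted, de-duplicated list of users seen in matches (target verification)."""
    return sorted({m["user"] for m in matches if m["user"]})


if __name__ == "__main__":
    hits = match_logs(load_indicators(EVENT_JSON), LOG_LINES)
    for h in hits:
        print(f"{h['phase']:<20} {h['indicator']:<28} user={h['user']}")
    print("targeted users:", targeted_users(hits))
```

Only the two `to_ids` attributes fire: the connection to 203.0.113.10 on port 8443 (tagged Command and Control) and the DNS query for update-portal.example (tagged Delivery); the Reconnaissance IP is present in the logs but stays context only. Because each hit carries its phase and the affected user, the SOC can tell a delivery-stage lookup by an admin account apart from a later beaconing session, which is the kind of outcome takeaway 1 asks for and which a flat IOC list matched in the SIEM does not give.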