CSF-DOC-IDRA-4 Threat Intelligence Process

Page 1

Threat Intelligence Process

NIST CSF 2.0 Toolkit: Version 1 ©CertiKit


Threat Intelligence Process [Insert classification]

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document describes how threat intelligence will be gathered, processed and reported within the organization.

Areas of the framework addressed

The following areas of the Cybersecurity Framework are addressed by this document:

• Identify (ID)
  o Risk Assessment (ID.RA)
    ▪ ID.RA-03
    ▪ ID.RA-05
• Detect (DE)
  o Adverse Event Analysis (DE.AE)
    ▪ DE.AE-05

General guidance

There are a number of common definitions of the “intelligence cycle” and the one presented in this process document may be varied as you need to. You may also decide to separate out some more detailed procedures for strategic, tactical and operational threat intelligence if it makes sense to do so, for example if there are significant differences in the way you choose to approach them.

Review frequency

We would recommend that this document is reviewed annually and upon significant change to the organization.

Version 1

Page 2 of 11

[Insert date]


Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.


Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


Threat Intelligence Process

Version 1

DOCUMENT CLASSIFICATION: [Insert classification]
DOCUMENT REF: CSF-DOC-IDRA-4
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]


Revision history

VERSION    DATE    REVISION AUTHOR    SUMMARY OF CHANGES

Distribution

NAME    TITLE

Approval

NAME    POSITION    SIGNATURE    DATE


Contents

1 Introduction ........................................ 8
2 Threat intelligence process ......................... 9
2.1 Direction/Planning ............................... 10
2.2 Collection ....................................... 10
2.3 Analysis ......................................... 10
2.4 Production ....................................... 10

Figures

Figure 1: Threat intelligence process ................. 9

Tables

Table 1: Threat intelligence levels ................... 9


1 Introduction

Threat intelligence is the discipline of obtaining and analyzing information about those who would do us harm in cyber space in order to understand how to make our defences as effective as possible. The collection, processing and reporting of threat intelligence is vital to [Organization Name]’s ability to assess risk and react to the threats it faces to its information security, for example from external parties who may be on the other side of the world.

[Organization Name] is committed to ensuring that effective methods are employed to ensure the accuracy, completeness and timeliness of the threat intelligence it uses. This process sets out the major steps involved in collecting and processing intelligence about threats at the strategic, tactical and operational levels.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:

• Threat Intelligence Policy
• Specialist Interest Group Contacts
• Authorities Contacts
• Information Security Incident Response Procedure
• Technical Vulnerability Management Policy


2 Threat intelligence process

In accordance with our policy, threat intelligence is gathered and reported at three levels: strategic, tactical and operational. These levels are described in Table 1.

LEVEL          DESCRIPTION
Strategic      Focused on the collection and analysis of high-level information regarding groups of attackers, their motivation, typical targets, types of attack and current levels of activity.
Tactical       Concerned with specific attackers or types of attackers and the tactics, techniques, and procedures (TTPs) that they are currently using to gain access to systems or otherwise pose a threat to our organization.
Operational    Relating to specific and potentially ongoing attacks, including indicators of compromise (IOCs) which may allow us to identify cases where we have suffered a breach.

Table 1: Threat intelligence levels

This process is intended to be used in its basic form to produce threat intelligence at all three levels as the overall approach in each case is similar. The process of threat intelligence is shown in Figure 1 and each step is described in the following sections.

Figure 1: Threat intelligence process


2.1 Direction/Planning

It is important that clear objectives are defined for threat intelligence in general and for the specific topics for which information is to be collected and analyzed. These objectives should consider the context of the organization, in terms of our industry, locations, technology and interested parties.

The information sources that will be used both for a specific topic and on an ongoing basis must be identified and due diligence carried out on each one to ensure their validity and accuracy. Sources that will provide information on a long-term basis must be added to the list of Authorities Contacts and Specialist Interest Group Contacts. Those sources that are used for a single purpose will be identified in the resulting report.

2.2 Collection

Relevant information will then be collected from the identified sources by whatever method is appropriate (for example download of a report, request for information, subscription to a news feed). Any necessary preparation of the information (such as translation, summarization, or comparison with other sources) must also be carried out to make its analysis more effective. The information must be stored appropriately (for example in a filing system) and its source clearly recorded for future reference.

2.3 Analysis

The collected information must be analyzed to define its relevance to, and implications for, the organization. At the tactical and operational levels, this may include comparing information received from external sources (for example indicators of compromise (IOCs)) with information available from internal systems, such as security information and event management (SIEM) and event logs, to investigate any existing impact to the organization, such as a breach. Factors such as the types of technology and software versions affected may also be relevant to determine whether a threat needs to be analyzed further.
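The operational-level comparison described above, as an added illustration that is not part of the CertiKit template: a small matcher that checks received IOCs against internal log records and keeps each hit tied to the source the IOC came from, so that affected hosts can be investigated for an existing impact. The feed entries, the key=value log format and its field names are all constructed assumptions.

```python
import re

# Constructed sample IOCs, shaped like a CTI feed export. Each entry keeps the
# source it came from so that a hit can be traced back to it (section 2.2).
IOCS = [
    {"type": "domain", "value": "Update-Check.example.", "source": "vendor advisory (constructed)"},
    {"type": "ipv4", "value": "203.0.113.45", "source": "sector ISAC feed (constructed)"},
    {"type": "sha256", "value": "a" * 64, "source": "incident report (constructed)"},
]

# Constructed sample SIEM export in key=value form: DNS queries, outbound
# connections and process executions seen on internal hosts.
LOG_LINES = [
    "ts=2024-05-01T10:01:02Z host=ws-017 event=dns query=update-check.example",
    "ts=2024-05-01T10:01:05Z host=ws-017 event=netconn dst=203.0.113.45 dport=443",
    "ts=2024-05-01T10:02:00Z host=srv-02 event=process sha256=" + "b" * 64,
    "ts=2024-05-01T10:03:00Z host=ws-019 event=dns query=intranet.example",
]

# Which log fields carry which kind of indicator (assumed field names).
FIELD_TYPES = {"query": "domain", "dst": "ipv4", "src": "ipv4", "sha256": "sha256"}

def normalize(ioc_type, value):
    """Canonical form so that feed and log spellings compare equal."""
    value = value.strip().lower()
    if ioc_type == "domain":
        value = value.rstrip(".")  # drop trailing dot from DNS zone notation
    return value

def parse_kv(line):
    return dict(re.findall(r"(\w+)=(\S+)", line))

def match_iocs(iocs, lines):
    """Return one record per log field equal to a known IOC, with its source."""
    index = {(i["type"], normalize(i["type"], i["value"])): i for i in iocs}
    matches = []
    for line in lines:
        fields = parse_kv(line)
        for field, ioc_type in FIELD_TYPES.items():
            if field not in fields:
                continue
            hit = index.get((ioc_type, normalize(ioc_type, fields[field])))
            if hit:
                matches.append({"host": fields.get("host", "unknown"), "type": ioc_type,
                                "ioc": hit["value"], "source": hit["source"], "line": line})
    return matches

def affected_hosts(matches):
    """Hosts needing investigation for an existing impact (section 2.3)."""
    return sorted({m["host"] for m in matches})
```

A real deployment would read the feed and the log export from files or the SIEM API rather than inline constants; the matching and normalization logic is unchanged.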

2.4 Production

Once sufficient analysis of threat intelligence has been carried out, the resulting information must be presented in an actionable form, usually as a report or briefing paper. Where appropriate, reports from third parties may be distributed in their published form, particularly at the strategic level. However, analysis should reflect clear guidance about the relevance of such reports to [Organization Name] where required.

Reports should be distributed to all areas of the business that may be affected by their contents. This will usually include:

• Top management (mainly for strategic level reports)
• Risk management
• Business areas responsible for the application of controls (such as ICT and HR)
• Business areas responsible for security testing, for example of application code

Where reports refer to a potentially urgent threat, additional methods of communication such as face to face or virtual briefings should also be used. Feedback should be requested on each report in order to improve aspects such as format, language used, timeliness and content.
