Welcome to Fight Club.

The first rule of Fight Club is: you do not talk about Fight Club.

The second rule of Fight Club is: you DO NOT talk about Fight Club.

Third rule of Fight Club: someone yells "stop!", goes limp, taps out, the fight is over.

Fourth rule: only two guys to a fight.

Fifth rule: one fight at a time, fellas.

Sixth rule: No shirts, no shoes.

Seventh rule: fights will go on as long as they have to.

And the eighth and final rule: if this is your first time at Fight Club, you have to fight.

-Tyler Durden, Fight Club

As cool as Tyler Durden is, his rules need to be revised a bit to apply to Threat Intelligence.

Welcome to Threat Intelligence.

The first rule of Threat Intelligence is: you need to understand what "Intelligence" truly means.

The second rule of Threat Intelligence is: you MUST talk about Threat Intelligence ACCURATELY!

Third rule of Threat Intelligence: you must talk about Threat Intelligence with the right people.

Fourth rule: nothing exists in a bubble. There are always multiple factors to consider.

Fifth rule: a data feed does not equal Intelligence.

Sixth rule: no analysis = no intelligence.

Seventh rule: The production and application of Threat Intelligence is cyclical.

And the eighth and final rule: it may not be cheap or easy, but you need proper Threat Intelligence.

-Chad Kahl, Targeted Threat Intelligence

Unfortunately, when it comes to infosec, the rules are being broken right and left. To get a head start on the rules, let's take a look at a few terms you need to know:

Traffic Light Protocol (TLP): According to rule 3, you must talk about threat intelligence with the right people. This applies on two levels. First, recognize that open discussions about threat intelligence are best had with people who understand true threat intelligence. However, unlike at Fight Club, bringing others into the fold through teaching opportunities can also benefit the community as a whole.

Second, recognize that you probably shouldn't share everything with everyone. NTT Security, along with many others, subscribes to the Traffic Light Protocol as published by US-CERT.

The originator of the information or intelligence product should assign a TLP color code to the item in question. Recipients should always respect the original designation and consult the originator if they believe a different color code should be assigned (reference rule 4; there may be factors you aren't aware of). As a side note, all intelligence products delivered by the NTT Security Targeted Threat Intelligence service, unless otherwise specified, are TLP: AMBER, which means the intelligence may be shared with anyone in your organization who needs it to protect the organization, but not beyond it.

Noise to Data to Intelligence: Ah, rule 5. The number of times I hear these terms used incorrectly is starting to feel like a solid right cross. Their proper use is explained in the graphic below.

Once you have read through the descriptions, rule 6 should be completely obvious. A stream of data is a stream of data. What transforms information into intelligence is human analysis of that information. Without proper human analysis there is no intelligence. Yet many services are selling raw data feeds as "Threat Intelligence," and the IT industry as a whole has accepted this as the standard. Some days, it feels like I am stuck in the police station while discussing this concept:

Narrator: You're making a big mistake, fellas!

Police Officer: You said you would say that.

Narrator: I'm not Tyler Durden!

Police Officer: You told us you'd say that, too.

Narrator: All right then, I'm Tyler Durden. Listen to me, I'm giving you a direct order. We're aborting this mission right now.

Police Officer: You said you would definitely say that.

We need to change the concept of intelligence from “a bunch of data” to “properly analyzed information.” The time for that change has passed. We need to make it happen now.

How do you make that happen?

You add structure. You define rules, just like they did in Fight Club. You define rules that help govern the way you define, present, and communicate intelligence. Consider the following technologies that serve this purpose.

STIX: No, not the kind you can play swordfight with. STIX is the Structured Threat Information eXpression, a collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information. Think of a STIX 1.x package as an XML document that describes the following items and the relationships between them (the later STIX 2.x standard, now maintained by OASIS, expresses the same ideas in JSON): 

  • Observables
  • Indicators
  • Incidents
  • Adversary Tactics, Techniques and Procedures (TTPs)
  • Exploit Targets
  • Course of Action
  • Campaigns
  • Threat Actors
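The two preceding sections, TLP and STIX, meet in practice the moment a package arrives: you have to read the marking before you read the indicators. The following is an added example, not code from the original post or from NTT Security or MITRE. The namespace URIs are the published STIX 1.1.1, CybOX 2.1 and data-marking ones; the package itself (the indicator title, the domain, the IP address) is constructed sample data, and the `TLP_SCOPES` ladder is this example's own encoding of the US-CERT TLP audiences.

```python
"""Parse a constructed STIX 1.x package: pull out its indicators, their
observables and its TLP data marking, then decide who may receive it.

Added example, not NTT Security's or MITRE's code. Namespace URIs are the
published STIX 1.1.1 / CybOX 2.1 / data-marking ones; package contents are
constructed sample data.
"""
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "marking": "http://data-marking.mitre.org/Marking-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample: one TLP:AMBER indicator carrying a domain and an IPv4
# address (example.com and 198.51.100.0/24 are reserved documentation values).
SAMPLE_PACKAGE = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:marking="http://data-marking.mitre.org/Marking-1"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.1.1">
  <stix:STIX_Header>
    <stix:Handling>
      <marking:Marking>
        <marking:Controlled_Structure>//node() | //@*</marking:Controlled_Structure>
        <marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="AMBER"/>
      </marking:Marking>
    </stix:Handling>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator id="example:Indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed C2 infrastructure</indicator:Title>
      <indicator:Observable id="example:Observable-1">
        <cybox:Observable_Composition operator="OR">
          <cybox:Observable><cybox:Object>
            <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
              <DomainNameObj:Value>c2.example.com</DomainNameObj:Value>
            </cybox:Properties>
          </cybox:Object></cybox:Observable>
          <cybox:Observable><cybox:Object>
            <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
              <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value>
            </cybox:Properties>
          </cybox:Object></cybox:Observable>
        </cybox:Observable_Composition>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""

# TLP audiences (US-CERT version), least to most open; each color's widest audience.
TLP_SCOPES = ["named_recipients", "organization", "community", "public"]
TLP_COLOR_SCOPE = {"RED": 0, "AMBER": 1, "GREEN": 2, "WHITE": 3}


def tlp_color(root):
    """Return the TLP color from the package's Handling marking, or None if unmarked."""
    ms = root.find("stix:STIX_Header/stix:Handling/marking:Marking/marking:Marking_Structure", NS)
    if ms is None or not ms.get("{%s}type" % NS["xsi"], "").endswith("TLPMarkingStructureType"):
        return None
    return ms.get("color")


def indicators(root):
    """Return [(indicator title, [(CybOX object type, value), ...]), ...]."""
    result = []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        observed = []
        for props in ind.iter("{%s}Properties" % NS["cybox"]):
            obj_type = props.get("{%s}type" % NS["xsi"], "").split(":")[-1]
            observed += [(obj_type, c.text.strip()) for c in props if c.text and c.text.strip()]
        result.append((title, observed))
    return result


def may_share(color, recipient_scope):
    """True if an item of this TLP color may go to a recipient in `recipient_scope`.

    An unmarked or unknown color is treated as the most restrictive case: ask
    the originator rather than guess (rule 4).
    """
    if color not in TLP_COLOR_SCOPE or recipient_scope not in TLP_SCOPES:
        return False
    return TLP_SCOPES.index(recipient_scope) <= TLP_COLOR_SCOPE[color]


def summarize(xml_text):
    root = ET.fromstring(xml_text)
    color = tlp_color(root)
    return {
        "tlp": color,
        "indicators": indicators(root),
        "share_with": [s for s in TLP_SCOPES if may_share(color, s)],
    }
```

Calling `summarize(SAMPLE_PACKAGE)` yields TLP AMBER, the two observables, and an audience limited to named recipients and your own organization; a GREEN package would add the community, and an unmarked one nobody until the originator is consulted. Two practical notes: a real package from a feed is untrusted input, so parse it with `defusedxml` rather than the bare `xml.etree` used here for self-containment, and a STIX marking's `Controlled_Structure` can scope the TLP to part of a package, which this example ignores by reading only the header marking.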

TAXII: Awesome. Now we know a standard package used to share many intelligence analyses. How do we deliver it though?

FTP? Seriously? This is security we are talking about.

Encrypted email? Better, but still not the right way to do things.

No! Like the last tired fighter, you throw that STIX package into a TAXII! A Trusted Automated eXchange of Indicator Information server is the preferred method of exchanging STIX packages, enabling organizations to share structured cyber threat information in a secure and automated manner. Thought I forgot about rule 7, didn’t you?
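What that exchange looks like on the wire, as an added example that is not code from the original post or from NTT Security or MITRE: a TAXII 1.1 client builds a Poll Request for a collection, the server answers with a Poll Response whose content blocks carry STIX packages, and the client checks that the response actually answers its request and that each block is STIX before handing it to the parser. The message layout and HTTP header values follow the TAXII 1.1 XML binding; the collection name and the response body are constructed sample values, and nothing here touches the network.

```python
"""Build a TAXII 1.1 Poll Request and parse a Poll Response, offline.

Added example, not NTT Security's or MITRE's code. The namespace, header
values and element names follow the TAXII 1.1 XML binding; the collection
name and SAMPLE_RESPONSE are constructed.
"""
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
STIX_BINDING = "urn:stix.mitre.org:xml:1.1.1"
ET.register_namespace("taxii_11", TAXII_NS)
ET.register_namespace("stix", "http://stix.mitre.org/stix-1")

# Headers a TAXII 1.1 client sends with the request body, over HTTPS.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def build_poll_request(collection, message_id=None):
    """Return (message_id, body bytes) for a synchronous FULL poll of `collection`."""
    message_id = message_id or uuid.uuid4().hex
    req = ET.Element("{%s}Poll_Request" % TAXII_NS,
                     {"message_id": message_id, "collection_name": collection})
    params = ET.SubElement(req, "{%s}Poll_Parameters" % TAXII_NS, {"allow_asynch": "false"})
    ET.SubElement(params, "{%s}Response_Type" % TAXII_NS).text = "FULL"
    return message_id, ET.tostring(req, encoding="utf-8")


def parse_poll_response(xml_bytes, expected_in_response_to):
    """Return the STIX documents (as XML strings) carried by a Poll Response.

    Rejects a response that does not answer our request id and skips content
    blocks whose binding is not STIX 1.1.1, so only STIX reaches the parser.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Poll_Response" % TAXII_NS:
        raise ValueError("not a TAXII 1.1 Poll_Response: %s" % root.tag)
    if root.get("in_response_to") != expected_in_response_to:
        raise ValueError("response does not answer our request")
    docs = []
    for block in root.findall("{%s}Content_Block" % TAXII_NS):
        binding = block.find("{%s}Content_Binding" % TAXII_NS)
        if binding is None or binding.get("binding_id") != STIX_BINDING:
            continue
        content = block.find("{%s}Content" % TAXII_NS)
        if content is not None and len(content):
            docs.append(ET.tostring(content[0], encoding="unicode"))  # inline XML
        elif content is not None and content.text and content.text.strip():
            docs.append(content.text.strip())  # escaped or text-bodied content
    return docs


# Constructed server reply: one STIX block plus one block in an unrelated binding.
SAMPLE_RESPONSE = b"""<taxii_11:Poll_Response
    xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="srv-1" in_response_to="REQ-1" collection_name="constructed-feed" more="false">
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <taxii_11:Content>
      <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" id="example:Package-2" version="1.1.1">
        <stix:STIX_Header><stix:Title>constructed</stix:Title></stix:STIX_Header>
      </stix:STIX_Package>
    </taxii_11:Content>
  </taxii_11:Content_Block>
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:example:not-stix"/>
    <taxii_11:Content>ignored by the client</taxii_11:Content>
  </taxii_11:Content_Block>
</taxii_11:Poll_Response>
"""
```

To actually poll a server you would POST the body from `build_poll_request` to its Poll Service URL with `TAXII_HEADERS`, over TLS with certificate verification on, and usually with a client certificate or credentials the feed operator issued (that part is assumed here, since the post names no server). The `in_response_to` check is cheap and worth keeping: it ties each batch of content to the request that asked for it, and as with the STIX parser, use `defusedxml` for the real thing rather than bare `xml.etree`.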

Before you tap out because this blog is getting too long, I am going to step out and let you rest. You can be certain my team is not done discussing this topic. Be on the lookout for more education on true threat intelligence! More on rule 8 next time…

It's called a changeover. The movie goes on, and nobody in the audience has any idea.

-Narrator, Fight Club

References:

https://www.us-cert.gov/tlp

https://stix.mitre.org/