
Threat Intelligence Process

1 Introduction

1.1 Purpose

This document is intended to define the process that the Threat Intelligence Analyst will use for the collection, aggregation and dissemination of intelligence.

1.2 Scope

The GSOC Threat Intelligence Process applies to the GSOC only. The frequency with which the supporting processes are performed is documented in Upstream (Dependent) Processes and Downstream (Affected) Processes.

This document does not go into elaborate detail, provide low-level technical procedures, or address all potential outcomes or failure cases. Analysts are expected to maintain and rely on technical work notes and controls to guide their execution of this process, and are expected to use their best judgement when minor adaptations are needed to execute actions.

1.3 Ownership

KPMG GSOC Management owns this document and is responsible for ensuring that it is updated and maintained in response to feedback from GSOC Analysts.

1.4 Audience

All members involved with the GSOC Threat Intelligence function must read and understand this process.

1.5 Change Management Cycle

This document should be reviewed on an annual basis, or any time that the Constraints or Assumptions are believed to have changed.

1.6 Exceptions

The GSOC Deputy Manager or GSOC Manager can authorize exceptions to this process. Documentation of any process exceptions must be provided to GSOC management for process modifications.

1.7 Reporting Violations

Failures to adhere to this process must be reported directly to the Deputy GSOC Manager or Level 3 (L3) analyst.

1.8 Responsibilities

The following roles have overall responsibility for elements of this process. Please note that this is not a comprehensive listing of the responsibilities of each role; it represents each role's specific responsibilities in support of this process.

1.8.1 GSOC Manager

  • Oversight and exception approvals
  • Approval of Threat Intelligence Process Requirement and Collection Strategy Changes
  • Approval of new or changes to external feeds

1.8.2 GSOC Deputy Manager

  • Oversight and exception approvals

1.8.3 Threat Intelligence Analyst

  • Overall responsibility for Threat Intelligence Process

1.8.4 Tooling Engineer

  • Receives tactical intelligence from Threat Intelligence Team

1.8.5 Level 2 Analyst

  • Provides incident data to Threat Intelligence Team
  • Receives Strategic Intelligence from Threat Intelligence Team

1.8.6 Level 1 Analyst

  • Provides incident data to Threat Intelligence Team
  • Receives Strategic Intelligence from Threat Intelligence Team

1.9 Upstream (Dependent) Processes

  • Threat Intelligence Platform
  • KPMG – CRITs sources
  • KPMG GSOC Job Description
  • Reporting Service

1.10 Downstream (Affected) Processes

  • Optimization Detection Process

2 Threat Intelligence Overview

The Threat Intelligence team will define the collection, analysis and dissemination of data from internal or external sources to determine whether there is a threat to the environment.

This can be broken down into five stages: Direction and Optimization, Collection, Intelligence Triage, Analysis, and Dissemination.

These stages are further defined in Section 3, Threat Intelligence Process.

Figure 1: Threat Intelligence Process Stages

2.1 Roles

As referenced in the KPMG GSOC Job Description document, the role and responsibilities of the Threat Intelligence Analyst, as they relate to the Threat Intelligence team, are to provide technical insight into current and emerging threat activity, establish the extent of threats and assess the impact to the business.

The responsibilities as they relate to the Threat Intelligence team are as follows:

2.2 Threat Intelligence Platform

KPMG will use CRITs as its Threat Intelligence Platform; refer to the “Threat Intelligence Platform” document for how it will be used and integrated into the GSOC and the Threat Intelligence process.

3 Threat Intelligence Process

This section defines the expected actions and output for each stage of the Threat Intelligence Process, as displayed below:

Figure 2:  Threat Intelligence Process Stages

3.1 Direction and Optimization

3.1.1 Direction

Direction sets foundational components of the threat intelligence process. This will define the requirements of the Threat Intelligence Process. With well-defined requirements, a collection strategy can then be formed to align with the specific requirements.

3.1.1.1 Threat Intelligence Requirements

On a regular basis the Threat Intelligence Team must define its objectives and requirements. These requirements provide guidance on what type of data to collect. In order to define the requirements, the Threat Intelligence Team must answer the questions below, grouped into two categories:

Business and Risk

Adversary

3.1.1.2 Threat Intelligence Collection Strategy

After defining the requirements, the Threat Intelligence Team needs to define a collection strategy that collects both tactical and strategic intelligence.

Strategic Intelligence

Strategic intelligence is high-level descriptive intelligence from security summits, executive briefs, seminars, threat research papers, security blogs and threat assessments. Strategic intelligence provides industry related threat landscape details.

Strategic intelligence should align mostly with the Business and Risk requirements in the Section, Threat Intelligence Requirements, as well as meet the guidelines below:

Operational Intelligence

Operational Intelligence is still high-level intelligence but differs from strategic intelligence in that it is more focused on providing detail on the current threats and threat actors attacking KPMG. Over time this type of intelligence can be used to be more predictive. A key part of operational intelligence is Actor profiling, as described in the Section, Analysis. Actor profiling finds and categorizes commonalities in threat actors' Tactics, Techniques and Procedures into threat actor profiles.

Operational intelligence must align with both the ‘Business and Risk’ and ‘Adversary’ requirements defined in the Section, Threat Intelligence Requirements, and should provide insight into:

Tactical Intelligence

Tactical Intelligence is mainly indicator based, such as what you would get from threat indicator feeds. Tactical Intelligence can be either predictive or reactionary, but has little to no context around it and is used mainly to build GSOC Content. Typically, tactical intelligence will be accompanied by a strategic or operational intelligence report.

Operational Capability

It is important to align your collection and intelligence output with KPMG’s operational capability, meaning that the Threat Intelligence Analyst will not collect or analyse data that the GSOC or Member Firms have no use for. This is illustrated in Figure 3, in which the intelligence output exceeds what the KPMG GSOC can consume. APPENDIX A: Components of a Cyber Attack provides details of the indicators the KPMG GSOC and Member Firms can consume.

Situations will exist where Member Firms have more visibility into their environment than the GSOC does, meaning that the Member Firms may be able to consume more types of actionable intelligence than the GSOC alone. The Threat Intelligence Analyst must take this into consideration and update the Actionable Intelligence table in APPENDIX B: Actionable Intelligence.

Figure 3: Intelligence Output vs Consumers Operational Capability

Part of the Optimization phase is to analyse the current threat landscape as well as KPMG’s risk strategy and revise and update the requirement and collection strategy as appropriate.

3.1.2 Optimization

Optimization will focus on two key aspects of the Threat Intelligence Process.

In order for the Threat Analysis Team to assess its current state, it will compute the metrics below on a weekly basis. The Threat Intelligence Analyst may have to work with the Tooling Engineer and Level 2 Analyst in order to compute these metrics.

  • External Source Effectiveness (Hit Rate): how many detections came from external sources
  • Internal Source Effectiveness (Hit Rate): how many detections came from internal sources
  • P1/P2 incidents not detected by intelligence: how many high priority incidents were not detected by intelligence but by other means
  • False Positives associated with stale or bad intelligence: how many false positives were due to stale content and/or intelligence
  • Predictive vs Responsive intelligence: the ratio between predictive and responsive intelligence
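The weekly metrics above, computed over a constructed week of incident records, as an added example that is not part of the KPMG process document. The Incident record, its field names and the sample incidents are assumptions; a real GSOC would pull these fields from its ticketing system and the Threat Intelligence Platform.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# Added example, not the KPMG document's own tooling. The Incident record
# and its field names are hypothetical; a real GSOC would populate them from
# its ticketing system and the Threat Intelligence Platform.
@dataclass
class Incident:
    incident_id: str
    priority: str           # "P1" .. "P4"
    detected_by: str        # "external_intel", "internal_intel" or "other"
    false_positive: bool
    intel_stale: bool       # the content that fired was built on stale/bad intelligence
    intel_mode: str | None  # "predictive", "responsive", or None when no intelligence applied

def weekly_metrics(incidents: Iterable[Incident]) -> dict:
    """Compute the five optimization metrics from Section 3.1.2 for one week's incidents."""
    inc = list(incidents)
    total = len(inc)
    external = sum(i.detected_by == "external_intel" for i in inc)
    internal = sum(i.detected_by == "internal_intel" for i in inc)
    high = [i for i in inc if i.priority in ("P1", "P2")]
    missed_high = sum(i.detected_by == "other" for i in high)
    false_positives = [i for i in inc if i.false_positive]
    stale_fp = sum(i.intel_stale for i in false_positives)
    predictive = sum(i.intel_mode == "predictive" for i in inc)
    responsive = sum(i.intel_mode == "responsive" for i in inc)
    return {
        # Hit rates: share of all detections that came from each source type
        "external_hit_rate": external / total if total else 0.0,
        "internal_hit_rate": internal / total if total else 0.0,
        # High-priority incidents that intelligence did not catch
        "p1_p2_missed_by_intel": missed_high,
        "p1_p2_total": len(high),
        # False positives traceable to stale or bad intelligence
        "stale_intel_false_positives": stale_fp,
        # Kept as a (predictive, responsive) pair so a zero denominator stays visible
        "predictive_vs_responsive": (predictive, responsive),
    }

# Constructed sample week (not real incidents).
SAMPLE_WEEK = [
    Incident("INC-1", "P1", "external_intel", False, False, "predictive"),
    Incident("INC-2", "P2", "other", False, False, None),
    Incident("INC-3", "P3", "internal_intel", False, False, "responsive"),
    Incident("INC-4", "P4", "external_intel", True, True, "responsive"),
    Incident("INC-5", "P2", "external_intel", False, False, "responsive"),
]
```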

 

3.1.3 Threat Intelligence Optimization Model

The Threat Intelligence Analyst will identify gaps or requirement changes needed in order to be more efficient. In order to do so, they will have to review the inputs:

While reviewing these inputs, the Threat Intelligence Analyst should use the below Optimization Model as a guide.

Figure 3: Threat Intelligence Optimization Model

3.2 Collection

In the collection phase the Threat Intelligence Analyst uses internal and external sources and open source research to collect and normalize actionable intelligence. The information that is collected should align with the Threat Intelligence requirements and operational capability defined in the phase, Direction and Optimization; otherwise it is not usable intelligence.

As set in the Threat Intelligence Collection Strategy, the Threat Intelligence Analyst will collect the three types of intelligence defined there: strategic, operational and tactical.

3.2.1 Collection Sources

There are three types of sources KPMG will collect intelligence from:

3.2.2 Collection Process

For all data collected, either externally or internally, the Threat Intelligence Analyst will determine what format the intelligence is in and then extract the intelligence from that format, either with existing parsers or manually. The formats in which data can arrive are shown below.

Figure 4: Threat Intelligence Collection Formats

After determining the format of the data, the Threat Intelligence Analyst will normalize the data. This can be done by using a parser that exists or can easily be created to extract the intelligence or it can be done via a manual process.

For file formats such as malicious binaries or PCAPs that have been collected, malware analysis will be performed to extract and then normalize the data.

Figure 5: Threat Intelligence Collection

Normalization of data will ensure extracted intelligence is in the proper format for analysis as shown below.

Table 1: Normalized Data

  • IP Address: xxx.xxx.xxx.xxx
  • Domain Names: www.hostname.com
  • URLs: hxxp://host.com/sub
  • User-Agents: (not specified)
  • MD5 Hash: (not specified)
  • Protocol: (not specified)
  • Email DNS: (not specified)

3.3 Intelligence Triage

In the Intelligence Triage stage the Analyst will assign a confidence rating. The confidence rating will be rated as High, Reasonable or Low and can be assessed using the below criteria.

Figure 6: Threat Intelligence Classification Taxonomy

The confidence rating will provide guidance on the format and timing of the intelligence to be disseminated. For example, for intelligence that is rated high, the Threat Intelligence Analyst may decide to release strategic intelligence for awareness as well as tactical intelligence to create alerts. For intelligence that is rated low, it may be decided to only create strategic intelligence and not create tactical intelligence as it would be more prone to false positives.

3.4 Analysis

In the analysis phase, the Threat Intelligence Analyst will take the normalized data from the collection phase and classify the attack components into a new or existing intrusion set. Additional details on attack components can be found in the APPENDIX B: Actionable Intelligence section.

For any actionable intelligence from external sources the Threat Intelligence Analyst must also perform historical searches to determine whether the threat is or was active in the environment and, if so, must open a new security incident with the Level 1 Analysts.

Figure 7: Threat Intelligence Analysis
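The normalization step from Table 1 and the historical search described above, as one added example that is not code from the KPMG process document: feed entries in mixed formats are refanged, classified and normalized (IPs as dotted quads, domains as bare hostnames, URLs in the defanged hxxp:// form), and the normalized indicators are then searched for in constructed proxy log lines. The helper names, the log line format and all sample values are assumptions.

```python
from __future__ import annotations
import re
from ipaddress import ip_address

# Added example (not the KPMG document's own tooling). Normalized forms follow
# Table 1: IPs as dotted quads, domains as bare hostnames, URLs defanged with
# the hxxp:// scheme so they are never clickable in a report.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")

def refang(value: str) -> str:
    """Undo common feed defanging so entries from different sources compare equally."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", v)

def normalize(raw: str) -> tuple[str, str]:
    """Return (artefact_type, normalized_value) for one collected indicator."""
    v = refang(raw)
    if MD5_RE.match(v):
        return "md5", v
    if v.startswith(("http://", "https://")):
        scheme, rest = v.split("://", 1)
        return "url", "hxxp" + scheme[4:] + "://" + rest   # hxxp://host.com/sub
    try:
        return "ip", str(ip_address(v))
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain", v
    return "unknown", v   # left for manual normalization by the analyst

# Constructed proxy log lines (hypothetical format, not real data).
SAMPLE_LOGS = [
    "2023-01-05T10:01:02Z src=10.0.0.5 dst=198.51.100.7 host=bad.example.com uri=/sub",
    "2023-01-05T10:02:17Z src=10.0.0.9 dst=203.0.113.44 host=cdn.example.org uri=/",
]

def historical_search(indicators: list[tuple[str, str]], logs: list[str]) -> dict[str, list[str]]:
    """Map each normalized indicator to the log lines it appears in; any hit is
    the trigger for opening a new security incident with the Level 1 Analysts."""
    hits: dict[str, list[str]] = {}
    for typ, val in indicators:
        # URLs are matched on their host, so the defanged scheme never has to appear in logs
        needle = val.split("://", 1)[1].split("/", 1)[0] if typ == "url" else val
        matched = [line for line in logs if needle in line]
        if matched:
            hits[val] = matched
    return hits
```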

3.4.1 Threat Actor Profiling

Once the indicators are pulled, centralized and normalized, the Threat Intelligence Analyst will perform Threat Actor Profiling. This is a key component of building operational intelligence, as defined in the Section Threat Intelligence Collection Strategy. Threat Actor Profiling achieves the below:

Threat Actor Profiling will take the actionable intelligence extracted, as well as any other additional context of the incident, and categorize each attack using the categories outlined in Figure 8: Actor Attribution Categories and Examples. Over a period of time, the Threat Intelligence team will have comprehensive profiles on their adversaries. With this profile, KPMG will be in a better position to detect the incident earlier on the Cyber Kill Chain or predict future attacks.

Figure 8: Actor Attribution Categories and Examples

3.5 Dissemination

Dissemination is the reporting and action on the actionable intelligence collected, triaged and analysed. Dissemination will take the form of either strategic intelligence or tactical intelligence that will be used on security devices for detection or prevention. All data being shared needs to adhere to the Traffic Light Protocol (TLP) shown below.

Figure 9: Traffic Light Protocol (https://www.us-cert.gov/tlp)

If the intelligence is from external sources, then it must keep the same TLP rating that was assigned to it at the time of collection. Internal intelligence must be assigned the appropriate TLP rating.

The below matrix shows the three types of output the Threat Intelligence team will use:

Figure 10: Threat Intelligence Dissemination Types

Figure 11: Dissemination Workflow


4 APPENDIX A: Components of a Cyber Attack

Threat Intelligence requires a global understanding of the components of a cyber-attack. Those components are defined in the table below. The Threat Intelligence Analyst will use these components to attribute attacks to particular intrusion sets.

Table 2: Components of a Cyber Attack

  • Attackers: Attackers can be categorized as criminals (petty criminals, organized crime), nation state actors (cyber espionage) or non-state actors (terrorists).
  • Targets: Attack on a specific industry, high-value asset(s), Intellectual Property or Suppliers/Vendors.
  • Frequency: Frequency of attacks categorized by vectors and by employees and employee groups.
  • Motivations: Motivations for the attack should align with the attackers and target and can include financial gain, competitive advantage, national advantage or outright cyber warfare, terrorism or nuisance.
  • Malware Components: The classification, function and unique identifiers of malware used in the attack.
  • Avenues of Attack: Also referred to as Infection Vector, this is how the attack enters your network. This would include vectors such as spear-phishing, zero-day attacks, drive-bys and watering holes.
  • Command and Control Infrastructure: The method by which the malware and threat actors establish, maintain and use a connection between the compromised host and the remote server(s).
  • Lateral Movement: After a threat actor has a foothold in your environment they will use certain tactics and tools in order to navigate through your organization. These tactics and tools range from using common password dumping tools such as GSECDump to capturing the AD database.
  • Objectives/Intent: This is where the threat actor acts on their objectives by identifying the data matching those objectives and possibly sending that data to external servers.

 

5 APPENDIX B: Actionable Intelligence

Actionable intelligence consists of host or network artefacts that support the premise that a threat exists.

Below is a table of the current types of actionable intelligence that the KPMG GSOC and Member Firms have visibility into. This table is to be updated as the GSOC and Member Firms gain more visibility. The table separates the actionable intelligence into nine categories: General Host Indicators, General Network Indicators, File Indicators, Email Indicators, DNS Indicators, HTTP Request Indicators, HTTP Response Indicators, PDF Indicators and X509 Certificate.

Each one of these categories contains the actual artefacts that either the KPMG GSOC or its Member Firms have visibility into and can create alerts on.

Legend (entity with visibility):
  • GSOC and Member Firms
  • US Member Firm
  • Canada Member Firm

Table 3:  KPMG Actionable Intelligence Types

  • General Host Indicators: Usernames
  • General Network Indicators: IPv4, IPv6, Domain Name, Communication Protocol, URL, Communication Port
  • File Indicators: MD5, File Name, File Extension
  • Email Indicators: Attachment File Name, From, Subject, Sender, Reply To, Content Type, MIME Version, User Agent, X Mailer, X Originating IP, X Priority, Attachment MD5
  • DNS Indicators: Domain Name (FQDN), IP address, Entry Type, Record Name, Record Type, TTL, Flags, Data Length, TLD
  • HTTP Request Indicators: Accept, Cookie, Date, Host, If Modified Since, If Unmodified Since, Proxy Authorization, User Agent
  • HTTP Response Indicators: N/A
  • PDF Indicators: N/A
  • X509 Certificate: N/A
