Threat Intelligence Process
This document is intended to define the process that the Threat Intelligence Analyst will use for the collection, aggregation and dissemination of intelligence.
The GSOC Threat Intelligence Process applies to the GSOC only. The frequency with which the supporting processes are performed is documented in Upstream (Dependent) Processes and Downstream (Affected) Processes.
This document does not go into elaborate detail, provide low-level technical procedures, or address all potential outcomes or failure cases. Analysts are expected to maintain and rely on technical work notes and controls to guide their execution of this process, and are expected to use their best judgement when minor adaptations are needed to execute actions.
KPMG GSOC Management owns this document and is responsible for ensuring that it is updated and maintained in response to feedback from GSOC Analysts.
All members involved with the GSOC Threat Intelligence function must read and understand this process.
This document should be reviewed on an annual basis, or any time that the Constraints or Assumptions are believed to have changed.
The GSOC Deputy Manager or GSOC Manager can authorize exceptions to this process. Documentation of any process exceptions must be provided to GSOC management for process modifications.
Failure to adhere to this process must be reported directly to the Deputy GSOC Manager or a Level 3 (L3) analyst.
The following roles have overall responsibility for elements of this process. Please note that this is not a comprehensive listing of the responsibilities of each role; it represents each role's specific responsibilities in support of the process.
- Oversight and exception approvals
- Approval of Threat Intelligence Process Requirement and Collection Strategy Changes
- Approval of new or changes to external feeds
- Oversight and exception approvals
- Overall responsibility for Threat Intelligence Process
- Receives tactical intelligence from Threat Intelligence Team
- Provides incident data to Threat Intelligence Team
- Receives Strategic Intelligence from Threat Intelligence Team
- Provides incident data to Threat Intelligence Team
- Receives Strategic Intelligence from Threat Intelligence Team
- Threat Intelligence Platform
- KPMG – CRITs sources
- KPMG GSOC Job Description
- Reporting Service
- Optimization Detection Process
The Threat Intelligence team will define the collection, analysis and dissemination of data from either internal or external sources to determine if there is a threat to your environment.
This can be broken down into five stages:
These stages are further defined in the Threat Intelligence Process.
Figure 1: Threat Intelligence Process Stages
As referenced in the KPMG GSOC Job Description document, the role and responsibilities of the Threat Intelligence Analyst, as they relate to the Threat Intelligence team, are to provide technical insight into current and emerging threat activity, establishing the extent of threats and assessing impact to the business.
The responsibilities as they relate to the Threat Intelligence team are as follows:
KPMG will use CRITs as its Threat Intelligence Platform; refer to “Threat Intelligence Platform” for how it will be used and integrated into the GSOC and Threat Intelligence process.
This section defines the expected actions and outputs for each stage of the Threat Intelligence Process, as displayed below:
Figure 2: Threat Intelligence Process Stages
Direction sets the foundational components of the threat intelligence process. It defines the requirements of the Threat Intelligence Process. With well-defined requirements, a collection strategy can then be formed to align with those specific requirements.
On a regular basis the Threat Intelligence Team must define their objectives and requirements. These requirements provide guidance on what type of data to collect. In order to define the requirements, the Threat Intelligence Team must answer the questions below:
Business and Risk
After defining the requirements the Threat Intelligence Team needs to define a collection strategy that collects both tactical and strategic intelligence.
Strategic intelligence is high-level descriptive intelligence from security summits, executive briefs, seminars, threat research papers, security blogs and threat assessments. Strategic intelligence provides industry related threat landscape details.
Strategic intelligence should align mostly with the Business and Risk requirements in the Section Threat Intelligence Requirements, and meet the guidelines below:
Operational Intelligence is still high-level intelligence but differs from strategic intelligence in that it is more focused on providing detail on the current threats and threat actors attacking KPMG. Over time this type of intelligence can be used to be more predictive. A key part of operational intelligence is Actor profiling, as described in the Section Analysis. Actor profiling finds and categorizes commonalities in threat actors' Tactics, Techniques and Procedures into threat actor profiles.
Operational intelligence must align with both the ‘Business and Risk’ and ‘Adversary’ requirements defined in the Section, Threat Intelligence Requirements and should provide insight into:
Tactical Intelligence is mainly indicator based, such as what you would get from threat indicator feeds. Tactical Intelligence can be either predictive or reactionary, but has little to no context around it and is used mainly to build GSOC Content. Typically, tactical intelligence will be accompanied by a strategic or operational intelligence report.
It is important to align your collection and intelligence output with KPMG’s operational capability, meaning that the Threat Intelligence Analyst will not collect or analyse data that the GSOC or Member Firms have no use for. This is illustrated in Figure 3, in which the intelligence output is more than the KPMG GSOC can consume. APPENDIX A: Components of a Cyber Attack provides details of the indicators the KPMG GSOC and Member Firms can consume.
Situations will arise where Member Firms have more visibility into their environment than the GSOC does, meaning that the Member Firms may be able to consume more types of actionable intelligence than the GSOC alone. The Threat Intelligence Analyst must take this into consideration and update the Actionable Intelligence table in APPENDIX B: Actionable Intelligence.
Figure 3: Intelligence Output vs Consumers Operational Capability
Part of the Optimization phase is to analyse the current threat landscape as well as KPMG’s risk strategy and revise and update the requirement and collection strategy as appropriate.
Optimization will focus on two key aspects of the Threat Intelligence Process.
In order for the Threat Analysis Team to assess their current state, they will compute the below metrics on a weekly basis. The Threat Intelligence Analyst may have to work with the Tooling Engineer and Level 2 Analyst in order to compute these metrics.
| Metric | Description |
|---|---|
| External Source Effectiveness (Hit Rate) | How many detections came from external sources |
| Internal Source Effectiveness (Hit Rate) | How many detections came from internal sources |
| P1/P2 incidents not detected by intelligence | How many high priority incidents were not detected by intelligence but by other means |
| False Positives associated with stale or bad intelligence | How many false positives were due to stale content and/or intelligence |
| Predictive vs Responsive intelligence | What is the ratio between predictive and responsive intelligence |
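As an added illustration (not part of the GSOC process or its tooling), the following Python computes the five weekly metrics above from a constructed set of detection records. The record fields, the "other" source value for detections that did not come from intelligence, and the choice of all detections in the week as the hit-rate denominator are assumptions.

```python
from collections import Counter

# Constructed week of detection records (not real data). Fields are assumptions:
# source that produced the detection (external / internal intelligence, or "other"
# means such as a user report), priority, whether the detection was a false positive
# caused by stale intelligence, and whether the intelligence was predictive or responsive.
WEEK = [
    {"id": "INC-1", "source": "external", "priority": "P1", "stale_fp": False, "mode": "predictive"},
    {"id": "INC-2", "source": "internal", "priority": "P3", "stale_fp": False, "mode": "responsive"},
    {"id": "INC-3", "source": "other",    "priority": "P2", "stale_fp": False, "mode": None},
    {"id": "INC-4", "source": "external", "priority": "P4", "stale_fp": True,  "mode": "responsive"},
    {"id": "INC-5", "source": "internal", "priority": "P1", "stale_fp": False, "mode": "predictive"},
    {"id": "INC-6", "source": "other",    "priority": "P1", "stale_fp": False, "mode": None},
]

def _rate(numerator, denominator):
    """Share of detections, guarded so an empty week reports 0.0 instead of failing."""
    return round(numerator / denominator, 3) if denominator else 0.0

def weekly_metrics(records):
    """Compute the five weekly metrics; hit rate is taken over all detections that week."""
    total = len(records)
    by_source = Counter(r["source"] for r in records)
    high_priority = [r for r in records if r["priority"] in ("P1", "P2")]
    predictive = sum(1 for r in records if r["mode"] == "predictive")
    responsive = sum(1 for r in records if r["mode"] == "responsive")
    return {
        "external_hit_rate": _rate(by_source["external"], total),
        "internal_hit_rate": _rate(by_source["internal"], total),
        # high-priority incidents found by other means, i.e. not by intelligence
        "p1_p2_not_detected_by_intel": sum(1 for r in high_priority if r["source"] == "other"),
        "stale_intel_false_positives": sum(1 for r in records if r["stale_fp"]),
        "predictive_vs_responsive": f"{predictive}:{responsive}",
    }
```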
The Threat Intelligence Analyst will identify gaps or requirement changes needed in order to be more efficient. In order to do so, they will have to review the inputs:
While reviewing these inputs, the Threat Intelligence Analyst should use the below Optimization Model as a guide.
Figure 3: Threat Intelligence Optimization Model
In the collection phase the Threat Intelligence Analyst uses internal and external sources and open source research to collect and normalize actionable intelligence. The information collected should align with the Threat Intelligence requirements and operational capability defined in the Direction and Optimization phases; otherwise it is not usable intelligence.
As set out in the Threat Intelligence Collection Strategy, the Threat Intelligence Analyst will collect the three types of intelligence below:
3.2.1 Collection Sources
There are three types of sources KPMG will collect intelligence from:
3.2.2 Collection Process
For all data collected, either externally or internally, the Threat Intelligence Analyst will determine what format the intelligence is in and then extract the intelligence from that format, using existing parsers or manually. Below are the different formats the data can be in.
Figure 4: Threat Intelligence Collection Formats
After determining the format of the data, the Threat Intelligence Analyst will normalize the data. This can be done by using a parser that exists or can easily be created to extract the intelligence or it can be done via a manual process.
For file formats such as malicious binaries or PCAPs that have been collected, malware analysis will be performed to extract and then normalize the data.
Figure 5: Threat Intelligence Collection
Normalization of data will ensure extracted intelligence is in the proper format for analysis as shown below.
Table 1: Normalized Data
In the Intelligence Triage stage the Analyst will assign a confidence rating. The confidence rating is High, Reasonable or Low and is assessed using the criteria below.
Figure 6: Threat Intelligence Classification Taxonomy
The confidence rating will provide guidance on the format and timing of the intelligence to be disseminated. For example, for intelligence that is rated high, the Threat Intelligence Analyst may decide to release strategic intelligence for awareness as well as tactical intelligence to create alerts. For intelligence that is rated low, it may be decided to only create strategic intelligence and not create tactical intelligence as it would be more prone to false positives.
In the analysis phase, the Threat Intelligence Analyst will take the normalized data from the collection phase and classify the attack components into a new or existing intrusion set. Additional details on attack components can be found in APPENDIX B: Actionable Intelligence section.
For any actionable intelligence from external sources the Threat Intelligence Analyst must also perform historical searches to determine if the threat is or was active in the environment and, if so, must open a new security incident with the Level 1 Analysts.
Figure 7: Threat Intelligence Analysis
3.4.1 Threat Actor Profiling
Once the indicators are pulled, centralized and normalized, the Threat Intelligence Analyst will perform Threat Actor Profiling. This is a key component of building operational intelligence, as defined in the Section Threat Intelligence Collection Strategy. Threat Actor Profiling achieves the following:
Threat Actor Profiling takes the actionable intelligence extracted, as well as any other additional context of the incident, and categorizes each attack using the categories outlined in Figure 8: Actor Attribution Categories and Examples. Over a period of time, the Threat Intelligence team will have comprehensive profiles of their adversaries. With these profiles, KPMG will be in a better position to detect an incident earlier in the Cyber Kill Chain or to predict future attacks.
Figure 8: Actor Attribution Categories and Examples
Dissemination is the reporting and action on the actionable intelligence collected, triaged and analysed. Dissemination will take the form of either strategic intelligence or tactical intelligence that will be used on security devices for detection or prevention. All data being shared needs to adhere to the Traffic Light Protocol (TLP) shown below.
Figure 9: Traffic Light Protocol (https://www.us-cert.gov/tlp)
If the intelligence is from external sources, then it must keep the same TLP rating that was assigned to it at the time of collection. Internal intelligence must be assigned the appropriate TLP rating.
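As an added example (not part of the KPMG process or of CRITs), the following Python sketch ties normalization, confidence-based triage and TLP handling together: it maps artefacts from a constructed external feed onto the Table 3 categories, keeps the TLP each record was collected under, and derives the dissemination type from the confidence rating. The feed format, field names, the detection patterns and the handling of the Reasonable rating are assumptions.

```python
import csv
import re
from dataclasses import dataclass
# Constructed external feed (not a real source): indicator, the TLP it was shared
# under, and the feed's own confidence. External records keep their TLP as collected.
EXTERNAL_FEED = """indicator,source_tlp,confidence
198.51.100.23,AMBER,High
bad-example.test,GREEN,Low
d41d8cd98f00b204e9800998ecf8427e,AMBER,Reasonable
"""
TLP_LABELS = {"RED", "AMBER", "GREEN", "WHITE"}  # labels of the US-CERT TLP cited above
@dataclass
class NormalizedIndicator:
    category: str    # Table 3 column, e.g. "General Network Indicators"
    subtype: str     # Table 3 row, e.g. "IPv4"
    value: str
    tlp: str         # kept from the source (external) or assigned by the analyst (internal)
    confidence: str  # High / Reasonable / Low

# Order matters: a dotted IPv4 address would also satisfy the domain pattern.
_PATTERNS = [
    ("General Network Indicators", "IPv4", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),
    ("File Indicators", "MD5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("Email Indicators", "From", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("General Network Indicators", "Domain Name", re.compile(r"^(?!-)[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)),
]

def classify(value):
    """Map a raw artefact to a Table 3 category/subtype; None if the GSOC cannot consume it."""
    for category, subtype, pattern in _PATTERNS:
        if pattern.match(value):
            return category, subtype
    return None

def normalize_external(csv_text):
    """Parse an external feed, dropping artefacts outside Table 3 and keeping each record's TLP."""
    out = []
    for row in csv.DictReader(csv_text.splitlines()):
        value, hit = row["indicator"].strip(), classify(row["indicator"].strip())
        if hit is None:
            continue  # outside current visibility (Table 3): not actionable intelligence
        tlp = row["source_tlp"].strip().upper()
        if tlp not in TLP_LABELS:
            raise ValueError(f"unknown TLP on external record {value!r}: {tlp}")
        out.append(NormalizedIndicator(hit[0], hit[1], value, tlp, row["confidence"].strip()))
    return out

def dissemination_plan(ind):
    """High confidence: strategic report plus tactical content; Low: strategic only.
    Treating Reasonable like High is an assumption, not a rule from the process."""
    return ["strategic", "tactical"] if ind.confidence in ("High", "Reasonable") else ["strategic"]
```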
The below matrix shows the three types of output the Threat Intelligence team will use:
Figure 10: Threat Intelligence Dissemination Types
Figure 11: Dissemination Workflow
Threat Intelligence requires a global understanding of the components of a cyber-attack. Those components are defined in the table below. The Threat Intelligence Analyst will use these components to attribute attacks to certain intrusion sets.
Table 2: Components of a Cyber Attack
| Component | Description |
|---|---|
| Attackers | Attackers can be categorized as criminals (petty criminals, organized crime), nation state actors (cyber espionage) or non-state actors (terrorists) |
| Targets | Attack on a specific industry, high value asset(s), intellectual property or suppliers/vendors |
| Frequency | Frequency of attacks categorized by vectors and by employees and employee groups |
| Motivations | Motivations for the attack should align with the attackers and target and can include financial gain, competitive advantage, national advantage or outright cyber warfare, terrorism or nuisance |
| Malware Components | The classification, function and unique identifiers of malware used in the attack |
| Avenues of Attack | Also referred to as the infection vector, this is how the attack enters your network. This would include vectors such as spear-phishing, zero-day attacks, drive-bys and watering holes. |
| Command and Control Infrastructure | The method by which the malware and threat actors establish, maintain and use a connection between the compromised host and the remote server(s) |
| Lateral Movement | After a threat actor has a foothold in your environment they will use certain tactics and tools to navigate through your organization. These tactics and tools range from common password dumping tools such as GSECDump to capturing the AD database. |
| Objectives/Intent | This is where the threat actor acts on their objectives by identifying the data that matches those objectives and possibly sending that data to external servers |
Actionable intelligence is host or network artefacts that support the premise that a threat exists.
Below is a table of the current types of actionable intelligence that the KPMG GSOC and Member Firms have visibility into. This table is to be updated as the GSOC and Member Firms gain more visibility. The Table separates the actionable intelligence into nine categories:
Each one of these categories contains the actual artefact that either the KPMG GSOC or its member firms have visibility into and can create alerts based on.
|GSOC and Member Firms|
|US Member Firm|
|Canada Member Firm|
Table 3: KPMG Actionable Intelligence Types
| General Host Indicators | General Network Indicators | File Indicators | Email Indicators | DNS Indicators | HTTP Request Indicators | HTTP Response Indicators | PDF Indicators | X509 Certificate |
|---|---|---|---|---|---|---|---|---|
| Usernames | IPv4 | MD5 | Attachment File Name | Domain Name (FQDN) | Accept | N/A | N/A | N/A |
| | IPv6 | File Name | From | IP address | Cookie | | | |
| | Domain Name | File Extension | Subject | Entry Type | Date | | | |
| | Communication Protocol | | Sender | Record Name | Host | | | |
| | URL | | Reply To | Record Type | If Modified Since | | | |
| | Communication Port | | Content Type | TTL | If Unmodified Since | | | |
| | | | MIME Version | Flags | Proxy Authorization | | | |
| | | | User Agent | Data Length | User Agent | | | |
| | | | X Originating IP | | | | | |