How Deepwatch Approaches Cyber Threat Intelligence
By Eric Ford
What is Cyber Threat Intelligence?
Cyber threat intelligence is the process and product resulting from interpreting raw data into information that meets a requirement related to adversaries with the intent, opportunity, and capability to harm.
Cyber threat intelligence comprises the collection, processing, analysis, and dissemination of information from all intelligence sources on threat actors’ cyber programs, intentions, capabilities, research and development, tactics, targets, operational activities, and indicators, and their impact or potential effects on organizational interests. Cyber threat intelligence also includes information on threat actors’ information systems, infrastructure, and data, as well as network characterization: insight into the components, structure, use, and vulnerabilities of threat actors’ information systems.
Deepwatch Intelligence Process & Methodology
At Deepwatch, the traditional intelligence cycle is the fundamental process we use to turn information into intelligence. The stages of the intelligence cycle are requirements gathering, planning, and direction; collection and processing of the necessary data; and analysis and production of the intelligence product. Finally, we complete the cycle when decision-makers provide feedback and we revise the requirements. In this way, the intelligence cycle turns raw information into relevant and actionable intelligence.
Requirements Gathering, Planning, and Direction
The Deepwatch Threat Intelligence team’s mission is to provide intelligence that drives effective business decisions. We derive requirements from a combination of shifts in the cybersecurity landscape and customers’ business needs.
Collection & Processing
Deepwatch collects data through various methods, including open-source and organic (internal) intelligence. Collected data is processed and then ingested into a centralized system for analysis.
Analysis & Production
Threat Intelligence Analysts examine and evaluate all the information collected, add context as needed, and integrate it into a complete finished intelligence product. These products include assessments of events and estimates about the developing threat landscape.
Often these assessments and estimates include alternative scenarios and, when appropriate, warn customers about possible developments in the threat landscape. Furthermore, intelligence gaps are identified and used as the basis for additional requirements for further collection.
Relevant intelligence is disseminated both within Deepwatch and to our customer base through various mechanisms, including but not limited to weekly Cyber Intelligence Briefings, alerting, and time-sensitive Advisory Reports.
Feedback and Evaluation
Feedback and evaluation receive the most attention after we have completed the analysis and disseminated the final product, but they are a continuous process that occurs at every stage of the intelligence lifecycle. This process is essential to ensure that the intelligence we produce delivers cybersecurity operational value and drives strategic business decisions.
Tracking of Threat Activity
The Deepwatch Threat Intel Team assigns Threat Activity Cluster designations (TAC-###) to clusters of threat activity observed during incident response engagements, so that similar activity can be tracked across multiple engagements.
An Explanation of Estimative Language and Analytic Confidence
To convey analytical assessments and estimates, the Threat Intel Team uses phrases like “assess” and “estimate,” as well as probabilistic terms like “could” and “likely.” Such statements are assessments and judgments, not facts, proof, or certain knowledge. Instead, these evaluations and judgments rest on assumptions or prior assessments and are often drawn from incomplete or fragmentary data.
To convey the possibility or probability of our hypothesis, the Deepwatch Threat Intel Team employs probabilistic language in our assessments. Because analytical assessments are not certain, we use terms to denote that our hypothesis has a lower or greater than even chance of possibility or probability.
For instance, terms like unlikely, improbable, highly unlikely, or highly improbable denote that our hypothesis has a lower than even chance of possibility or probability. Likewise, words like likely, probable, highly likely, or highly probable indicate that our hypothesis has a higher than even chance of possibility or probability.
Furthermore, a “roughly even chance” denotes that our hypothesis has a roughly 50% possibility or likelihood of occurring. In addition, terms such as “might,” “could,” or “may” reflect situations in which we are unable to assess the likelihood, generally because relevant information is unavailable, sketchy, or fragmented.
We assign high, moderate, or low confidence to our assessments and estimates by weighing the following factors: the complexity of the analytical task; the robustness, number, and applicability of the analytic techniques employed, and the degree to which their results coincide; overall source reliability; the degree of corroboration and agreement among sources when multiple sources are available; analyst collaboration, expertise, and experience on the subject matter or topic; and, finally, any time pressures and deadlines faced by the analyst.