This blog series was written jointly with Amine Besson, Principal Cyber Engineer, Behemoth CyberDefence and one more anonymous collaborator. In this blog (#5 in the series), we will build a quick “framework-lite” for making CTI to DE flows better.
This article discusses three organizational models for integrating an existing threat intelligence (CTI) team with the detection engineering function for optimum detection work. Operating Model 1 is where CTI feeds the SOC/Detection Engineering team, but this setup is prone to silo problems and finger pointing. Operating Model 2 is where CTI feeds a mini-CTI inside the SOC/DE team, which allows for shorter turnaround times and better understanding of processes. Operating Model 3 is the Cyber Fusion Center model, which restructures the CTI, SOC, Hunting, and CSIRT/IR functions into a single cross-functional organization.
The article also provides some key markers of helpful intel that lead to better detection engineering. Such intel should focus on describing a single threat; be specific to the technologies, protocols, OS, and device type involved; and call out unique characteristics that help isolate invariable behaviors. It should also show relevance to the organization's IT estate and crown jewels, explain concepts in clear English, be delivered as a knowledge base item, and arrive at a set frequency.
When DE and CTI are able to work together in a common flow, it improves the development and delivery of new detections, improves evaluation of actual detection coverage, and boosts the team's competence in understanding cyber threats. The next blog post will explore how to break down intel into detections.
📓 Frameworks for DE-Friendly CTI (Part 5)
👉🏽 Three organizational models for integrating CTI and detection engineering for optimum detection work.
👉🏽 Operating Model 1: CTI feeds the SOC/Detection Engineering team; prone to silo problems and finger pointing.
👉🏽 Operating Model 2: CTI feeds a mini-CTI inside the SOC/DE team; shorter turnaround times and better understanding.
👉🏽 Operating Model 3: Cyber Fusion Center model, restructuring the CTI, SOC, Hunting, and CSIRT/IR functions.
👉🏽 Key markers of helpful intel for improved detection engineering.
👉🏽 Single threat focus, specific to technologies, protocols, OS, and device type.
👉🏽 Display unique characteristics for isolating invariable behaviors.
👉🏽 Relevance to the organization's IT estate and crown jewels, explained in clear English.
👉🏽 Delivery as a knowledge base item and at a set frequency.
👉🏽 A common flow between DE and CTI improves development, delivery, and competence in understanding cyber threats.
#ThreatIntelligence #DetectionEngineering #OrganizationalModels #CyberFusionCenter #IntelligenceMarkers