Aha! So you got the cart but forgot the horse!!!! Classic mistake: your organization seems to be in trouble, but you're not alone! Everyone else is just like you, so well done for asking the question.
The answer, of course, starts with people and processes. You need people with the following knowledge, skills, and abilities to complete the following activities for each set of procedures:
- All-Source Analyst
- Mission Assessment Specialist
- Exploitation Analyst
- Multi-Disciplined Language Analyst
- Target Developer
- Target Network Analyst
- Threat/Warning Analyst
- All-Source Collection Manager
- All-Source Collection Requirements Manager
- Cyber Intel Planner
- Cyber Ops Planner
- Cyber Operator
The answer doesn't end there, I imagine. Yes, there are technology solutions to your problem, but they are not clear-cut. Most organizations (e.g., banks) that have implemented something like an All-Source analysis procedure, which includes a collection strategy, standard collection formats and processing requirements, as well as analysis production, know that a solid fusion of infrastructure, social, individual, and instructional capital is needed to get the program off the ground.
The technology platform answers I received above follow a certain paradigm. There is no single, easy answer. It is developed mostly through rigor that avoids the ad hoc nature of IT and R&D. Yet, at the same time, they're just a bunch of random utilities randomly wired together through an integration pipeline. It's a toolchain without a toolbox in a very, very chaotic garage.
(In no particular order):
Putting it all together doesn't look like anything in particular, but maybe something like this OSINT with Scrumblr post. Actually, maybe it looks more like this Jumping to OSINT Conclusions with Hunchly post. Or both. Or neither.
The goals and objectives of a program are, often, in fact, to work backwards from the nightmare scenario and prevent it by implementing some stricter controls in phases, so that the organization doesn't swallow the opportunity cost all at once and can invest gradually (keeping the wheels on, so to speak). So, if you want to see what Good looks like ahead of time, be sure to check out this resource:
Also, there are rules of thumb for the 4 main components I described above:
Collection Strategy
Constant monitoring of every possible piece of data to a high degree of detail is not technically feasible. An intelligence function must shape its collection strategy according to: 1) breadth vs. depth, a balance between detailed but narrow and broad but shallow; 2) monitoring frequency, long enough not to incur unnecessary expense or undue delay while sufficiently short that corrections can be made before deterioration.
- Periodic monitoring: Inspecting the environment at a regular frequency, which may entail minutes or months or more
- Event-driven monitoring: Inspecting the environment in an ad-hoc manner that is driven by specific events occurring, or expected to occur
- Analysis-driven monitoring: Monitoring or inspecting the environment in an ad-hoc manner that is determined by the current state of analysis
Collection Standard Formats
MISP Galaxy provides standard formats for continuous, end-of-day, and/or end-of-week reporting on Collection work products. Typically, these are referred to as Standard Technical Reports Using Modules (STRUMs), or end-of-day formatted reports that detail all intelligence collected from sources.
In the past, STIX was proposed as the standard for sharing purposes, but STIX 2 recently emerged and is available in MISP Galaxy and the ATTACK-Python-Client. VERIS, another larger standard, is also available in MISP Galaxy. Let the tool do its job, but otherwise I have no specific guidance around which standard(s) your org selects.
Processing Requirements
Both SIEMs and TIPs (Threat Intelligence Platforms) play vital roles in this phase of the cycle, perhaps also the most important and time-consuming phase (although ideally the heavy lifting is automated). SIEMs can aid in correlation of many variables and parameters, but cannot correlate everything alone, especially not all data types that are relevant to intel analysts. The rigid framework of the data that can be populated into SIEMs limits the types of data that can be used for automated analysis. TIPs help fill those gaps when it comes to machine-readable threat intelligence (MRTI) data ingestion and handling. Because TIPs aggregate multiple types of intelligence sources, they tend to be more flexible in their data structures than SIEMs. This allows analysts to ingest threat intelligence in different forms, often structured and unstructured. Despite the less-structured nature of the data that is input into the platform, TIPs can produce results in a structured manner that can then be delivered to SIEMs or other platforms to provide context and actionable results.
Automation in the Processing Cycle
Valuable data processing functions include: parsing, filtering, correlating, deduplicating, and aggregating.
Processing that can't be handled by point solutions can instead be worked through a data-science pipeline such as Splunk SPL, Splunk MLTK, Python Pandas, or Apache Drill.
Analysis Production
During the analysis phase, raw data is transmuted into information in the form of trends, patterns, sequences, clusters, and so on. This is attained via a sequence of primitive inferences such as selection, cataloging, abstraction, specification, assessment, matching, instantiation, correlation, and transformation. If the information generated during the analysis phase provides sufficient understanding for avoiding or deterring a threat (or alleviating any harmful event), then it can be termed intelligence. The analysis comprises facts, findings, and forecasts that define the element of study and allow the assessment and anticipation of events and outcomes. The analysis must be timely, objective, and, most importantly, accurate. To generate intelligence objectively, analysts apply 4 types of reasoning -- deduction, induction, abduction, and the scientific method. The analysis stage also requires well-trained and specialized skills that allow analysts to give meaning to the processed data and to prioritize it against known requirements.
Up to this point in the intelligence cycle work, the discussion has revolved around raw data. Even third-party threat intelligence ingested into platforms is just data at this point. The production phase of the intelligence cycle is where the raw data becomes actual threat intelligence, not just machine-readable threat intelligence (MRTI). Production is the process of turning the raw collected data (which may or may not include MRTI) into finished intelligence (FINTEL). Production can take many forms, each with a specific purpose and audience in mind. Traditionally, the production phase involved the creation of reports that could be delivered to customers as part of the dissemination and feedback phase. Report production is still an important part of the intelligence cycle and a critical function of the threat intelligence team.
The whole point of this intelligence cycle work is to go from the requirements phase through processing, production, and dissemination in a cohesive manner.
Analysis Requirements
FFIEC has a requirement that cyber intelligence orgs [use] multiple sources of intelligence, correlated log analysis, alerts, internal traffic flows, and geopolitical events to predict potential future attacks and attack trends.
Other regulations around cyber threat intelligence are emerging, each with its own scope and specificity.
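As an added example (not code from the original answer or from any of the tools it names), here is a small Python pipeline over a constructed STIX 2.1-style indicator bundle that carries out the processing functions the answer lists, parsing, filtering, deduplicating and aggregating, and ends with the structured per-type summary a TIP would hand to a SIEM. The bundle, its ids and its values are constructed placeholders, and only single-comparison STIX patterns are parsed.

```python
import json, re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed STIX 2.1-style bundle; ids and values are placeholders, not real indicators.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--placeholder", "objects": [
    {"type": "indicator", "id": "indicator--1", "pattern": "[ipv4-addr:value = '203.0.113.10']",
     "valid_from": "2024-01-01T00:00:00Z", "confidence": 80},
    {"type": "indicator", "id": "indicator--2", "pattern": "[ipv4-addr:value = '203.0.113.10']",
     "valid_from": "2024-01-02T00:00:00Z", "confidence": 60},  # same observable from a second feed
    {"type": "indicator", "id": "indicator--3", "pattern": "[domain-name:value = 'example.invalid']",
     "valid_from": "2023-01-01T00:00:00Z", "valid_until": "2023-06-01T00:00:00Z", "confidence": 90},
    {"type": "indicator", "id": "indicator--4", "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
     "valid_from": "2024-01-03T00:00:00Z", "confidence": 20},  # below the confidence floor
    {"type": "malware", "id": "malware--1", "name": "placeholder"},  # not an indicator, ignored
]})

PATTERN_RE = re.compile(r"\[([\w-]+):[^\s=]+\s*=\s*'([^']*)'\]")  # single-comparison patterns only

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_indicators(bundle_json):
    """Parse: keep indicator objects and extract (observable type, value) from the pattern."""
    out = []
    for obj in json.loads(bundle_json)["objects"]:
        m = PATTERN_RE.fullmatch(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if m:
            out.append({**obj, "otype": m.group(1), "value": m.group(2)})
    return out

def filter_indicators(inds, now_iso, min_confidence=50):
    """Filter: drop indicators past valid_until and those below the confidence floor."""
    now = _ts(now_iso)
    return [i for i in inds if i.get("confidence", 0) >= min_confidence
            and not ("valid_until" in i and _ts(i["valid_until"]) < now)]

def dedupe(inds):
    """Deduplicate on (type, value): keep the highest-confidence copy, record every source id."""
    best, sources = {}, defaultdict(list)
    for i in inds:
        key = (i["otype"], i["value"])
        sources[key].append(i["id"])
        if key not in best or i.get("confidence", 0) > best[key].get("confidence", 0):
            best[key] = i
    return [{**best[k], "sources": sources[k]} for k in best]

def aggregate(inds):
    """Aggregate: counts per observable type, a structured summary a SIEM lookup can consume."""
    return dict(Counter(i["otype"] for i in inds))
```

Patterns the regex cannot read (multi-comparison or non-STIX pattern types) are skipped by `parse_indicators`, which is where unstructured input would be routed to an analyst rather than dropped silently in a real deployment.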