My last post mentioned briefly the difference between “high level” and “low level” threat intelligence.
High level intelligence includes human-understandable information that we can’t immediately parse into specific data, like a warning that “hacktivists” have targeted an organization. In contrast, low level intelligence usually consists of atomic data (network addresses, malware indicators, payment card information, etc.).
However, we should see this as a spectrum rather than a dichotomy: continuous, not discrete. As an example, what about monitoring social media from within your SIEM? Many analysts have noted the value of Pastebin as an OSINT source. Xavier Garcia wrote a post on monitoring Pastebin leaks, which served as the basis for Xavier Mertens’s post on monitoring Pastebin.com from within your SIEM. Maybe you can use this to look for compromised logins on your domain, then correlate against login attempts for those accounts?
This has grown, of course, and so now we have examples of monitoring RSS feeds and tracking tweets from within a SIEM environment. If you tie this to case management (which many of us do within the SIEM, e.g. using ArcSight), then you’ve got a head start on OSINT monitoring. I suspect you could combine this with Yahoo! Pipes to monitor all sorts of loosely-structured data, whether for correlation or integration into your workflow.
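The Pastebin-to-SIEM correlation idea above, as an added example that is not from either Xavier’s post: parse a credential-dump paste for accounts on your own domain (discarding the leaked secrets), then match those accounts against authentication log lines and raise the accounts that also show a successful login. The paste, the log lines, the `example.com` domain and the syslog-like log format are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample paste in the common "email:password" dump format (not real data).
SAMPLE_PASTE = """\
alice@example.com:Summer2014!
bob@example.com:hunter2
carol@othercorp.net:letmein
dave@example.com:P@ssw0rd
"""

# Constructed sample authentication log lines (syslog-like); the format is assumed.
SAMPLE_AUTH_LOG = """\
2014-03-02T09:15:00Z auth: user=alice@example.com result=FAILURE src=203.0.113.5
2014-03-02T09:15:30Z auth: user=alice@example.com result=SUCCESS src=203.0.113.5
2014-03-02T10:00:00Z auth: user=bob@example.com result=FAILURE src=198.51.100.7
2014-03-02T10:01:00Z auth: user=erin@example.com result=SUCCESS src=192.0.2.9
"""

CRED_LINE = re.compile(r"^(?P<email>[^:\s]+@(?P<domain>[^:\s]+)):(?P<secret>.+)$")
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

def leaked_accounts(paste_text, domain):
    """Accounts on our domain that appear in a credential paste.
    Only the account name is kept; the leaked secret is discarded, never stored."""
    found = set()
    for line in paste_text.splitlines():
        m = CRED_LINE.match(line.strip())
        if m and m.group("domain").lower() == domain.lower():
            found.add(m.group("email").lower())
    return found

def correlate_logins(auth_log, leaked):
    """Login attempts grouped by account, keeping only accounts seen in the leak."""
    hits = defaultdict(list)
    for line in auth_log.splitlines():
        m = AUTH_LINE.match(line.strip())
        if m and m.group("user").lower() in leaked:
            hits[m.group("user").lower()].append((m.group("ts"), m.group("result"), m.group("src")))
    return dict(hits)

def alerts(paste_text, auth_log, domain):
    """Leaked accounts that also show a successful login: the ones to escalate first."""
    hits = correlate_logins(auth_log, leaked_accounts(paste_text, domain))
    return sorted(u for u, attempts in hits.items() if any(r == "SUCCESS" for _, r, _ in attempts))

if __name__ == "__main__":
    for account in alerts(SAMPLE_PASTE, SAMPLE_AUTH_LOG, "example.com"):
        print("ALERT: leaked account had a successful login:", account)
```

Accounts that were leaked but show only failed attempts (bob) or no attempts (dave) are still worth a forced password reset; they just rank below alice, whose leaked account was actually used.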