Generally speaking, we can use low-level (tactical) threat intelligence in four ways:
- Analysis: Use the data for summaries, trending, and other sorts of reporting.
- Blocking: Implement preventive controls to defend against the threats. This might include firewalls, software changes, or (in a law enforcement context) detainment.
- Monitoring: Implement detective controls for further investigation when an event matches the intelligence. For example, flag all events from a “known bad” IP address.
- Correlation: Cross-check other data against the intelligence on an ad hoc basis. An investigator already looking at a suspect system might correlate all files against the system against hashes of specific malware or documents.
As this is early days, I’m not sure how well this model works. Should blocking really include detainment by LE? And 3 and 4 in particular have a lot in common, but I think of them as different use cases because one creates automatic notifications and one responds to manual lookups.
I’ll probably let this brew in my head for a bit before taking further steps with it, and I’d love to discuss any parts of it in more detail with anybody.