Using a robust platform for cyber threat analysis training

We have recognised threats coming more regularly from varied origins such as nation-states, hacktivist and cybercriminal actors. Coupled with many new public policies aimed at mitigating the negative effects of data breaches, cyber espionage and intellectual property theft, it’s clear a new ecosystem of cyber threat intelligence sharing is emerging.

As more intelligence teams become established with the aim to fortify networks and reduce the liabilities and risks associated with data breaches, the need for trained threat analysts is increasing. Yet, there are very few that can represent their findings in a manner that is helpful to decision-makers. To correct this, organisations need to train cyber threat analysts using a technique that builds on the use on a threat intelligence platform (TIP) as a key tool in conveying the tradecraft of cybersecurity threat intelligence.

Developments in the threat intelligence sharing ecosystem

Through the development of this ecosystem, a global standards body known as the Organisation for the Advancement of Structured Information Systems (OASIS) has sponsored the further development of a standardised language, syntax and logic for a set of protocols for threat intelligence sharing. These are:

• Structured Threat Information Expression (STIX)
• Trusted Automated Exchange for Indicator Information (TAXII).

In parallel to this, several key corporate giants and innovative start-ups have developed their own tools for enabling the sharing of indicators of compromise (IOCs) and context around intrusions, breaches, information theft and other kinds of attacks that affect the confidentiality and integrity of data resources.

Despite this, policy analysts have pointed out that there is a severe lack of trained analysts for applying the STIX and TAXII protocols that are the standards of this ecosystem. In light of this, many public and private universities are paving the way and have begun to develop training programmes to fill this critical skills shortage and gap in the education system. Yet, as organisations struggle to recruit skilled analysts, it is in their interest to train their existing threat intelligence analysts as well as new analysts in this universal language to ensure ongoing cyber security.

Building training on a threat intelligence platform

There are multiple functions of a threat intelligence platform (TIP), including:

• The aggregation of threat intelligence “feeds” from various open and propriety sources while serving as a platform for enriching IOCs with supplemental data and information.
• Aiding the threat analyst in understanding the TTPs of the threat actors, as conveyed through the interpretation of enriched IOCs.
• Being able to distinguish between human readable threat intelligence (HRTI) and machine readable threat intelligence (MRTI).

Training cyber threat analysts using a technique that builds on the use of a TIP is a key tool in conveying the tradecraft of threat intelligence. Giving an analyst a robust TIP that is designed to give them a high level of configurability will expose them to the internal logic of the system, thereby empowering the analyst to carefully design the threat detection, response, and prevention parameters. This will help reduce false positives and increase the value of the data collected for the use of defensive or remedial action.

Whether for workforce training or academic education, applied, hands-on lab work is critical to learning objectives and arming students with practical knowledge to build upon. It is important that the training analyst is given theoretical frameworks – such as Kill Chain and the Diamond model – that guide hypothesis formation and testing as well as knowledge of the craft for effective integration into ongoing threat intel teams.

To effectively apply a TIP-based learning system for students, lessons should be drawn directly from the workflows of operational units such as red teams, Incident Response teams and SOC teams. Specific case studies can give students a sense of how TIPs function within an organisation where different teams collaborate on threat intelligence sharing. Having a robust and highly configurable TIP ensures that the analyst understands these basic workflows, use cases and various features needed for ingesting feeds, performing analysis and presenting findings.

The growing need for skilled threat analysts

With ever more intel teams becoming established there is a growing realisation of the benefits of threat intelligence sharing for fortifying their networks, reducing liabilities and risks associated with data breaches. This has increased the need for individuals to understand exactly how to interpret the IOCs, enrich the data and how to characterise the activity of threat actors that may be engaging in attacks on member networks.

There are currently very few threat analysts that understand how to use TIPs and STIX-formatted data, how to refine IOCs and how to analyse the patterns in order to test hypotheses on threat actor intent and motivations. Being fluent in the language of STIX will enable threat analysts to present their findings in a manner that is helpful for key decision makers.

Poaching of cyber security talent is becoming a growing concern for organisations, as highlighted by the talent poaching lawsuit brought against Nike by Mastercard in 2015. Not only are they being poached, they are also being recruited from roles such as network engineers, database managers, ethical hackers as well as other disciplines that have a bearing on the information and cyber security fields. Even for these specialised workers, it will be a steep learning curve to develop an understanding of the tools and techniques used to analyse attacks and developing application interfaces (APIs) between TIPs and existing in-house tools for monitoring networks and generating metrics.

Workforce development will continue to be a concern for companies and public-sector organisations and employers would do well to support their employees that seek development in the ecosystem of threat intelligence.