How Macro and Micro Intel Sharing Can Shape Your Security Operations
Cyware Situational Awareness Platform (CSAP) • Dec 20, 2019
Threat Intelligence is not just useful for detecting cyber threats. It can boost an organization’s security operations in many different ways. Whether it is everyday security operations, responding to threats, or improving an organization’s security strategy, Threat Intel has many diverse applications. To understand this, let us dive deeper into the various forms of Intel and their roles within an organization.
Threat Intel can be divided into four categories based on the outcomes that can be achieved from it: Strategic, Operational, Tactical, and Technical Threat Intel. Below are brief descriptions of each type of Intel:
Strategic Intel provides high-level information on changing risk
Operational Intel includes information on specific attacks and member intel sharing
Tactical Intel details the attackers’ Tools, Techniques, and Procedures (TTPs)
Technical Intel provides low-level Indicators of Compromise (IOCs)
Each type of Intel has specific applications within different functions of an organization, and each type is relevant to members of an organization in different roles. To simplify the picture, we can analyze the types of Intel in two parts: Macro Intel and Micro Intel. Macro Intel includes Strategic and Operational Intel, whereas Micro Intel includes Tactical and Technical Intel. Now, let us take a deeper dive into what Macro and Micro Intel mean for organizations and how they can leverage them in their security operations.
Micro Intel consists of Tactical and Technical Intel as mentioned earlier. This is low-level Intel containing various kinds of indicators of compromise (IOCs) that help detect, monitor, track, or block corresponding attacks.
Technical Intel is focused on IOCs such as IP addresses, file hashes, domain names, attackers’ tools, etc. These IOCs can be fed into security controls within an organization to automatically block future attacks that reuse the same IOCs. Tactical Intel, on the other hand, consists of threat actors’ tactics, techniques, and procedures (TTPs), which span the entire attack lifecycle. TTPs describe the behavior of threat actors on a much broader scale than the low-level IOCs of Technical Intel, and they change far less often than individual indicators. Thus, Tactical Intel is key to predicting attacks based on the behavior patterns of adversaries.
Micro Intel, in general, enables machine-to-machine orchestration. This means that Technical or Tactical Intel gathered from various sources can be fed directly into existing security controls to drive security actions. Whether that means blocking a malicious domain found in phishing emails or alerting on an anomalous privilege escalation as a sign of an ongoing attack, such actions help security teams detect, analyze, and respond to threats faster.
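As an added example (not code from the article or from Cyware's platform), the following Python script shows the machine-to-machine use of Technical Intel just described: a constructed IOC feed (placeholder IP, domain and hash, each tagged with an assumed TTP label and an action) is matched against constructed log lines, and the Technical hits are rolled up into the Tactical view by TTP.

```python
import re
# Constructed sample feed (placeholder values, not real indicators): each IOC
# carries its type, an assumed TTP label (Tactical context) and a control action.
IOC_FEED = [
    {"type": "domain", "value": "update-check.example.net", "ttp": "phishing-delivery", "action": "block"},
    {"type": "ip", "value": "203.0.113.42", "ttp": "c2-beacon", "action": "block"},
    {"type": "sha256", "value": "a" * 64, "ttp": "malware-dropper", "action": "alert"},
]

# Constructed sample log lines in a simple key=value format.
SAMPLE_LOGS = [
    "ts=2019-12-20T10:01:00Z src=10.0.0.5 dst=203.0.113.42 dport=443 action=allow",
    "ts=2019-12-20T10:02:00Z user=alice url=http://update-check.example.net/p.exe",
    "ts=2019-12-20T10:03:00Z host=ws-17 file=p.exe sha256=" + "a" * 64,
    "ts=2019-12-20T10:04:00Z src=10.0.0.9 dst=198.51.100.7 dport=80 action=allow",
]

# One extractor per IOC type; each pulls candidate tokens out of a log line.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}

def build_index(feed):
    """Index IOCs by (type, lowercased value) for O(1) lookup per token."""
    return {(i["type"], i["value"].lower()): i for i in feed}

def match_logs(feed, lines):
    """Return (action, ttp, value, line) for every IOC hit; clean lines yield nothing."""
    index = build_index(feed)
    hits = []
    for line in lines:
        for ioc_type, rx in EXTRACTORS.items():
            for token in rx.findall(line):
                ioc = index.get((ioc_type, token.lower()))
                if ioc:
                    hits.append((ioc["action"], ioc["ttp"], ioc["value"], line))
    return hits

def summarize(hits):
    """Roll Technical hits up into the Tactical view: TTP -> set of actions taken."""
    summary = {}
    for action, ttp, _value, _line in hits:
        summary.setdefault(ttp, set()).add(action)
    return summary

if __name__ == "__main__":
    for action, ttp, value, line in match_logs(IOC_FEED, SAMPLE_LOGS):
        print(f"{action.upper():5} [{ttp}] {value} <- {line}")
```

In practice the feed would come from a threat intel platform and the actions would be dispatched to a firewall, proxy or EDR rather than printed.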
Moreover, Micro Intel sets the foundation for other Intel activities such as IOC Sharing, Threat Intel Enrichment, Exploitability Mapping, Kill Chain Mapping, ATT&CK Mapping, and more. Thus, Micro Intel is akin to a Swiss Army knife for security teams: it helps them accomplish many different objectives.
Macro Intel is useful for security leaders and managers within an organization to understand the scope of various threats, maintain visibility over the threat landscape, and assess and manage the overall cyber risk for their organization. It consists of high-level Intel including Strategic and Operational Intel.
Strategic Intel provides in-depth information on the changing cyber risk facing organizations. Operational Intel provides information on specific threats affecting an organization’s operations and also includes Intel shared by partner organizations.
Machine-to-machine orchestration has certain limitations. Macro Intel, however, involves both human and machine intellect and sets the ground for machine-to-human, human-to-machine, and human-to-human orchestration. Through methods such as real-time alerting, Intel reports, threat research reports, etc., Macro Intel equips security leaders with the right information to shape the organization’s cybersecurity strategy. Furthermore, Macro Intel also helps guide security operations by providing malware advisories, vulnerability reports, member Intel sharing, and more.
Thus, Macro Intel is a very important tool for security leaders and managers to set priorities for their security operations, communicate cyber risk to C-suite executives, evolve their cybersecurity strategy, manage their human resources, and more.
Threat Intel operations can provide many benefits to an organization beyond its core security functions. However, this requires decision-makers to have a deep understanding of the applications of the various types of Intel. Information without action is of no value. The maturity and efficacy of Threat Intel operations are determined by how effectively Intel is used to drive actions at different levels within an organization. Thus, organizations should aim to leverage both Macro and Micro Intel in their security operations to develop a strong cybersecurity posture.