Seven Ways to Apply the Cyber Kill Chain with a Threat Intelligence Platform
ABSTRACT
Threat Intelligence Platforms (TIP) are an emerging technology supporting organizations as they consume and then act on cyber intelligence. Lockheed Martin believes that a TIP helps an organization transition from relying solely on external intelligence sources to producing their own intelligence based on what is observed in their environment. The result is elevated cyber maturity and improved resilience against attackers.
INTRODUCTION
Within the past decade, computer network defense has shifted from a culture of sharing minimal information to one of intelligence overload. Previously, information regarding system breaches, malware, or attack attribution was rarely shared between organizations. Today the more common issue is how to sift through all the emails, reports, and indicators to identify actionable intelligence.
Threat intelligence is evidence-based knowledge about a threat that can be used to inform decisions regarding the response to that threat (McMillan, 2013). It includes the details of the motivations, intent, and capabilities of threat actors (Holland, 2014). In order to successfully defend against the multitude of Advanced Persistent Threats (APT) facing an organization, consuming external threat intelligence has become an increasingly important aspect of cybersecurity. However, exactly how to ingest the intelligence and successfully leverage it within an organization’s environment often remains a challenge.
In addition to external intelligence, the influx of data from one's own organization can further complicate matters. Alerts from a myriad of technologies, including Intrusion Detection Systems (IDS), firewalls, mail scanners, Host Intrusion Prevention Systems (HIPS), and proxies, can overwhelm a defender who is trying to respond to and disposition each alert. External intelligence then becomes an afterthought: with no time to evaluate it and implement countermeasures, it goes unused. Conversely, external intelligence fed directly into these tools only produces more noise if it has not been vetted against one's own environment and the resulting mitigations have not been tuned appropriately.
In order to process all of this internal and external data and have it result in actionable intelligence, a TIP can be employed. A TIP is the central management repository for all external and internal intelligence, and can provide the mechanism to act upon this intelligence.
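The two failure modes above (external indicators pushed unvetted into sensors, and internal observations never promoted to intelligence) are what a central repository is meant to prevent. The following is an added illustration, not code from the paper or from Lockheed Martin's Palisade product. It merges constructed feed entries and constructed internal alerts into one normalized store, rejects indicators that would only generate noise in this environment (allowlisted infrastructure, internal address ranges), and ranks what remains so that indicators corroborated by internal sightings are deployed first. The allowlist, the internal network ranges, and the feed records are all assumptions made for the example.

```python
"""Minimal indicator-vetting store in the spirit of a TIP (added example)."""
import ipaddress
from dataclasses import dataclass, field

# --- Environment context: assumptions for this example, not from the paper ---
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Infrastructure the organization legitimately talks to. A feed entry that
# matches it would only generate noise if pushed straight to an IDS or proxy.
ALLOWLIST = {
    "ipv4": {"8.8.8.8", "1.1.1.1"},
    "domain": {"windowsupdate.com", "example.com"},
}

# --- Constructed sample inputs (documentation address ranges, fictional feeds) ---
EXTERNAL_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "vendor_feed_a", "phase": "command_and_control"},
    {"type": "ipv4", "value": "203.0.113.45", "source": "vendor_feed_b", "phase": "command_and_control"},
    {"type": "ipv4", "value": "8.8.8.8", "source": "vendor_feed_b", "phase": "command_and_control"},
    {"type": "ipv4", "value": "10.0.0.5", "source": "vendor_feed_a", "phase": "delivery"},
    {"type": "domain", "value": "Update-Check.EXAMPLE.NET.", "source": "vendor_feed_a", "phase": "command_and_control"},
    {"type": "domain", "value": "update-check.example.net", "source": "vendor_feed_b", "phase": "command_and_control"},
    {"type": "domain", "value": "windowsupdate.com", "source": "vendor_feed_b", "phase": "delivery"},
]
INTERNAL_ALERTS = [
    {"type": "domain", "value": "update-check.example.net", "source": "proxy", "phase": "command_and_control"},
    {"type": "ipv4", "value": "198.51.100.7", "source": "ids", "phase": "exploitation"},
]


@dataclass
class Indicator:
    itype: str
    value: str
    phase: str
    sources: set = field(default_factory=set)   # feeds/sensors that reported it
    sightings: int = 0                          # times seen in our own environment
    status: str = "pending"                     # "vetted" or "rejected"
    reason: str = ""


def normalize(itype, value):
    """Canonical form so the same indicator from two feeds collapses to one key."""
    value = value.strip().lower()
    if itype == "domain":
        return value.rstrip(".")
    if itype == "ipv4":
        return str(ipaddress.ip_address(value))  # raises on malformed input
    return value


def allowlisted(itype, value):
    allow = ALLOWLIST.get(itype, set())
    if itype == "domain":
        return any(value == a or value.endswith("." + a) for a in allow)
    return value in allow


def vet(ind):
    """Decide whether an indicator is usable in this environment."""
    if allowlisted(ind.itype, ind.value):
        return "rejected", "allowlisted infrastructure"
    if ind.itype == "ipv4":
        addr = ipaddress.ip_address(ind.value)
        if addr.is_loopback or any(addr in net for net in INTERNAL_NETS):
            return "rejected", "internal or non-routable address"
    return "vetted", ""


def build_repository(external, internal):
    """Merge external feed records and internal alerts into one keyed store."""
    repo = {}
    for rec in external:
        key = (rec["type"], normalize(rec["type"], rec["value"]))
        ind = repo.setdefault(key, Indicator(key[0], key[1], rec.get("phase", "unknown")))
        ind.sources.add(rec["source"])
    for rec in internal:
        key = (rec["type"], normalize(rec["type"], rec["value"]))
        ind = repo.setdefault(key, Indicator(key[0], key[1], rec.get("phase", "unknown")))
        ind.sources.add(rec["source"])
        ind.sightings += 1  # observed on our own network: this is our own intelligence
    for ind in repo.values():
        ind.status, ind.reason = vet(ind)
    return repo


def deployable(repo):
    """Vetted indicators, highest confidence first: internal sightings outrank
    multi-feed corroboration, which outranks a single feed's word."""
    ok = [i for i in repo.values() if i.status == "vetted"]
    return sorted(ok, key=lambda i: (-i.sightings, -len(i.sources), i.value))


if __name__ == "__main__":
    store = build_repository(EXTERNAL_FEED, INTERNAL_ALERTS)
    for ind in deployable(store):
        print(f"{ind.itype:6} {ind.value:28} phase={ind.phase} sources={sorted(ind.sources)} sightings={ind.sightings}")
    for ind in store.values():
        if ind.status == "rejected":
            print(f"REJECT {ind.value}: {ind.reason}")
```

The ranking is the point: the domain that a vendor feed reported and the proxy then actually observed is pushed ahead of an address that two feeds agree on but nobody local has seen, and the public resolver and the internal 10.0.0.5 address never reach a sensor at all.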
This paper is organized as follows: section two reviews related work on defining the requisite components of a TIP. Section three introduces an expansion of this definition based upon the Intelligence Driven Defense® approach to computer network defense. Section four outlines the seven ways an organization can apply the Cyber Kill Chain® framework in its environment using a TIP. Section five introduces the Palisade™ solution, Lockheed Martin's Threat Intelligence Platform, and section six summarizes the paper.