Threat Intelligence - Evaluating Sources | Optiv

May 16, 2014

One of the chief concerns of the intelligence analyst is knowing whether the assessment they are making hits the mark. While the analyst struggles to determine the applicability and reliability of collected data, the time taken to deliver intelligence results to stakeholders grows, which lessens the usefulness of those results.

The usefulness of intelligence lies in the analysis and timely dissemination of collected data. If the information is not judged, or is judged incorrectly, it may be useless to the operations component it supports, or even detrimental. How do we address the need for reliable, timely and applicable collection?

As we have seen in industry over the past couple of years, there is no shortage of available information that can contribute to intelligence analysis: threat and vulnerability feeds, dissemination of indicators of compromise via Mandiant’s OpenIOC or MITRE’s Structured Threat Information eXpression (STIX), open-source information-sharing platforms and threat lists, etc. Combined, these sources provide an enormous amount of collectable data that can be used in intelligence products or applied to signatures and rules in security appliances. The problem lies in the validity of the information available and whether ingesting it is applicable to your environment.

Sources of intelligence information must be evaluated for their usefulness, fidelity and validity. Authenticating sources and classifying them by their reliability will allow the analyst to make sound judgments and assessments of the data collected. The tables below provide an outline that analysts can use to grade sources and intelligence information.

Source Reliability Matrix

RATING                     DESCRIPTION
A  Reliable                No doubt about the source’s authenticity or trustworthiness. History of complete reliability.
B  Usually Reliable        Minor doubts. History of mostly valid information.
C  Fairly Reliable         Doubts. Provided valid information in the past.
D  Not Usually Reliable    Significant doubts. Provided valid information in the past.
E  Unreliable              Lacks authenticity, trustworthiness and competency. History of invalid information.
F  Cannot Be Judged        Insufficient information to evaluate reliability. May or may not be reliable.

Information Reliability Matrix

RATING                     DESCRIPTION
1  Confirmed               Logical, consistent with other relevant information, confirmed by independent sources.
2  Probably True           Logical, consistent with other relevant information, not confirmed.
3  Possibly True           Reasonably logical, agrees with some relevant information, not confirmed.
4  Doubtfully True         Not logical but possible, no other information on the subject, not confirmed.
5  Improbable              Not logical, contradicted by other relevant information.
6  Cannot Be Judged        The validity of the information cannot be determined.

Applying the above tables, it can be assumed that one of the many sources of information an intelligence team will utilize is in-house Technical Intelligence (TECHINT) from the security appliances on the network. The intelligence information collected from these sources can be graded anywhere from A-1 to B-3, depending on the level of signature and rule tuning and the analysis of false positives.

TECHINT is the collection of information about or via technological platforms. This data will be derived from the in-house technical resources, such as firewalls, proxies, intrusion detection and prevention systems (IDPS) and the entity’s Security Information and Event Management (SIEM) system, as well as other technologies used by the information technology group.

To be able to grade your sources and the information they provide, you must track and score them. By doing this over time, you will be better able to grade them and then decide whether to continue reviewing, evaluating and incorporating their information into your finished products. Just as you would tune out a rule that keeps producing false positives in your SIEM, so should you tune out invalid sources of intelligence information.
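The tracking-and-scoring loop described above, as an added worked example (this is illustrative code written for this page, not Optiv's or the article's own tooling): each source keeps a ledger of the indicators it reported and whether they later proved valid, its reliability letter is derived from that history using the source matrix, the information digit is raised to "Confirmed" when an independent source of reasonable reliability reported the same indicator, and a policy decides whether the composite grade is applied to appliance rules, sent for analyst review, or tuned out. The minimum history of five evaluated reports, the percentage bands, the corroboration rule, the ingest policy and the sample sources and indicators (drawn from the IANA documentation ranges) are all constructed assumptions.

```python
"""Added example, not from the article: a ledger that grades intelligence
sources over time and gates what is pushed into security-appliance rules."""
from __future__ import annotations
from dataclasses import dataclass, field

# The two matrices from the article, as lookup tables.
SOURCE_RATINGS = {"A": "Reliable", "B": "Usually Reliable", "C": "Fairly Reliable",
                  "D": "Not Usually Reliable", "E": "Unreliable", "F": "Cannot Be Judged"}
INFO_RATINGS = {1: "Confirmed", 2: "Probably True", 3: "Possibly True",
                4: "Doubtfully True", 5: "Improbable", 6: "Cannot Be Judged"}

MIN_EVALUATED = 5  # assumed: fewer evaluated reports than this => "F" (Cannot Be Judged)
# Assumed bands: share of evaluated reports that proved valid => reliability letter.
RELIABILITY_BANDS = [(0.95, "A"), (0.80, "B"), (0.60, "C"), (0.30, "D"), (0.0, "E")]


@dataclass
class Report:
    indicator: str
    analyst_rating: int          # 1-6 per the information matrix, judged at receipt
    outcome: str | None = None   # "valid", "invalid", or None while not yet evaluated


@dataclass
class SourceLedger:
    name: str
    reports: list = field(default_factory=list)

    def record(self, indicator: str, analyst_rating: int) -> Report:
        if analyst_rating not in INFO_RATINGS:
            raise ValueError(f"information rating must be 1-6, got {analyst_rating}")
        report = Report(indicator, analyst_rating)
        self.reports.append(report)
        return report

    def evaluate(self, indicator: str, outcome: str) -> None:
        """Record after the fact whether an indicator was a true hit ("valid")
        or a false positive once applied or investigated ("invalid")."""
        if outcome not in ("valid", "invalid"):
            raise ValueError("outcome must be 'valid' or 'invalid'")
        for r in self.reports:
            if r.indicator == indicator:
                r.outcome = outcome

    def reliability(self) -> str:
        evaluated = [r for r in self.reports if r.outcome is not None]
        if len(evaluated) < MIN_EVALUATED:
            return "F"  # insufficient history to judge
        valid_share = sum(r.outcome == "valid" for r in evaluated) / len(evaluated)
        for threshold, letter in RELIABILITY_BANDS:
            if valid_share >= threshold:
                return letter
        return "E"


def information_rating(report: Report, others: list[SourceLedger]) -> int:
    """Assumed rule: 'Confirmed' (1) when an independent source graded C or better
    reported the same indicator; otherwise the analyst's own judgement stands."""
    for ledger in others:
        if ledger.reliability() in ("A", "B", "C") and any(
                r.indicator == report.indicator for r in ledger.reports):
            return 1
    return report.analyst_rating


def grade(source: SourceLedger, report: Report, others: list[SourceLedger]) -> str:
    """Composite grade such as 'B-2': source letter, then information digit."""
    return f"{source.reliability()}-{information_rating(report, others)}"


def ingest_decision(composite: str) -> str:
    """Assumed policy: A/B sources with confirmed or probably-true information are
    applied to rules; D/E sources or improbable information are tuned out;
    everything else (including unjudged sources) goes to an analyst for review."""
    letter, digit = composite.split("-")
    if letter in ("D", "E") or int(digit) == 5:
        return "tune out"
    if letter in ("A", "B") and int(digit) in (1, 2):
        return "apply"
    return "review"


def demo() -> dict:
    # Constructed sample: an in-house IDPS feed (TECHINT) and a public threat list.
    idps = SourceLedger("in-house IDPS")
    public = SourceLedger("public threat list")
    for i in range(6):
        idps.record(f"203.0.113.{i}", 2)       # TEST-NET-3 documentation addresses
        idps.evaluate(f"203.0.113.{i}", "valid")
    for i in range(6):
        public.record(f"198.51.100.{i}", 3)    # TEST-NET-2 documentation addresses
        public.evaluate(f"198.51.100.{i}", "valid" if i < 4 else "invalid")
    shared = public.record("203.0.113.0", 3)   # also reported by the IDPS
    new_src = SourceLedger("new OSINT feed")
    fresh = new_src.record("192.0.2.1", 2)     # too little history to grade
    return {
        "idps": idps.reliability(),                            # "A"
        "public": public.reliability(),                        # "C" (4 of 6 valid)
        "shared_grade": grade(public, shared, [idps]),         # "C-1", independently confirmed
        "fresh_grade": grade(new_src, fresh, [idps, public]),  # "F-2"
        "decisions": {g: ingest_decision(g) for g in ("A-1", "C-1", "F-2", "D-3")},
    }


if __name__ == "__main__":
    print(demo())
```

The point of the ledger is that the letter is never assigned by hand: it follows from how often a source's past reports survived evaluation, so a feed that keeps producing false positives drifts from B to D and is tuned out by policy, exactly as a noisy SIEM rule would be.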

The intelligence staff must be trusted to provide dependable and timely analysis. Basing assessments off of unreliable or invalid source information will likely lead to a decrease in the security of the organization’s information assets.

Intelligence Disciplines & Sources of Information

HUMINT     Intelligence information derived from human sources.
SIGINT     Data gathered from various communications mediums.
GEOINT     Geospatial intelligence concerning terrain and imagery.
TECHINT    Technical information collected from internal sources and platforms.
OSINT      Intelligence information collected via publicly available resources.

The above table lists the other disciplines of intelligence information collection whose sources, and the information they provide, likewise need to be graded for reliability and truthfulness.
