Carry out threat intelligence assessments
Overview
This standard covers the competences needed to carry out threat intelligence and threat modelling assessments to identify current and potential threats to business data and systems.
To meet this standard you are required to: have the knowledge, skills and understanding necessary to carry out threat intelligence and modelling processes; ensure that your work complies with all legal, statutory, industrial and organisational requirements; and follow applicable industry codes of practice. You will be required to work autonomously and take responsibility for the quality and accuracy of the threat intelligence and modelling work that you carry out.
This type and level of activity is likely to be undertaken by someone whose work role involves cyber security threat analysis and modelling, e.g. Security Analysts or Cyber Threat Intelligence Analysts. You will likely work within a team of analysts collating, analysing and reporting on information relating to cyber security activities and threats, as well as assessing their origin and potential impact on the organisation. You will be competent in sourcing information that identifies potential threats, analysing related trends and highlighting security issues relevant to the organisation.
Your underpinning knowledge of threat intelligence and modelling will enable you to apply the appropriate principles and practices and use these to inform on the potential threats to the systems and data in an organisation. Effective threat intelligence involves comprehensive, continuous collection and analysis of the right data sources, from both inside and outside an organisation.
Performance criteria
You must be able to:
research and collect information from a range of threat intelligence sources (including threat intelligence databases, Open Source Intelligence [OSINT] and Warning, Advice and Reporting Point communities [WARP]) to identify new threats and threat actors
identify new threat tactics, techniques and procedures used by cyber threat actors
develop tactical and strategic cyber intelligence from acquired threat intelligence and technical indicators from external and internal sources
proactively engage in threat hunting activities for threats in the enterprise environment
deliver cyber threat intelligence services and material to information technology and business leaders
publish actionable threat intelligence for business and technology management
review and disseminate known trends and countermeasures for potential threats to the organisation
assess and validate threat information and exploit data in order to determine their relevance and reliability in line with organisational requirements
use threat intelligence in order to develop attack trees that show how an asset can be attacked
investigate and analyse threat information to track threat propagation and produce actionable threat intelligence reports and briefings for the organisation's teams
collaborate with other cyber security teams (network security, security testing, vulnerability detection, incident management) to help guide organisational cyber security strategy
identify irregular patterns in network and system activity using log correlation
analyse processed intelligence to identify significant trends, potential threat agents and their capabilities
carry out threat modelling to examine the impact of threats on infrastructure and key assets
document new threats and trends identified and make recommendations on how to mitigate these in line with organisational requirements
select and apply threat analysis tools in line with organisational procedures
comply with organisational policies, procedures, guidelines and regulatory requirements when carrying out threat analysis and modelling activities
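The criterion on identifying irregular patterns through log correlation is the one most directly expressible in code. The block below is an added example (it is not part of the standard) showing the basic shape of such a correlation: events from two separate sources are parsed into a common form, ordered by time, and two rules are applied that only fire when events are related across sources and within a time window. The log format, rule names, thresholds and sample lines are all constructed for illustration and do not come from any particular product.

```python
"""Log correlation for irregular-activity detection (added example).

Constructed sample logs in a hypothetical key=value syslog-style format;
the rules and thresholds are illustrative, not from any product or standard.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<kv>.*)$")

# Constructed sample data (not real traffic). VPN authentication events:
AUTH_LOG = """\
2024-03-04T08:59:10Z vpn01 auth: user=alice src=203.0.113.7 result=FAIL
2024-03-04T08:59:25Z vpn01 auth: user=alice src=203.0.113.7 result=FAIL
2024-03-04T08:59:41Z vpn01 auth: user=alice src=203.0.113.7 result=FAIL
2024-03-04T09:00:02Z vpn01 auth: user=alice src=203.0.113.7 result=OK
2024-03-04T09:10:00Z vpn01 auth: user=bob src=198.51.100.20 result=OK
"""
# Web proxy events for the same morning:
PROXY_LOG = """\
2024-03-04T09:01:30Z proxy01 http: user=alice dst=paste.example.net bytes_out=52428800
2024-03-04T09:12:00Z proxy01 http: user=bob dst=intranet.example.com bytes_out=1200
"""

FAIL_THRESHOLD = 3                     # failures before a success becomes suspicious
FAIL_WINDOW = timedelta(minutes=5)     # failures older than this are forgotten
EGRESS_WINDOW = timedelta(minutes=30)  # look-ahead after a suspicious login
EGRESS_BYTES = 10 * 1024 * 1024        # 10 MiB uploaded in one request


def parse(text):
    """Parse lines into dicts, skipping malformed lines instead of failing on them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = dict(pair.split("=", 1) for pair in m["kv"].split())
        ev["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["host"], ev["prog"] = m["host"], m["prog"]
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])  # correlation assumes time order


def correlate(auth_text, proxy_text):
    alerts = []
    fails = {}       # (user, src) -> timestamps of recent failures
    suspicious = {}  # user -> time of the success that followed a failure burst
    # Rule 1: a burst of failures then a success from the same user and source.
    for ev in parse(auth_text):
        key = (ev["user"], ev["src"])
        recent = [t for t in fails.get(key, []) if ev["ts"] - t <= FAIL_WINDOW]
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
        elif ev["result"] == "OK":
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force_then_success", "user": ev["user"],
                               "src": ev["src"], "ts": ev["ts"], "failures": len(recent)})
                suspicious[ev["user"]] = ev["ts"]
            recent = []  # a success ends the burst either way
        fails[key] = recent
    # Rule 2: large upload shortly after a suspicious login by the same user.
    for ev in parse(proxy_text):
        t0 = suspicious.get(ev["user"])
        if t0 is None:
            continue
        if timedelta(0) <= ev["ts"] - t0 <= EGRESS_WINDOW and int(ev["bytes_out"]) >= EGRESS_BYTES:
            alerts.append({"rule": "large_egress_after_suspicious_login", "user": ev["user"],
                           "dst": ev["dst"], "ts": ev["ts"], "bytes_out": int(ev["bytes_out"])})
    return alerts


if __name__ == "__main__":
    for alert in correlate(AUTH_LOG, PROXY_LOG):
        print(alert)
```

Neither source on its own is alarming: three failed VPN logins happen to anyone who mistypes a password, and a 50 MiB upload is routine. It is the join on user and time that makes the pair worth an analyst's attention, which is why the second rule only consults the proxy log for users the first rule has already flagged.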
Knowledge and Understanding
You need to know and understand:
the steps involved in threat intelligence, modelling and assessment
how to identify internal and external data sources and plan and conduct comprehensive, continuous collection and analysis of threat intelligence from them
the processes, procedures and methods to research, analyse and disseminate threat intelligence information
the systems for automated threat intelligence sharing using the industry standards Structured Threat Information Expression (STIX, the data format) and Trusted Automated Exchange of Indicator Information (TAXII, the transport protocol)
how to identify new threat actors, tactics and methods
how to identify threat scenarios that are attributed to a specific threat source or multiple threat sources
how to perform packet capture analysis
the open and closed sources of threat intelligence information available, including Open Source Intelligence (OSINT) and Warning, Advice and Reporting Point communities (WARP), and how to access and evaluate these
the organisational policies and procedures for carrying out threat intelligence and threat modelling
the industry standard threat modelling tools and techniques and how to apply them
the steps involved in kill chain threat modelling
the network activity characteristics that indicate new threats
how to analyse and review threat intelligence information to identify patterns and trends
how to prepare threat intelligence reports
how to build and apply attack trees as a methodical analysis of a security system
how to implement the regulatory, legislative and organisational policies and procedures for carrying out threat intelligence and modelling activities
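Two items above concern attack trees: the performance criterion on using threat intelligence to develop attack trees, and the knowledge item on applying them as a methodical analysis of a security system. The block below is an added example (not part of the standard) of the analysis that links the two. The tree is a constructed one with AND/OR gates; each leaf carries a rough effort score and the techniques it depends on, and an actor profile drawn from threat intelligence is simply the set of techniques that actor is reported to use. The evaluation then finds the cheapest path each actor can actually execute, and the same function re-run with a leaf blocked shows the effect of a countermeasure. The tree, effort scores and actor profiles are hypothetical; the technique IDs are MITRE ATT&CK IDs used purely as labels, and ATT&CK itself is an assumption of this example, not something the standard names.

```python
"""Attack tree evaluation driven by threat-intelligence actor profiles.

Added example, not from the standard. The tree, effort scores and actor
profiles are constructed for illustration; the technique IDs are MITRE
ATT&CK IDs used only as labels.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    gate: str = "LEAF"             # "LEAF", "OR" (any child) or "AND" (all children)
    effort: int = 0                # leaves only: relative attacker effort (hypothetical units)
    ttps: frozenset = frozenset()  # leaves only: techniques the step depends on
    children: list = field(default_factory=list)


def leaf(name, effort, *ttps):
    return Node(name, "LEAF", effort, frozenset(ttps))


def cheapest_path(node, actor_ttps, blocked=frozenset()):
    """Lowest-effort way for an actor to reach `node`.

    Returns (effort, [leaf names]) or (None, []) when the actor lacks a
    required technique or a countermeasure in `blocked` removes a needed leaf.
    """
    if node.gate == "LEAF":
        if node.name in blocked or not node.ttps <= actor_ttps:
            return None, []
        return node.effort, [node.name]
    results = [cheapest_path(c, actor_ttps, blocked) for c in node.children]
    if node.gate == "OR":
        feasible = [r for r in results if r[0] is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else (None, [])
    if node.gate == "AND":
        if any(r[0] is None for r in results):
            return None, []
        return sum(r[0] for r in results), [n for r in results for n in r[1]]
    raise ValueError(f"unknown gate {node.gate!r}")


# Constructed tree for a single asset (hypothetical).
GOAL = Node("Exfiltrate customer database", "OR", children=[
    Node("Via compromised employee account", "AND", children=[
        Node("Obtain valid credentials", "OR", children=[
            leaf("Phish employee", 2, "T1566"),
            leaf("Credential stuffing", 1, "T1110"),
        ]),
        leaf("Reach database host from workstation", 3, "T1021"),
        leaf("Exfiltrate over web service", 1, "T1567"),
    ]),
    Node("Via public-facing application", "AND", children=[
        leaf("Exploit web application", 4, "T1190"),
        leaf("Exfiltrate over C2 channel", 2, "T1041"),
    ]),
])

# Constructed actor profiles: the techniques reported for each actor.
ACTORS = {
    "actor-a": frozenset({"T1566", "T1021", "T1567", "T1041"}),
    "actor-b": frozenset({"T1190", "T1041"}),
    "any-capable-actor": frozenset({"T1566", "T1110", "T1021", "T1567", "T1190", "T1041"}),
}


def assess(blocked=frozenset()):
    """Cheapest feasible path to the goal for every tracked actor."""
    return {name: cheapest_path(GOAL, ttps, blocked) for name, ttps in ACTORS.items()}


if __name__ == "__main__":
    for name, (effort, path) in assess().items():
        print(name, effort, path)
    # Countermeasure check: MFA on the VPN is modelled as removing both credential leaves.
    for name, (effort, path) in assess(blocked={"Phish employee", "Credential stuffing"}).items():
        print("with MFA:", name, effort, path)
```

The point of driving the tree from actor profiles is that the "cheapest" path in the abstract (credential stuffing, effort 5) is not the path a given actor will take; actor-a has no reported brute-force capability and is routed through phishing instead, and actor-b can only reach the goal through the public-facing application. Running the same assessment with leaves blocked is how a candidate countermeasure is scored against the actors that matter rather than against the tree as a whole.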