Introduction to EASY Framework for Intelligence

AttackIQ course: Introduction to EASY Framework for Intelligence by Chris Cochran and Ronald Eddings, approximately 1.5 hours long

This course walks learners through the EASY Framework, a framework for improving or creating your threat intelligence program. In this course, Chris Cochran and Ronald Eddings present a simple way to avoid headaches and keep your threat intelligence program organized and relevant.

Goal of the EASY framework: understand the business, people, processes, and technology

  1. Elicit Requirements - identify stakeholders. Ask what information they require. Get to know the team: what threat intelligence means to them and when they need information. Set expectations.

  2. Assess Collection Plan - Data sources: (i) internal (network logs, application logs, SIEM, incident/case management) and (ii) external (threat feeds, ISAC groups, threat groups, news, social media, industry peers). Justify each external source: what impact does it have, is anyone actually reading the feed, etc. IOCs: (i) atomic IOCs (domains, URLs, IP addresses) and computed IOCs (file hashes), which are matched exactly against collected data, and (ii) behavioral IOCs (the behavior of a network artifact or of an application), e.g. an unexpected process issuing DNS queries. Behavioral IOCs are good for detecting anomalous activity that no single atomic indicator covers. Curate and store collected data in a threat intelligence platform. Metrics and automation: understand which metrics matter and automate their collection; likewise automate the collection, storage, and curation of data feeds.

  3. Strive for Impact - the requirements and the collection plan are the roadmap for implementation and impact. Has the team fulfilled the requirements that were collected? Prioritize the work that still needs to be completed. An immediate-impact action is to proactively seek feedback from stakeholders right after gathering requirements and assessing the collection plan.

  4. Yield to Feedback - measure relevance to determine whether intelligence is reaching the right teams. Metrics help set goals. Assess the threat intel program yourself to highlight the team's challenges and successes. Ask what can be done to improve results immediately, and which points of the requirements are problematic. Communication is a key component of threat intel. Every piece of feedback points to an adjustment.
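The collection-plan step distinguishes atomic and computed IOCs from behavioral ones. The following is an added example, not material from the course or from AttackIQ, that shows the practical difference: exact matching of a domain, an IP address and a file hash against a feed, beside a behavioral check that flags a process outside a DNS baseline issuing queries. All IOC values, the baseline and the telemetry records are constructed for illustration (hypothetical, not real threat data); the thresholds and field names are assumptions.

```python
import hashlib

# Constructed IOC set for illustration only (hypothetical, not real threat data).
# Atomic IOCs are single observable values: domains, IP addresses, URLs.
ATOMIC_IOCS = {
    "domain": {"update-check.example.net"},
    "ip": {"203.0.113.7"},
}
# Computed IOCs are derived from content, most commonly file hashes.
SAMPLE_HASH = hashlib.sha256(b"constructed malicious sample").hexdigest()
COMPUTED_IOCS = {"sha256": {SAMPLE_HASH}}

# Processes expected to resolve names on this host (an assumption standing in
# for a baseline you would build from your own telemetry).
DNS_BASELINE = {"chrome.exe", "svchost.exe", "outlook.exe"}

# Constructed endpoint telemetry; in practice this comes from EDR or DNS logs.
EVENTS = [
    {"id": 1, "type": "dns", "process": "chrome.exe", "query": "www.example.com"},
    {"id": 2, "type": "dns", "process": "winword.exe", "query": "update-check.example.net"},
    {"id": 3, "type": "netconn", "process": "svchost.exe", "dst_ip": "203.0.113.7"},
    {"id": 4, "type": "file", "process": "explorer.exe", "sha256": SAMPLE_HASH},
    {"id": 5, "type": "dns", "process": "winword.exe", "query": "cdn.example.org"},
    {"id": 6, "type": "dns", "process": "winword.exe", "query": "api.example.org"},
    {"id": 7, "type": "dns", "process": "outlook.exe", "query": "mail.example.com"},
]


def match_atomic(events, iocs=ATOMIC_IOCS):
    """Exact-match DNS queries and destination IPs against atomic IOCs."""
    hits = []
    for ev in events:
        if ev["type"] == "dns" and ev["query"].lower() in iocs["domain"]:
            hits.append((ev["id"], "domain", ev["query"]))
        elif ev["type"] == "netconn" and ev["dst_ip"] in iocs["ip"]:
            hits.append((ev["id"], "ip", ev["dst_ip"]))
    return hits


def match_computed(events, iocs=COMPUTED_IOCS):
    """Match file events against computed IOCs (SHA-256 here)."""
    return [(ev["id"], "sha256", ev["sha256"])
            for ev in events
            if ev["type"] == "file" and ev["sha256"] in iocs["sha256"]]


def detect_unusual_dns_process(events, baseline=DNS_BASELINE, min_queries=2):
    """Behavioral indicator: a process outside the DNS baseline issuing queries.

    Flags per process rather than per query, and only once min_queries is
    reached, so a single stray lookup does not page anyone.
    Returns {process: [query, ...]}.
    """
    by_process = {}
    for ev in events:
        if ev["type"] == "dns" and ev["process"].lower() not in baseline:
            by_process.setdefault(ev["process"], []).append(ev["query"])
    return {p: q for p, q in by_process.items() if len(q) >= min_queries}


def triage(events):
    """Run all three checks. The behavioral check still fires when the feed is
    stale or the attacker has rotated domains, which is the point of keeping
    both kinds of indicator in the collection plan."""
    return {
        "atomic": match_atomic(events),
        "computed": match_computed(events),
        "behavioral": detect_unusual_dns_process(events),
    }


if __name__ == "__main__":
    for kind, result in triage(EVENTS).items():
        print(f"{kind}: {result}")
```

Event 2 is caught twice, once by the domain IOC and once because winword.exe is not a process that normally resolves names. Remove the domain from the feed (a stale feed, or rotated attacker infrastructure) and the atomic check returns nothing while the behavioral check still surfaces the same process, which is the justification the course asks you to make for each source in the plan.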

EASY Framework Template

Elicit Requirements

Stakeholder(s)

Requirement Name

Subject Area

Business Event

A trigger that stimulates activity within the business. Many business events occur at the interface point between the business and one of the external entities with which it interacts. Business events must be observable.

Constraints that must be met to fulfill the requirement

Primary Actor / Malware / Attack Vector

Adjacent Threats

Assets

Participants

Members involved in fulfilling threat intelligence requirement

Requirement Overview

Assess Collection Plan

Internal Data Sources

External Data Sources

Metrics To Collect

Process and Technology Gaps

Areas That Can Be Automated

Strive For Impact

Metrics to Collect

Impact to Mission

Evaluate Collection Plan

Yield To Feedback

Feedback from stakeholders

Last updated