Introduction to EASY Framework for Intelligence
AttackIQ course: Introduction to EASY Framework for Intelligence by Chris Cochran and Ronald Eddings, approximately 1.5 hours long
This course walks learners through the EASY Framework, a framework for improving or creating your threat intelligence program. In this course, Chris Cochran and Ronald Eddings present a simple way to avoid headaches and keep your threat intelligence program organized and relevant.
Goal of EASY framework: Understand the business, people, processes, and technology
Elicit requirements - Identify stakeholders. Ask what information is required. Help the team understand what threat intelligence is and when they need information. Set expectations.
Assess Collection Plan - Data sources:
(i) Internal data sources: network logs, application logs, SIEM, incident/case management.
(ii) External data sources: threat feeds, ISAC groups, threat groups, news, social media, industry peers. Justify each external source by its impact and by whether anyone actually reads the feed.
IOCs:
(i) Atomic and computed IOCs: file hashes, domains, URLs.
(ii) Behavioral IOCs: the behavior of a network artifact or of an application, e.g. an unusual DNS process; good for detecting anomalous behavior.
Curate and store the data in a threat intelligence platform.
Metrics and automation: understand which metrics matter and implement automation to help collect them; automate the collection, storage, and curation of data feeds.
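As an added example, not material from the AttackIQ course, the following Python script shows one way to automate the curation step described above: it normalizes indicators pulled from several sources, classifies each one as atomic, computed, or behavioral, deduplicates across sources while remembering who reported what, and reports the collection metrics a stakeholder would ask for (volume per source, duplicates removed, and how many of an external feed's indicators were also seen internally, which is one way to argue a feed's impact). All source names and indicator values are constructed; the hash and addresses are documentation/test values, not real IoCs.

```python
"""Added example (not from the AttackIQ course): a small IOC curation pass
that normalizes indicators from several constructed sources, classifies them
as atomic / computed / behavioral, deduplicates across sources and emits
metrics that help justify each feed."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample feed rows: (source_name, source_kind, raw_indicator).
# Values are deliberately inconsistent in case/trailing dots to exercise normalization.
SAMPLE_FEED = [
    ("siem-alerts", "internal", "evil-updates.example"),
    ("siem-alerts", "internal", "198.51.100.23"),
    ("siem-alerts", "internal", "d41d8cd98f00b204e9800998ecf8427e"),
    ("vendor-feed-a", "external", "EVIL-UPDATES.EXAMPLE."),
    ("vendor-feed-a", "external", "http://evil-updates.example/payload.bin"),
    ("vendor-feed-a", "external", "D41D8CD98F00B204E9800998ECF8427E"),
    ("isac-share", "external", "203.0.113.7"),
    ("isac-share", "external", "rule:process:dns-lookup-from-office-app"),
    ("vendor-feed-b", "external", "203.0.113.7"),
]

_HEX = re.compile(r"^[0-9a-f]+$")
_IPV4 = re.compile(r"^(\d{1,3})(\.\d{1,3}){3}$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")


def classify(raw):
    """Return (ioc_class, ioc_type, normalized_value).

    ioc_class is 'atomic' (IP, domain, URL), 'computed' (hash) or 'behavioral'
    (a rule describing activity rather than a lookup key)."""
    lowered = raw.strip().lower()
    if lowered.startswith("rule:"):
        return ("behavioral", "rule", lowered)
    if _HEX.match(lowered) and len(lowered) in (32, 40, 64):  # MD5 / SHA-1 / SHA-256
        return ("computed", "hash", lowered)
    if _IPV4.match(lowered) and all(0 <= int(o) <= 255 for o in lowered.split(".")):
        return ("atomic", "ipv4", lowered)
    if "://" in lowered:
        p = urlparse(lowered)
        return ("atomic", "url", f"{p.scheme}://{p.hostname or ''}{p.path}")
    if _DOMAIN.match(lowered.rstrip(".")):
        return ("atomic", "domain", lowered.rstrip("."))
    raise ValueError(f"unrecognized indicator: {raw!r}")


def curate(feed):
    """Deduplicate normalized indicators across sources, recording every source
    (and source kind) that reported each one. Returns {normalized_value: record}."""
    store = {}
    for source, kind, raw in feed:
        ioc_class, ioc_type, norm = classify(raw)
        rec = store.setdefault(norm, {"class": ioc_class, "type": ioc_type,
                                      "sources": set(), "kinds": set()})
        rec["sources"].add(source)
        rec["kinds"].add(kind)
    return store


def collection_metrics(feed):
    """Metrics to report back to stakeholders: volume per source, duplicates removed,
    indicators per class, and per external source the number of its indicators
    that internal telemetry also produced."""
    store = curate(feed)
    per_source = defaultdict(int)
    external_overlap = {}
    for source, kind, _ in feed:
        per_source[source] += 1
        if kind == "external":
            external_overlap.setdefault(source, 0)
    by_class = defaultdict(int)
    for rec in store.values():
        by_class[rec["class"]] += 1
        if "internal" in rec["kinds"]:
            for s in rec["sources"]:
                if s in external_overlap:
                    external_overlap[s] += 1
    return {
        "raw_indicators": len(feed),
        "unique_indicators": len(store),
        "duplicates_removed": len(feed) - len(store),
        "per_source": dict(per_source),
        "by_class": dict(by_class),
        "external_seen_internally": external_overlap,
    }


if __name__ == "__main__":
    for key, value in collection_metrics(SAMPLE_FEED).items():
        print(f"{key}: {value}")
```

The overlap metric is intentionally one-sided: an external feed that only repeats what the SIEM already produced has low marginal value, while one with zero overlap may be either irrelevant or early warning; the number is a prompt for the stakeholder conversation, not a verdict.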
Strive for Impact - The requirements and the collection plan are the roadmap for implementation and impact. Has the team fulfilled the requirements that were collected? Prioritize the work that still needs to be completed. An immediate-impact action is to proactively seek feedback from stakeholders after gathering requirements and assessing the collection plan.
Yield to Feedback - Measure relevance to identify whether intelligence is reaching the right teams. Metrics help set goals. Assess the threat intel program yourself to highlight the team's challenges and successes. Ask what can be done to improve results immediately and which points of the requirements are problematic. Communication is a key component of threat intel. All feedback indicates an adjustment to make.
EASY Framework Template

Elicit Requirements
    Stakeholder(s)
    Requirement Name
    Subject Area
    Business Event
        A trigger that stimulates activity within the business. Many business events occur at the interface point between the business and one of the external entities with which it interacts. Business events must be observable.
    Constraints that must be met to fulfill the requirement
    Primary Actor / Malware / Attack Vector
    Adjacent Threats
    Assets
    Participants
        Members involved in fulfilling the threat intelligence requirement
    Requirement Overview

Assess Collection Plan
    Internal Data Sources
    External Data Sources
    Metrics To Collect
    Process and Technology Gaps
    Areas That Can Be Automated

Strive For Impact
    Metrics To Collect
    Impact to Mission
    Evaluate Collection Plan

Yield To Feedback
    Feedback from stakeholders

Last updated