External Threat Analysis
Hi, this is Dan Klinedinst of the CERT Enterprise Threat and Vulnerability Management team. Recently we've been looking to extend the methodologies from our insider threat research to other sorts of threats. Personally, I'm interested in applying well-known analysis techniques to security data in an automated fashion. The goal is to identify classes of threats and watch how they evolve over time. This analysis will allow organizations to adjust their defenses and resources based on the type of threat they face and the risk it poses to their business or mission.
We're using scientific tools such as statistical models and system dynamics, as well as intelligence analysis techniques--link analysis, pattern analysis, technical analysis, etc. This approach should allow us to create classes of external threats similar to the ones we've defined for insider threats.
There is a lot of data available about attackers. Some of it is available only to the target organization in the form of logs, alerts, and traffic analysis. Some of it is publicly or commercially available, including malware signatures, data dumps, and network meta-information. Attackers are even providing data by tweeting about their targets and techniques these days, often in advance.
We're very interested to hear from others who are doing systematic analyses of threat data over long periods of time. Please send your input to firstname.lastname@example.org. It would be great to develop a common language and protocol for exchanging threat information.