PROBLEM
There are no certainties in Threat Intelligence Gathering and Analysis. Every bit of information you receive should be treated as the author's assertion of the truth – it is not the truth.
Threat Analysts are looking for patterns; looking for commonality; looking for statistical outliers. And when they find something unusual they need to track it in some way for future use and investigation. They are effectively looking at the collection of data that they have received from others and themselves over a multitude of mechanisms, and trying to make sense out of it. They slice it, dice it and try to form new relationships between the objects within it - new 'hypothetical' relationships that range from nearly impossible to purely speculative.
We need to support both the ability to share these more hypothetical relationship possibilities to help the threat analysts speculate, and the ability for the incident responders at the coalface to care only about the immediate threats, giving them what they need to defend their Organization from attack.
At the moment we have the ability to say 'we assert that Object A and Object B are related with low confidence', but we don't have the ability to say 'if Object A was related to Object B then that would mean Objects C, D and E are also related'. If we provided the ability to send out hypotheses and get agreements and disagreements with each hypothesis sent back to the originating Threat Analyst (à la indicator sightings), then that would enable the Threat Analysts to crowdsource 'what-if' scenarios amongst themselves, leading to potentially faster conclusions.
POTENTIAL ANSWER
This could be handled within the relationship object, by somehow acknowledging that the hypothetical relationships are exactly that. Providing a mechanism for separating hypothetical relationships from real 'production-level' relationships will allow people to use only the production-level relationships in their security tools, yet still keep track of the hypothetical relationships and participate in community speculation.
This section goes hand-in-hand with the Investigation Object idea (section 18: "Difficult to group 'possibly' related things during an investigation").
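The following is an added illustration, not code from the original proposal or from any STIX specification. It models the split described above: relationship objects carry a marker that says whether they are hypothetical, security tools consume only the production-level ones, and a 'what-if' hypothesis ("if A relates to B then B-C, C-D and D-E also hold") can be shared, materialised as low-confidence hypothetical relationships, and voted on sighting-style before being promoted. The property name x_hypothetical (following the STIX custom-property prefix convention), the Hypothesis structure and all identifiers are assumptions constructed for this example.

```python
"""Added example: hypothetical vs production-level relationships, plus a
shareable 'what-if' hypothesis that collects agreement/disagreement.
Nothing here is part of STIX; x_hypothetical and Hypothesis are assumed.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Relationship:
    """Subset of a STIX 2.x Relationship SRO plus an ASSUMED custom marker."""
    id: str
    relationship_type: str
    source_ref: str
    target_ref: str
    confidence: int = 50            # STIX 2.1 confidence scale, 0-100
    x_hypothetical: bool = False    # assumed custom property, not in STIX


def production_relationships(rels: List[Relationship]) -> List[Relationship]:
    """What a detection tool or SIEM should consume: speculation is dropped."""
    return [r for r in rels if not r.x_hypothetical]


@dataclass
class Hypothesis:
    """'If the premise holds, these implied links also hold' (invented structure)."""
    id: str
    premise: Tuple[str, str]                  # (source_ref, target_ref)
    implied: List[Tuple[str, str]]            # links that would follow
    votes: Dict[str, bool] = field(default_factory=dict)  # identity -> agrees?

    def record_vote(self, identity: str, agrees: bool) -> None:
        # One vote per identity, the way a sighting is attributed to a reporter.
        self.votes[identity] = agrees

    def tally(self) -> Tuple[int, int]:
        """Return (agreements, disagreements) for the originating analyst."""
        agree = sum(1 for a in self.votes.values() if a)
        return agree, len(self.votes) - agree


def hypothetical_relationships(h: Hypothesis) -> List[Relationship]:
    """Materialise the implied links as low-confidence hypothetical SROs."""
    return [Relationship(f"relationship--hyp-{h.id}-{i}", "related-to", s, t,
                         confidence=10, x_hypothetical=True)
            for i, (s, t) in enumerate(h.implied)]


def promote(rel: Relationship, confidence: int) -> Relationship:
    """Clear the marker once the community agrees; tools will now see it."""
    return replace(rel, x_hypothetical=False, confidence=confidence)


def build_sample():
    """Constructed identifiers and votes; not real threat data."""
    a, b, c, d, e = ("indicator--a", "malware--b", "campaign--c",
                     "threat-actor--d", "infrastructure--e")
    # One asserted, production-level relationship (low confidence, but real).
    rels = [Relationship("relationship--1", "indicates", a, b, confidence=30)]
    # The analyst's what-if: if A indicates B, then B->C, C->D, D->E follow.
    h = Hypothesis("h1", premise=(a, b), implied=[(b, c), (c, d), (d, e)])
    rels += hypothetical_relationships(h)
    h.record_vote("identity--analyst-1", True)
    h.record_vote("identity--analyst-2", True)
    h.record_vote("identity--analyst-3", False)
    return rels, h


if __name__ == "__main__":
    rels, h = build_sample()
    print("all relationships:", len(rels))
    print("production-level:", [r.id for r in production_relationships(rels)])
    print("hypothesis votes (agree, disagree):", h.tally())
```

The point of the split is in production_relationships: an incident responder's tooling calls that and never sees the three speculative links, while the analyst community can still exchange the Hypothesis, vote on it, and call promote on the implied relationships once the tally justifies it.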