
Open Source Release of Intel 471 Intelligence Requirements Framework

Aug 07, 2023

Following years of feedback-driven development and proven success, we’re excited to announce the initial Open Source release of the General Intelligence Requirements (GIR) framework on the GitHub software development platform. This will allow practitioners to ingest the GIRs directly into their organizations’ intelligence platforms and supercharge their threat intelligence programs. The open source release of the CU-GIR framework is provided as Structured Threat Information Expression (STIX) version 2.1 in JavaScript Object Notation (JSON), and the latest iteration of the framework, as well as historic versions, can be accessed directly from our GitHub account.


Three years ago, Intel 471 developed the framework as a baseline tool to assist in organizing, prioritizing, measuring and producing cyber underground intelligence. Central to this framework are General Intelligence Requirements (GIRs). GIRs describe threats and activities that pose risks to organizations – such as malware, vulnerabilities, access brokering, etc. – and the relevant questions around those activities that practitioners should focus on to create actionable intelligence products.

Eventually, the GIR framework was distilled down into the Cyber Underground General Intelligence Requirements Handbook (CU-GIRH). This functional handbook is utilized by Intel 471 and cyber threat intelligence (CTI) practitioners around the globe to assist in operationalizing the GIR framework as the core component for bootstrapping or refining intelligence programs. The handbook is available for download here.

Organizing the Underground

The cybercrime underground economy may appear to be chaotic at first glance, but in fact it’s highly organized. GIRs classify malicious activity and services and provide a framework for collection efforts. This helps practitioners understand what kind of intelligence is most useful for mitigating risk for their organization and how to collect it, as well as how to measure whether collection efforts have resulted in intelligence that reduces risk.

Intel 471 has used GIRs internally to organize our collection efforts to ensure that the intelligence needs and requirements of our clients are satisfied. Each Intel 471 deliverable – such as a report on malware, a data breach or a new ransomware variant – is tagged with the applicable GIR or GIRs and automatically highlighted to clients who have prioritized those GIRs for collection. For our clients, the GIRs are a central component used to plan collection and build productive intelligence programs that mitigate risk and demonstrate value.

GIRs: Ready-Made Intelligence Requirements

Intel 471’s GIRs are inspired by intelligence frameworks used by the U.S. military. The U.S. Marine Corps Intelligence Activity has long used GIRs to assist human intelligence (HUMINT) collectors in the physical areas they operate, such as urban or mountainous environments. Collectors use a set of prescribed GIRs as a baseline tool to spot and assess collection opportunities against common observables they might encounter in the field.

We can do the same for the cybercrime underground. The GIR framework allows for consistent and standing coverage of commonly observed and generalized threats to industries, sectors, supply chains and geographic areas of interest. Each GIR maps to typical stakeholders and use cases where CTI teams need to produce intelligence. GIRs are essentially ready-made intelligence requirements that can be used to bootstrap discussions with your stakeholders. When content is marked or tagged with a GIR, it means that it fills a gap in knowledge. GIRs are organized in a nested tree structure under the following six categories:

GIR #1 - Malware

GIR #2 - Vulnerabilities and Exploits

GIR #3 - Infrastructure

GIR #4 - Fraud, Identity Theft and Unauthorized Access

GIR #5 - Adversary Tactics and Activities

GIR #6 - Threats Impacting Industry or Region

Take GIR #1. Under Malware, there are 16 subcategories that describe different kinds of malware. An information security practitioner may look at the list and decide that information-stealer malware (infostealers) – which is one prevalent kind of malware distributed in spam – is an organizational priority and begin focusing intelligence collection efforts toward infostealers.

Much more robust than a simple tag

An important aspect of GIRs is the essential elements of information (EEIs). EEIs are the basic questions that need to be answered for a particular collection requirement - the who, what, when, where, why and how. Analysts will address these questions in a report or deliverable to satisfy a particular stakeholder use case. For example, the EEIs for the “Malware variants” GIR are:

To narrow down even further, the EEIs for the “Information-stealer malware” GIR are:

Note that the EEIs are inherited from the parent GIR.

How GIRs Drive an Intelligence Program

GIRs can be used to gauge what intelligence is of most interest to practitioners. By surveying stakeholders, such as the chief information security officer (CISO) or security operations personnel, a chosen subset of GIRs can be turned into Priority Intelligence Requirements (PIRs). PIRs guide an organization’s intelligence collection for each individual stakeholder while remaining manageable at an enterprise-wide scale.

The PIRs from various stakeholders can be recorded in a master PIR Collection Register. The PIRs in the Collection Register can then be scored, ranked and combined into a master list that becomes the Collection Guidance. This is the consolidated list of PIRs that are most important to an organization.

The Collection Guidance is used to develop a Collection Plan. The plan describes how analysts can collect the intelligence necessary to fulfill the PIRs - what coverage is needed, what vendors and suppliers can help, what data feeds are required and what team expertise is imperative. The Collection Plan includes sources and methods for collecting data, such as cyber underground monitoring, indicator feeds, credential monitoring and more.

The end goal is to deliver strategic, operational and tactical intelligence products that routinely satisfy your organization’s PIRs. One output could be in the form of a Monthly Intelligence Report for senior management.

For more help on operationalizing the GIRs as a central component to your intelligence program, download the GIR handbook or sign up here to attend an upcoming virtual Intelligence Planning Workshop hosted by Intel 471.

Technical Details

The current version of the CU-GIR framework uses STIX version 2.1, and each GIR is mapped to STIX Domain Objects (SDOs) in the following ways:

  • Top-level GIRs are of the SDO type Grouping.

  • GIR #1 (Malware) – SDO type Malware.
    • Malware tools are of the SDO type Tool.

  • GIR #2 (Vulnerabilities and Exploits) – SDO type Vulnerability.

  • GIR #3 (Infrastructure) – SDO type Infrastructure.

  • GIR #4 (Fraud, Identity Theft and Unauthorized Access) – mixed SDO types.

  • GIR #5 (Adversary Tactics and Activities):
    • All GIR tactics, techniques and procedures (TTPs) are of the SDO type Attack Pattern.
    • Where applicable, each Attack Pattern has been linked, via external reference, to MITRE ATT&CK IDs and/or kill chain phases.

  • GIR #6 (Threats Impacting Industry or Region):
    • Regions are of the SDO type Location.
      • Each country is linked to its respective ISO 3166-1 alpha-2 code.
    • Industries and Sectors are of the SDO type Identity.

  • Extra information for each GIR has been linked in the following way:
    • Stakeholder information – SDO type Note.
    • Courses of Action – SDO type Course of Action (Mitigates).
      • EEIs – SDO type Note, linked to Courses of Action.
    • Common Use Cases – SDO type Course of Action (Investigates).

  • Child GIRs inherit extra information from their parents through the STIX Relationship Object (SRO) type Relationship.
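As an added example (not Intel 471’s code and not part of the GitHub release), the following Python shows how a consumer would walk a bundle built on the mapping above: it indexes a constructed mini-bundle, resolves a child GIR’s EEI Notes together with those inherited from its parent via a Relationship SRO, and pulls MITRE ATT&CK IDs from an Attack Pattern’s external references. The relationship type `derived-from`, all object ids, the EEI question text and the attack pattern are assumptions made for the example.

```python
import json

def sid(typ, n):
    """Deterministic STIX id for the sample; these UUIDs are constructed, not Intel 471's."""
    return f"{typ}--00000000-0000-4000-8000-{n:012d}"

def sdo(typ, n, **fields):
    """Minimal STIX 2.1 object with the common properties filled in."""
    return {"type": typ, "spec_version": "2.1", "id": sid(typ, n), **fields}

# Constructed mini-bundle following the post's mapping: Grouping -> Malware SDOs,
# EEIs as Note SDOs, child-to-parent link as a Relationship SRO (type assumed).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": sid("bundle", 0), "objects": [
    sdo("grouping", 1, name="GIR #1 - Malware", context="unspecified",
        object_refs=[sid("malware", 1)]),
    sdo("malware", 1, name="Malware variants", is_family=False),
    sdo("malware", 2, name="Information-stealer malware", is_family=False),
    sdo("note", 1, abstract="EEI", content="Who authored or operates the malware?",
        object_refs=[sid("malware", 1)]),
    sdo("note", 2, abstract="EEI", content="Which credentials and browsers are targeted?",
        object_refs=[sid("malware", 2)]),
    sdo("attack-pattern", 1, name="Credential theft from browsers",  # illustrative
        external_references=[{"source_name": "mitre-attack", "external_id": "T1555.003"}]),
    sdo("relationship", 1, relationship_type="derived-from",
        source_ref=sid("malware", 2), target_ref=sid("malware", 1)),
]})

def load_objects(bundle_text):
    """Index every object of a STIX 2.1 bundle by its id."""
    return {o["id"]: o for o in json.loads(bundle_text)["objects"]}

def parents(objs, gir_id, rel_type="derived-from"):
    """Return all ancestor GIR ids by walking child->parent Relationship SROs."""
    seen, stack = set(), [gir_id]
    while stack:
        cur = stack.pop()
        for o in objs.values():
            if (o["type"] == "relationship" and o["relationship_type"] == rel_type
                    and o["source_ref"] == cur and o["target_ref"] not in seen):
                seen.add(o["target_ref"])
                stack.append(o["target_ref"])
    return seen

def eeis(objs, gir_id):
    """(GIR name, question) pairs: the GIR's own EEIs first, then inherited ones."""
    chain = [gir_id] + sorted(parents(objs, gir_id))
    return [(objs[g]["name"], n["content"]) for g in chain for n in objs.values()
            if n["type"] == "note" and n.get("abstract") == "EEI" and g in n["object_refs"]]

def attack_ids(objs, pattern_id):
    """MITRE ATT&CK ids carried as external references on an Attack Pattern SDO."""
    return [r["external_id"] for r in objs[pattern_id].get("external_references", [])
            if r.get("source_name") == "mitre-attack"]
```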

Final Thoughts

Our intention with releasing the GIRs as an open source project is to extend the capabilities of threat intelligence teams with a framework and methodology that ultimately improves outcomes for practitioners and stakeholders. This will be an evolving project, since we will continue to update the GIRs periodically as the cyber underground evolves. We’re also interested in feedback. If you have suggestions or ideas for improvement, contact us at gir-suggestions@intel471[.]com.