CMF
Your Collection Management Framework (CMF) manages your data sources, and measures their maturity
Collection Management Framework
The Collection Management Framework (CMF) is a tool to understand what data sources you currently use in your threat intelligence program, and the value you gain from those sources.
Use with Intelligence Requirements
When developing your Intelligence Requirements (IRs), it’s helpful to know which data sources would enable you to answer the key intelligence questions in the IRs; this is where the CMF comes into play. With your CMF, you can quickly and easily determine whether you possess the right data in your environment to confidently answer the questions in the IRs.
Use with Threat Hunts
Similarly, when conducting your threat hunts, it’s important to know what data sources you have at your disposal, since that tells you quickly whether you’ll be able to detect or find the information you are after. If a new detection rule is released for an RCE vulnerability and it requires PCAP data, you can quickly tell whether you currently have PCAP collection; if not, you’ll know you probably won’t be able to successfully hunt for this activity.
As with IRs, measuring your sources against their use will help you prioritize which sources get matured. Using both IRs and hunts as input will help you determine which sources are the most critical.
Maturity Model
Alongside the CMF lives the Maturity Model, a tool to measure the stage at which you are utilizing each source in your CMF. This ranges from immature phases, such as one-off queries through the CLI or ad-hoc queries in the UI, to more advanced maturity levels where automated processes are in place to utilize the dataset.
Look at which sources are utilized most in your IRs; this will help you prioritize leveling up the sources that are heavily used but less mature, ahead of more mature sources that are not typically used.
Maturity Model Levels
These levels are taken from this blog, which lists the various areas of maturity for each data source. More succinctly, the following guidelines are used when defining sources; however, how you define these is up to you.
Initial
We can query the dataset ad-hoc through the GUI or CLI. Useful for data enrichment
Repeatable
The data source is readily available to use through internal toolset
Defined
There is clear documentation on how to use the data source as well as SOPs in place for using the data
Managed
Metrics inform the quality of data we are getting from the collection source
Optimizing
We are able to innovate and enable new methods of pivoting and searching with the collection source
Collection Sources
Under the Collection menubar item is Collection Sources. In this tab you’ll find all the data sources contained in your CMF, as well as two helpful dashboards: “Top Sources Utilized in Intelligence Requirements” and “Top Sources Utilized in Threat Hunts”. Each of these graphs shows you which sources are being used in its respective area.
Using these graphs you can quickly understand which sources are being used the most, which typically informs what sources you should prioritize maturing.
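As an added illustration (not part of this page or the tool’s own code), the following Python models a small CMF and the two uses described above: checking whether the sources a new IR or detection needs exist in the CMF (the PCAP case), and ranking sources for maturation by how heavily IRs and hunts use them relative to their Maturity Model level. All source, IR and hunt names are constructed, and the usage-times-gap score is an assumed heuristic, not the tool’s.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Maturity levels in the order the page lists them, least mature first.
MATURITY = ["Initial", "Repeatable", "Defined", "Managed", "Optimizing"]

@dataclass
class Source:
    name: str
    maturity: str

@dataclass
class Consumer:
    """An Intelligence Requirement or a threat hunt and the sources it needs."""
    name: str
    sources: list[str]

def usage_counts(consumers: list[Consumer]) -> Counter:
    """Count source references, like the 'Top Sources Utilized' dashboards."""
    return Counter(s for c in consumers for s in c.sources)

def missing_sources(required: list[str], cmf: list[Source]) -> list[str]:
    """Which sources a new IR or detection needs that the CMF does not hold."""
    have = {s.name for s in cmf}
    return [r for r in required if r not in have]

def maturation_priority(cmf, irs, hunts):
    """Rank sources: heavily used but immature first (assumed score: usage x gap to Optimizing)."""
    usage = usage_counts(irs) + usage_counts(hunts)
    rows = []
    for src in cmf:
        gap = len(MATURITY) - 1 - MATURITY.index(src.maturity)
        rows.append((src.name, usage[src.name], src.maturity, usage[src.name] * gap))
    return sorted(rows, key=lambda r: (-r[3], -r[1], r[0]))

# Constructed sample CMF and consumers (hypothetical names, not real data).
CMF = [Source("EDR telemetry", "Managed"), Source("DNS logs", "Repeatable"),
       Source("Proxy logs", "Initial"), Source("Vendor threat feed", "Defined")]
IRS = [Consumer("IR-1", ["EDR telemetry", "DNS logs"]), Consumer("IR-2", ["DNS logs", "Proxy logs"])]
HUNTS = [Consumer("H-1", ["EDR telemetry"]), Consumer("H-2", ["DNS logs", "Proxy logs"]),
         Consumer("H-3", ["Proxy logs"])]

if __name__ == "__main__":
    # The PCAP check from the text: a hunt that needs PCAP cannot run against this CMF.
    print("missing:", missing_sources(["PCAP", "EDR telemetry"], CMF))
    for name, uses, level, score in maturation_priority(CMF, IRS, HUNTS):
        print(f"{name:20} uses={uses} level={level:10} priority={score}")
```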