The DML Model for Threat Intel

While taking part in the most recent SANS CTI Summit via Twitter, I was introduced to the Detection Maturity Level (DML) model created by Ryan Stillions (@ryanstillions) back in 2014. The model still stands as one method of measuring your organization’s intelligence maturity in detecting and responding to attacks.

In the original post Ryan starts out by defining the DML and then dives into the eight different levels — Goals, Strategy, Tactics, Techniques, Procedures, Tools, Host & Network Artifacts, Atomic Indicators, and None or Unknown. He then covers four use cases, including “Providing a Lexicon for Easier Communication,” “Assessing Your own Detection Maturity,” “Assessing the Maturity of a Security Product or Service Provider,” and “Providing More Context to Your Analysts.”

Some of the more interesting take-aways include incorporating TTPs and showing maturity graphically. TTP is a buzzword (or buzz-acronym, I guess) thrown around the industry a lot, and this model not only defines TTPs in terms of cyber intelligence but also shows how they fit into the DML model. Of the use cases, the two on assessing your organization and vendors are especially insightful in how they graphically depict maturity.

For those interested in exploring threat intelligence more or just filling some knowledge gaps, Ryan’s post is a must-read. You can learn more about the DML model here.


Today’s post pic is from Postulations after Great Cogitation. See ya!

