While taking part in the most recent SANS CTI Summit via Twitter, I was introduced to the Detection Maturity Level (DML) model created by Ryan Stillions (@ryanstillions) back in 2014. The model still stands as one method of measuring your organization’s intelligence maturity in detecting and responding to attacks.
In the original post Ryan starts out by defining the DML and then dives into the eight different levels — Goals, Strategy, Tactics, Techniques, Procedures, Tools, Host & Network Artifacts, Atomic Indicators, and None or Unknown. He then covers four use cases, including “Providing a Lexicon for Easier Communication,” “Assessing Your own Detection Maturity,” “Assessing the Maturity of a Security Product or Service Provider,” and “Providing More Context to Your Analysts.”
Some of the more interesting take-aways include incorporating TTPs and showing maturity graphically. TTP is a buzzword (or buzz-acronym I guess) thrown around the industry a lot, and this model not only defines them in terms of cyber intelligence but also shows how they fit into the DML model. Out of the use cases, the two on assessing your organization and vendors are especially insightful in how they graphically depict maturity.
For those interested in exploring threat intelligence more or just filling some knowledge gaps, Ryan’s post is a must-read. You can learn more about the DML model here.
Today’s post pic is from Postulations after Great Cogitation. See ya!