
Introduction
Course Description
This course is designed to enable organizations, to build and operationalize a Cyber Threat Intelligence (CTI) program based on their specific needs, requirements, and budget. In addition to leveraging existing internal sources, an effective CTI program will add pro-active component to threat monitoring, as well as detection and response efforts. That way organization can be one more step ahead in defending against emerging cyber threats.
As each organization varies in terms of size, capabilities, budget, there is no ‘one-size-fits-all’ solution when it comes to CTI. While Intelligence aggregation and correlation tools are nice to have, they are only required if they satisfy an Intelligence Requirement, use case or other internal need. CTI programs do not need to be overly expensive or complex, as long as they are designed to support organizational intelligence objectives.
Topics include:
Asset Discovery
Risk Assessment and Threat Modelling
Intelligence Requirements (and dependencies)
Collection Plans
Courses-of-Action (CoAs)
Intelligence Products and Reporting Metrics.
Please Note: This course is intended to address requirements, setup and operations of a CTI program.
This course is not intended to address analytic or other investigation techniques.
Course Objectives
Upon completion of this course participants will be able to:
Discuss the key concepts behind CTI.
Outline the steps required to establish a CTI program.
Create intelligence requirements and supporting CTI processes.
Understand key tools and technologies that can be used to automate CTI operations.
Produce actionable intelligence products that can be integrated and/or distributed with various teams, stakeholders and tools.
Identify and implement appropriate Courses-of-Action to defend against threats that have the potential to negatively impact the organization.
Produce key operational performance metrics that highlight the activities and the efficiency of the CTI team.
Program Maturity
As this course focuses on building CTI capabilities for an organization, we first have to focus on establishing basic processes and procedures”.
As your CTI program operates and evolves, the basic processes and procedures will start to mature through fine-tuning repeatable processes, enhanced tools, and automation.
The maturity process typically automates labour intensive tasks which result in the ability for analysts to take on, or otherwise develop, additional tasks and intelligence products that would benefit the organization.
A fully mature CTI program is highly efficient and leverages a high-amount of automation and tools that are integrated into other security tools or lines of business.
CTI capabilities have vastly expanded to support other teams such as Threat Hunters, Red/Blue Team, Malware Reverse Engineers
Data processing and enrichment capabilities with a very low false positive rate.
Introduction of Cyber Threat Intelligence
Unit Objectives
Upon completion of this unit participants will be able to:
Understand key concepts behind CTI, its benefits and capabilities, and how these can be used to compliment an organizations’ existing security operations.
Compare and contrast different types of adversaries (and their objectives) that have the potential to target your organization.
Discuss the success factors related to an effective CTI program.
Understand basic concepts and terminology associated to CTI including but not limited to ThreatCon, Cyber Threat Kill Chain, Traffic Light Protocol (TLP), and the Intelligence Life Cycle
What is Cyber Threat Intelligence (CTI)
CTI leverages internal and external data to analyze and understand threats that can negatively impact an organization.
CTI allows organizations to pro-actively make informed decisions that will enhance their defensive capabilities against threat actor’s activity.
CTI achieves this through:
Structured analysis and assessment of potential threats with the ability to impact your organization.
Courses-of-Action that can be used to detect, discover, and block potential threats affecting your environment.
Targeted Intelligence products (strategic, tactical, technical, and operational) which
can be consumed by various internal teams and security tools.
Listed are a few significant vulnerabilities of the past ~2 years.
From a CTI perspective organizations should know:
Is this vulnerability in our environment?
Are we already compromised?
What tools can I use to find out if I am affected
What do I need to identify this (i.e. signatures)
What security controls does our organization have in place to defend against these types of attacks
What remediation efforts can we implement
What stakeholders needs to know about this
References:
https://thenewstack.io/30-of-apache-log4j-security-holes-remain-unpatched/
https://arstechnica.com/gadgets/2021/07/microsoft-discovers-critical-solarwinds-zero-day-under-active-attack/
https://techcrunch.com/2022/03/23/okta-breach-sykes-sitel/
Integration across teams
CTI leverages a holistic organizational approach to cyber-security by interfacing
with several internal teams.
This structure allows for the sharing of internal data and intelligence between teams to identify security gaps that may pose a cyber risk. This allows for CTI to provide the necessary support, intelligence and recommendations to assist in the reduction of risk, and mitigation of cyber threats.
CTI Team Support:
Privacy: Identify the disclosure or potential sale of sensitive information from affected organizations,
whom have recently been breached or compromised.
Incident Response: In the event of an incident, breach or compromise affecting organizations (directly or indirectly), Threat Intelligence can provide support through in-depth data enrichment based on the artifacts and information that have been identified.
Vulnerability Management: Monitor for recently exploited vulnerabilities affecting organizations technology stack and provide awareness and recommendations to the appropriate internal teams.
IT and Infrastructure: Leverage Threat Modelling to understand cyber threats and trends targeting the organizations sector and identify security enhancement that can be implemented to reduce risk.
Application Support & Development: Leverage Threat Modelling during the application development and Secure Software Development Lifecycle (SSDLC) process to provide a holistic approach to cyber threats and techniques used by threat actors that may be used to target organizations applications, and provide strategic recommendations during the development process.
Project Planning and Internal Initiatives: Identify the context of key components within internal projects and initiatives and assess the potential threats that may be applicable.
What is NOT CTI
SOLELY Indicators of Compromise (IOC) FEEDS
Some security professionals believe Threat Intelligence is IOC Feeds into their SIEM.
While this is a component of Threat intelligence there are many other services and products CTI can provide other then Intelligence Feeds (IOCs) !
Simple news outlets monitoring
Security news and information is “interesting”, but is it also relevant to your organization?
Don’t waste time on irrelevant threats, or personal research requests
Rule of Thumb: If you cannot report on it you do not do it
What makes a successful CTI program
Executive buy-in
Support and interest from the executive management tier in an organization to pursue threat intelligence activities is a key component of any successful CTI program.
This will provide clear direction and required funding for:
Staffing resources
Hardware / Software - intel tools, community memberships, data/service/portal subscriptions
This will help in the planning and preparation stages of the CTI program
Can help shape the CTI team organization structure
Full Time Employee (FTE) count and their utilization
Develop roles and responsibilities of the new positions
Supports intelligence requirements and their development
Supports decisions regarding the acquisition of tools and other paid resources.
Timely and actionable intelligence products:
Good Operational Security (OPSec):
Operational Security can be broken down into 2 main aspects:
Protecting organizational assets during investigations
When investigating malware samples, you do not want to accidentally execute the malware and compromise your system or any other systems on your corporate network.
Be cautious when using public sandboxes and online tools (i.e. VirusTotal, any.app.run, Hybrid Analysis)
Sensitive information could be publicly disclosed as part of the analysis report
Prevent Threat Actors from knowing you are investigating them
Investigating a suspected threat actor from a personal LinkedIn account
You will show up in their “Viewed Your Profile” notifications and will tip them off that you are on to them.
Use a VPN** to hide your personal public IP Address
If you access a threat actor’s infrastructure or websites, your IP address will show up in their logs.
Use Sock Puppet* social media accounts during investigations
* Sock Puppet - social media accounts are accounts of fake individuals with completely fabricated profiles. In using these profile, any digital footprints that may be left lead back to a random profile completely unattached from any investigator or organization.
** VPN - My personal favourite for a VPN service is Private Internet Access (PIA). PIA provides its users with the ability to have public IP addresses from almost all countries around the world and you are able to easily change this through a click of a button within their app. Setup and Installation were very easy, and just had to download an install the PIA application and enter your username and password.
Click the image link below for more details on this service.
Please Note: this is an affiliate link and any purchases made through the link above are appreciated and will help support course creation, management and support.
Metrics and Reporting
With executive buy-in, the CTI team will need to report on performance, operational efficiencies, and the value it brings by reducing risk to the overall organization
Metrics should be meaningful, in the form of Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)
Provide insight into the Cyber Threat landscape and help support strategic decisions and direction regarding security
Emphasize initiatives and controls in place to reduce risk to the organization
Highlight improvements to operational efficiencies and detection capabilities
Be concise, easily interpreted and highly visual
Feedback from consumers and stakeholders
As the CTI team produces products and services the only way to improve on these is through feedback from your consumers.
This feedback should address:
Additional use-case and new products
Address suggestions to reduce the false positive rate of detection signatures
Enhancements to product formats in order to streamlined the products ingestion into security tools.
Data enrichment that could be used to enhance the quality of products
Try to meet with your stakeholders on a regular basis to discuss the performance and effectiveness of CTI products and services.
This will help improve and mature the overall CTI program and operations.
What you should know when developing a successful CTI program - Part #1
Types of cyber threats that can affect your organization
What are your security capabilities
When creating an Intelligence product, you need to understand what capabilities there are, and how the recipients can ingest and use CTI products and/or services. At the same time data sources could assist the CTI team build better products.
Key questions for an organizations IT, Network, Security team(s), etc…:
What do you have visibility into within your organization?
Application logs / network traffic / user activity / other endpoint logs
Can these be shared?
What security tools, technologies does the organization have?
Endpoint Detection and Response (EDR), Intrusion Detection System/Intrusion Prevention System (IPS), Security Information Event Management (SIEM), Web-Application Firewall (WAF), Data-Loss Prevention (DLP)?
Can you add custom detection rules?
What capabilities do the security tools have?
Can you add custom rules, search for lists of data?
Could you integrate with these Application Programmable Interface (API)?
Know Security Subject Matter Experts (SME) within the organization
What intelligence and/or products could the CTI team provide to them?
What information could they provide when investigating a threat?
What you should know when developing a successful CTI program - Part #2
Who are your competitors and supply-chain
Your competitors and supply-chain, although not directly associated with an organization's operation, could still impact an organization if they have been compromised.
If competitors are compromised, this could be a precursor to other emerging threats/attack within your industry.
If your supply-chain or other partners are compromised (i.e. SolarWinds) this could lead to an attack and/or other operational issues, or information disclosure of your sensitive data and/or processes via these attack vectors.
Common questions when addressing the industry wide threat landscape and your supply-chain / competitors:
What threats are your competitors and supply-chain experiencing?
Have they been compromised (if so how)?
How would your organization be affected?, Could the same threat affect your organization?
Can you work together?
Share between competitors or supply-chain (Trusted Circles)
Small/select number of organizations share information amongst each other.
Industry Information Sharing and Analysis Center (ISAC)
High number of organizations within an industry (i.e. Retail, HealthCare, Financial Services, Energy) participating in the sharing of threat information and other industry threat workgroups.
Other organization groups
Community Slack/Discord channels, mailing lists, etc…)
Who are your customers
Customers who have had a negative experience or have found means to take advantage of an organization may be posting comments and discussing this online.
There are many open and online platforms facilitating conversations about your organization
What is the general population and your customers saying about your organization?
Is sentiment of these conversations positive/negative?
Where are these conversations taking place?
Social Media: Reddit, Facebook Groups, Twitter, YouTube, etc…
Online and Dark Web Forums
Do these conversations pose any threat to your organization?
Exploit in your product or service (i.e. password sharing, hack to unveil addition features)
Exploit the return/exchange policy (i.e. return fraud)
Sale of fake/knock-off products (i.e. unauthorized reproduction)
Physical threats (i.e. Protests, Activism, etc…
Who are your adversaries
There are numerous types of adversaries that may target your organization with malicious intent. When identifying what type of adversaries may target your organization each of the following should be reviewed and assessed to determine applicability to your organization.
What you should know when developing a successful CTI program - Part #3
The Cyber Threat Kill-Chain
The Traffic Light Protocol (TLP)
Source: https://www.us-cert.gov/tlp
Example: SANS ThreatCon
A ThreatCon, is a rating system used to measure threat exposure of the Global, National and Industry threat landscapes.
Many different types of organizations measure the ThreatCon level such as security vendors, Information Sharing and Analysis Center (ISACs) and Communities, and Governments.
Example: Symantec ThreatCon, Sans Institute, United States DefCon (Defense Condition)
Each ‘Con’ has its own niche, such as the SANS InfoCON which is a cyber-security focused threat condition, others may pertain to physical threats, military readiness, or defense posture.
Source: Infocon - SANS Internet Storm Center
The intelligence lifecycle
The Intelligence Lifecycle describes the process of how intelligence and other information is collected and analyzed in order to produce intelligence products.
This lifecycle contains the following 5 steps to produce intelligence products and/or services:
Planning and Direction
Collection
Processing
Analysis and Production
Dissemination
The feedback component of this lifecycle is a contributing factor in determining the success of the threat intelligence program.
Based on client feedback you will be able to tune your Intelligence Requirements, support the evaluation of your intelligence products and/or services as well as their associated sources.
What resources do I need
The resources you need will depend on your intelligence requirements, and the maturity of your CTI program.
Primarily resources fall into 2 categories:
Technical Resources
Data (paid intelligence services, data, and feeds)
Tools (Commercial or Open-Source)
Infrastructure Costs (Systems and environments to run tools and conduct investigations)
Human Resources (people doing the work)
These can be internal or external (outsourced) teams
Data
CTI data can come from anywhere, as long as it is relevant to your Intelligence Requirements.
Data could be from publicly available open-sources (OSINT), Commercial (i.e., Recorded Future, SiloBreaker, Intel471, ISACs), or internally generated logs and data (i.e. application / system logs.
Open-Source (free) – requires additional tools/effort to vet and enrich in order to be useful.
Good starting place for most intelligence requirements.
Commercial data / platforms - typically already vetted, structured, and/or enriched.
As intelligence requirements mature commercial data / platforms are a great way to streamline and automate Intelligence requirements activities.
Internal data - great source of information as it costs nothing
Shows direct insight into what your applications, networks and systems are seeing.
When starting out, for most intelligence requirements open-source data typically
works fine
If your CTI team is fairly new there may not be a need for an upfront additional expense.
Tooling
In order to receive or generate data some type of tool is required.
These could be as simple as an internally developed PowerShell script, open-source tools from Git-hub, or even free online services.
On the other hand, expensive and complex tools such as Dark Web services, or Threat Intelligence Platforms (TIP) could also be used, yet the right tool is one that suites your needs and produces actionable output, inline with your intelligence requirements.
Multiple tools may be required as based on your intelligence requirements, which is absolutely fine, as long as they are effective, and the benefit outweigh the cost of the tools.
Tools do not produce CTI products or services on their own. Tools produce an output that needs to be reviewed and analyzed by intelligence analyst, which in turn produce the intelligence products.
Remember:
The success of the CTI products and services is determined by the value your team and analyst brings to the organization to reduce risk, and not the tools you are using. It is possible to have very expensive tooling, and completely misuse or misinterpret the data its provides rendering the tool ineffective and a waste of money.
Infrastructure
When using tools, they will have to be run from some type of system computer.
Most useful Intelligence tools are Linux based and can be run on a Linux Desktop / Server with 20 GB HD, and ~4 GBRAM works well.
Virtual environments can also work well such as a virtualized server or desktop within your environment (i.e. VMware / VirtualBox) or cloud infrastructure (AWS, GCP, Azure, etc…).
It is best to run your tools, scripts and Intelligence programs on a separate system and on a segregated network.
This way in the event that something goes wrong with these tools, or a malicious
link was clicked on these systems it will not impact any other device on the
corporate network.
Human Resources
The human resources required for the CTI team depend on the scope of your intelligence requirements and your budget.
These roles can be filled internally through Full Time Employees (FTEs), internal contractors, or leveraged third-parties Teams such as Managed Security Service Providers (MSSPs), or other Threat Intelligence Vendors.
Resources do not need to be 100% utilized to CTI operations. If required, the operations may only require 0.25 – 0.50 of an FTEs.
For a successful CTI team it is best to have team members with a variety of experience and expertise.
Summary
During this unit we discussed:
The key concepts behind CTI, including its benefits and capabilities and how these could compliment existing security controls and monitoring.
The different types of adversaries (and their objectives) that have the potential to target your organization.
Discussed the success factors related to effective CTI program.
The basic concepts and terminology associated to CTI including but not limited to ThreatCon, Cyber Threat Kill Chain, Traffic Light Protocol (TLP), and the Intelligence Lifecycle.
What is next
Feel free to join us for the next unit in our “Building Cyber Threat Intelligence Capabilities for Organizations” course.
The next unit we be discussing the Discovery phase of this process.
The Discovery phase aids in inventorying sensitive assets within an organization, that could potentially be exposed or otherwise impacted by cyber-based threats.
The inventory list is a key tool in a CTI program, and is will be used to help develop Intelligence Requirements, Collection requirements, and can be used as a reference in determining if emerging cyber threats have the ability to impact the organization.
Discovery Introduction:
Course Overview:
Introduction
Discovery
Risk assessment and threat modelling
Intelligence requirements
Definition
Intelligence sources & collection plans
Courses-of-action, service catalogue, communication Plans and SLAs
Intelligence tools
Operational reporting & metrics
Executive and stakeholder buy-in
Unit Objectives
Upon completion of this unit participants will be able to:
Identify key assets, technologies and data, that support the organizations ability to produce its products or services.
Understand the business context of assets and resources that support critical functions in order to enable organizations to prioritize efforts consistent with internal risk management strategy and business requirements.
Identify stakeholders and internal teams that can benefit from CTI products and services.
Discover data sources within the organization that can assist in cyber threat detection and/or data enrichment capabilities.
Methodology
The discovery phase is one of the most important components of developing a CTI program.
Information collected during this phase, will be used to conduct risk and threat modelling of internal assets which further supports the development of intelligence requirements.
Assets identified act as a reference for technologies and sensitive data associated with the organization.
As we go through the process of building the CTI program, each unit will leverage, and build upon the information and activities that we completed and collected during the Discovery Phase
Discovery Activities
Intelligence discovery consists of listing assets and technologies that are used within the organization.
These assets play an integral part in your organization and if unavailable could pose service or operational issues.
Assets should be organization-specific and include key employees, Domains, Social Media accounts, Service Providers, etc…
A simple Excel or Word Document will work fine for this, as long as the data can be structured for filtering purposes.
Commercial asset discovery and tracking tools also exist.
The best way to discover key assets within an organization is to meet with Stakeholder to identify:
Assets, Crown Jewels, Critical Systems/Technology, Critical Data, key brands/products, etc…
Establish SME contacts for various lines of business, who can support discovery initiatives.
Identify stakeholders with internal data sources that could be leveraged for detection capabilities, and/or enrichment for Threat-Intelligence Services.
Where else can Cyber Threat Intelligence compliment other security teams?
Each Line of Business may have their own unique corporate assets including:
Digital assets (Websites, Proprietary Applications, Processes, Algorithms)
Physical assets (Office Locations, Data Centres, etc…)
Brand and products
Technical assets (Servers, Network Segments, Hardware, Software, etc…)
Social media accounts (Corporate, High Profile employees)
Dependencies: Service providers (ISP, Telco’s, Domain/Hosting etc…)
Corporate crown jewels*
Depending on the assets you are trying to identify and where they are located there may be automated tools that can assist within this enumeration and data collection (i.e. nmap to scan devices on the network to enumerate their Operating System)
*Crown Jewels – the organizations most sensitive possessions
Data Collection - Part #1
Company Details
Gathering company details is a good method to start creating a keyword list to help detect targeted
potential threats.
This includes but is not limited to:
Names, Address, Phone Number, Industry/Sector, Subsidiaries, Competitors, Brands, Products, Dependencies, Intellectual Property, etc.
The above details will assist in understanding the full operating model and the overall business context of the organization and provide a useful reference for Cyber Threat Intelligence Operations.
Generally, these details would not have any type of logs or other type of visibility that could be leveraged as a data source.
Depending on your Intelligence Requirements monitoring typically would leverage external sources.
Critical component of an organization
Next step is to identify the critical assets, processes and technologies.
This helps the CTI team become familiar with the mission critical aspects of the organization.
Helps the CTI team understand the underlining motivation of the threat actors in obtaining sensitive information and potentially disrupt operations.
These assets, processes, and/or technologies may have logs that the CTI team could leverage as data sources for threat hunting or other data enrichment activities.
Technical components of an organization
We now dive deeper into the technical details of the organization and focus more on the infrastructure, network/security tools, and applications that the company regularly uses.
At the very start check if your organization already has hardware/software inventory application, as this would be an excellent place to start and expedite the discovery process.
When you are collecting this data, you want to be sure that you capture as much information details as possible, such as software versions.
Many of these assets generate logs (specific to their role) and outputs, or have other capabilities to ingest threat intelligence as well.
Best to keep a note of these so it can be referenced later.
Domains used by an organization
Organizations typically own at least one Domain, if not several.
These could include but not limited to:
Current Domain Name
Historical Domains (i.e., after corporate rebranding or acquisitions)
Product Based Domains
Promotional and Event Domains
Some of these may have been used for a brief period only but could still be utilized by a threat actor.
By keeping a record of corporate domains, they add a key piece of information
that can be used for detection purposes.
Social media accounts of an organization
Understanding the organization’s Social Media accounts will allow the CTI team monitor for spoofed Social Media Accounts of the organization.
Threats associated with an organizations social media accounts:
Social Media spoofing to promote fake news, malicious links.
Targets for malware delivery and installation.
Credential Phishing
Selling Fake Goods
Data Collection - Part #2
Key people
Understanding the employee pyramid structure within an organization, especially the higher echelon of decision makers, will allow the CTI Team to monitor for spoofed social media accounts associated with these important individuals.
Threats affecting these key people could include but not limited to:
Social Media spoofing of these identities to promote fake news.
Targets for malware delivery and installation.
Credential Phishing to gain access to the corporate environment
Business Email Compromise (BEC) / False Invoice Scams – Sending money to false accounts
The matrix below, is a simple risk matrix noting the possible risk level of internal teams based on positions. This is a simple way to understand who should included as part of this list. This should be a manageable list and not include every employee within a team.
Service providers
Services providers are essential to any organizations, yet any threat targeting them could directly or indirectly impact you as well.
In listing out essential services providers for an organization, the CTI team can understand the organization’s dependencies and its supply-chain channels.
In the event of a major service disruption this could severely impact your operations, processes and or tasks.
Through monitoring service providers of potential adversarial events (i.e. data breach or other cyber-security event) that can negatively affect your organization, the CTI team can pro-actively respond to potential privacy and/or security incidents.
Attack/incident history and other keywords
Other information that could be used for additional Intelligence monitoring are details regarding historical security incidents.
Some of these keywords may not be directly related to your organization but can be used to monitor for changes in the threat landscape and other emerging threats that may impact your organization, and/or industry.
Additional monitoring using these keywords can pro-actively identify threats affecting industry vertical, competitors, supply-chain.
The goal is to take appropriate action, raise internal awareness and defend proactively identified cyber-threats.
Action Items:
Establish SME contacts for various lines of business, who can support discovery initiatives.
Identify which lines of business have internal data sources that could be leveraged for detection capabilities, or enrichment.
Discover and document key assets within your organization through stakeholder interviews, automated scanning, corporate documentation etc…:
Digital Assets (Websites, Proprietary Applications, Processes, Algorithms)
Physical Assets (Office Locations, Data Centres)
Brand and Products (Products & Services)
Technical Assets (Servers, Network Segments, Hardware, Software, etc…)
Social Media Accounts (Corporate, High Profile employees)
Dependencies: Service Providers (ISP, Telco’s, Domain/Hosting etc…)
Corporate Crown Jewels
Summary:
During this unit we discussed:
To identify assets associated with an organization or at high-level within an industry.
How to identify critical key words associated with an organization or industry.
Understand the business context of assets and resources that support critical functions in order to enable organizations to prioritize efforts consistent with internal risk management strategy and business requirements.
Determine stakeholders and internal teams that can benefit from Cyber Threat Intelligence Products.
Discover data sources within the organization that can assist in Cyber-Threat detection and/or data enrichment capabilities.
What is Next:
Feel free to join us for the next unit in our “Building Cyber Threat Intelligence Capabilities for Organizations” course.
The next unit we be discussing the “Risk assessment and threat modelling”, which will assist in identifying the types of threats that could affect the assets that were identified.
Understanding these threats, and how they could affect an organization will assist in developing intelligence requirements also known as CTI use-cases.
Introduction
Course Overview
Introduction
Discovery
Risk assessment and threat modelling
Intelligence requirements
Definition
Intelligence sources & collection plans
Courses-of-action, service catalogue, communication plans and SLAs
Intelligence tools
Operational reporting & metrics
Executive and stakeholder buy-in
Unit objectives
Upon completion of this unit participants will be able to:
Identify threats that have the ability to impact the organizational assets identified within the discovery phase.
Arrange and model high-level threats to identify similar assets at risk if compromised.
Generate data-driven metrics to support the business need and requirements for a CTI program.
Categorize risks and threats to support the development of the Intelligence Requirements in the next unit.
Methodology
This phase leverages the assets identified during the discovery phase and is intended to determine what risks and threats could affect these assets.
Threats and risks that have been identified will form the basis for the organizations intelligence requirements also known as CTI use cases.
Risk assessment and threat modelling
This unit focuses on risk assessments and threat modelling to help visualize the flow identified threats can take to exploit your organization.
This phase is not a full threat risk assessment on the organization or its assets, but a high-level exercise to start to understand what threat scenarios could possibly impact your organization.
By understanding the risks and what assets could be affected this will help support the intelligence requirements in the next phase.
Through this process, data-driven metrics can be generated to help support the business need and requirements for a CTI program.
These metrics can highlight, risk scenarios and other areas of risk that an organization could focus on to establish your intelligence requirements and what monitoring and detection capabilities are required.
The risk assessment and threat modelling is used to identify assets of high risk as well as gaps within existing security controls.
To perform these activities leverage the assets that were identified in the discovery phase and start to model the threats that may impact them.
Include the any risk reduction capabilities, existing security controls, as well as the
likelihood and impact of each associated threat.
Go through each asset and identify associated risks, threats and security controls.
Using the excel template you can go through each section and identify the threat scenarios that impact identified assets.
The right most columns in the spreadsheet are used to indicate what type of security controls are currently in place, and what type of risk reduction and/or visibility that security control provides.
By selecting a risk reduction, likelihood and impact value a risk rating will be generated. The higher the risk the more focus should be placed on these assets.
Each asset may have multiple risks and threats that can be entered as a separate record in the spreadsheet, while some assets may not have any associated threats.
Risk and threat models by category
Threats affecting the organization
The nature of doing business could be a threat in general to any organization, as there are entities out there that may not agree, or want to take advantage of your business.
Examples of these types of threats include but are not limited to:
Threat actors targeting your industry or organization: Maliciouscampaigns directed towards an organization or industry in attempts to obtain sensitive information, or disrupt operations.
Protest / Activist activity organized near business facilities: Physical disruptions around locations could disrupt operations.
Tarnished Brand and/or Reputation: Negative claims with the intent to negatively affect an organization brand or reputation.
Threats affecting critical assets, technologies and process
Every organization has their own “Crown Jewels” that if compromised could significant impact your organizations ability to operate.
Examples of these types of threats include but are not limited to:
Disclosure of Sensitive Information or Intellectual Property: Weaknesses within security systems could be exploited to expose classified information.
Disruption to Critical Systems: Weaknesses within critical systems, could lead to significant disruption for the organization.
Disruption in Supply-Chain: Attacks or disruptions to your supply-chain (raw products or service providers), could result in an indirect disruption to your organization’s operations.
Threats against technical operations
The more technical assets an organization has, the greater the attack surface for a threat actor.
Even the smallest security weakness in any technical device if exploited could result in unwanted or otherwise undesired activity or actions, that could lead to security issues in the future.
Examples of these types of threats include but are not limited to:
Ransomware: Malware, when executed encrypt a victims computer and may have capabilities to spread to other network devices on the network.
Critical and zero-day vulnerabilities: Vulnerabilities that may suddenly emerge and if exploited could pose significant impact to the organization or its operations.
Commodity malware distribution: Distribution of commodity malware to corporate devices such as credential stealers, spam bots, backdoor trojans, etc… that could be spying, or attempting to launch a larger attack.
Threats affecting corporate domains
Every organization has at least one registered website or domain, if not multiple for legacy names, product promotions, related events, etc...
These domain names could be spoofed and used as an attack vector by threat actors (i.e. typo-squatting, substitution).
Examples of these types of threats include but are not limited to:
Phishing Targeting Employees: Spoofed websites or domains attempt to obtain the credentials of employees, or spoof email addresses and request specific actions of other employees.
Phishing Targeting Clients: Spoofed websites domains attempting to collected the login credentials of your clients.
Risk and threat models by category - Part #2
Threats against organization’s leadership
Key people within an organization typically have social media accounts (either personal or professional).
Depending on their role within an organization, social media connections, and their influence and reach, this may increase the likelihood of them being targeted, or spoofed for malicious purposes.
Examples of these types of threats include but are not limited to:
Spoofed Social Media Accounts:
Scams and/or Misinformation: Posting of information that is incorrect, harmful or otherwise not inline with the official corporate message. This situation could result in negative impact to the official organization reputation.
Pre-Texting: Leveraging a spoofed account to initiate a conversation with a legitimate connection with malicious intent/purposes.
Targeted Phishing:
Business Email Compromise (BEC): Targeting of sensitive individuals within the accounting department to pay fake or otherwise modified invoices.
Credential Phishing: Attempts to obtain credentials of a sensitive individual for the purposes of gaining access to sensitive information.
Whaling: Targeting executive or upper management positions within a company to obtain sensitive information, or request specific actions of other individuals (i.e. purchase iTunes Gift Cards).
Threats against social media presence
Majority of organization have social media accounts to promote their brands, products and or services.
There are a number of threats, tactics, and techniques that threat actors could use to leverage your brand via spoofed accounts for malicious intent including but not limited to:
Promotion of Counterfeit Products: Promotion of products that are similar to a legitimate company or organization, yet are heavily discounted and counterfeit.
Fake Webstores: Promotion of products or services that redirect to a fake webstore with the primary intent of stealing payment card information
Scams and/or Misinformation: Posting of information that is incorrect, harmful or otherwise not inline with the official corporate message. This situation could result in negative impact to the official
organization reputation.
Malware delivery: Spoofed accounts posting messages and links to malicious sites with the
intent to deliver malware.
Threats affecting service provider / vendors
Every organization works with service providers/vendors at some level.
In the event your services provider/vendor is affected by a cyber threat this could also impact your organization and or operations as well in the form of:
Denial of Service: If a service provider is unavailable this may results in service disruption of your organization.
Information Disclosure: In the event that a service provider has been compromised this may results in the disclosure of your organizations sensitive information.
Supply-Chain Malware Delivery: Supply-Chain software and services that are installed within your organization could pose risks in the event a malicious update has been pushed. (i.e. M.E. Docs and Kaseya were both software providers that were compromised and pushed a malicious update resulting in the distribution of ransomware.
References:
(1) https://www.scmagazine.com/news/security-news/ransomware/ukrainian-police-seize-m-e-docs-servers-as-part-of-notpetya-investigation
(2) https://www.reuters.com/article/us-cyber-solarwinds-microsoft-idUSKBN2AF03R
(3) https://www.thestreet.com/investing/cryptocurrency/intuit-sued-after-hackers-stole-crypto-from-customers
(4) https://techcrunch.com/2021/07/05/kaseya-hack-flood-ransomware/
Threat metrics
Data collected throughout this exercise can also be used for metrics to highlight area’s of risk within your organization.
This information will be useful in the next unit when developing the intelligence requirements as this would facilitate area’s to focus.
Metrics will also support requests for executive buy-in as your intelligence requirements will be supported by research data.
*** In the template used for the examples within this course these charts are auto-generated and can be easily filtered in numerous ways ***
Action items
Using the excel template you can go through each section and identify the threat scenarios that impact the assets identified within the discovery phase.
In the right most columns in the spreadsheet indicate what type of security controls are currently in place, and what type of Risk Reduction and/or visibility that security control provides.
Select a risk reduction, likelihood and impact value a risk rating will be generated. The higher the risk the more focus should be placed on these assets.
Each asset may have multiple risks and threats that can be entered as a separate record in the spreadsheet, while some assets may not have any associated threats.
Summary
During this unit we discussed:
How to identify and assess risks associated with the assets identified within the discovery phase.
How to model high-level threat scenarios that have ability to impact your organization.
How to generate data-driven metrics to support the business need and requirements for a CTI program.
How to categorize identified threat scenario to support the development of the intelligence requirements.
What is next
Now that a list of keywords, assets, and threats have been established you will have a better understanding of the organization’s assets, and what technologies are used to conduct business operations.
Feel free to join us for the next unit where we will be discussing the development of intelligence requirements that can be used for detection and monitoring purposes in order to defend against emerging threats.
When the intelligence requirements are formalized and established, this will help identify CTI priorities as well as where efforts should be focused. Intelligence requirements also help identifying what type of intelligence products are required, what stakeholders need to receive them, and how they will be consumed, and or actioned.
Examples: strategic / technical / tactical reports, IOC feeds, evidence lists, etc…)
Introduction
Course overview
Introduction
Discovery
Risk assessment and threat modelling
Intelligence requirements
Definition
Intelligence sources & collection plans
Courses-of-action, service catalogue, communication plans and SLAs
Intelligence tools
Operational reporting & metrics
Executive and stakeholder buy-in
Unit Objectives
Upon completion of the intelligence requirement – definitions unit participants will be able to:
Leverage discovery information to establish threat scenarios that could impact your organization
Determine which threat scenarios you could monitor for and action against.
Categorize threat scenarios in order to establish the basis of your intelligence requirements.
Methodology
Intelligence requirements are the listing of defined intelligence priorities. Once an intelligence requirement is identified, it is the responsibility of the CTI team to collect, process, analyze and disseminate the required information. The identification of intelligence requirements is parts of the intelligence cycle.
The “Definition” of intelligence requirements will leverage the threats and risks that have been identified in previous units to establish and contextualize threat scenarios that could affect the organization.
Subsequent units of the intelligence requirement process will focus on where and how to collect the necessary data, and the types of products and services the CTI can offer to other business units.
Intelligence Requirements
Intelligence requirements are used to contextualize the threat modelling performed in previous units and formalizes the activities to be performed by the CTI team.
Intelligence requirements are essentially the “who, what, where, why, when, and how” of CTI investigations and:
Defines the threat and threat scenarios
Establishes intelligence sources and collection plans to support the IR
Determines the CTI products, services and other outputs and deliverables.
Determines the Courses-Of Action that reduce risk to the organization.
Examples:
What new vulnerabilities have been discovered that have the ability to affect my technology stack?
Have any fake social media profiles been created for my brand or sensitive employees.
Priority Intelligence Requirements (PIRs)
There are also Priority Intelligence Requirements (PIRs), which are time sensitive and ad-hoc versions of a intelligence requirement.
PIRs are typically derived from an incident, or an urgent specific request from a stakeholder within an organization.
PIRs are intelligence requirements of top priority, as they have the most potential to imminently inflict harm on the organization.
PIRs will follow the same process as a IR for creation. PIRs are derived from an incident and are established ad-hoc and may or may not become a standing or ongoing intelligence requirement.
Continuous monitoring and alerting should be in place in order to immediately respond to any alert triggered from a PIR.
As PIRs are more of an urgent request requirements and timelines may be determined on-the-fly. The rest of the intelligence requirement process will remain the same.
Examples:
We have been compromised by ransomware – what type of ransomware is this, are there any IOC’s for this to determine if other systems are potentially compromised, has our data been published on the Dark Web?
Please Note: For the next several units we will only be focusing on IRs.
Anatomy of a intelligence requirement
Definition: This section describes the risk you are attempting to defend against.
Threat Description: Multiple threats could be associated with the higher-level risk, and provides
more granular details of threats you are defending against.
Intelligence Requirements: What specific data/information are you looking to find and/or obtain
Collection Plans and Intelligence Sources: What data sources are used, and how are you receiving the data.
Intelligence Products, SLA’s, Communication Plans: What will be produced, how/who/what will receive this, and how long will it take to receive it.
Courses of Action: What actions/activities will be taken, and how will that help defend the organization.
Defining the initial intelligence requirements, will take some time, as each section has their own considerations and data requirements.
The first section – Definition – will continue below.
The following course units will focus on the details of each section of the Intelligence requirements, and will discussed in further units including but not limited to:
Collection Plans and Intelligence Sources
Intelligence Products and SLAs
Communication Plans
Courses-of-Action
Intelligence Requirements - Definitions
The first thing that needs to be defined in an Intelligence Requirement is a high-level description of the threat you are trying to identify.
Once the high-level description is defined we can become more granular with the lower level details of the threat.
For example we may have multiple types of phishing intelligence requirements:
Credential phishing targeting our employee’s (i.e. O365)
Credential phishing targeting our customers (i.e. Spotify, CoinBase, etc..)
Spam delivery of commodity malware
Spam delivery of ransomware
The intelligence requirements section further specifies the questions that need to be answered, such as what are you looking for, and how bad are we affected.
Other parts of the definition section include:
A priority field to indicate whether this is a high, medium, or low priority IR.
A categorization field to help classify/tag what type of IR this is associated with.
A frequency field to indicate how often this Intelligence Requirement should be performed.
As there are many steps and aspects to take into consideration when creating intelligence requirements for each components will be addressed in following slides and units.
Sample Intelligence Requirements
Brand & Assets
Direct threats to brand or physical assets
These intelligence requirements are directed towards monitoring of clients brands to promptly identify mentions of clients that may have a negative impact on their brand or reputation or may cause physical harm
Brand or product mentions on sensitive sources
The monitoring of client brand mentions originating from sensitive sources is used to identify conversations, posts or other mentions on sources typically associated with malicious activity or other threat actor communities.
Protest and activism with potential to impact client operations
Protests and activism may have direct or indirect impacts on clients, which may result in the disruption of operations or damage or other harm to client operations
Executive and corporate monitoring
Executive and corporate monitoring us used to identify negative mentions or other online activity from or directed to clients. This involved but is not limited to, fake social media accounts of executives, negative mentions of executives by disgruntled customers or employees, posts by executives that may be taken out of context or perceived as negative comments, or other negative corporate level attention.
Sensitive images or mentions originating from inside classified client locations
Objective of this use case is to identify the public disclosure of sensitive information or social media sites from within
client location (i.e. manufacturing, technology, security controls, networking, and infrastructure, employee desk areas).
Malicious App Stores:
Monitoring of third-party app-stores in order to identify non-authenticate, and republished mobile-applications.
Threats associated with technology stack
Confidential Information (credential leaks, database dumps, documentation
The disclosure of confidential client information has the potential to impact client security, their operations as well as their trade secrets. In monitoring for these threats, CTI can proactively identify and act against and/or remediate identified risks.
Mentions of client IP addresses and infrastructure on sensitive sources
In monitoring sensitive sources for mentions of client IP addresses and infrastructure, CTI can identify these mentioned and assess threat actor goals and/or objectives. Once this information has been assessed, the CTI team can use this information and provide to clients for further action.
Vulnerabilities identified with potential to impact technology stack
CTI is able monitor for vulnerabilities within technology stack and provide a risk based assessment of their potential impact. Once the potential risk and impact have been identified, remediate controls and recommendations will be provided.
Threats targeting organization’s industry or business operations
Industry peers targeted in cyber attacks
Monitoring of the overall cyber threat landscape as well as industry peers allows for the CTI team to leverage the TTPs, attack vectors, and implement detection and other controls within the clients environment to proactively protect against similar attacks.
Supply chain threats
In monitoring the supply chain the CTI team could identify potential threats that may be delivered through side-channel style attacks.
Phishing campaigns to deliver commodity malware
Identification of phishing campaigns attempting to deliver commodity malware is important to identify IOCs, as well as designing blocking controls to further prevent distribution and potential compromise.
Exploitation of zero-day vulnerability in the wild
The intelligence derived from monitoring zero-day vulnerabilities is used to identify attack vectors, as well as the overall business impact.
Organization’s Infrastructure actively targeted by sophisticated APTs
Monitoring of emerging threats actively targeting infrastructure is used to identify imminent cyber-attacks and threat actors and threat actor TTPs, which can then be used to defend against these attacks
Emerging cyber threats
New malware detected
By monitoring for newly identified malware, CTI could obtain an understanding of its functions, behaviors and potential impacts. With these details a CTI team could identify mitigating controls to prevent against exploitation of these malware.
Updates and modifications to known malware
By monitoring for updates and modifications to known malware, Cyber Threat Intelligence obtains an understanding of the new functions and behaviors of the malware. With these details CTI is able to identify mitigating controls to prevent against the exploitation of the malware.
Malware discussed on sensitive sources
Monitoring sensitive sources for new malware developments provides the CTI team with an understanding of how the malware works as well as threat actor intentions. With these details CTI could identify mitigating controls against the exploitation of malware.
Identification of new zero-day vulnerability
The monitoring of new Zero-day vulnerabilities is used to identify the exploitation of newly discovered vulnerabilities, as well as to assess if your organizations environment or technology stack is potentially
at risk.
New and trending vulnerabilities
New and trending vulnerabilities closely monitored and tracked to understand impact & infection vectors as well as the landscape and potential impacts of these vulnerabilities having been exploited.
Threat actor activity
Events associated with a sophisticated threat actor identified
Threat actor activity is monitored, to identify organizations, industries and sectors targeted by threat groups.
New sophisticated threat actor TTPs identified
Threat actor activity is monitored by CTI to identify new TTPs used. Identification of new TTPs allow the CTI team to identify control and detection capabilities that can be integrated with your security tools to defend
IOCs associated with threat actor activity
Threat actor activity is monitored to identify new IOCs. When identified these IOCs allow the CTI team to implement controls and detection capabilities that can be integrated into the organizations environment.
Action Items
Based on the assessments (threat, risk, controls) in the previous step, identify the findings your organization is most concerned with. Group findings together into Categories and sub-categories and establish clear description of the risks and threats they pose.
Begin to compile the intelligence requirement for each category and sub-category of identified threats, and for each sub-category begin to frame up the initial context of threats, and scope of collection activities. Ensure each IR is detailed, specific and inline with the capabilities of the organization.
The output or result of each IR should be strategic, operational, tactical or technical measures such as :
Mitigation of identified cyber threats
Enhancements to existing controls
Technical or tactical reporting
Outputs of IR’s may be in the form of Indicator of Compromise (IOC) lists, detection rules
(i.e. snort/yara), internal discussion with the organization, or even PDF for security
awareness.
Please Note:
Not every threat that was identified in previous units will result in a intelligence requirement for several reasons:
Inability to easily obtain comprehensive information to effectively monitor and action identified threats
No internal resources or capabilities to take actions and mitigations.
Costs associated with obtaining credible information, or cost of security tools to action information.
Just because you are not able to build intelligence requirements on every threats at present it does not mean that you will not have an effective CTI team.
The key to an effective CTI team is to operate within your budget and capabilities.
As your CTI program evolves and matures, so will your tools and capabilities, resulting in the ability to address more complex intelligence requirements.
Summary
During this unit we :
Leveraged discovery information to establish threat scenarios that could impact your organization
Determined threat scenarios you could monitor for and action against.
Categorized threat scenarios in order to establish the basis of your intelligence requirements.
What is next
This unit was focused on the high-level definition of intelligence requirements based on the threats and assets identified in previous units.
Feel free to join us for the next unit which will focus on the intelligence sources and collection plans that are required to support the intelligence requirements you are in the process of defining.
We will be discussing a variety of intelligence sources including, open-source, commercial, internal, and dark-web and focus on determining the most appropriate source to complement your intelligence requirements.
Once we have intelligence sources established, we will need a means to obtain, query and review these sources to obtain the most recent data, which could be collected through manual or automated processes
Introduction
Course Overview
Introduction
Discovery
Risk assessment and threat modelling
Intelligence requirements
Definition
Intelligence sources & collection plans
Courses-of-action, service catalogue, communication plans and SLAs
Intelligence tools
Operational reporting & metrics
Executive and stakeholder buy-in
Unit Objectives
Upon completion of this unit participants will be able to:
Identify and evaluate intelligence sources, platforms, and tools required to support your Intelligence Requirement.
Establish collection objectives and capabilities and determine how these will be used to support the operationalization of your Intelligence Requirement.
Understand the value of intelligence sources for the CTI program.
Determine estimated costs for intelligence tooling, subscriptions and other dependencies to support each intelligence requirements.
Methodology
This unit focuses on identifying the appropriate data sources and collection plans required to support the operations of your intelligence requirements.
Using multiple sources ensures that data can be cross-referenced and validated, and may also provide additional situational context. However, this also require additional efforts and resources to maintain the additional source in the collection plan.
Intelligence Sources
Information is all around us and can be obtained from a variety of sources, including internal data repositories as well as open, closed commercial sources.
When information is processed that becomes intelligence.
It is also possible to have access to intelligence sources where the information has already curated.
Intelligence sources ARE NOT limited to threat feeds in the form of IoCs.
With effective data and intelligence sources a wide variety of CTI products and services can be developed to effectively defend against emerging cyber-threats.
All sources must be vetted, reviewed and categorized to ensure their confidence and reliability (quality sources = quality results).
Internal Sources
Estimated cost: Free
Internal data sources are information repositories that reside and are otherwise owned by your organization.
Internal data is one of the best intelligence sources as it is specific to your organization.
Internal data could potentially include department outputs and products, business and application data, business intelligence reporting as well as device and application logs.
•Raw data from these sources is critically useful, but you may need to re-parse, restructure, and tabulate data from other sources in order to create actionable intelligence content.
This information may be leveraged to:
Identify patterns in suspicious activity or potential threats.
Influence corporate and/or executive decisions.
Compliment data collections for your intelligence requirements.
Enrich intelligence products.
Open Source (OSINT)
Estimated cost: Free - $$
OSINT refers to data collected through publicly available sources.
These sources include but are not limited to public websites, online databases, blogs, forums, and research sites.
In most cases, OSINT is free, however depending on the source and/or tool some information may be collected from you (i.e. your queries and/or scans) and sold for profit by the vendor/provider to unauthorized third parties.
You have to be cautious of your source and data must be validated to ensure its accuracy and reliability.
Sources should be leveraged to validate findings and provide a global perspective.
(i.e. The Globe and Mail (Canada), The Russian Times (Russia), Al Jazeera (Middle East))
Data from these sources can be viewed manually, automatically downloaded or scraped through custom build tools or others that could be found in GitHub or similar.
Some online services allow for API access when registered for a “Free Account”. When using OSINT Tools they work better with the more API Keys they have enabled. It is recommended to obtain as many API keys are possible.
It is likely you will be using multiple OSINT sources and these will need to be operationalized and reviewed daily.
This sounds like a lot, but there are tools that can help further automate and streamline the review process.
Always adhere to “quality over quantity” principle. The key is to use authoritative, and reputable sources only.
It is important to note that OSINT sources have the tendency to change. Often better sources emerge, the original publisher no longer provides updates, or once free products put behind a pay-wall.
If a source is no longer providing updates it is best to immediately remove it and replace with an appropriate substitute.
Open source (OSINT) - Social Media
Estimated cost: Free
Social media is a good source of information that can assist in profiling individuals of interest by identifying connections, accomplices, events and timelines and other profile details.
Information obtained through Social Media Intelligence (SocMINT) will support threat actors tracking and profiling initiatives.
Other social media use cases may include:
Identify scammers promoting fake products.
General online research, such as identifying discussions related to particular organizations or topics, monitoring mentions of emerging threats.
Public comments, indicating malicious intent, made by potential threat actors in forums, chat rooms and social media.
Twitter for geo-social searches (times, dates and places when tweeted)
At a minimum, Twitter should be leveraged to monitor real time events, comments, and conversation threads of those you are “following” on the platform.
Following the quality Twitter profiles, this is a very effective method to be alerted in near real-time of emerging cyber threats.
As these threats emerge and circulate through Twitter, security researchers also investigate on their own to confirm or deny these threats and share additional information they have discovered.
This information is useful for your organization as it can implement pro-active controls to defends against newly identified threats.
Commercial sources
Estimated cost: $ - $$$$
Each commercial threat intelligence vendor has their “niche” in the marketplace, you can essentially find a vendor with any type of data. Their tools provide a wide range of products and services to promptly provide structured and curated intelligence.
Commercial threat intelligence services may also integrate with other security tools or support API’s developed to support other commercial products or custom tools.
Depending on your requirements, a commercial intelligence vendors may be required either to:
Expedite the production of your intelligence products
Provide high-confidence data and data enrichment
Provide research tools and enrichment capabilities that may not otherwise be accessible if attempted in-house.
These vendors have their “own” sources for intelligence, which may be derived through, scraping and indexing of authoritative sources, providing services, honey-pots and other infrastructure, and create data-bases of information with enrichment.
Sometimes it may just be easier and more cost effective to create a similar tool internally.
Dark Web
Estimated cost: $$$
The deep dark web (DDW) is a part of the Internet that is only accessible using specialized software to access.
Once connected to the dark web you could access marketplaces and forums.
The DDW can be a good source of intelligence if illicit underground marketplace activity are a Priority Intelligence Requirement.
Examples:
Zero-day vulnerabilities, targeted or coordinated attacks, sale of breached data, Threats targeting your brand and or products.
These vendors scape and index DDW content and present this in a searchable website / database, and provide threat actor profiling, and translation services.
They provide services such as Request For Information (RFI’s), that allow organizations to provide the vendor with a list of PIRs and they will conduct the research and reporting.
Tools may integrate into your security tools for additional enrichment and contextualization.
It is strongly suggested that DDW activities are not performed internally
The deep dark web is not indexed and in order to find the website / marketplace / forum you wish, you must know the Onion URL. (i.e. http://juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd[.]onion)
Illicit forums and marketplace do not take kindly to new comers. Even if you did find an appropriate marketplace, you have to register/apply and go through a vetting process. If you get in the marketplace you will not have any reputation, and most members will not speak with you.
These forums and marketplaces are filled with sophisticated hackers and other criminal – if they have reason or suspect you are up to something it is unknown what they may do.
These are international marketplaces where people of all languages participate, unless you have employees who can translate forums threads, you otherwise won’t be able to make sense of the threads.
Security concerns, as you are going to illicit websites which could be used to deliver malicious code to and your computer with some type of virus.
OPSEC (i.e. VPNs) do not always ensure 100% privacy,
Internal legal teams typically have concerns as the DDW is commonly a grey area, and largely believed to be associated with illegal activity.
Requires significant effort and resources to monitor effectively.
Please consult your legal council before exploring the option of using the Dark Web.
Trusted communities
Estimated cost: $$
Trusted communities and ISAC’s are groups of members who share intelligence focused on a specific sector, or relationship.
Some trusted communities may require an annual membership fee, and provide access to industry specific threats, communities, conferences and services.
Examples:
Industry ISAC’s (FS-ISAC (Financial Services ), H-ISAC (HealthCare), E-ISAC (Electricity), etc….)
Circles of Trust (Intelligence Sharing Agreements between various organizations)
Trusted Security Research Groups
Slack Channels, Mailing lists
Collection plans
A collection plan is essentially the plan that establishes which sources will be consulted, in order to obtain the appropriate information you require.
Shown in the example on the right requirements for the threat are as follow:
Identify emerging threats/exploited vulnerabilities
Determine if the organization is exposed to, and identify exposed systems
Determine detection/protection measures required to defend against these threats and provide these to the necessary teams.
Raise awareness to stakeholders regarding the situation.
For each of these you need to ask yourself the question “How”, as in “How would l find this information or perform this activity?
Do you have internal sources that could be leveraged (i.e. firewall/web-app logs, domain controller, anti-virus)?
Is data available through open-sources, or are commercial tools or services available?
Example:
Social media threats -> check social media
Stolen credential -> dark web / paste sites / HaveIBeenPwned / IGotPhished / private forums
Emerging threats -> security vendor and researcher blogs, ISAC communities, etc…
Where possible it is recommended to use multiple sources or other enrichment means to validate findings.
Additional information could be enumerated from one source yet not found in the other, providing more details and context about potential threats.
Map each collection source to each associated intelligence requirement, and rate sources based on NATO System / Admiralty Code “Reliability” and “Confidence” of information.
At this point base the reliability on your knowledge and personal experience regarding these sources as this may be an educated guess at this point until you have operationalized these processes.
Once this process has been operationalized this rating can be advised based on your internal experience.
Determine how often will this task need to be completed (Ad-Hoc, Daily checks (once per day), Hourly through automation)
Determine Operational Security (OPSec) requirements
Social media sock puppet accounts, VPN access, dedicated intelligence systems, “Dirty Lines” (completely separate Internet connection) that is not connected to associated with the organization.
Action Items
For each intelligence requirement you have established complete the collection plan section with the intelligence sources you will be using and what you are trying to identify.
Keep in mind, just because certain sources are listed does not mean they are the only ones that can be used. Any relevant source could be used as long as you trust the site and producer.
You should also be keeping side notes related to dependencies within each requirement.
Costs associated with tools / platforms / data
How to consume and produce data and other intelligence products
Special tools / integrations
Custom scripts or open-source tools
Other technical requirements
Each Intelligence requirement comes at a cost, so understanding all the components and costs associated, will help support the business case for pursuing the requirement.
You also do not want to put in $1000 worth of effort a month to save $100.This will help filter out the more impractical Intelligence requirements, and highlight the ones to focus your efforts on.
Internal Sources
Determine if any internal data sources (business applications, team members, or business unit outputs and reports) could be of value based on your intelligence requirements.
Business Applications
Application logs
Helpdesk tickets submitted by employees (i.e., Service Now, Jira)
Internal Teams:
Security:
What type of incidents does your security team see most
Vulnerability management:
What vulnerabilities are still exposed within your environment
Social Media
Depending on the intelligence requirement for social media sources, determine if there is a need to create social media accounts on various platforms, or if data can be publicly viewed.
Determine which platforms are in scope, and if the registration of a social media account is required, ensure you use a sock puppet type account to ensure anonymity of you and your organization.
Disable options that may allow for data leakage (i.e. How you appear to someone when you viewed their profile.)
Follow the accounts of any associated vendor and/or competitor.
Follow any influencers associated with your industry.
Follow cyber-security researchers and organizations.
Identify hash-tags and keywords associated with your industry or organization.
Repeat this process for FaceBook, LinkedIn, Instagram, etc…
Commercial Sources
Ensure your intelligence requirements are clearly defined, and determine which vendors provide intelligence services that meet your requirements.
Ensure you know how you are going to action the findings.
What tools could integrate with this vendor, and what would that do?
Do existing tools provide integrations with commercial services, and are they already in production?
Contact commercial vendors and get in their sales cycle get the demo, and share the PIR’s, and request a trial period and evaluate multiple products (Always ensure non-disclosure agreements are in place).
Track your findings and CoAs for each vendor and evaluate their effectiveness.
Tune the services the vendor is offering and evaluate if 24/7 service is required (as an
example), or if an RFI type snapshots could be used every 6 months or a year or so.
Be creative and customize the services as required.
Trusted communities and ISACs
Determine what specific role would the ISAC play within your threat intelligence program. If the business expectation is for the ISAC to play a significant role as part of the team, then it is recommended to participate in a paid ISAC community.
If budgeting permits it is recommended to join and participate in the appropriate ISAC. You will interact with other members of the community and be able to share business experiences, pain-points, vendor experiences as well as threat related information. In addition, ISACs frequently have private forums, events and presentations which can also be leveraged for your internal intelligence program.
If budgeting is a constraint, there are alternatives to ISAC’s such as trusted communities found in Slack / Discord Groups or other newsgroups.
For most new intelligence programs these communities and ISACs are not necessarily required, but if you have the funding and capabilities it definitely would be an asset to your team.
Summary
During this unit we discussed:
How to identifying and evaluate intelligence sources, platforms, and tools required to support your intelligence requirement.
How to establish collection objectives and capabilities, and determine how these will be used to support the operationalization of your intelligence requirement.
How to assess the value of intelligence sources and how they can support your overall CTI program.
How to determine costs for intelligence tooling, subscriptions and other dependencies to support each intelligence requirements.
What is next
This unit was focused on establishing collection plans, including collection requirements, objectives as well as the appropriate intelligence sources.
With all this data that is collected for each intelligence requirement, the result needs to be some type of product that can help defend against identified cyber threats.
Each intelligence requirement may have multiple products or outputs depending on the recipients, in addition to different formats depending on how they are consumed.
Feel free to join us for the next unit where we will discuss various CTI products that can be distributed to various stakeholders to help in defending against emerging cyber threats.
Introduction
Introduction
Discovery
Risk assessment and threat modelling
Intelligence requirements
Definition
Intelligence sources & collection plans
Courses-of-action, service catalogue, communication plans and SLAs
Intelligence tools
Operational reporting & metrics
Executive and stakeholder buy-in
Unit objectives
Upon completion of this unit participants will be able to:
Determine what Courses-of-Action (COAs) the CTI team can perform.
Classify COAs in order to be able to measure the strength and maturity of your capabilities in defending against emerging cyber threats.
Establish communication plans for each product or service that is offered, and determine who should receive these (i.e. email, pdf report)
Implement Service Level Agreements (SLAs) for each product or service the CTI team provides.
Design a CTI service catalogue – a list of intelligence services and products provided by the CTI team.
Methodology
This unit focuses on the CTI outputs and activities (i.e. COAs, products, services, etc…) that can be performed or produced when responding to an alert related to an Intelligence Requirement.
The intent of these outputs and activities is to implements controls to mitigate risk, or communicate findings and/or other intelligence to associated teams and stakeholders for awareness or other forms of actions to be taken by respective teams.
The goal is to produce CTI Products, services and other activities in a timely manner that is inline with established SLA’s.
Courses of Action (COAs)
Courses-of-Actions (COAs) are the individual actions the CTI team performs while acting upon an identified threat.
These COAs could include but are not limited:
Blocking a known malicious domain.
Threat hunting activities to discover potentially malicious activity on your corporate network
Reporting threat actor infrastructure for take-down by the service provider.
Implement detection and prevention signatures based on emerging threats.
The objective of COAs, is to establish the directed activities the CTI analyst will take when an emerging threat is detected.
These actions are intended raise awareness or enhance the organizations security posture by implementing controls to mitigate any associated risk to an emerging threat.
Depending on the maturity level and capabilities of your security tools, you may be limited in terms of the controls and detections that can be put in place.
It is best to understand what you have, what is within your capabilities, what internal teams can support and what you may need to contact your vendor for.
Sometimes a simple “heads-up” or awareness email to an appropriate party is all it takes.
NOTE: For courses-of-action that are recommended to be performed by other teams, it is best to consult with them to determine if your recommendations would impact existing controls. They are the SME’s – let them decide if they want to implement.
Example – Security monitoring & investigations
The CTI team works very closely with security monitoring & investigations Teams.
There are many services and products that CTI can provide that will assist Investigations teams to detect new threats and aid in the investigation of high priority incidents.
Example – Incident Response
During an incident, information is needed very quickly to aid in incident investigation.
The CTI team should be able to leverage their sources and capabilities to provide addition insight into the actor intent, capabilities, as well as TTPs used.
Example – Patch and vulnerability management
The CTI team also works very closely with patch and vulnerability management teams to monitor for emerging threats such as exploitation of zero-day or critical vulnerabilities, targeting technologies used within the organization.
Early identification of these threats provides these teams with information to support their evaluation of risks, and priorities for patching.
Classifications and Categorization
Classifications
Courses-of-Actions fall into 3 main classifications:
Also known as classifications of products and services the CTI team produces.
Depending on your intelligence products and capabilities, your courses-of-action may be focused within one or many of these area’s.
This is completely fine, as long as your products, recommendations and efforts are effective in mitigating or reducing risk.
Categories
COAs also fall into multiple categories, used to measure the strength and capabilities of the organizations in terms of pro-actively defending against threats.
Service catalogue - Part #1
As discussed in the previous sections first the intelligence requirements were defined, and then the COAs to be taken for each IR has been established.
The final step is to group these intelligence requirements and COAs into a product or service the CTI team is producing.
Each product or service may comprise of smaller products or services, that have their own formats and recipients.
As an example while working closely with the security operations team:
IOC feed are created by the CTI team but automatically ingested into a SIEM.
Snort signatures may be provided by email to a security engineer.
Security management or directors may be receive threat landscape reporting as PowerPoint presentations.
Security Operations Centre (SOC)
Advisories and reporting:
Threat intelligence reports
Threat context affecting clients by sector / Industry
TTPs and Threat Actor activity
Global / sector threat landscape assessment (ad-hoc, scheduled reporting)
Emerging threats and exploited vulnerabilities
Actionable content:
Automated intelligence feeds and ingestion of this information into various security tools including but not limited to SIEM for on-going detection and monitoring
Vetted Indicators for threat hunting activities
Enriched indicator patterns and signatures for blocking (i.e. Domain Generating Algorithms DGA URL)
Detection rules such as Snort and Yara signatures based on malware samples and network activity
Recommendations and COAs:
Determine risk and exposure based on threat details
Apply updates to security controls, configurations and security policies
Other administrative controls.
Incident Response
Advisories and reporting:
Support IR operations through threat actor attribution and TTPs used.
Lessons learned
Impact on organization (Financial, Reputational, Technical)
Actionable content:
Data enrichment of IOCs associated with the incident for :
Compare malicious activity against known TTPs to develop threat context and attribution
Validation of attack scenarios and delivery techniques
Indicator investigation and pivoting in order to enrich and correlate threat actor infrastructure
Supporting details regarding exploited vulnerabilities and potential root cause
Develop and deploy security signatures (i.e. Snort, Yara, etc…) to detect current or potential future compromise.
Leverage intelligence sources to provide additional research into the incident, threat, threat actor, and their capabilities.
Recommendations and COAs:
Determine Risk and exposure based on threat details
Identify updates to security controls, configurations and security policies that could be implemented to mitigate risk.
Patch / vulnerability management
Advisories and reporting:
Technical reports on actively exploited vulnerabilities.
Strategic advisories regarding the threat landscape of actively exploited vulnerabilities.
Security awareness associated with newly exploited zero-day and critical vulnerabilities.
Security awareness associated with emerging threats targeting technologies within the organization.
Actionable content:
Hunting activities within vulnerability scanning tools to identify vulnerabilities within the organization that could be exploited by newly weaponized exploits that are and are actively being exploited in the wild.
Leverage Intelligence sources to provide additional research regarding the difficult to patch systems and application and what mitigation efforts are required.
Monitoring and identification of updates and security patches for software and hardware used within the organization.
Recommendations and COAs:
Determine risk and exposure based on threat details.
Identify updates to security controls, configurations and security policies that could be implemented to mitigate risk.
Service catalogue - Part #2
Awareness and reporting
Services that should be mandatory for every CTI team are awareness and reporting.
They are cost efficient services that provide meaningful products for various stakeholders regarding emerging threats that have the potential to impact their operations.
Depending on the size of the organization, or objectives of the CTI team awareness reporting requirements may vary.
In order for each product or service to be effective they must be timely, to the point, provides accurate and concise information, and serves a purpose.
Operational reporting (Daily)
Daily monitoring and reporting of emerging threats, threat actor activity, malware campaigns, exploited vulnerabilities, etc..., is a simple way to identify threats that may pose harm on an organization, their competitors, as well as their supply-chain.
By raising awareness to these newly identified threats as they are occurring this provides various teams the necessary information in order for them to make informed decisions regarding defending and mitigating against these threats.
In addition, this also collects information that helps to establish the threat landscape over time, by region, and also by industry.
Flash reports
Flash reports are near real-time reporting of external threats that could pose imminent danger to an organization due to external factors (targeted threat actor activity, malware/ransomware campaigns, etc..)
The objective of Flash reports are to “raise the alarm”, and share what information is known at the time to appropriate stakeholders in order to raise awareness, and advise of appropriate security controls and enhancements.
Depending on the duration and/or potential impact of the threat, subsequent Flash reports may be required as new information is known.
Reference: https://www.cisa.gov/sites/default/files/publications/Mamba%20Flash.pdf
Technical / tactical reports
Technical and tactical reports are used to provide an in-depth analysis on emerging threats including but not limited to:
Threat Actor Tactics, Techniques and Procedures (TTPs)
Malware reverse engineering
Intrusion and exploitation
These types of reports provide specific details that are intended and used by recipients to help understand various threats at a technical level, in order to understand how mitigating controls can be implemented.
Service catalogue - Part #3
Dossiers
Dossiers are files that contain detailed information on a particular entity, subject, or group.
Dossiers are useful when monitoring persons, subjects, or groups as this is a centralized and structured location to keep the details of these actors and their activities.
Priority Intelligence Requirements (PIRs)
Priority Intelligence Requirements (PIRs) are urgent requests for immediate information regarding an ongoing security threat and or incident.
In order to establish what is required in an PIR, essentially the Intelligence Requirement process to establish this requirements for this new PIR, which may be difficult as they are time-sensitive and not much initial information may be known at the time
Depending on the capabilities of the CTI team, this may also be done in-house with internal resources, or through an intelligence vendor by using a Request For Information (RFI) service.
Depending on the reasons for the PIR, more times then not PIRs should be outsourced to an appropriate intelligence vendor for the following reasons:
Vendors have larger teams (usually distributed as well)
More access to tools and data sources
Allows your internal team to continue with their daily operations, and continue to provide support to the security incident.
Example: We experienced a data breach, is our intellectual property being sold on the dark web.
Request for Information – RFI
Requests for Information (RFIs) are unique situations when a need arises, additional information is required (you have to ask someone else, or someone asks you for information).
Commonly used to fill a collection gap for a new intelligence requirements, or to validate internal research and capabilities.
RFIs are usually ad-hoc intelligence requests or derived other Priority Intelligence Requirements (i.e. “How many compromised accounts for our mobile app are being sold on the Dark Web.”) and only used for a short period of time until a request has been satisfied. However these also may turn into standing intelligence requirements as well.
In order to establish what is required in an RFI, essentially the Intelligence Requirement process to establish this requirements for this new RFI.
Depending on the capabilities of the CTI team, this may be done in-house with internal resources,
or through an intelligence vendor.
The products or deliverables as a result of the RFI will be determined by the stakeholder.
Communication plans
Communication plans identify the distribution lists, system integrations, stakeholders, and other key contacts as recipients of threat intelligence products or services.
Based on each intelligence requirement, there may be multiple COAs where each has their own lists of recipients.
Determine what type of intelligence products and/or services are delivered to whom, when, why, and how
Communications plans also apply to operational metrics and reporting (i.e. weekly, monthly, quarterly operational reports).
Distribution may be based on organizational group
As intelligence products may contain sensitive information it is important to limit and/or restrict distribution.
Distribution list should be limited only those who need to know and include the TLP protocol.
Traffic Light Protocol (TLP)
Source: https://www.us-cert.gov/tlp
Service Level Agreements (SLAs)
Intelligence products are only useful if they are timely and actionable.
As the information and intelligence provided by the CTI team is considered a product or service, the stakeholders receiving these expect them in a stated amount of time known as a Service Level Agreement (SLA).
SLAs vary based on the Intelligence Requirements due to many factors including availability of information, efforts required to produce as well as effort to distribute.
Reasonable expectations should be established with a balance in mind regarding the effort to produce the intelligence products and their timely delivery.
These SLAs assist in providing estimated timelines to stakeholders during security events or incidents.
Action items
Service catalogue
Determine what type of products can be produced based on the Intelligence Requirements, intelligence sources, and COAs.
Determine what tools and teams may leverage these services and products and what standard formats are to be used:
Example: CSVs, STIX bundles, PDF reports, emails and other communications
Determine how frequently these services and products can be produced.
Add the service catalogue components to the appropriate use cases.
Courses of Action (COAs)
Identify the capabilities of your organization to determine where threat intelligence can be leveraged.
Examples: IOCs and/or detection rules to IDS/IPS or SIEM, phishing Take-down requests, configuration updates and hardening efforts, external/internal reporting
Identify key contacts and Subject Matter Experts (SME’s) within your organization who can be contacted
for more information about their area of expertise and other internal operations.
Identify online tools and portals that can be used for reporting malicious or suspicious content or activity.
Ensure each COA has associated COA classification, and add applicable Courses-of-Action (COAs) to
Intelligence Requirements.
Communication plans
Identify distribution lists, stakeholders, and key contacts who are to be recipients of intelligence services and obtain their approval for sending them intel products
Request feedback on intel products delivered in order to ensure they are meeting and/or exceeding the expectation of your stakeholders.
Service Level Agreements (SLAs)
Establish SLAs for the production and distribution of each intelligence product.
Leverage templates, scripts or other automation where possible in order to produce
consistent intelligence products.
Objective is to have the lowest SLA as operationally possible.
When the intelligence requirements sections for these have been completed the IRs should look like the image to the left.
As IRs change or are enhanced over time it is best to ensure that any changes are reflected in these documents and include a “version history” or “revision log” in order to track the changes.
Summary
During this unit we discussed:
How to determine what COAs the CTI team has the ability to perform.
How to classify COAs and measure the strength and maturity of your capabilities in defending against emerging cyber threats.
Establishing communication plans for each product or service that is offered, and determine who should receive these, as well as how (i.e. email, pdf report).
Implementing SLAs for each product or service the CTI team provides.
Design a Service Catalogue of service offerings provided by the CTI team.
What is next:
This unit was focused on the COAs, service catalogue, communication plans & SLAs that support Intelligence Requirements.
Now that we understand from the intelligence requirements (specifically what we are looking to collect and produce) you can start to determine which tools could be leveraged to assist and automate in collection and other operational procedures.
Feel free to join us for the next unit where we will be discussing various intelligence tools used to:
Ensure that information is regularly and consistently collected in an efficient manner
Automates processes to allow the CTI analyst to address the more manual tasks
Tools can act as a data repository for referencing historical findings and actions
Supports operational reporting and metrics.
Introduction
Course overview
Introduction
Discovery
Risk assessment and threat modelling
Intelligence requirements
Definition
Intelligence sources & collection plans
Courses-of-action, service catalogue, communication plans and SLAs
Intelligence tools
Operational reporting & metrics
Executive and stakeholder buy-in
Unit objectives
Upon completion of this unit participants will be able to:
Determine appropriate tools that can be used to support the operations of the Cyber-Threat Intelligence team.
Estimate cost requirements for hardware, software and other dependencies associated to various tools and intelligence requirements.
Understand the basic concepts of Operational Security (OPSEC) and how your investigative actions my provide forewarning to a threat actor.
Discuss the benefits and capabilities of commonly used Threat Intelligence Platforms (TIPs).
Compare and contrast the benefits and disadvantages of using online resources and services.
Methodology
This phase leverages the Intelligence Requirements that were established in the previous units, to determine what operational tools, data repositories, and intelligence sources are required to support the operationalization of the intelligence requirements.
This establishes the technical requirements and dependencies to support the IRs such as hardware and software requirements, licensing, subscriptions, etc...
Intelligence tools are most effective if they are integrated & enriched with data from other intelligence and security tools.
Data collection
As with any organizational team, various tools, services, subscription and portals, are required to support the operations and overall performance, and effectiveness of the CTI program.
From a CTI perspective three types of tools or data repositories are required:
Data collection
Research and investigation
Tracking systems
The best tools to use are ones that support your business, technical as well as intelligence requirements.
It is recommended to use tools that provide integrations through API calls or similar, as this will enable your tools to “talk” to each other and act as data repository and enrichment sources.
There are many open-source tools, that can be used to support the success of the CTI team.
Once sources have been identified the intelligence analysis must assess the format and structure of the source data and determine how it can be collected based on intelligence requirements.
Is the data in a structured form that can be automated and parsed?
Does an analyst need to review certain sources manually
Can you directly integrate with the data source (i.e. IOC threat feeds, STIX/TAXII, SIEM)
Depending on what tools you wish to collect data this may also impact what data sources you are using due to the source data not being available in a suitable format (i.e. websites do not offer RSS feeds or email alerts).
Do you require a custom scripts to be created to scrape specific page content on a regular basis?
It is always best to find alternate sources to ensure that you are able to still collect current data in the event of a system or feed is unavailable. This resilience will enable the CTI team to continue to provide its services in such event.
While evaluating CTI tools there are a few factors to consider including:
Where will the tools will reside?
What are the requirements and dependencies of the tools
License or purchase cost (one-time or recurring)
Technical requirements (processing, storage, and other hardware)
Do tools offer automation capabilities to create efficient and streamlined processes.
Note: When using and testing CTI tools, please ensure this is done in a safe and secure environment, and also in accordance with any organizational processes and procedures that may apply.
Pull data
There are 2 ways to collect data.
Pull : A user goes to the data source to acquire the data through manual processes
Push : Data is automatically pushed to you via direct integration or other notification
Collecting data from sources via the “Pull” method, while manual allows for easy portability amongst team member.
Depending on the number of source you are using, this method could become inefficient in time and automation tools should be explored.
For some simple data sources (i.e. just need to download a csv), it may be possible to automate with a simple script
Example: A simple Linux (bash) 2 liner could easily accomplish this
#!/bin/bash
curl http://example.com/file.csv -o file.csv
Push data
Pushing data to a user or device is an automated process where when the site is update, you are either directly pushed the updates or otherwise notified of the update.
Think Push Notification on your cell phone.
Leveraging sources that provide some type of push notifications will save time an effort for the CTI analysts.
It is best to have all updates and notifications go to a centralized location, such as a shared mailbox, email distribution lists, or a centralized platform, otherwise this may cause operational issues.
Example: All notifications are sent to john.smith@example.com and John Smith leaves the company.
Data collection - Part #2
Web searching
Sometimes we don’t know where certain data we need could be found on the internet, and that is where a search engine can support your goals.
While not the most efficient means to collect data, it can certainly help narrow down sources to review, and at least help you get on your way.
Not every search engine is the same and they conduct searches slightly different, or prioritize certain sites over others.
Example: Google, Yandex (Russian) & Baido (Chinese) Yandex/Baido give better results for their respective geographies.
For fast and simple web searches it is best if you use search engine operators to narrow your search and filter the results.
Example: ransomware filetype:pdf , +ransomware +Canada, (ransomware OR malware)
Browser bookmarks
If you find yourself consulting the same websites on a regular basis, it may be more efficient to use a folder of browser bookmarks.
With a simple click, your most frequently visited sites are displayed, and you can even right-click and automatically open them all in separate tabs within your browser.
When creating bookmarks, make sure that you are bookmarking the pages that are changing and provide the updates (i.e. main blog post page) so they are up front and easily noticeable.
Otherwise if bookmarking a specific article/blog, this will leave you with additional clicking to find the new content.
Email alerts
Email alerts are an efficient way to be informed when a website has an update.
Typically when a website has an update and you have received the email alert, usually the alert is a link to the update on their website.
When searching through numerous sources, this provides CTI analysts with the ability to be notified of new threats simply by clicking the send/receive button in an email clients.
As these alerts are simply an email notification, email client rules or other workflows can be applied such as filtering, flagging or categorizing based on keywords.
RSS feeds
Most websites that are frequently updated provide RSS Feeds to push these directly to a client RSS Reader.
Depending on the RSS Client, the feed may contain just a link to the actual article, while other download the entire post in text format.
An easy way to implement RSS Feeds as a data source is by leveraging an RSS Client, and receiving the updates is as easy as clicking “send/receive”
Most email client such as Microsoft Outlook or Mozilla Thunderbird offer RSS Client capabilities.
Content Aggregation (Feedly)
Feedly (http://feedly.com) is a free online service that monitors for updates on practically any website even if it does not provide an RSS feed.
This has many benefits as the analyst does not waste time reviewing sources that have not been updated, and Feedly only displays the content update, not the entire site, which saves time and resources. When you are reviewing 150-200 sources a day a few seconds here and there add up quickly.
When you login to the dashboard you will only see the updates to the sources your are monitoring sources
can also be categorized based on source classification.
Additional features are available for commercial accounts. Some news/content aggregating services may have categories such as “cyber-security” or “data breaches”, pre-configured as well which may also compliment your sources.
TweetDeck
TweetDeck is a tool provided by Twitter that displays Twitter updates for various Hashtags, or other Twitter search criteria in a columnar format with live updates.
The desktop version of TweetDeck is best to use due to the widescreen display of the data.
If possible, display TweetDeck on a dedicated monitor to view the live updates of hashtags related to emerging threats.
In having this live dashboard of Tweets you can monitor emerging threats throughout your day and act on potential issues as they are flagged by the Twitter community.
Commercial vendors and platforms
There are also many commercial platforms that provide data collection capabilities.
These typically are provided in 2 different ways:
Platforms: Vendor platform have various capabilities including, but not limited to searches and custom queries, dashboards and heatmaps, threat feeds, API integrations, and other data enrichment capabilities all in a self-server format that you control.
Request for Information (RFI): RFI’s are services that commercial vendors typically offer, which is a one-time request for research on a very specific topic and is usually derived from a Priority Intelligence Requirement (PRI).As these vendors have access to high-quality data and are conducting the work efforts to satisfy the PIRs and generate the reports, this could off-load efforts to a third party allowing your internal team to continue with day-to-day operations.
Examples of these vendors include:
Recorded Future - Recorded Future, the world's largest intelligence company with robust coverage across adversaries, infrastructure, & targets.
SiloBreaker - Silobreaker helps security, business & intelligence professionals make sense of overwhelming amount of data on the web.
ZeroFox - ZeroFox provides enterprises protection, intelligence and disruption to identify and dismantle threats.
Intel 471 (Dark Web) - Intel 471 empowers cybersecurity teams to be proactive with its platform & comprehensive coverage into the criminal underground.
Some vendor also offer free newsletters, threat advisories, and quarterly landscape reports simply by signing up – Take advantage of these where applicable!!!
Operational Security (OPSec)
Virtual Private Network (VPNs)
Before we get into the fun activities and tools, one topic that needs to be discussed is Operational Security (OPSEC)
OPSEC is the ability to safely conduct investigative activities without revealing your activities or intents to you adversaries, or exposing your internal infrastructure.
Your activities could be disclosed within logs (i.e. IP Addresses) and fingerprints (i.e. User-Agents) you leave when accessing or interacting with websites or online services.
For example if you work for a large organization investigating a security event and you access the infrastructure of an adversary and your IP address shows up in their logs, this could tip-off the threat actors off and let them know you may be on to them.
A VPN is recommended to be used which is a service that proxies your internet traffic through their servers and provides you with one of their public IP addresses.
With a VPN you can pick the country you want to proxy your traffic from which is useful when attempting to “cover your tracks”
Segregated infrastructure
There are occasions when you may be conducting and investigation, running random tools and code, or other highly sensitive security activities.
These are dangerous activities and while investigating it is best to disable any security controls that are in place so you can see what they are intended to do (which makes these activities more dangerous).
As these activities have unexpected results, and you do now know what impact they would have if you were legitimately infected, it is recommended to use a dedicated subnet, with dedicated systems and hardware that can be reverted to a safe state every time.
These environments should be completed separate from the corporate environment to ensure safety and security of operations.
Virtualization technology (i.e. VMware, VirtualBox) to facilitate segregated infrastructure.
Social Media
Another tools for research and investigations are social media websites.
While useful, if done insecurely could pose a security concern to the organization or the assigned investigator if done through personal accounts as this would “tip-off” your adversaries to your actions.
An example of this is viewing a LinkedIn profile from a personal account, that will show up in the adversaries “Viewed your Profile” notification.
It is best to create dummy social media accounts (also known as sock puppet accounts) to perform these activities, as any interaction would be associated with these fake accounts (with their own back story) and no affiliation with the organization.
Research and investigation - pre-configured virtual machine’s and other tools
Once a threat has been identified, additional research and investigations will be required, and to support this there are niche intelligence tools that can assist you in obtaining the specific data you require.
Tools are typically available as local installations, pre-configured virtual machines, hosted services, and/or commercial services.
Depending on your needs and/or requirements a combination of the above will most likely be required to support your intelligence requirements, and their associated products and/or services.
As the output of these tools vary additional scripting could be required to parse the output to a suitable format either for presentation purposes or input into another tool or service.
OSINT virtual machines
To quickly setup and deploy a the most effective OSINT tools there are pre-made virtual machines available:
Kali Linux: Kali Linux is an open-source distribution aimed at Penetration Testing and Security Auditing
and contains several hundreds tools targeted towards Pen Testing, Security Research, Forensics and
Reverse Engineering.
https://www.kali.org/get-kali/
https://www.kali.org/tools
These virtual machines can be launched in any desktop virtualization software (i.e. VMware Player, Virtual Box), and majority of the tools are ready to be run out of the box. Other tools may require third-party API keys or other configurations before they can be run.
Local application
Maltego - Integrate data from public sources (OSINT), commercial vendors, and internal sources to establish links and other data correlations.
Recon-ng - Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted, and we can gather all information.
theHarvester - TheHarvester is a command-line tool included in Kali Linux that acts as a wrapper for a variety of search engines and is used to find email accounts, subdomain names, virtual hosts, open ports / banners, and employee names related to a domain from different public sources (such as search engines and PGP key servers).
Shodan (CLI) - Shodan is a search engine that lets users search for various types of servers (also has a Command Line Version).
Metagoofil - Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target company.
SpiderFoot - SpiderFoot is unique in that it recursively analyses each piece of data found during a scan so that no stone is left unturned.
Online tools and resources
VirusTotal - VirusTotal is a free virus, malware and URL online scanning service.
Whois.sc- Research domain ownership with Whois Lookup: Get ownership info, IP address history, rank, traffic, SEO & more. Find available domains & domains for sale.
URLscan.io- Website scanner for suspicious and malicious URLs.
Shodan.io - Shodan is a search engine that lets users search for various types of servers connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client.
App.Any.Run - Online malware analysis tools you can research malicious files and URLs and get result with incredible speed
Hybrid-Analysis - Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology.
Intelligence X - Intelligence X is a search engine and data archive. Search Tor, I2P, data leaks and the public web by email, domain, IP, CIDR, Bitcoin address and more.
Please Note: When using these online services you are the product. For example if you are using an online
malware sandbox most likely your analysis results will be available to you as well as any other user of the service, and if you are sandboxing sensitive files this may lead to a new information disclosure issue.
Before using any of these services it is best to review their terms and conditions to fully understand what will be done with your data while using their services.
Tracking systems
As the CTI team operates and performs their activities these need to be documented and logged in order to track the team’s activities and performance.
These tracking systems also support processes and procedures of daily operations, and supports operational reporting.
Various systems may be needed depending on tracking and reporting requirements.
Some tracking systems may include web-applications and large database. While these tools may provide some fancy features, you also need to keep in mind that you need resources to host, support and maintain.
Try to leverage internal tools and other intelligence systems that provide the ability to integrate with other systems (i.e. API for look-up and data enrichment)
Excel (IOCs)
If an organization has the ability to monitor for Indicators of Compromise (IOCs), it is recommended to track these for
reference, tracking and reporting purposes.
You guessed it - The easiest way to track IOC’s is in good old excel.
Excel has many data manipulation and filtering tools that are very beneficial for tracking and reporting, and is simple to use.
You need to be careful when working with IOC’s as some applications may detect these as a hyper-link and automatically embed the link, and if you accidentally click these malicious links you may end up compromising yourself.
To prevent IOC’s from becoming links it is best to work with the IOC’s in a plain-text editor first (i.e. Notepad), and change sections of the link to prevent it from being clickable.
This is known as “Defanging”, and common ways to do this are:
Use square brackets around periods in domain names and/or IP addresses (i.e. example[.]com, or 1.2.3[.]4)
Change the http part of a URL to something else (i.e. meow://example.com/badfile.exe
Source: https://github.com/tesla-consulting/ioc-list/blob/main/iplist.csv
SharePoint (Threat events & Courses of Action)
SharePoint can create custom lists which is useful when you are tracking threat events, and COAs.
A custom list with a few columns for a title, Source URL, and some meta-tags would be a easy and effective way to track threat events.
COA tracking lists could be created using a few fields for title and description, status and assigned fields, SLAs etc…
As you operate and start to populate these SharePoint lists, different views and dashboards can be created to support to operational reporting requirements.
Data from SharePoint can easily be exported, or as data repository for other Office or SharePoint list.
Ticketing system (Courses-of-Action / COAs)
Ticketing systems are useful for tracking the COAs and other activities the CTI team is performing.
Ticketing systems are more then just an application that logs task data, but they can also be used to tag
or classify tasks, apply a prioritized and SLA’s, provides automatic and custom dashboards, and depending on the tool API integrations.
These capabilities and automation will greatly assist the CTI team by lessening the effort require to maintain and track the progress of activities, and reporting.
If your organization already has a ticketing system it is would be best to use that instead of a dedicated ticketing system for the CTI team, as occasionally tickets may be assigned to teams resources outside of the CTI team.
Source: https://www.tempo.io/hubfs/Imported_Blog_Media/TempoPost-Dashboard-example-1.png
Threat Intelligence Platforms (TIP) – MISP (Threat tracking and IOCs)
MISP is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threats about cyber security incidents analysis.
MISP is designed by and for incident analysts, security and CTI professionals or malware reversers to support their day-to-day operations to share structured information efficiently.
MISP provides metadata tagging, feeds, visualization and even allows you to integrate with other tools for
further analysis thanks to its open protocols and data formats.
Website: https://www.misp-project.org/
Threat Intelligence Platforms (TIP) - Open-CTI (Threat tracking and IOCs)
OpenCTI is an open source platform allowing organizations to store, organize, visualize and share their knowledge on cyber threats.
With multiple tools and viewing capabilities, analysts can explore the whole dataset by pivoting on the platform between entities and relations.
All indicators are linked to threats with all the information needed to the analysts to fully understand the situation.
From operational to strategic level, all information are linked through a unified and consistent data model based on the STIX2 standards.
Source: https://www.opencti.io/wp-content/uploads/2022/03/dashboard-1-1536x843.png
Website: https://www.opencti.io/en/
Where are your tools going to live
Now that you understand what tools may be useful for your CTI program, you will need to start to plan where these tools are to live.
If there is only 1 person as part of your CTI Team then tools could be running off a virtual machine on their workstation, until they are sick, on holidays or no longer working for the organization.
It is best to have tools setup and configured on centralized servers or systems that multiple CTI Team members can access. This will ensure that your tools are always available regardless of the user who requires them, which in turn results in the continuity of CTI operations.
Depending on the type of tools you are using and their purpose, it may be best to have some tools setup in a segregated subnet, separate from other corporate systems (i.e. if you are debugging ransomware on a dedicated system, you do not want this to accidently spread to the corporate network.
Please Note: Please perform your own due diligence beforehand and follow existing approval and change management processes.
Action items
Based on intelligence sources determine what tools are best suited to be used to collect information from these sources.
Determine what tools are needed for threat event, IOC, COA tracking.
Compare and contrast various tools with similar capabilities to find appropriate tools for your requirements
Is there an open-source (free) version of a commercial tool that would work just as well?
Do other tools support automation, integrations
Understand the requirements and dependencies to use and support these tools (i.e. Licensing costs, hardware/software resources, maintenance costs and support etc...)
Determine where these tools will live, how they will be setup, and how they will be accessed
Could custom scripting (i.e. Bash / PowerShell / Python) be used for additional automation and batch
processing (either now or in the future)
Establish your operational security requirements and what is required to support these (i.e. VPN services, dedicated/segregated network and hardware).
Evaluate the costs associated by performing certain intelligence requirements, and determine if they are cost effective (risk vs. reward).
If costs are too high vs. the potential reward it may not be feasible to perform certain intelligence requirements. In this event you have 3 choices:
Drop the intelligence requirement altogether
Outsource the intelligence requirement to an intelligence vendor
Scope down the original intelligence requirement until it fits a suitable cost range, while still being effective
as an intelligence requirement
Update the intelligence requirements to reflect any updates or changed that have occurred
as you evaluated your tools (i.e. sources may change, additional COAs as a results of enhanced tool
capabilities, changes in the IR objective).
Summary
During this unit we discussed:
How to determine appropriate tools that can be used to support the operations of the Cyber-Threat Intelligence team.
How to estimate cost requirements for hardware, software and other dependencies associated to various tools and intelligence requirements.
The basic concepts of Operational Security (OPSEC).
The benefits and capabilities of commonly used Threat Intelligence Platforms (TIPs).
The benefits and disadvantages of using online resources and services.
What is next:
This unit was focused on the various tools used to support and secure the operations of a CTI team.
Tools have been identified that could be used for tracking purposes (i.e. threat events, COAs, & IOCs) these tools can also be used as a data-source for reporting and metrics.
Depending on the reporting platforms or tools used it may be possible for a direct integration with these tracking tools for automated snapshot or live dashboards.
Feel free to join us for the next unit where we will be focusing on reporting and establishing metrics is to:
Ensure there is a means in place to track overall performance and operational improvements.
Identifies area of improvement (i.e. quality of data source, process enhancement)
Communicates to management the efforts and output of the CTI team over a certain period.
Provide insight into the threat landscape both internal and external of the organization.
Introduction
Course overview
Introduction
Discovery
Risk assessment and threat modelling
Intelligence requirements
Definition
Intelligence sources & collection plans
Courses-of-action, service catalogue, communication plans and SLAs
Intelligence tools
Operational reporting & metrics
Executive and stakeholder buy-in
Unit objectives
Upon completion of this unit participants will be able to:
Establish reporting cadence and criteria for executive and stakeholders.
Formulate meaningful operational metrics to be included in various reporting products.
Prepare reporting templates and layouts based on reporting requirements and audience.
Construct methods to easily acquire and generate updated data and metrics.
Methodology
This phase leverages all the prior units to establish operational metrics and reporting requirements for various stakeholders. These reports and metrics are used to convey messages regarding emerging threats, COAs taken by the CTI Team, operational efficiencies, etc.
By regularly producing these reports and metrics this will help monitor the overall cyber-threat landscape, and gauge the effectiveness of the overall CTI program.
Also provides visibility to the overall security activities and efforts taken by the CTI team.
Operational metrics - Part #1
Metrics and reporting of the CTI team are intended to measure risk of the cyber-threat landscape and performance of CTI operations through their ability to mitigate risk
Metrics measured over time will help identify trends provide stakeholders with the necessary information required to make informed decisions.
Majority of the data required for reporting is typically collected and tracked during regular CTI operations and stored within various intelligence platforms.
Metrics need to be well thought-out in order to convey its intended message to the designated audience.
For example, a “Number of IOC’s added to the SIEM” is considered a “bean counter” effort as it is just a number with no real insight.
However, if metrics are more detailed and scoped i.e. ransomware IOC’s added to the SIEM from known campaigns operating within the past 3 months, it conveys a more concise message you as CTI analyst is trying to communicate.
Metrics can be cross-tabulated with other data points to provide more granular representation. An example would be IoC’s added to the SIEM related to critical and zero-day exploitation of technologies used the organization.
Metrics should be meaningful, easily calculated and acquired, and primarily address:
Key Performance Indicators (KPIs): A quantifiable measurement of performance over time for a specific
Intelligence Requirement (historical).
Key Risk Indicators (KRIs): KRIs provide an early signal of increasing risk towards the organization
(forward view).
Threat landscape
Description:
Threat landscape metrics provide a high-level overview of emerging threats over time. This could include but is not limited to threats impacting your organization, sector/industry, as well as global threats.
This provides an organization with an indication of current threats and trends, and where future efforts should be focused to proactively defend against these types of attacks.
Metrics (+/- period over period) :
Most prominent emerging cyber threats
Ransomware/malware variants
Threat group activity (frequency, targets/victims)
Actively exploited vulnerabilities and software applications
Threats targeting specific sectors, industries and region
Data Source: The information source for these metrics are typically derived from daily monitoring of media sources, community newsgroups, trusted third parties, as well as other relevant and supporting sources.
Detections stemming from CTI
Description:
This metric will primarily provide an overview of the effectiveness of the threat intelligence Indicators based on the SIEM’s and/or other security appliances activity, and the subsequent investigative result.
These metrics allow you to compare the quality of the threat feed sources, other intelligence sources, and the quality of the existing detection rules.
Metrics: Measure of alerts triggered within the SIEM or other security appliances based on the implemented detection rules and/or IOCs:
Total Detections (True / False Positives)
Detections blocked as a result of an existing security control
Indicator type (domain, URL, file hash, IP)
Indicator source (commercial, OSINT, internal, etc..)
Threat category / classification
Data Source: Multiple data sources will be used to calculate these metrics including various
SOC management and ticketing system (used to track events and incidents), the SIEM,
other security appliances, threat intelligence platform and other data repositories.
Operational metrics - Part #2
Performance of CTI services and sources
Description:
These metrics are used to measure performance & effectiveness of the CTI sources, tools, services, and associated vendors (if applicable).
In measuring the performance of CTI tools and services, this will assist the CTI team from a management point of view by assessing the uptime, performance, quality of CTI vendors, tools, and intel sources. It also assess added value of the internal CTI team supporting the management and configuration of security tools and appliances.
Metric:
CTI Product SLAs (SLA compliance vs. non-compliant):
Service and tooling uptime (associated internal / external tools, services, intel sources, web portals, IOC feed servers)
Operational Impacts (Effort and resources to resolve technical issues or tool/service downtime (Human resources, financial cost))
Intel/data source frequency and Confidence:
What is the quality and confidence of intel and data you are receiving from your intel/data sources
How often do you receive intel from your various data sources
What is the intel source True/False positive rate
Data Source: Service owners will be responsible for tracking the downtime of various Intelligence tools. When a service tool is required, yet unavailable this impacts the performance of the CTI, details regarding these downtimes may be requested by the CTI Team.
Security enhancements as a result of CTI Courses-of-Action (COAs)
Description: This metric is used to identify the number of security enhancements and improvements (COAs) that have been operationalized by the CTI team to defend against emerging cyber threat.
Metric:
Count COAs by Classification (Discover, Detect, Deny, Disrupt, Degrade, Deceive, Destroy)
Most commonly implemented CoA by Classification (i.e. Top 3):
Highlights capabilities of the CTI team and where improvements can be made
Most commonly leveraged security appliance/tool (i.e. IDS/IPS, Firewall Detection Signatures (Yara, Snort, etc…)
Recommendations to other teams:
IT and Desktop Services / application development (i.e., settings and configuration recommendations (non-indicator based)
Vulnerability Management (i.e., System Patching)
Most effective COAs by classification (i.e., Top 3):
Highlights strengths of the CTI Team and where improvements can be made
Data Source: These metrics will be derived from your COAs tracking system. In the event that multiple teams are using multiple tracking systems, it is possible you may have to derive data from other problem management and ticketing systems where tracking activities may have occurred from other teams, yet involved CTI as well.
CTI products and services
Description:
These metrics are used to track the performance and effectiveness of CTI intelligence requirements and their associated products and services.
This will assist the CTI team from a management perspective to identify where the team can improve by assessing the successes and weaknesses of each Intelligence requirement and product and assess where enhancements can be made.
This is also useful when performing and annual review of the CTI program as this will determine which Intelligence Requirements are useful, need to be improved or re-scoped, require better intel sources, and/or require products or service enhancement to streamline delivery methods and SLAs.
Metric:
Which intelligence requirements are most often triggered or actioned
Which Intel products and/or services are the most effective in defending the organization against cyber-threats
What Intel Requirements, Products and/or Services are time consuming, and yield little value
How can Intel products and/or services be enhanced in order to improve their effectiveness, and or delivery SLA
Do gaps exist in collection sources, current capabilities or require manual intervention (manual efforts vs. automated)
How many intelligence products have been produced.
Has feedback from stakeholders regarding CTI intel products and services been positive or negative
Data Source: The source of this information used to support these metrics are derived from internal CTI data repositories including COA and IOC tracking systems, and other ticket management systems. Other supporting information can be obtained through stakeholder/recipient feedback.
Reporting - Part #1
Each type of report has its own intent, message, cadence and format, depending on the intended audience and message.
Reporting should take advantage of existing CTI tools in order to streamline the acquisition of the appropriate data to support the reporting and associated metrics.
Each report type should be templated including corporate brand in order to be uniformly produced and updated. Keep in mind that generating reports requires time and effort of one or many resources.
There should be a fair balance of what reporting products are needed and the content within them, in order to allow the CTI team to produce meaningful products.
If reports are meaningful and stakeholders find them useful – then by all means continue to produce as efficiently and effectively as possible. (This is where feedback is the king!!!)
If reports are generated for the sake of producing a report and “checking off a box”, it is time to reconsider
and/or possible repurpose the reports for something more meaningful or discontinue it outright.
The following slides shows some examples of typical reporting used within CTI.
Daily reporting
The daily report is a daily summary of emerging threats, threat actor activity, malware campaigns, exploited vulnerabilities, etc. In a simple way, this report identify threats that may pose harm on an organization, their competitors, as well as their supply-chain. By raising awareness to these newly identified threats as they are occurring CTI provides various teams with the necessary information for them to make informed decisions regarding defending and mitigating against these threats.
Daily reporting is recommended as this is used to collect threat related information that helps to establish:
Threat landscape
Commonly targeted regions
Commonly targeted sector and industries
Information on commonly used Tactics, Techniques, & Procedures (TTPs).
Format: Email sent to Distribution List.
SLAs: 10am Daily
Intended Audience: A daily report is intended for general employees within Privacy, Security and IT Teams.
Weekly reporting
The weekly report is a summary of identified threat events as well as Courses-of-Actions that have been identified by the CTI Team over the previous week.
Weekly reports also contain some high-level metrics related to:
Top threats for the week
Threat and other notable events
Top detections
Summary of COAs
Format: A weekly report is typically 1-2 pages longs in word format delivered as a PDF to appropriate stakeholders.
SLAs: Tuesday of the following week
Intended Audience: The weekly report is intended for management level members of Privacy, Security and IT Teams.
Source: https://go.recordedfuture.com/hubfs/weekly-threat-intelligence-report-template.pdf
Reporting - Part #2
Monthly reporting
The monthly report is a detailed report of identified threat events as well as COAs that have been identified by the CTI team over the previous month.
Monthly reports contain some detailed metrics and trends related to:
ThreatCon Overview (Organization, Industry, Global)
Threat Landscape:
Popular threats and trends
Most exploited CVE
High and critical severity threats detections
Courses-of-Action taken by the CTI team to help defend against identified threats.
Monthly CTI operational metrics
Format: A monthly report is typically 6-8 PowerPoint slides delivered as a PDF to appropriate stakeholders.
SLAs: 10 business days into the following month
Intended Audience: The monthly report is intended for upper management level members of Privacy, Security and IT Teams.
Source: https://www.ironnet.com/hubfs/March%202022%20Collective%20Defense%20Monthly%20Report.pdf
Quarterly reporting
The quarterly report is a detailed report of threat trends and landscape as well as COAs that have been taken by the CTI team over the previous quarter to enhance the overall security posture of the organization.
Quarterly reports contain some detailed metrics and trends related to:
Current Threat Condition (Major Global Geo-Political and Socio-Economical Events)
Threat Landscape trends (i.e. threat types, targeted Regions / industries)
Threat Trends on commonly used TTPs
Notable Industry Events
COAs taken by the CTI team to enhance the overall security posture of the organization.
Format: A quarterly report could be produced as a slide-deck or Word document depending on stakeholders' requirements.
SLAs: 1 month after the quarter
Intended Audience: The quarterly report is intended for Board level members of the organization.
Source: https://www.accenture.com/_acnmedia/PDF-158/Accenture-2021-Cyber-Threat-Intelligence-Report.pdf
Annual reporting
Annual Reports are used to :
Threat landscape events and trends observed over the past year
Describes COAs taken by the CTI team to enhance the security posture of the organization
Provide details regarding operational insight and effectiveness (i.e., intelligence sources, Intelligence Requirements)
This report provides top-level decision makers with the information needed to:
Provide strategic direction and corporate insight to prioritize efforts
Consider the following year’s budget and resources
Annual reports could take a significant amount of time to produce and should have an SLA of up to 3 months.
Format: Annual reports are fairly long and could be produced as a slide-deck or Word document
depending on stakeholders' requirements.
SLAs: Before the end of the following Q1
Intended Audience: The annual report is intended for upper management and board level
members of the organization.
Action items
Identify reporting requirements, formats and cadence:
This is dependent on stakeholder requirements.
Identify the distribution and audience for each product.
Ideal would be daily, monthly, quarterly, annually and ad-hoc reports (i.e. Flash notifications, Intelligence Briefings, etc...)
Identify meaningful metrics:
Proactively identified threats that had the ability to impact the organization.
COAs taken to enhance the overall security posture.
Mitigations implemented to defend against emerging threats.
Mock-up potential reporting templates:
Determine how metric data will be obtained and generated
Determine where other content will be derived
Summary
During this unit we discussed:
Establishing reporting cadence and requirements for executive and stakeholders reporting.
Formulating meaningful operational metrics to be included in various reporting products.
Preparing reporting templates and layouts based on reporting requirements and audience.
Constructing methods to easily acquire and generate updated data and metrics.
What is next
This unit was focused on the various reports and metrics that can be used to measure the efficiency and effectiveness of the CTI team.
Feel free to join us for the next unit where we will discuss on how to present your vision of the CTI team (including inputs / outputs, and outcomes) based on all the work efforts that have been completed to this point to executives and stakeholders for approval.
The objective of executive and stakeholder buy-in is:
Obtain dedicated resources (i.e., budget, technical, and human resources) in order to stand-up and operate a CTI service.
Obtain strategic direction in order to define the goals and objectives of the CTI team.
To ensure executive authorization to utilize corporate resources (i.e., technical, financial, and
human resources).
Establish reporting requirements and cadence.
Introduction
Introduction
Discovery
Risk Assessment and Threat Modelling
Intelligence Requirements (IRs)
Definition
Intelligence Sources & Collection Plans
Courses of Action, Service Catalogue, Communication Plans and SLAs
Intelligence Tools
Operational Reporting & Metrics
Executive and Stakeholder Buy-in
Unit objectives
Upon completion of this unit participants will be able to:
Develop executive and stakeholder presentations regarding the Intelligence Requirements and CTI operations that have been established in order to obtain support and buy-in.
Justify identified cyber-threats and their associated Intelligence Requirement proposals on how identify and defend against these.
Appraise, tailor and update Intelligence Requirements based on executive and stakeholder feedback.
Methodology
This phase leverages all the units up to this point to put together a report or presentation to your executives and stakeholder regarding what you propose to establish with a CTI team, and how it will operate.
The objective of this is to obtain executive approval before moving forward with procuring hardware software and other services to support the CTI program.
In addition to approvals for moving forwards, executive and stakeholders can also provide other organizational supports to ensure that the newly formed CTI team integrates well into the existing operations of the organizations.
What can CTI do for an organization
The objective of obtaining executive and stakeholder buy-in and official approval is to ensure that the newly formed CTI team have the necessary support to ensure it is successful in achieving its objectives, while being inline with the overall corporate security strategy.
Throughout this course, you have learned how to establish potential organizational threats, intelligence requirements (IRs), intelligence products and services, etc…
This is CTI’s opportunity to present their capabilities, and proposals to defend/mitigate potential cyber-risk.
In presenting these CTI concepts to executives and various stakeholders, they may put forward options, alternatives and opinions, on the proposed CTI objectives, services, products and outcomes.
This simply means a refactoring of the Intelligence Requirements to adapt and address executive and stakeholder concerns and comments (i.e. scope of IR, cost to service IR, cost benefit of IR, etc…)
Executive and stakeholder buy-in / approval also establishes what commitments the organization will make towards establishing and supporting the CTI program (i.e. organizational support, operating budget, human resourcing, technology)
Executive and stakeholder approval can be broken down into 2 main components:
What can the CTI program do for the organization?
How can CTI support the organizations risk mitigation strategies?
How can the organization support the CTI Program
What organizational commitments is required?
From an executive or stakeholder perspective a balance between these components, mostly from a cost/benefit perspective.
It is always best to focus on intelligence requirements that you an do well, and are within the organizations capabilities.
When starting out, the CTI team will be most effective if it compliments
existing organizational process and security controls.
Once a good CTI operational base has been established the CTI team should further focus on how
to enhance the maturity of their CTI program, and grow strategically with the organization.
Benefits of a CTI program and how it can mitigate risk
The first component of obtaining executive and stakeholder buy-in is outlining what you propose to implement as a new CTI program, and how it will mitigate risk to the organization.
This includes the identified Intelligence Requirements and their supporting resources.
Through the proactive monitoring of identified Intelligence Requirements, and implementing various Courses-of-Action this will reduce the organizations exposure to cyber-threats.
In reducing exposure to cyber-threats this will mitigate risk to the organization by:
Understanding threat actor motives and attack techniques (TTPs)
Reducing operational down-time in the event a of cyber-attack
Reducing incident and recovery costs including manual efforts
Preventing reputational impacts of a threat event
Enhancing the security posture to proactive prevent potential emerging cyber-threats
Identifying cyber-threat trends and providing recommendations to enhance security monitoring and controls
What threats have the potential to impact your organization
In Unit #3 (Risk assessment and threat modelling), threats that have the ability to impact your organization and operations were identified.
Outcomes from that Unit can be used as a starting place to showcase your methodology and thought process for identifying potential cyber threats the organization may be exposed to, to your executives and stakeholders.
Having the ability to map the threats to specific organizational assets, technologies, and/or lines of business will aid your executives and stakeholders understand the need to further support, secure, and protect against these threats.
Intelligence requirements
Once executives and stakeholders are aware of the exposed assets, technologies, and/or lines of business, and their potential cyber-threats the CTI team has identified, you can now present the Intelligence Requirements that the CTI team has established.
These intelligence requirements will convey what cyber-threats and risk scenario the CTI team will monitor for and produce various CTI products, services and CoAs.
The Intelligence Requirements you are presenting should also be inline and compliment organizational security strategies and direction.
From an executive and stakeholder perspective, the best Intelligence requirements are the most actionable, as these will produce the most value for the organizations.
In addition these should easily compliment existing capabilities.
CTI Course of Action (COAs), products and services
Once the executives and stakeholders are aware of what intelligence requirements you plan to monitor for, the CTI COAs, products and services will help explain the actions that the CTI team will take to mitigate any potential risk.
This is where you need to explain to the executives and stakeholders examples of what is being produced by the CTI team, what teams will receive these products and/or services, and what other actions the CTI team will be taken in order for visualize and fully understand the benefits of the CTI team and the risk mitigation strategy.
Examples of this is based on your Intelligence Requirements and include but are not limited to:
Monitor emerging threats (i.e. malware, ransomware, etc…) and implement blocks within security tools based on identified IOC’s (file hashes, IP address, domains/URLs, etc…) to prevent communication or undesired actions with malicious actors.
Work with vulnerability management teams to identify and ensure that no vulnerable or actively exploited technologies are within the environment.
Identify additional controls to enhance the overall security posture of the organization and work with
IT Teams to have these implemented.
Identify fraudulent products and/or services being sold or offered by unauthorized individuals
(i.e. FaceBook Marketplace, third-party app stores), or other online activity that may pose reputational
impacts to the organization, and work with service providers, and website owners for take-down.
Organization support for the CTI program
The second component of obtaining executive and stakeholder support is to outline what is required by the organization to support the standing up and ongoing operations of the CTI team.
This primarily includes, but is not limited financial support for human resources, tools and other technologies.
Organizational support may also include dedicated facilities for the CTI team to operate, as well as stakeholder commitment to encourage other IT teams to work closely with the CTI team in order to gain synergy between various lines of business.
Human capital
In order to support a CTI Program there must be human resources and capital to perform the necessary CTI operations.
It may be possible to leverage existing employees to support CTI operations.
For example, borrow IT resource for 0.2 Full Time Employee (FTE) a week to complete some CTI Tasks, co-op students or similar.
Otherwise depending on how you wish to structure the CTI team and the required FTE’s to support operations you may be required to hire either additional FTE’s or contractors.
The total number of FTE’s required should be based on the time and effort to support the established intelligence requirements and day-to-day operations of the CTI Team.
Typically for a newly formed CTI team, human capital is the costliest requirement and it is best to ensure that you have accurate, optimized and realistic estimates in place.
•Depending on your situation it may be best to have access to at least one developer as they can assist in the automation of tasks, as this will expedite the tasks and require less manual resources in the future.
Financial support (CTI budget)
Another key component of a successful CTI Team is the financial support in the form of a budget obtained from executive and stakeholders.
This financial support is used to acquire the necessary:
Human resources
Hardware and software expenditures
Intelligence services and subscriptions.
When establishing the intelligence requirements these details regarding financial support should already have been factored in to provide a rough estimate
As the above are mostly based on the intelligence requirements that have been established, this is where leadership may request changes to the operations and support of the Intelligence Requirements in order to make them more cost effective.
It is recommended to have alternative operating plans (such as alternative tools, intelligence sources) to ensure that the CTI can still deliver and action various intelligence requirements with less of a financial requirement.
Other executive and stakeholder support
Other means of executive and stakeholder support could include but is not limited to:
Dedicate office space to operate
IT support and commitments:
Server/application support and hosting
Access to security tools
Other IT and technical supports
Support from other lines of business
Example: vulnerability management, information security, security operations, finance, product teams, etc…
The more support the CTI team has from the executive and stakeholder level (top-down) will allow for an easier integration with existing teams and ease of on-going operations.
Action items
Devise a means to present your ideas on how to defend against cyber-threat that have the ability to impact your organization and its operations.
Typically this should be in a PowerPoint/slide deck format
Highlight and outline the cyber-threat that you are attempting to defend against.
Highlight CTI activities and mitigation efforts as to how you plan on defending against these cyber-threats
Identify how you are plan on tracking and reporting on the activities performed by the CTI team over time.
During your presentation to executives and stakeholders they may have feedback and other idea’s to incorporate into your overall CTI plan.
This may include but not limited to other teams to involve in your mitigation activities, changes to intelligence requirements (additions/removals) and/or, changes to operations due to limited resources (human, technology, budgetary).
This phase may require multiple rounds of updates and review until final approval and support is provided.
Summary
During this unit we discussed:
Developing executive and stakeholder presentations regarding intelligence requirements and CTI operations that have been established in order to obtain support and buy-in.
Explaining and clarifying identified cyber-threats and their associated Intelligence Requirement proposals on how identify and defend against these.
Appraising, tailor and update intelligence requirements based on executive and stakeholder feedback.
What is next
Schedule time with your executives to present your proposal for a newly developed CTI program.
Once you have obtained executive approvals, it is now time to start to build and implement your concepts for the CTI program.
Final words of wisdom:
Automate wherever is possible
Track and log everything
Frequently engage stakeholders for feedback
Always look for free or Open-Source alternatives (i.e. data and tools)
Many service provider simply use OSINT tools and data, and simply charge a fee for formatting and vetting.
This can often be replicated internally for typically minimal costs and effort.
Best of luck !!!!!
The course aims to provide organizations, regardless of their size, with the necessary knowledge and skills to develop a customized Cyber-Threat Intelligence program that aligns with their unique needs, requirements, and budget. By following this course, participants will learn how to effectively plan, build, and operationalize such a program within their organization.
The course begins by emphasizing the importance of identifying critical assets, both in terms of technology and business processes. This step is crucial because it helps organizations understand which areas of their operations are most vulnerable to cyber threats. By recognizing these crown-jewels, which refer to the most valuable and sensitive assets, organizations can prioritize their efforts in protecting them.
Once the critical assets are identified, the course proceeds to teach participants how to detect cyber threats that specifically target those assets. This involves learning about various threat intelligence sources, such as open-source intelligence, dark web monitoring, and information sharing platforms. Participants will understand how to gather, analyze, and interpret threat data in order to identify potential risks and attacks.
Moreover, the course emphasizes the importance of implementing appropriate controls and detection capabilities to proactively respond to cyber threats. Participants will gain insights into different security measures and technologies that can be utilized to safeguard the organization's crown-jewels. This may include intrusion detection systems, security information and event management (SIEM) solutions, endpoint protection, and other relevant tools.
Importantly, the course highlights that developing a Cyber Threat Intelligence program does not have to be expensive or overly complex. Rather, the focus is on designing a program that aligns with the organization's intelligence objectives. This means tailoring the program to fit the specific needs, resources, and goals of the organization. By doing so, organizations can create an effective and efficient Cyber Threat Intelligence program that enhances their security posture without unnecessary financial burden or complexity.
Overall, the course provides organizations with a comprehensive understanding of the key elements involved in establishing a tailored Cyber Threat Intelligence program. By leveraging this knowledge, organizations can better anticipate and respond to cyber threats, safeguard their critical assets, and ultimately enhance their overall security posture.