+5
Hi Team,
I am looking for SOPs related to Cybersecurity Threat Intelligence gathering processes - covering each of the specific areas like OSINT (Open Source), TECHINT, SOCMINT (Social Media), HUMINT (Human) and deep web and dark web intelligence. We are mandated to build a team that can manage a CTI program covering these areas. Can anyone kindly provide some good references pls...
Best answer by C-Leavy
View original
+17
Hi @venkata-ayyala , Thank you for posting your questions. We've circulated your questions within the teams and one of our expert reach out with more details 🙂
+3
Hey there @venkata-ayyala,
My name is Colin Leavy, I work on the Threat and Vulnerability Management Team here at Netskope. Me and my team actually built the CTI program here, so here is a brief rundown for you!
We have a CTI program that utilizes many sources from social media, to OSINT, to Government Agencies like CISA. We utilize an RSS feed with Machine Learning to aggregate and cross check these feeds, and create investigations and escalations from the events driven from there as needed. The primary goal is to identify actively exploited vulnerabilities and active campaigns, and use that knowledge to find likely points of attack for anyone targeting our own company.
For specific references, here are some great places to start
CTI works well in conjunction with other tools such as
If you have any other questions, feel free to ask!
+11
Hello!,
When looking to build a CTI program a few useful tips to start off with is understanding the Cyber Threat Intelligence lifecycle to establish a procedure for the program to follow along with the ability for feedback to always improve the CTI program being built. Once you’re comfortable with the CTI lifecycle, understanding how threat intelligence is categorized and shared is crucial to being successful. Many teams misunderstand that CTI should consist solely of IoCs. However IoCs without context are unhelpful to the operationalization of intelligence gathered. The contextual intelligence gathered alongside IoCs should allow an analyst to determine what threats the organization should prioritize. Remember IoCs are short lived, but threat behavior and motivations are longer lasting.
I would also encourage looking into understanding models based on CTI. The model I prefer is the Diamond Model for threat intelligence as it correlates the CTI data found and allows a good all around understanding of threats an organization may face. Using the MITRE ATT&CK and Cyber Kill Chain to correlate intelligence to better prepare organizations in responding to threats found. These models can be used in evaluating the organization’s security stack for gaps, leading threat hunts, and helping in incident response. Threat Intelligence Platforms can help enhance the ability to cross-evaluate threat founds in the threat landscape against the organization’s environment and see if any indicators of attack are found.
Now to the real question “how do I get started?”. To check off the areas you are asking about in intelligence gathering, you will need to find platforms that fulfill the goals you have set. It is important to have a goal then shop, rather than shop without goals. You want tools and platforms that provide value to an organization. Likely this will lead to purchasing a threat intelligence provider that will collect, aggregate, and distribute threat intelligence and insights into the threat landscape. These services will provide the intelligence on areas listed on OSINT, TECHINT, SOCMINT, HUMINT, and dark web. It is also a good idea to have a news aggregator or feed based on cybersecurity to see what is trending in the threat landscape. One area that is crucial in threat intelligence is monitoring for novel attack vectors and zero-day vulnerabilities. These provide value by enhancing the organization's ability to detect and respond to active threats. After setting up the necessary platforms to fill in your intelligence requirements and building out the CTI lifecycle then automating parts of the collection and distribution will exponentially increase the efficiency of the CTI program being built.
I also have a blog coming out Thursday on CTI which I will come back and link here. If you have any questions or concerns please reach out!
Allen Funkhouser
Information Security Analyst - Threat and Vulnerability Management
https://www.linkedin.com/in/allen-funkhouser/
Other References to understand CTI and CTI programs:
Gartner Research on How to use Threat Intelligence:
Understanding MITRE ATT&CK: https://www.mitre.org/sites/default/files/2021-11/prs-19-01075-28-mitre-attack-design-and-philosophy.pdf
SANS webcast on Threat Actors Names and Tracking Threats:
https://www.youtube.com/watch?v=3CUNlgQBwc4
Books I have used to understand CTI:
The Cyber Intelligence Handbook: An Authoritative Guide for the C-Suite, IT Staff, and Intelligence Team by David Cooney
Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs by Kyle Wilhoit and Joseph Opacki
Intelligence-Driven Incident Response: Outwitting the Adversary by Scott Roberts and Rebekah Brown
The Threat Intelligence Handbook: A Practical Guide for Security Teams to Unlocking the Power of Intelligence by Chris Pace
+5
Hi Colin, Thank you very much for the detailed reply and guidance. Very informative - I may request some more time and guidance from you since actually built a CTI program. Thanks again!
+5
Hi Allen, lots of useful information and links in your post.. almost a knowledge treasure! It seems to be an ocean this CTI thing.. 🙂 Thanks for the detailed guidance and very useful references, much appreciated
+5
Hello Rohit, thanks for helping me reach out to your teams. If I wish to add a few of my colleagues into this community, what are the options? Is there a quick reference process, pls let me know.
+11
I agree at first CTI can seem quite daunting which is why I like to reference processes (the CTI lifecycle) and models (Diamond models) as they make it more manageable and help put action into intelligence gathered. It is what inspired me to do a blog series on this particular topic which is coming out later this week.
I am glad you found my response helpful and be sure to reach out with any other question you may have!
+5
Looking eagerly forward to your blog, Allen!
+3
Yes of course! Just let me know your email and what times work for your team and I can set up a meeting with my team, including @AFunkhouser
+11
As promised, here is part one of the blog on CTI
https://www.netskope.com/blog/understanding-cyber-threat-intelligence
If you haven't already registered, now is a good time to do so. After you register, you can post to the community, receive email notifications, and lots more. It's quick and it's free! Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.