
Threat Intelligence SOPs

venkata-ayyala
New Contributor II

Hi Team,

I am looking for SOPs related to Cybersecurity Threat Intelligence gathering processes - covering each of the specific areas like OSINT (Open Source), TECHINT, SOCMINT (Social Media), HUMINT (Human) and deep web and dark web intelligence. We are mandated to build a team that can manage a CTI program covering these areas. Can anyone kindly provide some good references pls...

3 ACCEPTED SOLUTIONS
C-Leavy
Netskope

Hey there @venkata-ayyala,
My name is Colin Leavy, I work on the Threat and Vulnerability Management Team here at Netskope. My team and I actually built the CTI program here, so here is a brief rundown for you!


We have a CTI program that utilizes many sources from social media, to OSINT, to Government Agencies like CISA. We utilize an RSS feed with Machine Learning to aggregate and cross check these feeds, and create investigations and escalations from the events driven from there as needed. The primary goal is to identify actively exploited vulnerabilities and active campaigns, and use that knowledge to find likely points of attack for anyone targeting our own company.


For specific references, here are some great places to start:

  • https://www.cisa.gov/
    • USA Cybersecurity and Infrastructure Security Agency
    • This agency is responsible for supporting the security of government agencies, but provides guidelines that can support any business. A great resource for any team looking to build out an Intel program
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    • CISA Actively Exploited CVE List
    • CISA maintains a list of actively exploited CVEs; this is a quick reference to what may be applicable in the threat landscape, mapped back to a standardized vulnerability ID, allowing easy referencing in other tools
  • https://attack.mitre.org/ 
    • MITRE ATT&CK defines a standard for Threat Actor Tactics, Techniques and Procedures (TTPs)
    • This provides a standardization of attack tactics that can be used across tools

CTI works well in conjunction with other tools such as:

  • Attack Surface Management (ASM)
    • ASM tools give visibility into what assets are externally exposed
    • CTI combined with knowledge of your attack surface allows prioritization of the assets most likely to be targeted by attackers
  • Attack Breach Simulation (ABS)
    • ABS tools allow you to test known exploits, malware, and even Threat Actor TTPs against your security controls
    • This gives you confidence your tooling is able to block specific attacks
  • News Aggregators
    • News Aggregators allow simple consolidation of multiple sources of intelligence
    • Could be as simple as an RSS Feed
  • MISP (https://www.misp-project.org/)
    • MISP is an Intelligence Sharing Platform that allows sharing and importing of IoCs
    • Effectively a database of known Intelligence that stores IoCs, TTPs, Threat Actors, and a lot more information.


If you have any other questions, feel free to ask!

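As an added example (not code from Colin's post or from Netskope's program), here is one way to combine the CISA KEV catalog with an ASM-style inventory to rank exposed assets, as the post describes. The KEV entries, hosts and CVE IDs below are constructed placeholders whose field names follow the shape of the KEV JSON feed, and the scoring rubric is an assumption.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV catalog JSON
# (https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
# CVE IDs, vendors and products are placeholders, not real entries.
KEV_SAMPLE = json.dumps({
    "title": "constructed sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "EdgeGateway",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "MailRelay",
         "dateAdded": "2024-02-01", "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Widget",
         "dateAdded": "2024-02-05", "dueDate": "2024-02-26", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed ASM-style inventory: what we run and whether it is internet-facing.
ASSETS = [
    {"host": "vpn-1", "vendor": "examplecorp", "product": "edgegateway", "external": True},
    {"host": "smtp-2", "vendor": "examplecorp", "product": "mailrelay", "external": False},
    {"host": "db-3", "vendor": "somedb", "product": "server", "external": False},
]


def load_kev(raw):
    """Index KEV entries by normalized (vendor, product) so inventory rows match case-insensitively."""
    index = {}
    for v in json.loads(raw)["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        index.setdefault(key, []).append(v)
    return index


def prioritize(assets, kev_index, today_iso):
    """Return (score, host, cveID) tuples, highest first. Assumed rubric:
    externally exposed +2, known ransomware use +2, past CISA due date +1."""
    today = date.fromisoformat(today_iso)
    hits = []
    for a in assets:
        for v in kev_index.get((a["vendor"], a["product"]), []):
            score = 2 * a["external"] + 2 * (v["knownRansomwareCampaignUse"] == "Known")
            score += date.fromisoformat(v["dueDate"]) < today
            hits.append((score, a["host"], v["cveID"]))
    return sorted(hits, reverse=True)


if __name__ == "__main__":
    for score, host, cve in prioritize(ASSETS, load_kev(KEV_SAMPLE), "2024-03-01"):
        print(f"{score} {host} {cve}")
```

Swapping KEV_SAMPLE for the live catalog download and ASSETS for your ASM export gives a daily "what is exploited, exposed and overdue" list without any vendor platform.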

AFunkhouser
Netskope

Hello!

When looking to build a CTI program, a few useful tips to start off with are understanding the Cyber Threat Intelligence lifecycle, to establish a procedure for the program to follow, along with the ability for feedback to always improve the CTI program being built. Once you're comfortable with the CTI lifecycle, understanding how threat intelligence is categorized and shared is crucial to being successful. Many teams misunderstand that CTI should consist solely of IoCs. However, IoCs without context are unhelpful to the operationalization of intelligence gathered. The contextual intelligence gathered alongside IoCs should allow an analyst to determine what threats the organization should prioritize. Remember, IoCs are short-lived, but threat behavior and motivations are longer lasting.


I would also encourage looking into understanding models based on CTI. The model I prefer is the Diamond Model for threat intelligence, as it correlates the CTI data found and allows a good all-around understanding of threats an organization may face. Use MITRE ATT&CK and the Cyber Kill Chain to correlate intelligence and better prepare organizations to respond to threats found. These models can be used in evaluating the organization's security stack for gaps, leading threat hunts, and helping in incident response. Threat Intelligence Platforms can help enhance the ability to cross-evaluate threats found in the threat landscape against the organization's environment and see if any indicators of attack are found.


Now to the real question: "how do I get started?" To check off the areas you are asking about in intelligence gathering, you will need to find platforms that fulfill the goals you have set. It is important to have a goal, then shop, rather than shop without goals. You want tools and platforms that provide value to an organization. Likely this will lead to purchasing a threat intelligence provider that will collect, aggregate, and distribute threat intelligence and insights into the threat landscape. These services will provide the intelligence on the areas listed: OSINT, TECHINT, SOCMINT, HUMINT, and dark web. It is also a good idea to have a news aggregator or feed based on cybersecurity to see what is trending in the threat landscape. One area that is crucial in threat intelligence is monitoring for novel attack vectors and zero-day vulnerabilities. These provide value by enhancing the organization's ability to detect and respond to active threats. After setting up the necessary platforms to fill in your intelligence requirements and building out the CTI lifecycle, automating parts of the collection and distribution will exponentially increase the efficiency of the CTI program being built.


I also have a blog coming out Thursday on CTI which I will come back and link here. If you have any questions or concerns please reach out!


Allen Funkhouser

Information Security Analyst - Threat and Vulnerability Management

https://www.linkedin.com/in/allen-funkhouser/


Other References to understand CTI and CTI programs:

Gartner Research on How to use Threat Intelligence: https://emtemp.gcom.cloud/ngw/eventassets/en/conferences/hub/security/documents/how-to-use-threat-in...

Understanding MITRE ATT&CK: https://www.mitre.org/sites/default/files/2021-11/prs-19-01075-28-mitre-attack-design-and-philosophy...

SANS webcast on Threat Actors Names and Tracking Threats: https://www.youtube.com/watch?v=3CUNlgQBwc4

Books I have used to understand CTI:

  • The Cyber Intelligence Handbook: An Authoritative Guide for the C-Suite, IT Staff, and Intelligence ... by David Cooney
  • Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intell... by Kyle Wilhoit and Joseph Opacki
  • Intelligence-Driven Incident Response: Outwitting the Adversary by Scott Roberts and Rebekah Brown
  • The Threat Intelligence Handbook: A Practical Guide for Security Teams to Unlocking the Power of Int... by Chris Pace


10 REPLIES
Rohit_Bhaskar
Community Manager

Hi @venkata-ayyala, thank you for posting your questions. We've circulated your questions within the teams and one of our experts will reach out with more details 🙂

Hello Rohit, thanks for helping me reach out to your teams. If I wish to add a few of my colleagues into this community, what are the options? Is there a quick reference process? Please let me know.


Hi Colin, thank you very much for the detailed reply and guidance. Very informative - I may request some more time and guidance from you since you actually built a CTI program. Thanks again!

Yes of course! Just let me know your email and what times work for your team and I can set up a meeting with my team, including @AFunkhouser


Hi Allen, lots of useful information and links in your post... almost a knowledge treasure! It seems to be an ocean, this CTI thing... 🙂 Thanks for the detailed guidance and very useful references, much appreciated.

I agree, at first CTI can seem quite daunting, which is why I like to reference processes (the CTI lifecycle) and models (the Diamond Model), as they make it more manageable and help put action into intelligence gathered. It is what inspired me to do a blog series on this particular topic, which is coming out later this week.


I am glad you found my response helpful, and be sure to reach out with any other questions you may have!

Looking eagerly forward to your blog, Allen!