šŸ˜ So, You Wannabe a CTI Analyst?!

Mike Rebultan
4 min read · Sep 22, 2022

You are subscribed to RSS feeds or newsletters from different cyber security organizations, firms, and government CERTs; now what?

As a cyber threat intelligence (CTI) analyst, you are not just copying, pasting, or forwarding security-related events or incidents to your stakeholders and teammates, passing the "hot potato" as they say. You want to make sure that it is (1) relevant to your organization and (2) actionable in a timely manner.

Credit: Pxby Free Images

Now, let's unpack what "relevant" means from a CTI perspective. BLUF (bottom line up front): it simply means that the "intelligence" you provide should be applicable to your organization's line of business, such as the financial (FinTech) sector, operational technology (OT), information technology (IT), military (mil), and other specific environments such as semiconductors, data centers, healthcare and hospitality, food and beverage, academia, and more.

How about "actionable" in a timely manner? Why is it so important and crucial to the organization? Because this is the turning point at which you, as a CTI analyst, provide "strategic intelligence" to the leaders of the business, such as the CISO, CIO, CTO, and domain directors or managers, for long-term security solutions that achieve defense-in-depth on the way to cyber resiliency. This is how the "whack-a-mole" child's play is avoided.

Meanwhile, "operational intelligence" and "tactical intelligence" are equally significant: for your threat and vulnerability management (TVM) program, to battle the risks on the exploitable tech stacks you have, and for the security operations (SecOps) program, to hunt for the relevant adversaries' tactics, techniques, and procedures (TTPs) that can be used against your company.

Mining the Gold
šŸ‘·šŸ¼ Today you received or read an article about cyber security threats or incidents ā€” now whatā€™s next? pass the ā€œhot potatoā€?

Of course, you should convert that "relevant" news into "actionable" intelligence in a "timely" manner before sharing it with your organization or publishing it on your internal blog.

Credit: Pxby Free Images

So let's take, for example, this security advisory from https://www.bleepingcomputer.com/news/security/vmware-microsoft-warn-of-widespread-chromeloader-malware-attacks/ about the "ChromeLoader" malware campaign. Based on the IOA (indicators of attack) it describes, you should easily be able to identify the TTPs built into the malware by its author, formulate a threat model, and come up with strategic, operational, and tactical intelligence for the different security domains (TVM, SecOps, ProdSec/AppSec, Architecture & Engineering, GRC, and the CISO).

Here are the 👺 ATT&CK IDs that can be extracted from that article:
Command-Line Interface (T1059)
Connection Proxy (T1090)
Data Encoding (T1132)
Obfuscated Files or Information (T1027)
Deobfuscate/Decode Files or Information (T1140)
Exfiltration Over Alternative Protocol (T1048)
Exfiltration Over Command and Control Channel (T1041)
Indicator Removal on Host (T1070)
Input Capture (T1056)
Browser Extensions (T1176)
Create Account (T1136)
Data Obfuscation (T1001)
Drive-by Compromise (T1189)
Logon Script (T1037)
Modify Registry (T1112)
Remote File Copy (T1105)
Scheduled Task (T1053)
Scripting (T1064)
Signed Script Proxy Execution (T1216)
User Execution (T1204)
Windows Management Instrumentation (T1047)

Threat Modeling Mapped by "Str@1n3r" (aka Art Rebultan)

Therefore, from the above TTPs, here are the compensating controls that can be implemented toward cyber resiliency.

🔰 MITIGATION
Audit
Limit Software Installation
User Training
Application Isolation and Sandboxing
Exploit Protection
Update Software
Data Loss Prevention
Filter Network Traffic
Network Intrusion Prevention
Network Segmentation
Antivirus/Antimalware
Behavior Prevention on Endpoint
Code Signing
Disable or Remove Feature or Program
Execution Prevention
Privileged Account Management
Restrict Web-Based Content
User Account Management
Multi-factor Authentication
Operating System Configuration
Restrict Registry Permissions
Restrict File and Directory Permissions
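The two lists above (the ATT&CK technique IDs mined from the article, and the compensating controls mapped from them) are exactly the kind of thing an analyst ends up doing by hand in a spreadsheet. The following script is an added example, not code from the original post, showing one way to make that step repeatable: it parses an analyst's pasted TTP notes (constructed sample input, including a duplicate and a malformed ID), validates and de-duplicates the technique IDs, maps each technique to the mitigation names used in this post, ranks mitigations by how many observed techniques they address (which is what makes the list "actionable" for TVM and SecOps), flags techniques with no mapping, and emits a minimal ATT&CK Navigator layer. The technique-to-mitigation table is a hand-built subset and an assumption of this example; the authoritative mapping is the ATT&CK STIX/Navigator data, so a real workflow should load it from there.

```python
"""Turn an analyst's ATT&CK technique list into a ranked mitigation plan.

Added example, not code from the original post. The technique->mitigation
table is a hand-built subset (ASSUMPTION: illustrative only; load the real
mapping from the ATT&CK STIX/Navigator data in production).
"""
import json
import re
from collections import Counter

# Constructed sample input: technique lines as an analyst might paste them
# from their notes, with a duplicate (T1176 twice) and a malformed ID (TX999).
RAW_TTP_NOTES = """\
Command-Line Interface (T1059)
Browser Extensions (T1176)
Drive-by Compromise (T1189)
User Execution (T1204)
Modify Registry (T1112)
Scheduled Task (T1053)
Exfiltration Over Command and Control Channel (T1041)
Browser Extensions (T1176)
Obfuscated Files or Information (T1027)
Not a technique (TX999)
"""

# Technique IDs look like T1059 or, for sub-techniques, T1059.001.
TECH_ID = re.compile(r"\b(T\d{4}(?:\.\d{3})?)\b")

# ASSUMPTION: hand-built subset of mitigations per technique, using the
# mitigation names from the post. T1027 is deliberately absent so the
# gap-reporting path is exercised.
MITIGATIONS = {
    "T1059": ["Antivirus/Antimalware", "Code Signing", "Execution Prevention",
              "Privileged Account Management", "Restrict Web-Based Content"],
    "T1176": ["Audit", "Execution Prevention", "Limit Software Installation",
              "User Training", "Restrict Web-Based Content"],
    "T1189": ["Application Isolation and Sandboxing", "Exploit Protection",
              "Restrict Web-Based Content", "Update Software"],
    "T1204": ["User Training", "Execution Prevention", "Restrict Web-Based Content",
              "Behavior Prevention on Endpoint", "Network Intrusion Prevention"],
    "T1112": ["Restrict Registry Permissions"],
    "T1053": ["Audit", "Operating System Configuration",
              "Privileged Account Management", "User Account Management"],
    "T1041": ["Data Loss Prevention", "Network Intrusion Prevention"],
}


def extract_technique_ids(notes):
    """Return (unique valid IDs in first-seen order, lines with no valid ID)."""
    seen, ids, rejected = set(), [], []
    for line in notes.splitlines():
        line = line.strip()
        if not line:
            continue
        match = TECH_ID.search(line)
        if not match:
            rejected.append(line)  # keep for the analyst to review by hand
            continue
        tid = match.group(1)
        if tid not in seen:
            seen.add(tid)
            ids.append(tid)
    return ids, rejected


def rank_mitigations(ids):
    """Count how many observed techniques each mitigation covers.

    Returns (list of (mitigation, count) sorted by coverage desc then name,
    list of technique IDs with no mapping in the table).
    """
    coverage = Counter()
    unmapped = []
    for tid in ids:
        mits = MITIGATIONS.get(tid)
        if not mits:
            unmapped.append(tid)
            continue
        coverage.update(mits)
    ranked = sorted(coverage.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, unmapped


def navigator_layer(ids, name):
    """Build a minimal ATT&CK Navigator layer dict marking the observed techniques.

    ASSUMPTION: only the fields needed for a highlight layer are set; pin the
    'versions' block to your Navigator/ATT&CK release before importing.
    """
    return {
        "name": name,
        "versions": {"layer": "4.4"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": 1, "color": "#ff6666",
             "comment": "observed in campaign report"}
            for tid in ids
        ],
    }


if __name__ == "__main__":
    ids, rejected = extract_technique_ids(RAW_TTP_NOTES)
    ranked, unmapped = rank_mitigations(ids)
    print("Techniques:", ", ".join(ids))
    print("Rejected lines:", rejected)
    print("Mitigations by coverage:")
    for mitigation, count in ranked:
        print(f"  {count}  {mitigation}")
    print("Techniques needing a manual mitigation lookup:", unmapped)
    print(json.dumps(navigator_layer(ids, "ChromeLoader TTPs"), indent=2))
```

Ranking by coverage is the prioritisation step: a control that addresses four of the observed techniques (here, restricting web-based content) is the first thing to bring to the SecOps and TVM owners, while the unmapped list is the analyst's reminder that the table is incomplete rather than proof that a technique has no mitigation.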

These are just a few of the skills of a CTI analyst; the full set includes DFIR, malware analysis, and reverse engineering for IOC extraction, offensive security, OOP, critical thinking, communication and presentation skills, and a great deal of patience to shield you against the frustration that nobody listens to you.

In less than 5 minutes of reading this, you should by now have realized that the CTI job plays a very vital role; hopefully, you are not just a lovely decoration on your organizational chart. Otherwise, you are investing your precious time in the wrong company.

DISCLAIMER: The contents cited in this article do not constitute the views of my previous and current employer. This is merely the author's own wild imagination. Any similarities are purely coincidental.
