So, You Wannabe a CTI Analyst?!
You are subscribed to RSS feeds or newsletters from various cyber security organizations, firms, and government CERTs; now what?
As a cyber threat intelligence (CTI) analyst, you are not just copying, pasting, or forwarding security-related events or incidents to your stakeholders and teammates, passing the 'hot potato' as they say. You want to make sure that what you share is [1] relevant to your organization and [2] actionable in a timely manner.
Now, let's debug what 'relevant' means from a CTI perspective. In BLUF (bottom line up front) terms, it simply means that the 'intelligence' you provide should be applicable to your organization's line of business, such as the financial (FinTech) sector, operational technology (OT), information technology (IT), military (mil), and other specific environments like semiconductors, data centers, healthcare and hospitality, food and beverages, academia, and more.
How about 'actionable' in a timely manner? Why is it so important and crucial to the organization? Because this is the turning point at which you, as a CTI analyst, provide 'strategic intelligence' to business leaders such as the CISO, CIO, CTO, and domain directors or managers, for long-term security solutions that achieve defense in depth on the way to cyber resiliency. This is where the 'whack-a-mole' child's play is avoided.
'Operational intelligence' and 'tactical intelligence', meanwhile, matter to your threat and vulnerability management (TVM) program, which battles the risks of the exploitable tech stacks you run, and to the security operations (SecOps) program, which hunts for the tactics, techniques, and procedures (TTPs) of the adversaries relevant to your company.
Mining the Gold
Today you received or read an article about cyber security threats or incidents; now what's next? Pass the 'hot potato'?
Of course, you should convert that 'relevant' news into 'actionable' intelligence in a 'timely' manner before sharing it with your organization or publishing it on your internal blog.
So let's take for example this security news article from https://www.bleepingcomputer.com/news/security/vmware-microsoft-warn-of-widespread-chromeloader-malware-attacks/ about the 'ChromeLoader' malware campaign. Based on the IOA (indicators of attack) it demonstrates, you should easily be able to identify the TTPs programmed by the malware author, formulate a threat model, and come up with strategic, operational, and tactical intelligence for the different security domains (TVM, SecOps, ProdSec/AppSec, Architecture & Engineering, GRC, and the CISO).
Here are the ATT&CK IDs that can be extracted from that article:
Command-Line Interface (T1059)
Connection Proxy (T1090)
Data Encoding (T1132)
Obfuscated Files or Information (T1027)
Deobfuscated/Decode Files or Information (T1140)
Exfiltration Over Alternative Protocol (T1048)
Exfiltration Over Command and Control Channel (T1041)
Indicator Removal on Host (T1070)
Input Capture (T1056)
Browser Extensions (T1176)
Create Account (T1136)
Data Obfuscation (T1001)
Drive-by Compromise (T1189)
Logon Script (T1037)
Modify Registry (T1112)
Remote File Copy (T1105)
Scheduled Task (T1053)
Scripting (T1064)
Signed Script Proxy Execution (T1216)
User Execution (T1204)
Windows Management Instrumentation (T1047)
Therefore, from the above TTPs, here are the compensating controls that can be implemented toward cyber resiliency.
MITIGATION
Audit
Limit Software Installation
User Training
Application Isolation and Sandboxing
Exploit Protection
Update Software
Data Loss Prevention
Filter Network Traffic
Network Intrusion Prevention
Network Segmentation
Antivirus/Antimalware
Behavior Prevention on Endpoint
Code Signing
Disable or Remove Feature or Program
Execution Prevention
Privileged Account Management
Restrict Web-Based Content
User Account Management
Multi-factor Authentication
Operating System Configuration
Restrict Registry Permissions
Restrict File and Directory Permissions
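The procedure above (read the article, pull out the ATT&CK technique IDs, then derive the mitigations) is easy to automate for the first pass, so that the analyst's time goes into judging relevance rather than transcribing IDs. The script below is an added example written for this post, not the author's tooling: it extracts technique IDs from an analyst's notes with a regular expression, folds sub-techniques onto their parent technique, and ranks mitigations by how many observed techniques each one addresses, flagging techniques it cannot map. The MITIGATIONS table is a hand-picked, illustrative subset built from the mitigation names listed above; in practice it would be loaded from the MITRE ATT&CK STIX data rather than typed in, and the NOTES text is constructed sample input, not a quotation from the BleepingComputer article.

```python
import re
from collections import Counter

# Illustrative technique -> mitigation table (an assumed subset, keyed by the
# technique IDs and mitigation names used in this post; the authoritative
# mapping is the MITRE ATT&CK STIX dataset, not this dictionary).
MITIGATIONS = {
    "T1204": ["User Training", "Restrict Web-Based Content", "Execution Prevention"],
    "T1176": ["Audit", "Limit Software Installation", "User Training"],
    "T1189": ["Application Isolation and Sandboxing", "Exploit Protection",
              "Restrict Web-Based Content", "Update Software"],
    "T1053": ["Audit", "Operating System Configuration",
              "Privileged Account Management", "User Account Management"],
    "T1112": ["Restrict Registry Permissions"],
    "T1047": ["Privileged Account Management", "User Account Management"],
    "T1027": ["Antivirus/Antimalware", "Behavior Prevention on Endpoint"],
    "T1105": ["Network Intrusion Prevention"],
    "T1041": ["Data Loss Prevention", "Network Intrusion Prevention"],
    "T1048": ["Data Loss Prevention", "Filter Network Traffic",
              "Network Intrusion Prevention", "Network Segmentation"],
}

# Matches T1234 and sub-techniques such as T1234.001; \b keeps it from
# matching inside longer tokens.
TECHNIQUE_RE = re.compile(r"\bT(\d{4})(?:\.(\d{3}))?\b")

# Constructed analyst notes used as sample input (not text from the article).
NOTES = """
Initial access is a drive-by from a malicious ad (T1189); the user then runs
the dropped script (T1204). Persistence via a scheduled task (T1053) and a
browser extension (T1176). Payload is obfuscated (T1027) and pulled with
T1105. Registry is modified (T1112) and data goes out over C2 (T1041).
T1204 appears again; T1140 is used to decode the payload.
"""


def extract_techniques(text):
    """Return unique technique IDs in first-seen order (sub-techniques keep their suffix)."""
    seen = []
    for m in TECHNIQUE_RE.finditer(text):
        tid = "T" + m.group(1) + ("." + m.group(2) if m.group(2) else "")
        if tid not in seen:
            seen.append(tid)
    return seen


def parent(tid):
    """T1059.001 -> T1059; parent techniques are returned unchanged."""
    return tid.split(".")[0]


def rank_mitigations(techniques, table=MITIGATIONS):
    """Count how many observed techniques each mitigation addresses.

    Returns (ranked, uncovered): ranked is a list of (mitigation, count) sorted
    by descending count then name; uncovered lists techniques absent from the
    table, which the analyst must map by hand against the full ATT&CK data.
    """
    counter = Counter()
    uncovered = []
    for tid in techniques:
        mits = table.get(parent(tid))
        if mits is None:
            uncovered.append(tid)
            continue
        counter.update(mits)
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, uncovered


if __name__ == "__main__":
    techs = extract_techniques(NOTES)
    ranked, uncovered = rank_mitigations(techs)
    print("Techniques:", ", ".join(techs))
    for name, count in ranked:
        print(f"{count:2d}  {name}")
    if uncovered:
        print("Not in local table (check ATT&CK):", ", ".join(uncovered))
```

Mitigations that cover several of the observed techniques (here Audit, Network Intrusion Prevention, Restrict Web-Based Content, and User Training each cover two) are the natural candidates for the strategic recommendation, while the single-technique ones feed the tactical and operational lists for TVM and SecOps. The uncovered list is deliberately loud: a technique the table does not know is a gap in the table, not evidence that no mitigation exists.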
These are just a few of the skills of a CTI analyst, which also include DFIR, malware analysis and reverse engineering for IOC extraction, offensive security, OOP, critical thinking, communication and presentation skills, and a great deal of patience to shield you against the frustration that nobody listens to you.
In less than 5 minutes of reading this, you should by now have realized that the CTI job plays a vital role; hopefully, you are not just a lovely decoration on your organizational chart. Otherwise, you are investing your precious time in the wrong company.
DISCLAIMER: The contents cited in this article do not constitute the views of my previous and current employers. This is merely the author's own wild imagination. Any similarities are purely coincidental.