Stephen Green: A Cyber Threat Intelligence Lead

Stephen Green is the Cyber Threat Intelligence Lead at Thomas Murray’s Cyber Advisory practice, with over 15 years of experience in intelligence analysis, including 6 years in cybersecurity. His expertise in incident response, digital forensics, and cyber threat intelligence has enabled him to develop automated processes for extracting and enriching forensic data into detailed threat intelligence products.

A former Royal Air Force member, Stephen specialized in imagery intelligence and counter-terrorism, representing the UK at international conferences. He joined Thomas Murray from Kroll, where he was a senior incident responder. Stephen holds certifications such as GCIH, GCTI, and GCFA.

As a Cyber Threat Intelligence Lead, what strategies do you use to prioritize and address the most critical threats facing your organization?

As with all intelligence, we need to ensure that the intelligence cycle starts with a clear direction. What is our end goal, what are we hoping to achieve, and what is our scope?

This will help us create our intelligence requirements and assist with prioritization.

To do this, we need to understand a number of things:

  • We need to understand the objectives of our organization and also those of our clients.
  • We need to identify critical assets.
  • Conduct a business impact analysis (What happens if we are attacked? Where are our crown jewels? What happens if we lose HR, etc.?)
  • Understand where we sit in the world and identify similar organizations.
  • Conduct a threat landscape assessment to identify recent incidents that have affected similar organizations and how these have evolved over time.

We then need to draft priority intelligence requirements (PIRs).

  • Based on our previous assessments and engagement with the organization, we can start to identify and prioritize our requirements.
  • These requirements need to be actionable and then feed into a collection plan.
  • Identify the end client/stakeholder as they may need different outputs.
  • Once we have a collection plan, we need to ensure the incoming data is accurate and reliable.

We also need to enrich some of the incoming data to provide context, and we may also want to structure the data so it is more usable for analysts, such as converting data into STIX and applying MITRE ATT&CK, etc. Crucially, this process needs continuous review. Maybe we start seeing new activity on our EDR that requires us to shift focus or change our collection plan to ensure that we understand new developing threats or changes within the business.

Finally, we need to make sure our intelligence deliverables are ACTIONABLE and ACCURATE.

We need to consider how the SOC may use intelligence and how the C-suite uses it. We may want to inform multiple parties, but they will need information at different levels and potentially in different formats.

Once we have standardized, enriched, and processed our data, we are able to provide the relevant indicators of compromise, Sigma, or YARA rules to our incident response team. We can also leverage MITRE ATT&CK to conduct threat hunting.

This process also allows us to conduct threat modeling: maybe we can see that several threat actors are targeting an organization like ours with overlapping techniques. We can then identify whether our defenses will detect or prevent these techniques, and if not, we can take measures to ensure that they do.

To answer the initial question, the main strategy is to ensure that we follow the intelligence cycle, conduct continuous review, and ensure that we are providing actionable intelligence.
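The structuring step described in this answer (converting incoming data into STIX and applying MITRE ATT&CK so analysts and downstream tooling can use it) can be shown with a small, dependency-free builder. This is an added illustration, not code from Thomas Murray or the interviewee; the indicator values are constructed placeholders, and the `ATTACK_NAMES` lookup is a hypothetical stand-in for the real ATT&CK STIX data a team would load into its platform.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample: raw indicators as they might arrive from a feed or from
# IR artefacts before enrichment. Values are placeholders, not real IoCs.
RAW_INDICATORS = [
    {"type": "domain", "value": "example-lure.invalid",
     "techniques": ["T1189", "T1204.002"], "source": "IR case (constructed)"},
    {"type": "sha256", "value": "a" * 64,
     "techniques": ["T1059.007"], "source": "IR case (constructed)"},
]

# Hypothetical local lookup from ATT&CK ID to technique name. In practice this
# comes from the ATT&CK STIX collection rather than a hard-coded table.
ATTACK_NAMES = {
    "T1189": "Drive-by Compromise",
    "T1204.002": "User Execution: Malicious File",
    "T1059.007": "Command and Scripting Interpreter: JavaScript",
}


def stix_id(kind):
    """STIX 2.1 identifiers are '<type>--<uuid>'."""
    return f"{kind}--{uuid.uuid4()}"


def to_pattern(ind):
    """Translate a raw indicator into a STIX pattern string."""
    if ind["type"] == "domain":
        return f"[domain-name:value = '{ind['value']}']"
    if ind["type"] == "sha256":
        return f"[file:hashes.'SHA-256' = '{ind['value']}']"
    raise ValueError(f"unsupported indicator type: {ind['type']}")


def build_bundle(raw, now=None):
    """Return a STIX 2.1 bundle: one attack-pattern per technique, one
    indicator per raw IoC, and 'indicates' relationships linking them."""
    now = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    attack_patterns = {}  # technique id -> STIX id, created once per technique
    for tid in sorted({t for ind in raw for t in ind["techniques"]}):
        ap_id = stix_id("attack-pattern")
        attack_patterns[tid] = ap_id
        objects.append({
            "type": "attack-pattern", "spec_version": "2.1", "id": ap_id,
            "created": now, "modified": now,
            "name": ATTACK_NAMES.get(tid, tid),
            "external_references": [
                {"source_name": "mitre-attack", "external_id": tid}],
        })
    for ind in raw:
        ind_id = stix_id("indicator")
        objects.append({
            "type": "indicator", "spec_version": "2.1", "id": ind_id,
            "created": now, "modified": now, "valid_from": now,
            "pattern": to_pattern(ind), "pattern_type": "stix",
            "description": f"Source: {ind['source']}",
        })
        for tid in ind["techniques"]:
            objects.append({
                "type": "relationship", "spec_version": "2.1",
                "id": stix_id("relationship"),
                "created": now, "modified": now,
                "relationship_type": "indicates",
                "source_ref": ind_id, "target_ref": attack_patterns[tid],
            })
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def count_types(bundle):
    """Object counts per STIX type, useful as a sanity check on the output."""
    counts = {}
    for obj in bundle["objects"]:
        counts[obj["type"]] = counts.get(obj["type"], 0) + 1
    return counts


if __name__ == "__main__":
    print(json.dumps(build_bundle(RAW_INDICATORS), indent=2))
```

Keeping each technique as a single attack-pattern object and linking indicators to it with relationships is what lets a platform later answer "which of our indicators relate to T1189?" without re-parsing free text.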

Can you share an example of a significant threat your team has identified and mitigated, and what were the key factors that led to its successful resolution?

A good example of when we mitigated a threat was when we responded to a strange incident where multiple users were receiving anti-virus alerts for generic commodity malware (we had no further information from the client) all over the network.

It initially appeared to be random and maybe even a coincidence. After installing EDR across the network (we had no visibility of any network traffic prior to this), we were able to identify that each of the affected endpoints had similarly named JavaScript files.

We had already collected a lot of information on SocGholish and had plenty of intelligence within our threat intelligence platform, which helped us identify the dropper as a SocGholish-related script.

We realized that we had to identify the source, as it was too much of a coincidence for so many devices to be affected by this initial dropper.

We conducted a threat hunt to identify the source and determine whether the kill chain had progressed, especially since SocGholish is regularly used as an initial stage for ransomware campaigns.

We trawled through browser history, as SocGholish was being delivered by infected WordPress plugins.

We identified that the company had their own HR portal online, and once we inspected the site, we found the malicious WordPress plugin that had been informing users to update their browsers to access the HR site.

Next, we began looking for evidence of Zloader (the next stage of the identified campaign) by reviewing autoruns to identify persistence, and we found a couple of examples of this.

Luckily, this was caught early, and we did not see any further activity related to the campaign, which could have been incredibly costly to the organization.

The key factors that assisted us in this case were the increased visibility provided by EDR and the ability to collect endpoint artifacts from infected hosts. Putting this data into our threat intelligence platform enabled us to quickly correlate similarities with SocGholish.

Having a good understanding of the SocGholish campaign enabled us to quickly hunt for related activities and successfully assisted with the detection of the next stages of the kill chain.
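The pivotal observation in this case was that each affected endpoint carried similarly named JavaScript files, which only became visible once EDR provided fleet-wide file telemetry. The following is an added example of that correlation step, written for this page and not taken from the interviewee's tooling: it normalises filenames from constructed EDR file-creation events (hosts and paths are invented) so that variants differing only in a random suffix collapse into one cluster, then reports clusters seen on several hosts. The `min_hosts` threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed EDR file-creation events (host, path). Not real telemetry.
EVENTS = [
    ("WS-001", r"C:\Users\alice\Downloads\Update_7f3a1c.js"),
    ("WS-002", r"C:\Users\bob\Downloads\Update_91bd40.js"),
    ("WS-003", r"C:\Users\carol\Downloads\update_0c77e2.JS"),
    ("WS-004", r"C:\Users\dan\Downloads\invoice.pdf"),
    ("WS-001", r"C:\Users\alice\AppData\Local\Temp\report.js"),
    ("WS-005", r"C:\Users\erin\Downloads\Update_7f3a1c.js"),
]


def normalize_name(path):
    """Return a cluster key for a JavaScript filename, or None for other files.

    Case is folded and hex/digit runs are replaced by '#', so names that
    differ only by a generated suffix map to the same key."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if not name.endswith(".js"):
        return None
    stem = name[:-3]
    # A hex run of 4+ chars containing at least one digit (so ordinary words
    # such as "date" are left alone), then any remaining digit runs.
    stem = re.sub(r"(?=[0-9a-f]*\d)[0-9a-f]{4,}", "#", stem)
    stem = re.sub(r"\d+", "#", stem)
    return stem + ".js"


def cluster_by_name(events, min_hosts=3):
    """Map normalised JS filename -> sorted hosts, keeping only clusters that
    appear on at least `min_hosts` distinct hosts."""
    hosts = defaultdict(set)
    for host, path in events:
        key = normalize_name(path)
        if key:
            hosts[key].add(host)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for key, on_hosts in cluster_by_name(EVENTS).items():
        print(f"{key}: seen on {len(on_hosts)} hosts -> {on_hosts}")
```

Counting distinct hosts rather than raw events is what separates a fleet-wide pattern from one noisy machine; the same key function can feed a Sigma rule or a threat-intelligence-platform lookup once a cluster is confirmed.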

How do you ensure that your threat intelligence team stays updated with the latest threat landscapes and trends, and what resources or methods do you rely on?

We ensure that we stay up-to-date by being heavily integrated with the other teams at Thomas Murray, which allows us to see what is happening at the coal face.

We get to see what is happening in IR across our clients by analyzing attack data coming in from a wide range of security tools.

We also need to keep track of what is going on elsewhere. As a consultancy, we are likely to see one specific threat more than others, but we still need to be aware of those that may come along in the near future.

We collect a lot of open-source reporting from blogs and social media, and we also have access to closed-source information, including the dark web, which allows us to cast a broad net on the threat intelligence landscape.

This breadth allows us to cater to clients across different industries and regions.

We conduct statistical analysis on all of this data, including the data we collect from IR, to identify trends and attempt to predict what may happen next.

To ensure that we have good coverage, we make sure that our collection plan is relevant to our priority intelligence requirements.

Like everyone else, something may also pique our interest, causing us to re-evaluate.

What processes do you have in place to foster collaboration between your threat intelligence team and other departments, such as incident response and risk management?

This is central to everything we do at Thomas Murray.

We want every team to make use of threat intelligence, and I think we are doing this very well. Simple implementations, such as MITRE ATT&CK mapping, can lead to quick wins across several departments, whether that is helping GRC map controls to NIST, assisting the red team with threat simulation, or conducting threat hunts within IR.

But the crucial process is having that data readily available and accessible.

Using a threat intelligence platform allows the CTI team to map things like ATT&CK but also allows us to plug into other services automatically.

We have also built tools around this to cater to specific requirements from each department so that they can use the platform with limited assistance from the CTI team.

We are also involved directly with each service, which makes collaboration a lot easier. Other teams can see that CTI can help them and that their information also helps the CTI team. This feedback loop is essential for a good intelligence product.

What are the most important skills and qualities you look for when hiring new team members, and how do you support their ongoing development and growth within the organization?

I think that the best people to hire within CTI are naturally inquisitive and innovative.

I have found throughout my career, especially during my time in the armed forces, that the best people were never happy with going along with the flow; they were looking to continuously improve, and I think this is an ideal trait within cyber security.

As intelligence analysts are always looking for something out of place, being naturally inquisitive is very helpful. We cannot take everything at face value; we need to dig deeper.

I would also say that there is a heavy focus on technical skills out there, but these can definitely be taught, especially if the individual is inquisitive and innovative. These types of people will want to improve their own skills so that they can understand more.

I think the best way to develop new team members is by providing exposure to new things and keeping it interesting, whilst also allowing them to naturally take on more responsibility. In my experience, this naturally improves their capability and hopefully keeps them happy in their role, whilst also gathering new skills for promotions etc.

I also like to ensure that new members get experience across different teams, because it allows them to understand other teams’ requirements, and it will also develop new skills at the same time.
