SANS Security Awareness Summit


How to Leverage Cyber Threat Intelligence to Not Only Mature Your Program but Promote Your Career
whoami

net user John.Doyle

• SANS. FOR578 Cyber Threat Intelligence Instructor.

• Mandiant. Principal Intelligence Enablement Consultant.

• Mandiant. Principal Strategic and Incident Response Consultant.

• Mandiant. Principal Advanced Intelligence Integrator.

• Central Intelligence Agency (CIA). Senior Cyber Threat Analyst.

• George Mason University. Adjunct Cyber Security Professor.

• Certifications: CISSP, GIAC x 7


Learning Outcomes
• Familiarize students with core cyber threat intelligence (CTI) concepts
• Understand the role, responsibility, and workflow of CTI teams
• Determine complementary areas of coverage and how to leverage CTI teams
• Identify ways to improve your career mobility by improving efficiency and organizational reach
• Devise effective engagement strategies with CTI counterparts
Agenda
• Introduction
• Sharing a Common Frame of Reference
• Introduction to Core CTI Concepts
• CTI Team Workflows
• Best Practices for Engaging the CTI team
• Additional Resources
• Q&A
Roll for Initiative
Sharing a Common Frame of Reference
./synergy.sh

• Differential equations and race conditions are real in cyber security
• Defenders and attackers operate at different speeds to complete their objectives
• Intelligence speeds up how quickly we can complete the defender’s OODA loop
• But first, we need a common operating picture of what everyone’s role is and how we each contribute
Sharing a Common Frame of Reference
./synergy.sh

• Collaboration is most effective when we understand what each other does
• There are almost certainly unspoken expectations on both sides, never voiced, about job role responsibilities

The NICE Framework is composed of the following components:

• Categories (7) – A high-level grouping of common cybersecurity functions
• Specialty Areas (33) – Distinct areas of cybersecurity work
• Work Roles (52) – The most detailed groupings of cybersecurity work, comprising the specific knowledge, skills, and abilities (KSAs) required to perform the tasks of a Work Role
Bridging the Gap
Are Risks and Threats the Same?

• Threats factor into risk analysis and risk-based decisions.
• Assumption: organizations can take proactive and reactive steps to reduce risk.
  — Proactive steps reduce risk exposure.
  — Reactive steps reduce accepted risk and account for unexpected, unacceptable risks.
    o Ex) Intrusion activity

[Figure: three overlapping circles labeled Capability, Intent, and Opportunity]
Relevant Threat = Capability + Opportunity + Intent


What is Cyber Threat Intelligence (CTI)?
CTI provides timely and relevant insights about the cyber threat landscape, cyber threat actors, their capabilities, and motivations to inform risk exposure, planning, and cyber defense actions.
The Intelligence Lifecycle

• This one framework drives all of threat intelligence operations!
• It is an end-to-end process that fuels program management and development
• Borrowed from the traditional intelligence disciplines and adopted as a predicate for CTI.

[Figure: the intelligence lifecycle as a cycle: Planning and Requirements → Collection → Processing and Exploitation → Analysis and Production → Dissemination and Feedback]
Stakeholders and Support at a Glance

Strategic audience
• Customer roles: Chief Information Security Officer; Security Management; Risk Management and Analysts; Security Awareness
• Customer tasks: Allocate resources; Understand risk posture; Develop and communicate plans; Communicate with executives
• Problems they face: No clear investment priorities; Executives are not technical
• Value-add from CTI: Demystify threats; Prioritize based on business risk

Operational audience
• Customer roles: Incident Response Team; Vulnerability and Patch Management Team; Forensics Team; Red Team; Purple Team
• Customer tasks: Determine attack vectors; Patch systems; Remediate incidents; Hunt for breaches
• Problems they face: Event reconstruction is tedious; Difficult to identify damage; Difficult to prioritize patches
• Value-add from CTI: Add context to reconstruction; Prioritize patches; Focus in on potential targets

Tactical audience
• Customer roles: Security Operations Center; Network Operations Center
• Customer tasks: Push indicators to security tools
• Problems they face: False positives; Alert overload
• Value-add from CTI: Validate and prioritize indicators; Prioritize alerts
CTI Frameworks
• The Lockheed Martin Cyber Kill Chain
• MITRE ATT&CK
• The Mandiant Targeted Attack Lifecycle
• Diamond Model of Intrusion Analysis
• The Unified Cyber Kill Chain

[Figure: Diamond Model of Intrusion Analysis with vertices Adversary, Infrastructure, Capabilities, and Victim(s)]

©2022 Mandiant
Stakeholders and Support at a Glance

[Figure: three stakeholder maps, each with a CTI Team at the center, for Internal Support, Government - CERTs, and Government - Military/Intelligence. Stakeholders shown across the three maps include: Senior Leadership, Internal SOC, Red Team, Purple Team, Risk, Internal Operations, Incident Response, Internal Detections, Security Awareness, Trust and Safety, Fraud, Public Website, Vendors, Security Vendors, ISAC 1, ISAC 2, Policymakers, National-level Sharing Groups, and Foreign Partners]
CTI Analyst Profile/Make Up

“Mandiant’s Cyber Threat Intelligence Analyst Core Competencies Framework”

FOR578 Mapping

Intelligence Acumen
• The role of intelligence in enabling stakeholder actions
• The intelligence lifecycle
• Intelligence requirements
• Collection management frameworks
• Critical thinking and developing mental models
• Understanding cognitive biases and combatting them with Structured Analytic Techniques (SATs)
• Producing finished intelligence (FINTEL)
• Communicating effectively and use of estimative language
• FINTEL dissemination platforms
• Data classification (TLP levels)
• Target-centric analysis
• Enriching information through all-source intelligence

Information Technology (IT)
• Data structure identification
• Data parsing, extraction, and storage
• Data normalization
• Data schema creation
• Data visualization
• Machine-to-machine data sharing (STIX/TAXII)

Cyber Security
• Threat modeling (VERIS)
• Developing metrics
• Identifying artifacts of an intrusion
• Incident response hunting methodology
• Common Vulnerabilities and Exposures (CVEs)
• Proxy log analysis
• Network traffic analysis (PCAP)
• Network traffic decoding
• Network flow analysis (Netflow)
• Memory forensics
• YARA signature development
• Malware configuration extraction

Cyber Threat Intelligence (CTI)

• The origin and evolution of the CTI discipline
• Defining, cataloging, and tracking intrusion activities, clusters, and activity groups
• Tactical, operational, and strategic-level attribution
• Correlating intrusion activity using link analysis tools
• Indicator of Compromise (IOC) lifecycle
• CTI Frameworks:
o Pyramid of Pain
o Diamond Model of Intrusion Analysis
o MITRE ATT&CK
o Lockheed Martin Cyber Kill Chain
• Pivoting on file characteristics in malware repositories
• Pivoting on passive DNS (pDNS) records, TLS certificates, and internet scan data
• Vendor naming conventions
• Public-private information sharing communities of interest (ISACs and ISAOs)
• Threat feeds
• Threat Intelligence Platforms (TIPs)
CTI Team Make Up

[Figure: org chart. Threat Intelligence Team Manager at the top; beneath it the Strategic Intelligence Function, Threat Researcher, Fusion/Operational Intelligence Function, Tactical Intelligence Function, and DevOps/Tooling/Intel Engineering, with Resources 1 through 9 allocated across these functions]
CTI Team Workflow (High Level)
Cyber Threat Profile

Sector/Industry Compromise Trends + Generic and Geo-Specific Compromise Trends = Cyber Threat Profile
Intelligence Requirements
• Consider these as a knowledge capture of stakeholder use cases and intelligence needs.
• The CTI team…
  • Translates the needs to intelligence requirements
  • Adds a priority rating
  • Establishes SLAs
  • Documents intended output
• Additional resource: Mandiant blog “A Requirements-Driven Approach to Cyber Threat Intelligence”
Intelligence Requirements

Strategic
• What business units are most at risk from cyber crime?
• Have our investments in security positively reduced the risk we face from threats we are currently tracking?

Operational
• What threat activity groups are currently active in our industry?
• If FUZZYSQUIRREL breached our organization, what assets would most likely be compromised?

Tactical
• What adversary behaviors should security focus on to identify the threats most likely to breach our organization?
• What indicators are most relevant to search for to quickly respond to the breach that has occurred today?
Products and Service Lines

Finished Intelligence (FINTEL)

Short Form (1-3 pages). Often includes:
• BLUF
• Tight, concise language
• A graphic

Long Form (4+ pages). Often includes:
• Executive summary
• Technical appendices

Presentations/Briefings (tailored for a specific purpose, so variable length):
• Be cognizant of design elements
• Create to be future proof
• Have elevator pitch ready in case presentation gets cut prematurely
Products and Service Lines

• Audience: Who is the audience for your product? Do you understand their frame of reference or have a shared common operating picture?
• Issue: What intelligence question are you answering? What is the impact? This will affect the written response via timeliness.
• Message: What is the key takeaway?
• Storyline: What is the narrative? Where are we in the chronology of the story arc?

[Figure: inputs to an Analytic Assessment: Facts, Analytic Judgments, Analyst Expertise and Knowledge, Source Reliability & Credibility, and Sound Analytic Techniques]
Products and Service Lines
Collection Management Framework

Windows Systems
• Data type: System Alert
• Kill chain coverage: Exploitation, Installation, and Actions on Objectives
• Follow-on collection: Malware sample
• Typical storage in days: 30

Endpoint Protection System
• Data type: Host-Based Logs
• Kill chain coverage: Exploitation and Installation
• Follow-on collection: Files and timelines
• Typical storage in days: 60

Network
• Data type: Netflow
• Kill chain coverage: Internal Reconnaissance, Delivery, and C2
• Follow-on collection: Packet Capture
• Typical storage in days: 23

Firewall
• Data type: System Alert
• Kill chain coverage: Internal Reconnaissance, Delivery, and C2
• Follow-on collection: Netflow
• Typical storage in days: 60
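A CMF earns its keep only when the team queries it. The following is an added example, not code from the original slides: it transcribes the four sources above into Python and answers two questions an analyst puts to a CMF, which kill chain phases have no collection at all, and, for a question about an event N days old, which sources still hold data and which phases have gone dark because retention has lapsed. The kill chain phase list and the helper names are assumptions made for this example.

```python
"""Collection Management Framework (CMF) gap check.

Added example; not code from the original slides. The Source values are
transcribed from the CMF table in the deck, the kill chain phase list and
function names are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str
    data_type: str
    phases: frozenset        # kill chain phases this source gives visibility into
    follow_on: str           # what the team can pull once an alert fires
    retention_days: int      # how far back the data can be searched


# Lockheed Martin kill chain phases plus the "Internal Reconnaissance" entry
# the table uses for network and firewall visibility (assumed ordering).
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "C2", "Actions on Objectives", "Internal Reconnaissance",
]

# Values transcribed from the CMF table in the slides.
CMF = [
    Source("Windows Systems", "System Alert",
           frozenset({"Exploitation", "Installation", "Actions on Objectives"}),
           "Malware sample", 30),
    Source("Endpoint Protection System", "Host-Based Logs",
           frozenset({"Exploitation", "Installation"}),
           "Files and timelines", 60),
    Source("Network", "Netflow",
           frozenset({"Internal Reconnaissance", "Delivery", "C2"}),
           "Packet Capture", 23),
    Source("Firewall", "System Alert",
           frozenset({"Internal Reconnaissance", "Delivery", "C2"}),
           "Netflow", 60),
]


def sources_for(phase, cmf=CMF):
    """Names of sources that cover a kill chain phase, in table order."""
    return [s.name for s in cmf if phase in s.phases]


def uncovered_phases(cmf=CMF):
    """Phases no source covers at all: permanent collection gaps."""
    return [p for p in KILL_CHAIN if not sources_for(p, cmf)]


def sources_reaching_back(days, cmf=CMF):
    """Sources whose retention still holds data from `days` ago."""
    return [s.name for s in cmf if s.retention_days >= days]


def phases_dark_at(days, cmf=CMF):
    """Phases that are normally covered but where no source still retains
    data `days` back. An IR question about that window can only be answered
    from follow-on collection, or not at all."""
    retained = [s for s in cmf if s.retention_days >= days]
    return [
        p for p in KILL_CHAIN
        if sources_for(p, cmf) and not any(p in s.phases for s in retained)
    ]


def retention_floor(cmf=CMF):
    """Shortest retention in the CMF: the honest lookback for an SLA that
    promises full coverage of every phase the CMF covers."""
    return min(s.retention_days for s in cmf)


if __name__ == "__main__":
    print("Never covered:", uncovered_phases())
    print("Retention floor (days):", retention_floor())
    for days in (20, 45, 90):
        print(f"{days} days back: sources={sources_reaching_back(days)} "
              f"dark={phases_dark_at(days)}")
```

With the table's own numbers, Reconnaissance and Weaponization are never collected, and anything older than 30 days loses Actions on Objectives visibility because only Windows Systems covers it; the 23-day Netflow retention is the number to quote when setting an SLA with the incident response team.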
The Intelligence Lifecycle

[Figure: the lifecycle cycle with the team’s supporting systems mapped to each phase]
• Planning and Requirements: Stakeholder Analysis; Intelligence Requirements
• Collection: Collection Management Framework; Internal, Commercial, and 3P Data; Centralized Data Store (Hypergraph/TIP)
• Processing and Exploitation / Analysis and Production: Internal Ticket System; Virtual Machine or Other Exploitation and Intelligence Creation Environment; Communication Systems (Teams, Slack, etc.); Finished Intelligence Storage (SharePoint, TIP, Intranet Site, etc.)
• Dissemination and Feedback: Email Distribution List; CTI Team Intranet Page; Communication Systems (Teams, Slack, etc.)
What Does Strategic CTI Entail?

Anything affecting potential risk posture, but usually:

• Trends in vulnerability exploitation
• Does a newly discovered vulnerability impact us?
• Are we potential collateral damage for <current events>?
• Newly identified industry-centric threat actor campaigns
• Or anything the big boss might see on the news…
What Does Strategic CTI Entail?

• Best practice for producing CTI prescribes including actionable recommendations in every report
(Optional) Strategic CTI Exercise
Take 15 minutes to read the following blogs:
• https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021/the-threat/solarwinds
• https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29

Consider the following questions:
• Why was the SolarWinds operation a big deal?
• What is APT29 and which organization does the cyber security community believe they work for?
• Who is UNC2452 and what is their relationship with APT29?
• If you were tasked to pull together training material based on this incident, what would it look like? Who is the target audience? What would it contain?
What Does Operational CTI Entail?
(Optional) Operational CTI Exercise

Take 15 minutes to read the following blog:
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-apt33-espionage

Consider the following:
• What data should a CTI team extract from this blog?
• Assuming no structured data store or format exists, how should they store the data? What are some field names they should include?
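One possible answer to the second question, as an added example that is not code from the slides or from the linked report: a minimal record schema with the field names a CTI team would want (type, normalized value, source, first and last seen, TLP, confidence, the vendor's actor name, ATT&CK technique, kill chain phase), plus the refanging and normalization every vendor blog forces on you, de-duplication that widens the observation window, type-dependent indicator aging, and a TLP filter for onward sharing. The field names and aging windows are assumptions for this example; every indicator value is constructed (an RFC 5737 address, a .invalid domain, the MD5 of the empty string) and none comes from the report.

```python
"""Minimal structured store for indicators pulled from a public threat report.

Added example; not code from the original slides or from the linked report.
Field names and aging windows are assumptions for this example; indicator
values are constructed (RFC 5737 address, .invalid domain, MD5 of the empty
string), none taken from the report.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

# Assumed aging windows in days; None means the indicator never expires.
# Infrastructure churns quickly; file hashes only lose relevance.
AGING_DAYS = {"ipv4": 30, "ipv6": 30, "domain": 90, "url": 90,
              "md5": None, "sha1": None, "sha256": None}

TLP_RANK = {"CLEAR": 0, "GREEN": 1, "AMBER": 2, "AMBER+STRICT": 3, "RED": 4}


def refang(value):
    """Undo the defanging used in public reporting: hxxp, [.], (.), [:]."""
    v = re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value):
    """Return (ioc_type, normalized_value) for a raw indicator string."""
    v = refang(value)
    low = v.lower().rstrip(".")
    if len(low) in HASH_TYPES and re.fullmatch(r"[0-9a-f]+", low):
        return HASH_TYPES[len(low)], low
    try:
        ip = ipaddress.ip_address(low)
        return f"ipv{ip.version}", str(ip)
    except ValueError:
        pass
    if re.match(r"https?://", low):
        return "url", v          # URL paths are case sensitive; keep as is
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", low):
        return "domain", low
    raise ValueError(f"unrecognised indicator: {value!r}")


@dataclass
class Indicator:
    value: str
    ioc_type: str
    source: str                  # where reported; feeds reliability judgments
    first_seen: date
    last_seen: date
    tlp: str                     # CLEAR / GREEN / AMBER / AMBER+STRICT / RED
    confidence: str              # low / medium / high, the analyst's call
    actor: str = ""              # vendor's name as given, not a house name
    attack_technique: str = ""   # ATT&CK technique ID, e.g. T1071.001
    kill_chain_phase: str = ""

    def is_active(self, today):
        window = AGING_DAYS[self.ioc_type]
        return window is None or (today - self.last_seen).days <= window


def add_indicator(store, raw_value, **fields):
    """Normalize, then insert or merge; a repeat sighting widens the window."""
    ioc_type, norm = classify(raw_value)
    key = (ioc_type, norm)
    if key in store:
        rec = store[key]
        rec.first_seen = min(rec.first_seen, fields["first_seen"])
        rec.last_seen = max(rec.last_seen, fields["last_seen"])
        return rec
    store[key] = Indicator(norm, ioc_type, **fields)
    return store[key]


def active_values(store, today_iso):
    """Sorted values still inside their aging window on the given date."""
    today = date.fromisoformat(today_iso)
    return sorted(i.value for i in store.values() if i.is_active(today))


def shareable(store, max_tlp):
    """Sorted values releasable to a community that accepts up to max_tlp."""
    return sorted(i.value for i in store.values()
                  if TLP_RANK[i.tlp] <= TLP_RANK[max_tlp])


def build_sample_store():
    """Constructed records standing in for what a report read-through yields."""
    store = {}
    base = dict(source="vendor blog (constructed)", confidence="medium",
                actor="EXAMPLE-ACTOR", kill_chain_phase="C2",
                first_seen=date(2024, 1, 10), last_seen=date(2024, 2, 1))
    add_indicator(store, "hxxp://update[.]example[.]invalid/Check",
                  tlp="GREEN", attack_technique="T1071.001", **base)
    add_indicator(store, "192.0.2[.]44", tlp="AMBER",
                  attack_technique="T1071.001", **base)
    add_indicator(store, "update[.]example[.]invalid", tlp="GREEN", **base)
    # Same domain with different casing and a trailing dot, seen a month
    # later: merges into the record above instead of creating a duplicate.
    add_indicator(store, "UPDATE.example.invalid.", tlp="GREEN",
                  **{**base, "last_seen": date(2024, 3, 1)})
    add_indicator(store, "d41d8cd98f00b204e9800998ecf8427e", tlp="CLEAR",
                  attack_technique="T1204.002", **base)
    return store
```

Two design points worth carrying into a real store: the actor field keeps the vendor's name exactly as published rather than a house name, because vendors do not borrow each other's group names and the mapping between them is a separate, deliberately maintained table; and the TLP marking travels with each record so the sharing filter is mechanical rather than a judgment made at export time.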
Day in the Life of a CTI Analyst

• Start by reviewing cyber security news sources
• Refresh Twitter/Mastodon/Bluesky multiple times a day
• Review a combo of internal data and those in trusted
information sharing groups
• Review RFI and current queue, both research and
products
• Collaborate with colleagues and stakeholder peers
• Create spicy memes
• Adjust workload for any urgent requests that come in
• Begin proactively determining what is the next useful
research/product to develop for stakeholders
Over to You…
How CTI Can Help Promote Your Career

Improve efficiency
• Chances are they already produce, or can produce, products on intelligence trends that you can lift language from.
• Or they would be willing to if they knew you were interested.
Extend organizational reach
• Security Awareness is thought of as either a stakeholder or a partner by most CTI teams.
CTI Team Engagement

• Engage early and often
• Understand their culture and existing workflow, and identify champions
• Ask how your team can provide intelligence requirements and establish Service Level Agreements (SLAs) for out-of-band RFIs
• Find opportunities to promote them and to partner with them, e.g. co-authorship
• Establish a shared Slack/Teams channel, or ask to be invited to one should it already exist
• Feedback, feedback, feedback!
Finding Synergies Across Teams
• Personality types affect interpersonal dynamics and subsequent relationship building efforts. Self-awareness, emotional intelligence, and maturity are important. Several personality type assessments exist to aid in self-discovery.

[Figure: three assessments, Myers-Briggs, DiSC, and Enneagram, laid out on a Task Oriented to People Oriented axis]

(Optional) Engagement Exercise
Take 10 minutes to research what we can ascertain about a CTI analyst with these traits/EIQ profiles.
• What do they tell us about the individual?
• How will this influence how we’d engage and what we might expect of the communication style?

ENTJ
Parting Thoughts
• CTI is a service-driven entity that seeks out stakeholders in the organization to understand
their intelligence needs.
• CTI teams produce intelligence reports and briefings.
• The CTI team should have a product catalog, master tracker of stakeholders and intelligence
requirements, and collection management framework.
• The CTI team may not, but should, also have an organizational cyber threat profile.
• Security Awareness is absolutely a valid stakeholder for CTI teams; however, they might not
understand your specific needs.
• Unspoken expectations exist on both sides so be proactive when engaging:
• “Day in the life of” sessions are incredibly helpful
• Lunch and learns/brown bags
• Cultivate liaison advocates and champions
• Provide scoped RFIs and feedback
• Establish realistic SLAs
Additional Resources
Katie Nickels’ Blog Posts:
• FAQs on Getting Started in Cyber Threat Intelligence
• A Cyber Threat Intelligence Self-Study Plan: Part 1
• A Cyber Threat Intelligence Self-Study Plan: Part 2
• 4 Hiring Tips for Building a Cyber Threat Intelligence Team

• Andy Piazza’s Cyber Threat Intelligence Study Plan
• Grace Chi’s "Is Sharing Caring?" report on current cyber threat intelligence networking practices, results, and attitudes
• Empathy: The Way to Win Hearts and Minds in CTI
• Mental Health and Burnout in CTI
• Introducing the Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework Blog
• Breaking Into the CTI Field: Demystifying the Interview Process and Practice Interview Questions
• SANS Annual CTI Summit YouTube Archive
• Mapping SANS FOR578 Coverage to the Mandiant CTI Core Competencies Framework

Questions? LinkedIn: https://www.linkedin.com/in/john-doyle-a02bab10 | Twitter: @_John_Doyle
CTI Analyst Core Competencies

Problem Solving

Critical Thinking
• Apply logic and reasoning
• Undertake efforts that align with the business
• Consider current and future needs
• Deep knowledge of industry construct and trends
• Ability to devise out-of-the-box solutions

Research and Analysis
• Understand internal and external data sets and tools
• Understand the limitations of IOC types
• Identify unique fingerprints and patterns
• Mine, interpret, extract, store, and pivot on relevant content
• Generate intelligence on technical, cultural, or linguistic leads

Investigative Mindset
• Employ inquisition and familiarity with adversary operations, tradecraft, and forensic artifacts to determine logical next steps
• Devise novel solutions by applying out-of-the-box thinking
CTI Analyst Core Competencies
Professional Effectiveness

Communication
• Adapt presentation of analytic conclusions, research, and methodologies to audience type
• Leverage CTI and industry frameworks to graphically depict adversary workflows
• Understand how to leverage CTI data sharing communities of interest (ISACs/ISAOs) and data storage and sharing standards (JSON/STIX and TAXII)

Teamwork and Emotional Intelligence
• Determine when and how to engage peers and leadership
• Provide opportunities and solutions
• Able to navigate tricky situations, defusing conflicts as they arise
• Ability to motivate and cultivate a positive environment
• Awareness of how actions can be perceived by others, and calibrate responses accordingly

Business Acumen
• Forecast changes in risk exposure based on shifts in organizational mission, vision, goals, and public persona
• Understand industry specific processes and technologies, e.g. FinTech systems
CTI Analyst Core Competencies
Technical Literacy

Enterprise IT Networks
• Active Directory, Kerberos, and the role of GPOs
• Identity and access management
• Security roles and attributes
• How systems operate and interact with one another
• Virtualized infrastructure
• On-prem, hybrid, and off-prem cloud computing solutions

Cyber Security Ecosystem
• NIST Cybersecurity Framework (CSF) and its five core Functions (Identify, Protect, Detect, Respond, Recover)
• NIST SP 800-53 cyber security controls
• Cyber security hygiene best practices

Cyber Security Roles and Responsibilities
• How each role supports risk exposure management
• Interplay between job roles to support collective defensive efforts
• Responsible, Accountable, Consulted, and Informed (RACI)
• Service level agreements (SLAs)
CTI Analyst Core Competencies
Cyber Threat Proficiency

Drivers of Offensive Operations
• Identify the roles and responsibilities of individuals in an offensive cyber program
• Understand resource constraints and outsourcing considerations
• Understand actor motivations and differentiate between enduring vs. tactical requirements
• Pinpoint drivers that should shift targeting priorities or TTPs

Threat Concepts and Frameworks
• Vulnerabilities and exploits
• Malware and interactive operations
• Adversary mid-point infrastructure
• Attribution methodology, intrusion sets, and threat activity group nomenclature
• Key CTI frameworks and the problems they help the CTI community solve, to include MITRE’s ATT&CK, the various kill chain models, and the Diamond Model of Intrusion Analysis

Threat Actors and TTPs
• Loosely identify actor affiliation based on vendor naming convention
• Reasoning why vendors do not borrow each other’s threat actor group names
• Characterize elements of an adversary’s operational tradecraft
• Explain key concepts like remote access, persistence, lateral movement, staging, and data exfiltration
