Small Cyber Threat Intelligence Program

This is my journey to build a small Threat Intelligence Program

Overview of Cyber Threat Intelligence and CTI Requirement

Just a draft

Refs

• https://www.slideshare.net/asfakian/cti-training-on-intelligence-requirements

• https://www.slideshare.net/asfakian/setting-your-cti-process-in-motion

• https://www.first.org/resources/papers/london2019/1430-1500-Your-Requirements-are-Not-My-Requirements-Speaker-Pasquale-Stirparo.pdf

When I studied and learned about CTI there was a cycle that at first I overlooked but now I realize it is very crucial to understand this cycle, which is the CTI Life Cycle

The first thing in CTI is to have a requirement

Who defines the requirements?

You try to answer a question from your employer, your C-level, or for yourself. Such questions could be vague and broad for example:

• Is our company likely to be a target for a ransomware attack?

• What adversaries might attack our company?

Intelligence Direction

To be sure that the most relevant and most critical information is processed and not lost into the noise.

Establish a Request for an Information Portal (PFR) or Priority Intelligence Requirement (PIR)

This can enable SOC, C-level, and customer to create an intelligence requirement request such as:

• Trend Reports

• Threat Profile

• Cyber Threat Advisory

• ...

Collection - Good Feeds/Tools and Connectors

After you have your requirement you now need to collect the data and all the telemetry, the historical and related data to the requirement.

The second step of TI is to collect data, the first step is the direction (which is not the purpose of this guide). There are 3 types of information sources:

• Internal Source (network traffic, logs, scans)

• Technical Source (Vul DB, Threat Feeds, OSINT) → free feed or paid free, or could be malware repository or C2 scanner

• Human Source (Dark Web, Social Media, Forums, Cyber Security Blogs, and Feeds) → It is very hard and needs a dedicated person and training to penetrate and collect data

Telegram Info-Stealer Monitoring

Some feeds require you to send them an email so that have access to their feed, create a PGP key, and send them an email

Taken from Blue Team Hand Book

Name	Source	Type	Reliability of Source	Accuracy of Data
MISP Community Feed OSINT	https://www.circl.lu/doc/misp/feed-osint/	Technical
MISP Commnunity Feed
CISA Known Exploited CVE	https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json	Technical	A	A
CISA ICS/OT Adversory		Technical	A	A
ICS Stuffs
AlienVault Open Threat Exchange (Need to creat acount and obtain API key)
Threat Fox	https://threatfox.abuse.ch/downloads/misp/	Technical
Ransomwatch	https://ransomwatch.telemetry.ltd/#/recentposts	Technical	B	B
Ransomware Live	https://www.ransomware.live/#/ (you can use API to crawl this data)	Human
APT Group and Operation	https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=667848006	Human	B	B
Botvrj	https://www.botvrij.eu/data/feed-osint/	Technical
AlienVault OTX	https://otx.alienvault.com/	Technical
Abuse CH	https://sslbl.abuse.ch/blacklist/	Technical
Emerging Threats	https://rules.emergingthreats.net/	Technical
Malpulse	http://malpulse.com/	Technical
Unpac me	https://www.unpac.me/feed	Technical

Tools could be used to generate/find data

• https://github.com/ciscocsirt/GOSINT

Assets Profiling

I read the Cuckoo's Egg and really love it, on how Cliff actually know every part of his network, I think he did a good job on Assets Management.

This will need some standardization the gather asset information

For me, I just use this spreadsheet as a template for Assets Management (IP addresses, what is its function, how critical it is)

<Insert the spreadsheet>

Create Diamond Model

Refs:

• https://www.socinvestigation.com/threat-intelligence-diamond-model-of-intrusion-analysis/
• https://www.slideshare.net/asfakian/spin-your-cti-process-round-first-cti-conference-2023
• https://www.slideshare.net/asfakian/cti-training-on-intelligence-requirements