Cyber Threat Intelligence Summit 2022

Organised by SANS, 27-28 Jan 2022

A great thing about SANS is that they now have plenty of online resources and conferences you get to attend for free, virtually (a positive effect of COVID). People from all parts of the world get to attend the rich sharing from professionals, and cybersecurity conferences held only physically in the US are a thing of the past. (Disclaimer: I'm not sponsored by SANS in any way. The instructors and community they have are fantastic, with their passion to share their knowledge. The free resources they have on their website are amazing!)

The agenda of the summit shows the line-up of topics and speakers from Cybereason, Google, Digital Shadows, PwC, Recorded Future, Micro Focus, Red Canary, Booz Allen Hamilton, Proofpoint, TeamT5 Cyber Threat Intelligence Team, Yahoo!, Cargill Inc., Cardinal Health, New York Cyber Command, Reqfast, Kroll and Pulsedive. There is a Spanish track too.

DAY 1

  1. Keynote - Journey to the Center of CTI: Story, Systems, and Self

  2. Applied Forecasting: Using Forecasting Techniques to Anticipate Cyber Threats

  3. DeadRinger: Three APTs Walk into a Bar...

  4. Threat Actor of in-Tur-est: Unveiling Balkan Targeting

  5. Lunch & Bonus Session: Threat Intelligence for Security Digital Value Chain

  6. WORKSHOP - Getting Started as a Cyber Threat Intel Analyst: How it Begins

  7. You Get What You Ask For: Building Intelligent Teams for CTI Success

  8. Mark Your Calendars: Why Dates Matter to Adversaries

  9. I Award You No Points, and May God have Mercy Upon your Soul: Feedback in CTI

  10. Clip Addiction: A Threat Intelligence Approach to Video-Based Chinese InfoOps

DAY 2

  1. Keynote - Use Your Voice: Why Diversity and Inclusion Matter for Cyber Threat Intelligence

  2. Building Strategic Return on Investment Through Cyber Intelligence

  3. The First Purpose: Rediscovering Warning Analysis for CTI

  4. Integrated Intelligence

  5. We’re in Now, Now: The Tyranny of Current Intelligence and How to Manage It

  6. Mind Your Gaps: Leveraging Intelligence Gaps to Drive Your Intelligence Activities

  7. Lone Wolf Actors: How Ransomware Evolved into Freelance Work

  8. Is Sharing Caring? A Deeply Human Study on CTI Networking

The topics are interesting, and if you're registered for the conference you have access to the decks and recordings. An important part of any event is usually networking and getting to ask questions. As with all virtual SANS conferences (since 2020), all attendees have access to a Slack channel. This is where people from all over the world come together for their cybersecurity passion and interact online. Questions and answers flow freely. The only peeve I have about these channels is that they are deleted immediately after the conference! All the resources shared are gone. :(

Some Q&A I've gleaned (key extracts, without attribution), with multiple answers and perspectives on the questions asked:

Q1: Is there any guide on how threat groups are created? How does someone go from finding malware to linking it to a threat group, or deciding that it's a completely new group?

A: https://www.mandiant.com/resources/how-mandiant-tracks-uncategorized-threat-actors

A: This is the million dollar question - a lot of different organizations do this differently based on factors such as their visibility and where they sit in the ecosystem. There isn’t necessarily a “correct” way, you just have to understand the assumptions going in.

A: The answer is both simple and complex. An activity group or threat group is simply an analyst deciding that a subset of the Diamond Model features of a malicious activity belong together and are sufficient enough to distinguish it from other activity. Basically, what features make this unique enough to tell it apart from other threat activity? The COOL part about this is that analysts can do it HOWEVER THEY WANT. Seriously, analysis is there to be done by the analyst, not necessarily approved by the community. That doesn't mean that your analysis can be wrong, what it means is that how you arrive at the best and correct analytic conclusion is up to YOU. Therefore, people have developed different methods and tradecraft to define different groups. Nobody's analysis is going to be the same as anyone else's. In fact, Richards Heuer teaches us that two analysts with the same data will come to different correct conclusions or the same conclusion in different ways - that this is a feature of being human. Therefore, how threat groups get formed (called activity groups in the Diamond Model) is entirely dependent on what the analyst needs to do and how they want to work using their own unique mental capacity (as not everyone's mental processes are the same).

A: It is important to understand how your sources group their actor sets, as much as you can understand, since most vendors will not show how the sausage is made. Internally, it's important to have an established method your team uses to group observed activity, cluster it, and call it a Thing. Then have a process where you connect your Thing to the named group of other vendors - and this is where tensions begin among CTI analysts. Is APT123 from Vendor A really the same group as BACKFLIPPINGDOG from Vendor B? Depends on whether you plan on publishing your connection! For my role as a CTI analyst supporting internal SOCs, rolling all of the various names up to a single country is good enough. My SOC analysts and CISOs don't care that it's a military unit or an intelligence agency. They just want to know whether we can detect and defend against their capabilities.

A: I recommend focusing on the activity your team directly observes and analyzes. Use the Diamond Model to cluster what you know from your incident tickets. TTPs and malware get listed on one corner, targets/victims (all HR staff or finance? widely blasted?) on another, and details about the infrastructure on a third corner. Do a diamond for every confirmed incident your SOC works, then look for diamonds that have similarities in at least two of the corners. This didn't really click for me until watching Katie Nickels' webcast "The Cycle of Cyber Threat Intelligence". https://youtu.be/J7e74QLVxCk
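The clustering approach described in the answer above, as an added example that is not part of the original post or of any speaker's material: a small Python script (incident ids, indicators and victim labels are constructed, addresses come from documentation ranges) that records each confirmed incident as a Diamond Model record and links incidents whose features overlap on at least two corners, so you can see how the chosen threshold changes the resulting activity groups.

```python
# Added example, not code from the post or from any speaker: clustering
# per-incident Diamond Model records into candidate activity groups.
# All incident ids, indicators and victim labels below are constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from itertools import combinations

# The four Diamond Model corners; each incident record holds a set of
# features per corner (empty when the analyst knows nothing for it).
CORNERS = ("adversary", "capability", "infrastructure", "victim")


@dataclass
class Diamond:
    incident: str
    adversary: set = field(default_factory=set)
    capability: set = field(default_factory=set)
    infrastructure: set = field(default_factory=set)
    victim: set = field(default_factory=set)


def shared_corners(a, b):
    """Corners on which two diamonds have at least one feature in common."""
    return [c for c in CORNERS if getattr(a, c) & getattr(b, c)]


def cluster(diamonds, min_corners=2):
    """Link incidents that overlap on at least min_corners corners and
    return (clusters, links): clusters as sorted lists of incident ids,
    links as {(id_a, id_b): [corners shared]} for every qualifying pair."""
    parent = {d.incident: d.incident for d in diamonds}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    links = {}
    for a, b in combinations(diamonds, 2):
        shared = shared_corners(a, b)
        if len(shared) >= min_corners:
            links[(a.incident, b.incident)] = shared
            parent[find(a.incident)] = find(b.incident)

    groups = defaultdict(list)
    for d in diamonds:
        groups[find(d.incident)].append(d.incident)
    return sorted(sorted(g) for g in groups.values()), links


# Constructed sample: four SOC tickets. Indicators use documentation
# address space and the reserved .example TLD; the ATT&CK id is real.
SAMPLE_INCIDENTS = [
    Diamond("INC-001",
            capability={"macro-dropper", "T1566.001"},
            infrastructure={"203.0.113.10", "update-check.example"},
            victim={"HR"}),
    Diamond("INC-002",
            capability={"macro-dropper", "T1566.001"},
            infrastructure={"203.0.113.10"},
            victim={"HR"}),
    Diamond("INC-003",  # phishing against HR, but different infrastructure
            capability={"T1566.001"},
            infrastructure={"198.51.100.7"},
            victim={"HR"}),
    Diamond("INC-004",  # unrelated webshell on a public server
            capability={"webshell"},
            infrastructure={"192.0.2.44"},
            victim={"web-team"}),
]


if __name__ == "__main__":
    for threshold in (2, 3):
        clusters, links = cluster(SAMPLE_INCIDENTS, threshold)
        print(f"min_corners={threshold}: {clusters}")
        for pair, corners in links.items():
            print(f"  {pair[0]} <-> {pair[1]} share {corners}")
```

With the two-corner threshold from the answer, INC-003 joins INC-001 and INC-002 only because "phishing attachment" and "HR" are both common features; raising the threshold to three corners, or discounting high-prevalence features before comparing, keeps that pair apart. Which of these is right is exactly the analyst's call the earlier answers describe, and the script makes the assumption explicit and repeatable rather than hiding it.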

Q2: I'm starting in CTI in a small company and I'm building my knowledge sources about attacks, groups, APTs, incidents etc., focusing mainly on strategic long-term intelligence rather than the incident response phase. What kind of sources (could be commercial) would you recommend?

A: I would also suggest brushing up on your research and cognitive skills. A few works I would suggest are The Thinker's Toolkit, I&W by CSIS, intelligence documents from UNODC, and effective writing primers from military or intelligence agencies - there are lots online. A lot of militaries also publish their non-classified manuals online - they are long and boring, though filled with a lot of good info.

A: This could be helpful https://www.cfr.org/cyber-operations/

Q3: I see a lot of CTI job postings that have a requirement similar to "must have tracked at least two actors for a year". Is there something folks who might be in security but don't track actors can do to gain equivalent experience (or at least have an answer to the question)?

A: [summary of everyone's answers] Pick two threat actors right now and work on tracking them as a side task. Start tracking them with the experience you have gained by tracking threat actors. I would think what they are really after is: do you have the experience to collect data, analyze it and turn it into intelligence, and the ability to use OSINT tools? Start to look at your vertical, and see how similar organizations are being attacked and if a threat actor has been attributed. Look into some of the more established criminal campaigns, like TrickBot, or long-running ransomware stuff, because there's usually also a lot of good info about TTPs and previous attacks. Most interviews will touch on something about recent cyber attacks, current events, etc., so it's always a good area to prep for anyway. If you're coming into a job to be a CTI analyst, every team I've been on or interviewed with expected some degree of knowledge around your various threat actors. You could also review past activities by a well known threat actor group, and then try to forecast future activity by using the Indications and Warnings framework. If you're new to Threat Intel, take a look at the items shared on this blog from Andreas Sfakianakis. Some great details here: https://threatintel.eu/
