Cyber Threat Intelligence: Q n As (aka #ctijam)


Below are Q n As related to Cyber Threat Intelligence (see #ctijam on Twitter for more details). The replies come from some of the most knowledgeable CTI guys out there.


  • Q1 – Finding talent is hard, what suggestions do you have for successfully recruiting Threat Intel staff?
    • From the perspective of an employee, good tools and data sources are key, flexibility in work hours/environment help too.
    • Look for people with analytic skills even in other fields if they are eager to learn. Diverse backgrounds make a well-rounded team.
    • I think the key has to be moving towards building analysts, otherwise it’s fighting over a finite group.  It seems there is a natural progression path from Tier-1 SOC analysts. Training people is key.
    • Maybe don’t start hiring “intel” staff. Hire IR staff that know how to use and make good indicators. Work up from that.
    • Curiosity and an analytical mind are key. Given tools, process, and mentoring, those two traits will go a long way.
    • A lot of orgs overlook great people they already have who may just need some additional training.
    • Don’t turn them into IOC monkeys. Give them cool work, training & tools. Tell them what you need but not how. Let them innovate.
  • Q2 – Retaining staff is also hard, what suggestions do you have for developing and retaining staff?
    • Have clear career path, consider remote workers, designate side project time for research, speaking, tool development.
    • Unstructured/research time is key. Most analysts want interesting telemetry and the freedom to explore it.
    • Give them training! Don’t micro-manage!
    • Work has to be rewarding and most importantly manageable. Threat Hunters are the most in danger of becoming “Cyber Nihilists”
    • Let them be creative and engage in research in areas they are passionate about. It will benefit you as well!
    • Work with HR department to make sure corp salary bands don’t prevent offering market value raises. Expensive to start over.
    • Community involvement is a great way to encourage professional growth and foster job satisfaction.
    • Encourage conference attendance, social media (twitter, slack). It’s important to feed intel people with knowledge and peer exp.
    • Variety of work. Repetition leads to boredom. Folks have to feel excited by their contribution.
    • Given how small the field of candidates is and how minimal training is, compensation is key.
  • Q3 – What are good options for training analysts? Commercial, EDU…. ?
    • Get on advisory board for local edu & guide their programme so they graduate capable students.
    • Provide 1 continuing edu course annually (SANS 578, CMU INI). Use cyber range for team training.
    • Encourage analysts to get involved with their peers, find a closed/vetted sharing venue and encourage peer review/mentoring.
    • Whenever you can, train as a team, not individuals. Y’all are going to have to work together eventually. Teamwork, and the ability to work as a team, is way underappreciated. Finding out you’re bad at it in an incident sucks.
    • Mentoring! One-to-one formal programs are good, but I’ve also had really great success with informal mentoring of a group.
    • Given the range of things in CTI (4n6, RE, traditional intel, netsec, etc) give people freedom to explore.
    • READING! Stock a library of notable publications and hardcover books that encourage good process/tradecraft.
    • Read Center for the Study of Intelligence library
    • In previous life, we also defined training plans and actually gave people time to train. Later, it became required.
    • Look for likeminded tradecraft training. Society of Competitive Intelligence Professionals has good 101 methodology.
    • SANS FOR578 and tons of reading. Intelligence tradecraft applied to technical expertise = winning combo
    • Have a look at @CYINT_dude ’s resources list for continuing education
  • Q4 – How do you respond to this? “I’m not MegaBank, I will never have Threat Intel team, what should my staffing strategy be?”
    • Define requirements based off of historical data and trends and ID what current staff should focus on. Grow it organically.
    • Intel starts with good requirements. Figure out yours. Realize the investments you can make (sliding scale of cyber security).
    • Further, figure out if you want to generate or just consume Intel. Both require people but largely different investments. This is the #1 least understood issue in CTI. Consuming is doable for any team, creation is a challenge.
    • First, evaluate your current strengths and weaknesses. What gaps do you have that threatintel could address?
    • You can get pretty far in the intel game by using your IR staff correctly!
    • PLEASE don’t threatintel for the sake of saying you can threatintel
    • Provide tools and processes as force multipliers. One or two well-trained folks can do a lot with right tooling
    • CTI works at any size. It doesn’t need a team. It’s a mind-set first then a process then tools.
    • Good responders can create decent indicators, and know how to use them to find related activity.
    • You don’t always need a dedicated “intel team” to do well with threat intel. Start small and see how much growth makes sense.
    • Intel != just IOCs. It’s also what u know about your org and the threats against it. Intel & metrics as Venn diagram #VERIS
    • Scale is so important. Small orgs with few resources should not be trying strategic intel. Start small, build up as you mature.
  • Q5 – How mature does an organization need to be to use ThreatIntel?
    • PROTIP: If u don’t have 2FA on VPNs, have the same local admin pw across org, u might not want to hyper focus on ThreatIntel
    • threat intel applies to orgs of ANY maturity. Just need to have a smart strategy + some visibility to make it work.
    • maturity != capability. CTI is a process at any maturity level. If you can log, you can intel. It is more maturity of ppl
    • Oh boy, I have some opinions about this. ThreatIntel can be very powerful, but there is a lot other words should do first.
    • Get some basics in place, but feel free to incorporate particularly tactical intel early! Use it, carefully, for visibility.
    • How to start: Detect incidents. Extract key IOCs (pref. at high #PoP levels). Make sure you find those IOCs again if they occur.
    • Start slow and build slowly, methodically, & incrementally.
    • All of this contributes to frustration and lack of efficiency on current ThreatIntel
  • Q6 – Following up on previous tweets, how do orgs shift from ThreatIntel consumption to production?
    • Orgs should ideally start with production. Gather ThreatIntel from intrusions, build dossiers then fuse w external sources
    • Develop an achievable “product portfolio” with defined SLAs, and aligned to requirements and customers. And then estimate resources / analyst time to those products to limit scope creep and meet production requirements
    • There’s no “shift” if you start out with production from your own internal sources!
    • Production starts tactically, consume IOCs, produce F/W | IDS/IPS policy.
    • Use incident data to trend and brief awareness to security staff
    • Understanding production is important, doing it is a different animal. Practice it, at small scale as an intel program matures.
    • Interview CTI stakeholders to shape product outcomes of interest at all levels
    • Focus on internal “enrichment”-type products first to take advantage of internal incidents and intel
    • At previous CIRT, I started threat intel with a CSV file of malicious IPs and domains. Grew from there!
    • And don’t get caught trying to produce daily summaries! They take too much time for little pay-off in actionability
    • The best threat data in the market is inside YOUR network. If you can’t find & capitalize on it you can’t effectively generate intel
    • Critical to define type of production you need (see requirements). Shiny threat reports often not what you want.
    • Start by following the crumbs of external ThreatIntel through their own telemetry to build a native capability
    • Don’t forget to evaluate whether the threatintel you are consuming is actually helping at all
    • Start with known bad: Your own incident management system. Otherwise you’re missing the point.
  • Q7 – Getting a bit more tactical, what are some good open source ThreatIntel tools orgs can deploy?
    • Threat Note, MISP, & CRITs are great open source Threat Intelligence Platforms.
    • take advantage of the free sources and communities like Alienvault OTX
    • excluding all the DFIR & Sec tools look to things like ThreatMiner, Threat_Note, ThreatCrowd, & MISP as good tools
    • Threat Note, CRITS, MISP. Just remember open source threatintel tools take care and feeding!
    • simple, low-cost collaboration tools such as Wikis, combined with technical intel DBs like MISP, CRITs
    • open source tools are free as in puppies. They take care and effort to be awesome.
    • CriticalStack and Bro_IDS Intel Framework, MISP Project, Threatcrowd, ThreatMiner.
    • Big fan of Alienvault OTX, ThreatExchange and threat_note. MLSecProject combine can help with ThreatIntel
    • threat_note, STOQ, IntelMQ, Cacador/Jager.
    • You could buy a threat intel feed, or you could just buy a canary from  and know when you’ve been breached
    • Some promotion: …
  • Q8 – What enrichment sources do you recommend?
    • Don’t neglect internal enrichment sources. Identity, asset, data value, vulnerabilities
    • Most popular today include PassiveDNS and WHOIS for network data. Correct application helps map attacker infrastructure.
    • PassiveTotal, DomainTools, Alienvault OTX, CentralOps, Aptnotes, & your own internal systems (AD, DNS, etc).
  • Q9 – What recommendations do you have for actually integrating tactical ThreatIntel into my security infrastructure?
    • Collocating your CTI & IR/SOC/CERT is key. Don’t be the team that comes down from on high with IOCs and disappears.
    • Import/export formats are critical. You need a common work/dataflow for multiple sources of data.
    • Don’t be so quick to stovepipe “intel” and “IR” into separate groups. They need each other to survive and flourish!
    • Collaboration and fusion of data and resources is key. CTI is ops support, where sec analysis, IR/M VMS are ops
    • Tools like IntelMQ, Cacador, jq, and Stoq can help transform, normalize data for input into a single repository.
    • CTI is a natural extension of IR. You should use CTI in sec ops but should primarily come from IR
    • Recommend using threat/intel data for visibility/alerting long before ever considering enforcement. Build process before acting.
  • Q10 – How do orgs measure the effectiveness of their ThreatIntel?
    • How has CTI impacted operations? Have you seen quicker and more focused IR? Do you have an intelligence driven threat model?
    • Best metric I have seen so far is “dwell time”. How much quicker are we in finding badness and solving incidents with new info?
    • Are you influencing or changing behaviours? Document instances where intel directly led to $action or $behavior
    • Number of IOCs shouldn’t play any role in measuring effectiveness of ThreatIntel
    • For strategic look for security culture changes and executive and board level confidence as well as pain points addressed
    • Try to avoid “vanity metrics” like “# IOC” and “# reports”
    • Define what outcomes you anticipate with intro of CTI and measure based on those
    • When investing in ThreatIntel be ready for the Bobs. How did investment impact the org? Validate the $
    • How users respond to threats is another good way to judge value. threatintel should inform them, not just tactical defenders
    • The Bobs analogy applies to all security investments. Avoid expense in depth, measure for success.
    • PLEASE tie any eval directly to requirements. Are you meeting the need for your org? Do not talk # of incidents, IOCs, etc.
    • Keep in mind threat intel is not only about detecting threats, but knowing what else to expect from an actor during an IR
    • If your sec ops and IR people can’t name some CTI team members and list last time they helped out then you have a problem
    • Also measure for failure and then get rid of control or service. Don’t throw good money after bad.
    • You could conceivably track how useful it is in investigations and responses in addition to initial detections.
    • Best ThreatIntel success metric is “dwell time” – reduce time adversary is active.


