June 16, 2020

What It Takes to Build Threat Context

Written by: Josh Campbell

As the Cyber Threat and Operations Lead at Cyborg, I’ve been working with my team on a lot of fronts to develop threat hunting content that can help cyber defenders improve their responsiveness to threats. Much of the work we do centers on technical research that drives the development of threat profiles. Arming threat hunters and traditional analysts with these profiles provides them crucial context about various threats when they need it most.

As we develop this content, our ultimate goal is to make sure the profiles provide actionable intelligence to identify and respond to threats, regardless of their complexity. The profiles we’re building are based on malware families, threat actors, and their associated tactics, techniques, and procedures (TTPs) to offer multiple dimensions of context and searchability for analysts. This means curating data from across the industry, as well as developing our own threat information and intelligence.

We work to develop comprehensive data on the capabilities of hundreds of malware families and exploitation toolsets, and on the threat actors that use them, which we then codify using the industry-standard MITRE ATT&CK framework, accompanied by our own in-depth analysis. While this process is extremely labor-intensive, it gives every analyst the ability to understand the threats they face, their capabilities and methodologies, and the risks to organizations and individuals. Whereas many organizations have produced ad-hoc reporting on various threats, we are developing a sustainable capability that can help raise all boats.

Developing this capability is arduous for many organizations, with the body of knowledge being both vast and of varying quality. This results in analysts, often in the middle of an investigation, being forced to pause their efforts in order to sift through the information, contributing to analyst fatigue and exposing organizations to additional risk. Other firms have tried a different tack, instead choosing to apply machine learning as a means of combing through this information. However, the results are often inconsistent and still require the analyst to ingest and process all of that data in a reactive manner.

Instead, my team gathers that reporting proactively, across industries, geographies, and languages, as well as the malware and tools themselves, in order to vet, validate and categorize the reporting, perform analysis on the malware and tools, and document our findings in a consistent format. This ensures that the intelligence we provide to our customers is timely, accurate, and actionable.

This process of curation, aggregation, analysis, and the resulting documentation and tagging, both for our threat feed and for our hunting content, allows us to distill the necessary information and present it to the analyst, including threat actor and malware aliases, targeting preferences, delivery and installation mechanisms, persistence methodologies, and the communication formats employed by both threats and threat actors.

Ultimately, my team’s mission is to ensure that whenever a defender uses an indicator from the Cybernetic Threat Feed, or a piece of content from the Cybernetic Content, they can be confident that it will be accompanied by Cyborg’s detailed context and tagging to assist in their investigation, reducing the demand on analysts and helping organizations make their security data more immediately actionable.
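As an added illustration (not Cyborg’s code, and not the format of their feed or content), the following Python sketch shows the shape of the curation-and-tagging pipeline described above: reports from several sources are vetted by source reliability, merged into one profile per family by bridging the aliases each source uses, tagged with MITRE ATT&CK technique IDs, and then exposed through an indicator lookup that returns the merged context an analyst would want mid-investigation. The reports, the A-to-F reliability scale, the family names, the notes, and the indicators (reserved `.test` domains and an RFC 5737 documentation address) are all constructed for the example.

```python
"""Added example: turn vetted, multi-source threat reporting into profiles that
an analyst can query by indicator. All sample data below is constructed."""
import re
from dataclasses import dataclass, field

# Source reliability on an A (highest) to F (lowest) scale; an assumption for this example.
RELIABILITY_RANK = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1, "F": 0}


@dataclass
class Report:
    """One piece of external or internal reporting about a family or actor."""
    source: str
    reliability: str                                 # key of RELIABILITY_RANK
    names: list                                      # names this source uses
    techniques: list = field(default_factory=list)   # ATT&CK technique IDs
    indicators: list = field(default_factory=list)   # domains, IPs, hashes
    notes: dict = field(default_factory=dict)        # e.g. delivery, persistence


@dataclass
class Profile:
    """Merged view of everything vetted reporting says about one family."""
    canonical: str
    aliases: set = field(default_factory=set)
    techniques: set = field(default_factory=set)
    indicators: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    notes: dict = field(default_factory=dict)


def normalize(name):
    """Collapse case and punctuation so 'Sample RAT' and 'sample-rat' match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def vet(reports, minimum="C"):
    """Drop reporting from sources below the reliability floor."""
    floor = RELIABILITY_RANK[minimum]
    return [r for r in reports if RELIABILITY_RANK.get(r.reliability.upper(), 0) >= floor]


def _absorb(target, other_aliases, other_techniques, other_indicators, other_sources, other_notes):
    target.aliases |= other_aliases
    target.techniques |= other_techniques
    target.indicators |= other_indicators
    target.sources |= other_sources
    for key, value in other_notes.items():
        target.notes.setdefault(key, value)   # first vetted statement wins


def build_profiles(reports, minimum="C"):
    """Merge vetted reports into profiles, joining any that share an alias."""
    profiles = []
    for r in vet(reports, minimum):
        keys = {normalize(n) for n in r.names}
        hits = [p for p in profiles if p.aliases & keys]
        if not hits:
            target = Profile(canonical=r.names[0])
            profiles.append(target)
        else:
            target = hits[0]
            # A report naming two previously separate profiles bridges them into one.
            for extra in hits[1:]:
                _absorb(target, extra.aliases, extra.techniques, extra.indicators,
                        extra.sources, extra.notes)
                profiles.remove(extra)
        _absorb(target, keys, {t.upper() for t in r.techniques},
                {i.lower() for i in r.indicators}, {r.source}, r.notes)
    return profiles


def index_indicators(profiles):
    """Map every indicator to the profile that carries its context."""
    return {ind: p for p in profiles for ind in p.indicators}


def context_for(index, indicator):
    """What an analyst gets back for a hit: family, aliases, TTPs, sources, notes."""
    p = index.get(indicator.lower())
    if p is None:
        return None
    return {"family": p.canonical, "aliases": sorted(p.aliases),
            "techniques": sorted(p.techniques), "sources": sorted(p.sources),
            "notes": dict(p.notes)}


# Constructed sample reporting: two reliable sources describing the same family under
# different names, one unvetted forum post, and one unrelated family.
REPORTS = [
    Report("vendor-x", "A", ["SampleRAT", "SMPL"], ["T1566.001", "T1071.001"],
           ["malicious-example.test"], {"delivery": "spearphishing attachment"}),
    Report("blog-y", "B", ["smpl-rat", "Sample RAT"], ["T1547.001"],
           ["198.51.100.7"], {"persistence": "Run key"}),
    Report("forum-z", "E", ["SampleRAT"], ["T1486"], ["low-confidence.test"]),
    Report("vendor-w", "A", ["OtherLoader"], ["T1105"], ["loader.test"]),
]

if __name__ == "__main__":
    index = index_indicators(build_profiles(REPORTS))
    print(context_for(index, "198.51.100.7"))
```

The point of the alias bridging is that the second source never uses the first source’s spelling, yet an analyst who pivots on its IP address still receives the delivery note, the persistence note and all three technique IDs in one answer; the low-reliability forum post is excluded before it can pollute that answer, which is the vetting step the post describes.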

Read more from Josh Campbell, Cyborg’s Cyber Threat and Operations Lead, in his blog post The Trouble With Threat Intelligence Today.
