My first year in Cyber Threat Intelligence

-



As of 1 August, I have been working in the cyber threat intelligence industry for one whole year. It has been a steep, but rewarding, learning curve that gives as much back as you put into it.


In 2016, I started university doing a cybersecurity-specific course as I knew it was what I wanted to do since I was about 15 years old. I graduated in 2019 with a 2:1 in BSc (Hons) Computer and Information Security. Within three weeks of finishing my course I was offered a job in July and started in August. It could not have been better. 


It was only until the end of my course that I began to learn about threat intelligence and emerging threats in an interesting module that educated us about 0day vulnerabilities and the darknet. Initially, I wanted to be a penetration tester (like most students on my course), but I was only just about able to make it through the labs on Kali and Metasploit through hard work and frustration. This put me off and made me look elsewhere into other areas of security which included learning about OSINT and malware. Cyber threat intelligence was perfect for my skill set. 


In my first role as a Junior Security Researcher I had to learn A LOT. This is a fair warning to anyone entering the cybersecurity industry in general - you need to learn a little bit about everything and keep learning while on the job, it is just a fact. For example, the topics I have to cover includes:





What is Cyber Threat Intelligence?


“Cyber threat intelligence is information about threats and threat actors that helps mitigate harmful events in cyberspace. Intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence or intelligence from the deep and dark web.” - Bank of England


My experience of cyber threat intelligence has been as part of an entity that is external of the organisations that it provides intelligence for. This is also known as CTI-as-a-Service. There are a number of firms dedicated to CTI, but other Managed Security Service Providers (MSSP) and Antivirus companies also provide similar offerings.


How to provide CTI:

  • Identify and analyse relevant threats to targeted organisations

  • Communicate effectively with Security Operations Centers (SOC)

  • Perform custom investigations on an adhoc basis

  • Timeliness is key to provide actionable intelligence


Gathering intelligence: 

  • Monitoring - checking sources and evaluating what needs to be reported on

  • Sources - gathering sources of new information, could be OSINT, RUMINT, HUMINT, and SOCMINT

  • Networking - working with the CTI community and intel sharing


Writing analytical reports:

  • Executive summary - explain concisely what is happening / has happened

  • Analysis - explain why this matters, add context with previous incidents, and evaluate

  • Spelling, punctuation, and grammar has to be flawless at all times

  • Write in active tense to describe something that is ongoing

  • Do not spend too long on one report (10 others still need to be written)


What is a threat? 

"If you see dark clouds outside, there's a threat of rain. If you decide to go out without an umbrella, that's a vulnerability. Combine the two and you have the risk of getting soaked." - Anonymous


Cyber threats are negative events impacting technology. This can include malware, phishing, social engineering, data breaches, vulnerabilities and exploits, APT groups, disinformation campaigns, and denial of service attacks. For a comprehensive view of the threat landscape is it necessary to keep track of all of these threats and have an understanding of them. I found it useful to have knowledge of each of the most notable two or three incidents for each example listed.


It has been interesting monitoring the threat landscape throughout the last year. Top-tier cybercrime groups have been generating more funds than ever. This year has been largely dominated by crippling ransomware attacks and data exfiltration that is later released to their respective leak sites. It is expected to continue, with ransom demands increasing in the millions of dollars worth Bitcoin.


In January, I started this blog (bushidotoken.net) to improve my writing. I wanted to improve my analytical skills for intelligence reports and research topics I wanted to learn more about. 


The blogs I wrote about which I learned the most from include:

Finally, when I first started my job we were working in a modern office only a 15 minute walk away from me, it was ideal. Then in March we were all sent home, like many others, due to the threat of COVID-19. It was the first time for me to work from home and at first I was unsure if it would be suitable for me. After a few weeks, however, I found myself enjoying it and now I would say I somewhat prefer it to a traditional office. Working from home doesn't necessarily mean from where you live, it is essentially anywhere with an internet connection. I also have a very supportive team that offers plenty of flexibility and opportunities for me to learn new skills and make new connections. 


Threat intelligence is so interesting to me as you never really know what the next week will bring. It could be a huge ransomware attack against a multinational firm or an exploit could be dropped and every Fortune 500 firm is immediately under attack. In the next year I hope to earn a certification - such as CTIA or CREST - and attend conferences to meet some of the connections in the industry I have made through Discord and Twitter.


Sources:

https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/understanding-cyber-threat-intelligence-operations.pdf

https://www.cia.gov/library/readingroom/docs/CIA-RDP84T00896R000200550005-2.pdf

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more