CTI Maturity model - Stage 2
In Stage 2, the team will start to build relationships allowing a more consistent intake of high-fidelity human-generated and semi-automated data flows.
Information received through automatic feeds, if appropriate, can be used to block activity. Careful consideration is required to select which feeds fall into this category. CTI personnel research which feeds best meet their requirements, ensuring that their budget is allocated properly.
As organizations mature, they will move away from merely sweeping for observables and move up the Pyramid of Pain. The incorporation of Operational and Strategic intelligence begins gradually in Stage 2. It will most likely never be fully completed, because emerging technologies and other outside influences keep changing the picture. Organizational maturity and technological advances will enable organizations to reach a stable state fitting their objectives and financial requirements, although they should periodically re-evaluate it.
The goal of moving further up the Pyramid of Pain is to increase the cost to the attacker, causing their campaigns to fail. Hashes, IP addresses, and domains are easily changed by threat actors, but disrupting their tactics, techniques, and procedures (TTPs) imposes a much greater cost. Thus the capability must extend to identifying, researching, and blocking the attacker based on Operational and Strategic intelligence (TTPs). If done effectively, the attacker will have to change most aspects of their campaign, from process and tooling down to infrastructure.
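As an added illustration that is not part of the FIRST curriculum text, the Python sketch below applies the two rules above: an automatic feed earns the right to block only after a track record of sightings confirmed by incident response, and each indicator is routed by its Pyramid of Pain level, with cheap-to-rotate atomic indicators expiring quickly while tools and TTPs go to detection engineering. Feed names, counts, thresholds and lifetimes are constructed assumptions.

```python
from dataclasses import dataclass

# Pyramid of Pain levels, cheapest for the attacker to change first.
PYRAMID = ["hash", "ip", "domain", "network_artifact", "tool", "ttp"]
# Atomic indicators a blocking control (EDR, firewall, DNS RPZ) can consume directly.
BLOCKABLE = {"hash", "ip", "domain"}
# Assumed auto-block lifetimes in days: IPs and domains rotate fastest, so they expire first.
TTL_DAYS = {"hash": 90, "ip": 7, "domain": 30}


@dataclass
class Feed:
    """Track record of one automatic feed, as confirmed or refuted by incident response."""
    name: str
    true_positives: int
    false_positives: int
    min_precision: float = 0.95   # assumed threshold for granting auto-block rights
    min_sightings: int = 20       # assumed minimum history before trusting a feed

    def precision(self) -> float:
        total = self.true_positives + self.false_positives
        return self.true_positives / total if total else 0.0

    def may_autoblock(self) -> bool:
        return (self.true_positives + self.false_positives >= self.min_sightings
                and self.precision() >= self.min_precision)


def pyramid_level(ind_type: str) -> int:
    """0 for hashes up to 5 for TTPs; raises ValueError on unknown types so bad feed data is not silently routed."""
    return PYRAMID.index(ind_type)


def route(feed: Feed, ind_type: str, age_days: int) -> str:
    """Decide what the CTI team does with one indicator received from a feed."""
    level = pyramid_level(ind_type)
    if ind_type in BLOCKABLE:
        if age_days > TTL_DAYS[ind_type]:
            return "expire"                     # stale atomic indicator: drop from blocklists
        return "autoblock" if feed.may_autoblock() else "alert"
    if level == pyramid_level("network_artifact"):
        return "alert"                          # needs analyst validation before action
    return "detection_engineering"              # tools and TTPs become durable detections


if __name__ == "__main__":
    vetted = Feed("vendor_feed", true_positives=95, false_positives=2)   # constructed
    osint = Feed("open_list", true_positives=10, false_positives=10)     # constructed
    for feed, ind_type, age in [(vetted, "ip", 1), (vetted, "ip", 8),
                                (osint, "domain", 1), (vetted, "ttp", 1)]:
        print(f"{feed.name:12} {ind_type:16} {age:3}d -> {route(feed, ind_type, age)}")
```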
At this stage, the team will start documenting the observable results of internal investigations and the corresponding analysis. In this way, they will be a collector and creator of raw intelligence. This can be leveraged at a later point to either discover larger campaigns or long-term trends. The CTI Team will start their knowledge management process and recognize that information from previous events helps to learn and develop better techniques for future events. At this point, the team will look at how to systematically collect, store, process, and disseminate data and implement a Threat Intelligence Platform (TIP).
At this stage, the team will develop analytic capability though it will be focused on analyzing and tying together multiple data sources and not so much on producing a product intended for external dissemination. This will also include incorporating data from underground forums provided through threat intelligence partners. In this phase, the direct collection will be avoided mostly due to the time it would require but also due to the lack of proper OPSEC training and supporting infrastructure.
At this stage, the organization will start to actively engage other teams across the industry.
Furthermore, the team will start providing input to the Risk Management and business processes. This is possibly the highest-value function the CTI Team has at this stage. Providing this capability allows the CTI Team to create value for the company, supports its growth and maturation, and ensures its longevity. If the CTI Team is part of the RM process, it is directly supporting corporate security and mitigating risks as defined at the corporate and leadership level. Importantly, mitigating risks aligns the CTI Team with the resources necessary to complete RM tasks X, Y, and Z. Simply stated, resources equal money: money for personnel, tooling, etc. CTI process support should align with organizational Risk Management / Mitigation (RM) processes. Linking these two processes enables RM leaders to clearly identify their risks and quantitatively connect them with risk mitigation strategies. The risk mitigation strategies are then properly prioritized, which leads to a properly budgeted project. The RM leaders are then able to triage risks based on CTI and decide on the best mitigation method.
Structure within the CTI Team begins with documented analytical processes, how to request support, where to find their reporting, etc. It might be easiest to think of this document as a combination of Standard Operating Procedures and an Onboarding / New Hire guide. This will include how the CTI Team is using intelligence concepts (intelligence cycle, frameworks, etc.) and identifying the tactical, operational, and strategic intelligence they are providing. As part of the structure, the relationship between the Incident Response Team and the CTI Team will be formalized with inclusion into the RM Process as identified above.
Last but not least, some basic tasking will be initiated to gather and analyze information about specific threats. This process indicates that the CTI Team has the capacity to move beyond supporting only incident response investigations and is now entering into Threat Landscape Reporting (TLR). TLR is necessary because it begins the process of supporting the RM process and strengthens overall security through understanding. The biggest uncertainty most organizations face is “What does my environment contain and look like?” A TLR links the environment with likely threat actors who have targeted the organization before or who are active within the business vertical / sector. The TLR is a key element in building awareness of the organization's threats. That awareness grows into understanding. Once you understand the environment and the threats within it, you can build solutions.