Goldilocks CTI: Building a Program That’s Just Right

Vendor or Defender?

CTI Capabilities and Services

  • Adversary infrastructure analysis
  • Attribution analysis
  • Dark Web tracking
  • Indicator analysis, including enrichment, pivoting, and correlating to historical reporting
  • Intelligence production (e.g. writing intelligence reports)
  • Intelligence sharing (external to the organization)
  • Malware analysis & reverse engineering malware
  • Threat research (Finding/correlating badness with external datasets)
  • Tracking threat actors’ intentions and capabilities
  • Vulnerabilities research

Threat Actor Tracking & Attribution

Malware Analysis Team?

To the Dark Web! Or Not?

Indicator Platform or Analyst Platform?

  • Do you want your team to track threat actors' intentions and capabilities over the long term? Or…
  • Is it good enough that your team simply tracks IOCs and generates alerts when traffic matches known IOCs?
  • Separate object types for reports, actors, malware, IOCs, CVEs, TTPs
  • True deduplication of each object type (many vendors do some magic handwaving about deduping, but they have one record per source, so the same IOC is actually in your system multiple times despite what they say and how they display it… major impacts for integrating into a SIEM)
  • Automatically correlate threat actor reporting to my Actors, Malware, CVEs, signatures, and IOCs based on the context in the threat reporting
  • Let me override anything and everything the TIP automatically did, including correlations, scoring, etc. AND NOT JUST DURING UPLOAD. AT ANY TIME I SHOULD BE ABLE TO MODIFY ANY OBJECT AND ANY ATTRIBUTE.
  • Standard enrichment only requires plugging in an API key from the appropriate vendor. SERIOUSLY, I SHOULDN’T NEED SOAR TO ENRICH IOCS WITH VIRUSTOTAL AND WHOIS
  • Truly manage signatures (writing, testing, correlating to threat reporting/actors/CVEs/etc.), including sensor integration
  • Visualization support for mapping out campaigns, object relations, etc.
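The deduplication point in the list above, as an added example (not from the original article or any TIP vendor): the same constructed indicators arrive from three hypothetical feeds, and a per-source store is compared with a store keyed on the normalized indicator. The feed names, the normalization rules and the highest-score-wins policy are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample rows (source, type, raw value, source score); not real indicators.
ROWS = [
    ("vendor_a", "domain", "Bad-Domain.example", 80),
    ("vendor_b", "domain", "bad-domain[.]example", 60),
    ("osint", "domain", "bad-domain.example.", 40),
    ("vendor_a", "ipv4", "203.0.113[.]7", 70),
    ("osint", "ipv4", "203.0.113.7", 50),
    ("vendor_b", "sha256", "AB" * 32, 90),
]

def normalize(ioc_type, raw):
    """Reduce a raw feed value to one canonical form per indicator type."""
    value = raw.strip().replace("[.]", ".")  # refang defanged dots
    if ioc_type == "domain":
        return value.lower().rstrip(".")  # case-insensitive, drop root dot
    if ioc_type == "ipv4":
        return str(ipaddress.IPv4Address(value))  # rejects malformed addresses
    if ioc_type in ("md5", "sha1", "sha256"):
        return value.lower()
    return value

@dataclass
class Indicator:
    ioc_type: str
    value: str
    sources: dict = field(default_factory=dict)  # source name -> that source's score

    @property
    def score(self):
        return max(self.sources.values())  # assumed policy: highest source score wins

def per_source_store(rows):
    """One record per (source, indicator): the model the bullet criticizes."""
    return [(src, t, normalize(t, raw), s) for src, t, raw, s in rows]

def deduplicated_store(rows):
    """One record per (type, normalized value); sources become attributes of it."""
    store = {}
    for src, t, raw, s in rows:
        key = (t, normalize(t, raw))
        store.setdefault(key, Indicator(*key)).sources[src] = s
    return store

def siem_export(store):
    """What a SIEM integration would receive: one row per unique indicator."""
    return sorted((i.ioc_type, i.value, i.score, sorted(i.sources)) for i in store.values())
```

On the sample rows the per-source store holds six records and the deduplicated store three, which is the difference a SIEM watchlist built from each would see.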

Defender CTI Programs For The Win

  • Who are the threat actors likely to target our organization and why?
  • What are their capabilities and how can we detect them?
  • Which vulnerabilities in our environment have been targeted by threat actors?
  • Which systems and users are critical for our business operations, how are we defending them, and have they been targeted in the past?



Andy Piazza


I enjoy writing, mentoring, and sharing knowledge. I’m klrgrz (killer grizz) on Twitter. I do stuff n things with cyber threat intel.