IOC/TTP Gathering and Distribution Flashcards

1
Q
A

While the task of collecting and distributing indicators of compromise and TTPs can be completed by anyone, it makes sense for a strategic threat intelligence analyst to perform this duty, as they will regularly be in contact with information-sharing partners and receive government-issued alerts from organizations such as NCCIC, US-Cert, NCSC, and more.

This task includes gathering IOCs regarding threat actors that are likely to target the organization, as trying to digest IOCs from every single cyberattack out there will generate a lot of noise and overwhelm defenders with alerts and false positives. If a threat actor is targeting banks and banking systems, the threat intelligence team at an aerospace company isn’t going to be running the same equipment and therefore is unlikely to encounter that specific threat agent.

IOCs that are gathered from threat intelligence vendors, government alerts, information sharing partners, and public sources are then passed down to tactical threat intelligence analysts, or the wider security team based on the information. We’ve created a diagram to help visualize this process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Example Walkthrough

A

The strategic threat intelligence analyst at Organisation A receives an email from an analyst at Organisation B, who is in their industry-specific information-sharing partnership (ISAC). Organisation B’s analyst informs the strategic analyst that they have just been hit by an APT who specifically targets the industry they operate in, and during incident response, they collected IOCs including IP addresses that were used to scan and exploit systems at Org B. The strategic analyst then passes these IOCs to a tactical threat analyst who performs threat exposure checks within the SIEM platform to see if the same IPs have scanned Org A recently based on perimeter firewall logs.

The strategic analyst also provides the wider security operations team with a situational awareness email, informing everyone that a similar organization has been hit by an APT and that they may target Org A in the near future.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly