
ThreatQuotient and vCyber Present:

How to leverage a TIP for an efficient SOC


Robert Streamer – APAC Director, ThreatQuotient
Topics
1. What is CTI and what is a TIP
2. CTI Models and Maturity – Where to Start?
3. Where does a TIP fit into Security Operations and XDR
4. Success Criteria: Customer needs and requirements
5. Success Criteria: Laying foundations for successful automation
6. Success Use Case: Large financial organization

What is CTI and TIP?
Cyber Threat Intelligence (CTI)
• It is quite literally the 'cyber' version of military threat intelligence
• It is not just the latest random news on cyber attacks with a collection of technical indicators
• It includes tactical, operational, and strategic information to inform everything from day-to-day decision making, through to process development, and technology investment
• Should be collected from internal sources as well as external sources

Threat Intelligence Platform (TIP)
• First and foremost, it is a tool for CTI Analysts
• A specially structured data repository where CTI Analysts store their research, capable of disseminating information to the required stakeholders in various formats
• Used to process data and ultimately turn it into finished intelligence
• SOC is one of many stakeholders (customers) of the TIP - not necessarily direct users, but consumers of information
• Needs to operate a data model appropriate for your organisation
CTI Maturity and Models – Where to Start?

[Figure: three models side by side, ordered from bottom (relatively easy, low maturity) to top (tough, advanced)]

Detection Maturity Model (bottom to top, increasing MATURITY): Atomic Indicators → Host & Network Artifacts → Tools → Procedures → Techniques → Tactics → Attacker Strategy → Attacker Goals → Attacker Identity (Advanced)

Pyramid of Pain (bottom to top, with the difficulty each level poses to the adversary): Hash Values and IP Addresses (Relatively Easy) → Domain Names → Network/Host Artifacts (Difficult) → Tools (Challenging) → TTPs (Tough)

Diamond Model: Adversary, Capability, Infrastructure, Victim

Strategic Intelligence
• Generally proactive in nature
• Detailed understanding of the attacker, their motivations, and their capabilities
• Drives priority and investment
• Potentially force APTs to change their tactics

Tactical Intelligence
• Generally reactive in nature
• More difficult to obtain
• Requires use of internal sources such as SIEM, EDR, Sandbox
• Close ties with Incident Response and Threat Hunting

Operational Intelligence
• Generally targets the ‘low hanging fruit’
• Informs day-to-day decision making
• Relatively easy to obtain
• Only offers point-in-time protection
• Puts limited pressure on the adversary
• Should be heavily automated
• Care needed with lifecycle management
Where does a TIP fit into SecOps / XDR?

Threat Spectrum: Known → Unknown

Security Vendors
Security vendor intelligence teams research the latest and most prevalent threats and create signatures, rules and logic for their products to detect and block.

External Independent CTI
CTI ranges from open sources, ISACs, CERTs to paid intelligence providers with large teams of analysts. Providers can be highly specialised, offering bespoke services.

Internal Intelligence
Internal intelligence comes from IR, hunt and alert triage, analysing customised attacks for which no external threat intelligence exists. Phishing emails, malware sandbox, DNS, etc.

TIP unifies external and internal intelligence for higher confidence and better decision making, integrated with security technologies.

[Figure: Technology, Users & Use-Cases]
• CTI Analysts → TIP → SOAR: IOC queries flow into the TIP; priority IOC lists and sighting events flow out; SOAR playbooks are driven by TIP intelligence
• TIP Use Cases by team: CTI Team (CTI Mgt, Sharing); SOC Team (Triage, Incident Response, Threat Hunting); IR (Forensics); Blue Team (Defence Mgt, Vuln Mgt)
• SOC Analysts, SIEM and XDR Devices feed logs and alerts back into the TIP

Outcomes
 Accelerate Detection & Response
 Better Leverage Resources
 Improve Collaboration and Communication
 Reduce Overall Risk
Success Criteria 1: Understand the Stakeholder / Customer Needs

GOAL: Deliver intelligence that is: Relevant, Accurate, Timely, Contextual, and Actionable

Every organisation structures teams differently, typically driven by budgets and maturity.

Security Operations teams generally include:
• Level 1 Analyst - Alert Triage
• Level 2 Analyst - Incident Response
• Level 3 Analyst - Threat Hunting

These are the ‘customers’ of the intelligence team, so you need to understand their specific requirements:
• What do they need?
• How does it need to be presented / what format?

You must:
• Follow the Intelligence Lifecycle. Feedback is the most important step!

REMEMBER: Garbage In = Garbage Out
Success Criteria 2: Lay the Foundations for Automation

GOAL: Automate the basics so analysts can spend more time on higher value tasks.

• Data Collection: Automate as much data collection as possible. Collect to meet requirements. Don't collect for the sake of collecting.
• Enrichment: Check additional sources for available context. Be selective about what you enrich. Don’t enrich everything.
• Scoring and Prioritisation: Don't overwhelm stakeholders with too much information. Only hold what’s relevant and actionable.
• Lifecycle management of IOCs: Ensure IOCs are appropriately vetted prior to use, and timely, as stale IOCs will cause problems.
• Dissemination to XDR: Integrate with SIEM, SOAR, Ticketing, Endpoint, Firewalls, IDS/IPS, Proxies, etc.
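As an added example (not ThreatQuotient's code, nor anything from this deck), the scoring and lifecycle rules above sketched in Python: source confidence decayed by indicator age with type-specific half-lives, boosted by internal sightings, with stale IOCs expired before anything is disseminated to XDR devices. The half-lives, expiry windows, confidence values and the sample feed are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed ageing policy per indicator type (assumption, not a vendor
# model): days for an unsighted IOC's score to halve, and days until it expires.
# Network indicators go stale fast; file hashes stay valid far longer.
HALF_LIFE_DAYS = {"ip": 7, "domain": 30, "hash": 180}
EXPIRY_DAYS = {"ip": 30, "domain": 90, "hash": 365}
# Constructed source confidence: internal IR findings outrank unvetted OSINT.
SOURCE_CONFIDENCE = {"internal_ir": 0.95, "vendor": 0.8, "isac": 0.7, "osint": 0.4}

@dataclass
class IOC:
    value: str
    ioc_type: str       # "ip", "domain" or "hash"
    source: str
    last_seen: date     # last time any source reported it active
    sightings: int = 0  # matches in our own SIEM/EDR telemetry

def score(ioc: IOC, today: date) -> int:
    """0-100 priority: source confidence decayed by age, boosted by sightings."""
    age = (today - ioc.last_seen).days
    if age > EXPIRY_DAYS[ioc.ioc_type]:
        return 0  # stale: must not be pushed to XDR devices
    decay = 0.5 ** (age / HALF_LIFE_DAYS[ioc.ioc_type])
    base = SOURCE_CONFIDENCE.get(ioc.source, 0.3) * decay
    boost = min(1.0, 0.1 * ioc.sightings)  # internal sightings raise priority
    return round(min(1.0, base + boost) * 100)

def priority_list(iocs, today, threshold=50):
    """Only IOCs worth disseminating, highest score first."""
    scored = [(i.value, score(i, today)) for i in iocs]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])

def expired(iocs, today):
    """IOCs to retire from detection rules."""
    return [i.value for i in iocs if score(i, today) == 0]

# Constructed sample feed (RFC 5737 test addresses, placeholder hash value).
TODAY = date(2024, 6, 1)
SAMPLE_IOCS = [
    IOC("203.0.113.10", "ip", "osint", date(2024, 5, 31)),
    IOC("198.51.100.7", "ip", "vendor", date(2024, 4, 1)),
    IOC("bad.example", "domain", "isac", date(2024, 5, 22), sightings=3),
    IOC("sha256:PLACEHOLDER-SAMPLE", "hash", "internal_ir", date(2024, 1, 1)),
]

if __name__ == "__main__":
    print(priority_list(SAMPLE_IOCS, TODAY))  # what goes to SOAR / XDR
    print(expired(SAMPLE_IOCS, TODAY))        # what gets retired
```

Note that the fresh OSINT address scores below the threshold and is held back, while the vendor-reported address has aged past its window and is retired outright.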
Success Use Case: Large Financial Organization

GOAL: Replace impractical systems that did not support their requirements
and workflows.

Key Use Cases:
• Threat Modelling – Research known threats and apply them to their own environment to understand their potential impact and make proactive decisions.
• Alert Triage – Use CTI to apply context to alerts to enable their SOC to make quicker and better decisions.
• Vulnerability Prioritisation – Use CTI to understand which vulnerabilities impact them the most, and which need priority patching.
• XDR Integration - Disseminate high priority IOCs to their XDR devices.
• Fraud – Collect intelligence on compromised e-commerce organisations and proactively cancel credit cards likely to be up for sale on the dark web.

Their Key Success Criteria for TIP:
• Flexible data model
• API interactions for unique customisations
Thank You!