How Do I Build a CTI Theme in a Threat Intelligence Platform?


How Do I Build a CTI Theme into a Threat Intelligence Platform?: Detect ‘19 Series



GINO ROMBLEY: Good morning, everyone.

Today, I'm going to talk about how to build a CTI theme in a threat intelligence platform.

A reason why I chose to do this talk is because there are several customers that always struggle to understand how they should bundle their feeds, how they should create a theme.

So I'm going to take you through an example.

And it could be applicable to any type of CTI team.

So a little bit background about me.

I have a Master's in Computer Science, specialization in Software Engineering Technology, from the University of Eindhoven in the Netherlands.

I used to be an identity and access management consultant at CA Technologies.

So I had several roles from professional services to pre-sales.

Roughly about two years ago, I made a switch to become a Threat Intelligence Solutions Consultant at EclecticIQ, which is one of our competitors based out in Amsterdam.

And currently, I'm a solution architect at Anomali.

So I handle technical sales, predominantly in EMEA.

And when I have time, I'm a threat analyst at night.

So any time I have time, I pretty much try to understand what's going on, do my own research, and eventually provide finished intel.

So you might ask, why build a CTI theme?

All right.

So what I've seen with customers is that one of the most common questions I get is, could you tell me something about my company?

Could you provide me Intel about my company?

And I'm like, what is it you want?

Something you could find in a deep dark web.

So I'm like, OK.

I don't do that.

Anomali doesn't do that.

So I need to go to a feed provider.

So some of them, those feed providers then provide you like a bundle, right?

So a bundle could be like brand abuse, brand awareness, or financial crime, deep dark web crime.

And what you'll notice is that each feed provider has their own way of delivering the intelligence and their own way of doing the research to deliver that intelligence to you.

And in some cases, there might be overlap.

So some of the information that they're finding is probably coming from the exact same source in the deep dark web or probably somewhere on the internet that you can find on your own.

So what I try to educate my customers is it's good that you're receiving this intelligence from the feed providers.

But try to understand what is delivered to you and how they got to those steps.

Because it's pretty much a trade off.

If you have sufficient resources, you could go and create your own intelligence versus buying it from a commercial vendor.

So a lot of those strategies have overlap.

One of the most common challenges is that each feed provider has its own methodology of delivering finished intel.

So I'm just going to give an example.

Intel 471, if you look at their reports, and FireEye's are totally different because they have their own way of delivering finished intel.

So having a threat intelligence platform, pretty much, may look consistent because it's a report, but you see a lot of inconsistency in terms of the threat data that comes in.

A lot of tags with one feed provider, whereas the other has fewer tags and hardly any additional context.

So what I normally tell my customers is, it's good that you start working on building your own theme, and this ties back up to intelligence requirements.

So if you decide to purchase a threat intelligence platform, the main question I always ask is, what is it?

What breach are you trying to mitigate?

Is it brand awareness?

Is it data breaches?

Is it financial crime?

And with that, I tell them to go through this step, workflow step, of defining your input sources.

So who should I go to to get my input sources?

On top of that, based on the output of the input sources, which enrichment sources is best to you?

So think of VirusTotal, think of Hybrid Analysis, or any other type of enrichment source.

Define your own taxonomy, which I pretty much stressed enough.

So I'm going into detail on what a taxonomy is.

And create your rules, which you can apply.

Use your rules to apply a taxonomy on the intelligence that is coming into your platform.

And then, you can add it to your workbench to start your triage investigation.

So I'm going to take an example, a use case.

This is pretty much the most common one I get all the time.

This is when customers come to me and ask me, could you provide me some intel about my company?

So pretty much, I put together a theme, a data breach theme.

So I take some sources that I'm quite familiar with, like SpyCloud.

Anyone familiar with SpyCloud?

So SpyCloud is-- I wouldn't say-- slightly deep dark web, but pretty much provides you data breaches. They're based out--

I think they're based in Houston if I'm not mistaken, American-based company.

SixGill provides deep dark web intelligence.

They're based in Israel.

And then, we have social media, Twitter, Facebook, ThreatExchange to see for compromised accounts.

So just to give you an idea of the data that they provide.

SpyCloud provides incidents.

So if there's a data breach, it's incident.

It tells you, for example, you can register your assets, whatever you call it, or add them to the whitelist of domains.

So if my company, Anomali, I can add it to their portal, and anything that comes up that relates to it or any of my employees, they will notify me in time if there is some new intel that comes in.

So there'll be usernames, there'll be passwords, there'll be the targeted victim, so which organization got breached, IPv4, IPv6 accounts.

Similar with SixGill.

They provide the exact same intelligence as well as social media.

So all of these inputs: usernames, passwords, or IPv4, IPv6.

That helps me to start thinking about which enrichment sources I can use to enrich this information.

So just to give you an example of SpyCloud.

This is an interface of SpyCloud.

It shows you exactly your watchlist.

So you can add your domains, email addresses.

Just verify your domains by adding a-- forget the term that they use-- but do what you have to verify your domain in order for you to get added here.

And then, it'll show you like emails, passwords, but also pretty much data breaches that you see.

So this is an example of SixGill: compromised credentials, email, passwords, description, when it was breached, at what time, and at the end recommendations, which are pretty much generic, saying that you should probably update your databases, reset the password, inform the users, pretty much standard security guidelines after a breach.

And then, finally Twitter.

So Twitter, new credentials, phone, [INAUDIBLE], go there, click on a link, and I see a list of user accounts and passwords.

This is all interesting for me because not only am I looking at my organization input.

I'm looking at my third party risk.

So I'm working with a lot of companies in my organization.

But if it's a shipping company or delivery company, I put that in scope as well as a data breach.

So if I know there are compromised credentials from an organization I quasi work with, that will also be flagged into my platform as well.

So enrichment sources.

These are a couple I just took based on the input I get from SixGill.

So Have I Been Pwned?

RiskIQ, VirusTotal, majority of these are free.

Just go and sign up for a subscription, and then add them into your platform.

So this is just the example of Have I Been Pwned?

I just used a test account here.

Just add in your email address, and it shows you exactly what information, LinkedIn.

It shows exactly when it was created, the amount of data that was used, so compromised data: email addresses, employees, geographic location, job titles.

Same thing applies to RiskIQ, predominantly for the IP addresses.

What I normally use this for is to identify a domain that's been registered to see the person, the C2 domain that was linked to, the compromised account or the person who registered that domain.

If I can find their email address from here, then from the email address of the person who registered the domain, I could find additional domains that link.

It's pretty much going down my analysis to see if it's really a person that's predominantly creating domains for phishing attempts or phishing attacks.


Has anyone heard about the term taxonomy?

Has anyone used taxonomies before?

So one thing I noticed a lot in terms of people using threat intel platforms is that they overlook taxonomy.

Taxonomy is pretty much your own terminology within your organization that if new intel comes in or something that you find relatable, that you can add your own taxonomy.

So one thing I stress a lot with my customers is to define your own taxonomy.

And I can always assist you in providing some examples within your platform.

So digital identity, for example.

If I find something about an email address as a digital identity, I would add, for example, a tag to the observable.

Data breaches as well, PII information.

So anything that's related to that, I can add that to that particularly.

So what you see in a lot of the platforms, you get tags from the feed provider.

And so pretty much the threat intelligence provider takes the data from the feed provider.

And then, they transform them into certain metadata into tags.

So I stress a lot.

I've seen a lot.

It becomes inconsistent if there are multiple providers.

I stress to customers to create your own taxonomy.

So databases, making a subtaxonomy: Oracle database, Microsoft, Postgres.

And more importantly, the industry sector.

So who are they targeting?

Is it financial sector?

Is it health care?

Is it manufacturing, media?

So I can expand on this list.

If you have any questions, feel free to speak to me, and I can show you and share some taxonomies that I use in my day-to-day practice.

So this is an example of a taxonomy that is combined from a feed provider and from me.

So BleepingComputer probably was the source, credit card scammer.

Credit card theft was also already mentioned in the feed, but I applied data breach myself; the rest came from the feed provider RiskIQ.

So once the data comes into my platform, I create rules that if it has content that looks like data breaches, add my own taxonomy to it.

So then, I can start the triage in the next step by saying, if new data comes in that needs triage, add this to my workbench, and then I can start my analysis.

So as I mentioned earlier, rules help me to pretty much search for the content that comes into the platform.

So normally, and I think this is pretty much familiar to every analyst, there's so much data coming in that you want to focus on what you've set up as your objective.

So because I'm focused and I've created a data breach bundle, for anything that's related to data breaches, I create a rule so that I'm alerted on new intel.

So it is critical.

And I mean, all platforms today have rule functionality, so sit down and create your rules.

So this is some example: if content contains data breach or an Oracle database, you can apply a tag, data breach Oracle database.

If you have IPv4 or IPv6 addresses that contain the tags data breach and bank, apply data breach financial service.

So this is something.

This is just an example.

But try to expand as much as possible on rules.

What you'll see there'll be a lot of overlaps.

You're not going to get it perfect the first time, but it is important at least to start with a couple.

And depending how the data is populated within the platform, you can refine the rules to either make it more stringent or you could relax a little bit more.

So that is my advice to you.

Any questions at this moment?

Anything that's-- no?

So I have here my analyst workbench.

So if I have an IOC or a threat model that has the tag data breach and/or Oracle database or financial service, I feed it through to my workbench, and my workbench has the theme data breach.

And here, I can start my triage.

So this is quite straightforward.

I can add additional rules to populate the workbench if I wanted to.

But this is just a simple step for you to start getting familiar with using the workbench.

So this is an example.

So, like I said, if I wanted, my rules would add it to my workbench.

I might need to add a name to my workbench, and I can start: this IP address is there, these are name servers, email addresses, and you can just expand at that moment.

So do remember I had my enrichment sources and those are activated because I know this is my output of the input sources.

I can enrich and expand.

And then, I save it for analysis if I get more intel around that.

Pretty much coming to my conclusion.

Like I said, it was a short, pretty much to the point type of demonstration presentation.

So one thing I do recommend, before you even start working with a threat intelligence platform and you're starting up your CTI program, since it's pretty much the fundamentals of your CTI program: try to define the themes that tie back to your intelligence requirements.

So I give you example of data breach theme.

There's hacktivism, for example.

There is a financial crime, for example, depending if you're on financial services.

Think of generic threats to IT, so stuff you see every day on the internet [INAUDIBLE] such as CVEs.

You can make that one more generic threats to my organization, which should look at your asset database and see what assets we have, what products are installed in our organization, and tie that back up to, for example, the NVD database.

So when new CVEs come out and you do filtering [INAUDIBLE] that matches our product, Office, you get alerted and see whether that CVE applies to your assets.

Identify sources and analyze them.

So I think everyone does their due diligence by doing a POC with a feed provider.

And it should not only be a feed provider, but a threat intelligence provider as well, such as Anomali.

Analyze the data, understand where it's coming from, and what is the end result.

So there's a lot of open source feed data out there.

Some are good, some are not that good at providing context.

Analyze them.

See if it fits in your bundle.

And of course, you can try it out for the first time.

But if you realize you're getting too much noise, you know you probably need to look at another type of source.

I'll stress again, define a taxonomy.

I see people do not define a taxonomy.

I may raise my hand to say we're guilty because at Anomali we don't normally provide a taxonomy within the platform.

We do tell our customers that we have the functionality.

But normally, when I speak to my customers, given my background in CTI, I stress to them and I sit down with them to define a taxonomy for the organization.

So use your own taxonomy.

If you want to have some examples, I can show you a couple of them, as I have shown in this presentation, and I can pretty much give you some advice on how to define it.

Create rules and subsets to avoid too many observables in one workbench.

So you'll notice, as you start creating your rules for when I should be alerted on certain data, your workbench might get full.


This is a mistake that I made in the beginning.

I made a lot of rules, and I just added to my workbench.

And I went out one night, went to sleep, woke up the next morning, and my workbench was just full of IOCs.

And I was like, oh, OK, where should I start?

Try with small strict rules first, and then try to relax it.

So you don't want to be overloaded with work, looking at IOCs like, OK, was it this, or should I be focused on that?

Try to get as much a subset as possible.

And even if you have a theme on your workbench, try to make a subtheme as well.

So I have data breaches quite generic, but you can set data breaches that are targeting VIPs within my organization, or data breaches that are targeting my third-party vendors, or data breaches that are targeting the government sector.

So the geo location.

Try to make it not too generic.

Have a data breach theme, but then make it more subsets that applies, I think.

So that way your rules would be longer or stricter.

And then, you have content that really applies to that so your focus will not be diverted by other things.

Yeah, just like I mentioned, don't make one workbench.

Make multiple workbenches to subset the rules.

So yeah, that's pretty much it.

Like I said, make a generic theme.

These are quite easy.

In terms of themes, they're quite easy.

Look at your organization.

Look at the risks.

What is the stuff that you want to mitigate.

I'd just call off a couple that most companies use.

So it could be financial crime, data breaches, generic threats to IT, hacktivism.

Take those into consideration, and then you can start working out your workflow.

So just to go back, these slides are being shared if I'm not mistaken.

Try to take this process.

It's not clear cut, but it's the way I tried to explain to my customers, to get them a little more understanding about how to leverage a threat intelligence platform, or more importantly, the feeds.

The platform is a tool to help you to do the work, but the content is much more important.

So thank you very much and--
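The tagging rules and workbench routing described in the talk (content-based taxonomy tags, the IPv4/IPv6 plus bank rule, and the third-party and VIP subthemes), as an added Python example that is not part of the talk or of any Anomali product. The rule engine, the watchlists, the tag names and the four feed records are constructed for illustration; a real platform would apply the same idea with its own rule syntax.

```python
"""Apply an organization-defined taxonomy to incoming feed data with ordered rules,
then route tagged observables into themed workbenches (constructed example)."""
from dataclasses import dataclass, field

# Constructed watchlists: my own domains and the third-party vendors whose
# breaches I also want in scope (the speaker's "third party risk").
OWN_DOMAINS = {"example-corp.test"}
THIRD_PARTY_DOMAINS = {"shipping-vendor.test"}


@dataclass
class Observable:
    value: str
    itype: str                                  # "email", "ipv4", "ipv6", "domain", ...
    content: str                                # free-text description from the feed
    tags: set = field(default_factory=set)      # feed-provider tags, lowercased


def content_rule(keywords, tag):
    """Add `tag` when every keyword appears in the observable's content."""
    def rule(obs):
        text = obs.content.lower()
        return tag if all(k in text for k in keywords) else None
    return rule


def tag_rule(required, itypes, tag):
    """Add `tag` when the observable has one of `itypes` and all `required` tags."""
    def rule(obs):
        return tag if obs.itype in itypes and required <= obs.tags else None
    return rule


def email_domain_rule(domains, tag, requires=frozenset({"data breach"})):
    """Add `tag` to breach-tagged e-mail addresses whose domain is on a watchlist."""
    def rule(obs):
        if obs.itype != "email" or "@" not in obs.value or not requires <= obs.tags:
            return None
        return tag if obs.value.rsplit("@", 1)[1].lower() in domains else None
    return rule


# Rule order matters: the IP rule and the domain rules depend on the
# "data breach" tag that the first content rule adds.
RULES = [
    content_rule(["data breach"], "data breach"),
    content_rule(["data breach", "oracle database"], "data breach: oracle database"),
    tag_rule({"data breach", "bank"}, {"ipv4", "ipv6"}, "data breach: financial service"),
    email_domain_rule(OWN_DOMAINS, "data breach: my organization"),
    email_domain_rule(THIRD_PARTY_DOMAINS, "data breach: third party"),
]

# Themes are just sets of taxonomy tags; a subtheme is a narrower set.
DATA_BREACH_THEME = {"data breach", "data breach: oracle database",
                     "data breach: financial service"}
THIRD_PARTY_SUBTHEME = {"data breach: third party"}


def apply_rules(obs, rules=RULES):
    """Run every rule once, in order, accumulating taxonomy tags on the observable."""
    for rule in rules:
        tag = rule(obs)
        if tag:
            obs.tags.add(tag)
    return obs


def route_to_workbench(observables, theme_tags):
    """Return the observables carrying at least one of the theme's tags, feed order kept."""
    return [o for o in observables if o.tags & theme_tags]


# Constructed feed records standing in for SpyCloud / SixGill / social media output.
SAMPLE_FEED = [
    Observable("alice@example-corp.test", "email",
               "Credentials exposed in data breach of a SaaS vendor", {"compromised credentials"}),
    Observable("203.0.113.10", "ipv4",
               "Data breach: Oracle database dump of bank customer records hosted here", {"bank"}),
    Observable("cdn.example.test", "domain",
               "Domain serving a phishing kit", {"phishing"}),
    Observable("bob@shipping-vendor.test", "email",
               "Credential dump posted after data breach at logistics firm", set()),
]


def triage_sample():
    """Tag the sample feed and return what lands in each workbench (values only)."""
    tagged = [apply_rules(o) for o in SAMPLE_FEED]
    return {
        "data breach": [o.value for o in route_to_workbench(tagged, DATA_BREACH_THEME)],
        "third party": [o.value for o in route_to_workbench(tagged, THIRD_PARTY_SUBTHEME)],
    }


if __name__ == "__main__":
    for theme, values in triage_sample().items():
        print(f"{theme} workbench: {values}")
```

The phishing domain never reaches the data breach workbench because no rule gives it a breach tag, which is the subsetting the talk recommends; the third-party subtheme keeps a narrower list so the vendor-breach work is not buried among everything else tagged data breach.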

About Detect LIVE

We believe that threat intelligence holds the promise of allowing organizations to better manage risk and develop resilience. Detect LIVE, brought to you by Anomali, is a virtual event series that provides a platform for security executives, practitioners, and researchers to share insights and experiences related to threat visibility, detection, and response.