You’ve collected a lot of IOCs, but is your Cyber Threat Intelligence (CTI) process serving you well? Quantity alone doesn’t tell the whole story. What kinds of intel are you collecting and how useful is it for identifying incidents? What are your strongest areas and where are your gaps? Do you know enough about your priority threats to feel confident in your detection stance against them? These are hard questions to answer, and there’s little existing guidance for answering them.
Taking a case study approach, this session will teach attendees how to use models such as the MITRE ATT&CK framework and the Pyramid of Pain to analyze and visualize the quality of their collected CTI information, not just its quantity.
Attendees will learn:
1) How to load, normalize, and merge IOC data from disparate sources in your environment to make it ready for analysis
2) How to enrich the data with information from the Pyramid of Pain and the ATT&CK framework
3) How to visualize your collected threat intel to validate your collection strategy, to identify CTI strengths, and to prioritize closing collection gaps
4) Why you should do these things on a regular basis
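As an added example (not code from the talk or its notebook), the Python below carries out steps 1 and 2 of the list: it normalizes two constructed IOC feeds that use different field names and date conventions, merges and deduplicates them, tags each IOC with its Pyramid of Pain level, and summarizes IOC age per level against an assumed freshness budget so that stale low-level indicators stand out. The feed records, type aliases, freshness thresholds and the as-of date are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median
# Pyramid of Pain level per normalized IOC type, bottom (0, hashes) to top (5, tools).
PYRAMID = {"sha256": 0, "md5": 0, "ipv4": 1, "domain": 2, "url": 3, "mutex": 4, "tool": 5}
# Assumed freshness budget in days per level: the lower the level, the fresher it must be.
MAX_AGE_DAYS = {0: 30, 1: 60, 2: 90, 3: 180, 4: 365, 5: 730}
TYPE_ALIASES = {"sha-256": "sha256", "ip": "ipv4", "ipv4-addr": "ipv4", "domain-name": "domain"}
NOW = datetime(2019, 11, 1, tzinfo=timezone.utc)  # constructed "as of" date for computing ages
# Constructed feed A: US-style dates; last_seen is the last sighting of the IOC.
FEED_A = [
    {"type": "SHA256", "value": "ABCD1234", "last_seen": "10/25/2019"},
    {"type": "IP", "value": "203.0.113.7", "last_seen": "08/01/2019"},
    {"type": "Domain", "value": "Evil-Updates.example.", "last_seen": "10/30/2019"},
    {"type": "Mutex", "value": "Global\\svc_lock_01", "last_seen": "01/15/2019"},
]
# Constructed feed B: ISO dates and STIX-like type names; created is when the record
# entered the repo, which we accept here as an approximation of the sighting date.
FEED_B = [
    {"indicator_type": "sha-256", "indicator": "abcd1234", "created": "2019-10-28"},
    {"indicator_type": "ipv4-addr", "indicator": "198.51.100.23", "created": "2019-10-29"},
    {"indicator_type": "domain-name", "indicator": "evil-updates.example", "created": "2019-09-01"},
    {"indicator_type": "url", "indicator": "http://198.51.100.23/update.bin", "created": "2019-03-01"},
]
def normalize(ioc_type, value, stamp, fmt):
    """Map one feed record onto the common schema: type, value, observed (UTC)."""
    ioc_type = TYPE_ALIASES.get(ioc_type.lower(), ioc_type.lower())
    value = value.strip()
    if ioc_type in ("sha256", "md5", "domain"):
        value = value.lower().rstrip(".")  # case and a trailing dot do not change identity
    observed = datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)
    return {"type": ioc_type, "value": value, "observed": observed}
def merge_feeds():
    """Normalize both feeds and deduplicate on (type, value), keeping the newest date."""
    rows = [normalize(r["type"], r["value"], r["last_seen"], "%m/%d/%Y") for r in FEED_A]
    rows += [normalize(r["indicator_type"], r["indicator"], r["created"], "%Y-%m-%d") for r in FEED_B]
    merged = {}
    for r in rows:
        key = (r["type"], r["value"])
        if key not in merged or r["observed"] > merged[key]["observed"]:
            merged[key] = r
    return list(merged.values())
def summarize(records, now=NOW):
    """Per Pyramid level: IOC count, median age in days, and IOCs past their freshness budget."""
    ages = defaultdict(list)
    for r in records:
        ages[PYRAMID[r["type"]]].append((now - r["observed"]).days)
    return {lvl: {"n": len(a), "median_age_days": median(a),
                  "stale": sum(d > MAX_AGE_DAYS[lvl] for d in a)}
            for lvl, a in sorted(ages.items())}
```

With the constructed feeds, the two hash spellings and the two domain spellings collapse into single records, and the summary flags one stale IP (level 1) and one stale URL (level 3) while the much older mutex (level 4) is still within budget.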
I’d like you to review and identify gaps in what we know about our high priority threat actors going into peak [retail season].
Assigning the IOCs and TTPs to phases in MITRE’s ATT&CK™ lifecycle model allows us to see “where” in the lifecycle we know
Most of our CTI
process for gaining a foothold in the
We know little
happens before or
Assigning IOCs to the
level helps describe their potential volatility and
Put another way, we want to maximize our ability to increase the adversary’s cost of action against us.
We’re doing pretty well covering most of the Pyramid.
Looks like we need more info about
lifecycle phase vs. Pyramid level can reveal not only
Box plot of IOC age reveals your
“Banding” on the
Breaking down the ages by lifecycle phase gives more info about how current we are for
Analyzing it by Pyramid level is also useful in
ages to volatility.
The lower the level, the fresher your IOCs need to
Mapping the known TTPs to the ATT&CK
quickly shows strengths
White doesn’t imply a gap. Maybe the actor doesn’t do that thing.
I’d like to find
Challenge: CTI data in multiple repositories
What we did:
• Developed custom extraction for each and
• Manual review of priority actor wiki pages

Challenge: Data tracked by different repos is inconsistent, sometimes even when it looks the same (e.g., timestamps mean
What we did:
• Analyzed using estimates and approximations
• Custom merging/deduplication logic

Challenge: Converting a one-time analysis into a repeatable, automatable process
What we did:
• Captured code, documentation and graphs in a Jupyter Notebook
• Work is still ongoing…