On 8 August 2021, the cyber threat intelligence panel "Threat Report Roulette" was live streamed by the Blue Team Village at DEFCON29. Threat Report Roulette was invented by the fabulous @Ch33r10 and began as a fun game, which quickly turned into a very interesting and useful discussion about the different corners of CTI.
Firstly, on behalf of everyone who took part, we would all like to say a big thank you to @Ch33r10 for hosting and inviting us along, to the other participants, and to the Blue Team Village for offering us the time. We were honored to have three Curated Intelligence members take part in the discussion: myself, @0xDISREL, and @Ch33r10.
The rules of Threat Report Roulette are straightforward: the wheel spins, and one of the analysts explains what steps they would take to get the most out of the information provided and take the threat report "to the next level". This is a key skill for CTI analysts and an important part of the 'value add' that CTI services offer on top of OSINT threat reports. It is our job, as researchers and analysts, to explain what is going on and why it is important, as well as to pivot off the findings in a meaningful way to share more useful insights.
"There are some particular things that I would key in on for creating custom indicators, aside from static hashes and IPs and domains, that we all know change pretty rapidly. In this case, REvil use Excel to call WMIC.exe. There's no reason why an Excel document should ever be calling that in a normal environment, unless some developer built their own custom tool, which should be whitelisted in some way. REvil also make some registry modifications and create a RunOnce key with an asterisk (*), so it will also boot up in safe mode. This would be another thing I would alert on, as this isn't something a user or an admin is going to make changes to under normal circumstances." - Chris Russel (@cr00ster)
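The two detection opportunities Chris Russel describes, as an added example that is not code from the panel or from Curated Intelligence: a small rule set run over constructed, simplified Sysmon-style events. The field names, sample events and allowlist are assumptions, and the first rule is generalised beyond Excel to the other Office host processes.

```python
from pathlib import PureWindowsPath

# Constructed sample telemetry (simplified Sysmon-like dicts; the field names
# are assumptions, not a real product schema). Event 1 = process creation,
# event 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wbem\WMIC.exe"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe"},
    {"id": 13, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "*update", "data": r"C:\Users\Public\update.exe"},
    {"id": 13, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "Installer", "data": r"C:\ProgramData\vendor\setup.exe"},
]

# Generalised beyond the Excel case in the quote: any Office host process.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Full parent paths of internal tools that legitimately shell out to WMIC
# (the "whitelisted" developer tool in the quote); assumed empty here.
ALLOWED_PARENTS = set()


def office_spawns_wmic(ev):
    """Office application directly spawning WMIC.exe (not on the allowlist)."""
    if ev.get("id") != 1 or ev["parent"].lower() in ALLOWED_PARENTS:
        return False
    parent = PureWindowsPath(ev["parent"]).name.lower()
    image = PureWindowsPath(ev["image"]).name.lower()
    return parent in OFFICE_HOSTS and image == "wmic.exe"


def runonce_safe_mode_entry(ev):
    """RunOnce value whose name starts with '*': Windows runs such entries
    even when the machine boots into Safe Mode."""
    if ev.get("id") != 13:
        return False
    key = ev["key"].lower()
    return key.endswith(r"\currentversion\runonce") and ev["value"].startswith("*")


def detect(events):
    """Apply both rules to every event; return (rule_name, event) hits in order."""
    rules = {"office_spawns_wmic": office_spawns_wmic,
             "runonce_safe_mode_entry": runonce_safe_mode_entry}
    return [(name, ev) for ev in events for name, rule in rules.items() if rule(ev)]


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(name, ev)
```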
This was followed by the second stage of the game, where the CTI stakeholders come in. Once the analyst has offered their interpretation of the threat report, the stakeholders elaborate on how they would use those insights to secure their environments. This discussion did a great job, in my opinion, of bringing the intelligence life cycle to life.
"This one is very interesting because it actually involves more than just going into the network and trying to hunt. It involves working with your organisation to put out a message as far as dealing with fake call centers." - Danny Henderson Jr. (@B4nd1t0_)
Our stakeholders included SOC managers, penetration testers, threat emulators, incident responders, executives, and other researchers. The discussion around each report brought up more and more interesting aspects that I had not considered before. There were great talks going deep into detection opportunities and into testing defences by simulating what threat actors are doing in the wild.
What Threat Report Roulette further demonstrated to me was that intelligence is ubiquitous and that everyone's intelligence collection plans (ICPs) are different. As a security researcher, it brought home to me that although CTI may seem like one abstract corner of cybersecurity, it is applicable at almost every level. When writing intelligence reports it is important to be clear and concise. However, it can also pay to cater to a wide range of audiences by including as much useful key information as possible. The DFIR Report was praised several times for doing just this: it caters to the needs of a number of infosec disciplines and is highly beneficial to all of them.
The panel also discussed the ingestion of raw intelligence, such as IOCs, TTPs, new malware families, or disclosures of threat actor activity. This uncovered the differences in our intelligence collection plans and priority intelligence requirements (PIRs). For me, as I work for a CTI vendor, my PIRs are fairly different from those of our other Curated Intelligence member, 0xDISREL. We may both actively track the top threat groups, such as WizardSpider or Nobelium. However, I will write an incident report and update the documentation in my firm's threat actor database, whereas 0xDISREL may use the latest information to support other aspects of the business he works for, such as ongoing incident response engagements, or to directly inform the security operations center about the latest TTPs to watch out for.
I hope you will enjoy our CTI panel and Threat Report Roulette as much as we did.
More information about Threat Report Roulette is available in @Ch33r10's GitHub here