I plan on discussing the pain points to threat intel and sharing that this presentation is not for the Microsofts and Targets of the world but instead for the orgs that want to get more value out of their small CTI team. I'll discuss why true attribution is a bad idea for most organizations with real world examples. Then, I will provide real world examples of how TTPs can help an organization better by knowing the What and How (TTPs) versus the Who and Why (true attribution). I'll show examples of how an org can build out an adversary detection pipeline starting with the attack data in their mail and expanding out to the WAF attack data and tickets with the SOC/DFIR. A discussion of mapping MITRE ATT&CK ttps and how to find the specific procedures. Next, there will be real world examples of adversary detection pipelines and how purple team exercises can be run from threat intel specific to the org's attack data. Finally, a discussion of reporting for management/department that is possible as a result of the adversary detection pipelines. Main takeaways: Squeeze more value out of the data you are already collecting, Showing how any organization can leverage threat intel through adversary detection pipelines, regardless of internal skill sets or experience, Heatmaps for threat actor campaign volume, multiple year tracking, delivery rate, click rate, and more used to prioritize Hunt, Red Team, and Blue Team actions with respect to Threat Actor Activity, Intelligence driven hypothesis creation for threat hunting, How to operationalize adversary detection pipelines to enhance red team & purple team activities, particularly to improve adversary emulation/simulation, RELEVANT red team ops, Higher fidelity alerts for the SOC with less false positives.

Citation: Shin, B., & Lowry, P. B. (2020). A review and theoretical explanation of the ‘Cyberthreat-Intelligence (CTI) capability’ that needs to be fostered in information security practitioners and how this can be accomplished. Computers & Security 92(101761), pages 1-16. https://doi.org/10.1016/j.cose.2020.101761

1. CTI - Prioritized Collection and Research for Relevant Threats
2. CTI ANALYSIS - Analysis and Preparation of Deliverable
3. OTHER TEAMS - Red, Hunt, Purple, SOC, Detection Engineering ACT on CTI provided context
4. FEEDBACK/INPUT - Communication and Collaboration
5. RINSE & REPEAT

The resources below are pointers...all you gotta do is pull that string and keep pulling.

📻ATTRIBUTION

• Brian Bartholomew & Juan Andres Guerrero-Saade. Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks - Link
• Jake Williams. Conducting a Successful False Flag Operation. BlackHat Europe 2019 - Link
• Jason D. Jolley. Attribution, State Responsibility, and the Duty to Prevent Malicious Cyber-Attacks in International Law - Link
• Katie Nickels. The Attribution Game: When Knowing Your Adversary Matters - Link
• Robert M. Lee. The Problems with Seeking and Avoiding True Attribution to Cyber Attacks - Link
• Thomas Rid & Ben Buchanan. Attributing Cyber Attacks - Link
• Tim Maurer. Cyber Mercenaries: The State, Hackers, and Power - Link

🦾TTPs

• Adam Pennington. Emulating an Adversary with Imperfect Intelligence. DEF CON 28 Red Team Village - Link
• MITRE ATT&CK TTP Training - Link
• MITRE ENGENUITY - ATT&CK Evaluations - Link

🔥CYBER THREAT INTELLIGENCE

• Amy Bejtlich. Analytic Tradecraft in the Real World - Link
• Bongsik Shin and Paul Benjamin Lowry. A review and theoretical explanation of the ‘Cyberthreat-Intelligence (CTI) capability’ that needs to be fostered in information security practitioners and how this can be accomplished - Link
• Brian P. Kime. Threat Intelligence: Planning and Direction - Link
• MITRE ATT&CK - Link
• Rebekah Brown & Robert M. Lee. The Evolution of CTI: 2019 SANS CTI Survey - Link
• Scott J. Roberts. CTI Squad Goals-Setting Requirements - Link
• Sergio Caltagirone. Building Threat Hunting Strategies with the Diamond Model - Link
• Sergio Caltagirone, Andrew Pendergast, & Christopher Betz. The Diamond Model of Intrusion Analysis - Link

👑DETECTION ENGINEERING

• Detection Ideas Repo by Vadim Khrykov @BlackMatter23 - Link
• Sigma Rules Repository - Link
• YARA Rules Resource - Link

🕶DFIR

• Ali Hadi's DFIR Resources - Link
• The DFIR Report - Link

🌎HUNT

• Ch33r10's Twitter Threat Hunting List - Link
• David J. Bianco and Cat Self. SANS Threat Hunting & IR Europe Summit 2020 - Link
• David J. Bianco. The ThreatHunting Project - Link
• Joshua Stevens. Hunting for the Undefined Threat: Advanced Analytics & Visualization. RSA Conference 2015 - Link
• Matt Bromiley. Thinking like a Hunter: Implementing a Threat Hunting Program. SANS Analyst Paper - Link
• Robert M. Lee and David J. Bianco. Generating Hypotheses for Successful Threat Hunting. SANS Analyst White Paper - Link
• Roberto Rodriguez. How Hot is your Hunt Team? - Link
• Roberto Rodriquez. ThreatHunter Playbook - Link
• Valentina Costa-Gazcon. Practical Threat Intelligence and Data-Driven Threat Hunting - Link

👾MALWARE ANALYSIS

• Coleman Kane. Malware Analysis - Link
• Monnappa K A. Learning Malware Analysis - Link

🌠PURPLE

• Ch33r10's Purple Team Exercise Idea Queue - Link
• Ch33r10's Purple Team Resources - Link
• Jorge Orchilles. Purple Team Exercise Framework Workshop - Link
• SCYTHE’s Purple Team Exercise Framework - Link
• SCYTHE's Community Threats - Link

👹RED

• Atomic Red Team by Red Canary - Link
• C2 Matrix - Link
• Joe Vest & James Tubberville's Red Team Development and Operations - Link
• Red Teaming Techniques & Experiments - Link
• SpecterOps Blog - Link
• Vincent Yiu's Red Team Tips - Link

🎵RESOURCES

• Attack2Jira by Mauricio Velazco and Olindo Verrillo - Link
• Ch33r10's Field Classifications Contribution for Attack2Jira by Mauricio Velazco and Olindo Verrillo - Link
• MITRE CAR - Cyber Analytics Repository - Link
• MITRE D3FEND - Link
• MITRE SHIELD - Link
• MITRE ATT&CK Navigator - Link
• NIST Cybersecurity Framework, MITRE ATT&CK v8.2, & CIS Controls v8 CSV (Mappings Compliments of CIS - Center for Internet Security) - Link