By: Nicole Hoffman
If you work in cyber threat intelligence (CTI), you have probably at one time or another been tasked with writing an industry-specific cyber threat landscape report. I have performed several of these investigations whether it was for a request for information (RFI), a blog, a research project, or even a writing prompt for a CTI interview. These reports can be beneficial for a number of reasons:
- Highlighting the most common risks and trends, they offer a thorough picture of the present cyber threat landscape. By doing so, businesses may better identify the threats they might encounter and take precautions to reduce their risks.
- They can assist firms with setting priorities for their cybersecurity efforts. Organizations can direct their resources toward resolving the most important vulnerabilities and risks first by assessing the most urgent threats.
- They can provide actionable recommendations for improving an organization’s cyber security posture. Many reports include recommendations for best practices and tools that can be used to defend against specific threats.
- They can help organizations stay up-to-date on the latest developments in the cyber security industry including the techniques, tactics, and procedures of threat groups targeting the industry as well as trending malware.
The intelligence requirements (IR) for these reports can range from strategic to tactical in nature. I prefer to have a time period, such as the last three to six months, in there as well so I do not report on threats that are no longer relevant. If it is an industry that is not heavily targeted I may extend the time period to yield more case studies.
If you are unsure of how to format your report, here is a simple outline to use:
- Executive summary of key threats impacting the industry
- Discuss the trigger, or what prompted the investigation
- Education sector overview
- What is at stake / why the industry may be targeted
- Key threats facing the industry
  - Advanced Persistent Threat (APT) attack case studies, if applicable
  - Hacktivism, if applicable
  - Insider threats / negligence / lack of awareness / malicious (always applicable, but you may not always find case studies to mention)
- Techniques, Tactics, and Procedures (TTP) and tools and infrastructure used
  - This section would probably not be in a strategic report with an executive or non-technical audience.
  - For a tactical report, you could go into the weeds and even provide indicators of compromise (IOCs) at the end of the report.
  - For heavily targeted industries, I usually pick the most active groups to dive into.
- Impact on the education sector
  - I prefer to focus on financial, legal, reputational, and compliance impacts.
  - Draw from case studies
- Discuss the best practices for protecting from these threats.
  - Mention any tools that can be used to improve cyber security
I do not usually add a conclusion because I summarize the findings in the executive summary. I try to follow the bottom line up front (BLUF) style of writing so that the most important content is at the beginning of the report. I also always write the executive summaries last for this reason.
People outside of CTI are often surprised when I tell them I perform many investigations with information from publicly available sources. Proprietary knowledge bases or those behind paywalls are nice, but you can get by without them. I had little to no resources when I started in CTI and learned a lot by researching and collecting sources.
Within this blog, I am sharing some helpful resources I use when tasked with an industry-specific threat landscape report, both strategic and tactical. Whether you are a CTI analyst or curious about how to perform a threat landscape investigation, these easy-to-use resources may be beneficial or worth a bookmark for a later date. If I missed any that you know about, reach out to me on social media and let me know so I can update this blog to help the community.
Google is one of the best resources available to a CTI analyst. At one point there was some negativity associated with Googling things when you are unsure about something as if you are just supposed to remember all the things all the time. This is complete crap and this is the exact reason these resources were created. So never feel bad for using Google during your investigations.
Google dorking, also known as Google hacking, is the practice of using advanced search operators to find information that is not easily accessible through a regular Google simple search. It is important to note that dorking can be used for both legitimate and malicious purposes. So, please use responsibly.
To learn more about the specific operators, I recommend checking out this Hacking with Google blog by Shaistha Fathima on Medium. Fathima provides an excellent overview as well as some examples.
Here are some Google dorks I use for industry-specific threat landscape investigations using the Education sector as an example:
Grade schools, districts, or education sector for K-12
(“Education” | “school”) AND (“cyber attack” | “cyberattack” | “hack” | “breach” | “targeting” | “suffer” | “leak”)
(“Education” | “school”) AND (“ransomware” | “hit” | “suffer” | “shutdown” | “targeting”)
(“Education” | “school”) AND (“hacktivism” | “DDoS” | “deface”)
(“Education” | “university” | “college”) AND (“ransomware” | “hit” | “suffer” | “shutdown” | “targeting”)
(“Education” | “university” | “college”) AND (“cyber attack” | “hack” | “breach” | “targeting” | “suffer” | “leak”)
(“Education” | “university” | “college”) AND (“hacktivism” | “DDoS” | “deface”)
I prefer to do separate searches for general cyber attacks and ransomware attacks. Many cyber attacks in the news are ransomware attacks, but this is not always the case. The word ransomware can quickly create noise, so I recommend performing separate searches. You can also add -ransomware or NOT ransomware to ensure those results are removed.
Additionally, all of these queries can be broken down into shorter queries to narrow down the search. I wanted to provide some of the keywords I use that are often used in news articles and blogs. You can also add a location or year as a string to search for. [Example: “Education” AND “ransomware” AND “2022” AND (“US” | “United States”)]
If you are writing a tactical report with IOCs, you can use Google dorks to find them. Here are a few examples:
(“Insert ransomware group name”) AND (“IOC” | “Indicators”)
(“Insert malware name”) AND (“IOC” | “Indicators”)
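To show how the queries above are put together (sector synonyms in one OR group, threat keywords in another, joined with AND, then an optional year, location group and exclusions), here is a small added example in Python. It is not code from the original post; the function names, the use of straight double quotes, and the cartesian-product "split" are my own choices. The split function implements the suggestion that a long OR-heavy query can be broken into narrower one-term-per-group queries.

```python
# Added example: build the Google queries used in this post from keyword
# lists, and split a broad query into narrower ones. Not part of the original
# blog; function names are my own.
from itertools import product


def quote(term):
    """Wrap a term in double quotes so the search engine matches the exact phrase."""
    return f'"{term}"'


def or_group(terms):
    """Produce a ("Education" | "school") style group of alternatives."""
    return "(" + " | ".join(quote(t) for t in terms) + ")"


def build_dork(sector_terms, threat_terms, exclude=(), year=None, locations=()):
    """Combine a sector group and a threat-keyword group with AND.

    exclude   -> each term becomes a leading-minus exclusion, e.g. -ransomware,
                 which is how the post removes ransomware noise from a general
                 cyber-attack search
    year      -> appended as an exact string, e.g. "2022"
    locations -> appended as an OR group, e.g. ("US", "United States")
    """
    parts = [or_group(sector_terms), "AND", or_group(threat_terms)]
    if year is not None:
        parts += ["AND", quote(str(year))]
    if locations:
        parts += ["AND", or_group(locations)]
    parts += [f"-{t}" for t in exclude]
    return " ".join(parts)


def expand_dork(sector_terms, threat_terms, **kwargs):
    """Break one OR-heavy query into one query per (sector term, threat term) pair.

    Running these individually narrows each result set, as the post suggests.
    """
    return [build_dork([s], [t], **kwargs) for s, t in product(sector_terms, threat_terms)]


if __name__ == "__main__":
    k12 = ["Education", "school"]
    print(build_dork(k12, ["hacktivism", "DDoS", "deface"]))
    print(build_dork(["Education"], ["cyber attack"], exclude=["ransomware"],
                     year=2022, locations=["US", "United States"]))
    for q in expand_dork(k12, ["ransomware", "hit", "shutdown"]):
        print(q)
```

Note that `expand_dork` over two sector terms and three threat terms yields six queries; for the full lists in the post, the count grows quickly, so pick the pairs that matter rather than running every one.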
Publicly available knowledge bases
There are a lot of publicly available knowledge bases that I use for data collection regarding threats to specific sectors. Some of these might be duplicative of some Google dork results, but I am a person of routines so I usually search them anyway. Additionally, some of these resources are for tactical reports and identifying IOCs.
Navigate to the MITRE ATT&CK website and type the industry name into the search bar. Sometimes it takes a little bit to search, but it will show you all the times the industry is mentioned. Note that this information is not always the most timely as the ATT&CK team updates its knowledge base twice a year. However, you can often find some great information here. The resources listed at the bottom of each group or software page are also super helpful.
Palo Alto Unit 42
Palo Alto has two great resources that I use: the Playbook Viewer and the Actionable Threat Objects and Mitigations (ATOMs). If you navigate to the playbook viewer and select filter playbooks, you can filter by industry.
Once the playbooks are filtered, you can select one to see things such as targeted industries, information about previous campaigns, targeted regions, an ATT&CK mapping, and even IOCs. Note, I am not sure how often Unit 42 updates this.
To see the IOCs, simply click on indicators as seen below.
The ATOMs have not been around as long as the Playbook Viewer, but do not let their age fool you. The ATOMs are packed with useful information. My guess is the ATOMs viewer will replace the Playbook Viewer, but I do not know for sure. If you navigate to the ATOMs, there is a way to filter the results by industry on the left hand side as seen below.
Once filtered, you can select an ATOM such as the one listed below. You will find a summary within each ATOM as well as previous campaign information, targeted regions and industries, as well as an ATT&CK mapping.
AlienVault Open Threat Exchange (OTX)
If you navigate to AlienVault OTX, you can type an industry name in the search bar. There are several tabs of results as seen below. You may be tempted to select the industries tab, but searching results that way does not allow you to filter the time frame. You will get results from years ago that are no longer relevant.
Notice how long ago these pulses were created. Also, it is a good time to note that pulses are the format the OTX community uses to share information about threats.
Instead, I prefer to search the industry name in the search bar and focus on the pulses tab as seen below. Within this tab, you can filter to recently created. While I have had good luck, it is important to note that any of the OTX community members can create pulses. Perform your source reliability assessment.
Once you select a pulse, you can find information such as a summary of the threat, a link to a blog or source, related pulses, and some useful tags.
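The two habits described above, keeping only pulses created within the report's time window and flagging pulses that carry no source link for a reliability assessment, are easy to automate once you have pulse data in hand. The following is an added example, not code from the post or from AlienVault. The pulse records are constructed sample data; their field names (`name`, `created`, `modified`, `tags`, `industries`, `references`) follow the shape OTX pulses are commonly exported in, but treat that as an assumption rather than a guarantee of the API's JSON.

```python
# Added example: filter a list of OTX-style pulses to a recent time window,
# optionally to one industry, and flag pulses with no references to review.
# Sample pulses are constructed for this example and are not real OTX data.
from datetime import datetime, timedelta, timezone

SAMPLE_PULSES = [
    {"name": "Ransomware hitting K-12 districts", "created": "2023-01-15T10:22:00.000000",
     "modified": "2023-01-16T08:00:00.000000", "tags": ["ransomware", "education"],
     "industries": ["Education"], "references": ["https://example.invalid/report-1"]},
    {"name": "University phishing wave", "created": "2022-11-02T12:00:00.000000",
     "modified": "2022-11-02T12:00:00.000000", "tags": ["phishing"],
     "industries": ["Education"], "references": []},
    {"name": "Old campaign against schools", "created": "2019-03-05T09:00:00.000000",
     "modified": "2019-03-05T09:00:00.000000", "tags": ["apt"],
     "industries": ["Education"], "references": ["https://example.invalid/old"]},
    {"name": "Retail card skimming", "created": "2023-01-20T00:00:00.000000",
     "modified": "2023-01-20T00:00:00.000000", "tags": ["skimmer"],
     "industries": ["Retail"], "references": ["https://example.invalid/retail"]},
]


def parse_ts(value):
    """Timestamps in the sample have no zone suffix; treat them as UTC (assumption)."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def recent_pulses(pulses, months=6, now=None, industry=None):
    """Return pulses created within the last `months`, newest first.

    `months` is approximated as 30-day blocks, matching the post's habit of a
    three- to six-month window. `industry` restricts results to pulses whose
    industries list contains that name (case-insensitive).
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=30 * months)
    kept = []
    for p in pulses:
        if parse_ts(p["created"]) < cutoff:
            continue
        if industry and industry.lower() not in [i.lower() for i in p.get("industries", [])]:
            continue
        kept.append(p)
    return sorted(kept, key=lambda p: parse_ts(p["created"]), reverse=True)


def pulse_summary(pulse):
    """Compact record for a report's working notes, with a flag for pulses
    that cite no source and therefore need a source reliability assessment."""
    return {
        "name": pulse["name"],
        "created": pulse["created"][:10],
        "tags": sorted(pulse.get("tags", [])),
        "sources": list(pulse.get("references", [])),
        "needs_source_review": not pulse.get("references"),
    }


if __name__ == "__main__":
    as_of = datetime(2023, 2, 1, tzinfo=timezone.utc)
    for p in recent_pulses(SAMPLE_PULSES, months=6, now=as_of, industry="Education"):
        print(pulse_summary(p))
```

Passing `now` explicitly keeps the filter reproducible when you revisit a report: the same cutoff date yields the same set of pulses regardless of when the script is rerun.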
Secureworks Threat Profiles
Secureworks has some threat profiles publicly available on their site. Although you cannot filter by industry, you can type the industry name in the search bar. This will return all the profiles that mention that industry. I am not sure how often these are updated. I recently learned about this source.
Electronic Transactions Development Agency (ETDA)
The ETDA has a threat actor encyclopedia that allows you to filter by victim sector. If you navigate to the site and click on search, you can use the drop-down for the victim sector. You will see all of the threat actors they have targeting the specific sector as seen below.
When you select a threat actor, you will see information such as different aliases, motivation, targeted industries, tools used, and information about previous campaigns, among other useful information. I am not sure how often this information is updated.
BleepingComputer is my favorite source for consuming cyber news. The company has been around for a while making its site a treasure trove of knowledge. When performing industry-specific threat landscape reports, I will navigate to the site and type the industry name into the search bar. Next, I like to click on the latest news as seen below which will show you all of the articles they have with the industry tagged.
This is not only useful for finding timely stories for your report, but it is also useful to look back at older stories. If you do not have your own knowledge base to look back on for threat actor/group and malware tracking, you can search here.
If there are any sources that I missed, please comment or message me on social media so I can update the blog and give back to the community. I want to take a moment to thank all the companies I have mentioned that provide this valuable information free of cost to the public. It helps more people than you may realize.
When I started in cyber security, I learned so much from open-source tools and publicly available knowledge bases. I have a mission to give back to the community and make lives easier for analysts just starting. Let me know if you enjoyed this blog. I can do more like this one in the future.