
A Gentle Introduction to Build a Threat Intelligence Team

BSides Budapest · 2020 · 46:31 · 67 views · Published 2021-01
Style: Talk
About this talk
This presentation was streamed at #BSidesBUD2020 Online IT Security Conference. All rights reserved. https://bsidesbud.com

Hello everyone and thank you for joining. I'm Anastasios and in this presentation I'm going to talk about an introduction to building a Threat Intelligence Team. The talk is more for the new people in the area, so people that are starting to learn and they want to understand the process and more or less what it entails to build a Threat Intelligence Team. Also, before I start, a big thanks to the BSides team that managed to organize the event and still pull it through, although we had all of the challenges that we had with the pandemic. So, first of all, a disclaimer. Everything you are going to hear is my opinions and of course they do not represent my employer. I have used many different sources for

what you are going to see and of course my experience as well in that space. And talking about that, I'm currently working as a principal security engineer at Booking.com and I have done a few other things. Some people might know me from a blog that I have been writing for some time or my Twitter that used to be more active than it is now. And for the last probably 5 years I have been focusing more and more on threat intelligence that includes both doing a lot of trainings but also helping implement that team in very large companies and in smaller companies as well and being part of the community. Now what we are going to talk about today in this presentation it is first of all the

definition to make sure we all speak the same language. You might see definitions like TI or CTI, I can use them interchangeably in this context. It could mean threat intelligence or cyber threat intelligence, but for our purpose it is fine to use them as one. In reality there is a small difference but it doesn't matter for this presentation. Then we're going to go into how to build such a team, some very introductory concepts in threat intelligence, what you should be aware of and things that can really help you in that journey. So without any other introductory slides, let's start with the definitions. So what is threat intelligence? The easiest way to do that is split the two words in the two different

parts, threat and intelligence, and try to define them with the best industry standard terms that we have today. So starting with the threat. It is very vague but in reality it has a very simple definition. So in order to consider someone being a threat and eventually even if we talk about malware or if we're talking about phishing or any sort of campaign eventually there is a person behind it. So a threat is a person and you typically hear that being referred to as an actor or a group. A threat actor or a threat group. That threat actor or threat group, in order to harm somebody, whether this is again a phishing campaign, taking over an account, a targeted intrusion, it doesn't matter. They need to

be able to do that. They need to have the capability to do that. That means the technical knowledge, the tooling, the infrastructure, they need to be capable of pulling this through. So this is the first part of what a threat is. The second part is the opportunity. And once again it doesn't really matter if they are the most capable threat actor out there if they never have the opportunity to use their capabilities. And if someone has both of these, it is a potential threat. And think about it also, someone, let's say, has a zero-day vulnerability for some software or hardware that you use and you also expose this in a way or another to the internet, so then suddenly that actor becomes a potential threat for you.

Now to be a full threat, like a real real threat, they also need to have the intent to do that. And if you think about it, there are many, many, let's say, advanced threat actors out there that have the capability and opportunity to compromise many systems, but they don't do it because they don't have the intent to do that. And you can see also in that slide all of the intermediate stages, what could be an impending threat or an existential threat. But the easiest way to clarify what a threat is, is someone with an intent to harm you that has the intent, capability and opportunity to do that. This is key throughout this process since with the amount of information that is flowing around today it

is very easy to have countless reports and updates and information about different threats that are out there, but unless that is a threat to your business it's not really relevant. It might be relevant for situational awareness for your team, but to share it with the rest of the security teams or other stakeholders, it is not always relevant. And that clears out hopefully what threat means in the threat intelligence. And now we go to the second part, the intelligence. Let's say an easy definition is to understand the enemy and help anticipate future attacks and support planning for a response. This is the goal of what intelligence should be doing. They should be driving proactive controls more or less. And the key part in this definition is

this one: the future. What you are after when you are doing threat intelligence is defining what will happen in the future if no actions are taken. Whether this is, let's say, a threat actor that has been targeting you and now they started using a new malware, so suddenly you should adjust, let's say, your controls to cater for this malware, or they started using a new phishing kit that, let's say for example, suddenly it blocks your sandbox in a way. In any case, the concept of intelligence is that you are looking at the proactive side of security. And the intelligence by itself is not going to help you do any of that, but it can support to make a response. Intelligence doesn't include

the response part. And intelligence is not a new concept, it's not a new concept at all, it has been around for a very very long time, probably it is one of the earliest jobs that was out there. And this is a nice quote from the Art of War, that "If you know the enemy and know yourself, you need not fear the results of hundred battles" and more or less it refers to intelligence. Especially the part "Know the enemy" is exactly that. How can you know the enemy if you don't have intelligence on your enemy? In the more modern language that could be a threat actor. How can you know the threat actor if you don't have intelligence on them? For the same reason... Before I go

in there, another part that is confusing a lot of people is this one. Intelligence is not a single thing and depending on the context it can change. There are two sides of it. One is: what do you produce? So let's say you wrote a report for a threat actor or you are sharing some indicators of compromise for a new ransomware. All of these are intelligence products. At the same time, all of the steps that you took to make those something actionable and share it, it is also intelligence. It's the intelligence process. So depending on the context, you might hear one or the other, but it should be quite easy to distinguish which one is being mentioned at this time. And I'm going to also go a little

bit into both of them. Now, in the product, yes, typically you have reports. It is the most, let's say, common approach for intelligence products and probably one of the oldest ones that has been around for probably hundreds of years. Then you have briefings that again it depends on the audience and what they prefer, bulletins that are more informal or you might provide full detection packages. Let's say a threat hunting package for this threat actor which includes all of the IOCs, the TTPs that they use and people can use it in their different platforms. So let's say if you're using a certain product you can create detection packages for that product. Now the product is dependent on your audience. It doesn't really matter what you like,

what matters is what your customers like to see. And by customers I mean anyone that can request intelligence from your team. If they prefer a briefing, you can deliver the intelligence in a briefing. If they prefer an informal email, you can do it via email. Keep this in mind that there is no wrong or right answer in the intelligence product, it is what works for your customers. And the process, it is a very old concept but still works just fine. So as you can see this is from Operation Security Threat Handbook from 96 and the same intelligence cycle that you see here is the same intelligence cycle that is used today in almost any threat intelligence team and also almost any intelligence agency if we're

moving outside of the threat intelligence aspect. It's called the intelligence cycle and I'm going to go more into that on a step by step so it will be clearer in the next few slides. Now, okay, probably we all speak the same language when we say threat intelligence by now. But why is it important? Why do we even care about dedicating resources, cost, time to have a team doing that? The reason is simple. So let's take a real world scenario, like a physical world scenario. Let's say that we live in an area that there are a lot of home intrusions. And you move just in that area. So you have heard in the news, okay, there are

a lot of break-ins in that neighborhood and you just moved in. Wouldn't you really love it if you knew how those break-ins happen? How the thieves are getting into the house? Do they use the doors? Do they break the windows? I don't know, do they climb on the balconies and they get in? Like who is doing that? Is it, let's say, an organized crime group that is like a mafia? Or is it a few individuals that are just starting to do that recently? That changes a lot your perspective if you think about it. Like if you are going to protect your house against the mafia, yeah probably you don't have as many chances as if it was, let's say, a random guy that just breaks in with a

window and tries to get in. Then another important piece of information would be what are they after? Then you know, okay, these are the things that I have to protect or these are the things that I have to demonstrate to the world that I don't have, so that my house suddenly is not an attractive target. Then another important thing is when do they do it, what time of the day? Do they do it when people are at home, do they do it at night, at day? Now, all of that is actual intelligence. It is real valid questions and typically in the intelligence world all of these questions are referred to as intelligence requirements. The reason why they are referred to as intelligence requirements is because

they are given to an intelligence team as a requirement to find answers to them. So if you had all of this information, it could be very, very valuable. But going back to the cyber side, When can you say that "Okay, now is a good time to start into looking at this area, start looking into what we can find proactively before it even happens?" And to be honest, in some cases it might not happen. It doesn't mean that you are going to always be producing intelligence products that are directly to the point. You will have a few misses and that's fine, you can learn from them and improve in the future. An excellent resource that you can use for that is from Robert Lee from

2015 and he calls it the sliding scale of cybersecurity. This is more or less how most of the organizations mature throughout the years in the development of their security departments. Typically this is how it works. I'm pretty sure that there are exceptions, pretty sure that people have started in different points in that space, but that should cover the majority of the cases, so I'm going to use the same tool that Robert Lee uses. Typically you start with the architecture, so you go to a company, let's say there is no security team and now the security team starts. What do you do? You try to see, okay, what platforms do we use? What is our software stack? What do

we have in place? How are networks interconnected? So more or less, what are the architecture side of the things that you can secure? Then you go a little bit into the passive defense. So passive defense means things that you can deploy and they don't require human interaction to continue operating. So let's say some firewall policies that you deployed and you might once in a while have to update them, but in general they are working on their own. Or let's say an anti-malware solution. Again, you deployed it, 99% of the times you don't have to do a lot of work after that. Most of the organizations after they have gone to that stage, they are

going into a stage which is more on the active defense and it means you go into all of this, you have a security operations center that has their SIEM product or something like that, where they are constantly looking for different alerts, they can create new detections. Nowadays, threat hunting is also very common, where you have people going after and hunting for threats in the network. So at that stage, you are able to identify more things, but you also dedicate way, way more resources. And this is already a pretty good state for a lot of companies, and they don't even need to go beyond that. So just to be clear, it doesn't mean that

you have to go all the way to the offense. Those are just how most of the organizations grow throughout the time. The next step that you have is the intelligence, which is what I'm talking about here. And in that area what you're trying to do is, "Okay, I'm not caring just stopping an attack. I want to understand why this attack happened, who is doing this attack, and who we are going to talk about it later." It's a very interesting area. And also, Can I do something to proactively inform the active defense side that, okay, maybe you should focus in that area because let's say there is a lot of activity in our industry in that area. For example, let's say that we're in an industry that suddenly there

are a lot of attacks on their VPN gateways. Then maybe you should focus more on VPN gateway security. Do we have everything in place? Do we have the visibility we need? Maybe do a threat hunt in that area. And if you manage to master that level, which is pretty expensive and again, many organizations don't even need to go that far, but again, if you need to do that, it is a nice addition to your maturity. And if you want to exceed that you can go to the offensive side, and by offensive I don't mean hacking back, unless you are authorized to do that, which could be very unlikely unless you work for government agencies that are authorized to do these things. In any other

case, offense could be other things, so think about legal actions. You can easily go to your local cybercrime unit or your local authorities in general and report different cases that you have with all of the incriminating evidence. So in case they manage to catch these people, well, suddenly you are also helped in that bit. Helped in that effort a little bit. Also, there are other things that you can do that some companies are starting to do recently. Like, you can see, I'm not going to name companies, but in any case, if you look around you will see a lot of nation-state sponsored attacks, like what is typically referred to as APT groups, being reported by private companies. And that also has the offensive purpose in terms of, "Okay, I cannot

hack you back, I know that you are a foreign government, I cannot do much even if I report it to law enforcement, but I can at least do the blaming and shaming thing that "okay look at these people and what they are doing". All of these are offensive actions that are very very costly, very very time consuming and they are more risky. If you think about the reputation, that something might be phrased a little bit in a strange way and suddenly the press takes it over and it could end up really badly. Also let's say that someone managed to get arrested. Then you have all of the additional costs where you need to have lawyers,

you need to have a lot of forensics from your company and evidence that needs to be provided in the court. So don't think that this is a cheap, let's say, improvement area. And the same goes also for intelligence. Like the more you go to the right of this sliding scale, the more expensive things become. And now I'm going to talk about the intelligence cycle that I mentioned briefly earlier and it's the guiding line for most of the intelligence operations, how things are moving. The cycle is relatively simple and the important part to remember in this one is the feedback loop at the end. I'm going to go again in more detail on the next steps but in general you have your planning, your

collection, processing and exploitation, analysis, dissemination and feedback. Now I'm going to go quickly through each one of them, of the five stages, just to make it as clear as possible especially if you're starting in that journey. So the first part is the intelligence requirements that I mentioned previously. You have a few questions that you have to make as specific as possible and to be honest, especially if you are starting a new team, it is very likely that no one around you will know what a good intelligence requirement is. That means that initially probably you have to define them for yourself and eventually as you get more people understanding what you do, what you can offer, start adjusting them to the actual business needs.

What can you do to start with? You can have intelligence requirements such as what are the threats in my industry? What are the critical assets that I have? So let's say if your critical assets are a specific ICS product then start focusing on what threats are for these products. If it is a certain software start focusing on that. Then try to find out, okay, what exposure do you have? How can someone get access? Is it like only via the internet? Is it through, let's say you have a lot of connections with many different other companies because you offer a service, then suddenly your exposure might be different. Or let's say that you have a supply

chain, so then your exposure, it could be that you have a lot of people bringing in different components that you have to put together, whether this is hardware or software, so it might be that one of them has an issue. And another good thing could be, okay, what are the well-known adversaries that are operating in this space? Is it mostly cyber criminals? Is it mostly, let's say, I don't know, like APT groups? Try to find out these things and you can start looking into these areas. But the most important tip from my side and my experience is start very, very small. It goes back to the thing that I mentioned in the beginning. There is so much information nowadays being shared by anyone

from security companies to security researchers, companies that are not into threat intelligence but are still doing a lot of security work publicly. Even governments, they have a lot of organizations that are sharing also publicly a lot of information. It is very easy to get overwhelmed. So try to start very small, especially since probably it will not be your full time job in the beginning. Now that you have an idea of what to go after, your intelligence requirements, you can go to the collection. And remember that this, the intelligence requirements drive collection. That means that depending on what you decide to look after, you could look for different sources. So you could look at, let's say, who logs into my VPN, what firewall logs

did they have, what, let's say, alerts did they have, authentication successes or failures from an Active Directory LDAP, email logs like headers if you are looking for phishing, for example. If you are looking for some sort of exfiltration or something like this, one of the most valuable sources is passive DNS logs. It is usually very, very low additional capacity that is needed in terms of loading, but it provides a great value, a really great value, especially when you're doing historical searches. And you might be surprised, but it's very common when you're doing intelligence work, since you might now find, let's say, that there was a leak of some malware and suddenly you can go back and look

in your environment and see, okay, one year ago I actually had this malware there but I wasn't able to detect it. And yeah, passive DNS logs are very, very useful. Then dark web monitoring, again there are open source solutions, there are proprietary solutions, there are many different things that you can use for that, and those are just a few examples since the collection is purely driven by the intelligence requirements and, as you can easily deduce, that means that it can vary a lot. It could be even interviewing people, talking to different people in different areas to understand how they work, what they do. Just keeping this in mind. Collection, it is just how can I answer the questions that I have from the first

phase. Also, another important part in the collection is you shouldn't really care at this point about how the data are collected. And what I mean by that is not like doing that in any illegal manner, but I mean you shouldn't care so much about what format do they have or how I'm going to use them, at least for now. Of course as you get more mature that becomes part of the process but especially in the beginning focus more on the content and less on the processing side. And the reason for that is also because the next part, the third step in the cycle is the processing and exploitation. And this means exactly that, that from the operational environment that you defined you collect a lot of data. This is

the first part that you see over here. So you collected a lot of data, but this is really just data. So what you have to do now is to do the processing and in our world, in the cyber side, that probably means reformatting them or importing them somewhere where you can search them, index the data, things like that. And then when you have this actual information, that means that you can use that to start answering some questions. And when you do that you can actually start your analysis to produce the final product, the intelligence. Also, yeah, this photo over here is not mine. It's again from a joint intelligence manual from the US government. It is publicly available. It's a very nice document if you want to read

it. It goes through a lot of details about the process for intelligence. And you will be surprised that everything that you do, whether this is threat intelligence for your company or military intelligence in their case, the process is more or less the same. It doesn't change. Yes, you are looking at different intelligence requirements and your collection apparently will be very different, but the process itself is the same. Now, how can you do that? The processing and exploitation? Typically you have a central repository where all of the security events are being logged and this is very helpful, probably you know that also from incident response if you are in a security team, since it allows you to correlate events quickly, do the historical searches that I mentioned

earlier, more or less have a good situational awareness of your environment. So this is where most people start with. It could be a SIEM. Or it could be, like MISP is a very popular product especially in most of the European countries. It's an open source project created by the French national CERT. It is widely used. If you're not familiar with it, I definitely recommend you to go and look at it. What you typically do is you add all of your indicators in there and then you can add tags, you can have sharing with different MISP instances, it automatically does correlation for you. So let's say you added a security event that was also spotted a few months ago,

it can do that thing for you and tell you "Okay, you added the malware but I have seen that also in that security event". It is very helpful if you are not familiar with it. And of course there are also dedicated products that are called TIP, Threat Intelligence Platform. And one of them you can see on the left of the screen, this is again an open source project, you can go and download it and check it out, play around, they even have a demo that you can use online, it's called OpenCTI, and there are, for both of the options there are also many many different closed source, like proprietary solutions, which again have their pros

and cons, and I'm not going to go into deep selection in that presentation. This is more to tell you that when you have a TIP you get some easier processing and exploitation. What do I mean by that? Most of the TIPs have modules where you can import threat feeds, so let's say feeds of IOCs, they can automatically parse reports like PDF, Word documents and so on and extract indicators, classifications and so on and make them directly usable. They have workspaces, where you can start, let's say, a case that you investigate, you can share that with other analysts, you can, let's say, if it's a work that takes a long time, you can have it there and resume your work once in a while, you

can... They have, typically, a lot of integrations with different threat providers so that you can do automatic enrichments, so let's say, do whois lookups, to anything like what you see here, like a link analysis. Yeah, you can do many many different things in a threat intelligence platform. However, I have to note that MISP recently has been moving more and more to becoming a threat intelligence platform, so don't disregard it as a repository for indicators only. And again, those are open source options, but there are many many different vendors that are doing just this, they are building these products. However, this is the third step in the process. This means that now everything you collected is in a form that you can actually use it. You can do your

research, you can run your queries and what is next is the most critical part of this process, the analysis part. And I really love this image over here. It's from a book called "The Psychology of Intelligence Analysis" If you haven't read it, regardless if you are into intelligence or not, I definitely recommend you that, like, hopefully you are looking at the screen and try to read this. I will leave you like 5, no, let's say 10 seconds. Okay, so I'm pretty sure that the majority of you didn't notice that you have a lot of double words in here. It says Paris is in the spring, once in a lifetime and so on. So this is a great example

of what our brain does. Our brain is very good at creating patterns and simplifying things and this is more or less what the whole book of the psychology of intelligence analysis is about. When you're doing intelligence analysis, what you are doing is thinking about thinking. It's constantly evaluating that, okay, maybe the way that I'm thinking about this is not the right way. Maybe what we have here is my biases influencing the outcome. The intelligence analysis itself is a whole new subject. If you're interested, there are many, many resources publicly available. Definitely recommending you to go and check them out. This is a very nice book if you want to start with. There are also a lot of things like structured analytic techniques and other

methods for intelligence analysis and general analysis. Like if you do any sort of analysis it is very good to know. But more or less the step 4 is the human factor. Now that you have all the information, how can you answer the intelligence requirements? And yeah, it is studying critical thinking, intelligence analysis. A very key component here is also to try to involve people from diverse backgrounds. We tend to think differently, even if you... like it is human nature. The way you grew up, the place you grew up, your experiences are going to influence how you see things. So it is good to have people with different backgrounds in an intelligence team. Also, always question yourself about your results and how did you get those results? Did

you actually use real evidence or did you use any personal biases? If you are uncertain, it's fine to split those two in the analysis. Let's say that you have a section, this is what we know, and at different sections, this is what our assessment is. So it is very clear to someone that reads your product that, okay, these are facts and this is what my analyst thinks. Another good approach is to have peer reviews after you have done your analysis. You can send it to another person and tell them "Okay, does this analysis look sound to you? Do you think I missed something?" And try to make it repeatable. If you find that there are

certain processes that work nicely and produce really good products in your analysis, try to make them repeatable and consistent for the rest of the team to use. The last part is dissemination, which means how you are going to share what you produced. By now you have the answers to the initial questions, the intelligence requirements, it's time to share this. And that is something that you typically shouldn't define. That is something that your audience should define. How do they want the information to be shared? However, when you have decided how the information should be shared, then try to make it very, very simple. And some ways to do that is use templates, have specific sections that you have each time, have specific formats that you use, and another thing

is have a glossary of the terms that you use. When you say, for example, "likely", what does it mean? When you say this is a high fidelity indicator, what does it mean it's high fidelity? Try to have those defined somewhere so that if you have multiple people producing intelligence, they all mean the same thing. And the other important part is classification. Since we are in a cybersecurity context, definitely TLP should be there, the Traffic Light Protocol. It is one of the industry standards. But then there are other things like this NATO code that is used widely for rating the credibility and reliability of the sources that you use. So you can say that "ok this source is highly reliable and the

information that it provided is also very accurate". But there are many different classifications and depending on what you are after you might want to use them. But at least TLP is nice so that people have an understanding, your customers have an understanding of what can be shared with whom and if it cannot be shared, why it cannot be shared. That covers the intelligence cycle. Apart from feedback. So there is not really a step 6. However, after you have shared your intelligence, you shouldn't consider it like a black box like, okay, I shared it, it's done, it's over. No, it's not over. You should look for improvements. Ask for feedback, especially in the beginning, ask for a lot of feedback and see did what you provide answer the question that your customers

had. If not, then start adapting. If let's say it was including a lot of information that was nice but they didn't really care about, then next time try to reduce that information. More or less that step six is going to drive your whole improvement of that team. The whole team is going to be based on that feedback. So although there is no step six officially, please do that.
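The retrospective search the talk describes for the collection step, where indicators from a newly published report are checked against historical passive DNS to find out whether hosts were already resolving that infrastructure long before the report, as an added example (this code is not from the talk; the log lines, the indicator set and the report date are constructed, using reserved .test/.invalid names and documentation IP ranges):

```python
"""Retrospective IOC search over passive DNS logs.

Added example: given indicators from a newly published report, look back
through historical passive DNS records to find whether, and when, hosts in
the environment already resolved that infrastructure. All log lines and
indicators below are constructed for the example.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed passive DNS records: timestamp, client IP, query name, rrtype, rdata.
SAMPLE_PDNS_LOG = """\
2019-06-03T08:12:44Z 10.20.1.15 updates.example-cdn.test A 203.0.113.10
2019-06-03T08:12:45Z 10.20.1.15 cfg.c2-panel.invalid A 198.51.100.7
2019-07-19T22:01:09Z 10.20.1.22 mail.corp.test A 192.0.2.25
2019-07-20T02:40:31Z 10.20.1.22 beacon.cfg.c2-panel.invalid A 198.51.100.7
2020-01-11T11:05:02Z 10.20.1.15 www.example.test A 192.0.2.80
2020-02-14T19:33:17Z 10.20.3.40 sync.dropzone.invalid A 198.51.100.9
2020-02-15T19:33:20Z 10.20.3.40 notc2-panel.invalid A 192.0.2.99
"""

# Constructed indicator set, as it might arrive with a vendor report.
REPORT_IOCS = {
    "domains": {"c2-panel.invalid", "dropzone.invalid"},
    "ips": {"198.51.100.9"},
}
REPORT_DATE = date(2020, 3, 1)  # constructed publication date of the report


def parse_pdns(text):
    """Parse whitespace-separated passive DNS lines into dicts; skip malformed ones."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # one bad row must not abort a historical search
        ts, client, qname, rrtype, rdata = fields
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "qname": qname.rstrip(".").lower(),
            "rrtype": rrtype,
            "rdata": rdata,
        })
    return records


def matched_domain(qname, ioc_domains):
    """Return the IOC domain that qname equals or is a subdomain of, else None.

    The label-boundary check means 'notc2-panel.invalid' does not match the
    IOC 'c2-panel.invalid', while 'beacon.cfg.c2-panel.invalid' does.
    """
    for ioc in ioc_domains:
        if qname == ioc or qname.endswith("." + ioc):
            return ioc
    return None


def retro_search(records, iocs, report_date):
    """Match every record against the domain and IP indicators.

    Returns {ioc: {first_seen, last_seen, clients, hits, days_before_report}}
    so an analyst can see which hosts touched the infrastructure and how long
    before the report the activity started.
    """
    hits = defaultdict(lambda: {"first_seen": None, "last_seen": None,
                                "clients": set(), "hits": 0})
    for rec in records:
        matched = []
        dom = matched_domain(rec["qname"], iocs["domains"])
        if dom:
            matched.append(dom)
        if rec["rdata"] in iocs["ips"]:
            matched.append(rec["rdata"])
        for ioc in matched:
            entry = hits[ioc]
            entry["hits"] += 1
            entry["clients"].add(rec["client"])
            if entry["first_seen"] is None or rec["ts"] < entry["first_seen"]:
                entry["first_seen"] = rec["ts"]
            if entry["last_seen"] is None or rec["ts"] > entry["last_seen"]:
                entry["last_seen"] = rec["ts"]
    for entry in hits.values():
        entry["clients"] = sorted(entry["clients"])
        entry["days_before_report"] = (report_date - entry["first_seen"].date()).days
    return dict(hits)


if __name__ == "__main__":
    results = retro_search(parse_pdns(SAMPLE_PDNS_LOG), REPORT_IOCS, REPORT_DATE)
    for ioc, info in sorted(results.items()):
        print(f"{ioc}: {info['hits']} hit(s) from {info['clients']}, "
              f"first seen {info['first_seen']:%Y-%m-%d}, "
              f"{info['days_before_report']} days before the report")
```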

And now that the intelligence is even clearer hopefully, how it's done, why it's done and the process, let's go into how you start by building a team, which is the simplest part of the presentation as you probably noticed by far. Typically how it works is in the beginning you do it on your spare time, most of the times it starts from the security operations teams, that have some people that are enthusiasts and they want to look into that. And since it is not your full-time job at this stage, I really encourage you to start very, very, very, very small. My best advice from what I have seen so far is work on past

incidents. Pick up a couple of incidents that happened in the past and start coming up with the cases around them. Like, okay, can you find out who was the threat actor behind it following the process that I just mentioned? Can you see, let's say, if those incidents in the past were related to each other? So for example, you might find that they were using the same command control infrastructure. So suddenly you can start building a campaign. Or you can start building third actor profiles. Let's say that you see every two, three months an incident that is almost identical. Then you can say, okay, probably it's the same third actor or third group behind this. And

you cannot be of course confident, like 100% confident, but at least you start doing intelligence work instead of just responding to incidents. And that will give you a lot of insights on your organization Since what you're doing is not producing intelligence based on what a news article says or a security company says but what actually happened in your company, what incidents you had to respond to in the past. That will give you a very good idea of what threats are out there and what is the threat that typically targets you. Then what you do after that is typically you try to map what you discover with external activity. So let's say that you discovered a certain command control used widely in a lot of the incidents that you had

and you start looking around and you see that okay this same command control server was reported by many reputable sources that it is related to this threat actor. So suddenly you know that okay there is a high likelihood that this threat actor It is the third actor that targeted me. So what does this mean for you? It means that you can start tracking this third actor and anything new that is being reported, whether this is news or closed sources or anything else, it means that you can use it that, okay, now this third actor is doing these things. We might have to adapt to that if that third actor is consistently targeting us. So more or less you have a more holistic picture not only what happens inside

the company but how that relates to outside of the company. Typically somewhere in that stage, and it could be anywhere in the beginning or somewhere in the external threats phase, but if you are going to get a team you will probably start getting it at that stage. Now, it is very very important to clearly define the mission and the vision of that team and share it with everyone so that at least everyone knows that your team exists and what you can offer. At that point you typically have dedicated resources, so dedicated people and typically budget. And what I propose is start having KPIs. And KPIs could be, for example, how many teams did you help with the intelligence that you produced? Or, how many

cases did the incident response team handle because of the intelligence that you provided? So let's say they didn't know about it, but because of the intelligence you provided, now they started a new case and they discovered an incident. Or it could be, how many times did you report something that didn't actually happen? Let's say, or it was false information. All of that can help you start improving and improving your processes, how you work, how you share information and more or less becoming a more and more mature team. But at this stage it is already together ball rolling. Like KPI's can help you with a continuous improvement. Then if you want to go to that next level, it is, okay, you started

in that area, the cyberspace, cyber threat intelligence, but what about the rest of security? Can you provide intelligence for, let's say, the office location? Is your office in a location where there are a lot of threats? Let's say that it is an area that there is a lot of criminal activity, or it is an area that is very unstable for geopolitical reasons. or it will become very unstable for geopolitical reasons. Then you can start providing intelligence products to the whole security, to everyone that's interested in the security aspect. And again, this is already a really mature state and many companies don't even have to do that, but it is up to you and how far you want to push with threat intelligence team building. Now, I'm

running a little bit over time, but to go back to the example I gave. So how did break-ins happen? That could be what we call tactics, techniques and procedures, a report on the tactics, techniques and procedures of the threat actors. Who is doing it? It could be a threat actor profile. Why? It could be a threat landscape for your industry, or in that case your home. And when it goes again to TTPs. Now, when it comes to DTPs, this is a nice resource, the Pyramid of Pain. This is, on the right side you see how difficult it is for an attacker to overcome this. If you are going to be giving hash values to your teams to detect, then it's very easy as you can guess for

someone to change them and as you go up the pyramid it becomes harder. If you manage to identify how a threat actor behaves, the TTPs, how let's say first they do phishing, then they do that, then they use that tool to... Then you can make it very tough for them to get away from your teams.

Now, to conclude: yeah, don't make this an echo chamber. Intelligence is to provide value to others, not to yourself. So... Attribution also matters, which is about the who, but you have to keep in mind you don't always have to find the real person that is doing the attack. Sometimes even a code name is fine, as long as you know it's the same actor; I don't care who it is as a person, but I know it's this same actor. It could be fine. Or even a group, or even a campaign. The who depends really on what you are after. If you want to prosecute someone legally, yes, you need to know the real person. But if you just want to block the new malware campaign, then knowing the threat group should be more than enough.

Another key thing is that most companies don't fall under one industry. Typically most companies are doing many different things. They might be building a mobile application, they might have a banking site, they might have a public-facing site. So keep this in mind; don't get like, "Oh, we are in that industry, so this is what we should be focusing on." Keep a more open mind; you might be in more industries than just one. Also, because of everything I've talked about here, you cannot buy intelligence. You can definitely buy a lot of tools, a lot of intelligence enrichment content, but you cannot really buy intelligence. This is something that is very, very specific to each organization, so you have to support it in one way or another, if you are willing to do that.

And the best practice is: yes, start small, use internal data first. If you don't have intelligence requirements, which is very, very, very likely when you start, well, create them. As I mentioned in the first slide, start with your own and tune them as you go. Also, in the beginning it's fine to communicate more, and as you go, again, you will start focusing more, and at the end it will be very, very actionable intelligence, where you know that this person only wants to know about X, Y and Z and that's it. But in the beginning it's fine to be a little bit more verbose. And also start with simple products. Let's say you do a monthly threat briefing: What happened this month? What threats are relevant to us? Or a weekly one, something like that. Yeah, I ran a little bit out of time, but those are the references that I used in this presentation. So thanks a lot for your time. Also thanks a lot to the BSides team for making this happen, and if you need me for anything, I'm also on Twitter and on LinkedIn; feel free to drop me a message or, yeah, add me to your network. And again, thanks a lot.
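Added example (not part of the talk, and not the speaker's code): the "start with past incidents" approach the speaker recommends, in Python. It clusters incidents that share command-and-control infrastructure into candidate campaigns, maps each campaign's indicators to external reporting graded with the NATO/Admiralty source code (reliability A-F, credibility 1-6), and emits a product carrying a TLP label and an estimative word taken from a written glossary. All incidents, indicators, sources and actor names are constructed; the thresholds behind "likely" and "possible" are this example's own glossary entry, an assumption, not anything the talk defines.

```python
"""Cluster past incidents by shared C2, map them to graded external reporting,
and produce a TLP-labelled product. All data below is constructed for the example."""
from collections import defaultdict

# Constructed sample data: six past incidents and the C2 each one contacted.
INCIDENTS = [
    {"id": "INC-1", "month": "2020-01", "c2": {"203.0.113.10", "update-check.example"}},
    {"id": "INC-2", "month": "2020-03", "c2": {"203.0.113.10"}},
    {"id": "INC-3", "month": "2020-04", "c2": {"198.51.100.7", "cdn-static.example"}},
    {"id": "INC-4", "month": "2020-06", "c2": {"update-check.example"}},
    {"id": "INC-5", "month": "2020-07", "c2": {"cdn-static.example"}},
    {"id": "INC-6", "month": "2020-08", "c2": {"192.0.2.44"}},
]

# Constructed external reporting, graded with the Admiralty scheme:
# reliability A (completely reliable) .. F (unknown), credibility 1 (confirmed) .. 6 (unknown).
REPORTS = [
    {"source": "vendor-blog", "reliability": "B", "credibility": 2,
     "indicator": "203.0.113.10", "actor": "GROUP-RED"},
    {"source": "isac-share", "reliability": "A", "credibility": 1,
     "indicator": "update-check.example", "actor": "GROUP-RED"},
    {"source": "anon-forum", "reliability": "E", "credibility": 5,
     "indicator": "198.51.100.7", "actor": "GROUP-BLUE"},
]


def confidence_word(reliability: str, credibility: int, independent_sources: int) -> str:
    """Glossary entry (this example's own assumption): 'likely' needs two independent
    sources with at least one A/B-graded report of credibility 1-2; 'possible' needs
    one report graded C or better with credibility 3 or better; otherwise no call."""
    if independent_sources >= 2 and reliability in "AB" and credibility <= 2:
        return "likely"
    if reliability in "ABC" and credibility <= 3:
        return "possible"
    return "unknown"


def cluster_by_shared_c2(incidents):
    """Union-find over incidents: two incidents join one cluster when they share any C2."""
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # indicator -> first incident that used it
    for inc in incidents:
        for ioc in inc["c2"]:
            if ioc in first_seen:
                parent[find(inc["id"])] = find(first_seen[ioc])
            else:
                first_seen[ioc] = inc["id"]
    groups = defaultdict(list)
    for inc in incidents:
        groups[find(inc["id"])].append(inc["id"])
    return sorted(sorted(g) for g in groups.values())


def attribute(cluster, incidents, reports):
    """Map a cluster's C2 to external reporting; pick the best-supported actor and grade it."""
    by_id = {inc["id"]: inc for inc in incidents}
    iocs = set().union(*(by_id[i]["c2"] for i in cluster))
    votes = defaultdict(list)
    for rep in reports:
        if rep["indicator"] in iocs:
            votes[rep["actor"]].append(rep)
    if not votes:
        return {"actor": None, "confidence": "unknown", "sources": [], "matched_c2": []}
    actor, hits = max(votes.items(), key=lambda kv: len(kv[1]))
    sources = sorted({h["source"] for h in hits})
    best = min(hits, key=lambda h: (h["reliability"], h["credibility"]))  # 'A' < 'B', 1 < 2
    return {"actor": actor,
            "confidence": confidence_word(best["reliability"], best["credibility"], len(sources)),
            "sources": sources,
            "matched_c2": sorted(iocs & {h["indicator"] for h in hits})}


def build_products(incidents=INCIDENTS, reports=REPORTS, tlp="TLP:AMBER"):
    """One product per multi-incident cluster; a single incident is not yet a campaign."""
    products = []
    for cluster in cluster_by_shared_c2(incidents):
        if len(cluster) < 2:
            continue
        products.append({"tlp": tlp, "campaign": cluster, **attribute(cluster, incidents, reports)})
    return products


if __name__ == "__main__":
    for p in build_products():
        print(f'{p["tlp"]} campaign={p["campaign"]} actor={p["actor"]} '
              f'({p["confidence"]}, sources={p["sources"]}, c2={p["matched_c2"]})')
```

Run it and the first campaign (INC-1, INC-2, INC-4) resolves to GROUP-RED as "likely", backed by two independent sources graded A1 and B2, while the second (INC-3, INC-5) only has an E5 forum post behind it and stays "unknown" even though an actor name was offered. That is the point of grading sources before attributing: a shared indicator links the incidents, but the confidence word comes from the quality of the reporting, not from the mere existence of a match.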