NTU Cyber Threat Intelligence Lifecycle Assignment.pdf
Nanyang Technological University
Welcome to the Cyber Threat Intelligence Lifecycle Course Assignment Briefing. This short presentation is intended to explain the assignment and its purpose, as well as provide directions on how to complete the assignment using the provided Collection Management Framework Excel model. You should have already taken the Requirements and Planning Module before completing this assignment. If you have not already done so, please pause this presentation and review the Requirements and Planning Module first.

As you'll recall from the Requirements and Planning Module, intelligence is generally broken down into three cascading elements: Intelligence Requirements, or IRs; Essential Elements of Information, or EEIs; and Collection Requirements, or CRs. Essentially, we can think of IRs as analytic questions we're trying to answer, EEIs as the factual pieces of information we would need to answer those questions, and CRs as statements on the specific information or data we would need to collect to fulfill our EEIs. In some frameworks, IRs are further divided into subcategories to differentiate between programmatic requirements and more operational requirements. In these models, the latter are sometimes referred to as Priority Intelligence Requirements, or PIRs, to denote a more immediate and functional type of intelligence requirement.

In this assignment, we'll be creating some PIRs, their cascading EEIs, and related CRs. Then we'll collect some open-source reports to answer the CRs to see how this all ties together into a Collection Management Framework.

Now let's dive into the assignment, starting with the scenario. You work for the Chief Information Security Office of a Singapore-based electronics manufacturer. You have been tasked with developing a Collection Management Framework to support your organization's cyber threat intelligence programs.
Using the Collection Management Framework Excel model provided in the course materials, you'll be expected to develop at least two Priority Intelligence Requirements that would be applicable to your company, create five Essential Elements of Information to support each intelligence requirement, create at least five Collection Requirements to task collectors for information or reports that answer one or more of your Essential Elements of Information, and lastly, you'll collect at least three publicly available reports or articles that answer one or more of your intelligence requirements.

To get started, you'll first need to open the provided Excel file and navigate to the PIRs tab. Before creating your own PIRs, we recommend that you review the sample PIR listed in the document as PIR 0. It's important to note that this PIR and the associated sample EEIs, CRs, and reports do not fit the scenario of your assignment. Rather, this PIR would most likely be associated with a bank or financial institution and was created to provide a tangible example of the collection management process. Most importantly, you'll note that this PIR is analytic in nature, which suggests that any answer to this question would require an analytic assessment or judgment.

Now consider the assignment scenario and develop your first PIR, an analytic question that would be of interest to the cybersecurity of a Singapore-based electronics manufacturer. Once you have one, insert your first PIR into the IR description field in column B. We recommend that you work through the following steps of the process, focusing on one PIR at a time. When you've completed your first PIR, return to this step and insert your second PIR into row four.

We'll break our PIR down into its constituent EEIs. First, navigate to the EEIs tab and review the sample EEIs. As you'll notice, these EEIs are questions that seek factual answers.
For example, to make an assessment on the sample PIR, it might be useful to understand which intrusion sets have already impacted banks, as they might target banks again in the future. We've captured this information need as EEI 0.1, "What intrusion sets have primarily impacted banks or financial institutions in the last year?" Think about your PIR and the evidence or information you would need to make an assessment about it. Now turn those into questions seeking factual answers and you have your EEIs. Once you've developed five, insert your questions into the EEI description fields in rows 9 through 13. Make sure to choose PIR 1 from the drop-down menu in the associated PIR field in column C, as this will be needed for calculations made on the dashboard later.

Now we'll create collection requirements to capture the types of data and reports we would need to answer our EEIs. First, navigate to the CRs tab and review the sample CRs. As discussed a moment ago, to answer our sample EEI, "What intrusion sets have primarily impacted banks or financial institutions in the last year?", we would need information related to cybersecurity incidents impacting banks or financial institutions. So where would we find this type of information? An obvious source might be reports of incidents impacting banks or financial institutions. We've captured that here as CR 1.

Now consider the EEIs you created and think about the types of data or reports that might contain the information needed to answer your questions. Once you have them, insert your CRs into the CR description field in column B, starting with CR 6 in row 7.

Next, we'll need to choose the EEIs that your CR answers, and this is where things get interesting. As you'll notice in the example collection requirement, CR 1, it potentially answers four separate EEIs.
The reason is that if we collect an in-depth report on an incident that impacted a bank or financial institution, it's likely to provide information that answers several of our EEIs at once. In other words, CRs are often one to many EEIs. Circling back to the assignment, you can choose up to five EEIs that each CR would likely answer.

Now we'll do some open-source collection against our CRs. Before we start, navigate to the reports tab and review the sample reports listed as R001 and R002, both of which are hyperlinked. You'll notice that these reports both come from established cybersecurity vendors and are therefore likely to be relatively accurate and include technical details. While you can use any open sources, we would recommend that you use more established sources such as reporting from cybersecurity vendors or reputable cyber news sources.

Once you've found a good report that meets one or more of your CRs, document it by source and report title, starting with R003 in row 4. Make sure that you hyperlink the title of each report to its corresponding URL. You can do this by selecting the cell, pressing Ctrl+K, and then pasting the hyperlink into the source field. Next, you'll need to map the report to your CRs. In columns D through H, you may choose up to five CRs answered by each report.

Now that you've completed a full PIR workflow, let's see how it all comes together. First, navigate to the collection management dashboard tab. The data you just inputted should cascade automatically into this tab. What you'll find is a dashboard that includes your PIR, its EEIs and associated CRs, and finally the reports that you've collected that answer each CR. What you'll find in this view is that it provides a single pane of glass for you to understand your available intelligence relative to each PIR. One way a CTI team might use this information is to understand its collection gaps and reporting biases.
For example, cells that contain calculation errors highlight collection gaps in which you have a CR that is not answered by any of the reports you collected. In the highlighted example, we have a reporting gap for CR4. If we toggle to the CR tab, we find that CR4 reads, "deep and dark web reporting on threat actors claiming to have targeted or showing interest in targeting banks or financial institutions." From here, we can see that the CR is the only one that is aligned with EEI 0.6. So now we know that we probably need to seek out a source or vendor that can report on CR4; otherwise we won't be able to answer EEI 0.6, and we would need to do so to robustly assess our PIR.

While this might seem fairly straightforward, once you consider that a CTI team might have dozens of PIRs that change over time to meet new stakeholder intelligence needs as well as a rapidly changing threat environment, the need for a collection management process becomes clearer.

Lastly, when you've completed the workflow for both of your PIRs, make sure to save a copy of your work as a new file with your surname in the title. We hope this has been a useful aid for completing the course assignment. If you have any questions, please contact either of the course instructors or feel free to raise any issues you're having with the assignment during the scheduled office hours.
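
The dashboard's gap check described in the briefing can be expressed outside Excel. The following Python sketch is an added example, not part of the course materials or the workbook: it walks the report-to-CR and CR-to-EEI mappings and lists CRs with no reporting and EEIs that no collected report can answer. The function names and most of the sample mappings are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data modelled on the briefing's PIR 0 walkthrough. From
# the briefing: the ids PIR 0, EEI 0.1, EEI 0.6, CR 1, CR 4, R001 and R002,
# that CR 1 answers four EEIs (including EEI 0.1), and that CR 4 is the only
# CR aligned with EEI 0.6. All other ids and mappings are invented.
EEIS = {  # EEI id -> parent PIR
    "EEI 0.1": "PIR 0", "EEI 0.2": "PIR 0", "EEI 0.3": "PIR 0",
    "EEI 0.4": "PIR 0", "EEI 0.6": "PIR 0",
}
CRS = {  # CR id -> EEIs it is expected to answer
    "CR 1": ["EEI 0.1", "EEI 0.2", "EEI 0.3", "EEI 0.4"],
    "CR 2": ["EEI 0.2"],
    "CR 4": ["EEI 0.6"],
}
REPORTS = {  # report id -> CRs it answers
    "R001": ["CR 1"],
    "R002": ["CR 1", "CR 2"],
}
MAX_LINKS = 5  # the workbook allows up to five mappings per CR or report


def validate(crs, reports, eeis):
    """Reject rows that exceed five links or point at undefined ids."""
    for table, known in ((crs, eeis), (reports, crs)):
        for row, links in table.items():
            if len(links) > MAX_LINKS:
                raise ValueError(f"{row}: more than {MAX_LINKS} mappings")
            unknown = [x for x in links if x not in known]
            if unknown:
                raise ValueError(f"{row}: unknown reference(s) {unknown}")


def collection_gaps(eeis, crs, reports):
    """Return (CRs with no report, EEIs no collected report can answer)."""
    validate(crs, reports, eeis)
    reports_by_cr = defaultdict(list)
    for rid, cr_ids in reports.items():
        for cr in cr_ids:
            reports_by_cr[cr].append(rid)
    unanswered_crs = sorted(cr for cr in crs if not reports_by_cr[cr])
    covered = {e for cr, es in crs.items() if reports_by_cr[cr] for e in es}
    unanswered_eeis = sorted(e for e in eeis if e not in covered)
    return unanswered_crs, unanswered_eeis


if __name__ == "__main__":
    cr_gaps, eei_gaps = collection_gaps(EEIS, CRS, REPORTS)
    print("CRs with no reporting:", cr_gaps)
    print("EEIs that cannot be answered:", eei_gaps)
```

An EEI with no CR mapped to it at all is also reported as unanswerable, which catches a requirement that was written down but never tasked.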