FIRST Cyber Threat Intelligence 2022 conference in Berlin

Cert-IST attended the FIRST conference on Cyber Threat Intelligence (CTI) from November 1 to 3, 2022 in Berlin. Below are some of the conferences we selected as the most interesting and we wanted to share with our community.

The complete program of all conferences can be found here: https://www.first.org/events/symposium/berlin2022/program.
Also, all the TLP:CLEAR contents have been recorded and are available on the FIRST YouTube channel.
The first day was dedicated to the training sessions and the following two days to the conferences plenary sessions.

Each title below links to a description of the presentation on the conference website, and in most cases includes the presentation material that was used.

 

Cyber Threat Intelligence Sharing Platforms: A Comprehensive Analysis of Software Vendors and Research Perspectives
Clemens Sauerwein (University of Innsbruck, Department of Computer Science, AT)
[TLP:AMBER]

This conference focuses on the first real scientific work that includes the analysis, comparison and evaluation of the different information sharing platforms, called TIPs (Threat Intelligence Platforms).

Mr. Sauerwein identified that the Dempsey Intelligence Cycle was not considered enough in the research works that were done in the past. This cycle defines the need, collection, refining, analysis and dissemination of information and is here at the center of the study.

The speaker presented his methodology: firstly, he extracted 13 relevant scientific reports from an initial selection of 420 articles. Then, he selected 13 TIPs and identified a list of features that each platform is able to offer. Finally, he interviewed more than 80 experts, from different areas of Threat Intelligence, to select the evaluation criteria.

This study will be published in early 2023 and many TIPs providers showed their interest to see the results.

In addition to the final –anonymized - ranking of these platforms, which saw only 3 TIPs out of 13 being classified as highly functional, Mr. Sauerwein shares some interesting elements with us. In general, all the TIPs offer good functionalities concerning data analysis and do implement data protection and privacy measures (related to GDPR, for example). However, data quality assessment as well as measures to increase confidence in IOCs are not sufficiently addressed. Finally, there is a lack of scientific productions concerning the process of "Planning and Direction" of the information cycle.

 

Let's Make Needles Glow in Timesketch
Thomas Chopitea (Google, CH), Alexander Jäger (Google, CH)
[TLP:CLEAR]

The issue raised by the authors of this conference is the very high number of events to be analyzed during the forensic analysis of a potentially compromised system; for example, a fresh install of a Windows system has already more than 4 million events!

Their idea is therefore simple but relevant: bring the CTI within the forensic analysis in order to focus on the truly malicious events. To do so, they detailed their process, which therefore combines Threat Intelligence, through usage of indicators of compromise for example, and Timesketch, an open-source tool for chronological forensic analysis.

The first step is to get rid of the noise (i.e. any file specific to the operating system). For this, they produce a hash for each of the system files (tool used: hashr), send them on VirusTotal and ignore those that return a no-threat score. Then, by combining Yara rules (to classify files by type), Sigma rules (to work on log files) and a third-party module to have a source of indicators of compromise (YETI), the researchers are able to establish repeatable and automatable investigation process. For example, to answer the question “Is there evidence of lateral movement, or persistence?”, they are able to create predefined queries, which will facilitate the work of the analyst during the investigation of a system.

Finally, they pointed out some areas for improvement for the future, such as being able to anonymize a timeline in order to share it with the community.

 

ORKL: Building an Archive for Threat Intelligence History
Robert Haist (TeamViewer, DE)
[TLP:CLEAR]

The speaker presented a tool (ORKL) intended to be a real Threat Intelligence report database.
Its objective is to create a library manager of Threat Intelligence reports, accessible from a website.

For a given report, the tool will save copies in .PDF and .TXT formats, as well as the cover page (for the visual displayed in the tool). Then, ORKL extracts certain metadata such as the publication date of the report, its author, its title, its source or a URL. Currently, seven sources of information are used such as Malpedia, Alienvault or even CyberMonitor.

In addition to this metadata, the tool is used to collect, store and update attacker group profiles, using the same sources. For these groups, information related to their name and aliases can be found in ORKL. It should be noted that some aliases seem to be filtered out by the tool, if they are rarely used in the reports. The same goes for the malicious tools used by these groups of attackers.

Finally, an interesting feature of this tool is the full-text search. This allows you to search very quickly, within the text versions of all the reports, the occurrence of certain words. This could be for example MITRE ATT&CK techniques or indicators of compromise such as IP addresses.

For the future, the author shared some ideas, such as letting the community contributes and associate their metadata to Threat Intelligence reports.

This conference was very well received by the audience, who hastened to follow the project on Twitter (https://twitter.com/orkleu) and on its website (https://orkl.eu/).