Last week I attended the eighth annual SANS Cyber Threat Intelligence Summit in Crystal City, Virginia. I want to take some time to recap the event for those who were not able to attend. I have been fortunate to be involved with this event since it started in 2013, first as a presenter, and more recently as a co-chair. My first CTI Summit presentation, “If it bleeds we can kill it: Leveraging CTI to take the fight to the adversary,” is still one of my favorites. The talk is an homage to Arnold Schwarzenegger’s Predator with some cyber threat intelligence sprinkled in.
This year, I teamed up with my fantastic co-chairs, Rebekah Brown and Katie Nickels, to run the summit. We also had the support of our great Advisory Board: Amy Bejtlich, Chris Cochran, Kristen Dennesen, Ryan Kovar, and Kris McConkey. Last but not least, Jennifer Santiago was very effective at cat herding.
You can find the presentations on the SANS DFIR Archive page. Search for “Cyber Threat Intelligence Summit & Training 2020 (January 2020)” to find them. You will be able to see videos of the talks on the SANS DFIR YouTube channel over the coming months. We had several talks that weren’t recorded as they revealed sensitive information about threat actors.
One of the great things about this event is our community; I’ve made some great friends over the years. The friends you make are the ones that are going to share their struggles with you and how they overcame them. These friends are the ones you will commiserate with as you deal with the challenges of being a threat intelligence analyst. This year, we tried some new activities to nurture our community further and help the attendees strengthen existing relationships as well as build new ones.
- Cyber Threat Intelligence Jeopardy | On Sunday night, we had Cyber Threat Intelligence Jeopardy hosted by our very own “TRebekah Brown.” We wanted to have a casual and amusing event to kick off the summit. We had to compete against the NFL playoffs, but since the Dallas Cowboys weren’t playing, I wasn’t interested. One of the highlights for me was listening to David Bianco explain the origin story of the Pyramid of Pain. We had some excellent audience participation helping us out with the “Fill in the Blank” and “Hey, this may be a bad idea, but …” categories.
- First CTI Summit Workshop | On Tuesday, we had our first ever workshop. Katie designed a capture the flag event centered on the Stark Banking Group, which required each team to conduct intelligence analysis and then to write a one-page report for the bank’s executives. It was great to see the various groups getting to know each other and collaborating on the assignment. Despite the IMINT collected from the workshop below, I can assess with high confidence that Katie isn’t helping her former MITRE ATT&CK colleagues with the exercise.
- Mystery Science Theater 3000 | On Tuesday night, we also tried another new event. We had Mystery Science Theater 3000 night, where Brian Moran, Ryan Kovar, and I roasted two horrible “cyber” shows. We took in Scorpion and Level9 in all their glory. When we do it again next year, I’d love to rotate out commentators, so everyone has a chance to throw some shade at awful shows.
Cyber Threat Intelligence Summit Major Themes
When we were putting together our wrap-up summary for the summit, we decided to frame it around the Intelligence Cycle. I made a joke that it was the end of the second day, and no one had put up the Intelligence Cycle, so we were overdue. Rob M. Lee possibly drew it during his session, but because he is a much better speaker than an illustrator, it is unclear. Now your Intelligence Cycle might not map to mine 100%, but it frames the content well. I’m going to cover some of the major themes that resonated with the co-chairs (Katie, TRebekah, and I) during the summit. Our slides are available here.
1. Planning and Direction
- Microsoft’s Cristin Goodwin had a great keynote, and a concept that she continually mentioned was to be measured, pragmatic, and principled. All of these are foundational to any security program. If you take this approach to your Planning and Direction activities, you will set your program up for success.
- Using his threat intelligence EASY framework, Chris Cochran talked about spending two months traveling to various Netflix offices to meet with stakeholders and help develop his program’s intelligence requirements.
- Andreas Sfakianakis’ first history lesson was on “Intelligence Direction.” He talked about Crown Jewels analysis, which is essential. He also spoke about connecting with the business and enterprise risk management cycles. You can check out his GitHub page for all the things.
- Xena Olsen gave a thought-provoking and emotional (for me) talk on cyber stalking: “Every Breath You Take: A CTI Review of Stalkerware.” It made me think about a threat model and attack surface I hadn’t considered in the past. Xena also powered through some technical difficulties like a BOSS.
- Sherman Chu had one of my favorite takeaways from the summit. He talked about the concept of “Minimum Viable Collection.” Don’t try to collect all the things; align your collection to your intelligence requirements, and if a source doesn’t bring you joy, stop using it. I also learned a new meme in the process (see Marie Kondo below).
- Joe Slowik talked about our biases towards malware analysis and the limitations of relying upon a single collection source. We need to understand the limitations of any collection source and look for multiple collection capabilities to give us more context for our assessments. Joe is one of those speakers who puts out such great content at such a fast pace that you need to go back and listen to it once again to make sure you aren’t missing out.
- In my crowning achievement for the summit, I worked in an IG-11 assassin droid and Mando reference to talk about humans and machines working together. I won’t spoil it for those in other countries who haven’t seen The Mandalorian yet.
- MITRE’s Jackie Lasky and Sarah Yoder gave a great talk “Automation: The Wonderful Wizard of CTI (Or Is It?)” on MITRE’s new Threat Report ATT&CK Mapping (TRAM) tool. Adding automation to ATT&CK report mapping is impressive, most impressive. I get that the tool is new and needs to mature, but they had me at automation. In the future, the potential of being able to map privately is very appealing. You can find TRAM here.
- Context was a major theme interwoven across many of the speakers’ talks. I made a joke that “Context is king, still.” We have been talking about threat intelligence context for over a decade now. I see this conversation continuing well into the roaring ’20s as well.
- Cristin Goodwin talked about Microsoft bringing on “Threat Context Analysts” to provide a geopolitical perspective to complement their technical reporting. At Digital Shadows (now ReliaQuest), our intelligence team has regional specialists, so her comments really hit home for me.
- Gerard Johansen also talked about context. In his talk, “The Importance of Cultural and Social Intelligence,” Gerard challenged the audience to think beyond the technical realm and think about the social and cultural components of analysis. He talked about combating “mirror imaging.” He also included a very controversial hot dog analogy comparing New York-style hot dogs against Chicago-style hot dogs. New York is obviously the right choice.
5. Dissemination
If you can’t write in a way that someone will understand, then there is no point in writing an intelligence report. I use the self-licking ice cream cone analogy, which folks who come from the military will appreciate. To help you not be a self-licking ice cream cone, check these out:
- Lenny Zeltser gave a fantastic talk on writing: “Hack the Reader: Writing Effective Threat Reports.” Lenny told us to be ruthless with our writing and cull at least 20% of our content. He also gave out a ton of links to additional content. One great example you should check out is “Writing Tips for IT Professionals.”
- Christian Paredes came out of speaker retirement to assist Katie with the writing portion of Tuesday’s workshop. If you have never seen his talk on writing, you must: “Pen-to-Paper & the Finished Report: The (Often Overlooked) Key to Generating Threat Intelligence.” Christian, please submit next year!
- Andreas Sfakianakis also had beneficial suggestions for intelligence writing. He built upon Christian’s previous work but also talked about using existing tools within the organization to disseminate to your stakeholders, and he also discussed how you store your CTI products.
Although my BBQ brother Paul Jaramillo was sadly unable to attend the event this year, he did put together some observations on each presentation based on live tweets and the posted presentations. You can check out his excellent work here: “2020 SANS CTI Summit Notes.”
If you have never attended the summit, I’d highly recommend you join us in 2021. Please come and join our community. I also want to encourage new presenters to respond to our CFP when it comes out later in the summer. We want to continue having a diverse mix of speakers. Here are some areas that I think we need more content on:
- Building out intelligence requirements
- Running a collection management function
- Practical examples of threat modeling
- Tying threat modeling, intelligence requirements, and collection management together
I hope to see you in 2021! If you’re interested in hearing more from the team around threat intelligence, check out our weekly podcast, ShadowTalk. Be on the lookout for CTI Summit speakers and advisory board members joining us in the very near future.