
Written by Jeremy Nichols, Director, Intelligence Fusion & Analytics
CTA: Growing and Maturing Through Collaboration
CTA membership has allowed the NTT Global Threat Intelligence Center (GTIC) to continue to mature our research, threat hunting and intelligence dissemination processes through automated and manual intelligence sharing between members. We’ve been busy migrating to the CTA’s new technical intelligence sharing platform and extending our own sharing and collaboration across members.
TRANSFORMING OUR SHARING
Beginning last fall, we began initial work to migrate from the legacy submission process to the CTA's new platform while we were also merging companies within NTT. This meant not only a technical change to the intelligence structure and submission process, but also new and changing internal threat data that we wanted to take advantage of.
As a result of all the moving parts, GTIC took a step back and redesigned toward an Extract, Transform, Load (ETL) model, which allows us to plug in new data sources without writing new connectors from the ground up. The pipeline brings together telemetry and insights from our threat intelligence platform, MSS platform, backbone data, honeypots and threat feeds to form contextual sightings of threats from NTT's multiple vantage points.
With the platform migration also came the migration from modeling threats in STIX 1.2 packages to structuring our intelligence submissions into STIX 2.0 bundles. For a bit more background, OASIS has published a good overview of the differences between versions here (https://oasis-open.github.io/cti-documentation/stix/compare). STIX 2.x is much cleaner and more contextual than 1.x was, including more robust relationships and sightings. This allows us to better understand attacks and threats from an actor and campaign perspective, as opposed to simply capturing high-level details.
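As an added illustration (not GTIC's pipeline code), the following Python folds constructed ETL-style sighting rows from several vantage points into a STIX 2.0 bundle, using an `indicates` relationship to tie each indicator to its malware family and a `sighting` object per vantage point, and checks that no `*_ref` in the bundle is left dangling. The vantage names, indicator values and family name are made-up sample data; the object fields follow the STIX 2.0 specification.

```python
import json
import uuid

SPEC = "2.0"  # STIX 2.0 carries spec_version on the bundle, not on each object

def stix_id(kind):
    # STIX 2.0 identifiers are "<type>--<UUIDv4>"
    return f"{kind}--{uuid.uuid4()}"

def build_bundle(sightings, now="2020-06-01T00:00:00.000Z"):
    """Fold ETL'd rows (vantage, pattern, family, count, first_seen, last_seen)
    into one STIX 2.0 bundle with identity, malware, indicator, relationship, sighting."""
    base = {"created": now, "modified": now}
    identities, indicators, malware, objects = {}, {}, {}, []
    for vantage, pattern, family, count, first, last in sightings:
        if vantage not in identities:  # one identity per vantage point that saw it
            identities[vantage] = {**base, "type": "identity", "id": stix_id("identity"),
                                   "name": vantage, "identity_class": "organization"}
            objects.append(identities[vantage])
        if family not in malware:  # malware SDO; 'labels' is required in 2.0
            malware[family] = {**base, "type": "malware", "id": stix_id("malware"),
                               "name": family, "labels": ["trojan"]}
            objects.append(malware[family])
        if pattern not in indicators:
            ind = {**base, "type": "indicator", "id": stix_id("indicator"),
                   "labels": ["malicious-activity"], "pattern": pattern, "valid_from": first}
            indicators[pattern] = ind
            objects.append(ind)
            objects.append({**base, "type": "relationship", "id": stix_id("relationship"),
                            "relationship_type": "indicates",  # indicator -> malware
                            "source_ref": ind["id"], "target_ref": malware[family]["id"]})
        objects.append({**base, "type": "sighting", "id": stix_id("sighting"),
                        "sighting_of_ref": indicators[pattern]["id"], "count": count,
                        "first_seen": first, "last_seen": last,
                        "where_sighted_refs": [identities[vantage]["id"]]})
    return {"type": "bundle", "id": stix_id("bundle"), "spec_version": SPEC, "objects": objects}

def dangling_refs(bundle):
    """Return every *_ref / *_refs value that points at no object in the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    bad = []
    for o in bundle["objects"]:
        for k, v in o.items():
            refs = v if k.endswith("_refs") else [v] if k.endswith("_ref") else []
            bad += [r for r in refs if r not in ids]
    return bad

# Constructed sample rows standing in for ETL output; all values are made up.
SAMPLE = [
    ("honeypot-eu", "[ipv4-addr:value = '203.0.113.10']", "ExampleLoader", 12,
     "2020-05-01T08:00:00.000Z", "2020-05-03T17:30:00.000Z"),
    ("mss-platform", "[ipv4-addr:value = '203.0.113.10']", "ExampleLoader", 3,
     "2020-05-02T01:00:00.000Z", "2020-05-02T01:20:00.000Z"),
    ("backbone", "[domain-name:value = 'loader.example']", "ExampleLoader", 40,
     "2020-05-01T00:00:00.000Z", "2020-05-04T00:00:00.000Z"),
]

if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE), indent=2))
```

Running the same indicator through several vantage points yields one indicator with several sightings, which is the contextual shape STIX 1.x packages made hard to express.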
COLLABORATIVE OPPORTUNITIES FILLING THE GAPS
NTT continues to participate in CTA working groups and committees. In relation to a malware disruption effort, we have gained tremendous insight into tracking the infrastructure of specific malware families, as well as helpful tips for reverse engineering related samples. With such a group of talented personnel, NTT researchers were also able to piece together missing artifacts from current research initiatives regarding the malware. In addition, with the vast amount of unique data from all collaborators, we have learned new processes to efficiently track these elusive campaigns.
One byproduct of the working groups and early sharing is visibility into threats being tracked by members that aren't ready for dissemination yet. NTT discovered COVID-related fraud activity being conducted by Nigerian actors targeting a healthcare manufacturing company. While NTT began working with law enforcement to take action against these actors, we shared some of our findings across members of the CTA Algorithm & Intelligence committee, and another member reached out to share similar findings they were actively tracking. While these turned out to be different actors with similar TTPs, this highlights the power of the collaboration and visibility we have within the Cyber Threat Alliance.
CONTINUED MOMENTUM
While we certainly encountered our fair share of hardships during the migration process, we're quite pleased with the results of our work and the work of all contributing members. The volume of contextual cyber threat intelligence submitted in the last couple of months alone is fantastic, and it is further powered by the formal and informal collaboration between member organizations. The NTT Global Threat Intelligence Center certainly looks forward to the continued evolution of sharing and partnership to protect customers and improve Internet security.