CTA & The Importance of Building and Learning Through Action
By Wade Woolwine, Principal Security Researcher, Rapid7
Five years ago, when Rapid7 connected with the Cyber Threat Alliance (CTA), we had just started our entry into the incident detection and response space. With our background in offensive security, we naturally gravitated to detecting threats through user accounts and attacker activity on the endpoints. As we matured, it became apparent that we needed to work to integrate traditional methods of threat detection by way of threat intelligence to best help our customers close the gap between their capabilities and those of the attackers. Joining CTA checked several boxes for us upfront: a network to share indicators, a network to collaborate on improving the quality and context of indicators, and a network of professionals to help advise on the evolution of our own threat intelligence programs.
Helping find and define the threats
At the tactical level, the technology that powers CTA’s intel sharing platform and the community of contributors helps our research team achieve broader dissemination for the findings and data from our research projects. Our incident responders and SOC analysts have a constant source of fresh detections with the context needed to help them make faster and more accurate decisions during alert triage and threat validation. The early sharing program gives us a heads up for new content releases and the opportunity to roll out protections for ourselves and our customers. The Algorithm and Intelligence (A&I) committee gives us a great network of seasoned professionals to collaborate with when researching emerging threats and threat landscape analysis.
Helping guide our maturation
On the strategic level, many Rapid7 “Moose” from our research and executive teams—a side note for the uninitiated, these are our employees, not actual moose—participate in sub-committees such as the Olympics and Elections security working groups; and our own CEO Corey Thomas also sits on the board of CTA. The value in networking offered by CTA to each of our participants has been an additional benefit of our membership. As early members and with such broad participation in CTA, we have been able to see the positive evolution of all aspects of CTA from technology to membership.
Building it right the first time
For me personally, the value in the membership has been the rigor with which indicator sharing is setup. As we began our journey in indicator management, having to comply with adopting STIX and reaching specific content requirements tied to points really drove a lot of our decision making. As a result, today we have an incredibly well-managed and organized set of data with the appropriate context and processes to ensure we can disseminate the right information to our internal and external partners. Data organization is the foundation upon which any threat intelligence program is built, CTA gave us the roadmap to get there.