A year in Threat Intelligence

In March 2019, I started within the threat intelligence team of ABN AMRO. In this blog, I’ll look back onto my first year of working as a threat intelligence analyst. Before diving into that, I’ll provide some background on what I looked for in a job, and what working in a threat intelligence team embodies. This blog is solemnly based upon my own experiences so far.

My background and wishes

Malware has always had my interest, hence the existence of my Binary Analysis Course. During my studies, I interned and worked as an Android malware analyst. My bachelor thesis covered lesser known anti-virus evasion techniques, meaning that the known injection methods were out of scope. I succeeded in evading all selected anti-virus suites and graduated cum laude in the end of January 2019.

I looked to get a job that involved the technical analysis of malware, but would also involve lesser technical components. This would enforce the need for both a technical and non technical bigger picture. Additionally, I wanted to be in a team that did in-depth research into technical topics.

What is threat intelligence?

In short, a threat intelligence team investigates threats outside of the organisation, and reports about relevant threats to internal teams. Ideally, intelligence is actionable, timely, and contextualised for the recipient(s). If the intelligence is not actionable, one cannot do much with it. If the intelligence is late, it becomes information that can be read in the news. If there is no context, the recipient does know what to do with the given intelligence. If the intelligence is actionable, in time, and contextualised, the receiving party can use it to base their decisions on, or alter them based upon it.

Naturally, this brief explanation does not capture the whole profession accurately. However, it does provide enough of an overview for this blog.

A year in review

Within the threat intelligence team, each person has a different area of expertise, with mine being malware. This ranges from knowing the modus operandi of malware families, to being able to analyse unknown files.

Modus operandi

This is also where I learned the most in my first year: keeping track of modus operandi per family. Previously, I kept track of trends on a more general level. It took me a bit to catch up on the most prominent and relevant families, and that really paid off. In some cases, reports about certain actions sound believable, but make less sense when looking at the modus operandi.

An example of this were several reports about new campaign subjects in Emotet malspam. Some reports spoke about templates for the malspam, but these mails were only sent out by hijacking existing e-mail threads on the victim’s machine. As such, these mails were only sent to a small group, and were not used to spread the Emotet trojan from the actor.

Contacts

This refers to both internal and external contacts. Internally, one should have close contact with relevant teams in case something needs to be relayed. As this is my first job, it took me a bit to fully understand who handled what, and how I should provide the relevant information to them. Different teams require different pieces of intelligence. As such, the provided intelligence should fit the need of the recipient. Based on that, the recipient can directly act based upon the given information.

External contacts are used to exchange information with. Other researchers that closely track one or more malware groups often provide valuable insight. Based on my own knowledge, and armed with the specific facts from external contacts, a well thought decision can be made.

Establishing external contacts is, generally speaking, easier when employed by a company, compared to being a student. Working provides a basis of trust, since one can be fired from his/her job if grave mistakes are made. On the other hand, students do not require this information in general. In my experience, research groups are open to anybody that can contribute to the common goal. This also makes sense, as the information that is shared in such groups isn’t damaging to one or more companies, but about the technical developments of malware.

Technical learning

Aside from knowing who to contact when and where, I also focused on learning more about malware in a technical sense. The MageCart analysis I wrote in March 2019 served as a basis for my recent blogs about MageCart group 12. These blogs, about infected ticket resellers, the jump to new domains, the continued campaign, and the ongoing campaign all hit the international news.

I try to learn at least one new thing every day, which can be as simple as a new hot key in an analysis program, or how to decrypt the strings within a specific malware family.

Conclusion

The threat landscape is evolving, which makes it the duty of any threat intelligence analyst to stay on top of things. Sharing information when possible will weaken the effectiveness of actors. Note that not all information should be shared publicly to avoid tipping off the actors, or because the information has been classified.

To be continued next year!


To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit or DM me on Twitter @LibraAnalysis.