ThreatConnect builds academic partnerships to train the next generation of threat intelligence analysts
In The Empire Strikes Back, Luke Skywalker heads to the remote Dagobah system to undergo Jedi training. And like the swamp-covered planet, sometimes the threat intelligence landscape can seem “bog-like”. How do I turn this pile of...data into actionable intelligence? Now, the phone just rang - and I’ve lost my train of thought amidst 15 open browser tabs and I have no disembodied voice of Obi Wan Kenobi to guide me.
Add to that the widespread problem facing the entire industry: where do I find talent? Yoda waited about 20 years in exile for one who might bring about the return of the Jedi Order, but with over 200,000 cyber jobs unfilled, that’s not going to work here. Even ThreatConnect suffers from this problem. We’ve assembled a great team of researchers in no small part due to our fervent dedication to extended Star Wars analogies, but the scope of the challenge dwarfs us. As the Director of Research Operations, I want* to see a community of researchers sharing information and building off of each other’s work to tackle tough problems and play around with different techniques to see what’s useful for a threat intel analyst. And so, we turned to a path older than the Force itself: grad students.
* by want, I mean this is part of what ThreatConnect pays me to do
Two weeks prior to the start of the Spring semester, we decided to partner with Dr. Faisal Kaleem’s graduate Cyber Threat Intelligence class at Metropolitan State University in St. Paul, MN. Faisal, who embodies Yoda’s maxim of “Do or do not. There is no try”, was enthusiastic about engaging his 15 students in real world analytical experience. No fictional data. No cookie cutter answers. Faisal wanted his students to not only be doing headstands in the swamp, but publishing their work for all to see in ThreatConnect’s Common Community.
Our task? Design the Jedi training. Our goal? To ensure that our new cadre of threat intelligence analysts develop an understanding of how different tools work together, and gain familiarity with a cross-section of topics that would help prepare them for jobs in our industry; a kind of threat intelligence sampler, if you will.
We started with a case study on BlackEnergy - the malware family allegedly responsible for shutting down power plants in Ukraine - with a focus on how to model your data, grow the graph through collaboration, and look at a real world problem from the tactical indicators through to the strategic level of adversary motivation.
As the students gain confidence working in the platform, we’re layering on additional tools and reinforcing solid analytical tradecraft. One of the foundational tasks of conducting threat intelligence analysis is validating good sources of data so we’re emphasizing how to navigate the vast world of open source intelligence. After examining Point-of-Sale malware, the class investigated phishing URLs to discover which brands are being attacked, how the threat actor is using infrastructure, and other potential phishing sites operated by the same threat actor.
Next, we pivoted to malware samples to discover network indicators, behavior, and static analysis information using publicly available automated malware analysis tools on a recent security vulnerability.
Visiting the ice planet Hoth (or, what happens when the uninitiated travel to Minneapolis-St. Paul in February)
D.C. may have gotten hit hard with a blizzard in January, but we’re strangers to cold so intense it takes your breath away. When Faisal invited us to guest lecture in February (yes, February! It is, after all, Spring semester), we packed all the wool and hoped for the best. Turns out we had nothing to worry about. The students were incredibly engaged, asked thoughtful questions, and a night class that runs from 6:00-9:00pm went until almost 10:00pm. By the end, we knew we were on to something important.
For their group projects, the class is testing out new techniques and developing some beta ThreatConnect apps to see what’s useful for analysts. One group is going to analyze usage of tags in ThreatConnect, which play a fundamental role capturing metadata like malware families, countries, and attack vectors. Another group will conduct an analysis on IP ranges in search of common threat actors. And a third group will develop a temporal infrastructure analysis method to see if a strong correlation between two DNS timelines indicates the domains are part of the same infrastructure operation.
Call for mentorship
We’d like to encourage our community to interact with our newest cohorts of users whether you’re a threat intel Jedi master or a crafty survivalist like Han Solo who has learned lessons the hard way. The students are sharing their work as MetroIntelGroup - so pop into Common Community and help them take their analysis a step further. If you’re an Infosec professional in Minneapolis-St. Paul, we’re assembling a panel the first week of May (when we may only need one or two layers of wool) to hear the students’ group proposals. We would love industry participation! If you are interested, please email: email@example.com.