Written by Wade Woolwine, Principal Security Researcher, Rapid7
Five years ago, when Rapid7 connected with the Cyber Threat Alliance (CTA), we had just started our entry into the incident detection and response space. With our background in offensive security, we naturally gravitated to detecting threats through user accounts and attacker activity on the endpoints. As we matured, it became apparent that we needed to work to integrate traditional methods of threat detection by way of threat intelligence to best help our customers close the gap between their capabilities and those of the attackers. Joining CTA checked several boxes for us upfront: a network to share indicators, a network to collaborate on improving the quality and context of indicators, and a network of professionals to help advise on the evolution of our own threat intelligence programs.
Helping find and define the threats
At the tactical level, the technology that powers CTA’s intel sharing platform and the community of contributors help our research team achieve broader dissemination of the findings and data from our research projects. Our incident responders and SOC analysts have a constant source of fresh detections, with the context needed to help them make faster and more accurate decisions during alert triage and threat validation. The early sharing program gives us a heads-up on new content releases and the opportunity to roll out protections for ourselves and our customers before the content is public. The Algorithm and Intelligence (A&I) committee gives us a network of seasoned professionals to collaborate with when researching emerging threats and analyzing the threat landscape.
Helping guide our maturation
On the strategic level, many Rapid7 “Moose” from our research and executive teams (a side note for the uninitiated: these are our employees, not actual moose) participate in sub-committees such as the Olympics and Elections security working groups, and our own CEO Corey Thomas also sits on the board of CTA. The networking that CTA offers each of our participants has been an additional benefit of our membership. As early members with such broad participation in CTA, we have been able to see the positive evolution of all aspects of CTA, from technology to membership.
Building it right the first time
For me personally, the value of the membership has been the rigor with which indicator sharing is set up. As we began our journey in indicator management, having to adopt STIX and meet the specific content requirements tied to CTA’s sharing points drove a lot of our decision making. As a result, today we have an incredibly well-managed and organized set of data, with the appropriate context and processes to ensure we can disseminate the right information to our internal and external partners. Data organization is the foundation upon which any threat intelligence program is built, and CTA gave us the roadmap to get there.
Author: Cyber Threat Alliance