updated Sept 7, 2023
Cyber threat intelligence (CTI) frameworks simplify and organize intelligence gathering, ensuring the collection, analysis, and sharing of relevant information with stakeholders.
A CTI framework is a structured approach used to gather, analyze, and utilize information about potential cyber threats. Frameworks vary in structure and focus, but they typically consist of several parts: threat identification, threat intelligence feeds, analysis techniques, incident response procedures, information sharing protocols, and continuous monitoring.
They help organizations better understand the threat landscape, improve their security posture, and make more informed decisions to mitigate risks.
As the CTI industry continues to grow, so do the discipline’s thinking tools, or frameworks. Whether your intelligence team uses the Cyber Kill Chain, Diamond Model, or MITRE ATT&CK, you can find one that helps your security team gather and organize intelligence.
We are likely to see even more frameworks emerge in the near future as CTI security and threat landscapes continue to develop. This is an advantage in many ways. The proliferation of frameworks highlights the growth of the CTI industry. Building common vocabulary and concepts to articulate what are often highly complex threats ultimately makes CTI more digestible.
ReliaQuest utilizes frameworks like MITRE ATT&CK to provide actionable intelligence on significant incidents. One example is the US accusing the Russian GRU. Another example is concerns about the cyber threat following the assassination of Iranian General Qasem Soleimani.
The growing role of these frameworks also poses challenges to the industry. Analysts should focus on the benefits of each approach instead of spending too much time measuring different frameworks against each other. Ultimately, we should not see CTI thinking tools as a zero-sum game. We don’t need one framework to rule them all.
Analysts may adopt CTI frameworks without understanding their purpose or the issues they address, which can be risky. It’s important to have a clear purpose when integrating MITRE ATT&CK, rather than just doing so without any real reason.
Different CTI frameworks can co-exist. Let’s discuss some practical rules to keep in mind when integrating a cyber threat framework into intelligence practices.
Embarking on creating and building a threat intelligence capability? Check out our Threat Intelligence Deep Dive.
Frameworks are, ultimately, thinking tools. Each framework possesses unique characteristics and developers have made different design decisions regarding their degree of abstraction and focus.
It’s better to think of frameworks as options in a cookbook. We can choose the ones that work best for the situation or problem we’re dealing with.
This is an approach widely recognized elsewhere in the industry. After all, there’s no one way to perform penetration testing or malware analysis. Instead, red teamers and malware analysts possess a cookbook (or toolkit) of different programs and techniques. Depending on the challenge at hand, it’s up to them to decide which tools would be most useful and appropriate.
Knowing the strengths and weaknesses of various CTI frameworks is important. However, it is even more crucial to understand when each framework is suitable or not suitable for different situations. This shift in mentality allows for the peaceful coexistence and more agile use of different frameworks.
Despite the clear benefits of using CTI frameworks, there’s a risk of applying them in the wrong way. The following set of rules provides a practical checklist for practitioners looking to integrate these thinking tools into their intelligence processes.
Know Your Audience
CTI frameworks should always be audience-centric. This is where the idea of a cookbook is vital. On the one hand, a C-suite audience will struggle to follow along with frameworks considered straightforward in the industry. Intelligence teams should always be aware of the danger of overwhelming non-technical readers and senior stakeholders.
On the other hand, in other contexts even a more detailed framework is too simple. Juan Andres Guerrero-Saade cautions that the industry’s current thinking tools may result in a fragmented approach to intelligence. This fragmented approach could hinder consumers from fully comprehending attacks and potentially lead to increased complacency.
Avoid the Reverse-Engineering Trap
Intelligence teams should ideally look at the challenges they face and ask how to solve them. This is the time to consider how various CTI frameworks might help (or not). CTI frameworks should ultimately address a problem and improve a team’s products and services.
Intelligence teams often make the mistake of integrating CTI frameworks before identifying problems to solve. They end up justifying why they used the framework.
Frameworks Aren’t a Magical Elixir
As useful as they can be, CTI frameworks are rarely a substitute for hard work. While frameworks might make analysts’ lives easier, intelligence is not the same as tagging.
Intelligence is an ongoing and dynamic process that often requires nuanced assessment and tradecraft. You should regularly assess the use of frameworks as threat actors change and refine their tactics over time. This highlights the importance of more dynamic forms of adversary profiling. Frameworks can play a role in capturing tactics of threat actors, but they can be implemented in good or bad ways.
Not Everything Needs a Framework
As great as frameworks can be, they should be enablers, not straitjackets. Using a framework for the sake of using a framework helps no one. Analysts should often present intelligence requests via frameworks, but they shouldn’t be afraid to go off-piste. Analysts should discard frameworks if they can present intelligence in a more digestible and straightforward way for the audience at hand.
Don’t Dismiss DIY
Unlike plastic, single-use frameworks don’t have a carbon footprint. You can develop frameworks, fancy tables, and flashy infographics to present a very particular problem, and then never use them again. They can be thrown away, reassembled, and modified in whatever way makes the most sense. As long as such an approach improves the delivery of intelligence, you should embrace flexibility.
The cyber-security industry is now a vast space that comprises different audiences, communities, and problems. A variety of CTI frameworks should reflect this reality. The growing role of conceptual frameworks within the CTI community presents opportunities to improve the intelligence provided to consumers.
But people can also misuse these thinking tools. Ensure you focus on using frameworks to solve problems and improve the delivery of intelligence. In doing so, the industry will ensure that the thinking tools we use play a central role in improving security.
Curious to see how we’ve used cyber threat intelligence frameworks in assessments here at ReliaQuest? Check out some of the examples below.
Mapping Iran’s Rana Institute to MITRE Pre-ATT&CK and ATT&CK
Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework
Mapping the Tyurin Indictment to the Mitre ATT&CK™ framework
Purple Teaming with Vectr, Cobalt Strike, and MITRE ATT&CK
SamSam But Different: MITRE ATT&CK and the SamSam Group Indictment
The 2017 FSB indictment and Mitre ATT&CK
MITRE ATT&CK™ and the North Korean Regime-Backed Programmer
Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations