Home - center-for-threat-informed-defense/cti-blueprints GitHub Wiki

Introduction

CTI Blueprints is a free suite of templates and tools that helps Cyber Threat Intelligence (CTI) analysts create high-quality, actionable reports more consistently and efficiently. CTI analysts face many challenges in creating consistent, actionable reports, including time and resource constraints, lack of analytic training and guidance, and lack of feedback from customers on what works. This project provides a set of solutions that increase the operational relevance of reports through a standardized set of templates that help analysts answer specific analytic questions for common cyber security use cases, sample reports that demonstrate best practices for each type of report, and a set of tools for publishing both human and machine-readable reports.

Who is CTI Blueprints For?

CTI Blueprints is targeted at any CTI team seeking a standard format for report production and/or to reduce manual processes in their workflow. Each template is designed to address the needs of common CTI customers, including (but not limited to):

  • SOC analysts
  • Threat hunters
  • Red/Purple Teamers
  • Executives

Everyone does CTI differently, but we believe that CTI producers of all different resource levels and CTI consumers will find value in this attempt to standardize and streamline certain aspects of the process. For example, some teams may choose to customize and deploy the Word templates. Other teams may adopt the CTI Blueprints Suite for authoring and publishing reports in a highly flexible, tailored manner.

Use Cases

The CTI Blueprints project is designed to support cyber intelligence teams in producing intelligence. It enables scale, repeatability, and targeted dissemination of reports, analysis, and data, acting as a force multiplier for teams.

Scale

CTI teams struggle with the amount of data that must be curated, entered, and disseminated in their reporting in support of different critical mission functions. The CTI Blueprints plugin framework is designed to automate this data curation and ingestion to reduce production times and human error. In the future, this extensible framework will allow analysts to embed Attack Flow and heat map diagrams, link to D3FEND countermeasures, and automatically fill tables from a CSV file. It can also be built out to automatically import IOCs from existing TIPs, greatly reducing the time it takes to produce a complete report. This automation lets CTI teams focus on analysis rather than data entry, and reduces human error.

Repeatability

Bringing new members of the team up to speed quickly, reducing the likelihood of human error, and ensuring that reports have the same information and tone regardless of authorship are all challenges that CTI teams must overcome. CTI Blueprints' focus on discrete templates with example reporting enables analytic training and acts as a forcing function for addressing the essential elements that provide value to the end consumer of the intelligence product. The templates and tool create an environment where the exclusion of data must be a conscious choice rather than an accidental omission. This will help teams create lasting, standardized production that is uniform across all team members.

Targeted Dissemination

The tool, with its multiple plugins, enables an analyst to produce a single report that, upon publication, can generate machine-readable JSON for automatic ingestion into defensive systems and knowledge management systems. This reduces the time analysts spend maintaining systems and cleaning data, freeing them to focus on analysis and producing high-impact reports.

[Architecture diagram]

Project Goals

We intend to impact the industry in the following ways:

Advance the quality and standardization of CTI reporting

Currently, CTI is produced with different data, in different formats, and of varying quality. This inconsistency and lack of standardization imposes costs on both CTI producers and CTI consumers, who struggle to rapidly identify relevance to their job role in a pile of unstructured data. CTI Blueprints increases the operational relevance and quality of CTI reporting through a set of standardized templates with baked-in guidance that includes the essential elements of information required by a specific customer. We developed these templates by identifying the key decisions that CTI consumers, such as the SOC, need to make. From there, we identified the key decision-enabling data points provided by CTI and included those data points as fields in the template, with prescriptive guidance on how to fill them out for maximum impact. We also designed a suite of tools to increase the quality and usability of CTI reporting through a machine-readable JSON export format.

Increase analytic rigor in the CTI community

It has been argued that CTI is a product without a process and simply throws more technology at the problems when, in fact, CTI needs a more rigorous analytic framework for understanding the threat environment and creating actionable reports (Oosthoek and Doerr, 2020). Through this project, we sought to encourage basic analytic tradecraft in the templates to enable higher quality reporting in the following ways:

  • Intelligence Requirements
    • Encourage analysts to work with their customers to generate a set of questions that the CTI team needs to answer to ensure that their reporting is actionable for that specific audience.
    • Planning and Direction is the first step of the Intelligence Cycle and guides the execution of the following steps.
    • Writing reports to a set of Intelligence Requirements will help CTI analysts prioritize their data collection and analysis efforts, identify gaps, and be better equipped to measure the success of their reports.
    • Note: This field does not contain specific guidance, as it needs to be customized by individual teams.
  • Feedback
    • Feedback is critical, as CTI analysts have no way of knowing if their report was actionable without a dialogue with their customers.
    • Encourage CTI analysts to elicit feedback from their consumers on whether the report addressed their Intelligence Requirements, how the report could be more actionable, additional Intelligence Requirement questions to answer, etc.
    • Ideally, there should be a feedback loop to eliminate silos and optimize CTI production.
    • Note: The templates suggest that CTI analysts provide a point of contact (e.g., an email address) for customer feedback, but teams should use whatever feedback mechanism works best for them. The sample reports provide an example survey that CTI teams can use for feedback.
  • Probability Matrix
    • Encourage CTI analysts to properly express and explain uncertainties associated with major analytic judgments.
    • Consistency in the terms used is critical for success in expressing uncertainty.
  • Data Sources
    • Encourage CTI analysts to cite the underlying sources that underpin the analysis to back up their assessments.
  • Intelligence Gaps
    • Encourage CTI analysts to identify information that, if known, would change their assessments.

Make it easier to consume and share CTI

Most CTI is shared as prose without much structured data (aside from IOCs). Having a standard for what makes a good CTI report, a common machine-readable JSON format, and a means of transforming that JSON into an easily consumable product for a specific audience makes it easier to consume and share CTI.

Reduce manual processes in report building

The CTI Blueprints Suite of tools reduces manual processes through a set of plugins that save time, reduce user error, and connect reports to other data sources. In the future, the built-in plugins will allow analysts to automatically fill tables from CSVs, connect and auto-search from MITRE ATT&CK, and integrate with Attack Flow and D3FEND. Analysts can also build their own plugins to tailor the tool to their resources and needs, and we hope that the project will continue to expand its plugin library.

Support increased integration between CTI teams and their stakeholders to enable better outcomes

The CTI Blueprints templates were designed to enable CTI teams to provide their customers the data they need when they need it. For example, the Intrusion Analysis template was built so that CTI teams can provide more tactical information faster to the Incident Response (IR) team, which is typically a fast-moving unit. We designed the template in the hope of increased dialogue between IR and CTI teams, with the CTI team providing net new information to enable intel-led detection and reduce the burden on the IR team. The Executive template was designed to provide executives with the information they need to make decisions, in a format they can easily digest.

Which Template Should I Use?

The templates are designed to provide key intelligence in support of one of the four goals of Know, Find, Change, and Inform. Each template is designed to help intelligence teams provide actionable intelligence for their end consumers. This information is also provided within the CTI Blueprints Authoring Tool Splash Page.

Know

The Threat Actor Report is designed to be an encyclopedia for the organization for a given threat actor or category of activity. This report should be treated as a living document that the intelligence team maintains on a periodic basis. The primary purpose of this report is to provide an easy reference for tactical teams to understand how the threat actor relates to your organization, what is already known about the group, and useful technical information that can inform follow-on actions.

Find

The Intrusion Analysis Report is designed to be used in support of active hunting and incident response operations. This report should be treated as an iterative document that focuses more on speed to publication than on completeness of information. Because its primary audience is incident response teams, this analysis provides actionable indicators for analysts to search for in information systems. It is intended to provide tactical, real-time support to those trying to prevent harm to company systems.

Change

The Campaign Report is designed to highlight new information related to a threat actor or its capabilities. It should focus on new information and highlight how it poses a changed risk to your organization. It should not be an exhaustive product cataloguing all information about the topic, but rather a succinct report designed to convey a change in the status quo to the intended recipient.

Inform

The Executive Report is designed to inform senior decision makers about a particular risk. This should be focused on executive audiences and in support of strategic problems. It will focus on why and how, rather than what and when. This report will be devoid of technical details and appendices in support of long-form, narrative writing to enable better business decisions.

To download templates and sample reports, see: CTI Templates.

Get Started

Here are a few ways for you to learn more and get started with CTI Blueprints.

  1. Check out the templates and sample reports. Reviewing the templates and their baked-in guidance is a great place to start learning about CTI Blueprints. Each template has an accompanying sample report to demonstrate how the published report could look.
  2. Create your own report. Use the provided Microsoft Word templates or use the web-based Authoring Tool.
  3. Tell us what you think. Find us on LinkedIn or email us at [email protected] and let us know how you're using CTI Blueprints and what ideas you have to improve it.
  4. Spread the word! Our goal is to increase adoption of CTI Blueprints in the community and have analysts integrate it into their production workflow. CTI Blueprints is open-source, so go ahead and share it in your professional network!