A day in the life of… a cyber threat intelligence lead

I’m wondering this – not because I have a wild social life – but because cyber criminals never rest. To find out what they’ve been up to while I was asleep, I’m straight onto a malware information sharing platform (MISP). Luckily, I have already automated the extraction of data from our incident response cases. This means I can build a picture of what new cases have come in overnight and, crucially, I can investigate whether there is any overlap between them, anything unusual or something especially interesting.

At Thomas Murray, we embed cyber threat intelligence (CTI) into every service. To make sure my colleagues have the support they need for the day, I set about helping them to prepare for meetings and client calls, and providing them with data they can use to conduct threat hunting, incident response, threat emulation or penetration testing.

Then I look into the open-source data to make sure I know what’s happening across information security, geopolitics and anything else which may affect our world. I also like to keep an eye on who is suffering ransomware or DDoS attacks, or being mentioned on the dark web. This is where the “typical” part of my day ends, and the organised chaos begins.

More coffee is essential.

9am: Organised chaos begins

I spot something particularly interesting in our case data and on one of the feeds. It requires further research and analysis, and I draft a report so that we can inform our clients. Questions from colleagues and clients start coming in, and I research the answers and write them up.

To gather as many sources of information as possible, I manually analyse the malware to gain further context, and do some fact finding with a bit of data enrichment along the way.

At the risk of being too honest, I have a tendency to develop a pre-conceived idea of what the report will look like or what its conclusion will be. I am, however, often incorrect and surprised.

12pm: Speeding the intelligence cycle

I like to automate anything I possibly can. Don’t get me wrong – I also love analysis, so I’m not shortcutting that part! But using workflow tools and Python can remove a lot of the burden when it comes to the collection and processing phases of the intelligence cycle.

The automations regularly need tweaking, so I get to work on improving them. Besides, I’ve thought of something more efficient and useful they can do for me.

We have built automations to enable everyone in the team to access our CTI data, allowing us to make informed and quick decisions.

Speaking of quick, I dash to the kitchen to grab some lunch. I bring my sandwich back to my desk and sigh heavily when I realise I have used natural yoghurt instead of mayo. I do not have time to make another sandwich, and some things you just can’t automate.

2pm: It all kicks off again

Yet another “something interesting” crops up in one of our cases that indicates an active threat.

The examiners (that is, the members of team who deal with digital forensics and incident response) need me to provide any associated malware, scripts or indicators I’ve found in correlated cases. Past experience is a massive help here – I’ve been able to identify how a threat actor gained privileges or disabled anti-virus because I had already collected the scripts from another case. We were then able to determine that these same scripts were indeed the ones executed.

Today’s incident is significant. I’m an extra pair of hands to assist with triage and forensic analysis of the affected endpoints, and this is one of those times when I’m asked to lead an incident response engagement. Not going to lie – I find this really interesting, and a bit exciting. I still enjoy getting into the weeds because it helps me get a feel for what threat actors are doing. Everything I learn from these projects gets fed back into cyber threat intelligence.

For example, it was some time ago now, but I once identified what was then a new strain of ransomware. Thanks to the information gathered, I could track the adversary’s initial access methods, their method of encryptor execution and other associated tooling. Working with a colleague, we decoded the obfuscated launch commands. These sorts of findings really get me excited, and I think it shows the value of threat intelligence, especially when those findings can be shared with the wider community.

As to the current issue, eventually I am going to be able to identify what data the ransomware actor has exfiltrated (stolen) – even though they’ve conducted heavy anti-forensics across the network. But, right now, I’m just starting the painstaking process of piecing together tiny thumbnails from the RDP cache. Once completed, this complex jigsaw puzzle is going to show me the PowerShell prompt where they used Rclone to exfiltrate a large amount of sensitive data to a cloud service.

(PowerShell and Rclone are programs – PowerShell is for task automation and configuration management, and Rclone is for managing files on cloud storage.)

3:30pm: A short break

More coffee (also water and some fruit. I’m trying to set a good example for my son). While I wait for the coffee machine to do its thing, I remember a crazy, yet educational, “4x ransomware case” (yes, four different adversaries were present!), where the victim was totally unaware of the problem until one of the threat actors called to demand a ransom. The victim’s managed service provider (MSP) had – for some reason – stored everyone’s passwords in an Excel document.

The MSP’s domain administrator password had also been breached, and for at least ten years it had been widely available to threat actors. And yet, organisations still trust their third parties to keep their sensitive information secured.

3:45pm: Things get dark

I spend the late afternoon on the dark web, hunting for information about things like data leaks and monitoring general chatter about the client at the centre of today’s major incident.

I’m also looking for breached credentials or access brokering to ensure that the client is aware of any further potential inbound threats. Thomas Murray’s Orbit Security platform provides this sort of data automatically, but I’m doing a one-off search for more detailed analysis. In the past, this type of analysis has found all kinds of data, including sensitive information submitted by an employee into a public sandbox and all kinds of mistakes in the adversaries’ tradecraft, which gives me clues as to which other profiles they collaborate with, and the make-up of a threat group’s membership.

5:30pm: Downtime (sort of)

“Relaxation time” with my two-year-old son is not very relaxing, but it is a lot of fun. Don’t tell anyone, but I think I like playing with his toys more than he does. Fortunately he’s good at sharing, and insists that each one of his toys gets an equal amount of my attention. I do my best, even though my son tries to wrestle me to the floor the whole time.

Once we put him to bed, my wife and I catch up on our extensive watchlist and compare notes about our days. We also plan our next family holiday – threat actors may never take a break, but I am allowed some time off!