A cybersecurity analyst shares how developing a threat intelligence (TI) feed improved their company’s cybersecurity, leading to the mitigation of a payroll data breach and the discovery of an attack on a competitor.
Commercial TI feeds can be expensive and may not cover niche threats, industry-specific attacker activity, or local hacker forums; therefore, it is necessary to supplement these with bespoke feeds.
The analyst’s system, “Project Owl,” relied on a diverse set of sources including Russian carding forums, GitHub commit exploits, dark web API leaks, and competitor breach reports and used a variety of analytical tools.
Layer 1 of Project Owl is the collection engine layer, which uses APIs to gather data from sources at scale and lets findings be filtered by parameters such as region, date, or specific threats.
The analyst recommends that any bespoke threat intelligence system should be flexible, allowing new sources to be introduced quickly and existing ones to be refined, and should trigger automated actions for high-confidence findings.
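One way to sketch that collection layer (pluggable sources, filtering by region, date and threat) together with the automated-action rule for high-confidence findings, as an added example that is not Project Owl's code; the collector names, the Finding fields and the sample records are constructed assumptions:

```python
# Added example, not Project Owl's code: pluggable collectors, layer-1 filters,
# and an action hook that fires only for high-confidence findings.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    source: str
    indicator: str      # e.g. a domain or hash mentioned in a report
    threat: str         # category tag, e.g. "credential-theft"
    region: str
    seen: date
    confidence: float   # 0.0 - 1.0, assigned by the source's collector

# Registry of collectors: adding a source is one function plus one decorator.
COLLECTORS = {}

def register(name):
    def wrap(fn):
        COLLECTORS[name] = fn
        return fn
    return wrap

@register("forum-monitor")
def forum_monitor():
    # Constructed sample records standing in for an API response.
    return [
        Finding("forum-monitor", "example-payroll-portal.invalid",
                "credential-theft", "EU", date(2024, 3, 2), 0.9),
        Finding("forum-monitor", "old-news.invalid", "spam", "US",
                date(2023, 1, 1), 0.3),
    ]

@register("code-search")
def code_search():
    return [Finding("code-search", "leaked_key_fragment", "secret-leak",
                    "EU", date(2024, 3, 5), 0.75)]

def collect(region=None, since=None, threats=None):
    """Run every registered collector and apply the layer-1 filters."""
    out = []
    for fetch in COLLECTORS.values():
        for f in fetch():
            if region and f.region != region: continue
            if since and f.seen < since: continue
            if threats and f.threat not in threats: continue
            out.append(f)
    return sorted(out, key=lambda f: f.confidence, reverse=True)

def triage(findings, threshold=0.8, act=lambda f: None):
    """Call `act` (e.g. open a ticket) only for high-confidence findings."""
    acted = [f for f in findings if f.confidence >= threshold]
    for f in acted:
        act(f)
    return acted
```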