scoutTHREAT - Workflow Example: Creating Your First Threat Actor Object

Workflow for creating a Threat Actor object

Written by Benjamin Dewey
Updated over a week ago

This workflow example consists of two parts: Using scoutTHREAT and Using TICE.

Following all the steps in both parts will give you a good first experience of what's possible when using these tools.

PART 1: Using scoutTHREAT

A lot of your cyber threat intelligence work will be spent creating and updating Threat Actor profile objects. Below are the basic steps for getting started with creating your first object.


Before you begin, you must ensure scoutTHREAT has been configured correctly and that an Identity has been created for you and/or your organization. For steps on creating an Identity, see Workflow Example: Adding an Identity Object.


Once an Identity has been created, you can add a new Threat Actor profile. Follow these basic steps:


1. To add a Threat Actor Object, navigate to Intelligence, then click on Threat Actor.

2. If any exist, a list of Threat Actor objects will load with the item Name, Type, date Created and Modified.

3. Click on Create New on the top right side of the page.


4. Enter a Name and Description for your Threat Actor object profile.

5. On the right panel of the page, select the Confidence level you have about this Threat Actor. Choose a number from 1 to 10, 1 being the highest level.

6. Then, select the Threat Actor Type from the drop-down menu (e.g., hacker, competitor, nation-state, etc.).

7. Click on the empty field under Aliases to add alternative names used to identify this Threat Actor. Type the name of the alias then click on Create.

8. Next, you can choose from the drop-down menu the level of Sophistication the Threat Actor has when it comes to the skill, specific knowledge, special training, or expertise to perform an attack.

9. A Threat Actor can play many Roles such as agent, author, etc. Choose from the drop-down the role your Threat Actor object generally plays.

10. Next, choose the Threat Actor's Resource Level from the drop-down menu. This can include the organizational level at which this Threat Actor typically works, which in turn determines the resources available to them for use in an attack.

11. Under Primary motivation, you can select the primary reason, motivation, or purpose behind this Threat Actor. The motivation is why the Threat Actor wishes to achieve the goal (what they are trying to achieve).

For example, a Threat Actor with a goal to disrupt the finance sector in a country might be motivated by ideological hatred of capitalism.

12. You can also add the Threat Actor's Secondary motivation. This property specifies the secondary reasons, motivations, or purposes behind this Threat Actor.

13. Next, you can select the Threat Actor's possible Personal motivations. This can include notoriety, revenge, coercion, personal-gain, and others.

14. It is optional to add dates for when the Campaign was First seen and Last seen. To add dates, click on Select Date fields to choose from the calendar.

15. Click on the + in the center of the page to save the information.

You can also add Notes, Opinions, Checklists, and Relationships to the profile. For more detailed steps, see Audit, Notes, & Opinions.
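A check you can run over a drafted profile before entering it in steps 4 to 14, added here as an example and not part of scoutTHREAT or its documentation. It assumes the form's fields correspond to the STIX 2.1 Threat Actor properties and open vocabularies, which the page does not state; `review_profile`, the field names and the sample draft are hypothetical, and the 1 to 10 confidence range is the one given in step 5.

```python
from datetime import datetime, timezone

# Suggested values from the STIX 2.1 open vocabularies. Mapping the form's
# drop-downs to these lists is an assumption; the page does not show its lists.
MOTIVES = {"accidental", "coercion", "dominance", "ideology", "notoriety",
           "organizational-gain", "personal-gain", "personal-satisfaction",
           "revenge", "unpredictable"}
VOCAB = {
    "threat_actor_types": {"activist", "competitor", "crime-syndicate", "criminal",
                           "hacker", "insider-accidental", "insider-disgruntled",
                           "nation-state", "sensationalist", "spy", "terrorist",
                           "unknown"},
    "sophistication": {"none", "minimal", "intermediate", "advanced", "expert",
                       "innovator", "strategic"},
    "roles": {"agent", "director", "independent", "infrastructure-architect",
              "infrastructure-operator", "malware-author", "sponsor"},
    "resource_level": {"individual", "club", "contest", "team", "organization",
                       "government"},
    "primary_motivation": MOTIVES, "secondary_motivations": MOTIVES,
    "personal_motivations": MOTIVES,
}

def _values(v):
    """Normalise a missing, single or multi-valued field to a list."""
    return [] if v is None else [v] if isinstance(v, str) else list(v)

def _ts(text):
    """Parse a UTC timestamp written as YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_profile(p):
    """Return the problems found in a drafted Threat Actor profile (dict)."""
    problems = []
    if not str(p.get("name", "")).strip():
        problems.append("name: required")
    c = p.get("confidence")
    if c is not None and (type(c) is not int or not 1 <= c <= 10):
        problems.append("confidence: must be a whole number from 1 to 10")
    for field, allowed in VOCAB.items():
        for value in _values(p.get(field)):
            if value not in allowed:  # open vocabulary: flag it, do not reject
                problems.append(f"{field}: '{value}' is not a suggested value")
    names = [a.strip().lower() for a in _values(p.get("aliases"))]
    if len(set(names)) != len(names):
        problems.append("aliases: duplicate entry")
    if p.get("first_seen") and p.get("last_seen"):
        if _ts(p["last_seen"]) < _ts(p["first_seen"]):
            problems.append("last_seen: earlier than first_seen")
    return problems
```

Because the STIX vocabularies are open, a value outside the lists is reported for review rather than treated as invalid.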


After creating the Threat Actor object you can receive and gather intelligence data from the TICE cloud.


PART 2: Using TICE

Before you log in to the Threat Intelligence Collaboration Environment (TICE) module to view intelligence data from the cloud, you must first create and trigger a Threat Query for the Threat Actor profile.

A Threat Query is a saved search for finding Threat Actor names, Malware names, etc. in the system. For more information, see Threat Queries.

1. On scoutTHREAT, navigate to Search.

2. Next, type in the name of the Threat Actor in the search box.

3. Select the Threat Actor checkbox under Filters, then click Search.

Since this is your first time using scoutTHREAT, it is likely that you will not get any results for your Threat Actor.

4. Next, enable TICE Environment by clicking on the slide button.

5. Click Save as Threat Query on the top right side of the page.

NOTE: You can still save your search even if no results were returned.

6. A pop-up window will be displayed asking you to enter a name for your Threat Query. When you are done, click OK.

7. Next, confirm your threat query was saved by navigating to Workflow then to Threat Queries.

8. Click on the TICE Environment slide button.

9. Look for the Threat Query you had saved on the list and click on Run Now in the Actions column to trigger it.

10. After waiting about 15 minutes, you can go back to Search, click on TICE Environment, then run another search.

11. If any intelligence was found in the cloud it will now appear in the search results. Click on Download in TICE.

12. Next, log in to the TICE Module and navigate to the Validation page to look for the item(s) you clicked to download during your search.

13. To download the data item(s) to your scoutTHREAT system, you must follow the validation process to Approve or Reject the item.

14. Click on Review and ensure the destination of the data is scoutTHREAT.

15. If all the information on the page looks good to you, click Approve.

Once you have downloaded intelligence data from the TICE Module, it will populate various areas of scoutTHREAT depending on the intelligence type.

For example, if you approved and downloaded a Threat Actor item, you will now see that object in your scoutTHREAT system.

For more information on using TICE, see The Threat Intelligence Collaboration Environment (TICE).