At LookingGlass Cyber we want to make sure you get answers to important product questions so you can use scoutTHREAT as efficiently and effectively as possible.
Below are frequently asked questions from customers about scoutTHREAT features and functionalities. We hope that this information can help you accomplish your security goals and mission.
Feel free to also submit your questions at, [email protected].
Q. What are some common workflows for using scoutTHREAT?
A. One of the most common workflows is creating a threat actor object. You can use scoutTHREAT to create the object itself, and use TICE to obtain intelligence from our data feeds so that you stay informed about the threat actor's latest tactics, techniques, and procedures (TTPs).
Click here for a very detailed workflow for creating and tracking threat actors using scoutTHREAT and TICE.
Q. How do I track malware threats?
A. You can use scoutTHREAT to create a profile of an existing malware object and track how it's being used in past and ongoing cyber attacks.
Creating the malware object will require specific information required by STIX version 2.0 such as the malware type. There are other details you can add that are optional. For a complete workflow on creating a malware object, click here.
After you create the malware object, you can use TICE to obtain the latest data about the malware you're tracking. For more information on how to track objects on TICE, click here.
Q. How can I use relationships on scoutTHREAT?
A. A "relationship" in STIX (and scoutTHREAT) serves to link together two or more objects. For example, a malware object to a threat actor object, or, an organization to a cyber attack.
Relationships are connections that allow the analyst to build more complete object profiles of an adversary's tactics or modus operandi. For more details on how relationships work, click here.
Q. How does TICE and scoutTHREAT work together?
A. You create and manage intelligence objects on scoutTHREAT, as well as set up workbenches and run queries. TICE, on the other hand, is the system that delivers and shares intelligence on those objects from the different data feeds.
Delivering Intelligence to scoutTHREAT
Let's say that you add a threat actor object for a hacker group called "APT21" on scoutTHREAT, for example. Once you create the object you can add a query that TICE will run. Once TICE has run the query, it will return the intelligence or data you're seeking. For more information on how TICE retrieves data, click here.
Sharing Data from scoutTHREAT to TICE
You can also use scoutTHREAT to share data on TICE with others in your organization or anonymously to other tenants (users).
If you'd like to submit a question, send an email to: [email protected]. We'll get back to you as soon as possible.