SOCshare August 2024: A year in a nutshell

At this time last year, the SOCshare project was just getting started. In that year, together with our partner, Vilnius City Municipality Administration, we have not only carried out a range of work to increase our threat intelligence maturity (from purchasing additional detection technologies, to training staff and creating new processes for CTI), but we have also created and shared a significant amount of relevant and actionable threat intelligence.

Over the last nine months of sharing activities, each organisation has produced over 100 events, for a total of 215 published events at the time of writing. These events contain 1137 attributes across 133 objects and almost 50 unique new correlations. While these numbers may not seem impressive, each event is created and reviewed by our SOC experts rather than produced by a fully automated process. This means the events should contain data that is highly actionable and accurate, with a low risk of false positives. In addition, the data was selected for targeting or relevance to our region, which is largely missing from other data feeds and sources. The correlations between events, some almost a year apart and targeting completely different organisations, show that many attacks are targeted and tailored to specific industries and sectors. On the other hand, while many phishing attacks contain similar elements or may belong to the same campaign, the large number of such attacks and the small number of correlations show just how varied they are, and that better collection and sharing is needed to stop such campaigns effectively.

As the project progresses and our capabilities develop further, we aim to ensure accurate mapping of the produced data to MITRE ATT&CK. A range of techniques has been observed over the year: Phishing and Spearphishing, reconnaissance activities such as Vulnerability Scanning and Active Scanning, and specific malware and Public-Facing Application Exploits. Where possible, attacks were identified as targeting a particular sector, and 10 such sectors were identified from CTI sharing. We aim for the increased quality and quantity of produced threat intelligence and sharing to not only help protect those sectors, but also to identify further targeted sectors and get them involved as well.
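The correlation and sector figures above are produced by SOC analysts working in a sharing platform; the following is an added example (not SOCshare's or the project's own code) showing how cross-event correlations, the time and sector gap between correlated events, and a per-sector ATT&CK technique summary can be derived from a set of events. The event structure (attributes as type/value pairs, a targeted sector, and ATT&CK technique IDs) and all sample data are constructed assumptions for this illustration, not real shared intelligence.

```python
"""Correlate CTI events by shared indicators and summarise them by sector.

Added example: constructed data, not real SOCshare events.
"""
from collections import Counter, defaultdict
from datetime import date
from itertools import combinations

# Constructed sample events (assumption: event = org, sector, date,
# ATT&CK technique IDs, and a set of (type, value) indicator attributes).
EVENTS = [
    {"id": 1, "org": "Org A", "sector": "energy", "date": date(2023, 10, 3),
     "techniques": {"T1566.001"},  # Spearphishing Attachment
     "attributes": {("domain", "invoice-portal.example"),
                    ("ip-dst", "203.0.113.7"),
                    ("sha256", "a" * 64)}},
    {"id": 2, "org": "Org B", "sector": "healthcare", "date": date(2024, 7, 15),
     "techniques": {"T1566.002"},  # Spearphishing Link
     "attributes": {("domain", "secure-login.example"),
                    ("ip-dst", "203.0.113.7")}},
    {"id": 3, "org": "Org A", "sector": "energy", "date": date(2024, 1, 20),
     "techniques": {"T1190"},      # Exploit Public-Facing Application
     "attributes": {("domain", "cdn-update.example"),
                    ("sha256", "a" * 64)}},
    {"id": 4, "org": "Org B", "sector": "municipal", "date": date(2024, 6, 1),
     "techniques": {"T1595.002"},  # Vulnerability Scanning
     "attributes": {("ip-src", "198.51.100.23")}},
]


def correlations(events):
    """Map each pair of event IDs to the set of attributes they share.

    An inverted index (attribute -> event IDs) keeps this linear in the
    number of attributes instead of comparing every event with every other.
    """
    index = defaultdict(set)
    for ev in events:
        for attr in ev["attributes"]:
            index[attr].add(ev["id"])
    pairs = defaultdict(set)
    for attr, ids in index.items():
        for a, b in combinations(sorted(ids), 2):
            pairs[(a, b)].add(attr)
    return dict(pairs)


def correlation_report(events):
    """Describe each correlation: shared indicators, time gap, sector/org overlap."""
    by_id = {ev["id"]: ev for ev in events}
    report = []
    for (a, b), shared in sorted(correlations(events).items()):
        ea, eb = by_id[a], by_id[b]
        report.append({
            "events": (a, b),
            "shared": sorted(shared),
            "days_apart": abs((eb["date"] - ea["date"]).days),
            "same_sector": ea["sector"] == eb["sector"],
            "same_org": ea["org"] == eb["org"],
        })
    return report


def techniques_by_sector(events):
    """Aggregate observed ATT&CK technique IDs per targeted sector."""
    out = defaultdict(set)
    for ev in events:
        out[ev["sector"]].update(ev["techniques"])
    return {sector: sorted(t) for sector, t in out.items()}


def events_per_org(events):
    """How many events each sharing organisation produced."""
    return Counter(ev["org"] for ev in events)


if __name__ == "__main__":
    for row in correlation_report(EVENTS):
        print(row)
    print(techniques_by_sector(EVENTS))
    print(events_per_org(EVENTS))
```

With the constructed data, the shared IP links two events 286 days apart from different organisations and sectors, while the shared file hash links two energy-sector events from the same organisation; the fourth event has no correlation at all, which is the common case for one-off phishing infrastructure.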

As always, we look forward to seeing those of you interested in the CTI field at our next sharing meeting, on September 10th, where we’ll be happy to share more details and get you involved in the community.

Other news

What impact might NIS2 have on Africa?
What impact might NIS2 have on South America?
How Lithuania stepped up its game with the NIS2 directive
Security automation: from idea to tool
SOCcare May 2025 Malpeek: Analysis of a "copyright infringement" malware
NRD Cyber Security recorded strong growth and international expansion in 2024
Building awareness is a continuous effort
Facilitating dialogue on NIS2 within the Lithuanian cybersecurity ecosystem