A Day in the Life of a Cyber Threat Analyst 网络威胁分析员的一天

At its core, Cyber Threat Intelligence is the process of collecting, analyzing, and interpreting data regarding potential or current cyber threats and attacks. This intelligence is not just a repository of data, it is an amalgamation of insights that enable organizations to make informed decisions about their security posture. 

网络威胁情报的核心是收集、分析和解释有关潜在或当前网络威胁和攻击的数据。这种情报不仅仅是一个数据存储库，还是一种洞察力的融合体，可帮助企业就其安全态势做出明智决策。

CTI is derived from a myriad of sources - human intelligence (HUMINT), technical intelligence, network sensors, open-source intelligence (OSINT) including portals, webs, forums, social networks, markets, chats, communication channels, etc. 

网络威胁情报的来源多种多样——人类情报 (HUMINT)、技术情报、网络传感器、开源情报 (OSINT)，包括门户网站、网络、论坛、社交网络、市场、聊天、通信渠道等。

Gathering CTI is a meticulous process involving several stages: 

收集CTI是一个细致的过程，涉及多个阶段：

1. Collection: Collecting the organization requirements, accumulating data from various sources. 

收集：收集组织需求，从各种来源收集数据。

2. Analysis: Sifting through data to identify meaningful patterns, indicators, relationships, trends. 

分析：筛选数据，找出有意义的模式、指标、关系和趋势。

3. Dissemination: Sharing intelligence with relevant personnel. 

传播：与相关人员分享情报。

4. Feedback: Using the outcomes of shared intelligence to refine the CTI process. 

反馈：利用情报共享的结果完善网络威胁情报流程。

CTI simple process

CTI的简易流程

The result of all the CTI process generates reports that are designed to inform and guide organizations in their cybersecurity efforts. These products vary in scope, detail, and purpose, catering to different levels of decision-making within an organization. Here are some examples of typical CTI products: 

所有CTI流程的结果都会生成报告，旨在为组织的网络安全工作提供信息和指导。这些产品的范围、细节和目的各不相同，可满足组织内不同层次的决策需求。以下是一些典型CTI产品的示例：

1. Threat Intelligence Reports: Detailed documents that provide in-depth analysis of specific threats. 

威胁情报报告：对特定威胁进行深入分析的详细文件。

2. Threat Briefings: Regular briefings or bulletins that provide updates on the latest cyber threats, vulnerabilities, and incidents. 

威胁简报：提供最新网络威胁、漏洞和事件的定期简报或公告。

3. Risk Assessments: Reports that evaluate the potential impact of identified threats on an organization. 

风险评估：评估已识别威胁对组织潜在影响的报告。

4. Threat Feeds: Automated streams of intelligence that provide real-time data on threats, such as IoCs, malicious IP addresses, URLs, and hash values. These feeds can be integrated into security tools like SIEM systems for automated alerting and response. 

威胁反馈：提供实时威胁数据（如IoC、恶意 IP 地址、URL 和哈希值）的自动情报流。这些反馈可集成到SIEM系统等安全工具中，用于自动报警和响应。

5. Incident Reports: Detailed analysis of cybersecurity incidents that have occurred either within the organization or in other organizations. 

事件报告：对组织内部或其他组织发生的网络安全事件进行详细分析。

6. Vulnerability Alerts and Advisories: Notifications about new vulnerabilities and patches.  

漏洞警报和公告：有关新漏洞和补丁的通知。

7. Strategic Analysis Reports: High-level reports aimed at executive leadership, providing an overview of the cyber threat landscape.  

战略分析报告：针对行政领导层的高级别报告，提供网络威胁概况。

8. Sector-Specific Threat Intelligence: Intelligence products tailored to specific industries or sectors, addressing unique threats and challenges faced by those sectors (like finance, healthcare, energy, etc.). 

特定行业威胁情报：为特定行业或部门量身定制的情报产品，解决这些部门（如金融、医疗保健、能源等）面临的特别威胁和挑战。

9. Threat Actor Profiles: Detailed profiles of known cybercriminal groups or individuals, including their history, motivations, methods, and known targets. 

黑客档案：已知网络犯罪集团或个人的详细资料，包括其历史、动机、方法和已知目标。

10. Phishing and Social Engineering Reports: Specialized reports focusing on tactics used in phishing and social engineering campaigns, including analysis of phishing email trends, spear-phishing tactics, and defensive recommendations. 

网络钓鱼和社交工程报告：侧重于网络钓鱼和社交工程活动中使用的策略的专业报告，包括网络钓鱼电子邮件趋势分析、鱼叉式网络钓鱼策略和防御建议。

Now after the brief and concise introduction on what the CTI analyst does, let's go into my day. 

在简要地介绍了CTI分析员的工作内容之后，现在来看看我的日常。

8:00 AM: The day starts early with a review of overnight alerts, more than 1100 alerts for today. This is a normal task that I and most of all analysts around the world should go through his day. Automatization can be performed here to take care of some false positives, but it is difficult (in my case I used two in house developed tools). This step is important, it is where we profile and find the threats. 

上午8:00：一天的工作从查看隔夜警报开始，今天的警报超过1100个。这是我和全世界大多数分析员每日的常规工作。可以采用自动化处理误报，但这很困难（我使用了两个内部开发的工具）。这一步非常重要，我们能够由此剖析和发现威胁。

For those who do not know how one CTI alert looks like, please check the image below.  

如果你不了解CTI警报的界面是什么样子，请查看下图。

Example or CTI alert

 CTI警报示例

This is only one third of one alert; as you saw there are a lot of alerts and most of the alerts are false positives (this is not “magic,”) and our work is to find the needle in the haystack. 

这只是警报的三分之一；如你所见，警报很多，且大多数都是误报（这并不是“魔术”），我们的工作就是要大海捞针。

9:30 AM: After filtering the most obvious false positives, continue with the pre-selected alerts checking it more in depth. In this step, the ACME leak breach exploit alert pops up, that alert was made using keywords related to leaks, exploit and ACME, also in the three most used languages of the world; the objective behind this alert is to catch any undetected leak, POC or unknown exploit (zero-day vulnerability). 

上午9:30：过滤掉最明显的误报后，我继续对预选警报进行更深入的核查。在这步中，ACME泄密或漏洞利用告警弹出，该警报使用了与泄密、利用和 ACME 相关的关键词以及世界上最常用的三种语言，旨在捕捉任何未检测到的泄密、POC 或未知利用（0Day漏洞）。

This time the alert was triggered because the messages contain our English key words and ACME; at first sight doesn't looks very promising, but because our work force us to be meticulous, I dig in it finding they are talking about one unknown technique and exploit to bypass a security measure in one famous ACME product. The new finding turned my inner awareness sense to a high-priority investigation mode. 

这次警报触发的原因是因为这些消息中含有我们的英文关键词和ACME。乍一看似乎不太靠谱，但由于我们的工作性质需要一丝不苟的工作态度，我对其进行了深入调查，发现这些消息都涉及一种未知的技术和漏洞，试图绕过某著名ACME产品的安全措施。我下意识将这一新发现列为优先调查的事项。

10:30 AM: Using OSINT and the initial data (the name of the bad actors and the name of the bypassed security measure), start to look for the source of the alert. First, using different search engines, checking for bad actor names, general information to understand them, what the bypassed technology do, where is used and ACME product forum. Also searched in specific CTI forum and different communication channel.  

上午10:30：利用OSINT和初始数据（恶意攻击者和被绕过的安全措施的名称）寻找警报来源。首先，使用不同的搜索引擎，核对恶意攻击者的名称、了解其基本信息、被绕过的技术的用途、作用对象以及 ACME产品论坛。同时在特定的CTI论坛和不同的通信渠道进行搜索。

11:30 AM: After searching in many places, reading different articles and feeds, finally discovered the actors are part of “M team”, a new created team of cyber hacktivist specialized in finding security flaws and development of exploits on UR security measures. Also discover his web page, where they speak out saying: “we are going to release the exploit in December in here, stay put!” The website also has the list of team members. 

上午11:30：经过多方搜索，阅读不同的文章和信息源，终于发现这些攻击者属于“M团队”，该团队是一个新成立的网络黑客团队，专门寻找安全漏洞并开发针对UR安全措施的漏洞。我还找到了该团队的网页，页面显示 "我们将于12月在这里发布漏洞利用程序，敬请期待！“，网站上还有其团队成员名单。

In that moment and according with the risk evaluation matrix (check image bellow) , the threat likelihood status increases from possible to very likely (the maximum value before complete confirmation), they look serious enough about it to create a web page and speak out, but I am still facing the next problems: 

此时，根据下图风险评估矩阵可知，威胁可能性状态从“可能”上升到“极其可能”（完全确认前的最大值）。他们创建了网页并大肆宣扬，不像是在开玩笑，但我仍面临以下这些问题：

1. I don’t have the exploit or detailed information to verify by myself the threat. 

2. I cannot assess the impact of the threat, i don’t have a complete view to see if the exploit use ACME product or how they bypass our UR technology. 

1. 我需要验证情报真实性的漏洞或详细信息。

2. 我需要评估该威胁的影响，因为我无法确定该漏洞是否影响ACME产品，或者他们是如何绕过我们的UR技术的。

risk evaluation matrix 

风险评估矩阵

11:45 AM: With the urgency of the situation, I continued my research finding a public chat channel on D platform, after joining it I found the team use it to discuss about his activities and contain at least three months of conversations. In that moment, I realized they have a sub-thread where they share technical information about one project called S, the same name used to publicize the exploit. Finally, I can get hands on the the source or at least technical information. 

上午11:45：由于情况紧急，我继续调查，并在D平台上找到了一个公共聊天频道。加入该频道后，我发现M团队使用这一频道讨论他们的活动，使用时长至少三个月。这时，我发现他们有楼中楼聊天区，他们在那里分享了一个名为S的项目的技术信息，并使用相同的名字公开漏洞。终于，我能掌握威胁源或至少是技术信息了。

12:30 PM: A quick lunch break provides a brief of the incident with Mr. Jiang, and Boss, though the case weighs heavily on my mind. 

中午12:30：尽管我非常在意这个事件，但我只是利用短暂的午饭时间简单地向J先生和G老板告知了此事。

1:30 PM: Post-lunch, start to familiarize with the sub-thread, the investigation intensifies because of the large amount of information on it, including discussions in other languages that I do not understand, but focusing on my target “find the technical information help me understand what is the vulnerability that allow them to bypass the UR security measure and how ACME is involved in this matter.” 

下午1:30：午饭后，我开始进一步了解这个聊天区。由于相关信息量巨大，讨论的内容使用了我不了解的其他语言，调查工作也随之加强。但我的目标是“找到相关技术信息，以帮助我了解允许他们绕过UR安全措施的漏洞，以及ACME是如何参与进来的"。

3:00 PM: Finally, I found the target. In the thread I located a kind of writeup, step by step, and what tools are needed to bypass UR security. The Guide contains a set of public URLs that belong to ACME, where the actors download key components (keys and files) for this bypass technique. 

下午3:00：我终于找到了目标。在调查过程中，我找到了绕过UR安全系统所需的书面记录和工具。该指南包含一组属于ACME的公共URL，攻击者可从这些URL下载用于绕过技术的关键组件（密钥和文件）。

Writeup

书面记录

4:00 PM: After analyse all the acquired information, and after contact with the correspondent product lines, we discover the files in ACME URLS are the key of all the bypass technique, without those files, the technique scope is limited and should be performed case by case without automatisation capability. Also, according to ACME data security classification those files are catalogued as internal, that means those files and keys should not be publicly accessible! 

下午4:00：在分析了全部所获信息并与相应的产品线取得联系后，我们发现ACME URLS中的文件是所有绕过技术的关键，如果没有这些文件，技术范围就会受限，而且必须逐个执行，无法实现自动化。此外，根据ACME的数据安全分类规定，这些文件只记录在内部，意味着这些文件和密钥不得被公开访问！

4:30 PM: After all the analysis and correspondent verification, reassess the threat as High, because the consequences of this threat in ACME can be severe, and the likelihood of the threat are very likely. 

下午4:30：经过一系列分析并与接口人核实后，我将威胁等级重新评估为 "高度"，因为 ACME中的这一威胁可能会造成严重后果，而且威胁发生的可能性非常大。

After that and according with our play books, I call a meeting with Mr. Jiang, my manager and brief him about the finding, he also help me to perform one of the most essential steps in CTI the essential “peer review”; the conclusion of the meeting was, “Document all your findings and assess in one report, we are going to inform ACME product line in 1 hour”. 

之后，依据我们的处置流程，我与J先生开了个会，向他汇报了这一情况，他还帮我执行了CTI中最重要的步骤之一，即必不可少的“同行审查”。这次会议的结论是：“在报告中将你所有的发现和评估记录下来，我们将在1小时内通知ACME产品线。”

Threat Report

威胁报告

5:30 PM: After creating the threat report and Mr. Jiang approve it, we contact the director of that business unit, informing him all the findings, where is the problem, what are the compromised URLs, the assess of the threat and finally the potential consequences of the threat. Following he ask us for half hour to contact his technical team to verify our findings and will reach us back. 

下午5:30：在完成威胁报告并获得J先生批准后，我们联系了该业务部门的负责人，向他通报了所有调查结果、问题所在、受到攻击的URL、威胁评估以及威胁造成的潜在后果。之后，他要求我们用半个小时时间联系一下他的技术团队，核实我们的发现，之后会与我们联系。

Documentation and record platform 

文档和记录平台

6:00 PM: The director reaches us back telling us they need 1 hour to remediate the compromised URLs problem (the most urgent). For the initial technical problem, they need two days to assess the problem with the technique staff and after that he estimates they need 4 days. At the end he asks us to wait one hour to verify if the URLs problem is fixed.  

下午6:00：负责人给我们回电，称他们需要1小时来解决URL被攻击的问题（这是最紧急的问题）。对于最初的技术问题，他们需要2天时间与技术人员一起评估问题，后来，他估计他们需要4天时间。最后，他让我们等1小时，以验证URL问题是否已被修复。

6:45 PM: We revisited the URLs and the content already wasn’t available, also we sent request to some search engines to delete the cache related to those URLs. 

下午6:45：我们重新访问了这些URL，发现内容已不可获取。同时，我们向一些搜索引擎发送需求，要求删除与这些URL相关的缓存信息。

7:00 PM: Before calling it a day, send a message to the product line director confirming the remediation and documenting all the findings in our system. 

下午7:00：收工前，我联系产品线负责人，确认修复情况，并在我们的系统中记录所有相关结果。

At the end of the week, I received a letter of thanks for the timely and high-value intelligence that helped the product department avoid another major security incident, and they hope we can continue to gather threat intelligence for product security.

周末，我收到了一封感谢信，感谢我们及时提供了高价值的情报，帮产品部门又一次避免了重大安全事件的发生，并希望我们能够继续收集威胁情报，为产品安全保驾护航。

#03

Conclusion 

小结