“Pivoting” is an often overlooked but critical feature of the day-to-day work of a Cyber Threat Intelligence (CTI) analyst. Possibly the earliest reference to the concept is within a cornerstone work for CTI, “The Diamond Model of Intrusion Analysis”, with the idea elaborated in the graphic below:
Fig 1: The Diamond Model and the applications of pivoting for a comprehensive background of an intrusion event
The “pivots” are the edges of the Diamond Model shown in Figure 1: the arrows indicate a transition from Victim to Capability, from Capability to Infrastructure, and so on around the diamond. In more practical terms, pivoting within a CTI context can be defined as:
Drawing meaning from data sources that would not have been revealed without the pivot between the data sets.
The classic example of this is the relationship between an IP address and domain registration details, where the “so what?” meaning is only drawn from understanding the relationship between the two data points within the context of the threat. Shown below is a visual representation of the pivoting technique in action inside Mandiant’s classic APT1 paper.
Fig 2: APT1’s intrusion activity diagram with additional IOCs discovered from pivoting (use of Whois registry and primary intelligence from the APT1 – Exposing One of China’s Cyber Espionage Units report by Mandiant)
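As an added illustration (example code, not part of the original post or of any Mandiant or Elemendar tooling), the snippet below performs the IP-to-domain-to-registrant pivot described above over two constructed data sets: a handful of invented passive-DNS resolutions and invented WHOIS registrant e-mails. Starting from one seed IP, it walks the links between the two data sets as a breadth-first search, records how each node was reached so the analyst can explain the pivot chain, and caps the number of hops, because each additional hop is a weaker inference and an unbounded walk quickly pulls in unrelated infrastructure.

```python
"""Pivoting across passive DNS and WHOIS, illustrated with constructed data.

Every record here is invented for the example; the domains use the reserved
.example TLD and the IPs come from documentation ranges (RFC 5737).
"""
from collections import deque

# Constructed passive-DNS observations: (domain, ip). Not real data.
PASSIVE_DNS = [
    ("update-check.example", "203.0.113.10"),
    ("cdn-sync.example", "203.0.113.10"),
    ("mail-relay.example", "198.51.100.7"),
    ("news-portal.example", "198.51.100.7"),
    ("unrelated-shop.example", "192.0.2.44"),
]

# Constructed WHOIS records: domain -> registrant e-mail. Not real data.
WHOIS = {
    "update-check.example": "ops@registrant-a.example",
    "cdn-sync.example": "ops@registrant-a.example",
    "mail-relay.example": "ops@registrant-a.example",
    "news-portal.example": "webmaster@registrant-b.example",
    "unrelated-shop.example": "shop@registrant-c.example",
}


def build_graph(passive_dns, whois):
    """Join the two data sets into one undirected graph.

    Nodes are typed tuples: ("ip", x), ("domain", x) or ("registrant", x).
    Passive DNS links ip<->domain; WHOIS links domain<->registrant.
    """
    graph = {}

    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for domain, ip in passive_dns:
        link(("domain", domain), ("ip", ip))
    for domain, registrant in whois.items():
        link(("domain", domain), ("registrant", registrant))
    return graph


def pivot(seed, graph, max_hops):
    """Breadth-first walk from `seed`, at most `max_hops` pivots deep.

    Returns a parent map: node -> node it was reached from (seed -> None).
    The hop limit is the analyst's control over how far a chain of weak
    links is allowed to run before it stops meaning anything.
    """
    parents = {seed: None}
    depth = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if depth[node] >= max_hops:
            continue  # reached the hop budget; do not expand further
        for nxt in sorted(graph.get(node, ())):  # sorted for determinism
            if nxt not in parents:
                parents[nxt] = node
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return parents


def chain(node, parents):
    """Reconstruct the pivot path from the seed to `node`, for reporting."""
    path = []
    while node is not None:
        path.append(node)
        node = parents[node]
    return list(reversed(path))


def related(seed_ip, passive_dns, whois, max_hops=4):
    """Pivot from one IP and return the reached indicators grouped by type,
    plus the parent map needed to justify each one."""
    parents = pivot(("ip", seed_ip), build_graph(passive_dns, whois), max_hops)
    by_kind = {"ip": set(), "domain": set(), "registrant": set()}
    for kind, value in parents:
        by_kind[kind].add(value)
    by_kind["ip"].discard(seed_ip)  # the seed is input, not a finding
    return by_kind, parents


if __name__ == "__main__":
    found, parents = related("203.0.113.10", PASSIVE_DNS, WHOIS)
    for kind in ("domain", "registrant", "ip"):
        for value in sorted(found[kind]):
            hops = " -> ".join(f"{k}:{v}" for k, v in chain((kind, value), parents))
            print(f"{kind:10} {value:30} via {hops}")
```

With the default limit of four hops, the seed IP leads to two domains, their shared registrant, a third domain under that registrant, and the second IP it resolves to; the domain sharing that second IP is only reached when the analyst raises the hop budget, and the domain with an unrelated registrant is never reached. Real WHOIS data is frequently redacted or privacy-proxied, so in practice the registrant edge often has to be replaced by other shared attributes (name servers, SSL certificate fields, registration timing) before this kind of walk yields anything.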
Clearly pivoting is a critical, if often overlooked, tool within the CTI analyst’s arsenal of techniques and needs to be an integral part of any effective CTI tool – so where can you pivot within Elemendar’s READ. tool, you may ask?
Pivoting in READ.
READ. has a number of functional elements that allow the CTI analyst to conduct a pivot:
- Between the Annotation View & the Source Document
- Between the Annotation View & Graph View
- Through a Collection view across various sources.
Between the Annotation View & the Source Document
There is the option to view the document being annotated at its original web page or as the original PDF. This switch is itself a pivot: the analyst can use it to confirm the veracity of the document before annotating it.
Fig 3: Toggling between the Annotation View & Source Document
Between the Annotation View & Graph View
When annotating a document, the user can also toggle into the Graph view in order to see the context of a specific sentence with the entities and relationships added to it.
Through a Collection view across various sources
Fig 5: The example from our APT 37 blog of pivoting between various sources on APT 37’s MITRE ATT&CK patterns to provide a more holistic view of the group’s tactics and techniques.
Taken together, the pivoting features of READ. help draw meaning from CTI sources that would not have been obvious at first glance. For example, in the APT 37 case, READ. extracted 27 unique techniques across 5 reports, most of which could not have been obtained from any single report.