Feedly Best Practices for CTI Teams

We explore best practices for how CTI teams use Feedly for Threat Intelligence to collect, analyze, and share actionable open source intelligence.

Aug 16, 2024 - 13:10

Optimize your team's workflows with Feedly for Threat Intelligence

How do Cyber Threat Intelligence (CTI) teams collaborate within Feedly to increase productivity and reduce blind spots? In this post, we discuss the team-collaboration best practices we have observed while interviewing and working with Feedly for Threat Intelligence customers. Best practices are only guides and should be evaluated for applicability against your own team's needs.

Impact

Saved 66-90% of time spent collecting and sharing intelligence
Analyzed vulnerabilities, threat actors, and TTPs up to 70% faster
Discovered new vulnerabilities and threats up to 3 days sooner than other tools

Motivated? Read on.

Collecting relevant intelligence

The volume of cybersecurity articles, reports, blogs, and posts on the open web can seem overwhelming. How do you identify what's important, focus on the intelligence needs of the business, and avoid wasting time on irrelevant or duplicate information? Teams use Feedly Dashboards to get quick insights into trending topics and Team AI Feeds to dial in relevance and keep the focus on their priority intelligence requirements (PIRs).

Threat Landscape Dashboard - This dashboard offers a quick overview of the most critical topics trending in cybersecurity. Many teams start their day in the Threat Landscape Dashboard to identify breaking news that might inform their priorities in daily stand-ups. Teams often revisit the dashboard several times a day to spot new vulnerabilities or malware, or to see updates to threat actors and their tactics and techniques.

Threat Landscape Dashboard

TTP Dashboard - The TTP Dashboard is a valuable resource for teams seeking to understand how threat actors change their behavior, modify their Tactics, Techniques, or Procedures, or use malware. Threat hunters can see how threat actors have shifted their campaigns over a customizable time period, export results to the ATT&CK Navigator, and evaluate their organization’s defensive gaps.

TTP Dashboard with link to the ATT&CK Navigator
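The gap-evaluation step described above can be reproduced outside the dashboard once you have the technique IDs it surfaced. The following is an added example, not Feedly code: it counts constructed technique observations, compares them with a constructed list of techniques the organization can already detect, and writes an ATT&CK Navigator layer in the public layer format so the gaps can be visualized. The `versions` strings and the gap colour are assumptions; set them to match the Navigator build you import into.

```python
"""Build an ATT&CK Navigator layer from counted technique observations.

Added example, not Feedly code. OBSERVATIONS and DETECTION_COVERAGE are
constructed sample data. The layer JSON follows the public Navigator
layer format; the version strings are assumptions.
"""
import json
from collections import Counter

# Constructed sample: one entry per (report, technique) occurrence
# seen in the reporting window.
OBSERVATIONS = [
    "T1566.001", "T1566.001", "T1566.001", "T1059.001", "T1059.001",
    "T1059.001", "T1059.001", "T1027", "T1027", "T1486", "T1021.001",
    "T1071.001", "T1071.001", "T1566.001", "T1078",
]

# Constructed sample: techniques the organization believes it detects today.
DETECTION_COVERAGE = {"T1566.001", "T1059.001", "T1071.001"}


def count_techniques(observations):
    """Return {techniqueID: occurrences}, dropping malformed IDs."""
    counts = Counter()
    for tid in observations:
        tid = tid.strip().upper()
        if tid.startswith("T") and tid[1:5].isdigit():
            counts[tid] += 1
    return dict(counts)


def is_covered(tid, coverage):
    """A sub-technique counts as covered if it or its parent is covered."""
    return tid in coverage or tid.split(".")[0] in coverage


def find_gaps(counts, coverage):
    """Observed techniques with no detection coverage, most frequent first."""
    gaps = [(tid, n) for tid, n in counts.items() if not is_covered(tid, coverage)]
    return sorted(gaps, key=lambda x: (-x[1], x[0]))


def build_layer(counts, coverage, name="Observed TTPs"):
    """Navigator layer dict: score = occurrences, uncovered techniques flagged."""
    techniques = []
    for tid, n in sorted(counts.items()):
        covered = is_covered(tid, coverage)
        techniques.append({
            "techniqueID": tid,
            "score": n,
            "comment": f"{n} report(s); {'covered' if covered else 'NO DETECTION'}",
            # Assumption: any #RRGGBBAA value is accepted; red marks a gap.
            "color": "" if covered else "#ff6666ff",
        })
    max_score = max(counts.values()) if counts else 0
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed
        "domain": "enterprise-attack",
        "description": "Added example: observed techniques scored by frequency",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffffff", "#66b1ffff"],
                     "minValue": 0, "maxValue": max_score},
    }


def layer_json(counts, coverage):
    return json.dumps(build_layer(counts, coverage), indent=2)


if __name__ == "__main__":
    counts = count_techniques(OBSERVATIONS)
    print("Uncovered techniques:", find_gaps(counts, DETECTION_COVERAGE))
    print(layer_json(counts, DETECTION_COVERAGE))
```

Save the printed JSON to a file and open it in the Navigator with "Open Existing Layer" to see frequency as a heat map and red cells where no detection exists. Note that covering a sub-technique does not cover its parent here; treat a bare parent ID in a report as an unknown sub-technique and a separate gap.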

Team AI Feeds - Team AI Feeds are machine learning models organized around CTI topics of high importance. AI Feeds improve the relevance of the information compared to keyword searches while also deduplicating articles to increase the signal-to-noise ratio. Teams can focus only on what's necessary and increase their intelligence-gathering efficiency. Many teams set up their Team AI Feeds around their Priority Intelligence Requirements (PIRs), for example to answer the question, "What vulnerabilities are affecting my tech stack?"

Creating a Team Feed with an AI model

Organizing and analyzing intelligence

Once you've collected the intelligence that's relevant to your requirements, you'll need to start organizing and analyzing the articles. Team Folders are a great way to organize the collected content so your team can quickly find what they need. Feedly also helps teams jumpstart their analysis by automatically highlighting articles with Indicators of Compromise (IoCs), Tactics, Techniques, and Procedures (TTPs), malware, threat actors, and more, along with links to related research.

Folders for Team Feeds - Team feeds are organized into folders. These shared folders can be organized however you like, including by your favorite cybersecurity sources, by topics, or by steps in your research processes. Organizing folders by topics that align with your team’s priority intelligence requirements helps maintain focus on what’s important to stakeholders. Teams can divide and conquer when reviewing the articles in the Team Feeds, save important articles to Team Boards, or tag team members (more about Boards and tagging below).

While Team Folders can help you organize your feeds, many organizations create dozens of folders, so naming becomes critical. Several best practices (for Team Folders as well as Team Boards) have emerged in customer accounts, including naming by:

  • Intelligence requirement (or PIR) to keep teams focused on their stakeholders
  • Sources vs. AI Feeds to help the teams understand what they contain
  • Stages in an intelligence gathering and review process
  • Recipient groups such as the CISO leadership team, vulnerability team, etc.
  • Feeds with high signals that might impact morning stand-ups

Team Feeds and associated content

Articles - Feedly enriches articles by highlighting malware, IoCs, TTPs, threat actors, and CVE/CVSS information. Feedly also includes links to related articles, detection rules, and the ATT&CK Navigator to facilitate deeper analysis. The enrichment links make it straightforward to export, download, or extract these artifacts and share them with your systems or teammates. CTI team members can add notes to summarize content or contribute analysis and perspective to each article.

Article enriched with data to help speed analysis

CVE Insights Cards - These Cards provide the open source information you need to quickly understand a vulnerability, including the affected software, criticality based on the CVSS score (or an estimate of criticality when no score is available), the EPSS score, and available remediations. Teams can analyze further by investigating highlighted attack vectors, links to malware or threat actors, and supporting articles. Vulnerability management teams leverage the CVE Insights Cards to jumpstart their research and accelerate priority assessments of new vulnerabilities.

Launching into a CVE Insights Card from an Article

Sharing intelligence

Sharing the intelligence your team has collected, analyzed, and curated is a key activity of most CTI teams. However, many teams spend hours per day on this part of the process using manual report creation sent through email lists. Feedly makes this easier by providing several ways of sharing the intelligence, from article tagging and Slack integration to automated newsletters to fully automated workflows that pass data through the Feedly API to your other security tools.

CVE Insights Card showing severity, trendline, and related events

Articles - Articles can be shared in multiple ways. Teams can share them with individuals through email or Slack simply by mentioning the person’s email address or Slack name in the notes. Articles can also be shared with multiple people through Microsoft Teams or a Slack channel. You can also save articles to Evernote, share them on social media, add them to a team dataset, or automate sharing to your TIP or SIEM through the API or MISP integration (more below).

Article Tagging for email, Slack, or MS Teams

Team Boards - Team boards serve as a collaborative virtual storage space where you can save articles and set up unique workflows. Many teams save important articles to the appropriate Team Board as a best practice. It helps highlight key articles worth broader viewership, enables you to organize the board by target audience or topic, and sets the stage for wider sharing.

Example Team Boards

Newsletters - Teams can use Newsletters to share relevant articles with stakeholders by auto-populating articles from Team Folders or Team Boards or by curating based on specific topics or relevance. Newsletters can include additional analysis by the CTI team to summarize the threat, the risk to the organization, and the actions taken to mitigate the risk.

We’ve observed several uses of Newsletters to meet different needs including:

  • Daily or weekly security briefs
  • CISO or executive round ups
  • Targeted to specific teams like the vulnerability management team

To simplify the process, teams often set up Newsletters for each board, and Feedly will pull the articles into the appropriate Newsletter for automatic distribution. (One customer told me an analyst on their team saves 4 hours daily with Newsletters alone!)

Example Newsletter

API and workflow automation - As discussed above, Feedly enriches articles with a large amount of metadata, including IoCs, malware, TTPs, detection rules, threat actors, vulnerability data, and more. Many teams automate collecting and sharing these Threat Intelligence artifacts by leveraging the Feedly API to push them to their TIP, MISP instance, SIEM, and other tools. This reduces time and manual effort, speeds up deployment of blocking and detection rules, and helps expand protection against threats.

Sharing Feeds and data through the API and built-in integrations
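The TIP/MISP hand-off mentioned in the article-sharing and API sections above needs a normalization step between the enriched article and the receiving tool: defanged indicators must be refanged, values seen in several reports deduplicated, and each value mapped to the attribute type the TIP expects. The block below is an added example, not Feedly's API client or response schema. `ARTICLES` is constructed sample data whose field names (`indicators`, `cves`) are assumptions about what an enrichment feed might return; map them to your real source. The output uses MISP's public attribute types and categories but is a plain dict rather than a pymisp call, so it runs offline.

```python
"""Normalize enriched article indicators into a MISP-style event payload.

Added example, not Feedly code. ARTICLES is constructed; its field names
are assumptions. Attribute types/categories are MISP's public ones.
"""
import ipaddress
import re

ARTICLES = [  # constructed sample input
    {"id": "a1", "title": "New loader campaign",
     "indicators": ["hxxp://evil[.]example/dl", "203[.]0[.]113[.]7",
                    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
     "cves": ["CVE-2024-0001"]},
    {"id": "a2", "title": "Same campaign, second writeup",
     "indicators": ["203.0.113.7", "evil.example", "not an ioc"],
     "cves": ["cve-2024-0001"]},
]

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.I)
CATEGORY = {"ip-dst": "Network activity", "domain": "Network activity",
            "url": "Network activity", "md5": "Payload delivery",
            "sha1": "Payload delivery", "sha256": "Payload delivery",
            "vulnerability": "External analysis"}


def refang(value):
    """Undo common defanging: [.] ( . ) {.} hxxp:// [:] [@]."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = re.sub(r"^hxxps?://", lambda m: m.group(0).lower().replace("hxx", "htt"),
               v, flags=re.I)
    return v.replace("[:]", ":").replace("[@]", "@")


def classify(value):
    """Return (misp_type, normalized_value) or None if not a usable IoC."""
    v = refang(value)
    if CVE_RE.match(v):
        return "vulnerability", v.upper()
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)], v.lower()
    try:
        ipaddress.ip_address(v)
        return "ip-dst", v
    except ValueError:
        pass
    if re.match(r"^https?://", v, re.I):
        return "url", v
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    return None


def build_event(articles, info="Enriched OSINT indicators"):
    """Dedupe across reports and emit a MISP event dict plus skipped values."""
    seen, attributes, skipped = set(), [], []
    for art in articles:
        for raw in art.get("indicators", []) + art.get("cves", []):
            hit = classify(raw)
            if hit is None:
                skipped.append(raw)  # keep for analyst review, never push blindly
                continue
            atype, value = hit
            if (atype, value) in seen:
                continue  # same indicator reported twice
            seen.add((atype, value))
            attributes.append({
                "type": atype,
                "category": CATEGORY[atype],
                "value": value,
                # Only network/file indicators should feed automated blocking.
                "to_ids": atype != "vulnerability",
                "comment": f"{art['id']}: {art['title']}",
            })
    event = {"Event": {"info": info, "distribution": 0,  # org only
                       "threat_level_id": 2, "analysis": 1,
                       "Attribute": attributes}}
    return event, skipped


if __name__ == "__main__":
    ev, rejected = build_event(ARTICLES)
    for a in ev["Event"]["Attribute"]:
        print(a["type"], a["value"], a["to_ids"])
    print("skipped:", rejected)
```

The `to_ids` flag is the part to get right before wiring this to a SIEM: a CVE identifier is context, not something to block on, while an IP copied from a report with a typo will go straight into an IDS rule if `to_ids` is set. Keep the `skipped` list visible to an analyst rather than silently discarding it.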

Concluding remarks

How do leading CTI teams collaborate within Feedly to increase productivity and reduce blindspots?

They start by collecting open source intelligence that’s relevant and timely. They leverage the Feedly AI models to find the most relevant content to meet their intelligence requirements. And, with millions of sources in Feedly, they are expanding their open source intel coverage as they accelerate threat awareness.

Next, teams organize their content with Team Folders and Team Boards structured around PIRs or stakeholders. The data enrichment of articles and CVEs helps teams jumpstart their analysis, protection, or remediation activities.

Finally, CTI teams easily share information with stakeholders through article tagging, stakeholder Newsletters, or integrations with their SOC tools via the Feedly API.

If you’d like to learn more about Feedly for Threat Intelligence, start an Enterprise Trial.
