The Watchlist: Collaborating to Build Better Adversary Dossiers Faster

POSTED BY KEVIN LIBBY

Have you ever wanted to be alerted about new information related to the TTPs of an adversary? Well, now that’s possible!
The ThreatQ Operations and Management Platform provides intelligence analysts with a tremendous cross-functional team collaboration opportunity.
A recently released feature within ThreatQ can help analysts to build and share a watchlist of objects of interest. This feature allows security teams to drive the curation of adversary dossiers in the Threat Library.
Let’s look at an example. I’ve been working on an adversary called Tosca and have added Tosca to my watchlist. This adversary has been targeting organizations I’m tracking by leveraging spearphishing campaigns against senior executive teams.
After spending time pounding away on the keyboard analyzing various data points within the ThreatQ threat intelligence platform user interface, I’m pulled away from the screen for other commitments.
When I return to my desk, I log into the ThreatQ User Interface and am able to see any recent activity related to this adversary.
As other analysts, automated threat intelligence feeds, and integrations contribute data to the Threat Library, any alterations to Tosca are immediately reflected in my watchlist, visually notifying me of the change.
In addition to adversaries, the Watchlist is also able to track other object types, including: attachments, events, indicators, and signatures.
An API endpoint makes it easy for analysts to interact with their watchlists through any custom integrations or scripts.