Integrating CTI into IR reports
You can incorporate TI about threat actors and campaigns into IR reports and correlate it with the Cyber Kill Chain framework and the Diamond Model of Intrusion Analysis.
There is no doubt that TI and the knowledge of threat actors' behaviors are critical in IR processes, especially in the Identification and Containment phases, but how can we make it actionable?
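One way to make such intelligence actionable in a report, shown here as an added example that is not part of the original text or of any template it references, is to record each TI observation as a Diamond Model vertex (adversary, infrastructure, capability, victim) tied to a Cyber Kill Chain phase, then render the result as a report section and list the phases for which no intelligence exists yet. The indicators, domain, IP address and group name below are constructed placeholders, and the `Observation` class, `build_matrix`, `coverage_gaps` and `render_section` functions are assumptions of this example.

```python
"""Constructed example: structure TI observations by Diamond Model vertex and
Kill Chain phase, then render an IR report section. All sample data is made up."""
from dataclasses import dataclass
from collections import OrderedDict

# Lockheed Martin Cyber Kill Chain phases, in order.
KILL_CHAIN_PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]

# The four core features (vertices) of the Diamond Model of Intrusion Analysis.
DIAMOND_VERTICES = ("adversary", "infrastructure", "capability", "victim")


@dataclass
class Observation:
    """One piece of threat intelligence placed on the model (hypothetical type)."""
    phase: str    # Kill Chain phase the observation belongs to
    vertex: str   # Diamond Model vertex it describes
    value: str    # the intelligence itself (indicator, TTP, asset, group)
    source: str   # where it came from, so the report stays traceable

    def __post_init__(self):
        # Reject entries that do not fit either framework instead of silently
        # producing an incomplete report.
        if self.phase not in KILL_CHAIN_PHASES:
            raise ValueError(f"unknown Kill Chain phase: {self.phase}")
        if self.vertex not in DIAMOND_VERTICES:
            raise ValueError(f"unknown Diamond Model vertex: {self.vertex}")


def build_matrix(observations):
    """Return {phase: {vertex: [values]}} with phases in Kill Chain order."""
    matrix = OrderedDict(
        (phase, {v: [] for v in DIAMOND_VERTICES}) for phase in KILL_CHAIN_PHASES
    )
    for obs in observations:
        matrix[obs.phase][obs.vertex].append(f"{obs.value} (source: {obs.source})")
    return matrix


def coverage_gaps(matrix):
    """Phases with no observation at all: what the analyst still needs to find."""
    return [phase for phase, verts in matrix.items() if not any(verts.values())]


def render_section(matrix, campaign):
    """Render the matrix as a plain-text report section, one heading per phase."""
    lines = [f"Threat intelligence: {campaign}", ""]
    for phase, verts in matrix.items():
        if not any(verts.values()):
            continue
        lines.append(phase)
        for vertex in DIAMOND_VERTICES:
            for value in verts[vertex]:
                lines.append(f"  - {vertex}: {value}")
        lines.append("")
    gaps = coverage_gaps(matrix)
    if gaps:
        lines.append("Phases without intelligence: " + ", ".join(gaps))
    return "\n".join(lines)


# Constructed sample observations for a hypothetical phishing incident.
SAMPLE_OBSERVATIONS = [
    Observation("Delivery", "capability", "phishing email with macro-enabled attachment", "email gateway"),
    Observation("Delivery", "infrastructure", "sender domain invoice-example.test (constructed)", "email gateway"),
    Observation("Delivery", "victim", "finance department shared mailbox", "helpdesk ticket"),
    Observation("Command and Control", "infrastructure", "203.0.113.10:443 (TEST-NET-3, constructed)", "proxy logs"),
    Observation("Command and Control", "adversary", "PLACEHOLDER-GROUP-1 (constructed name)", "vendor TI report"),
]

if __name__ == "__main__":
    print(render_section(build_matrix(SAMPLE_OBSERVATIONS), "Sample phishing campaign"))
```

The `coverage_gaps` output is the part most useful during the Identification phase: a chain with observations only in Delivery and Command and Control tells the responder which phases (and therefore which log sources) have not yet been examined.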
Lenny Zeltser (Twitter handle @lennyzeltser) created a handy template for documenting TI so that the information can be captured and used in IR. The Report Template for Threat Intelligence and Incident Response is free to use and is distributed under the Creative Commons Attribution license (CC BY 4.0). You can download it from this URL: https://zeltser.com/cyber-threat-intel-and-ir-report-template/.
To learn how to use this template, we will use the same hypothetical IR case described in this chapter, whereby we will need to identify critical pieces of information...