
EP4 - Spotting Threat Actors By Their Behavior


About this title

Over the past several years, cyber threat intelligence (CTI), along with threat hunting, has become a mainstay in most organizations. However, for a long time CTI has been nothing more than the sharing of indicators of compromise (IOCs): basically the IP addresses and file names or hashes for known attacks.


Then, with the creation of STIX and TAXII, MITRE ATT&CK, and the Pyramid of Pain, the industry began to talk about higher-order concepts like the tactics, techniques, and procedures (TTPs) of a threat actor. These TTPs help defenders understand more about how a threat actor or intrusion set is actually doing what it is doing. The idea is that simple indicators like IP addresses and file hashes are easy to change, but TTPs are really difficult to change.


But now there is a new effort from the US Cybersecurity and Infrastructure Security Agency or CISA and Johns Hopkins University’s Applied Physics Laboratory to start using Indicators of Behavior.


Today on Smarter Everything™ I will be talking with Charlie Frick, a Chief Scientist from Johns Hopkins University’s Applied Physics Laboratory. Charlie has led many key initiatives and research efforts around cybersecurity, threat intelligence sharing, and cybersecurity automation for over two decades. He is also leading the effort around Indicators of Behavior for US Critical Infrastructure.
