Best Practices: Keywords for Intelligence Requirements
  • 10 Jan 2024

Overview

ThreatConnect’s Intelligence Requirement (IR) feature relies on a user-defined keyword query to identify and surface information related to an IR. This query capability is more powerful than the one used in the Search drawer and on the Browse screen, as it queries across everything you have access to in your ThreatConnect instance and the ThreatConnect Global Intelligence Dataset. When we say it queries across everything, we mean everything. It is not limited to Attributes with a certain number of characters or other standard fields; instead, it searches across all Attributes, Tags, names/summaries of objects, and even the contents of Report files to return a comprehensive set of results for your IRs.

When working with an IR, you can manage its keyword query in two places: on the Keyword Tracking step of the Create Intelligence Requirement (IR) screen during the IR creation process, and on the Keyword Tracking section of the IR's Details screen after the IR has been created. When creating a keyword query during the IR creation process, you will be presented with a set of keyword suggestions based on the text you entered in the Requirement field on the Details step of the Create Intelligence Requirement (IR) screen. These suggestions are meant to help you start building a keyword query; however, their helpfulness may vary based on the type of IR being created and the question or topic you are researching.

Important
When defining a keyword query for an IR, it is recommended to use no more than 200 keywords in the query.

Important Definitions

  • Keywords: A set of topics or words used in a keyword query for an IR.
  • Keyword Query: A combination of keywords added to one or more Includes Any of the Following sections and a single Excludes Any of the Following section that creates a logic-based query used to identify Artifacts, Cases, Groups, Indicators, Tags, and Victims that are likely related to an IR.
  • Includes Any of the Following: A section within a keyword query containing the keywords that an object must include to be returned as a result for an IR. When searching for results, the keyword query uses “OR” logic between each keyword defined in this section. Up to five Includes Any of the Following sections may be added to a single IR, each of which is joined by “AND” logic when the keyword query searches for results.
  • Excludes Any of the Following: A section within a keyword query containing one or more keywords that an object must not include to be returned as a result for an IR. When searching for results, the keyword query uses “AND NOT” logic before the set of keywords defined in this section, followed by “OR” logic between each keyword. Only one Excludes Any of the Following section may be added to a single IR.

Building a Keyword Query in ThreatConnect

When getting started with keywords for IRs in ThreatConnect, the first thing to consider is that the keyword query builder is designed to guide you through the creation of a Boolean-style query. When adding keywords to Includes Any of the Following sections, be aware that “OR” logic is used between each keyword. For example, an Includes Any of the Following section with “oil,” “gas,” “oil and gas,” and “oil & gas” as its keywords will be converted to the following query on the backend:

("oil" OR "gas" OR "oil and gas" OR "oil & gas")

If you add another Includes Any of the Following section, it will be joined to the first one using “AND” logic. For example, consider another Includes Any of the Following section with the following keywords that are related to a specific threat actor group or intrusion set: “APT34,” “cobalt gypsy,” “evasive serpens,” “helix kitten,” “irn2,” and “oilrig.” On the backend, ThreatConnect joins this Includes Any of the Following section with the first one using “AND” logic and converts it to the following query:

("oil" OR "gas" OR "oil and gas" OR "oil & gas") AND ("APT34" OR "cobalt gypsy" OR "evasive serpens" OR "helix kitten" OR "irn2" OR "oilrig")

If there are items you want to exclude from the query results, then you should define the associated keywords in the Excludes Any of the Following section, which, like the Includes Any of the Following sections, uses “OR” logic between each keyword. Note that “NOT” logic is used before the set of keywords included in this section. For example, consider the Excludes Any of the Following section with the following keywords: “electric” and “electricity.” On the backend, ThreatConnect joins this section with the two Includes Any of the Following sections in the sample using “AND NOT” logic and converts it to the following query:

("oil" OR "gas" OR "oil and gas" OR "oil & gas") AND ("APT34" OR "cobalt gypsy" OR "evasive serpens" OR "helix kitten" OR "irn2" OR "oilrig") AND NOT ("electric" OR "electricity")

Together, “OR,” “AND,” and “NOT” logic can help you build more focused queries that return relevant and useful results for an IR.

Starter Keywords

When creating a keyword query, start with a set of topics at the heart of the IR object you are creating. Depending on the type of IR, these starter keywords might be related to an industry, geolocation, technology (or set of technologies), MITRE ATT&CK® technique (or set of techniques), intrusion set, malware family, current or recent event, and so forth. Some IRs may have one starter keyword, while others may have several; it all depends on the IR you are creating and the results you want to find.

For example, consider an IR focusing on the following question: What threats are targeting financial institutions based in the United Kingdom? The first keywords that come to mind are “financial” and “United Kingdom,” as the IR is looking for threats to a specific industry (finance) with operations in a particular country (the United Kingdom).

Includes Any of the Following Sections

It is best practice to add each starter keyword to a separate Includes Any of the Following section in the keyword query. Continuing with the example from the previous section, you should add “financial” to its own Includes Any of the Following section and consider other words often used to refer to financial institutions, such as “financial institutions,” “finance industry,” and “finance” (this is not an exhaustive list).

Next, add another Includes Any of the Following section that includes the “United Kingdom” starter keyword. In the first iteration of ThreatConnect's Intelligence Requirement feature, you can retrieve keyword suggestions for an Includes Any of the Following section when at least one keyword is added to it by clicking the Get Suggestions button in this section. For example, if you click the Get Suggestions button in the section with the “United Kingdom” keyword, known variations of this keyword, including things like “UK,” “Great Britain,” and “United Kingdom of Great Britain and Northern Ireland,” will be returned as suggestions. It is important to include these variations of the starter keywords because doing so helps ensure that the results presented for the IR are as comprehensive as possible. It also accounts for scenarios where different vendors use different names or phrases for countries, industries, intrusion sets, and malware families.

After adding these two Includes Any of the Following sections, our query is as follows:

("financial" OR "financial institutions" OR "finance industry" OR "finance") AND ("United Kingdom" OR "UK" OR "Great Britain" OR "United Kingdom of Great Britain and Northern Ireland")

Excludes Any of the Following Section

Continuing with the same example, perhaps you are creating a query for an IR focused on threats targeting financial institutions that are not considered banks. To prevent the keyword query from returning results for threats targeting banks, you can add “bank” as a keyword to the Excludes Any of the Following section in the keyword query. Doing so essentially adds AND NOT ("bank") to your query, which tells ThreatConnect to exclude objects that mention banks from the results:

("financial" OR "financial institutions" OR "finance industry" OR "finance") AND ("United Kingdom" OR "UK" OR "Great Britain" OR "United Kingdom of Great Britain and Northern Ireland") AND NOT ("bank")
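The following Python model, added here as an illustration and not ThreatConnect's own code, renders the Includes/Excludes logic described in the Building a Keyword Query section into the backend query string shown above and evaluates it against a few constructed sample objects. It assumes a case-insensitive substring match over an object's text; the article does not specify how the backend matches keywords, so treat that rule as an assumption.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class KeywordQuery:
    """Includes sections: OR inside, AND between; the single Excludes section is AND NOT."""
    includes: List[List[str]] = field(default_factory=list)
    excludes: List[str] = field(default_factory=list)

    def add_includes(self, keywords: List[str]) -> None:
        # The article allows at most five Includes Any of the Following sections.
        if len(self.includes) >= 5:
            raise ValueError("at most five Includes Any of the Following sections")
        self.includes.append(list(keywords))

    def to_backend_query(self) -> str:
        """Render the query in the form the article shows for the backend."""
        ored = lambda ks: " OR ".join(f'"{k}"' for k in ks)
        query = " AND ".join(f"({ored(s)})" for s in self.includes)
        if self.excludes:
            query += f" AND NOT ({ored(self.excludes)})"
        return query

    def matches(self, text: str) -> bool:
        """Assumed matching rule: case-insensitive substring search over an object's text."""
        haystack = text.lower()
        hit = lambda k: k.lower() in haystack
        if not all(any(hit(k) for k in s) for s in self.includes):
            return False
        return not any(hit(k) for k in self.excludes)

def build_uk_finance_query() -> KeywordQuery:
    """The article's worked example: UK financial institutions, excluding banks."""
    q = KeywordQuery()
    q.add_includes(["financial", "financial institutions", "finance industry", "finance"])
    q.add_includes(["United Kingdom", "UK", "Great Britain",
                    "United Kingdom of Great Britain and Northern Ireland"])
    q.excludes = ["bank"]
    return q

# Constructed sample objects, not real ThreatConnect data.
SAMPLE_OBJECTS = {
    "report-1": "Phishing wave hits finance industry firms in the UK",
    "report-2": "New trojan targets banks in Great Britain's financial sector",
    "report-3": "Ransomware disrupts UK electricity provider",
}

def keyword_hits(q: KeywordQuery) -> List[str]:
    """Names of the sample objects the query would surface for the IR."""
    return [name for name, text in SAMPLE_OBJECTS.items() if q.matches(text)]
```

Note that under a substring rule a short keyword such as "UK" or "bank" also matches inside longer words ("banks" here is excluded as intended, but unrelated words could match too), which is why previewing results on the Next step matters before saving an IR.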

Next Steps

Once you are satisfied with your query, click the Next button at the bottom of the Keyword Tracking step on the Create Intelligence Requirement screen to view a preliminary set of results you can expect. This is an opportunity for you to verify that the results align with your expectations; if they do not, you can easily go back and update your query to make it more or less targeted.


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20159-03 v.02.A
