Threat Analyst Insights: Weekly Threat Intelligence Report Template

March 5, 2019 • Parker Crucq

Monday mornings mark the start of a new week, with a new set of cybersecurity topics and issues for employees across all teams to review and discuss. Like many of us returning from an all too short weekend, we (hopefully) used the time to relax and recover from last week’s malware infections, zero-day vulnerabilities, and that troublesome employee who clicked on one too many phishing emails.

One optimal method of recounting notable security events from the past week is to receive a weekly threat intelligence report catered to your organization’s intelligence requirements and goals. Ideally, these weekly reports function as one of the most anticipated reports for members of multiple teams and sufficiently aggregate events from all sources. Tailoring this report to ensure it provides value on a regular basis requires timely planning and execution.

Ultimately, one of the most important aspects of your weekly threat intelligence report will be its structure, with a template devoting sections to encompass all notable events that have impacted your environment, relevant industries, and the general cybersecurity field. The following are three examples of sections we at Recorded Future consider to be essential for an actionable and relevant weekly threat intelligence report.

1. Information Specific to Your Environment

This section of a weekly threat intelligence report would ideally be devoted to highlighting some of the most significant events that had or may have an impact on your organization’s environment.

As far as what we refer to as a “significant” event, it’s important to allow for flexibility based on your organization’s intelligence requirements or business strategy. Examples can include online discussion among threat actors planning to target company infrastructure, leaked credentials associated with employees (or customers), or vulnerabilities observed in technology leveraged within your enterprise.

This section will highlight and provide analysis regarding events captured by your respective security teams as well as third-party organizations you may be utilizing for threat intelligence services. Leveraging the technical capabilities of third parties allows organizations to receive input on events they may have missed or events that require additional context from an outside party.

2. Information Specific to Your Industry

Weekly intelligence reports also must highlight what events are impacting your industry peers and how it may impact trends observed by your team. Naturally, there will be limitations when researching these events in that disruption campaigns or threat actor targeting of industry peers would very likely be kept under wraps by the organizations dealing with those issues.

This section will help identify potential future campaigns from nation-state or well-resourced actors who are more likely than others to think about targeting in terms of multiple industries. Research for this component of the weekly report places a great deal of emphasis on open source intelligence techniques to cover cyber threat reporting uploaded to blogs and security news sites, as well as government or academic publications and reporting. Examples such as a piece of malware compromising a competitor can often be just as newsworthy as if it had impacted your own environment and potentially serve as an indicator of an impending security event that could be mitigated entirely.

3. Information Specific to the Cybersecurity Field

A section devoted to “prominent” security events is highly recommended in a customized weekly intelligence report for a security team, with events such as the 2017 WannaCry ransomware outbreak serving as grim reminders of the potential devastation that cyber events can potentially inflict on a global scale. This section is used to inform coworkers or leadership about topics impacting all industries, as well as trending security topics. Events compiled here have far-reaching ramifications and may serve as the groundwork for strategic analytic products.

Never Stop Adapting

The most important consideration when developing a template for weekly threat intelligence reports is that each story (regardless of headers or section titles) should not serve as a mere summary of the event. Every article must contain the thoughts of the analysts observing or reporting on the event and how they relate to their company’s (or customers’) mission. Every story must answer the question: How does this impact me?

Additionally, we encourage organizations to never stop adjusting the template of a weekly report to address the current threat landscape or company focus. Devote sections to more specific topics requested by your leadership, such as cyber events impacting a particular geographic region or events referencing a trending variant of malware. It is not unusual for sections, such as the ones we covered, within your weekly report to become outdated — for example, a variant of malware may become less notable as security patches emerge and awareness from your security team helps mitigate the threat as time goes on.

Many security professionals do not have the opportunity to proactively identify and compile events while meeting the varying schedules of multiple writers. With Recorded Future, security teams can utilize our many analytic products — our Weekly Threat Landscape report being just one — customized to align with their intelligence requirements.

Feel free to download your own copy of our Weekly Threat Landscape report template for inspiration, and to learn more about how Recorded Future can help organizations better understand and prevent threats, request a personalized demo today.

Parker Crucq

Parker Crucq is a threat intelligence analyst at Recorded Future.