Breakout Session

Threat Actor Baseball Cards: Beyond IoCs & Towards a Holistic Adversary Collection

Cyber Threat Intelligence teams are barraged with consistent updates and changes to threat actor activity clusters. This presentation highlights a methodology (threat actor baseball cards) for collecting and storing information about threat actors in order to understand a group's history, recent activity, tools, and infrastructure, and for using MITRE ATT&CK to display the actor's flow. During this presentation, we will demonstrate how to create one of these cards from start to finish, based on an active Advanced Persistent Threat (APT33), and present use cases for how a baseball card would be used to create finished intelligence products and collaborate with other Information Security teams. Participants will leave with a collaborative methodology for collecting threat actor information (including a template) and specific use cases for engaging with other teams such as Cyber Threat Hunt and Red Team.

April 10, 2024
11:15 am - 11:45 am
Capitol 1-2

Speakers

Leo Olbes

Cyber Threat Intelligence Analyst, Costco

Ashley Ewing

Cybersecurity Cyber Threat Intel, Costco