XTM Hub by Filigran

[Strategic sector] High-Tech

Strategic

Overview

A strategic dashboard that shows threats facing the Technologies sector, one of a series of sector-focused dashboards. It includes overviews of Actors, Malware, TTPs and Vulnerabilities reported to be targeting organisations in the sector.

The [Strategic Sector] High-Tech dashboard is designed to provide a comprehensive overview of threats reported to be targeting the sector. This dashboard provides a first-look, top-down overview of all threats targeting the sector, and can be adapted to address specific Priority Intelligence Requirements (PIRs) targeting the sector.

Overview

  • The High Level Indicators section gives aggregate statistics for the entire dataset, giving situational awareness of the total volume of data in the platform
  • Active Threats shows the total number of reports for each threat actor that contain this sector or a sub-sector in the report
  • Recent Activities shows a timeline of campaigns that contain the sector
  • Technical Information shows counts of indicators relating to the sector

Usage

  • The High Level Indicators give an idea of the volume of data in your platform that is categorised as relating to the sector. If these figures are low, then the other threat-centric widgets will also have a low count. If you have a low count, common reasons can include: low volume of ingested data; ingested data does not contain sector as a STIX entity; too few reports in the time range set for the dashboard.
  • Active Threats shows Intrusion Sets, Threat Actors and Malware that have been reported as targeting the sector within the time range for the dashboard (usually from a report linking the threat to the sector that was received within the time range). Changing the time range to a recent time range, such as 1 or 3 months, will focus on more recent reports of threats against the sector.
  • Top Techniques used by Threats shows Attack Patterns (typically MITRE ATT&CK Techniques) known to be used by an Actor or Intrusion Set targeting the sector. Where a report contains both the sector as a target and the actor or intrusion set, all Attack Patterns / TTPs known to be used by these actors (not just the TTPs included in the reports, or TTPs used against this sector) will be shown here.
  • Top Vulnerabilities targeted by Threats shows Vulnerabilities that were reported as being targeted by a Threat Actor or Intrusion Set that targets the sector. This chart is indicative of vulnerabilities that are at a higher risk of exploitation in organisations within the sector.
  • Top Attack Patterns from Reports aggregates the TTPs included in the reports that reference this sector. Unlike the previous TTP graph, this only shows the TTPs that were mentioned in reports about the sector, rather than showing all TTPs known to be used by actors targeting the sector.

Data Pre-requisites

All widgets in this dashboard rely on reports ingested into OpenCTI that contain structured STIX entities, including targeted sector, threat actors, intrusion sets, malware entities, and indicators. If you do not have a stream of reports into OpenCTI that contain these entities, these dashboards will be empty. Most commercial feeds, and some open-source ones, will contain this structur

In addition, you can improve the inclusion of content in this report by:

  1. Configuring the OpenCTI Datasets connector, which ingests the master datasets, including sectors, with the UUIDs that are used in this dashboard. Each widget uses the specific UUID for the sector from this specific dataset.
  2. Turning on many of the Rules engine rules that infer relationships between entities that are contained in a report (e.g. if actor targets ‘Renewables’, then infer that actor targets ‘Energy’)
  3. Reviewing all Sectors, and checking that ‘similar’ sectors from other feeds are merged into the master entity from the OpenCTI Dataset, or at least are a child/subset of it (e.g. ‘Energy-Renewables’ is merged with ‘Renewables’, which is a subset of ‘Energy’)

Specific relationships that are used in these widgets include:

  • The relationship of Threat Actor or Intrusion Set targets the sector
  • The relationship of Threat Actor or Intrusion Set targets a vulnerability
  • The relationship of Threat Actor or Intrusion Set uses an Attack Pattern
  • The relationship of Threat Actor or Intrusion Set uses a Malware
  • The relationship of Indicator indicates a Malware, Threat Actor, Intrusion Set or Campaign
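
As an added example (not part of the original page and not OpenCTI code), the following Python check counts, in a STIX 2.1 bundle, the reports and relationships listed above and returns the ones with no hits, which is a quick way to see why a widget would be empty for a given feed. It assumes a sector is exported as an identity object with identity_class "class" and matches it by exact name (no sub-sector inference); the function names and the sample bundle are constructed for illustration.

```python
ACTORS = {"threat-actor", "intrusion-set"}
# (label, source types, relationship_type, target types), from the list above
REQUIRED = [
    ("actor targets sector", ACTORS, "targets", {"identity"}),
    ("actor targets vulnerability", ACTORS, "targets", {"vulnerability"}),
    ("actor uses attack-pattern", ACTORS, "uses", {"attack-pattern"}),
    ("actor uses malware", ACTORS, "uses", {"malware"}),
    ("indicator indicates threat", {"indicator"}, "indicates",
     {"malware", "threat-actor", "intrusion-set", "campaign"}),
]

def widget_coverage(bundle, sector_name):
    """Count widget-relevant objects; return (counts, labels with zero hits)."""
    objs = bundle.get("objects", [])
    # Assumption: a sector is an identity with identity_class "class".
    sectors = {o["id"] for o in objs if o.get("type") == "identity"
               and o.get("identity_class") == "class"
               and o.get("name", "").lower() == sector_name.lower()}
    counts = {label: 0 for label, *_ in REQUIRED}
    counts["reports containing sector"] = 0
    for o in objs:
        if o.get("type") == "report" and sectors & set(o.get("object_refs", [])):
            counts["reports containing sector"] += 1
        if o.get("type") != "relationship":
            continue
        # A STIX id is "type--uuid", so the prefix gives the object type.
        src, tgt = (o[k].split("--")[0] for k in ("source_ref", "target_ref"))
        for label, srcs, rel, tgts in REQUIRED:
            if (o["relationship_type"] == rel and src in srcs and tgt in tgts
                    and (tgt != "identity" or o["target_ref"] in sectors)):
                counts[label] += 1
    return counts, [k for k, v in counts.items() if v == 0]

def _id(t, n):  # constructed, deterministic ids for the sample bundle
    return f"{t}--00000000-0000-4000-8000-{n:012d}"

def _rel(n, src, kind, dst):
    return {"type": "relationship", "id": _id("relationship", n),
            "relationship_type": kind, "source_ref": src, "target_ref": dst}

SAMPLE = {"type": "bundle", "objects": [  # constructed data, not a real feed
    {"type": "identity", "id": _id("identity", 1), "name": "Technologies",
     "identity_class": "class"},
    {"type": "report", "id": _id("report", 2),
     "object_refs": [_id("identity", 1), _id("intrusion-set", 3)]},
    _rel(4, _id("intrusion-set", 3), "targets", _id("identity", 1)),
    _rel(5, _id("intrusion-set", 3), "uses", _id("attack-pattern", 6)),
    _rel(7, _id("indicator", 8), "indicates", _id("malware", 9)),
]}

print(widget_coverage(SAMPLE, "Technologies"))
```

For the sample bundle the zero-hit list names the two relationships the feed never supplies, so the vulnerability and malware widgets would stay empty even though reports for the sector exist.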

Basic Information

Filigran
Damian Skeeles
June 25, 2025