@@ -63,7 +63,7 @@ Depending on what we find, we can either raise an incident ourselves, or continu
Purple Team represents a collaborative exercise between the Red Team and Blue Team (our defensive teams, usually [SIRT](../sirt/) or [Signals Engineering](../signals-engineering)). These can be:
- flash operations, which are 1-2 week exercises triggered by [Threat Intelligence Flash Reports](../threat-intelligence/#flash-reports) to rapidly test our defenses against emerging threats, or
- flash operations, which are 1-2 week exercises triggered by [Threat Intelligence Flash Reports](../threat-intelligence/#threat-intelligence-reports) to rapidly test our defenses against emerging threats, or
Please follow our [RFI process](#requests-for-information-rfi) to contact the team.
For urgent security requests, [engage the security team](/handbook/security/security-operations/sirt/engaging-security-on-call/) using the Slack command `/security`.
For a less formal discussion, you can find us in Slack in the `#sd_security_threat_intel` channel.
For all other matters, Threat Intelligence can be contacted by:
- Tagging `@threat-intelligence` in the Slack channel `#security_discuss` for general discussions.
- Tagging `@threat-intelligence` in the Slack channel `#security_help` for general requests.
- Following the [RFI process](#requests-for-information-rfi) for formal, well-defined requests.
## Our Vision
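Review bot: the link text in L4 still reads "Threat Intelligence Flash Reports" even though its anchor is retargeted from `#flash-reports` to `#threat-intelligence-reports`; if the Flash Reports section is being folded into Threat Intelligence Reports, rename the link text to "Threat Intelligence Reports" so the purple-teaming page does not point readers at a name that no longer exists as a heading. Also, L9 and L10 distinguish `#security_discuss` for "general discussions" from `#security_help` for "general requests", which is hard to apply; one sentence on what counts as a request (for example anything that needs a tracked answer) would make the routing unambiguous.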
@@ -22,26 +26,21 @@ By staying vigilant and sharing targeted intelligence, we strive to help GitLab
## The Team
### Current Structure
We are in the early stages of our Threat Intelligence journey, and currently have one dedicated engineer. This is augmented by cross-functional participants from SIRT and the Red Team, who dedicate 10-20% of their time to the program while still prioritizing their primary roles. They focus on building capabilities, delivering actionable intelligence, and demonstrating early results.
The Threat Intelligence team consists of one dedicated engineer, reporting to a Senior Manager within Security Operations.
### Current Priorities
The teams's current priorities are:
## Services We Provide
1.**Delivering actionable intelligence**: Preparing and presenting concise, actionable reports that inform GitLab of relevant threats, their potential impact, and recommended actions.
1.**Building meaningful connections**: Establishing relationships with industry peers, government entities, and other experts who specialize in the top threats most impactful to GitLab.
### Security Operations Support
As the program matures, we will focus on program efficiencies using data correlation, automation, and AI.
The Threat Intelligence engineer works closely with SIRT and other security teams, providing specialized expertise that overlays day-to-day security operations. This includes supporting active investigations and incidents through threat hunting, malware analysis, log analysis, and threat actor attribution. Much of this work is driven by team discussions in Slack, open cases, and active incidents rather than formal requests.
## Services We Provide
Supporting S1 incidents will always take priority over all other work.
### Threat Intelligence Reports
Reports are the foundation of our Threat Intelligence program and are always actionable. We use GitLab.com to write the reports, enabling collaboration and allowing direct linking to recommendations and results.
Reports are delivered on an ad-hoc basis in response to rapidly emerging threats, focusing on a specific threat actor, campaign, or vulnerability. They help GitLab make quick decisions to protect our customers and our organization. For themes that require ongoing attention, rolling summaries may be produced as needed.
All reports, regardless of type, consistently:
All reports are written in GitLab.com, enabling collaboration and direct linking to recommendations. They consistently:
- Include linked issues with clearly defined next steps to address each topic covered
- Answer the following questions for each threat addressed:
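Review bot: L27 ("Supporting S1 incidents will always take priority over all other work.") now sits directly under the `## Services We Provide` heading at L20 with no lead-in, so it reads as an orphaned sentence before any service is introduced; it belongs under Security Operations Support, right after L25, where incident support is described. Separately, L30 introduces "rolling summaries" for themes needing ongoing attention but gives no cadence, owner, or template, whereas the ad-hoc reports get a template link later on the page; one clause saying how and where rolling summaries are published would close that gap.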
@@ -49,45 +48,14 @@ All reports, regardless of type, consistently:
- How well is GitLab prepared to deal with this threat today?
- What steps is GitLab taking to better handle this threat?
The specific reports types we offer are described below.
#### Flash Reports
Flash Reports are delivered on an ad-hoc basis in response to rapidly emerging threats. They focus on a single topic, generally a specific threat actor, campaign, or vulnerability.
These reports help GitLab make quick decisions to protect our customers and our organization.
Recommendations linked to Flash Reports are often time-sensitive and critical. They are leveraged for activities like:
Recommendations are often time-sensitive and critical, and are leveraged for activities like:
- Rapid iterations to security controls and detection capabilities
- Threat hunting
- Security communications
- Purple Team Flash Operations
Flash Reports use [this template](https://gitlab.com/gitlab-com/gl-security/security-operations/threat-intelligence-public/resources/threat-intelligence-templates/-/blob/main/.gitlab/issue_templates/flash_report.md?ref_type=heads).
#### Threat Briefings
Threat Briefings offer regular, higher-level updates on the evolving threat landscape by aggregating Flash Reports and other Security Operations activities over each month. Threat Briefings aim to provide on ongoing view into the most relevant trends, actors, and campaigns that could affect GitLab in the coming weeks or months.
These reports help team members stay informed, vigilant, and prepared.
Recommendations linked to Threat Briefings are not as time-sensitive as those from a Flash Report. Threat Briefing recommendations are leveraged for more strategic activities like:
- Product roadmap and prioritization
- Standard iterations to security controls and detection capabilities
- Training on security awareness and job-specific skills
- Purchasing decisions and vendor evaluations
Threat Briefings are produced monthly using [this template](https://gitlab.com/gitlab-com/gl-security/security-operations/threat-intelligence-public/resources/threat-intelligence-templates/-/blob/main/.gitlab/issue_templates/threat_briefings.md?ref_type=heads) and include a live presentation with a Q&A session.
### Threat Actor Tracking
Threat Actor Tracking is an ongoing effort where we closely monitor the threat actors that pose the greatest risk to GitLab. By continuously monitoring their activities, tactics, and techniques, we develop a better understanding of their motivations and capabilities.
This intelligence helps us anticipate their next moves and proactively strengthen our defenses. It also helps us attribute early indicators to these groups, giving us a heads-up when they are actively targeting us.
Threat Actor Tracking is done inside our Threat Intelligence Platform (TIP).
Reports use the [Flash Report template](https://gitlab.com/gitlab-com/gl-security/security-operations/threat-intelligence-public/resources/threat-intelligence-templates/-/blob/main/.gitlab/issue_templates/flash_report.md?ref_type=heads).
### Requests For Information (RFI)
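Review bot: L62 links the "Flash Report template" from under `### Threat Actor Tracking`, but the Flash Reports section (L39-L48) that defined the term is removed in this same hunk, and the `### Threat Intelligence Reports` section at L28-L34 never says which template a report uses. Move L62 into the Threat Intelligence Reports section and reword it to "Threat Intelligence Reports use [this template](...)" (the file can keep its `flash_report.md` name), and drop it from Threat Actor Tracking, which is described as happening in the TIP rather than in issue-based reports.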
@@ -100,28 +68,17 @@ Some examples where an RFI can provide value:
- Helping draft threat-informed communications about GitLab security decisions
- Third-party vendor and product evaluations
Supporting S1 incidents will always take priority over all other work.
Requests for Information use [this template](https://gitlab.com/gitlab-com/gl-security/security-operations/threat-intelligence-public/resources/threat-intelligence-templates/-/blob/main/.gitlab/issue_templates/rfi.md?ref_type=heads).
## How We Measure Success
We measure the success of our threat intelligence program using key metrics that demonstrate our value and effectiveness. We track these metrics using GitLab.com issues and custom labels.
We track the following metrics using GitLab.com issues and custom labels.
### Current Metrics
- Adoption Rate: Measures the extent to which our intelligence-driven recommendations are accepted and implemented.
- RFI Satisfaction: Measures whether RFIs provide actionable information that answers the requestor's needs.
### Future Metrics
As our program matures, we plan to implement additional metrics:
- Impact: Will measure how often our intelligence helps prevent incidents, detect attacks, improve response times, and drive significant product improvements that keep our customers secure.
- Attribution: Will measure the accuracy, relevance, and source of our intelligence by tracking how often it is validated by real-life events.
Monitoring these metrics helps us continually refine our services, prioritize high-impact activities, and demonstrate the value of our program.
### Metric Labels
**Recommendation Classification Labels:**
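Review bot: L71 ("We track the following metrics using GitLab.com issues and custom labels.") is immediately followed by `### Metric Labels` if the Current Metrics and Future Metrics subsections at L72-L79 are removed as this hunk suggests, so "the following metrics" would point at a list of labels rather than at metric definitions. Either keep the one-line definitions of Adoption Rate (L73) and RFI Satisfaction (L74) next to their label groups, or rewrite L71 as "We track these metrics with the labels below." so the sentence matches what follows.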
@@ -143,19 +100,6 @@ Monitoring these metrics helps us continually refine our services, prioritize hi
- RFI partially provided actionable information (`TIRFI::PartiallySatisfied`)
- RFI did not provide actionable information (`TIRFI::NotSatisfied`)
**Attribution Labels (source of validated intelligence):**
- Threat Actor Tracking (`TIAttribution:ThreatActorTracking`)
- Request for Information (`TIAttribution::RFI`)
**Impact Labels:**
- Intelligence prevented an incident (`TIImpact::Prevention`)
- Intelligence allowed us to identify an attempted attack (`TIImpact::Detection`)
- Intelligence allowed us to respond to an incident (`TIImpact::Response`)
## Additional Resources
-[Threat Intelligence Templates](https://gitlab.com/gitlab-com/gl-security/security-operations/threat-intelligence-public/resources/threat-intelligence-templates): Public template repository for reports, RFIs, etc.
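Review bot: L93 removes the only link to the root of the `threat-intelligence-templates` repository from Additional Resources, while L62 and L68 still deep-link individual files in that same repository; keep the resources entry (or the repository link) so readers can find templates other than the two linked inline. If the Attribution labels at L85-L87 survive this hunk, also fix `TIAttribution:ThreatActorTracking` on L86 to use `::`, matching `TIAttribution::RFI` and the other scoped labels; with a single colon GitLab treats it as an unscoped label and the mutual exclusion of scoped labels does not apply.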
@@ -11,8 +11,7 @@ Being a Threat Intelligence Engineer at GitLab involves a mixture of traditional
## Responsibilities
- Prepare actionable [Flash Reports](/handbook/security/security-operations/threat-intelligence/#flash-reports) based on emerging and relevant threat information
- Prepare monthly [Threat Briefings](/handbook/security/security-operations/threat-intelligence/#threat-briefings) focussed on the impact and outcomes of each month's intelligence-driven activity
- Prepare actionable [Threat Intelligence Reports](/handbook/security/security-operations/threat-intelligence/#threat-intelligence-reports) based on emerging and relevant threat information
- Respond to internal [Requests For Information (RFI)](/handbook/security/security-operations/threat-intelligence/#requests-for-information-rfi) from teams across GitLab
- Support incident response, threat hunting and [Purple Team Flash Operations](/handbook/security/security-operations/red-team/purple-teaming/#purple-team-operations) with data enrichment and malware, infrastructure and behavior analysis
- Leverage our Threat Intelligence Platform (TIP) for data collection, analysis, and automation
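Review bot: L98 replaces the two reporting responsibilities (L96, L97) with a single "Threat Intelligence Reports" bullet, which drops the monthly cadence, but the services page at L30 also introduces rolling summaries for ongoing themes with no named owner; add "and rolling summaries for themes that require ongoing attention" to L98 so the job family matches the services it is accountable for. L101 mentions the Threat Intelligence Platform (TIP) without a link, whereas L61 on the services page also refers to it; if the TIP has a handbook entry, link it from both places.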