Intro to Cyber Threat Intel

Introducing cyber threat intelligence and related topics, such as relevant standards and frameworks.

Introduction

Cyber Threat Intelligence (CTI) is crucial for investigating adversary attacks and reporting on them to organizational stakeholders and external communities.

Cyber Threat Intelligence

CTI is evidence-based knowledge about adversaries: their indicators, tactics and motivations, together with actionable advice. It is used to protect critical assets and to inform the decisions of both cybersecurity teams and business management.

Data - Indicators associated with an adversary, such as IPs, URLs and hashes.

Information - Multiple data points combined to answer a question such as “How many times have employees accessed tryhackme.com within the month?”

Intelligence - Correlation of data and information to extract patterns of adversary action through contextual analysis.

CTI's objective is to understand the relationship between your operational environment and the adversary, and how to defend against any attacks. To achieve this, develop cyber threat context with the following questions:

  • Who’s attacking you?

  • What are their motivations?

  • What are their capabilities?

  • What artifacts and indicators of compromise (IOCs) should you look out for?

To answer those questions, threat intelligence is gathered from these categories of sources:

  • Internal:

    • Corporate security events such as vulnerability assessments and incident response reports.

    • Cyber awareness training reports.

    • System logs and events.

  • Community:

    • Open web forums.

    • Dark web communities for cybercriminals.

  • External:

    • Threat intel feeds (commercial and open-source).

    • Online marketplaces.

    • Public sources include government data, publications, social media, financial and industrial assessments.

Threat intel can be broken down into the following classifications:

  • Strategic Intel: High-level intel looking into the organization's threat landscape, mapping out the risk areas based on trends, patterns and emerging threats that may impact business decisions.

  • Technical Intel: Looks into the evidence and artifacts of attacks used by an adversary. Incident response teams use it to establish a baseline attack surface from which to analyze and develop defense mechanisms.

  • Tactical Intel: Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.

  • Operational Intel: Looks into an adversary’s specific motives and intent to perform an attack. Security teams use it to understand which of the organization's critical assets (people, processes and technologies) may be targeted.

What does CTI stand for?

Cyber Threat Intelligence

IP addresses, Hashes and other threat artefacts would be found under which Threat Intelligence classification?

Technical Intel

CTI Lifecycle

Threat intel is produced by a data-churning process that transforms raw data into contextualized, action-oriented insights geared toward triaging security incidents. The transformation follows a six-phase cycle:

Direction

Threat intel programs define their objectives and goals, which involves identifying these parameters:

  • Information assets and business processes that require defending.

  • The potential impact of losing those assets or of process interruptions.

  • Sources of data and intel to be used towards protection.

  • Tools and resources that are required to defend the assets.

This phase allows analysts to pose questions related to investigating incidents.

Collection

Once objectives are defined, analysts gather the data required to address them using commercial, private and open-source resources. Because of the volume of data involved, it is recommended to automate this phase to free up time for triaging incidents.

Processing

Raw logs, vulnerability information, malware and network traffic are often disconnected from one another when investigating an incident. This phase ensures data is extracted, sorted, organized, correlated with appropriate tags and presented visually in a usable, understandable format. SIEMs achieve this and allow quick parsing of data.
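The following is an added example, not code from the room, showing the Data - Information - Intelligence progression defined earlier as the kind of extraction, sorting, tagging and correlation this Processing phase describes: raw proxy log lines (data) are parsed and tagged against a threat feed, a monthly access count answers a question (information), and per-host correlation surfaces a pattern of action (intelligence). All log lines, host names, domains and IP addresses are constructed for illustration.

```python
"""
Added example (not code from the TryHackMe room): the Data -> Information ->
Intelligence progression, implemented as the extraction, sorting, tagging and
correlation the Processing phase describes. All log lines, host names,
domains and IP addresses below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Data: constructed proxy log lines (timestamp, source host, destination, bytes)
RAW_PROXY_LOGS = """\
2024-03-02T09:14:05Z host=ws-017 dst=tryhackme.com bytes=4120
2024-03-03T10:22:41Z host=ws-042 dst=tryhackme.com bytes=3980
2024-03-03T23:58:12Z host=ws-042 dst=update-cdn.example bytes=51200
2024-03-04T00:03:55Z host=ws-042 dst=198.51.100.23 bytes=987654
2024-03-09T11:01:30Z host=ws-017 dst=tryhackme.com bytes=3300
2024-03-10T02:17:09Z host=ws-088 dst=198.51.100.23 bytes=1203400
2024-03-11T15:45:00Z host=ws-017 dst=intranet.example bytes=900
2024-02-27T08:00:00Z host=ws-005 dst=tryhackme.com bytes=2100
this line is malformed and must be skipped
"""

# Data from an external source: a constructed threat-intel feed mapping
# indicators to tags (documentation address range, not real IOCs)
THREAT_FEED = {
    "198.51.100.23": "c2-server",
    "update-cdn.example": "malware-staging",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_logs(raw):
    """Processing: extract fields from raw lines, tag them against the feed
    and return the records sorted by time."""
    records = []
    for line in raw.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole batch
        dst = m["dst"]
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"],
            "dst": dst,
            "bytes": int(m["bytes"]),
            "tags": [THREAT_FEED[dst]] if dst in THREAT_FEED else [],
        })
    return sorted(records, key=lambda r: r["ts"])


def monthly_access_count(records, domain, year, month):
    """Information: answers 'how many times was <domain> accessed in <month>?'"""
    return sum(
        1 for r in records
        if r["dst"] == domain and r["ts"].year == year and r["ts"].month == month
    )


def _pattern(tags):
    if {"malware-staging", "c2-server"} <= tags:
        return "staging-then-c2"
    return "c2-only" if "c2-server" in tags else "staging-only"


def correlate(records):
    """Intelligence: correlate tagged records per host to surface a pattern of
    action (staging download followed by traffic to a C2 address, off-hours
    activity, volume sent to the C2) rather than isolated indicator hits."""
    by_host = defaultdict(list)
    for r in records:
        if r["tags"]:
            by_host[r["host"]].append(r)
    findings = {}
    for host, hits in by_host.items():
        tags = {t for r in hits for t in r["tags"]}
        findings[host] = {
            "tags": sorted(tags),
            "off_hours": any(r["ts"].hour < 6 for r in hits),
            "bytes_to_c2": sum(r["bytes"] for r in hits if "c2-server" in r["tags"]),
            "pattern": _pattern(tags),
        }
    return findings


if __name__ == "__main__":
    recs = parse_logs(RAW_PROXY_LOGS)
    print("tryhackme.com accesses in March 2024:",
          monthly_access_count(recs, "tryhackme.com", 2024, 3))
    for host, finding in correlate(recs).items():
        print(host, finding)
```

The point of `correlate` is that a single feed hit on ws-088 is just data, while ws-042's staging download followed minutes later by a large off-hours transfer to the C2 address is a pattern an analyst can act on.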

Analysis

Once the information aggregation is complete, security analysts must derive insights. Decisions to be made may involve:

  • Investigating a potential threat through uncovering indicators and attack patterns.

  • Defining an action plan to avert an attack and defend the infrastructure.

  • Strengthening security controls or justifying investment for additional resources.

Dissemination

Organizational stakeholders will consume the intelligence in varying languages and formats. For example, C-suite members will require a concise report covering trends in adversary activities, financial implications and strategic recommendations. At the same time, analysts will more likely inform the technical team about the threat IOCs, adversary TTPs and tactical action plans.

Feedback

The final phase covers the most crucial part, as analysts rely on the responses provided by stakeholders to improve the threat intelligence process and the implementation of security controls. Feedback should be a regular interaction between teams to keep the lifecycle working.

At which phase of the lifecycle is data made usable through sorting, organizing, correlation and presentation?

Processing

During which phase do security analysts get the chance to define the questions to investigate incidents?

Direction

CTI Standards & Frameworks

Standards and frameworks provide structures to rationalize the distribution and use of threat intel across industries, establishing common terminology and helping collaboration and communication.

MITRE ATT&CK

The ATT&CK framework is a knowledge base of adversary behaviour, focusing on the indicators and tactics. Security analysts can use the information to be thorough while investigating and tracking adversarial behavior. More info can be found here.

TAXII

The Trusted Automated eXchange of Indicator Information (TAXII) defines protocols for securely exchanging threat intel to enable near real-time detection, prevention and mitigation of threats. The protocol supports two sharing models:

  • Collection: Threat intel is collected and hosted by a producer upon request by users using a request-response model.

  • Channel: Threat intel is pushed to users from a central server through a publish-subscribe model.

STIX

Structured Threat Information Expression (STIX) is a language developed for the "specification, capture, characterization and communication of standardized cyber threat information". It provides defined relationships between sets of threat info such as observables, indicators, adversary TTPs, attack campaigns, and more.
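As an added example, not code from the room or from the OASIS STIX project, the block below hand-builds a minimal STIX 2.1 bundle with the standard library and then resolves the relationships it declares, which is what ties observables, indicators, TTPs and campaigns together. Object identifiers are generated at run time, and the indicator value, malware name and campaign are constructed; the only real reference is ATT&CK technique T1071 (Application Layer Protocol). The real-world `stix2` Python library is deliberately not used so the example runs offline.

```python
"""
Added example (not code from the room or from the OASIS STIX project):
hand-building a minimal STIX 2.1 bundle with the standard library and then
resolving the relationships it declares. Identifiers are generated; the
indicator value, names and campaign are constructed; the only real reference
is ATT&CK technique T1071 (Application Layer Protocol).
"""
import json
import uuid
from datetime import datetime, timezone


def stix_id(obj_type):
    """STIX 2.1 identifiers take the form <type>--<UUID>."""
    return f"{obj_type}--{uuid.uuid4()}"


def stix_now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_obj(obj_type, **fields):
    """Common properties every STIX 2.1 object carries, plus type-specific ones."""
    ts = stix_now()
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
           "created": ts, "modified": ts}
    obj.update(fields)
    return obj


def build_bundle():
    # Observable expressed as an indicator pattern (198.51.100.23 is a documentation address)
    indicator = make_obj("indicator",
                         name="C2 beacon address (constructed)",
                         indicator_types=["malicious-activity"],
                         pattern="[ipv4-addr:value = '198.51.100.23']",
                         pattern_type="stix",
                         valid_from=stix_now())
    malware = make_obj("malware", name="ExampleRAT (constructed)",
                       malware_types=["remote-access-trojan"], is_family=False)
    ttp = make_obj("attack-pattern", name="Application Layer Protocol",
                   external_references=[{"source_name": "mitre-attack",
                                         "external_id": "T1071"}])
    campaign = make_obj("campaign", name="Operation Example (constructed)")
    # Relationships are what turn isolated objects into linked threat information
    relationships = [
        make_obj("relationship", relationship_type="indicates",
                 source_ref=indicator["id"], target_ref=malware["id"]),
        make_obj("relationship", relationship_type="uses",
                 source_ref=malware["id"], target_ref=ttp["id"]),
        make_obj("relationship", relationship_type="uses",
                 source_ref=campaign["id"], target_ref=malware["id"]),
    ]
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [indicator, malware, ttp, campaign, *relationships]}


def validate(bundle):
    """Check the common properties and that every *_ref resolves inside the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    problems = []
    for o in bundle["objects"]:
        for prop in ("type", "spec_version", "id", "created", "modified"):
            if prop not in o:
                problems.append(f"{o.get('id', '?')}: missing {prop}")
        if not o.get("id", "").startswith(o.get("type", "") + "--"):
            problems.append(f"{o.get('id', '?')}: id does not match type")
        for ref in ("source_ref", "target_ref"):
            if ref in o and o[ref] not in ids:
                problems.append(f"{o['id']}: dangling {ref}")
    return problems


def related(bundle, obj_id):
    """List (relationship_type, name) pairs for every object linked to obj_id;
    links where obj_id is the target are reported with an 'inverse:' prefix."""
    names = {o["id"]: o.get("name", o["type"]) for o in bundle["objects"]}
    links = []
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        if o["source_ref"] == obj_id:
            links.append((o["relationship_type"], names[o["target_ref"]]))
        elif o["target_ref"] == obj_id:
            links.append(("inverse:" + o["relationship_type"], names[o["source_ref"]]))
    return sorted(links)


def find_by_type(bundle, obj_type):
    return next(o for o in bundle["objects"] if o["type"] == obj_type)


if __name__ == "__main__":
    b = build_bundle()
    print(json.dumps(b, indent=2))
    print("problems:", validate(b))
    print("linked to malware:", related(b, find_by_type(b, "malware")["id"]))
```

The `validate` check matters when consuming bundles from a feed: a relationship whose `source_ref` or `target_ref` points outside the bundle cannot be followed, which is exactly the context the relationships are meant to provide.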

Cyber Kill Chain

The Cyber Kill Chain breaks down adversary actions into steps. This breakdown helps analysts and defenders identify which stage-specific activities occurred when investigating an attack. The phases defined are shown in the image below.

Over time, the kill chain has been extended with other frameworks such as ATT&CK, resulting in the Unified Kill Chain. More information can be found here.

The Diamond Model

The Diamond Model is used for intrusion analysis and for tracking attack groups over time. It focuses on four key areas, each representing a different point on the diamond. These are:

  • Adversary: Focuses on the threat actor behind an attack, allowing analysts to identify the motive for the attack.

  • Victim: At the opposite end of the diamond from the adversary; the individual, group or organisation affected by an attack.

  • Infrastructure: The adversary's tools, systems and software used to conduct the attack are the main focus. Additionally, the victim's systems would be crucial to providing information about the compromise.

  • Capabilities: Focuses on the adversary's approach to reaching its goal. This looks at the means of exploitation and the TTPs implemented across the attack timeline.

More information can be found here.
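The following added example, not code from the room or from the Diamond Model authors, represents intrusion events as diamonds with the four vertices listed above and pivots across shared vertices to link events into activity threads tracked over time. It goes slightly beyond the text by showing the pivot as union-find over shared infrastructure and adversary vertices; all events, group names, victims and addresses are constructed.

```python
"""
Added example (not code from the room or from the Diamond Model authors):
intrusion events as diamonds (adversary, victim, infrastructure, capability)
and pivoting across shared vertices to link events into activity threads.
All events, group names, victims and addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    event_id: str
    adversary: Optional[str]  # often unknown when an intrusion is first seen
    victim: str
    infrastructure: str       # C2 address or domain (documentation values)
    capability: str           # tool or TTP used
    timestamp: str            # ISO date, sorts lexically


EVENTS = [
    Event("E1", "GroupA (constructed)", "acme-finance", "203.0.113.7", "phishing-macro", "2024-01-05"),
    Event("E2", None, "acme-hr", "203.0.113.7", "credential-dumping", "2024-01-20"),
    Event("E3", None, "beta-corp", "cdn-static.example", "phishing-macro", "2024-02-02"),
    Event("E4", None, "beta-corp", "cdn-static.example", "data-exfil", "2024-02-14"),
    Event("E5", "GroupA (constructed)", "gamma-ltd", "198.51.100.9", "data-exfil", "2024-03-01"),
]


def pivot(events, vertex, value):
    """An analyst pivot: every event that shares one vertex value."""
    return [e for e in events if getattr(e, vertex) == value]


def activity_threads(events, link_on=("infrastructure", "adversary")):
    """Link events that share any of the link_on vertices (union-find) and
    attribute each resulting thread from whichever of its events names an
    adversary. Capability is deliberately not a default link vertex: many
    unrelated groups use the same TTPs, so it is too weak on its own."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    index = defaultdict(list)
    for e in events:
        for vertex in link_on:
            value = getattr(e, vertex)
            if value:  # unknown vertices (None) never link anything
                index[(vertex, value)].append(e.event_id)
    for ids in index.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])

    groups = defaultdict(list)
    for e in events:
        groups[find(e.event_id)].append(e)

    threads = []
    for members in groups.values():
        members.sort(key=lambda e: e.timestamp)
        named = {e.adversary for e in members if e.adversary}
        if len(named) == 1:
            adversary = named.pop()
        elif named:
            adversary = "conflict: " + ", ".join(sorted(named))
        else:
            adversary = "unknown"
        threads.append({
            "events": [e.event_id for e in members],
            "adversary": adversary,
            "victims": sorted({e.victim for e in members}),
            "capabilities": sorted({e.capability for e in members}),
            "span": (members[0].timestamp, members[-1].timestamp),
        })
    return sorted(threads, key=lambda t: t["events"][0])


if __name__ == "__main__":
    print("shares phishing-macro:",
          [e.event_id for e in pivot(EVENTS, "capability", "phishing-macro")])
    for t in activity_threads(EVENTS):
        print(t)
```

With the default vertices, E2 inherits the GroupA attribution only because it shares C2 infrastructure with E1, while the beta-corp events stay unattributed; passing `capability` in `link_on` collapses everything into one thread, which illustrates why a capability-only pivot needs corroboration.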

What sharing models are supported by TAXII?

Collection and Channel

When an adversary has obtained access to a network and is extracting data, what phase of the kill chain are they on?

Actions on Objectives

Practical Analysis
