Chapter 04: Threat Intelligence Flashcards
Threat Feed Details
Threat feeds will often contain things like:
* IPs
* Hostnames
* Domains
* Emails
* URLs
* File hashes
* File paths
* CVE numbers
* Details of what may make your org a target or vulnerable to threat
* Descriptions, motivations, methodologies of threat actors
OSINT
Open Source Intelligence
Intel acquired from publicly available sources
Public sites:
* Senki.org
* The Open Threat Exchange by AlienVault
* MISP (malware information sharing platform)
* Threatfeeds.io
* SANS Internet Storm Center
* VirusShare
* VirusTotal
* Spamhaus
Government sites:
* US Cybersecurity and Infrastructure Security Agency (CISA)
* US DoD Cyber Crime Center
* CISA’s Automated Indicator Sharing (AIS) program
* CISA’s Information Sharing and Analysis Organizations (ISAOs / ISACs) program
Vendor sites:
* MS Threat Intelligence Blog
* Cisco’s Threat Security Site
Other locations:
* Social media, but it is difficult to determine the veracity of the information
* Blogs and forums
* Computer emergency response teams (CERT) websites
* Cybersecurity incident response team (CSIRT) websites
* Dark web / deep web
Closed Source Intelligence
The opposite of OSINT
Commercial security vendors, govt orgs, and other security-centric orgs create and use proprietary, closed source intel
They do all their own research and information gathering, and use custom tools / analysis models / proprietary methods to gather, curate, and maintain their threat feeds
Sometimes you can access these as paid feeds, but sometimes they keep it for internal use only
Threat Intel Confidence Level
Is It Timely?
* A feed that operates on delay can cause you to miss a threat or to react after the threat is no longer relevant
Is the Information Accurate?
* Can you rely on what it says, and how likely is it that the assessment is valid?
* Does it rely on a single source or multiple sources?
* How often are those sources correct?
Is the Information Relevant?
* If it describes the wrong platform, software, or resource for the org to be targeted, the data may be very timely and very accurate, but completely irrelevant to your org
Threat Intel Confidence Score
One way to summarize threat intel assessment data is to assign it a confidence score
This allows you to filter and use threat intel based on how much trust you can give it
Low confidence doesn’t mean the intel isn’t useful—sometimes confidence scores start low and increase as the information solidifies
Low confidence just means you shouldn’t fully rely on it to make important decisions in a vacuum
Example confidence rating:
* Confirmed (90-100): Independent sources or direct analysis proves the threat is real
* Probable (70-89): Logical inference, but doesn’t directly confirm threat
* Possible (50-69): Some information agrees with the analysis, but the assessment is not confirmed—somewhat logical to infer from given data
* Doubtful (30-49): Assessment is possible but not the most likely option, or assessment can’t be proven or disproven by information available
* Improbable (2-29): Assessment is possible but not the most logical option, or refuted by other information available
* Discredited (1): Assessment confirmed to be inaccurate or incorrect
Threat Intelligence Sharing
Threat intel sharing is key for many operational security practices:
- Incident Response: Identifying threat actors as well as their common techniques and tools
- Vulnerability Management: Understanding current, active threats can help assess risk and influence patch cycles and prioritization efforts
- Risk Management and Security Engineering: Provides a useful view of the direction of threats and what threats are likely to grow over the lifecycle of a security design, and influences responses to threats that may be integrated into design updates
- Detection and Monitoring: Ensures timely updates and allows for the creation of new detection rules, giving faster responses and better behavioral detection capabilities
Page 142 for full descriptions
STIX
Structured Threat Information Expression
Currently in v2.1 and defines 12 STIX domain objects (SDOs) including things like:
* Observed data
* Indicators
* Attack patterns
* Course of Action (COA)
* Identities
* Malware
* Threat actors
* Tools
Standard terminology for IOCs and ways of indicating relationships between them, included as part of the OASIS Cyber Threat Intelligence (CTI) framework
NOTE: STIX v1 was XML, but STIX v2 uses JSON format, and you can tell it’s JSON because of the curly brackets and keys like "type": and "id":. If you see JSON on the exam, it’s likely referring to STIX
TAXII
Trusted Automated Exchange of Indicator Information
Companion to STIX, and allows cyber threat information to be communicated at the OSI application layer via HTTPS
TAXII is specifically designed to support STIX data exchange
OpenIOC
Open Indicators of Compromise
Another XML-based framework for threat information sharing, developed by Mandiant, which uses their indicators as its base
A typical IOC includes metadata like:
* Author
* Name of IOC
* Description
* References to the investigation or case
* Information about the maturity of the IOC
* Definition for the IOC, which may include details of the actual compromise
The Threat Intelligence Lifecycle
Comprised of five phases:
- Requirements Gathering
- Data Collection
- Data Processing and Analysis
- Intelligence Dissemination
- Feedback
Page 144 for all in detail
Intel Cycle: Requirements Gathering
Plan for your intelligence requirements, which may be created as a result of:
* Successful breaches and compromises
* Industry trends
* Risk assessments conducted for your organization
In this step, you typically assess:
* What security breaches or compromises you’ve faced
* What information could have prevented or limited the impact of the breach
* What controls and security measures were not in place that would have mitigated the breach
Intel Cycle: Data Collection
Once you have the information requirements, you can collect data from threat intel sources to meet those requirements
This phase may repeat as additional requirements are added, or as requirements are refined based on available data and data sources
Intel Cycle: Data Processing and Analysis
The threat intel data you gather will likely be in multiple different formats
Here, you have to process the data so it can be consumed by the tools or processes you use
Then you have to analyze that data
Intel Cycle: Intelligence Dissemination
Data is distributed to leadership and operational personnel who will use it as part of their security operations role
We can break this data dissemination up into three categories:
1. Strategic: Addresses broad themes and objectives, usually affects projects and business priorities over weeks, months, and years
2. Operational: Day-to-day priorities of managers and specialists
3. Tactical: Informs real-time decisions made by staff as they encounter alerts and system indications
Intel Cycle: Feedback
Gather feedback about the reports and data you’ve gathered
This is an opportunity for continuous improvement so you can create better requirements and improve the overall output of your threat intel program
* Lessons learned
* Measurable success
* Evolving threat issues
Nation-State Threat Actors
They have the most access to resources including tools, talent, equipment, and time
They have the full resources of an entire country behind them as well, and their goals are sponsored by that country
Associated with APT organizations, and they have advanced tools and capabilities unrivaled by other threat actors
Organized Crime Threat Actors
They have focused attacks typically aimed at financial gain, like ransomware attacks
Hacktivist Threat Actors
Activists who use hacking as a means to a political or philosophical end
They range from individuals to large groups like Anonymous, and their tech capabilities and resources vary greatly
When assessing threats from hacktivists, carefully consider what types of hacktivists are most likely to target your org and why
Script Kiddie Threat Actors
Malicious actors who use preexisting tools, often in relatively unsophisticated ways
Still very dangerous, don’t underestimate them
Insider Threats Threat Actors
Threat actors from within your org, like employees or trusted individuals and groups
They might be intentional or unintentional, but either way they pose a significant threat due to their trusted position
Frequently considered one of the most likely causes of a breach, and difficult to detect
NOTE: The exam will break insider threats into intentional and unintentional, so know both
Supply Chain Threat Actors
They can act as part of the supply chain, inserting malicious software or hardware, compromising devices, or inserting backdoors
They can also attack the supply chain itself, disrupting the ability to obtain goods and services
TTP
Tactics, Techniques, and Procedures
APTs are one of the most concerning attackers that an organization can face
As they’re studied, they’re identified and classified based on their TTP
When you know that, you can successfully counter APT activity—it makes information about them exceptionally valuable
Proactive Threat Hunting
Searching for threats proactively, rather than reactively, can keep you ahead of attackers
To implement this proactivity, use the following steps:
* Establishing a Hypothesis: A hypothesis is needed to test and should have actionable results based on the threat that the hypothesis considers
* Profiling Threat Actors and Activities: This helps ensure that you have considered who may be a threat, and why, as well as what their typical actions and processes are
* Threat Hunting Tactics: These are key to success in threat hunting activities—the skills, techniques, and procedures are where action meets analysis
* Reducing the Attack Surface Area: This allows resources to be focused on the remaining surface area, making protection more manageable
* Bundling Critical Assets Into Groups and Protection Zones: This helps with managing attack surface area, threat hunting, and response activities, since each asset doesn’t need to be individually assessed or managed as a unique item
* Understanding, Assessing, and Addressing Attack Vectors or the Means By Which an Attack Can Be Conducted: This step must be based on analysis of threat actors and their techniques as well as the surface area that threat actors can target
* Integrated Intelligence: This step combines multiple intelligence sources to provide a better view of threats
* Improving Detection Capabilities: This is a continuous process as threats improve their techniques and technology. If you don’t improve your detection capabilities, new threats will bypass existing capabilities over time
Three Major Areas of Focus for Threat Hunting
- Configurations and misconfigurations that may lead to compromise, or that may indicate that an attacker has modified settings
- Isolated networks, which are typically used to protect sensitive or specialized data and systems—threat hunting here can be a bit easier since traffic and behaviors should be fully understood, but it could also mean deploying and using centrally managed tools which can be challenging
- Business-critical assets and processes are a focus area due to their importance: focus on these due to their organizational risk profile and the importance of ensuring they remain secure