Threat Intelligence Explained Flashcards
Threat Intelligence Explained
In its simplest form, “threat intelligence is information that an organization uses to understand the threats that are currently targeting them, or could target them in the future”. This knowledge can help security teams to develop better defenses, mitigate cyber risk, and aid with monitoring their networks for any signs of compromise, so teams can remove malicious actors as quickly as possible.
Threat intelligence aims to provide information on more sophisticated threats, such as Advanced Persistent Threats (APTs), zero-day vulnerabilities, and global malware campaigns. It helps the organization understand who is (or could be) attacking them, why they are doing it, and the tactics they use, so those tactics can be replicated in penetration tests and red team engagements, or so defensive measures can be put in place to stop or slow down attackers.
Typically, actual intelligence is shared in the form of indicators of compromise (IOCs), which are artifacts that have been observed in relation to malicious activity. These can be email addresses that have been sending malicious emails, IP addresses that are hosting websites trying to steal users’ account details, or file-based artifacts such as a malware file name, file size, or its MD5 hash value.
We will cover all of the above in future lessons, so you can get an idea of what threat intelligence actually involves.
Threat Intelligence Lifecycle
Threat intelligence is all about gathering raw data and transforming it into intelligence that has value and can actually be used. To achieve this, we can follow what’s known as the “Threat Intelligence Lifecycle”. This can vary depending on which organization you’re looking at – so we’ll be combining the best bits of the lifecycles presented by Recorded Future and CrowdStrike.
1) Planning & Direction
This is the most crucial part, as it determines what the scope is for this specific threat intelligence project. Goals need to be set, and the stakeholders need to be clearly defined. This helps the project to stay on track, and not waste time or resources working on intelligence that is not important.
For example, if an organization received intelligence from another company that a foreign hacking group posted on a dark web forum boasting they are about to conduct a prolonged cyber attack against the company, an intelligence program could plan to do the following activities:
Research and learn more about the hacking group, including who is involved, and how skilled/sophisticated they are.
Check for public exposure in order to understand the attack surface of the organization, that is, the total number of ways hackers could break into a network. If a company had all of its systems fully patched, it would have a small attack surface; however, if patches were not applied, there are more security flaws attackers can take advantage of.
Discover the most appropriate actions that can be taken to defend against this threat.
2) Collection
This is the stage where the team will go out and collect all of the data they need to achieve their end goal of creating actionable intelligence. In our example, this would include scraping as many posts from the underground forum as they can get access to, any information associated with forum user accounts, performing OSINT searches to try to find information on the group, and anything else they agree is in scope as defined in phase 1. Mature threat intelligence teams typically use a centralized threat intelligence platform (such as MISP, which we will discuss later in this domain) to store indicators of compromise from a range of public and private threat feeds, which are lists of actionable intelligence shared between organizations.
3) Processing
Now that the team has a vast amount of data, they need to transform it into a clear and readable format so that it can be analyzed, typically by human threat intelligence analysts. Following our example again, it was mentioned that the source of the hacking group’s claim to conduct an attack came from a “dark web forum” and that the actors were foreign. If the posts were not written in English, they would need to be expertly translated to ensure that the exact information was maintained. This is an example of processing collected data to make it easier to analyze.
4) Analysis
This stage involves a human process where processed information (from the previous step) is turned into actionable intelligence that can be used. Depending on the circumstances, the decisions might involve whether to investigate a potential threat, what actions to take immediately to block an attack, how to strengthen security controls, or how much investment in additional security resources is justified.
This information needs to be presented in an appropriate manner based on the audience. If a technical threat intelligence piece is being passed to security analysts, then it can remain technical and use security jargon. However, if it is a more strategic piece being presented to a typically non-technical audience, such as members of the executive board, then it needs to be simpler and free of jargon, with a focus on how this intelligence affects the business, considering factors such as money and reputation.
5) Dissemination
Dissemination involves getting the finished intelligence output to the places it needs to go. This can be SOC or security analysts, fellow threat intelligence analysts, and even the executive board (for high-level strategic intelligence that can be used to inform security budgets and decision making).
For each of these audiences, you need to ask:
What threat intelligence do they need, and how can external information support their activities?
How should the intelligence be presented to make it easily understandable and actionable for that audience?
How often should we provide updates and other information?
Through what media should the intelligence be disseminated?
How should we follow up if they have questions?
6) Feedback
It is critically important to understand your overall intelligence priorities and the requirements of the security teams that will be consuming the threat intelligence. Their needs guide all phases of the intelligence lifecycle and tell you:
What types of data to collect
How to process and enrich the data to turn it into useful information
How to analyze the information and present it as actionable intelligence
To whom each type of intelligence must be disseminated (as mentioned in the dissemination stage), how quickly it needs to be disseminated, and how fast to respond to questions
You need regular feedback to make sure you understand the requirements of each group, and to make adjustments as their requirements and priorities change.
Threat Intelligence Analysis
Cyber threat intelligence analysts have skills that are not seen in other areas. Analysts spend a long time performing in-depth analysis work, so they are highly aware of bias; they will question everything, hunt for evidence, and think outside the box. These roles involve a lot of technical analysis, research, and problem-solving, working to identify malicious actors, track them, and keep on top of their techniques and tactics, allowing organizations to prepare for attacks and respond to them effectively. Tactics will be mapped to frameworks such as the Cyber Kill Chain by Lockheed Martin or the MITRE ATT&CK Framework, while malicious indicators are compared against the Pyramid of Pain. We will cover all three of these in future lessons. Analysts come from a diverse range of backgrounds, quite often being former police or military personnel due to the skills they possess.