An overview of Threat Intelligence in Cybersecurity

Security is growing faster than ever, and some concepts need to be a must-know in order to be able to understand the security posture of our company. In this brief overview, I’ll explain what is Threat Intelligence, the importance, the frameworks and models, and some types!

What is threat intelligence?

But what the heck does this means? Imagine that a thief is targeting all the houses that are alone in the neighborhood. We only know that after two days a house was compromised. A lot of concerns and questions are asked, such as: How do we know if he robs alone or with other people? Are they looking for specific targets? Or looking for something else? How do they get into the house? These questions are similar to the questions that we ask in the security field, and to be able to answer those we get the help of the Threat Intelligence, so we can use it to understand how an attacker acts and try to prevent their intrusion into our house.

Threat Intelligence can be seen as a huge database of Indicators Of Compromise, in which we can associate a specific TTP (Tactics, techniques, and procedures) to a specific exploit. We will check this deeper later in this article.

Why it is important?

When talking about computer systems, it helps us to be one step ahead of those Zero-Day exploits which are also the most dangerous ones!

When zero-day exploits come in, there is a time window in which the zero-day vulnerability is known until it gets fixed and added to the Intelligence database and AV (antivirus). During this Window of Vulnerability (refer to Figure #1) The SOC team and the Threat analysts must be working hard to understand the tools used, methods, and vulnerabilities used in order to create automation scripts to monitor these behaviors to avoid this vulnerability from being exploited. That is why it is so important!

Figure #1. Zero-day timeline

Pyramid of pain (For the attacker)

To understand it better, when trying to generate a “background” for a specific malware or Trudy we may want to track which hosts they are using, maybe IP Addresses or calculate the hash values for the malware, BUT this is all volatile information and really easy to change from the attackers perspective.

So this pyramid explains (right bullets) how difficult for the attacker it is if we target the hard to change things! For example: Changing the tools is really difficult, or changing the TTP is really tough for them, so the Threat intelligence tries to mitigate the damage with the volatile one and understand how is Trudy’s course of action, so we can improve our IDS, IPS, and other tools.

Figure #2. Pyramid of pain

But how do we get on top of that pyramid? There are different ways to achieve these:

  • Setup your own honeypot networks to understand the techniques
  • Reverse engineer malware to understand system artifacts
  • Use dark web monitoring service

Types of Threat Intelligence

  • Technical: Refers to all the IP Addresses, URLs, Hash Values and this can be received from thread feeds, honey pots, and malware analysis. Basically provides information above an attacker’s resources that are used to perform the attack. You can use Threat hunting in your SOC for this type.
  • Tactical: Directly related to the TTP, procedures, toolkits, exploits, and frameworks usually consumed by cyber security professionals to understand the technical capabilities and goals of the attackers alongside the attack vectors. You can use correlation and detection in your SOC for this type.
  • Operational: This is all about human intelligence, provides info above specific threats against the organization. For example, the Threat actors, malware campaigns, are useful for predictions.
  • Strategic: Long-term impact, is related to high-level information about cyber security posture, threats, details regarding the money impact of various cyber activities. Is mostly within the kind of a report that primarily focuses on high-level business ways. Here you can have a countermeasure planning.
Figure #3. Types of Threat Intelligence

Attack frameworks & Intrusion analysis models

Diamond Model: This is an Intrusion Analysis Model which focuses on helping to understand the intrusions in your environment by applying scientific principles to intrusion analysis: Measurement, testability, and repeatability. The thing is that it appears to be simple, but is remarkably complex.

The Diamond looks like figure #4 below, in which the adversary is the attacker, the capability means what the attackers use, for example, exploits, malware anything that will hurt your system. Infrastructure refers to what was used to get access, which can be IP addresses, domain names, email addresses… And the victim can be an asset, a person, or an email chain.

Those 4 edges are correlated one to another, for example, The Adversary uses the Infrastructure and also will develop the capability, and the victim is exploited by the capability and the victim connects to the infrastructure.

It is really good since allowing us to understand who was the attacker, who is the victim, which part of the infrastructure they use and how they did it

Figure #4. Diamond Model

MITRE ATT&CK: A framework that Identifies points of intrusion and helps us to understand methods used to move around, ideal to find potential security techniques to block future attacks. You can see it here https://attack.mitre.org/

Cyber Kill Chain: It’s a model for the identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective. From the Recon to the delivery and exploitation. Here is a cool image from the Cybots site that defines the 7 steps in general terms:

Figure #5. Cyber kill Of Chain

How Threat Intelligence information is consumed and shared?

Some of the Open Sources to get Threat Intelligence Information are:

  • Abuse.ch
  • OSINT Framework
  • shodan.io

Some of the Commercial ones:

  • IBM X-Force Exchange
  • Anomali ThreatStream
  • Palo Alto Netoworks AutoFocus

Usually, this threat intelligence feed can be also automated to check for specific IP, or domains to improve the speed of the monitoring phase. And usually, all the events, information, and IoC are correlated and analyzed using a SIEM solution such as ArcSight ESM, Splunk, or Q-Radar. If something seems to be suspicious activity, the Threat Analyst must check what is going on and confirm if it is a false positive or a false negative.

I hope this post was worth your learning, and I’ll see you in the next post!
Cheers!

--

--

Sr. Security software engineer working in the DevSecOps area. CompTIA Sec+, C|EH

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Josué Carvajal

Sr. Security software engineer working in the DevSecOps area. CompTIA Sec+, C|EH