Security is growing faster than ever, and some concepts need to be a must-know in order to be able to understand the security posture of our company. In this brief overview, I’ll explain what is Threat Intelligence, the importance, the frameworks and models, and some types!
What is threat intelligence?
If we google it, it will say that “Threat intelligence is information that an organization uses to understand the threats that have, will, or are currently targeting the organization. This info is used to prepare, prevent, and identify cyber threats looking to take advantage of valuable resources.”
But what the heck does this means? Imagine that a thief is targeting all the houses that are alone in the neighborhood. We only know that after two days a house was compromised. A lot of concerns and questions are asked, such as: How do we know if he robs alone or with other people? Are they looking for specific targets? Or looking for something else? How do they get into the house? These questions are similar to the questions that we ask in the security field, and to be able to answer those we get the help of the Threat Intelligence, so we can use it to understand how an attacker acts and try to prevent their intrusion into our house.
Threat Intelligence can be seen as a huge database of Indicators Of Compromise, in which we can associate a specific TTP (Tactics, techniques, and procedures) to a specific exploit. We will check this deeper later in this article.
Why it is important?
By using the same example as before: the thief and the house. We may want to know if he is a mad person, if he works alone or how he chooses which house to compromise, and which tools it uses to achieve the rob. By knowing this we can set up defenses to prepare, prevent and identify anything that could make our house vulnerable. For example: Paying a security guard to do not leave the house alone for a long time, or maybe set up security cameras and alarms to monitor your perimeter, are some examples that we can do in such a scenario.
When talking about computer systems, it helps us to be one step ahead of those Zero-Day exploits which are also the most dangerous ones!
When zero-day exploits come in, there is a time window in which the zero-day vulnerability is known until it gets fixed and added to the Intelligence database and AV (antivirus). During this Window of Vulnerability (refer to Figure #1) The SOC team and the Threat analysts must be working hard to understand the tools used, methods, and vulnerabilities used in order to create automation scripts to monitor these behaviors to avoid this vulnerability from being exploited. That is why it is so important!
Pyramid of pain (For the attacker)
When working with threat intelligence there is a cool pyramid of pain, which is “a model for the effective use of Cyber Threat Intelligence in threat detection operations, with a particular emphasis on increasing the adversaries’ cost of operations.” SANS
To understand it better, when trying to generate a “background” for a specific malware or Trudy we may want to track which hosts they are using, maybe IP Addresses or calculate the hash values for the malware, BUT this is all volatile information and really easy to change from the attackers perspective.
So this pyramid explains (right bullets) how difficult for the attacker it is if we target the hard to change things! For example: Changing the tools is really difficult, or changing the TTP is really tough for them, so the Threat intelligence tries to mitigate the damage with the volatile one and understand how is Trudy’s course of action, so we can improve our IDS, IPS, and other tools.
But how do we get on top of that pyramid? There are different ways to achieve these:
- Setup your own honeypot networks to understand the techniques
- Reverse engineer malware to understand system artifacts
- Use dark web monitoring service
Types of Threat Intelligence
There are 4 types of threat intelligence, each of them focusing on different phases, from the strategic to the operational part. Let’s check those in detail:
- Technical: Refers to all the IP Addresses, URLs, Hash Values and this can be received from thread feeds, honey pots, and malware analysis. Basically provides information above an attacker’s resources that are used to perform the attack. You can use Threat hunting in your SOC for this type.
- Tactical: Directly related to the TTP, procedures, toolkits, exploits, and frameworks usually consumed by cyber security professionals to understand the technical capabilities and goals of the attackers alongside the attack vectors. You can use correlation and detection in your SOC for this type.
- Operational: This is all about human intelligence, provides info above specific threats against the organization. For example, the Threat actors, malware campaigns, are useful for predictions.
- Strategic: Long-term impact, is related to high-level information about cyber security posture, threats, details regarding the money impact of various cyber activities. Is mostly within the kind of a report that primarily focuses on high-level business ways. Here you can have a countermeasure planning.
Attack frameworks & Intrusion analysis models
There are different models such as MITRE, Cyber kill of Chain, and Diamond model to be able to understand the TTP and perform intrusion analysis. The good thing is that you do not have to choose any of those, they are complementary!
Diamond Model: This is an Intrusion Analysis Model which focuses on helping to understand the intrusions in your environment by applying scientific principles to intrusion analysis: Measurement, testability, and repeatability. The thing is that it appears to be simple, but is remarkably complex.
The Diamond looks like figure #4 below, in which the adversary is the attacker, the capability means what the attackers use, for example, exploits, malware anything that will hurt your system. Infrastructure refers to what was used to get access, which can be IP addresses, domain names, email addresses… And the victim can be an asset, a person, or an email chain.
Those 4 edges are correlated one to another, for example, The Adversary uses the Infrastructure and also will develop the capability, and the victim is exploited by the capability and the victim connects to the infrastructure.
It is really good since allowing us to understand who was the attacker, who is the victim, which part of the infrastructure they use and how they did it
MITRE ATT&CK: A framework that Identifies points of intrusion and helps us to understand methods used to move around, ideal to find potential security techniques to block future attacks. You can see it here https://attack.mitre.org/
Cyber Kill Chain: It’s a model for the identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective. From the Recon to the delivery and exploitation. Here is a cool image from the Cybots site that defines the 7 steps in general terms:
How Threat Intelligence information is consumed and shared?
As mentioned at the beginning of this post, Threat Intelligence is like a big database of Indicator Of Compromise (IoC) Which can be public (open source) or sold by different companies using a subscription bulletin.
Some of the Open Sources to get Threat Intelligence Information are:
- OSINT Framework
Some of the Commercial ones:
- IBM X-Force Exchange
- Anomali ThreatStream
- Palo Alto Netoworks AutoFocus
Usually, this threat intelligence feed can be also automated to check for specific IP, or domains to improve the speed of the monitoring phase. And usually, all the events, information, and IoC are correlated and analyzed using a SIEM solution such as ArcSight ESM, Splunk, or Q-Radar. If something seems to be suspicious activity, the Threat Analyst must check what is going on and confirm if it is a false positive or a false negative.
I hope this post was worth your learning, and I’ll see you in the next post!