CTI: Intelligence Sources and Formats


Please describe each STIX ATTACK-BASED object and describe its major properties

- A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets.
- Campaigns usually have well-defined objectives and may be part of an Intrusion Set.
- An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization.
- An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a common known or unknown Threat Actor.
- Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent.
- A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time.

Please describe each INCIDENT RESPONSE-BASED object and describe its major properties

- A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress.
- For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it.
- Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details.
- They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story.
- A Vulnerability is "a mistake in software that can be directly used by a hacker to gain access to a system or network."
- For example, if a piece of malware exploits CVE-2015-12345, a Malware object could be linked to a Vulnerability object that references CVE-2015-12345.

Please describe each STIX TTP-BASED object and describe its major properties

- An Attack Pattern is a type of TTP that describes ways that adversaries attempt to compromise targets.
- Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed.
- An example of an attack pattern is "spear phishing."
- Malware is a type of TTP that is also known as malicious code and malicious software, and refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS), or of otherwise annoying or disrupting the victim.
- A Tool is legitimate software that can be used by threat actors to perform attacks.
- Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools.

What are the roles of counter intelligence?

- Counter espionage: use knowledge of the intelligence activities of threat actors to learn more about the actors themselves
- Defensive analysis: take what the threat actors see and discover new vulnerabilities in ourselves
- Disinformation: deceive threat actors to hide vulnerabilities/assets/exploitation

Please describe each STIX IDENTITY-BASED object and describe its major properties

- Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, or groups (e.g., the finance sector)

Please describe each STIX INDICATOR-BASED object and describe its major properties

- Indicators (of compromise) contain a pattern that can be used to detect suspicious or malicious cyber activity.
- In general, an Indicator is considered to have "matched" (or been "sighted") when the conditions specified in the structured pattern are satisfied in whatever context they are evaluated in.
- Observed Data conveys information that was observed on systems and networks using the Cyber Observable specification.
- For example, Observed Data can capture the observation of an IP address, a network connection, a file, or a registry key.
- Observed Data is not an intelligence assertion; it is simply information: this file was seen, without any context for what it means.

What are some considerations when selecting intelligence feeds?

- Need: what type of intelligence does your company need?
- Specialization: publicly available intelligence feeds tend to specialize more in certain aspects of threat intelligence.
- Support: commercial data feeds will usually have more support than publicly available ones.
- Cost: commercial data feeds will usually charge for services.

What is STIX?

- Structured Threat Information eXpression (STIX) is the most commonly used CTI language.
- STIX captures as much information as possible about events, including threat actors, exploit targets, response actions, time, source IP, IOCs, etc., and stores the values in a JSON/XML format.

What is human intelligence?

- Manual research and collection of data
- Things an automated approach (e.g., a bot) cannot do
- E.g., participating with hackers in forums

What does intelligence collection and aggregation entail?

1. Intelligence Sources
2. Internal Intelligence
3. Open Source Intelligence

What are the common intelligence sources?

1. Open Source Intelligence (OSINT)
2. Internal Intelligence
3. Human Intelligence (HUMINT)
4. Counter Intelligence
5. Finished Intelligence

What are counter intelligence principles?

Assess: analyze and classify the attacker, including:
- The types of attacks they like to perform
- A trace of when and where they have performed their attacks
- Where they are physically located
- Their operating system type
- Web browser type and version
- Browser plugins
- Various software versions they are running

Respond:
- The aggressive portion of counter intelligence is known as "Offensive Counter Intelligence."
- This is where you probe or attack the hacker in order to gather more detailed information about them.
- Threat analytics can perform actions within the attacker's browser: changing page content, redirection, additional assessment, and more.

Human Intelligence (HUMINT)

Scope: BOTH
Value: Provides very precise and deep knowledge
Description: Manual research and data collection
Example: Direct hacker interactions

Finished Intelligence

Scope: BOTH
Value: Refined, analyzed intelligence
Description: Finished intelligence ready for dissemination
Example: Commercial data feeds

Counter Intelligence

Scope: BOTH
Value: Safely identify tools and methods used by attackers
Description: Providing false information to deceive the attacker
Example: Honeypots, anti-human intelligence

Open Source Intelligence (OSINT)

Scope: EXTERNAL
Value: Provides comprehensive views of the external threat landscape
Description: Data that can be collected from the internet or from other CTI companies
Example: Vulnerability/exploit feeds, social media, IRC, public statements, commercial data feeds

What is the value of intelligence formats in CTI?

Helps ensure that CTI can be consumed and used efficiently

Internal Intelligence

Scope: INTERNAL
Value: Provides information about activities internal to an organization
Description: Data collected from internal cyber assets
Example: Network logs, database access events, IDS/IPS logs

What are the pros and cons of human intelligence?

PROS
- Although time-consuming and high cost, it can add significant value:
  - Not all threat data is handed to you.
  - HUMINT can be used to extract data from difficult places.
  - HUMINT can achieve deeper levels of intelligence.

CONS
- There are many risks associated with HUMINT:
  - May attract threats to your organization.
  - Can be less reliable than direct observation and may even result in subversion.
  - May return nothing at all.

Data markings

Traffic Light Protocol (TLP)
- TLP:RED = Not for disclosure, restricted to participants only.
- TLP:AMBER = Limited disclosure, restricted to participants' organizations.
- TLP:GREEN = Limited disclosure, restricted to the community.
- TLP:WHITE = Disclosure is not limited.

What is a honeypot?

A server placed on the network posing as an enticing target for hackers to attack.

Good CTI is ________, _______, and _______.

adaptive, informative, and timely.
