Cyber Tradecraft Report

STIX

(Structured Threat Information eXpression) is a standardized language developed by MITRE to represent structured information about cyber threats. Aims for consisitency

TAXII

(Trusted Automated eXchange of Inidicator Information) is a collection of services and message exchanges to enable the sharing of information about cyber threats. It is the transport vehicle for STIX structured threat information

According to ODNI how can analysts assess responsibility for a cyber attack?

1. Point of origin (neighborhood, city, state, country, region) 2. Specific digital device or online persona 3. Individual or organization that directed the activity

Assessment Factors

33 factors across the 5 components of the framework

General AI (Soft)

A machine that exhibits human intelligence (doesn't exist yet)

Cyber Kill Chain

A model for cyber attacker activity that represents the (possible) lifecycle phases of a cyber attack

Threat Modeling Methods

Abstraction of system, profiles of attackers, catalog of threats

Cyber Hygiene

Activities to ensure data and system security

MITRE ATT&CK

Adversarial Tactics, Techniques, and Common Knowledge. A structured and standardized way to categorize and document the tactics and techniques used by cyber adversaries during different phases of a cyber attack, from initial access to data exfiltration.

Narrow AI (Hard)

An algorithm to carry out one particular task

Tactical Analysis

Analysis of specific threats, incidents, vulnerabilities

Cyber Threat Intelligence

Analysis of threats in the cyber domain

Operational Analysis

Analysis of threats, campaigns, intentions, capabilities

DREAD and what type of framework is it

Assesses risk along dimensions and assign numerical score: damage potential, reproducibility, exploitability, affected users, discoverability (risk centric)

Threat Analysis

Assessing technical and non-technical data pertaining to specific threats to your organization to inform cybersecurity operations and strategic analysis

Attack Modeling (PASTA)

Attack surface analysis Attack tree development, attack library management Attack to vulnerability and exploit analysis using attack trees

What are some AST Tool Type Decision Factors?

Authorship, target platform, integration level, source code availability.

DHS AIS

Automated Indicator Sharing through CISA. Enables real-time exchange of machine-readable cyber threat indicators and defensive measures between public and private-sector organizations

Define Technical Scope (PASTA)

Boundaries of the technical environment Infrastructure, software, application dependencies

Define Objectives (PASTA)

Business objectives Security and compliance requirements Business impact analysis

Correlation Tools

Central repository for findings from others AST tools; helps to reduce noise

Threat Analysis Workflow

Collect/normalize data, conduct tactical analysis, add context, enhance leadership decisions

Facilitated by Human and Machine Teaming

Combining human analytical acumen with computational power

CVE

Common Vulnerabilities and Exposures (CVE). Instances of problems

CWE

Common Weakness Enumeration; Classification system for vulnerabilities

Reporting and Feedback

Communication between analysts and decision-makers, peers, and other intelligence consumers regarding their products and work performance. Reporting and feedback help identify intelligence requirements and intelligence gaps

Technical Cyber Intelligence KSAs

Computing (Networking fundamentals), Programming and Coding (Python, C++), AI/ML, Data Science, Big Data Analytics, Scripting, Cloud Analysis, Mobile, Malware Analysis

Reporting and Feedback Best Practices

Creating variety of reports, actionable and predictive analysis, leadership involvement

Why is ROI important?

Cyber intel teams can demonstrate how they matter

What are some ways to show cost avoidance?

Cyber intelligence influencing leadership to not open a facility in a foreign location saves costs. Cyber intelligence passed to cybersecurity teams (SOC, Incident Response, Vulnerability Team, Network Defense) leads to new mitigations and controls that protect the organization. Showing organizational impact/costs of specific threats targeting industry partners—and if the threat targeted the organization itself.

Difference between Cybersecurity & Cyber Intelligence

Cyber intelligence is proactive, combines info, strategic. Cybersecurity is reactive, focused on attacks, tactical

Data Gathering

Data and information is collected from multiple internal and external sources for analysts to analyze to answer organizational intelligence requirements

AI/ML Security Threats

Data leaks, inaccurate predictions, missed malicious activity, revealing sensitive information, performance degradation, denial of service

Priority Intelligence Requirements

Detailed and operationally focused, align to IRs

Dynamic Application Security Testing (DAST)

Detect conditions indicative of a security vulnerability in an application in its running state

Cyber Kill Chain Counter Measures

Detect, deny, disrupt, degrade, deceive, contain

Data Intelligence Requirements (DIR)

Determining data needed to fulfill IERs

Information Extraction Requirements (IER)

Determining data science methods

Cyber Intelligence Lifecycle

Direction, collection, processing, analysis, dissemination, feedback

Unsupervised Machine Learning

Discovering previously unknown patterns in data, clustering → data widely available, implementation and verification tricky.

Cyber Intelligence Framework

Environmental context, data gathering, threat analysis, strategic analysis, reporting and feedback

Static Application Security Testing (SAST)

Examine source code (at rest) to detect and report weaknesses that can lead to security vulnerabilities

Cyber Intelligence Metrics

External reports, new and repeat consumers, vulnerabilities identified and fixed, phishing pages taken down, website visits, threats identified, report downloads, business decisions influenced

Persona Non Grata and what type of framework is it

Focuses on attackers' motivations and abilities (motivation/attacker centric)

Information

Formatted data for human utilization

Strategic Analysis Workflow

Fuse threat analysis, analyze technologies and geopolitics, enhance executive decisions

Fusion Center vs SOC

Fusion center: multiple teams collaborating, SOC: focused on cybersecurity operations

Intelligence Community Directive 203

High performing organizations use this as the foundation and guideline for applying analytic standards to their cyber intelligence analysis workflows. Such organizations will incorporate analytical standards into cyber intelligence analysis workflows, specifically when performing Strategic Analysis.

Strategic Analysis

Holistically assessing threats, risks, and opportunities to enhance executive decision-making

Threat Modeling Process

Identify Assets Create an architecture overview Decompose the application Identify the threats Document the threats Rate the threats

Application Decomposition (PASTA)

Identify use cases, entry points, and trust levels Identify actors, assets, services, roles, and data sources Data flow diagraming and trust boundaries

Strategic Analysis Common Challenges

Inability to implement, lack of process, over-reliance on third-party providers

Cyber Threat Indicator

Indicator of cyber threat

OWASP Top 10

Injection Broken Authentication Sensitive Data Exposure XML External Entities(XXE) Broken Access Control Security Misconfiguration Cross-Site Scripting (XSS) Insecure Deserialization Using Components with Known Vulnerabilities Insufficient Logging &Monitoring

Data Gathering Best Practices

Intelligence requirements process, data source validation

Environmental Context Best Practices

Knowing attack surface, aligning roles, having enough people

Non Technical Cyber Intelligence KSAs

Knowledge of threat actors, cross-domain intelligence analysis (critical thinking), communication skills and technical aptitude, privacy analysis, OSINT

Cyber Intelligence Key Challenges

Lack of formal workflows, difficulty accessing data, lack of resources

Data Gathering Common Challenges

Lack of organization-wide requirements, difficulties with third-party providers

Reporting and Feedback Common Challenges

Lack of resources, lack of predictive analysis, lack of feedback mechanisms

DeWitt Clause

License provision preventing publication of software benchmarks. a common end-user license agreement provision for proprietary software that prevents anyone (such as researchers and scientists) from publishing information about their products (like benchmarks) that name the software unless its supplier approves it.

Supervised Machine Learning

Makes predictions, regression, classification, (most common)

Test Coverage Analyzers

Measure how much of the total program code has been analyzed

Cybersecurity

Measures to protect data and computer systems

CVE Intel Sources

NIST National Vulnerability Database, MITRE

Threat Analysis Common Challenges

No formal workflow, inadequate reporting, lack of technical diversity

Specific Intelligence Requirements

Operational, tactical, technical, change frequently

Reinforcement Learning

Optimization in complex but constrained tasks, still largely academic

Steps of pasta

Our Tasty Apples Vanished; Rabbits Ate Radishes define Objectives, define Technical scope, Application decomposition, Threat analysis, Vulnerability and weakness analysis, Attack modeling, Risk and impact analysis

DoD Cybersecurity Test and Evaluation (CSTE) Guidebook enumerates six phases for cybersecurity evaluation

Phase 1—Understand the Cybersecurity Requirements o Phase 2—Characterize the Attack Surface o Phase 3—Cooperative Vulnerability Identification o Phase 4—Adversarial Cybersecurity DT&E o Phase 5—Cooperative Vulnerability and Penetration Assessment o Phase 6—Adversarial Assessment

Intelligence Lifecycle

Planning, collection, processing, analysis, dissemination

Threat Analysis (PASTA)

Probabilistic attack scenarios analysis Regression analytics on security events Threat intelligence correlation and analytics

PASTA and what is it

Process for Attack Simulation and Threat Analysis (risk centric threat modeling framework)

Intelligence

Product of collecting, processing, analyzing information

Risk & Impact Analysis (PASTA)

Qualify and quantify business impact Countermeasure identification and residual risk analysis ID risk mitigation strategies

What are some future tech concerns?

Quantum computing - encryption, Cloud, IoT, AI/ML a little

Vulnerability & Weakness Analysis (PASTA)

Queries of existing vulnerability reports and issues tracking Threat to existing vulnerability mapping using threat trees Design flaw analysis using use and abuse cases Scorings (CVSS/CWSS) and Enumerations (CVE/CWE)

Hacker Activities

Reconnaissance, network scanning, exploitation, maintaining access, covering tracks

Intelligence Requirements

Reflect leadership concerns, baseline for collection plan

Lockheed Martin Cyber Kill Chain

Ronnie Wanted Delicious Eggs In California, Always Ordering reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives

CWE Intel Sources

Sans Top 25 Most Dangerous Software Errors

Components of a Fusion Center

Security operations, engineering, program management, cyber intelligence, insider threat, physical security, technology development

Environmental Context Common Challenges

Silos, unclear roles, difficulties recruiting, aligning too closely with cybersecurity

SBOM

Software Bill of Materials. Key building block in software security and software supply chain risk management. A structured list of all the software components and dependencies that are used in a particular software application or system

SPDX

Software Package Data eXchange. SPDX is an open standard for communicating software bill of material information

STRIDE and what kind of framework is it

Spoofing, tampering, repudiation, information disclosure, denial of service, escalation of privileges (software centric threat modeling framework)

Command & Control

The attacker is able to use the malware to assume remote control of a device or identity within the target network. In this stage, the attacker may also work to move laterally throughout the network, expanding their access and establishing more points of entry for the future.

Reconnaissance

The attacker is able to use the malware to assume remote control of a device or identity within the target network. In this stage, the attacker may also work to move laterally throughout the network, expanding their access and establishing more points of entry for the future.

Weaponization

The attacker is able to use the malware to assume remote control of a device or identity within the target network. In this stage, the attacker may also work to move laterally throughout the network, expanding their access and establishing more points of entry for the future.

Actions on Objectives

The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives

Application Security Testing Orchestration (ASTO)

The idea is to have central, coordinated management and reporting of all the different AST tools running in an ecosystem

Delivery

The intruder launches the attack. The specific steps taken will depend on the type of attack they intend to carry out. For example, the attacker may send email attachments or a malicious link to spur user activity to advance the plan.

Exploitation

The malicious code is executed within the victim's system.

Installation

The malware or other attack vector will be installed on the victim's system. This is a turning point in the attack lifecycle, as the threat actor has entered the system and can now assume control.

Database Security Scanning

These tools check for updated patches and versions, weak passwords, configuration errors, ACL issues, and more

Differences between Threat Analysis & Strategic Analysis Workflows

Threat analysis is immediate, tactical. Strategic analysis is holistic, strategic

Threat Analysis Best Practices

Threat analysis workflow, timeliness and accuracy, diversity in technical disciplines

Interactive Application Security Testing (IAST) / Hybrid Tools

Tools use a combination of static and dynamic analysis techniques. Can test if known vulnerabilities in code are actually exploitable in the running application

Cyber Intelligence Key Best Practices

Understanding cyber intelligence, establishing a fusion center, building a collection management team

Strategic Analysis Best Practices

Understanding difference from threat analysis, strategic analysis workflow, diversity in strategic disciplines

Environmental Context

Understanding your organization including its attack surface. Knowing the threats, risks, and opportunities targeting your organization

Data

Values of subjects with respect to variables

Example Jobs for Fusion Center

Vulnerability assessment analyst, Cyber Defense Incident Responder, Threat Warning Analyst, Mission Assessment Specialist, Cyber Legal Advisor, Cyber Defense Forensics Analyst, All-Source Analyst, All-Source Collection Manager

Applications

Weakest link in cybersecurity: software vulnerabilities, web applications

NIST NICE Framework

Workforce composition for cyber intelligence, cybersecurity, technology development, program management

Mobile Application Security Testing (MAST)

a blend of static, dynamic, and forensics analysis. Specialized features to focus on issues specific to mobile applications

MISP Threat Sharing

an open source threat intelligence platform

Statistics

art and science of learning from data

Simple explanation of ICD 203?

cyber intelligence teams use this as a basis for their standards, applying structured analytical techniques, incorporating likelihood and confidence expressions, and including source validation and intelligence gaps in their reports to enhance the quality and rigor of their analysis.

What is cost avoidance?

developing internal expertise and tools, influencing leadership decisions to prevent unnecessary expenses, implementing new mitigations and controls, saving costs through network updates and policy changes, and adopting virtual fusion center approaches to reduce location-related expenses while highlighting the financial impact of specific threats targeting the organization and its industry partners.

Attack Trees (root and leaves)

diagrams that depict attacks on a system in tree form. The tree root is the goal for the attack, and the leaves are ways to achieve that goal.

What are some categories from Cyber Intelligence Tradecraft Project Threat Prioritization Guide for collecting and analyzing information for attribution?

infrastructure technology coding maturity

Kali Linux Metasploit

open source platform that supports vulnerability research, exploit development and penetration testing

Data Science

refers to managing and analyzing largeamounts of data

Zeek

sensor that interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output

Origin Analysis / Software Composition Analysis (SCA)

these tools examine software to determine the origins of all components and libraries

VirusTotal

threat analysis tool that aggregates many antivirus products and online scan engines called Contributors.

What is the purpose of threat modeling?

to provide defenders with a systematic analysis of the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker.

Why does cyber attribution matter?

to understand and anticipate adversary actions, gather insights into their tactics, and enhance collaboration with government authorities for accountability.

Some example report types?

vulnerability reports, threat analysis report, targeting packages for penetration testing team, industry development

Application Security Testing as a Service (ASTaaS)

you pay someone to perform security testing on your application