Ch 2- Using Threat Intelligence
Information Sharing and Analysis Center (ISAC) ?
A not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members
● Tactics, Techniques, and Procedures (TTP) ?
Behavior patterns that were used in historical cyber-attacks and adversary actions ▪ DDoS ▪ Viruses or Worms ▪ Network Reconnaissance ▪ APTs ▪ Data Exfiltration
Intelligence Sources: Closed source intelligence Proprietary?
Commercial security vendors, government organizations, and other security-centric organizations do their own information gathering and research, and they may use custom tools, analysis models, or other proprietary methods to gather, curate, and maintain their threat feeds. They do it to keep their threat data secret, they may want to sell or license it and their methods and sources are their trade secrets, or they may not want to take the chance of the threat actors knowing about the data they are gathering. Proprietary- Threat intelligence is very widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee
Operational Threat Intelligence
Composed of highly detailed information allowing response to a specific threat and often includes information about where it came from, who created it or how it has changed over time, how it is delivered or how it spreads, what it attempts to do, how to remove it, and how to prevent it.
Assessing Confidence Levels?
Confidence scores allow organizations to filter and use threat intelligence based on how much trust they can give it. Such as scale: 1-5, 1-10, and High/Medium/Low scales are all commonly used to allow threat intelligence users to quickly assess the quality of the assessment and its underlying data.
ISAC -Healthcare, financial, aviation, government, critical infrastructure?
Critical Infrastructure-Any physical or virtual infrastructure that is considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these ICS, SCADA, and embedded system threats are a main focus within critical infrastructure Government -Serves non-federal governments in the US, such as state, local, tribal and territorial governments Healthcare -Serves healthcare providers that are targets of criminals seeking blackmail and ransom opportunities by compromising patient data records or interfering with medical devices Financial-Serves the financial sector to prevent fraud and extortion of both the consumer and financial institutions Aviation-Serves the aviation industry to prevent fraud, terrorism, service disruptions, and unsafe operations of air traffic control systems
Tactical Threat Intelligence
Detailed technical and behavioral information that is directly useful to security professionals and others who are tasked with defense and response.
Explain the importance of threat hunting: -Establish hypothesis, profile threat actors/activities, threat hunting tactics, reduce attack surface area, bundle critical assets, attack vectors, integrated intel, and improve detection capabilities
Establishing a hypothesis. A hypothesis is needed to test and should have actionable results based on the threat that the hypothesis considers. Profiling threat actors and activities. This helps ensure that you have considered who may be a threat, and why, as well as what their typical actions and processes are. Threat hunting tactics. These are key to success in threat hunting activities. The skills, techniques, and procedures are where action meets analysis. This step includes executable process analysis, which the CySA+ exam outline specifically mentions. Reducing the attack surface area. This allows resources to be focused on the remaining surface area, making protection more manageable. Bundling critical assets into groups and protection zones. This helps with managing attack surface area, threat hunting, and response activities, since each asset doesn't need to be individually assessed or managed as a unique item. Attack vectors must be understood, assessed, and addressed based on analysis of threat actors and their techniques as well as the surface area that threat actors can target. Integrated intelligence combines multiple intelligence sources to provide a better view of threats. Improving detection capabilities. This is a continuous process as threats improve their techniques and technology. If you do not improve your detection capabilities, new threats will bypass existing capabilities over time.
Intelligence Cycle: Dissemination
In the dissemination phase of the intelligence cycle, data is distributed to leadership and operational personnel who will use the data as part of their security operations role. refers to publishing information produced by analysis to consumers who need to act on the insights developed ▪ Strategic ▪ Operational ▪ Tactical
Planning Threat Intelligence: Requirements Gathering
In this step you will typically do the following: -Assess what security breaches or compromises you have faced -Assess what information could have prevented or limited the impact of the breach -Assess what controls and security measures were not in place that would have mitigated the breach
How do you assess threat intelligence?
Is it timely? A feed that is operating on delay can cause you to miss a threat or to react after the threat is no longer relevant. Is the information accurate? Can you rely on what it says, and how likely is it that the assessment is valid? Does it rely on a single source or multiple sources? How often are those sources correct? Is the information relevant? If it describes the wrong platform, software, or reason for the organization to be targeted, the data may be very timely, very accurate, and completely irrelevant to your organization.
Commodity Malware?
Malicious software applications that are widely available for sale or easily obtainable and usable. Targeted or custom malware is developed and deployed with a target in mind. Identifying if the malware is commodity or targeted can help determine the severity of an incident
Classifying threats with STRIDE
Microsoft's STRIDE classification model is one method you can use to classify threats based on what they leverage. STRIDE stands for: Spoofing of user identity Tampering Repudiation Information disclosure Denial of service Elevation of privilege
Intelligence Cycle: Data Collection
Once you have your information requirements, you can collect data from threat intelligence sources to meet those requirements. This phase may repeat as additional requirements are added or as requirements are refined based on available data and data sources.
Threat feed/indicator management= Open IOC
Open Indicators of Compromise (OpenIOC) format. Like STIX, OpenIOC is an XML-based framework. The OpenIOC schema was developed by Mandiant, and it uses Mandiant's indicators for its base framework. -forensic data- A typical IOC includes metadata like the author, the name of the IOC, and a description; references to the investigation or case and information about the maturity of the IOC; and the definition for the indicator of compromise, which may include details of the actual compromise.
Strategic Threat Intelligence
Provides broad information about threats and threat actors allowing organizations to understand and respond to trends.
Attack Framework: MITRE
The ATT&CK matrices include detailed descriptions, definitions, and examples for the complete threat life cycle, from initial access through execution, persistence, privilege escalation, and exfiltration. At each level, it lists techniques and components, allowing threat assessment modeling to leverage common descriptions and knowledge.
Intelligence Cycle: Feedback
The final stage in the threat intelligence cycle is gathering feedback about the reports and data you have gathered. Continuous improvement is a critical element in the process, and it should be used to create better requirements and to improve the overall output of your threat intelligence program.
Lockheed Martin's Cyber KillChain?
The seven stages are as follows: Reconnaissance, which identifies targets. In this phase, adversaries are planning their attacks and will gather intelligence about the target, including both open source intelligence and direct acquisition of target data via scanning. Defenders must gather data about reconnaissance activities and prioritize defenses based on that information. Weaponization involves building or otherwise acquiring a weaponizer that combines malware and an exploit into a payload that can be delivered to the target. This may require creating decoy documents, choosing the right command-and-control tool, and other details. The model emphasizes the fact that defenders need to conduct full malware analysis in this stage to understand not only what payload is dropped but how the weaponized exploit was made. Defenders should also build detections for weaponizers, look at the timeline of when malware was created versus its use, and collect both files and metadata to help them see if the tools are widely shared or closely held and thus potentially very narrowly targeted. Delivery occurs when the adversary either deploys their tool directly against targets or via release that relies on staff at the target interacting with it such as in an email payload, on a USB stick, or via websites that they visit. Defenders in this stage must observe how the attack was delivered and what was targeted, and then will infer what the adversary was intending to accomplish. Retention of logs is also important in this stage, as defenders need them to track what occurred. Exploitation uses a software, hardware, or human vulnerability to gain access. This can involve zero-day exploits and may use either adversary-triggered exploits or victim-triggered exploits. Defense against this stage focuses on user awareness, secure coding, vulnerability scanning, penetration testing, endpoint hardening, and similar activities to ensure that organizations have a strong security posture and very limited attack surface. Installation focuses on persistent backdoor access for attackers. Defenders must monitor for typical artifacts of a persistent remote shell or other remote access methodologies. Command and Control (C2) access allows two-way communication and continued control of the remote system. Defenders will seek to detect the C2 infrastructure by hardening the network, deploying detection capabilities, and conducting ongoing research to ensure they are aware of new C2 models and technology. Actions on Objectives, the final stage, occurs when the mission's goal is achieved. Adversaries will collect credentials, escalate privileges, pivot and move laterally through the environment, and gather and exfiltrate information. They may also cause damage to systems or data. Defenders must establish their incident response playbook, detect the actions of the attackers and capture data about them, respond to alerts, and assess the damage the attackers have caused.
Intelligence Cycle: Data Analysis
The threat intelligence data that you gathered in the data collection stage will likely be in several different formats. Some may be in easy-to-access formats that your existing tools and systems can consume. Other data may be in plain-text or written form, or it may be almost entirely unformatted. In this stage you must first process the data to allow it to be consumed by whatever tools or processes you intend to use, and then you must analyze the data itself. The output from this stage could be data fed into automated systems or other tools, or written reports to distribute to leadership or others across your organization.
Attack Framework: Diamond Model of Intrusion Analysis
This model emphasizes the relationships and characteristics of four basic components: the adversary, capabilities, infrastructure, and victims. The Diamond Model uses a number of specific terms: Core Features of an event, which are the adversary, capability, infrastructure, and victim (the vertices of the diamond). The Meta-Features, which are start and end timestamps, phase, result, direction, methodology, and resources. These are used to order events in a sequence known as an activity thread, as well as for grouping events based on their features. A Confidence Value, which is undefined by the model, but which analysts are expected to determine based on their own work. The Diamond Model focuses heavily on understanding the attacker and their motivations, and then uses relationships between these elements to allow security analysts to both understand the threat and consider what other data or information they may need to obtain or may already have available.
Intelligence Sources: Open source
Threat intelligence that is acquired from publicly available sources. (senki, CISA, vendors, MISP, SANS, VirusShare)
Threat feed/Indicator Management= TAXII
Trusted Automated Exchange of Indicator Information (TAXII) protocol. TAXII is intended to allow cyberthreat information to be communicated at the application layer via HTTPS. TAXII is specifically designed to support STIX data exchange.
Threat feed/indicator Management= STIX
defines 12 STIX domain objects, including things like attack patterns, identities, malware, threat actors, and tools. By relationship or sighting. JSON: { "type": "threat-actor", "created": "2019-10-20T19:17:05.000Z", "modified": "2019-10-21T12:22:20.000Z", "labels": [ "crime-syndicate"], "name": "Evil Maid, Inc", "description": "Threat actors with access to hotel rooms", "aliases": ["Local USB threats"], "goals": ["Gain physical access to devices", "Acquire data"], "sophistication": "intermediate", "resource_level": "government", "primary_motivation": "organizational-gain" } Fields like sophistication and resource_level use defined vocabulary options to allow STIX 2.0 users to consistently use the data as part of automated and manual systems.
Threat classification: -Known threats vs unknown -Zero day -APT
known threats-which you are aware of and are likely to have useful information about, and unknown threats, which you can prepare for only through use of general controls and processes. Zero-day threats, or threats that exploit an unknown security vulnerability, are one of the most common types of unknown threats. Advanced persistent threat actors, particularly those with nation-state resources, commonly acquire zero-day exploit information and leverage it to their advantage.
Threat actors?
● Nation-state Actor o A type of threat actor that is supported by the resources of its host country's military and security services ● Organized Crime o A type of threat actor that uses hacking and computer fraud for commercial gain ● Hacktivist o A type of threat actor that is motivated by a social issue or political cause ● Insider Threat o A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident ● Intentional o A threat actor who conducts an attack with a specific purpose ● Unintentional o A threat actor that causes a vulnerability or exposes an attack vector without malicious intent o Shadow IT is a form of unintentional insider threat
Port Hopping and Fast Flux DNS?
● Port Hopping o An APT's C2 application might use any port to communicate and may jump between different ports ● Fast Flux DNS o A technique rapidly changes the IP address associated with a domain
Threat classification ● Recycled Threats ● Known Unknowns ● Unknown Unknowns
● Recycled Threats o Refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning ● Known Unknowns o A classification of malware that contains obfuscation techniques to circumvent signature-matching and detection ● Unknown Unknowns o A classification of malware that contains completely new attack vectors and exploits
Threat Research: -Reputational -Behavioral -IoC
● Reputation Data o Blacklists of known threat sources, such as malware signatures, IP address ranges, and DNS domains ● Indicator of Compromise (IoC) o A residual sign that an asset or network has been successfully attacked or is continuing to be attacked ● Behavioral Threat Research o A term that refers to the correlation of IoCs into attack patterns
Threat Intelligence Sharing?
● Risk Management o Identifies, evaluates, and prioritizes threats and vulnerabilities to reduce their negative impact ● Incident Response o An organized approach to addressing and managing the aftermath of a security breach or cyberattack ● Vulnerability Management o The practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities ● Detection and Monitoring o The practice of observing activity to identify anomalous patterns for further analysis