Cyber Tradecraft Report
STIX
(Structured Threat Information eXpression) is a standardized language developed by MITRE to represent structured information about cyber threats. Aims for consisitency
TAXII
(Trusted Automated eXchange of Inidicator Information) is a collection of services and message exchanges to enable the sharing of information about cyber threats. It is the transport vehicle for STIX structured threat information
According to ODNI how can analysts assess responsibility for a cyber attack?
1. Point of origin (neighborhood, city, state, country, region) 2. Specific digital device or online persona 3. Individual or organization that directed the activity
Assessment Factors
33 factors across the 5 components of the framework
General AI (Soft)
A machine that exhibits human intelligence (doesn't exist yet)
Cyber Kill Chain
A model for cyber attacker activity that represents the (possible) lifecycle phases of a cyber attack
Threat Modeling Methods
Abstraction of system, profiles of attackers, catalog of threats
Cyber Hygiene
Activities to ensure data and system security
MITRE ATT&CK
Adversarial Tactics, Techniques, and Common Knowledge. A structured and standardized way to categorize and document the tactics and techniques used by cyber adversaries during different phases of a cyber attack, from initial access to data exfiltration.
Narrow AI (Hard)
An algorithm to carry out one particular task
Tactical Analysis
Analysis of specific threats, incidents, vulnerabilities
Cyber Threat Intelligence
Analysis of threats in the cyber domain
Operational Analysis
Analysis of threats, campaigns, intentions, capabilities
DREAD and what type of framework is it
Assesses risk along dimensions and assign numerical score: damage potential, reproducibility, exploitability, affected users, discoverability (risk centric)
Threat Analysis
Assessing technical and non-technical data pertaining to specific threats to your organization to inform cybersecurity operations and strategic analysis
Attack Modeling (PASTA)
Attack surface analysis Attack tree development, attack library management Attack to vulnerability and exploit analysis using attack trees
What are some AST Tool Type Decision Factors?
Authorship, target platform, integration level, source code availability.
DHS AIS
Automated Indicator Sharing through CISA. Enables real-time exchange of machine-readable cyber threat indicators and defensive measures between public and private-sector organizations
Define Technical Scope (PASTA)
Boundaries of the technical environment Infrastructure, software, application dependencies
Define Objectives (PASTA)
Business objectives Security and compliance requirements Business impact analysis
Correlation Tools
Central repository for findings from others AST tools; helps to reduce noise
Threat Analysis Workflow
Collect/normalize data, conduct tactical analysis, add context, enhance leadership decisions
Facilitated by Human and Machine Teaming
Combining human analytical acumen with computational power
CVE
Common Vulnerabilities and Exposures (CVE). Instances of problems
CWE
Common Weakness Enumeration; Classification system for vulnerabilities
Reporting and Feedback
Communication between analysts and decision-makers, peers, and other intelligence consumers regarding their products and work performance. Reporting and feedback help identify intelligence requirements and intelligence gaps
Technical Cyber Intelligence KSAs
Computing (Networking fundamentals), Programming and Coding (Python, C++), AI/ML, Data Science, Big Data Analytics, Scripting, Cloud Analysis, Mobile, Malware Analysis
Reporting and Feedback Best Practices
Creating variety of reports, actionable and predictive analysis, leadership involvement
Why is ROI important?
Cyber intel teams can demonstrate how they matter
What are some ways to show cost avoidance?
Cyber intelligence influencing leadership to not open a facility in a foreign location saves costs. Cyber intelligence passed to cybersecurity teams (SOC, Incident Response, Vulnerability Team, Network Defense) leads to new mitigations and controls that protect the organization. Showing organizational impact/costs of specific threats targeting industry partners—and if the threat targeted the organization itself.
Difference between Cybersecurity & Cyber Intelligence
Cyber intelligence is proactive, combines info, strategic. Cybersecurity is reactive, focused on attacks, tactical
Data Gathering
Data and information is collected from multiple internal and external sources for analysts to analyze to answer organizational intelligence requirements
AI/ML Security Threats
Data leaks, inaccurate predictions, missed malicious activity, revealing sensitive information, performance degradation, denial of service
Priority Intelligence Requirements
Detailed and operationally focused, align to IRs
Dynamic Application Security Testing (DAST)
Detect conditions indicative of a security vulnerability in an application in its running state
Cyber Kill Chain Counter Measures
Detect, deny, disrupt, degrade, deceive, contain
Data Intelligence Requirements (DIR)
Determining data needed to fulfill IERs
Information Extraction Requirements (IER)
Determining data science methods
Cyber Intelligence Lifecycle
Direction, collection, processing, analysis, dissemination, feedback
Unsupervised Machine Learning
Discovering previously unknown patterns in data, clustering → data widely available, implementation and verification tricky.
Cyber Intelligence Framework
Environmental context, data gathering, threat analysis, strategic analysis, reporting and feedback
Static Application Security Testing (SAST)
Examine source code (at rest) to detect and report weaknesses that can lead to security vulnerabilities
Cyber Intelligence Metrics
External reports, new and repeat consumers, vulnerabilities identified and fixed, phishing pages taken down, website visits, threats identified, report downloads, business decisions influenced
Persona Non Grata and what type of framework is it
Focuses on attackers' motivations and abilities (motivation/attacker centric)
Information
Formatted data for human utilization
Strategic Analysis Workflow
Fuse threat analysis, analyze technologies and geopolitics, enhance executive decisions
Fusion Center vs SOC
Fusion center: multiple teams collaborating, SOC: focused on cybersecurity operations
Intelligence Community Directive 203
High performing organizations use this as the foundation and guideline for applying analytic standards to their cyber intelligence analysis workflows. Such organizations will incorporate analytical standards into cyber intelligence analysis workflows, specifically when performing Strategic Analysis.
Strategic Analysis
Holistically assessing threats, risks, and opportunities to enhance executive decision-making
Threat Modeling Process
Identify Assets Create an architecture overview Decompose the application Identify the threats Document the threats Rate the threats
Application Decomposition (PASTA)
Identify use cases, entry points, and trust levels Identify actors, assets, services, roles, and data sources Data flow diagraming and trust boundaries
Strategic Analysis Common Challenges
Inability to implement, lack of process, over-reliance on third-party providers
Cyber Threat Indicator
Indicator of cyber threat
OWASP Top 10
Injection Broken Authentication Sensitive Data Exposure XML External Entities(XXE) Broken Access Control Security Misconfiguration Cross-Site Scripting (XSS) Insecure Deserialization Using Components with Known Vulnerabilities Insufficient Logging &Monitoring
Data Gathering Best Practices
Intelligence requirements process, data source validation
Environmental Context Best Practices
Knowing attack surface, aligning roles, having enough people
Non Technical Cyber Intelligence KSAs
Knowledge of threat actors, cross-domain intelligence analysis (critical thinking), communication skills and technical aptitude, privacy analysis, OSINT
Cyber Intelligence Key Challenges
Lack of formal workflows, difficulty accessing data, lack of resources
Data Gathering Common Challenges
Lack of organization-wide requirements, difficulties with third-party providers
Reporting and Feedback Common Challenges
Lack of resources, lack of predictive analysis, lack of feedback mechanisms
DeWitt Clause
License provision preventing publication of software benchmarks. a common end-user license agreement provision for proprietary software that prevents anyone (such as researchers and scientists) from publishing information about their products (like benchmarks) that name the software unless its supplier approves it.
Supervised Machine Learning
Makes predictions, regression, classification, (most common)
Test Coverage Analyzers
Measure how much of the total program code has been analyzed
Cybersecurity
Measures to protect data and computer systems
CVE Intel Sources
NIST National Vulnerability Database, MITRE
Threat Analysis Common Challenges
No formal workflow, inadequate reporting, lack of technical diversity
Specific Intelligence Requirements
Operational, tactical, technical, change frequently
Reinforcement Learning
Optimization in complex but constrained tasks, still largely academic
Steps of pasta
Our Tasty Apples Vanished; Rabbits Ate Radishes define Objectives, define Technical scope, Application decomposition, Threat analysis, Vulnerability and weakness analysis, Attack modeling, Risk and impact analysis
DoD Cybersecurity Test and Evaluation (CSTE) Guidebook enumerates six phases for cybersecurity evaluation
Phase 1—Understand the Cybersecurity Requirements o Phase 2—Characterize the Attack Surface o Phase 3—Cooperative Vulnerability Identification o Phase 4—Adversarial Cybersecurity DT&E o Phase 5—Cooperative Vulnerability and Penetration Assessment o Phase 6—Adversarial Assessment
Intelligence Lifecycle
Planning, collection, processing, analysis, dissemination
Threat Analysis (PASTA)
Probabilistic attack scenarios analysis Regression analytics on security events Threat intelligence correlation and analytics
PASTA and what is it
Process for Attack Simulation and Threat Analysis (risk centric threat modeling framework)
Intelligence
Product of collecting, processing, analyzing information
Risk & Impact Analysis (PASTA)
Qualify and quantify business impact Countermeasure identification and residual risk analysis ID risk mitigation strategies
What are some future tech concerns?
Quantum computing - encryption, Cloud, IoT, AI/ML a little
Vulnerability & Weakness Analysis (PASTA)
Queries of existing vulnerability reports and issues tracking Threat to existing vulnerability mapping using threat trees Design flaw analysis using use and abuse cases Scorings (CVSS/CWSS) and Enumerations (CVE/CWE)
Hacker Activities
Reconnaissance, network scanning, exploitation, maintaining access, covering tracks
Intelligence Requirements
Reflect leadership concerns, baseline for collection plan
Lockheed Martin Cyber Kill Chain
Ronnie Wanted Delicious Eggs In California, Always Ordering reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives
CWE Intel Sources
Sans Top 25 Most Dangerous Software Errors
Components of a Fusion Center
Security operations, engineering, program management, cyber intelligence, insider threat, physical security, technology development
Environmental Context Common Challenges
Silos, unclear roles, difficulties recruiting, aligning too closely with cybersecurity
SBOM
Software Bill of Materials. Key building block in software security and software supply chain risk management. A structured list of all the software components and dependencies that are used in a particular software application or system
SPDX
Software Package Data eXchange. SPDX is an open standard for communicating software bill of material information
STRIDE and what kind of framework is it
Spoofing, tampering, repudiation, information disclosure, denial of service, escalation of privileges (software centric threat modeling framework)
Command & Control
The attacker is able to use the malware to assume remote control of a device or identity within the target network. In this stage, the attacker may also work to move laterally throughout the network, expanding their access and establishing more points of entry for the future.
Reconnaissance
The attacker is able to use the malware to assume remote control of a device or identity within the target network. In this stage, the attacker may also work to move laterally throughout the network, expanding their access and establishing more points of entry for the future.
Weaponization
The attacker is able to use the malware to assume remote control of a device or identity within the target network. In this stage, the attacker may also work to move laterally throughout the network, expanding their access and establishing more points of entry for the future.
Actions on Objectives
The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives
Application Security Testing Orchestration (ASTO)
The idea is to have central, coordinated management and reporting of all the different AST tools running in an ecosystem
Delivery
The intruder launches the attack. The specific steps taken will depend on the type of attack they intend to carry out. For example, the attacker may send email attachments or a malicious link to spur user activity to advance the plan.
Exploitation
The malicious code is executed within the victim's system.
Installation
The malware or other attack vector will be installed on the victim's system. This is a turning point in the attack lifecycle, as the threat actor has entered the system and can now assume control.
Database Security Scanning
These tools check for updated patches and versions, weak passwords, configuration errors, ACL issues, and more
Differences between Threat Analysis & Strategic Analysis Workflows
Threat analysis is immediate, tactical. Strategic analysis is holistic, strategic
Threat Analysis Best Practices
Threat analysis workflow, timeliness and accuracy, diversity in technical disciplines
Interactive Application Security Testing (IAST) / Hybrid Tools
Tools use a combination of static and dynamic analysis techniques. Can test if known vulnerabilities in code are actually exploitable in the running application
Cyber Intelligence Key Best Practices
Understanding cyber intelligence, establishing a fusion center, building a collection management team
Strategic Analysis Best Practices
Understanding difference from threat analysis, strategic analysis workflow, diversity in strategic disciplines
Environmental Context
Understanding your organization including its attack surface. Knowing the threats, risks, and opportunities targeting your organization
Data
Values of subjects with respect to variables
Example Jobs for Fusion Center
Vulnerability assessment analyst, Cyber Defense Incident Responder, Threat Warning Analyst, Mission Assessment Specialist, Cyber Legal Advisor, Cyber Defense Forensics Analyst, All-Source Analyst, All-Source Collection Manager
Applications
Weakest link in cybersecurity: software vulnerabilities, web applications
NIST NICE Framework
Workforce composition for cyber intelligence, cybersecurity, technology development, program management
Mobile Application Security Testing (MAST)
a blend of static, dynamic, and forensics analysis. Specialized features to focus on issues specific to mobile applications
MISP Threat Sharing
an open source threat intelligence platform
Statistics
art and science of learning from data
Simple explanation of ICD 203?
cyber intelligence teams use this as a basis for their standards, applying structured analytical techniques, incorporating likelihood and confidence expressions, and including source validation and intelligence gaps in their reports to enhance the quality and rigor of their analysis.
What is cost avoidance?
developing internal expertise and tools, influencing leadership decisions to prevent unnecessary expenses, implementing new mitigations and controls, saving costs through network updates and policy changes, and adopting virtual fusion center approaches to reduce location-related expenses while highlighting the financial impact of specific threats targeting the organization and its industry partners.
Attack Trees (root and leaves)
diagrams that depict attacks on a system in tree form. The tree root is the goal for the attack, and the leaves are ways to achieve that goal.
What are some categories from Cyber Intelligence Tradecraft Project Threat Prioritization Guide for collecting and analyzing information for attribution?
infrastructure technology coding maturity
Kali Linux Metasploit
open source platform that supports vulnerability research, exploit development and penetration testing
Data Science
refers to managing and analyzing largeamounts of data
Zeek
sensor that interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output
Origin Analysis / Software Composition Analysis (SCA)
these tools examine software to determine the origins of all components and libraries
VirusTotal
threat analysis tool that aggregates many antivirus products and online scan engines called Contributors.
What is the purpose of threat modeling?
to provide defenders with a systematic analysis of the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker.
Why does cyber attribution matter?
to understand and anticipate adversary actions, gather insights into their tactics, and enhance collaboration with government authorities for accountability.
Some example report types?
vulnerability reports, threat analysis report, targeting packages for penetration testing team, industry development
Application Security Testing as a Service (ASTaaS)
you pay someone to perform security testing on your application