
Cyber Threat intelligence

Mahesh Shukla - JailBreaker edited this page Jun 10, 2024 · 1 revision

Cyber Threat Intelligence (CTI)

[Figure: ctf_process]

Definition:

  • Cyber Threat Intelligence (CTI) is evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and actionable advice. This intelligence helps protect critical assets and informs cybersecurity teams and management business decisions.

Distinguishing Between Data, Information, and Intelligence:

  • Data: Discrete pieces of evidence, such as IP addresses, URLs, or file hashes, associated with adversarial activities.
    • Example: An IP address (192.168.0.1) found in log files that matches known malicious activity.
  • Information: Aggregated data points that answer specific questions.
    • Example: The number of times employees accessed a suspicious website (e.g., tryhackme.com) within a month.
  • Intelligence: Correlated data and information analyzed to identify patterns and provide contextual insights.
    • Example: Analysis revealing a pattern of phishing emails originating from certain IP addresses targeting the finance department, indicating a focused spear-phishing campaign.

Goals of CTI

To understand the relationship between your operational environment and adversaries, and how to defend against attacks, by answering questions like:

  • Who is attacking you?
  • What are their motivations?
  • What are their capabilities?
  • What Indicators of Compromise (IOCs) should you look for?

Sources of CTI

Internal Sources

  • Corporate security events (e.g., vulnerability assessments).
  • Incident response reports.
  • System logs and events.
  • Example: Logs showing repeated login attempts from unknown IP addresses could indicate a brute force attack.

Community Sources:

  • Open web forums.
  • Dark web communities.
  • Example: Discussions on hacker forums about new vulnerabilities in widely used software.

External Sources:

Strategic Intelligence:

  • High-level intelligence focusing on the organization's threat landscape, mapping out risks based on trends, patterns, and emerging threats that may impact business decisions.
  • Example: Reports on geopolitical tensions affecting cybersecurity policies.

Technical Intelligence:

  • Detailed evidence and artefacts of attack methods used by adversaries.
  • Example: Technical analysis of malware code to understand its behavior and impact.

Tactical Intelligence:

  • Assessing adversaries' tactics, techniques, and procedures (TTPs).
  • Example: Documenting how phishing emails are crafted and delivered to evade spam filters.

Operational Intelligence:

  • Specific motives and intent behind an adversary’s attacks.
  • Example: Intelligence revealing a group's intent to steal intellectual property from biotech companies.

Threat Intelligence Process

The threat intelligence process transforms raw data into contextualized and actionable insights through a systematic six-phase cycle.

Direction:

  • Objective Setting: Define goals and objectives for the threat intelligence program.
  • Key Parameters: Identify information assets, assess the impact of their loss, determine data sources, and identify necessary tools and resources.
  • Investigation Questions: Pose questions to guide the investigation.
  • Example: What are the most critical assets that need protection from ransomware attacks?

Collection:

  • Data Gathering: Collect data aligned with the defined objectives from various sources.
  • Automation: Use automation to handle large volumes of data.
  • Example: Using scripts to collect threat data from multiple security feeds and forums.

Processing:

  • Data Formatting: Extract, sort, organize, and correlate raw data.
  • Visualization: Present data visually for better understanding.
  • Tools: Utilize SIEMs for quick data parsing.
  • Example: Using a SIEM to correlate network traffic logs with known malicious IP addresses.

Analysis:

  • Insight Derivation: Analyze aggregated information to derive actionable insights.
  • Decision Making: Make decisions based on threat investigation, action plans, and security controls.
  • Example: Identifying a spike in network traffic to a command and control server and planning a response.

Dissemination:

  • Communication: Share intelligence with stakeholders in appropriate formats.
  • Reports: Provide concise reports to executives and detailed reports to technical teams.
  • Example: Sending a high-level summary of threat trends to the C-suite and detailed technical reports to IT security teams.

Feedback:

  • Interaction: Collect feedback from stakeholders to improve the process.
  • Process Improvement: Use feedback to enhance threat intelligence efforts.
  • Example: Adjusting data collection methods based on feedback from security analysts about the relevance of certain threat feeds.

Introduction to OpenCTI

[Figure: OpenCTI-architecture]

Overview

  • OpenCTI is an open-source platform for Cyber Threat Intelligence management, providing functionalities like storage, analysis, visualization, and presentation of threat campaigns, malware, and IOCs.

Objective and Development

  • Developed in collaboration with the French National cybersecurity agency (ANSSI), it aims to manage both technical and non-technical threat information and establish relationships between data points. It integrates with the MITRE ATT&CK framework and other threat intel tools like MISP and TheHive.

OpenCTI Data Model

  • Utilizes Structured Threat Information Expression (STIX2) standards for structuring data and supports a GraphQL API, write workers, and various connectors for data ingestion, enrichment, and export.

Dashboard

  • Features include a reputation lookup dashboard with a world map showing email traffic status, tabs for Vulnerability Information, Reputation Center, and other resources for threat intelligence.

Activities & Knowledge

  • Activities cover security incidents in reports for investigation, while the Knowledge section links data on threat actors, targeted victims, and campaigns.

Analysis and Investigation

  • The Analysis tab allows for the input of entities in reports, external references, and creating associations for incidents. The Observations tab lists technical elements and detection rules observed during cyber attacks.

Threats and Arsenal

  • Lists threat actors, intrusion sets, and campaigns targeting organizations, as well as malware, attack patterns, tools, and vulnerabilities.

Entities and Navigation

  • Entities are categorized based on sectors, countries, organizations, and individuals for knowledge enrichment. Navigation tabs include Overview, Knowledge, Analysis, Indicators, Data, and History for detailed investigation.

Standards and Frameworks in Threat Intelligence

  • Standards and frameworks provide structured approaches for distributing and using threat intelligence, facilitating common terminology for better collaboration.

MITRE ATT&CK

  • A knowledge base of adversary behavior, focusing on tactics, techniques, and indicators.
  • Example: Using the MITRE ATT&CK matrix to map out an adversary's TTPs and identify gaps in the organization’s defenses.

TAXII (Trusted Automated eXchange of Indicator Information)

  • Defines protocols for securely exchanging threat intelligence.
  • Example: An organization subscribing to a TAXII server to receive real-time updates on emerging threats.

STIX (Structured Threat Information Expression)

  • A language for specifying, capturing, and communicating standardized cyber threat information.
  • Example: Sharing detailed threat reports in STIX format to ensure consistency and readability across different security tools.

Cyber Kill Chain

  • Developed by Lockheed Martin, it breaks down adversary actions into steps.
  • Example: Using the Cyber Kill Chain to analyze and disrupt an ongoing phishing campaign by identifying and blocking the delivery phase.

The Diamond Model

[Figure: diamon_model]

  • Focuses on intrusion analysis and tracking attack groups.

  • Example: Analyzing an intrusion using the Diamond Model to identify the adversary, their capabilities, the infrastructure used, and the targeted victim.

Example Case Study: Application of the CTI Process

Scenario: An organization experiences a spike in phishing attacks targeting its employees.

Direction

  • Objective Setting: Identify the source and mitigate the phishing campaign.
  • Key Parameters: Protect employee email accounts, assess the impact of potential credential theft, identify data sources (email logs, threat feeds), and tools (phishing detection systems).

Collection

  • Data Gathering: Collect data from email logs, phishing detection systems, and threat intelligence feeds.
  • Automation: Use scripts to automate data collection from threat feeds.

Processing

  • Data Formatting: Organize email logs, tag suspicious emails, and correlate with threat intelligence data.
  • Visualization: Use dashboards to display phishing email patterns and sources.

Analysis

  • Insight Derivation: Analyze the patterns to identify the adversary’s tactics.
  • Decision Making: Develop a plan to block phishing emails, educate employees, and strengthen email security controls.

Dissemination

  • Communication: Share findings with management and IT security teams.
  • Reports: Provide a high-level summary to the C-suite and detailed technical reports to security teams.

Feedback

  • Interaction: Collect feedback from employees and security teams on the effectiveness of the measures.
  • Process Improvement: Refine phishing detection and response strategies based on feedback.

By following this comprehensive approach, organizations can effectively utilize Cyber Threat Intelligence to defend against sophisticated cyber threats.

Cyber Threat Intelligence (CTI) can be defined as evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and actionable advice against them. These can be utilised to protect critical assets and inform cyber security teams and management business decisions.

It would be typical to use the terms “data”, “information”, and “intelligence” interchangeably. However, let us distinguish between them to understand better how CTI comes into play.

[Figure: An image depicting data from the web, servers and firewalls being collected through a funnel and being sorted.]

Data: Discrete indicators associated with an adversary, such as IP addresses, URLs or hashes.

Information: A combination of multiple data points that answer questions such as “How many times have employees accessed tryhackme.com within the month?”

Intelligence: The correlation of data and information to extract patterns of actions based on contextual analysis.
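The data → information → intelligence progression described above (and the earlier SIEM example of correlating network logs with known malicious IP addresses) can be shown as a small pipeline. This is an added example, not code from the wiki page: the proxy log lines, the indicator list and the user-to-department mapping are all constructed for illustration.

```python
"""Added example (not part of the original wiki page): turns raw proxy log
lines (data) into per-destination counts (information) and correlates them
with an indicator list and asset context to surface a pattern (intelligence).
All log lines, indicators and department mappings are constructed."""
from collections import Counter, defaultdict
import re

# Constructed sample log lines: timestamp, source IP, user, destination host.
RAW_LOGS = """\
2024-06-01T08:02:11Z 10.0.5.21 alice finance-portal.example
2024-06-01T08:05:47Z 10.0.5.22 bob tryhackme.com
2024-06-01T09:14:03Z 10.0.5.21 alice invoice-update.example
2024-06-02T10:22:30Z 10.0.5.23 carol invoice-update.example
2024-06-02T10:25:12Z 10.0.5.22 bob tryhackme.com
2024-06-03T11:40:55Z 10.0.7.10 dave intranet.example
2024-06-03T11:41:02Z 10.0.5.24 erin invoice-update.example
"""

# Constructed indicator list: the "data" a threat feed would hand us.
MALICIOUS_HOSTS = {"invoice-update.example": "phishing landing page (constructed)"}

# Constructed asset context: which department each user belongs to.
USER_DEPARTMENT = {"alice": "finance", "bob": "engineering", "carol": "finance",
                   "dave": "hr", "erin": "finance"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_logs(text):
    """Data: split each line into discrete fields; skip lines that do not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src_ip, user, host = m.groups()
            events.append({"ts": ts, "src_ip": src_ip, "user": user, "host": host})
    return events


def count_access(events, host):
    """Information: answers 'how many times was this host accessed?'"""
    return sum(1 for e in events if e["host"] == host)


def correlate(events):
    """Intelligence: join hits on known-bad hosts with asset context and report
    which department the activity concentrates on, so the analyst sees the
    pattern (a focused campaign) rather than a bare count."""
    findings = defaultdict(lambda: {"hits": 0, "departments": Counter(), "users": set()})
    for e in events:
        if e["host"] in MALICIOUS_HOSTS:
            f = findings[e["host"]]
            f["hits"] += 1
            f["departments"][USER_DEPARTMENT.get(e["user"], "unknown")] += 1
            f["users"].add(e["user"])
    report = {}
    for host, f in findings.items():
        top_dept, top_count = f["departments"].most_common(1)[0]
        report[host] = {
            "context": MALICIOUS_HOSTS[host],
            "hits": f["hits"],
            "users": sorted(f["users"]),
            # Only call it "focused" when every hit came from one department.
            "focused_on": top_dept if top_count == f["hits"] else None,
        }
    return report


if __name__ == "__main__":
    evts = parse_logs(RAW_LOGS)
    print("tryhackme.com accesses:", count_access(evts, "tryhackme.com"))
    for host, r in correlate(evts).items():
        print(host, r)
```

The three functions map one-to-one onto the three terms: `parse_logs` yields data, `count_access` yields information, and `correlate` yields intelligence because it adds the context (indicator meaning, targeted department) that an analyst needs to act.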

The primary goal of CTI is to understand the relationship between your operational environment and your adversary and how to defend your environment against any attacks. You would seek this goal by developing your cyber threat context by trying to answer the following questions:

  • Who’s attacking you?
  • What are their motivations?
  • What are their capabilities?
  • What artefacts and indicators of compromise (IOCs) should you look out for?

With these questions, threat intelligence would be gathered from different sources under the following categories:

  • Internal:

    • Corporate security events such as vulnerability assessments and incident response reports.
    • Cyber awareness training reports.
    • System logs and events.
  • Community:

    • Open web forums.
    • Dark web communities for cybercriminals.
  • External:

    • Threat intel feeds (Commercial & Open-source)
    • Online marketplaces.
    • Public sources include government data, publications, social media, financial and industrial assessments.

Threat Intelligence Classifications

[Figure: threat_intelligence_lifescycle]

Threat Intel is geared towards understanding the relationship between your operational environment and your adversary. With this in mind, we can break down threat intel into the following classifications: 

  • Strategic Intel: High-level intel that looks into the organisation’s threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions.

  • Technical Intel: Looks into evidence and artefacts of attack used by an adversary. Incident Response teams can use this intel to create a baseline attack surface to analyse and develop defence mechanisms.

  • Tactical Intel: Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.

  • Operational Intel: Looks into an adversary’s specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organisation (people, processes and technologies) that may be targeted.


Threat Intelligence Process:

Threat intelligence is obtained through a systematic data-churning process that transforms raw data into contextualized and actionable insights aimed at triaging security incidents. This process follows a six-phase cycle:


1. Direction

  • Objective Setting: Define the goals and objectives of the threat intel program.
  • Key Parameters:
    • Information Assets: Identify assets and business processes that need protection.
    • Impact Assessment: Determine the potential impact of losing these assets or process interruptions.
    • Data Sources: Identify sources of data and intel to be used for protection.
    • Tools and Resources: Identify necessary tools and resources to defend the assets.
  • Investigation Questions: Allow security analysts to pose questions related to incident investigation.

2. Collection

  • Data Gathering: Collect data based on the defined objectives.
  • Sources: Utilize commercial, private, and open-source resources.
  • Automation: Automate data collection to manage large volumes of data and free up time for incident triaging.

3. Processing

  • Data Formatting: Extract, sort, organize, and correlate raw logs, vulnerability information, malware, and network traffic.
  • Tagging and Visualization: Apply appropriate tags and present data visually in an understandable format.
  • Tools: Utilize SIEMs (Security Information and Event Management systems) for quick parsing of data.

4. Analysis

  • Insight Derivation: Analyze the aggregated information to derive insights.
  • Decision Making: Make decisions involving:
    • Threat Investigation: Uncover indicators and attack patterns.
    • Action Plans: Define plans to avert attacks and defend the infrastructure.
    • Security Controls: Strengthen controls or justify investment in additional resources.

5. Dissemination

  • Stakeholder Communication: Communicate intelligence to organizational stakeholders in appropriate formats and languages.
  • Reports:
    • C-suite: Provide concise reports covering trends in adversary activities, financial implications, and strategic recommendations.
    • Technical Teams: Inform technical teams about threat IOCs, adversary TTPs, and tactical action plans.

6. Feedback

  • Stakeholder Interaction: Collect and analyze feedback from stakeholders.
  • Process Improvement: Use feedback to improve the threat intelligence process and security controls.
  • Regular Interaction: Maintain ongoing interaction between teams to keep the lifecycle effective.


Introduction to OpenCTI


  • Overview of OpenCTI as an open-sourced platform for Cyber Threat Intelligence (CTI) management.
  • Core functionalities include storage, analysis, visualization, and presentation of threat campaigns, malware, and IOCs.

Objective and Development

  • Developed in collaboration with the French National cybersecurity agency (ANSSI).
  • Objective: To create a comprehensive tool for managing technical and non-technical threat information and developing relationships between data points.
  • Integration with MITRE ATT&CK framework and other threat intel tools like MISP and TheHive.

OpenCTI Data Model

  • Utilizes Structured Threat Information Expression (STIX2) standards for structuring data.
  • Architecture supports GraphQL API, Write workers, and various connectors for data ingestion, enrichment, and export.

OpenCTI Dashboard

  • Reputation lookup dashboard with a world map showing email traffic status across countries.
  • Tabs for Vulnerability Information, Reputation Center, and other resources for threat intelligence.

Activities & Knowledge

  • Activities: Covers security incidents in the form of reports for investigation.
  • Knowledge: Provides linked data on threat actors, targeted victims, and threat campaigns.

Analysis and Investigation

  • Analysis Tab: Input entities in reports analyzed with external references.
  • Events Tab: Records findings and enriches threat intel by creating associations for incidents.
  • Observations Tab: Lists technical elements and detection rules observed during cyber attacks.

Threats and Arsenal

  • Threats: Includes threat actors, intrusion sets, and campaigns targeting organizations.
  • Arsenal: Lists malware, attack patterns, courses of action, tools, and vulnerabilities related to attacks.

Entities and Navigation

  • Entities Tab: Categorizes entities based on sectors, countries, organizations, and individuals for knowledge enrichment.
  • General Tabs Navigation: Overview, Knowledge, Analysis, Indicators, Data, and History tabs for detailed investigation and analysis.

Conclusion

  • OpenCTI provides a comprehensive platform for managing Cyber Threat Intelligence.
  • Integration with STIX2 standards, MITRE ATT&CK framework, and other tools enhances threat analysis and defense tactics.

Standards and Frameworks in Threat Intelligence

Standards and frameworks provide structured approaches to distributing and using threat intelligence across industries. They facilitate common terminology, aiding collaboration and communication. Below are some essential standards and frameworks commonly used in threat intelligence:


MITRE ATT&CK

  • Description: A knowledge base of adversary behavior, focusing on tactics, techniques, and indicators.
  • Usage: Security analysts use it to investigate and track adversarial behavior thoroughly.
  • Key Feature: Provides a matrix of adversary tactics and techniques based on real-world observations.

[Figure: mitre]


TAXII (Trusted Automated eXchange of Indicator Information)

  • Description: Defines protocols for securely exchanging threat intelligence for near real-time detection, prevention, and mitigation of threats.
  • Sharing Models:
    • Collection: Threat intel is collected and hosted by a producer upon request by users using a request-response model.
    • Channel: Threat intel is pushed to users from a central server through a publish-subscribe model.

STIX (Structured Threat Information Expression)

  • Description: A language developed for the specification, capture, characterization, and communication of standardized cyber threat information.
  • Key Features: Provides defined relationships between sets of threat information such as observables, indicators, adversary TTPs, and attack campaigns.
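The TAXII sharing models and the STIX relationships described in the two sections above can be made concrete together. The following is an added example, not code from the wiki page or from the OASIS reference implementations: it builds STIX 2.1 objects by hand with the Python standard library, runs the structural check a consumer should apply before ingesting, and simulates a TAXII 2.1 collection poll (the request-response model). The indicator value, malware name and timestamps are constructed; there is no network traffic.

```python
"""Added example (not part of the original page): hand-built STIX 2.1 objects,
a minimal consumer-side validation, and a simulated TAXII 2.1 collection poll.
Constructed values only; nothing is sent over the network."""
import json
import uuid
from datetime import datetime, timezone

SPEC = "2.1"


def now_ts():
    """STIX timestamps are RFC 3339 UTC; millisecond precision is conventional."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_id(obj_type):
    """STIX identifiers are '<type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def make_indicator(pattern, name, created=None):
    """Indicator SDO: pattern, pattern_type and valid_from are required in 2.1."""
    ts = created or now_ts()
    return {"type": "indicator", "spec_version": SPEC, "id": stix_id("indicator"),
            "created": ts, "modified": ts, "name": name,
            "pattern": pattern, "pattern_type": "stix", "valid_from": ts}


def make_malware(name, is_family, created=None):
    """Malware SDO: is_family is required in 2.1."""
    ts = created or now_ts()
    return {"type": "malware", "spec_version": SPEC, "id": stix_id("malware"),
            "created": ts, "modified": ts, "name": name, "is_family": is_family}


def make_relationship(source, target, rel_type, created=None):
    """SRO linking two objects, e.g. indicator --indicates--> malware."""
    ts = created or now_ts()
    return {"type": "relationship", "spec_version": SPEC, "id": stix_id("relationship"),
            "created": ts, "modified": ts, "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def make_bundle(objects):
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


COMMON = {"type", "spec_version", "id", "created", "modified"}
REQUIRED = {"indicator": {"pattern", "pattern_type", "valid_from"},
            "malware": {"is_family"},
            "relationship": {"relationship_type", "source_ref", "target_ref"}}


def validate(obj):
    """Minimal structural check a consumer runs before ingesting a feed object."""
    missing = (COMMON | REQUIRED.get(obj["type"], set())) - obj.keys()
    if missing:
        return False, sorted(missing)
    if not obj["id"].startswith(obj["type"] + "--"):
        return False, ["id prefix"]
    return True, []


class TaxiiCollection:
    """Simulated TAXII 2.1 collection (request-response model): the producer
    stores objects with the time they were added, and a consumer polls with
    added_after to fetch only what is new since its last request."""

    def __init__(self):
        self.store = []  # list of (added_ts, stix_object)

    def add(self, obj, added_ts):
        self.store.append((added_ts, obj))

    def get_objects(self, added_after=None):
        """Stands in for GET /{api-root}/collections/{id}/objects/?added_after=...
        (real clients send Accept: application/taxii+json;version=2.1) and
        returns the TAXII 2.1 envelope shape."""
        objs = [o for ts, o in self.store if added_after is None or ts > added_after]
        return {"more": False, "objects": objs}


def demo():
    ts = "2024-06-10T12:00:00.000Z"  # constructed
    ind = make_indicator("[ipv4-addr:value = '203.0.113.7']", "C2 address (constructed)", ts)
    mal = make_malware("ExampleRAT", is_family=True, created=ts)  # constructed name
    rel = make_relationship(ind, mal, "indicates", ts)
    coll = TaxiiCollection()
    coll.add(ind, "2024-06-10T12:00:00.000Z")
    coll.add(mal, "2024-06-10T12:00:00.000Z")
    coll.add(rel, "2024-06-11T09:00:00.000Z")
    fresh = coll.get_objects(added_after="2024-06-10T23:59:59.000Z")
    return make_bundle([ind, mal, rel]), fresh


if __name__ == "__main__":
    bundle, fresh = demo()
    print(json.dumps(bundle, indent=2))
    print("added after cutoff:", [o["type"] for o in fresh["objects"]])
```

The `added_after` filter is what makes polling efficient: the consumer remembers the timestamp of its last successful poll and asks only for objects added since, which is the collection model the TAXII section contrasts with push-style channels.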


Cyber Kill Chain

  • Description: Developed by Lockheed Martin, it breaks down adversary actions into steps, helping analysts identify stage-specific activities during an investigation.
  • Phases:
    1. Reconnaissance: Gathering information about the victim and tactics.
      • Examples: Harvesting emails, OSINT, social media, network scans.
    2. Weaponization: Engineering malware based on attack needs.
      • Examples: Exploits with backdoors, malicious office documents.
    3. Delivery: Methods to deliver malware to the victim's system.
      • Examples: Email, web links, USB.
    4. Exploitation: Breaching system vulnerabilities to execute code and establish persistence.
      • Examples: EternalBlue, Zerologon.
    5. Installation: Installing malware and other tools.
      • Examples: Password dumping, backdoors, remote access trojans.
    6. Command & Control: Remotely controlling compromised systems, delivering additional malware, moving across assets, and elevating privileges.
      • Examples: Empire, Cobalt Strike.
    7. Actions on Objectives: Fulfilling attack goals like financial gain, corporate espionage, data exfiltration.
      • Examples: Data encryption, ransomware, public defacement.

[Figure: cyberkillchain]


The Diamond Model

  • Description: Focuses on intrusion analysis and tracking attack groups over time.
  • Key Areas:
    • Adversary: The threat actor behind the attack, focusing on their motives.
    • Victim: The individual, group, or organization affected by the attack.
    • Infrastructure: Tools, systems, and software used by adversaries and the victim’s systems providing compromise information.
    • Capabilities: Adversary's approach to achieving their goals, including exploitation means and TTPs.

[Figure: Illustration of the diamond model of intrusion analysis.]

  • Example Use: An adversary targeting a victim through phishing attacks to obtain sensitive information and compromise their system. The model helps analysts pivot along its properties to create a complete attack picture and correlate indicators.

MISP (Malware Information Sharing Platform)

  • MISP is an open-source threat information platform designed to facilitate the collection, storage, and distribution of threat intelligence and Indicators of Compromise (IOCs) related to various cyber threats like malware, cyber attacks, financial fraud, and other intelligence within a trusted community of members.

Key Features of MISP

  1. Distributed Information Sharing: MISP follows a distributed model, supporting closed, semi-private, and open communities for information sharing.
  2. Integration with Security Systems: Threat information from MISP can be integrated with Network Intrusion Detection Systems (NIDS), log analysis tools, and Security Information and Event Management Systems (SIEM).
  3. Use Cases:
    • Malware Reverse Engineering
    • Security Investigations
    • Intelligence Analysis
    • Law Enforcement Support
    • Risk Analysis
    • Fraud Analysis

Core Functionalities of MISP

  1. IOC Database: Stores technical and non-technical information about malware samples, incidents, attackers, and intelligence.
  2. Automatic Correlation: Identifies relationships between attributes and indicators from various sources like malware, attack campaigns, and analysis.
  3. Data Sharing: Facilitates sharing of information using different distribution models among different MISP instances.
  4. Import & Export Features: Allows import/export of events in different formats for integration with other systems.
  5. Event Graph: Visualizes relationships between objects and attributes identified from events.
  6. API Support: Enables integration with other systems to fetch and export events and intelligence.

Key Terminologies in MISP

  • Events: Collections of contextually linked information.
  • Attributes: Individual data points associated with events (e.g., network or system indicators).
  • Objects: Custom attribute compositions.
  • Object References: Relationships between different objects.
  • Sightings: Time-specific occurrences of a data point detected to provide credibility.
  • Tags: Labels attached to events/attributes.
  • Taxonomies: Classification libraries used to tag, classify, and organize information.
  • Galaxies: Knowledge base items used to label events/attributes.
  • Indicators: Information pieces detecting suspicious or malicious cyber activity.

Dashboard and Event Management

  • Dashboard: Provides functionalities to track, share, and correlate events and IOCs identified during investigations.
  • Event Actions: Includes creation, modification, deletion, publishing, searching, and listing of events and attributes.
  • Input Filters: Alters data entry into the instance based on defined rules.
  • Global Actions: Provides access to MISP information, user profile, manual, terms, and active organizations.

Event Creation and Management

  • Describes the process of creating events, populating attributes, attaching files, and publishing events.
  • Distribution options: Your organization only, Community-only, Connected communities, All communities.

Feeds and Taxonomies

  • Feeds: Resources containing indicators for proactive defense against threats.
  • Taxonomies: Classify events, indicators, and threat actors based on tags for effective organization and analysis.

Tagging and Best Practices

  • Tagging: Assigns tags to events/attributes for identifying indicators or threats.
  • Best Practices: Includes tagging at event level, minimal subset of tags (Traffic Light Protocol, Confidence, Origin, Permissible Actions Protocol), and inheritance of tags.
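To tie the MISP terminology, distribution levels and tagging practices above together, here is an added example; it is not code from the wiki page or from the MISP project, and it uses plain dictionaries rather than PyMISP. It constructs a MISP-style event with attributes, applies the event-level tagging check (one TLP tag and one PAP tag, inherited by attributes), and derives Suricata-style rules from the attributes flagged `to_ids`, which is the path by which MISP intelligence usually reaches a NIDS. The event contents, the `example-*` tag namespaces and the rule shape are constructed for illustration and are not MISP's exact export format.

```python
"""Added example (not part of the page or of MISP): a MISP-style event as plain
JSON, the event-level tagging best-practice check, tag inheritance to
attributes, and Suricata-style rules from to_ids attributes. Constructed data."""
import json

# MISP distribution levels, as listed on the page.
DISTRIBUTION = {0: "Your organisation only", 1: "This community only",
                2: "Connected communities", 3: "All communities"}
THREAT_LEVEL = {1: "High", 2: "Medium", 3: "Low", 4: "Undefined"}


def make_event(info, distribution, threat_level_id, tags, attributes):
    """Event: a collection of contextually linked attributes plus event-level tags."""
    return {"Event": {"info": info, "distribution": distribution,
                      "threat_level_id": threat_level_id, "analysis": 1,
                      "Tag": [{"name": t} for t in tags],
                      "Attribute": attributes}}


def make_attribute(attr_type, category, value, to_ids, tags=()):
    """Attribute: one data point; to_ids marks it as usable for detection."""
    return {"type": attr_type, "category": category, "value": value,
            "to_ids": to_ids, "Tag": [{"name": t} for t in tags]}


def effective_tags(event, attribute):
    """Attributes inherit event-level tags; attribute-level tags add to them."""
    names = [t["name"] for t in event["Event"]["Tag"]]
    names += [t["name"] for t in attribute.get("Tag", []) if t["name"] not in names]
    return names


def check_tagging(event, required_namespaces=("tlp", "pap")):
    """Best-practice check: exactly one tag from each required namespace at
    event level, and a known distribution level. Returns a list of problems."""
    problems = []
    names = [t["name"] for t in event["Event"]["Tag"]]
    for ns in required_namespaces:
        hits = [n for n in names if n.lower().startswith(ns.lower() + ":")]
        if len(hits) != 1:
            problems.append(f"expected exactly one {ns}: tag at event level, found {len(hits)}")
    if event["Event"]["distribution"] not in DISTRIBUTION:
        problems.append("unknown distribution level")
    return problems


def nids_rules(event, sid_start=9000001):
    """Suricata-style rules for to_ids network attributes (illustrative shape,
    not MISP's own NIDS export). Non-network attributes are skipped."""
    rules = []
    sid = sid_start
    for a in event["Event"]["Attribute"]:
        if not a["to_ids"]:
            continue
        msg = f'MISP {event["Event"]["info"]} - {a["type"]} {a["value"]}'
        if a["type"] == "ip-dst":
            rules.append(f'alert ip $HOME_NET any -> {a["value"]} any '
                         f'(msg:"{msg}"; sid:{sid}; rev:1;)')
        elif a["type"] == "domain":
            rules.append(f'alert dns any any -> any any (msg:"{msg}"; dns.query; '
                         f'content:"{a["value"]}"; nocase; sid:{sid}; rev:1;)')
        else:
            continue
        sid += 1
    return rules


def demo():
    # Constructed attributes; 'example-confidence' is a placeholder namespace.
    attrs = [make_attribute("ip-dst", "Network activity", "203.0.113.7", True),
             make_attribute("domain", "Network activity", "invoice-update.example", True),
             make_attribute("sha256", "Payload delivery", "a" * 64, False,
                            tags=("example-confidence:medium",))]
    # Event-level tags: real tlp/PAP namespaces plus a placeholder origin tag.
    return make_event("Constructed phishing campaign", 1, 2,
                      ["tlp:amber", "PAP:AMBER", "example-origin:internal"], attrs)


if __name__ == "__main__":
    ev = demo()
    print(json.dumps(ev, indent=2))
    print("distribution:", DISTRIBUTION[ev["Event"]["distribution"]])
    print("tagging problems:", check_tagging(ev) or "none")
    print("\n".join(nids_rules(ev)))
```

Tagging at event level and letting attributes inherit, as the page recommends, is what lets `check_tagging` stay simple: it only has to look in one place, and `effective_tags` shows that every attribute still carries the handling marks when it is exported on its own.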

This comprehensive overview covers the functionalities, terminologies, and best practices associated with MISP, highlighting its importance in managing threat intelligence and collaborating within cybersecurity communities.
