This is the third blog in a series titled, "What is Threat Intelligence?". Continue with the series at the bottom of this page.
In our previous blog we discussed the benefits and applications of strategic threat intelligence, which provides insight into attackers and their motivations. This kind of intelligence is nontechnical and “big picture,” providing people with a general understanding of the threat. To mount a successful defense though organizations require more than just answers on which enemies they’re facing - they also need to know their adversaries’ capabilities. Enter operational threat intelligence. Operational threat intelligence provides context for security events and incidents such that defenders can:
- Expose potential risks
- Gain insight into actor methodologies
- Pursue previously undiscovered malicious activity
- Perform faster and more thorough investigations into malicious activity
This kind of intelligence is most frequently uncovered by forensic investigators and incident responders, and typically includes the following types of items:
- Tools for particular threat groups (utilities, backdoor families, common infrastructure)
- TTPs for particular threat groups (staging directories, file naming conventions, ports, protocols, favorite file types)
- Emerging TTPs (new persistence methods, exploits, phishing schemes)
Consider the following from an incident response perspective: If you are responding to an intrusion event, you may wonder how a particular actor performs privilege escalation, lateral movement or data theft. If you are hunting for undiscovered malicious activity, you might want to start your hunt by looking for a specific actor behavior. Whatever your scenario, you need to answer the question “How do you search for this actor within your environment?”
Example Operational Intelligence for APT29
- Preferred Infection Vector: spearphishing with self-extracting RAR
- First Stage Malware Families: COZYCAR, SWIFTKICK, TADPOLE
- Second Stage Malware Families: SEADADDY, MINIDIONIS, SPIKERUSH
- Persistence Techniques
- Scheduled Tasks for most backdoors
- WMI by manual installation for backdoors that do not have persistence built in
- Legitimate file replacement of Windows Error Reporting file (wermgr.exe)
- Use of TOR for C2
- Use of Google Docs for C2
- Use of Google Cloud Apps for C2 forwarding (as a proxy)
- Use of HTTP POST requests over 443 for C2
- Use of backdoors configured for ports 1, 80, 443, 3389 for C2
- Use of PowerShell scripts
- Use of Py2Exe to modify and recompile backdoors with variance in C2 protocols and C2 infrastructure
Example Operational Intelligence for the Education Sector
- Common attack vectors are spear phishing, watering holes and SQL injection
- Spearphishing university professors who specialize in incorporating new technology into classrooms
- Spearphishing to recruiters and people involved in hiring processes
- Common attacks are spear phishing and SQL injection (SQLi)
- Common malware families: PISCES, SOGU, LOGJAM, COBALT, COATHOOK, POISONIVY, NJRAT, NETWIRE
- Common pentesting families: Meterpreter, PowerShell Empire, Metasploit Framework
- Use of Dropbox for C2
- Use of HTTPS and custom TCP protocols for C2
- Use of .ru, .su TLDs for C2 domains
- Use of yandex.ru and bk.ru for email addresses
- Theft of databases containing student names, administrative credentials, billing information, social security numbers and other PII.
Using Operational Intelligence
Operational intelligence is knowledge gained from examining details from known attacks (also known as tactical intelligence - more on that next time). An analyst can build a solid picture of actor methodology by piecing together tactical indicators and artifacts, and derive into operational intelligence. This can help to:
- Enrich security events and alerts for known-bad atomic IOCs, equipping security personnel with the context they need to make better security decisions
- Enhance incident response plans and mitigation techniques for future attacks and incidents
- Implement and bolster a proactive discovery program (“hunting program”) to identify suspicious files and activity that has bypassed traditional security technologies
- Extract useful redteaming techniques based on attacker methods in the wild
- Perform actor-based and malware family-based analytics for high risk threats to your company, industry, geography or nation
- Develop detection methodologies that are not dependent on IOCs, ensuring broader coverage of threats in a more timely fashion
Check out the other blogs in our series for a deeper look into the types of threat intelligence and how they are used.
What is Threat Intelligence?
What is Strategic Threat Intelligence?
What is Operational Threat Intelligence?
What is Tactical Threat Intelligence?
About the Author
Justin Swisher is a Solutions Manager at Anomali. Building on more than twelve years of IT security experience with an emphasis in network security architecture and monitoring, Mr. Swisher has worked to develop new techniques to improve detection and threat hunting. After spending four years with the Air Force as an intelligence analyst, Mr. Swisher brought those analytical skills to leading cybersecurity vendors in an effort to improve network security detection and response.