What is Operational Threat Intelligence?

March 21, 2018 | Justin Swisher

This is the third blog in a series called, “What is Threat Intelligence?”.  The first blog in the series can be found here and the second on strategic intelligence can be found here.  Stay tuned for future installments in this series.

In our previous blog we discussed the benefits and applications of strategic threat intelligence, which provides insight into attackers and their motivations. This kind of intelligence is nontechnical and “big picture,” providing people with a general understanding of the threat. To mount a successful defense though organizations require more than just answers on which enemies they’re facing - they also need to know their adversaries’ capabilities. Enter operational threat intelligence. Operational threat intelligence provides context for security events and incidents such that defenders can:

  • Expose potential risks
  • Gain insight into actor methodologies
  • Pursue previously undiscovered malicious activity
  • Perform faster and more thorough investigations into malicious activity

This kind of intelligence is most frequently uncovered by forensic investigators and incident responders, and typically includes the following types of items:

  • Tools for particular threat groups (utilities, backdoor families, common infrastructure)
  • TTPs for particular threat groups (staging directories, file naming conventions, ports, protocols, favorite file types)
  • Emerging TTPs (new persistence methods, exploits, phishing schemes)

Consider the following from an incident response perspective: If you are responding to an intrusion event, you may wonder how a particular actor performs privilege escalation, lateral movement or data theft. If you are hunting for undiscovered malicious activity, you might want to start your hunt by looking for a specific actor behavior. Whatever your scenario, you need to answer the question “How do you search for this actor within your environment?”

Example Operational Intelligence for APT29

  • Preferred Infection Vector: spearphishing with self-extracting RAR
  • First Stage Malware Families: COZYCAR, SWIFTKICK, TADPOLE
  • Second Stage Malware Families: SEADADDY, MINIDIONIS, SPIKERUSH
  • Persistence Techniques
    • Scheduled Tasks for most backdoors
    • WMI by manual installation for backdoors that do not have persistence built in
    • Legitimate file replacement of Windows Error Reporting file (wermgr.exe)
  • Use of TOR for C2
  • Use of Google Docs for C2
  • Use of Google Cloud Apps for C2 forwarding (as a proxy)
  • Use of HTTP POST requests over 443 for C2
  • Use of backdoors configured for ports 1, 80, 443, 3389 for C2
  • Use of PowerShell scripts
  • Use of Py2Exe to modify and recompile backdoors with variance in C2 protocols and C2 infrastructure

Example Operational Intelligence for the Education Sector

  • Common attack vectors are spear phishing, watering holes and SQL injection
  • Spearphishing university professors who specialize in incorporating new technology into classrooms
  • Spearphishing to recruiters and people involved in hiring processes
  • Common attacks are spear phishing and SQL injection (SQLi)
  • Common malware families: PISCES, SOGU, LOGJAM, COBALT, COATHOOK, POISONIVY, NJRAT, NETWIRE
  • Common pentesting families: Meterpreter, PowerShell Empire, Metasploit Framework
  • Use of Dropbox for C2
  • Use of HTTPS and custom TCP protocols for C2
  • Use of .ru, .su TLDs for C2 domains
  • Use of yandex.ru and bk.ru for email addresses
  • Theft of databases containing student names, administrative credentials, billing information, social security numbers and other PII.

Using Operational Intelligence

Operational intelligence is knowledge gained from examining details from known attacks (also known as tactical intelligence - more on that next time). An analyst can build a solid picture of actor methodology by piecing together tactical indicators and artifacts, and derive into operational intelligence. This can help to:

  • Enrich security events and alerts for known-bad atomic IOCs, equipping security personnel with the context they need to make better security decisions
  • Enhance incident response plans and mitigation techniques for future attacks and incidents
  • Implement and bolster a proactive discovery program (“hunting program”) to identify suspicious files and activity that has bypassed traditional security technologies
  • Extract useful redteaming techniques based on attacker methods in the wild
  • Perform actor-based and malware family-based analytics for high risk threats to your company, industry, geography or nation
  • Develop detection methodologies that are not dependent on IOCs, ensuring broader coverage of threats in a more timely fashion

Next up - What is Tactical Threat Intelligence?

Justin Swisher
About the Author

Justin Swisher

Justin Swisher is a Solutions Manager at Anomali. Building on more than twelve years of IT security experience with an emphasis in network security architecture and monitoring, Mr. Swisher has worked to develop new techniques to improve detection and threat hunting. After spending four years with the Air Force as an intelligence analyst, Mr. Swisher brought those analytical skills to leading cybersecurity vendors in an effort to improve network security detection and response.

Get the latest threat intelligence news in your email.