Threat Intelligence

Cyber threat intelligence is a subset of intelligence focused on information security. This curated information is intended to help you make better decisions about how to defend yourself and your business from cyber-based threats. Some of the questions threat intelligence can answer include:

Who are my adversaries and how might they attack me?
How do attack vectors affect the security of my company?
What should my security operations teams be watching for?
How can I reduce the risk of a cyber attack against my company?

"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

Gartner definition of threat intelligence

Types of threat intelligence

Cyber threat intelligence is generally categorized by three different types:

Strategic: Answering the “Who” and “Why”
Operational: Answering the How and Where
Tactical: Answering the What

Utilizing each type of intelligence is important because they serve different functions. Analysts leveraging the sum knowledge of these three types of intelligence are better able to determine what security solutions to use, how they should be leveraged, and how to proactively and reactively respond to threats.

Type	Tagline	Half-life of utility	Focus	Built on the analysis of	Output data types
Strategic	Who? Why?	Long (multiyear)	Non-technical	Big campaigns, groups, multi victim intrusions (and operational intel)	Long-form writing about victimology, YoY methodology, mapping intrusions and campaigns to conflicts, events, and geopolitical pressures
Operational	How? Where?	Medium (one-year+)	Mixed	Whole malware families, threat groups, human behavior analysis (and tactical intel)	Short-form writing, bulleted lists, about: persistence and comms techniques, victims, group profiles, family profiles, TTP descriptions, triggers, patterns, and methodology rules
Tactical	What?	Short (months)	Technical	Security events, individual malware samples, phishing emails, attacker infrastructure	Atomic and machine-readable indicators such as IPs, domains, IOCs, "signatures"

Tactical threat intelligence

Tactical threat intelligence is the most basic form of threat intelligence. These are your common indicators of compromise (IOCs). Tactical intelligence is often used for machine-to-machine detection of threats and for incident responders to search for specific artifacts in enterprise networks.

Using tactical threat intelligence

Tactical threat intelligence and IOCs are meant to historically document cyber attacks, serving both as a corpus of evidence (for compliance, law enforcement, investigations, legal purposes, etc.) and also as reference material for analysts to interpret and extract context for use in defensive operations.

IOCs are provided to analysts to serve as examples of a particular threat, such as a malware sample, malware family, intrusion campaign, or threat actor. Analysts can enrich alerts from security solutions with tactical threat intelligence to provide more context and determine which threats are worth worrying about and which can safely be ignored.

Tactical threat intelligence for APT29

628d4f33bd604203d25dbc6a5bb35b90
2aabd78ef11926d7b562fd0d91e68ad3
3d3363598f87c78826c859077606e514
meek-reflect.appspot.com
portal.sbn.co.th
202.28.231.44
hxxps://files.counseling[.]org/eFax/incoming/150721/5442.zip
googleService.exe
GoogleUpdate.exe
acrotray.exe
PCI\VEN_80EE&DEV_CAF

Tactical threat intelligence for education sector

d9b7b0eda8bd28e8934c5929834e5006
support@securitygrade[.]org
46.244.4.37

‍

Operational threat intelligence

Operational threat intelligence provides insight into actor methodologies and exposes potential risks. It fuels more meaningful detection, incident response, and hunting programs. Where tactical threat intelligence gives analysts context on threats that are already known, operational intelligence brings investigations closer to uncovering completely new threats.This kind of intelligence is most frequently used by forensic investigators and incident responders, and typically includes the following types of items:

Tools for particular threat groups (utilities, backdoor families, common infrastructure)
Tactics, Techniques, and Procedures (TTPs) for particular threat groups (staging directories, file naming conventions, ports, protocols, favorite file types)
Emerging TTPs (new persistence methods, exploits, phishing schemes)

Consider the following from an incident response perspective: If you are responding to an intrusion event, you may wonder how a particular actor performs privilege escalation, lateral movement, or data theft. If you are hunting for undiscovered malicious activity, you might want to start your hunt by looking for a specific actor's behavior. Whatever your scenario, you need to answer the question “How do you search for this actor within your environment?”

Using operational threat intelligence

Operational threat intelligence is knowledge gained from examining details from known attacks. An analyst can build a solid picture of actor methodology by piecing together tactical indicators and artifacts and derive them into operational intelligence. This can help to achieve a number of defensive goals, like enhancing incident response plans and mitigation techniques for future attacks and incidents.Analysts can also implement and bolster a proactive discovery program (“hunting program”) to identify suspicious files and activity that have bypassed traditional security technologies. From there they can develop detection methodologies that are not dependent on IOCs, ensuring broader coverage of threats in a more timely fashion.

Examples of operational threat intelligence

Example operational threat intelligence for APT29

Preferred Infection Vector: spear phishing with self-extracting RAR
First Stage Malware Families: COZYCAR, SWIFTKICK, TADPOLE
Second Stage Malware Families: SEADADDY, MINIDIONIS, SPIKERUSH
Persistence Techniques
Scheduled Tasks for most backdoors
WMI by manual installation for backdoors that do not have persistence built-in
Legitimate file replacement of Windows Error Reporting file (wermgr.exe)
Use of TOR for C2
Use of Google Docs for C2
Use of Google Cloud Apps for C2 forwarding (as a proxy)
Use of HTTP POST requests over 443 for C2
Use of backdoors configured for ports 1, 80, 443, 3389 for C2
Use of PowerShell scripts
Use of Py2Exe to modify and recompile backdoors with variance in C2 protocols and C2 infrastructure

‍

Example operational threat intelligence for the education sector

Common attack vectors are spear phishing, watering holes, and SQL injection
Spear phishing university professors who specialize in incorporating new technology into classrooms
Spear phishing to recruiters and people involved in hiring processes
Common attacks are spear-phishing and SQL injection (SQLi)
Common malware families: PISCES, SOGU, LOGJAM, COBALT, COATHOOK, POISONIVY, NJRAT, NETWIRE
Common pentesting families: Meterpreter, PowerShell Empire, Metasploit Framework
Use of Dropbox for C2
Use of HTTPS and custom TCP protocols for C2
Use of .ru, .su TLDs for C2 domains
Use of yandex.ru and bk.ru for email addresses
Theft of databases containing student names, administrative credentials, billing information, social security numbers, and other PII.

‍

Threat intelligence and business objectives

Threat intelligence always has a purpose – to inform decision making and drive action. However, it’s not uncommon for businesses to struggle when determining the value of their threat intelligence team, processes, and tools. The terminology of threat intelligence is usually not compatible with the business lexicon, leading to misunderstandings of its purpose and value.Businesses can help derive value from their intelligence programs by aligning them to a generic, macro-level set of priorities as can be seen below (not all-inclusive):

Grow revenue
Lower expenses
Reduce and mitigate risk
Customer satisfaction and retention
Employee satisfaction and retention
Compliance-regulation

‍

Once the threat intelligence team understands the business objectives, they can align their operations and efforts to support the business. Not all of the business priorities will perfectly align with threat intelligence capabilities, and that’s okay. You can develop granularity and nuance as you build out your requirements. Here are some starting goals for any threat intelligence team:

Reduce expenses related to fraud and cybercrime
- Collaborate with the Fraud team to determine the top 3–5 types of fraud and ask what information would help them detect and prevent this in the future?
Prevent data loss
- What does the analysis of Incident tickets reveal about the nature and type of data targeted in previous data breach events?
- What vulnerabilities were exploited and by what means?

Protect PII
- What systems store PII and how do the vulnerabilities of those systems line up with known exploitation vectors?
Reduce business risk
- TI can focus on reducing risk due to data loss and external threats by identifying actors and deriving intelligence on external threats targeting their industry, ensuring detection techniques and mechanisms are in place and able to catch these threats.

Threat intelligence evolution

Threat intelligence will continue to evolve and be a key security function. Integrating tactical, operational, and strategic threat intelligence will provide valuable insights into IOCs and threat actor's methodologies. This will lead to more secure environments where you can identify your adversaries. A growing number of public and private sector organizations are now using cyber threat intelligence. Recent research published by the Ponemon Institute revealed that 80% of organizations are using it and that an even higher percentage regard it as critical.Organizations using cyber threat intelligence are meeting numerous security challenges. They are detecting and responding to advanced threats. They are preventing data breaches and protecting sensitive information. They are lowering cybercrime and fraud costs. Most importantly, they are reducing overall business risk.