Threat intelligence introduction
Cyber threat intelligence is a subset of intelligence focused on information security. This curated information is intended to help you make better decisions about how to defend yourself and your business, from cyber-based threats. Some of the questions threat intelligence can answer includes:
- Who are my adversaries and how might they attack me?
- How do attack vectors affect the security of my company?
- What should my security operations teams be watching for?
- How can I reduce the risk of a cyber attack against my company?
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
There are generally three "levels" of cyber threat intelligence: strategic, operational, and tactical.
Collecting each flavor of intelligence is important because they serve different functions. Analysts leveraging the sum knowledge of these three types of intelligence are better able to determine what security solutions to use, how they should be leveraged, and how to proactively and reactively respond to threats.
We’ll use APT29 and the Education Sector to illustrate the differences between these three types of intelligence.
|Type||Tagline||Half-life of utility|
(for good guys and bad guys)
|Focus||Built on the analysis of||Output data types|
|Long (multiyear)||Non-technical||Big campaigns, groups, multi victim intrusions (and operational intel)||Long-form writing about victimology, YoY methodology, mapping intrusions and campaigns to conflicts, events, and geopolitical pressures|
|Medium (one-year plus)||Mixed (both really)||Whole malware families, threat groups, human behavior analysis (and tactical intel)||Short-form writing, bulleted lists, about: persistence and comms techniques, victims, group profiles, family profiles, TTP descriptions, triggers, patterns, and methodology rules|
|Tactical||What?||Short (months)||Technical||Security events, individual malware samples, phishing emails, attacker infrastructure||Atomic and machine-readable indicators such as IPs, domains, IOCs, "signatures"|
Levels of threat intelligence
Tactical threat intelligence
Tactical threat intelligence is the most basic form of threat intelligence. These are your common indicators of compromise (IOCs). Tactical intelligence is often used for machine-to-machine detection of threats and for incident responders to search for specific artifacts in enterprise networks.
Using tactical threat intelligence
Tactical threat intelligence and IOCs are meant to historically document cyber attacks, serving both as a corpus of evidence (for compliance, law enforcement, investigations, legal purposes, etc) and also as reference material for analysts to interpret and extract context for use in defensive operations.
IOCs are provided to analysts to serve as examples of a particular threat, such as a malware sample, malware family, intrusion campaign, or threat actor. Analysts can enrich alerts from security solutions with tactical threat intelligence to provide more context and determine which threats are worth worrying about and which can safely be ignored.
Tactical threat intelligence for APT29
Tactical threat intelligence for education sector
Operational threat intelligence
Operational threat intelligence provides insight into actor methodologies and exposes potential risks. It fuels more meaningful detection, incident response, and hunting programs. Where tactical threat intelligence gives analysts context on threats that are already known, operational intelligence brings investigations closer to uncovering completely new threats.
This kind of intelligence is most frequently used by forensic investigators and incident responders, and typically includes the following types of items:
- Tools for particular threat groups (utilities, backdoor families, common infrastructure)
- Tactics, Techniques, and Procedures (TTPs) for particular threat groups (staging directories, file naming conventions, ports, protocols, favorite file types)
- Emerging TTPs (new persistence methods, exploits, phishing schemes)
Consider the following from an incident response perspective: If you are responding to an intrusion event, you may wonder how a particular actor performs privilege escalation, lateral movement, or data theft. If you are hunting for undiscovered malicious activity, you might want to start your hunt by looking for a specific actor's behavior. Whatever your scenario, you need to answer the question “How do you search for this actor within your environment?”
Using operational threat intelligence
Operational threat intelligence is knowledge gained from examining details from known attacks. An analyst can build a solid picture of actor methodology by piecing together tactical indicators and artifacts and derive them into operational intelligence. This can help to achieve a number of defensive goals, like enhancing incident response plans and mitigation techniques for future attacks and incidents.
Analysts can also implement and bolster a proactive discovery program (“hunting program”) to identify suspicious files and activity that have bypassed traditional security technologies. From there they can develop detection methodologies that are not dependent on IOCs, ensuring broader coverage of threats in a more timely fashion.
Examples of operational threat intelligence
Example operational threat intelligence for APT29
- Preferred Infection Vector: spear phishing with self-extracting RAR
- First Stage Malware Families: COZYCAR, SWIFTKICK, TADPOLE
- Second Stage Malware Families: SEADADDY, MINIDIONIS, SPIKERUSH
- Persistence Techniques
- Scheduled Tasks for most backdoors
- WMI by manual installation for backdoors that do not have persistence built-in
- Legitimate file replacement of Windows Error Reporting file (wermgr.exe)
- Use of TOR for C2
- Use of Google Docs for C2
- Use of Google Cloud Apps for C2 forwarding (as a proxy)
- Use of HTTP POST requests over 443 for C2
- Use of backdoors configured for ports 1, 80, 443, 3389 for C2
- Use of PowerShell scripts
- Use of Py2Exe to modify and recompile backdoors with variance in C2 protocols and C2 infrastructure
Example operational threat intelligence for the education sector
- Common attack vectors are spear phishing, watering holes, and SQL injection
- Spear phishing university professors who specialize in incorporating new technology into classrooms
- Spear phishing to recruiters and people involved in hiring processes
- Common attacks are spear-phishing and SQL injection (SQLi)
- Common malware families: PISCES, SOGU, LOGJAM, COBALT, COATHOOK, POISONIVY, NJRAT, NETWIRE
- Common pentesting families: Meterpreter, PowerShell Empire, Metasploit Framework
- Use of Dropbox for C2
- Use of HTTPS and custom TCP protocols for C2
- Use of .ru, .su TLDs for C2 domains
- Use of yandex.ru and bk.ru for email addresses
- Theft of databases containing student names, administrative credentials, billing information, social security numbers, and other PII.
Strategic threat intelligence
Strategic threat intelligence provides a big picture look at how threats and attacks are changing over time. Strategic threat intelligence may be able to identify historical trends, motivations, or attributions as to who is behind an attack. Knowing the who and why of your adversaries also provides clues to their future operations and tactics. This makes strategic intelligence a solid starting point for deciding which defensive measures will be most effective.
Strategic threat intelligence might include information on the following topic areas:
- Attribution for intrusions and data breaches
- Actor group trends
- Targeting trends for industry sectors and geographies
- Mapping cyber attacks to geopolitical conflicts and events(South China Sea, Arab Spring, Russia-Ukraine)
- Global statistics on breaches, malware, and information theft
- Major attacker TTP changes over time
Using strategic threat intelligence
Strategic threat intelligence is built upon a huge body of knowledge and includes expert opinions and insights that are based on aggregating both operational and tactical threat intelligence from known cyber attacks. This intelligence is particularly useful for people in leadership roles such as CISOs and executive leadership who must justify budgets and make better-informed investment decisions. Some uses of strategic threat intelligence include:
- Inform your executive leadership about high-risk threat actors, relevant risk scenarios, and threat exposure in the public-facing technology sphere and criminal underground.
- Perform thorough risk analysis and review of the entire technology supply chain.
- Learn which commercial ventures, vendors, partner companies, and technology products are most likely to increase or decrease risk to your enterprise environment.
Examples of strategic threat intelligence
Strategic threat intelligence for APT29
- APT29 is a Russia-based actor that typically engages in cyber espionage with the purpose of data theft.
- APT29 victims include many global organizations in government, education, high-technology, finance, non-profit, pharma, and the Defense Industrial Base.
- APT29 is an adaptable, sophisticated group with the ability to develop custom attack tools, convoluted command-and-control infrastructure, and unlike historical behaviors of Russian state-sponsored actors, this group has the audacity to continue to operate long after they have been detected.
- APT29 has been historically tasked to pursue operations surrounding foreign government policy issues, especially those involving the Russia-Ukraine conflict. Furthermore, the group has targeted several Western national government agencies, defense and government contractors, and academic institutions.
Strategic threat intelligence for the education sector
- Educational IT infrastructure has a diverse user base and is thus typically comprised of a myriad of operating systems, computer types, software, and tons of servers and websites that are publicly accessible from the internet. This makes universities and academic research facilities prime targets for attackers as both places from which to steal valuable data and also as hop points for further intrusion operations.
- The education industry will continue to see cyber-espionage activity in the foreseeable future. We expect threat actors from China, Russia, Iran, and other countries to conduct espionage operations for data theft, trade information, economic intelligence, and monitoring of diaspora.
- Several groups have been observed conducting intrusion operations that have affected academic institutions including universities and research centers:
- APT10 aka “MenuPass Group”
- APT22 aka “Barista Team”
- APT29 aka “The Dukes”
Threat intelligence and business objectives
Threat intelligence always has a purpose—to inform decision making and drive action. However, it’s not uncommon for businesses to struggle when determining the value of their threat intelligence team, processes, and tools. The terminology of threat intelligence is usually not compatible with the business lexicon, leading to misunderstandings of its purpose and value.
Businesses can help derive value from their intelligence programs by aligning them to a generic, macro-level set of priorities as can be seen below (not all-inclusive):
- Grow revenue
- Lower expenses
- Reduce and mitigate risk
- Customer satisfaction and retention
- Employee satisfaction and retention
Once the threat intelligence team understands the business objectives, they can align their operations and efforts to support the business. Not all of the business priorities will perfectly align with threat intelligence capabilities, and that’s okay. You can develop granularity and nuance as you build out your requirements. Here are some starting goals for any threat intelligence team:
- Reduce expenses related to fraud and cybercrime
- Collaborate with the Fraud team to determine the top 3-5 types of fraud and ask what information would help them detect/prevent this in the future?
- Prevent data loss
- What does the analysis of Incident tickets reveal about the nature and type of data targeted in previous data breach events?
- What vulnerabilities were exploited and by what means?
- Protect PII
- What systems store PII and how do the vulnerabilities of those systems line up with known exploitation vectors?
- Reduce business risk
- TI can focus on reducing risk due to data loss and external threats by identifying actors and deriving intelligence on external threats targeting their industry, ensuring detection techniques and mechanisms are in place and able to catch these threats.
Threat intelligence evolution
Threat intelligence will continue to evolve and be a key security function. Integrating tactical, operational, and strategic threat intelligence will provide valuable insights into IOCs and threat actor's methodologies. This will lead to more secure environments where you can identify your adversaries. A growing number of public and private sector organizations are now using cyber threat intelligence. Recent research published by the Ponemon Institute revealed that 80 percent of organizations are using it and that an even higher percentage regard it as critical.
Organizations using cyber threat intelligence are meeting numerous security challenges. They are detecting and responding to advanced threats. They are preventing data breaches and protecting sensitive information. They are lowering cybercrime and fraud costs. Most importantly, they are reducing overall business risk.
The information on this page should provide you with a solid understanding of what cyber threat intelligence is and the value it provides. However, this is only a starting point. In addition to this information, Anomali provides numerous resources that can help you to make a smart decision about why you should add cyber threat intelligence capabilities to your security stack and how to integrate them with minimal friction.