What is threat intelligence?

Threat intelligence is evidence-based knowledge about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.

Threat intelligence introduction

Cyber threat intelligence is a subset of intelligence focused on information security. This curated information is intended to help you make better decisions about how to defend yourself and your business from cyber-based threats. Some of the questions threat intelligence can answer include:

Who are my adversaries and how might they attack me?
How do attack vectors affect the security of my company?
What should my security operations teams be watching for?
How can I reduce the risk of a cyber attack against my company?

"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

Gartner definition of threat intelligence

Levels of threat intelligence

Cyber threat intelligence is generally viewed in three levels:

Strategic: Answering the “Who” and “Why”
Operational: Answering the How and Where
Tactical: Answering the What

Utilizing each instance of intelligence is important because they serve different functions. Analysts leveraging the sum knowledge of these three types of intelligence are better able to determine what security solutions to use, how they should be leveraged, and how to proactively and reactively respond to threats.

Strategic
Who?
Why?
Long (multiyear)
Non-technical
Big campaigns, groups, multi victim intrusions (and operational intel)
Long-form writing about victimology, YoY methodology, mapping intrusions and campaigns to conflicts, events, and geopolitical pressures
Operational
How?Where?
Medium (one-year+)
Mixed
Whole malware families, threat groups, human behavior analysis (and tactical intel)
Short-form writing, bulleted lists, about: persistence and comms techniques, victims, group profiles, family profiles, TTP descriptions, triggers, patterns, and methodology rules
Tactical
What?
Short (months)
Technical
Security events, individual malware samples, phishing emails, attacker infrastructure
Atomic and machine-readable indicators such as IPs, domains, IOCs, "signatures"

Tactical threat intelligence

Tactical threat intelligence is the most basic form of threat intelligence. These are your common indicators of compromise (IOCs). Tactical intelligence is often used for machine-to-machine detection of threats and for incident responders to search for specific artifacts in enterprise networks.

Using tactical threat intelligence

Tactical threat intelligence and IOCs are meant to historically document cyber attacks, serving both as a corpus of evidence (for compliance, law enforcement, investigations, legal purposes, etc.) and also as reference material for analysts to interpret and extract context for use in defensive operations.

IOCs are provided to analysts to serve as examples of a particular threat, such as a malware sample, malware family, intrusion campaign, or threat actor. Analysts can enrich alerts from security solutions with tactical threat intelligence to provide more context and determine which threats are worth worrying about and which can safely be ignored.

Tactical threat intelligence for APT29

628d4f33bd604203d25dbc6a5bb35b90
2aabd78ef11926d7b562fd0d91e68ad3
3d3363598f87c78826c859077606e514
meek-reflect.appspot.com
portal.sbn.co.th
202.28.231.44
hxxps://files.counseling[.]org/eFax/incoming/150721/5442.zip
googleService.exe
GoogleUpdate.exe
acrotray.exe
PCI\VEN_80EE&DEV_CAF

Tactical threat intelligence for education sector

d9b7b0eda8bd28e8934c5929834e5006
support@securitygrade[.]org
46.244.4.37

Operational threat intelligence

Operational threat intelligence provides insight into actor methodologies and exposes potential risks. It fuels more meaningful detection, incident response, and hunting programs. Where tactical threat intelligence gives analysts context on threats that are already known, operational intelligence brings investigations closer to uncovering completely new threats.

This kind of intelligence is most frequently used by forensic investigators and incident responders, and typically includes the following types of items:

Tools for particular threat groups (utilities, backdoor families, common infrastructure)
Tactics, Techniques, and Procedures (TTPs) for particular threat groups (staging directories, file naming conventions, ports, protocols, favorite file types)
Emerging TTPs (new persistence methods, exploits, phishing schemes)

Consider the following from an incident response perspective: If you are responding to an intrusion event, you may wonder how a particular actor performs privilege escalation, lateral movement, or data theft. If you are hunting for undiscovered malicious activity, you might want to start your hunt by looking for a specific actor's behavior. Whatever your scenario, you need to answer the question “How do you search for this actor within your environment?”

Using operational threat intelligence

Operational threat intelligence is knowledge gained from examining details from known attacks. An analyst can build a solid picture of actor methodology by piecing together tactical indicators and artifacts and derive them into operational intelligence. This can help to achieve a number of defensive goals, like enhancing incident response plans and mitigation techniques for future attacks and incidents.

Analysts can also implement and bolster a proactive discovery program (“hunting program”) to identify suspicious files and activity that have bypassed traditional security technologies. From there they can develop detection methodologies that are not dependent on IOCs, ensuring broader coverage of threats in a more timely fashion.

Examples of operational threat intelligence

Example operational threat intelligence for APT29
Preferred Infection Vector: spear phishing with self-extracting RAR
First Stage Malware Families: COZYCAR, SWIFTKICK, TADPOLE
Second Stage Malware Families: SEADADDY, MINIDIONIS, SPIKERUSH
Persistence Techniques
  • Scheduled Tasks for most backdoors
  • WMI by manual installation for backdoors that do not have persistence built-in
  • Legitimate file replacement of Windows Error Reporting file (wermgr.exe)
Use of TOR for C2
Use of Google Docs for C2
Use of Google Cloud Apps for C2 forwarding (as a proxy)
Use of HTTP POST requests over 443 for C2
Use of backdoors configured for ports 1, 80, 443, 3389 for C2
Use of PowerShell scripts
Use of Py2Exe to modify and recompile backdoors with variance in C2 protocols and C2 infrastructure
Example operational threat intelligence for the education sector
Common attack vectors are spear phishing, watering holes, and SQL injection
Spear phishing university professors who specialize in incorporating new technology into classrooms
Spear phishing to recruiters and people involved in hiring processes
Common attacks are spear-phishing and SQL injection (SQLi)
Common malware families: PISCES, SOGU, LOGJAM, COBALT, COATHOOK, POISONIVY, NJRAT, NETWIRE
Common pentesting families: Meterpreter, PowerShell Empire, Metasploit Framework
Use of Dropbox for C2
Use of HTTPS and custom TCP protocols for C2
Use of .ru, .su TLDs for C2 domains
Use of yandex.ru and bk.ru for email addresses
Theft of databases containing student names, administrative credentials, billing information, social security numbers, and other PII.

Strategic threat intelligence

Strategic threat intelligence provides a big picture look at how threats and attacks are changing over time. Strategic threat intelligence may be able to identify historical trends, motivations, or attributions as to who is behind an attack. Knowing the who and why of your adversaries also provides clues to their future operations and tactics. This makes strategic intelligence a solid starting point for deciding which defensive measures will be most effective.

Strategic threat intelligence might include information on the following topic areas:

Attribution for intrusions and data breaches
Actor group trends
Targeting trends for industry sectors and geographies
Mapping cyber attacks to geopolitical conflicts and events(South China Sea, Arab Spring, Russia-Ukraine)
Global statistics on breaches, malware, and information theft
Major attacker TTP changes over time

Using strategic threat intelligence

Strategic threat intelligence is built upon a huge body of knowledge and includes expert opinions and insights that are based on aggregating both operational and tactical threat intelligence from known cyber attacks. This intelligence is particularly useful for people in leadership roles such as CISOs and executive leadership who must justify budgets and make better-informed investment decisions. Some uses of strategic threat intelligence include:

Inform your executive leadership about high-risk threat actors, relevant risk scenarios, and threat exposure in the public-facing technology sphere and criminal underground.
Perform thorough risk analysis and review of the entire technology supply chain.
Learn which commercial ventures, vendors, partner companies, and technology products are most likely to increase or decrease risk to your enterprise environment.

Examples of strategic threat intelligence

Strategic threat intelligence for APT29
APT29 is a Russia-based actor that typically engages in cyber espionage with the purpose of data theft.
APT29 victims include many global organizations in government, education, high-technology, finance, non-profit, pharma, and the Defense Industrial Base.
APT29 is an adaptable, sophisticated group with the ability to develop custom attack tools, convoluted command-and-control infrastructure, and unlike historical behaviors of Russian state-sponsored actors, this group has the audacity to continue to operate long after they have been detected.
APT29 has been historically tasked to pursue operations surrounding foreign government policy issues, especially those involving the Russia-Ukraine conflict. Furthermore, the group has targeted several Western national government agencies, defense and government contractors, and academic institutions.
Strategic threat intelligence for the education sector
Educational IT infrastructure has a diverse user base and is thus typically comprised of a myriad of operating systems, computer types, software, and tons of servers and websites that are publicly accessible from the internet. This makes universities and academic research facilities prime targets for attackers as both places from which to steal valuable data and also as hop points for further intrusion operations.
The education industry will continue to see cyber-espionage activity in the foreseeable future. We expect threat actors from China, Russia, Iran, and other countries to conduct espionage operations for data theft, trade information, economic intelligence, and monitoring of diaspora.
Several groups have been observed conducting intrusion operations that have affected academic institutions including universities and research centers:
  • APT10 aka “MenuPass Group”
  • APT22 aka “Barista Team”
  • APT29 aka “The Dukes”

Threat intelligence and business objectives

Threat intelligence always has a purpose to inform decision making and drive action. However, it’s not uncommon for businesses to struggle when determining the value of their threat intelligence team, processes, and tools. The terminology of threat intelligence is usually not compatible with the business lexicon, leading to misunderstandings of its purpose and value.

Businesses can help derive value from their intelligence programs by aligning them to a generic, macro-level set of priorities as can be seen below (not all-inclusive):

Grow revenue
Lower expenses
Reduce and mitigate risk
Customer satisfaction and retention
Employee satisfaction and retention
Compliance-regulation

Once the threat intelligence team understands the business objectives, they can align their operations and efforts to support the business. Not all of the business priorities will perfectly align with threat intelligence capabilities, and that’s okay. You can develop granularity and nuance as you build out your requirements. Here are some starting goals for any threat intelligence team:

Reduce expenses related to fraud and cybercrime
  • Collaborate with the Fraud team to determine the top 3–5 types of fraud and ask what information would help them detect and prevent this in the future?
Prevent data loss
  • What does the analysis of Incident tickets reveal about the nature and type of data targeted in previous data breach events?
  • What vulnerabilities were exploited and by what means?
Protect PII
  • What systems store PII and how do the vulnerabilities of those systems line up with known exploitation vectors?
Reduce business risk
  • TI can focus on reducing risk due to data loss and external threats by identifying actors and deriving intelligence on external threats targeting their industry, ensuring detection techniques and mechanisms are in place and able to catch these threats.

Threat intelligence evolution

Threat intelligence will continue to evolve and be a key security function. Integrating tactical, operational, and strategic threat intelligence will provide valuable insights into IOCs and threat actor's methodologies. This will lead to more secure environments where you can identify your adversaries. A growing number of public and private sector organizations are now using cyber threat intelligence. Recent research published by the Ponemon Institute revealed that 80% of organizations are using it and that an even higher percentage regard it as critical.

Organizations using cyber threat intelligence are meeting numerous security challenges. They are detecting and responding to advanced threats. They are preventing data breaches and protecting sensitive information. They are lowering cybercrime and fraud costs. Most importantly, they are reducing overall business risk.