frosty29637

Learning Resources

Jan 20th, 2022 (edited)

Threat Intelligence Learning

The Basics

Fundamentals

Threat intelligence is the by-product of processed data and analysed information, intended to enable organisations to understand the conflicts in which they are engaged, whether security (e.g. geopolitical), economic (e.g. criminal) or ideological (e.g. activism). A key objective of intelligence is to enable you to make better informed decisions. By definition, neither raw observations nor speculation are intelligence.

The nature of conflict divides us into two categories: ourselves and our adversaries. To produce threat intelligence we must look at conflict from the perspective of both sides, and especially the adversary. By better understanding an adversary, intelligence can guide a reduction in attack surface based on their intrusion methodology, through hardening, TTP detections, emulations, product choices and incident response.

Threat intelligence can be broken down into 3 categories:

  • Strategic (Mind): High-level information on security posture and relevant threats. Analysis can be in the form of executive briefs that help recipients to make better strategic decisions. Consumed by leaders and decision makers (CISO, CTO, board, business leaders).
  • Operational (Body): Information regarding specific threats. Helps SOCs to understand adversaries, and provides guidance on required actions. Vulnerabilities, hardening, detection engineering and incident response are given direction and priority. Used by SOC Managers and Senior Defenders.
  • Tactical (Actions): Tactics, Techniques and Procedures and Indicators of Compromise of specific threats. Threats are denied the ability to achieve their objective through the provision of tailored datasets. Used by both SOC Staff and Defensive Systems (SIEM, EDR, Proxy, NGFW).

Example requirements could then be expressed as:

  • Strategic: What industry verticals am I in and what are my critical assets? What adversaries are motivated to target my industry and how might they do so?
  • Operational: How will the adversary exploit my people, processes and technology? What capabilities will the adversary use against me and what infrastructure will these capabilities come from?
  • Tactical: How will the adversary gain access to my organisation across digital, physical and psychological vectors? What tactics, techniques and procedures will the adversary leverage to gain access to my organisation?

We're not trying to find individual adversaries. We're trying to collect information to support strategic and operational decisions:

  • Strategic: future considerations and investment priority.
  • Operational: informed architectural changes, to defend against a vast array of adversaries and any combination of known TTPs they employ.

Don't get too caught up in targeted vs opportunistic activity. Telling them apart requires an abundance of threat intelligence and doesn't necessarily change the response when we consider the re-use of TTPs. Consider that 68% of intrusions do not feature malware.

Process

An effective threat intelligence program has 3 main pre-requisites:
Intelligence goals:
Objectives required of the intelligence team by the wider organisation. Think about them as questions or pain points. You generate intel for other people, not yourself (the self-licking ice cream cone problem). Talk to analysts and engineers and ask:

  • What are your pain points?
  • Where are you struggling to develop context?
  • If a flood of alerts comes in, do you know how to choose what's most important?
  • If faced with hardening an environment, what work should be prioritised?

Threat model:
Specific to the organisation:

  • What is the industry vertical? What actors are targeting this?
  • What security requirements does the organisation have?
  • What is it that they do that requires protection and/or makes them a target?
  • What risks are there that may impact the ability to deliver operations longer term (i.e. place risk on long term health)?
  • Out of the risks, what requires priority?

Collection management framework:
What data must be collected to achieve the goals, and where is it sourced from? Example: Intel471 GIR.

Further to this, it consists of 3 main disciplines:

  • Intel enrichment: gain more context about observables. Support analyst efforts.
  • Threat monitoring: monitor for threats against business interests (e.g. compromised credentials, exposure, new vulnerabilities and adversaries).
  • Threat reporting: consume information on adversary motives, TTPs, etc. Understand posture (what, so what, what next).

Tying this all together, a process is formed:

  1. Threat Model.
  2. Intelligence Objectives and Use Cases.
  3. Collection Process.
  4. Intelligence Analysis.
  5. Operationalised Intelligence.

Read more about the Cyber Threat Intelligence Lifecycle in the resources below.

Examples of good intelligence requirements are:

  • What infrastructure is used to socially engineer my customers?
  • What exploits are likely to be used to compromise the software or hardware of our users?
  • What infrastructure has a known threat group built that is likely to be used in a campaign against our users?
  • What tactics, techniques and procedures are likely to be used by adversaries to compromise or attack our crown jewels?

Types of Data

IOCs (e.g. hashes, IPs, domains, URLs) are one of many forms of raw data. In themselves, they are not intelligence. They are inherently atomic and serve to facilitate enrichment by describing adversary infrastructure. You are very rarely going to outpace Microsoft, Crowdstrike, Palo Alto or Google in obtaining knowledge of an IOC; however, its meaning to your organisation, when presented alongside intelligence, may be unique. If your firewall or endpoint vendor isn't flagging an IOC you'd expect them to, that's on them, not you. Atomic indicators must be provided in a timely fashion and with high confidence to be useful in active defense, and this is rarely the case for in-house intelligence programs. The Pyramid of Pain can be used to illustrate this, where the observable types at the bottom cause adversaries the least amount of pain when detected, and those at the top the most.

For example, hash detections are easily avoided through techniques such as hash busting and obfuscation, but it's far more difficult to maintain access to a host when known methods of persistence can be detected or prevented. Attackers use the same techniques over and over again, in different combinations. What is already available to them works just fine. Atomic IOCs can change at any moment, and when they do you lose detection capability.
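
The contrast above, as an added example that is not part of the original paste: a hash IOC and a behavioural rule for registry Run key persistence are run over the same constructed telemetry. The event fields, host names and sample bytes are assumptions made for illustration.

```python
import hashlib
import re

# Constructed samples: two builds of one tool that differ by a single padding byte.
BUILD_A = b"constructed-sample-implant"
BUILD_B = BUILD_A + b"\x00"

# Atomic IOC as it would arrive in a feed: the hash of the first build only.
IOC_HASHES = {hashlib.sha256(BUILD_A).hexdigest()}

# Behavioural rule: any write under a per-user or machine Run/RunOnce key
# (ATT&CK T1547.001, registry run key persistence).
RUN_KEY = re.compile(
    r"^(HKCU|HKLM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE,
)

def make_event(host, image, registry_target=None):
    """Constructed telemetry record: hash of the acting process plus any key it wrote."""
    return {"host": host, "image_sha256": hashlib.sha256(image).hexdigest(),
            "registry_target": registry_target}

EVENTS = [
    make_event("ws01", BUILD_A, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    make_event("ws02", BUILD_B, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    make_event("ws03", b"constructed-benign-app", r"HKCU\Software\ExampleApp\Settings\theme"),
    make_event("ws04", b"constructed-benign-app"),
]

def hash_hits(events):
    """Hosts where the acting process matches a known-bad hash."""
    return [e["host"] for e in events if e["image_sha256"] in IOC_HASHES]

def behaviour_hits(events):
    """Hosts where any process wrote to a Run/RunOnce key, whatever its hash."""
    return [e["host"] for e in events
            if e["registry_target"] and RUN_KEY.match(e["registry_target"])]

def coverage_gap(events):
    """Hosts the behavioural rule catches that the hash IOC misses."""
    return sorted(set(behaviour_hits(events)) - set(hash_hits(events)))

if __name__ == "__main__":
    print("hash IOC hits: ", hash_hits(EVENTS))
    print("behaviour hits:", behaviour_hits(EVENTS))
    print("missed by hash:", coverage_gap(EVENTS))
```

In production the behavioural rule also fires on legitimate installers that register autoruns, so it needs an allow-list or further context before it is used for alerting.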

On the other hand, intelligence communicates a full picture, associating a specific actor with high confidence IOCs, detailing their TTPs, and providing analysed information such as a timeline of infrastructure and operations. It is only with this analysed information that informed strategic, operational and tactical decisions can be made.

Or, more simply:

  • Data: what, where, when, who?
  • Information: how?
  • Intelligence: why?

Resources

Attribution

Detection Engineering

DFIR

Documentation

Tools:

EDR

Engineering

Hunting

Labs

Malware Analysis

Models and Frameworks

OSINT Feeds

RSS:

Clients:

Twitter:

Ensure these are made as private lists.

Clients:

Purple Teaming

Red Teaming

SIEM

Threat Intelligence

Tooling

TTPs

Other Resources
