Threat Intelligence Learning
Threat intelligence is the biproduct of processed data and analysed information, intended to enable organisations to understand the conflicts in which they are engaged: Security: e.g. geopolitical, Economic: e.g. criminal, Ideological: e.g. activism. A key objective of intelligence is to enable you to make better informed decisions. By definition, neither raw observations nor speculation are intelligence.
The nature of conflict divides us into two categories: ourselves and our adversaries. To produce threat intelligence we must look at conflict from the perspective of both sides, and especially the adversary. By better understanding an adversary, intelligence can serve to guide a reduction in attack surface based on their intrusion methodology: Hardening, TTP detections, Emulations, Product choices, Incident response.
Threat intelligence can be broken down into 3 categories:
- Strategic (Mind): High-level information on security posture and relevant threats. Analysis can be in the form of executive briefs that helps recipients to make better strategic decisions. Consumed by leaders and decision makers (CISO, CTO, board, business leaders).
- Operational (Body): Information regarding specific threats. Helps SOC's to understand adversaries, and provides guidance of required actions. Vulnerabilities, hardening, detection engineering and incident response is given direction and priority. Used by SOC Managers and Senior Defenders.
- Tactical (Actions): Tactics, Techniques and Procedures and Indicators of Compromise of specific threats. Threats are denied the ability to achieve their objective through the provision of tailored datasets. Used by both SOC Staff and Defensive Systems (SIEM, EDR, Proxy, NGFW).
Example requirements could then be expressed as:
- Strategic: What industry verticals am I in and what are my critical assets? What adversaries are motivated to target my industry and how might they do so?
- Operational: How will the adversary exploit my people, processes and technology? What capabilities will the adversary use against me and what infrastructure will these capabilities come from?
- Tactical: How will the adversary gain access to my organisation across digital, physical and psychological vectors? What tactics, techniques and procedures will the adversary leverage to gain access to my organisation?
We're not trying to find individual adversaries. We're trying to collect information to support strategic and operational decisions:
- Strategic: future considerations and investment priority.
- Operational: informed architectural changes, to defend against a vast array of adversaries and any combination of known TTP's they employ.
Don't get too caught up in targeted vs opportunistic activity. This requires an abundance of threat intelligence and doesn't necessarily change response when we consider the re-use of TTP's. Consider that 68% of intrusions do not feature malware.
An effective threat intelligence program has 3 main pre-requisites:
Objectives required of the intelligence team by the wider organisation. Think about them as questions or pain points. You generate intel for other people, not yourself (self-licking icecream cone problem). Talk to analysts and engineers and ask:
- What are your pain points?
- Where are you struggling to develop context?
- If a flood of alerts come in, do you know how to choose what's most important?
- If faced with hardening an environment, what work should be prioritised?
Specific to the organisation:
- What is the industry vertical? What actors are targeting this?
- What security requirements does the organisation have?
- What is it that they do that requires protection and/or makes them a target?
- What risks are there that may impact the ability to deliver operations longer term (i.e. place risk on long term health)?
- Out of the risks, what requires priority?
Collection management framework:
What data must be collected to achieve the goals and where it is sourced from? Example: Intel471 GIR.
Further to this, it consists of 3 main disciplines:
- Intel enrichment: gain more context about observables. Support analyst efforts.
- Threat monitoring: monitor for threats against business interests (e.g. compromised credentials, exposure, new vulnerabilities and adversaries).
- Threat reporting: consume information on adversary motives, TTP's, etc. Understand posture. (what, so what, what next).
Tying this altogether, a process is formed:
- Threat Model.
- Intelligence Objectives and Use Cases.
- Collection Process.
- Intelligence Analysis.
- Operationalised Intelligence.
Read more about the Cyber Threat Intelligence Lifecycle in the resources below.
Examples of good intelligence requirements are:
- What infrastructure is used to socially engineer my customers?
- What exploits are likely to be used to compromise the software or hardware of our users?
- What infrastructure has a known threat group built that is likely to be used in a campaign against our users?
- What tactics, techniques and procedures are likely to be used by adversaries to compromise or attack our crown jewels?
Types of Data
IOC's (e.g. hashes, IPs, domains, URLs) are one of many forms of raw data. In themselves, they are not intelligence. They are inherently atomic and serve to facilitate enrichment by describing adversary infrastructure. You are very rarely going to outpace Microsoft, Crowdstrike, Palo Alto or Google in obtaining knowledge of an IOC, however it's meaning to your organisation - when presented alongside intelligence - may be unique. If your firewall or endpoint vendor isn't flagging an IOC you'd expect them to, that's on them - not you. Atomic indicators must be provided in a timely fashion and with high confidence to be useful in active defense, and this is rarely the case for in-house intelligence programs. The Pyramid of Pain can be used to illustrate this, where the observable types at the bottom cause adversaries the least amount of pain when detected, and those at the top the most.
For example, hash detections are easily avoided through techniques such as hash busting and obfuscation, but it's far more difficult to maintain access to a host when known methods of persistence are able to be detected or prevented. Attackers use the same techniques over and over again, in different combinations. What is already available to them works just fine. Atomic IOC's can change at any moment, and in doing so you lose detection capability.
On the other hand, intelligence communicates a full picture, associating a specific actor with high confidence IOC's, detailing their TTP's, and providing analysed information such as a timeline of infrastructure and operations. It is only with this analysed information that informed strategic, operational and tactical decisions can be made.
Or, more simply:
- Data: what, where, when, who?
- Information: how?
- Intelligence: why?
- Brian Bartholomew & Juan Andres Guerrero-Saade. Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks
- Jake Williams. Conducting a Successful False Flag Operation. BlackHat Europe 2019
- Katie Nickels. The Attribution Game: When Knowing Your Adversary Matters
- Robert M. Lee. The Problems with Seeking and Avoiding True Attribution to Cyber Attacks
- Thomas Rid & Ben Buchanan. Attributing Cyber Attacks
- Attack Detection Fundamentals
- Azure Sentinel Repository
- Detection Ideas Repo by Vadim Khrykov @BlackMatter23
- Sigma Rules Repository
- YARA Rules Resource
- Cyber Resiliency Design Principles
- Implementing Least-Privilege Administrative Models
- Restricting SMB-based lateral movement in a Windows environment
- David J. Bianco and Cat Self. SANS Threat Hunting & IR Europe Summit 2020
- David J. Bianco. The ThreatHunting Project
- Joshua Stevens. Hunting for the Undefined Threat: Advanced Analytics & Visualization. RSA Conference 2015
- Matt Bromiley. Thinking like a Hunter: Implementing a Threat Hunting Program. SANS Analyst Paper
- Robert M. Lee and David J. Bianco. Generating Hypotheses for Successful Threat Hunting. SANS Analyst White Paper
- Roberto Rodriguez. How Hot is your Hunt Team?
- Roberto Rodriquez. ThreatHunter Playbook
- Sergio Caltagirone. Building Threat Hunting Strategies with the Diamond Model
- Threat Hunting in Security Operation - SANS Threat Hunting Summit 2017
- TTP Based Hunting
- Valentina Costa-Gazcon. Practical Threat Intelligence and Data-Driven Threat Hunting
- Beginner Malware Analysis
- Coleman Kane. Malware Analysis
- hasherezade. How to start RE/malware analysis
- Monnappa K A. Learning Malware Analysis
- MalwareUnicorn RE Workshops
- Zero2Automated: The Advanced Malware Analysis Course
Models and Frameworks
- 5 Phases of the Threat Intelligence Lifecycle
- Chet Richards. Boyd's OODA Loop
- Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
- Katie Nickels. ATT&CK Your CTI with Lessons Learned from 4 Years in the Trenches
- Sergio Caltagirone, Andrew Pendergast, & Christopher Betz. The Diamond Model of Intrusion Analysis
- Sergio Caltagirone. Building Threat Hunting Strategies with the Diamond Model
Ensure these are made as private lists.
- Automated Adversary Emulation: A Case for Planning and Acting with Unknowns
- Ch33r10's Purple Team Resources
- Jorge Orchilles. Purple Team Exercise Framework Workshop
- Prelude Operator Training
- SCYTHE’s Purple Team Exercise Framework
- SCYTHE's Community Threats
- Server Build Script
- Atomic Red Team by Red Canary
- C2 Matrix
- Red Team Podcast
- Red Teaming Techniques & Experiments
- SpecterOps Blog
- Vincent Yiu's Red Team Tips
- A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis
- Amy Bejtlich. Analytic Tradecraft in the Real World
- Andy Piazza. Goldilocks CTI: Building a Program That’s Just Right
- Black Hills Information Security: How to use Threat Intelligence
- Bongsik Shin and Paul Benjamin Lowry. A review and theoretical explanation of the 'Cyberthreat-Intelligence (CTI) capability' that needs to be fostered in information security practitioners and how this can be accomplished
- Brian P. Kime. Threat Intelligence: Planning and Direction
- Conventional Intelligence Analysis in Cyber Threat Intelligence - CTI Summit 2017
- Cyber Threat Intelligence Study Plan
- DFIR Summit 2016: Leveraging Cyber Threat Intelligence in an Active Cyber Defense
- Frank Watanabe. Fifteen Axioms for Intelligence Analysts
- Industrial Control Threat Intelligence
- Intel 471: Developing An Effective Cyber Threat Intelligence Plan from Scratch Recording
- International Cybersecurity Incidents for In-House CTI Analysts
- Rebekah Brown & Robert M. Lee. The Evolution of CTI: 2019 SANS CTI Survey
- Richards J. Heuer, Jr. Psychology of Intelligence Analysis
- Scott J. Roberts. CTI Squad Goals-Setting Requirements
- The Cycle of Cyber Threat Intelligence
- Threat Intelligence: Collecting, Analysing, Evaluating
- Through the Eyes of the Adversary: How to Build a Threat Intel Program
- Adam Pennington. Emulating an Adversary with Imperfect Intelligence. DEF CON 28 Red Team Village
- Characterizing Effects on the Cyber Adversary
- MITRE ATT&CK TTP Training
- MITRE ENGENUITY - ATT&CK Evaluations