Cyber Threat Intelligence

Presented By: Rushika Shah


(000FSMTCS1718038)
Index
► What is a Threat?
► What is Threat Intelligence?
► Overview of Threat Intelligence
► Pyramid of pain
► Types of Threat Intelligence
► Threat Intelligence Life cycle
► Threat Intelligence Formats
► Threat Intelligence Platform
► Indicator of Compromise
► Benefits of Threat Intelligence
What is a Threat?
“The possibility of a malicious attempt to damage or disrupt a computer network or system.”

Cyber threats are often carried out by hackers trying to gain unauthorized access to an individual’s
personal information, either for financial gain or to perform troublesome and mischievous acts; they hope to
access private files by infiltrating systems and stealing data.

Example: Phishing, Malware, Botnets, DDOS, MITM, Ransomware, etc.


Sources of Threat (bar chart on the slide; only the category labels are recoverable, not the values):
► Others
► Malicious Insiders
► Terrorists
► Hacktivists
► Foreign Government
► Crackers/Untrained Insiders
► General hacking Community
What is Cyber Threat Intelligence?
“Evidence-based knowledge, including context, mechanisms, indicators, implications
and actionable advice about an existing or emerging menace or hazard to assets that can
be used to inform decisions regarding the subject’s response to that menace or hazard.”
-Gartner

“Details of the motivations, intent, and capabilities of internal and external threat actors.
Threat intelligence includes specifics on the tactics, techniques, and procedures of these
adversaries. Threat intelligence's primary purpose is to inform business decisions
regarding the risks and implications associated with threats.”
- Forrester
Overview of Threat Intelligence

► Threat Actors: the different types of actors, their targets and their goals.
► Goals and Strategy: define what the attackers want and how they plan to achieve it.
► Tactics, Techniques and Procedures: define what the attackers will do to implement their strategy and achieve their goals.
► Indicators: define the evidence left behind by the attackers.
Pyramid of Pain
This simple diagram shows
the relationship between the types of
indicators you might use to detect an
adversary's activities and how much pain it
will cause them when you are able to deny
those indicators to them.
Hash Values
► Hashes are, by far, the highest confidence indicators.

► Unfortunately, they are extremely susceptible to change (even accidentally).

► Hashes are probably the least useful type of indicator.

IP Addresses
► IP addresses are quite literally the most fundamental indicator, but if the adversary is using an anonymous
proxy service like Tor or something similar, they may change IPs quite frequently and never even
notice or care.

► VPNs, Tor, open proxies all make it trivial to change your IP.

► If it’s hardcoded into a config, maybe adversaries have to do a little work to update it.
Domain Names

► One step higher on the pyramid, we have Domain Names (still green, but lighter).

► These are slightly more of a pain to change, because in order to work, they must
be registered, paid for (even if with stolen funds) and hosted somewhere.

► That said, there are a large number of DNS providers out there with lax
registration standards (many of them free), so in practice it's not too hard to
change domains.

► New domains may take anywhere up to a day or two to be visible throughout the
Internet, though, so these are slightly harder to change than just IP addresses.
Network/ Host Artifacts

► In the middle of the pyramid and starting to get into the yellow zone, we have the Network and Host
Artifacts.

► This is the level, at last, where you start to have some negative impact on the adversary.

► When you can detect and respond to indicators at this level, you cause the attacker to go back to their lab
and reconfigure and/or recompile their tools.

► A great example would be when you find that the attacker's HTTP recon tool uses a distinctive User-Agent
string when searching your web content. If you block any requests which present this User-Agent,
you force them to go back and spend some time
a) figuring out how you detected their recon tool, and
b) fixing it.

► Sure, the fix may be trivial, but at least they had to expend some effort to identify and overcome the
obstacle you threw in front of them.
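The User-Agent example above is one rung of the pyramid; in practice a detection pipeline matches indicators from several rungs at once and should report the highest rung it hit, because that is the one that costs the adversary the most to change. The following added example (not code from the original slides) runs constructed proxy-log lines against constructed indicators on three levels: an IP address, a domain name, and a distinctive User-Agent string as a network/host artifact. The log layout, the indicator values (RFC 5737 test ranges and a reserved TLD) and the `ReconScanner/1.0` User-Agent are all assumptions made for the example.

```python
"""Pyramid-of-Pain indicator matching over outbound proxy log lines.

Added example; not code from the original slides. The log format, the
indicator values and the recon User-Agent string are all constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Pyramid levels from least to most painful for the adversary to change.
LEVELS = ["hash_value", "ip_address", "domain_name",
          "network_host_artifact", "tool", "ttp"]

# Constructed indicators, keyed by the pyramid level they sit on.
INDICATORS = {
    "ip_address": {"203.0.113.77"},
    "domain_name": {"update-check.example"},
    "network_host_artifact": {"ReconScanner/1.0"},   # distinctive User-Agent
}

# Constructed proxy-log line layout:
#   <timestamp> <src_ip> <dst_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.15 203.0.113.77 GET http://203.0.113.77/ 200 "Mozilla/5.0"
2024-05-01T10:00:05Z 10.0.0.15 198.51.100.20 GET http://update-check.example/beacon 200 "Mozilla/5.0"
2024-05-01T10:00:09Z 10.0.0.22 198.51.100.30 GET http://www.example.org/robots.txt 200 "ReconScanner/1.0"
2024-05-01T10:00:12Z 10.0.0.22 198.51.100.30 GET http://www.example.org/ 200 "Mozilla/5.0"
this line is malformed and is skipped by the parser
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not fit the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_entry(entry):
    """Return every (level, value) indicator that this log entry matches."""
    hits = []
    if entry["dst"] in INDICATORS["ip_address"]:
        hits.append(("ip_address", entry["dst"]))
    host = urlsplit(entry["url"]).hostname or ""
    if host in INDICATORS["domain_name"]:
        hits.append(("domain_name", host))
    if entry["ua"] in INDICATORS["network_host_artifact"]:
        hits.append(("network_host_artifact", entry["ua"]))
    return hits


def highest_level(hits):
    """The most painful level among the hits, or None when there are none."""
    return max((level for level, _ in hits), key=LEVELS.index, default=None)


def scan_log(text):
    """Scan log text; return (alerts, number of lines that failed to parse)."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            skipped += 1          # malformed lines are counted, never silently lost
            continue
        hits = match_entry(entry)
        if hits:
            alerts.append({"ts": entry["ts"], "src": entry["src"],
                           "level": highest_level(hits), "hits": hits})
    return alerts, skipped


def level_summary(alerts):
    """Alerts per pyramid level: shows where your detection coverage actually sits."""
    return Counter(alert["level"] for alert in alerts)


if __name__ == "__main__":
    found, dropped = scan_log(SAMPLE_LOG)
    for alert in found:
        print(f'{alert["ts"]} {alert["src"]} level={alert["level"]} hits={alert["hits"]}')
    print("per-level:", dict(level_summary(found)), "skipped lines:", dropped)
```

The per-level summary is the useful output for a defender: if every alert sits on the IP or domain rung, the adversary can shrug off the blocks, and the next investment should go into artifact, tool and TTP detections.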
Tools

► The next level is labelled "Tools" and is definitely yellow.

► At this level, we are taking away the adversary's ability to use one or more specific arrows in their quiver.

► Most likely this happens because we just got so good at detecting the artifacts of their tool in so many
different ways that they gave up and had to either find or create a new tool for the same purpose. This is a
big win for you, because they have to invest time in research (find an existing tool that has the same
capabilities), development (create a new tool if they are able) and training (figure out how to use the tool
and become proficient with it). You just cost them some real time, especially if you are able to do this
across several of their tools.

► Some examples of tool indicators might include AV or Yara signatures, if they are able to find variations
of the same files even with moderate changes.
Tactics, Techniques and Procedures

► Finally, at the apex are the TTPs. When you detect and respond at this level, you are operating directly
on adversary behaviours, not against their tools.

► TTPs are the expression of the attacker’s training.

► Retraining is probably the hardest thing you can do once, let alone continually.

► This becomes so expensive that they have to question their commitment to attacking you. Win!
Types of Threat Intelligence
Strategic Threat Intelligence (Who/Why)
► Target Audience: The Board, Executive Management, Senior Business Leaders – CISO, CIO, Risk Officer, etc.
► Strategic intelligence may be able to identify historical trends, motivations, or attributions as to who is behind
an attack.
► Focus on changing risks and high-level topics: geopolitics, foreign markets, cultural background
► Informs business decisions and is used to prioritize defence and direct cybersecurity investments.
► “Known Known” – the threat is understood and can be acted on / mitigated

Operational Threat Intelligence
► Target Audience: Strategic Security Teams, SOC/NOC Managers and Threat Analysts
► Focus on threat actors, nation-state actors, future attacks, etc.
► Focuses on how they plan, conduct, and sustain attack campaigns.
► Vision timeframe: Hours to Months
► “Known Unknown” – confirmed existence of an actual threat

Tactical Threat Intelligence
► Target Audience: System Admins, Pen Testers, Hunters, SOC/NOC Operators
► Focus on TTPs (Tactics, Techniques, Procedures)
► Focuses on threat indicators to hunt for and defend against adversaries.
► Vision timeframe: Weeks to Months
► The effort to detect and respond to technical on-the-wire events.
► “Unknown Unknown” – something weird is going on

Technical Threat Intelligence
► Target Audience: SOC, IR, Firewall, Admins
► Focus on Indicators of Compromise, malware domains, artefacts, signatures, etc.
► Vision timeframe: Hours to Years
Threat Intelligence Life Cycle

The slide draws the life cycle as a circle of five phases: Planning and Direction → Collection → Processing → Analysis and Production → Dissemination, with Dissemination leading back into Planning and Direction.
Planning and Direction
► Determine intelligence requirements
► Develop a CTI team
► Create a collection plan
► Generate requests for information

Collection
► Collect data to satisfy intelligence requirements using all-source collection:
  Critical applications
  Network infrastructure
  Security infrastructure

Processing
► Interpret raw data
► Convert interpreted data into a usable format (information) for analysis

Analysis and Production
► Fuse information from Processing
► Provide facts, findings and forecasts
► Analysis should be:
  ► Objective
  ► Timely
  ► Accurate
  ► Actionable
► Use a confidence method

Dissemination
► Deliver the finished product to intelligence consumers at various levels:
  Strategic (CISO)
  Operational
  Tactical (TTP)
Threat Intelligence Formats

► CybOX: standard for defining indicator details known as observables.
► STIX (Structured Threat Information Expression): standard to define patterns of observables in context.
► TAXII (Trusted Automated eXchange of Indicator Information): standard to exchange CTI.
CybOX

► CybOX is used for defining details regarding measurable events and stateful properties.
► The objects that can be defined in CybOX can be used in higher level schemas like STIX.
► Goal of CybOX : Enable the ability to automate sharing of security information.
► There are resources available for working with CybOX.
► CybOX objects can be an email message that is received from a specific address, a network
connection that is established toward a specific address, the MD5 hash of a file, a process, a URI or
the modification of a registry key.
► CybOX can be used for threat assessment, log management, malware characterization, indicator
sharing and incident response.
STIX : Structured Threat Information Expression

► Structured Threat Information Expression (STIX) is for defining threat information including
threat details as well as the context of the threat.
► STIX is designed to support four cyber threat use cases:
Analysing Cyber Threats
Specifying Indicator Patterns
Managing Response Activities
Sharing Threat Information
► It uses XML to define threat related constructs such as exploit target, incident, indicator, threat
actor and TTP.
The STIX language has a number of constructs or components, including the following:

► Observable: A dynamic event or stateful property, represented in CybOX.
► Indicator: An observable with context. An indicator can contain a time range, information source,
intrusion detection system rules, etc.
► Incident: A set of activity associated with the same adversary along with context.
► Tactics, Techniques and Procedures (TTP): Represents the modus operandi of the adversary.
► Exploit Target: A weakness of a victim in light of a TTP.
► Course of Action (COA): Defensive actions against a threat (prevention, remediation, mitigation).
► Campaign: A set of related TTPs, indicators, incidents and exploit targets.
► Threat Actor: The cyber adversary.
TAXII : Trusted Automated eXchange of Indicator Information

► Trusted Automated eXchange of Indicator Information (TAXII) supports sharing of CTI data.
► The Mitre definition for TAXII states, “Defines a set of services and message exchanges for
exchanging cyber threat information.”
► TAXII is not an information sharing program and does not define trust agreements.
► Rather, it is a set of specifications for exchanging cyberthreat information to help organizations
share information with their partners.
TAXII has the following three sharing models:

► Hub and Spoke: One central clearinghouse.
► Source/Subscriber: One organization is the single source of information.
► Peer-to-Peer: Multiple organizations share their information.

TAXII defines the following four services, where each service is optional and services can be combined in
different ways for different sharing models:

► Inbox: A service to receive pushed content (push messaging).
► Poll: A service to request content (pull messaging).
► Collection Management: A service to learn about and request subscriptions to data collections.
► Discovery: Learn which services are supported and how to interact with them.
Threat Intelligence Platform
“By importing threat data from multiple sources and formats, correlating that data, and then
exporting it into an organization's existing security systems or ticketing systems, a TIP automates
proactive threat management and mitigation.”

A TIP is defined by its capability to perform four key functions:

► Aggregation of intelligence from multiple sources
► Curation, normalization, enrichment, and risk scoring of data
► Integrations with existing security systems
► Analysis and sharing of threat intelligence
Data Aggregation
A Threat Intelligence Platform automatically collects and reconciles data from various sources and formats.
Ingesting information from a variety of sources is a critical component of a strong security infrastructure. Supported
sources and formats include:

Sources:
► Open source
► 3rd party paid
► Government
► Trusted Sharing Communities (ISACs)
► Internal

Formats:
► STIX/TAXII
► JSON and XML
► Email
► .csv, .txt, PDF, Word document
Normalization & Enrichment of data

Collecting data across a wide variety of feeds results in millions of indicators to sort through per day, making it
vital to process data efficiently. Processing includes several steps, but is comprised of three main elements:

► Normalization - Consolidating data across different source formats
► De-Duplication - Removal of duplicate information
► Enrichment - Removal of false positives, scoring of indicators, and addition of context
Integration
Data that has been normalized, vetted, and enriched must then be delivered to systems that can use it for
automated enforcement and monitoring. The purpose of this is to provide these technologies with what is
essentially a “cyber no-fly list”, much like the kind of no-fly list you’d encounter at an airport. Based on
background knowledge, certain IPs, domains, and more should not be accessed or allowed within the
network.

Possible security product integrations include:

► SIEM
► Endpoint
► Firewall
► IPS
► API
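The three processing elements (normalization, de-duplication, enrichment) and the "cyber no-fly list" export described in the Integration section are easiest to see as one small pipeline. The following added example (not the code of any TIP product or of the original slides) ingests two constructed feeds: a STIX bundle in the JSON indicator-pattern form used by STIX 2.x (the STIX section of these slides describes the XML form of STIX 1; the JSON form is an assumption made so that the example stays self-contained) and a CSV feed whose values are "defanged" with `hxxp` and `[.]`. It refangs and canonicalizes values, rejects ones that are invalid for their type, merges duplicates across sources, drops allowlisted false positives, scores each entry, and exports the result grouped by type. Every indicator value, feed name and the allowlisted resolver address is fictitious; the scoring weights are an assumption, not a standard.

```python
"""Threat-intelligence feed ingestion: normalize, de-duplicate, enrich, score,
and export a blocklist for enforcement tooling. Added example; both feeds and
all indicator values are constructed samples."""
import csv
import io
import ipaddress
import json
import re

# Constructed STIX 2.x-style bundle (JSON indicator patterns).
STIX_FEED = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000011",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'Update-Check.example']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000012",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.77']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000013",
         "pattern_type": "stix", "pattern": "[file:hashes.MD5 = '0123456789ABCDEF0123456789abcdef']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000014",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.53']"},
    ],
})

# Constructed CSV feed with defanged values and one malformed address.
CSV_FEED = """type,value
domain,update-check[.]example
ipv4,203.0.113.77
ipv4,999.1.1.1
url,hxxp://update-check[.]example/beacon
"""

PATH_TO_TYPE = {"domain-name:value": "domain", "ipv4-addr:value": "ipv4",
                "url:value": "url", "file:hashes.MD5": "md5"}
PATTERN_RE = re.compile(r"\[\s*(?P<path>[\w\-:.']+)\s*=\s*'(?P<value>[^']+)'\s*\]")
BASE_SCORE = {"md5": 40, "url": 30, "domain": 20, "ipv4": 10}   # assumed weights
ALLOWLIST = {("ipv4", "192.0.2.53")}   # constructed: our own resolver, a known false positive


def refang(value):
    """Undo common defanging so values from different feeds compare equal."""
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value.strip())
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def normalize(ioc_type, value):
    """Canonical form of an indicator, or None if it is not valid for its type."""
    v = refang(value)
    if ioc_type == "domain":
        v = v.lower().rstrip(".")
    elif ioc_type == "md5":
        v = v.lower()
        if not re.fullmatch(r"[0-9a-f]{32}", v):
            return None
    elif ioc_type == "ipv4":
        try:
            ipaddress.IPv4Address(v)
        except ValueError:
            return None
    return v


def parse_stix(text, source):
    """(type, value, source) for each single-comparison indicator pattern in a bundle."""
    records = []
    for obj in json.loads(text)["objects"]:
        m = PATTERN_RE.search(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        ioc_type = PATH_TO_TYPE.get(m.group("path").replace("'", "")) if m else None
        if ioc_type:
            records.append((ioc_type, m.group("value"), source))
    return records


def parse_csv(text, source):
    return [(row["type"], row["value"], source) for row in csv.DictReader(io.StringIO(text))]


def build_blocklist(records, allowlist=ALLOWLIST):
    """Normalize, de-duplicate across sources, drop allowlisted values, score."""
    merged, rejected = {}, 0
    for ioc_type, raw, source in records:
        value = normalize(ioc_type, raw)
        if value is None:
            rejected += 1
            continue
        merged.setdefault((ioc_type, value), set()).add(source)      # de-duplication
    entries = []
    for (ioc_type, value), sources in merged.items():
        if (ioc_type, value) in allowlist:
            continue                                                   # false positive
        score = min(100, BASE_SCORE.get(ioc_type, 10) + 25 * (len(sources) - 1))
        entries.append({"type": ioc_type, "value": value, "sources": sorted(sources), "score": score})
    entries.sort(key=lambda e: (-e["score"], e["type"], e["value"]))
    return entries, rejected


def export_by_type(entries, min_score=0):
    """The 'cyber no-fly list': values grouped by type, ready for a firewall or SIEM."""
    out = {}
    for e in entries:
        if e["score"] >= min_score:
            out.setdefault(e["type"], []).append(e["value"])
    return out


if __name__ == "__main__":
    recs = parse_stix(STIX_FEED, "stix-feed") + parse_csv(CSV_FEED, "csv-feed")
    blocklist, bad = build_blocklist(recs)
    for e in blocklist:
        print(f'{e["score"]:3d} {e["type"]:6s} {e["value"]}  <- {",".join(e["sources"])}')
    print("rejected:", bad, "export:", export_by_type(blocklist, min_score=35))
```

Two points the slides make show up directly in the output: the domain that appears in both feeds under different spellings merges into one entry with two sources and a higher score, and the allowlisted resolver address is removed before it could reach a firewall, which is the false-positive removal the Enrichment bullet refers to.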
Indicator Of Compromise
Indicators of compromise (IOCs) are “pieces of forensic data, such as data found in system log entries or
files, that identify potentially malicious activity on a system or network.”

A threat indicator is an entity that indicates the possibility of an attack or compromise of some kind. The
most common types are file hashes (signatures), and reputation data on domains and IP addresses that
have been associated with attacks.

Example: IP addresses, URL, Domain Names, File hashes, etc.


Tools for Indicator of Compromise:
Malware Signature
► When the binary code is located, the scan engine compares all the detection signatures it has in its
database to the binary code.
► If a match is found, then the binary is tagged as malicious.

ClamAV Virus Signature:

Clam AntiVirus (ClamAV) is a free, cross-platform and open-source antivirus software toolkit able to
detect many types of malicious software, including viruses.

► Dump the bytes of the sample as hex: echo "Hello World" | sigtool --hex-dump
► To convert this into a usable signature, you need to format it according to the ClamAV signature syntax:
► TestHelloWorld:0:*:48656c6c6f20576f726c640a
► To use these signatures, you need to place them into a file with a .ndb extension.
► When using the custom signature database, you need to specify its location on the command line for
clamscan using the -d flag:
► clamscan -d clam_helloworld.ndb test.txt
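To make the .ndb line above less opaque, here is an added example (not ClamAV's own code) that reproduces the two steps from the slide, `sigtool --hex-dump` and a `clamscan -d` style scan, in a few dozen lines of Python. The .ndb fields are `name:target type:offset:hex signature`; the toy matcher supports target type 0 (any file), the offset `*` (match anywhere) or an absolute byte offset, and ClamAV's `??` single-byte wildcard. Other ClamAV offset forms and target types are deliberately not handled. The second signature, the database text and the sample inputs are constructed for the example.

```python
"""Toy ClamAV-style .ndb signature generator and matcher.

Added example, not ClamAV's own code. Handles target type 0, offsets '*' or
an absolute byte position, and the '??' wildcard byte; nothing else.
"""
import re

# Constructed signature database (what the slide's clam_helloworld.ndb would hold,
# plus a second, offset-anchored signature with a wildcard byte).
NDB_TEXT = """# name:target type:offset:hex signature
TestHelloWorld:0:*:48656c6c6f20576f726c640a
PrefixMarker:0:0:5448??53
"""


def hex_dump(data):
    """What `sigtool --hex-dump` prints for the given bytes."""
    return data.hex()


def make_ndb_signature(name, data, target_type=0, offset="*"):
    """Build one .ndb line for a byte sequence."""
    return f"{name}:{target_type}:{offset}:{hex_dump(data)}"


def parse_ndb(text):
    """Parse .ndb lines into dicts; blank lines and '#' comments are ignored."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, target, offset, hexsig = line.split(":", 3)
        sigs.append({"name": name, "target": int(target),
                     "offset": offset, "hex": hexsig.lower()})
    return sigs


def hex_to_regex(hexsig):
    """Turn a hex signature into a bytes regex; '??' matches any single byte."""
    if len(hexsig) % 2:
        raise ValueError("hex signature must have an even number of digits")
    parts = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        if pair == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9a-f]{2}", pair):
            parts.append(re.escape(bytes.fromhex(pair)))
        else:
            raise ValueError(f"unsupported token {pair!r} in signature")
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, sigs):
    """Names of the signatures that match `data`, in database order."""
    hits = []
    for sig in sigs:
        if sig["target"] != 0:
            continue                      # toy scanner: only 'any file' signatures
        rx = hex_to_regex(sig["hex"])
        if sig["offset"] == "*":
            found = rx.search(data) is not None           # anywhere in the file
        else:
            found = rx.match(data, int(sig["offset"])) is not None   # anchored
        if found:
            hits.append(sig["name"])
    return hits


if __name__ == "__main__":
    print(make_ndb_signature("TestHelloWorld", b"Hello World\n"))
    db = parse_ndb(NDB_TEXT)
    for sample in (b"Hello World\n", b"THIS file says Hello World\n", b"xx THIS"):
        print(sample, "->", scan(sample, db))
```

The anchored `PrefixMarker` signature shows why offsets matter: the same bytes at position 3 do not fire it, so a well-placed offset cuts false positives without weakening the signature.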
Yara Rules:
► Rules are generally composed of two sections: strings definition and condition.
► The strings definition section can be omitted if the rule doesn’t rely on any string, but the condition section is
always required.
► An example is given below.

    rule ExampleRule
    {
        strings:
            $my_text_string = "text here"
            $my_hex_string = { E2 34 A1 C8 23 FB }
        condition:
            $my_text_string or $my_hex_string
    }

► Select the unique strings which can be used to identify the sample file.
► Put these strings as variables under the strings section, as shown in the previous example.
► Save the rule file as RuleName.yar
► Run the command: yara RuleName.yar FileToScan
► A rule file can contain more than one rule.
► Yara can scan more than one file or folder at a time.
Tools for Indicator of Compromise:
ThreatMiner
ThreatMiner is a free threat intelligence portal designed to allow analysts to find additional information
on indicators of compromise (IOC).

Indicator Type:

► IP

► Domain

► Hash

► Email Address

► File Name

► URLs
Tools for Indicator of Compromise:
ThreatCrowd
ThreatCrowd is a system for finding and researching artefacts relating to cyber threats. It is another
search engine for artifacts related to threats; it returns results through a graph interface that makes
it easier to see relations between different artifacts, and the creators also maintain a blog that is updated
semi-regularly.

ThreatCrowd, also available in MALTEGO, is a well-known project providing feeds of blacklisted /
malware-spreading websites with hash details. OTX (Open Threat Exchange) by AlienVault is
an open threat intelligence sharing platform; it enables the community to share actionable intelligence
with other people.
Tools for Indicator of Compromise:
AlienVault OTX
The AlienVault Open Threat Exchange (OTX) is the world’s most authoritative open threat information
sharing and analysis network. OTX provides access to a global community of threat researchers and
security professionals, with more than 50,000 participants in 140 countries, who contribute over four
million threat indicators daily. OTX allows anyone in the security community to actively discuss,
research, validate, and share the latest threat data, trends, and techniques.
Tools for Indicator of Compromise:
VirusTotal
VirusTotal is the best online virus scanner because in addition to scanning URLs, IP addresses,
and files against several different antivirus engines, it can also be used over email or from a desktop to
scan running processes.

Dozens of different antivirus engines are used to scan files sent to VirusTotal, which means several different
perspectives are used to determine whether or not a file is malicious.
Network Based Analysis: IP Analysis
Here, I have one IP address to check whether it is malicious or not. I use different tools to check it.
IP Address: 52.08.203.224
[Screenshot: scan result reporting “Malware Detected”]
Another Tool: AlienVault
[Screenshot: AlienVault result for the IP address]

Network Based Analysis: Domain Analysis
Domain Name: allinfo.xyz.com
Using ThreatMiner:
[Screenshot: ThreatMiner result for the domain]

Host Based Analysis: File Hash
File Hash Value: 0002097DD98D27D54379C84EA1DCF444
Using VirusTotal:
[Screenshot: VirusTotal result for the file hash]
Benefits of Threat Intelligence
Managed security services can provide key threat intelligence benefits such as:

► Elimination of the need to manually gather, research, and analyse the volumes of threat data from
numerous sources, mostly across the internet.

► Security analysts are on staff and their focus is exclusively on intelligence. In-depth analysis is
performed on vulnerabilities and any emerging threats.

► An enterprise is given access to expertise and resources that make an ongoing threat intelligence
program a known and budgeted operating expense.

► Some services will provide guidance to help specific kinds of enterprises reduce their risks. The
threat intelligence service may also provide remediation and mitigation services if a client organization
is compromised.