DOMAIN 3

The document provides an overview of threat intelligence, detailing its importance, types, and the motivations behind various threat actors, including cyber criminals and nation-states. It discusses advanced persistent threats (APTs), their tools and techniques, and the frameworks used for understanding cyber adversary behavior. Additionally, it outlines the threat intelligence lifecycle, operational intelligence, and the significance of sharing intelligence within and across organizations.

Uploaded by

jamesrobertsnz9

Domain 3: Threat Intelligence

- Introduction
  - Threat Intelligence explained
    - Information that an organization uses to understand the threats that are currently targeting them, or could target them in the future
  - Why it is valuable
    - It provides information on more sophisticated attacks:
      - APTs
      - Zero-day vulnerabilities
      - Global malware campaigns
  - Types of intel
    - SIGINT
      - Signals intelligence: the interception of radio signals and broadcast communications
      - COMINT
        - Communications intelligence: relates to communications between people and groups of people (messages and voice) and is often used synonymously with SIGINT
      - ELINT
        - Electronic intelligence: collected from systems not used directly for communications, such as guidance communication for missile systems and radars
    - OSINT
      - Open-source intelligence: information gathered from public sources. Ex: driving records, phone numbers, street addresses, email addresses, domain names, etc.
    - HUMINT
      - Human intelligence: understanding how humans act, feel, think, etc.
    - GEOINT
      - Geospatial intelligence: intelligence that helps during natural disasters, wartime, etc. Satellite imaging is heavily used
  - Future of threat intel
  - Threat intelligence glossary
- Threat Actors and APTs
  - Common threat agents
    - Cyber criminals. LEAST SEVERE
    - Nation states: Cozy Bear (CrowdStrike naming), APT29 (Mandiant naming)
    - Hacktivists: "Anonymous"
    - Insider threat. MOST SEVERE
  - Motivations
    - Financial motives
      - Individual financial motives
      - Cybercrime financial motives
        - Ransomware
      - Government financial motives
        - Lazarus Group
          - BlueNoroff: North Korean APT
          - Andariel: North Korean APT
    - Political motives
      - Stuxnet virus
      - Hacktivists
      - Disinformation campaigns
    - Social motives
      - Script kiddies
      - Lizard Squad
        - DDoS
    - Unknown motives
  - Actor naming conventions
  - What are APTs?
    - Advanced Persistent Threats
      - Highly skilled
      - State backing
    - Real-world APTs
      - APT28 (Fancy Bear, Sofacy, Pawn Storm)
        - Russia-based
      - Cobalt Group (Gold Kingswood)
        - Leader was arrested in Spain
        - Utilizes malware called "Spicy Omelette"
      - APT32
        - Strong focus on Southeast Asian countries like Vietnam, Philippines, Laos, and Cambodia
    - APTs have sophisticated and advanced tools, attack frameworks, malware, exploits (including zero-days) and methodologies
  - Tactics, techniques, and procedures (TTPs)
    - The actions that threat actors take when conducting cyberattacks. Defenders use them to track the tactics that different threat groups use
- Operational Intelligence
  - All about studying threat actors that might target the organization: gaining information about who they are, their motives, and their tactics, techniques, and procedures (TTPs)
  - Precursors explained
    - Elements of the incident identification and response process that allow both an attacker and a security researcher or professional to determine the existence of flaws and/or vulnerabilities
    - Types of precursors
      - Port scanning, operating system and application fingerprinting
        - Mainly detected by monitoring network operations
          - Logs from firewalls or web application firewalls (WAFs) that have rules written to alert and log when one IP is attempting to connect to x number of ports over a short period of time
          - Logs from systems that are being scanned
      - Social engineering and recon
        - Non-employees looking through the organization's bins
        - Non-employees hanging around outside the office
        - Employees being engaged by non-employees
        - Calls from unknown or spoofed numbers
        - Documents or office equipment going missing
      - OSINT sources and bulletin boards
        - An email or online message from a threat group threatening to attack the organization
        - Publicly disclosed vulnerabilities (CVEs) that affect systems or programs
        - Chatter on underground forums about a zero-day or new malware being exploited
        - Reports stating an increase in vulnerability exploitation
  - Indicators of Compromise (IOCs) explained
    - Artifacts that have been observed in relation to malicious activity
    - Examples
      - Email addresses
      - IP addresses. WHOIS lookups can be conducted
      - Domain names/URLs
      - File hashes/file names, shared by their unique hash value (typically MD5, SHA256, or SHA1)
        - File-based artifacts
          - Malware file name, file size, MD5 hash value, etc.
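As an added example (not from the original notes), here is a small Python detector for the port-scanning precursor described above: it parses constructed firewall log lines and raises an alert when one source IP touches more than a set number of distinct destination ports inside a sliding time window, which is exactly the rule the notes say a firewall or WAF would be configured with. The key=value log layout, the field names, the sample addresses and the threshold of 8 ports in 60 seconds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from any real device). The
# key=value layout and field names are an assumption made for this example.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=21
2024-03-01T10:00:02Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=22
2024-03-01T10:00:02Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=23
2024-03-01T10:00:03Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=25
2024-03-01T10:00:03Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=80
2024-03-01T10:00:04Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=110
2024-03-01T10:00:04Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=143
2024-03-01T10:00:05Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=443
2024-03-01T10:00:05Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=445
2024-03-01T10:00:06Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=3389
2024-03-01T10:00:07Z action=allow src=192.0.2.44 dst=198.51.100.10 dport=443
2024-03-01T10:00:09Z action=allow src=192.0.2.44 dst=198.51.100.10 dport=443
2024-03-01T10:05:00Z action=deny src=192.0.2.44 dst=198.51.100.10 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the expected layout (malformed input is skipped, not fatal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["dport"] = int(event["dport"])
    return event


def detect_port_scans(log_text, max_ports=8, window_seconds=60):
    """Return one alert per source IP that tries more than max_ports distinct
    destination ports within any window_seconds span. Denied and allowed
    connections both count: a scan against open ports still shows up as
    many distinct ports from one source."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, evs in by_src.items():
        best = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {ev["dport"] for ev in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) > max_ports:
            alerts.append({"src": src, "distinct_ports": len(best),
                           "ports": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOGS):
        print(f"possible port scan from {alert['src']}: "
              f"{alert['distinct_ports']} distinct ports {alert['ports']}")
```

On the constructed input only 203.0.113.7 is flagged (10 distinct ports in six seconds); 192.0.2.44 touches two ports across five minutes and stays quiet. In production the threshold and window would be tuned per network segment, since a vulnerability scanner or a load balancer health check can legitimately produce the same pattern.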

  - MITRE ATT&CK Framework
    - Adversarial Tactics, Techniques, and Common Knowledge
    - Knowledge base and model for cyber adversary behavior, reflecting the various phases of an attack's lifecycle and who they are known to target
    - One of the most respected and referenced resources for cybersecurity
  - Lockheed Martin Cyber Kill Chain
  - Attribution and its limitations
    - Determining what info is reliable
    - Metadata (IP addresses, email data, etc.) can all be faked
  - Pyramid of Pain
    - TTPs (Tough)
    - Tools (Challenging)
    - Network artifacts (Annoying)
    - Domain names (Simple)
    - IP addresses (Easy)
    - Hash values (Trivial)
    - Pyramid layers explained
      - Hash values
        - They can provide the highest-confidence indicators, yet are vulnerable to modification by the attacker or accidentally by the end user. Given how much and how often these can change, they are THE LEAST USEFUL INDICATORS
      - IP addresses
        - Though having a unique address is beneficial, it's not uncommon for attackers to change these using VPS, Tor, or open proxies
      - Domain names
        - Can be changed, but require registration and hosting. Many DNS providers don't have the same standards in terms of legality. Not as easy to change as IP addresses; it just takes more time
      - Network/host artifacts
        - Cause more difficulty for the attacker once you begin implementing defenses against these tools and methods. Could be determined by finding where directories are commonly created, specific registry values, files, etc.
        - "Lucky Spam" showcased
          - Different domain names
          - Different IP addresses
          - Different hashes
      - Tools
        - Tools are hard to change. Identifying one or more tools they are using to distribute attacks and halting their use puts a severe bend in their hose: it requires re-tooling, researching, or building another method of attack
      - TTPs (Tactics, techniques, and procedures)
        - Not just tools, but behavior patterns. You learn their methods by profiling behavior. EXAMPLE: spear phishing with PDF files
        - WHICH OF THE FOLLOWING CAN CAUSE ISSUES WITH ATTRIBUTION?
          - Other groups conducting copy-cat attacks
          - Criminals sharing infrastructure on the internet
          - Threat actors changing their tactics and techniques
          - All are correct
        - A single actor performing port scanning from a single IP
          - Both IOCs and Precursors
- Tactical Intelligence
  - Technical in nature and of immediate value to an organization. Shared in the form of IOCs, which are known malicious artifacts such as URLs, domains, email addresses, file hashes, etc.
    - Example: a list of email addresses (IOCs) that are being used to send phishing emails, such as Emotet malware
    - Threat feed that can be subscribed to, which includes malicious IPs
    - Public report from a threat intelligence company that includes a number of IOCs
  - Threat exposure checks explained
  - Watchlists/IOC monitoring
    - IOC monitoring can help alert security analysts to malicious activity by monitoring for the presence of any precursors or IOCs across the environment
    - This allows threat exposure checks (TECs) to be conducted continuously without the need for a human threat intelligence analyst to perform the searches themselves. EXAMPLE: malicious IP watchlist
  - Public exposure checks explained
  - Threat intelligence platforms (TIPs)
    - MISP, ThreatConnect, ThreatQ, LookingGlass, IntSights, and Anomali
    - TIPs can be deployed as software-as-a-service or an on-premises solution to effectively manage a large volume of cyber threat intel
    - TIPs provide the following functionality for security teams:
      - Aggregation and normalization of intelligence collected from multiple sources
      - Integration with existing security controls such as firewalls and intrusion prevention systems
      - Analysis and sharing of threat intelligence
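The IOC types listed under Indicators of Compromise, the aggregation and normalization a TIP performs, and the malicious-IP watchlist example above can be tied together in one added Python example (written for these notes, not taken from any TIP or from the original document). It classifies raw feed entries by type (email, IP, domain, URL, or MD5/SHA1/SHA256 hash by hex length), strips the defanging forms commonly seen in shared IOC lists (hxxp, [.], [:]), builds a watchlist, and then runs a threat exposure check over constructed log lines from several sources. The feed entries, the log formats, the token-splitting rule and the set of defanging forms handled are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hash types by hex length, matching the ones the notes list (MD5, SHA1, SHA256).
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed feed entries (not a real threat feed), partly defanged.
FEED = [
    "203.0.113.7",
    "phish-login[.]example",
    "hxxp://cdn[.]example/drop.exe",
    "invoice@mail[.]example",
    "aa" * 16,            # constructed 32-hex-char value, classified as MD5
    "not an indicator",   # junk that must be rejected, not silently matched
]

# Constructed log lines in a few formats (proxy, DNS, firewall, mail, EDR).
LOGS = [
    'proxy user=alice url="http://phish-login.example/auth" status=200',
    'dns client=10.0.0.8 query=intranet.corp.example',
    'fw action=allow src=10.0.0.9 dst=203.0.113.7 dport=443',
    'mail from=invoice@mail.example to=bob@corp.example subject="Invoice"',
    'edr host=WS12 file=setup.exe md5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
    'proxy user=carol url="http://cdn.example/drop.exe" status=200',
    'proxy user=dave url="http://cdn.example/other.js" status=200',
]

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}")


def refang(value):
    """Undo the defanging forms handled here (assumption: only these three)."""
    return value.strip().replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def classify(value):
    """Return (type, normalized value). Hashes, domains and emails are
    lowercased; URLs keep their case because paths can be case-sensitive."""
    v = refang(value)
    low = v.lower()
    if len(low) in HASH_BY_LENGTH and re.fullmatch(r"[0-9a-f]+", low):
        return HASH_BY_LENGTH[len(low)], low
    if EMAIL_RE.fullmatch(v):
        return "email", low
    if "://" in v:
        return "url", v
    try:
        ipaddress.ip_address(v)
        return "ip", v
    except ValueError:
        pass
    # Loose pattern: a filename such as setup.exe also matches. Acceptable
    # here because only exact watchlist membership produces a hit.
    if DOMAIN_RE.fullmatch(low):
        return "domain", low
    return "unknown", v


def build_watchlist(raw_indicators):
    """Aggregate and normalize feed entries into {type: set(values)}."""
    watchlist = defaultdict(set)
    for raw in raw_indicators:
        kind, norm = classify(raw)
        if kind != "unknown":
            watchlist[kind].add(norm)
    return watchlist


def candidates(line):
    """Yield (type, value) pairs found in a log line. Tokens are split on
    whitespace, '=', ',' and quotes (an assumption about the log formats).
    A URL also yields its host, so a domain indicator matches any URL on it."""
    for token in re.split(r"[\s=,\"']+", line):
        if not token:
            continue
        kind, norm = classify(token)
        if kind == "unknown":
            continue
        yield kind, norm
        if kind == "url":
            host = urlsplit(norm).hostname
            if host:
                yield "domain", host.lower()


def threat_exposure_check(log_lines, watchlist):
    """Return every watchlist hit as {"line": n, "type": t, "indicator": v}."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for kind, norm in candidates(line):
            if norm in watchlist.get(kind, ()):
                hits.append({"line": n, "type": kind, "indicator": norm})
    return hits


if __name__ == "__main__":
    for hit in threat_exposure_check(LOGS, build_watchlist(FEED)):
        print(hit)
```

On the constructed data the check produces five hits: a domain match on line 1 (the proxy URL's host), an IP match on line 3, an email match on line 4, an MD5 match on line 5 (case-normalized), and an exact URL match on line 6. Line 7 deliberately does not match: a URL indicator is specific to its path, so other paths on the same host are not flagged unless the host itself is also on the watchlist. That granularity difference is the same point the Pyramid of Pain makes about domains versus hashes: the broader the indicator, the more activity it covers, and the more false positives it can produce.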
- Strategic Intelligence
  - High-level, non-technical information
    - Examples
      - Presentations that cover global events and link them with cyber activity
      - A report on patterns of cyber attacks (e.g. the COVID pandemic resulting in increased tailored phishing attacks)
      - Keeping the internal security team informed about activity related to threat actors
  - Intelligence sharing and partnerships
    - Intelligence sharing
      - Information Sharing and Analysis Center (ISAC)
      - Industry-specific groups comprised of multiple organizations in order to share actionable intel such as IOCs, precursors, and information about attacks and threats
    - IOC/TTP gathering and distribution
      - OSINT vs paid-for sources
        - OPEN SOURCE
          - Tweet IOC
          - Spamhaus
          - URLhaus
          - AlienVault Open Threat Exchange
          - VirusShare
          - List of free threat feeds
          - Anomali weekly threat briefing
        - PAID-FOR INTELLIGENCE
          - FireEye
          - Recorded Future
          - CrowdStrike
          - Flashpoint
          - Intel471
    - Traffic Light Protocol (TLP)
      - Originally created in the early 2000s by the UK Government's National Infrastructure Security Coordination Centre
      - Purpose of TLP
        - Allows the author of the original information to state how they want their information circulated, such as sharing only with specific individuals within an organization, within trusted communities, or in the public domain
  - Global malware campaigns
    - Malware used by threat actors
    - Global campaign: Trickbot
    - Global campaign: Sodinokibi
    - Global campaign: Magecart
    - Global campaign: Emotet

Threat Intelligence Lifecycle

- Planning and direction
  - Research and learn more about the hacking group, including who is involved and how sophisticated they are
  - Check for public exposure in order to understand the attack surface of the organization
  - Discover the most appropriate actions that can be taken to defend against this threat
- Collection
- Processing
- Analysis
- Dissemination
  - You need to ask:
    - What threat intelligence does the audience need, and how can external information support their activities?
    - How should the intel be presented to make it easily understandable and actionable for that audience?
    - How often should we provide updates and other information?
    - Through what media should the intel be disseminated?
    - How should we follow up if they have questions?
- Feedback

Examples of Intelligence:

- Cyber threat context
- Incident prioritization
- Investigative enrichment
- Information sharing

Threat Actor Naming

- CrowdStrike
  - Panda
    - Umbrella term for nation-state activity tied to China
  - Jackal
    - Tied to Syria/Iran
  - Spider
    - eCrime (Mummy Spider is the group behind Emotet)
  - Chollima
    - North Korea
  - Jackal
    - Hacktivist
  - Tiger
    - India
  - Kitten
    - Iran
  - Bear
    - Russia
  - Buffalo
    - Vietnam
  - Leopard
    - Pakistan
- Mandiant/FireEye: "APTxx"
  - APT28 or APT39
    - Taken from international country codes
  - China
    - APT1, APT2, APT3, APT10, APT19, APT20, APT30, APT40, APT41
  - Iran
    - APT33, APT34, APT35, APT39
  - North Korea
    - APT37, APT38
  - Russia
    - APT28, APT29
  - Vietnam
    - APT32
- Financially motivated cybercrime groups
  - Under FireEye, the prefix "FIN" is used
    - FIN4, FIN5, FIN6, FIN7, FIN8, FIN9, FIN10
- Unclassified groups
  - "UNC"
