This chapter covers the fundamentals of threat intelligence, including the characteristics of various threat actors such as APTs, hacktivists, organized crime, and insider threats. It discusses common intelligence sources, the importance of timely and accurate data, and best practices for information sharing. Additionally, it highlights the significance of understanding tactics, techniques, and procedures (TTPs) in cyberattacks and the role of automated tools in sharing threat intelligence.
Module 1.4
Chapter 07: Fundamentals of Threat Intelligence

In this chapter you will learn:
■ The fundamentals of threat intelligence
■ Characteristics of various threat actors
■ Common intelligence sources and the intelligence cycle
■ Information sharing best practices
■ Effective use of indicators of compromise
1.1 Foundations of Intelligence

• An incident is any action that results in direct harm to your systems or increases the likelihood of unauthorized exposure of your sensitive data.
• Antivirus software and more sophisticated security devices detect threats using signature-based and anomaly-based methods.
• A zero-day refers to either a vulnerability or an exploit never before seen in public. A zero-day vulnerability is a flaw in a piece of software that the vendor is unaware of and therefore has not issued a patch or advisory for.

Threat Actors

Threat actors are not equal in terms of motivation and capability; neither are they all necessarily overtly malicious.

Advanced Persistent Threats (APTs)

• An APT refers to any of a number of stealthy and continuous computer hacking efforts, often coordinated and executed by an organization or government with significant resources.
• The goal of an APT is to gain and maintain persistent access to target systems while remaining undetected.
• APTs, regardless of affiliation, are characterized by resourcing, consistency, and a military-like efficiency in compromising systems, stealing data, and covering their tracks.
• Automated threat intelligence sharing is a recent development in the security community. Many vendors provide solutions that automatically share threat data and orchestrate technical countermeasures in response.

Hacktivists

• Hacktivists are threat actors that typically operate with less resourcing than their nation-state counterparts but nonetheless coordinate efforts to bring light to an issue or promote a cause.
• Unlike other threat actors, hacktivists rarely seek to operate with stealth; they look to bring attention to their cause along with notoriety for their own organization.

Organized Crime/Crime Syndicates

• These are threat actors whose main goal is financial gain.
• Cybercrime syndicates have recently embraced new technologies, exploited new opportunities, delivered new payloads, and sought out new targets.
• Despite having a well-understood operational model, organized crime threat actors still account for a significant percentage of security incidents.

Nation-States

• Nation-state threat actors are frequently among the most sophisticated adversaries, with dedicated infrastructure, training resources, and operational support behind their activities.
• Like many government-supported operations, nation-state activities are often conducted to achieve political, economic, or strategic military goals.
• They may use toolsets that are rarely seen, or impossible to detect at the time of the security event, such as a zero-day exploit.
• Depending on the countries involved, businesses can quickly become part of the activity in either a direct or a supporting capacity.
• More sophisticated threat actors may incorporate false flag techniques, performing activities that lead defenders to falsely attribute their activity to another actor. Attribution should therefore be stated with an explicit confidence level rather than asserted as fact.
• One nation's intelligence apparatus is another nation's malicious actor.

Script Kiddies

• The term "script kiddie" was coined to describe inexperienced or "wannabe" hackers with very minimal skills.
• These novices essentially cut and paste exploit code or use pre-built GUI tools developed by more experienced hackers, without understanding the intricacies of the tool or the attack itself.
• They often use easy-to-run exploits that are also simple to defend against.

Insider Threats

• Insider threat actors work within an organization and represent a particularly high risk of catastrophic damage because of their privileged access to internal resources.
• To address insider threats, the security program must be designed to adhere to the principle of least privilege for access.
• Mandating annual cybersecurity awareness training, along with technical controls that prevent unauthorized file access, has been shown to reduce the occurrence and impact of insider threats.
• Intentional insider threat actors may be employees, contractors, or business partners with established access to internal services, or any of these who have severed ties with the organization but have not lost access. An offboarding process that promptly revokes accounts, credentials, and tokens closes this gap.
• Lack of security education, negligence, and human error are among the top contributors to unintentional insider security events.

Supply Chain Threats

• The supply chain as a source of attack has only been seriously considered and analyzed in the past decade.
• Supply chain threats not only come from suppliers but can also be inadvertently passed along to an organization's customers, who receive their hardware, software, or supplies from the organization.

Commodity Malware

• Commodity malware includes any pervasive malicious software that is sold to threat actors.
• It is not always the most advanced or stealthy software.
• Malware as a Service (MaaS) is malware designed, built, and sold to customers based on their individual specifications.
• Many of these tools are offered as cloud-based subscription services, making it easier for potential "customers" to acquire, access, and suspend them.
• One of the most common types of MaaS is Ransomware as a Service (RaaS).

Tactics, Techniques, and Procedures

• The term Tactics, Techniques, and Procedures (TTPs) describes the behavior of a threat actor: a structured way of describing how a cyberattack is executed.
• TTPs describe the system artifacts and behavioral attributes that analysts actually observe. Because behavior is harder for an attacker to change than an atomic artifact such as a file hash or an IP address, TTPs are the more durable basis for detection.
• A tactic is the highest-level description of the behavior and strategy.
• Techniques provide a more detailed description of the behavior in the context of a tactic.
• Procedures provide a lower-level, highly detailed description of the behavior in the context of a technique.

Characteristics of Intelligence Source Data

• Organizations must be able to map the threat intelligence products they acquire or produce to some distinct aspect of their threat profile.
• Good threat intelligence provides three critical elements so that analysts can give decision-makers appropriate answers:
  • Timeliness
  • Relevancy
  • Accuracy

Confidence Levels

• Estimative language aims to communicate intelligence assessments while acknowledging the existence of incomplete or fragmented information.
• Confidence levels reflect the scope and quality of the information supporting these judgments:
  • A high confidence level means that assessments are based on high-quality information, and/or the nature of the issue makes it possible to render a solid judgment.
  • A moderate confidence level means that the information is credibly sourced and plausible but is not of sufficient quality, or lacks the corroboration, to warrant a higher level of confidence.
  • A low confidence level means that the information is questionable or implausible, and may be too fragmented or poorly corroborated to make solid analytic

Collection Methods and Sources

7.4.1 Open Source

• Open-source intelligence (OSINT) is free information collected in legitimate ways from public sources such as news outlets, libraries, and search engines.
• Threat analysts often use OSINT sources to keep pace with security industry trends and discussions in near real time.
• From an adversary's point of view, it is almost always preferable to get information about a target without directly touching it.
• Fewer fingerprints (or log entries) are then left behind for defenders and investigators to find.
Google

• Google can help an attacker gather a remarkable amount of information about any individual, organization, or network.
• You will not be required to know the specific symbols and words used in advanced Google searches, but as a security analyst it is useful to understand the methods of refining search engine results, such as Boolean logic, word order, and search operators.

Internet Registries

• Five regional Internet registries (RIRs: AFRINIC, APNIC, ARIN, LACNIC, and RIPE NCC) manage the allocation of IP address space and autonomous system numbers in their respective regions of the world. Their allocation records are publicly queryable via WHOIS and RDAP, which is how an analyst (or an adversary) maps an IP address back to the organization holding it.
• The activities of the five RIRs are coordinated through the Number Resource Organization (NRO), which also provides a detailed listing of each country's assigned RIR.

Social Media

• Social media sites can be rich sources of threat data. Twitter and Reddit, for example, are two platforms that often provide useful artifacts during high-impact events.
• Community and user forums covering a wide variety of topics can be used to glean insight into threat events.
• They can also be highly targeted sources of personal information.
• In a social engineering campaign, an attacker uses deception, often informed by the profile they have built of the target, to manipulate the target into performing an act that may not be in their best interest.
• Despite the most advanced technical countermeasures, the human element remains the most vulnerable part of the network.

Government Bulletins

• Threat intelligence can come from federal, state, and local governments.
• These organizations often have superior threat collection and analysis resources and may dispense threat intelligence freely across different industries.
• Threat intelligence from government sources can be either open source or closed source, depending on the sensitivity of the intelligence and the intended audience.
Response Team Intelligence

• Response teams such as computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs) often publish threat intelligence as open source, based on current threats they have encountered or investigations they are conducting.
• These teams may be private or belong to an open-source community.

Deep/Dark Web

• The deep web is the part of the Internet that most casual users don't see: content that search engines do not index. The dark web is the subset reachable only through anonymizing overlay networks, and it is used by technically savvy criminals, terrorists, and other unscrupulous people.
• The dark web is also a good source of threat intelligence for those who are technically adept and able to access it.

7.4.2 Closed Source

• A key tenet of intelligence analysis is never relying on a single source of data when attempting to confirm a hypothesis.
• Closed source data is any data collected covertly or as a result of privileged access. Common types of closed source data include internal network artifacts, dark web communications, details from intelligence-sharing communities, and private banking and medical records.

Internal Network

• By leveraging threat data from your own network, you can identify potentially malicious activity with far greater speed and confidence than with generic threat data.
• The most common sources of raw threat-related data are event logs, DNS, virtual private network (VPN), firewall, and authentication system logs.
• By establishing a baseline of normal activity and combining it with historical knowledge of past incident responses, analysts improve their awareness of emerging threats or ongoing malicious activity.

Classified Data

• In some cases, the mere disclosure of the data may jeopardize access to the source information, or worse, the individuals involved in the collection and analysis process.
• Classified data, that is, data whose unauthorized disclosure may cause harm to national security interests, is protected by several statutes that restrict its handling and sharing to trusted individuals.
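The Internal Network slide above says that a baseline of normal activity, built from your own authentication and VPN logs, lets analysts spot deviations faster than generic threat data can. The following is an added example, not part of this module, that shows one minimal way to do that: it learns, per user, the /24 source networks and the hours of day seen in successful logins over a history window, then reports new logins that fall outside either. The syslog-like line format, the host name vpn01, the user names, the addresses, and the two rules themselves are constructed assumptions for illustration.

```python
"""Baseline-and-deviation check over authentication logs (added example).

The log format, users, addresses and the two deviation rules below are
constructed assumptions, not a real product's format or policy.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed history window used to learn what "normal" looks like.
HISTORICAL_LOGS = """\
2024-03-01T08:12:04Z vpn01 auth: user=alice src=203.0.113.10 result=success
2024-03-01T09:02:44Z vpn01 auth: user=alice src=203.0.113.11 result=success
2024-03-02T08:30:10Z vpn01 auth: user=alice src=203.0.113.10 result=success
2024-03-02T18:05:59Z vpn01 auth: user=bob src=198.51.100.7 result=success
2024-03-03T17:48:21Z vpn01 auth: user=bob src=198.51.100.9 result=success
2024-03-03T08:01:00Z vpn01 auth: user=alice src=203.0.113.12 result=failure
""".splitlines()

# Constructed lines from a later day that we check against the baseline.
NEW_LOGS = """\
2024-03-10T08:20:00Z vpn01 auth: user=alice src=203.0.113.10 result=success
2024-03-10T03:14:00Z vpn01 auth: user=alice src=192.0.2.200 result=success
2024-03-10T18:00:00Z vpn01 auth: user=bob src=198.51.100.7 result=success
2024-03-10T23:59:00Z vpn01 auth: user=carol src=192.0.2.5 result=success
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # Collapse the source address to its /24 so a DHCP change inside the
    # same office network does not look like a new location.
    ev["net"] = str(ipaddress.ip_network(ev["src"] + "/24", strict=False))
    return ev


def build_baseline(lines):
    """Per user: the /24 networks and hours of day seen in successful logins."""
    baseline = defaultdict(lambda: {"nets": set(), "hours": set()})
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue  # failures tell us nothing about the user's normal pattern
        baseline[ev["user"]]["nets"].add(ev["net"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(baseline)


def find_deviations(baseline, lines):
    """Successful logins that break the learned pattern, with the reasons."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        known = baseline.get(ev["user"])
        reasons = []
        if known is None:
            reasons.append("no baseline for user")
        else:
            if ev["net"] not in known["nets"]:
                reasons.append(f"new source network {ev['net']}")
            if ev["ts"].hour not in known["hours"]:
                reasons.append(f"unusual hour {ev['ts'].hour:02d}")
        if reasons:
            findings.append({"user": ev["user"], "src": ev["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_deviations(build_baseline(HISTORICAL_LOGS), NEW_LOGS):
        print(f["user"], f["src"], "; ".join(f["reasons"]))
```

A login that trips both rules (alice from 192.0.2.200 at 03:14) is worth an immediate look; a user with no baseline at all (carol) is a data-coverage problem before it is a detection, and in practice the history window must be long enough to cover on-call and travel patterns or the alert volume will bury the analyst.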
• Leaks of classified data may result in steep administrative or criminal penalties.

Threat Intelligence Subscriptions

• Commercial threat feeds that an organization subscribes to and pays for are considered closed source.
• The advantage of these subscriptions is that they are curated, are sometimes more detailed and of higher quality than open-source threat intelligence, and are customized to the organization's business needs.
• The disadvantage is their cost, which can range from a low monthly fee to quite expensive.

Threat Intelligence Sharing

Automated tools can be used to share threat intelligence between organizations.

Information Sharing and Analysis Communities

• While information sharing occurs frequently between industry peers, it is usually informal and ad hoc. One of the most effective formal methods of information sharing is through information sharing and analysis centers (ISACs).
• ISACs are industry-specific bodies that facilitate sharing of threat information and best practices relevant to the specific and common infrastructure of the industry.
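The slides on timeliness, relevancy and accuracy, on confidence levels, and on matching internal network data come together at the point where a shared feed (an ISAC or commercial subscription) is actually applied to your own logs. The following is an added example, not part of this module, showing that step in Python: indicators older than an aging window are dropped (timeliness), the feed's confidence word is mapped to the high/moderate/low scale from the Confidence Levels slide (accuracy), and only hits at or above a chosen confidence become alerts while the rest go to a watch list. The JSON-lines feed schema, the DNS and firewall log formats, the 30-day window, and every value in the sample data are constructed assumptions.

```python
"""Apply a threat feed to internal DNS and firewall logs (added example).

Feed schema, confidence vocabulary, log formats and all sample values are
constructed assumptions, not any real feed's or product's format.
"""
import json
import re
from datetime import datetime, timedelta

# Ranks for the estimative-language confidence levels on the slide.
CONFIDENCE_RANK = {"high": 3, "moderate": 2, "low": 1}

# Constructed feed records, one JSON object per line.
FEED_LINES = [
    '{"type": "domain", "value": "update-cdn.example.net", "confidence": "high", "first_seen": "2024-03-08", "source": "isac-feed"}',
    '{"type": "ipv4", "value": "198.51.100.77", "confidence": "moderate", "first_seen": "2024-03-05", "source": "vendor-feed"}',
    '{"type": "domain", "value": "login.example.org", "confidence": "low", "first_seen": "2024-03-09", "source": "osint-paste"}',
    '{"type": "ipv4", "value": "192.0.2.44", "confidence": "high", "first_seen": "2023-01-02", "source": "vendor-feed"}',
]

# Constructed internal log lines: resolver queries and firewall connection events.
LOG_LINES = [
    "2024-03-10T10:00:00Z dns query client=10.0.0.5 qname=update-cdn.example.net",
    "2024-03-10T10:00:05Z fw allow src=10.0.0.5 dst=198.51.100.77 dport=443",
    "2024-03-10T10:01:00Z dns query client=10.0.0.9 qname=login.example.org",
    "2024-03-10T10:02:00Z fw allow src=10.0.0.9 dst=192.0.2.44 dport=80",
    "2024-03-10T10:03:00Z dns query client=10.0.0.5 qname=www.example.com",
]

DNS_RE = re.compile(r"^(?P<ts>\S+) dns query client=(?P<client>\S+) qname=(?P<qname>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def load_feed(lines, now, max_age_days=30):
    """Parse the feed; drop indicators older than max_age_days (timeliness).

    Old IP indicators are a known false-positive source because addresses
    are recycled, so aging them out is the cheapest relevancy filter.
    """
    cutoff = now - timedelta(days=max_age_days)
    indicators = {}
    for line in lines:
        rec = json.loads(line)
        if rec["confidence"] not in CONFIDENCE_RANK:
            continue  # unknown vocabulary: do not guess at a rank
        if datetime.strptime(rec["first_seen"], "%Y-%m-%d") < cutoff:
            continue
        indicators[(rec["type"], rec["value"].lower())] = rec
    return indicators


def observables(line):
    """Yield (type, value, internal_host) triples found in one log line."""
    m = DNS_RE.match(line)
    if m:
        yield ("domain", m["qname"].lower(), m["client"])
        return
    m = FW_RE.match(line)
    if m:
        yield ("ipv4", m["dst"], m["src"])


def match_logs(indicators, log_lines, alert_min="moderate"):
    """Split feed hits into alerts (confidence >= alert_min) and a watch list."""
    alerts, watch = [], []
    threshold = CONFIDENCE_RANK[alert_min]
    for line in log_lines:
        for obs_type, value, internal_host in observables(line):
            rec = indicators.get((obs_type, value))
            if rec is None:
                continue
            hit = {"indicator": value, "confidence": rec["confidence"],
                   "source": rec["source"], "host": internal_host, "log": line}
            (alerts if CONFIDENCE_RANK[rec["confidence"]] >= threshold else watch).append(hit)
    alerts.sort(key=lambda h: CONFIDENCE_RANK[h["confidence"]], reverse=True)
    return {"alerts": alerts, "watch": watch}


def run(now_iso="2024-03-10"):
    """Load the constructed feed and match it against the constructed logs."""
    indicators = load_feed(FEED_LINES, datetime.strptime(now_iso, "%Y-%m-%d"))
    result = match_logs(indicators, LOG_LINES)
    result["indicators"] = indicators
    return result


if __name__ == "__main__":
    res = run()
    for h in res["alerts"]:
        print("ALERT", h["confidence"], h["host"], "->", h["indicator"], f"({h['source']})")
    for h in res["watch"]:
        print("WATCH", h["confidence"], h["host"], "->", h["indicator"], f"({h['source']})")
```

The stale 192.0.2.44 indicator never fires even though a firewall line matches it, and the low-confidence login.example.org hit is kept but not alerted on, so a single-source OSINT paste cannot page anyone on its own; corroboration from a second source, the slide's "never rely on a single source" rule, would be the trigger for promoting it.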