Chapter 12

What Is Threat Intelligence?

Abstract

Threat intelligence in the cyber space refers to a bleeding-edge technology and operational disciplines that enable the collection, correlation, and analysis and the meaningful use of data on threats or threat actors to inform and adapt security defenses. A threat intelligence program provides a neutral, unbiased lexicon and forum by which security teams can share threat information with one another, interoperate more effectively with compatriots and law enforcement, and avail themselves of the expertise of others to improve and coordinate advanced countermeasures. There are a number of accepted classifications of intelligence, but to set the stage, we will highlight those that are most commonly collected and consumed as part of an enterprise cybersecurity threat intelligence program.

Keywords

Closed source intelligence; Network exploitation; Open source intelligence; Security information and event management; Threat actor; Threat intelligence

Threat intelligence means a lot of things to a lot of people. Its origins, like many of the concepts in this book and in the security industry as a whole, are largely derived from our experience in military acts of identifying, understanding, anticipating, and thwarting the activities of adversaries to a given critical asset. As tools and technologies emerge and trend toward simultaneous innovation, automation, and commoditization, threat intelligence has taken on an air of being something that can be not only amassed, cultivated, and matured, but also purchased wholesale.
However, lest we fall victim to past mistakes regarding the reduction of valuable security elements and metrics to the lowest common denominator, where they inevitably lose fidelity to their core principles and functions, it is important to step back and consider what it means to truly consume and operationalize intelligence, beyond the misleading notion that intelligence is something innately measurable, finite, articulate, uniform, and rote enough to comply with a one-size-fits-all method of collection, implementation, and adoption.
At a high level, and for the sake of conversation, threat intelligence in cyber space refers to technology and operational disciplines that enable the collection, correlation, and analysis and the meaningful use of data on threats or threat actors to inform and adapt security defenses. Threat intelligence platforms and solutions continue to grow in their reach and capacity to collect and interpret information from a multitude of sources. Their receptiveness to interpretation and analytics that point defenders to threats and to mitigating actions that fit their respective environments, vulnerabilities, and available countermeasures is also on the increase.
By aggregating threat data from multiple sources, correlating and interpreting the data, and then porting it elsewhere into the environment for use by other systems and teams, threat intelligence seeks to identify and inform avenues for the mitigation through the implementation of countermeasures.
A true threat intelligence program stands apart from traditional security technologies and products in that it is an ecosystem that can be not only tuned, but also culled, programmed, and continually analyzed to suit the resources and threats with which the security team is working on a daily basis.

Types of Threat Intelligence

Threat intelligence comes in many forms. Some sources overlap and fall into or include multiple categories, and they frequently reference multiple sources of data, much of which will overlap. Some of these sources are highly academic. Some represent all-too-real-world occurrences, and some are the direct result of law enforcement investigations and takedowns that expose the inner workings of a given attack or vector. Some are corralled or created by idiots who are speculating wildly or are grossly out of touch with the practical application of any of the threats they purport to reference. The source and type of the intelligence you seek to integrate into your threat intelligence program is as important to its value as how or if you use it. It is therefore important to identify the type of intelligence that source represents as you determine what, if any, action to take with it. There are a number of accepted classifications of intelligence, but to set the stage, we will highlight those that are most commonly collected and consumed as part of an enterprise cybersecurity threat intelligence program.

External Intelligence

External intelligence, in a nutshell, is any information gathered and/or interpreted by sources outside your organization. Most commonly, external intelligence takes the form of feeds purchased or subscribed to and is based on data amassed by external analysts and organizations. These sources come from independent security researchers, product or service providers, and law enforcement agencies based on patterns uncovered in previous investigations. These sources often cross-reference and overlap with one another and are subject to constant change.
External intelligence may take into account threats that relate directly to your organization, industry, and attackers, or may speak to goings-on observed in the wild or at the malware level.

Institutional Intelligence

Institutional intelligence, also referred to as internal intelligence, refers simply to any data gathered about your institution, by your institution, and for your institution. The most basic and vast sources are typically your logs from things such as security information and event management (SIEM) systems, firewalls, and user behavior analytics. Amusingly enough, low-level system and event logs are often thought of as the most pedestrian and uninteresting collection of data we gather and hoard as technology professionals. Many of us would just as soon drive forks into our eyes as volunteer to work with and review them, but more often than not, when something goes horribly wrong, the evidence is right there in our internal logs and can be leveraged to investigate the incident or, if reviewed earlier, to mount defenses against the attack before it succeeds.
Institutional intelligence, at a more evolved and programmatic level, can include data points gathered from less rote sources, including people (“see something, say something” conversations and behavior monitoring), workflow and interteam operational processes, and incident response and investigations. A level of maturity is often required before these sources of institutional intelligence can be consumed, interpreted, and incorporated into something actionable and repeatable, but they are attainable, nonetheless. Institutional intelligence cannot be bought, and it remains one of the richest, most immediately available, and most relevant sources of usable information an organization can work into its intelligence diet. Yet it is one of the most underappreciated forms of threat intelligence.

Open Source Intelligence

Information need not be secretive or esoteric to provide immense value. It may not always be easily found, but it does not have to be impossible to acquire in order to be precious. We sometimes get so wrapped up in the advancement of the adversary that we assume that anything we do as defenders has to be similarly cutting edge, cloak and dagger, and unknowable to the masses to be effective or worth spending time and money on.
Put in this context, we can recognize the folly of that mentality by comparing it to the number of breaches that gain a toehold through exploitation of basic security hygiene failures. Useful, relevant, and otherwise telling data is readily available in the things we read, hear, and see on the Internet every day. In the same way that the innumerable streams of information that we consume as natural observers of our environment, media, and other input streams serve to provide context for our view of our surroundings, circumstances, and conditions, open source intelligence (OSINT) serves to inform security practitioners of the threat and cybersecurity landscapes.
The intelligence community generally refers to this freely available information as OSINT. It includes sources such as:
▪ the Internet (websites, blogs, articles, vulnerability and Common Vulnerabilities and Exposures (CVE) data, etc.)
▪ media and news outlets (broadcasts, newspapers, magazines, etc.)
▪ social media, chat room and forum musings, and conversational rants by other observers
▪ breach disclosures and corporate filings
▪ research and studies, presentations, and white papers
▪ geospatial information (map and satellite data)
▪ threat feeds supplied by vendors, service providers, and law enforcement for the purpose of information sharing
▪ the dark web (discussed in Chapter 7)
More than 80% of threat intelligence available is open source, so defenders must up their game when it comes to collecting and using it. Publicly available sources frequently offer a low-cost, high-value intelligence tool for analysts, if they know where (and where not) to look, and can be used to identify indicators, perform link analysis, and tune security operations.
There are a number of readily available threat feeds and exchanges that can be feasibly and meaningfully integrated into a threat intelligence program, whether as individual or aggregate feeds. Popular examples often work with accepted threat information sharing specifications, such as STIX/TAXII, to facilitate the automation and consumption of vetted threat data. Two favorites, AlienVault OTX and Hail A TAXII, both leverage STIX/TAXII, among other frameworks, to enable open collaboration and sharing of threat data among practitioners within the security and intelligence communities. They can be very helpful in founding or fueling an organization's threat intelligence program at the technical level.
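Feeds such as the ones named above deliver their data as STIX bundles, and the practical first step in consuming them is turning each Indicator object's pattern into plain observables that a SIEM or blocklist can use. The following is an added example, not code from the book or from any of the feeds it mentions; it parses a constructed STIX 2.1 bundle (the IP, domain, URL and hash values are documentation-range or placeholder values, not real indicators), handles simple AND/OR patterns, and drops indicators whose validity window has lapsed, since stale indicators are a common source of false positives. The `path_to_type` mapping and the record layout are this example's own choices, not a STIX requirement.

```python
"""Extract atomic indicators from a STIX 2.1 bundle (added example, not from the book).

A STIX Indicator carries a pattern such as
    [ipv4-addr:value = '198.51.100.7']
    [file:hashes.'SHA-256' = '<hex>']
    [domain-name:value = 'c2.example' OR url:value = 'http://c2.example/gate.php']
This parser picks out comparison expressions joined by AND/OR and ignores anything
it does not understand, which is the safe failure mode for a feed consumer.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample bundle; every value is a placeholder, not a real indicator.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "created": "2024-01-10T12:00:00.000Z", "modified": "2024-01-10T12:00:00.000Z",
         "name": "C2 address (constructed)", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2024-01-10T12:00:00Z", "valid_until": "2024-02-10T12:00:00Z",
         "confidence": 80},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "created": "2024-01-12T00:00:00.000Z", "modified": "2024-01-12T00:00:00.000Z",
         "name": "C2 domain and gate URL (constructed)", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example' OR url:value = 'http://c2.example/gate.php']",
         "valid_from": "2024-01-12T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--44444444-4444-4444-8444-444444444444",
         "created": "2020-01-01T00:00:00.000Z", "modified": "2020-01-01T00:00:00.000Z",
         "name": "Old dropper hash (constructed, expired)", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "valid_from": "2020-01-01T00:00:00Z", "valid_until": "2020-06-01T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--55555555-5555-4555-8555-555555555555",
         "created": "2024-01-10T12:00:00.000Z", "modified": "2024-01-10T12:00:00.000Z",
         "name": "Constructed RAT", "is_family": False},
    ],
})

# One comparison expression: object path, operator, single-quoted literal.
# The object path itself may contain a quoted key, e.g. file:hashes.'SHA-256'.
_COMPARISON = re.compile(
    r"([\w-]+:[\w.'-]+)\s*(!=|=|LIKE|MATCHES|IN)\s*'((?:[^'\\]|\\.)*)'"
)

# Observable paths this consumer knows how to act on (example's own mapping).
PATH_TO_TYPE = {
    "ipv4-addr:value": "ipv4",
    "ipv6-addr:value": "ipv6",
    "domain-name:value": "domain",
    "url:value": "url",
    "email-addr:value": "email",
    "file:hashes.MD5": "md5",
    "file:hashes.'SHA-256'": "sha256",
}


def parse_pattern(pattern):
    """Return [(object_path, operator, value), ...] for every comparison in a STIX pattern."""
    return [(path, op, value) for path, op, value in _COMPARISON.findall(pattern)]


def _parse_ts(text):
    """STIX timestamps are RFC 3339 with a trailing Z; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def extract_indicators(bundle_json, now=None):
    """Parse a bundle and return normalized records for indicators valid at time `now`
    (an RFC 3339 string, a datetime, or None for the current time)."""
    if now is None:
        now_dt = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now_dt = _parse_ts(now)
    else:
        now_dt = now
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    records = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        valid_from = _parse_ts(obj["valid_from"])
        valid_until = _parse_ts(obj["valid_until"]) if "valid_until" in obj else None
        if now_dt < valid_from or (valid_until is not None and now_dt >= valid_until):
            continue  # not yet active or expired: acting on it would only create noise
        for path, op, value in parse_pattern(obj["pattern"]):
            if op != "=" or path not in PATH_TO_TYPE:
                continue  # only equality on a known observable type is directly actionable
            records.append({"type": PATH_TO_TYPE[path], "value": value,
                            "confidence": obj.get("confidence"),
                            "name": obj.get("name"), "stix_id": obj["id"]})
    return records


if __name__ == "__main__":
    for rec in extract_indicators(SAMPLE_BUNDLE, now="2024-01-20T00:00:00Z"):
        print(json.dumps(rec))
```

Run against the constructed bundle at 20 January 2024, the expired hash indicator and the non-indicator malware object are skipped, and the three usable observables come out with their confidence and originating STIX id attached so the downstream system can cite the source.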

Closed Source Intelligence

Converse to OSINT, closed source intelligence (CSINT) is information gathered from sources that are not freely available to the community at large. Although this may be broadly interpreted to include intelligence feeds that must simply be paid for to be acquired or accessed, the intelligence community typically distinguishes CSINT as being intelligence that requires a quiet and trusted partnership in order for the information to be shared.
Examples of this definition of CSINT might be data exchanged with law enforcement or government agencies as part or result of ongoing investigations or nation-state actor threats. InfraGard is an example of a government partnership with industry, and information is only shared among vetted members. There are industry-specific information sharing and analysis centers (ISACs), where members share threat-related information among themselves. CSINT of this type may also include partnerships between developers and users that make use of knowledge of code or systems that constitutes trade secrets. Such information is not shared as part of a broader vulnerability or threat disclosure, nor, in the case of critical infrastructure or systems, where making it publicly known would create greater vulnerability.
CSINT that is regarded as closed only because it requires a subscription or payment in some form may be widely available and feasible to consume. In general, though, CSINT will typically not constitute more than a small fraction of a threat intelligence program, if any at all.

Human Intelligence

Human intelligence (HUMINT) is intelligence acquired from human sources. This can include the observation of human-to-human interactions. This data gathering exercise is frequently laborious to engage in and even harder to validate or make meaningful use of. However, more cursory and practical examples of HUMINT in the enterprise sector can be found in the reputation and brand protection exercises, where agents of an enterprise seek out mentions of corporate monikers appearing in the wild and monitor communications of employees for signs of disgruntled or reckless behavior that might lead to data leakage.
Some organizations may have a small team of researchers who patrol forums known for trading malware or sensitive data, such as credit card numbers, as a means to check what might be trending or affecting them. They may do this by posing as a criminal. However, generally speaking, the collection and validation of this kind of intelligence is best left to experts and specialists, who typically are law enforcement agencies and service providers in the business of infiltrating adversary communities and checking for or investigating evidence of wrongdoing. It is mostly not feasible to devote the capital resources or manpower to build a posse of personnel who are well skilled and covert enough to penetrate these darker communities and, furthermore, identify actions that can be taken before assets are compromised. A looser interpretation of HUMINT is keeping an eye on your employees and their watercooler conversations or monitoring corporate chat vehicles.

Threat Intelligence Platforms

Threat intelligence platforms enable practitioners to confront the threats and adversaries directly, tuning and adapting their responses as an attack plays out and evolves. Many times, these attacks are recognizable. Countless analyses have demonstrated that although the threat actors may change or evolve, they frequently recycle effective attack methods, because they are effective. Even in many new cases for which no malware signature has been derived, the methods themselves are represented by patterns that persist even as the adversaries' tools and targets change. It is very important for an organization to have in place a flexible, cohesive means of collecting, aggregating, reporting, and sharing what would otherwise be an excruciating amount of disjointed detail that would drown operators in minutiae and obscure patterns that emerge when incident data is viewed holistically.
At various stages of an attack, threat intelligence platforms may serve to identify the threat actor, detect the presence of a threat tool, stop the actions associated with a threat, disrupt the means or infrastructure being used to effect an attack, or just focus on turning the target network and systems into a live laboratory where the threat can be studied. Through threat intelligence, enterprises and researchers can identify the threat details that are the most useful and relevant to their own environment and risks.
When speaking of threat intelligence platforms, we include the tactical processes, tools, techniques, and technologies that are used to carry out the mission of the threat intelligence program. Although a mature threat intelligence program may include a number of layered or ancillary components, at its most fundamental, it should include detection, incident response, threat assessment, threat modeling, threat hunting, and life cycle learning. A well-oiled threat intelligence machine, in as automated a process as possible, throttles the intelligence and experience it gains directly back into explicit operational elements, namely, perimeter defenses [firewalls, intrusion detection system (IDS), etc.], SIEM systems, investigations, and training and awareness programs.
The primary function of a threat intelligence platform is to collect, organize, and interpret. It informs stakeholders and communities in order to respond to threats efficiently and effectively. These intelligence ecosystems enable practitioners to coordinate tactical and strategic activities with operations both inside and outside the security teams, extending the reach of actionable threat and security data to incident response, risk management, and nontechnical line of business owners. However, this is not its only benefit.
One of the greatest ironies of our industry is our hiding of secrets. As we discussed, adversaries do not function in this manner. They readily share tools, tactics, infrastructure, and financial resources to make their shared objectives more successful, while the security community expects to keep pace by putting a stranglehold on its methods, technologies, and failings. To discuss security breakdowns would be to provide a glimpse into failures and would subject us to judgment by our peers, customers, and enemies. Without a sincere and overnight shift in this line of thinking, information sharing will not occur even within an organization, and never in the greater security community. A threat intelligence program provides a neutral, unbiased lexicon and forum by which security teams can share threat information with one another, interoperate more effectively with compatriots and law enforcement, and avail themselves of the expertise of others to improve and coordinate advanced countermeasures.
There are several tools available to organizations. The Collaborative Research Into Threats (CRITs) is an open source tool for analysts engaged in threat defense. Soltra Edge, which is distributed by the Financial Services ISAC, provides a single platform to process many intelligence feeds, as well as providing a variety of analytic tools.

Threat Intelligence Platform Capabilities

Threat intelligence platforms comprise several functional areas that actualize and embody an intelligence-driven security approach. Ideally, a mature platform joins these functions by automated workflows that streamline threat detection, management, analysis, and defensive processes and track them through to completion. However, even a largely manual effort that is well established and documented will increase the efficacy of a security program by an order of magnitude. Threat intelligence platforms should provide the following foundational elements:
▪ Collection: Collects and aggregates multiple sources and formats of data, such as CSV (comma separated value) files, STIX (Structured Threat Information Expression), custom XML/JSON, CVE (Common Vulnerabilities and Exposures), OpenIOC (indicators of compromise), device logs, and email. This is not your SIEM. Although SIEM systems can handle multiple threat-intelligence-related feeds, they are improperly instrumented for taking in and interpreting the free-form, text-heavy unstructured data that frequently characterizes intelligence feeds. It is not uncommon to augment a threat intelligence platform with a SIEM, but it is not good to attempt to replace it with one.
▪ Correlation: Facilitates the automatic analysis and correlation of data so that an attack can be mapped out, linkage can occur, and countermeasures can be deployed. Human sanity checks and creativity should prevail and be involved in the evaluations of correlated data, but automation and machine learning are all that is required for this function to be met at even a basic level.
▪ Context: Provides enrichment and circumstantial details on given events, without which they remain arbitrary and without reporting patterns and linkage. Information is organized data. Intelligence is organized information, with context. A threat intelligence platform should be able to take in and relate additional details garnered from other events and investigations to properly and intelligently make decisions and take action.
▪ Analysis: Evaluates and draws conclusions surrounding threat indicators. Analysis identifies the intricacies of relationships between events to deliver meaningful threat intelligence from the otherwise unrelated data in pivoting sets.
▪ Integration: Supports operational workflow and funnels threat intelligence data into security tools and products for action and life cycle maintenance. Platforms should gather and redistribute normalized, interpreted data to other operational tools such as SIEM systems and perimeter defense technologies, as well as other processes, including incident management, reporting, and/or ticketing systems.
▪ Action: Accelerates and manages the processing and validation of subsequent action and response, whether inside or outside an organization. Action in this context includes cooperative efforts within the security team and other lines of operations and business within an organization as well as between an organization and other contributing parties or stakeholders, such as regulatory bodies, law enforcement, or ISACs, with whom the organization has sharing or response relationships.
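The collection, context, correlation and integration elements above are easiest to see as one small pipeline. The following is an added example, not the book's code and not the behaviour of any product it names: two constructed feeds in different formats (a CSV export and a JSON feed with its own field names) are normalized into one indicator set, duplicates across feeds are merged so that each indicator keeps every source, its highest confidence and its earliest sighting, and four constructed firewall and proxy log lines are matched against that set. Each hit carries the indicator's context, and hits below a confidence floor are still reported but marked not actionable, which is the kind of human sanity check the Correlation element calls for. The feed layouts, field names and the `TYPE_MAP` vocabulary are this example's own assumptions.

```python
"""Collection, context, correlation and action in one pass (added example, not the book's code)."""
import csv
import io
import json
import re

# Constructed feed 1: CSV, as a vendor feed might export it.
FEED_CSV = """indicator,type,confidence,first_seen
198.51.100.7,ipv4,80,2024-01-10
c2.example,domain,60,2024-01-12
203.0.113.9,ipv4,30,2024-01-15
"""

# Constructed feed 2: JSON with its own field names and type vocabulary.
FEED_JSON = json.dumps({
    "source": "community-feed (constructed)",
    "items": [
        {"value": "198.51.100.7", "kind": "ip", "score": 95, "seen": "2024-01-08"},
        {"value": "updates.example", "kind": "hostname", "score": 70, "seen": "2024-01-14"},
    ],
})

# Constructed log lines: firewall decisions and proxy requests, documentation-range addresses.
LOG_LINES = [
    "2024-01-20T09:12:01Z fw01 DENY src=10.0.5.23 dst=198.51.100.7 dport=443",
    "2024-01-20T09:13:44Z proxy01 user=alice GET http://updates.example/setup.exe 200",
    "2024-01-20T09:15:02Z proxy01 user=bob GET http://www.example.com/ 200",
    "2024-01-20T09:16:30Z fw01 ALLOW src=10.0.5.40 dst=192.0.2.10 dport=80",
    "2024-01-20T09:17:11Z fw01 ALLOW src=10.0.5.51 dst=203.0.113.9 dport=8080",
]

# Each feed's type vocabulary mapped onto the platform's own (assumed) vocabulary.
TYPE_MAP = {"ip": "ipv4", "ipv4": "ipv4", "hostname": "domain", "domain": "domain"}


def collect_csv(text, source):
    """Collection: normalize a CSV feed into common records."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"value": row["indicator"].strip().lower(), "type": TYPE_MAP[row["type"]],
               "confidence": int(row["confidence"]), "first_seen": row["first_seen"],
               "source": source}


def collect_json(text):
    """Collection: normalize a JSON feed that uses different field names."""
    feed = json.loads(text)
    for item in feed["items"]:
        yield {"value": item["value"].strip().lower(), "type": TYPE_MAP[item["kind"]],
               "confidence": int(item["score"]), "first_seen": item["seen"],
               "source": feed["source"]}


def aggregate(records):
    """Context: merge the same indicator seen in several feeds; the number of distinct
    sources becomes its corroboration count, confidence is the maximum, first_seen the earliest."""
    merged = {}
    for r in records:
        m = merged.setdefault((r["type"], r["value"]),
                              {"type": r["type"], "value": r["value"], "sources": [],
                               "confidence": 0, "first_seen": r["first_seen"]})
        if r["source"] not in m["sources"]:
            m["sources"].append(r["source"])
        m["confidence"] = max(m["confidence"], r["confidence"])
        m["first_seen"] = min(m["first_seen"], r["first_seen"])  # ISO dates sort lexically
    return merged


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"https?://([^/\s:]+)")


def observables(line):
    """Pull the observables a SIEM would normally parse out of one log line."""
    found = {("ipv4", ip) for ip in _IPV4.findall(line)}
    found |= {("domain", host.lower()) for host in _HOST.findall(line)}
    return found


def correlate(log_lines, merged, min_confidence=50):
    """Correlation plus action: every line whose observables match an indicator becomes a hit
    enriched with that indicator's context, ordered so the strongest hits are handled first."""
    hits = []
    for line in log_lines:
        for key in sorted(observables(line)):
            ind = merged.get(key)
            if ind is None:
                continue
            hits.append({"line": line, "indicator": ind["value"], "type": ind["type"],
                         "confidence": ind["confidence"], "sources": ind["sources"],
                         "corroborated_by": len(ind["sources"]), "first_seen": ind["first_seen"],
                         "actionable": ind["confidence"] >= min_confidence})
    hits.sort(key=lambda h: (h["actionable"], h["confidence"], h["corroborated_by"]), reverse=True)
    return hits


def run():
    """Integration: the merged set is what would be pushed to a SIEM lookup; here it feeds the matcher."""
    records = list(collect_csv(FEED_CSV, "vendor-feed (constructed)")) + list(collect_json(FEED_JSON))
    return correlate(LOG_LINES, aggregate(records))


if __name__ == "__main__":
    for hit in run():
        print(json.dumps(hit))
```

On the constructed input the denied connection to the address present in both feeds ranks first (confidence 95, two sources, earliest sighting from the JSON feed), the proxy request to the single-source domain comes next, and the allowed connection to the confidence-30 address is reported last and flagged as not actionable, so an analyst sees it without a block being pushed automatically.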

Summary

Threat intelligence provides an opportunity to understand the threats so that you can better prioritize countermeasures to prevent attacks. Additionally, the more you know about the threats, the better you are able to both detect and react to them. Understanding them allows you to anticipate their actions and optimize your defenses and reactions. We further discuss the application of threat intelligence in defining your security program in Section 5.