Chapter 2. Utilizing Threat Intelligence to Support Organizational Security

This chapter covers the following topics related to Objective 1.2 (Given a scenario, utilize threat intelligence to support organizational security) of the CompTIA Cybersecurity Analyst (CySA+) CS0-002 certification exam:

Attack frameworks: Introduces the MITRE ATT&CK framework, the Diamond Model of Intrusion Analysis, and the kill chain

Threat research: Covers reputational and behavioral research, indicators of compromise (IoC), and the Common Vulnerability Scoring System (CVSS)

Threat modeling methodologies: Discusses the concepts of adversary capability, total attack surface, attack vector, impact, and likelihood

Threat intelligence sharing with supported functions: Describes intelligence sharing with the functions incident response, vulnerability management, risk management, security engineering, and detection and monitoring

Threat intelligence comprises information gathered that does one of the following things:

• Educates and warns you about potential dangers not yet seen in the environment

• Identifies behavior that accompanies malicious activity

• Alerts you of ongoing malicious activity

However, possessing threat intelligence is of no use if it is not converted into concrete activity that responds to and mitigates issues. This chapter discusses how to utilize threat intelligence to support organizational security.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read the entire chapter. If you miss no more than one of these four self-assessment questions, you might want to skip ahead to the “Exam Preparation Tasks” section. Table 2-1 lists the major headings in this chapter and the “Do I Know This Already?” quiz questions covering the material in those headings so that you can assess your knowledge of these specific areas. The answers to the “Do I Know This Already?” quiz appear in Appendix A.

Table 2-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping


1. Which of the following is a knowledge base of adversary tactics and techniques based on real-world observations?

a. Diamond Model

b. OWASP

c. MITRE ATT&CK

d. STIX

2. Which of the following threat intelligence data types is generated from past activities?

a. Reputational

b. Behavioral

c. Heuristics

d. Anticipatory

3. Your team has identified that a recent breach was sourced by a disgruntled employee. What part of threat modeling is being performed by such identification?

a. Total attack surface

b. Impact

c. Adversary capability

d. Attack vector

4. Which of the following functions uses shared threat intelligence data to build in security for new products and solutions?

a. Incident response

b. Security engineering

c. Vulnerability management

d. Risk management

Foundation Topics

Attack Frameworks

Many organizations have developed security management frameworks and methodologies to help guide security professionals. These attack frameworks and methodologies include security program development standards, enterprise and security architecture development frameworks, security control development methods, corporate governance methods, and process management methods. The following sections discuss major frameworks and methodologies and explain where they are used.

MITRE ATT&CK

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. It is an open system, and attack matrices based on it have been created for various industries. It is designed as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

An example of such a matrix is the SaaS Matrix created for organizations utilizing Software as a Service (SaaS), shown in Table 2-2. The corresponding matrix on the MITRE ATT&CK website is interactive (https://attack.mitre.org/matrices/enterprise/cloud/saas/), and when you click the name of an attack technique in a cell, a new page opens with a detailed explanation of that attack technique. For more information about the MITRE ATT&CK Matrix for Enterprise and to view the matrices it provides for other platforms (Windows, macOS, etc.), see https://attack.mitre.org/matrices/enterprise/.

Table 2-2 ATT&CK Matrix for SaaS


The Diamond Model of Intrusion Analysis

The Diamond Model of Intrusion Analysis emphasizes the relationships and characteristics of four basic components: the adversary, capabilities, infrastructure, and victims. The main axiom of this model states, “For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.”

Figure 2-1 shows a depiction of the Diamond Model.


Figure 2-1 Diamond Model

The corners of the Diamond Model are defined as follows:

Adversary: The intent of the attack

Capability: Attacker intrusion tools and techniques

Infrastructure: The set of systems an attacker uses to launch attacks

Victim: A single victim or multiple victims

To access the Diamond Model document see https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf.

Kill Chain

The cyber kill chain is a cyber intrusion identification and prevention model developed by Lockheed Martin that describes the stages of an intrusion. It includes seven steps, as described in Figure 2-2. For more information, see https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html.


Figure 2-2 Kill Chain

Threat Research

As a security professional, sometimes just keeping up with your day-to-day workload can be exhausting. But performing ongoing research as part of your regular duties is more important in today’s world than ever before. You should work with your organization and direct supervisor to ensure that you either obtain formal security training on a regular basis or are given adequate time to maintain and increase your security knowledge. You should research the current best security practices, any new security technologies that are coming to market, any new security systems and services that have launched, and how security technology has evolved recently.

Threat intelligence is a process that is used to inform decisions regarding responses to any menace or hazard presented by the latest attack vectors and actors emerging on the security horizon. Threat intelligence analyzes evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets.

Performing threat intelligence requires generating a certain amount of raw material for the process. This information includes data on the latest attacks, knowledge of current vulnerabilities and threats, specifications on the latest zero-day mitigation controls and remediation techniques, and descriptions of the latest threat models. Let’s look at some issues important to threat research.

Reputational

Some threat intelligence data is generated from past activities. Reputational scores may be generated for traffic sourced from certain IP ranges, domain names, and URLs. An example of a system that uses such reputational scores is the Cisco Talos IP and Domain Reputation Center. Customers who participate in the system gain access to data contributed by all participating customers.

As malicious traffic is received by customers, reputational scores are developed for IP ranges, domain names, and URLs that serve as sources of the traffic. Based on these scores, traffic may be blocked from those sources on the customer networks.

Behavioral

Some threat intelligence data is based not on reputation but on the behavior of the traffic in question. For example, when the source in question is repeatedly sending large amounts of traffic to a single IP address, it indicates a potential DoS attack.

Behavioral analysis is also known as anomaly analysis, because it observes network behaviors for anomalies. It can be implemented using combinations of scanning types, including NetFlow, protocol, and packet analysis, to create a baseline and subsequently report departures from the traffic metrics in that baseline. One of the newer advances in this field is the development of user and entity behavior analytics (UEBA). This type of analysis focuses on user activities. Combining behavior analysis with machine learning, UEBA enhances the ability to determine which particular users are behaving oddly. An example would be an attacker who has stolen a user’s credentials and is identified by the system because he is not performing the activities that user would normally perform.

Heuristics is a method used in malware detection, behavioral analysis, incident detection, and other scenarios in which patterns must be detected in the midst of what might appear to be chaos. It is a process that ranks alternatives using search algorithms, and although it is not an exact science and is somewhat a form of “guessing,” it has been shown in many cases to approximate an exact solution. Heuristics also includes a process of self-learning through trial and error as it arrives at the final approximated solution. Many IPS, IDS, and anti-malware systems that include heuristics capabilities can often detect so-called zero-day issues using this technique.
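The baseline-and-departure approach described above, as an added example that is not from the book: it sums bytes per source/destination pair in each time window of a set of constructed NetFlow-style records, learns a per-pair mean and standard deviation over the first five windows, and reports pairs in the latest window that exceed the baseline by three standard deviations and an absolute floor. The addresses (RFC 5737 documentation ranges), byte counts, window size, and thresholds are all constructed for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev


def _series(src, dst, bytes_per_window):
    """Expand one (src, dst) pair into one flow record per 5-minute window."""
    return [(w, src, dst, b) for w, b in enumerate(bytes_per_window)]


# Constructed NetFlow-style records: (window, src_ip, dst_ip, bytes). Windows 0-4
# form the learning period; window 5 is the one under evaluation.
FLOWS = (
    _series("192.0.2.10", "198.51.100.5", [48000, 52000, 50000, 49000, 51000, 50500])
    + _series("192.0.2.77", "198.51.100.9", [190000, 210000, 200000, 205000, 195000])
    + _series("192.0.2.31", "198.51.100.20", [480000, 520000, 500000, 510000, 490000, 530000])
    # Window 5: the second pair suddenly pushes 5 MB at a single address (split over
    # two flows), and a previously unseen pair appears with a trickle of traffic.
    + [(5, "192.0.2.77", "198.51.100.9", 2_500_000),
       (5, "192.0.2.77", "198.51.100.9", 2_500_000),
       (5, "192.0.2.200", "198.51.100.5", 2000)]
)


def totals_per_window(flows):
    """Sum bytes per (src, dst) pair inside each window."""
    totals = defaultdict(lambda: defaultdict(int))
    for window, src, dst, nbytes in flows:
        totals[window][(src, dst)] += nbytes
    return totals


def build_baseline(flows, learn_windows):
    """Per pair: mean and population stdev of bytes per window over the learning period."""
    per_window = totals_per_window(flows)
    pairs = {pair for w in learn_windows for pair in per_window.get(w, {})}
    baseline = {}
    for pair in pairs:
        # A pair absent from a window contributed 0 bytes in that window.
        samples = [per_window.get(w, {}).get(pair, 0) for w in learn_windows]
        baseline[pair] = (float(mean(samples)), pstdev(samples))
    return baseline


def departures(flows, baseline, window, sigma=3.0, floor_bytes=100_000):
    """Report pairs whose bytes in `window` exceed mean + sigma * stdev.

    The absolute floor keeps low-volume pairs (and pairs never seen in the
    baseline, which get mean 0) from being flagged on tiny fluctuations.
    """
    current = totals_per_window(flows).get(window, {})
    findings = []
    for (src, dst), nbytes in sorted(current.items()):
        m, sd = baseline.get((src, dst), (0.0, 0.0))
        threshold = max(m + sigma * sd, floor_bytes)
        if nbytes > threshold:
            findings.append({"src": src, "dst": dst, "bytes": nbytes,
                             "baseline_mean": round(m), "threshold": round(threshold)})
    return findings


if __name__ == "__main__":
    base = build_baseline(FLOWS, range(5))
    for f in departures(FLOWS, base, window=5):
        print(f"{f['src']} -> {f['dst']}: {f['bytes']} bytes "
              f"(baseline mean {f['baseline_mean']}, threshold {f['threshold']})")
```

Only the 192.0.2.77 to 198.51.100.9 pair is reported; the pair that grew from 500 KB to 530 KB stays within its learned variance, and the new low-volume pair stays under the floor.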

Indicator of Compromise (IoC)

An indicator of compromise (IoC) is any activity, artifact, or log entry that is typically associated with an attack of some sort. Typical examples include the following:


• Virus signatures

• Known malicious file types

• Domain names of known botnet servers

Known IoCs are exchanged within the security industry, using the Traffic Light Protocol (TLP) to classify the IoCs. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. Somewhat analogous to a traffic light, it employs four colors to indicate expected sharing boundaries to be applied by the recipient.

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) version 3.1 ranks discovered vulnerabilities using predefined metrics. This system ensures that the most critical vulnerabilities can be easily identified and addressed once a vulnerability assessment is complete. Most commercial vulnerability management tools use CVSS scores as a baseline. Scores are awarded on a scale of 0 to 10, with the values having the following ranks:


Note

The Forum of Incident Response and Security Teams (FIRST) is the custodian of CVSS 3.1.


0: No issues

0.1 to 3.9: Low

4.0 to 6.9: Medium

7.0 to 8.9: High

9.0 to 10.0: Critical

CVSS is composed of three metric groups:


Base: Characteristics of a vulnerability that are constant over time and user environments

Temporal: Characteristics of a vulnerability that change over time but not among user environments

Environmental: Characteristics of a vulnerability that are relevant and unique to a particular user’s environment

The Base metric group includes the following metrics:


Attack Vector (AV): Describes how the attacker would exploit the vulnerability and has four possible values:

L: Stands for Local and means that the attacker must have physical or logical access to the affected system

A: Stands for Adjacent network and means that the attacker must be on the local network

N: Stands for Network and means that the attacker can cause the vulnerability from any network

P: Stands for Physical and requires the attacker to physically touch or manipulate the vulnerable component

Attack Complexity (AC): Describes the difficulty of exploiting the vulnerability and has two possible values:

H: Stands for High and means that the vulnerability requires special conditions that are hard to find

L: Stands for Low and means that the vulnerability does not require special conditions

Privileges Required (Pr): Describes the level of privilege an attacker must already hold to exploit the vulnerability and has three possible values:

H: Stands for High and means the attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files

L: Stands for Low and means the attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user

N: Stands for None and means that no authentication mechanisms are in place to stop the exploit of the vulnerability

User Interaction (UI): Captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component, and has two possible values:

N: Stands for None and means the vulnerable system can be exploited without interaction from any user

R: Stands for required and means successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited

Scope (S): Captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope, and has two possible values:

U: Stands for Unchanged and means the exploited vulnerability can only affect resources managed by the same security authority

C: Stands for Changed and means that the exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component

The Impact metric group includes the following metrics:

Availability (A): Describes the disruption that might occur if the vulnerability is exploited and has three possible values:

N: Stands for None and means that there is no availability impact

L: Stands for Low and means that system performance is degraded

H: Stands for High and means that the system is completely shut down

Confidentiality (C): Describes the information disclosure that may occur if the vulnerability is exploited and has three possible values:

N: Stands for None and means that there is no confidentiality impact

L: Stands for Low and means some access to information would occur

H: Stands for High and means all information on the system could be compromised

Integrity (I): Describes the type of data alteration that might occur and has three possible values:

N: Stands for None and means that there is no integrity impact

L: Stands for Low and means some information modification would occur

H: Stands for High and means all information on the system could be altered

The CVSS vector looks something like this:

CVSS2#AV:L/AC:H/Pr:L/UI:R/S:U/C:P/I:N/A:N

This vector is read as follows:


AV:L: Attack vector, where L stands for Local and means that the attacker must have physical or logical access to the affected system

AC:H: Attack complexity, where H stands for High and means that the vulnerability requires special conditions that are hard to find

Pr:L: Privileges Required, where L stands for Low and means the attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user

UI:R: User Interaction, where R stands for required and means successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited

S:U: Scope, where U stands for Unchanged and means the exploited vulnerability can only affect resources managed by the same security authority

C:L: Confidentiality, where L stands for Low and means that some access to information would occur

I:N: Integrity, where N stands for None and means that there is no integrity impact

A:N: Availability, where N stands for None and means that there is no availability impact

For more information, see https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf.


Note

For access to CVSS calculators, see the following resources:

CVSS Scoring System Calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?calculator&adv&version=2

CVSS Version 3.1 Calculator: https://www.first.org/cvss/calculator/3.1


Threat Modeling Methodologies

An organization should have a well-defined risk management process in place that includes evaluation of the risk that is present. When this process is carried out properly, a threat modeling methodology allows organizations to identify threats and potential attacks and implement the appropriate mitigations against them. These facets ensure that the security controls that are implemented are in balance with the operations of the organization. There are a number of factors to consider in a threat modeling methodology; they are covered in the following sections.

Adversary Capability

First, you must have a grasp of the capabilities of the attacker. Threat actors have widely varying capabilities. When carrying out threat modeling, you may decide to develop a more comprehensive list of threat actors to help in scenario development.

Security professionals should analyze all the threats to identify all the actors who pose significant threats to the organization. Examples of the threat actors include both internal and external actors and include the following:


Internal actors:

• Reckless employee

• Untrained employee

• Partner

• Disgruntled employee

• Internal spy

• Government spy

• Vendor

• Thief

External actors:

• Anarchist

• Competitor

• Corrupt government official

• Data miner

• Government cyber warrior

• Irrational individual

• Legal adversary

• Mobster

• Activist

• Terrorist

• Vandal

These actors can be subdivided into two categories: non-hostile and hostile. In the preceding lists, three actors are usually considered non-hostile: reckless employee, untrained employee, and partner. All the other actors should be considered hostile.

The organization would then need to analyze each of these threat actors according to set criteria. All threat actors should be given a ranking to help determine which threat actors need to be analyzed. Examples of some of the most commonly used criteria include the following:

Skill level: None, minimal, operational, adept

Resources: Individual, team, organization, government

Limits: Code of conduct, legal, extra-legal (minor), extra-legal (major)

Visibility: Overt, covert, clandestine, don’t care

Objective: Copy, destroy, injure, take, don’t care

Outcome: Acquisition/theft, business advantage, damage, embarrassment, technical advantage

With these criteria, the organization must then determine which of the actors it wants to analyze. For example, the organization may choose to analyze all hostile actors that have a skill level of adept, resources of an organization or government, and limits of extra-legal (minor) or extra-legal (major). Then the list is consolidated to include only the threat actors that fit all of these criteria.

Total Attack Surface

The total attack surface comprises all the points at which vulnerabilities exist. It is critical that the organization have a clear understanding of the total attack surface. Otherwise, it is somewhat like locking all the doors of which one is aware while several doors exist of which one is not aware. The result is unlocked doors.

Identifying the attack surface should be a formalized process that arrives at a complete list of vulnerabilities. Only then can each vulnerability be addressed properly with security controls, processes, and procedures.

To identify the potential attacks that could occur, an organization must create scenarios so that each potential attack can be fully analyzed. For example, an organization may decide to analyze a situation in which a hacktivist group performs prolonged denial-of-service attacks, causing sustained outages intended to damage the organization’s reputation. The organization then must make a risk determination for each scenario.

Once all the scenarios are determined, the organization develops an attack tree for each potential attack. Such an attack tree includes all the steps and/or conditions that must occur for the attack to be successful. The organization then maps security controls to the attack trees.

To determine the security controls that can be used, the organization would need to look at industry standards, including NIST SP 800-53 (revision 4 at the time of writing). Finally, the organization would map controls back into the attack tree to ensure that controls are implemented at as many levels of the attack surface as possible.


Note

For more information on NIST SP 800-53, see https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.


Attack Vector

An attack vector is the path or means with which the attack is carried out. Some examples of attack vectors include the following:


• Phishing

• Malware

• Exploit unpatched vulnerabilities

• Code injection

• Social engineering

• Advanced persistent threats (APTs)

Once attack vectors and attack agents have been identified, the organization must assess the relative impact and likelihood of such attacks. This allows the organization to prioritize the limited resources available to address the vulnerabilities.

Impact

Once all assets have been identified and their value to the organization has been established, the organization must identify the impact to each asset. An attempt must be made to establish the impact to the organization should that asset be compromised. While both quantitative and qualitative risk assessments may be performed, when a qualitative assessment is conducted, the risks are placed into the following categories:

• High

• Medium

• Low

Typically a risk assessment matrix is created, such as the one shown in Figure 2-3. Subject matter experts grade all risks on their likelihood and their impact. This helps to prioritize the application of resources to the most critical vulnerabilities.


Figure 2-3 Risk Assessment Matrix

Once the organization determines what it really cares about protecting, the organization should then select the scenarios that could have a catastrophic impact on the organization by using the objective and outcome values from the adversary capability analysis and the asset value and business impact information from the impact analysis.

Probability

When performing the assessment mentioned in the previous section, the organization must also consider the probability that each security event occurs; note in Figure 2-3 that one axis of the risk matrix is impact and the other is probability.

Threat Intelligence Sharing with Supported Functions

Earlier we looked at the importance of sharing intelligence information with other organizations. It is also critical that such information be shared with all departments that perform various security functions. Although an organization might not have a separate group for each of the areas covered in the sections that follow, security professionals should ensure that the latest threat data is made available to all functional units that participate in these activities.

Incident Response

Incident response will be covered more completely in Chapter 15, “The Incident Response Process,” but here it is important to point out that properly responding to security incidents requires knowledge of what may be occurring, and that requires knowledge of the very latest threats and how those threats are realized. Therefore, members who are trained in the incident response process should also be kept up to date on the latest threat vectors by being given access to all threat intelligence that has been collected through any sharing arrangements.

Vulnerability Management

Vulnerability management will be covered in Chapter 5, “Vulnerabilities Associated with Specialized Technology,” and Chapter 6, “Threats and Vulnerabilities Associated with Operating in the Cloud,” but here it is important to point out that there is no function that depends so heavily on shared intelligence information as vulnerability management. When sharing platforms and protocols are used to identify new threats, this data must be shared in a timely manner with those managing vulnerabilities.

Risk Management

Risk management will be addressed in Chapter 20, “Applying Security Concepts in Support of Organizational Risk Mitigation.” It is a formal process that rates identified vulnerabilities by the likelihood of their compromise and the impact of said compromise. Because this process is based on complete and thorough vulnerability identification, speedy sharing of any new threat intelligence is critical to the vulnerability management process on which risk management depends.

Security Engineering

Security engineering is the process of architecting security features into the design of a system or set of systems. It has as its goal an emphasis on security from the ground up, sometimes stated as “building in security.” Unless the very latest threats are shared with this function, engineers cannot be expected to build in features that prevent threats from being realized.

Detection and Monitoring

Finally, those who are responsible for monitoring and detecting attacks also benefit greatly from timely sharing of threat intelligence data. Without this, indicators of compromise cannot be developed and utilized to identify the new threats in time to stop them from causing breaches.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have several choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 2-3 lists a reference of these key topics and the page number on which each is found.


Table 2-3 Key Topics in Chapter 2


Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

attack frameworks

MITRE ATT&CK

Diamond Model of Intrusion Analysis

adversary

capability

infrastructure

victim

kill chain

heuristics

indicator of compromise (IoC)

Common Vulnerability Scoring System (CVSS)

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (Pr)

Availability (A)

Confidentiality (C)

Integrity (I)

risk management

threat modeling methodology

total attack surface

incident response

threat intelligence

vulnerability management

security engineering

Review Questions

1. Match each corner of the Diamond Model with its description.


2. The _______________ corner of the Diamond Model focuses on the intent of the attack.

3. What type of threat data describes a source that repeatedly sends large amounts of traffic to a single IP address?

4. _________________ is any activity, artifact, or log entry that is typically associated with an attack of some sort.

5. Give at least two examples of an IoC.

6. Match each acronym with its description


7. In the following CVSS vector, what does the Pr:L designate?

CVSS2#AV:L/AC:H/Pr:L/UI:R/S:U/C:P/I:N/A:N

8. The _________________CVSS metric group describes characteristics of a vulnerability that are constant over time and user environments.

9. The ____________ CVSS base metric describes how the attacker would exploit the vulnerability.

10. Match each CVSS attack vector value with its description.
