Task 1: Introduction
This room will introduce you to Cyber Threat Intelligence (CTI) and various frameworks used to share intelligence. As security analysts, CTI is vital for investigating and reporting against adversary attacks with organisational stakeholders and external communities.
This is the first room in a new Cyber Threat Intelligence module. The module will also contain:
Task 2: Cyber Threat Intelligence
Cyber Threat Intelligence (CTI) can be defined as evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and actionable advice against them. These can be utilised to protect critical assets and inform cyber security teams and management business decisions.
- Data: Discrete indicators associated with an adversary, such as IP addresses, URLs or hashes.
- Information: A combination of multiple data points that answer questions such as “How many times have employees accessed tryhackme.com within the month?”
- Intelligence: The correlation of data and information to extract patterns of actions based on contextual analysis.
The primary goal of CTI is to understand the relationship between your operational environment and your adversary and how to defend your environment against any attacks. You would seek this goal by developing your cyber threat context by trying to answer the following questions:
- Who’s attacking you?
- What are their motivations?
- What are their capabilities?
- What artefacts and indicators of compromise (IOCs) should you look out for?
With these questions, threat intelligence would be gathered from different sources under the following categories:
- Internal:
- Corporate security events such as vulnerability assessments and incident response reports.
- Cyber awareness training reports.
- System logs and events.
- Community:
- Open web forums.
- Dark web communities for cybercriminals.
- External
- Threat intel feeds (Commercial & Open-source)
- Online marketplaces.
- Public sources include government data, publications, social media, financial and industrial assessments.
Threat Intelligence Classifications
Threat Intel is geared towards understanding the relationship between your operational environment and your adversary. With this in mind, we can break down threat intel into the following classifications:
- Strategic Intel: High-level intel that looks into the organisation’s threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions.
- Technical Intel: Looks into evidence and artefacts of attack used by an adversary. Incident Response teams can use this intel to create a baseline attack surface to analyse and develop defence mechanisms.
- Tactical Intel: Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.
- Operational Intel: Looks into an adversary’s specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organisation (people, processes and technologies) that may be targeted.
Questions
What does CTI stand for?
Answer
Cyber Threat Intelligence
IP addresses, Hashes and other threat artefacts would be found under which Threat Intelligence classification?
Answer
technical intel
Task 3: CTI Lifecycle
Threat intel is obtained from a data-churning process that transforms raw data into contextualised and action-oriented insights geared towards triaging security incidents.
The transformational process follows a six-phase cycle:
- Direction: Every threat intel program requires defined objectives and goals, which involves identifying the following parameters:
- Information assets and business processes that require defending.
- Potential impact to be experienced on losing the assets or through process interruptions.
- Sources of data and intel to be used towards protection.
- Tools and resources that are required to defend the assets.
- Collection: Once objectives have been defined, security analysts will gather the required data to address them. Analysts will do this by using commercial, private and open-source resources available. Due to the volume of data analysts usually face, it is recommended to automate this phase to provide time for triaging incidents.
- Processing: Raw logs, vulnerability information, malware and network traffic usually come in different formats and may be disconnected when used to investigate an incident.
- This phase ensures that the data is extracted, sorted, organised, correlated with appropriate tags and presented visually in a usable and understandable format to the analysts.
- SIEMs are valuable tools for achieving this and allow quick parsing of data.
- Analysis: Once the information aggregation is complete, security analysts must derive insights. Decisions to be made may involve:
- Investigating a potential threat through uncovering indicators and attack patterns.
- Defining an action plan to avert an attack and defend the infrastructure.
- Strengthening security controls or justifying investment for additional resources.
- Dissemination: Different organisational stakeholders will consume the intelligence in varying languages and formats.
- For example, C-suite members will require a concise report covering trends in adversary activities, financial implications and strategic recommendations. At the same time, analysts will more likely inform the technical team about the threat IOCs, adversary TTPs and tactical action plans.
- Feedback: The final phase covers the most crucial part, as analysts rely on the responses provided by stakeholders to improve the threat intelligence process and implementation of security controls. Feedback should be regular interaction between teams to keep the lifecycle working.
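The lifecycle phases above, and the data / information / intelligence distinction from Task 2, are easier to see on concrete input. The following script is an added example written for this write-up, not material from the room: it takes a handful of constructed proxy/authentication log lines (Collection), parses, sorts and tags them against a constructed threat feed (Processing), correlates the tagged records per host (Analysis) and renders a terse technical-team view (Dissemination). The log format, the feed entries, the hash and the actor name "HypotheticalActor" are all invented for the example.

```python
"""Added example: walking constructed log lines through the Collection,
Processing, Analysis and Dissemination phases of the CTI lifecycle.
Every log line, indicator and actor name below is constructed for the
example and does not refer to any real host or campaign."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (output of the Collection phase). The format
# is a hypothetical "timestamp user src_ip action target" proxy/auth log.
RAW_LOGS = """\
2024-03-01T08:01:12Z jdoe 10.0.0.15 GET tryhackme.com
2024-03-01T08:02:40Z jdoe 10.0.0.15 GET tryhackme.com
2024-03-01T09:15:03Z asmith 10.0.0.22 GET tryhackme.com
2024-03-01T09:16:09Z asmith 10.0.0.22 GET 203.0.113.77
2024-03-01T09:16:10Z asmith 10.0.0.22 DOWNLOAD d41d8cd98f00b204e9800998ecf8427e
2024-03-01T11:40:55Z svc_backup 10.0.0.9 LOGIN 203.0.113.77
garbage line that does not parse
"""

# Constructed threat feed (an External source): indicator -> context tags.
# In a real program this would come from a commercial or open-source feed.
THREAT_FEED = {
    "203.0.113.77": {"type": "ipv4", "tags": ["c2", "HypotheticalActor"]},
    "d41d8cd98f00b204e9800998ecf8427e": {"type": "md5", "tags": ["dropper", "HypotheticalActor"]},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<action>\S+) (?P<target>\S+)$"
)


def process(raw: str) -> list[dict]:
    """Processing phase: turn raw lines into sorted records tagged with feed context."""
    records = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are dropped rather than guessed at
        rec = m.groupdict()
        feed = THREAT_FEED.get(rec["target"])  # correlate each observable (data) with the feed
        rec["tags"] = list(feed["tags"]) if feed else []
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def information(records: list[dict], site: str) -> int:
    """Information: several data points answering one question,
    e.g. 'how many times did employees access <site>?'"""
    return sum(1 for r in records if r["target"] == site)


def analyse(records: list[dict]) -> dict:
    """Analysis phase: correlate tagged records into a per-host picture (intelligence)."""
    findings = defaultdict(lambda: {"users": set(), "tags": Counter()})
    for r in records:
        if r["tags"]:
            f = findings[r["src"]]
            f["users"].add(r["user"])
            f["tags"].update(r["tags"])
    return {
        host: {"users": sorted(f["users"]), "tags": dict(f["tags"])}
        for host, f in findings.items()
    }


def disseminate(findings: dict) -> list[str]:
    """Dissemination phase: the terse view a technical team would receive."""
    return [
        f"{host}: users={','.join(f['users'])} tags={f['tags']}"
        for host, f in sorted(findings.items())
    ]


if __name__ == "__main__":
    recs = process(RAW_LOGS)
    print("tryhackme.com visits this month:", information(recs, "tryhackme.com"))
    for line in disseminate(analyse(recs)):
        print(line)
```

Hosts that only visited tryhackme.com never appear in the analysis output: that traffic is data and information, but it carries no tagged context and so yields no intelligence, which is exactly the distinction the room draws between the three terms.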
Questions
At which phase of the CTI lifecycle is data converted into usable formats through sorting, organising, correlation and presentation?
Answer
processing
During which phase do security analysts get the chance to define the questions to investigate incidents?
Answer
directions
Task 4: CTI Standards & Frameworks
Standards and frameworks provide structures to rationalise the distribution and use of threat intel across industries. They also allow for common terminology, which helps in collaboration and communication. Here, we briefly look at some essential standards and frameworks commonly used.
- MITRE ATT&CK: The ATT&CK framework is a knowledge base of adversary behaviour, focusing on the indicators and tactics. Security analysts can use the information to be thorough while investigating and tracking adversarial behaviour.
- TAXII: The Trusted Automated eXchange of Indicator Information (TAXII) defines protocols for securely exchanging threat intel to have near real-time detection, prevention and mitigation of threats. The protocol supports two sharing models:
- Collection: Threat intel is collected and hosted by a producer upon request by users using a request-response model.
- Channel: Threat intel is pushed to users from a central server through a publish-subscribe model.
- STIX: Structured Threat Information Expression (STIX) is a language developed for the “specification, capture, characterisation and communication of standardised cyber threat information”. It provides defined relationships between sets of threat info such as observables, indicators, adversary TTPs, attack campaigns, and more.
- Cyber Kill chain
- Diamond Model
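To make the STIX description above concrete, here is an added example (written for this write-up, not taken from the room or from the OASIS STIX project) that builds a minimal STIX 2.1 bundle with the standard library only: an Indicator object carrying a file-hash pattern, a Malware object, and the "indicates" Relationship that links them, which is the kind of bundle a TAXII collection would serve. It also evaluates a single-comparison STIX pattern against an observed file. The SHA-256 value, the malware name and the object names are constructed placeholders, and the pattern matcher handles only the one-comparison subset of the STIX patterning language, not the full grammar.

```python
"""Added example: a minimal STIX 2.1 bundle built with the standard library,
plus a matcher for single-comparison STIX patterns. All values are
constructed placeholders; the matcher covers only '[path = value]' patterns."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed placeholder hash (64 hex zeros), not a real indicator.
PLACEHOLDER_SHA256 = "00" * 32


def stix_id(obj_type: str) -> str:
    """STIX 2.1 identifiers are '<type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def now() -> str:
    """STIX timestamps are UTC, RFC 3339, with millisecond precision."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(pattern: str, name: str) -> dict:
    ts = now()
    return {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
        "created": ts, "modified": ts, "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix", "valid_from": ts,
    }


def make_malware(name: str) -> dict:
    ts = now()
    return {
        "type": "malware", "spec_version": "2.1", "id": stix_id("malware"),
        "created": ts, "modified": ts, "name": name,
        "malware_types": ["dropper"], "is_family": False,
    }


def make_relationship(source: dict, target: dict, rel_type: str) -> dict:
    ts = now()
    return {
        "type": "relationship", "spec_version": "2.1", "id": stix_id("relationship"),
        "created": ts, "modified": ts, "relationship_type": rel_type,
        "source_ref": source["id"], "target_ref": target["id"],
    }


def build_bundle(objects: list[dict]) -> dict:
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


# One equality comparison: [<object path> = '<value>'] (subset of STIX patterning).
PATTERN_RE = re.compile(r"^\[(?P<path>[\w:.'-]+)\s*=\s*'(?P<value>[^']*)'\]$")


def match_simple_pattern(pattern: str, observed: dict) -> bool:
    """Evaluate a single-comparison pattern against an observation given as a
    flat dict keyed by the same object path, e.g. {"file:hashes.'SHA-256'": ...}."""
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern (only single comparisons handled): {pattern}")
    return observed.get(m["path"]) == m["value"]


def example_bundle() -> dict:
    pattern = f"[file:hashes.'SHA-256' = '{PLACEHOLDER_SHA256}']"
    indicator = make_indicator(pattern, "Placeholder dropper hash")
    malware = make_malware("HypotheticalDropper")
    rel = make_relationship(indicator, malware, "indicates")
    return build_bundle([indicator, malware, rel])


if __name__ == "__main__":
    bundle = example_bundle()
    print(json.dumps(bundle, indent=2))
    observed = {"file:hashes.'SHA-256'": PLACEHOLDER_SHA256}
    print("match:", match_simple_pattern(bundle["objects"][0]["pattern"], observed))
```

The relationship object is what gives STIX its value over a flat IOC list: a consumer that receives the bundle learns not only the hash but what it indicates, and can chain further objects (campaign, threat actor, attack pattern) onto the same graph.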
Questions
What sharing models are supported by TAXII?
Answer
collection and channel
When an adversary has obtained access to a network and is extracting data, what phase of the kill chain are they on?
Answer
actions on objectives
Task 5: Practical Analysis
As part of the dissemination phase of the lifecycle, CTI is also distributed to organisations using published threat reports. These reports come from technology and security companies that research emerging and actively used threat vectors. They are valuable for consolidating information presented to all suitable stakeholders.
Some notable threat reports come from Mandiant, Recorded Future and AT&T Cybersecurity.
Questions
Inside the virtual website
What was the threat actor’s extraction IP address?
Answer
91.185.23.222
What was the threat actor’s email address?
Answer
What software tool was used in the extraction?
Answer
flbpfuh.exe
What user account was logged in by the threat actor?
Answer
Administrator
Who was the targeted victim?
Answer
John Doe
The “question” questions (idk what to call it :v)
What was the source email address?
Answer
What was the name of the file downloaded?
Answer
flbpfuh.exe
After building the threat profile, what message do you receive?
Answer
THM{NOW_I_CAN_CTI}
Conclusion
This room has no conclusion whatsoever so I made up one :v
My conclusion is this was one of the rooms of all time