
CySA Chapter 2

Using Threat Intelligence


Objectives Covered

• Domain 1.0: Threat and Vulnerability Management
  • Explain the importance of threat data and management
  • Given a scenario, utilize threat intelligence to support organizational security
• Domain 3.0: Security Operations and Monitoring
  • Explain the importance of proactive threat hunting

Threat Data and Intelligence
Intro to Threat Intelligence

What is threat intelligence?

• Data and information about adversaries (motivations, capabilities, tools, and methodologies)

Why do we need threat intelligence?

• Helps security professionals fully understand threats in order to prevent them or to limit their impact

Levels of Threat Intelligence

Threat intelligence can be categorized into three levels of intelligence:

• Strategic intelligence - provides broad information about threats and threat actors, allowing organizations to understand and respond to trends
• Operational threat intelligence - highly detailed information allowing response to a specific threat
• Tactical threat intelligence - more detailed technical and behavioral information


Threat Intelligence Sources

• Open-source intelligence
  • Acquired from publicly available resources
  • Need to find reliable and up-to-date ones
• Proprietary and closed-source intelligence
  • Providers perform their own information gathering and research, and may use custom tools, analysis models, or other proprietary methods to gather, curate, and maintain their threat feeds

Recent Alerts

https://talosintelligence.com/

https://us-cert.gov/ncas/alerts

Canada also has their hands in it

• The Canadian Centre for Cyber Security
• Alerts & Advisories: https://cyber.gc.ca/en/alerts-advisories

Assessing Threat Intelligence

[Diagram: three assessment factors, Timely, Accurate, Relevant]

• Several common factors come into play when you assess threat intelligence:
  • Is it timely?
    • A feed that is operating on delay can cause you to miss a threat or to react after the threat is no longer relevant.
  • Is the information accurate?
    • Can you rely on what it says, and how likely is it that the assessment is valid? Does it rely on a single source or multiple sources? How often are those sources correct?
  • Is the information relevant?
    • If it describes the wrong platform, software, or reason for the organization to be targeted, the data may be very timely, very accurate, and completely irrelevant to your organization.

Threat Agent Indicator and Management

• Managing threats requires standardization and tooling to ensure the information is processed and used in automated ways
• Structured Threat Information eXpression (STIX)
  • An XML standard with 12 defined domain objects, including attack patterns, identities, malware, threat actors, and tools
• Trusted Automated eXchange of Indicator Information (TAXII)
  • Intended to allow cyber threat information to be communicated at the application layer via HTTPS
• Open Indicators of Compromise (OpenIOC)
  • An XML-based framework like STIX for indicators of compromise
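As an added example (not from the slides or from any vendor's tooling), the following Python parses a constructed OpenIOC-style XML indicator document and evaluates its IndicatorItems against a few constructed host and network events, which is the "processed and used in automated ways" point above. The namespace URI, the search keys, the file name and the domain are assumptions; nested Indicator operators (AND/OR) are not evaluated, every item is treated as an OR.

```python
import xml.etree.ElementTree as ET

IOC_NS = "http://schemas.mandiant.com/2010/ioc"   # OpenIOC 1.0 schema namespace (assumed)
# Constructed sample indicator document: the id, file name and domain are made up.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">svch0st.exe</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">example-c2.invalid</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""
def parse_openioc(xml_text):
    # Flatten every IndicatorItem into its search key, condition and value.
    items = []
    for item in ET.fromstring(xml_text).iter("{%s}IndicatorItem" % IOC_NS):
        ctx, content = item.find("{%s}Context" % IOC_NS), item.find("{%s}Content" % IOC_NS)
        items.append({"search": ctx.get("search"),
                      "condition": item.get("condition"),
                      "value": content.text.strip()})
    return items
def item_matches(item, event):
    # Evaluate one IndicatorItem against an event keyed by OpenIOC search paths.
    observed = event.get(item["search"])
    if observed is None:
        return False                     # event has no field for this indicator
    if item["condition"] == "is":
        return observed.lower() == item["value"].lower()
    if item["condition"] == "contains":
        return item["value"].lower() in observed.lower()
    return False                         # unsupported condition: treat as no match
# Constructed host and network events, already normalised to OpenIOC search keys.
SAMPLE_EVENTS = [
    {"FileItem/FileName": "svchost.exe"},          # benign near-miss
    {"FileItem/FileName": "SVCH0ST.EXE"},          # hit: exact match, case-insensitive
    {"Network/DNS": "update.example-c2.invalid"},  # hit: substring match
    {"Network/DNS": "www.example.com"},            # benign
]

def scan_events(items, events):
    # Return (event index, search key, indicator value) for every matching pair.
    return [(i, it["search"], it["value"])
            for i, ev in enumerate(events) for it in items if item_matches(it, ev)]
```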
The Intelligence Cycle

[Diagram: Requirements Gathering -> Threat Data Collection -> Threat Data Analysis -> Intelligence Dissemination -> Gathering Feedback, repeating as a cycle]

• A cycle that defines a process of threat intelligence
• Requirements Gathering
  • The first phase in the intelligence cycle is to plan for your intelligence requirements.
  • Assess what security breaches or compromises you have faced
  • Assess what information could have prevented or limited the impact of the breach
  • Assess what controls and security measures were not in place that would have mitigated the breach
• Threat Data Collection
  • Once you have your information requirements, you can collect data from threat intelligence sources to meet those requirements.
  • This phase may repeat as additional requirements are added or as requirements are refined based on available data and data sources.
• Threat Data Analysis
  • Process the information that you have collected
  • Output from this stage could be:
    • Fed into automated systems or other tools
    • Tied into reports to be distributed to leadership
• Intelligence Dissemination
  • In the dissemination phase of the intelligence cycle, data is distributed to leadership and operational personnel who will use the data as part of their security operations role.
• Gathering Feedback
  • Gather feedback about the reports and data you have collected
  • Continuous improvement is critical in the process, and it should be used to create better requirements and overall output of your threat intelligence program

Threat Classification

Threat Actors

4 Common Threat Actors:

• Nation-state actors - have the resources of a country, and work for the country
• Organized crime - conduct focused attacks typically aimed at financial gain
• Hacktivists - use hacking as a means to a political or philosophical end, ranging from individual actors to groups
• Insider threats - threats from employees or other trusted individuals or groups inside of an organization

Threat Classification

• Microsoft's STRIDE model
  • Classification scheme that identifies threats based on what they leverage
  • Spoofing of user identity
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of Service
  • Elevation of Privilege

Threat Research and Modeling

• Organizations typically seek to understand the threats they are likely to face by conducting threat modeling activities
• Typically includes:
  • Assessing adversary capability
  • The total attack surface of the organization you are assessing
    • Any system, device, network, application, staff member, or other target
  • Other possible attack vectors
  • The impact if the attack were successful
  • The likelihood of the attack or threat succeeding

Attack Frameworks

• Frameworks are useful to help think through what an attacker is likely to do
• Once considered, they help to form defensive strategies against attacks
• The three that the certification looks at are:
  • MITRE's ATT&CK Framework
  • The Diamond Model of Intrusion Analysis
  • Lockheed Martin's Cyber Kill Chain
• There are more, or your organization may use a different one altogether

MITRE ATT&CK Framework

• Adversarial Tactics, Techniques and Common Knowledge
• Includes descriptions, definitions, and examples for the complete lifecycle
• More information can be found at: https://attack.mitre.org/versions/v8/

The Diamond Model of Intrusion Analysis

• Intended to help analysts discover more information by highlighting the relationship between elements by following the edges between the events
• Uses a few specific terms:
  • Core features (adversary, capability, infrastructure and victim of an event)
  • Meta-features (start and end timestamps, phase, result, direction, methodology, and resources)
  • Confidence value

Lockheed Martin Cyber Kill Chain
Applying Threat Intelligence Organization-Wide

PROACTIVE THREAT HUNTING

[Diagram: eight elements of proactive threat hunting: Hypothesis, Profiling, Reduce Attack Surface, Hunting Tactics, Group Assets, Attack Vectors, Improve Detection, Integrated Intelligence]

• Hypothesis
  • Needed to test
  • Should have actionable results
• Profiling
  • Ensures that you have considered:
    • Who is your threat?
    • Why are they a threat?
    • What would their typical actions be?
  • Also:
    • What assets are they trying to attack?
    • What could their attack vector be?
• Hunting tactics
  • Skills, techniques, and procedures
  • Should include executable process analysis
  • What tests can I perform to test my hypothesis?
• Reduce attack surface
  • Secure your systems
  • Standard strategies of hardening apply depending on the type of system
• Group assets
  • Bundle assets into groups and protection zones
  • This is the concept of grouping "like systems" together, such as:
    • All authentication servers
    • All infrastructure servers
    • All application (or web-app) servers
    • All database servers
• Attack vectors
  • Understanding your attack vectors is very important
  • Consider each vector, assess, and mitigate the risk associated with each
• Integrated intelligence
  • Determine your intelligence sources
  • Where is my intelligence coming from?
  • Am I receiving up-to-date information?
• Improve detection
  • A continuous process of improvement as threats evolve
  • Security updates are part of this
  • Evaluation of different software packages
  • Evaluation of security-integrated products, functionality, and features

VIDEO: HACKING WITH THE CYBER KILL CHAIN