January 31, 2019

Cyber Threat Intelligence: weaponizing cyber defense

The ability to dig deep into what a person really cares about and who they are, without their knowledge, is a valuable skill set in the cyber intelligence world. The data gathered, such as credentials, personal information, credit card or banking details and access to personal devices (mobile, laptop, etc.), could be used to steal money or destroy a reputation. It is also illegal. Similarly, for an organization, information gathered about revenue and profit, company shareholders, brand value, equity, market share and customer details could be used to cause an untold amount of damage. A physical battlefield and cyber warfare pose a similar threat to mankind. Cyber threats are carried out by a threat actor who studies the target’s weaknesses in order to exploit its vulnerabilities. History has shown that battles have always had strategies and tactics for leveraging the enemy’s infrastructure for attack and destruction, quite similar to cyber-attacks. However, while a physical battle takes time, money and massive effort to change the battle strategy, cyber-attacks are very different. Small groups with little money but intense skill can take down larger opponents and quickly pivot to attack or defend as the cyber strategy changes. Every time an adversary comes up with different techniques, procedures, communication processes or knowledge while attacking a target or defending itself from an attack, the tide of the cyber battle can change dramatically in seconds. How can you defend against an enemy so agile and difficult to detect? The following article will shed some light on this and give you a few cyber tools to defend against cyber threat intelligence gathering.

What is cyber threat intelligence?
Sun Tzu once said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Threat intelligence is all about knowing your security threats, identifying them, and making proper preventive decisions.

It is not something that comes in an Excel sheet, or anything you can get by following a template. It requires an organization to understand its own capabilities and those of the threat actors and adversaries. An organization is an easy target for a malicious actor if it does not understand its assets, personnel, infrastructure and operational processes. You must first seek to know yourself.

The core purpose of Threat Intelligence is to analyse and process data about identified threats. A specific intelligence type must follow the intelligence life cycle: planning and direction, collection, processing, analysis and production, dissemination and integration of the information.

For better understanding, let’s take an example. We all might have heard about “GameOver Zeus”, one of the most effective cyber-attacks ever, which infected thousands of people worldwide. The operation created zombies, which stretched the network to the point where it reached nearly one million bots. Operators used those bots for more than two years to steal millions of dollars from banks all over the world using CryptoLocker ransomware.

“GameOver Zeus Botnet was designed to be indestructible,” said a researcher who helped in the investigation with the FBI. Having realised that everything was going out of their control, the FBI decided it was better to go after the bot rather than the persons behind the scenes. They convened a meeting and immediately decided to work together with Microsoft and other security firms. They named it “Operation Tovar”.

The plan was to take full control of the botnet efficiently and silently, without letting the operators find out, so that the evidence against them would not be destroyed. The FBI and its partners introduced their own peers inside the botnet to turn the distributed peer-to-peer network into a centralized zone. To mitigate the attack, the internet service providers gave the FBI control over the proxy nodes the operators used to communicate with and command the botnet. From the point at which the bots started connecting to the proxies controlled by the FBI shadow servers, the team could capture the communications and analyse them: finding the threat vectors, the impacted IPs and the number of infected systems involved, in order to take over the Command and Control. Within a few hours the botnet operation went down, and the suspected leader behind the GameOver Zeus Botnet was named as “Evgeniy Bogachev”.

A schematic reproducing the infrastructure of the GameOver Zeus botnet. (Image: Black Hat slides.)

Operation Tovar is the perfect example of real-time threat intelligence, and it can also be taken as a reference for implementing threat intelligence inside any organization.

But it does not end there: after the entire process the organization needs to evaluate the information and check its worth. The capability of forming a meaningful collection of threat intelligence will help an organization make strategic choices. This can be done through Intelligence Foundations.

Intelligence Foundations:

There are four foundational intelligence indicators. In no particular order, they are Indicators of Attack (IoA), Indicators of Compromise (IoC), Tactics, Techniques and Procedures (TTPs), and Collaborative Research into Threats (CRITs).

             Indicators of Attack (IoA)
Indicators of Attack (IoA) is the ability to collect and examine network activity in real time. IoAs help to understand how the adversary gets into the target, accesses resources, dumps passwords, performs lateral movement and exfiltrates data. Security researchers take this data and build modules which take proactive action against the adversary and stop it before any damage is done. The following can be considered examples of Indicators of Attack (IoAs):

    • Outbound traffic towards a blacklisted IP: an example is a SIEM dashboard that displays hosts communicating with feeds (IP, Domain, URL) taken from the “ransomwaretracker.abuse.ch” website.
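The matching logic behind such a dashboard, as an added example that is not code from the original article: a feed of IP, domain and URL indicators is loaded, each outbound connection in a proxy log is normalised and checked against it (a subdomain of a listed domain also counts), and the hits are summarised per internal host. The feed lines, the log format and all addresses below are constructed for illustration; the feed format is a hypothetical one, not the layout published by abuse.ch.

```python
"""Match outbound connection logs against a threat feed of IPs, domains and URLs.

Added example, not code from the original article. The feed entries and the log
lines are constructed for illustration; a real deployment would load the feed
published by the intelligence source (the article cites ransomwaretracker.abuse.ch)
and the connection logs exported from the proxy or firewall.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed feed, "type,value" per line (a hypothetical format, not abuse.ch's).
FEED = """\
ip,203.0.113.45
domain,payload-drop.example
url,http://update-check.example/gate.php
"""

# Constructed proxy log lines: "<time> <source host> <destination> <bytes>".
LOG_LINES = """\
2019-01-31T09:12:01Z ws-0412 203.0.113.45:443 5120
2019-01-31T09:12:07Z ws-0412 http://cdn.example/style.css 880
2019-01-31T09:15:30Z srv-db01 http://UPDATE-CHECK.example/gate.php?id=7 1400
2019-01-31T09:16:02Z ws-0199 mail.payload-drop.example:25 2200
2019-01-31T09:20:44Z ws-0199 198.51.100.7:80 310
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def normalize_url(url):
    """Lower-case the host and drop the query string so feed and log URLs compare equal."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.hostname}{parts.path or '/'}"


def parse_feed(text):
    """Load the feed into one set per indicator type."""
    feed = {"ip": set(), "domain": set(), "url": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = (s.strip() for s in line.split(",", 1))
        if kind == "ip":
            feed["ip"].add(str(ipaddress.ip_address(value)))
        elif kind == "domain":
            feed["domain"].add(value.lower().rstrip("."))
        elif kind == "url":
            feed["url"].add(normalize_url(value))
    return feed


def domain_hit(host, domains):
    """Return the feed domain matching host itself or one of its parent domains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def classify_destination(dst, feed):
    """Check one destination ("ip:port", "host:port" or a URL) against the feed."""
    if "://" in dst:
        url = normalize_url(dst)
        if url in feed["url"]:
            return ("url", url)
        host = urlsplit(dst).hostname or ""
    else:
        host = dst.rsplit(":", 1)[0]  # IPv4 or hostname; IPv6 literals are not handled here
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        ip = None
    if ip is not None and ip in feed["ip"]:
        return ("ip", ip)
    hit = domain_hit(host, feed["domain"])
    if hit:
        return ("domain", hit)
    return None


def scan_logs(log_text, feed):
    """Return one alert per log line whose destination matches the feed."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, nbytes = m.groups()
        hit = classify_destination(dst, feed)
        if hit:
            alerts.append({"time": ts, "host": src, "type": hit[0],
                           "indicator": hit[1], "bytes": int(nbytes)})
    return alerts


def hosts_summary(alerts):
    """Count matching connections per internal host, the view a dashboard would show."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    matched = scan_logs(LOG_LINES, parse_feed(FEED))
    for a in matched:
        print(f"{a['time']} {a['host']} -> {a['type']} {a['indicator']} ({a['bytes']} bytes)")
    print(hosts_summary(matched))
```

Three of the five constructed lines match: one by IP, one by URL (despite the mixed-case host and the extra query string) and one because the mail host sits under a listed domain. The bytes field is kept on each alert because the volume sent to a listed destination is what separates a stray DNS lookup from exfiltration.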

             Indicators of Compromise (IoC):

When an attack happens, we may not see evidence of it in real time. There is still a strong chance of tracing the activities by using the log files left inside the infected system and identified as malicious.

Indicators of Compromise (IoCs) are the collection of evidence used to understand whether a cyber-attack has occurred or is currently under way. Using IoCs, an analyst can understand what actually happened. They can also be used as a future reference against similar types of attacks.

Security researchers review IoCs to analyze the behavior of new malware and its activities, to understand the threats better and provide actionable intelligence against any incident. They then share it within the internal community to improve the organization’s remediation and incident response strategies. The following IoCs can be taken as examples:

    • Unknown files, applications and processes in the system.
    • Large amounts of compressed data found in locations where they should not be.
    • Irregular traffic to or from countries with which the organization has no business relationship.
    • Suspicious activities from administrators or privileged accounts.

             Tactics Techniques and Procedures (TTPs)

Tactics Techniques and Procedures (TTPs) are the terms mainly used for the detection of Advanced Persistent Threats (APTs) or profiling the adversary.

Tactics: For an APT, tactics can be described as the way the adversary performs the attack from beginning to end. They outline how the attacker carries out the different stages of the operation to establish a foothold inside the target.

Techniques: In order to carry out attacks successfully, the threat actor uses different types of techniques, such as tools or scripts, to initially gain access to the target. They then maintain connectivity to Command and Control servers and exfiltrate data while attempting to stay hidden. Lateral network movement is also used to make detection more difficult. Identifying these techniques helps to profile the APT life cycle and understand what tools and techniques have been used.

It is not always possible to get into the system with a single attempt, so the attacker will use other techniques as well. Analysing the various Tactics and Techniques builds up more attack patterns for the APT groups. Procedures can be defined as the aggregated form of these patterns. In most cases this helps to identify attacks at their initial phase, but only if the procedures they follow are already known.
TTPs, from the perspective of tools, are often sold on Darkweb forums, since they carry knowledge of what can be used against the target and also how to avoid getting caught. For example, an attacker who knows that an environment locks a user account after five failed login attempts will brute-force the system with four attempts before starting a new session, to avoid detection.
The counter action against this TTP could be to lower the threshold value to three and trigger an alert for failed login attempts in the Security Information and Event Management (SIEM) system.
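What that counter action looks like as a detection rule, as an added example that is not code from the original article. It goes one step beyond the text: rather than only lowering the per-session lockout threshold, it counts failures per source address and user across sessions inside a sliding window, which is the property the "four attempts, then a new session" trick is designed to evade, and it also flags a success that follows a run of failures. The log lines and their key=value layout are constructed for illustration, not any product's format.

```python
"""Detect password guessing spread across sessions to stay under a lockout threshold.

Added example, not code from the original article. The log lines are constructed;
the "session=... user=... src=... result=..." layout is a hypothetical format, not
any product's. Counting failures per (source, user) over a time window, rather than
per session, generalises the article's advice to lower the threshold and alert
from the SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: four failures per session, then a fresh session.
LOG_LINES = """\
2019-01-31T10:00:01Z session=A user=jdoe src=198.51.100.23 result=FAIL
2019-01-31T10:00:03Z session=A user=jdoe src=198.51.100.23 result=FAIL
2019-01-31T10:00:05Z session=A user=jdoe src=198.51.100.23 result=FAIL
2019-01-31T10:00:07Z session=A user=jdoe src=198.51.100.23 result=FAIL
2019-01-31T10:00:20Z session=B user=jdoe src=198.51.100.23 result=FAIL
2019-01-31T10:00:22Z session=B user=jdoe src=198.51.100.23 result=FAIL
2019-01-31T10:00:24Z session=B user=jdoe src=198.51.100.23 result=FAIL
2019-01-31T10:00:26Z session=B user=jdoe src=198.51.100.23 result=SUCCESS
2019-01-31T10:05:00Z session=C user=asmith src=192.0.2.9 result=FAIL
2019-01-31T10:05:30Z session=C user=asmith src=192.0.2.9 result=SUCCESS
"""


def parse_events(text):
    """Turn each log line into a dict with a parsed timestamp and the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = dict(field.split("=", 1) for field in fields)
        event["raw_time"] = stamp
        event["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def per_session_lockouts(events, limit=5):
    """The evaded control: lock a session once it accumulates `limit` failures."""
    failures = defaultdict(int)
    locked = set()
    for event in events:
        if event["result"] == "FAIL":
            failures[event["session"]] += 1
            if failures[event["session"]] >= limit:
                locked.add(event["session"])
    return locked


def cross_session_alerts(events, threshold=3, window=timedelta(minutes=10)):
    """SIEM-style rule: count failures per (source, user) across sessions in a sliding window.

    Fires once when the count reaches `threshold`, and again if a SUCCESS follows
    a run of failures, the signal that the guessing may have worked.
    """
    recent = defaultdict(list)  # (src, user) -> failure timestamps still inside the window
    alerts = []
    for event in events:
        key = (event["src"], event["user"])
        history = recent[key]
        while history and event["time"] - history[0] > window:
            history.pop(0)  # expire failures older than the window
        if event["result"] == "FAIL":
            history.append(event["time"])
            if len(history) == threshold:
                alerts.append(("threshold_reached", event["src"], event["user"], event["raw_time"]))
        elif event["result"] == "SUCCESS" and len(history) >= threshold:
            alerts.append(("success_after_failures", event["src"], event["user"], event["raw_time"]))
    return alerts


if __name__ == "__main__":
    parsed = parse_events(LOG_LINES)
    print("sessions locked by the per-session rule:", per_session_lockouts(parsed) or "none")
    for alert in cross_session_alerts(parsed):
        print("ALERT", *alert)
```

On the constructed log the per-session rule locks nothing, because no session ever reaches five failures, while the cross-session rule alerts on the third failure from the same source against the same account and again on the success that follows seven failures. The second alert is the one worth paging on.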

             Collaborative Research into Threats (CRITs):

When the concern is information security, the risk is similar for every organization. Thus it is better to collaborate and help each other take proactive action against threat actors. The main goal is to share experiences about the TTPs of attacks and the possible remediation against them.
Collaborative Research into Threats (CRITs) is a web-based tool that consists of an analytics engine and a cyber-threat database. This repository of attack data provides the platform for conducting malware analysis, correlating incidents and hunting threats.

             TAXII (Trusted Automated eXchange of Indicator Information):

A set of services and message exchanges that help to share actionable threat intelligence across organizational, product and service boundaries. TAXII is not itself an information sharing platform, and it does not define any kind of trust agreement. Rather, it allows the exchange of specific cyber threat information between partner organizations.

             STIX (Structured Threat Information eXpression):

STIX is a standardized language for representing cyber threat information. Like TAXII, it is not tied to any particular sharing program or tool; rather, it works as a component that supports such programs or tools. The framework provides constructs for both incidents and indicators. An incident construct is used when a history is needed for further analysis or follow-up. If we want to build a list of items to look for, an indicator construct is used. The seven constructs are:
  1. Observable (Activity)
  2. Indicator (What to watch)
  3. TTP
  4. Exploit target
  5. Campaign (Why)
  6. Threat actor (Who)
  7. Course of action
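How the indicator, TTP-style and course-of-action constructs fit together in a shareable document, as an added example that is not code from the original article. The list above is the STIX 1.x vocabulary; this block assumes the JSON form of STIX 2.1, the current OASIS standard, where the same ideas appear as an `indicator` (what to watch), a `malware` object, a `course-of-action` and `relationship` objects linking them. It builds a bundle and runs the structural checks a practitioner would want before handing it to a TAXII server. The domain, the malware name and the course of action are constructed placeholders.

```python
"""Build and sanity-check a STIX 2.1 bundle linking an indicator, the malware it
indicates and a course of action that mitigates it.

Added example, not code from the original article. The article lists the STIX 1.x
constructs; this block uses the JSON form of STIX 2.1, which is an assumption
about what a practitioner would exchange today. The domain, malware name and
course of action are constructed placeholders.
"""
import json
import uuid
from datetime import datetime, timezone


def stix_timestamp():
    """STIX timestamps are UTC, RFC 3339, with a trailing Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def stix_object(obj_type, **props):
    """Common properties every STIX domain or relationship object carries."""
    stamp = stix_timestamp()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": stamp, "modified": stamp, **props}


def make_indicator(name, pattern):
    """Indicator (what to watch): a STIX pattern plus the time it became valid."""
    return stix_object("indicator", name=name, indicator_types=["malicious-activity"],
                       pattern=pattern, pattern_type="stix", valid_from=stix_timestamp())


def make_malware(name, malware_types):
    return stix_object("malware", name=name, malware_types=malware_types, is_family=True)


def make_course_of_action(name, description):
    return stix_object("course-of-action", name=name, description=description)


def make_relationship(source, relationship_type, target):
    return stix_object("relationship", relationship_type=relationship_type,
                       source_ref=source["id"], target_ref=target["id"])


def make_bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_bundle(bundle):
    """Minimal structural checks before sharing: common fields, id prefixes, resolvable refs."""
    problems = []
    ids = {obj["id"] for obj in bundle["objects"]}
    for obj in bundle["objects"]:
        for field in ("type", "spec_version", "id", "created", "modified"):
            if field not in obj:
                problems.append(f"{obj.get('id', '?')}: missing {field}")
        if not obj["id"].startswith(obj["type"] + "--"):
            problems.append(f"{obj['id']}: id prefix does not match type {obj['type']}")
        if obj["type"] == "indicator" and not all(k in obj for k in ("pattern", "pattern_type", "valid_from")):
            problems.append(f"{obj['id']}: indicator lacks pattern/pattern_type/valid_from")
        if obj["type"] == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj[ref] not in ids:
                    problems.append(f"{obj['id']}: {ref} {obj[ref]} not in bundle")
    return problems


def build_example_bundle():
    """Indicator -> indicates -> malware <- mitigates <- course of action."""
    indicator = make_indicator("Constructed C2 domain",
                               "[domain-name:value = 'payload-drop.example']")
    malware = make_malware("Constructed banking trojan", ["trojan"])
    coa = make_course_of_action("Block C2 domain at the resolver",
                                "Sinkhole payload-drop.example on the internal DNS resolver.")
    objects = [indicator, malware, coa,
               make_relationship(indicator, "indicates", malware),
               make_relationship(coa, "mitigates", malware)]
    return make_bundle(objects)


if __name__ == "__main__":
    bundle = build_example_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle) or "none")
```

The reference check matters in practice: a relationship whose target was filtered out of the bundle (for example by a TLP-based export rule) is silently useless to the receiver, and `validate_bundle` reports exactly that case.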
On the surface, threat intelligence seems to follow a single discipline: security researchers collect information from a variety of sources, analyse it and use the output to make decisions. In reality it is both more varied and more complicated. Threat intelligence can be broken down into different levels based on the techniques, challenges and uses involved.

Levels of Threat Intelligence:

There are three basic levels of Threat Intelligence that are important to understand. Each level progressively moves from a broad attack understanding to a focus on real-time events.

             Strategic Threat Intelligence

Strategic Threat Intelligence gives the broad picture of a threat. It shows how threat actors’ behaviours change over time, based on historical data analysis. The main focus of strategic threat intelligence is to understand the trend of attacks, the motivation and the purpose.

             Operational Threat Intelligence

Operational Threat Intelligence (OTI) is the set of data that helps to prioritize tasks, allocate resources and make day-to-day decisions. OTI data builds the capability for analysing and detecting threats and provides attack directions using Indicators of Compromise (IoCs).

             Tactical Threat Intelligence

Tactical Threat Intelligence is based on real-time analysis of data coming from the organization or other related sources. This knowledge then gives the ability to make more immediate decisions on how to deal with threats.

Information about the threat supports different decisions at different levels. To ensure you make the right choice, there are phases to follow at each level, depending on the situation. Those phases are divided into seven categories: Hunting, Feature Extraction, Behaviour Extraction, Clustering, Attribution, Tracking, and Take Down.

Phases of Threat Intelligence:

Now, to round off the gathering of knowledge about the enemy, let’s look at the seven phases of Threat Intelligence: Hunting, Feature Extraction, Behaviour Extraction, Clustering and Correlation, Threat Actor Attribution, Tracking and finally Take Down.


Threat hunting is a process to identify threat agents in the environment before they successfully execute. Hunting for a threat is not a new thing, but hunting while the attackers are active and ready to evade the defense system makes it more complicated. Threat hunters look for threats that have not yet been triggered, using methods like analytics, penetration testing and sandboxing. The challenge is to find the threat agent without being detected by the threat agent – don’t let the hunted know they are being hunted. This brings to mind another great Sun Tzu quote, “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”

             Feature Extraction
The goal of Feature Extraction is to identify unique static features from the binaries so that threats can be classified into specific threat actor groups. Possible features include:
    • Detecting the timestamp of the malicious executable. This can provide knowledge about when the file first came into existence inside the environment.
    • Verifying the digital certificates, whether fake, outdated or stolen from other vendors so that the binary is not detected by antivirus tools.
    • Extracting metadata such as the language used (Russian, Chinese or English, for example) or detecting the MIME type of the code, which helps in understanding the identity of the threat.
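Reading the first of those features from a Windows executable, as an added example that is not code from the original article: the compile timestamp lives in the COFF file header of every PE binary, together with the target machine type, and can be read by offset without any third-party library. Because the field is written by the linker and can be set to anything by the author, the block also classifies the value (zero, in the future, implausibly old) before an analyst relies on it. The PE header it parses is constructed in memory, not a real sample, and the thresholds in `assess_timestamp` are this example's own choices.

```python
"""Read the compile timestamp and machine type from a PE header and judge its plausibility.

Added example, not code from the original article. It builds a minimal PE header in
memory (a constructed sample, not a real binary) and parses the fields by offset, so
it runs without pefile or a sample file. The sanity thresholds in assess_timestamp
are this example's own choices.
"""
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics: the 20-byte COFF file header.
COFF_HEADER = "<HHIIIHH"
EPOCH_2000 = 946684800  # 2000-01-01T00:00:00Z


def build_sample_pe(timestamp, machine=0x8664):
    """Construct just enough of a PE file for the parser: DOS header, signature, COFF header, optional-header magic."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack(COFF_HEADER, machine, 1, timestamp, 0, 0, 240, 0x0022)
    return bytes(dos_header) + b"PE\0\0" + coff + struct.pack("<H", 0x20B)


def parse_pe_header(data):
    """Extract the static features a feature-extraction step would record."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, sections, stamp, _, _, _, characteristics = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)  # first field of the optional header
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "format": OPTIONAL_MAGIC.get(magic, hex(magic)),
        "sections": sections,
        "timestamp": stamp,
        "compiled_at": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat() if stamp else None,
        "is_dll": bool(characteristics & 0x2000),  # IMAGE_FILE_DLL
    }


def assess_timestamp(stamp, observed_at):
    """The timestamp is author-controlled, so classify it before trusting it.

    observed_at is the Unix time the sample was first seen in the environment.
    """
    if stamp == 0:
        return "zero (stripped or reproducible build)"
    if stamp > observed_at + 24 * 3600:
        return "in the future (forged)"
    if stamp < EPOCH_2000:
        return "before 2000 (implausible)"
    return "plausible"


if __name__ == "__main__":
    first_seen = 1548979200                    # 2019-02-01T00:00:00Z, constructed sighting time
    for stamp in (1548892800, 0, 1600000000):  # plausible, zero, and forged future values
        info = parse_pe_header(build_sample_pe(stamp))
        print(info["machine"], info["format"], info["compiled_at"], "->", assess_timestamp(stamp, first_seen))
```

A forged or zeroed timestamp is itself a feature worth recording: a cluster of samples that all carry the same impossible build date is a strong hint that they came from one toolchain.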

             Behavior Extraction
Behavior Extraction is all about identifying unique dynamic features from the binaries in order to classify them into malicious groups. The processes are:
    • Running samples inside a sandbox environment to identify the API calls that attempt to communicate with the external network.
    • Checking for persistence in scheduled tasks, the registry and services.
    • Executing the malware and dumping memory samples. The malware decrypts itself in memory, and those memory samples can reveal malicious strings.

             Clustering and Correlation
The main objective of Clustering and Correlation is to identify malicious objects based on their features and behavior in order to understand the attack flow.
    • Clustering: Each threat is treated as an independent node according to its features. Different node groups are created according to their different behavioral properties.
    • Correlation: Correlation draws the lines between different nodes and their groups to give the broad picture needed to understand the attack in detail.
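Both steps on a small set of samples, as an added example that is not code from the original article. Each sample is a node carrying the static and dynamic features the two preceding phases produced (import hash, code signer, C2 domain, persistence location, mutex); clustering links nodes whose feature sets overlap enough, and correlation then lists the features that cross cluster boundaries, which are the lines between node groups the text describes. The samples and feature values are constructed, and Jaccard similarity with a 0.5 cut-off is this example's choice of clustering rule.

```python
"""Cluster malware samples by shared static/dynamic features, then correlate clusters.

Added example, not code from the original article. The samples and their feature
sets are constructed; in practice each set would come from the feature- and
behaviour-extraction steps (import hash, signer, C2 domain, persistence location,
mutex). Jaccard similarity over feature sets with a 0.5 threshold is this
example's choice of clustering rule.
"""
from itertools import combinations

# Constructed samples: id -> set of "kind:value" features.
SAMPLES = {
    "sample-01": {"imphash:a1", "signer:Vendor-X", "c2:payload-drop.example", "persist:Run\\Updater"},
    "sample-02": {"imphash:a1", "signer:Vendor-X", "c2:payload-drop.example", "persist:Run\\Updater", "mutex:m1"},
    "sample-03": {"imphash:b2", "signer:Vendor-X", "c2:update-check.example", "persist:Run\\Updater"},
    "sample-04": {"imphash:c3", "c2:update-check.example", "persist:Service\\svc1"},
    "sample-05": {"imphash:c3", "c2:update-check.example", "persist:Service\\svc1", "mutex:m2"},
}


def jaccard(a, b):
    """Share of features two samples have in common, 0.0 to 1.0."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster(samples, threshold=0.5):
    """Clustering: each sample is a node; link nodes whose similarity meets the threshold (union-find)."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the trees shallow
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if jaccard(samples[a], samples[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: min(g))


def correlate(samples, clusters):
    """Correlation: features shared by more than one cluster, the lines between node groups."""
    feature_to_clusters = {}
    for index, group in enumerate(clusters):
        for name in group:
            for feature in samples[name]:
                feature_to_clusters.setdefault(feature, set()).add(index)
    return {f: sorted(c) for f, c in feature_to_clusters.items() if len(c) > 1}


if __name__ == "__main__":
    groups = cluster(SAMPLES)
    for i, g in enumerate(groups):
        print(f"cluster {i}: {sorted(g)}")
    for feature, linked in correlate(SAMPLES, groups).items():
        print(f"{feature} links clusters {linked}")
```

With the 0.5 cut-off the constructed data falls into three clusters, and the correlation step shows that the stolen signer and the Run-key persistence tie the first two together while the `update-check.example` C2 ties the last two: three tool families, one operation. Lowering the threshold merges the first two clusters, so the cut-off is a knob an analyst tunes against known-good ground truth, not a constant.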

             Threat Actor Attribution
The focus of Threat Actor Attribution is to find out who is behind the attack.
    • First, find out the threat actor’s geographical location.
    • Next, understand the industries they are targeting.
    • Understand their Command and Control infrastructure.
    • Investigate their Tactics, Techniques and Procedures (TTPs).

             Tracking
Tracking helps to identify new attacks and variants proactively.
    • Passive DNS: if the attacker frequently changes the domain or the public IP, evidence can be found in a Passive DNS database.
    • C2 port scan: if the C2 server’s listening port or group of ports is identified, the C2 server can be tracked down and a port scan performed to understand the attacking environment more closely.
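The Passive DNS point worked through, as an added example that is not code from the original article: starting from one known C2 domain, the block lists every IP the domain has resolved to over time (which is where a domain hopping between addresses shows up), then pivots from those IPs to the other names that resolved to them, giving candidate domains to add to the watchlist. It also shows the caveat every analyst hits: an IP shared by many unrelated names is hosting, not infrastructure, and pivoting through it produces false leads, so such IPs are skipped. The records and domains are constructed, and the CSV layout and the shared-hosting cut-off are this example's own.

```python
"""Pivot through passive DNS records to find infrastructure linked to a known C2 domain.

Added example, not code from the original article. The records are constructed in
a simple CSV layout (name, type, rdata, first_seen, last_seen); a real passive DNS
database would be queried for the same fields. The shared-hosting cut-off is this
example's own heuristic.
"""
import csv
import io
from collections import defaultdict

# Constructed passive DNS history.
PDNS_CSV = """\
rrname,rrtype,rdata,first_seen,last_seen
payload-drop.example,A,203.0.113.45,2018-12-01,2019-01-10
payload-drop.example,A,198.51.100.77,2019-01-11,2019-01-31
update-check.example,A,203.0.113.45,2019-01-05,2019-01-31
gate-login.example,A,203.0.113.45,2018-11-20,2018-12-15
shop1.example,A,198.51.100.77,2017-03-01,2019-01-31
shop2.example,A,198.51.100.77,2017-03-01,2019-01-31
blog.example,A,198.51.100.77,2018-06-10,2019-01-31
"""


def load_records(text):
    """Keep only A records; other types need different pivots."""
    return [row for row in csv.DictReader(io.StringIO(text)) if row["rrtype"] == "A"]


def resolution_history(records, domain):
    """Where a domain has pointed over time, oldest first: shows the attacker moving IPs."""
    rows = [r for r in records if r["rrname"] == domain]
    return sorted((r["first_seen"], r["last_seen"], r["rdata"]) for r in rows)


def pivot(records, seed_domain, max_domains=3):
    """Seed domain -> its IPs -> other domains that resolved to those IPs.

    An IP hosting more than `max_domains` names is treated as shared hosting and
    skipped, because everything behind it would be a false lead.
    """
    domains_on_ip = defaultdict(set)
    for r in records:
        domains_on_ip[r["rdata"]].add(r["rrname"])
    seed_ips = {r["rdata"] for r in records if r["rrname"] == seed_domain}
    related = defaultdict(set)  # candidate domain -> the IPs that link it to the seed
    shared = set()
    for ip in sorted(seed_ips):
        names = domains_on_ip[ip]
        if len(names) > max_domains:
            shared.add(ip)
            continue
        for name in names - {seed_domain}:
            related[name].add(ip)
    return {"seed_ips": seed_ips, "related": dict(related), "skipped_shared": shared}


if __name__ == "__main__":
    recs = load_records(PDNS_CSV)
    for first, last, ip in resolution_history(recs, "payload-drop.example"):
        print(f"payload-drop.example -> {ip} ({first} to {last})")
    result = pivot(recs, "payload-drop.example")
    for name, ips in sorted(result["related"].items()):
        print(f"candidate {name} via {sorted(ips)}")
    print("shared-hosting IPs skipped:", sorted(result["skipped_shared"]))
```

On the constructed data the seed domain moved from one address to another in January; the first address yields two new candidate domains (one of them already expired, which is still useful history), while the second is shared with several unrelated sites and is skipped. The `first_seen`/`last_seen` overlap between seed and candidate is the next thing to check before promoting a candidate to an indicator.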

             Take Down
Demolishing an organized threat operation is known as Taking Down the threat. To do this, follow these steps:
    • Take down the Command and Control server.
    • Perform MITM in the attacker’s network and closely monitor the changes.
    • Collaborate closely with law enforcement bodies like the FBI, Interpol and country-specific defense agencies.

Now that you have become at one with both yourself and your enemy, you are more prepared than ever before to begin to win the war against cyber attackers. One last comment from Sun Tzu: “If ignorant both of your enemy and yourself, you are certain to be in peril.” So, stay out of peril and in the know by continuously using great Cyber Threat Intelligence practices.

Tzu, Sun. The Art of War. Trans. Thomas Cleary. Boston: Shambala, 2005. Print.

