The ability to dig deep and learn what a person really cares about and who they are, without their knowledge, is a valuable skill set in the cyber intelligence world. The data gathered, such as credentials, personal information, credit card or banking details and access to personal devices (mobile, laptop, etc.), could be used to steal money or destroy a reputation. It is also illegal. Similarly, for an organization, information gathered about revenue and profit, company shareholders, brand value, equity, market share and customer details could be used to cause untold damage. A physical battlefield and cyber warfare pose a similar threat to mankind. Cyber threats are carried out by threat actors who study their targets in order to exploit their vulnerabilities. History has shown that battles have always had strategies and tactics for leveraging the enemy’s infrastructure for attack and destruction, and cyber-attacks are quite similar. However, while changing strategy in a physical battle takes time, money and massive effort, cyber-attacks are very different. Small groups with little money but intense skill can take down larger opponents and quickly pivot to attack or defend as the cyber strategy changes. Every time an adversary comes up with different techniques, procedures, communication processes or knowledge while attacking a target or defending itself from an attack, the tide of the cyber battle can change dramatically in seconds. How can you defend against an enemy so agile and difficult to detect? The following article will shed some light on this and give you a few tools for defending against cyber threats by gathering threat intelligence.
What is cyber threat intelligence?
Sun Tzu once said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Threat intelligence is all about knowing your security threats, identifying them, and making sound preventive decisions.
It is not something that arrives in a spreadsheet, nor anything you can get by following a template. It requires an organization to understand its own capabilities and those of the threat actors and adversaries it faces. An organization is an easy target for a malicious actor if it does not understand its assets, personnel, infrastructure and operational processes. You must first seek to know yourself.
The core purpose of threat intelligence is to analyse and process data about identified threats. Each type of intelligence must follow the intelligence life cycle: planning and direction, collection, processing, analysis and production, dissemination, and integration of the information.
For a better understanding, let’s take an example. We may all have heard about “GameOver Zeus”, one of the most effective cyber-attacks ever, which infected thousands of people worldwide. The operation created zombies, stretching the network until it reached nearly one million bots. Operators used those bots for more than two years to steal millions of dollars from banks all over the world, using CryptoLocker ransomware.
“GameOver Zeus Botnet was designed to be indestructible,” said a researcher who helped the FBI with the investigation. Having realised that everything was getting out of their control, the FBI found it better to go after the bot rather than the persons behind the scenes. They convened a meeting and immediately decided to work together with Microsoft and other security firms. They named it “Operation Tovar”.
The plan was to take full control of the botnet efficiently and silently, without the operators being informed, so as to avoid the destruction of evidence against them. The FBI and its team introduced their own peers into the botnet to turn the distributed peer-to-peer network into a centralized zone. To mitigate the attack, the internet service providers gave the FBI control over the proxy nodes the operators used for command and control of the botnet. The bots then started connecting to proxies controlled by the FBI’s shadow servers. The team began analysing the captured communications to find the threat vectors, the impacted IPs and the number of infected systems involved, in order to take over the command and control. Within a few hours the botnet operation went down, and the leader behind the GameOver Zeus botnet was suspected to be “Evgeniy Bogachev”.
Operation Tovar is a perfect example of real-time threat intelligence, and it can also serve as a reference for implementing threat intelligence inside any organization. But it does not end there: after the entire process, the organization needs to evaluate the information and check its worth. The capability to form a meaningful collection of threat intelligence will help an organization make strategic choices. This can be done through intelligence foundations.
Intelligence Foundations:
There are four foundational intelligence indicators. In no particular order, they are Indicators of Attack (IoA), Indicators of Compromise (IoC), Tactics, Techniques and Procedures (TTPs), and Collaborative Research into Threats (CRITs).
● Indicators of Attack (IoA)
Indicators of Attack (IoA) describe the ability to collect and examine network activity in real time. IoAs help to understand how the adversary gets into the target, accesses resources, dumps passwords, performs lateral movement and exfiltrates data. Security researchers take this data and build modules that take proactive action against the adversary and stop it before any damage is done. The following can be considered an example of an Indicator of Attack (IoA):
- Outbound traffic towards a blacklisted IP: for example, a SIEM dashboard that displays hosts communicating with feeds (IP, domain, URL) taken from the “ransomwaretracker.abuse.ch” website.
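The dashboard widget described above boils down to one piece of logic: match the destination of every outbound connection against a threat feed. The following Python is an added example written for this article, not code from the original post or from abuse.ch; the feed entries, log format and hosts are all constructed, and the log format is an assumed `key=value` style rather than any particular vendor’s.

```python
import ipaddress
import re

# Constructed blocklist feed in the plain one-indicator-per-line style of public
# feeds (these entries are hypothetical, not taken from ransomwaretracker.abuse.ch).
SAMPLE_FEED = """
# constructed feed: IPs, CIDR ranges and domains, comments start with '#'
198.51.100.23
203.0.113.0/24
bad-payload.example
"""

# Constructed proxy/firewall log lines (hypothetical internal hosts and destinations).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "2024-03-01T10:00:02Z src=10.0.0.7 dst=93.184.216.34 dport=80 action=allow",
    "2024-03-01T10:00:03Z src=10.0.0.9 dst=203.0.113.77 dport=8080 action=allow",
    "2024-03-01T10:00:04Z src=10.0.0.5 host=www.bad-payload.example dport=443 action=allow",
    "2024-03-01T10:00:05Z src=10.0.0.11 host=www.example.org dport=443 action=allow",
    "malformed line that the parser must skip",
]

LOG_RE = re.compile(
    r"(?P<ts>\S+)\s+src=(?P<src>\S+)\s+(?:dst=(?P<dst>\S+)|host=(?P<host>\S+))\s+dport=(?P<dport>\d+)"
)


def parse_feed(feed_text):
    """Split a feed into IP networks (single IPs become /32) and bare domain names."""
    networks, domains = [], set()
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.lower().rstrip("."))
    return networks, domains


def match_indicator(dst, host, networks, domains):
    """Return the feed entry that a destination IP or hostname matches, else None.
    Hostnames match a listed domain exactly or as a subdomain of it."""
    if dst:
        addr = ipaddress.ip_address(dst)
        for net in networks:
            if addr in net:
                return str(net)
    if host:
        name = host.lower().rstrip(".")
        for dom in domains:
            if name == dom or name.endswith("." + dom):
                return dom
    return None


def find_outbound_hits(log_lines, feed_text):
    """Return one record per log line whose destination is on the feed."""
    networks, domains = parse_feed(feed_text)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        indicator = match_indicator(m["dst"], m["host"], networks, domains)
        if indicator:
            hits.append({
                "time": m["ts"],
                "src": m["src"],
                "dest": m["dst"] or m["host"],
                "indicator": indicator,
            })
    return hits


if __name__ == "__main__":
    for hit in find_outbound_hits(SAMPLE_LOGS, SAMPLE_FEED):
        print(f"{hit['time']} {hit['src']} -> {hit['dest']} matched feed entry {hit['indicator']}")
```

Two details matter in practice: CIDR entries in the feed are handled as networks rather than string-compared, and hostnames match as subdomains (`www.bad-payload.example` hits `bad-payload.example`) but not as mere suffixes (`notbad-payload.example` does not), which is the usual source of false positives in naive string matching.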
● Indicators of Compromise (IoC):
When an attack happens, we may not see evidence of it in real time. There is still a strong chance of tracing the activity through the log files left inside the infected system, which can then be identified as malicious.
Indicators of Compromise (IoCs) are the collection of evidence used to understand whether a cyber-attack has occurred or is currently under way. Using IoCs, an analyst can understand what has actually happened. They can also be used as a future reference against similar types of attacks.
Security researchers review IoCs to analyze the behavior of new malware and its activities, to understand the threats better and to provide actionable intelligence against any incident. They then share it within the internal community to improve the organization’s remediation and incident response strategies. The following IoCs can be taken as examples:
- Unknown files, applications and processes in the system.
- Large amounts of compressed data found in locations where they should not be.
- Irregular traffic to or from countries with which the organization has no business relationship.
- Suspicious activity from administrator or privileged accounts.
● Tactics, Techniques and Procedures (TTPs)
Tactics, Techniques and Procedures (TTPs) are the terms mainly used for the detection of Advanced Persistent Threats (APTs) and for profiling the adversary.
Tactics: The tactics of an APT can be described as the way the adversary carries out the attack from beginning to end. They outline how the attacker performs the different stages of the operation to establish a foothold inside the target.
Techniques: To carry out attacks successfully, the threat actor uses different types of techniques, such as tools or scripts, to gain initial access to the target. They then maintain connectivity to Command and Control servers and exfiltrate data while attempting to stay hidden. Lateral network movement is also used to make detection more difficult. Understanding these helps to profile the APT life cycle and learn which tools and techniques have been used.
Procedures: It is not always possible to get into a system with a single attempt, so the attacker will use other techniques as well. Analyzing the various tactics and techniques reveals more attack patterns for the APT groups. Procedures can be defined as the aggregated form of these patterns. In most cases they help to identify attacks in their initial phase, but only if the procedures the attacker follows are already known.
TTPs, from the perspective of tooling, are often sold on dark web forums, since they carry knowledge of what can be used against a target and also how to avoid getting caught. For example, an attacker knows that an environment locks a user account after five failed login attempts, so the attacker will try to brute force the system with four attempts before starting a new session, to avoid detection.
The counter action against this TTP could be to lower the threshold to three and trigger an alert for failed login attempts in the Security Information and Event Management (SIEM) system.
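To make the counter action concrete, here is an added Python example (written for this article, not taken from the original post or any SIEM product) that runs both rules over a constructed authentication log: a per-session lockout counter of the kind the attacker evades, and the SIEM-style rule that counts failures per user and source in a sliding time window regardless of session and alerts at three. The log format, users, addresses and session ids are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines (hypothetical users, addresses and session ids).
# The source 203.0.113.5 stops at four failures per session and then opens a new
# session, which is exactly the evasion the text describes.
SAMPLE_AUTH_LOG = [
    "2024-03-01T09:00:00Z auth=fail user=alice src=203.0.113.5 session=1",
    "2024-03-01T09:00:05Z auth=fail user=alice src=203.0.113.5 session=1",
    "2024-03-01T09:00:10Z auth=fail user=alice src=203.0.113.5 session=1",
    "2024-03-01T09:00:15Z auth=fail user=alice src=203.0.113.5 session=1",
    "2024-03-01T09:00:20Z auth=fail user=alice src=203.0.113.5 session=2",
    "2024-03-01T09:00:25Z auth=fail user=alice src=203.0.113.5 session=2",
    "2024-03-01T09:00:30Z auth=fail user=alice src=203.0.113.5 session=2",
    "2024-03-01T09:00:35Z auth=ok user=alice src=203.0.113.5 session=2",
    "2024-03-01T09:01:00Z auth=fail user=bob src=10.0.0.8 session=7",
    "2024-03-01T09:30:00Z auth=fail user=bob src=10.0.0.8 session=8",
]

AUTH_RE = re.compile(
    r"(?P<ts>\S+)\s+auth=(?P<result>ok|fail)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+session=(?P<session>\d+)"
)


def parse_auth(lines):
    """Yield parsed events, skipping lines that do not match the expected format."""
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"], m["session"]


def sessions_locked_out(lines, lockout=5):
    """Per-session lockout as in the text: a session is locked after `lockout` failures.
    The counter resets with every new session, so stopping at four never trips it."""
    failures = defaultdict(int)
    for _, result, user, src, session in parse_auth(lines):
        if result == "fail":
            failures[(user, src, session)] += 1
    return sorted(k for k, n in failures.items() if n >= lockout)


def detect_failed_logins(lines, threshold=3, window=timedelta(minutes=10)):
    """SIEM-style counter action: count failures per (user, source) in a sliding time
    window regardless of session, and raise an alert when `threshold` is reached."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ts, result, user, src, _ in parse_auth(lines):
        q = recent[(user, src)]
        if result != "fail":
            if q:  # a success right after a burst of failures is worth recording too
                alerts.append({"user": user, "src": src, "time": ts.isoformat(),
                               "kind": "success-after-failures", "failures": len(q)})
                q.clear()
            continue
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": user, "src": src, "time": ts.isoformat(),
                           "kind": "failed-login-threshold", "failures": len(q)})
            q.clear()  # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    print("sessions locked out at 5 failures:", sessions_locked_out(SAMPLE_AUTH_LOG))
    for alert in detect_failed_logins(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample log the lockout rule never fires (no session reaches five), while the windowed rule raises two threshold alerts for `alice` within the first thirty seconds and a third one for the success that follows the burst; `bob`’s two isolated failures, twenty-nine minutes apart, stay below the threshold because the window has expired.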
● Collaborative Research into Threats (CRITs):
Where information security is concerned, the risk is similar for every organization. Thus it is better to collaborate and help each other to take proactive action against threat actors. The main goal is to share experiences about the TTPs of attacks and the possible remediation against them.
Collaborative Research into Threats (CRITs) is a web-based tool that consists of an analytics engine and a cyber-threat database. This repository of attack data provides the platform for conducting malware analysis, correlating incidents and hunting threats.
● TAXII (Trusted Automated eXchange of Indicator Information):
A set of services and message exchanges that help to share actionable threat intelligence across organizational, product and service boundaries. TAXII is not an information sharing platform and does not define trust agreements. Rather, it allows organizations to exchange specific cyber threat information with their partner organizations.
● STIX (Structured Threat Information eXpression): STIX is a standardized language for representing cyber threat information. Like TAXII, it is not itself a sharing program or tool; rather, it works as a component that supports such programs or tools. The framework allows us to build constructs for both incidents and indicators. An incident construct is used when a history is required for further analysis or follow-up. If we want to build a list of items to look for, an indicator construct is used. The seven indicator constructs include:
- Observable (Activity)
- Indicator (What to watch)
- TTP
- Exploit target
- Campaign (Why)
- Threat actor (Who)
- Course of action
On the surface it seems that threat intelligence follows a single discipline: security researchers collect information from a variety of sources, analyse it and use the output to make decisions. In reality it is both different and more complicated. With more functions involved, threat intelligence can be broken down into different levels based on the techniques, challenges and use.
Levels of Threat Intelligence:
There are three basic levels of Threat
Intelligence that are important to understand. Each level progressively moves
from a broad attack understanding to a focus on real-time events.
● Strategic Threat Intelligence
Strategic Threat Intelligence gives the broad picture of a threat. It shows how threat actors’ behaviors change over time, based on analysis of historical data. The main focus of strategic threat intelligence is to understand the trend of attacks, the motivation and the purpose.
● Operational Threat Intelligence
Operational Threat Intelligence (OTI) is the set of data that helps to prioritize tasks, allocate resources and make day-to-day decisions. OTI data builds the capability to analyse and detect threats, and it points to the direction of an attack using Indicators of Compromise (IoCs).
● Tactical Threat Intelligence
Tactical Threat Intelligence is based on
the real time analysis of data which comes from the organization or other
related resources. This knowledge then gives the ability to make more immediate
decisions on how to deal with the threats.
Information about the threat informs different decisions at different levels. To make sure you are making the right choice, there are phases to follow at each level, depending on the situation. Those phases are divided into seven categories: Hunting, Feature Extraction, Behaviour Extraction, Clustering, Attribution, Tracking, and Take Down.
Phases of Threat Intelligence:
Now, to understand the seven phases of
Threat Intelligence and round off knowledge gathering of the enemy: Hunting,
Feature Extraction, Behaviour Extraction, Clustering and Correlation, Threat
Actor Attribution, Tracking and finally Take Down.
● Hunting
Threat hunting is a process to identify threat agents in the environment before they successfully execute. Hunting for a threat is not new, but hunting while the attackers are active and ready to evade the defense system makes it more complicated. Threat hunters look for threats that have not yet been triggered, using methods like analytics, penetration testing and sandboxing. The challenge is to find the threat agent without being detected by it: don’t let the hunted know they are being hunted. This brings to mind another great Sun Tzu quote, “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”
● Feature Extraction
The goal of Feature Extraction is to identify unique static features in the binaries so that threats can be classified into specific threat actor groups. Possible features are:
➔ The timestamp of the malicious executable. This can provide knowledge about when the file first came into existence inside the environment.
➔ The digital certificate, and whether it is fake, outdated or stolen from another vendor so that the binary is not detected by antivirus tools.
➔ Metadata such as the language used (Russian, Chinese, English) or the MIME type of the code, which helps in understanding the identity of the threat.
● Behavior Extraction
Behavior Extraction is all about identifying unique dynamic features of the binaries in order to classify them into malicious groups. The processes are:
➔ Running samples inside a sandbox environment to identify API calls that attempt to communicate with the external network.
➔ Checking for persistence in scheduled tasks, the registry, and services.
➔ Executing the malware and dumping memory samples. The malware will decrypt itself in memory, and those memory samples can reveal any malicious strings inside.
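The first static feature listed under Feature Extraction and the last dynamic one under Behavior Extraction are both simple enough to show end to end. The following Python is an added example for this article, not code from the original post: it reads the build timestamp from the COFF file header of a PE image, flags a zero or future stamp as stripped or forged, and pulls printable strings out of a memory dump the way the `strings` tool does, checking them against a short watch list. The PE image and the memory dump are constructed fixtures, and the C2 host and watch patterns are hypothetical.

```python
import re
import struct
from datetime import datetime, timezone

# --- static feature: compile timestamp from the PE/COFF header -------------------

def build_sample_pe(timestamp):
    """Constructed minimal PE image: a DOS stub whose e_lfanew points at a PE
    signature followed by a COFF file header carrying the given TimeDateStamp.
    This is a test fixture, not a runnable executable."""
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff_header = struct.pack(
        "<HHIIIHH",
        0x8664,      # Machine: x86-64
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp (seconds since the Unix epoch)
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0,           # SizeOfOptionalHeader
        0x0022,      # Characteristics: executable image, large-address aware
    )
    return dos_header + b"PE\x00\x00" + coff_header


def pe_compile_time(data):
    """Return the COFF TimeDateStamp of a PE file as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_is_plausible(stamp, now):
    """A zero or future build time is a sign the stamp was stripped or forged."""
    return stamp.timestamp() != 0 and stamp <= now


# --- dynamic feature: printable strings pulled from a memory dump ---------------

# Constructed memory dump: binary noise around strings that a packed sample would
# only expose after unpacking itself in memory (hypothetical C2 host and registry path).
SAMPLE_MEMORY_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"http://c2-server.example/gate.php" + b"\x00\x00"
    + b"ab" + b"\xff" * 4
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" + b"\x00" * 3
    + b"xyz"
)

# Substrings that merit a closer look when they appear in unpacked memory (assumed list).
WATCH_PATTERNS = ("http://", "currentversion\\run")


def extract_strings(blob, min_len=6):
    """Return printable ASCII runs of at least min_len bytes, like the strings tool."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def suspicious_strings(blob, patterns=WATCH_PATTERNS, min_len=6):
    """Strings from the dump that contain any watched substring (case-insensitive)."""
    return [s for s in extract_strings(blob, min_len)
            if any(p.lower() in s.lower() for p in patterns)]


if __name__ == "__main__":
    built = pe_compile_time(build_sample_pe(1700000000))
    print("compile time:", built.isoformat(),
          "plausible:", timestamp_is_plausible(built, datetime.now(timezone.utc)))
    for s in suspicious_strings(SAMPLE_MEMORY_DUMP):
        print("suspicious string:", s)
```

The timestamp check is deliberately loose: a stamp can be set to anything at link time, so treat it as one feature among several for clustering rather than as proof of when a file was built. The strings pass is the reason for dumping memory at all, since neither the URL nor the registry path would be visible in the packed file on disk.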
● Clustering and Correlation
The main objective of Clustering and Correlation is to identify malicious objects based on their features and behavior, in order to understand the attack flow.
➔ Clustering: In clustering, each threat is treated as an independent node according to its respective features. Different node groups are created according to their different behavioral properties.
➔ Correlation: Correlation draws the lines between different nodes and their groups to give the broad picture needed to understand the attack in detail.
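The node-and-line model just described maps directly onto a graph. The Python below is an added example for this article, not the post’s own code: every sample is a node, sharing a feature value (here a C2 host, a signing certificate thumbprint or an import hash) draws a labelled line between two nodes (correlation), and the connected components of that graph are the clusters. The sample inventory and all its feature values are constructed.

```python
from collections import defaultdict

# Constructed sample inventory: each entry is a malware sample with the static and
# dynamic features the earlier phases extracted (hypothetical C2 hosts, certificate
# thumbprints and import hashes).
SAMPLES = {
    "sample-A": {"c2": "update-check.example", "signer": "cert-111", "imphash": "h1"},
    "sample-B": {"c2": "update-check.example", "signer": "cert-222", "imphash": "h2"},
    "sample-C": {"c2": "cdn-sync.example",     "signer": "cert-222", "imphash": "h3"},
    "sample-D": {"c2": "mail-relay.example",   "signer": "cert-333", "imphash": "h4"},
    "sample-E": {"c2": "mail-relay.example",   "signer": "cert-333", "imphash": "h4"},
    "sample-F": {"c2": "news-feed.example",    "signer": None,       "imphash": "h5"},
}

# Features worth drawing a line over: sharing any of these links two samples.
LINK_FEATURES = ("c2", "signer", "imphash")


def correlate(samples, link_features=LINK_FEATURES):
    """Correlation: return (a, b, 'feature=value') edges between samples that share a feature."""
    index = defaultdict(list)
    for name, feats in samples.items():
        for f in link_features:
            if feats.get(f) is not None:  # a missing feature links nothing
                index[(f, feats[f])].append(name)
    edges = []
    for (f, v), names in index.items():
        names = sorted(names)
        for i in range(len(names)):
            for j in range(i + 1, len(names)):
                edges.append((names[i], names[j], f"{f}={v}"))
    return edges


def cluster(samples, edges):
    """Clustering: connected components of the sample graph (union-find).
    Every sample starts as its own node; linked samples merge into a group."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the tree shallow
            x = parent[x]
        return x

    for a, b, _ in edges:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
    groups = defaultdict(list)
    for name in samples:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


def explain_cluster(members, edges):
    """The lines inside one cluster: which feature ties each pair together."""
    members = set(members)
    return [e for e in edges if e[0] in members and e[1] in members]


if __name__ == "__main__":
    edges = correlate(SAMPLES)
    for group in cluster(SAMPLES, edges):
        print("cluster:", group)
        for a, b, why in explain_cluster(group, edges):
            print(f"   {a} -- {b} via {why}")
```

Note how sample-A and sample-C end up in the same cluster without sharing any feature directly: A links to B through the C2 host and B links to C through the certificate, which is exactly the kind of indirect relationship correlation is meant to surface. Sample-F shares nothing and stays a singleton, and a feature that is absent (the unsigned sample’s signer) is never treated as a shared value.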
● Threat Actor Attribution
The focus of Threat Actor Attribution is to find out who is behind the attack.
➔ First, find out the threat actor’s geographical location.
➔ Next, understand the industries they are targeting.
➔ Understand their Command and Control infrastructure.
➔ Investigate their Tactics, Techniques and Procedures (TTPs).
● Tracking
Tracking helps to identify new attacks and variants proactively.
➔ Passive DNS: if the attacker frequently changes the domain or the public IP, evidence can be found in a passive DNS database.
➔ C2 port scan: if the C2 server’s listening port or group of ports is identified, the C2 server can be tracked down and a port scan performed to understand the attacking environment more closely.
● Take Down
Dismantling an organized threat operation is known as taking down the threat. To do this, follow these steps:
➔ Take down the command and control server.
➔ Perform MITM in the attacker’s network and closely monitor the changes.
➔ Collaborate closely with law enforcement bodies like the FBI, Interpol, and country-specific defense agencies.
Now that you have become at one with both yourself and your enemy, you are more prepared than ever to begin to win the war against cyber attackers. One last comment from Sun Tzu: “If ignorant both of your enemy and yourself, you are certain to be in peril.” So, stay out of peril and in the know by continuously practising good cyber threat intelligence.
References:
Tzu, Sun. The Art of War. Trans. Thomas Cleary. Boston: Shambhala, 2005. Print.
https://threatconnect.com