Threat research
a counterintelligence gathering effort in which security companies and researchers attempt to discover the tactics, techniques, and procedures (TTPs) of modern cyber adversaries.
Deep web
any part of the World Wide Web that is not indexed by a search engine. Includes pages that require registration, block search indexing, unlinked pages, pages using non-standard DNS, and content encoded in a non-standard manner.
Dark net
a network established as an overlay to Internet infrastructure by software, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network.
Dark web
deliberately concealed from regular browser access - accessible only over a dark net.
3 main threat intelligence forms
Reputational threat intelligence
Lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.
Behavioral threat research
narrative commentary describing examples of attacks and TTPs gathered through primary research sources.
Threat data
computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators.
Cyber Threat Intelligence (CTI)
Feeds of threat data that can integrate with a security information and event management (SIEM) platform. The data on its own is not a complete security solution. It must be correlated with observed data from customer networks.
Threat intelligence models:
Tactic, technique, or procedure (TTP)
a generalized statement of adversary behavior. TTPs categorize behaviors in terms of campaign strategy and approach (tactics), generalized attack vectors (techniques), and specific intrusion tools and methods (procedures).
Indicator of compromise (IoC)
a residual sign that an asset or network has been successfully attacked or is continuing to be attacked. Evidence of a TTP and attack that was successful. Can be definite and objectively identifiable or open to interpretation due to the correlation of many data points. Often slow to diagnose because of this.
Examples of IoCs
Unauthorized software and files
Suspicious emails
Suspicious registry and file system changes
Unknown port and protocol usage
Excessive bandwidth usage
Rogue hardware
Service disruption and defacement
Suspicious or unauthorized account usage
Indicator of Attack (IoA)
A term used for evidence of an intrusion attempt that is in progress.
Threat data feed
The data within a CTI platform - signatures and pattern-matching rules supplied to analysis platforms as an automated feed.
OASIS CTI framework
designed to provide a format for a threat data feed so that organizations can share CTI.
Structured Threat Information eXpression (STIX)
Part of OASIS CTI framework that describes standard terminology for IoCs and ways of indicating relationships between them. Provides the syntax for describing CTI.
Trusted Automated eXchange of Indicator Information (TAXII)
protocol that provides a means for transmitting CTI data between servers and clients.
Automated Indicator Sharing (AIS)
service offered by Homeland Security for companies to participate in threat intelligence sharing.
Threat map
an animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform.
Common Vulnerabilities and Exposures (CVE)
a database listing known vulnerabilities, which can be codified as signatures and scanning scripts and supplied as feeds to vulnerability scanning software.
artificial intelligence (AI)
science of creating machines that can simulate or demonstrate a similar general intelligence capability to humans.
Machine Learning (ML)
use of algorithms to parse input data and then develop strategies for using that data.
Predictive analysis
also known as threat forecasting. One of the goals of using AI-backed threat intelligence.