Cyber Hygiene
Activities to ensure data and system security
Cybersecurity
Measures to protect data and computer systems
Cyber Threat Intelligence
Analysis of threats in the cyber domain
Data
Values of subjects with respect to variables
Information
Formatted data for human utilization
Intelligence
Product of collecting, processing, analyzing information
Cyber Kill Chain
A model for cyber attacker activity that represents the (possible) lifecycle phases of a cyber attack
Lockheed Martin Cyber Kill Chain
Ronnie Wanted Delicious Eggs In California, Always Ordering (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives)
Cyber Kill Chain Counter Measures
Detect, deny, disrupt, degrade, deceive, contain
Hacker Activities
Reconnaissance, network scanning, exploitation, maintaining access, covering tracks
Applications
Weakest link in cybersecurity: software vulnerabilities, web applications
CWE Intel Sources
Sans Top 25 Most Dangerous Software Errors
OWASP Top 10
Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE), Broken Access Control, Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring
CVE Intel Sources
NIST National Vulnerability Database, MITRE
Cyber Intelligence Framework
Environmental context, data gathering, threat analysis, strategic analysis, reporting and feedback
Facilitated by Human and Machine Teaming
Combining human analytical acumen with computational power
Assessment Factors
33 factors across the 5 components of the framework
Environmental Context Best Practices
Knowing attack surface, aligning roles, having enough people
Environmental Context Common Challenges
Silos, unclear roles, difficulties recruiting, aligning too closely with cybersecurity
Data Gathering Best Practices
Have intelligence requirements process, do data source validation
Data Gathering Common Challenges
Lack of organization-wide requirements, difficulties with third-party providers
Threat Analysis Best Practices
Threat analysis workflow, timeliness and accuracy, diversity in technical disciplines
Threat Analysis Common Challenges
No formal workflow, inadequate reporting, lack of technical diversity
Strategic Analysis Best Practices
Understanding difference from threat analysis, strategic analysis workflow, diversity in strategic disciplines
Strategic Analysis Common Challenges
Inability to implement, lack of process, over-reliance on third-party providers
Reporting and Feedback Best Practices
Creating variety of reports, actionable and predictive analysis, leadership involvement
Reporting and Feedback Common Challenges
Lack of resources, lack of predictive analysis, lack of feedback mechanisms
Cyber Intelligence Metrics
External reports, new and repeat consumers, vulnerabilities identified and fixed, phishing pages taken down, website visits, threats identified, report downloads, business decisions influenced
Cyber Intelligence Key Best Practices
Understanding cyber intelligence, establishing a fusion center, building a collection management team
Cyber Intelligence Key Challenges
Lack of formal workflows, difficulty accessing data, lack of resources
Components of a Fusion Center
Security operations, engineering, program management, cyber intelligence, insider threat, physical security, technology development
Fusion Center vs SOC
Fusion center: multiple teams collaborating, SOC: focused on cybersecurity operations
NIST NICE Framework
Workforce composition for cyber intelligence, cybersecurity, technology development, program management
Difference between Cybersecurity & Cyber Intelligence
Cyber intelligence is proactive, combines info, strategic. Cybersecurity is reactive, focused on attacks, tactical
Intelligence Lifecycle
Planning, collection, processing, analysis, dissemination
Cyber Intelligence Lifecycle
Direction, collection, processing, analysis, dissemination, feedback
Intelligence Requirements
Reflect leadership concerns, baseline for collection plan
Priority Intelligence Requirements
Detailed and operationally focused, align to IRs
Specific Intelligence Requirements
Operational, tactical, technical, change frequently
Tactical Analysis
Analysis of specific threats, incidents, vulnerabilities
Operational Analysis
Analysis of threats, campaigns, intentions, capabilities
Threat Analysis Workflow
Collect/normalize data, conduct tactical analysis, add context, enhance leadership decisions
Strategic Analysis Workflow
Fuse threat analysis, analyze technologies and geopolitics, enhance executive decisions
Differences between Threat Analysis & Strategic Analysis Workflows
Threat analysis is immediate, tactical. Strategic analysis is holistic, strategic
What is the purpose of threat modeling?
To provide defenders with a systematic analysis of the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker.
Threat Modeling Process
Identify Assets, Create an architecture overview, Decompose the application, Identify the threats, Document the threats, Rate the threats
DoD Cybersecurity Test and Evaluation (CSTE) Guidebook enumerates six phases for cybersecurity evaluation
Phase 1—Understand the Cybersecurity Requirements
Phase 2—Characterize the Attack Surface
Phase 3—Cooperative Vulnerability Identification
Phase 4—Adversarial Cybersecurity DT&E
Phase 5—Cooperative Vulnerability and Penetration Assessment
Phase 6—Adversarial Assessment
Threat Modeling Methods
Abstraction of system, profiles of attackers, catalog of threats
STRIDE and what kind of framework is it
Spoofing, tampering, repudiation, information disclosure, denial of service, escalation of privileges (software centric threat modeling framework)
MITRE ATT&CK
Adversarial Tactics, Techniques, and Common Knowledge. A structured and standardized way to categorize and document the tactics and techniques used by cyber adversaries during different phases of a cyber attack, from initial access to data exfiltration.
PASTA and what is it
Process for Attack Simulation and Threat Analysis (risk centric threat modeling framework)
Steps of PASTA
Otters Travel Along The Vivid, Amazing River.
define Objectives,
define Technical scope,
Application decomposition,
Threat analysis,
Vulnerability and weakness analysis,
Attack modeling,
Risk and impact analysis
Persona Non Grata and what type of framework is it
Focuses on attackers' motivations and abilities (motivation/attacker centric)
DREAD and what type of framework is it
Assesses risk along dimensions and assigns a numerical score: damage potential, reproducibility, exploitability, affected users, discoverability (risk centric)
Attack Trees (root and leaves)
Diagrams that depict attacks on a system in tree form. The tree root is the goal for the attack, and the leaves are ways to achieve that goal.
DeWitt Clause
License provision preventing publication of software benchmarks. A common end-user license agreement provision for proprietary software that prevents anyone (such as researchers and scientists) from publishing information about the product (like benchmarks) that names the software unless its supplier approves it.
AI/ML Security Threats
Data leaks, inaccurate predictions, missed malicious activity, revealing sensitive information, performance degradation, denial of service
Information Extraction Requirements (IER)
Determining data science methods
Data Intelligence Requirements (DIR)
Determining data needed to fulfill IERs
Cyber Threat Indicator
Indicator of a cyber threat, such as unusual network traffic patterns or spikes in data usage, suspicious login attempts or failed login activity, or anomalous system or application behavior.
Reconnaissance
Involves researching potential targets, finding their vulnerabilities, discovering which third parties are connected to them (and what data they can access), and exploring existing entry points as well as finding new ones. Can take place both online and offline.
Weaponization
Attacker creates new types of malware or modifies existing tools to use in a cyberattack.
Delivery
The intruder launches the attack. The specific steps taken will depend on the type of attack they intend to carry out. For example, the attacker may send email attachments or a malicious link to spur user activity to advance the plan.
Exploitation
The malicious code is executed within the victim's system.
Installation
The malware or other attack vector will be installed on the victim's system. This is a turning point in the attack lifecycle, as the threat actor has entered the system and can now assume control.
Command & Control
Cybercriminals communicate with the malware they have installed on a target's network to instruct cyberweapons or tools to carry out their objectives.
Actions on Objectives
Do bad things, e.g. weaponizing a botnet to interrupt services with a Distributed Denial of Service (DDoS) attack, distributing malware to steal sensitive data from a target organization, and using ransomware as a cyber extortion tool.
Supervised Machine Learning
Makes predictions, regression, classification, (most common)
Unsupervised Machine Learning
Discovering previously unknown patterns in data, clustering → data widely available, implementation and verification tricky.
Reinforcement Learning
Optimization in complex but constrained tasks, still largely academic
Narrow AI (Hard)
An algorithm to carry out one particular task
General AI (Soft)
A machine that exhibits human intelligence (doesn't exist yet)
Statistics
Art and science of learning from data
Data Science
Refers to managing and analyzing large amounts of data
MISP Threat Sharing
An open-source threat intelligence platform
Kali Linux Metasploit
Open-source platform that supports vulnerability research, exploit development and penetration testing
STIX
(Structured Threat Information eXpression) is a standardized language developed by MITRE to represent structured information about cyber threats. Aims for consistency
TAXII
(Trusted Automated eXchange of Indicator Information) is a collection of services and message exchanges to enable the sharing of information about cyber threats. It is the transport vehicle for STIX structured threat information
Zeek
Sensor that interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output
VirusTotal
Threat analysis tool that aggregates many antivirus products and online scan engines, called Contributors.
DHS AIS
Automated Indicator Sharing through CISA. Enables real-time exchange of machine-readable cyber threat indicators and defensive measures between public and private-sector organizations
SBOM
Key building block in software security and software supply chain risk management. A structured list of all the software components and dependencies that are used in a particular software application or system
SPDX
Software Package Data eXchange is an open standard for communicating SBOM information
Define Objectives (PASTA)
Business objectives
Security and compliance requirements
Business impact analysis
Define Technical Scope (PASTA)
Boundaries of the technical environment
Infrastructure, software, application dependencies
Application Decomposition (PASTA)
Identify use cases, entry points, and trust levels
Identify actors, assets, services, roles, and data sources
Data flow diagramming and trust boundaries
Threat Analysis (PASTA)
Probabilistic attack scenarios analysis
Regression analytics on security events
Threat intelligence correlation and analytics
Vulnerability & Weakness Analysis (PASTA)
Queries of existing vulnerability reports and issues tracking
Threat to existing vulnerability mapping using threat trees
Design flaw analysis using use and abuse cases
Scoring (CVSS/CWSS) and Enumerations (CVE/CWE)
Attack Modeling (PASTA)
Attack surface analysis
Attack tree development, attack library management
Attack to vulnerability and exploit analysis using attack trees
Risk & Impact Analysis (PASTA)
Qualify and quantify business impact
Countermeasure identification and residual risk analysis
ID risk mitigation strategies
Intelligence Community Directive 203
High performing organizations use this as the foundation and guideline for applying analytic standards to their cyber intelligence analysis workflows. Such organizations will incorporate analytical standards into cyber intelligence analysis workflows, specifically when performing Strategic Analysis.
Environmental Context
Understanding your organization including its attack surface. Knowing the threats, risks, and opportunities targeting your organization
Threat Analysis
Assessing technical and non-technical data pertaining to specific threats to your organization to inform cybersecurity operations and strategic analysis
Strategic Analysis
Holistically assessing threats, risks, and opportunities to enhance executive decision-making
Data Gathering
Data and information are collected from multiple internal and external sources for analysts to analyze in order to answer organizational intelligence requirements
Reporting and Feedback
Communication between analysts and decision-makers, peers, and other intelligence consumers regarding their products and work performance. Reporting and feedback help identify intelligence requirements and intelligence gaps
Example Jobs for Fusion Center
Vulnerability assessment analyst, Cyber Defense Incident Responder, Threat Warning Analyst, Mission Assessment Specialist, Cyber Legal Advisor, Cyber Defense Forensics Analyst, All-Source Analyst, All-Source Collection Manager
Technical Cyber Intelligence KSAs
Computing (Networking fundamentals), Programming and Coding (Python, C++), AI/ML, Data Science, Big Data Analytics, Scripting, Cloud Analysis, Mobile, Malware Analysis
Non Technical Cyber Intelligence KSAs
Knowledge of threat actors, cross-domain intelligence analysis (critical thinking), communication skills and technical aptitude, privacy analysis, OSINT