Exploring Threat Intelligence and Threat Hunting Concepts

Threat Actors

  • Threat actors are individuals, groups, or organizations responsible for malicious activities.
  • Motivated by financial or political gain, or the desire to cause harm.
  • Understanding threat actors, their tactics, and methods is crucial for effective defense.

Threat Actor Types

Nation-State
  • Nation-states possess cybersecurity expertise and use cyber weapons for military and commercial objectives.
  • Mandiant's APT1 report significantly influenced the understanding of cyberattack lifecycles.
  • Nation-state actors target energy and electoral systems.
  • Goals are primarily espionage and strategic advantage, but can include financial gain (e.g., North Korean operations that steal funds and cryptocurrency to finance the state).
  • Each state might sponsor multiple groups with varying objectives and resources.
Organized Crime
  • Cybercrime surpasses physical crime in incidents and losses in many countries.
  • Organized crime operates across international jurisdictions, complicating prosecution.
  • Activities include financial fraud and blackmail.
Hacktivist
  • Hacktivist groups (e.g., Anonymous; WikiLeaks is often grouped with them as an outlet for leaked data) use cyberattacks to promote political agendas.
  • Tactics include data leaks, DoS attacks, and website defacement.
  • Targets include political, media, financial, environmental, and animal advocacy groups.
Insider Threat
  • Insider threats come from individuals with authorized access.
  • Subdivided into:
    • Insiders with permanent privileges (employees).
    • Insiders with temporary privileges (contractors, guests).
  • Insiders can be intentional or unintentional.
    • Intentional insiders: Aware of their actions with clear intent and goal.
    • Unintentional insiders: Cause damage through neglect or exploitation by external attackers (e.g., misconfiguration, phishing, Shadow IT).
Script Kiddie
  • Script kiddies use existing hacking tools without understanding their functionality or how to create new attacks.
  • Attacks might lack specific targets or reasonable goals beyond gaining attention.
  • Can still cause significant harm despite limited skills.

Advanced Persistent Threat (APT)

  • APT describes the behavior of advanced adversaries like nation-states and organized crime groups.
  • The term originally referred to the adversary group itself; it is now also applied loosely to the campaigns and tooling those groups use.
  • APT aids threat modeling.
  • Detection involves scanning for C&C software and unusual network activity, beyond basic virus/Trojan signatures.
  • A common characteristic is anti-forensics: adversaries delete logs and other evidence to hide their activity and prolong their access.
  • APTs target organizations that hold valuable data (intellectual property, PII, classified information), including governments and political figures.
  • Target governments for political objectives, election interference, and espionage.
  • APT groups are identified with unique identifiers and code names; different entities may use different names for the same group.
  • Focus on maintaining persistent access to networks and systems.
  • Use custom software development and stealth for their attacks.
  • Classified as notorious and harmful threats to organizations and governments.

Tactics, Techniques, and Procedures (TTPs)

  • TTPs describe how an adversary operates: tactics are the high-level goals (e.g., persistence, lateral movement), techniques are the methods used to reach them, and procedures are the specific implementations observed in practice.
  • Cybersecurity teams use TTPs to fingerprint adversaries' methods in cyberattacks.
  • Analysts deconstruct and document methods of known threat actor groups to create profiles.
  • Profiles help improve defensive capabilities by understanding attacker methods.
  • TTPs help security researchers associate attacks with known groups and establish relationships between threat actors.
  • Allows for prioritizing defenses against popular attack methods.
  • The MITRE ATT&CK Matrix illustrates specific actions to accomplish tactical objectives.
  • Examining the tactics in the ATT&CK Matrix helps track, identify, and counter adversary methods.
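As an added example (not from the original notes) of using TTPs to associate an intrusion with known groups, the script below scores an observed set of ATT&CK technique IDs against candidate actor profiles. The group names GROUP-A/B/C and their technique sets are constructed for illustration and are not real actor profiles; the technique IDs themselves are real ATT&CK identifiers. The weighting step is the part the bullets leave out: techniques that many groups share (spearphishing, PowerShell) carry less attribution weight than distinctive ones.

```python
"""Score observed ATT&CK techniques against candidate actor profiles.

Added example for these notes, not from the original page. GROUP-A/B/C and
their technique sets are constructed for illustration; the technique IDs are
real MITRE ATT&CK identifiers, but the profiles are NOT real actor profiles.
"""
import math

# Hypothetical actor profiles: the ATT&CK technique IDs each group is documented using.
PROFILES = {
    "GROUP-A": {"T1566.001", "T1059.001", "T1053.005", "T1021.002", "T1041"},
    "GROUP-B": {"T1566.001", "T1059.001", "T1047", "T1003.001", "T1071.001"},
    "GROUP-C": {"T1190", "T1505.003", "T1059.004", "T1105", "T1071.001"},
}


def technique_weights(profiles):
    """Inverse-frequency weight: a technique used by few groups is more distinctive.

    weight(t) = ln(1 + N / df(t)), where N is the number of profiles and df(t)
    the number of profiles that use t. Techniques seen in no profile are
    treated as unique (df = 1).
    """
    n = len(profiles)
    df = {}
    for techniques in profiles.values():
        for t in techniques:
            df[t] = df.get(t, 0) + 1
    return lambda t: math.log(1 + n / max(df.get(t, 0), 1))


def rank_actors(observed, profiles=PROFILES):
    """Weighted Jaccard similarity between the observed technique set and each profile.

    Returns [(group, score, shared_techniques)] sorted best match first.
    """
    weight = technique_weights(profiles)
    observed = set(observed)
    ranked = []
    for group, known in profiles.items():
        shared = observed & known
        union = observed | known
        denominator = sum(weight(t) for t in union) or 1.0   # guard against two empty sets
        score = sum(weight(t) for t in shared) / denominator
        ranked.append((group, round(score, 3), sorted(shared)))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    # Techniques reconstructed from a (constructed) intrusion: phishing attachment,
    # encoded PowerShell, scheduled-task persistence and SMB lateral movement.
    seen = {"T1566.001", "T1059.001", "T1053.005", "T1021.002"}
    for group, score, shared in rank_actors(seen):
        print(f"{group}: {score:.3f}  shared={shared}")
```

The output ranks GROUP-A well ahead of GROUP-B even though both share the two common techniques, because the scheduled-task and SMB techniques are unique to GROUP-A in this profile set. In practice the profiles come from the analyst's own documentation of known groups, and a high score is a lead to investigate, not proof of attribution.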

Open-Source Intelligence (OSINT)

  • Reconnaissance often precedes attacks.
  • Understanding reconnaissance techniques reveals how much information is unintentionally provided to threat groups.
  • Reconnaissance serves as a counterintelligence tool to profile adversaries.
  • Companies and employees publish vast amounts of information online.
  • Attackers use "cyber stalking" to gather information.
  • OSINT refers to publicly available information and tools for aggregating/searching it.

OSINT Uses for Attackers

  • Allows an attacker to develop compromise strategies such as:
    • Blackmail/entrapment via dating site information.
    • Compromised device entry via auction site information.
    • Facilitating break-ins, theft, or social engineering by knowing routines or locations.

OSINT Sources

Publicly Available Information
  • Information harvested from public repositories and web searches.
  • Includes IP addresses of DNS servers, address ranges, contact details, and physical addresses from Whois records and directories.
Social Media
  • Sites like Facebook and LinkedIn provide organizational information.
  • Posts and profiles may reveal sensitive data or serve as attack vectors.
HTML Code
  • HTML code can provide information such as IP addresses, web server names, OS versions, file paths, and developer/administrator names.
  • Layout and organization reveal development practices and security awareness.
Metadata
  • Metadata scans on publicly available documents using tools like FOCA reveal information.
  • Microsoft Office documents may expose author names and change history.
  • FOCA can cross-reference files to extract metadata from other domains.
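The following is an added example (not from the original notes and not FOCA's code) of the metadata harvest described above, written against the .docx format: a Word document is a ZIP archive whose docProps/core.xml and docProps/app.xml parts carry the author, last editor, revision count, company and Office version. The sample documents are built in memory by build_docx() so the script runs offline; the people, company and dates in them are constructed.

```python
"""Extract author/organization metadata from .docx files, the way FOCA does.

Added example, not from the original notes and not FOCA's code. The sample
documents are built in memory by build_docx() so the script runs offline;
the names, company and dates in them are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# XML namespaces used by the two OOXML metadata parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    "<dc:creator>{creator}</dc:creator>"
    "<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
    "<cp:revision>{revision}</cp:revision>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    "</cp:coreProperties>"
)
APP_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Properties xmlns="{ep}">'
    "<Application>{app}</Application><AppVersion>{version}</AppVersion>"
    "<Company>{company}</Company></Properties>"
)


def build_docx(creator, modified_by, company, revision="3", created="2023-11-02T14:21:00Z",
               app="Microsoft Office Word", version="16.0000"):
    """Return the bytes of a minimal (constructed) .docx containing only the metadata parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML.format(creator=creator, modified_by=modified_by,
                                                         revision=revision, created=created, **NS))
        z.writestr("docProps/app.xml", APP_XML.format(app=app, version=version, company=company, **NS))
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Pull the fields an attacker cares about: who wrote it, where, and with what software."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            meta["creator"] = core.findtext("dc:creator", namespaces=NS)
            meta["last_modified_by"] = core.findtext("cp:lastModifiedBy", namespaces=NS)
            meta["revision"] = core.findtext("cp:revision", namespaces=NS)
            meta["created"] = core.findtext("dcterms:created", namespaces=NS)
        if "docProps/app.xml" in names:          # some generators omit this part
            app = ET.fromstring(z.read("docProps/app.xml"))
            meta["application"] = app.findtext("ep:Application", namespaces=NS)
            meta["app_version"] = app.findtext("ep:AppVersion", namespaces=NS)
            meta["company"] = app.findtext("ep:Company", namespaces=NS)
    return meta


def harvest(documents):
    """Cross-reference many documents: which people and which software versions leak out."""
    people, software = Counter(), Counter()
    for doc in documents:
        m = extract_metadata(doc)
        for field in ("creator", "last_modified_by"):
            if m.get(field):
                people[m[field]] += 1
        if m.get("application"):
            software[f"{m['application']} {m.get('app_version', '')}".strip()] += 1
    return people, software


# Constructed sample set: two documents from one author, one from an IT account on old Office.
SAMPLE_DOCS = [
    build_docx("Jane Doe", "jdoe", "Example Corp"),
    build_docx("Jane Doe", "rsmith", "Example Corp", revision="12"),
    build_docx("Admin", "it-admin", "Example Corp", version="14.0000"),
]

if __name__ == "__main__":
    people, software = harvest(SAMPLE_DOCS)
    print("people:", dict(people))
    print("software:", dict(software))
```

Two things fall out of even this small set: the full name "Jane Doe" next to the login "jdoe" reveals the username convention, and the AppVersion 14.0000 (Office 2010) on one document suggests an unpatched workstation. Both are exactly the cross-referencing FOCA automates across every document a site publishes.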

Defensive OSINT

  • Intelligence gathering to identify threats proactively.
  • Helps create a strategy to minimize attack impact before it occurs.
  • Focuses on identifying potential attackers and their methods.

Defensive OSINT Sources

CERT
  • Computer Emergency Response Teams mitigate cybercrime and minimize damage.
  • Coordinate with law enforcement and other organizations.
  • Provide information on trending and observed attacks.
CSIRT
  • Computer Security Incident Response Teams respond to security incidents involving computer systems.
  • Include security professionals, administrators, legal representatives, and stakeholders.
  • Respond quickly and effectively to minimize impact.
Dark Web
  • Serves as an operating platform for cybercrimes.
  • Threat actors organize and sell stolen data, malware, drugs, and weapons.
  • Provides insight into threat actor activities, future attacks, and evidence of breaches.
Internal Sources
  • Evidence of threats, reconnaissance, and suspicious behavior exists within the protected environment.
  • Activity logs are a "goldmine" of information and must be continuously analyzed.

Proprietary/Closed-Source Intelligence Sources

  • Threat intelligence is data about threats that has been collected, analyzed, and placed in context so that it can be acted on.
  • Sources include open-source, human, and technical intelligence.
  • Categorized into strategic and operational types.

Types of Threat Intelligence

Strategic Threat Intelligence
  • Provides a high-level view of emerging trends, tactics, and techniques.
Operational Threat Intelligence
  • Offers granular details about specific threats like IOCs, malware analysis, and network forensics.
  • The ultimate goal of threat intelligence data is to provide actionable insights for better protection against threats.

Attributes of Threat Intelligence

  • Timeliness
  • Relevancy
  • Accuracy

Commercial Threat Intelligence

  • Threat intelligence is widely available as a commercial service.
  • Access to updates and research requires a subscription fee.
  • Some sources repackage public information, while others provide proprietary data.
  • Closed-source data comes from the provider's research and analysis (e.g., honeynets, anonymized customer data).

Commercial Providers

  • Many commercial providers offer platforms for processing and disseminating threat intelligence.
  • Some platform providers do not produce their own security feeds.
Examples
  • CrowdStrike Falcon Threat Intelligence
  • IBM X-Force Exchange
  • FireEye
  • Recorded Future

Threat Intelligence Sharing

  • Crucial for cyber defense teams and organizations.
  • Focuses on finding IOCs, tracking threat actors, documenting findings, and discussing strategies.
  • Leading cybersecurity vendors share information via the Cyber Threat Alliance (CTA).
  • Participating in industry groups that actively share threat information is critical.

Improving Threat Detection

  • Information sharing on an industry-wide scale decreases threat detection time.
  • Proactive sharing strengthens collective resilience and responsiveness.
  • Automated Indicator Sharing (AIS) enables the exchange of machine-readable cyber threat indicators and defensive measures.

AIS Ecosystem

  • Managed by the US Cybersecurity and Infrastructure Security Agency (CISA).
  • Participants share indicators and defensive measures against cyber threats.
  • Helps organizations fortify defenses and limit an adversary's use of specific attack methods.

Threat Hunting Concepts

  • Cyber threat hunters identify threats carried out by internal or external actors.
  • A threat hunt actively searches for malicious events and activities.
  • Threat hunt teams rely on close communication with threat intelligence groups so that confirmed findings can be mitigated swiftly.

Purpose of Threat Hunting

  • Analyze routine activities and network traffic to identify potential anomalies.
  • Detect malicious actions that could lead to a breach.
  • A systematic approach to identifying malicious cyber activities.
  • Subscribes to an "assume breach" mentality.
  • Aims to protect against advanced attacks, mitigate intrusions, and develop cyber resilience.

Threat Hunting Process

  • A primarily manual process where a threat hunter reviews information sources.
  • Uses skills and experience to identify potential threats.
  • Based on cyber threat intelligence, known attack techniques, and internal/external data.
  • Develops and validates assumptions about potential threats.

Focus on TTPs and IOCs

  • A threat hunter looks for evidence that an attacker who has already gained a foothold is moving laterally through the network.
  • Threat hunters focus on TTPs, Indicators of Compromise (IoCs), Indicators of Attack (IoAs), and threat information data.
  • Aims to identify threats, understand exploits, and reveal attacker activities.
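The hunting process and the TTP focus described above, as an added example that is not part of the original notes: a small hypothesis-driven hunt over endpoint telemetry that tags each hit with the ATT&CK technique it supports. The log lines are constructed JSON telemetry, not real logs; the technique IDs are real ATT&CK identifiers. It assumes hostnames beginning with WS- are workstations, so a workstation opening SMB to another workstation is treated as unusual. The brute-force rule is stateful, which is the part single-event signatures cannot do.

```python
"""Hypothesis-driven hunt over endpoint telemetry, tagging hits with ATT&CK technique IDs.

Added example for these notes, not from the original page. The log lines are
constructed JSON telemetry, not real logs; the technique IDs are real ATT&CK
identifiers. Assumption: hostnames beginning with WS- are workstations.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = r'''
{"ts":"2024-03-04T09:12:01Z","host":"WS-042","user":"jdoe","event":"process","image":"cmd.exe","cmdline":"cmd /c whoami"}
{"ts":"2024-03-04T09:12:07Z","host":"WS-042","user":"jdoe","event":"process","image":"powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"}
{"ts":"2024-03-04T09:13:10Z","host":"SRV-FILE01","user":"-","event":"logon_failed","src_ip":"10.0.0.42","target_user":"administrator"}
{"ts":"2024-03-04T09:13:15Z","host":"SRV-FILE01","user":"-","event":"logon_failed","src_ip":"10.0.0.42","target_user":"administrator"}
{"ts":"2024-03-04T09:13:20Z","host":"SRV-FILE01","user":"-","event":"logon_failed","src_ip":"10.0.0.42","target_user":"administrator"}
{"ts":"2024-03-04T09:13:25Z","host":"SRV-FILE01","user":"-","event":"logon_failed","src_ip":"10.0.0.42","target_user":"administrator"}
{"ts":"2024-03-04T09:13:30Z","host":"SRV-FILE01","user":"-","event":"logon_failed","src_ip":"10.0.0.42","target_user":"administrator"}
{"ts":"2024-03-04T09:13:40Z","host":"SRV-FILE01","user":"administrator","event":"logon_success","src_ip":"10.0.0.42","target_user":"administrator"}
{"ts":"2024-03-04T09:14:02Z","host":"WS-042","user":"jdoe","event":"network","dst_ip":"10.0.0.20","dst_port":445,"dst_host":"WS-017"}
{"ts":"2024-03-04T09:15:30Z","host":"SRV-FILE01","user":"administrator","event":"process","image":"schtasks.exe","cmdline":"schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc minute /mo 5"}
'''

# Technique ID -> (tactic, technique name), as listed in MITRE ATT&CK.
TECHNIQUES = {
    "T1059.001": ("Execution", "Command and Scripting Interpreter: PowerShell"),
    "T1053.005": ("Persistence", "Scheduled Task/Job: Scheduled Task"),
    "T1021.002": ("Lateral Movement", "Remote Services: SMB/Windows Admin Shares"),
    "T1110": ("Credential Access", "Brute Force"),
}


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def rule_encoded_powershell(ev):
    """Hypothesis: hidden-window or base64-encoded PowerShell is rarely legitimate on a workstation."""
    if ev.get("event") == "process" and ev.get("image", "").lower() == "powershell.exe":
        cl = ev.get("cmdline", "").lower()
        if any(flag in cl for flag in (" -enc", " -e ", "-encodedcommand", " hidden")):
            return "T1059.001"


def rule_schtask_create(ev):
    """Hypothesis: scheduled tasks pointing at user-writable paths are a persistence mechanism."""
    if ev.get("event") == "process" and ev.get("image", "").lower() == "schtasks.exe":
        if "/create" in ev.get("cmdline", "").lower():
            return "T1053.005"


def rule_workstation_smb(ev):
    """Hypothesis (assumption: WS-* are workstations): workstation-to-workstation SMB is abnormal."""
    if ev.get("event") == "network" and ev.get("dst_port") == 445:
        if ev.get("host", "").startswith("WS-") and ev.get("dst_host", "").startswith("WS-"):
            return "T1021.002"


STATELESS_RULES = [rule_encoded_powershell, rule_schtask_create, rule_workstation_smb]


class BruteForceTracker:
    """Stateful rule: N failed logons from one source within a window, followed by success."""

    def __init__(self, threshold=5, window=timedelta(minutes=5)):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(list)          # (host, src_ip) -> failure timestamps

    def observe(self, ev):
        key = (ev.get("host"), ev.get("src_ip"))
        ts = parse_ts(ev["ts"])
        if ev.get("event") == "logon_failed":
            self.failures[key].append(ts)
        elif ev.get("event") == "logon_success":
            recent = [t for t in self.failures[key] if ts - t <= self.window]
            self.failures[key] = []
            if len(recent) >= self.threshold:
                return "T1110"
        return None


def hunt(log_text):
    """Run every rule over each event; return findings in log order."""
    tracker = BruteForceTracker()
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        hits = [r(ev) for r in STATELESS_RULES] + [tracker.observe(ev)]
        for tid in filter(None, hits):
            tactic, name = TECHNIQUES[tid]
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev.get("user"),
                             "technique": tid, "tactic": tactic, "name": name,
                             "evidence": ev.get("cmdline") or ev.get("src_ip") or ev.get("dst_host")})
    return findings


def coverage(findings):
    """Which techniques were observed, for plotting on an ATT&CK matrix."""
    return Counter(f["technique"] for f in findings)


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']:<10} {f['technique']:<9} {f['tactic']:<17} {f['evidence']}")
```

Read in order, the findings already tell a story that matches the notes' description of lateral movement after initial access: encoded PowerShell on WS-042, a password-guessing burst against the file server that ends in success, SMB from the workstation to a peer, then a scheduled task on the server. The benign `whoami` is not flagged, and each finding carries a tactic so the result can be plotted on the ATT&CK matrix to see which stages of the intrusion the telemetry actually covers.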

Focus Areas

Misconfiguration Hunting
  • Searching for misconfigured systems, services, or applications.
  • Includes searching for weak passwords, open ports, or unpatched software.
Isolated Network Hunting
  • Searching for vulnerabilities in physical access points that could allow access to isolated networks.
Business-Critical Asset Hunting
  • Searching for vulnerabilities and threats that could impact these assets.
  • Includes unauthorized access attempts, unusual traffic patterns, or suspicious activity.
  • Includes monitoring of processes used to manage critical assets.

Indicators of Compromise (IoCs)

  • Cybersecurity analysts collect IoCs to identify, investigate, and mitigate threats.
  • IoCs suggest a security incident may have occurred.
  • Identifiable in system/application logs, network monitoring software, endpoint protection tools, and SIEM platforms.
  • Security teams can quickly identify and respond to security threats.

IoC Summary

  • Provide a summary of malicious actions.
  • Help identify the potential source of a security incident.
  • Inform a response plan by identifying systems, services, users, and accounts to isolate or monitor.
  • Help protect organizations from future threats.

IoC Validation

  • IoCs do not prove a successful attack.
  • Point to events, patterns, or sequences that may indicate trouble.
  • Analysts must validate each IoC to determine whether it is a false positive, warrants monitoring, or requires incident response.

IoC Analysis

  • Identified using digital forensics techniques, analyzing digital artifacts.
  • Artifacts include log files, memory dumps, network traffic, and file system information.
  • Used to generate threat intelligence data for future attack detection and prevention.

Example IoC Input

  • IOCs can be input into security tools like IDS or SIEM systems for real-time detection and response.
  • Digital forensic analysis may reveal vulnerabilities or misconfigurations that led to a breach.

IoC Details

  • Pieces of forensic data providing evidence of a potential intrusion.
  • Indicate a high likelihood of unauthorized access.
  • Help security analysts identify malicious actors early in the cyber kill chain.
  • Indicators of Attack (IoAs) differ in focus: they identify attacker behavior while an attack is in progress, whereas IoCs are evidence that a compromise has probably already occurred.

Common IoCs

  • Unusual network patterns, account behaviors, configuration changes, and unfamiliar new files.
  • Examples:
    • Unusual outbound network traffic.
    • Logins from unexpected geographic locations.
    • Suspicious privileged user account behavior.
    • Unusual changes in log files.
    • Command-and-control protocols.
    • Traffic to questionable URLs/IPs.
    • DDoS attacks.

IoC Provision

  • Frequently provided through intelligence reports and electronic data feeds.
  • Update security products like WAFs, EDR solutions, web proxies, and intrusion detection tools.
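An added example (not from the original notes, and not CISA's or any vendor's code) that serves both the AIS section and the IoC-feed bullets above: AIS and most commercial feeds deliver indicators as STIX 2.1 objects, each carrying a pattern such as `[ipv4-addr:value = '203.0.113.7']` plus a validity window. The script parses a small bundle, drops indicators whose `valid_until` has passed (the timeliness check the notes list as an attribute of good intelligence), matches the remaining patterns against local telemetry, and flattens them into per-type watchlists ready to load into a SIEM or IDS. The bundle, the events, the UUIDs and the hash are constructed; the addresses come from the documentation ranges. Only the simple comparison-and-OR subset of STIX patterns is handled.

```python
"""Load STIX 2.1 indicators (the format used by CISA's AIS feeds) and match them against local telemetry.

Added example, not from the original notes and not CISA or any vendor code. The
bundle and the events are constructed; addresses are from the documentation
ranges and the hash is a placeholder, not a real sample.
"""
import json
import re
from datetime import datetime, timezone

# One STIX comparison expression: [object-type:property = 'value']
COMPARISON = re.compile(r"\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]")

PLACEHOLDER_SHA256 = "0123456789abcdef" * 4       # constructed, not a real malware hash
NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)    # "current time" for the validity check

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--d4c1b4a0-5b6f-4c3e-9a2d-0f1e2d3c4b5a",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8e2e2d2b-17d8-4d73-9a4c-6a2d2f1d0c01",
         "created": "2024-01-10T00:00:00.000Z", "modified": "2024-01-10T00:00:00.000Z",
         "name": "C2 server (constructed)", "indicator_types": ["malicious-activity"],
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix",
         "valid_from": "2024-01-10T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--3f0c9c9e-2a4b-4e1f-8c7d-1b2a3c4d5e6f",
         "created": "2024-01-10T00:00:00.000Z", "modified": "2024-01-10T00:00:00.000Z",
         "name": "Staging domains (constructed)", "indicator_types": ["malicious-activity"],
         "pattern": "[domain-name:value = 'update-check.example'] OR [domain-name:value = 'cdn-sync.example']",
         "pattern_type": "stix", "valid_from": "2024-01-10T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--7a1b2c3d-4e5f-4a6b-8c9d-0e1f2a3b4c5d",
         "created": "2023-06-01T00:00:00.000Z", "modified": "2023-12-31T00:00:00.000Z",
         "name": "Dropper hash, retired (constructed)", "indicator_types": ["malicious-activity"],
         "pattern": f"[file:hashes.'SHA-256' = '{PLACEHOLDER_SHA256}']", "pattern_type": "stix",
         "valid_from": "2023-06-01T00:00:00Z", "valid_until": "2023-12-31T00:00:00Z"},
    ],
})

# Constructed local observations, already normalised to STIX object types.
SAMPLE_EVENTS = [
    {"type": "ipv4-addr", "value": "203.0.113.7", "source": "proxy.log", "host": "WS-042"},
    {"type": "ipv4-addr", "value": "198.51.100.20", "source": "proxy.log", "host": "WS-042"},
    {"type": "domain-name", "value": "cdn-sync.example", "source": "dns.log", "host": "WS-017"},
    {"type": "file", "hashes": {"SHA-256": PLACEHOLDER_SHA256}, "source": "edr.log", "host": "SRV-FILE01"},
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_pattern(pattern):
    """Turn a simple OR-joined STIX pattern into (object_type, property, value) clauses."""
    clauses = []
    for part in re.split(r"\s+OR\s+", pattern.strip()):
        m = COMPARISON.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported pattern: {part!r}")
        obj, prop, value = m.groups()
        clauses.append((obj, prop.replace("'", ""), value))   # hashes.'SHA-256' -> hashes.SHA-256
    return clauses


def lookup(event, prop):
    """Resolve a dotted property path such as hashes.SHA-256 inside an event dict."""
    node = event
    for key in prop.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def active_indicators(bundle_json, now):
    """Split a bundle into indicators still valid at `now` and ones that have expired or not yet started."""
    active, stale = [], []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        started = parse_ts(obj["valid_from"]) <= now
        expired = "valid_until" in obj and parse_ts(obj["valid_until"]) <= now
        (active if started and not expired else stale).append(obj)
    return active, stale


def match_events(bundle_json, events, now):
    """Return one hit per (indicator, event) pair whose clause matches."""
    active, _ = active_indicators(bundle_json, now)
    hits = []
    for ind in active:
        for obj_type, prop, value in parse_pattern(ind["pattern"]):
            for ev in events:
                if ev.get("type") == obj_type and lookup(ev, prop) == value:
                    hits.append({"indicator": ind["id"], "name": ind["name"], "event": ev})
    return hits


def watchlist(bundle_json, now):
    """Flatten active indicators into per-type value sets ready to load into a SIEM or IDS."""
    lists = {}
    active, _ = active_indicators(bundle_json, now)
    for ind in active:
        for obj_type, _prop, value in parse_pattern(ind["pattern"]):
            lists.setdefault(obj_type, set()).add(value)
    return lists


if __name__ == "__main__":
    for hit in match_events(SAMPLE_BUNDLE, SAMPLE_EVENTS, NOW):
        print(f"{hit['name']}: {hit['event']['host']} via {hit['event']['source']}")
    print("watchlist:", watchlist(SAMPLE_BUNDLE, NOW))
```

The expired hash indicator is deliberately left out of both the matches and the watchlist even though an EDR event carries that hash: loading retired indicators is how feeds generate the false positives the notes warn about. A hit here is still only an IoC; it goes to an analyst for the validation step, not straight to a block rule.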

Threat Hunting Techniques

  • Often require data provided by information-sharing platforms and incident responder field notes.
  • Sites like Uncoder.io translate detection rules written in a vendor-neutral format (e.g., Sigma) into the query languages of different SIEM and EDR products.
  • Such shared rules help an organization quickly search for IoCs when it learns that its industry or a specific asset type is being targeted.

Decoy Methods and Concepts

Active Defense

  • Using offensive actions to outmaneuver adversaries, making attacks harder to execute.
  • Seeks to increase the likelihood that hackers will make mistakes and expose their existence or methods.
  • Can stop attacks in progress while gaining a greater understanding of attacker methodology.

Honeypots

  • Redirect malicious traffic away from live production systems.
  • Provide early warning of ongoing attacks to assist defensive teams.
  • Collect intelligence on attackers and their techniques.
Research Honeypots
  • Focus on collecting information on observed attack methods and malicious activity on Internet-facing systems.
High-Interaction Honeypots
  • Leverage a complete operating system and are more challenging for expert attackers to spot.
Active Decoys
  • Draw attackers away from corporate assets using false information.
  • Reroute malicious traffic away from real assets and toward decoy systems.
  • Some leverage threat intelligence data to identify and respond to emerging threats.

Honeypot Supplement

  • Supplement threat-detection strategy; an additional security layer.
  • Help assess how a security team will react to a live cyberattack.
  • Do not depend on predefined attack signatures or threat intelligence: no legitimate user has any reason to touch a honeypot, so any interaction is suspect by definition.
  • Can be expensive to operate and maintain due to special knowledge requirements.
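As an added example for the honeypot material above (not from the original notes and not any honeypot product's code), the script below is a low-interaction TCP honeypot: it accepts a connection, presents a decoy SSH banner, records the first line the peer sends, and closes. It binds to loopback on an OS-chosen port so it can be exercised offline; demo() plays the role of a scanner that grabs the banner and tries a login. The banner string is a decoy value, not a real service. Note that there is no signature anywhere in the code: every recorded event is an alert because the listener has no legitimate clients, which is the property the last section describes.

```python
"""Low-interaction TCP honeypot: any connection is an alert, because no legitimate client should ever arrive.

Added example for these notes, not from the original page and not any honeypot
product's code. It binds to loopback on an OS-chosen port so it can be exercised
offline; the SSH banner string is a decoy value, not a real service.
"""
import socket
import threading
import time
from datetime import datetime, timezone

BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n"   # decoy banner: looks like sshd to a scanner


class TcpHoneypot:
    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 -> the OS picks a free port
        self.sock.listen(16)
        self.sock.settimeout(0.2)             # accept() wakes up regularly to check for stop()
        self.host, self.port = self.sock.getsockname()
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=5)
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self._handle(conn, peer)

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(BANNER)                   # talk first, as a real sshd would
                payload = self._read_line(conn)
            except OSError:
                payload = b""
        with self._lock:
            self.events.append({
                "ts": datetime.now(timezone.utc).isoformat(),
                "peer_ip": peer[0], "peer_port": peer[1],
                "payload": payload,                    # what the intruder sent: client banner, login attempt, ...
            })

    @staticmethod
    def _read_line(conn, limit=256):
        """Read up to one line or `limit` bytes; never block longer than the socket timeout."""
        buf = b""
        while len(buf) < limit and not buf.endswith(b"\n"):
            try:
                chunk = conn.recv(limit - len(buf))
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
        return buf

    def alerts(self):
        """Summarise contacts per source IP; every entry is an alert, no signature needed."""
        summary = {}
        with self._lock:
            for ev in self.events:
                s = summary.setdefault(ev["peer_ip"], {"connections": 0, "payloads": []})
                s["connections"] += 1
                if ev["payload"]:
                    s["payloads"].append(ev["payload"])
        return summary


def demo():
    """Start the honeypot, play a scanner that grabs the banner and tries a login, return what was recorded."""
    hp = TcpHoneypot().start()
    try:
        with socket.create_connection((hp.host, hp.port), timeout=2) as client:
            banner = client.recv(len(BANNER))
            client.sendall(b"root:toor\r\n")
        deadline = time.time() + 5
        while not hp.events and time.time() < deadline:   # wait for the handler thread to log it
            time.sleep(0.05)
        return banner, list(hp.events), hp.alerts()
    finally:
        hp.stop()


if __name__ == "__main__":
    banner, events, alerts = demo()
    print("banner sent:", banner)
    print("alerts:", alerts)
```

In a real deployment the listener would sit on an unused address in the production range and the events would be forwarded to the SIEM as high-confidence alerts; the operating cost the notes mention comes from keeping the decoy convincing (realistic banners, plausible hostnames, and, for high-interaction variants, a full OS that must itself be isolated and patched).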