Knowledge is one of the most powerful currencies. Some might even say it’s the ultimate currency. Knowledge of a situation leads to what reaction you will take. Imagine having knowledge that the stock market was going to crash before it happens verse reacting to the event with no knowledge that the event was going to occur. That little piece of information can make the difference between being extremely wealthy or bankrupted. A similar comparison can be applied to the world of cybersecurity. Having knowledge of a threat allows you to prepare a response rather than reacting to the impact of the threat, which at that point is too late. This is why threat intelligence has become and will continue to be a critical component of a successful security operation center (SOC).
Some common misconceptions about threat intelligence are it is a security product feed or update. Yes, that is a form of threat intelligence however, it is very limited. Vendors provide the same updates to any customer, which means updates are generic and not specific to each customer’s needs. Internal intelligence relates to customer vulnerabilities and threats but what about the gaps between the limited vendor generic data and threats happening outside of an organization’s network? That gap is essentially the target for acquiring external threat intelligence.
There are four different types of threat intelligence
Strategic – This category covers non-technical data typically used by decision-makers. Imagine executives in a board room speaking about the risk associated with moving a data center to a new country or the cloud. Non-technical intelligence can help understand current risks, the likelihood of encountering attacks, and other elements that would help with their decisions.
Tactical – Tactical intelligence covers what the industry calls tactics, techniques, and procedures “TTPs” used by threat actors. This data allows defenders to understand the potential threats so they can adapt their defense capabilities and strategies. An example would be details on a form of ransomware such as TelsaCrypt.
Operational – Tactical data is more general while operational intelligence is looking at specific campaigns. This allows an organization to gain awareness of rising threats and proactively prepare. An example of operational data would be monitoring Twitter regarding new adversaries and finding leads on a new threat group creating fake COVID19 support pages used to launch TelsaCrypt Ransomware. The Tactical intelligence would inform you about the ransomware however, context such as where the threat actors are based, details on the phishing being used and other specific context would be operational intelligence. Chatrooms, industry expert blogs, dark websites, chat rooms are all examples of potential resources for operational data.
Technical – Technical intelligence is specific indicators of compromise and malicious artifacts without any high-level context. These feeds are typically used to push into security tools to enhance detection and prevention capabilities. An example is adding a list of hashes that a security tool can use to block if a matching artifact is found.
The key to success is not only what intelligence is collected but how it is used. First, you need to validate the quality of the intelligence. If it’s free, it’s likely made up of open source feeds. Paid however, does not mean better. In general, you want to look for a few key elements.
- Accurate – How accurate are the results? If the data is prone to false positives or inaccurate data, it won’t be worth the investment
- Relevant – Are the threats likely to impact your organization? I always recommend to acquire threat feeds that are scoped to your industry to keep the data relevant. For example, if you are a school, you should look for education-based feeds. Yes, it may be valuable to know Walmart or a Bank has been attacked but it would be more relevant to know if other schools are being attacked.
- Timely – Using old data can be harmful for a few reasons. First, you will not be aware of current events and second, you will have a false sense of security that you are aware of current events when you really are not. Tactical threat intelligence tends to have a very limited shelf life since attackers are constantly changing their techniques.
- Unique – It’s great to have useful data but how much of that data is unique compared to what you already have? There is some value in seeing the same event more than once in regard to understanding trends and impact, however, if you are populating a security tool’s block list, overlapping hashes or IP addresses will just be dropped.
Best practice for kicking off of a threat intelligence project starts with picking actions or goals you want to achieve from the data. Doing so will allow you to have a way to measure the return on investment as well as be tactical about what type of feed you will need for your project. I find the most common reason for failure in threat intelligence projects is when organizations just add feeds for the sake of doing so. Tools such as SIEMs are based on logic, which custom reports and displays can break if the wrong data is introduced. The results can overwhelm analyst with alerts and force the need to re-engineer existing use-cases all leading to the SOC choosing to disable the threat intelligence.
Example Use Case with Twitter
Let’s walk through a threat intelligence project. For this example, our goal is to be alerted to upcoming threats before our security vendors are aware and providing their own updates. We decide to target Twitter being it is a popular social media platform and not only used for personal chatter but also used by security researchers, dumping spot for honey pots and bots that share recent indicators of compromise and threat detection rules. The challenge is identifying data of interest within all of the noise as well as obtaining the data in a format that could be processed within my SIEM. For this project, we will use a free open source scraper called Twint. This will allow me to search Twitter for keywords such as “0-day”, “CVE-“, CVE-2020-*”, and “bug bounty” and scrape data of interest such as hashtags. Hashtags can be stored in a CSV format so my SIEM can upload and apply them display widgets as well as they can be validated against various detection tools.
Why go through this effort using Twitter when other resources such as paid threat feeds could have similar data? Think of the speed of information released on a resource such as Twitter. If a new hash starts to appear in my SIEM, I could research it using Twint to pull in more details gaining a real-time view of the current state of that threat. Using this approach would keep your SOC aware of trending threat research allowing decisions to be made regarding a potential response before the threat makes big news, which is typically too late for many organizations that have already experienced a breach.