Establishing Threat Intelligence Requirements should be one of the first things organizations do when starting a Cyber Threat Intelligence (CTI) program. Requirements provide goals and objectives for CTI teams that, when met, equip stakeholders with the required knowledge that will enable teams to better protect and defend the organization from cyberattacks.
“We’re consuming a threat intelligence feed and searching for indicators of compromise across our network. What else should we be doing?”
The first thing many organizations do is consume a threat feed of indicators of compromise (IOCs) and sweep their environment for the presence of those IOCs. Common IOCs are domain names, IP addresses, URLs, and file hashes. While this is a good starting point for organizations, it does not answer the questions CTI stakeholders are asking, e.g., “Which threat actors are most likely to target our organization and why?”
“What are Threat Intelligence Requirements?”
Threat Intelligence Requirements are questions from stakeholders that when satisfied fill a gap in knowledge or understanding of threats to the organization. Requirements should:
- Ask a single question
- Focus on a single fact, event, or activity
- Support a single decision
Example: “Which threat actors are known to specifically target our industry?”
“Why are Threat Intelligence Requirements important?”
Effectively operationalizing CTI through Threat Intelligence Requirements prepares an organization to defend against its top threats and provides strategic guidance for the CTI team. These requirements are the primary goals and objectives the CTI team seeks to satisfy. When satisfied, stakeholders and teams across the organization gain insights into high-confidence threats. These insights are important because they inform and enrich:
Threat detection and prevention
- Preventative capabilities with additional information and context
- New detections based on recent threat intelligence gathered on threat actors of interest
- Trends across the threat landscape
- Detection coverage of common attacks
- Defensive capabilities against top threats to the organization
- Insights into current vulnerabilities so the team can determine risk and prioritize
- Information about threats to the organization
- Opportunities for investments that will have the highest impact on improving cybersecurity
- Priority cybersecurity investments and resources
- Operational objectives of teams across the organization
Case Study: How A Single Threat Intelligence Requirement Can Be Operationalized
The following is a high-level overview of how a single Threat Intelligence Requirement can inform and enable teams across an organization to operationalize CTI. This example also demonstrates the proactive nature of performing CTI work.
The organization used in this brief case study is fictitious; however, the threat intelligence is real. For brevity, information will be collected from a single report. In practice, information is collected and aggregated from multiple data sources.
During this brief case study, we’ll step through the six (6) phases of the CTI lifecycle: direction, collection, processing, analysis, dissemination, and evaluation.
Before continuing, it’s important to define ‘data’, ‘information’, ‘threat’, and ‘threat intelligence’.
Data is a piece or pieces of information. File hashes, IP addresses, and domain names are examples of data.
Information is knowledge about data. For example, the IP address 184.108.40.206 is being used as command and control by malware X.
A threat or adversary is the representation of the human behind the keyboard. Threats are determined by evaluating intent, opportunity, and capability. A threat is present when intent, opportunity, and capability overlap.
Threat Intelligence is the understanding or assessment of contextualized information concerning a threat or adversary. For example, we assess with high confidence that the adversary will likely target our systems for financial gain.
For more information on the relationship between data, information, and intelligence see the following SANS blog post by Robert M. Lee, https://www.sans.org/blog/data-information-and-intelligence-why-your-threat-feed-is-likely-not-threat-intelligence/
Background – Fictitious Organization Overview
A fictitious healthcare organization provides patient care services, medical education, and biomedical research.
Planning & Direction
The CTI team met with stakeholders across the organization and identified Threat Intelligence Requirements from the C-Suite, Legal, Human Resources, and Security Operations Center leadership team. One requirement shared across most teams is, “What are the top three ransomware threats to the organization?”
Answering this requirement requires ongoing research into threat actors and attacks against peer organizations.
The CTI team performed research on the following:
- Recent attacks on industry peers
- Current ransomware and malware trends
- Threat actor profiles
Based on evidence from multiple sources, the following threat actors were assessed with high confidence to be the top three (3) ransomware threats to healthcare organizations.
The next step is to perform research and identify tactics, techniques, and procedures (TTPs), IOCs, and any other useful information associated with the ransomware groups.
For this case study, we will use CISA Alert (AA21-265A) as our data source. In practice, a mature CTI program would include multiple sources of data. A CTI platform can be used to centrally store and aggregate data and information for further processing.
During this phase raw data is prepared for analysis. This includes storing, organizing, tagging, structuring, and aggregating data from multiple sources.
Processing data and information can be accomplished several ways. As an organization’s CTI program matures, so should its processing capabilities. For example, automation can be introduced to import data from different sources into a threat intelligence platform (TIP), apply appropriate tags, and export data for specific uses.
For this case study we’re using a single report that contains data, information, and intelligence. Processing the report will include:
- Organizing IOCs and TTPs in a spreadsheet
- Creating a MITRE navigator layer
- Drafting mitigations in a document
Analysis & Production
Analysts working at organizations with mature CTI programs should leverage multiple types of structured analysis techniques as part of their workflow, such as link analysis, temporal data analysis, trend analysis, analysis of competing hypotheses, and intrusion analysis (using the Diamond model).
Analysis is not required for this case study. However, there are several technical details, data, and information in the CISA Alert that should be pulled out, tagged, and stored for future analysis.
For example, initial access is often gained through malicious Word documents sent via email. The malicious documents contain embedded scripts that are used to download or drop other malware such as TrickBot, IcedID, and/or Cobalt Strike. The additional malware enables lateral movement and other capabilities with the goal of deploying Conti ransomware.
Data, information, and intelligence pulled from the CISA Alert include the following:
- Technical details about Conti including
- Conti’s ransomware-as-a-service (RaaS) model
- Initial access techniques
- Spear phishing campaigns that use malicious Word documents to download or drop other malware such as Trickbot, IcedID, and/or Cobalt Strike
- Stolen or weak Remote Desktop Protocol (RDP) credentials
- Software Trojans
- Other malware
- Vulnerabilities in externally facing assets
- Details about Conti’s execution phase
- Tool used to scan for and brute force specific network devices
- Kerberos attacks
- Data exfiltration
- Rclone command is used to exfiltrate data
- Double extortion is part of Conti’s operation
- IP addresses of command and control (C2) infrastructure
- Unique Cobalt Strike server IP addresses are used for each victim
- Additional resources
- Resources should be reviewed and included in the collection process
Dissemination & Integration
Threat intelligence that has been produced after collection, processing, and analysis needs to be distributed to the appropriate stakeholders. Before being distributed to stakeholders, analysts should consider the following:
- Who should receive the intelligence?
- How much detail should be included for each recipient?
- How urgent is the intelligence?
- What format does the intelligence need to be delivered in?
- Should the report include preventative and/or detection recommendations?
Different reports may need to be created for different audiences.
Operationalizing Cyber Threat Intelligence
IOC Sweeps (SOC)
IP addresses and domains should be shared with the SOC team, preferably through automation, so that searches can be performed across the organization’s environment.
Threat Hunts (Hunt Team)
TTPs and details around Conti’s execution phase can be used to create a Conti specific threat hunt. Threat hunts may need to be updated periodically when new information is made available. Additionally, information about the tools leveraged by Conti actors can be used to create detections and hypothesis-driven threat hunts. These activities should be prioritized accordingly.
Purple Teams (Red and Blue Teams)
TTPs can be used to create a MITRE ATT&CK Navigator heatmap. The heatmap will show which TTPs Conti actors are using. The heatmap can be used to communicate with non-technical teams and used to evaluate existing security controls.
This information should be used as part of a purple team to determine the efficacy of existing security controls and detections. Goals can be set and prioritized to ensure security controls and detections are in place to log, block, and neutralize the threat.
IOCs and TTPs should be shared with the forensics team for situational awareness. If something related to Conti should surface, the forensics team will be better prepared to respond during a Conti related investigation.
Vulnerability Scan (VM Team)
Vulnerabilities targeted by Conti actors should be reviewed by the VM team and a determination made as to whether the organization is affected or not. Scanning the organization’s external perimeter, internal network, and cloud environments for vulnerable devices can help identify potentially vulnerable devices.
Mitigations should be shared with and actioned by the appropriate teams, e.g., SOC, IT, Vulnerability Management, etc.
Briefs (Security Leadership)
A summary of the CISA Alert and actions taken by the various teams should be created and shared with the executive team. Keeping the executive team updated on the latest threats impacting the organization and how the actions taken by the various teams will satisfy their concerns is a critical step in the CTI lifecycle and should validate the organizations investments in cybersecurity. Sharing these details with the executive team will enable them to validate and prioritize investments. This also enables a data-based decision-making process.
CTI reports for the executive team may be their only view into CTI and security operations. CTI analysts must identify and understand the technical needs, requirements, and considerations of the executive team and map those to the organization’s mission. Reports should be meticulously created, edited, proofed, cross-examined, and held to the highest standard.
“Are there general Threat Intelligence Requirements we can use to get started?”
Yes! SRA’s Threat Intelligence Gathering & Research (TIGR) team has compiled a list of general Threat Intelligence Requirements that any organization can use as a starting point.
General Threat Intelligence Requirements
The general Threat Intelligence Requirements included below can be used by any organization as a starting point for developing their own requirements. General Threat Intelligence Requirements are intended to be used to generate discussion among the CTI team and the various stakeholders. Consider your organization’s mission and business objectives as you review the general Threat Intelligence Requirements provided below.
We organized these general Threat Intelligence Requirements into the following categories:
- Threat Actors
- Malware & Tools
- Tactics, Techniques, and Procedures
Cyber threat actors can be nation states, criminal groups, hacktivists, or individuals. Looking at patterns of activity attributed to a threat actor, an organization can prioritize the implementation of security controls.
CTI Requirement: Which threat actors are targeting our business sector?
- Nation States
- Criminal Actors
- Hacktivist Actors
Malware & Tools
Malware and tools are types of software used by threat actors when attacking an organization. Many threat actors use the same malware and tools but implement attacks in different and distinct ways.
CTI Requirement: Which malware and tools have threat actors used when targeting our business sector?
- Remote Access Trojans (RATs)
- Web Shells
Tactics, Techniques, and Procedures (TTPs)
TTPs represent actions and patterns used by an adversary. Tactics describe the high-level adversarial behavior, e.g., Initial Access. A technique is a detailed description of behavior in the context of a tactic, e.g., adversaries send phishing messages to gain access to a target’s computer. Procedures provide a low-level description in the context of a Technique. When establishing general Threat Intelligence Requirements, it is recommended to focus on Tactics and Techniques, as they are more generally applicable. The following Threat Intelligence Requirements align with the MITRE ATT&CK framework.
CTI Requirement: Which TTPs will threat actors most likely use when targeting our business sector?
- Initial Access
- Privilege Escalation
- Lateral Movement
- Command and Control
With Threat Intelligence Requirements established, CTI analysts have the goals and objectives they need to focus and guide their research. Stakeholders will gain valuable insights into their questions and concerns around the most impactful threats to the organization. Insights gained will enable teams to effectively action threat intelligence and better defend the organization against cyber-attacks.
Clay specializes in Cyber Threat Intelligence (CTI) and malware analysis. Clay has extensive experience with malware analysis, binary reverse engineering, Linux, Unix, Windows, software development, application security, digital forensics, incident response, and, most recently, malware development.
Clay is deeply involved in the cybersecurity community as both a leader and organizer of several security groups. Clay is a Director of Blue Team Village, which has been part of DEF CON and other security conferences since 2018. Clay also leads the Philadelphia DC215 security community and is one of the organizers of WOPR Summit, a hardware hacking conference.
Clay enjoys creating capture the flag exercises, training, and mentoring in the cybersecurity community. Clay works to develop cybersecurity training that is released to the public in the interest of developing new cybersecurity talent and training current practitioners.
Prior to Security Risk Advisors, Clay worked in higher education as a Security Engineer. Clay served as a subject matter expert on web application assessments and performed application security reviews.
Clay has presented at numerous conferences including REN-ISAC’s Security Professionals Conference, Blue Team Village at DEF CON, ShellCon, CactusCon, and various local cybersecurity groups.