BLOG@CACM
Computing Profession

The Key to Successful Threat Intelligence

Posted

Imagine that you are at your workplace, turn on your computer and realize that your company's website is down, the cargo is stuck at the customs and cannot reach the warehouse. To add insult to injury, the accountant approaches you, saying that some of your organization's funds have been withdrawn and employees' personal data has been spilled all over the Internet. At this point, you get it – you fell victim to a data breach.

You could avoid this if you used a threat intelligence (TI) system. Let us figure out how TI works and protects.

Threat intelligence is intended to collect and analyze information on relevant threats in order to predict and prevent possible cyber-attacks. It includes the following stages: collecting threat data from diverse sources, enriching and analyzing this data, and then using the obtained knowledge.

Data collection

The following tools and techniques facilitate the process of harvesting threat information:

Crawlers – automated systems that scour various online sources for data about known threats.

Sandbox – an isolated environment allowing you to safely execute suspicious code in order to identify and analyze malicious software.

Botnet monitoring – keeping track of computer networks supervised by  perpetrators' Command & Control servers.

Honeypot – a network fragment segregated from the organization's IT infrastructure that serves as bait for the attacker.

Sensors – agent programs that harvest valuable data from corporate devices.

Open-source intelligence (OSINT) provides additional feeds that span the following types of information:

  • • IP addresses and URLs that are known to distribute harmful files.
  • • Samples and hashes of malicious files.
  • • The lists of phishing sites.
  • • Email addresses involved in phishing campaigns.
  • • The activity of C&C servers.
  • • URLs used for scanning networks in order to identify system versions and vulnerabilities.
  • • IP addresses associated with brute-force attacks.
  • • Signatures for detecting malicious software.

CERT analytic centers and independent researchers' blogs also can provide helpful information. These sources can give you the lowdown on existing vulnerabilities, the appropriate detection rules, and the investigation workflows. 

The system can also be augmented with information on past data breaches and sensitive details that ended up on the Internet illegally. These can include account credentials for systems and services, email addresses, credit card details, passwords, etc.

The threat intelligence system can also be supplemented with data on vulnerabilities and attack vectors recently discovered by partners, vendors, and contractors.

The TI solution additionally harvests data from information security systems, such as traffic analysis tools, logs, file history data, antimalware suites, IDS/IPS, Web application firewalls, etc.

The entire harvested data is accumulated within a single platform that allows for enriching, analyzing, and using threat information.

TI data enrichment

The information collected on specific threats is augmented with contextual details. Data enrichment is an important milestone here. It denotes a process of retrieving additional technical attributes for known attacks, including:

  • • URLs
  • • IP addresses
  • • Domain names
  • • Whois information
  • • DNS records
  • • GeoIP, that is, geographic details of an IP address
  • • Samples and hashes of malicious files
  • • Statistical and behavioral information, such as the Tactics, Techniques, and Procedures (TTP) used by attackers

Analysis

During the analysis phase, the system combines events and attributes related to an attack using the following properties: territory, timeframe, targeted industry, criminal group, etc. The threat intelligence solution performs a correlation of different events.

To process the feeds, it is necessary to select their source depending on the targeted sector's specificity, the types of attacks relevant for the specific company, as well as the attributes and IOCs (indicators of compromise) that bridge the gap in addressing the risks unattended by the rules of the protection system. The next stage is to determine the feeds' value and prioritize them based on the following criteria:

  • • The feed's data source — chances are that the source is an aggregator of OSINT data and thus does not provide any analytics of its own.
  • • Relevance and "freshness" of the information being processed. The time that elapsed from the moment of attack discovery is vital. Data should be as fresh as possible. The source should provide feeds frequently enough to ensure the relevance of threat data.
  • • Uniqueness — the amount of data not available in other feeds, as well as the scope of original analytics provided by the feed.
  • • Occurrence in other sources. At first sight, it may seem that an attribute or IOC is more trustworthy if it is encountered in feeds from several sources. In fact, some feeds may harvest data from the same source, whose information may be unverified.
  • • Completeness of the context — how well the information has been sorted, whether there are indications of the attack goals, economy sector, criminal group, instruments used, attack duration, etc.
  • • Quality (false positives ratio) of the rules for information security systems based on feed data.
  • • Data usefulness — applicability of the feed's data for incident investigation.
  • • Format of data presentation. The convenience of processing data and uploading it to the platform is also taken into account. The questions to be answered: Does the threat intelligence platform of choice support the required formats, and whether or not some data is lost along the way.

The following instruments can be used to classify feed data:

  • • Tags
  • • Taxonomies – the set of libraries categorized by attack deployment processes, threat distribution, information exchange, etc. For example, ENISA, CSSA, VERIS, Diamond Model, Kill Chain, CIRCL, and MISP have taxonomies of their own
  • • Clustering – the set of libraries classified by static indicators of threats and attacks. Some examples include the economy sectors being targeted; the instruments and exploits being leveraged; Tactics, Techniques and Procedures for infiltration, exploitation, and persistence in the system based on the ATT&CK Matrix

Analysts uncover the attackers' TTP characteristics, overlay data and events upon the system intrusion model, and build chains of attack deployment. It is important to form a general view of the compromise, considering the overall architecture of the system being protected ,as well as the ties between components. It is also worth taking into account the probability of a more complex attack, one that will affect most hosts and exploit several vulnerabilities at a time.

Using the results of the analysis 

Prediction is the essential task to perform based on the conducted analysis. The TI system determines the most likely attack vectors given the industry peculiarities, geolocation, timeframe, offensive tools, and degree of severity. The discovered threats are subject to prioritization depending on the potential damage.

Threat intelligence data helps detect leaks of the organization's proprietary information that may have ended up on the Internet. It also allows for managing risks to the brand emanating from discussions of attack plans on darknet forums, illicit use of the brand name for phishing campaigns, disclosure of trade secrets, and the abuse thereof by competitors.

The aggregated knowledgebase can be applied to create attack detection rules for information security systems and conduct incident response and investigation within the SOC (Security Operations Center).

Security experts should regularly review the threat model and reassess the risks based on new circumstances.

Summary

Such a multilayered approach will allow you to thwart breaches at their early stage when the adversaries are only attempting to infiltrate the information system. The TI platform can also help your enterprise comply with security regulations. Overall, taking advantage of cyber intelligence professionals' experience in harvesting, processing, and applying threat data allows IT security departments to take their companies' data protection mechanisms to a new level.

 

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis and strong malware removal skills.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More