How to Build Threat Intelligence into Your IDR Strategy: Webinar FAQ

Published at 2016-02-12 03:58:24

Thanks to everyone who joined our webinar on How to Build Threat Intelligence into your Incident Detection and Response Program. We got so many great questions during the session that we decided to follow up with a post answering them and addressing the trends and themes we continue to see around threat intelligence. TL;DR for those of you who don't have time to read all of the responses (we got a lot of questions):

- Threat intelligence is a process, not something you buy. That means you will have to put work in in order to get results.
- Threat intelligence works best when it is integrated across your security operations and is not viewed as a stand-alone function.
- Strategic, Operational, and Tactical threat intelligence (including technical indicators) are used differently and gathered using different methods.
Do you see threat intelligence as a proactive approach to cyber monitoring or just a better way of responding to cyber threats? If you see it as proactive, how, since the intelligence is based on events or TTPs that have already occurred?

A misconception about threat intelligence is that it is focused exclusively on alerting or monitoring. We talked about indicators of compromise and how to use them for detection and response, but there is a lot more to threat intelligence than IOCs. When threat intelligence is properly implemented in a security program it contributes to prevention, detection, and response. Understanding the high level, strategic threats facing your organization helps determine how to improve overall security posture. All intelligence must be based on facts (i.e. things that have already occurred or that we already know), but it is those facts that allow us to create models that can be used to identify trends and assess what controls should be put in place to prevent attacks. As prevention comes into alignment, it is important to maintain awareness of new threats by leveraging operational and tactical intelligence, and to take action to protect your organization before they are able to impact you.

I can see the usefulness of tactical, operational and technical intelligence. How would you be able to set up strategic intelligence?

Strategic Intelligence is intelligence that informs leadership or decision makers on the overarching threats to the organization or business. Think of this as informing high level decision making based on evidence: seeing the forest without being distracted by the trees. Information that contributes to strategic intelligence is gathered and analyzed over a longer period of time than other types of threat intelligence. The key to utilizing strategic intelligence is being able to apply it in the context of your own data and attack surface.
An example would be intelligence that financially motivated cyber criminals are targeting third party vendors in order to gain access to retail networks. This information could be used to assess whether a business would be vulnerable to this type of attack and to identify longer term changes that need to take place to reduce the risk, such as network segmentation, audits of existing third-party access, and development of policies to limit access.

What is the difference between Strategic and Operational Intelligence?

Strategic intelligence focuses on long term threats and their implications, while operational intelligence focuses on short term threats that may need to be mitigated immediately. Implementing strategic and operational intelligence often involves asking the same questions: who and why. With strategic intelligence you are evaluating the attackers, focusing on their tactics and motivations rather than geographical location, to determine how those threats may impact you in the future. With operational intelligence you are evaluating who is actually being targeted and how, so that you can determine whether you need to take any immediate actions in response to the threat.

What is positive control and why is it important?

Positive control is the aspirational state of a technical security program. This means that only authorized users and systems are on the network, and that accounts and information are accessed only by approved users. Before you start assessing your network to understand what "normal" looks like, take care to be sure that you are not including attacker activity in your baseline.

If you are being targeted by an identified entity, what should you do to build intelligence on possible attacks?

Active and overt attacks fall into the realm of operational intelligence. You can gather intelligence on these attacks from social media, blog posts, or alerts from places like US-CERT, ISACs, ISAOs, and other sharing groups.
Some questions you should be asking and answering as you gather information are:

- Who else is being targeted? Can we share information with them on this attack?
- How have the attackers operated in the past?
- What are we seeing now that can help us protect ourselves?

What is done in Tactical Monitoring?

Tactical Intelligence tends to focus on mechanisms, the "how" of what an attacker does. Do they tend to use a specific method to gain initial access? A specific tool or set of tools to escalate privilege and move laterally? What social engineering or reconnaissance activities do they typically engage in prior to an attack? Tactical intelligence is geared towards security personnel who are actively monitoring their environment, as well as gathering reports from employees who report unusual activities or social engineering attempts. Tactical Intelligence can also be used by hunters who are seeking to identify a behavior that may be a normal user behavior but is also a behavior used by an attacker to avoid detection. This type of intelligence requires more advanced resources, such as extensive logging, behavioral analytics, and endpoint visibility, and trained analysts. It also requires a security-conscious workforce, as some indicators may not be captured or flagged by logs without first being reported by an employee.

Can you point me to resources where to gather information regarding strategic, tactical and operational intelligence?

Before you start gathering information it is important to have a solid understanding of the different levels of threat intelligence.
CPNI released a whitepaper covering the four types of threat intelligence that we discussed on the webinar: https://www.cpni.gov.uk/Documents/Publications/2015/23-March-2015-MWR_Threat_Intelligence_whitepaper-2015.pdf
Or, if you are an intelligence purist and find that four types of threat intelligence is one type too many (or if you're just feeling rambunctious), you can refer to JP 2-0, Joint Intelligence, for an in-depth understanding of the levels of intelligence and their traditional application: http://www.dtic.mil/doctrine/new_pubs/jp2_0.pdf

Once you are ready, here are some places to look for specific types of intelligence:

- Strategic Intelligence can be gathered through open source trend reports such as the DBIR, DBIR industry snapshots, or other industry specific reports that are frequently released.
- Operational Intelligence is often time sensitive and can be gathered by monitoring social media and government alerts like US-CERT, or by coordinating with partners in your industry.
- Tactical Intelligence can be gathered using commercial or open sources, such as blogs, threat feeds, or analytic white papers. Tactical Intelligence should tell you how an actor operates and the tools and techniques that they use, and give you an idea of what activities you can monitor for on your own network. At this level understanding your users and how they normally behave is critical, because threat actors will try to imitate those same behaviors, and being able to identify a deviation, no matter how small, can be extremely meaningful.

What is open source threat intelligence?

Open Source Intelligence (OSINT) is the product of gathering and analyzing data gathered from publicly available sources: the open internet, social media, media, etc.
More here: https://en.wikipedia.org/wiki/Open-source_intelligence
For more information on the other types of intelligence collection disciplines: https://www.fbi.gov/about-us/intelligence/disciplines
Open source threat intelligence is OSINT that focuses specifically on threats. In many cases you will be able to gather OSINT but will still have to do the analysis of the potential impact of the threat on your organization.

What are ISACs and ISAOs? Where can I find a list of them?

Most private sector information sharing is conducted through Information Sharing and Analysis Centers, organized primarily by sector (usually critical infrastructure; a list is located here: http://www.isaccouncil.org/memberisacs.html). In the United States, under President Obama's Executive Order 13691, DHS was directed to improve information sharing between the US government's National Cybersecurity and Communications Integration Center (NCCIC) and the private sector. This executive order serves as the platform to include those outside the traditional critical infrastructure sectors: Information Sharing and Analysis Organizations.

What specific tools are used for threat intelligence?

This is a great question, and I think it underscores a big misunderstanding out there. Threat Intelligence is a process, not a product bought or a service retained. Any tool you use should help augment your processes. There are a few broad classifications of tools out there, including threat intelligence platforms and data analytics tools. The best way to find the right tools is to identify what problem you are trying to solve with threat intelligence, develop a manual process that works for you, and then look for tools that will help make that manual process easier or more efficient.
Can a solution or framework be tailored to support organizations at different levels of cyber security maturity and awareness, or is there a minimum requirement?

There *is* a certain level of awareness that is required to implement a threat intelligence program. Notice that we didn't say maturity: we feel that a program at any level can benefit from threat intelligence, but there is a lot that goes into an organization being ready to utilize it. At the very basic level an organization needs to understand what threat intelligence is and what it isn't, understand the problems that they are trying to solve with threat intel, and have a person or a team who is responsible for threat intel. An organization with this base level of understanding is far ahead of many others. When discussing the more technical implementations of threat intelligence, such as threat feeds or platforms, there are some barriers to entry. Aside from those situations, nearly any organization can work to better understand the threats facing them and how they should start to posture themselves to prevent or respond to those threats. Regardless of where you are, if you understand how threat intelligence works and start to implement it appropriately then you will be better off regardless of what else you are dealing with.

How do you stop an attacker once discovered? ACL, IPS, etc.?

Scoping the attack is the first step, which requires both investigation and forensics. The investigation team will identify various attributes used in the attack (tools, tactics, procedures), and then will go back and search the rest of your systems for those attributes. As systems get added, the recursive scoping loop continues until no new systems are added. Once scoping is done, there are a number of actions to be taken, and the complexity involved in deciding exactly what happens (and when) grows exponentially.

A short (and anything but comprehensive) list of considerations includes:

- Executive briefing and action plan signoff
- Estimate the business impact of the recovery actions to be executed
- Isolate compromised systems
- Lock or change passwords on all compromised accounts with key material in the scoped systems
- Patch and harden all systems in the organization against the vulnerability classes used by the attacker
- Identify exactly what data was impacted; consult with legal regarding regulatory or contractually required next steps
- Safely and securely restore impacted services to the business

Obviously there are a lot of variables at play here, and every incident is unique. This stuff is extremely hard; if it was easy, everyone would be doing it.
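The recursive scoping loop described above, worked through as an added example. This code is not from the post or from Rapid7: the host names, attribute kinds and artifact values are constructed sample data, and the prevalence threshold and benign allow-list are assumptions of the example, added to model the earlier advice about keeping baseline activity out of your indicators (an attribute that most of the fleet shares is baseline, not an indicator, and pivoting on it would pull the whole estate into scope).

```python
"""Recursive incident scoping over a fleet of hosts.

Added example, not code from the post. It models the scoping loop the FAQ
describes: harvest attributes (tools, artifacts, infrastructure) from the
hosts known to be compromised, search the rest of the fleet for them, pull
the matches into scope, harvest their attributes, and repeat until a pass
adds no new hosts.

It also handles the over-scoping failure mode: an attribute that most of the
fleet shares (a legitimate service account, a sanctioned admin tool) belongs
to the baseline, not to the attacker. Such attributes are dropped either by
an explicit allow-list or by a prevalence threshold (both assumed here; tune
them for your own fleet).

All host data below is constructed sample data, not real telemetry.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple


class Attribute(NamedTuple):
    kind: str   # e.g. "hash", "account", "c2", "tool", "task"
    value: str


# Constructed fleet: host name -> attributes observed on that host.
FLEET: Dict[str, Set[Attribute]] = {
    "ws-01": {Attribute("hash", "3f2a-placeholder"), Attribute("account", "svc_backup"),
              Attribute("c2", "198.51.100.7"), Attribute("tool", "psexec.exe")},
    "ws-02": {Attribute("account", "svc_backup"), Attribute("c2", "198.51.100.7"),
              Attribute("task", r"\Microsoft\Windows\UpdateSvc"), Attribute("tool", "psexec.exe")},
    "srv-03": {Attribute("account", "svc_backup"),
               Attribute("task", r"\Microsoft\Windows\UpdateSvc"),
               Attribute("hash", "9c1d-placeholder")},
    "srv-04": {Attribute("account", "svc_backup"), Attribute("tool", "psexec.exe")},
    "srv-05": {Attribute("account", "svc_backup"), Attribute("tool", "psexec.exe")},
    "dc-01": {Attribute("account", "svc_backup")},
}


def prevalence(attr: Attribute, fleet: Dict[str, Set[Attribute]]) -> float:
    """Fraction of the fleet on which this attribute is present."""
    return sum(attr in attrs for attrs in fleet.values()) / len(fleet)


class Round(NamedTuple):
    pivot_hosts: List[str]           # hosts whose attributes were harvested
    new_indicators: List[Attribute]  # attributes pivoted on in this pass
    newly_scoped: List[str]          # hosts matched by those attributes


def scope_incident(
    fleet: Dict[str, Set[Attribute]],
    seeds: Set[str],
    known_benign: FrozenSet[Attribute] = frozenset(),
    max_prevalence: float = 0.5,
) -> Tuple[Set[str], Set[Attribute], List[Round]]:
    """Return (hosts in scope, indicators used, per-round trace)."""
    scoped: Set[str] = set(seeds)
    indicators: Set[Attribute] = set()
    frontier: Set[str] = set(seeds)
    trace: List[Round] = []
    while frontier:
        # 1. Harvest attributes from the hosts added in the previous pass,
        #    skipping what we already pivoted on and what is baseline noise.
        new_attrs: Set[Attribute] = set()
        for host in frontier:
            for attr in fleet[host]:
                if attr in indicators or attr in known_benign:
                    continue
                if prevalence(attr, fleet) > max_prevalence:
                    continue  # too common across the fleet to be an indicator
                new_attrs.add(attr)
        indicators |= new_attrs
        # 2. Search the rest of the fleet for any of the new indicators.
        matches = {h for h, attrs in fleet.items()
                   if h not in scoped and attrs & new_attrs}
        trace.append(Round(sorted(frontier), sorted(new_attrs), sorted(matches)))
        # 3. Add the matches to scope and pivot from them on the next pass.
        scoped |= matches
        frontier = matches
    return scoped, indicators, trace


if __name__ == "__main__":
    benign = frozenset({Attribute("tool", "psexec.exe")})  # sanctioned admin tool
    in_scope, iocs, rounds = scope_incident(FLEET, {"ws-01"}, benign)
    for n, r in enumerate(rounds, 1):
        print(f"round {n}: pivot={r.pivot_hosts} new={r.new_indicators} added={r.newly_scoped}")
    print("in scope:", sorted(in_scope))
    # Without the baseline filter the shared service account pulls in every host:
    print("over-scoped:", sorted(scope_incident(FLEET, {"ws-01"}, max_prevalence=1.0)[0]))
```

Starting from the single confirmed host, the loop takes three passes: the C2 address pulls in ws-02, the scheduled task found on ws-02 pulls in srv-03, and the third pass adds nothing, so scoping stops with three hosts. The same run with the prevalence filter disabled pivots on the shared service account and declares all six hosts compromised, which is the over-scoping the baseline advice is meant to prevent.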
Call us if you need help.

When I find a system that has been compromised, can you tell me where it came from?

You're asking the right question here: getting a sense of the attacker's motivation and tactics is extremely valuable. Answering "who did this" and "where did they come from" is a lot more difficult than simply pointing at the source IP for the initial point of entry or command and control. Tactical Intelligence from the investigation will help answer these questions.

What should be the first step after knowing that the host has been compromised by a zero day attack?

Run around, scream and shout. In all seriousness, you won't start off with the knowledge of a zero-day being used to compromise an asset. Discovering that 0day was used in a compromise, by definition, means that an investigation was performed where the root cause identified at the point of infection was, in fact, 0day. At that point you will hopefully have gathered more information about the incident that you can then analyze to better understand the situation you are facing.

Source: rapid7.com
