Originally posted August 1, 2022 By ttheveii0x on Security Risk Advisors blog
UPDATED: January 24, 2023
Establishing Threat Intelligence Requirements should be one of the first things organizations do when starting a Cyber Threat Intelligence (CTI) program. It is also possible to establish CTI requirements for a CTI program that is already in place.
Threat intelligence requirements provide the goals and objectives for CTI teams. When met, CTI requirements provide stakeholders with the knowledge and insight required to enable cybersecurity teams to better protect and defend the organization from cyberattacks.
Let’s start by answering a few frequently asked questions. Next is a case study, “How A Single Threat Intelligence Requirement Can Be Operationalized”, that demonstrates how a single Threat Intelligence Requirement can be operationalized.
“What are Threat Intelligence Requirements?”
Threat Intelligence Requirements are questions from stakeholders that, when satisfied, fill a gap in knowledge or understanding of threats to the organization. Intelligence requirements should:
- Ask a single question
- Focus on a single fact, event, or activity
- Support a single decision
Example: “Which threat actors are known to target our industry?”
“Why are Threat Intelligence Requirements important?”
Effectively operationalizing CTI through Threat Intelligence Requirements prepares an organization to defend against its top threats and provides strategic guidance for the CTI team. These requirements are the primary goals and objectives the CTI team seeks to satisfy. When they are satisfied, stakeholders gain knowledge and insight into threats to their organization.
Insight into and knowledge of threats are critical because they inform and enrich the following (not an exhaustive list):
- Threat Detection and Prevention
  - New prevention capabilities with additional information and context
  - New detections based on threat intelligence
- Threat Hunts
  - New threat hunts based on cyberattacks the organization is experiencing
  - New threat hunts based on threat intelligence requirements
- Threat Emulation/Purple Teams
  - New purple team test cases based on threat intelligence requirements
  - New purple team test cases that verify new prevention and detection capabilities
- Risk Analysis
  - Trends across the threat landscape
  - Detection coverage of common attacks
  - Defensive capabilities against top threats to the organization
- Vulnerability Management
  - Insights into current vulnerabilities so the team can determine risk and prioritize tasks
  - Information about threats to the organization
- Organizational Decision-making
  - Opportunities for investments that will have the highest impact on defending against cyberattacks
  - Prioritization of organizational investments in cybersecurity projects and resources
  - Influence over the operational objectives of cybersecurity stakeholders across the organization
“We’re consuming a threat intelligence feed and searching for indicators of compromise across our network. What else should we be doing?”
The first thing many organizations do is consume a threat feed of indicators of compromise (IOCs) and sweep their environment for the presence of those IOCs. Common IOCs include domain names, IP addresses, URLs, and file hashes. While this is a good starting point, it does not answer the questions CTI stakeholders are asking, e.g., “Which threat actors are most likely to target our organization and why?”
Case Study: How A Single Threat Intelligence Requirement Can Be Operationalized
The following is a high-level overview of how a single Threat Intelligence Requirement can inform and enable teams across an organization to operationalize CTI. This example also demonstrates the proactive nature of performing CTI work.
The organization used in this brief case study is fictitious; however, the threat intelligence is real. For brevity, information will be collected from a single report. In practice, information is collected and aggregated from multiple data sources.
During this brief case study, we’ll step through the six (6) phases of the CTI lifecycle: direction, collection, processing, analysis, dissemination, and evaluation.
Before continuing, it’s important to define data, information, threat, and cyber threat intelligence.
Data is a piece or pieces of information. File hashes, IP addresses, and domain names are examples of data.
Information is knowledge about data. For example, the IP address 22.214.171.124 is being used as command and control by malware X.
A threat or adversary is the representation of the human behind the keyboard. Threats are determined by evaluating the intent, opportunity, and capability of potential adversaries. A threat is present when intent, opportunity, and capability overlap.
Cyber Threat Intelligence is the knowledge gained and the product produced and shared after collecting, processing, and analyzing data and information about threat actor motives, targets, and attack methodologies.
For more information on the relationship between data, information, and intelligence see the following SANS blog post by Robert M. Lee, https://www.sans.org/blog/data-information-and-intelligence-why-your-threat-feed-is-likely-not-threat-intelligence/
Background – Fictitious Organization Overview
A fictitious healthcare organization provides patient care services, medical education, and biomedical research.
Planning & Direction
The CTI team met with organizational stakeholders and identified Threat Intelligence Requirements from the C-Suite, Legal, Human Resources, and Security Operations Center leadership team. One requirement shared across most groups is, “What are the top three ransomware threats to the organization?”
Ongoing research into threat actors and cyberattacks against peer organizations is necessary to meet this requirement.
The CTI team performed research on the following:
- Recent cyberattacks on industry peers
- Current ransomware and malware trends
- Threat actor profiles
Based on evidence from multiple sources, the following threat actors were assessed with high confidence to be the top three (3) ransomware threats to healthcare organizations.
Collection
The next step is to collect data: perform research and identify tactics, techniques, and procedures (TTPs), IOCs, and any other useful information associated with the ransomware groups.
For this case study, we will use CISA Alert (AA21-265A) as our data source. In practice, a mature CTI program would include multiple sources of data. A CTI platform can be used to centrally store and aggregate data and information for further processing.
Processing
During the processing phase, raw data is prepared for analysis. This includes storing, organizing, tagging, structuring, and aggregating data from multiple sources.
Processing data and information can be accomplished several ways. As an organization’s CTI program matures, so should its processing capabilities. For example, automation can be introduced to import data from different sources into a threat intelligence platform (TIP), apply appropriate tags, and export data for specific uses.
For this case study we’re using a single report that contains data, information, and intelligence. Processing the report will include:
- Organizing IOCs and TTPs in a spreadsheet
- Creating a MITRE navigator layer
- Drafting mitigations in a document
Analysis & Production
Analysts working at organizations with mature CTI programs should leverage multiple types of structured analysis techniques as part of their workflow, such as link analysis, temporal data analysis, trend analysis, analysis of competing hypotheses, and intrusion analysis (using the Diamond model).
Analysis is not required for this case study. However, there are several technical details, data, and pieces of information in the CISA Alert that need to be pulled out, tagged, and stored for future analysis.
For example, initial access is often gained through malicious Word documents sent via email. The malicious documents contain embedded scripts used to download or drop other malware such as TrickBot, IcedID, and/or Cobalt Strike. The additional malware enables lateral movement and other capabilities intending to deploy Conti ransomware.
Data, information, and intelligence pulled from the CISA Alert include the following:
- Technical details about Conti, including:
  - Conti’s ransomware-as-a-service (RaaS) model
  - Initial access techniques
    - Spear phishing campaigns that use malicious Word documents to download or drop other malware such as TrickBot, IcedID, and/or Cobalt Strike
    - Stolen or weak Remote Desktop Protocol (RDP) credentials
    - Software Trojans
    - Other malware
    - Vulnerabilities in externally facing assets
  - Details about Conti’s execution phase
    - A tool used to scan for and brute-force specific network devices
    - Kerberos attacks
  - Data exfiltration
    - The Rclone command is used to exfiltrate data
    - Double extortion is part of Conti’s operation
  - IP addresses of command and control (C2) infrastructure
    - Unique Cobalt Strike server IP addresses are used for each victim
- Additional resources
  - Resources should be reviewed and included in the collection process
Dissemination & Integration
Threat intelligence that has been produced after collection, processing, and analysis needs to be distributed to the appropriate stakeholders. Before being distributed to stakeholders, analysts should consider the following:
- Who should receive the intelligence?
- How much detail should be included?
- How urgent is the intelligence?
- What format does the intelligence need to be delivered in?
- Should the report include prevention and/or detection recommendations?
Different reports may need to be created for different stakeholders.
Operationalizing Cyber Threat Intelligence
IOC Sweeps (SOC)
IP addresses and domains should be shared with the SOC team, preferably through automation, so that searches can be performed across the organization’s environment.
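The sweep described above, as an added example that is not code from the original post or from Security Risk Advisors: it loads the IOC spreadsheet produced in the processing step as CSV, refangs the indicators, and matches them as whole tokens against DNS, proxy and EDR log lines. Every indicator value, hash, host name and log line here is a constructed placeholder, not a value from the CISA Alert.

```python
import csv
import io
import re

# Constructed IOC spreadsheet in the CSV shape produced by the processing
# step (type,value,source,comment). Values are placeholders, not indicators
# from the CISA alert. Feeds often arrive "defanged" (hxxp, [.]); the
# loader normalizes them to match what logs actually contain.
IOC_CSV = """type,value,source,comment
ip,203.0.113.10,AA21-265A,C2 server (placeholder value)
domain,c2-staging[.]invalid,AA21-265A,Malware staging domain (placeholder value)
sha256,00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff,AA21-265A,Dropper (placeholder hash)
"""

# Constructed DNS, proxy and EDR log lines to sweep.
LOG_LINES = [
    "2023-01-24T10:01:02Z dns client=10.0.5.21 query=c2-staging.invalid type=A",
    "2023-01-24T10:01:03Z proxy client=10.0.5.21 dst=203.0.113.10:443 bytes=88210",
    "2023-01-24T10:02:11Z proxy client=10.0.7.9 dst=203.0.113.100:443 bytes=1024",
    "2023-01-24T10:03:45Z edr host=WS-0421 file=invoice.doc "
    "sha256=00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF",
]

TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")

def refang(value):
    """Undo common defanging so the IOC matches live log data."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def load_iocs(csv_text):
    """Parse the IOC spreadsheet into a dict keyed by normalized value."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {refang(row["value"]): {"type": row["type"].strip().lower(),
                                    "source": row["source"], "comment": row["comment"]}
            for row in reader}

def sweep(iocs, log_lines):
    """Return every (line number, IOC) hit, matching IOCs against whole tokens."""
    # Whole-token matching, not substring search, keeps 203.0.113.10 from
    # firing on 203.0.113.100: a classic source of sweep false positives.
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for token in TOKEN_RE.findall(line):
            ioc = iocs.get(token.lower())
            if ioc is not None:
                hits.append({"line": lineno, "type": ioc["type"],
                             "value": token.lower(), "source": ioc["source"]})
    return hits

if __name__ == "__main__":
    for hit in sweep(load_iocs(IOC_CSV), LOG_LINES):
        print(f"line {hit['line']}: {hit['type']} {hit['value']} ({hit['source']})")
```

Each hit carries the source report, so the SOC can trace a match back to the requirement and alert it came from when triaging.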
Threat Hunts (Hunt Team)
TTPs and details around Conti’s execution phase can be used to create a Conti-specific threat hunt. Threat hunts may need to be updated periodically when new information is available. Additionally, information about the tools leveraged by Conti threat actors can be used to create detections and hypothesis-driven threat hunts. These activities should be prioritized accordingly.
Purple Teams (Red and Blue Teams)
TTPs can be used to create a MITRE ATT&CK Navigator heatmap. The heatmap will show which TTPs Conti threat actors are using. The heatmap can be used to communicate with non-technical teams and used to evaluate existing security controls.
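As an added example (not code from the original post or from Security Risk Advisors), the following Python builds the MITRE ATT&CK Navigator layer named in the processing step and used here as the heatmap, and lists the techniques the purple team has not yet validated. The pairing of the alert's bullet points with technique IDs, the set of already validated techniques, and the Navigator/ATT&CK version strings are this example's own assumptions.

```python
import json

# Illustrative mapping of the Conti behaviours pulled from the alert (the
# processing bullets above) to ATT&CK technique IDs. The IDs are real ATT&CK
# identifiers; pairing them with each bullet is this example's assumption,
# not a table copied from the CISA alert.
CONTI_TTPS = [
    ("T1566.001", "initial-access", "Spear phishing with malicious Word attachments"),
    ("T1078", "initial-access", "Stolen or weak RDP credentials"),
    ("T1190", "initial-access", "Vulnerabilities in externally facing assets"),
    ("T1558.003", "credential-access", "Kerberos attacks (Kerberoasting)"),
    ("T1071.001", "command-and-control", "Cobalt Strike C2 over HTTP(S)"),
    ("T1567.002", "exfiltration", "Rclone exfiltration to cloud storage"),
    ("T1486", "impact", "Conti ransomware deployment"),
]


def build_navigator_layer(name, ttps, attack_version="12"):
    """Build an ATT&CK Navigator layer (layer format 4.4) as a plain dict."""
    # Version strings are assumptions; set them to the Navigator/ATT&CK
    # release you actually run before importing the JSON.
    techniques = [
        {"techniqueID": tid, "tactic": tactic, "score": 1, "color": "#ff6666",
         "comment": comment, "enabled": True, "showSubtechniques": True}
        for tid, tactic, comment in ttps
    ]
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.8.1", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Techniques observed in Conti intrusions; heatmap for control review",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
        "legendItems": [{"label": "Observed Conti TTP", "color": "#ff6666"}],
    }


def detection_gaps(ttps, validated_ids):
    """Return (technique, why) for TTPs the purple team has not yet validated."""
    # validated_ids: technique IDs with a tested detection or control (constructed input)
    return [(tid, why) for tid, _tactic, why in ttps if tid not in validated_ids]


if __name__ == "__main__":
    layer = build_navigator_layer("Conti (AA21-265A)", CONTI_TTPS)
    print(json.dumps(layer, indent=2))  # save as .json and import into Navigator
    for tid, why in detection_gaps(CONTI_TTPS, {"T1566.001", "T1486"}):
        print("purple team backlog:", tid, why)
```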
This information should be used as part of a purple team to determine the efficacy of security controls and detections. Goals can be set and prioritized to ensure security controls and detections are in place to log, block, and neutralize the threat.
A Purple Team campaign based on Conti data can be loaded into VECTR™ and conducted to track progress against the threat.
Forensics (Forensics Team)
IOCs and TTPs should be shared with the forensics team for situational awareness. If something related to Conti should surface, the forensics team will be better prepared to respond during a Conti-related investigation.
Vulnerability Scan (VM Team)
The VM team should review the vulnerabilities targeted by Conti threat actors and determine whether the organization is affected. Scanning the organization’s external perimeter, internal network, and cloud environments can help identify potentially vulnerable devices.
Mitigations should be shared with and actioned by the appropriate teams, e.g., SOC, IT, Vulnerability Management, etc.
Briefs (Security Leadership)
A summary of the CISA Alert and the actions taken by the various teams should be created and shared with the executive team. Keeping the executive team updated on the latest threats impacting the organization, and on how the actions taken by the various teams address their concerns, is a critical step in the CTI lifecycle and should validate the organization’s investments in cybersecurity. Sharing these details enables the executive team to validate and prioritize investments, supporting a data-based decision-making process.
CTI reports for the executive team may be their only view into CTI and security operations. CTI analysts must identify and understand the executive team’s technical needs, requirements, and considerations and map those to the organization’s mission. Reports should be meticulously created, edited, proofed, cross-examined, and held to the highest standard.
“Are there general Threat Intelligence Requirements we can use to get started?”
Yes! Any organization can use the list of general threat intelligence requirements below as a starting point.
General Threat Intelligence Requirements
The general Threat Intelligence Requirements included below can be used by any organization as a starting point for developing their requirements. Use these Threat Intelligence Requirements to generate discussion among the CTI team and the various stakeholders. Consider your organization’s mission and business objectives as you review the general Threat Intelligence Requirements provided below.
I organized the Threat Intelligence Requirements into the following categories:
- Threat Actors
- Malware & Tools
- Tactics, Techniques, and Procedures
Threat Actors
Cyber threat actors can be nation states, criminal groups, hacktivists, or individuals. Looking at patterns of activity attributed to a threat actor, an organization can prioritize the implementation of security controls.
CTI Requirement: Which threat actors are targeting our business sector?
- Nation States
- Criminal Actors
- Hacktivist Actors
Malware & Tools
Malware and tools are types of software used by threat actors when attacking an organization. Many threat actors use the same malware and tools but implement attacks in different and distinct ways.
CTI Requirement: Which malware and tools have threat actors used when targeting our business sector?
- Remote Access Trojans (RATs)
- Web Shells
Tactics, Techniques, and Procedures (TTPs)
TTPs represent actions and patterns used by an adversary. Tactics describe the high-level adversarial behavior, e.g., Initial Access. A technique is a detailed description of behavior in the context of a tactic, e.g., adversaries send phishing messages to gain access to a target’s computer. Procedures provide a low-level description in the context of a Technique. When establishing Threat Intelligence Requirements, I recommend focusing on tactics and techniques, as they are more generally applicable. The following Threat Intelligence Requirements align with the MITRE ATT&CK framework.
CTI Requirement: Which TTPs will threat actors most likely use when targeting our business sector?
- Initial Access
- Privilege Escalation
- Lateral Movement
- Command and Control
With Threat Intelligence Requirements established, CTI analysts have the goals and objectives they need to focus on and guide their research. Stakeholders will gain valuable insights into their questions and concerns around the most impactful threats to their organization. Insights gained will enable teams to effectively action threat intelligence and better defend the organization against cyberattacks.