In this blog post, we explore how organizations can use public threat intelligence sources such as AlienVault OTX, MITRE ATT&CK and others like them to enrich their data into actionable intel that helps thwart future attacks.
Demystifying threat intelligence
Cyber attacks are at an all-time high. We hear about DDoS attacks, phishing campaigns, malware campaigns, etc. daily. To protect against these, organizations implement multiple protection layers, combining firewalls, antivirus software, monitoring systems and many other available security solutions. These security measures do perform their jobs, but some gaps always remain — and that’s where threat intelligence (sometimes also called cyber threat intelligence or CTI) comes into play.
First things first, what is threat intelligence? In simple terms, threat intelligence is the collection of information and knowledge, private or public, regarding cyber attacks and associated threats. Now here’s the fun part: these knowledge bases are very thorough. They contain data like origin/destination IPs, malicious domains, file hashes, and a lot of other technical data. Alongside the technical data, threat intelligence also consists of more abstract information about these attacks: how an attacking group has moved in the past, which IOCs point to the APT behind an attack, what its next moves are likely to be, etc. This abstract information is called tactics, techniques, and procedures, or TTPs.
We sure threw some abbreviations around — you might be wondering what IOC, APT, TTP, etc. are. Let’s take a look at frequently used terms when talking about threat intelligence.
Explaining the jargon
Let’s break down a few terms you will encounter often while discussing threat intelligence. As we mentioned before, CTI is “cyber threat intelligence” (which is pretty self-explanatory), used as a collective term for all actionable threat data. Another term you might see being used is APT, or Advanced Persistent Threat. APTs are threat actors, or groups of threat actors, running cyber attack campaigns at a large scale. Most APTs are nation-states or state-sponsored to some extent. As a popular example, a whole unit of the PLA (China’s army), specifically PLA Unit 61398, is known as APT 1. Publicly available lists exist with extensive information about many APTs, although they are by no means exhaustive.
It’s time to get technical now! We mentioned “IOC” in the previous section. These are “indicators of compromise”: pieces of technical information observed during a previously encountered attack. If spotted within a system, they suggest with a high degree of certainty that an intrusion has taken place. Many kinds of IOCs exist: IP addresses, file hashes (MD5, SHA1, etc.), malicious domains, crypto wallets associated with known miners, phishing emails, etc.
Let’s take a practical example. Say that in an attack a few months back, traffic from the infected machine was seen towards the IP 22.214.171.124. This could be a beacon, data exfiltration, or anything else. Now say you find that same IP as the destination address in recent traffic logs. There is a good chance the machine is compromised, and you can now act on it. But there is a caveat with IOCs: they emerge _after_ the attack has occurred and can be bypassed easily by attackers. Bad actors can spin up new IPs, register new domains, or just change a variable in the source code of a binary, which results in completely new file hashes!
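The check described above, matching a known-bad IP (and, more generally, domains and file hashes) against recent logs, as an added example that is not code from the original post. The IOC set and the three log formats (a firewall connection log, a DNS query log and an EDR file event) are constructed for illustration; only the IP 22.214.171.124 comes from the text, and the SHA-256 value is simply the hash of the string "test".

```python
"""
Match known indicators of compromise (IOCs) against log lines.

Added example, not code from the original post. All indicator values
and log lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC set, keyed by indicator type. In practice these come from
# a CTI feed; here they are hard-coded so the example runs offline.
IOCS = {
    "ip": {"22.214.171.124"},
    "domain": {"update-check.example.net"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Constructed log formats:
#   firewall:  key=value pairs with src= and dst=
#   dns:       "DNS query <name> from <ip>"
#   edr:       "FILE sha256=<hash> path=<path>"
FW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")
DNS_RE = re.compile(r"DNS query (?P<name>\S+) from (?P<src>\S+)")
EDR_RE = re.compile(r"sha256=(?P<sha256>[0-9a-fA-F]{64})")


@dataclass(frozen=True)
class Hit:
    ioc_type: str
    value: str
    line: str


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def scan_line(line):
    """Return a Hit for every IOC observed in one log line."""
    hits = []
    m = FW_RE.search(line)
    if m:
        # Check both directions: a known-bad source (inbound scanning) is as
        # interesting as a known-bad destination (beaconing, exfiltration).
        for field in ("src", "dst"):
            ip = m.group(field)
            if _valid_ip(ip) and ip in IOCS["ip"]:
                hits.append(Hit("ip", ip, line))
    m = DNS_RE.search(line)
    if m:
        # Normalise case and the trailing dot before comparing domains.
        name = m.group("name").lower().rstrip(".")
        if name in IOCS["domain"]:
            hits.append(Hit("domain", name, line))
    m = EDR_RE.search(line)
    if m:
        # Hashes are compared in lower case regardless of how the sensor logs them.
        digest = m.group("sha256").lower()
        if digest in IOCS["sha256"]:
            hits.append(Hit("sha256", digest, line))
    return hits


def scan_logs(lines):
    hits = []
    for line in lines:
        hits.extend(scan_line(line))
    return hits


# Constructed sample log lines (198.51.100.7 is a documentation-range address).
SAMPLE_LOGS = [
    "2024-01-10T08:00:01Z fw allow src=10.0.0.15 dst=22.214.171.124 dport=443",
    "2024-01-10T08:00:02Z fw allow src=10.0.0.15 dst=198.51.100.7 dport=443",
    "2024-01-10T08:00:03Z DNS query Update-Check.example.net. from 10.0.0.15",
    "2024-01-10T08:00:04Z EDR FILE sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 path=C:\\Users\\a\\run.exe",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"[{hit.ioc_type}] {hit.value} <- {hit.line}")
```

The normalisation steps (lower-casing, stripping the trailing dot from DNS names) matter in practice: a SIEM rule that compares raw strings misses an indicator logged in a different case, which is one of the cheap evasions the caveat above refers to.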
Fig: The Pyramid of Pain, introduced by David Bianco in 2013, shows how much “pain” each type of indicator causes adversaries when defenders act on it.
That’s where TTPs come into play: tactics, techniques, and procedures (or TTPs) are abstract information about the way APTs carry out their attacks. In essence, TTPs reflect their modus operandi. Sometimes TTPs are considered a type of IOC (as shown in the Pyramid of Pain), and they are strongly guarded confidential information kept by security vendors like Mandiant, Recorded Future, etc.
TTPs are also considered better protective measures than IOCs: attackers can easily evade IOCs (as explained earlier), but to bypass TTPs they need a complete overhaul of their existing methodology, which, more often than not, is not feasible. For that reason TTPs are greatly sought after by attackers, who want insight into how much is known about their techniques. This was the case in the popular SolarWinds supply chain attack campaign, more than a year ago, where UNC2452 (the APT behind the attacks) made sure to get their hands on the TTPs collected about them when they breached FireEye.
If you have reached this point in the post, you should have a fair idea of what cyber threat intelligence is. This leads to the question: how can CTI be leveraged?
CTI in action
Leveraging cyber threat intelligence and deploying it for protective measures can prove crucial in the fight against cyber attacks. The majority of cyber attacks go undetected, but proper use of CTI just might prevent that.
Talking about threat intelligence is incomplete without bringing the MITRE Corporation into the conversation. The MITRE Corporation is a non-profit organization that helps companies all over the world fight cybercrime by providing a curated and collated collection of threat intelligence in the form of their ATT&CK framework. In their own words: “MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.”
The ATT&CK framework catalogues the many techniques that make up an attack, categorized by tactic and broken down into sub-techniques for more granularity. If you want to know which APT uses which specific tool to perform a certain action, ATT&CK will have your answer. Recently, MITRE also introduced the D3FEND framework and matrix, which is focused on defensive operations and highlights techniques that can be used to protect systems.
Other open-source players in CTI also exist, like AlienVault OTX, AbuseIPDB, ThreatMiner, and many more. These provide IOCs that have been confirmed as part of an attack or known malicious activity in the past. Plug these feeds into your on-site SIEM and SOAR tools, couple them with MITRE ATT&CK techniques to classify the threat intel generated within your organization, and you will end up with CTI put effectively to work, thwarting attacks!
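Feeding several open-source sources into one SIEM watchlist needs a normalisation step, because each feed names its fields and indicator types differently. The following is an added example, not code from the original post and not the record format of OTX, AbuseIPDB or any other real feed: the two feed records and their field names are constructed to show the merge. It deduplicates indicators across feeds, unions the ATT&CK technique tags each feed attached (T1071 Application Layer Protocol, T1041 Exfiltration Over C2 Channel and T1566 Phishing are real technique IDs; their assignment to these constructed records is illustrative), and drops indicators no feed has seen recently, which addresses the "IOCs emerge after the attack" caveat from earlier.

```python
"""
Merge indicators from several CTI feeds into one SIEM watchlist.

Added example, not code from the original post and not the format of any
real feed: both feeds below are constructed with made-up field names to show
the normalisation any ingestion pipeline needs.
"""
from datetime import datetime, timedelta, timezone

# Constructed feed A: one record per indicator, ATT&CK technique IDs in "tags".
FEED_A = [
    {"type": "IPv4", "indicator": "22.214.171.124", "seen": "2024-01-03",
     "tags": ["T1071"]},  # T1071: Application Layer Protocol (C2 traffic)
    {"type": "domain", "indicator": "Update-Check.example.net.", "seen": "2024-01-05",
     "tags": ["T1071"]},
    {"type": "FileHash-SHA256", "seen": "2023-06-01", "tags": [],
     "indicator": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"},
]
# Constructed feed B: different field names and type vocabulary, partly overlapping.
FEED_B = [
    {"kind": "ip", "ioc": "22.214.171.124", "first_seen": "2024-01-04",
     "attack": ["T1041"]},  # T1041: Exfiltration Over C2 Channel
    {"kind": "url", "ioc": "http://phish.example.org/login", "first_seen": "2024-01-06",
     "attack": ["T1566"]},  # T1566: Phishing
]

# Map each feed's type vocabulary onto the watchlist's own small set of types.
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "domain": "domain",
            "filehash-sha256": "sha256", "url": "url"}


def normalize(feed, type_key, value_key, date_key, tag_key):
    """Turn one feed's records into a common indicator shape."""
    out = []
    for rec in feed:
        ioc_type = TYPE_MAP.get(rec[type_key].lower())
        if ioc_type is None:
            continue  # unknown type: skip rather than poison the watchlist
        value = rec[value_key].strip()
        if ioc_type in ("domain", "sha256"):
            value = value.lower().rstrip(".")  # case and trailing dot must not split duplicates
        seen = datetime.strptime(rec[date_key], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        out.append({"type": ioc_type, "value": value, "seen": seen,
                    "techniques": set(rec.get(tag_key, []))})
    return out


def merge(*feeds, now, max_age_days=180):
    """Deduplicate indicators, union their ATT&CK tags, and expire stale ones."""
    watchlist = {}
    for feed in feeds:
        for ind in feed:
            key = (ind["type"], ind["value"])
            entry = watchlist.get(key)
            if entry is None:
                watchlist[key] = {**ind, "techniques": set(ind["techniques"]), "sources": 1}
            else:
                entry["techniques"] |= ind["techniques"]
                entry["seen"] = max(entry["seen"], ind["seen"])
                entry["sources"] += 1
    # An indicator no feed has reported within max_age_days is dropped; stale
    # IOCs mostly generate noise, since attackers rotate infrastructure.
    cutoff = now - timedelta(days=max_age_days)
    return {k: v for k, v in watchlist.items() if v["seen"] >= cutoff}


def build_watchlist(now=None):
    now = now or datetime.now(timezone.utc)
    a = normalize(FEED_A, "type", "indicator", "seen", "tags")
    b = normalize(FEED_B, "kind", "ioc", "first_seen", "attack")
    return merge(a, b, now=now)


if __name__ == "__main__":
    for (ioc_type, value), entry in build_watchlist().items():
        print(ioc_type, value, sorted(entry["techniques"]), f"sources={entry['sources']}")
```

The number of feeds corroborating an indicator (`sources`) and the union of technique tags are what a SIEM rule can use to prioritise: an IP reported by two feeds and tagged with both C2 and exfiltration techniques deserves a higher severity than a single-source hit with no context.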
There is no denying that security products do a great job in minimizing the risk from cyber attacks — but they are not enough. To further close the gaps in the security posture, it's also necessary to use a mixture of reactive (IOCs) and proactive (TTPs) cyber threat intelligence.
It’s also important to note that sharing threat intelligence information with the security community is a critical step in the process of collectively leveraging knowledge and experience to better understand threats.
Lastly, CTI is a very broad topic that goes beyond the scope of this blog article, but we hope that we made you curious enough to explore this extremely interesting field and use it for securing your assets.