What is threat intelligence?
Threat intelligence is evidence-based knowledge about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
Threat intelligence introduction
Cyber threat intelligence is a subset of intelligence focused on information security. This curated information is intended to help you make better decisions about how to defend yourself and your business from cyber-based threats. Some of the questions threat intelligence can answer include:
"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."
Types of threat intelligence
Cyber threat intelligence is generally categorized by three different types:
Utilizing each type of intelligence is important because they serve different functions. Analysts leveraging the sum knowledge of these three types of intelligence are better able to determine what security solutions to use, how they should be leveraged, and how to proactively and reactively respond to threats.
Why?
Tactical threat intelligence
Tactical threat intelligence is the most basic form of threat intelligence. These are your common indicators of compromise (IOCs). Tactical intelligence is often used for machine-to-machine detection of threats and for incident responders to search for specific artifacts in enterprise networks.
Using tactical threat intelligence
Tactical threat intelligence and IOCs are meant to historically document cyber attacks, serving both as a corpus of evidence (for compliance, law enforcement, investigations, legal purposes, etc.) and also as reference material for analysts to interpret and extract context for use in defensive operations.
IOCs are provided to analysts to serve as examples of a particular threat, such as a malware sample, malware family, intrusion campaign, or threat actor. Analysts can enrich alerts from security solutions with tactical threat intelligence to provide more context and determine which threats are worth worrying about and which can safely be ignored.
Tactical threat intelligence for APT29
Tactical threat intelligence for education sector
Operational threat intelligence
Operational threat intelligence provides insight into actor methodologies and exposes potential risks. It fuels more meaningful detection, incident response, and hunting programs. Where tactical threat intelligence gives analysts context on threats that are already known, operational intelligence brings investigations closer to uncovering completely new threats.
This kind of intelligence is most frequently used by forensic investigators and incident responders, and typically includes the following types of items:
Consider the following from an incident response perspective: If you are responding to an intrusion event, you may wonder how a particular actor performs privilege escalation, lateral movement, or data theft. If you are hunting for undiscovered malicious activity, you might want to start your hunt by looking for a specific actor's behavior. Whatever your scenario, you need to answer the question “How do you search for this actor within your environment?”
Using operational threat intelligence
Operational threat intelligence is knowledge gained from examining details from known attacks. An analyst can build a solid picture of actor methodology by piecing together tactical indicators and artifacts and derive them into operational intelligence. This can help to achieve a number of defensive goals, like enhancing incident response plans and mitigation techniques for future attacks and incidents.
Analysts can also implement and bolster a proactive discovery program (“hunting program”) to identify suspicious files and activity that have bypassed traditional security technologies. From there they can develop detection methodologies that are not dependent on IOCs, ensuring broader coverage of threats in a more timely fashion.
Examples of operational threat intelligence
- Scheduled Tasks for most backdoors
- WMI by manual installation for backdoors that do not have persistence built-in
- Legitimate file replacement of Windows Error Reporting file (wermgr.exe)
Strategic threat intelligence
Strategic threat intelligence provides a big picture look at how threats and attacks are changing over time. Strategic threat intelligence may be able to identify historical trends, motivations, or attributions as to who is behind an attack. Knowing the who and why of your adversaries also provides clues to their future operations and tactics. This makes strategic intelligence a solid starting point for deciding which defensive measures will be most effective.
Strategic threat intelligence might include information on the following topic areas:
Using strategic threat intelligence
Strategic threat intelligence is built upon a huge body of knowledge and includes expert opinions and insights that are based on aggregating both operational and tactical threat intelligence from known cyber attacks. This intelligence is particularly useful for people in leadership roles such as CISOs and executive leadership who must justify budgets and make better-informed investment decisions. Some uses of strategic threat intelligence include:
Examples of strategic threat intelligence
- APT10 aka “MenuPass Group”
- APT22 aka “Barista Team”
- APT29 aka “The Dukes”
Threat intelligence and business objectives
Threat intelligence always has a purpose – to inform decision making and drive action. However, it’s not uncommon for businesses to struggle when determining the value of their threat intelligence team, processes, and tools. The terminology of threat intelligence is usually not compatible with the business lexicon, leading to misunderstandings of its purpose and value.
Businesses can help derive value from their intelligence programs by aligning them to a generic, macro-level set of priorities as can be seen below (not all-inclusive):
Once the threat intelligence team understands the business objectives, they can align their operations and efforts to support the business. Not all of the business priorities will perfectly align with threat intelligence capabilities, and that’s okay. You can develop granularity and nuance as you build out your requirements. Here are some starting goals for any threat intelligence team:
- Collaborate with the Fraud team to determine the top 3–5 types of fraud and ask what information would help them detect and prevent this in the future?
- What does the analysis of Incident tickets reveal about the nature and type of data targeted in previous data breach events?
- What vulnerabilities were exploited and by what means?
- What systems store PII and how do the vulnerabilities of those systems line up with known exploitation vectors?
- TI can focus on reducing risk due to data loss and external threats by identifying actors and deriving intelligence on external threats targeting their industry, ensuring detection techniques and mechanisms are in place and able to catch these threats.
Threat intelligence evolution
Threat intelligence will continue to evolve and be a key security function. Integrating tactical, operational, and strategic threat intelligence will provide valuable insights into IOCs and threat actor's methodologies. This will lead to more secure environments where you can identify your adversaries. A growing number of public and private sector organizations are now using cyber threat intelligence. Recent research published by the Ponemon Institute revealed that 80% of organizations are using it and that an even higher percentage regard it as critical.
Organizations using cyber threat intelligence are meeting numerous security challenges. They are detecting and responding to advanced threats. They are preventing data breaches and protecting sensitive information. They are lowering cybercrime and fraud costs. Most importantly, they are reducing overall business risk.
