Cybersecurity is not a static game: the adversaries evolve, and so must we to defend against new threats. We need information to make decisions. This is where threat intelligence comes into play; we need to know what the dangers are to know what to protect against and how to do it. Should we all set up intelligence analysis units? No, we should not. It depends on what threats you are facing, and how mature your defense is.
First of all, what is threat intelligence? Gartner defines it as follows:
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” (Gartner.com)
This means that to make use of threat intelligence you need to gather data, figure out what is important and what is not, figure out what is credible and what is not, and figure out what you should do about it. If you want this to work well, the first question you need to ask is: “what do I need to know about?”. There is far too much information out there to deal with, and if you don’t even know what questions you are trying to find answers to, it will be an expensive waste of time and effort.
Define your intelligence requirements
Before starting a program to collect and analyse intelligence, you should determine what your requirements are. To do that, let’s start with the risk picture. What are you worried about?
- Is it primarily ransomware, random phishing attacks, credit card fraud? This is what we consider to be “internet noise”.
- Are you worried about corporate espionage from skilled operators?
- Are you a cog in the wheel of a critical supply-chain, where you are likely to be targeted because attackers are interested in those you sell to?
- Are you worried about advanced targeted attack campaigns, perhaps backed by a nation-state actor?
- Are you worried there has been a big data breach and you are not aware of it? That your customers’ personal data have been exfiltrated from your servers, and now someone is trading it on the dark web?
Now, you could say you should gather information that would make it possible to deal with the things you worry about. However, you also have to think about what you are capable of doing. How mature is your defense? You don’t need threat intelligence if you haven’t already introduced some basic security practices such as:
- Make security part of your corporate governance: measure and report on cyber risk
- Set up backups, patching, two-factor authentication, strong passwords
- Provide security training for your personnel
- Provide basic detection and response capabilities
If you don’t have those four essential practices in place, this is what you should focus on. If all that is in place – you should think about what threat intelligence can do for you. Threat intelligence can range from collecting IP addresses used by malware for command and control and blocking connections to them on your firewalls, to sophisticated collection and analysis of tactics, techniques and procedures used by threat actors you have reason to believe are targeting you. The following table maps “worry to intelligence practice”, and is provided as an aid to define your intelligence requirements.
| I worry about | I want to know | What I will use it for |
| --- | --- | --- |
| Ransomware, phishing, internet noise | If my computers are connecting to C2 networks | Automated detection and blocking of undesired traffic |
| Targeted social engineering campaigns | Current tactics used by cybercriminals and other threat actors | Better awareness training; aid in incident response and threat hunting |
| Persistent access by advanced threat actors | Tactics they use, tools, likely evidence I should be collecting, correlation and threat hunting aids | Faster detection and response; red team threat actor emulation |
| Supply chain risks and legal changes affecting my operations | Attacks against supply chain partners, new laws, results of court decisions | Changes to my risk management and compliance programs |
Sources and collection practices
What kind of information should you then collect, and how should you collect it? That also depends on both what you want to use it for, and how much time you have to collect and review it. A lot of people, when they talk about threat intelligence, are thinking about lists of domain names and IP addresses used in cyberattacks. You can subscribe to such lists and integrate them into your firewall to automatically block connections to C2 networks.
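As an added example (not code from the original post or from Cybehave), the script below shows the simplest use of such a list: it loads a constructed indicator feed of IPs, CIDR ranges and domains, parses a few constructed proxy log lines, and reports every connection whose destination matches. The feed format, the key=value log format and the addresses used are all assumptions for this illustration; the addresses come from documentation ranges and the domain uses the reserved .invalid suffix.

```python
import ipaddress
import re

# Constructed sample indicator feed (documentation-range addresses and an
# .invalid domain, not real C2 infrastructure). One indicator per line;
# blank lines and '#' comments are ignored; single IPs, CIDR ranges and
# domain names may be mixed.
SAMPLE_FEED = """
# constructed example feed
198.51.100.23
203.0.113.0/24
c2.example.invalid
"""

# Constructed sample proxy log lines in an assumed key=value format.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z src=10.0.0.5 host=www.example.org dst=93.184.216.34",
    "2024-03-01T10:00:07Z src=10.0.0.9 host=c2.example.invalid dst=198.51.100.23",
    "2024-03-01T10:00:09Z src=10.0.0.12 host=files.example.net dst=203.0.113.77",
    "2024-03-01T10:00:11Z src=10.0.0.7 host=cdn.c2.example.invalid dst=192.0.2.10",
    "this line is malformed and must be skipped, not crash the job",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+)$"
)


def load_indicators(feed_text):
    """Split a feed into a list of (network, label) pairs and a set of domains."""
    networks, domains = [], set()
    for raw in feed_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets a bare IP become a /32 (or /128) network
            networks.append((ipaddress.ip_network(line, strict=False), line))
        except ValueError:
            domains.add(line.lower().rstrip("."))
    return networks, domains


def parse_log_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_indicator(host, dst, networks, domains):
    """Return the matching indicator label, or None if nothing matched.

    A domain indicator matches the host exactly or as a parent domain,
    so a subdomain of a listed C2 domain is still caught.
    """
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None
    for net, label in networks:
        if addr in net:
            return label
    return None


def find_c2_connections(log_lines, networks, domains):
    """Return one record per parseable log line whose destination hits an indicator."""
    hits = []
    for line in log_lines:
        fields = parse_log_line(line)
        if fields is None:
            continue  # malformed line: skip rather than abort the whole run
        label = match_indicator(fields["host"], fields["dst"], networks, domains)
        if label is not None:
            hits.append({**fields, "indicator": label})
    return hits


if __name__ == "__main__":
    nets, doms = load_indicators(SAMPLE_FEED)
    for hit in find_c2_connections(SAMPLE_LOGS, nets, doms):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']} ({hit['dst']}) matched {hit['indicator']}")
```

In practice the feed would be refreshed on a schedule and the matches forwarded to the SIEM or used to generate firewall rules; the point of the example is that the matching itself is cheap, and that the real work lies in choosing a feed whose indicators are relevant and credible for your requirements.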
But what if you are interested in knowing about ongoing attacks, vulnerabilities you need to act on, and legislation changes? The first and most obvious source is of course the news. Having a platform to collect the news is helpful, such as an RSS reader. The problem is that the volume of news you could be collecting is very large compared to what is relevant. This means that getting a curated collection of news that is meaningful to your intelligence requirements and your capabilities to act is a good idea.
Another rich source of information on vulnerabilities and attacks is social media, in particular Twitter. In addition to Twitter, forums and chats (Discord, IRC, Slack) can also be useful. Collecting data from these sources requires more involvement than regular news because identifying the valuable sources is more difficult and may require active community involvement. In addition, credibility is more difficult to gauge for social sources than for regular news and requires more analyst involvement.
What about human sources? Cybersecurity analysts may hang out in bars, but usually don’t seduce a source a la James Bond. But human sources can also be useful in threat intelligence, especially for getting early warnings about ongoing attacks. Typically such benefits are achieved not through running agents within other organizations, but rather through engaging in intelligence sharing in the community.
There are many other possible sources one could collect from as well. Here are some ideas: court documents, CERT alerts, vulnerability databases, security company blogs, security researcher blogs, bug bounty programs, conference talks, YouTube videos, release notes for new software versions, GitHub issues, email newsletters, research papers from academia, business news, proposals for new laws. The list can go on and on. And the good news is: you probably don’t need to collect and review all this to make your threat intelligence program useful – it should be mapped back to your worries and your requirements.
Analysis: turning information to actionable intelligence
Say we are able to collect intelligence at scale. How do we make it useful?
At Cybehave we believe in keeping it simple: we have two levels of analysis:
First-level analysis: fast triage
- We tag the information according to category (CVE, TTP, attack, legal, privacy).
- We assess what business sectors and types of organizations this is most relevant for
- We assess the credibility of the information (low, medium, high)
- We summarise the content of the information, the potential impact to technical systems and expected organizational consequences.
- We review if the information should be linked to other already triaged cases
- We make recommendations on actions to take
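To make the six triage steps concrete, here is an added example in Python that is not Cybehave's own code or portal logic. It models a triaged item with the tag vocabulary, sector list and credibility rating from the steps above, links items that share an indicator, and scores each item against a customer profile built from the “I worry about” rows so that a digest only carries what is relevant. The worry names, the worry-to-category mapping, the scoring rule and all sample items are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field

# Tag vocabulary from the first-level triage steps.
CATEGORIES = {"CVE", "TTP", "attack", "legal", "privacy"}
CREDIBILITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}

# Assumed mapping from "I worry about" rows to the categories that serve
# them; the worry names are constructed for this example.
WORRY_TO_CATEGORIES = {
    "internet_noise": {"attack"},
    "social_engineering": {"TTP", "attack"},
    "advanced_actor": {"TTP", "CVE", "attack"},
    "supply_chain": {"legal", "privacy", "attack"},
}


@dataclass
class TriagedItem:
    item_id: str
    title: str
    categories: set
    sectors: set               # {"all"} means relevant to every sector
    credibility: str           # low / medium / high
    summary: str               # content, technical impact, organizational consequence
    recommendation: str
    indicators: set = field(default_factory=set)  # CVE ids, domains, actor names
    linked_to: set = field(default_factory=set)   # ids of related triaged cases


@dataclass
class CustomerProfile:
    name: str
    sectors: set
    worries: set


def validate(item):
    """Reject items tagged outside the agreed vocabulary before they enter the feed."""
    unknown = item.categories - CATEGORIES
    if unknown:
        raise ValueError(f"{item.item_id}: unknown categories {sorted(unknown)}")
    if item.credibility not in CREDIBILITY_WEIGHT:
        raise ValueError(f"{item.item_id}: bad credibility {item.credibility!r}")
    return True


def link_related(items):
    """Cross-link items that share at least one indicator; returns links made."""
    links = 0
    for i, a in enumerate(items):
        for b in items[i + 1:]:
            if a.indicators & b.indicators:
                a.linked_to.add(b.item_id)
                b.linked_to.add(a.item_id)
                links += 1
    return links


def relevance_score(item, profile):
    """0 if the item's sectors do not apply to the customer; otherwise the
    credibility weight plus one point per customer worry the categories speak to."""
    if "all" not in item.sectors and not (item.sectors & profile.sectors):
        return 0
    score = CREDIBILITY_WEIGHT[item.credibility]
    for worry in profile.worries:
        if WORRY_TO_CATEGORIES.get(worry, set()) & item.categories:
            score += 1
    return score


def build_digest(items, profile, min_score):
    """Item ids a customer would see in their feed, most relevant first."""
    scored = [(relevance_score(it, profile), it.item_id) for it in items]
    ordered = sorted(scored, key=lambda s: (-s[0], s[1]))
    return [iid for score, iid in ordered if score >= min_score]


# Constructed sample items and customer (not real reports or real clients).
SAMPLE_ITEMS = [
    TriagedItem("TI-001", "Phishing campaign against hotel booking staff",
                {"attack", "TTP"}, {"hospitality"}, "high",
                "Lures imitate booking confirmations; credential theft likely.",
                "Brief front-desk staff; enforce MFA on booking portal.",
                indicators={"c2.example.invalid"}),
    TriagedItem("TI-002", "Malware sample beaconing to c2.example.invalid",
                {"attack"}, {"all"}, "medium",
                "Generic loader; no sector targeting observed.",
                "Block the domain at the proxy; hunt for past connections.",
                indicators={"c2.example.invalid"}),
    TriagedItem("TI-003", "Proposed amendment to a privacy law",
                {"legal", "privacy"}, {"all"}, "high",
                "Would extend breach notification duties.",
                "Review notification procedures with legal counsel."),
]
HOTEL_CHAIN = CustomerProfile("hotel-chain", {"hospitality"},
                              {"social_engineering", "internet_noise"})

if __name__ == "__main__":
    for it in SAMPLE_ITEMS:
        validate(it)
    print("links made:", link_related(SAMPLE_ITEMS))
    print("digest for", HOTEL_CHAIN.name, "->", build_digest(SAMPLE_ITEMS, HOTEL_CHAIN, 4))
```

The scoring rule is deliberately simple: credibility sets the baseline, and each requirement the item serves raises it, while a sector mismatch drops it to zero so that noise never reaches a customer it cannot affect. A real portal would tune the weights per customer, but the shape of the decision stays the same.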
Our first-level analysis will be shared with customers in our upcoming threat intelligence portal, where customers can get a curated news feed with recommendations, weekly or daily digest emails or access to the feed as an API.
Second-level analysis: in-depth analysis
We only provide in-depth analysis if we decide the intelligence collected is part of a larger complex that we need to see in a common context, or on request from a customer.
What such an analysis would entail would vary by type of intelligence (e.g. news about an upcoming legal change in privacy law in India requires different treatment from news about an ongoing phishing campaign against hotels in Europe). Generally we want to establish a timeline, assess any involved threat actors and their motivations and capabilities, review wider impact and look at in-depth business consequences. Our key tools of the in-depth analysis are issue graphs and attack trees. We aim to give actionable recommendations on strategic and tactical levels.
Second-level analysis will be shared in the form of written reports, and optionally also with an accompanying slide deck.
Using the intelligence for defense
Let’s say we have received an intelligence report with a summary and recommendations. How should we use this? A threat intelligence vendor does not know your exact context, nor all aspects of your existing defense. The first thing we would do when reviewing a recommendation is to assess “how does this affect us?” Are we at risk from this? If we decide on “yes”, the next question to ask ourselves is “what protections do I have in place already? Is this good enough?”. If the answer to that is “yes”, maybe there is not so much to worry about. If “no”, you probably need to plan some actions to take.
The intelligence report comes with recommendations. Can you implement this? Could it have negative effects on other parts of the business? Will it require unreasonable effort or cost? If not, you should start planning implementation.
When can I get my threat intel from Cybehave?
We aim to launch our platform in May, and give some customers free beta access in the beginning of May. If you are as excited about threat intelligence as we are, sign up now and we will be in touch pre-launch to offer you a free beta trial of our platform!
Everyone who signs up can also download a free phishing defense checklist!