Thanks to everyone who joined our webinar on How to Build Threat Intelligence into your Incident Detection and Response Program. We got so many great questions during the session that we decided to follow up with a post answering them and addressing the trends and themes we continue to see around threat intelligence.
TL;DR for those of you who don't have time to read all of the responses (we got a lot of questions):
- Threat intelligence is a process, not something you buy. That means you will have to put work in in order to get results.
- Threat intelligence works best when it is integrated across your security operations and is not viewed as a stand-alone function.
- Strategic, Operational, and Tactical threat intelligence (including technical indicators) are used differently and gathered using different methods.
Do you see threat intelligence as a proactive approach to cyber monitoring or just a better way of responding to cyber threats? If you see it as proactive, how, since the intelligence is based on events and TTPs that have already occurred?
A misconception about threat intelligence is that it is focused exclusively on alerting or monitoring. We talked about indicators of compromise and how to use them for detection and response, but there is a lot more to threat intelligence than IOCs.
When threat intelligence is properly implemented in a security program it contributes to prevention, detection, and response. Understanding the high level, strategic threats facing your organization helps determine how to improve overall security posture.
All intelligence must be based on facts (i.e. things that have already occurred or that we already know), but those facts allow us to create models that can be used to identify trends and assess what controls should be put in place to prevent attacks.
As prevention comes into alignment, it is important to maintain awareness of new threats by leveraging operational and tactical intelligence, taking action to protect your organization before those threats are able to impact you.
I can see the usefulness of tactical, operational and technical intelligence. How would you be able to establish strategic intelligence?
Strategic Intelligence is intelligence that informs leadership or decision makers on the overarching threats to the organization or business. Think of this as informing high level decision making based on evidence, seeing the forest without being distracted by the trees.
Information that contributes to strategic intelligence is gathered and analyzed over a longer period of time than other types of threat intelligence. The key to utilizing strategic intelligence is being able to apply it in the context of your own data and attack surface. An example would be intelligence that financially motivated cyber criminals are targeting third party vendors in order to gain access to retail networks. This information could be used to assess whether a business would be vulnerable to this type of attack and identify longer term changes that need to take place to reduce the risk, such as network segmentation, audits of existing third-party access, and development of policies to limit access.
What is the difference between Strategic and Operational Intelligence?
Strategic intelligence focuses on long term threats and their implications, while operational intelligence focuses on short term threats that may need to be mitigated immediately. Implementing strategic and operational intelligence often involves asking the same questions: who and why. With strategic intelligence you are evaluating the attackers, focusing on their tactics and motivations rather than geographical location, to determine how those threats may impact you in the future. With operational intelligence you are evaluating who is actually being targeted and how, so that you can determine if you need to take any immediate actions in response to the threat.
What is positive control and why is it important?
Positive control is the aspirational state of a technical security program. This means that only authorized users and systems are on the network, and that accounts and information are accessed only by approved users. Before you start assessing your network to understand what “normal” looks like, take care and be sure that you are not including attacker activity in your baseline.
If you are being targeted by an identified entity, what should you do to build intelligence on possible attacks?
Active and overt attacks fall into the realm of operational intelligence. You can gather intelligence on these attacks from social media, blog posts, or alerts from places like US-CERT, ISACs, ISAOs, or other sharing groups. Some questions you should be asking and answering as you gather information are:
- Who else is being targeted? Can we share information with them on this attack?
- How have the attackers operated in the past?
- What are we seeing now that can help us protect ourselves?
What is done in Tactical Monitoring?
Tactical Intelligence tends to focus on mechanisms: the “how” of what an attacker does. Do they tend to use a particular method to gain initial access? A particular tool or set of tools to escalate privilege and move laterally? What social engineering or reconnaissance activities do they typically engage in prior to an attack? Tactical intelligence is geared towards security personnel who are actively monitoring their environment as well as gathering reports from employees who report strange activities or social engineering attempts. Tactical Intelligence can also be used by hunters who are seeking to identify a behavior that may be a normal user behavior but is also a behavior that is used by an attacker to avoid detection. This type of intelligence requires more advanced resources, such as extensive logging, behavioral analytics, endpoint visibility, and trained analysts. It also requires a security-conscious workforce, as some indicators may not be captured or flagged by logs without first being reported by an employee.
Can you point me to resources where to gather information regarding strategic, tactical and operational intelligence?
Before you start gathering information it is important to have a solid understanding of the different levels of threat intelligence. CPNI released a whitepaper covering four types of threat intelligence that we discussed on the webinar: https://www.cpni.gov.uk/Documents/Publications/2015/23-March-2015-MWR_Threat_Intelligence_whitepaper-2015.pdf
- Or - if you are an intelligence purist and find that four types of threat intelligence is one type too many (or if you’re just feeling rambunctious) you can refer to JP 2-0, Joint Intelligence, for in-depth understanding of the levels of intelligence and their traditional application. http://www.dtic.mil/doctrine/new_pubs/jp2_0.pdf
Once you are ready, here are some places to look for specific types of intelligence:
Strategic Intelligence can be gathered through open source trend reports such as the DBIR, DBIR industry snapshots, or other industry specific reports that are frequently released.
Operational Intelligence is often time sensitive and can be gathered by monitoring social media, government alerts like US-CERT, or by coordinating with partners in your industry.
Tactical Intelligence can be gathered using commercial or open sources, such as blogs, threat feeds, or analytic white papers. Tactical Intelligence should tell you how an actor operates, the tools and techniques that they use, and give you an idea of what activities you can monitor for on your own network. At this level, understanding your users and how they normally behave is critical, because threat actors will try to mimic those same behaviors, and being able to identify a deviation, no matter how small, can be extremely significant.
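As an added example (not code from the webinar or the original post), here is the kind of per-user behavioral baseline the paragraph above alludes to: learn which hosts each user normally logs on to and at what hours, then flag logons that leave that profile. The logon records are constructed sample data, and the field layout (user, host, ISO timestamp) is an assumption. As the positive-control answer above warns, the history window used to build the baseline must be one you believe is clean, or attacker logons become "normal".

```python
"""Per-user logon baseline and deviation check (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed history assumed to predate any suspected compromise: (user, host, timestamp).
HISTORY = [
    ("alice", "ws-001", "2015-06-01T08:55:00"),
    ("alice", "ws-001", "2015-06-02T09:03:00"),
    ("alice", "ws-001", "2015-06-03T08:47:00"),
    ("bob", "ws-002", "2015-06-01T07:58:00"),
    ("bob", "srv-db", "2015-06-02T10:15:00"),
    ("bob", "ws-002", "2015-06-03T08:20:00"),
]

# Constructed events for the day being monitored.
TODAY = [
    ("alice", "ws-001", "2015-06-04T09:01:00"),  # usual host, usual hour
    ("alice", "srv-db", "2015-06-04T02:40:00"),  # host alice never used, middle of the night
    ("bob", "srv-db", "2015-06-04T10:05:00"),    # ordinary for bob
    ("carol", "ws-004", "2015-06-04T11:00:00"),  # account with no history at all
]


def build_baseline(events):
    """Per user: the set of hosts they log on to and the hours they do it."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, ts in events:
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return baseline


def find_deviations(events, baseline, hour_slack=1):
    """Return (user, host, ts, reasons) for each event outside the user's own profile.

    A logon within +/- hour_slack of any usual hour is treated as normal so that a
    user arriving slightly early or late does not page the on-call analyst.
    """
    flagged = []
    for user, host, ts in events:
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if host not in profile["hosts"]:
                reasons.append("new host")
            hour = datetime.fromisoformat(ts).hour
            if not any(abs(hour - usual) <= hour_slack for usual in profile["hours"]):
                reasons.append("unusual hour")
        if reasons:
            flagged.append((user, host, ts, reasons))
    return flagged


if __name__ == "__main__":
    for record in find_deviations(TODAY, build_baseline(HISTORY)):
        print(record)
```

Each flagged record is a lead for an analyst, not a verdict: a new host can be a legitimate project change, which is exactly why the text stresses knowing your users before reading the deviations.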
What is open source threat intelligence?
Open Source intelligence (OSINT) is the product of gathering and analyzing data gathered from publicly available sources: the open internet, social media, media, etc.
For more information on the other types of intelligence collection disciplines: https://www.fbi.gov/about-us/intelligence/disciplines
Open source threat intelligence is OSINT that focuses specifically on threats. In many cases you will be able to gather OSINT but will still have to do the analysis of the potential impact of the threat on your organization.
What are ISACs and ISAOs? Where can I find a list of them?
Most private sector information sharing is conducted through Information Sharing and Analysis Centers organized primarily by sector (usually critical infrastructure; a list is located here: http://www.isaccouncil.org/memberisacs.html).
In the United States, under President Obama’s Executive Order 13691, DHS was directed to improve information sharing between the US government’s National Cybersecurity and Communications Integration Center (NCCIC) and private sectors. This executive order serves as the platform to include those outside the traditional critical infrastructure sectors: Information Sharing and Analysis Organizations.
What specific tools are used for threat intelligence?
This is a great question, and I think underscores a big misunderstanding out there. Threat Intelligence is a process, not a product bought or service retained. Any tool you use should help augment your processes. There are a few broad classifications of tools out there, including threat intelligence platforms and data analytics tools. The best way to find the right tools is to identify what problem you are trying to solve with threat intelligence, develop a manual process that works for you, and then look for tools that will help make that manual process easier or more efficient.
Can a solution or framework be tailored to support organizations at different levels of cyber security maturity and awareness, or is there a minimum requirement?
There *is* a certain level of awareness that is required to implement a threat intelligence program. Notice that we didn’t say maturity: we feel that a program at any level can benefit from threat intelligence, but there is a lot that goes into an organization being ready to utilize it.
At the very basic level an organization needs to understand what threat intelligence is and what it isn’t, understand the problems that they are trying to solve with threat intel, and have a person or a team who is responsible for threat intel. An organization with this base level of understanding is far ahead of many others.
When discussing the more technical implementations of threat intelligence such as threat feeds or platforms then there are some barriers to entry. Aside from those situations, nearly any organization can work to better understand the threats facing them and how they should start to posture themselves to prevent or respond to those threats. Regardless of where you are, if you understand how threat intelligence works and start to implement it appropriately then you will be better off regardless of what else you are dealing with.
How do you stop an attacker once discovered? ACLs, IPS, etc.?
Scoping the attack is the first stage, which requires both investigation and forensics. The investigation team will identify various attributes used in the attack (tools, tactics, procedures), and then will go back and explore the rest of your systems for those attributes.
As systems get added, the recursive scoping loop continues: attributes found on each newly added system are fed back into the search, until a pass adds no new systems.
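The scoping loop described above, as an added example that is not part of the original post: each scoped host contributes the artifacts found on it (here file hashes, outbound destinations and scheduled-task names), the whole inventory is swept for those artifacts, matching hosts join the scope, and the loop repeats until a sweep adds nothing. The inventory, the known-good baseline and the seed host are constructed sample data; subtracting a baseline stands in for the analyst's judgement of which attributes actually belong to the attack, which is why, as the positive-control answer above says, that baseline must not already contain attacker activity.

```python
"""Recursive incident scoping over a host inventory (added example, constructed data)."""
from collections import deque

# Constructed inventory: host -> artifacts collected from that host.
INVENTORY = {
    "ws-001": {"hashes": {"h-aaa", "h-bbb"}, "dest": {"10.0.5.20"},   "tasks": {"Updater"}},
    "ws-002": {"hashes": {"h-ccc"},          "dest": {"10.0.5.20"},   "tasks": {"Backup"}},
    "srv-db": {"hashes": {"h-aaa"},          "dest": {"203.0.113.8"}, "tasks": {"Updater"}},
    "ws-003": {"hashes": {"h-ddd"},          "dest": {"203.0.113.8"}, "tasks": {"Backup"}},
    "ws-004": {"hashes": {"h-eee"},          "dest": {"10.0.5.99"},   "tasks": {"Backup"}},
}

# Constructed known-good baseline: artifacts normal across the fleet (a signed OS
# binary, the internal update server, the standard backup job). Anything here is
# never used as an indicator, so it must be vetted before scoping starts.
BASELINE = {"hashes": {"h-bbb"}, "dest": {"10.0.5.20"}, "tasks": {"Backup"}}


def candidate_attack_attributes(host, inventory=INVENTORY, baseline=BASELINE):
    """Artifacts on a scoped host that are not explained by the baseline.

    In a real investigation an analyst validates each of these before it becomes
    an indicator; the set difference is the simplest stand-in for that step.
    """
    return {kind: values - baseline.get(kind, set())
            for kind, values in inventory[host].items()}


def hosts_matching(indicators, inventory=INVENTORY):
    """Every host in the inventory that exhibits at least one indicator."""
    return {host for host, artifacts in inventory.items()
            if any(artifacts.get(kind, set()) & values
                   for kind, values in indicators.items())}


def scope_incident(seed_hosts, inventory=INVENTORY, baseline=BASELINE):
    """Run the scoping loop from the initially identified hosts.

    Returns (scoped hosts, accumulated indicators, per-round log) where each
    round records the host examined and the hosts that sweep newly added.
    """
    scoped = set(seed_hosts)
    indicators = {}
    queue = deque(seed_hosts)
    rounds = []
    while queue:
        host = queue.popleft()
        for kind, values in candidate_attack_attributes(host, inventory, baseline).items():
            indicators.setdefault(kind, set()).update(values)
        newly_added = hosts_matching(indicators, inventory) - scoped
        rounds.append((host, sorted(newly_added)))
        scoped |= newly_added
        queue.extend(sorted(newly_added))  # loop ends when a sweep adds nothing
    return scoped, indicators, rounds


if __name__ == "__main__":
    in_scope, iocs, log = scope_incident(["ws-001"])
    for examined, added in log:
        print(f"examined {examined}: added {added or 'nothing'}")
    print("scope:", sorted(in_scope))
```

Starting from ws-001, the first sweep pulls in srv-db via the shared hash, srv-db contributes the external destination that pulls in ws-003, and the third sweep adds nothing, so scoping stops with three hosts; ws-002 and ws-004 share only baseline artifacts and stay out of scope.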
Once scoping is done, there are a number of actions to be taken, and the complexity involved in deciding exactly what happens (and when) grows exponentially. A short (and anything but comprehensive) list of considerations includes:
- Executive briefing and action plan signoff
- Estimate business impact by the recovery actions to be executed
- Isolate compromised systems
- Lock or change passwords on all compromised accounts with key material in the scoped systems
- Patch and harden all systems in the organization against vulnerability classes used by the attacker
- Identify exactly what data was impacted, consult with legal regarding regulatory or contractual required next steps
- Safely and securely restore impacted services to the business
Obviously there are a lot of variables at play here, and every incident is unique.
This stuff is extremely hard; if it were easy, everyone would be doing it.
Call us if you need help.
When I find a system that has been compromised, can you tell me where it came from?
You’re asking the right question here: getting a sense of the attacker’s motivation and tactics is extremely valuable. Answering “who did this” and “where did they come from” is a lot more difficult than simply pointing at the source IP for the initial point of entry or command and control.
Tactical Intelligence from the investigation will help answer these questions.
What should be the first step after knowing that the host has been compromised by a zero-day attack?
Run around, scream and shout.
In all seriousness, you won’t start off with the knowledge that a zero-day was used to compromise an asset. Discovering that 0day was used in a compromise, by definition, means that an investigation was performed and that the root cause identified at the point of infection was, in fact, 0day. At that point you will hopefully have gathered more information about the incident that you can then analyze to better understand the situation you are facing.