What is Cyber Threat Intelligence
When one thinks of intelligence, they usually think about the military and intelligence agencies like the CIA or the Marine Corps. If it sounds militant, you are not too far off. Cyber intelligence, or threat intelligence, uses some of the same methods and procedures to defend networks that the intelligence agencies use to defend our country. The driver for the recent popularity of cyber threat intelligence is the increase in advanced persistent threats (APT). An APT can loosely be defined as a category of attack where a group or person is specifically targeting a business. These attacks can combine different methods to gain access to a business' networks. Simple hacks by "script kiddies", by contrast, usually use a single method to do one or two things on a network. Vandalizing a website or DoS'ing a network can fall in this category.
Today, threats from hackers on the internet are growing in complexity, scale, and number. The defenses that we used to protect our computers and networks in the past usually started by countering an already existing threat. The standard model for defending against cyber-attacks is the monitor-and-respond strategy. This usually entails collecting as much information as possible from as many resources as possible to create the best configurations possible to beat the threat. The problem with this strategy is that it is reactive. By the time the IT staff discover that their configurations were ineffective, the attack has already happened. Once the attack happens, an investigation is conducted to come up with a new configuration or ACL that will hopefully stop that type of attack from occurring again. That reactionary method of developing defenses is inadequate for networks today. Developers and engineers just cannot keep up with the evolving threat coming from hackers. Even standard risk analysis can fall short because it can only assess known vulnerabilities. How can you defend your networks against an attack that you have not seen yet? The answer is cyber threat intelligence.
So, what is cyber threat intelligence? To answer that we first have to define intelligence. Intelligence can be defined as the product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations (Joint Pub 2-0). This definition works well, and with a little imagination, one can understand what cyber intelligence would be. Foreign nations could be nation-state sponsors of cyber-attacks. Hostile forces or elements could be hackers.
In 2002, Donald Rumsfeld gave a Department of Defense (DoD) briefing introducing the concept of "knowns." There are essentially three types of "knowns" that you could have about something: known knowns, known unknowns, and unknown unknowns (Rumsfeld 2002). Known knowns are things that we know that we know. An example is what a cyber-attack is and how to defend against it. There are known unknowns, such as the assume-breach concept: we know that we are eventually going to get hacked, we just don't know when or how. Lastly, there are unknown unknowns. These are where we do not know what types of attacks are out there and we do not know when or how they will happen. A good example of this is zero-day attacks. We do not know what the attack is or how and when it is going to happen. Think back to most of the significant data breaches in the past. Most of those attacks happened over the course of months, and the victims never knew that they had even been hacked. Cyber threat intelligence acts to move as many unknown unknowns as possible into the known unknowns category. To do this, cyber threat intelligence fills the defense gap by analyzing and sharing information.
One way cyber threat intelligence attempts to solve the unknown unknowns is by the exchange of information. Thinking back to traditional intelligence agencies, the spies usually try to sneak around to find out information to give back to their country. That country uses the information in a variety of ways, but mainly it is to clear the "fog of war", or unknown unknowns, to be able to make better decisions. This analogy works the same way in the cyber world. The question to ask yourself in the realm of cyber security is: who are my adversaries and what information do they likely want? By asking this question, you can start to narrow down and focus your efforts. Most businesses do not have an infinite amount of money and time to secure their networks.
When sharing information with other organizations, it is important to establish and maintain a consistent format. By doing this, an organization can more easily find what it is looking for. Different threat information types should be formatted in a way that makes it easy for a user to take action on them. There are five main data types: indicators; tactics, techniques and procedures (TTPs); security alerts; threat intelligence reports; and tool configurations (Johnson, 2016).
There are two reasons why companies may choose not to share information. The first is that they do not believe that they have any information that would be considered valuable to other businesses. The second is that some firms do not want to assist or help their potential competition (Chismon, 2015).
Threat indicators, or simply indicators, are technical data that can suggest an attack may happen or is already going on (Johnson, 2016). These indications can be anything from known harmful or malicious IP addresses to suspicious URLs that can indicate malicious activity. By sharing this type of information on threat intelligence clearinghouses, a company can help other businesses by sharing what it knows.
TTPs are the actions that a hacker usually takes on a network (Johnson, 2016). Tactics are the high-level behaviors that hackers exhibit. Techniques are the specific steps that hackers take on a network to gain unauthorized access. An example of this is using Metasploit to drop malware onto a target. Procedures are the actual steps used to conduct the attack.
Security alerts are advisories or notifications about specific vulnerabilities, exploits, or other security concerns given by organizations to the general public (Johnson, 2016). One of the first organizations to provide security alerts to the public was the United States Computer Emergency Readiness Team (US-CERT). This organization was created after the Morris Worm wreaked havoc on the internet in the US. Other important sources are the National Vulnerability Database (NVD) and Microsoft Security Bulletins from TechNet.
Threat intelligence reports are reports that inform about TTPs, hackers, or case studies of attacks that can help inform a company on how to secure its networks (Johnson, 2016).
Lastly are tool configurations. These are reports that contain the software or equipment settings used to defend against attacks, or what the configurations were when an attack occurred (Johnson, 2016). This kind of report could also be used to instruct someone in how to use AV software or how to remove malware once a computer is infected.
In the United States Marine Corps (USMC), information is shared all the time about field exercises or projects. The lessons learned are put in reports that get published on the USMC's Center for Lessons Learned website. These lessons show anyone who is interested what went right or wrong for different events. The same applies to information sharing for cybersecurity. When companies exchange information with other businesses, there is a shared awareness among them. This awareness covers events like DDoS attacks or their after-effects from a business continuity point of view. Situational awareness can be very valuable for companies that have not yet had to deal with network outages to learn from. Information sharing can also increase the security posture if companies pay attention. Just like a rising tide raises all boats, sharing information can improve security.
A report by the SANS Institute indicated that companies that used threat intelligence saw 28% better context, accuracy and speed in monitoring and incident handling (Shackleford, 2015). The same report found 51% faster and more accurate detection and response, and a 48% reduction in incidents through early prevention, attributed to cyber threat intelligence (CTI) (Shackleford, 2015). Unsurprisingly, the top user of CTI is the U.S. Government. At the federal level, cooperation between the military and the government has cross-pollinated experience, and both groups have benefited.
One potential weakness with CTI is being overwhelmed with information and not knowing how to use and integrate it. To help with this, several different formats and frameworks have been created to help in identifying the information and putting it in a readable form. According to the SANS report, the most popular format is the Open Threat Exchange (OTX), with 51% of companies responding that they use that framework. OTX has almost 26,000 users in 46 groups. Each report in the OTX draws on over 929,000 indicators, from bad IP addresses to malicious URLs. The OTX can be accessed by going to the AlienVault website.
Another popular framework is the Open Indicators of Compromise (OpenIOC) framework. OpenIOC is a framework created by Mandiant that contains tools to edit and create Indicators of Compromise (IOC). These indicators are the artifacts that are left behind by an attack. Companies that use the framework can create an XML document that puts these indicators in a logical format that can be used to adjust the configurations of firewalls, IDS/IPS, and other investigative tools. The standard life cycle of creating IOCs begins with an initial lead or evidence. This could come from a notification from law enforcement or from an anomaly that was detected by a network device. After the initial discovery, IT personnel create the IOC from their existing evidence and the environment of the network. Once the IOC is created, it is deployed to the network. Deploying the IOC can cause changes to the network's ACLs, blacklisted URLs or IP addresses, or other signatures that alter the IDS/IPS. After deploying the IOC on the network, additional information and indicators can be included if anything new was discovered during the investigation. When the new evidence is included in the IOC, the evidence can be further analyzed to refine, enhance, or create additional IOCs.
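To make the "deploy the IOC" step concrete, here is an added example (not from the article and not Mandiant's OpenIOC tooling) of a minimal evaluator that reads an OpenIOC-style XML document and checks constructed proxy-log events against it. The IOC document, the indicator values, and the events are all constructed sample data; only the "is" and "contains" conditions with AND/OR nesting are supported, which is a simplification of the full OpenIOC schema.

```python
# Added example (not the article's or Mandiant's own code): minimal evaluator for
# an OpenIOC-style XML document over constructed events; only is/contains, AND/OR.
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
# Constructed IOC: hit on a known-bad remote IP, OR on a suspicious URI
# fragment combined with a specific user agent (both needed in the AND branch).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
<definition><Indicator operator="OR">
 <IndicatorItem condition="is">
  <Context document="Network" search="Network/RemoteIP"/>
  <Content type="IP">203.0.113.45</Content></IndicatorItem>
 <Indicator operator="AND">
  <IndicatorItem condition="contains">
   <Context document="Network" search="Network/URI"/>
   <Content type="string">/update.php?id=</Content></IndicatorItem>
  <IndicatorItem condition="is">
   <Context document="Network" search="Network/UserAgent"/>
   <Content type="string">Mozilla/4.0 (compatible; MSIE 6.0)</Content></IndicatorItem>
 </Indicator>
</Indicator></definition></ioc>"""

def _item_matches(item, event):
    """Evaluate one IndicatorItem against an event dict keyed by search path."""
    search = item.find("ioc:Context", NS).get("search")
    content = item.find("ioc:Content", NS).text or ""
    value = event.get(search, "")
    cond = item.get("condition")
    if cond not in ("is", "contains"):
        raise ValueError("unsupported condition: %s" % cond)
    return value == content if cond == "is" else content in value

def _indicator_matches(indicator, event):
    """Recursively combine child results with this node's AND/OR operator."""
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]  # drop the namespace prefix
        if tag == "IndicatorItem":
            results.append(_item_matches(child, event))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, event))
    return all(results) if indicator.get("operator", "OR").upper() == "AND" else any(results)

def evaluate_ioc(ioc_xml, events):
    """Return indices of the events that satisfy the IOC's top-level Indicator."""
    top = ET.fromstring(ioc_xml).find("ioc:definition/ioc:Indicator", NS)
    return [i for i, ev in enumerate(events) if _indicator_matches(top, ev)]

SAMPLE_EVENTS = [  # constructed proxy-log events, keyed by the IOC search paths
    {"Network/RemoteIP": "203.0.113.45", "Network/URI": "/", "Network/UserAgent": "curl/7.68.0"},
    {"Network/RemoteIP": "198.51.100.7", "Network/URI": "/update.php?id=7",
     "Network/UserAgent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    {"Network/RemoteIP": "198.51.100.7", "Network/URI": "/update.php?id=7",
     "Network/UserAgent": "Mozilla/5.0"},  # URI matches but agent does not: no hit
]
```

Running evaluate_ioc(SAMPLE_IOC, SAMPLE_EVENTS) flags the first two events and not the third, which shows why the AND branch matters: a single weak indicator such as a URI fragment would otherwise produce false positives.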
There are two ways that companies can begin to add CTI to their network security practices. The first way is to build and grow an intelligence cell from scratch. The benefit to companies creating their own CTI cell is that they can stay at the leading edge of the security threats. Because it takes some time to investigate and create intelligence after an attack, companies would likely alter their networks before finalizing any IOCs to publish. One major drawback of creating a CTI cell is the cost. Cost can be significant depending on the size and experience of the intelligence unit. For most smaller businesses, this would be unrealistic despite the need. An alternative to starting their own CTI cell would be to subscribe to a managed security service that provides reports and intelligence. This can be a more cost-effective way for small and medium companies to leverage the experience of a larger company. FireEye, Dell SecureWorks, and Symantec are three companies that can provide managed CTI. These businesses can all provide feeds of information that are constantly being updated. The prices for this service can vary from $2000 to $3000 per month for a single feed to $100,000 for a 12-month subscription for 1 to 2500 computers (Tittel, 2015). Companies that are thinking about either one of these options should conduct a risk assessment and analyze what the return on investment would be to make sure that the price is worth it.
In a large enterprise, cyber threat intelligence will usually fall under a Network Operations Center (NOC) or Security Operations Center (SOC). These teams serve two different purposes, but sometimes they can be combined depending on the size and budget of the organization. Larger organizations like government entities usually have separate teams because of the potential for a conflict of interest. You would not want the same system administrators that are responsible for keeping the network running to also be responsible for auditing the logs, for example. Threat intelligence will normally fall within the SOC team's responsibility. A SOC team can be responsible for tasks that include risk analysis, IDS/IPS analysis, and threat intelligence. Because there are so many different threats in cyberspace and only so much money to go around, risk analysis is needed: it is the process of discovering all of the vulnerabilities that lie on a network and prioritizing them from the most severe to the least severe. The budget should be prioritized to reduce the most severe risks so that the business can get the most "bang for the buck" that it can. If these risks are not prioritized correctly, the company could be wasting money trying to reduce a risk that would have no real impact on the security of its network. This is where threat intelligence can help prioritize the risk. By sharing information with others, each business can use the information about the controls that other companies implemented and analyze their effects. If the controls that were implemented were effective and there was a significant reduction in attacks, then that information could be used to help secure the network. If the controls were ineffective, that company could still learn which controls were least efficient and find an alternative control. Each time companies share information on attacks, controls, or investigations, everyone can benefit from the shared knowledge.
By using threat intelligence information sharing, risk analysis becomes more effective and efficient.
Business and the military both operate on three different levels. The bottom level is the tactical level. For IT roles, this level is responsible for monitoring the network and managing the users, upgrades and patches. At this level, one of the problems is the number of tasks that need to be completed. It is often difficult to test and manage patches while simultaneously scanning logs and ensuring that the normal users have access to their accounts. CTI can help at this level by helping to prioritize the efforts of the IT staff so that their efforts have the most benefit for the networks (Friedman, 2015).
The next level is the operational level and includes the incident response teams and the forensic teams. A problem at this level is that it can be time-consuming and difficult to investigate an attack and to contain the damage of further breaches. CTI can again help prioritize the efforts of the investigating staff and provide case studies and indicators that they can use to speed up their processes (Friedman, 2015).
The top level for businesses is the strategic level. This is the level that the Chief Information Security Officer (CISO) and other C-suite executives work at. One of their problems with IT security is that they often lack a technical understanding of the issues, and with that lack of understanding have a difficult time prioritizing funding for investment in new or expanded technologies and tools. CTI can help these executives prioritize their spending on the most likely threats and give the company the most bang for its buck in stopping the most dangerous and likely attacks (Friedman, 2015).
The future is most likely pretty bright for cyber threat intelligence. It should begin to play an even larger role as Artificial Intelligence (AI) and machine learning start to expand into more industries. The usual methods of adding more hardware to the network are starting to have less of an impact in keeping the networks secure. Cyber threat intelligence plays a role in filling the defense gap by sharing information and analyzing previous attacks to help prevent more attacks from occurring.
References
Shackleford, Dave. (February 2015). Who's Using Cyberthreat Intelligence and How? Retrieved from https://www.sans.org/reading-room/whitepapers/analyst/who-039-s-cyberthreat-intelligence-how-35767
Lord, Nate. (October 2016). What is Threat Intelligence? Finding the Right Threat Intelligence Sources for Your Organization. Retrieved from https://digitalguardian.com/blog/what-threat-intelligence-finding-right-threat-intelligence-sources-your-organization
Rumsfeld, Donald. (February 2002). DoD News Briefing – Secretary Rumsfeld and Gen. Myers. Retrieved from U.S. Department of Defense Web site: http://archive.defense.gov/Transcripts/Transcript.aspx?TranscriptID=2636
Department of Defense. (2013). Joint Publication 2-0 Joint Intelligence. Washington D.C. USDOD.
Johnson, Chris; Badger, Lee; Waltermire, David; Snyder, Julie; Skorupka, Clem. (October 2016). Guide to Cyber Threat Information Sharing (NIST SP 800-150). Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf
Chismon, David; Ruks, Martyn. (2015). Threat Intelligence: Collecting, Analysing, Evaluating. Retrieved from https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/MWR_Threat_Intelligence_whitepaper-2015.pdf
Friedman, Jon; Bouchard, Mark. (2015). Definitive Guide to Cyber Threat Intelligence. Retrieved from https://cryptome.org/2015/09/cti-guide.pdf
Tittel, Ed. (April 2015). Comparing the top threat intelligence services. Retrieved from http://searchsecurity.techtarget.com/feature/Comparing-the-top-threat-intelligence-services