2. Problem
• Advanced threats driven by state sponsored
groups, hacktivists and organized crime rings have
made threats increasingly difficult to defend
against with traditional Computer Network
Defense (CND) security practices
• Traditional use of indicator and signature driven solutions alone is no longer sufficient to protect against these threats
• Historically, intelligence was only conducted by military and government organizations
3. Cyber Intelligence
• Purpose
– Cyber intelligence products provide information on cyber
threats, track trends and allow for predictive analysis on
cyber threat groups
• Process
– Process of taking open source research, official reporting
(reporting from credible organizations) and internal
cyber attack data, and fusing them into an actionable
product for information dissemination specific to your
organization
• Intent
– Provide support to other security
operation teams by filling
intelligence gaps and providing
information not currently being
identified or tracked
4. Advanced Threats Categories
• APT
– Malware
– Spear phishing emails and watering holes
• Hacktivists
– Attack in large numbers
– DDoS attacks
– Data compromise
– Public posts of sensitive data
• Crime Rings
– Ransomware
– TOR network
– Blend in
• Unknown
– Similar tactics, techniques & procedures (TTPs)
– Use of buckets or clustering
5. Complexity of Advanced Threats
• Advanced threats often go undetected
– Human operators driving attacks
– Malware
• These advanced attackers create/collect
intelligence through analysis of their targets
• The planning, patience and human driven aspects of advanced threats make traditional security models less effective
6. CND vs. Cyber Intelligence
• Computer Network Defense & Cyber Intelligence… What is the Difference?
– CND: Direct and immediate impact to operations
– CND: Identify malicious traffic and stop it
– Cyber Intelligence: Understand why attacks are being
conducted and the motivation behind it
– Cyber Intelligence: Understand who is targeting your
organization and what they want
• Think of the role of a police officer compared to a detective
7. Cyber Intelligence & Tracking Adversaries
• Making cyber intelligence actionable
– Targeting
– Infrastructure
– Personas used in advanced attacks
– Malware
– Spear Phishing emails
8. Pivoting
• Using an indicator or information to discover new
related intelligence that is obtained by identifying a
relationship between the two
• Open source and commercial services can assist with pivoting on intelligence to learn new, previously unknown information about your adversary
9. Cyber Intelligence Fusion Process
• Track
• Research
• Pivot
• Analyze
• Fuse
• Document
10. Creating Actionable Products
• Use data gained from tracking adversaries and the
cyber intelligence fusion process to create
actionable products which are described in detail
on the following slides
11. Threat Actor Profiling
• Objective:
– Provide a cyber fingerprint of advanced threats to minimize the time it takes for an analyst to recognize that activity on their network is from an advanced threat group
• Provide profiling of:
– Threat actor groups
– CNE operators / hackers – who, where
and what are they targeting
12. Threat Actor “Attack” Time Lines
Create time lines showing the events and
dates of activity targeting your organization
– Identify trends and patterns in
activity, such as most active months,
weeks and days for each threat group
– Identify gaps in activity
– Compare against other campaigns
– Compare against other significant events (public events, military or political events, major hacktivist operations etc.)
– Allow for predictive analysis based on
patterns and trends in the data
13. Malware Intelligence
• Different than a malware report
– Focus is on what can be learned from malware when
tracked from multiple events over time
– Track and plot malware and the files associated with a
malware family
– Can reveal links between malware families that are not seen when reverse engineering focuses on a single sample
14. Cyber Intelligence + CND reporting = Fusion
• Fusion reporting is designed to provide value
for organizations by pivoting off of multiple
data sources and connecting the dots
• Fusion reporting focuses on who the attacker
is, what they want and where they are likely
going
• Fusion reporting focuses on intelligence to
track and trend threat actors and provide
insight into the TTPs of the infrastructure,
tools and personas adversaries use
• Fusion done correctly can lead to predictive
analysis
15. Conclusion
• Advanced threats have changed the threat landscape, making them difficult to detect
• Mitigating and cleaning up an infection, post compromise, can
cost hundreds of thousands and into millions of dollars
• Cyber Intelligence can be combined with CND capabilities, giving
organizations a much broader view into the who, what, when
and why they are being targeted
• This information can be used to arm CND teams, as well as senior leadership, with the information they need to make decisions and get ahead of today's targeted advanced cyber threats
Defending against state sponsored threats, hacktivist groups, and organized criminal organizations has become increasingly difficult with traditional CND methods alone
A frequent topic pertinent to this conversation is whether the benefits associated with cyber intelligence warrant the cost associated with it
This is a relatively new argument as historically only military and government organizations had the capability and access to the data required to produce intelligence
Cyber Intelligence tells the story behind an attack, a threat actor and even an indicator.
Cyber intelligence allows an organization to properly assess a threat and make decisions such as how to handle the threat and what resources should be allocated to mitigate it
For example, cyber intelligence may tell you that an indicator has been associated with a threat group that uses malware which runs in virtual memory and eludes detection, and that the group is known to escalate privileges and use legitimate accounts to VPN in and out of your network to exfiltrate data.
An organization would want to respond to that very differently than it would to an indicator associated with ransomware or fake AV
Advanced threat group categories are going to vary from organization to organization; however, for the purpose of this brief I define an advanced threat as one that is organized and conducts targeted attacks
APT is a term that is often used when referring to a threat associated with a state sponsor. APT often uses advanced or custom malware that is delivered via spear phishing emails or watering holes
While less sophisticated, hacktivist groups have been fairly successful due to the large scale attacks conducted against their targets. Hacktivist groups are known to conduct DDoS attacks as well as post sensitive or proprietary data to public websites with the intent to cause embarrassment to the target
Criminal elements operate differently as their targeting and motivation are financial. The attacks conducted by these groups often use Point of Sale (PoS) malware, RATs and ransomware
Activity that meets the TTPs of an advanced threat is often identified, but the attacker is often unknown. These attacks can be clustered or placed into buckets until further attribution can be made
Generally, advanced threats make up less than 10% of cyber threat activity.
Human operators driving attacks make detection more difficult because they can adapt and change tactics and methods to elude detection.
For example, malware will often be re-hashed or modified to elude detection.
Advanced threats have often conducted reconnaissance and taken the time to know their target. Doing the same and learning their TTPs can help you understand how a threat group operates, and where and what to look for to find them on your network
Individually, they both bring value in different ways
Together they provide a much more in-depth threat picture that can be used to better defend your networks
CND delivers an immediate action to operations, while cyber intelligence helps you understand who is targeting your organization and may provide insight into the attack vector and tools they may use to try and get onto your network.
A good analogy I once heard on comparing CND to Cyber intelligence roles was to compare the role of a police officer to a detective. A police officer identifies a threat or crime and primarily cares about stopping it, while a detective is going to be concerned as to why the crime was conducted, if there was any previous related activity that led up to the crime and if they are associated with any gangs or criminal organizations. Most police departments have both police officers and detectives and so should a good Security Operations Center
Intelligence will tell you the industries, technologies, programs, and organizations that an adversary is targeting.
With infrastructure, cyber intelligence tells you if a command & control is attacker owned vs attacker controlled, such as a legitimate website that has been compromised. That information makes a difference in how you treat or handle the domain or IP.
Intel on an adversary's personas would tell you who they are trying to masquerade as, which can often lead you to what they are after.
Intel will tell you if malware has been seen in previous targeted attacks as well as if it is unique and custom developed or publicly available. Identifying malware attributes like unique strings, mutexes or passwords can help with attribution as well as creating signatures
With spear phishing, intelligence may tell you of patterns or previous use of sender addresses or X-mailers, or if the attacker primarily uses attachments vs URLs, which can assist in attribution
Taking an indicator and finding other indicators or intelligence through a relationship with the original indicator is called pivoting
A number of open source and commercial tools are available that make pivoting an easy process.
For example, passive DNS records can tell you what other domains sat on an IP address at the same time that an adversary Command and Control domain did.
Another example would be using domain records to identify new domains registered by the same adversary-owned registrant address
Or you could search through malware repositories to identify related variants of malware, decoy docs, and C2 infrastructure
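The passive DNS pivot described above, as an added example that is not part of the original brief: given a seed C2 domain and a set of passive DNS records (constructed here with reserved documentation addresses and .test names), it returns the other domains that resolved to the same IP during an overlapping time window, and skips IPs that host too many domains to be meaningful.

```python
from datetime import date

# Constructed passive DNS records (domain, ip, first_seen, last_seen).
# Sample values for illustration only, not real indicators.
PDNS = [
    ("c2-example.test",  "198.51.100.7", date(2014, 1, 10), date(2014, 3, 1)),
    ("update-cdn.test",  "198.51.100.7", date(2014, 2, 1),  date(2014, 2, 20)),
    ("shared-host.test", "198.51.100.7", date(2013, 6, 1),  date(2013, 12, 1)),
    ("c2-example.test",  "203.0.113.44", date(2014, 3, 2),  date(2014, 5, 1)),
    ("mail-relay.test",  "203.0.113.44", date(2014, 4, 1),  date(2014, 6, 1)),
    ("unrelated.test",   "192.0.2.9",    date(2014, 1, 1),  date(2014, 12, 1)),
]


def overlaps(a_start, a_end, b_start, b_end):
    """True when two inclusive date ranges share at least one day."""
    return a_start <= b_end and b_start <= a_end


def pivot_on_domain(seed, records, max_cohosted=20):
    """Map each IP the seed domain resolved to onto the other domains that
    sat on that IP while the seed did. An IP carrying more than max_cohosted
    other domains is reported as None: that looks like shared hosting or a
    CDN, where co-hosting is weak evidence of a relationship."""
    related = {}
    for domain, ip, first, last in records:
        if domain != seed:
            continue
        others = [r for r in records if r[1] == ip and r[0] != seed]
        if len(others) > max_cohosted:
            related[ip] = None
            continue
        # Only domains whose window overlaps the seed's window count;
        # shared-host.test left 198.51.100.7 months earlier and is dropped.
        hits = {o[0] for o in others if overlaps(first, last, o[2], o[3])}
        current = set(related.get(ip) or [])
        related[ip] = sorted(current | hits)
    return related


if __name__ == "__main__":
    for ip, domains in pivot_on_domain("c2-example.test", PDNS).items():
        print(ip, "->", "skipped (shared hosting?)" if domains is None else domains)
```

Every co-hosted domain this returns is a lead to research, not a confirmed indicator; registrant records or malware repositories are the next pivot to confirm it.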
Track - Identify threat activity over time that is targeting your organization
Research - Use open source intelligence to identify other attacks and information from the same attacker
Pivot - Expand on information learned from the Track and Research phases to identify new, previously unknown information
Analyze - Perform analysis on your data as a whole and connect the dots
Fuse - Take all of your results, internal tracking, open source intel, pivot findings, and analysis and put it all together
Document - Document your results and distribute within your organization
We talked about the process of creating cyber intelligence and next I'm going to discuss how to make actionable products from it
One of the most useful products you can create from cyber intelligence is a threat actor profile or threat card.
They provide a digital fingerprint of advanced threat adversaries. The purpose of threat actor profiling is to create profiles of threats specific to your organization to get security analysts familiar with the threats targeting it.
This can reduce the time it takes for an analyst to identify that a threat on their network is advanced and react accordingly to mitigate it
A lot of good information can be gained by creating timelines of cyber attacks against your organization.
-You can identify trends and patterns within the activity
-You can often determine the time-zone of your attacker based on the times attacks were conducted
-Timelines assist in identifying significant events or a reoccurring event that takes place prior to the attacks
-You can also use the patterns and trends to conduct smart predictive analysis on when future attacks may occur
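The timeline analysis above, as an added example that is not part of the original brief: over a constructed set of UTC event timestamps for one threat group it reports the busiest weekdays, a working-hours estimate of the attacker's UTC offset, and quiet gaps worth comparing against outside events. The 9-to-18 working day and 14-day gap threshold are assumptions to tune.

```python
from collections import Counter
from datetime import datetime

# Constructed event timestamps (UTC) for one threat group's spear-phishing
# waves against the organization. Sample data, not real activity.
EVENTS = [datetime(2014, m, d, h) for (m, d, h) in [
    (1, 6, 0), (1, 7, 1), (1, 8, 2), (1, 13, 3), (1, 14, 4),
    (1, 20, 5), (1, 21, 6), (2, 3, 7), (2, 4, 8), (2, 5, 1),
    (3, 10, 2), (3, 11, 3), (3, 12, 4), (3, 17, 5), (3, 24, 6),
]]


def busiest_weekdays(events):
    """Count events per weekday name to expose a working-week pattern."""
    return Counter(e.strftime("%A") for e in events)


def estimate_utc_offset(events, work_start=9, work_end=18):
    """Return the whole-hour UTC offset that places the most events inside a
    work_start..work_end local working day. Heuristic only: operators on odd
    shifts, or activity relayed through compromised hosts, skew the result."""
    def in_working_day(offset):
        return sum(work_start <= (e.hour + offset) % 24 < work_end for e in events)
    return max(range(-12, 15), key=in_working_day)


def activity_gaps(events, min_days=14):
    """Return (last_seen, next_seen, quiet_days) for pauses of at least min_days;
    long pauses are worth comparing against public, political or military events."""
    ordered = sorted(events)
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        quiet = (cur - prev).days
        if quiet >= min_days:
            gaps.append((prev.date(), cur.date(), quiet))
    return gaps


if __name__ == "__main__":
    print("by weekday:", busiest_weekdays(EVENTS).most_common())
    print("likely working-hours offset: UTC%+d" % estimate_utc_offset(EVENTS))
    print("gaps:", activity_gaps(EVENTS))
```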
You can track attributes of malware to find associations and intelligence that can be used for pivoting as well as assisting in attribution.
Open source and commercial tools can assist in finding relationships in malware. Tools like Cuckoo Sandbox and Maltego can automate analysis and visually plot the malware and the C2 domains they call out to.
This can help to visually identify patterns and relationships that you would otherwise not have seen.
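The attribute tracking described here and in the malware paragraph above (unique strings, mutexes, C2 domains), as an added example that is not part of the original brief: constructed sample records with placeholder hashes are linked whenever they share a rare attribute, and union-find groups them into clusters so that samples labelled "unknown" inherit a candidate family to verify. The max_share cut-off for "too common to be evidence" is an assumption.

```python
from collections import defaultdict

# Constructed sample attributes; hashes are placeholders, not real IoCs.
SAMPLES = {
    "sha256-PLACEHOLDER-1": {"family": "FamilyA", "mutex": {"Global\\mtx-a1"},
                             "strings": {"cmd.exe", "/gate.php?id="}, "c2": {"c2-example.test"}},
    "sha256-PLACEHOLDER-2": {"family": "FamilyA", "mutex": {"Global\\mtx-a1"},
                             "strings": {"cmd.exe", "/gate.php?id="}, "c2": {"update-cdn.test"}},
    "sha256-PLACEHOLDER-3": {"family": "unknown", "mutex": {"Global\\mtx-zz"},
                             "strings": {"cmd.exe", "/gate.php?id="}, "c2": {"mail-relay.test"}},
    "sha256-PLACEHOLDER-4": {"family": "unknown", "mutex": {"Global\\mtx-zz"},
                             "strings": {"cmd.exe"}, "c2": {"update-cdn.test"}},
    "sha256-PLACEHOLDER-5": {"family": "FamilyB", "mutex": set(),
                             "strings": {"cmd.exe"}, "c2": {"other-c2.test"}},
}


def link_samples(samples, max_share=3):
    """Cluster samples sharing a mutex, string or C2 domain. An attribute seen
    in more than max_share samples ("cmd.exe" here, present in all five) is too
    generic to be evidence and is ignored. Returns (clusters, evidence)."""
    index = defaultdict(set)  # (kind, value) -> hashes carrying it
    for h, attrs in samples.items():
        for kind in ("mutex", "strings", "c2"):
            for value in attrs[kind]:
                index[(kind, value)].add(h)
    parent = {h: h for h in samples}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    evidence = defaultdict(set)  # hash -> attributes that linked it
    for key, hashes in index.items():
        if len(hashes) < 2 or len(hashes) > max_share:
            continue
        ordered = sorted(hashes)
        for other in ordered[1:]:
            parent[find(other)] = find(ordered[0])
        for h in ordered:
            evidence[h].add(key)
    clusters = defaultdict(set)
    for h in samples:
        clusters[find(h)].add(h)
    return [sorted(c) for c in clusters.values()], dict(evidence)


def known_families(samples, cluster):
    """Labels already in a cluster: candidate attribution for its unknown members."""
    return sorted({samples[h]["family"] for h in cluster} - {"unknown"})
```

A single shared attribute is a lead, not attribution: the evidence map shows which attribute made each link so an analyst can judge its weight (a shared mutex is stronger than a shared URL path).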
Fusion is the process of using cyber intelligence + CND data to tell the story of your adversary
-That story brings knowledge of who is targeting your organization, what they want and the level of sophistication they have to attack you.
-It can allow you to make accurate and educated decisions on how to defend against advanced threats and provides knowledge of high value indicators often unknown to the public and vendors
Cyber intelligence comes from a mix of data and analysis. Many organizations are heavily targeted by cyber threats.
Use the data from your adversaries' attacks against your organization against them. The intelligence is in the data many organizations already have, and it can be very effective and valuable at defending against cyber threats