[EN] Cyber Threat Intelligence

PwnLab.Me

Admin


What is Cyber Threat Intelligence?

Cyber Threat Intelligence is the discipline of collecting and connecting data about attackers and attacks in order to prevent possible new attacks.

We can break down the threat intelligence into three sub-categories:

  1. Tactical: The technical part that examines indicators of compromise and logs. It is useful for identifying threat actors and their actions, and it looks for currently active threat actors.
  2. Operational: The technical part that asks “Who is attacking?” and examines TTPs (tactics, techniques, and procedures) and all other information about attackers, such as their tools, motivations, and capabilities.
  3. Strategic: The non-technical part that works on the big picture of attacks. It looks at current events that can increase an organization’s security risk and at how these risks can damage the organization politically, socially, and economically.

Cyber Risk Examples

  • Service Disruption: Organizations can suffer financial losses for failing to provide their services.
  • Employee Related Risk: Organizations hold private information about their employees; this information could be exposed.
  • Network Connected Devices: Any hardware with a network connection, such as healthcare devices, might be compromised.
  • Reputation Damage: Organizations can lose reputation due to security compromises.
  • Intellectual Property: Organizations’ intellectual property could be leaked.
  • Customer Related Risk: Organizations hold private information about their customers; this information could be exposed.

Risk Tolerances

We can analyze the tolerances in 4 different categories:

  1. Error Margins
  2. Critical Infrastructures
  3. Obligations
  4. Compromises

Collaboration

Collaboration with other companies for intelligence sharing is highly beneficial: your organization will be more secure with shared intelligence and your brand value will increase. Some companies isolate themselves from intelligence sharing to gain a marketplace advantage, but this posture is likely to make the organization low-hanging fruit.

Security Theatre

The security theatre concept describes an organization that cares more about the appearance of security than about real security. Security theatre will increase brand value until the organization gets damaged because of its poor security implementation. It may be appropriate in the short term if you want to increase your brand value, but at the end of the day you must implement real security measures. The tightened airport security measures after the September 11 attacks are a common example of security theatre.

Failure Points

One of the most important parts of threat intelligence is logging. If your organization has problems with logging, it will probably lead to inaccurate analysis of the data. Here are some examples of logging problems:

  • Too many/too few logs
  • Wrong logs
  • Invisible logs

If you want to prevent threat intelligence from failing, asset management is a very critical topic. To do asset management well, you must start it early. If you start asset management in the middle of a project, you won’t be able to see the big picture, and you can’t secure a project if you can’t see the whole of it.

There is one more failure point prevention which I’d like to mention, and it is the recontextualization of intelligence. Let’s assume you have old intelligence and new intelligence. If you put these two pieces of data into context and analyze the combined data, you are likely to conclude that the old intelligence is no longer valid.

Threat Modelling for Attack Surface

Attack surface models show the points where threat actors can interact with your organization.

  • Computers: Threat actors mostly interact with computers, as expected.
  • Physical Security: Organizations have to keep their servers, employees, and other physical infrastructures somewhere. You must secure these physical infrastructures from threat actors.
  • Employees: Threat actors might make social engineering attacks on your employees.
  • Customers: Customers might attack you and you might attack your customers unknowingly as a result of another attack.

Threat Modelling for Threat Actors

Threat actors are the people who want to attack your organization.

  • Script Kiddies: Script kiddies are the people who know nothing about cyber security. They generally use pre-built automated tools.
  • Hackers: Hackers are the people who know cyber security well.
  • APTs: Advanced Persistent Threats are groups or individuals who are dedicated, talented, and generally state-sponsored hackers.
  • Natural Causes: Your organization’s physical infrastructure might get damaged because of natural events.

Threat Intelligence Cycle

  1. Direction: Ask yourself who your intelligence is for and why you need it.
  2. Collection: You will need data, so you can use tactical, operational, and strategic methods for collecting and monitoring it.
  3. Processing: Raw data is produced in large volumes, which means it is likely to contain inaccuracies and false positives. You’ll end up with misleading intelligence if you do not process the data with tools and experts.
  4. Analysis: Create a story from the data, find the actionable objectives, and convert them into a human-readable solution.
  5. Dissemination: Find out who needs the data, when they need it, and how they will use it.
  6. Feedback: Take feedback on your intelligence, find the weak points of your intelligence and your intelligence report, and try to improve yourself and stay dynamic.

MITRE ATT&CK Framework

The MITRE ATT&CK Framework is a knowledge base of the cyberattack tactics and techniques known to be used by attackers. Its attack matrix has 14 categories (tactics), and these categories contain more than 200 techniques and hundreds of sub-techniques. Knowledge of this matrix is important for both the defensive and offensive sides of cyber security and threat intelligence. If you want a detailed explanation of the attack matrix, you can check this out. Here is a brief list of the 14 main categories:

  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

STRIDE Model

The STRIDE model is a threat model developed at Microsoft and is useful for identifying threats. It lists 6 threat categories together with the security property each one violates:

  • Spoofing -> Authenticity
  • Tampering -> Integrity
  • Repudiation -> Non-repudiability
  • Information disclosure -> Confidentiality
  • Denial of Service -> Availability
  • Elevation of Privilege -> Authorization

The Cyber Kill Chain

The kill chain is a military concept. As the name suggests, it describes the steps of identifying and destroying a target. Lockheed Martin applied this concept to information security as the Cyber Kill Chain. It describes the 7 phases of a cyber attack:

  1. Reconnaissance: The attacker researches the target and tries to find vulnerabilities.
  2. Weaponization: The attacker builds a cyber weapon such as malware.
  3. Delivery: The attacker delivers the cyber weapon to the target.
  4. Exploitation: The cyber weapon is triggered on the target to exploit a vulnerability.
  5. Installation: The cyber weapon installs backdoors.
  6. Command and Control: The cyber weapon gives the attacker persistent access to the target.
  7. Actions on Objective: The attacker exfiltrates, destroys, or encrypts data according to their goals.

Cyber Threat Detection Methods

1) Honeypots


Honeypots are trap network systems that aim to gather information about threat actors. They look like a real system that contains sensitive data. Threat actors try to attack these systems and organizations gather information about them. There are some indicators for the quality of a honeypot:

  • Inconspicuous
  • Explorable and wide system
  • Timesink
  • Good Logging

Honeypots are divided into 3 types according to their interactivity:

  • Pure Honeypots: Pure honeypots are fully configured honeypots that don’t need any other services to run.
  • High-Interaction Honeypots: High-interaction honeypots imitate many different services and products. That means they are time sinks and can’t be detected easily, but it also means they consume more resources.
  • Low-Interaction Honeypots: Low-interaction honeypots imitate only some of the services which threat actors mostly use. They consume fewer resources than high-interaction honeypots, so they can run as a virtual machine on a shared physical machine.

Also, honeypots are divided into 2 types according to their deployment:

  • Production Honeypots: Production honeypots are lightweight, tactical, and efficient honeypots that capture limited data. They are generally deployed on the production networks of specific organizations to improve security.
  • Research Honeypots: Research honeypots are more complex and comprehensive honeypots that produce a lot of operational intelligence. Research organizations, the military, and governments generally use these honeypots against black hat communities.

Although honeypots are quite useful, they might be dangerous. Threat actors might use honeypots as pivot nodes to harm production networks.

2) Vulnerability Scanners

Vulnerability scanners are tools that make security testing easier by automatically scanning for known vulnerabilities. Organizations use these scanners to secure their systems; threat actors also use them to gather information about a target system.

3) Dark Web and Clearnet Traffic Monitoring

The Dark Web consists of services that can only be reached through specific encryption protocols and software. Threat actors use both the clearnet and the dark web, and they have their own communities and marketplaces. If you want to gather intelligence via these communities, marketplaces, or forums, you must be careful about what you are doing. If you’re not sure what you’re doing, leave it to a specialist.

4) OSINT

OSINT means open-source intelligence. You can use usernames, e-mail addresses, IP addresses, images/videos, documents, social media services, public/business/traffic records, geolocations, forums, archives, metadata, and many other things to gather intelligence about a target without any special privileges. You can check this website for nearly every possible OSINT method. Automation when doing OSINT would be really useful. As for the defensive side of OSINT, there is not much you can do to defend yourself or your company.

5) Log Aggregation

Log aggregation tools collect and filter all of your logs in one place. You won’t waste your time using these tools, and you’ll get more accurate results from your logs. ELK and Splunk are examples of log aggregation tools.

Machine Learning and Threat Intelligence

First of all, we should say that machine learning and artificial intelligence are different things. Machine learning is the process that creates intelligence from provided data, whereas artificial intelligence is capable of processing and categorizing unstructured data on its own.

If we want to use machine learning for cyber threat intelligence, we can build products like network traffic anomaly detectors or suspicious event flaggers. First of all, we must train our machines to gather threat intelligence. There are several ways to train machine learning algorithms using structured data sets:

  • Supervised Learning: In supervised learning, observations are collected about the concept to be learned and the desired output values are given to the learner as a training set. Using this information, a relationship is created between input and output. Using that relationship, the Y′ outputs corresponding to X′ observations encountered in the future can be estimated. Supervised learning is expensive.
  • Unsupervised Learning: Unsupervised learning is learning the relationships and structures existing in the data without classifying the data as cause-effect or input-output. It provides inferences about the data by using the distances, relations, and densities of the data samples. Two important approaches to unsupervised learning are dimension reduction and clustering. It is cheaper than supervised learning.
  • Reinforcement Learning: Reinforcement learning is about how intelligent agents need to take actions in an environment to maximize the cumulative reward. Reinforcement learning doesn’t need classified input/output pairs to be presented and also doesn’t need sub-optimal actions to be corrected. We can give video games as an example.
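As an added example (not code from the original post), here is a small unsupervised "network traffic abnormality finder" of the kind mentioned above: it scores every source host by its distance from the fleet baseline using median/MAD z-scores, which is the distance-based idea the unsupervised learning item describes. The flow records are constructed, and the 3.5 threshold is an assumed tuning value.

```python
from collections import defaultdict
from math import sqrt
from statistics import median

# Constructed flow summaries: (source host, destination port, bytes out,
# connections) over one observation window. Not captured from a real network.
FLOWS = [
    ("10.0.0.11", 443, 180_000, 42), ("10.0.0.11", 53, 6_000, 120),
    ("10.0.0.12", 443, 210_000, 51), ("10.0.0.12", 53, 5_500, 110),
    ("10.0.0.13", 443, 195_000, 47), ("10.0.0.13", 53, 6_200, 125),
    ("10.0.0.14", 443, 170_000, 39), ("10.0.0.14", 53, 5_800, 115),
    ("10.0.0.15", 443, 205_000, 49), ("10.0.0.15", 53, 6_100, 118),
    ("10.0.0.16", 443, 188_000, 44), ("10.0.0.16", 53, 5_700, 112),
    # One host: a single unusual port, one connection per minute, huge volume.
    ("10.0.0.17", 8443, 9_000_000, 1_440),
]

MAD_TO_SIGMA = 1.4826  # makes the MAD comparable to a standard deviation


def host_features(flows):
    """Per-host feature vector: [total bytes out, total connections]."""
    totals = defaultdict(lambda: [0, 0])
    for host, _port, nbytes, conns in flows:
        totals[host][0] += nbytes
        totals[host][1] += conns
    return dict(totals)


def robust_z(values):
    """Median/MAD z-scores: a single extreme host cannot drag the baseline."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # no spread in this feature, so it carries no anomaly signal
        return [0.0] * len(values)
    return [(v - med) / (MAD_TO_SIGMA * mad) for v in values]


def anomaly_scores(flows):
    """Distance of each host from the fleet median in robust z-score space."""
    feats = host_features(flows)
    hosts = sorted(feats)
    z_cols = [robust_z(list(col)) for col in zip(*(feats[h] for h in hosts))]
    return {h: sqrt(sum(z[i] ** 2 for z in z_cols)) for i, h in enumerate(hosts)}


def flag_anomalies(flows, threshold=3.5):
    """Hosts whose distance exceeds the threshold, most anomalous first."""
    scores = anomaly_scores(flows)
    return sorted((h for h, s in scores.items() if s > threshold), key=lambda h: -scores[h])


if __name__ == "__main__":
    for host, score in sorted(anomaly_scores(FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{host:12} distance={score:8.2f}")
    print("flagged:", flag_anomalies(FLOWS))
```

Because the baseline is a median rather than a mean, one noisy host does not hide itself by inflating the average; the flagged host still needs an analyst to decide whether it is a backup job or a beacon.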

This part was about training the data. Now we’ll talk about machine learning models:

  • Artificial Neural Networks: Artificial neural networks try to identify an object by processing labelled data without being given an explicit definition of the object. They use trends and patterns related to the object for learning. If you feed the neural network a thousand pizza images and then show it another pizza image, it can say it is a pizza even though you never defined the pizza concept. Neural networks are composed of neurons. Each neuron processes several inputs and produces a single output. An input could be the output of another neuron. Neural networks are layer-based models, so each neuron has multiple connections with other neurons. They imitate biology.
  • Decision Trees: Decision trees are classification-based algorithms. A decision tree is like a game of 20 Questions: it tries to find the best sequence of decisions for a given job.
  • Genetic Algorithms: A genetic algorithm starts by generating random solutions; a fitness function then selects the better ones to derive new solutions, and this repeats until the best solution is found.
  • Bayesian Networks: A Bayesian network is a probabilistic graph model (a kind of statistical model) that expresses a set of random variables and their conditional dependencies as a directed acyclic graph. It is an ideal type of model for describing an event that occurs in everyday life and for estimating the probability that one of the few known possible causes of that event is a contributing factor. For example, probabilistic conditional relationships between diseases and their symptoms can be modeled using a Bayesian network.

Cloud Threat Intelligence

Cloud services provide hardware to customers who access it through the internet. If you use a cloud provider to host your service, there will be some cyber risks for your service. First of all, the attack surface of your service will shift, and it will be hard to control that. Also, another party will be making security-based decisions. But if you consider the reduced cost of your service and the additional services offered, using the cloud can be beneficial for you.

There is another choice to make for the cloud: should you choose a private or a public cloud service? Public cloud services are cheaper and maximize scalability. Private cloud services are more secure and customizable. You can also select a hybrid cloud that includes self-hosted services.

Finally, don’t forget that cloud providers’ problems might become your problems too, and the cloud is not your computer; it belongs to someone else. Cloud services require additional skills to manage, and people make mistakes while learning them. Threat actors can exploit these mistakes.

Threat Actors

Even if you’re not a military-related organization, it is possible to get attacked by nation-state actors. Governments use their APTs for political objectives because it is cheaper than conventional warfare and it might give unique results that only cyberwarfare can give.

So, we’d like to talk about APTs in this section, but there is something you should know before starting. This information is mainly from a Western perspective and is biased. Also, some APTs might overlap, be inactive, or not be publicly disclosed. There are a lot of APTs, so I’ll give you this resource for detailed information about all APTs.

Information Warfare

One of the most valuable things on the internet is information, and it is one of the biggest targets of threat actors. We can discuss information warfare under 5 topics.

1) Selective Information Disclosure

In selective information disclosure, threat actors intentionally leave out some information to affect people’s decisions. If you’re suspicious of this situation, ask yourself about the biases of the presenters and where the information came from. Such disclosures are generally products of cyberattacks.

2) Firehoses

Firehoses create a large volume of false stories to hide the truth, and they generally play to the biases of the targeted audience. You can see them on social media.

3) Information Denial

Information denial is generally carried out by states during civil unrest. It tries to block access to information or to delay its spread. It can be a kind of spoofing/interception attack, but it could also be as simple as DoSing a news website.

4) Information Interception

The main goal of this attack is to observe the communication. It could also be combined with spoofing.

5) Information Spoofing

Before spoofing information, the threat actor compromises networks or carries out phishing attacks against targets, then uses that access to spoof the information. Threat actor-controlled networks or stolen social media accounts could be involved. Astroturfing is one example. It could also be as simple as a MITM attack.

CVSS Model and CARVER Matrix

CVSS is the scoring system we use to determine the severity of a vulnerability. It uses a set of metrics for the calculation. If you want detailed information about how these metrics are calculated you can visit there, and if you want to calculate the severity of a vulnerability you can navigate there.

The CARVER matrix is similar to the CVSS model. It has 6 base metrics: criticality, accessibility, recoverability, vulnerability, effect, and recognizability.

They both help you classify vulnerabilities according to their severity, but keep one fact in mind: you can’t patch all vulnerabilities in one day. That means you must make an emergency plan for a crisis. Keep the emergency instructions simple and easy to access.
 