#089: Cybersecurity Series – Cyber Threat Intelligence (CTI)

#089: Cybersecurity Series – Cyber Threat Intelligence (CTI)

This is Venyu Podcast #89 for Friday, March 24th, 2023. In this cybersecurity focused podcast, Eric, Michael, and I take a deeper dive into cyber threat intelligence (CTI).

How Did We Get Here?

• Like with almost anything, there’s a beginning. CTI can’t exist without Intelligence in a traditional sense (think CIA or military) and its principles.
• CTI is basically a merging of cybersecurity and traditional intelligence. CTI is not just a data feed or some magic tool.

Types of CTI

• Tactical – This intelligence is highly detailed and can come in the form of malicious IPs/domains, hashes, or other IOCs. (think SecOps and incident response teams)
• Operational – This intelligence focuses on TTPs that threat hunter or IR teams put together to help SOC teams or vulnerability management teams in their day-to-day operations.
• Strategic – This intelligence helps to frame threats within the context of the business. This helps the C-suite to allocate resources to protect the organization from a threat.

Frameworks and Models

• Lockheed Martin Cyber Kill Chain – A 7 phase chain developed by Lockheed Martin that defines attacks on a network by a
  threat actor (TA). It’s important for Threat Hunters to understand the Cyber Kill Chain to have an understanding of how far along a TA is if the Threat Hunter finds malicious activity. Lockheed even provides a course of action matrix to help organizations know what controls can be put in place to thwart TA’s at each step of the kill chain.
  • Reconnaissance – TA researches the target. A lot of this can be performed via OSINT (think viewing employees of an organization via LinkedIn to prep for a phishing attack)
  • Weaponization – Pairing of an attack vector with an exploit or vulnerability
  • Delivery – Sending the target a weaponized bundle (email, USB, etc.)
  • Exploitation – Finding a vulnerability within a system to exploit
  • Installation – Installation of the malware
  • Command and Control (C2) – Establishing persistence with remote access and lateral movement.
  • Actions on Objectives – TA can begin to exfiltrate, encrypt, or destroy data (depending upon their goal)

• MITRE ATT&CK – A knowledge base of adversary TTPs. The ATT&CK matrix is shown in Tactics (columns) with techniques
  and sub-techniques listed under each tactic. This is extremely useful because it ties TTPs to threat groups and provides mitigations and
  detections for each tactic and technique. You can also read more about specific threat groups, so if you know that a certain group is targeting organizations in your industry, you can research more about the tactics, techniques, and even software that they use. This can help an organization proactively create defenses.
  • A quick example is the reconnaissance tactic with active scanning as a technique, and vulnerability scanning as a sub-technique.
  • MITRE DEFEND exists to help organizations deploy protect their network from TTPs sited in ATT&CK.

• Diamond Model – Maps relationships between and adversary (TA), their capabilities (malware, tools, exploits, etc.), their
  infrastructure (IP addresses, domain names, etc.), and the victim organization. Threat analysts can use the diamond model to learn about
  adversary behavior from events that have occurred and to track said adversary over a period of time. This can and should be used with other models (kill chain and MITRE ATT&CK).
  • Sample exercise – A piece of malware is found on the network and you can pull a hash. If known the hash can be run on VirusTotal or if it can be pulled from memory, forensics can be run to see if the malware sample contains IPs or domains. These can be used to map to an adversary. Once the adversary is known analysts can read more about the adversary to determine if they target a specific type of organization and also how to better defend against them in the future.

• What’s the Ultimate Goal of Using All These Frameworks and Models?
  Pyramid of Pain – It’s made up of 6 levels (Hash Values, IP Addresses, Domain Names, Network/Host Artifacts, Tools, TTPs).
  Starting with the bottom and working up the pyramid, it illustrates how difficult (from trivial to tough) it would be for a TA to change their IOCs (traditional or behavioral) if said IOCs were to start being blocked by organizations.

Links

• https://attack.mitre.org/
• https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
• https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
• https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a
• https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36

Lockheed Martin Cyber Kill Chain