Chapter 2
Using Threat Intelligence

Security professionals of all types need to fully understand threats in order to prevent them or limit their impact. In order to do this, you need threat intelligence: data about your adversaries, their motivations, capabilities, tools, and methodologies. In addition, you need information about what to look for when your adversaries succeed.

Threat intelligence gathering relies on real-world information gathering, evidence collection, and analysis. Threat intelligence can be categorized into three levels of intelligence. The first is strategic intelligence, which provides broad information about threats and threat actors allowing organizations to understand and respond to trends. Second, tactical threat intelligence includes more detailed technical and behavioral information that is directly useful to security professionals and others who are tasked with defense and response. Finally, operational threat intelligence is composed of highly detailed information allowing response to a specific threat and often includes information about where it came from, who created it or how it has changed over time, how it is delivered or how it spreads, what it attempts to do, how to remove it, and how to prevent it.

In this chapter, you will learn about the many types of threat intelligence, including sources and means of assessing the relevance and accuracy of a given threat intelligence source. There is a broad threat intelligence community, and we will discuss sources that you can use in your work. We will also talk about threat classification, threat actors, and attack frameworks to help you as you model and describe threats. Finally, you will learn about how to apply threat intelligence across your organization.

Threat Data and Intelligence

There are many sources of threat intelligence, ranging from open source intelligence that you can gather from publicly available sources to commercial services that provide proprietary or closed source intelligence information. An increasing number of products and services have the ability to consume threat feed data, allowing you to leverage it throughout your infrastructure and systems.

Regardless of their source, threat feeds are intended to provide up-to-date details about threats in a way that your organization can leverage. Threat feeds often include details such as IP addresses, hostnames and domains, email addresses, URLs, file hashes, file paths, CVE numbers, and other details about a threat. Additional information is often included to help make the information relevant and understandable, including details of what may make your organization a target or vulnerable to the threat, descriptions of threat actors, and even details of their motivations and methodologies.

Open Source Intelligence

Open source threat intelligence is threat intelligence that is acquired from publicly available sources. Many organizations have recognized how useful open sharing of threat information can be, and open source threat intelligence has become broadly available. In fact, now the challenge is often around deciding what threat intelligence sources to use, ensuring that they are reliable and up-to-date, and leveraging them well.

A number of sites maintain extensive lists of open source threat information sources:

In addition to open source and community threat data sources, there are many government and public sources of threat intelligence data. For example, Figure 2.1 shows a recent alert listing from the CISA website.

Government sites:

Vendor websites:

Public sources:

  • The SANS Internet Storm Center: isc.sans.org
  • VirusShare contains details about malware uploaded to VirusTotal: virusshare.com
  • Spamhaus focuses on block lists, including spam via the Spamhaus Block List (SBL), hijacked and compromised computers on the Exploits Block List (XBL), the Policy Block List (PBL), the Don't Route or Peer lists (DROP) listing netblocks that you may not want to allow traffic from, and a variety of other information: www.spamhaus.org

Although these are just a small portion of the open source intelligence resources available to security practitioners, they can give you a good idea of what is available.

Proprietary and Closed Source Intelligence

Commercial security vendors, government organizations, and other security-centric organizations also create and use proprietary, or closed source, intelligence. They do their own information gathering and research, and they may use custom tools, analysis models, or other proprietary methods to gather, curate, and maintain their threat feeds.

There are a number of reasons that proprietary threat intelligence may be used. The organization may want to keep their threat data secret, they may want to sell or license it and their methods and sources are their trade secrets, or they may not want to take the chance of the threat actors knowing about the data they are gathering.

Commercial closed source intelligence is often part of a service offering that can be a compelling resource for security professionals. The sheer amount of data available via open source threat intelligence feeds can be overwhelming for many organizations. Combing through threat feeds to identify relevant threats, then ensuring that they are both well defined and applied appropriately for your organization, can require massive amounts of effort. Validating threat data can be difficult in many cases, and once you are done making sure you have high-quality threat data, you still have to do something with it!

Assessing Threat Intelligence

Regardless of the source of your threat intelligence information, you need to assess it. A number of common factors come into play when you assess a threat intelligence source or a specific threat intelligence notification:

  • Is it timely? A feed that is operating on delay can cause you to miss a threat or to react after the threat is no longer relevant.
  • Is the information accurate? Can you rely on what it says, and how likely is it that the assessment is valid? Does it rely on a single source or multiple sources? How often are those sources correct?
  • Is the information relevant? If it describes the wrong platform, software, or reason for the organization to be targeted, the data may be very timely, very accurate, and completely irrelevant to your organization.

One way to summarize the threat intelligence assessment data is via a confidence score. Confidence scores allow organizations to filter and use threat intelligence based on how much trust they can give it. That doesn't mean that lower confidence information isn't useful; in fact, a lot of threat intelligence starts with a lower confidence score and that score increases as the information solidifies and as additional sources of information confirm it or are able to do a full analysis. Low confidence threat information shouldn't be completely ignored, but it also shouldn't be relied on to make important decisions without taking the low confidence score into account.
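The three assessment factors and the confidence score can be turned into a small scoring routine. The following is an added illustration, not code from the book: it merges constructed entries from three hypothetical feeds, lets the score rise as more independent sources confirm an indicator and fall as the sighting ages, and separates "relevant to our platforms" from "accurate". The feed names, reliability values, half-life and platform tags are all assumptions chosen for the example.

```python
"""Scoring threat-feed indicators for timeliness, accuracy and relevance.

Added example (not from the book). Feed names, reliability figures,
platform tags and the sample entries are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical historical accuracy of each feed (fraction of past reports
# that proved correct). In practice this comes from the feedback stage.
SOURCE_RELIABILITY = {"feed-a": 0.9, "feed-b": 0.6, "feed-c": 0.75}

# Platforms this (hypothetical) organization actually runs.
OUR_PLATFORMS = {"windows", "linux"}


@dataclass(frozen=True)
class FeedEntry:
    indicator: str        # IP address, domain, hash, ...
    source: str
    last_seen: datetime
    platforms: frozenset  # platforms the reported threat targets


@dataclass
class ScoredIndicator:
    indicator: str
    sources: set = field(default_factory=set)
    last_seen: datetime = datetime.min.replace(tzinfo=timezone.utc)
    platforms: set = field(default_factory=set)
    confidence: int = 0
    relevant: bool = False


def timeliness(last_seen, now, half_life_days=7):
    """Exponential decay: a week-old sighting is worth half of a fresh one."""
    age_days = max((now - last_seen).total_seconds() / 86400, 0.0)
    return 0.5 ** (age_days / half_life_days)


def accuracy(sources):
    """Chance that at least one reporting source is right, treating the
    sources as independent: 1 - product(1 - reliability)."""
    p_all_wrong = 1.0
    for s in sources:
        p_all_wrong *= 1.0 - SOURCE_RELIABILITY.get(s, 0.5)
    return 1.0 - p_all_wrong


def score_feed(entries, now):
    """Merge entries per indicator, then score 0-100."""
    merged = {}
    for e in entries:
        si = merged.setdefault(e.indicator, ScoredIndicator(e.indicator))
        si.sources.add(e.source)
        si.platforms |= e.platforms
        si.last_seen = max(si.last_seen, e.last_seen)
    for si in merged.values():
        si.relevant = bool(si.platforms & OUR_PLATFORMS)
        si.confidence = round(100 * timeliness(si.last_seen, now) * accuracy(si.sources))
    return merged


def actionable(scored, min_confidence=70):
    """Indicators confident and relevant enough to push to blocking controls.
    Lower-confidence indicators stay in the store for monitoring; they are
    not discarded, just not acted on automatically."""
    return sorted(i for i, s in scored.items()
                  if s.relevant and s.confidence >= min_confidence)


# Constructed sample feed entries (TEST-NET addresses and a reserved name).
SAMPLE_NOW = datetime(2019, 10, 22, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    FeedEntry("203.0.113.10", "feed-a", SAMPLE_NOW - timedelta(days=1), frozenset({"windows"})),
    FeedEntry("203.0.113.10", "feed-b", SAMPLE_NOW - timedelta(days=2), frozenset({"windows"})),
    FeedEntry("198.51.100.7", "feed-c", SAMPLE_NOW - timedelta(days=21), frozenset({"linux"})),
    FeedEntry("evil.example", "feed-a", SAMPLE_NOW, frozenset({"ios"})),
]


def run_example():
    """Score the sample feed and return (all scored indicators, actionable list)."""
    scored = score_feed(SAMPLE_ENTRIES, SAMPLE_NOW)
    return scored, actionable(scored)


if __name__ == "__main__":
    scored, act = run_example()
    for si in scored.values():
        print(f"{si.indicator:15} confidence={si.confidence:3} relevant={si.relevant} sources={sorted(si.sources)}")
    print("actionable:", act)
```

In the sample, the indicator confirmed by two feeds and seen yesterday scores 87 and is the only one pushed to blocking; the three-week-old single-source entry scores 9 and stays in monitoring; the fresh, high-accuracy iOS indicator scores 90 but is filtered out as irrelevant to the platforms in use, which is exactly the "timely, accurate and completely irrelevant" case described above.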

Threat Indicator Management and Exchange

Managing threat information at any scale requires standardization and tooling to allow the threat information to be processed and used in automated ways. Indicator management can be much easier with a defined set of terms. That's where structured markup languages like STIX and OpenIOC come in.

Structured Threat Information Expression (STIX) is an XML language originally sponsored by the U.S. Department of Homeland Security. STIX 2.0 (its current version as of this writing) defines 12 STIX domain objects, including things like attack patterns, identities, malware, threat actors, and tools. These objects are then related to each other by one of two STIX relationship object models: either as a relationship or as a sighting. A STIX 2.0 JSON description of a threat actor might read

{
    "type": "threat-actor",
    "created": "2019-10-20T19:17:05.000Z",
    "modified": "2019-10-21T12:22:20.000Z",
    "labels": ["crime-syndicate"],
    "name": "Evil Maid, Inc",
    "description": "Threat actors with access to hotel rooms",
    "aliases": ["Local USB threats"],
    "goals": ["Gain physical access to devices", "Acquire data"],
    "sophistication": "intermediate",
    "resource_level": "government",
    "primary_motivation": "organizational-gain"
}

Fields like sophistication and resource_level use defined vocabulary options to allow STIX 2.0 users to consistently use the data as part of automated and manual systems.

Since its creation, STIX has been handed off to OASIS (the Organization for the Advancement of Structured Information Standards), an international nonprofit consortium that maintains many other projects related to information formatting, including XML and HTML.

A companion to STIX is the Trusted Automated Exchange of Indicator Information (TAXII) protocol. TAXII is intended to allow cyberthreat information to be communicated at the application layer via HTTPS. TAXII is specifically designed to support STIX data exchange. You can read more about both STIX and TAXII in detail at the OASIS GitHub documentation site: oasis-open.github.io/cti-documentation/.
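To show how the required properties, the controlled vocabularies, and the relationship and sighting objects fit together, here is an added example that is not code from the book or from the OASIS project. It uses only the Python standard library rather than the stix2 package, checks the threat-actor object shown above (with an id added, since STIX 2.0 requires one on every object and the snippet in the text omits it), and links the actor to a malware object in a bundle. The object ids and the malware object are constructed for the example.

```python
"""Validating STIX 2.0 domain objects and linking them with a Relationship
and a Sighting. Added example, not the book's code; ids are constructed."""
import json
import re
import uuid
from datetime import datetime, timezone

# Properties every STIX 2.0 object must carry, plus the per-type required
# properties for the object types used in this example.
COMMON_REQUIRED = {"type", "id", "created", "modified"}
TYPE_REQUIRED = {
    "threat-actor": {"name", "labels"},
    "malware": {"name", "labels"},
    "relationship": {"relationship_type", "source_ref", "target_ref"},
    "sighting": {"sighting_of_ref"},
}
# STIX 2.0 open vocabularies. The spec allows other values, so a value
# outside the list is reported as a warning-level problem for consistency.
SOPHISTICATION = {"none", "minimal", "intermediate", "advanced", "expert",
                  "innovator", "strategic"}
RESOURCE_LEVEL = {"individual", "club", "contest", "team", "organization",
                  "government"}
MOTIVATION = {"accidental", "coercion", "dominance", "ideology", "notoriety",
              "organizational-gain", "personal-gain", "personal-satisfaction",
              "revenge", "unpredictable"}

ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def validate(obj):
    """Return a list of problems; an empty list means the object passes."""
    problems = []
    required = COMMON_REQUIRED | TYPE_REQUIRED.get(obj.get("type"), set())
    problems += [f"missing required property {p}" for p in sorted(required - set(obj))]
    if "id" in obj and not (ID_RE.match(obj["id"]) and obj["id"].split("--")[0] == obj.get("type")):
        problems.append("id must be '<type>--<uuid>' and match the type property")
    for ts in ("created", "modified"):
        if ts in obj and not TS_RE.match(obj[ts]):
            problems.append(f"{ts} is not an RFC 3339 UTC timestamp")
    if "created" in obj and "modified" in obj and obj["modified"] < obj["created"]:
        problems.append("modified precedes created")
    for prop, vocab in (("sophistication", SOPHISTICATION),
                        ("resource_level", RESOURCE_LEVEL),
                        ("primary_motivation", MOTIVATION)):
        if prop in obj and obj[prop] not in vocab:
            problems.append(f"{prop} value {obj[prop]!r} is outside the STIX 2.0 vocabulary")
    return problems


# The book's threat actor, plus the id that STIX 2.0 requires (constructed UUID).
THREAT_ACTOR = {
    "type": "threat-actor",
    "id": "threat-actor--8e2e2d2b-17d4-4cbf-98f6-f4d2f41f6f2a",
    "created": "2019-10-20T19:17:05.000Z",
    "modified": "2019-10-21T12:22:20.000Z",
    "labels": ["crime-syndicate"],
    "name": "Evil Maid, Inc",
    "description": "Threat actors with access to hotel rooms",
    "aliases": ["Local USB threats"],
    "goals": ["Gain physical access to devices", "Acquire data"],
    "sophistication": "intermediate",
    "resource_level": "government",
    "primary_motivation": "organizational-gain",
}
# A constructed malware object to relate the actor to.
MALWARE = {
    "type": "malware",
    "id": "malware--0c7b5b88-3a7e-4b1a-9a0e-6f9a2c1d4e5b",
    "created": "2019-10-21T12:30:00.000Z",
    "modified": "2019-10-21T12:30:00.000Z",
    "labels": ["backdoor"],
    "name": "usb-dropper (constructed name)",
}


def stix_timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def relationship(source, target, rel_type):
    """STIX Relationship Object: '<source> <rel_type> <target>'."""
    ts = stix_timestamp()
    return {"type": "relationship", "id": f"relationship--{uuid.uuid4()}",
            "created": ts, "modified": ts, "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def sighting(obj, count):
    """STIX Sighting: the object was observed `count` times."""
    ts = stix_timestamp()
    return {"type": "sighting", "id": f"sighting--{uuid.uuid4()}",
            "created": ts, "modified": ts, "sighting_of_ref": obj["id"], "count": count}


def bundle(*objects):
    """Wrap validated objects in a STIX 2.0 bundle; refuse invalid ones."""
    bad = {o.get("id", "<no id>"): validate(o) for o in objects if validate(o)}
    if bad:
        raise ValueError(f"refusing to bundle invalid objects: {bad}")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": list(objects)}


def run_example():
    """Build actor -> uses -> malware plus one sighting of the actor."""
    return bundle(THREAT_ACTOR, MALWARE,
                  relationship(THREAT_ACTOR, MALWARE, "uses"),
                  sighting(THREAT_ACTOR, count=3))


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The vocabulary check is where the "defined vocabulary options" matter in practice: a feed that writes `resource_level` as "nation" instead of "government" will silently fail any automated filter keyed on the vocabulary, so catching it at ingestion is cheaper than debugging a missed match later.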

Another option is the Open Indicators of Compromise (OpenIOC) format. Like STIX, OpenIOC is an XML-based framework. The OpenIOC schema was developed by Mandiant, and it uses Mandiant's indicators for its base framework. A typical IOC includes metadata like the author, the name of the IOC, and a description; references to the investigation or case and information about the maturity of the IOC; and the definition for the indicator of compromise, which may include details of the actual compromise.

The Intelligence Cycle

Using threat intelligence well requires planning and forethought. Thus, many organizations adopt a threat intelligence life cycle, as shown in Figure 2.2.


FIGURE 2.2 The threat intelligence cycle

Planning Threat Intelligence: Requirements Gathering

The first phase in the intelligence cycle is to plan for your intelligence requirements. Your requirements may be created as a result of successful breaches and compromises, industry trends, or risk assessments conducted for your organization. In this step you will typically do the following:

  • Assess what security breaches or compromises you have faced
  • Assess what information could have prevented or limited the impact of the breach
  • Assess what controls and security measures were not in place that would have mitigated the breach

Data Collection

Once you have your information requirements, you can collect data from threat intelligence sources to meet those requirements. This phase may repeat as additional requirements are added or as requirements are refined based on available data and data sources.

Data Processing and Analysis

The threat intelligence data that you gathered in the data collection stage will likely be in several different formats. Some may be in easy-to-access formats that your existing tools and systems can consume. Other data may be in plain-text or written form, or it may be almost entirely unformatted. In this stage you must first process the data to allow it to be consumed by whatever tools or processes you intend to use, and then you must analyze the data itself. The output from this stage could be data fed into automated systems or other tools, or written reports to distribute to leadership or others across your organization.

Intelligence Dissemination

In the dissemination phase of the intelligence cycle, data is distributed to leadership and operational personnel who will use the data as part of their security operations role.

Feedback

The final stage in the threat intelligence cycle is gathering feedback about the reports and data you have gathered. Continuous improvement is a critical element in the process, and it should be used to create better requirements and to improve the overall output of your threat intelligence program.

The Threat Intelligence Community

In addition to threat intelligence vendors and resources, threat intelligence communities have been created to share threat information. In the United States, organizations known as Information Sharing and Analysis Centers (ISACs) help infrastructure owners and operators share threat information, as well as provide tools and assistance to their members. The National Council of ISACs lists the sector-based ISACs at www.nationalisacs.org/member-isacs.

The ISAC concept was introduced in 1998 as part of Presidential Decision Directive-63 (PDD-63), which asked critical infrastructure sectors to establish organizations to share information about threats and vulnerabilities. ISACs operate on a trust model, allowing in-depth sharing of threat information for both physical and cyber threats. Most ISACs operate 24/7, providing ISAC members in their sector with incident response and threat analysis.

In addition to ISACs, there are specific U.S. agencies or department partners for each critical infrastructure area. A list breaking them down by sector can be found here: www.dhs.gov/cisa/critical-infrastructure-sectors.

Outside the United States, government bodies and agencies with similar responsibilities exist in many countries. The UK's Centre for Protection of National Infrastructure (www.cpni.gov.uk) is tasked with providing threat information as well as resources and guidance to industry and academia, as well as other parts of the government and law enforcement.

Threat Classification

Once you decide to assess the threats to your organization, you will quickly find that you need standard ways to describe them. Fortunately, there are a number of common descriptive schemes and terms used across the industry. Many organizations seek to describe both the threat actors and to classify the threats that they face to better understand the threats themselves.

Threat Actors

The CySA+ exam objectives specifically call out four common threat actors:

  • Nation-state actors often have the most access to resources, including tools, talent, equipment, and time. Nation-state threat actors have the resources of a country behind them, and their goals are typically those of the country they are sponsored by. Nation-state actors are often associated with advanced persistent threat (APT) organizations, and they have advanced tools and capabilities not commonly seen in the hands of other threat actors.
  • Organized crime has played a significant role as a threat actor, with focused attacks typically aimed at financial gain. Ransomware attacks are an increasingly common example of this type of threat from organized crime groups.
  • Hacktivists are activists who use hacking as a means to a political or philosophical end. Hacktivists range from individual actors to large groups like Anonymous, and their technical capabilities and resources can vary greatly. When you are assessing threats from hacktivists, you need to carefully consider what types of hacktivists are most likely to target your organization and why.
  • Insider threats are threats from employees or other trusted individuals or groups inside an organization. They may be intentional or unintentional, but in either case, they can pose a significant threat due to the trusted position they have. Insider threats are frequently considered to be one of the most likely causes of breaches and are often difficult to detect.

Your organization may want to consider other specific threat actors based on your threat models and profile, so you should not consider this a complete list. You should conduct an organizational threat assessment to determine what types of threat actors are most likely to target your organization and why.

Threat Classification

Although there are many ways to classify threats, common classifications include differentiating between known threats, which you are aware of and are likely to have useful information about, and unknown threats, which you can prepare for only through use of general controls and processes. Zero-day threats, or threats that exploit an unknown security vulnerability, are one of the most common types of unknown threats.

Advanced persistent threat actors, particularly those with nation-state resources, commonly acquire zero-day exploit information and leverage it to their advantage.

Threat Research and Modeling

Organizations actively seek to understand the threats that they are likely to face by conducting threat modeling activities. Threat modeling takes many factors into account, but common elements include the following:

  • Assessing adversary capability, or the resources, intent, and ability of the likely threat actor or organization.
  • The total attack surface of the organization you are assessing. This means any system, device, network, application, staff member, or other target that a threat may target.
  • Listing possible attack vectors, the means by which attackers can gain access to their targets.
  • The impact if the attack was successful.
  • The likelihood of the attack or threat succeeding.

All of these items can be scored to help assess organizational risk, as well as to help the organization understand the threats it faces.

Once an organization has established a threat model, or has made it part of their threat modeling activities, they will conduct threat research. There are a number of types of threat research that you or your organization may choose to conduct. You may look at the reputation of a site, netblock, or actor to determine whether they have a history or habit of malicious behavior. This is called threat reputation, and it is most often paired with IP addresses or domains, but file reputation services and data feeds also exist, as well as other reputation-based tools.

You can see an example of this done via Cisco's Talos Intelligence reputation lookup tools found at talosintelligence.com/reputation_center and shown in Figure 2.3. Note that you can see the host's owner and DNS information, as well as email reputation, web reputation, how much spam email it is sending, and if it is on blacklists. In some cases, you may also get information about the content.


FIGURE 2.3 A Talos reputation report for a single host

In addition to reputation research, behavioral assessments are often used to assess a threat. Monitoring for behaviors like those listed in the ATT&CK framework can provide the basis for threat identification and incident response.

Behavioral assessments are particularly useful for insider threats because insider threat behavior is often difficult to distinguish from job- or role-related work. Detecting internal threat behaviors relies heavily on the context of the actions that were performed; a broad view of the insider's actions across all the systems, applications, and networks they interact with; and the ability to gain insight over time. Many insider attacks rely on privileged account abuse, leveraging access to sensitive information, and use of shared passwords. They also often occur outside of normal hours or may require more time, making it possible to identify them through these differences in behavior.
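The three behaviors just named (shared-account use, privileged actions outside a person's own normal hours, and unusual access to sensitive information) can each be expressed as a check over access logs. The block below is an added example, not the book's code: it runs those checks over a constructed log, builds the "normal hours" baseline from each user's own earlier activity rather than a fixed nine-to-five, and only raises the out-of-hours finding once enough history exists. The log format, user names, account names, thresholds and sensitive-path prefixes are all assumptions for the example.

```python
"""Behavioral checks for insider-threat indicators over constructed log lines.

Added example, not the book's code. Log format and all names are constructed:
  <ISO timestamp> <user> <account used> <action> <resource>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. alice works HR hours; bob is a night-shift admin.
LOG = """\
2019-10-14T09:12:00 alice alice read hr/payroll-2019.xlsx
2019-10-14T10:45:00 alice alice read hr/benefits.docx
2019-10-14T21:30:00 bob bob sudo /usr/sbin/service nginx restart
2019-10-15T09:30:00 alice alice read hr/payroll-2019.xlsx
2019-10-15T22:05:00 bob bob sudo /usr/sbin/service nginx restart
2019-10-16T14:05:00 alice alice read hr/org-chart.pdf
2019-10-16T21:50:00 bob bob sudo /usr/sbin/service nginx restart
2019-10-17T08:55:00 alice alice read hr/benefits.docx
2019-10-17T22:10:00 bob bob sudo /usr/sbin/service nginx restart
2019-10-19T23:40:00 alice svc_backup sudo /usr/bin/tar hr/
2019-10-19T23:41:00 alice alice read hr/payroll-2019.xlsx
2019-10-19T23:42:00 alice alice read hr/salaries-board.xlsx
2019-10-19T23:43:00 alice alice read hr/comp-review.xlsx
2019-10-19T23:44:00 alice alice read hr/terminations.xlsx
"""

SHARED_ACCOUNTS = {"svc_backup", "admin"}     # accounts with shared passwords
SENSITIVE_PREFIXES = ("hr/", "finance/")      # paths holding sensitive data
PRIVILEGED_ACTIONS = {"sudo"}
MIN_HISTORY = 3          # events of a user's own history before judging hours
HOURS_TOLERANCE = 1      # hours of slack around the observed working range
BULK_THRESHOLD = 3       # sensitive reads within BULK_WINDOW_MIN minutes
BULK_WINDOW_MIN = 10


def parse(log_text):
    """Parse the constructed format into dicts, oldest event first."""
    events = []
    for line in log_text.splitlines():
        ts, user, account, action, resource = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "account": account, "action": action, "resource": resource})
    return sorted(events, key=lambda e: e["ts"])


def hunt(events):
    """Return (finding_kind, user, timestamp) tuples."""
    findings = []
    history = defaultdict(list)           # user -> timestamps seen so far
    recent_sensitive = defaultdict(list)  # user -> recent sensitive-read times
    for e in events:
        user, ts = e["user"], e["ts"]

        # 1. Shared / service account used interactively by a person.
        if e["account"] != user and e["account"] in SHARED_ACCOUNTS:
            findings.append(("shared-account", user, ts))

        # 2. Privileged action outside this user's own observed hours.
        #    The baseline is the user's prior activity, so bob's night-shift
        #    sudo is normal for bob while alice's 23:40 sudo is not for alice.
        if e["action"] in PRIVILEGED_ACTIONS:
            prior_hours = [t.hour for t in history[user]]
            if len(prior_hours) >= MIN_HISTORY and not (
                    min(prior_hours) - HOURS_TOLERANCE <= ts.hour <= max(prior_hours) + HOURS_TOLERANCE):
                findings.append(("out-of-hours-privileged", user, ts))

        # 3. Burst of sensitive reads: fire once when the window fills.
        if e["action"] == "read" and e["resource"].startswith(SENSITIVE_PREFIXES):
            window = [t for t in recent_sensitive[user]
                      if ts - t <= timedelta(minutes=BULK_WINDOW_MIN)]
            window.append(ts)
            recent_sensitive[user] = window
            if len(window) == BULK_THRESHOLD:
                findings.append(("bulk-sensitive-read", user, ts))

        history[user].append(ts)
    return findings


if __name__ == "__main__":
    for kind, user, ts in hunt(parse(LOG)):
        print(f"{ts:%Y-%m-%d %H:%M} {user:6} {kind}")
```

Run as-is, the example produces three findings, all for alice on the evening of 2019-10-19, and none for bob, whose late-night restarts fall inside the hours his own history establishes. That contrast is the point of the passage: the same action at the same hour is benign for one role and anomalous for another, and only context over time tells them apart.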

Another measure used to assess threats is indicators of compromise (IOCs). Indicators of compromise are forensic evidence or data that can help to identify an attack. Unlike the other assessment methods, indicators of compromise are used exclusively after an attack has started—but it may still be ongoing! That doesn't mean that they're useless for threat assessment, though.

Knowing which IOCs are associated with a given threat actor, or common exploit path, can help defenders take appropriate steps to prevent further compromise and possibly to identify the threat actor. It can also help defenders limit the damage or stop the attack from progressing.

Attack Frameworks

There have been many attempts to describe attack methodologies in frameworks to help defenders model attacks and appropriate defenses. The CySA+ exam focuses on three specific frameworks, but your organization may use a different model or could create its own either from scratch or by combining one or more frameworks with its own requirements and experience. Frameworks are useful to help think through what an attacker is likely to do so that you can build appropriate defenses against attacks.

MITRE's ATT&CK Framework

MITRE provides the ATT&CK, or Adversarial Tactics, Techniques, and Common Knowledge, knowledge base of adversary tactics and techniques. The ATT&CK matrices include detailed descriptions, definitions, and examples for the complete threat life cycle, from initial access through execution, persistence, privilege escalation, and exfiltration. At each level, it lists techniques and components, allowing threat assessment modeling to leverage common descriptions and knowledge.

ATT&CK includes a preattack matrix; enterprise matrices covering Windows, macOS, Linux, and cloud computing; and mobile matrices for iOS and Android. ATT&CK also includes details of mitigations, threat actor groups, software, and a host of other useful details. All of this adds up to make ATT&CK the most comprehensive freely available database of adversary techniques, tactics, and related information that the authors of this book are aware of.

Figure 2.4 shows an example of an ATT&CK technique definition for attacks against cloud instances via their metadata APIs. It provides an ID number as well as classification details like the tactic, platforms it applies to, what user permissions are required, the data sources it applies to, who contributed it, and the revision level of the specific technique.


FIGURE 2.4 The ATT&CK definition for Cloud Instance Metadata API attacks

In addition to the ATT&CK website and materials, a variety of third-party projects leverage ATT&CK to build playbooks, tools, and even commercial software. You can find the ATT&CK website at attack.mitre.org.

The Diamond Model of Intrusion Analysis

The Diamond Model of Intrusion Analysis describes a sequence where an adversary deploys a capability targeted at an infrastructure against a victim. In this model, activities are called events, and analysts label the vertices as events that are detected or discovered. The model is intended to help analysts discover more information by highlighting the relationship between elements by following the edges between the events.

The Diamond Model uses a number of specific terms:

  • Core Features of an event, which are the adversary, capability, infrastructure, and victim (the vertices of the diamond).
  • The Meta-Features, which are start and end timestamps, phase, result, direction, methodology, and resources. These are used to order events in a sequence known as an activity thread, as well as for grouping events based on their features.
  • A Confidence Value, which is undefined by the model, but which analysts are expected to determine based on their own work.

Figure 2.5 shows an example of an analysis conducted for a compromised system. Note that each element helps to identify additional information or areas to review.


FIGURE 2.5 A Diamond Model analysis of a compromised system

The Diamond Model focuses heavily on understanding the attacker and their motivations, and then uses relationships between these elements to allow security analysts to both understand the threat and consider what other data or information they may need to obtain or may already have available.

You can read the full text of the Diamond Model paper at apps.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf.

Lockheed Martin's Cyber Kill Chain

Lockheed Martin's Cyber Kill Chain is a seven-stage process, as shown in Figure 2.6.


FIGURE 2.6 The Cyber Kill Chain.

The seven stages are as follows:

  1. Reconnaissance, which identifies targets. In this phase, adversaries are planning their attacks and will gather intelligence about the target, including both open source intelligence and direct acquisition of target data via scanning. Defenders must gather data about reconnaissance activities and prioritize defenses based on that information.
  2. Weaponization involves building or otherwise acquiring a weaponizer that combines malware and an exploit into a payload that can be delivered to the target. This may require creating decoy documents, choosing the right command-and-control tool, and other details. The model emphasizes the fact that defenders need to conduct full malware analysis in this stage to understand not only what payload is dropped but how the weaponized exploit was made. Defenders should also build detections for weaponizers, look at the timeline of when malware was created versus its use, and collect both files and metadata to help them see if the tools are widely shared or closely held and thus potentially very narrowly targeted.
  3. Delivery occurs when the adversary either deploys their tool directly against targets or via release that relies on staff at the target interacting with it such as in an email payload, on a USB stick, or via websites that they visit. Defenders in this stage must observe how the attack was delivered and what was targeted, and then will infer what the adversary was intending to accomplish. Retention of logs is also important in this stage, as defenders need them to track what occurred.
  4. Exploitation uses a software, hardware, or human vulnerability to gain access. This can involve zero-day exploits and may use either adversary-triggered exploits or victim-triggered exploits. Defense against this stage focuses on user awareness, secure coding, vulnerability scanning, penetration testing, endpoint hardening, and similar activities to ensure that organizations have a strong security posture and very limited attack surface.
  5. Installation focuses on persistent backdoor access for attackers. Defenders must monitor for typical artifacts of a persistent remote shell or other remote access methodologies.
  6. Command and Control (C2) access allows two-way communication and continued control of the remote system. Defenders will seek to detect the C2 infrastructure by hardening the network, deploying detection capabilities, and conducting ongoing research to ensure they are aware of new C2 models and technology.
  7. Actions on Objectives, the final stage, occurs when the mission's goal is achieved. Adversaries will collect credentials, escalate privileges, pivot and move laterally through the environment, and gather and exfiltrate information. They may also cause damage to systems or data. Defenders must establish their incident response playbook, detect the actions of the attackers and capture data about them, respond to alerts, and assess the damage the attackers have caused.

The entire Lockheed Martin Cyber Kill Chain can be found in greater detail at www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf.
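The Diamond Model's core features and meta-features and the Kill Chain's seven stages are routinely used together: each detected event becomes a diamond, the phase meta-feature names the kill chain stage, and the events for one adversary-victim pair are ordered into an activity thread. The block below is an added example that is not code from the book, the Diamond Model paper, or Lockheed Martin. It records constructed events for a single intrusion, orders them into an activity thread, reports the kill chain stages with no observed event (the gaps the Diamond Model tells analysts to go looking for), and pivots on a shared infrastructure vertex to find a second victim. The adversary name, hostnames and addresses are constructed.

```python
"""Diamond Model events ordered into a Kill Chain activity thread.

Added example; not the book's code. All intrusion details are constructed
(TEST-NET address, .invalid hostname, made-up workstation names)."""
from dataclasses import dataclass
from datetime import datetime

# Lockheed Martin's seven stages, in order.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command-and-control", "actions-on-objectives"]


@dataclass(frozen=True)
class Event:
    # Core features: the four vertices of the diamond.
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    # Meta-features used in this example.
    start: datetime
    phase: str          # one of KILL_CHAIN
    result: str         # "success", "failure" or "unknown"
    confidence: float   # analyst-assigned; the model leaves the scale open

    def __post_init__(self):
        if self.phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {self.phase}")


def activity_thread(events, adversary, victim):
    """Events for one adversary-victim pair, ordered by phase then time."""
    return sorted((e for e in events if e.adversary == adversary and e.victim == victim),
                  key=lambda e: (KILL_CHAIN.index(e.phase), e.start))


def missing_phases(thread):
    """Stages with no observed event: where to look for more evidence."""
    seen = {e.phase for e in thread}
    return [p for p in KILL_CHAIN if p not in seen]


def thread_confidence(thread):
    """A chain is only as trusted as its weakest event."""
    return min(e.confidence for e in thread) if thread else 0.0


def pivot(events, infrastructure):
    """Follow one infrastructure vertex to every (adversary, victim) pair
    touching it, which is how the shared C2 address exposes ws-hr-02 below."""
    return sorted({(e.adversary, e.victim) for e in events
                   if e.infrastructure == infrastructure})


# Constructed intrusion: a phishing delivery on one workstation, followed by
# a C2 beacon whose address also shows up from a second workstation.
SAMPLE_EVENTS = [
    Event("unattributed-actor-1", "phishing email with macro document", "mail.sender.invalid",
          "ws-finance-07", datetime(2019, 10, 19, 8, 2), "delivery", "success", 0.9),
    Event("unattributed-actor-1", "macro launching a downloader", "mail.sender.invalid",
          "ws-finance-07", datetime(2019, 10, 19, 8, 3), "exploitation", "success", 0.8),
    Event("unattributed-actor-1", "HTTPS beacon", "203.0.113.45",
          "ws-finance-07", datetime(2019, 10, 19, 8, 10), "command-and-control", "success", 0.7),
    Event("unattributed-actor-1", "archive upload", "203.0.113.45",
          "ws-finance-07", datetime(2019, 10, 19, 11, 30), "actions-on-objectives", "unknown", 0.5),
    Event("unattributed-actor-1", "HTTPS beacon", "203.0.113.45",
          "ws-hr-02", datetime(2019, 10, 19, 9, 5), "command-and-control", "success", 0.7),
]


if __name__ == "__main__":
    thread = activity_thread(SAMPLE_EVENTS, "unattributed-actor-1", "ws-finance-07")
    for e in thread:
        print(f"{e.start:%H:%M} {e.phase:22} {e.capability} via {e.infrastructure}")
    print("unobserved phases:", missing_phases(thread))
    print("thread confidence:", thread_confidence(thread))
    print("pivot on 203.0.113.45:", pivot(SAMPLE_EVENTS, "203.0.113.45"))
```

For the constructed intrusion the thread runs delivery, exploitation, command-and-control, actions-on-objectives; reconnaissance, weaponization and installation have no event yet, and pivoting on the C2 address turns up the second workstation, which is the kind of "additional information or areas to review" the Diamond Model figure is meant to surface.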

The Unified Kill Chain

Although the CySA+ exam doesn't specifically mention it, you may find the Unified Kill Chain useful. The Unified Kill Chain combines both Lockheed Martin's Cyber Kill Chain and MITRE's ATT&CK framework (as well as quite a few others!) into a single kill chain model. It uses 18 phases to describe attacks that occur both inside and outside a defended network, addressing complaints about both frameworks. You can read Paul Pols's 2017 proposal for the Unified Kill Chain at www.csacademy.nl/images/scripties/2018/Paul_Pols_-_The_Unified_Kill_Chain_1.pdf.

Common Vulnerability Scoring System (CVSS)

While you are reviewing threat frameworks, you are likely to encounter the Common Vulnerability Scoring System (CVSS). Although CVSS does not cover threats directly, it is often used to help describe vulnerabilities using a numerical score. You can read about CVSS, how CVSS scoring works, and how to use CVSS as part of your vulnerability assessment program in Chapter 4, “Designing a Vulnerability Management Program.”

Applying Threat Intelligence Organizationwide

Building a comprehensive threat intelligence function requires multiple parts of an organization to work together. Security practitioners, system administrators, auditors, and others need to share data to identify threats, monitor for them, detect them using known activities and fingerprints, then respond to them, and finally use the information gained to prepare for future threats.

Threat intelligence should be shared to ensure that incident response, vulnerability management, risk management, and security engineering functions understand the likely threat actors, capabilities, and indicators of compromise you will face.

Proactive Threat Hunting

Searching for threats proactively rather than reactively can help you stay ahead of attackers. Proactive threat hunting is often triggered by new data or tools that inspire threat analysts or security professionals to establish a hypothesis about a new threat, a new threat actor, or a new type of threat.

Once you have a hypothesis, the next step is to investigate the threat. The analytical frameworks we discussed earlier in this chapter can provide a foundation that will allow you to profile threat actors, to analyze malware or other tools by doing things like executable process analysis or reverse engineering, or to otherwise investigate the new threat.

If a new threat is discovered, then some form of action is typically undertaken to counter the threat. You might identify a way to reduce your organization's attack surface area, or you might find other ways to reduce the number of attack vectors available to attackers based on your threat analysis.

Keys to this type of proactive activity are the use of integrated intelligence feeds from multiple sources, and improving your organization's detection capabilities so that you can identify threats before they become a serious issue.

The CySA+ exam groups proactive threat hunting activities into a few bullets:

  • Establishing a hypothesis. A hypothesis is needed to test and should have actionable results based on the threat that the hypothesis considers.
  • Profiling threat actors and activities. This helps ensure that you have considered who may be a threat, and why, as well as what their typical actions and processes are.
  • Threat hunting tactics. These are key to success in threat hunting activities. The skills, techniques, and procedures are where action meets analysis. This step includes executable process analysis, which the CySA+ exam outline specifically mentions.
  • Reducing the attack surface area. This allows resources to be focused on the remaining surface area, making protection more manageable.
  • Bundling critical assets into groups and protection zones. This helps with managing attack surface area, threat hunting, and response activities, since each asset doesn't need to be individually assessed or managed as a unique item.
  • Attack vectors must be understood, assessed, and addressed based on analysis of threat actors and their techniques as well as the surface area that threat actors can target.
  • Integrated intelligence combines multiple intelligence sources to provide a better view of threats.
  • Improving detection capabilities. This is a continuous process as threats improve their techniques and technology. If you do not improve your detection capabilities, new threats will bypass existing capabilities over time.

As you prepare for the exam, make sure you consider how each of these plays a role in proactive threat hunting activities and what impact they would have in your organization.

Summary

Understanding the threats that your organization faces is a critical part of your security program and operations. In order to understand those threats, security professionals gather threat intelligence composed of data about your adversaries, their motivations, capabilities, tools, and methodologies.

Open source threat intelligence is acquired from publicly available sources, and closed source threat intelligence is from commercial or other sources that do not make their data available to the public. Both are used by many organizations as part of their threat intelligence efforts. Many open source threat intelligence sources exist, including government sponsored feeds and sites, professional organizations, vendor resources, social media, and even information from individuals.

A source of threat intelligence needs to be assessed, and the level of confidence you have in the data is important to know before you take actions based on it. Threat information also needs to be managed, and standardized formats and languages for describing threat information exist to help make threat information more usable. STIX, ATT&CK, and other tools help to standardize threat information. They also help to classify threats using common terms like nation-state actors and adversary capabilities.

Threat information gathering can be described as a cycle, with requirements gathering, threat data collection, threat data analysis, threat intelligence dissemination or sharing, and feedback and improvement stages all part of the typical threat information process.

Analyzing threats can also be aided by using a framework, and ATT&CK, the Diamond Model, and the Cyber Kill Chain are all common tools intended to assist in threat analysis. Each has advantages and disadvantages, and you should review them carefully to determine whether one is a better fit to your needs than the others.

Once you have built a threat intelligence function, you need to use and maintain it, and that is where organizationwide use of threat intelligence can come in. Many areas within an organization may have a use for threat data or can contribute to the threat intelligence gathering process. That data can be used for proactive threat hunting to identify threats before they successfully complete an attack or exploit.

Exam Essentials

Understand what drives intelligence source choices. Both open source and closed source or proprietary threat intelligence sources are available, and matching your needs to the right resources is important for threat intelligence programs. Intelligence sharing communities can provide threat data specifically targeted at industries or professional groups. Assessing intelligence sources based on their timeliness, how relevant the data is to your needs, and how accurate they are will help guide your choices of which datasets to use and how much you can rely on them.

Know the standards for indicator management that make intelligence data more useful. Using standardized languages like STIX and interchange protocols like TAXII allows threat intelligence information exchange and management. Describing indicators of compromise using OpenIOC provides organizations with a framework to agree on ratings for threats and events and communicate details of compromise in a known and well-defined format.

Describe threats using classification standards and common terms. Threats are often classified using a few common terms: known versus unknown threats, zero-day exploits, and advanced persistent threats are all commonly used. In addition, threats may be described by the threat actor, with nation-states, hacktivists, organized crime, and both intentional and unintentional insiders frequently identified as threat actors by organizations conducting threat intelligence and analysis activities.

Know that the threat intelligence cycle is ongoing. The threat intelligence cycle from requirements to collection of data, analysis, communication and dissemination, and gathering feedback ensures that threat intelligence does not grow stale and that threat data is consistently and continuously updated.

Be able to describe threats and attacks using frameworks and model them using analysis techniques. Frameworks like the Diamond Model, the MITRE ATT&CK framework, and Lockheed Martin's Cyber Kill Chain all provide ways to assess and describe threats. Using a threat model can help to more fully understand a threat by identifying gaps. Tools like ATT&CK also provide a broad standard taxonomy for threats that allow you to use the data in tools compatible with the framework.

Know that the ongoing process of threat management and intelligence sharing should occur organizationwide. The security processes and functions that an organization uses can benefit from threat intelligence. Threat intelligence has a major role to play in risk assessment, as it can influence the probability and impact assessment as well as provide useful information about risks due to specific threat actors. Proactive threat hunting, from forming a hypothesis to taking actions such as reducing the organization's attack surface, is a critical part of threat intelligence and management activities. Detection and monitoring systems can more accurately detect attacks if they have good threat intelligence, and vulnerability management, incident response, and security engineering all benefit from ongoing sharing of threat details.

Lab Exercises

Activity 2.1: Explore the ATT&CK Framework

In this exercise, you will use the ATT&CK framework to analyze a threat. You may want to select a recent compromise that you have seen in the news, or one that has impacted an organization that you have worked with. If nothing comes to mind, the 2019 Capital One data breach offers a useful example, and you can find details of the exploit in multiple places with a quick search.

Part 1: Build a threat profile

  1. List what you know about the compromise or exploit, including details about the threat actor, what occurred, what tools were used, and as many other details as you can find.
  2. Review your list against the headings for the appropriate ATT&CK matrix. Do you have items that match the headings?
  3. If you still lack data, you should continue your search or find another example to work through!

Part 2: Analysis

Now that you have your basic profile, follow the detailed listings in the matrix to match up the threat to its ATT&CK techniques, threat actors, and other details.

  1. Match each data point to the appropriate ATT&CK entry.
  2. Review the details of each entry so that you become familiar with them.
  3. Identify gaps in your knowledge. What information would you look for if you were researching this threat? What information do you think you could reasonably obtain, and what might you be unable to gather?
  4. Consider what your report to leadership would contain based on what you have found. What would you include for a technical group, and what would you include for senior leaders like a CIO or CEO?

Activity 2.2: Set Up a STIX/TAXII Feed

Anomali's STAXX community version provides an easy way to consume STIX feeds. In this exercise, you will download and install the STAXX client, and then review the data from one of the included feeds.

  1. Visit www.anomali.com/community/staxx and download the STAXX Community edition software. STAXX is a 1 GB download and requires an email to get the download link.
  2. Install the STAXX client. You will need a virtualization environment like VirtualBox or VMware to open the OVA file. Follow the Anomali setup and installation guide at update.anomali.com/staxx/docs/Anomali_STAXX_Installation_&_Administration_Guide.pdf.
  3. This guide will help you get Anomali set up. When you connect to the web interface, you will need to accept the insecure connection on most major browsers.
  4. When asked, use the Anomali Limo service to gather data for your first feeds.
  5. Once you are in and Anomali has ingested its feeds, explore the dashboards. What is the most common indicator type? Does it match what you would expect?
  6. Advanced: Identify a STIX feed that isn't part of the STAXX default feed list and add it to STAXX.
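As an added example that is not part of the book's lab or of Anomali's software, the following Python script does by hand what step 5 asks of the STAXX dashboard: it parses a STIX 2.1 bundle, tallies the indicators by the observable type their pattern tests, and filters them on the STIX confidence property so that low- or unknown-confidence indicators are not acted on blindly. The bundle, its object IDs, the addresses, the domain and the hash are all constructed placeholders, not data from any real feed.

```python
import json
import re
from collections import Counter

# Constructed STIX 2.1 sample standing in for a downloaded feed: the IDs, the
# documentation-range addresses, the domain and the hash are placeholders.
def _indicator(n, pattern, confidence=None):
    obj = {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
           "id": f"indicator--00000000-0000-4000-8000-0000000000{n:02d}",
           "created": "2021-01-01T00:00:00Z", "modified": "2021-01-01T00:00:00Z",
           "valid_from": "2021-01-01T00:00:00Z", "pattern": pattern}
    if confidence is not None:  # STIX confidence is optional, 0-100
        obj["confidence"] = confidence
    return obj

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(2, "[ipv4-addr:value = '203.0.113.10']", 85),
        _indicator(3, "[ipv4-addr:value = '198.51.100.7']", 40),
        _indicator(4, "[domain-name:value = 'malicious.example']", 90),
        _indicator(5, "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']"),
        {"type": "malware", "spec_version": "2.1", "name": "loader", "is_family": False,
         "id": "malware--00000000-0000-4000-8000-000000000006",
         "created": "2021-01-01T00:00:00Z", "modified": "2021-01-01T00:00:00Z"},
    ]})

# A STIX pattern opens each comparison with "[<observable-type>:<property> ...".
OBSERVABLE_TYPE_RE = re.compile(r"\[\s*([a-z0-9-]+):")

def indicator_type_counts(bundle_json: str) -> Counter:
    """Tally indicator objects by the cyber-observable type their pattern tests."""
    counts = Counter()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, threat-actor, etc. are context, not indicators
        match = OBSERVABLE_TYPE_RE.search(obj.get("pattern", ""))
        counts[match.group(1) if match else "unparsed"] += 1
    return counts

def actionable_patterns(bundle_json: str, min_confidence: int = 70) -> list:
    """Patterns whose confidence meets the threshold. An indicator with no
    confidence value is unknown, not trusted, so it is excluded from action."""
    return sorted(obj["pattern"] for obj in json.loads(bundle_json)["objects"]
                  if obj.get("type") == "indicator"
                  and obj.get("confidence", -1) >= min_confidence)

if __name__ == "__main__":
    print(indicator_type_counts(SAMPLE_BUNDLE).most_common())
    print(actionable_patterns(SAMPLE_BUNDLE))
```

Pointing the script at a bundle saved from a real feed shows how the distribution of indicator types compares with what you expected in step 5.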

Activity 2.3: Intelligence Gathering Techniques

Match each of the activities to the phase of the threat intelligence cycle where it fits.

Phase                                 Activity
Requirements gathering                Update requirements for your intelligence gathering program
Threat data collection                Provide information about a threat to an IPS administrator
Threat data analysis                  Assess missing controls from a recent breach
Threat intelligence dissemination     Download data via STIX
Gathering feedback                    Convert manually gathered threat data to STIX format

Review Questions

  1. Which of the following measures is not commonly used to assess threat intelligence?
    A. Timeliness
    B. Detail
    C. Accuracy
    D. Relevance
  2. What language is STIX based on?
    A. PHP
    B. HTML
    C. XML
    D. Python
  3. Which of the following activities follows threat data analysis in the threat intelligence cycle?
    A. Gathering feedback
    B. Threat data collection
    C. Threat data review
    D. Threat intelligence dissemination
  4. Susan wants to start performing intelligence gathering. Which of the following options is frequently conducted in the requirements gathering stage?
    A. Review of security breaches or compromises your organization has faced
    B. Review of current vulnerability scans
    C. Review of current data handling standards
    D. A review of threat intelligence feeds for new threats
  5. What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals?
    A. DHS
    B. SANS
    C. CERTS
    D. ISACs
  6. Which of the following threat actors typically has the greatest access to resources?
    A. Nation-state actors
    B. Organized crime
    C. Hacktivists
    D. Insider threats
  7. Organizations like Anonymous, which target governments and businesses for political reasons, are examples of what type of threat actor?
    A. Hacktivists
    B. Military assets
    C. Nation-state actors
    D. Organized crime
  8. Jason gathers threat intelligence that tells him that an adversary his organization considers a threat likes to use USB key drops to compromise their targets. What is this an example of?
    A. His organization's attack surface
    B. A possible attack vector
    C. An example of adversary capability
    D. A probability assessment
  9. What type of assessment is particularly useful for identifying insider threats?
    A. Behavioral
    B. Instinctual
    C. Habitual
    D. IOCs
  10. Cyn wants to send threat information via a standardized protocol specifically designed to exchange cyberthreat information. What should she choose?
    A. STIX 1.0
    B. OpenIOC
    C. STIX 2.0
    D. TAXII
  11. What phase of the Cyber Kill Chain includes creation of persistent backdoor access for attackers?
    A. Delivery
    B. Exploitation
    C. Installation
    D. C2
  12. What common criticism is leveled at the Cyber Kill Chain?
    A. Not all threats are aimed at a kill.
    B. It is too detailed.
    C. It includes actions outside the defended network.
    D. It focuses too much on insider threats.
  13. Which of the following is not a common technique used to defend against command and control (C2) capabilities deployed by attackers?
    A. Network hardening
    B. Patching against zero-day attacks
    C. Deploying detection capabilities
    D. Tracking new C2 methods and technology
  14. What term describes an analysis of threat information that might include details such as whether it is confirmed by multiple independent sources or has been directly confirmed?
    A. Threat quality level
    B. STIX level
    C. Confidence level
    D. Assurance level
  15. What drove the creation of ISACs in the United States?
    A. Threat information sharing for infrastructure owners
    B. The Cybersecurity Act of 1994
    C. Threat information collection network providers
    D. The 1998 ISAC Act
  16. STRIDE, PASTA, and LINDDUN are all examples of what?
    A. Zero-day rating systems
    B. Vulnerability assessment tools
    C. Adversary analysis tools
    D. Threat classification tools
  17. OpenIOC uses a base set of indicators of compromise originally created and provided by which security company?
    A. Mandiant
    B. McAfee
    C. CrowdStrike
    D. Cisco
  18. Advanced persistent threats are most commonly associated with which type of threat actor?
    A. Insider threats
    B. Nation-state actors
    C. Organized crime
    D. Hacktivists
  19. Gabby wants to select a threat framework for her organization, and identifying threat actor tactics in a standardized way is an important part of her selection process. Which threat model would be her best choice?
    A. The Diamond Model
    B. ATT&CK
    C. The Cyber Kill Chain
    D. The Universal Threat Model
  20. Forensic data is most often used for what type of threat assessment data?
    A. STIX
    B. Behavioral
    C. IOCs
    D. TAXII