If any of you have ever seen my presentations on advanced threats, then one area you know I love to explore is the wonderful world of threat intelligence. If you haven’t seen that presentation, read on.
Many organizations I’ve worked with in the past have always wanted to find newer, better threat intelligence. It’s almost like they are on a Star Trek mission (you do remember, either Star Trek or Marvel is a common theme in my posts).
The final frontier
These are the voyages of the SOC Team Enterprise
Its continuing mission, to explore strange new attacks
To seek out new patterns and new correlations
To boldly hunt where no IR Team has hunted before…
One of the key areas I always recommend to organizations is to get a firm understanding of the types of threat intelligence and how each should be used in ongoing SOC/IR operations.
Tactical Threat Intelligence
Tactical Threat Intelligence (TTI) is the kind most people are familiar with. Much of it is the raw data you extract from attacks and then try to disseminate and integrate into your various security solutions to aid in detecting additional attacks against your organization. TTI can be very brittle in nature. By that I mean that many of the data points can be short-lived.
Heading back into Star Trek, you may recall a scene in Star Trek II: The Wrath of Khan where Captain Kirk and Mr. Spock call up Reliant’s command prefix code, ordering the ship to lower her shields, allowing the Enterprise to counterattack.
While Khan is very intelligent, his lack of experience cost him the huge advantage he had over the Enterprise. The Prefix Code is an example of Tactical Threat Intelligence. It is something you can use to take a definitive action, assuming the information is still relevant.
IP Addresses, once discovered being used by an attacker, quickly result in blocking rules being implemented (or at least alerts being generated). But attackers move from IP Address to IP Address, intermediary sites used by an attacker get notified and clean up their compromised systems, and IP Addresses go through reassignment from time to time as registrations expire and new businesses request address space. It is more helpful if you can put some context around the IP Addresses that populate your Threat Intel Feed:
- Is this IP Address on the list as a result of a watering hole attack?
- Is this IP Address located in a country supportive of cyberattacks?
- Is this IP Address assigned to residential ISP Service?
Domain Names are also brittle in nature and can come under the same scrutiny.
- Was this domain registered recently? (Increased odds the domain itself is hostile)
- Is this a long-established domain? (Increased odds it’s a watering hole attack)
Hashes for files, function calls and function code can also be changed by adversaries who want to ensure they evade your detection capabilities. Knowing whether hash collisions are possible for the algorithm in use also helps you estimate the odds of a false negative. There are tools out there today that will take a known good MD5 hash and modify a file of your choice so that it generates the equivalent MD5 hash. You can no longer rely on MD5 hashes to determine whether a file is a known good file.
The good news is: knowing the nature of the type of threat intelligence, the possible context that applies to it, and its level of brittleness can help you design effective SOC Correlation and alert prioritization.
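To make the brittleness idea concrete, here is an added example (my own illustration, not code from the original post) of how a SOC might score tactical indicators for alert prioritization. Confidence in each indicator decays with a type-specific half-life, the contextual questions above (watering hole, residential ISP, domain registration age) adjust the score, MD5 matches are down-weighted and never used for allow-listing, and an indicator linked to a known actor is boosted. The half-lives, base scores, multipliers, indicator values and feed context are all constructed assumptions, not values from the post.

```python
"""Context-aware scoring for tactical threat-intel indicators.

Added example: models the point that tactical indicators are brittle, so an
alert's priority should depend on indicator type, age and the context that
arrived with it. All weights and sample indicators below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Indicator:
    kind: str                       # "ip", "domain", "md5" or "sha256"
    value: str
    last_seen: date                 # most recent sighting in the feed
    context: dict = field(default_factory=dict)
    actor: Optional[str] = None     # linked adversary, if attribution exists


# Assumed half-lives (days): how fast confidence in each indicator type decays.
HALF_LIFE_DAYS = {"ip": 14, "domain": 45, "md5": 90, "sha256": 365}
# Assumed base scores: stronger indicator types start higher.
BASE_SCORE = {"ip": 40, "domain": 50, "md5": 45, "sha256": 70}


def freshness(ind: Indicator, today: date) -> float:
    """Exponential decay of confidence since the indicator was last seen."""
    age_days = (today - ind.last_seen).days
    return 0.5 ** (age_days / HALF_LIFE_DAYS[ind.kind])


def usable_for_allowlist(kind: str) -> bool:
    """Only collision-resistant hashes may vouch that a file is known good."""
    return kind == "sha256"


def score(ind: Indicator, today: date) -> float:
    """Return a 0-100 priority score from type, freshness and context."""
    s = BASE_SCORE[ind.kind] * freshness(ind, today)
    ctx = ind.context
    if ind.kind == "ip":
        if ctx.get("residential"):
            s *= 0.6        # residential ISP space churns; weak on its own
        if ctx.get("source") == "watering_hole":
            s *= 0.7        # compromised legitimate host, often cleaned up
    elif ind.kind == "domain" and "registered" in ctx:
        reg_age = (today - ctx["registered"]).days
        if reg_age < 30:
            s *= 1.3        # newly registered: more likely purpose-built
        elif reg_age > 3 * 365:
            s *= 0.8        # long-established: more likely a watering hole
    elif ind.kind == "md5":
        s *= 0.8            # collisions are practical; a match is weaker evidence
    if ind.actor:
        s *= 1.25           # attribution enables strategic follow-up
    return round(min(s, 100.0), 1)


def prioritize(indicators, today: date):
    """Order indicators so the SOC works the highest-value alerts first."""
    return sorted(indicators, key=lambda i: score(i, today), reverse=True)


# Constructed sample feed (documentation IP range and placeholder hashes).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Indicator("ip", "203.0.113.7", TODAY - timedelta(days=14),
              {"residential": True}),
    Indicator("sha256", "<placeholder-sha256>", TODAY, {},
              actor="assumed-actor-1"),
    Indicator("domain", "example-new.test", TODAY,
              {"registered": TODAY - timedelta(days=10)}),
    Indicator("md5", "<placeholder-md5>", TODAY - timedelta(days=90)),
]


def ranked_scores():
    """(value, score) pairs for the sample feed, highest priority first."""
    return [(i.value, score(i, TODAY)) for i in prioritize(SAMPLE, TODAY)]


if __name__ == "__main__":
    for value, s in ranked_scores():
        print(f"{s:5.1f}  {value}")
```

The design choice worth noting is that the decay and the context multipliers are separate knobs: an aged-out residential IP can still be kept in the feed for correlation without generating a page at 3 a.m., while a fresh hash tied to a named actor rises to the top where the strategic work described next can start.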
Strategic Threat Intelligence
Strategic Threat Intelligence is more an understanding of your enemy’s overall battle plan. Knowing who you are facing, their motives, and what their habits, experiences and ultimate goals are, can give you the edge to win the war (but not necessarily win every battle).
As we rejoin The Wrath of Khan, in the Mutara Nebula battle, Spock makes an interesting observation about their adversary that provides a clear path to victory. Khan exhibits his lack of experience twice. First by not changing Reliant’s prefix code, then again when Khan views space as “two-dimensional” when executing his search pattern.
These are traits that are not changed easily, and identifying these traits is the key to victory.
Tying It All Together
While you can certainly operate a SOC with only one type of intelligence, security teams will find the best results when they successfully combine the two. If you are able to link tactical data points to a known attacker, you can then conduct research into their traits and discover new methods of finding them in your environment. If you can successfully use strategic intelligence to discover new artifacts, you can then use that information in more tactical ways to proactively discover adversaries before the breach has an impact on your organization.