Threat intelligence : Know Your Enemy


Image : Tripwire

"If you know the enemy and know yourself you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." - Sun Tzu

Threat Intelligence (TI) is the gathering of evidence-based knowledge about threats, and its processing and analysis, to understand threat actors' motives, targets, and attack behaviors. Threat intelligence gives defenders vitally important information for protecting their information assets, which makes it a critical component of the organization's overall security posture and risk management process. TI helps an organization understand the nature of the threats it faces and identify its vulnerabilities, so that it can deploy appropriate security strategies and controls to reduce risk.

Threat intelligence is important for learning about unknown threats, making better security decisions, revealing attacker motives and their tactics, techniques, and procedures (TTPs), and assessing risk. It helps optimize defense capabilities, uncover and track threat actors targeting the organization, prioritize risk levels, support business continuity planning, and accelerate incident response. It is a systematic, cyclic process involving the following phases.

1. Planning & Requirements

The planning stage allows security teams to set goals and a methodology for threat intelligence based on the likely attackers and their motivations, the attack surface, and the specific actions required to defend against future attacks.

2. Threat Data Collection

The team will collect data from traffic logs, public data sources, forums, social media, and industry experts to meet requirements set in the planning stage.

3. Threat Data Processing

The raw data is fed into databases and spreadsheets and evaluated for relevance and reliability.

4. Threat Data Analysis

The analysis aims to create insights from data to find answers to the questions posed in the planning phase.

5. Threat Risk Dissemination

The threat intelligence team presents the results of the analysis and recommendations to the stakeholders for defensive action. 

6. Feedback

This stage's aim is to determine appropriate mitigation action and guide future threat intelligence operations. 

Threat intelligence use cases include the following.

  • Blocking bad IPs, URLs, domains, etc.
  • Using threat intelligence to enrich alerts
  • Linking alerts into incidents
  • Adjusting existing security controls
  • Introducing new security controls
  • Seeking evidence on the who/what/why/when/how of incidents
  • Finding the root cause of an incident
  • Determining evidence of intrusion
  • Reviewing reports on threat actors to improve detection
  • Assessing the overall threat level for the organization
  • Developing a security roadmap

There are three types of threat intelligence:

  • Tactical intelligence
  • Operational intelligence
  • Strategic intelligence

Tactical threat intelligence is technical in nature and can therefore be automated, as in malware analysis. It aims to gain a broader view of threats and tries to identify indicators of compromise (IOCs): known malicious IP addresses, URLs, file hashes, and domain names.
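The following is an added example, not code from the original post, showing how tactical intelligence (IOCs) is put to work in the use cases above: a constructed, defanged IOC feed is normalised and matched against constructed key=value proxy/EDR log lines to enrich them with the indicator and actor that matched. The feed format, field names and all indicator values are assumptions made up for this example; subdomain matching of domain IOCs and case-insensitive hash matching are the two edge cases it handles.

```python
import re
# Constructed tactical-TI feed (invented, non-routable indicators) in the
# common "type,value,actor" shape, with values defanged (hxxp, [.]).
IOC_FEED = """\
ip,203.0.113.45,ACTOR-A
domain,bad-updates[.]example,ACTOR-A
url,hxxp://bad-updates[.]example/stage2,ACTOR-A
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,COMMODITY
"""
SAMPLE_LOGS = [  # constructed key=value proxy/EDR log lines to enrich
    "2024-05-01T10:02:11Z proxy src=10.0.0.7 dst=203.0.113.45 host=cdn.example.net",
    "2024-05-01T10:02:30Z proxy src=10.0.0.9 url=http://www.bad-updates.example/stage2",
    "2024-05-01T10:03:02Z edr host=ws12 sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2024-05-01T10:04:00Z proxy src=10.0.0.7 dst=198.51.100.2 host=login.example.org",
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def refang(value):
    """Undo common defanging so feed values compare against real log data."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def load_feed(text):
    """Parse the feed into {type: {indicator: actor}}, normalised to lowercase."""
    iocs = {"ip": {}, "domain": {}, "url": {}, "sha256": {}}
    for line in text.splitlines():
        kind, value, actor = line.strip().split(",", 2)
        iocs[kind][refang(value).lower()] = actor
    return iocs

def domain_hits(host, iocs):
    """A domain IOC also covers its subdomains (www.bad-updates.example)."""
    return [("domain", d, a) for d, a in iocs["domain"].items()
            if host == d or host.endswith("." + d)]

def enrich(line, iocs):
    """Return (ioc_type, indicator, actor) matches for one log line."""
    hits = []
    for key, value in FIELD_RE.findall(line):
        v = value.lower()  # hashes and hostnames compare case-insensitively
        if key in ("src", "dst") and v in iocs["ip"]:
            hits.append(("ip", v, iocs["ip"][v]))
        elif key == "sha256" and v in iocs["sha256"]:
            hits.append(("sha256", v, iocs["sha256"][v]))
        elif key == "url":
            if v in iocs["url"]:
                hits.append(("url", v, iocs["url"][v]))
            hits += domain_hits(re.sub(r"^\w+://", "", v).split("/")[0], iocs)
        elif key == "host":
            hits += domain_hits(v, iocs)
    return hits
```

Lines with an empty hit list are benign under this feed; the others carry the actor name that a SOC would use to link alerts into one incident.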

Operational threat intelligence provides insight into how attackers plan, conduct, and execute attacks, based on the attacker, the motivation, and the techniques of the threat. It involves both machine and human analysis and is used in a Security Operations Center (SOC).

Strategic threat intelligence is focused on business decisions related to global events, foreign policies, the world's geopolitical situation, and other local and international movements that can potentially impact an organization's security. It helps prioritize cyber security strategies.

Threat intelligence in practice

1. Learning the Threat Landscape

You can obtain information on the latest threats and TTPs from the following sources.

1. MITRE ATT&CK

The MITRE ATT&CK framework (Adversarial Tactics, Techniques, and Common Knowledge), accessible at attack.mitre.org, is a comprehensive database detailing cyber-criminal TTPs. It provides a full set of attack descriptions that can be used to improve your security posture.

2. Common Vulnerabilities and Exposures (CVE)

CVE is an online database, accessible at cve.org, that identifies, defines, and catalogs publicly disclosed cyber security vulnerabilities. Each vulnerability is identified by a unique CVE number and given CVSS scores, which support the planning and prioritization of vulnerability management programs.

3. National Vulnerability Database (NVD)

The NVD is the U.S. government repository of standards-based vulnerability information (nvd.nist.gov). It includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

Following are some of the Threat Intelligence Tools.

Niranjan Meegammana
