Wednesday, April 15, 2015
“Cyber Threat Intelligence” What Is Needed For Identification and Response?
What is cyber threat intelligence?
CTI (“Cyber Threat Intelligence”) is a term used for any information that can be used to protect your organization's IT assets against an attacker.
This TI (Threat Intelligence) can take many forms, such as internet-based IP addresses, attacker geolocations and TTPs (Tools, Tactics and Procedures), which work as indicators or early warnings of attacks, or of an attempt to harm the IT infrastructure and in turn the business.
There are a number of vendors around the globe who provide TI feeds which can be integrated with your security controls, such as a SIEM, a GRC tool and other correlation engines.
This is an attempt to identify the information which is needed as actionable TI that can be used to defend your organization.
a. These are the conditions of the attack, like a Zero Day or business-related breaking news/announcements about the organization.
a. What would the attacker need in order to generate and trigger an attack on your organization? E.g. the type of security controls on your perimeter, network and endpoints, and the type of devices (endpoints, internet-facing web servers, routers, firewalls etc.) which are exposed to the internet.
a. The capabilities of the attacker and of the attack itself. E.g. script kiddies would be able to generate an attack but would not possess the capability for post-attack activity; or a professional attacker would have the capability to generate an attack, but the defense mechanism would be able to partially stop it, so that the attack does not get the attacker the intended results.
a. The attacking component's TTPs (Tools, Tactics and Procedures) used in past attacks conducted by the attacker. These would give us indicators for defending against the attack.
a. This component is important as the measurement of the attack in terms of the number and type of security events generated under pre-attack conditions.
6. What is the threat?
a. Measurements of the threat from past attacks would help us map the threat findings onto our organization.
7. What are the threat vectors?
a. These vectors would be more of a “type of attack” which would be seen in the attack phase.
8. Where else has the threat vector been seen on the globe?
a. Historical threat vectors used by the attacker in the past should be part of the TI information.
9. What was the threat impact?
a. The historical threat impact on victims would help to measure the attacker's TTPs.
10. What were the parameters of compromise?
a. What would be the conditions and parameters needed for a successful compromise to be conducted?
11. What could be the early warnings?
a. Early warnings and indicators from past attacks conducted by the attacker.
12. What would be a practical and approachable defense mechanism?
a. Historical data in terms of the approach taken by defenders to defend against the attacks.
13. What would be the business impact?
a. What was the business impact on victims in terms of data theft, ransomware and business discontinuity?
14. What type of TI for Zero Days?
a. What information would the TI share about Zero Days in terms of IP addresses, geolocations, domain names, ISP information, file names, MD5 hashes etc.?
15. Patterns of attacks in the past
a. What patterns were generated by the attackers, or what type of internet traffic (inbound/outbound) was seen under pre-attack conditions?
16. Attack timelines before a successful compromise.
a. These timelines would help us understand the skills of the attacker and allow us to decide the maximum time frame to respond, against a business-accepted condition of a known vulnerability.
17. Zero Day detection and patterns based on packets, ports and geolocations.
a. What type of traffic patterns are generated in the case of Zero Days under pre-compromise conditions?
18. What security controls were bypassed, and how?
a. The historical data on the TTPs used for bypassing security controls is very important, as this would give us pinpointed information to help us defend against such attacks.
19. Post-compromise (forensics investigation) information.
a. Post-compromise information like:
i. File names
ii. MD5 hashes
iii. Inbound and Outbound Traffic
iv. Internal traffic patterns
v. Detection by internal security controls
vi. Auto-defense or events generated by security controls
vii. OS- and application-level errors generated by the attack vector
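As an added example (not from this post, and not any vendor's feed format), the following Python shows how the indicator types asked for in items 14 and 19 (IP addresses, domain names, file names, MD5 hashes) become detection logic of the kind a SIEM or correlation engine would run, which is the integration point mentioned at the top of the post. A small, constructed JSON feed is loaded, and constructed firewall, proxy and endpoint log lines are matched against it; each hit is tagged with the TTP the feed attaches to the indicator, so the analyst sees not just "known-bad IP" but what the attacker has historically done with it. The feed schema, the log formats, the key-to-indicator mapping and every value are assumptions made for this example.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample TI feed (assumed schema, constructed values; not a real
# vendor feed). Each indicator carries the attacker TTP the post asks for, so a
# match explains itself rather than just flagging an address.
SAMPLE_FEED = json.dumps({
    "indicators": [
        {"type": "ipv4",     "value": "198.51.100.23",
         "ttp": "SSH brute force from scanning infrastructure", "source": "constructed"},
        {"type": "domain",   "value": "update-check.example",
         "ttp": "C2 beacon over HTTP", "source": "constructed"},
        {"type": "md5",      "value": "00112233445566778899aabbccddeeff",
         "ttp": "dropper executable", "source": "constructed"},
        {"type": "filename", "value": "svch0st.exe",
         "ttp": "masquerading as a system binary", "source": "constructed"},
    ]
})

# Constructed log lines in the key=value style a SIEM normalises: firewall,
# web proxy and endpoint file-creation events. All hosts/addresses are
# documentation ranges or reserved names.
SAMPLE_LOGS = [
    "2015-04-15T10:01:02Z fw action=deny src=198.51.100.23 dst=203.0.113.10 dport=22",
    "2015-04-15T10:03:44Z proxy user=jdoe host=update-check.example uri=/ping status=200",
    "2015-04-15T10:04:10Z edr event=file_create "
    "path=C:\\Users\\jdoe\\AppData\\svch0st.exe md5=00112233445566778899AABBCCDDEEFF",
    "2015-04-15T10:05:00Z proxy user=asmith host=www.example.org uri=/ status=200",
]


@dataclass
class Match:
    ioc_type: str
    value: str
    ttp: str
    log_line: str


class IocMatcher:
    """Index a TI feed by indicator type and match normalised log fields against it."""

    # Which log keys carry which indicator type (assumption for these sample formats).
    _KEY_TO_TYPE = {"src": "ipv4", "dst": "ipv4", "host": "domain",
                    "md5": "md5", "path": "filename"}

    def __init__(self, feed_json):
        feed = json.loads(feed_json)
        self.by_type = {}
        for ind in feed["indicators"]:
            # Lower-case so hashes, domains and file names match case-insensitively.
            self.by_type.setdefault(ind["type"], {})[ind["value"].lower()] = ind

    def scan_line(self, line):
        """Return one Match per indicator found in a single key=value log line."""
        matches = []
        for key, raw in re.findall(r"(\w+)=(\S+)", line):
            ioc_type = self._KEY_TO_TYPE.get(key)
            if ioc_type is None:
                continue
            value = raw.lower()
            if ioc_type == "filename":
                # Feed carries bare file names; compare only the basename of the path.
                value = re.split(r"[\\/]", value)[-1]
            ind = self.by_type.get(ioc_type, {}).get(value)
            if ind is not None:
                matches.append(Match(ioc_type, ind["value"], ind["ttp"], line))
        return matches

    def scan(self, lines):
        """Run scan_line over a batch of events, preserving log order."""
        hits = []
        for line in lines:
            hits.extend(self.scan_line(line))
        return hits


def run_demo():
    """Match the constructed logs against the constructed feed and return the hits."""
    return IocMatcher(SAMPLE_FEED).scan(SAMPLE_LOGS)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"[{hit.ioc_type}] {hit.value} -> {hit.ttp}\n    {hit.log_line}")
```

The constructed endpoint event shows why indicator types should be matched per field: the same line yields two hits (a known file name and a known hash), and the hash comparison is case-insensitive because tools emit hex in both cases. In a real deployment the feed loader and the key mapping would be replaced by the SIEM's own parsers; the value of the TI is unchanged, it is the TTP and history attached to each indicator.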
The above are a few indicators which a TI tool vendor should provide. I strongly believe that if the above information is provided by vendors, we can surely respond and try to defend against attacks.
Comments and inputs are most welcome.