“Cyber Threat Intelligence”
What Is Needed For Identification and Response?
What is cyber threat intelligence?
CTI (Cyber Threat Intelligence) is a term used for any information which can be used to protect your organization's IT assets against an attacker.
This TI (Threat Intelligence) can take many forms, like internet-based IP addresses, attacker geolocations and TTPs (Tools, Tactics and Procedures), which would serve as indicators or early warnings of attacks, or of attempts to harm the IT infrastructure and in turn the business.
There are a number of vendors around the globe who provide TI feeds which can be integrated with your security controls like a SIEM, a GRC tool and other correlation engines.
This is an attempt to identify the information which is needed as actionable TI that can be used to defend your organization.
1. Drivers
   a. These are the conditions of the attack, like a Zero Day or business-related breaking news/announcements for the organization.
2. Prerequisites
   a. What would the attacker need to generate and trigger an attack on your organization? e.g.: the type of security controls on your perimeter, network and endpoints; the type of devices (endpoints, internet-facing web servers, routers, firewalls etc.) which are exposed to the internet.
3. Capabilities
   a. Capabilities of the attacker and of the attack itself, e.g.: script kiddies would be able to generate an attack but would not possess the capability for post-attack activity; or a professional attacker would have the capability of generating an attack, but the defense mechanism would be able to partially stop it, so that the attack does not get the attacker the intended results.
4. Components
   a. Attacking components: the TTPs (Tools, Tactics and Procedures) which were used in past attacks conducted by the attacker. This would give us indicators for defending against the attack.
5. Measurement
   a. This component is important as the measurement of the attack in terms of the number and type of security events generated in the pre-attack condition.
6. What is the threat?
   a. Measurements of the threat of the past attack would help us in mapping the threat findings to our organization.
7. What are the threat vectors?
   a. These vectors would be more of a “type of attack” which would be seen in the attack phase.
8. Where else has the threat vector been seen around the globe?
   a. Historical threat vectors used by the attacker in the past should be a part of the TI information.
9. What was the threat impact?
   a. The historical threat impact on the victims would help to measure the attacker's TTPs.
10. What were the parameters of compromise?
   a. What would be the needed conditions and parameters for a successful compromise to be conducted?
11. What could be the early warnings?
   a. Early warnings and indicators of past attacks conducted by the attacker.
12. What would be a practical and approachable defense mechanism?
   a. Historical data in terms of the approach taken by the defender to defend against the attacks.
13. What would be the business impact?
   a. What was the business impact on victims in terms of data theft, ransomware and business discontinuity?
14. What type of TI for Zero Days?
   a. What information would the TI share for Zero Days in terms of IP addresses, geolocations, domain names, ISP information, file names, MD5 hashes etc.?
15. Pattern of attacks in the past
   a. What patterns were generated by the attackers, or what type of internet traffic (inbound/outbound) was seen in pre-attack conditions?
16. Attack timelines before a successful compromise.
   a. These timelines would help us to understand the skills of the attacker and allow us to decide the maximum time frame to respond against a business-accepted condition of a known vulnerability.
17. Zero Day detection and patterns based on packets, ports and geolocations.
   a. What type of traffic patterns are generated in the case of Zero Days for pre-compromise conditions?
18. What security controls were bypassed, and how?
   a. The historical data of the TTPs for bypassing security controls is very important, as this would give us pinpointed information which would help us to defend against such attacks.
19. Post-compromise (Forensics Investigation) information.
   a. Post-compromise information like:
      i. File names
      ii. MD5 hashes
      iii. Inbound and outbound traffic
      iv. Internal traffic patterns
      v. Detection by internal security controls
      vi. Auto-defense or events generated by security controls
      vii. OS- and application-level errors generated by the attack vector
The above are a few indicators which a TI tool vendor should provide. I strongly believe that if the above information is provided by the vendors, we can surely respond and try to defend against attacks.
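The indicators in point 19 (file names, MD5 hashes, inbound/outbound traffic) only become actionable once a control such as a SIEM matches them against what the organization actually sees. As an added example, not part of the original post, the Python below takes a constructed TI record carrying IPs, a domain, an MD5 hash and a file name, and scans constructed proxy, firewall and endpoint log lines for them, returning each matching event and the indicator types that fired. The feed shape, the key=value log format and every value are assumptions for illustration.

```python
import re

# Constructed TI record (not from any real vendor), shaped the way the post
# argues a feed should be: indicators tied to one attacker campaign.
TI_FEED = {
    "campaign": "constructed-campaign",
    "indicators": {
        "ip": {"203.0.113.45", "198.51.100.7"},            # TEST-NET addresses
        "domain": {"update-check.example.net"},
        "md5": {"aaaaaaaabbbbbbbbccccccccdddddddd"},        # placeholder hash
        "file_name": {"invoice_scan.exe"},
    },
}

# Constructed sample events in a simple key=value format, one per line.
SAMPLE_EVENTS = [
    "proxy src=10.0.0.12 dst=203.0.113.45 host=update-check.example.net url=/c2",
    "fw src=10.0.0.30 dst=192.0.2.10 action=allow",
    "edr host=ws-04 file=C:\\Users\\bob\\Downloads\\invoice_scan.exe md5=AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD",
    "edr host=ws-07 file=C:\\Windows\\notepad.exe md5=0123456789abcdef0123456789abcdef",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Parse the key=value pairs of one constructed log line into a dict."""
    return dict(KV_RE.findall(line))

def match_event(event, feed):
    """Return a list of (indicator_type, value) hits for one parsed event."""
    ind = feed["indicators"]
    hits = []
    for key in ("src", "dst"):               # both directions of traffic
        if event.get(key) in ind["ip"]:
            hits.append(("ip", event[key]))
    if event.get("host") in ind["domain"]:
        hits.append(("domain", event["host"]))
    md5 = event.get("md5", "").lower()       # hashes compare case-insensitively
    if md5 in ind["md5"]:
        hits.append(("md5", md5))
    # Compare only the basename so the indicator is path-independent.
    fname = event.get("file", "").replace("\\", "/").rsplit("/", 1)[-1]
    if fname in ind["file_name"]:
        hits.append(("file_name", fname))
    return hits

def scan(lines, feed):
    """Return (line_index, hits) for every event that matches an indicator."""
    results = []
    for i, line in enumerate(lines):
        hits = match_event(parse_event(line), feed)
        if hits:
            results.append((i, hits))
    return results
```

Running `scan(SAMPLE_EVENTS, TI_FEED)` flags the proxy line (IP and domain) and the first EDR line (hash and file name) while leaving the benign events untouched.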
Comments and inputs are most welcome.