CTI Fundamentals

Introduction to Cyber Threat Intelligence

Targeted cyber attacks succeed far more often today than they used to. A corporate environment cannot be protected to a near-100% level with security products deployed in the traditional way (firewall, IPS/IDS, NIDS, antivirus). Given that threat actors and APT groups can bypass these mechanisms, threat hunting starts from the assumption that an intrusion will eventually happen: backed by a 24/7 SOC, it aims to detect attackers while they are inside, shorten the time they remain there, prevent the action they came for, and where possible stop them before they get in at all.

Threat hunting and cyber threat intelligence identify the tactics, tools and methods of attackers. Seen in that light, malware slipping past the antivirus does not mean the endpoint protection product is inadequate, a firewall bypassed by tunnelling is not useless, and if an IPS fails to block the traffic generated by a piece of malware, the whole bill for the attack cannot be charged to the security device.

Cyber security has to be handled as a jigsaw puzzle, with every piece in place: secure configuration, access lists, correct integration, a deliberately designed network, system hardening, timely penetration tests, secure software development, the right people and continuous training. Only with that overall vision can security actually be achieved.

Despite all of this, the system can still be hacked. At that point, continuous monitoring from a security operations centre, well-defined rules and alerts, and incident response combined with threat hunting can stop threat groups or APT actors from achieving what they set out to do. It is a continuous process. Devices and products matter, but treating cyber security as something you buy shows a lack of vision and of knowledge. The people, their suitability for the work they do, their knowledge, and the vision and perspective of the team are therefore critical.

To be able to talk about cyber security at all, the systems and network must be properly configured, devices placed in the correct topology, applications developed securely, systems hardened, penetration tests carried out in full, vulnerability scanning and management performed regularly, threat hunting practised, cyber threat intelligence feeds and reports used, and training kept continuous. Underpinning all of this, the right people must be selected and the security organisation chart properly established. It is vital that suitably qualified staff, backed by the right certifications, receive periodic training, and that security managers are chosen for the right vision and skills.

Key Concepts in Cyber Threat Intelligence

What is Cyber Threat Intelligence (CTI)?

Cyber Threat Intelligence (CTI) is a security discipline that collects and analyses information about current and potential risks and attacks threatening an organisation’s physical and digital assets. CTI teams enable the organisations they serve to act as early as possible on the information they provide.

Similar wording appears in the EC-Council definition: “threat intelligence is the examination of data using tools and processes to provide meaningful information about existing or emerging threats targeting the organization that helps manage risks”.

With the data collected, organisations become aware in advance of likely threats and of the parts of the organisation most at risk; institutional knowledge grows and the organisation is prepared for threats.

As a result of threat intelligence work, organisations can focus on current threats and take measures against likely attacks through threat discovery and analysis. The intelligence cycle runs continuously throughout this process.

What is the Purpose of Cyber Threat Intelligence?

The purpose of cyber threat intelligence is to help organisations understand the risks posed by cyber attacks and threats, whether zero-day attacks, malware, APTs (Advanced Persistent Threats), botnets or exploits.

What are the Benefits of Cyber Threat Intelligence?

Cyber threat intelligence aims to raise awareness of threats that affect the organisation directly and of those that may. It is needed to intervene in unwanted events before they happen, so that security controls are used to their full effect and the necessary precautions are taken. Its benefits include data loss prevention, data breach detection, incident response, threat analysis, data analysis and threat intelligence sharing.

Why is Cyber Threat Intelligence so Important?

Cyber threat intelligence identifies and analyses the cyber threats facing your business, which helps you to:

  • Focus on alerts that can be acted upon. Traditional threat intelligence services only offered feeds and IOCs (Indicators of Compromise) that could not be acted upon, whereas organisations increasingly need the latest information about themselves: phishing sites targeting their customers, identified using real-time intelligence on threat actors, botnets and malware as well as information from the deep and dark web.
  • Collect, validate and prioritise external threats. Cyber threat intelligence does the groundwork for your company by providing richer information that lets you implement smarter defensive and hardening procedures.
  • Discover overlooked assets and monitor the attack surface in real time; by constantly watching the shifting attack surface, cyber threat intelligence can reveal blind spots.
  • Prevent data loss by using cyber threat intelligence to identify threats and stop breaches from exposing sensitive information.

Why Do You Need Cyber Threat Intelligence?

Talented, well-resourced, well-organised and technically proficient attackers use methods that technology alone cannot stop. Organisations must understand how attackers operate, which strategies they employ, and how to build a security strategy against them.

Through cyber threat intelligence, businesses can better understand the causes and effects of risks, improve their security procedures, and lower the likelihood of a successful attack on their network.

Why Do You Need a Threat Intelligence Feed?

A cyber threat intelligence feed gives your organisation timely, actionable information about the latest threats and vulnerabilities. That insight helps you prevent future risks to your systems and data and respond to attacks quickly and effectively.

Feeds help you understand the motives and strategies of your adversaries so that you can defend better against future attacks; they also keep you informed of new developments in the field.

In short, a threat intelligence feed can be an invaluable tool for protecting your company from cyber security risks; if you are not already using one, it is worth considering.

The Cyber Threat Intelligence Lifecycle

Cyber threat intelligence forms a closed loop of six phases, usually given as planning and direction, collection, processing, analysis and production, dissemination, and feedback. Each phase hands its output to the next and depends on the one before it, and any type of intelligence can be processed through this cycle.

What are the Types/Categories of Cyber Threat Intelligence?

Strategic Cyber Threat Intelligence

Questions: Who? Why? Where?
A summary of the potential effects of future cyber attacks, based on thorough analysis of patterns and emerging risks.

Operational Cyber Threat Intelligence

Questions: How?
In terms of current and future threats, historical resources, affiliations and the objectives of threat actors, it is mainly used for resource-allocation decisions.

In operational cyber threat intelligence, IoCs are produced by processing the data derived from the attackers’ TTPs; this is the category that answers how the attackers carried out their attacks. Operational and tactical intelligence can be seen as one holistic approach, but they are categorised separately for the sake of detail. The threat hunter does not wait for the systems to raise an alert, but tries to detect potential incidents from an offensive perspective. If security systems could intercept every attack, or sensors could alert on every attack as it happened, there would be no need for threat hunting or threat intelligence.

Tactical Cyber Threat Intelligence

Questions: What? When?
Its primary audience is technical staff, and it gives them more precise information about the tactics, techniques and procedures (TTPs) used by threat actors.

To build a TTP map, MITRE ATT&CK techniques can be mapped onto the phases of the Cyber Kill Chain or onto the Diamond Model.
Which toolkit did the attackers use? When was the attack carried out?

Technical Cyber Threat Intelligence

It concentrates on the technical elements that point to a security threat, such as phishing e-mail subject lines or malicious URLs.



With this information, precautions can be taken in advance, both in preparing for attacks and in detecting them. The information covers the adversary, i.e. the TTPs of attacking groups; IoCs prepared specifically for those groups’ attacks; information published on social media and on threat-sharing platforms such as AlienVault OTX and IBM X-Force; and malicious addresses, domains and hash values. In this way, valuable assets can be protected against malicious actors, whether APT groups, cybercrime groups or hacktivists.

Even before the preparation phase, ask:

  • What assets does your infrastructure contain?
  • Have you organized inventories according to criticality level?
  • Which APT groups can target your data?
  • Do you have a SOC team working 24/7?
  • Has the blue team configured the IPS/IDS/firewalls etc. properly?
  • Is DLP being used?
  • Are you using network-wide NAC or 802.1X authentication?
  • Have you implemented Layer 2 protections such as port security, DHCP snooping, IP Source Guard and Dynamic ARP Inspection?
  • Are access controls and encryption in place where necessary?
  • Do you have any disaster scenarios?
  • How well do you implement standards such as ISO 27001?
  • How hardened are your servers? For example, on Windows Server, do you take advantage of features such as WSUS and EMET? What can and cannot run under the GPO? Is NTLMv1 still allowed on the server?

These are very basic questions. If you have doubts at this point, you should reconsider your entire structure. They will help you categorise your data and your threats.

Threat hunting is the whole of the effort made by blue or purple team members: preparations based on threat analysis, development of attack monitoring, analysis and defence mechanisms on the live network for immediate response, and open source intelligence collection. Threat hunters should know attack techniques well enough to think like attackers, and understand methodologies such as the Cyber Kill Chain so that they can analyse and break the attack chain. They should also be able to collect and analyse threat intelligence reports and protect the system before a likely attack arrives.

Detecting intrusions, stopping an attack before it reaches its goal and permanently removing the attacker’s components are the main responsibilities of the threat hunter.

Let us now briefly touch on the terms that are frequently used in the world of cyber threat intelligence.

What is Intrusion?

Intrusion is an attempt to gain access to a computer network, regardless of the degree of success.

What is Adversary?

An adversary, which we can also think of as a threat, is an individual or group carrying out intrusions or APT attacks. A threat is not a vulnerability or a tool; it is a person or a group targeting computer networks, and APT groups consist of people. Capability, intent and opportunity should all be considered when analysing a threat.

What is Vulnerability?

A vulnerability is a weakness in a system (a software flaw, a misconfiguration, or an unauthorised backdoor) that leaves it open to attack. Having found such a weakness, attackers can, after the necessary steps, attack, damage or take control of the system.

What is Impact?

The effect on a system of a threat actor’s attack; for example, the locking or encryption of systems or files after a ransomware attack.

What is Compromise?

Compromise is the point at which a threat group gains a foothold on the computer or network it has targeted and takes over hosts inside it in order to carry out its intention. Data exfiltration is a common goal that follows compromise, but it is a separate step rather than the compromise itself.

What is Pivoting?

Pivoting is the use of a host the attacker has already compromised as a springboard to reach other systems on the internal network; the resulting movement from system to system is called lateral movement.

What is Victim?

Depending on the type of attack, a person, a computer or a system can be the victim. In a social engineering attack carried out only by phone call the victim is an individual, whereas a server compromised without any human interaction through a remote code execution (RCE) vulnerability is the victim in its own case.

What is Target?

The victim which is targeted in the attack process.

What is IoC (Indicator of Compromise) ?

IoCs (Indicators of Compromise) are the digital traces an attacker leaves behind, used to detect the attack. Hashes, IP addresses, domains, spawned processes and threads, executed commands, modified registry keys, mail headers, executable names, DLL files, strings and similar artefacts can all be used to build IoCs. Once IoCs have been created, other systems can be scanned for them, for example by writing the artefacts into a YARA rule. Both host and network artefacts can be used. On the network side, IoCs can be written around abnormal port usage, packets that do not comply with the RFC, packets carrying attack signatures, transferred files, SQL statements, HTTP packets containing JavaScript, HTTP traffic containing strings such as “shell”, “exec”, “cannot be run in DOS mode”, “exe”, “dll” or “fsock”, and unusual User-Agents. On the host side, connections to ports 80 and 443 that do not originate from a web browser, specific registry entries, netstat output, port states and imported DLLs can be used.

If you can create identifying signatures for the tools used by an attacker group, that provides real protection. Scans made with Nmap show the Nmap banner, Nikto leaves its traces in specific places, and sqlmap leaves equally obvious traces when used for SQL injection; anyone who has done a penetration test will recognise this. APT groups usually either modify existing tools or develop their own from scratch in order to evade security mechanisms as far as possible, but in both cases the tools inevitably leave traces on the network. Once you catch such a trace, an IoC can be extracted from it; the TTP report is then written in preparation for the full report. TTPs also reveal the training and equipment of the attacking group.
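As an added example (not code from the original article), the Python script below applies a small IoC set and scanner User-Agent signatures to constructed proxy/EDR-style log lines, flags the host artefact described above (a non-browser process talking to ports 80/443), and ranks the hits by how hard each indicator type is for the attacker to change, the ordering the Pyramid of Pain discussed below gives. The log lines, hashes, addresses and domains are constructed; the User-Agent fragments for sqlmap, Nikto and the Nmap Scripting Engine are the defaults those tools send and are assumptions to check against the versions you actually face.

```python
"""Match host/network artefacts against an IoC set and tool signatures.

Added example: log lines and indicator values are constructed, not real data.
"""
import re
from collections import namedtuple

# Constructed proxy/EDR-style records: key=value pairs, one event per line.
SAMPLE_LOG = """\
ts=2024-03-01T09:12:03Z src=10.0.0.21 dst=203.0.113.7 dport=443 host=update.example.net ua="Mozilla/5.0 (Windows NT 10.0) Chrome/121.0" proc=chrome.exe sha256=-
ts=2024-03-01T09:12:09Z src=10.0.0.21 dst=198.51.100.10 dport=80 host=xn--pple-43d.com ua="Mozilla/5.0 (Windows NT 10.0) Chrome/121.0" proc=chrome.exe sha256=-
ts=2024-03-01T09:13:44Z src=10.0.0.44 dst=192.0.2.55 dport=443 host=cdn.example.org ua="-" proc=svch0st.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
ts=2024-03-01T09:15:01Z src=10.0.0.9 dst=203.0.113.7 dport=80 host=www.example.com ua="sqlmap/1.7.2#stable (https://sqlmap.org)" proc=python3 sha256=-
ts=2024-03-01T09:16:30Z src=10.0.0.9 dst=203.0.113.7 dport=80 host=www.example.com ua="Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)" proc=perl sha256=-
"""

# Pyramid of Pain tiers: higher means more expensive for the attacker to change.
PAIN = {"hash": 0, "ip": 1, "domain": 2, "artefact": 3, "tool": 4}

# Assumed IoC set (constructed values; the IPs are documentation ranges).
IOCS = {
    "hash": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "ip": {"192.0.2.55", "198.51.100.10"},
    "domain": {"xn--pple-43d.com"},
}

# Tool signatures: User-Agent fragments that common scanners send by default.
TOOL_SIGS = [
    ("sqlmap", re.compile(r"\bsqlmap/", re.I)),
    ("nikto", re.compile(r"\(Nikto/", re.I)),
    ("nmap-nse", re.compile(r"Nmap Scripting Engine", re.I)),
]

# Host artefact: web connections from a process that is not a browser.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
WEB_PORTS = {"80", "443"}

Hit = namedtuple("Hit", "line kind value pain")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def match_record(n, rec):
    """Return every IoC, artefact and tool-signature hit for one record."""
    hits = []
    if rec.get("sha256") in IOCS["hash"]:
        hits.append(Hit(n, "hash", rec["sha256"], PAIN["hash"]))
    if rec.get("dst") in IOCS["ip"]:
        hits.append(Hit(n, "ip", rec["dst"], PAIN["ip"]))
    if rec.get("host", "").lower() in IOCS["domain"]:
        hits.append(Hit(n, "domain", rec["host"], PAIN["domain"]))
    if rec.get("dport") in WEB_PORTS and rec.get("proc", "").lower() not in BROWSERS:
        hits.append(Hit(n, "artefact", "non-browser web client " + rec["proc"], PAIN["artefact"]))
    for name, sig in TOOL_SIGS:
        if sig.search(rec.get("ua", "")):
            hits.append(Hit(n, "tool", name, PAIN["tool"]))
    return hits


def scan(log_text):
    """Scan all records; return hits ordered by pain tier (highest first), then line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            hits.extend(match_record(n, parse_line(line)))
    return sorted(hits, key=lambda h: (-h.pain, h.line))


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line}: [{h.kind}] {h.value} (pain tier {h.pain})")
```

The ordering is the practical point: the two scanner signatures and the three non-browser web clients come out first because a tool or behaviour is costly for the attacker to replace, while the hash match, which a recompile defeats, comes last.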

What is TTP (Tactics, Techniques, Procedures) ?

TTPs (Tactics, Techniques and Procedures) describe the attacker’s method and signature: how the attacker persists in the network, how they pivot and how they steal data. Analysing only hash values is a serious mistake. A hash is a fixed-length value, produced by an algorithm such as MD5 or SHA-256, that identifies a piece of data without being reversible; it is the least durable indicator, because the smallest change to the file gives a different hash. IP addresses can serve as IoCs, but advanced malware uses Tor, VPNs, proxies and dynamic DNS, so they are easy to change; once the IP addresses the malware talks to are blacklisted, the first thing the operators will do is change them. Domain names can also be difficult to use as IoCs, since they can be rotated constantly through dynamic DNS providers and fast-flux networks.

Punycode/IDN attacks make IoCs based on DNS names alone even less sufficient. Because the domain name system is ASCII-based, letters specific to other alphabets such as “ç” and “ö” cannot appear in a domain directly. Internationalised Domain Names (IDN) were introduced so that non-ASCII characters (accented Latin letters, Chinese characters and so on) can be used: the Unicode name is converted with the Punycode encoding into an ASCII label beginning with “xn--”. The danger is that a domain can be spoofed by substituting characters from other scripts that look identical to Latin letters. Rendered in a browser, such a look-alike domain is indistinguishable from the real one at a glance.

IDN attacks are therefore one of the difficulties in using domain names as IoCs. Tools such as EvilURL generate look-alike variants of a domain as different Punycode strings, which an attacker can register and use for phishing. A domain name is of limited use as an IoC against an attacker who changes domains constantly.
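The following Python example, added here and not part of the original article, shows the conversion in both directions using only the standard library’s idna codec and a simple look-alike check: each label is inspected for mixed scripts, and a “skeleton” with confusable characters replaced by their Latin twins is compared against protected domains. The confusables table is a small hand-made subset and the protected-domain list is an assumption; a production check would use the full Unicode confusables data.

```python
"""Decode Punycode (IDN) domains and flag look-alike labels.

Added example, not from the original article. CONFUSABLES is a constructed
subset of the Unicode confusables data, enough to catch Cyrillic/Greek twins
of common Latin letters.
"""
import unicodedata

# Non-Latin letters that render like Latin ones (constructed subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
}


def to_unicode(domain):
    """ASCII/Punycode form (xn--...) to the Unicode form the browser renders."""
    return domain.encode("ascii").decode("idna")


def to_punycode(domain):
    """Unicode form to the ASCII form that appears in DNS and in logs."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """Lower-case, NFKC-normalise and replace confusables with Latin look-alikes."""
    text = unicodedata.normalize("NFKC", to_unicode(domain).lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def scripts_in_label(label):
    """Set of script names ('LATIN', 'CYRILLIC', ...) used by letters in a label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def assess(domain, protected):
    """Return (verdict, reasons) for a domain against a set of protected domains."""
    reasons = []
    uni = to_unicode(domain)
    for label in uni.split("."):
        scripts = scripts_in_label(label)
        if len(scripts) > 1:
            reasons.append(f"mixed scripts in label {label!r}: {sorted(scripts)}")
    skel = skeleton(domain)
    if skel != uni.lower() and skel in protected:
        reasons.append(f"skeleton {skel!r} collides with a protected domain")
    return ("suspicious" if reasons else "ok"), reasons


if __name__ == "__main__":
    protected = {"apple.com", "example.com"}  # assumed brand list
    for d in ("xn--pple-43d.com", "apple.com", "xn--mnchen-3ya.de"):
        print(d, "->", to_unicode(d), assess(d, protected))
```

Note that a legitimate IDN such as münchen.de passes: all its letters are Latin and its skeleton is unchanged, so the check targets script mixing and brand collision rather than non-ASCII names as such.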

The difficulties described above are summarised in the Pyramid of Pain, which ranks indicator types by how much trouble detection causes the attacker, from trivial at the bottom to tough at the top:

  • Hash values: trivial
  • IP addresses: easy
  • Domain names: simple
  • Network/host artefacts: annoying
  • Tools: challenging
  • TTPs: tough

What is Dwelling Time?

Dwell time is the time attackers remain inside a system, from initial access until they are detected. According to Mandiant’s M-Trends 2022 report, the global median was 21 days.

What is Risk Assessment?

In a risk assessment, the organisation’s assets are assessed for vulnerabilities and threats. The report records which assets exist, which are more critical, whether processes such as backup and encryption are in place, and what the impact of an attack on each system could be; disaster recovery scenarios are built on it. A good analyst always thinks like a highly skilled attacker: if someone has entered the system, the analyst should be able to predict their next step. A hunter who reads the risk reports understands the structure better and knows where to focus. In large organisations writing risk reports is not the threat hunter’s job, but in small organisations a single employee with responsibilities in several areas may only get to hunt once a week or once a month. That is not a desirable scenario. What should happen, to give one example, is a SIEM-monitored environment with a 24/7 SOC and a team that continuously monitors and responds to incidents immediately.

What is APT (Advanced Persistent Threat) ?

An APT (Advanced Persistent Threat) is a sophisticated cyber attack, or the malware used in one, deployed in targeted attacks for purposes such as information gathering, espionage or sabotage.

How APTs differ from other attacks:

  • They infiltrate the target system undetected and stay as long as possible, typically sending sensitive information back to the operators.
  • Because they are aimed at a specific target, bypass traditional security mechanisms and operate inside the target organisation for a long time, they are hard to detect.

When the anatomy of APT attacks is analysed, around 90% of them can be seen to start either with shell access obtained on a web server in the DMZ or with a client-side attack (phishing, malware distribution).

Analysing APTs brings difficulties such as zero-day exploits, advanced evasion methods, multi-stage hybrid attacks, and logs that are insufficient, deleted or encrypted.

The steps of an APT attack are covered under the Cyber Kill Chain in the next topic. Even without very advanced attack capabilities, APT groups can work on a target for months because they have plenty of time, personnel and money (directly or indirectly).

APT groups are one of the subjects of cyber threat intelligence. APT group profiles can be found in MITRE ATT&CK: https://attack.mitre.org/groups/

Another study categorises APT groups by country:
https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/

What is Mitre ATT&CK ?

The MITRE ATT&CK framework helps organisations understand the tactics, techniques and procedures (TTPs) used by threat actors and improve their detection, investigation and response capabilities. It is built from real-world observations and is very broad in scope.

ATT&CK, which is supported by many independent researchers and organisations, was started in 2013 with a focus on Windows and has since expanded to cover platforms such as macOS and Linux. It is used not only by defensive blue teams but also by offensive red teams, who can simulate an attack before a real one happens in order to improve the organisation’s defences.

The framework is organised as a matrix in which tactics and techniques are grouped by the adversary’s objective. Tactics are the high-level goals a threat actor pursues at each stage of an attack; techniques are the specific methods used to achieve them.

The ATT&CK Enterprise matrix is the part of the framework users recognise most, because it is commonly used to show things such as the defensive coverage of a system, the detection capabilities of security products, and the course of an incident or a red team engagement. Matrices are also available for industrial control systems (ICS) and mobile devices. Every column of the matrix matters.

The Enterprise matrix has 14 tactics. Each tactic contains specific techniques, and some techniques have their own sub-techniques.

What is Cyber Kill Chain Method/Framework?

The Cyber Kill Chain, developed by Lockheed Martin, is part of its Intelligence Driven Defense model for identifying and preventing cyber attack activity. The model sets out what attackers need to complete in order to achieve their goals.

In the first step, reconnaissance, threat actors collect information about the target actively and passively: domains, IP ranges, open ports, web services running on the target, e-mail addresses, topology, social media accounts, geographical location and the security devices in use.

A sample discovery process: https://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/

In the blog post above, the author asks, about the target: what can be found with Google hacking? How many class B and class C IP ranges are used? Which domains and subdomains? Which technologies and equipment vendors do they prefer? Are there leaks of their data on GitHub or Pastebin? This is a good example of the reconnaissance phase of the Cyber Kill Chain. Let us continue with the remaining steps.

The second step is weaponisation. Here the attacker prepares the payload: making malware fully undetectable (FUD), creating new malware, choosing or developing a web shell suited to the target, and building custom tools for vulnerabilities such as SQL injection, XSS and file upload.

In the third step, delivery, the prepared malware is delivered over channels such as e-mail or web services.

In the fourth step, exploitation, malicious code is executed on the victim to gain access to the system.

In the fifth step, installation, backdoors are installed on compromised systems for persistence.

In the sixth step, command and control (C2), the implant opens a channel back to the attacker, and in the seventh, actions on objectives, the threat group carries out operations such as data exfiltration to achieve its goal.

Together these steps form the Cyber Kill Chain.

What is STIX & TAXII ?

As noted earlier, IoCs are the evidence that malicious activity leaves behind on the network or on systems. IoCs created after TTP analysis are used to detect attack artefacts, infected systems and other threats, so that attackers can be stopped at an earlier stage before they achieve their purpose. Several standards exist for writing and exchanging IoCs.

STIX (Structured Threat Information Expression)

STIX is a structured language for describing and sharing threat intelligence, including IoCs, quickly and consistently. STIX 1.x was XML-based; the current STIX 2.x versions use JSON.

TAXII (Trusted Automated Exchange of Intelligence Information)

TAXII is designed for distributing threat intelligence written in STIX. STIX can be thought of as the standard format for the information and TAXII as the transport protocol that carries it.
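As an added example (not code from the original article), the Python below builds a minimal STIX 2.1 bundle by hand: an Indicator whose pattern carries a file hash and a domain, a Malware object, and the “indicates” Relationship between them, which is the kind of object set a TAXII collection would serve. It also evaluates the indicator pattern against an observation. The pattern evaluator is deliberately limited to a single observation expression with top-level OR; full STIX patterning (AND, temporal qualifiers, nested expressions) needs a real library such as stix2-patterns. The hash, domain and names are constructed, and the object IDs are random UUIDs generated at run time.

```python
"""Build a STIX 2.1 indicator bundle and evaluate its pattern.

Added example, not from the original article; standard library only, so it
runs offline. In practice the stix2 Python library generates these objects.
"""
import json
import re
import uuid
from datetime import datetime, timezone

SPEC = "2.1"


def _now():
    # STIX timestamps: UTC, millisecond precision, trailing Z.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _id(stix_type):
    # STIX Domain Objects use "<type>--<UUIDv4>" identifiers.
    return f"{stix_type}--{uuid.uuid4()}"


def _base(stix_type):
    ts = _now()
    return {"type": stix_type, "spec_version": SPEC, "id": _id(stix_type),
            "created": ts, "modified": ts}


def make_indicator(name, pattern, indicator_types=("malicious-activity",)):
    obj = _base("indicator")
    obj.update({"name": name, "indicator_types": list(indicator_types),
                "pattern": pattern, "pattern_type": "stix",
                "valid_from": obj["created"]})
    return obj


def make_malware(name, is_family=False):
    obj = _base("malware")
    obj.update({"name": name, "is_family": is_family})
    return obj


def relate(source, relationship_type, target):
    obj = _base("relationship")
    obj.update({"relationship_type": relationship_type,
                "source_ref": source["id"], "target_ref": target["id"]})
    return obj


def make_bundle(*objects):
    return {"type": "bundle", "id": _id("bundle"), "objects": list(objects)}


def to_json(bundle):
    return json.dumps(bundle, indent=2)


# One comparison: "<type>:<path> = '<value>'", e.g. file:hashes.'SHA-256' = '...'
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def pattern_matches(pattern, observation):
    """observation maps STIX object paths (e.g. "domain-name:value") to values.

    Supports a single observation expression whose comparisons are joined by
    OR; anything else is rejected rather than silently mis-evaluated.
    """
    if "AND" in pattern or "FOLLOWEDBY" in pattern or "]" not in pattern:
        raise ValueError("unsupported pattern: " + pattern)
    comparisons = COMPARISON.findall(pattern)
    if not comparisons:
        raise ValueError("no comparisons found in: " + pattern)
    return any(observation.get(path) == value for path, value in comparisons)


if __name__ == "__main__":
    # Constructed hash and domain for illustration.
    ind = make_indicator(
        "Dropper hash and phishing domain",
        "[file:hashes.'SHA-256' = "
        "'9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' "
        "OR domain-name:value = 'xn--pple-43d.com']",
    )
    mal = make_malware("ConstructedDropper")
    print(to_json(make_bundle(ind, mal, relate(ind, "indicates", mal))))
    print(pattern_matches(ind["pattern"], {"domain-name:value": "xn--pple-43d.com"}))
```

Keeping the pattern in the Indicator object rather than as loose hashes is what makes the intelligence shareable: the consumer can evaluate the same pattern text against its own observations, and the Relationship records why the indicator matters.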

—–

IoCs can also be written in the OpenIOC format, and YARA can be used to scan networks and systems with rules built from them. YARA is a tool that helps malware analysts investigate, identify and classify malware.

Free and Open Source Cyber Threat Intelligence Sharing Platforms

Open source threat intelligence sharing platforms can also be used to collect information, or be integrated with your systems, to prepare for threats. Examples include the AlienVault OTX and IBM X-Force platforms mentioned above and the open source MISP project.

Author

Cyberthint

Cyberthint is a unified cyber threat intelligence platform: everything you need on a single platform. With Cyberthint you can monitor and identify advanced threats and take early action.