As cyberattacks get more sophisticated, the cyberworld needs a new line of security defenses. This increasing complexity has given rise to greater attack surfaces, which, in turn, led to changes in cyberattacks in forms, sophistication, and functions. These attacks are conducted by well-funded and organized threat actors whose aims range from financial gains to political aims.
With conventional defenses falling short, there is a need for a real-time system for threat intelligence sharing. Advanced Threat Intelligence Platforms (TIPs) offer the ability to receive and share intelligence from TI providers, peers, affiliates, information sharing communities (ISACs/ISAOs), OSINT sources, and dark web. However, there are different types of threat intel for different needs - strategic, tactical, technical, and operational. This educational guide will focus on technical threat intelligence.
What is Technical Threat Intelligence?
Technical threat intelligence
refers to the information obtained from a threat data feed. Simply put, the information consists of technical details of an adversary’s assets, including
the type of attack vector used, Command and Control (C&C) domains employed,
vulnerabilities exploited, and more. As it
focuses on certain indicators and quick dissemination and response, its usable lifespan is shorter as compared to other types of threat intelligence
. It basically caters to the monitoring or investigative functions of an organization, such as firewalls and endpoint security solutions, as well as containment and response functions to address malicious traffic.
Sources of Technical Threat Intelligence
Threat actors or the nature of attacks are not the only things that concern security teams. They are required to be aware of the data fundamentals related to these attacks, which are known as Indicators of Compromise (IOCs). These indicators are collected from active campaigns, data feeds provided by external sources (TI providers, peers, affiliates, information sharing communities, OSINT sources, and dark web), and attacks conducted on other organizations.
IOCs can be classified into three categories:
These can be found in domain names and URLs for C&C and link-based malware delivery. They may comprise IP addresses used to identify attacks from known compromised systems and servers.
A detailed analysis of an infected computer will display these indicators. The most ubiquitous ones include MD5 or SHA-1 hashes of binaries. Other indicators include file artifacts or registry keys as they are not frequently modified by adversaries.
This category of indicators is created when threat actors send socially engineered (phishing or spear-phishing) emails to targets.
Sharing threat intelligence between organizations is a crucial step for defending against cyberattacks. TIP exists for this exact purpose. With efficient collection and automation from a diverse set of sources, a TIP provides extensible, flexible, machine-parsable, and human-readable actionable threat intelligence. Various standards, such as STIX/TAXII, CybOX, OpenIOC, and MAEC, among others, exist for sharing threat information in a standardized way. STIX can embed OpenIOC and CybOX extensions for YARA rules. MITRE ATT&CK Navigator can be utilized by security teams to demarcate and classify adversarial behaviors from real-world observations. It is an organized list of known adversarial behaviors collated into tactics and techniques and implemented in various matrices and STIX/TAXII.
Using Technical Threat Intelligence
With the vast quantity of technical threat data, security teams may get carried away. Thus, there are the following rules to ensure that an organization is able to extract the maximum value:
Supply cannot drive demand
Among all the types of threat intel, technical intel is most likely to be poorly executed. Hence, the best way to optimize it for organizations would be by detecting artifacts from malware that are used to target organizations in a specific vertical.
It is impossible to disseminate manually propagated technical indicators because of their short shelf life and huge quantity. Hence, the formats—STIX/TAXII, CybOX, OpenIOC, and MAEC—mentioned above should be used to standardize the sharing of technical indicators collected through security tools, such as firewalls, blacklists, content and email filters, and intrusion detection systems. These indicators are also accumulated from external sources, such as OSINT, data from independent security researchers, private or commercial threat intelligence feed, publicly available threat indicator blocklists, and vendor blogs.
As the cyber landscape keeps evolving, new entry points surface, and IOCs change. Technical threat intelligence assists in unearthing new malware and furtive cyber attacks, selectively disseminating threat data, and issuing early warnings. It aims to prevent attacks or shorten the timeframe between compromise and detection. Consumption of technical intelligence in an automated manner and placing it into rule sets for network security devices ensure efficacy.