[Cybrary] Intro to Cyber Threat Intelligence course notes

As I said in my last post, I joined invinsec as a Security Incident Handler on the past June 28th, damn, these 2 weeks passed fast as hell, out of nowhere i find myself writing this post in my third week :DD.
Anyway, I was tasked to take some courses from Cybrary, in order to prepare myself to the job, is like an official/unofficial training lol, but the course list is huge and I have to hurry up to finish it, so I started with the course Intro to Cyber Threat Intelligence, it's a nice course on... well the title says it, So while i was watching the video i started writting some notes to remember what the videos/course said, and now I decided to post them here, to have online copy and to make them available to anyone who might find them useful.

The course videos are in total 4 hour long ( I swear they are more), but with time and patience it can be finished, just have patience, as this topic has a lot of theory and sometimes it could feel boring.

Some terminology:
  • Indicators of Attack (IoA): Any kind of suspicious network activities or problems that might be happening.

  • Indicators of Compromise (IoC): Actual evidence that something happened, information is missing or corrupt, antivirus/firewall software is deactivated.

  • TTPs: Tactics, Techniques and Procedures, it is operational tests performed in some scenarios/environment that indicates problems, could be identification of threads, vulnerabilities or that procedures don’t work anymore, example is Risk Assessment tests.

  • CRITs: Collaborative Research into Threats.

  • MITRE -> Database with malware information.

  • Raw data & Aggregated data: Raw data is information that comes from some device in the network or any source that is not ready to be consumed nor it is in a format that facilitates its usage, it needs to be examined, filtered and processed to be made into something useful. The Aggregated data is the information that comes from different aggregated sources, that might not seem interesting separated but once the data is put together something appears and becomes clearer.

  • SIEM: Security Information & Event Management products that manage logs and help categorize them in order to detect/monitor potential attacks.

  • IDS: Intrusion Devices that detect and prevent attacks, most of the time they work in the firewall level.

Attack Stages:
  1. Reconnaissance
  2. Scanning
  3. Access and Privilege Escalation
  4. Exfiltration (hiding and gather information in a hidden place)
  5. Sustainment (keeping access in the system)
  6. Assault (steal more information, destroy it, change a system, whatever is done by the attacker inside the system or network)
  7. Obfuscation (hiding tracks)

It's important to validate external information to avoid bad intelligence.

Indicator of IOCs:

  • Unusual amount of outbound traffic.
  • Unusual amount of activity on privileged accounts.
  • Login related issues.
Tactical Thread Intelligence:
  • Tactical Thread Intelligence analyst role: What should an organization focus during incident response?
    • Look at alerts from IDS, check network infrastructure and all the sources that could provide information related to the event when the incident is happening.
  • Cognitive Bias : When you deviate from norm or rationality in judgement due to interfering factors such as people, situations or anything that make you have a biased 'opinion' of an event.
  • Confirmation bias: tendency to search for, interpret and recall information in a way that confirms one's preexisting beliefs or hypotheses, while giving less consideration/attention to other possibilities.
The IOC Lifecycle:
  1. Discover
  2. Analyze
  3. Leverage

Some tools: FireEye has interesting tools on IOC investigation, it can be checked on their website.

Operational Thread Intelligence Analyst Role:
  • Focused on day to day environment
  • Adversary Oriented activities:
    • Analysis of intruder TTPs.
  • Analyze information collected from internal and external sources:
    • Emphasize on credible threat feeds.
    • Focus on emerging technology.
  • Distribute information that gets generated and distribute it on actors, campaigns, opportunities and intent.

It’s always important to share information with other teams and analysts because it improves the overall analysis of the event and comparing the data with IoCs/IoAs found by other teams is useful since it could correlate it with other events and might be able to detect an advanced attack and escalate the event to a incident.

Information Sharing and Analysis Center (ISAC): A organization that provides resources for information gathering on cyber threats and a way to share information between the private and public sector. Some of its activities include:

  • Establish a plan for data collection.
  • Identify key stakeholders from companies.
  • Specify producers/consumers of information.
  • Create incentives for stakeholders.
  • Analyze, store and share information.
The Diamond model:
        Infrastructure  /     \  Capability
                        \     /

First Malware is discovered in the victims infrastructure, then after researching its capabilities and how it behaves, we need to research the malware and find its C&C, and which ip/infrastructure is related to it, then we check in our logs/firewall/network monitoring software if there are more clients communicating with the C&C using the host/ip of the C&C and finally based on the ip we could somehow determine who is the adversary using the ip and gathering more information on the host.

  • Thread actors: The ones performing the attack, they could be cyber criminals, hacktivists, state sponsored cyber attack groups,or an insider.
Strategic Threat intelligence:
  • Is longer than normal threat intelligence analysis, it can take up to months or years, and the analyst must focus on the long term and with some specific goals.
  • Making a long term organization defense plan.
  • Used by senior management in order to measure risks and make risk based detections.
  • Make objectives and a plan that aligns with the business goals.
  • Business risk, cyber treats and that kind of related risks are correlated and analyzed.
Threat Modeling:

Risks assessments involves threat model: (Still on strategic threat intelligence) Change Management and Security Posture:
Analogy is that it is like a castle, has several layers of security(in this case physical), a good infrastructure has different layers of security (physical and cyber) that is used to protect the company assets.

  • Identify: First is important to identify what critical assets the company has and what data could be dangerous in case it gets disclosed.

  • Good Documentation: There should be a handbook and good documentation on incident response, having in mind the multiple cases that could happen in a security breach, like the responses between an incident of a breach/attach against an email server and the incident of a hacked database server are totally different since the data they handle are different, so there should be a plan for each case so if something really happens the cyber security analyst doesn’t have to waste time figuring out how to research and proceed in the incident and can actually focus on

  • Compliance audit: Determine if the assets go in hand with the corresponding policies or even laws, it means that you have achieved a good configuration of your assets and that they are securely handled, examples are such as Password policies, PCI compliance and others.

  • Security Control Assessment: Perform an assessment security analysis from time to time, it can include penetration testing events, perform meetings to review the security policies, check the recent incidents, and evaluate how's the company behaving in stuff related to cybersecurity.**

  • Penetration testing: Helps us to identify the vulnerable assets, what kind of information breach or incident could happen and its effects.

**:The key part of this is that it should be done with some frequency, because if it is done only the first time the policies and controls get reviewed and created, it might happen that the documents get outdated and doesn't include new vulnerabilities, attack vectors, don’t follow the new standards and that could lead to a major incident with the company and its assets. Another important thing is to perform these actions after an event or incident happens, that way the analysts can decide if they company policies are up to date and able to content those kind of attacks.

VERIS - Vocabulary for Event Recording and Incident Sharing:
  • Database with common language to describe security incident, gathers data from customers, vendors and different sources related to cybersecurity, allows sharing between partners.
  • VCDB: VERIS Community Database:
Cyber kill chain:

Nice read on what it is and how it appeared

  • Introduced by Lockheed Martin
  • Received criticism since it focuses more on the 'external' perimeter, and doesn't include a lot of aspects such as insiders, social engineering... And somehow its getting outdated.
  • Steps:
    1. Reconnaissance
    2. Weaponization
    3. Delivery
    4. Exploitation
    5. Installation
    6. C2/C&C Command and control
    7. Action on objectives

Related Read: Operational Levels of Cyber Intelligence

Preparing for the CTI (Cyber Threat Intelligence):
  • Establish incident response procedures
  • Get engagement and support from executives (financial, advocacy, policy)
  • Create a communications plan and identify the stakeholders.

Some tools for OSINT:

Disclaimer: If I made a mistake with some term, I misunderstood something, I wrote something wrong or anything, well, I did my best when writing this, pausing the videos and writing this to remember it better, but maybe I didn't got anything as it was intended, also the course covers a lot more than this (obviously) but maybe it was some topic that I would already know, so I skipped writing that part (I already said this was for my personal use, heh). So if you find something wrong, or want to expand it, or clarify something, don't hesitate to tell me so I can correct the post :) The idea is to share information and to learn a lot more. :D