By Robert M. Lee
In the previous blog posts in this series, we looked at cyber intelligence and some of its different focus areas, including intelligence collection operations and counterintelligence. In the final post of the series, we will take a look at threat intelligence and discuss some of its elements.
First and foremost, we need to answer the question – what is threat intelligence? Gartner has defined threat intelligence as: “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
In its entirety, this is a good definition but what does it all mean? How can threat intelligence benefit us?
Threat is often an abused term, especially since a threat to one organization may not be a threat to another. Many organizations fail to identify threats and thus usually allocate security resources to the wrong areas, or spend too long on processes such as risk and vulnerability analysis instead of mitigating and fixing issues.
In order for a threat to exist, there must be a combination of intent, capability and opportunity. Without all three factors, the ‘menace’ facing a person or organization isn’t a concern at that time. As we break down the components of a threat, we see three distinct areas that are important to understand:
- Intent is a malicious actor’s desire to target your organization
- Capability is their means to do so (such as specific types of malware)
- Opportunity is the opening the actor needs (such as vulnerabilities, whether it be in software, hardware, or personnel)
As an example, if an actor has the intent and capability but the organization is not vulnerable or there is no opportunity present, then the actor is simply not a threat. This basic understanding is extremely important with regards to threat intelligence and why the term is often abused.
Threat intelligence is often presented in the form of Indicators of Compromise (IoCs) or threat feeds, although despite various attempts by vendors, it does not come in the form of an XML spreadsheet. Hence, threat intelligence requires organizations to understand themselves first and then understand the adversary (admittedly, a very Sun Tzu styled approach).
If an organization does not understand its assets, infrastructure, personnel and business operations, it cannot tell whether it is presenting an opportunity to malicious actors. If an organization does not understand itself well enough to identify what malicious actors might want from it, then it cannot properly recognize the intent of those actors.
Capabilities tend to be easier to identify because many capabilities are public and others are used effectively time and time again, such as phishing emails. There are novel capabilities out there that good threat intelligence can identify, as well as trends of what type of capabilities are being used most for specific targets, but organizations that fail to perform the basics simply do not get the most out of threat intelligence.
Threat intelligence is analyzed information about the intent, opportunity and capability of malicious actors. As a type of intelligence, it is still performed through the intelligence lifecycle: plan, collect, process, produce and disseminate information. The key difference is that it’s focused on identifying threats. This information must be matched against an organization to determine if the threat intelligence is valuable to that organization.
This is where the planning phase becomes vital. If the organization that is receiving threat intelligence does not know how to identify what information is applicable to them – the threat intelligence will be mostly useless. At some point, someone has to make the decision on whether the intelligence is applicable. It can be the vendor tailored to your needs, it can be the customer and ideally it will be both. However, if no one is tailoring threat intelligence it is just an inapplicable mass of data.
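The matching the post describes, a threat report only matters when the actor's intent, the actor's capability and an opportunity in your own environment line up, can be written down as a small triage routine. The following is an added example, not code from the post or from any vendor; the organization profile, the actor names, the software names and the reports are all constructed, and the `vulnerable_through` / `requires_internet_facing` fields are an assumed shape for a report, not any real feed format.

```python
"""Triage constructed threat reports against a constructed organization profile.

A threat exists only when intent, capability and opportunity all line up.
Each report is scored on the three factors so that the output says not just
"threat / not a threat" but which factor is missing. All data is constructed.
"""
from dataclasses import dataclass


@dataclass
class OrgProfile:
    sector: str
    # hostname -> {"software": {name: version}, "internet_facing": bool}
    assets: dict
    # Constructed proxy for the "personnel" opportunity the post mentions.
    user_training: bool


@dataclass
class ThreatReport:
    actor: str
    targeted_sectors: set
    # Each capability is a dict: {"kind": "exploit", "software": ..., "vulnerable_through": ...}
    # or {"kind": "phishing"}. This shape is an assumption for the example.
    capabilities: list


def version_tuple(version: str) -> tuple:
    """Turn '2.3' into (2, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def has_intent(report: ThreatReport, org: OrgProfile) -> bool:
    """Intent: does the actor target the sector this organization is in?"""
    return org.sector in report.targeted_sectors


def opportunities(report: ThreatReport, org: OrgProfile) -> list:
    """Opportunity: where could one of the actor's capabilities actually land here?"""
    found = []
    for cap in report.capabilities:
        if cap["kind"] == "phishing":
            if not org.user_training:
                found.append(("personnel", cap))
            continue
        for host, info in org.assets.items():
            installed = info["software"].get(cap["software"])
            if installed is None:
                continue
            if cap.get("requires_internet_facing") and not info["internet_facing"]:
                continue
            if version_tuple(installed) <= version_tuple(cap["vulnerable_through"]):
                found.append((host, cap))
    return found


def assess(report: ThreatReport, org: OrgProfile) -> dict:
    """Score one report on the triad; it is a threat only if all three hold."""
    intent = has_intent(report, org)
    capability = bool(report.capabilities)   # a report with no known capability is intent only
    opps = opportunities(report, org)
    return {
        "actor": report.actor,
        "intent": intent,
        "capability": capability,
        "opportunity": bool(opps),
        "is_threat": intent and capability and bool(opps),
        "exposed": [where for where, _ in opps],
    }


# Constructed organization: an energy-sector company with two assets.
ORG = OrgProfile(
    sector="energy",
    assets={
        "web01": {"software": {"ExampleCMS": "2.3"}, "internet_facing": True},
        "hr-db": {"software": {"ExampleDB": "5.1"}, "internet_facing": False},
    },
    user_training=True,
)

# Constructed reports, one per way a report can fail to be a threat.
REPORTS = [
    ThreatReport("ACTOR-A (constructed)", {"energy", "water"},
                 [{"kind": "exploit", "software": "ExampleCMS",
                   "vulnerable_through": "2.4", "requires_internet_facing": True}]),
    ThreatReport("ACTOR-B (constructed)", {"finance"},        # no intent toward energy
                 [{"kind": "exploit", "software": "ExampleCMS",
                   "vulnerable_through": "2.4", "requires_internet_facing": True}]),
    ThreatReport("ACTOR-C (constructed)", {"energy"},         # we run a newer version
                 [{"kind": "exploit", "software": "ExampleDB", "vulnerable_through": "4.9"}]),
    ThreatReport("ACTOR-D (constructed)", {"energy"},         # phishing, but staff are trained
                 [{"kind": "phishing"}]),
    ThreatReport("ACTOR-E (constructed)", {"energy"}, []),    # intent only, no known capability
]


def triage(reports=REPORTS, org=ORG) -> list:
    """Return the assessment for every report against the organization."""
    return [assess(r, org) for r in reports]


if __name__ == "__main__":
    for result in triage():
        print(result)
```

Only ACTOR-A comes out as a threat: the other four each lack one leg of the triad, which is exactly the tailoring step the post says someone has to perform before a feed is useful. The same structure works if the "organization" is one business unit and the report comes from an ISAC or vendor.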
The ability to produce or consume threat intelligence tailored to your organization can provide actionable strategic and tactical choices that impact security. One way to share tactical-level threat intelligence, and in return help identify the bigger picture for strategic choices, is through the use of Indicators of Compromise.
Indicators of Compromise
Threat intelligence is usually presented in either the form of strategic or tactical intelligence. Strategic threat intelligence would be the broader and higher-level abstracts of the data to identify threats and how the organization needs to react to mitigate the threat. As an example, a business that identifies a certain group located in China is a threat to them might make strategic economic, political and business operation choices to mitigate the exposure to that group. Additionally, strategic decisions can be made on where security budgets are allocated and what focuses personnel are asked to have.
Tactical threat intelligence generally deals with attempting to collect the right type of network information, analyzing it, identifying the threats and responding. This process is usually best presented in Network Security Monitoring, where threat intelligence gives analysts IoCs to use in the search for evidence of an intrusion.
IoCs usually present themselves in the form of Atomic (such as IP and email addresses), Computed (such as digital hashes of malicious files) and Behavioral (such as a profile of an actor’s patterns) indicators. For a good discussion on IoCs see Michael Cloppert’s Security Intelligence: Attacking the Cyber Kill Chain.
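To make the three IoC kinds concrete, here is an added example (not code from the post or from any of the works it cites) that matches each kind against a handful of constructed events. The indicators, the event records, the addresses (documentation ranges) and the "attachment" bytes are all constructed; using regular-interval beaconing as the behavioral indicator is this example's choice, one of many patterns a behavioral IoC could describe.

```python
"""Match atomic, computed and behavioral IoCs against constructed events.

Atomic: a listed IP or sender address seen directly in an event.
Computed: the SHA-256 of an attachment equals a listed hash.
Behavioral: a host contacting the same destination at near-constant intervals
(beaconing). Everything below is constructed for the example.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed stand-in for a file an analyst hashed; not real malware.
SAMPLE_ATTACHMENT = b"constructed sample attachment bytes"

INDICATORS = {
    "atomic": {"ip": {"203.0.113.7"}, "email": {"billing@invoice-example.test"}},
    "computed": {"sha256": {hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()}},
    # Behavioral: at least N connections to one destination with little timing jitter.
    "behavioral": {"beacon": {"min_connections": 4, "max_jitter_seconds": 5.0}},
}

T0 = datetime(2024, 1, 1, 9, 0, 0)


def _net(offset_s: int, src: str, dst: str) -> dict:
    return {"kind": "net", "ts": T0 + timedelta(seconds=offset_s), "src": src, "dst": dst}


# Constructed events: one mail with a listed sender and hashed attachment, one
# connection to a listed IP, one host beaconing every ~60 s, one host with
# irregular traffic that should not trip the behavioral check.
EVENTS = (
    [
        {"kind": "mail", "ts": T0, "sender": "billing@invoice-example.test",
         "recipient": "alice@corp.example", "attachment": SAMPLE_ATTACHMENT},
        _net(30, "10.0.0.5", "203.0.113.7"),
    ]
    + [_net(60 * i + jitter, "10.0.0.8", "198.51.100.9")
       for i, jitter in zip(range(1, 6), (0, 2, -1, 3, 1))]
    + [_net(t, "10.0.0.9", "198.51.100.20") for t in (5, 40, 400, 410, 900)]
)


def match_atomic(events, ind=INDICATORS["atomic"]) -> list:
    """Direct equality against listed addresses; cheap, but trivially changed by an actor."""
    hits = []
    for e in events:
        if e["kind"] == "net" and e["dst"] in ind["ip"]:
            hits.append(("ip", e["src"], e["dst"]))
        elif e["kind"] == "mail" and e["sender"] in ind["email"]:
            hits.append(("email", e["recipient"], e["sender"]))
    return hits


def match_computed(events, ind=INDICATORS["computed"]) -> list:
    """Hash the observed artifact and compare against listed digests."""
    hits = []
    for e in events:
        if e["kind"] == "mail" and e.get("attachment") is not None:
            digest = hashlib.sha256(e["attachment"]).hexdigest()
            if digest in ind["sha256"]:
                hits.append(("sha256", e["recipient"], digest))
    return hits


def match_behavioral(events, ind=INDICATORS["behavioral"]) -> list:
    """Group connections per (src, dst) and flag regular intervals; survives IP changes."""
    cfg = ind["beacon"]
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "net":
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < cfg["min_connections"]:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= cfg["max_jitter_seconds"]:
            hits.append(("beacon", src, dst))
    return hits


def run(events=EVENTS) -> dict:
    """Run all three matchers and return their hits keyed by IoC kind."""
    return {
        "atomic": match_atomic(events),
        "computed": match_computed(events),
        "behavioral": match_behavioral(events),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

The three matchers differ in how much analyst work they encode: the atomic check is a lookup, the computed check needs the artifact in hand, and the behavioral check needs an analyst to have characterized the pattern and chosen thresholds that fit the organization's own traffic, which is the tailoring the post keeps coming back to.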
Understanding how to generate and use IoCs requires knowledge in intrusion analysis (The Diamond Model for Intrusion Analysis and Psychology of Intelligence Analysis are pieces I often recommend for improving analysis skills).
Identified IoCs can then be shared through various standards, such as STIX/TAXII and OpenIOC. Specific industries can often get help receiving and sharing threat data through Information Sharing and Analysis Centers (ISACs). Especially for larger organizations, the ISACs are a great starting point for identifying threats to specific industries.
There is no way to cover all of threat intelligence but there are a few takeaways that are vital and can help give people and organizations a head start in this field.
- Beyond the very specific, the things you are looking to understand have been written about or encountered by numerous individuals – gather information that is available before reinventing the wheel. Use known processes and then tailor them to your needs.
- Tools do not provide intelligence. Data feeds do not give threat intelligence. There are no “intelligent” data feeds. Intelligence of any type requires analysis. Analysis is performed by humans. Automation, analytics and various tools can drastically increase the effectiveness of analysts but there must always be analysts involved in the process.
- No matter how much access you have to intelligence, it will be nearly worthless without your ability to identify what is applicable to you or your organization. Knowing your organization, from the business processes to the assets and services on the network, is required.
- The basics of security eliminate countless threats to organizations. Once the basics are accomplished, more advanced processes, such as threat intelligence, add value and help organizations identify, mitigate and respond to advanced adversaries. You do not have to do the basics to perfection, but there must be an identified point where you are no longer receiving a return on investment before attempting more complex methods.
Defense is actually difficult when there are countless threats out there. However, know thyself first and then learn about your adversary with intelligence processes. Accomplishing these two things, as difficult as they may be, makes defense doable and returns the upper hand to the defender. A strong approach towards the basics and a critical eye to discern hype from fact can make cyberspace based intelligence extremely powerful for an organization.
About the Author: Robert M. Lee (@RobertMLee) is an Adjunct Lecturer at Utica College and an instructor at SANS. He is also Co-Founder of Dragos Security LLC, a cybersecurity company. Additionally, Robert is an active-duty U.S. Air Force Cyberspace Operations Officer – his views and this article are his own and do not represent or constitute an opinion by the U.S. Government, DoD or USAF. He has also published and presented on cybersecurity topics in publications and conferences around the world.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.