TINAELLIS\Cybersecurity

Welcome to my blog!

Home Projects .py TI Linux DFED Networks Community

Threat Intelligence Fundamentals

Identifying Intelligence Requirements (IR)

The first stage in the intelligence cycle is identifying the information that the decision makers need. The following example questions can help as a starting pointing when you're trying to identify the IR of an organization

What's the mission of my organization?
What threat actors are interested in my organization's industry?
What threat actors are known for targeting my area of operation?
What threat actors could target my organization in order to reach another company we supply a server for?
Has my organization been targeted previously? If so, what type of threat actor did it? What were its motivations?
What asset does my organization need to protect?
What type of exploits should my organization be looking out for?

Collection Management Framework (CMF)

Once we have identified the intelligence requirements, we can begin collecting the raw data we need to fulfill them. There are two types of sources we can reference: internal sources (networks and endpoints), and external sources (blogs, threat intel feeds, reports, databases, etc.).

Using a collection management framework can aid with this process. Using a CMF allows you to identify data sources and track the info you are gathering for each.

CMF example - Dragos
CMIF example - Software Engineering Institute

Intelligence Frameworks

The following are three of the most commonly used intelligence frameworks that allow us to process and exploit the collected data so that it can be turned into intelligence.

The Cyber Kill Chain

Developed by Lockhead Martin, the Cyber Kill Chain is a means to identify the steps the threat actor should follow in order to achieve their objective. While this model does not fully encompass all the strategies involved in modern attacks, it does provide delimiting points at which an attack can be stopped. The seven steps include

Reconnaissance: Getting to know the victim using non-invasive techniques.
Weaponization: Generating the malicious payload that is going to be delivered.
Delivery: Delivering the weaponized artifact.
Exploitation: Achieving code execution on the victim's system through the exploitation of a vulnerability.
Installation: Installing the final malware piece.
Command and Control (C2): Establishing a channel to communicate with the malware on the victim's system.
Actions on objectives: With full access and communication, the attacker achieves their goal.

The Diamond Model

The Diamond Model provides a way to track breach intrusions by helping us establish the atomic elements involved. It compromises four main features: adversary, infrastructure, capability, and victim. These features are connected by the sociopolitical and technical axes.

Applying Threat Intelligence to the Diamond Model of Intrusion Analysis - RecordedFuture

MITRE ATT&CK Framework

The MITRE ATT&CK Framework is a descriptive model used to label and study the activity that a threat actor is capable of carrying out in order to get a foothold and operate inside an environment. One of the reasons this framework is so widely used, is that it provides a common taxonomy for the cybersecurity community to describe the adversary's behavior. This framework works as a common language that both offensive and defensive researchers understand.

MITRE ATT&CK

Study notes and excerpts taken from Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools, by Valentina Costa-Gazcón.