This walkthrough will cover TryHackMe’s Introduction to Cyber Threat Intel room.

Type: #TryHackMe
Links: https://tryhackme.com/room/cyberthreatintel

Cyber Threat Intelligence

Cyber Threat Intelligence (CTI) can be defined as evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and actionable advice against them. It can be used to protect critical assets and to inform the decisions of both cyber security teams and business management.

The primary goal of CTI is to understand the relationship between your operational environment and your adversary, and how to defend your environment against any attacks. You pursue this goal by building up your cyber threat context, which means trying to answer the following questions:

Who’s attacking you?
What are their motivations?
What are their capabilities?
What artefacts and indicators of compromise (IOCs) should you look out for?

With these questions, threat intelligence would be gathered from different sources under the following categories:

Internal:
    Corporate security events such as vulnerability assessments and incident response reports.
    Cyber awareness training reports.
    System logs and events.
Community:
    Open web forums.
    Dark web communities for cybercriminals.
External:
    Threat intel feeds (commercial and open-source).
    Online marketplaces.
    Public sources, including government data, publications, social media, and financial and industrial assessments.

CTI Lifecycle

Direction

Every threat intel program requires objectives and goals to be defined, which involves identifying the following parameters:

Information assets and business processes that require defending.
Potential impact to be experienced on losing the assets or through process interruptions.
Sources of data and intel to be used towards protection.
Tools and resources that are required to defend the assets.

This phase also allows security analysts to pose questions related to investigating incidents.

Collection

Once objectives have been defined, security analysts will gather the required data to address them. Analysts will do this by using commercial, private and open-source resources available. Due to the volume of data analysts usually face, it is recommended to automate this phase to provide time for triaging incidents.

Processing

Raw logs, vulnerability information, malware and network traffic usually come in different formats and may be disconnected when used to investigate an incident. This phase ensures that the data is extracted, sorted, organised, correlated with appropriate tags and presented visually in a usable and understandable format to the analysts. SIEMs are valuable tools for achieving this and allow quick parsing of data.

Analysis

Once the information aggregation is complete, security analysts must derive insights. Decisions to be made may involve:

Investigating a potential threat through uncovering indicators and attack patterns.
Defining an action plan to avert an attack and defend the infrastructure.
Strengthening security controls or justifying investment for additional resources.

Dissemination

Different organisational stakeholders will consume the intelligence in varying languages and formats. For example, C-suite members will require a concise report covering trends in adversary activities, financial implications and strategic recommendations. At the same time, analysts will more likely inform the technical team about the threat IOCs, adversary TTPs and tactical action plans.

Feedback

The final phase covers the most crucial part, as analysts rely on the responses provided by stakeholders to improve the threat intelligence process and the implementation of security controls. Feedback should be a regular interaction between teams to keep the lifecycle working.

CTI Standards & Frameworks

Standards and frameworks provide structures to rationalise the distribution and use of threat intel across industries. They also allow for common terminology, which helps in collaboration and communication. Here, we briefly look at some essential standards and frameworks commonly used. This section also highlights MITRE ATT&CK, TAXII, STIX, the Cyber Kill Chain and the Diamond Model, which were previously covered within this learning path.
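As an added example (not part of the TryHackMe room or this post), the following Python ties the Processing phase above to the STIX standard: it pulls observable values out of a small constructed STIX 2.1 bundle and tags the constructed log lines that contain them, the kind of correlation a SIEM automates. The bundle, indicator IDs and log lines are made up for illustration, and the pattern parser only handles single-comparison STIX patterns.

```python
import json
import re

# Constructed STIX 2.1 bundle (sample data, not a real feed).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'bad.example']",
         "labels": ["malicious-activity"], "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "labels": ["malicious-activity"], "valid_from": "2024-01-01T00:00:00Z"},
        # A non-indicator object: the extractor must skip it.
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000004",
         "name": "Phishing"},
    ],
})

# Constructed DNS/proxy log lines to correlate against.
LOG_LINES = [
    "2024-03-01T10:00:01Z host=ws01 dns query=bad.example",
    "2024-03-01T10:00:05Z host=ws02 proxy dst=203.0.113.9",
    "2024-03-01T10:00:09Z host=ws03 proxy dst=198.51.100.7",
]

# Matches only simple single-comparison STIX patterns such as
# [domain-name:value = 'bad.example']; anything else is ignored.
_PATTERN_RE = re.compile(r"^\[(?P<otype>[\w-]+):value\s*=\s*'(?P<val>[^']+)'\]$")


def extract_iocs(bundle_json):
    """Processing phase: map each observable value to its type and indicator id."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _PATTERN_RE.match(obj["pattern"])
        if m:
            iocs[m["val"]] = {"type": m["otype"], "indicator_id": obj["id"]}
    return iocs


def correlate(log_lines, iocs):
    """Tag each log line containing a known IOC value (whole-token match only)."""
    hits = []
    for line in log_lines:
        for value, meta in iocs.items():
            if re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", line):
                hits.append({"line": line, "ioc": value, **meta})
    return hits
```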

This room concludes with a practical analysis of a SIEM dashboard.
