
Cyber Threat Intelligence

Sandeep Singh
OWASP Delhi & null Delhi
30 January 2015
Disclaimer
- I am not an intelligence analyst, but would love to be
- The topic is close to my heart
- Do not expect any FM (Freakin' Magic)
- The objective is to help attendees get familiar with the world of threat intel
Agenda
- Overview of Threat Intel
- Understanding Threat Intel
- What is Cyber Threat Intelligence?
- Types of Threat Intel
- Intelligence Lifecycle
- Threat Intel Classification & Vendor Landscape
- Threat Intel Standards
- Open Source Threat Data/Intel Sources
- Bonus Agenda
What is Threat Intelligence?

Overview
- Buzzword
- Growing field
  - $250M in 2013
  - $1.5B in 2018
- Lots of new service providers entering the market, and still maturing
Threat
- Risk = Vulnerability * Threat * Impact
- Threat = Intent * Capability

We like the term "Threat Actor". It may be any of:
- Cybercrime
- State-sponsored
- Hacktivism
- Insider
- Industry competition
Intelligence
a.k.a. Renseignement, r-enseignement

Environment -> Data -> Information -> Intelligence

- Intelligence is a cyclic process
- Analysis and contextualization
- Models help counter diversity with abstraction

Actionable Intel
- Accurate
- Relevant
- Timely
- Aligned
- Predictive
- Integrated
Cyber Threat Intelligence
- Cyber: area of interest / of collection
- Threat: subject of interest
- Intelligence: process

Key Elements of Threat Intel
Types of Threat Intel

Strategic TI
- Target audience: decision-makers
- Focus on changing risks, high-level topics:
  - Geopolitics
  - Foreign markets
  - Cultural background
- Vision timeframe: years
- Note: You may never have heard of this; could be explained by lack of maturity in orgs

Operational TI
- Target audience: defenders
- Focus on current & future attacks:
  - Who, what, when?
  - Early warning on incoming attacks
  - Social media activity
- Vision timeframe: months, weeks, hours
- Note: Hard for private companies to obtain on advanced attackers; traditionally collected through HUMINT / SIGINT

Tactical TI
- Target audience: architects & sysadmins
- Focus on "TTPs":
  - Attacker modus operandi
  - Blue team / red team tools
  - Exfiltration / C2 methods
  - Persistence / stealth / deception mechanisms
- Vision timeframe: weeks to a year
- Note: The most common form of threat intel (and marketing) produced today; easy to obtain

Technical TI
a.k.a. Data
- Target audience: SOC, IR people
- Focus on raw observables:
  - Indicators of compromise
  - Host and network artifacts
  - Yara, Snort, OpenIOC rules
- Vision timeframe: hours to years
- Note: Man-hours are valuable. Technical TI is abundant. Processing should be as automated as possible.
Weaponry
- Strategic: will feed SWOT, risk assessments, Porter Diamond model, ...
- Tactical: Cyber Kill-chain, Diamond model, ACH
- Operational: OODA Loop, Pyramid of Pain
- Technical: F3EAD, CIF, FIR, MISP, Malcom, Maltego, ...
Intelligence Cycle
Intelligence Cycle applied to CTI in orgs

- Planning: what are you looking for?
- Collection:
  - OSINT/HUMINT
  - Logs/data points inside the org
  - Honeypots/nets/docs, social networks
  - FM-5
- Processing: synthesizing the collected data so that the intelligence analyst can work
- Analysis: finished intelligence
- Dissemination: present to the right audience
Threat Intel - Classification
- Threat Intel Platform
- Threat Intel Enrichment
- Threat Intel Integration

Threat Intel
- Open Source Intel (OSINT)
- Human Intel (HUMINT)
- Technical Intel
- Adversary Intel
- Vulnerability Intel
- Strategic Intel
Vendors
Can you guess the price of commercial threat intel?
- Symantec's 12-month retail subscription to its reputation feed costs $95,300 (INR 6,100,000 approx.)
- FireEye threat intelligence appliances start at around $17,000 and go up to $175,000 per unit
Managing Threat Intel
- As tough as it sounds
- Not mature, but lots of stuff is going on

- MISP - Event-based indicator sharing
- FIR - Incident management platform + indicator correlation
- CRITS - Platform to store threat-related information
- Malcom - Correlation of network traffic with maliciousness feeds
- CIF - Query indicators + variety of output formats
- GRR, osquery - Endpoint hunting
What's so nice about standards
- MITRE - STIX, TAXII, CybOX, MAEC
- IETF - IODEF
- Mandiant - OpenIOC
- VERIS
- MANTIS
Open Source Threat Data Sources

Blacklist IP address sources
- emergingthreats.net
- binarydefense.com
- zeustracker.abuse.ch
- palevotracker.abuse.ch
- feodotracker.abuse.ch
- sslbl.abuse.ch
- spamhaus

Phishing URL sources
- openphish.com

Vulnerability database sources
- scip.ch
- cxsecurity.com
- exchange.xforce.ibmcloud.com
- packetstormsecurity.com

Honeypots/Honeynets
Bonus Agenda

CIF: Collective Intelligence Framework
- Developed by REN-ISAC
- http://csirtgadgets.org/collective-intelligence-framework/
- Does not generate data; it takes sources, normalizes them, and then outputs by given types
- Limited in the types of data it can handle:
  - URLs
  - Domains
  - IPs
  - MD5s
- Certainly more to threat intel than this, but it's a start
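As an added example (not part of the deck and not CIF's own code), a minimal CIF-style normalizer in Python: it takes "source,observable" lines from several constructed feeds, types each observable as one of the four kinds the slide lists (URL, domain, IP, MD5), undoes common defanging ("hxxp", "[.]"), normalizes case, deduplicates across sources and counts what it cannot type. It also illustrates the Processing stage of the intelligence cycle above; the feed names, sample values and the typing rules are assumptions for this illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse, urlunparse

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def classify(raw):
    """Return (type, normalized value) for one observable, or None if it is not a URL, domain, IP or MD5."""
    # Undo common feed defanging so the same indicator from two sources dedups to one entry
    value = raw.strip().replace("hxxp", "http").replace("[.]", ".")
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        pass
    parts = urlparse(value)
    if parts.scheme.lower() in ("http", "https") and parts.hostname:
        # Lowercase scheme and host only; URL paths are case-sensitive
        parts = parts._replace(scheme=parts.scheme.lower(), netloc=parts.netloc.lower())
        return ("url", urlunparse(parts))
    lowered = value.lower()
    if MD5_RE.match(lowered):
        return ("md5", lowered)
    if DOMAIN_RE.match(lowered):
        return ("domain", lowered)
    return None

# Constructed sample feed (documentation-reserved names, not real indicators): "source,observable"
SAMPLE_FEED = """\
ipfeed,192.0.2.44
ipfeed,198.51.100.7
phishfeed,http://example.test/Login.php
phishfeed,hxxp://Example.TEST/Login.php
domainfeed,example[.]test
hashfeed,D41D8CD98F00B204E9800998ECF8427E
hashfeed,not-a-hash
"""

def normalize_feed(text):
    """Merge 'source,observable' lines into {type: sorted unique values} plus a count of rejected lines."""
    by_type = {"ip": set(), "domain": set(), "url": set(), "md5": set()}
    rejected = 0
    for line in text.splitlines():
        _source, _, observable = line.partition(",")
        result = classify(observable)
        if result is None:
            rejected += 1
            continue
        by_type[result[0]].add(result[1])
    return {k: sorted(v) for k, v in by_type.items()}, rejected
```

Running `normalize_feed(SAMPLE_FEED)` on the constructed feed merges the two spellings of the phishing URL into one entry and rejects only the untypeable "not-a-hash" line.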
CIF Architecture
F3EAD
- A target-centric approach to intelligence analysis
- Bridge between operations and intelligence
- a.k.a. Hunting
Conclusion
- TI is closely related to traditional intelligence
- Models help but have limitations
- The quality of your TI directly influences the quality of your response
- Tools to store, analyze, and share intelligence exist, but there's room for improvement
References:
- http://sroberts.github.io
- http://direct.tomchop.me/slides
- http://frodehommedal.no/presentations/first-tc-oslo-2015
- https://www.mwrinfosecurity.com/system/assets/909/original/Threat_Intelligence_Whitepaper.pdf
- Google
Q&A

Thank you,
Sandeep Singh, Chapter Leader, OWASP Delhi & null Delhi
sandeep.singh@owasp.org
san@null.co.in
@Sandy1sm
