The goal of threat intelligence (TI) is to recognize indicators of attacks as they progress and act upon those indicators in a timely manner. TI is not a mature area for most organizations.
While tools to automate TI exist and are evolving, most organizations are still using informal ad hoc mechanisms or a small number of email and RSS feeds simply to provide background information to staff. For example, many companies have security staff that subscribe to the SANS@RISK: The Consensus Security Vulnerability Alert email list, SANS NewsBites email list, US-CERT Alerts RSS feed, US-CERT Current Activity RSS feed, and US-CERT Bulletins RSS feed.
Annual or quarterly reports from some security vendors also provide useful information. These often provide statistics about the types of attacks organizations have encountered, the duration of breaches, the mean time to detect breaches. That type of information can help organizations set some security priorities. Examples include: Verizon’s annual Data Breach Investigations Report, FireEye’s M-Trends Annual Cyber Threat Report, Secunia’s Annual Vulnerability Review, and Cisco’s Cybersecurity Report that gets issued twice a year.
As a wikipedia article on Cyber Threat Intelligence (CTI) says, “CTI is based on the collection of intelligence using Open Source Intelligence (OSINT), Social Media Intelligence (SOCMINT) , Human Intelligence (HUMINT) or intelligence in the deep and dark webs.” But this means that information is coming from a wide variety of sources, and analysts often come to different conclusions. In order to get a better common understanding, there have been efforts to create CTI standards, similar to how the use of CVEs and CVSS have created a standard for understanding disclosed vulnerabilities. Unfortunately, at this time there are a lot of standards. These include:
- Open Threat Exchange (OTX)
- Structured Threat Information Expression (STIX)
- Collective Intelligence Framework (CIF)
- Open Indicators of Compromise (OpenIOC) framework
- Trusted Automated eXchange of Indicator Information (TAXII)
- Traffic Light Protocol (TLP)
- Cyber Observable eXpression (CybOX)
- Incident Object Description and Exchange Format (IODEF)
- Vocabulary for Event Recording and Incident Sharing (VERIS)
Many security vendors offer CTI data at various price offerings. These vendors include: Cyveillance, Dell, FireEye, IID, RSA, Symantec, and Verisign.
There are also a large number of open source CTI providers. The GIThub repository lists a number of such sources and the types of information they focus on. Organizations seeking to automate CTI should consider starting with some of these sources of information as they evaluate products and develop a plan for adoption.
It is also important to remember that a company with a comprehensive logging program already has its own source of data to analyze for TI. Companies should be analyzing their own log data for indicators. A place to start is by looking at:
- Activity in accounts of former staff
- Activity on same asset with different user names (within short time period)
- Outside-of-hours logins to systems with critical data
- Outside-of-hours systems’ access by system and user
- Brute force logins
- Privileged accounts created or changed
- Remote email access from countries not typically involved in normal business operations
- Remote logins from countries not typically involved in normal business operations
- Repeated unsuccessful logins (administrative and user) by asset
- Systems accessed as root or administrator
- Traffic between test and development or live environments
- User logged in from two or more assets simultaneously
Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. He joined SystemExperts full time in March 2012 and coordinates the SMARTday practice.