Introduction to Cyber Threat Intelligence PDF
Yihao Lim
Summary
This document provides an introduction to cyber threat intelligence, including a self-introduction section and an overview of module 1. It also includes a syllabus with details about topics and assessment categories.
Full Transcript
Introduction to Cyber Threat Intelligence
Yihao Lim

Self Introduction
- Heads Cyber Threat Intelligence engagement efforts in Mandiant, Google Cloud
- Spearheads thought leadership efforts and shapes the regional cyber threat intelligence narrative via speaking engagements, conferences and webinars
- Engages internal stakeholders and client C-suite via briefings, strategy development, solution identification, scoping and proposal development

Self Introduction: Your Turn
1. Name, and which year are you in?
2. Why did you take this course?
3. What do you want to achieve out of this course?
4. What CCA are you in?

Module 1 Overview
- Introduce the Foundational Principles of Intelligence
- Understand the Intelligence Cycle and how it functions as the 'working model' for Intelligence Operationalization
- Introduce Structured Analytical Techniques and understand their importance
- Introduce Threat Modelling and understand why we use Threat Models
- Understand how to Write Intelligence Products and determine improvements to current communications
- Display understanding of the basic concepts of Intelligence through Exercise participation

Syllabus Overview
Module 1: Introduction to Cyber Threat Intelligence (Lectures: 2 hours; Tutorials: 1 hour)
- What is cyber threat intelligence
- Why use cyber threat intelligence
- Types of cyber threat intelligence
Module 2: Cyber Threat Intelligence Operations (Lectures: 2 hours; Tutorials: 1 hour)
- Introduction to the cyber-attack lifecycle
- Analyst Tradecraft
- Cognitive Bias
Module 3: Analytic Skills (Lectures: 5 hours; Tutorials: 2 hours)
- Applying Bias to Cyber Threat Intelligence
- Structural Analysis Techniques
- Quantitative Analysis
- Determining Confidence
Module 4: Cyber Artifacts (Lectures: 5 hours; Tutorials: 2 hours)
- Introduction to Indicators of Compromise
- Host-based indicators
- Network-based indicators
- Threat hunting

Weekly Schedule (week starting from)
- Week 1 (12 Aug 2024): Intro to Threat Intelligence; Syllabus Overview
- Week 2 (19 Aug 2024): Intro to Threat Intelligence (Part 2)
- Week 3 (26 Aug 2024): Analytical Skills + Quiz 1
- Week 4 (2 Sep 2024): Cyber Artifacts + Release Group Project
- Week 5 (9 Sep 2024): Cyber Artifacts
- Week 6 (16 Sep 2024): OSINT Intel Collection Techniques (Part 1)
- Week 7 (23 Sep 2024): OSINT Intel Collection Techniques (Part 2)
- (30 Sep 2024): Recess Week
- Week 8 (7 Oct 2024): Quiz 2 + OSINT Intel Collection Techniques (Information Ops)
- Week 9 (14 Oct 2024): Develop Raw Info into Threat Intelligence + Submit Group Project
- Week 10 (21 Oct 2024): Group Presentation
- Week 11 (28 Oct 2024): Group Presentation
- Week 12 (4 Nov 2024): Group Presentation
- Week 13 (11 Nov 2024): Quiz 3
- 18 Nov 2024 onwards: Exam Period

Assessment Categories (Weightage %)
- In-class Quizzes (Online): 45% (Quiz 1: 15%; Quiz 2: 15%; Quiz 3: 15%)
- Group Project: 30%
- Group Presentation: 25%
- Total: 100%
* Quiz consists of MCQ + Short Answer + Long Answer questions
* Quiz will be done on lockdown browser (in-person)
* NO Final Exams in this course

What is Intelligence

What is Intelligence: Intelligence Collection
- HUMINT – Human Intelligence
- GEOINT – Geospatial Intelligence
- MASINT – Measurement and Signature Intelligence
- SIGINT – Signal Intercept Intelligence
- OSINT – Open Source Intelligence

Case Study - Operation Bodyguard
Counter-intelligence efforts:
- Positioned that D-Day would start later
- Used different locations than Normandy
- Used fake armaments positioned along England
- Used double agents that leaked fake information
Objective: cause confusion and cause the enemy to make wrong strategic allocations of resources

Analysis
Analysis requires analysts to immerse themselves in ambiguous situations, searching for, sorting, structuring and evaluating data and information.
- Data or information may not be useful
- "Analysis of competing hypotheses"
- There is never enough time or data; a decision should still be made
Analytical judgement should follow a process:
- Generate hypotheses to determine possible answers
- Test hypotheses against evidence

Thinking About How You Think
Deriving a conclusion should be like a forensic process:
- Defensible
- Repeatable
- Understandable
- Everyone views issues in different ways
- Perception should be an active process instead of a passive one
- Do not let your views jade your analysis, because critical situations are ambiguous situations

Example - WannaCry
In 2017 WannaCry infected 300,000+ machines. The NSA assessed that the adversary was North Korea.
Questions asked:
- Why did NK do this?
- Is NK capable of doing this?
- What is their intention?
Adversary intent or attribution is one of the hardest questions to crack in cyber security. Understanding actor intent helps structure defences.

Why is Cyber Security Important

What is Business Intelligence

Why is Business Intelligence Important
A few ways that business intelligence can help companies make smarter, data-driven decisions:
- Identify ways to increase profit
- Analyse customer behaviour
- Compare data with competitors
- Track performance
- Optimize operations
- Predict success
- Spot market trends
- Discover issues or problems

So what do we mean by Cyber Intel?
Gartner Research created a reasonable definition:
- "Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

Difference between Info and Intel
Information vs Intelligence:
- Raw, unfiltered feed vs processed, sorted information
- Unevaluated when delivered vs evaluated and interpreted by trained intelligence analysts
- Aggregated from virtually every source vs aggregated from reliable sources and cross-correlated for accuracy
- May be true, false, misleading, incomplete, relevant, or irrelevant vs accurate, timely, as complete as possible, assessed for relevancy
- Not actionable as-is vs actionable

Threats Are Usually Targeted Towards
- Asset: resources (people), data (information) and property. Holds some value that requires protection.
- Vulnerability: weaknesses able to be exploited to gain unauthorized access to an asset.
- Threat: anything that can exploit a vulnerability to harm an asset ("existing or emerging menace or hazard").
- Risk: the probable frequency and magnitude of future ($) loss. Expressed as: What is the assessed risk of [THREAT GROUP] creating loss by affecting the [CONFIDENTIALITY, INTEGRITY, or AVAILABILITY] of [ASSET]?

Why do we need to identify threats?
- To deal with the threat (prevent, mitigate, solve, etc.)
- To make the correct decisions ("…inform decisions regarding the subject's response") in order to:
  - prevent significant losses (life, financial, reputational)
  - keep ourselves safe
  - keep our family and friends safe
  - protect the sovereignty (independence) of our society
  - keep our society secure
- Fundamentally, identifying and mitigating threats (not just cyber!) ensures our safety and security

What is Cyber Threat Activity?
- How would you define Cyber Threat Activity?
- How would different countries define threats? Consider ideology, political system, culture, history, etc.
  - The US?
  - China?
  - Russia?
- As an analyst, why is it important to consider how others regard threats?

The Advantage of Intelligence-led Security
- Understand the true risk: see the risk over the horizon, demand the right budgets, drive the right investments
- Inform the business and develop risk mitigation
- Build proactive and reactive strategies
Benefits:
- Mitigate Risk
- Provide Decisional Advantage
- Prioritize Resources
- Ensure Value of Operations
- Sync between Intel and Core Business

What role does Cyber Threat Intel contribute?
Commoditized Feeds (Raw Data):
- Misses the threats that matter. Commoditized threat intelligence is too broad and out-of-date to protect against surgical attacks.
- Becomes part of the problem. Typically leads to voluminous alerts that require additional personnel to identify the true threats from within the noise.
Threat Intelligence:
- Threat intelligence curates data sources to create high-fidelity, precise alerts to surgically identify targeted attacks.
- True threat intelligence scopes the problem with the context and attribution required to prioritize and build a response to the threats that represent the greatest risk.

Different types of Cyber Threat Intelligence
- Tactical Intelligence: Malware and Exploits; Adversary Infrastructure; Lateral movements
- Operational Intelligence: Tactics, Techniques, and Procedures (TTPs); Organizational Threats; Threat Actors (APT/FIN)
- Strategic Intelligence: Industry Threats; Regional Trends; Threat Sponsors

Challenges with Cyber Threat Intelligence
- How do we know what Intelligence we need?
- Where do we get Intelligence?
- How do we know we're getting the correct Intelligence? The most relevant?
- How do we handle Intelligence? Who gets access? How?
- Who is responsible for obtaining information?
- Who is responsible for recording decisions made?
- How can we tell if our assessments are correct?
- Who needs to receive our assessments?
- What happens when something changes? New information? More information?
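The two slides above (raw feed versus evaluated intelligence, and commoditized feeds versus curated threat intelligence) describe a processing step but do not show it. The following is an added example, not code from the lecture deck: it takes constructed feed entries, normalizes defanged indicators so the same value from different sources matches, cross-correlates them, and only marks an indicator actionable when it is corroborated, has context, and is not known-benign. The feed names, reliability weights, indicator values and the scoring rule are all assumptions made for the illustration; in practice the reliability of each source comes from your own vetting history of it.

```python
"""Turning raw feed data into evaluated intelligence records.

Added example (not from the lecture deck). Feed names, reliability
weights, indicator values and the "actionable" rule are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample feed. Each entry: (source, indicator, context tag).
# Values are documentation/test addresses, not real infrastructure.
RAW_FEED = [
    ("feed_alpha", "198.51.100.23", "c2"),
    ("feed_beta", "198[.]51[.]100[.]23", "c2"),           # same IP, defanged
    ("vendor_report", "198.51.100.23", "c2"),
    ("feed_alpha", "update-portal[.]example", "phishing"),
    ("feed_gamma", "UPDATE-PORTAL.example", "phishing"),  # same domain, different case
    ("feed_gamma", "203.0.113.9", ""),                    # single source, no context
    ("feed_beta", "8.8.8.8", "scanner"),                  # public resolver: classic false positive
    ("feed_alpha", "d41d8cd98f00b204e9800998ecf8427e", "malware"),  # MD5 of empty input
]

# Assumed reliability (0..1) per source, from prior vetting of that source.
SOURCE_RELIABILITY = {"feed_alpha": 0.6, "feed_beta": 0.4,
                      "feed_gamma": 0.5, "vendor_report": 0.9}

# Constructed allow-list: shared/benign infrastructure that would only add noise.
KNOWN_BENIGN = {"8.8.8.8"}

INDICATOR_TYPES = [
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$")),
    ("sha256", re.compile(r"^[0-9a-f]{64}$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")),
]


def normalize(raw: str) -> str:
    """Refang and canonicalize so one indicator reported by several feeds collapses to one record."""
    return raw.strip().lower().replace("[.]", ".")


def classify(indicator: str) -> str:
    for name, pattern in INDICATOR_TYPES:
        if pattern.match(indicator):
            return name
    return "unknown"


@dataclass
class IntelRecord:
    indicator: str
    kind: str
    sources: set = field(default_factory=set)
    context: set = field(default_factory=set)

    @property
    def corroboration(self) -> int:
        return len(self.sources)

    @property
    def score(self) -> float:
        """Noisy-OR of source reliabilities: independent sources reinforce each other."""
        p_all_wrong = 1.0
        for s in self.sources:
            p_all_wrong *= 1.0 - SOURCE_RELIABILITY.get(s, 0.0)
        return round(1.0 - p_all_wrong, 3)

    @property
    def actionable(self) -> bool:
        """Constructed rule: corroborated, well scored, with context, and not known-benign."""
        return (self.indicator not in KNOWN_BENIGN
                and self.corroboration >= 2
                and self.score >= 0.7
                and bool(self.context))


def build_intel(feed):
    """Aggregate raw entries into one evaluated record per normalized indicator."""
    records = {}
    for source, raw, ctx in feed:
        ind = normalize(raw)
        rec = records.setdefault(ind, IntelRecord(ind, classify(ind)))
        rec.sources.add(source)
        if ctx:
            rec.context.add(ctx)
    return records


def actionable_indicators(feed):
    return sorted(r.indicator for r in build_intel(feed).values() if r.actionable)


if __name__ == "__main__":
    for rec in build_intel(RAW_FEED).values():
        print(f"{rec.indicator:36} {rec.kind:7} sources={rec.corroboration} "
              f"score={rec.score} ctx={sorted(rec.context)} actionable={rec.actionable}")
```

Of the eight raw entries, only two indicators survive as actionable: the C2 address seen by three sources and the phishing domain seen by two. The single-source entries and the public resolver are exactly the "voluminous alerts" the slide warns about, and they are kept in the record set for context rather than pushed to blocking tools.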
Summarizing Different Types of Intelligence
Tactical Level
- Security Roles: Security Operations Center; Network Operations Center; Vulnerability Management Team
- Tasks: Indicators to security tools; Patch systems; Monitor and escalate alerts (triage)
- Problems: False positives; Difficult to prioritize patches; Alert overload
- Value of CTI: Validate and prioritize indicators; Prioritize patches; Prioritize alerts
Operational Level
- Security Roles: Incident Response Team; Forensics Team; Red Team / Pen Testing
- Tasks: Determine attack vectors; Remediate; Hunt for breaches
- Problems: Event reconstruction is resource intensive; Difficult to identify damage
- Value of CTI: Add context to reconstruction; Focus in on potential targets
Strategic Level
- Security Roles: Chief Information Security Officer; Security Management; Intel Analysts
- Tasks: Allocate resources; Communicate with executives
- Problems: No clear investment priorities; Executives are not technical
- Value of CTI: Demystify threats; Prioritize based on business risk

Strategic Threat Intelligence
- Broad overview of an organization's threat landscape. It is intended to inform high-level decisions made by executives and other decision makers at an organization; as such, the content is generally less technical and is presented through reports or briefings.
- Good strategic intelligence should provide insight into areas like the risks associated with certain lines of action, broad patterns in threat actor tactics and targets, and geopolitical events and trends.

Strategic Threat Intelligence
- Common sources of information for strategic threat intelligence include:
  - Policy documents from nation-states or non-governmental organizations
  - News from local and national media, industry- and subject-specific publications, or other subject-matter experts
  - White papers, research reports, and other content produced by security organizations
- Producing strong strategic threat intelligence starts with asking focused, specific questions to set the intelligence requirements. It also takes analysts with expertise outside of typical cybersecurity skills, in particular a strong understanding of socio-political and business concepts.

Strategic Threat Intelligence
- Strategic intelligence (who/why) is the 100,000-foot view, providing a big-picture look at how threats and attacks are changing over time.
- Strategic intelligence might include information on the following topic areas:
  - Attribution for intrusions and data breaches
  - Actor group trends
  - Targeting trends for industry sectors and geographies
  - Mapping cyber attacks to geopolitical conflicts and events (South China Sea, Arab Spring, Russia-Ukraine)
  - Global statistics on breaches, malware and information theft
  - Major attacker TTP changes over time

Strategic Threat Intelligence
Some of the questions we are trying to answer with strategic intelligence are:
- Who are my adversaries and how might they attack us?
- Is my current technology stack adequate to ameliorate future threats?
- Why am I a target and is our risk profile changing?
- Based on future threats' Tactics, Techniques and Procedures (TTPs), will any processes require revision?
- What targeting may we face due to industry, location, or geopolitical events?

Operational Threat Intelligence
- Operational intelligence considers historical capabilities, affiliations and motivations of threat actors, and is used mostly to make resource-allocation decisions around real and perceived threats.
- Operational intelligence is most often written with a target audience of Incident Response, Forensics Investigators and Hunt Teams in mind.
- Operational intelligence is concerned with answering the "How" and "Where" questions associated with threats, to better prepare security groups with information to help them locate, isolate, and remediate network intrusions.

Operational Threat Intelligence
Some of the questions we are trying to answer with operational intelligence are:
- How do a given threat actor's attack patterns and frequency evolve over time?
- Are threat infrastructures, methodologies or tactics evolving, and if so, how?
- Is our attack surface more or less vulnerable to these changes?
- Where is the best place, within the network environment, to expose potential risks or bad actors?
- How can a given bad actor's past behaviours provide clues on how to expose them?

Tactical Threat Intelligence
- Tactical intelligence is the most granular form of intelligence. This intelligence is the atomic indicators associated with known bad actors. Commonly called Indicators of Compromise (IOCs), these are machine-readable artifacts of known bad actor signatures, tools, and infrastructure.
- Tactical threat intelligence outlines the tactics, techniques, and procedures (TTPs) of threat actors. It should help defenders understand, in specific terms, how their organization might be attacked and the best ways to defend against or mitigate those attacks.
- It usually includes technical context, and is used by personnel directly involved in the defense of an organization, such as system architects, administrators, and security staff.

Tactical Threat Intelligence
Some of the questions we are trying to answer with tactical intelligence are:
- What malware is being employed by a threat?
- What command and control infrastructure should we expect to see from a threat?
- What signatures are associated with a given malware?
Tactical intelligence is focused on answering the "What" questions associated with threats. Usually it is done with a mix of reporting. Data enrichment and IOC management is a large part of this, but so are written products such as time-sensitive Threat Alerts. By helping to validate and manage IOCs, intelligence teams provide immediate help within the security environment. Finally, by applying follow-on technical reporting with details of the threat, the decision-making requirement of intelligence is met.

Tactics, Techniques, and Procedures (TTP)
- Tactics: these represent the "why" of a technique and describe what an adversary is trying to accomplish. In general, it is a tactical objective and the reason behind the action.
- Techniques: a technique represents how the threat actor achieves a tactical objective.
- Procedures: analysis of the procedures used by the adversary can help to understand what the adversary is looking for within the target's infrastructure.

Models to Convey Cyber Activity
- Mandiant Attacker Lifecycle
- MITRE ATT&CK

Models to Convey Cyber Activity
- Diamond Model of Intrusion Analysis
- Pyramid of Pain (top to bottom): TTPs; Tools; Network/Host Artifacts; Domain Names; IP Addresses; Hash Values

Pyramid of Pain: Mastery and Denial
- Strategic intelligence (Identity): Who has the means, motive, and opportunity? Pyramid level: Tactics, Techniques and Procedures
- Operational intelligence (Characteristics): Where is this activity being seen? How often is it occurring? What is being targeted? Common attributes? Pyramid levels: Tools; Network Artifacts; Host Artifacts
- Tactical intelligence (Activity): Attack indicators? Malware? Infrastructure? Pyramid levels: Domain Names; IP Addresses; Hash Values
(Source: ©2021 Mandiant)

Considerations to Write a Report
Principle and explanation:
1. Define Your Audience: based on the customer, you will have an understanding of where you are in the intelligence arc, which will help dictate how you tell the story and the level of technical depth.
2. Establish Your Message: Executive Summary: list main conclusions. Body: identify what is happening that prompted us to write the piece; why now, tied to current geopolitical, socioeconomic, or technology trends; include a relevant outlook, and opportunities that are customer-centric.
3. Structure: does the piece flow, or would it be best ordered differently?
4. Use Visuals: images help break up word blocks. Use images that are contextually relevant.
5. Style/Art Form: apply the proper template based on the specific art form.
6. Clear Language, Active Voice: use direct prose; explicitly identify the actor, activities conducted, against whom, and key parts. Avoid ambiguity. Brevity is your friend.
7. Edit!: find the most effective way to review your work. This may be identifying peers, reviewing a printed copy, or reading aloud.

Estimative Language to Convey Uncertainty
Description: synonyms (percent) [confidence band]
- Certain: complete, expected, known (100%) [High]
- Highly Likely: highly probable, high confidence, credible (90%) [High]
- Likely: probable, anticipated, practicable (75%) [Medium/Moderate]
- Even/May: balanced, constant, possible (50%) [Medium/Moderate]
- Unlikely: low confidence, not expected, unreasonable (30%) [Low]
- Highly Unlikely: highly doubtful, highly improbable (10%) [Low]
- Impossible: never, no confidence (0%)
- Give a justification for why the confidence level was chosen
- Enforce consistent use across the organization; otherwise it degrades the message

Watch Out
- Mixing Fact with Assessments
  - This is why we use estimative language: there is almost always uncertainty involved, especially when attempting to ascribe adversary intentions.
  - Analysis deals with what we know (data, facts) and what we think (assessment, opinion, confidence).
- Failure to Acknowledge Intel Gaps
- Sweeping generalizations, lack of appropriate caveats
- K.I.S.S.
- Cognitive biases
  - Anchoring biases
  - Groupthink

Thank You

Cyber Threat Intelligence Intro
Yihao Lim

Defining the Threat Type
- Cyber Espionage: cyber espionage is primarily used as a means to gather sensitive or classified data, trade secrets or other forms of IP that can be used by the aggressor to create a competitive advantage or sold for financial gain. In some cases, the breach is simply intended to cause reputational harm to the victim by exposing private information or questionable business practices.
- Financial Crime: financially motivated cybercriminals are individuals or groups who engage in illegal activities online with the primary goal of making money. Their actions typically revolve around exploiting vulnerabilities in computer systems or networks to steal sensitive data, extort money, or disrupt operations for financial gain. These criminals are driven by profit, not ideology or activism.
- Hacktivism: a cyber hacktivist is an individual or group who utilizes hacking techniques to promote a political or social agenda. Unlike financially motivated cybercriminals, hacktivists are driven by ideology and a desire to effect change, rather than personal profit. They often target organizations or governments they perceive as corrupt, unjust, or oppressive.
- Information Operations: information operations (IO) are coordinated actions taken to influence, disrupt, or exploit an adversary's decision-making process while safeguarding one's own information and information systems.

Group Presentation Topics
1. Define and explain cyber threats to 5G networks. What are the implications and how can they affect consumers' lives?
2. Define and share more about state-sponsored cyber espionage. Explore case studies related to state-sponsored cyber attacks.
3. Define and explain cyber threats to mobile applications and devices.
4. Define and explain misinformation / information operations campaigns. What is the motive and why is it important?
5. Define and explain threats to cloud platforms / infrastructure.
6. Define and explain the cyber criminal trends in Southeast Asia. Consider dark web / social media / Telegram groups etc.
7. Define and explain types of threats to social media end users (FB/IG/TikTok etc.). Why is it important and how can it affect consumers' lives?
8. Explore the different types of financial scams that are happening in Singapore in 2024, explore the different kinds of lure themes and explain why it is still a persistent problem.
9. Consider any regional event (e.g. G20 meeting, Singapore National Day) and share insights into any cyber attacks related to the incident.
10. Explain what a zero-day is, and explain the recent uptick of zero-day attacks in 2024.
11. Singapore is due for a general election soon. Define and explain the kinds of cyber threats to elections, infrastructure, voters, candidates etc.

Cyber Operations – Team Sport
Supporting Elements:
- Vulnerability Researcher: examines code to find vulnerabilities and determine whether they can be exploited; creates proof-of-concept exploit code; prioritizes based on intelligence requirements
- Software Engineer: creates operational tools: develops or integrates exploits into chains or tool frameworks; creates unique tools or re-uses code from existing malware; creates modular malware
- Infrastructure Administrator: purchases infrastructure such as VPS and domains; configures systems' network nodes to collect exfiltrated data
- Analyst: examines network architecture, traffic, and compromised data; uses reconnaissance data to inform future actions; defines requirements for needed exploits
Action Arm:
- Cyber Operator: on-keyboard operations; identifies systems and surveys information worth collecting; uses multiple tactics, techniques, and procedures

Analyst Tradecraft
- Intelligence as a discipline has existed for a long time: analytical process, inductive / deductive reasoning, source evaluation, confidence levels…
- Technology also has its own disciplines: hardware and software engineering, systems integration, networks and protocols, exploits and vulnerabilities…
- Only recently have we tried to apply the intelligence process to data from computer operations and intrusions
- Many intelligence analysts don't sufficiently understand technology
- Many security researchers don't sufficiently understand the intelligence process
This is why attribution is hard… and why it is so prone to error. What are the downsides of wrong attribution?

Cyber Attacks: The Challenge of Attribution and Response
When attempting to work out who may be behind an attack, incident responders typically assess both indicators of compromise (IoCs) and the attackers' tactics, techniques, and procedures (TTPs) that were observed during the respective attack. While IoCs are often a good place to start, attacker infrastructure like IP addresses and domains can easily be spoofed or generated in a manner which will obfuscate the attackers' real identity.
In the SolarWinds cyber attack, Russian attackers have even been observed hijacking infrastructure used by Iranian state-sponsored groups. This was likely to piggyback from their cyber espionage campaign and to attack government and industry organizations, all while masquerading as attackers from the Islamic Republic.
- This highlights the complexity in providing a confident attribution to individual attacks, given attackers clearly place precedence on covering their tracks.

2 Types of Thinking
According to Dual Process Theory, we have two forms of thinking:
- System 1 - Intuition: how we perceive the world around us, recognise objects, orient attention, avoid losses, and fear spiders!
  - Fast
  - Intuitive
  - Draws on past experience
  - Permits quick judgement
  - Often accurate
- System 2 - Analytic: activated when we do something that does not come naturally and requires some sort of conscious mental exertion.
  - Slow, deliberate, considered
  - High effort
  - Rule based
  - Abstract

Cognitive Bias

2 Types of Thinking
A common example used to demonstrate the two systems is the following puzzle: a bat and a ball together cost $1.10. The bat costs $1 more than the ball. How much does the ball cost?
Faced with this puzzle, the majority of people instantly guess 10 cents. The correct answer, however, is 5 cents, which, again, most people can work out after spending more time thinking about the question. For years, this has been used as a perfect example of how the way we think is ruled by two types of mental processes: fast and intuitive, versus slow and analytical.

Cognitive Bias
- Mental errors
- Like optical illusions, the evidence appears compelling even when one is fully aware of its nature
- 5 most common analytical traps:
  - Failing to consider multiple hypotheses or explanations
  - Ignoring inconsistencies
  - Rejecting evidence that does not support the hypothesis
  - Insufficient resources to capture key evidence
  - Improperly projecting past experience

Cognitive Bias
- "Violent crime is much worse now than 20 years ago." Availability Heuristic
- "I knew when I bet on red that I was going to lose." Hindsight Bias
- "I will probably vote for this political candidate as they're going to win anyway." Bandwagon Effect or "Groupthink"

Applying Cognitive Biases to Cyber Intelligence
Failure to consider Visibility
- A form of "failing to consider multiple hypotheses or explanations"
- Different organizations have different views of the threat landscape
- Your environment, your country, your industry (locally or globally…)
- Applies to security firms as well
  - Is the firm a product company? Network? Endpoint? Software?
  - Is the firm a services company? Incident response? Auditing?
  - What industries or countries does the firm do business in?
- Your view may affect your interpretation of events
  - Example: suspicious email with unknown backdoor sent to CFO… this must be targeted!
  - Example: this activity is hitting customers of European-based banks… this must be regionally-focused cyber crime!

Mixing Fact with Assessments
Can result in a failure to "cope with evidence of uncertain accuracy"
- Threat intelligence deals with what we know (data, facts) and what we think (assessment, opinion, confidence)
  - Many analysts don't clearly differentiate between the two in their analysis
  - Many security organizations don't clearly differentiate in their public research
  - Many media organizations don't clearly differentiate in their reporting
- Example:
  - "Team Wombat domain "news.myworldnews.com" resolved to IP 12.34.56.78. Domain mail.mediacorp.com also resolved to the same IP." (fact)
  - Possible misinterpretation: "Domain mail.mediacorp.com is attributable to Team Wombat." (assessment)
  - WHY?

Failing to Properly Vet Sources
Just like any IT function, threat intelligence lives and dies on the quality of its inputs: garbage in, garbage out. Despite this, many organizations start their threat intelligence program by signing up for a series of open source threat feeds without having a proper vetting process in place. This can result in a flood of alerts that are difficult to differentiate or trust. Because so many alerts arrive without context and turn out to be false positives or redundancies, it is no surprise that around 44% go completely uninvestigated. And of the remaining 56%, only around half get resolved.
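The "Mixing Fact with Assessments" example above (a shared IP being read as attribution) is the kind of judgement that the "analysis of competing hypotheses" named on the Analysis slide is meant to discipline. The following is an added example, not from the lecture deck: an ACH matrix scored the way Heuer describes, ranking hypotheses by how much credible evidence is inconsistent with each, rather than by how much supports them. The deck's stated fact about 12.34.56.78 is evidence E1; the competing hypotheses, the other evidence items, their consistency ratings and their credibility values are constructed for the demonstration, not real observations.

```python
"""Analysis of Competing Hypotheses (ACH) scored as a matrix.

Added example, not from the lecture deck. Hypotheses H2/H3, evidence
E2..E5, the ratings and the credibility values are constructed.
"""
from dataclasses import dataclass

# Consistency codes an analyst assigns in the ACH matrix.
CC, C, NA, I, II = "CC", "C", "N/A", "I", "II"   # very consistent .. very inconsistent

# Heuer's rule: rank by INconsistent evidence. Consistent evidence often fits
# several hypotheses at once (like E1 below) and so discriminates little.
INCONSISTENCY_WEIGHT = {CC: 0.0, C: 0.0, NA: 0.0, I: 1.0, II: 2.0}


@dataclass
class Evidence:
    text: str
    kind: str            # "fact" (observed) or "assessment" (someone's judgement)
    credibility: float   # 0..1, trust in the source of this item
    ratings: dict        # hypothesis id -> consistency code


HYPOTHESES = [
    "H1: mail.mediacorp.com is Team Wombat infrastructure",
    "H2: mail.mediacorp.com is an unrelated tenant on shared hosting",
    "H3: mail.mediacorp.com is a legitimate domain that Team Wombat compromised",
]

# E1 is the deck's stated fact; E2..E5 are constructed items an analyst
# might collect to discriminate between the hypotheses.
EVIDENCE = [
    Evidence("E1: news.myworldnews.com (Team Wombat) and mail.mediacorp.com both resolved to 12.34.56.78",
             "fact", 1.0, {"H1": C, "H2": C, "H3": C}),
    Evidence("E2: passive DNS shows 1,400 other domains on 12.34.56.78 in the same month (constructed)",
             "fact", 0.9, {"H1": I, "H2": CC, "H3": C}),
    Evidence("E3: mail.mediacorp.com was registered years before Team Wombat activity began (constructed)",
             "fact", 0.9, {"H1": I, "H2": C, "H3": C}),
    Evidence("E4: no Team Wombat malware sample references mail.mediacorp.com (constructed)",
             "fact", 0.7, {"H1": I, "H2": C, "H3": I}),
    Evidence("E5: a vendor blog lists mail.mediacorp.com as a Team Wombat IOC, citing only E1 (constructed)",
             "assessment", 0.3, {"H1": C, "H2": I, "H3": I}),
]


def _hid(hypothesis: str) -> str:
    return hypothesis.split(":")[0]


def inconsistency_scores(evidence, hypotheses):
    """Credibility-weighted inconsistency per hypothesis; lower is better."""
    return {h: round(sum(INCONSISTENCY_WEIGHT[e.ratings[_hid(h)]] * e.credibility
                         for e in evidence), 2)
            for h in hypotheses}


def rank_hypotheses(evidence, hypotheses):
    """Hypotheses ordered from least to most inconsistent with the evidence."""
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(hypotheses, key=lambda h: scores[h])


def diagnostic_evidence(evidence, hypotheses):
    """Items rated differently across hypotheses; items rated the same everywhere (E1) prove nothing alone."""
    ids = [_hid(h) for h in hypotheses]
    return [e.text for e in evidence if len({e.ratings[k] for k in ids}) > 1]


def fact_assessment_split(evidence):
    """Keep the 'what we know' / 'what we think' distinction visible in the product."""
    facts = [e.text for e in evidence if e.kind == "fact"]
    assessments = [e.text for e in evidence if e.kind == "assessment"]
    return facts, assessments


if __name__ == "__main__":
    for h, s in inconsistency_scores(EVIDENCE, HYPOTHESES).items():
        print(f"{s:5.2f}  {h}")
    print("Most consistent:", rank_hypotheses(EVIDENCE, HYPOTHESES)[0])
    print("Non-diagnostic:", [e.text for e in EVIDENCE
                             if e.text not in diagnostic_evidence(EVIDENCE, HYPOTHESES)])
```

With these constructed ratings the shared-hosting hypothesis (H2) has the least inconsistent evidence against it and the attribution hypothesis (H1) the most, while E1 on its own, being equally consistent with all three, is flagged as non-diagnostic. That is the answer to the slide's "WHY?": the fact is real, but it does not discriminate between the hypotheses, so stating the attribution as if it followed from the fact is an assessment presented as a fact.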
14 Failure to Account for Human Action In the landscape of computer operations, we deal with data - It’s easy to forget that there is a person behind the keyboard Our minds naturally want to sort and categorize information - We want to make sense of our environment; not always comfortable with grey areas “The simplest solution is the most likely solution” - Except when it comes to people “Threat groups” may be neither monolithic nor self-contained 15 Failure to Account for Human Action If bias is inherent and even an awareness of these biases may not be enough to neutralize them, what can we as analysts do? Heuer posits that when presented with an outcome we ask ourselves the following questions: - “If the opposite outcome had occurred, would I have been surprised?” - “If this report had told me the opposite, would I have believed it?” - “If the opposite outcome had occurred, would it have been predictable given the information that was available?” “The self-interest of the experimental subjects was not at stake, yet they showed the same kinds of bias with which analysts are familiar.” 16 Structural Analysis Techniques - Unstructured techniques rely solely on the investigator’s expertise to make determinations Dispersion Incomplete Expert of Expertise or Judgements and Ambiguous - Structured techniques offer a framework Perspective Reporting or methodology for dealing with incomplete and deceptive information Mindset and Determinations Execution Approach and Results - Structured techniques are intended to: o Promote collaboration and transparency Externalize thought processes Structured Sound and o Transparency, Techniques Un-biased Collaboration, o Provide traceability and illustrate how and Analytic and Challenge Methods Judgments analytic judgements were made 17 Structural Analysis Techniques Data Thinking Activities Known Data Critical Thinking Vetting information Making the case Conveying the message Unknown Data Structured Analysis Diagnostic techniques 
Imagination techniques Challenge and reframing techniques “Structured analytic techniques involve a step-by-step process that externalizes the analyst’s thinking in a manner that makes it readily apparent to others.” Structured Analytic Techniques for Intelligence - Richards J. Heuer, Jr., Randolph H. Pherson 18 Challenges with Cyber Threat Intelligence - How do we know what Intelligence we need? - Where do we get Intelligence? - How do we know we’re getting the correct Intelligence? The most relevant? - How do we handle Intelligence? Who gets access? How? - Who is responsible for obtaining information? - Who is responsible for recording decisions made? - How can we tell if our assessments are correct? - Who needs to receive our assessments? - What happens when something changes? New information? More information? The Intelligence Cycle – industry best practice - Planning and Requirements o Stakeholders defined o Business needs and information concerns - Collections (Information sources) o Raw Internal and external data o Open source, commercial, and sensitive - Analysis o Collation and aggregation (Threat Intel Platform (TIP)) o Analyst best practices (analytical methodology) The Intelligence Cycle – industry best practice - Production o Estimative language o Challenge analysis - Dissemination and Feedback o Role-based intelligence reporting o Feedback loop firmly established The Intelligence Cycle – Case Study - You are a CTI analyst at Maplewood University, a large American institution of higher education. Located on the East Coast of the United States, Maplewood University boasts an impressive enrollment of over 40,000 students from around the world and employs more than 10,000 staff, researchers, and student workers. - As a nationally recognized research institution, the University invests significantly in research initiatives and the development of sophisticated laboratories across diverse fields of study. 
- This morning, a tech news outlet reported that a nearby university, Pine Grove, was recently the target of a campus-wide spear-phishing campaign.

The Intelligence Cycle – Case Study
- According to the article, thousands of staff and student workers received emails claiming to be from the University “Payroll Department”. These messages urgently directed workers to log into their university-issued accounts and immediately update their “outdated” banking information or risk not receiving their due pay.
- Pine Grove University promptly responded to the article, stating in a press release that hundreds of university accounts had been compromised as a result of the attack and that the incident was under investigation.
- These accounts contained a wealth of personally identifiable information (PII), including such critical information as individuals’ social security numbers and bank account details.

The Intelligence Cycle – Case Study
- Alarmed by the attack on Pine Grove, the President of Maplewood University approaches your team, concerned that your institution may be in imminent danger.
- She wants you to determine the likelihood that Maplewood will also be targeted by this spear-phishing campaign and identify measures the University can implement to defend against any future phishing attacks.

The Intelligence Cycle – Case Study
- In response to the Pine Grove University attack, a key stakeholder at Maplewood University, the President, establishes two new requirements and, in doing so, propels the CTI life cycle into motion. She directs you to:
  o “determine the likelihood that Maplewood will also be targeted by this spear-phishing campaign,”
  o “identify measures the University can implement to defend against any future phishing attacks”

Planning and Requirements
For each intelligence requirement, there are also corresponding collection requirements. These are the data and observables that must be collected in order to answer your intelligence requirements.
High-level requirements relate to the overarching interests and strategic objectives of an organization:
- Geography: where the organization is physically situated (e.g. California; South America)
- Industry: the industries or verticals in which the organization operates (e.g. Healthcare; Fintech)
- Critical Assets: the organizational assets that are most valued or targeted by adversaries (e.g. PII; Intellectual Property)
- Historical Incidents: the types of incidents previously experienced by an organization (e.g. account credential theft; corporate espionage)
- Adversary: the attackers most likely to target the organization (e.g. hacktivist; nation-state)

Functional requirements are similar to high-level requirements, but they focus instead on the operational and technical interests of the organization, like what software is used and which devices have access to the internal network. This offers greater insight into which cyber threats pose the greatest risk to an organization from a practical perspective and helps analysts further refine their requirements according to the organization’s technical landscape. This means if Maplewood University uses exclusively Microsoft systems running Windows 11, they probably do not need to be concerned about malware designed to compromise Apple devices.

Planning and Requirements

Collections

Analysis
Navigate to the spoofed domain, pinegrove[.]online, in a sandbox environment. This allows you to interact freely with the malicious website while mitigating the risk of compromise to your host system. Submitting a fake username and password here redirects you to “pinegrove[.]online/directdeposit” and a virtual form titled “Employee Direct Deposit Form”.
This form instructs victims to enter their banking details along with a wealth of personally identifiable information (PII), including their Social Security Number (SSN) and University ID.
[Figure: Spoofed Page]

Analysis
Entering fake data once again leads to a submission confirmation page where victims have the option to “log out”, which returns them to the original spoofed Pine Grove University login page. The inclusion of a spoofed login page in addition to the fake direct deposit form reveals this to be a two-part attack aimed at acquiring both the victim’s account credentials and their banking details; in other words, enough information to both impersonate and defraud them with little difficulty.

Analysis
To further contextualize the phishing domain, you use the free open-source intelligence tool Whois Lookup by DomainTools, which compiles basic domain registration and infrastructure information. According to the Whois record for pinegrove[.]online, the spoofed site was created just 30 days ago using a domain registrar and hosting provider commonly chosen by malicious actors for establishing phishing sites. Unsurprisingly, the registrant opted to redact all personal identifying information, so it remains unclear who created the domain; however, this record still reveals some interesting information, including the adversary’s infrastructure preferences and the IP address of the host server. The Whois record indicates that this host server IP address is associated with only four other domains, which suggests a potential overlap between them.

Analysis
To pivot off the host server IP address, you perform a reverse IP lookup, which yields the following four domains:
- sierrasummit[.]online
- crescentvalley[.]online
- aspenstate[.]online
- libertyhills[.]online
Each of these domains appears to be impersonating a legitimate university login page, just like the domain employed for the Pine Grove phishing attack.
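The infrastructure pivot described above, as an added example that is not part of the original slides: constructed WHOIS-style records (the IP addresses, registrar names and exact ages are placeholders) are pivoted on the shared host IP, then narrowed to domains that also share the traits the analysis relies on (same registrar, registered within 30 days, same naming convention), with a final check for a spoof of a named institution such as Maplewood.

```python
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class DomainRecord:
    domain: str      # defanged, as CTI reports write it
    host_ip: str
    registrar: str
    age_days: int


# Constructed records modelled on the case study. The IP addresses, registrar
# names and ages are placeholders, not values from the original slides.
RECORDS = [
    DomainRecord("pinegrove[.]online", "203.0.113.10", "Registrar-A", 30),
    DomainRecord("sierrasummit[.]online", "203.0.113.10", "Registrar-A", 21),
    DomainRecord("crescentvalley[.]online", "203.0.113.10", "Registrar-A", 18),
    DomainRecord("aspenstate[.]online", "203.0.113.10", "Registrar-A", 25),
    DomainRecord("libertyhills[.]online", "203.0.113.10", "Registrar-A", 12),
    # Same shared host, but old and on another registrar: co-hosted, not related.
    DomainRecord("oldshop[.]online", "203.0.113.10", "Registrar-B", 900),
    DomainRecord("news[.]example", "198.51.100.7", "Registrar-B", 400),
]

# Naming convention observed on the spoofed sites: one lowercase label + .online
NAMING_PATTERN = re.compile(r"^[a-z]+\[\.\]online$")


def reverse_ip_pivot(records, seed_domain):
    """Every other domain on the seed's host IP (what a reverse IP lookup returns)."""
    seed = next(r for r in records if r.domain == seed_domain)
    return [r for r in records if r.host_ip == seed.host_ip and r.domain != seed_domain]


def related_domains(records, seed_domain, max_age_days=30):
    """Pivot on host IP, then keep only domains that also share the seed's
    registrar, are recently registered and follow the same naming convention."""
    seed = next(r for r in records if r.domain == seed_domain)
    return sorted(
        r.domain for r in reverse_ip_pivot(records, seed_domain)
        if r.registrar == seed.registrar
        and r.age_days <= max_age_days
        and NAMING_PATTERN.match(r.domain)
    )


def spoof_candidates(records, institution):
    """Domains impersonating `institution` under the observed naming convention."""
    target = f"{institution.lower()}[.]online"
    return [r.domain for r in records if r.domain == target]
```

A shared host IP alone is weak evidence (shared hosting co-locates unrelated sites), which is why the registrar, age and naming filters are applied before calling the domains related.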
You pivot once again by performing additional Whois lookups on the four related domains. The Whois records for these domains reveal that each is less than 30 days old and leverages the same basic infrastructure as the impersonated Pine Grove site. This indicates significant overlap between all five domains. To confirm that the four related domains host the same phishing scam, you visit each in a sandbox environment. As expected, all four domains present the same sequence of phishing pages as the spoofed Pine Grove site, with only minor aesthetic modifications to better impersonate each institution. Unsurprisingly, each spoofed login site is nearly indistinguishable from the original.

Analysis
After briefly reviewing the official websites for each institution, a pattern in the victim profile also emerges: each of the five targeted universities is a large R1 research institution located on the East Coast of the United States. This suggests another potential adversary objective: the exfiltration of intellectual property data, namely classified research. Aware that Maplewood University fits your current victim profile and that these five institutions may not be the only targets of the spear-phishing campaign, you search for spoofed versions of the Maplewood University login page that match the naming conventions of the other phishing domains, but none currently exist. However, this does not eliminate the possibility that Maplewood will be victimized by this spear-phishing campaign as well.

Production
We chose this method to disseminate the intelligence to the President because it is a familiar channel of communication; executives are accustomed to receiving information in the form of written reports and formal briefings. By adhering to these professional standards, you increase the likelihood that the intelligence deliverables will be actionable for the President.
Estimative Language
Description       Synonyms                                      Percent
Certain           Complete, expected, known                     100%
Highly Likely     Highly probable, high confidence, credible    90%
Likely            Probable, anticipated, practicable            75%
Even              Balanced, constant, possible                  50%
Unlikely          Low confidence, not expected, unreasonable    30%
Highly Unlikely   Highly doubtful, highly improbable            10%
Impossible        Never, no confidence                          0%

Diamond Model
Consider:
- Timestamp: date and time the intrusion event occurred
- Result: outcome of the intrusion (e.g., success, failure, or unknown; or confidentiality compromised, integrity compromised, and/or availability compromised)
- Direction: how the event moved through the network or host (e.g., Victim-to-Infrastructure, Adversary-to-Infrastructure, Bidirectional)
- Methodology: category of event (e.g., spearphishing, port scan)
- Resources: elements required for the intrusion (e.g., particular software, hardware, knowledge, funds, facilities, access)
- Social-political: relationship between adversary and victim, based on the victim’s needs and aspirations
- Technology: technology involved in the adversary’s capabilities and use of infrastructure

Diamond Model – Apply to The Lapsus Group
Background of LAPSUS$
LAPSUS$ Group first became subject to widespread media attention in December 2021, when they launched a ransomware attack against the Brazilian Ministry of Health (Ministério da Saúde). The attackers compromised several of the health ministry’s systems, exfiltrating internal vaccination data and ordering officials to contact LAPSUS$ in order to retrieve the stolen information. It quickly became apparent that members of LAPSUS$ were just getting started. Following the attack in Brazil, the group executed additional cyberattacks against at least 8 major technology companies. With each campaign, the group’s members utilized Telegram to dump stolen data and recruit additional members.
In just a few short months, LAPSUS$ had acquired 50,000 subscribers on their Telegram channel and leaked at least hundreds of gigabytes of sensitive information.

OKTA Case Study
In January 2022, the publicly traded security company Okta suffered a cyberattack by LAPSUS$. This incident shook the cybersecurity world, especially given the fact that Okta provides identity management and authentication services to over 15,000 organizations. LAPSUS$ claimed they targeted Okta in order to get access to the company’s customer accounts.

Cyber Kill Chain
The cyber kill chain is an adaptation of the military’s kill chain, which is a step-by-step approach that identifies and stops enemy activity. Originally developed by Lockheed Martin in 2011, the cyber kill chain outlines the various stages of several common cyberattacks and, by extension, the points at which the information security team can prevent, detect or intercept attackers.

Stage 1 – Reconnaissance
In this step attackers try to collect as much information as possible about their targets to devise a robust attack. During reconnaissance, attackers may harvest a range of information, from target mailing lists, presence in social media and open ports to potential vulnerabilities in target services and applications.
Collected information is usually used to decide on the best tool of attack (i.e., a targeted exploit, an exploit kit or a worm) to successfully penetrate the target environment and achieve the attack objectives.

Stage 2 – Weaponization
During weaponization, attackers armor their malicious payload with means of bypassing security controls in the target environment (i.e., for a smooth execution). They use a range of techniques, from disguising malware in a benign-looking payload, such as an Adobe Portable Document Format (PDF) or Microsoft Office document, to exploiting a remote-access 0-day vulnerability to disable the target machine’s security protections.

Stage 3 – Delivery
Vulnerability scanning + phishing emails
Regardless of how sophisticated and robust a weaponized malicious payload is, an attacker must find a way to get it delivered to the intended target(s). In the delivery step, attackers formulate possible means, e.g., malicious email attachments or a USB flash drive.

Stage 4 – Exploitation
Exploitation is when the rubber meets the road. This is when the armoured payload exploits a vulnerability in the target environment, executes its malicious binary payload and provides the attacker with the minimum required access to the target environment. The introduction of Crimeware-as-a-Service (CaaS) further reduced attackers’ hassle at this stage.

Stage 5 – Installation
In this step, attackers try to extend their access to more nodes (i.e., propagating the malware in the network) and install remote administration tools, i.e., Remote Access Trojans (RATs) or backdoors, to persist their presence in the target environment.

Stage 6 – Command and Control (C2)
Once the malware is installed on the victim machine(s), it is time for attackers to get their (virtual) hands on the target keyboards by setting up a remote Command and Control (C&C, also known as C2) channel. The C2 channels can be used to deliver attackers’ commands to the malware or to exfiltrate data from the target environment.

Stage 7 – Actions on Objectives
Finally, after successful installation and C&C establishment, it is time to perform the desired action(s) to meet the attack objectives. Attackers could have different objectives, from just accessing and exfiltrating private information to encrypting files and denying custodians access to their data.

Thank You