Behind almost all the attacks faced by a Security Operations Centre (SOC) there’s always an adversary using multiple complex systems to compromise its information and access its infrastructure

The battle between cybersecurity experts and cybercriminals is a constant struggle which can often seem an asymmetrical fight. It can even be compared to a game of cat and mouse with both sides trying to prove they are smarter than the other.

As shown in the SANS 2018 Cyber Threat Intelligence Survey, cyber threats are increasingly complex and technically sophisticated, which puts the experts in charge of protecting business security at a clear disadvantage against cybercriminals.

This is pushing many businesses to start thinking about the need to add threat intelligence technology to their resources and services. Their clear aim in doing so is obtaining and sharing information that would enable them to act preventatively and, in some cases, be prepared for emerging attacks by trying to take pre-emptive action.

But first of all we should maybe answer the question: What is threat intelligence?

What is threat intelligence?

According to the firm Gartner, it is “evidence-based knowledge, including context, implications and other variables about an existing or emerging threat that can be used to inform decisions”

The term cyber threat intelligence has actually been used in recent years to refer to the work of collecting and analysing data to generate valuable information which contributes to more effective responses to emerging threats.

In short, cyber threat intelligence is used nowadays to identify information of interest to the organisation, sensitive data which may have been exfiltrated, find and/or identify possible attackers and brand haters and provide warning so as to prevent possible cybersecurity events.

Turning information into intelligence

At this point, we don’t want to begin identifying tools and services. It is perhaps more important to clarify that threat intelligence is not based on collecting huge quantities of information but rather, on turning the information gathered, whatever the quantity, into useful data which will help organisations protect themselves against threats. Therefore, we will speak more about how this data or information silos become valuable information. At the end of the day, we want to obtain value (intelligence) from the information we get from different sources (feeds).

Organisations use different information processes on the information they generate in the different products used by their security teams. These include:

  • Tactical Intelligence: is built on recommendations for incident response procedures, and plays an important role in enabling organisations to enhance their security posture.
  • Strategic intelligence: is built on the knowledge base created from tactical intelligence; data analysis can be utilised to help organisations take important decisions, bringing about changes in non-technical processes and other considerations which may greatly reduce risk exposure.
  • Operational intelligence: aims to detect in a quick, efficient, and timely manner any signs of suspicious activity.

In light of the above, we should consider threat intelligence as the process of obtaining, analysing and developing a final product that provides security teams with relevant, accurate, and timely data so they can take decisions based on this information.

The final product must have, amongst others, the following main features:

  • The information must be accurate.
  • The information must be relevant: we can obtain a lot of information but it is important to select information that applies to the organisation’s circumstances and current environment by discarding non-valuable information.
  • Processed information must be timely, it’s important to have the information before the incident happens.
  • All the processed information that has been transformed into intelligence must be integrated into the organisation’s IT systems to improve decision making and protective actions and, whenever possible, pre-empt the incident.

Threat Sharing

If we look at the market, we can see a clear increase in the number of cyber intelligence providers. This shows a growing market. Yet, although there is an ever-growing field of suppliers, none of them can guarantee that they have 100% of the information on the threats which may affect a specific client.

That’s why, and as was shown last year with the WannaCry ransomware, global cooperation between security incident response centres and information sharing are key to quick and efficient action to halt attacks. Different organisations in the same sector are often attacked by the same actor. This is why information sharing networks on indicators of compromise (IOCs) are expanding so as to provide mutual assistance against cybercrime and avoid, as far as possible, duplication of effort.

Indicators of compromise (IOC)

An indicator of compromise, hereinafter IOC, offers and details relevant information in order to detect threats: the information it may include ranges from the items participating in malicious activity to the behaviour patterns that identify said activity. All this information can be configured and categorised.

The information in IOCs enables organisations, experts and the like to share patterns and make updates as and when other analysts identify new behaviours and patterns, and any other information that may be included in a specific IOC.

Therefore, we have a highly useful tool for security analysts, an efficient preventative method that aids proactive detection and incident management. These “signatures” can be implemented in:

  • Network intrusion detection systems (NIDS or HIDS)
  • Intrusion prevention systems (IPS)
  • Firewalls

Although it may seem simple, experience shows us that efficient information sharing between bodies, businesses and experts is not as efficient as it should be. Whilst it is true that there are actually many very good initiatives, led by public bodies, private businesses, and even by industry experts, it can often be very difficult to share this information as there is no common information sharing standard.

There are currently several information sharing standards for indicators of compromise. The vast majority use the XML metalanguage in which we can find various parameters which offer us relevant information. Some of the most well known are:

  • OpenIOC: a standard published under Apache License 2 that allows an investigator to describe the identifying technical characteristics of a threat.
  • Oasis Cyber Threat Intelligence: this initiative is backed by some of the leading security solution providers in the market. It is made up of three subcommittees:
    • STIX: Structured Threat Information Expression
    • TAXII: Trusted Automated Exchange of indicator Information
    • CybOX: Cyber Observable Expression
  • Maec (Malware attribute Enumeration and Characterization):Enumeration and characterisation of malware attributes
  • IODEF (Incident Description Exchange Format) RFC 5070
Figure 1 - STIX object example
Figure 1 – STIX object example

We shouldn’t forget that there are also IOCs based on YARA rules that allow us to search for strings in a file. YARA rules are well known and widely used today by many security investigators. They can therefore be considered as an IOC in and of themselves .This topic would require a separate article to fully explain it.

Figure 2 2 - YARA Rules: https://github.com/Yara-Rules
Figure 2 2 – YARA Rules: https://github.com/Yara-Rules

We can also find IOC repositories and databases such as IOC BUCKET, Citizen Lab Malware Indicator, Openioc DB; platforms fed by user communities, which allow us to find indicators and information on threats so as to improve the security of our own platforms.

We’ve reached the end of the first part now and we’d call on you to keep in touch with us and read the second part of “Threat Intelligence” where we will discuss collaborative platforms and tools for information sharing.

References: