Threat Intelligence, or just TI, is sometimes criticized for possibly being inaccurate or outdated. However, there are compelling reasons to incorporate it into your cybersecurity defense strategy. Let’s present some ways to use TI effectively as part of your security operations lifecycle.
What is TI?
Within the scope of this discussion, Threat Intelligence is a knowledgebase of tactical information about threat actors. That information may include IP addresses, domain names, URLs, and filenames—just to name a few. Some TI information may be time-sensitive, such as the most recent time a known threat group used a specific IP address or file to perform an attack.
Image 1: Microsoft Sentinel Threat Intelligence Dashboard. Courtesy Microsoft
What are TTPs, IOCs and APTs?
When discussing Threat Intelligence, it helps to know a few acronyms commonly used, such as TTPs, IOCs and APTs:
- TTPs: Tactics, Techniques, and Procedures are the methods by which tactical threat intelligence is defined. For example, if a state-sponsored Russian hacking group is known to perform phishing attacks followed by ransomware and only attack government institutions, that group of information may be considered a TTP.
- IOCs: Indicators of Compromise are specific values associated with threat intelligence, such as IP addresses, web domains, and hashes.
- APTs: Advanced Persistent Threats are names and numbers assigned to well-known hacking groups that persistently attack one or more industry and/or government categories—a quick note. Tagging threat groups differs within the security community. For example, CrowdStrike likes to use names like “Cozy Bear,” while Mandiant would prefer APT23 to name the same APT group.
How is TI Used?
There are many ways to use TI data within the context of security operations workflows. Some common ways include:
SIEM Correlations
SIEM (Security Information and Event Management) can correlate logged events with lists of information, such as suspicious IP addresses from a TI list. So, if one of the IP addresses in the logs matches one of the IPs from the TI list, an alert can be generated. This feature is a common example used with Firewall and EDR logs, as well as many other log sources.
Threat Hunting
A common threat hunt method is to compare the information in security logs with known bad actor information provided by TI. This task is performed in a similar manner to the SIEM example above, matching logged information with TI lists.
Reporting
Running several different reports is a good way to present a variety of perspectives on logged events that match TI information. Reporting can provide a broader perspective on suspicious activity that was not detected by SIEM or threat hunting. An example would be to search ALL firewall logs from the past week for ANY matches to IP addresses in a TI list. If a match is found, then a threat hunt may be the next step to determine if additional suspicious behavior has occurred around the matching IP.
Situational Awareness Dashboards
When Russia invaded Ukraine, there was an increase in concern around cyberactivity initiated from Russian IP addresses. A situational awareness dashboard is one or more reports that represents activity from a known entity, such as a country’s IP range or other information provided by Threat Intelligence lists.
Mitre ATT&CK
Mitre is a US Government funded organization that researches ‘known threat actors’ and provides information to which other Threat Intelligence providers can map their data. This data provides for richer content. For example, if an IP address is known to be associated with ATT&CK’s threat actor group APT32, then that information can be included in the TI results.
Planning
Understanding your attack surface and knowing where attackers might focus their attention are important strategies when planning how to monitor and protect your network.
TI provides research details that can help identify threat groups targeting your organization or industry. This information can help to pre-emptively prepare for an attack by simulating known security incidents by those threat groups and performing attack simulations to test defenses.
Not Perfect but Useful
Attackers may not use an IP address more than once, in which case TI information associated with that attacker becomes immediately useless. As such, TI data can be very much hit and miss.
Free vs. Paid
If TI data is pulled from a free source, it's less likely to be well maintained than a paid source. Also, some or all of a paid vendor's TI information can be based on free sources, so it's up to the user to validate the information provided by TI.
Trust But Verify
When creating correlations in SIEM, try to add additional conditions that don't depend solely on TI. For example, "EDR alert AND TI match OUTBOUND AND suspicious user activity."
Summary
Although not always the most precise tool for detecting threats, using TI as a part of your security defense strategy can provide useful pre-emptive insights.
References
About This Blog Series
Follow the full series here: Building Defenses with Modern Security Solutions
This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.
Labs
For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.
Compliance
All topics mentioned in this series have been mapped to several compliance controls here.
David Broggy, Trustwave’s Senior Solutions Architect, Implementation Services, was selected last year for Microsoft's Most Valuable Professional (MVP) Award.
