DR DEEPAK KUMAR
DATA AND CYBER INTELLIGENCE
Threat intelligence is evidence-based knowledge (e.g., context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets.
– Gartner
TYPES OF THREAT INTELLIGENCE
Types of threat intelligence differ in how the information is collected, how the data is analysed, and how the resulting intelligence is consumed.
CYBER THREATS
Any possible malicious attack that seeks to unlawfully access data, disrupt digital operations or damage information.
THE CYBER THREAT LANDSCAPE AND ATTACK SURFACE
The cyber threat landscape is always shifting and the attack surface is always changing. Drivers fall under the evolving cyber threat landscape, the bad guys, and new geopolitical regulation:
• Industry Reliance on the Cloud
• Overhead of constantly patching critical software vulnerabilities
• Emerging New Technologies Mature – AI and (Ab)use of New Machine Learning
• Rise in Ransomware & DDoS Technology
• Evolving Zero-Day APTs
• Advanced ‘Undetectable’ Malware
• Larger Data Breaches
• Endless (Spear) Phishing
• Rise in Insider Threats – The Enemy Within, The Weakest Link
• (Possible) Targeting of Critical Infrastructure
• Disguised campaign attack vectors
• Skills Shortage
• Cheap and readily available malicious services
• Cyber Resilience
• Fines for PII Breaches
• Crypto Currency Regulation
• Tracking of adversaries
CYBER THREATS COME FROM
Cyber threats come from numerous threat actors including:
PHASES OF CTI LIFECYCLE
A fundamental framework for all fraud, physical, and cybersecurity programs, whether mature and sophisticated in their operations, or merely aspiring.
Image Source: https://hackersterminal.com/
IMPORTANCE OF CTI
Threat intelligence is actionable: it’s timely, provides context, and is able to be understood by the people in charge of making decisions.
• Boosts the organization’s and Critical National Infrastructure (CNI) cyber defense capabilities
• Predictive analysis and better incident prioritization
• Speeds up incident investigations, analyses and remediation
• Strengthens internal policies
• Leverages key insights and context to prioritize alerts and vulnerabilities
ATTRIBUTION
Behind every attack is a “who,” “why,” and “how.” The “who” is called attribution. The “why” is called motivation or intent. The “how” is made up of the TTPs the threat actor employs.
FUTURISTIC CYBER THREAT IDENTIFICATION
When it comes to detecting and mitigating threats, speed is crucial. Security programs must be able to detect threats quickly and efficiently so attackers don’t have enough time to root around in sensitive data. There are several methods available in the defender's arsenal:
• Collection from Various TI Sources
• Conducting Red and Blue Team Exercises
• Skilled Malware & Forensics Team
• Data Intelligence and Predictive Analysis
• Setting Honeypots, Sinkhole Sensors & Traps
• Collaboration with International Organizations
• Analysing user and attacker behaviour analytics
• Strengthening the Human Intelligence
• Establishment of a Secure Information Sharing and Analysis Centre (ISAC)
Cyber Threat Intelligence: Medium DR. D3PAK KUMAR (D3)
DIGITAL FORENSICS | CYBER INTELLIGENCE
CRITICAL INFORMATION INFRASTRUCTURES (CII)
Critical infrastructure is a term used by governments to describe assets that are essential for the functioning of a society and economy. Most commonly associated with the term are facilities for: education, water, defence, telecommunication, financial, government, hospital, industry, energy, transportation.
• Don’t assume that you’re not a target. Draw up battle plans. Learn from the mistakes of others
• Amateurs hack systems, professionals hack people. — Bruce Schneier
HYBRID ATTACK & TECHNOLOGIES
Technologies in scope: INTERNET OF THINGS – LAUNCHERS, UAV – DRONES, AUTONOMOUS DRIVING, AI/ML USED ROBOTICS, 5G NETWORK, MULTIPLAYER GAMING, CRYPTOCURRENCY – ILLEGAL PAYMENT/PURCHASE.
• Debugging port open by default, allowing attackers to gain root access in the system
• Control subverting of traffic signals
• Breaking VIP security protocol chains
• Create congestion to specific routes
• Altering police patrolling, etc.
• May utilize a compromised traffic control system to attack associated systems, for example CCTV
TRUST, TLP and IOC
• To Defend your Data, You need Knowledge – Threat Intelligence
• Trust is one of the most challenging attributes of cyber threat intelligence sharing.
• The Traffic Light Protocol (TLP) defines four colours: WHITE (no restrictions), GREEN (sharing with peers and partners, not publicly), AMBER (sharing only inside your own organization on a need-to-know basis) and RED (no sharing). Sharing is also subject to antitrust rules.
• Indicators of Compromise (IOC) in Cybercrime: Domain, URL, IP, Mobile Number, SMS Gateway, UPI Handle, Wallet, Bank Details, Profile Handle, Emails, Modus Operandi, etc.
CLOUD ATTACK VECTOR ADVERSARIES
• Credential theft
• Vulnerability exploitation
• Abuse of cloud service providers
• Use of cloud services for hosting malware
• Exploitation of misconfigured image containers
• Command and control
CoT : CYBER OF THINGS
Tier 1 - Collection of Threat Feeds
INPUT: Collection of Threat Feeds
ANALYSIS (Malware & VAPT Lab, Sandbox): Static analysis, Dynamic analysis, Memory analysis
OUTPUT (Cyber Threat Intelligence):
• Advisory
• Predictive Alerts
• Trends & Technology
• New Modus Operandi
• Reports
ATTRIBUTION
Source: Group IB Threat Intelligence
Restricted Circulation
Collection sources: Maltego, COTS, Twitter, iMessengers, etc.
COLLECTION: There are three main steps in analysing web media:
• Data identification,
• Data analysis, and
• Information interpretation.
PROCESS: Gather actionable insights in raw form concerning the subject, etc.
OUTPUT:
• Disseminate to concerned parties
• Investigation
• Forensics
THE BIG PICTURE - WORLD ECONOMIC FORUM RANKS ‘CYBERATTACKS’ AS A TOP GLOBAL RISK
[Figure: WEF global risks landscape, plotting Likelihood (x-axis, 2.30 to 4.30) against Impact (y-axis, 2.90 to 4.10). Risks plotted include weapons of mass destruction, extreme weather, natural disasters, climate change, water crisis, biodiversity collapse, cyberattacks, food crisis, infectious diseases, large-scale migration, critical information infrastructure, interstate conflict, environmental disasters, fiscal crisis, terrorist attacks, regional governance failure, asset bubbles, data fraud or theft, critical infrastructure, state collapse, energy price shock, financial institution failure, adverse technology, urban planning failure, illicit trade, unmanageable inflation and deflation.]
Source: 2018 WEF survey spanning 684 respondents, which assessed the likelihood and impact of each risk on a scale of 1 to 5 (very unlikely / minimal impact to very likely / catastrophic).
CYBER KILL CHAIN
➢ Task: Identify the Attackers’ Step by Step Process
➢ Goal: Disrupting Attackers’ operations

Recon
▪ Motivation, Preparation, SE, OSINT, Phishing, APT
▪ MITRE ATT&CK: Active Scanning, Passive Scanning, Determine Domain & IP Address Space, Analyze Third-Party IT Footprint

Weaponise
▪ Mechanism, Configuration of Delivery, Packaging, Infection Vector, Method & Characteristics
▪ MITRE ATT&CK: Malware, Scripting, Service Execution

Delivery
▪ Powershell
▪ MITRE ATT&CK: Spearphishing Attachment/Link, Exploit Public-Facing Application, Supply Chain Compromise

Exploitation
▪ Technical or human? Applications affected
▪ MITRE ATT&CK: Local Job Scheduling, Scripting, Rundll32

Installation
▪ Persistence, Characteristics of change, Self-signed, Driver
▪ MITRE ATT&CK: Application Shimming, Hooking, Login Items

C2
▪ Communication between victim & adversary, VPN
▪ MITRE ATT&CK: Data Obfuscation, Domain Fronting, Web Service

Actions & Objectives
▪ What the adversary does when they have control of the system, Data Exfil
▪ MITRE ATT&CK: Email Collection, Data from Local System/Network Share, Surveillance
CTI SOURCES AND FEEDS
Feeds are just the raw data on threats; an analyst extracts the intelligence from them for creating reports.
Monitoring and collection of security data on Indicators of Compromise (IoCs, e.g. IP addresses, hash values, domain names etc.) from various sources. The purpose is to identify uncommon activity and malicious domains and IP addresses.
Example sources and feeds: AlienVault Open Threat Exchange, Cisco Talos Intelligence, Group IB, Recorded Future, Department of Homeland Security (DHS) CISA, SANS Internet Storm Center, Google Alerts, Virustotal, MISP, BlueLive, ThreatConnect.
Note: Some of the CTI tools and services are mentioned. These are not for endorsement purposes.
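As an added example that is not part of the original deck, the Python below ties the TLP slide and the feeds slide together: it parses a constructed feed of indicators into the IOC types listed earlier (IP, URL, domain, hash), de-duplicates them, and applies the four TLP colours as this deck describes them to decide which indicators may be released to a given audience. The feed format, source names and indicator values are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import namedtuple

# TLP colours as the slide describes them, ranked by how widely information may spread.
TLP_RANK = {"RED": 0, "AMBER": 1, "GREEN": 2, "WHITE": 3}
# Audiences a CTI team disseminates to, on the same scale (AMBER stops at rank 1).
AUDIENCE_RANK = {"internal_need_to_know": 1, "peers_partners": 2, "public": 3}
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
IOC = namedtuple("IOC", "value kind tlp source")

def classify_indicator(value):
    """Classify a raw feed value as ip, url, domain, md5/sha1/sha256 or unknown."""
    v = value.strip()
    if len(v) in HASH_LENGTHS and re.fullmatch(r"[0-9a-f]+", v, re.I):
        return HASH_LENGTHS[len(v)]
    if re.match(r"^https?://", v, re.I):
        return "url"
    try:
        ipaddress.ip_address(v)
    except ValueError:
        return "domain" if DOMAIN_RE.match(v) else "unknown"
    return "ip"

def parse_feed(lines):
    """Parse 'source,tlp,indicator' lines (a constructed format); skip comments, de-duplicate."""
    seen, iocs = set(), []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        source, tlp, value = (part.strip() for part in line.split(",", 2))
        tlp = tlp.upper()
        if tlp not in TLP_RANK:
            raise ValueError(f"unknown TLP label {tlp!r} in: {line}")
        if (value.lower(), tlp) not in seen:  # same indicator and label twice: keep one
            seen.add((value.lower(), tlp))
            iocs.append(IOC(value, classify_indicator(value), tlp, source))
    return iocs

def shareable(iocs, audience):
    """Return only the IOCs whose TLP label permits release to the given audience."""
    return [i for i in iocs if AUDIENCE_RANK[audience] <= TLP_RANK[i.tlp]]

# Constructed sample feed: documentation-range IP, example.* names, MD5 of the empty string.
SAMPLE_FEED = """# source,tlp,indicator (constructed sample, not real indicators)
isac-partner,GREEN,198.51.100.23
internal-ir,AMBER,d41d8cd98f00b204e9800998ecf8427e
vendor-report,WHITE,http://example.com/login
isac-partner,green,198.51.100.23
internal-ir,RED,example.net""".splitlines()
```

RED indicators never leave the receiving team, so `shareable(parse_feed(SAMPLE_FEED), "public")` yields only the WHITE URL, while the internal audience also receives the AMBER hash and the GREEN address.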