Definitive Guide To CTI THlink

The document discusses the importance of Cyber Threat Intelligence (CTI) in combating targeted cyber attacks by understanding adversaries' motivations and methods. It outlines the need for a structured approach to intelligence gathering, analysis, and dissemination to enhance cybersecurity at tactical, operational, and strategic levels. The text emphasizes that effective CTI can help organizations prioritize defenses and improve incident response capabilities.


Definitive Guide™ to Cyber Threat Intelligence

Using Knowledge about Adversaries to Win the War against Targeted Attacks

Jon Friedman
Mark Bouchard, CISSP
Foreword by John P. Watters

Published by:
CyberEdge Group, LLC
1997 Annapolis Exchange Parkway
Suite 300
Annapolis, MD 21401
(800) 327-8711
www.cyber-edge.com
and the CyberEdge Press logo are trademarks of CyberEdge Group, LLC in the United States and other countries. All other trademarks and registered trademarks are the property of their respective owners.

Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of the publisher. Requests to the publisher for permission should be addressed to Permissions Department, CyberEdge Group, 1997 Annapolis Exchange Parkway, Suite 300, Annapolis, MD, 21401 or transmitted via email to [email protected].

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on CyberEdge Group research and marketing consulting services, or to create a custom book for your organization, contact our sales department at 800-327-8711 or [email protected].

ISBN: 978-0-9961827-0-6 (paperback); ISBN: 978-0-9961827-1-3 (eBook)

Printed in the United States of America.

Publisher’s Acknowledgements
CyberEdge Group thanks the following individuals for their respective contributions:
Susan Shuttleworth
Debbi Stocco
Valerie Lowery
Jonathan Couch, Matt Hartley, Patrick McBride
Table of Contents
Foreword ............................................................................................................... v
Introduction ........................................................................................................ vii
Chapters at a Glance ....................................................................................... vii
Helpful Icons .................................................................................................. viii

................................................. 1
The Need for Cyber Threat Intelligence ........................................................... 2
The menace of targeted attacks .......................................................... 2
The monitor-and-respond strategy.................................................... 2
Why the strategy is failing .................................................................. 3
.................................................................... 5
Key Characteristics ........................................................................................... 6
Adversary based ................................................................................. 6
Risk focused ........................................................................................ 6
Process oriented ................................................................................. 7
Tailored for diverse consumers .......................................................... 7
........................................................8

................... 9
Assets That Must Be Prioritized ..................................................................... 10
Personal information........................................................................ 10
Intellectual property ..........................................................................11
.................................................... 11
Credentials and IT systems information........................................... 11
Operational systems ..........................................................................12
Adversaries .......................................................................................................12
Cybercriminals ..................................................................................13
Competitors and cyber espionage agents .........................................14
Hacktivists .........................................................................................14
Intelligence Consumers ...................................................................................15
Tactical users .....................................................................................15
Operational users ..............................................................................16
Strategic users ...................................................................................16

............................................ 17
Level 1: Threat Indicators ............................................................................... 18
File hashes and reputation data ....................................................... 18
Technical sources: honeypots and scanners .....................................19
Industry sources: malware and reputation feeds ............................20
Level 2: Threat Data Feeds ..............................................................................21
Cyber threat statistics, reports, and surveys .....................................21
Malware analysis .............................................................................. 23
Level 3: Strategic Cyber Threat Intelligence .................................................. 24
Monitoring the underground ........................................................... 24
Motivation and intentions................................................................ 25
Tactics, techniques, and procedures ................................................ 26

............ 27
Information versus Intelligence .....................................................................28
Validation and Prioritization ..........................................................................28
Risk scores ........................................................................................29
Tags for context ................................................................................29
Human assessment ..........................................................................30
Interpretation and Analysis .............................................................................31
Reports ..............................................................................................31
Analyst skills ..................................................................................... 32
Intelligence platform ........................................................................ 33
Customization................................................................................... 33
Dissemination .................................................................................................34
Automated feeds and APIs ............................................................... 34
Searchable knowledge base .............................................................. 34
Tailored reports ................................................................................ 34

................................................... 35
IT Operations: Blocking, Patching, and Triage .............................................. 36
Network operations: improve blocking ........................................... 36
IT infrastructure groups: prioritize patching .................................. 37
SOC: triage for alerts ........................................................................38
Incident Response: Fast Reaction and Remediation ..................................... 39
Accelerating attack analysis ............................................................. 39
Assisting investigation and remediation ..........................................41
Management: Strategic Investment and Communications ........................... 43
.......................................................................... 43
Improving management communication ........................................ 43

....................................... 45
Develop a Strategic Roadmap .........................................................................46
Evaluate assets, adversaries, and defenses ..................................... 46
Perform a gap analysis .....................................................................46
Outline investment priorities ...........................................................48
Create a Central Knowledge Base ...................................................................49
Expand Monitoring .........................................................................................50
..............................................50
Monitor external threats ..................................................................50
............................................................................51
.......................................................................................51
Organize Communications ............................................................................. 52
Develop a Hunt Mission Capability ................................................................ 53
......................................................................................... 54

............... 55
Types of Partners ............................................................................................ 56
Providers of threat indicators .......................................................... 56
Providers of threat data feeds .......................................................... 56
Providers of comprehensive cyber threat intelligence .................... 57
What to Avoid ................................................................................................. 57
Important Selection Criteria ...........................................................................58
Global and cultural reach ................................................................. 58
Historical data and knowledge......................................................... 58
Range of intelligence deliverables.................................................... 59
APIs and integrations ....................................................................... 59
Intelligence platform, knowledge base, and portal ......................... 59
Client services ................................................................................... 59
Access to experts...............................................................................60
Intelligence-driven Security ...........................................................................60

............................................................................................................. 61
Foreword

N -
ing its opponent. No general launches a military exercise

opposing forces. And no sensible business leader enters a market without identifying the major competitors and their strengths and weaknesses.

Yet every day most cybersecurity professionals go to work without any idea about the identity and probable actions of their adversaries.

In information security, if you do not understand the motivations, intentions and competencies of your opponents, then you cannot understand the risks to your enterprise or focus your defenses.

Eight years ago this insight led the founders of iSIGHT

cyber threat intelligence. We knew that enterprises could compete against increasingly focused and capable threat actors only by leveraging timely, accurate, relevant intelligence provided in actionable form.

We started the business to change the game in information security. Our aim has been to give cybersecurity professionals an alternative to constantly searching for vulnerabilities and trying to protect against all possible threats. We have pioneered new techniques for understanding the adversaries targeting our clients, and for exposing their tactics, techniques, and methods.

Today, cyber threat intelligence is a fundamental component

and few people understand it well.

That is why we are pleased to sponsor the Definitive Guide to Cyber Threat Intelligence. This short book provides an overview of the topic and its major activities: developing intelligence requirements; collecting, analyzing, and disseminating information; and using cyber threat intelligence to improve security at the tactical, operational, and strategic

intelligence program and selecting the right partner for that

implementation.

I urge you to read this guide and share what you learn with your colleagues and your community. Cybersecurity has become more than a job. It is a discipline for protecting our enterprises, our livelihoods, the wellbeing of our customers and clients, and sometimes even our values and way of life.

threat actors stay a step ahead. Cyber threat intelligence is an essential tool for closing the gap and allowing us to thwart attacks before they cause damage.

John P. Watters
Chairman and CEO
iSIGHT Partners
Introduction

“Cyber threat intelligence” sounds like a glamorous mashup of James Bond and Bill Gates, or perhaps Jason Bourne and Mark Zuckerberg. Indeed, today’s headlines reveal a surprising number of master criminals and shadowy government agencies bent on world domination. Instead of stolen atomic devices, giant lasers, and exotic aircraft, they wield phishing campaigns, polymorphic malware, and DDoS attacks. The stakes are high, too: billions of dollars, personal information of tens of millions of customers and employees, and the protection of national infrastructures.

But information technology professionals don’t have time for

‘intelligence’ mean for cybersecurity? How can cyber threat intelligence help us do our jobs better? How can we design a cyber threat intelligence program?”

This book answers those questions. We describe the elements of cyber threat intelligence and discuss how it is collected, analyzed, and used by a variety of human and technology

cybersecurity at tactical, operational, and strategic levels, and how it can help you stop attacks sooner, improve your defenses, and talk more productively about cybersecurity issues with executive management.

If you are concerned that the bad guys too often seem to be a step ahead of the rest of us, then please read on.

Chapters at a Glance
Chapter 1,

Chapter 2,
Requirements,” explains the importance of developing good
requirements related to assets, adversaries, intelligence
consumers, and business operations.
Chapter 3,
the basic types of cyber threat information and how they are
collected.

Chapter 4,
Intelligence,” reviews the steps involved in preparing

operations, incident response and executives.

Chapter 5,
how intelligence can be used at the tactical, operational, and
strategic levels to identify attacks and improve defenses.

Chapter 6,
step-by-step recommendations for enhancing cyber threat
intelligence capabilities.

Chapter 7,
Partner,” enumerates criteria for evaluating cyber threat
intelligence providers.

The Glossary

Helpful Icons
TIP
Tips provide practical advice that you can apply in your own
organization.

DON’T FORGET
When you see this icon, take note as the related content
contains key information that you won’t want to forget.

CAUTION
Proceed with caution because if you don’t it may prove costly
to you and your organization.

TECH TALK
Content associated with this icon is more technical in nature
and is intended for IT practitioners.

ON THE WEB
Want to learn more? Follow the corresponding URL to
discover additional content available on the Web.
Intelligence

C is a relatively young discipline.

Most of the experts are employed by a handful of specialized cybersecurity firms, major government agencies, and large enterprises. Few people have a clear idea of the practices developed so far by the leading practitioners.

Yet the field is growing rapidly. Cyber threat intelligence is being covered by the press, and studied in depth by analysts at Gartner, Forrester Research, IDC, the SANS Institute, and the National Institute of Standards and Technology

increasing interest to businesses and government agencies

of all sizes.

This chapter discusses why cyber threat intelligence is a hot topic and provides a brief overview of its key elements.

The Need for Cyber Threat Intelligence

The surge of interest in cyber threat intelligence owes much to the devastating record of sophisticated targeted cyberattacks, including now-ubiquitous

have been victimized, sometimes to the tune of tens of millions of dollars.

The menace of targeted attacks

Ten years ago, IT security professionals mostly worried about
. Today these are regarded as secondary threats

part, security vendors and enterprises defend against them

quickly disseminating and -

detect and block the attacks.

Today, the most serious data breaches and disruptions result

companies or industries. Sophisticated, well-funded attackers

Utilizing social engineering techniques and multi-

simple threat indicators or blocked by frontline defenses.

Constantly adapting their tools, tactics, and procedures to evade even advanced cybersecurity measures.

They have also raised the stakes by systematically targeting their victims’ most valuable information assets and business systems.

The monitor-and-respond strategy

Most enterprises have recognized that signature-based

attacks. They have shifted to a defensive strategy that focuses on monitoring and incident response.

The typical process can be summarized as follows:

1. Collect as many signatures, threat indicators, and security events as possible.
2. Feed this data to security products that can block mass

and endpoint protection software, and intrusion detec-

3. Use the same data to generate alerts, and monitor those alerts in the security operations center (SOC) with a security information and event management (SIEM) solution.
4. Have the SOC analysts examine the alerts, perform triage, and escalate the most serious to the incident response (IR) team for validation and analysis.
5. Have the IR team investigate the serious alerts, dig around in various logs, and reconstruct the elements of the complex attacks.
6. Use the attack analyses to stop the progress of ongoing attacks, clean up compromised systems, and protect against new instances.
7. Periodically report to the CISO the number and types of attacks so he or she can ask executive management for a bigger security budget.

Why the strategy is failing

Tactical level

analysts from identifying alerts linked to threats capable of causing real damage.

Operational level

relevant information about threats, reconstruct the attacks, and take action to stop them.

TECH TALK The table below goes into some depth about IT security activities. You can skip it for now if you like; we will be covering the details later, especially in Chapter 5.

Typical problems defending against cyberattacks and how cyber threat intelligence helps address them

Strategic level

At the strategic level, CISOs and IT managers don’t have the information needed to set priorities or make budgeting and

TIP Executives also need information on what not to fear. Today, IT and business managers alike are bombarded with an endless list of potential threats, along with hyperbolic commentary about breaches from vendors and the press. They need

so everyone can focus on the real risks to the enterprise.

week.

-
ligence and outlining how it helps organizations defend themselves against targeted attacks.

The groundswell of interest in cyber threat intelligence derives from the recognition that it is impossible to stop technically advanced adversaries without foreknowledge of their intentions and methods.

Key Characteristics

-

somewhat abstract. So let’s go into a bit more depth and examine some of the key characteristics of cyber threat intelligence as practiced by the leading experts today.

Adversary based

The types of intelligence we encounter in books, movies, and
-
cal intelligence activities are directed at enemies of the nation. Law enforcement and anti-terrorism intelligence programs probe criminal gangs and terrorist organizations. Sports teams scout upcoming opponents. Competitive analysts compile information on the products, pricing, and plans of rival businesses.

Cyber threat intelligence activities are also organized around
-
nage agents, and hacktivists. The enterprise that knows its opponents can optimize its defenses to protect against those adversaries and the attacks they employ.

Risk focused

Cyber threat intelligence programs are based on an assessment of the information assets that the enterprise needs to protect. These assets include data, documents, and intel-

-

Process oriented

From spying, to law enforcement, to competitive analysis, all successful intelligence programs follow the same basic process

The steps in an intelligence process

CAUTION Don’t assume that your organization is following this process

informally. Most enterprises never think systematically about what intelligence is required, what sources are available, or how to package information to make it readily usable by different audiences. Make this process explicit and document the tasks at each step. The next four chapters of this guide will help you by outlining many of those tasks.

Tailored for diverse consumers

Another key characteristic of cyber threat intelligence is that it does not stop at distributing raw threat data. Data and analysis must be tailored for each type of intelligence consumer. For example, in respect to the same alert:

SOC analysts may want just enough context to know if the alert is worth escalating to the IR team.

The IR team may want very detailed context to determine if the alert is related to other events observed on the network.

The CISO might want an evaluation of the risk to the organization and a summary connecting the alert to data breaches recently reported in the press.
Threat Intelligence

include:

Removing invalid indicators so they don’t create false positives

Prioritizing patches so the most dangerous vulner-

so they can correlate events with attacks more quickly and accurately

Prioritizing indicators so SOC analysts can rapidly identify alerts that need to be escalated

Providing situational awareness and context so IR teams can expand their investigations from individual indicators to determine attackers’ intentions, methods, and targets

Allowing IR and forensics teams to quickly remediate damage done by breaches and prevent additional attacks in the future

Providing managers with an understanding of

and business processes

Helping CISOs communicate with top executives and board members about risks to the business, the probable actions of adversaries in the future, and the return on investments in security

DON’T FORGET Helping management decide how to budget to adequately mitigate risk is one of the most important uses of cyber threat intelligence. Never look at intelligence as a resource for IT security professionals only.
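Two of the uses listed above, removing invalid indicators before they create false positives and prioritizing indicators so SOC analysts know what to escalate, together with the previous section's point about tailoring the same alert for SOC, IR and CISO consumers, as an added Python example that is not part of the guide. The asset inventory, criticality scores, adversary weights, escalation threshold, indicator feed and alerts are all constructed for illustration.

```python
# Added example (not from the guide): validate an indicator feed, risk-score
# the SIEM alerts it matched, and package one alert for three consumers.
import re
from dataclasses import dataclass, field
from datetime import date
from ipaddress import IPv4Address, ip_network

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Addresses that should never appear as external threat indicators; a feed
# entry inside them is almost certainly an error that would only create
# false positives if pushed to blocking gear.
NON_ROUTABLE = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed asset inventory: hostname -> criticality (1 low .. 5 high),
# the "risk focused" assessment of which assets matter most.
ASSETS = {"cardholder-db-01": 5, "hr-files-02": 4,
          "build-srv-07": 3, "kiosk-lobby-01": 1}
# Constructed weights for the adversary categories of Table 2-1.
ADVERSARY_WEIGHT = {"cybercriminal": 1.0, "espionage": 1.2,
                    "hacktivist": 0.8, "unknown": 0.6}
ESCALATE_AT = 3.0   # constructed threshold for SOC-to-IR escalation


@dataclass
class Indicator:
    kind: str          # "sha256" or "ipv4"
    value: str
    adversary: str     # attribution tag supplied with the feed
    expires: date      # validity date supplied with the feed
    tags: list = field(default_factory=list)   # context tags, e.g. "c2"


@dataclass
class Alert:
    host: str          # asset on which the indicator fired
    matched: str       # indicator value that fired


def reject_reason(ind, today):
    """Return why an indicator is invalid, or None if it may be used."""
    if ind.expires < today:
        return "expired"
    if ind.kind == "sha256":
        return None if SHA256_RE.match(ind.value) else "malformed hash"
    if ind.kind == "ipv4":
        try:
            ip = IPv4Address(ind.value)
        except ValueError:
            return "malformed ipv4"
        return "non-routable address" if any(ip in n for n in NON_ROUTABLE) else None
    return "unknown indicator type"


def validate(indicators, today):
    """Split a feed into usable indicators and a map of rejected ones."""
    valid, rejected = [], {}
    for ind in indicators:
        reason = reject_reason(ind, today)
        if reason:
            rejected[ind.value] = reason
        else:
            valid.append(ind)
    return valid, rejected


def score_alert(alert, index):
    """Asset criticality x adversary weight, plus a bonus for C2 context."""
    ind = index.get(alert.matched)
    if ind is None:                  # fired on an indicator we rejected
        return 0.0
    weight = ADVERSARY_WEIGHT.get(ind.adversary, ADVERSARY_WEIGHT["unknown"])
    bonus = 0.5 if "c2" in ind.tags else 0.0
    return round(ASSETS.get(alert.host, 1) * weight + bonus, 2)


def triage(alerts, valid_indicators):
    """Rank alerts by score and pick those the SOC should escalate to IR."""
    index = {i.value: i for i in valid_indicators}
    scored = sorted(((score_alert(a, index), a) for a in alerts),
                    key=lambda pair: -pair[0])
    return scored, [a for s, a in scored if s >= ESCALATE_AT]


def tailor(alert, index):
    """The same alert packaged for SOC, IR and CISO consumers."""
    ind, score = index[alert.matched], score_alert(alert, index)
    return {
        "soc": f"{alert.host}: {ind.kind} hit, score {score}, "
               f"{'ESCALATE' if score >= ESCALATE_AT else 'monitor'}",
        "ir": {"host": alert.host, "indicator": ind.value, "kind": ind.kind,
               "adversary": ind.adversary, "tags": ind.tags,
               "valid_until": ind.expires.isoformat()},
        "ciso": f"criticality-{ASSETS.get(alert.host, 1)} asset {alert.host} "
                f"shows {ind.adversary} activity (score {score})",
    }


# Constructed feed and alerts; the IP values are RFC 5737 documentation ranges.
TODAY = date(2015, 6, 1)
FEED = [
    Indicator("sha256", "a" * 64, "cybercriminal", date(2015, 12, 31), ["banking-trojan"]),
    Indicator("sha256", "deadbeef", "cybercriminal", date(2015, 12, 31)),
    Indicator("ipv4", "203.0.113.7", "espionage", date(2015, 12, 31), ["c2"]),
    Indicator("ipv4", "10.0.0.5", "hacktivist", date(2015, 12, 31)),
    Indicator("ipv4", "198.51.100.9", "hacktivist", date(2015, 1, 1)),
]
ALERTS = [Alert("cardholder-db-01", "203.0.113.7"), Alert("kiosk-lobby-01", "a" * 64),
          Alert("build-srv-07", "10.0.0.5"), Alert("hr-files-02", "a" * 64)]

if __name__ == "__main__":
    valid, rejected = validate(FEED, TODAY)
    print("rejected:", rejected)
    scored, escalated = triage(ALERTS, valid)
    for s, a in scored:
        print(f"{s:4} {a.host} <- {a.matched[:16]}")
    print(tailor(escalated[0], {i.value: i for i in valid}))
```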
Intelligence Requirements

Cyber threat intelligence requirements guide not only what intelligence is collected, but also how it is analyzed and used. Developing a good set of requirements helps the security organization:

Monitor the right threat actors

Collect the most useful intelligence

Prepare intelligence in the right format and level of detail for each type of user

Avoid wasting time and money collecting and disseminating trivial data
Assets That Must Be Prioritized

everything, defends nothing.” That maxim applies equally

monitor every application, network segment, system, and data

alert and security event. No manager can budget for every new security technology that comes along.

Let’s review the main types of information assets that need to be considered, and the risks to the business if they are lost.

TIP Cast a wide net when you think about high-value assets. Some

their hands on your draft press releases? What about project bids and executive emails? Could your CFO’s Facebook posts provide ammunition for a attack?

DON’T FORGET Besides enumerating information assets that could be attacked, try to quantify the potential costs if attacks on these assets are successful.

data

Credit card numbers, bank account numbers, and account access credentials are extremely valuable to cybercriminals because they can be sold in bulk on underground websites. The costs of losing such data are extremely high. They include

Personal information

includes names,
-
tion numbers, and medical records. PII can be employed in mass phishing attacks, sold on underground websites, and used to create fraudulent accounts that criminals can monetize. Cybercriminals and hackers can also use it as the basis for spear phishing attacks against target enterprises.

attacks.

TIP Today a great deal of personal information is exposed on social media. Cybercriminals sometimes research executives on Facebook, LinkedIn, and other sites. They use personal details acquired there, such as membership in industry, social, and civic organizations, to create credible phishing email messages. You should educate your employees on the risks of posting excessive information on social media.

Intellectual property

-
ware programs, product manuals, technical documents, and creative works such as videos, music recordings, and books. Theft of an enterprise’s IP can mean the loss of competitive advantages. Theft of IP entrusted to you by someone else can result in violations of license agreements and contractual obligations.

customer lists, competitive bid information, and trade secrets.

Their loss can result in a diminished competitive position.

releases on those topics can prove costly to stockholders, and even trigger criminal investigations.

Credentials and IT systems information

Login credentials and IT systems information can be extremely valuable to adversaries, potentially opening the way for the loss of every type of information asset in the enterprise.

CAUTION Be sure that suppliers, service providers, and other third parties with access to your systems are diligent in protecting their login credentials for your systems. Some of the most damaging data breaches in recent years started when user IDs and passwords were stolen from third parties.

Operational systems

Operational systems are not assets in the usual sense of the word. However,
attacks that bring down corporate websites, and malware that

revenue, productivity, and public image.

Adversaries

The second part of developing cyber threat intelligence requirements is determining which adversaries might target your enterprise. This analysis can help you decide:

Which categories of threat actors to monitor

priority in your monitoring and incident response activities

Which adversaries and threat types do not require
-

Table 2-1 summarizes the most important adversary types.

Table 2-1: Types of adversaries, their targets, and their weapons

Cybercriminals

or systems, such as customer databases, human resource

TIP

an ongoing process. You need to keep up with new cybercriminal types and other threat actors as they emerge, and with new attack types and tools as they evolve.

Competitors and cyber espionage agents

-
tion to obtain commercial, economic, political, or military advantages.

Cyber espionage has long been familiar to military organizations, aerospace and defense companies, and federal government agencies. Now it is being detected by an ever-widening circle of companies that bump up against foreign competitors.

Cyber espionage is carried out by commercial companies, by government-sponsored agents on behalf of commercial companies, and by government and military organizations. They

can be used to shortcut product development, win competitive bids, and anticipate business strategies, or to gain advantages in military or political struggles.

TIP Be sure to involve line of business managers in your assessment of what IP and business information competitors and cyber espionage agents might target. IT professionals may be
-
ments, designs, and plans. And remember that software programs are often a key source of competitive advantage!

Hacktivists

Hacktivists attempt to carry out disruptive actions to express their political, social, or ideological beliefs, or to discredit or damage representatives of opposing views. They range from individuals, to loosely connected groups, to well-funded proxies for governments and military forces. In many cases their desire for publicity leads them to be more openly destructive than other types of threat actors.

Unfortunately, few enterprises are immune today. Banks, restaurant chains, retailers, media outlets, social networking companies, and many others are being targeted as agents of capitalism, promoters of disliked cultural values, or symbols of their home government.

TIP

-
sion into new geographic markets? Are you involved in environmental or legal controversies? Are you doing business with dissidents or with enemies of repressive governments? Establish a communications process with business managers so they are aware of the risks and you are not blindsided by unexpected business decisions.

Intelligence Consumers
To develop cyber threat intelligence requirements, you must
also understand the needs of the people and systems using the
intelligence. Those needs include both the information con-
tent people require to do their jobs and the formats that make
information accessible to people and security systems.
We look at some of these requirements here. In Chapter 5 we

cyber threat intelligence.

Tactical users
malware gateways, IDS/IPS systems, and other gateway secu-
or generating false positives.
Infrastructure groups that manage servers and endpoint devices want intelligence about which vulnerabilities are most critical for the enterprise so they can decide which security
SOC analysts monitor alerts and decide which ones should be escalated for further analysis. They want relevant, accurate, and timely data fed to their SIEMs, as well as basic context for alerts so they can quickly decide which ones are isolated events and which might be part of complex attacks.
Operational users
Operational users of intelligence, such as IR teams, forensic analysts, and fraud detection departments, need detailed context around alerts and events. They also need in-depth intelligence on attacks and adversaries so they can:
- Quickly establish if alerts or events are part of complex attacks
- Expand their investigations to identify other elements in the attacks
- Determine which systems have been compromised, and which systems need to be remediated
The types of intelligence they need for these activities include analyses of malware, breakdowns of targeted attacks, and reports on the of
Strategic users
Strategic users, including CISOs and IT managers, want threat intelligence reports that enable them to understand trends and make better decisions about security budgets, process
intelligence helps them minimize risks and protect new business and technology initiatives.
Threat Information
Information is not intelligence, but it is the raw material out of which intelligence is produced through analysis.
Enterprises today have access to literally terabytes of cyber threat information in the form of huge databases of logs, malware signatures, and other indicators of compromise. Yet most IT groups fail to take advantage of the full range of information sources available to them.
This chapter provides an overview of cyber threat information types grouped into three categories, as shown in Figure 3-1. We also discuss where the information can be obtained.
Categories of threat information
Level 1: Threat Indicators
entity that indicates the possibility of an attack or compromise
have been associated with attacks.

File hashes and reputation data
worm, Trojan, rootkit, keylogger, or other type of malicious
algorithm, most frequently MD5 or SHA-1, which creates
15901ddbccc5e9e0579fc5b42f754fe8.
Domain, IP address, and URL reputations are risk ratings of computers and web pages on the Internet. High risk scores are assigned to websites and systems associated with:
- Malware and spyware
- Spam
- Phishing and other frauds
- P2P networking and anonymous proxy tools
- servers that manage botnets
Reputation scores can also be assigned to computers and websites that have been compromised, even if they are not completely under the control of a malicious actor.
CAUTION Most indicators are merely that – indicators. Some can be regarded as proof of malicious activity, say the hash of the
by hackers. Many others, however, indicate only the possibility of an attack. For example, hackers might plant disguised
infected.
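To make the hash indicators and the CAUTION above concrete, here is an added example (written for this edition of the text, not code from the guide's authors or from any vendor feed). It computes the MD5, SHA-1 and SHA-256 digests of a sample, matches them against a small indicator set, and treats a match as an indicator rather than as proof: only a high-risk match is grounds to block, anything lower goes to an analyst. The sample bytes, the indicator entries, their risk scores and the block threshold are all constructed placeholders.

```python
"""Hash a file sample and match it against threat indicators (constructed data)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# MD5 and SHA-1 are the digests feeds most often key on; SHA-256 is included as well.
HASH_ALGORITHMS = ("md5", "sha1", "sha256")


@dataclass(frozen=True)
class HashIndicator:
    algorithm: str   # "md5", "sha1" or "sha256"
    digest: str      # lowercase hex digest
    label: str       # what the feed says the hash identifies
    risk: int        # reputation-style score, 0 (benign) .. 100 (known malicious)


def hash_sample(data: bytes) -> dict[str, str]:
    """Return {algorithm: hex digest} for every algorithm a feed might key on."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HASH_ALGORITHMS}


def lookup(hashes: dict[str, str], indicators: list[HashIndicator]) -> list[HashIndicator]:
    """Return every indicator whose (algorithm, digest) pair matches the sample."""
    index = {(i.algorithm, i.digest): i for i in indicators}
    return [index[(alg, hx)] for alg, hx in hashes.items() if (alg, hx) in index]


def assess(data: bytes, indicators: list[HashIndicator],
           block_at: int = 70) -> tuple[str, list[HashIndicator]]:
    """Classify a sample. A match is an indicator, not proof: only a high-risk
    match is treated as grounds to block; lower scores are routed to an analyst.
    The 70-point threshold is an assumption for this example."""
    matches = lookup(hash_sample(data), indicators)
    if not matches:
        return "no indicator match", matches
    if max(m.risk for m in matches) >= block_at:
        return "block and escalate", matches
    return "investigate: indicator only", matches


# --- Constructed sample data (not real malware, not real feed entries) ---
KNOWN_BAD = b"constructed sample A: stands in for a trojan dropper\n"
DUAL_USE = b"constructed sample B: stands in for a legitimate admin tool seen in attacks\n"

INDICATORS = [
    # Hash of a sample the feed marks as malicious: high confidence.
    HashIndicator("md5", hashlib.md5(KNOWN_BAD).hexdigest(), "constructed trojan dropper", 95),
    # Hash of a dual-use tool: seen in attacks, but a match only indicates the
    # possibility of an attack, so the feed gives it a low score.
    HashIndicator("sha1", hashlib.sha1(DUAL_USE).hexdigest(), "constructed dual-use admin tool", 35),
]

if __name__ == "__main__":
    for name, sample in (("A", KNOWN_BAD), ("B", DUAL_USE), ("C", b"unrelated bytes")):
        verdict, hits = assess(sample, INDICATORS)
        print(name, verdict, [h.label for h in hits])
```

Running the block prints one verdict per sample: A is blocked, B is queued for investigation, and C matches nothing.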

Technical sources: honeypots and scanners
Finding malware
They do this by creating networks of , computers that simulate the activities of web servers, email servers, and
by corporate systems and users during the course of normal operations.
program instructions and text strings associated with mal-
researchers create a signature.

Determining domain and IP address reputations
Researchers extract URLs from web pages and emails collected by honeypots. They investigate to see if the source domains and websites appear to be under the control of threat actors, or have been compromised by malware.
They also analyze emails found by the honeypots to see if they contain indicators of spam, phishing attacks, or fraud. Clues include irregularities in the email header, certain keywords and phrases, and links to known spam and phishing sites.
web” and test accessible servers for signs of compromise and malicious activities.
The researchers use the results of these analyses to assign reputation or risk scores to domains, IP addresses, and URLs.

Industry sources: malware and reputation feeds
Very few enterprises have the resources to maintain their own threat research groups. Instead, they obtain malware signatures and domain reputation data from a variety of sources, including:
- Cybersecurity vendors, including antivirus vendors and domain reputation services
- Independent cybersecurity labs and researchers
- Open source cybersecurity projects, malware and
providers
- Government and industry groups that share threat data
Some cybersecurity vendors and cyber threat intelligence
makes it easier for individual enterprises to obtain a very wide range of data from one signature and reputation feed.
ON THE WEB For lists of malware, connect to StopBadware at: https://www.stopbadware.org/clearinghouse or to WildList at: http://www.wildlist.org/CurrentList.txt
For a variety of domain and URL blacklists, connect to the Spamhaus project at: https://www.spamhaus.org/ or to OpenBL.org at: http://www.openbl.org/lists.html

Level 2: Threat Data Feeds
Threat data feeds provide information that correlates and analyzes threat indicators. They help security teams identify patterns associated with attacks. We also include in this
Cyber threat statistics, reports, and surveys
Statistics, reports, and surveys help security teams focus on the most prevalent attacks and alert them to emerging threats.

Statistics
Industry organizations and cybersecurity vendors provide statistics on malware, spam, botnets, and other elements of cyberattacks.
ON THE WEB For statistics on malware, try the website of your antivirus vendor, or connect to AV-TEST Institute at: http://www.av-test.org/en/statistics/malware/
For statistics on spam, connect to AV-TEST Institute at: http://www.av-test.org/en/statistics/spam/
For statistics on phishing, connect to the Anti-Phishing Working Group at: http://apwg.org/resources/apwg-reports/
reports on various aspects of cyber threats and cybersecurity. These reports typically include:
- Analysis from experts
Survey data can be useful because it gives a picture of the experiences, successes, and failures of IT organizations in responding to threats, and because it can be used to benchmark an individual organization.
ON THE WEB
ents analysis of many common threats, and statistics on how
connect to: http://www.verizonenterprise.com/DBIR/
The Ponemon Institute reports provide invaluable data on the cost of data breaches. To obtain copies, connect to: http://www.ponemon.org/library/
Other useful reports include the Microsoft Security
TIP Don’t miss our survey of over 800 IT security decision makers and practitioners, which provides a 360-degree view of organizations’ security threats, current defenses, and planned investments. For the CyberEdge Group Cyber Threat Defense Report, connect to: http://www.cyber-edge.com/2015-cdr
CAUTION Surveys are useful, but sometimes they need to be taken with
Malware analysis
Malware analysis provides valuable insights into the behavior of malware samples and the intentions of the attackers behind them.
The most-detailed automated malware analysis is provided by dynamic analysis or technology. With sandbox-
environment isolated from the corporate network. The sandboxing product observes and documents all of the actions
- Making unusual entries to the registry
- Disabling antivirus software on the system
- Making callouts to command and control servers
- on the web
- stolen data
The observed behaviors not only show whether the sample is malicious, but also provide evidence about the attacker’s goals and methods.
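The behaviors a sandbox records are only useful once something turns them into a verdict. The following added example (written for this edition, not the authors' code and not the output format of any real sandbox product) scores a constructed behavior report against the kinds of actions listed above: a registry Run-key entry, stopping an antivirus service, a callout to a command and control host, and an upload of data. The service names, the C2 host, the rule weights and the verdict thresholds are all assumptions, and a report with no activity at all is flagged as inconclusive rather than benign, which is the evasion case the CAUTION that follows describes.

```python
"""Score a sandbox behaviour report (constructed events, not a real product's output)."""
from __future__ import annotations

from typing import Iterable

# Constructed reference data; a real sandbox ships its own lists.
AV_SERVICE_NAMES = {"ExampleAVService", "ExampleAVRealtime"}
KNOWN_C2_HOSTS = {"c2.constructed.invalid"}

# Rule key -> (behaviour description, assumed weight).
RULES = {
    "registry_run_key": ("persistence via registry Run key", 30),
    "av_service_stop": ("disabled antivirus software", 40),
    "c2_callout": ("callout to command and control server", 40),
    "download": ("downloaded additional files from the web", 20),
    "upload": ("uploaded data to an external host", 20),
}


def classify_event(event: dict) -> str | None:
    """Map one raw sandbox event onto a rule key, or None if it is uninteresting."""
    kind = event.get("type")
    if kind == "registry_write" and "\\CurrentVersion\\Run" in event.get("key", ""):
        return "registry_run_key"
    if kind == "service_stop" and event.get("name") in AV_SERVICE_NAMES:
        return "av_service_stop"
    if kind == "net_connect" and event.get("host") in KNOWN_C2_HOSTS:
        return "c2_callout"
    if kind == "net_download":
        return "download"
    if kind == "net_upload" and event.get("bytes", 0) > 0:
        return "upload"
    return None


def score_report(events: Iterable[dict]) -> dict:
    """Turn a list of observed events into a verdict, a score and the behaviours seen.
    An empty event list is reported as inconclusive: a sample that does nothing in
    the sandbox may simply have detected the sandbox."""
    events = list(events)
    if not events:
        return {"verdict": "inconclusive: no activity observed (possible sandbox evasion)",
                "score": 0, "behaviours": []}
    behaviours, score = [], 0
    for ev in events:
        rule = classify_event(ev)
        if rule:
            desc, weight = RULES[rule]
            behaviours.append(desc)
            score += weight
    if score >= 60:
        verdict = "malicious"
    elif score > 0:
        verdict = "suspicious"
    else:
        verdict = "no malicious behaviour observed"
    return {"verdict": verdict, "score": score, "behaviours": behaviours}


# Constructed report for one sample: one benign file write plus four hostile actions.
SAMPLE_REPORT = [
    {"type": "file_write", "path": "C:\\Users\\user\\Documents\\notes.txt"},
    {"type": "registry_write", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"type": "service_stop", "name": "ExampleAVService"},
    {"type": "net_connect", "host": "c2.constructed.invalid", "port": 443},
    {"type": "net_upload", "host": "c2.constructed.invalid", "bytes": 20480},
]

if __name__ == "__main__":
    print(score_report(SAMPLE_REPORT))
    print(score_report([]))
```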
CAUTION You can’t rely entirely on sandboxing to identify unknown
boxing technologies by executing only if they detect human activities such as mouse clicks, or by verifying that they are on a standalone desktop or server and not in a virtual environ-
Threat Intelligence
Strategic cyber threat intelligence is information about the
they pose in the immediate future.

Monitoring the underground
The cybercriminals, cyber espionage agents, and hacktivists we have been discussing have developed an entire underground universe where participants:
- Exchange ideas about targets, tactics, tools, and other facets of cybercrime, cyber espionage, and hacktivism
- Share expertise on creating and using malware, exploits, spear phishing campaigns, DDoS attacks, and other malicious tools and techniques
- Plan and coordinate ideologically and politically inspired attacks and campaigns
- Buy and sell exploit kits, weaponized exploits, obfuscation and evasion tools, and other cyber attack tools
- Provide services to other threat actors, ranging
- Buy and sell digital assets, including credit card and Social Security numbers, personal information, and login credentials
The media for these exchanges include online forums, email, instant messaging platforms, social media, and even full-featured online stores.
While most of these venues are open to the public, some of the most important operate on an invitation-only basis and are very hard to crack for outsiders.
TIP If you want to visit these sites, brush up on your language skills. According to the RAND Corporation, the majority of underground forums conduct business in languages other than English, such as Russian, Ukrainian, Mandarin, German, and Vietnamese. Also, the most sophisticated groups practice
to build a cover identity and gain access.
ON THE WEB For an eye-opening report on the extent of the cybercrime underground, download a copy of the RAND Corporation study, Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar, at: http://www.rand.org/pubs/research_reports/RR610.html

Motivation and intentions
Researchers can collect a wide variety of information in this online underground, starting with motivation and intentions. Motivation and intentions provide evidence of which adversaries are likely to attack your industry and your enterprise, and which of your assets they are most likely to target.
The motive of cybercriminals is usually obvious: to make a
industry.
Competitors and cyber espionage agents exhibit a wider variety of motivations and intentions. These include stealing product designs, intellectual property, and business plans, uncovering the details of bids and proposals, and obtaining political and defense-related intelligence.
Hacktivists display the widest range of motivations, from impressing friends, to advancing a cause such as environmentalism, to discrediting individuals or companies with opposing views, to harassing opponents of a government. They may even aim to shut down part of an economy or national infra-
equally varied, including stealing information that can prove embarrassing, defacing or disabling websites, taking over social media accounts, and shutting down crucial services.
Monitoring underground forums can also produce information on threat actors’ immediate plans. Some hacktivists announce their upcoming actions online, either to promote their ideology or to coordinate the activities of like-minded individuals and groups.
Although cybercriminals and cyber espionage agents are more secretive than hacktivists, sometimes it is possible to anticipate their actions by looking at information they share. Also, analyzing the malware and services they trade in underground marketplaces can disclose their intentions, targets, and techniques—provided you are able to penetrate their forums.

Tactics, techniques, and procedures
Foreknowledge about adversaries’ tactics, techniques, and
enterprises learn what to look for to detect attacks, it guides
processes.
Researchers can often deduce a great deal about adversaries’ TTPs by watching their activities on the web. Valuable evidence includes:
- Discussions of plans and tactics on forums and social media sites
- Exchanges of information about new exploits and tools being developed
- Purchases of tools and services
- Sale of credit card numbers, personal information, and other digital assets
Now that we have looked at the kinds of cyber threat information that researchers can collect, we turn our attention to how they convert that information into useful intelligence.
Threat Intelligence
Information by itself has limited value. Actionable intel-
This chapter looks at what is involved in converting information into actionable cyber threat intelligence.
Requirements for actionable intelligence
Information versus Intelligence
At the time they are collected, most threat indicators are:
- Unvalidated and not prioritized
- Isolated and without context
- Generic, in the sense of not being associated with any particular type of enterprise
Relying on this kind of information creates serious issues:
overwhelmed by alerts and unable to identify the
in Chapter 1, where only 19 percent of alerts were
campaigns without laborious, time-consuming research.
Intelligence is information that has been validated and priori-
ers within the enterprise.
DON’T FORGET One of the key goals of cyber threat intelligence is to reduce the amount of time wasted chasing low-level threats, attacks aimed at companies in other industries, and exploits targeting applications and systems not present in your enterprise.

Validation and Prioritization
Validation and prioritization are important because a high percentage of threat indicators are redundant, out of date, or related to threats such as spam and spyware that are typically a very low priority for enterprise security.
In addition, security groups want to give priority to the threats that are most relevant to their own industry, location, applica-
Risk scores
One method of providing validation and adding context to threat indicators is to attach risk scores. Risk scores can be used by SIEMs and other automated tools to classify and rank alerts, and by human analysts to make faster decisions about which indicators are important.
Risk scores can be created by:
tor been associated with attacks on our kind of
threat, and what is the potential impact on our
Tags for context
Both automated systems and human analysts can use context to determine if an indicator is an isolated event or part of a complex attack. Context can be provided by adding threat and technical tags to indicators. For example:
nature associated with an attack on ATM systems.
associated with spear phishing attacks on companies in that region.
tors associated with the Citadel credential theft malware family.
With these tags added, a bank’s SIEM could be programmed
manufacturing company with subsidiaries in Poland and Hungary could give high priority to indicators with the
mation on the cybercriminal groups and attack campaigns associated with that malware family.
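The risk scores and tags described in the two sections above come together when an enterprise ranks a feed against its own profile. The following added example (written for this edition; it is not the authors' code nor any SIEM's rule syntax) carries indicators with a feed-supplied risk score plus threat and region tags, and scores them for two profiles: a bank, which should see the ATM-tagged indicator first, and a manufacturer with subsidiaries in Poland and Hungary, which should see the Eastern Europe spear-phishing indicator first. A technical tag naming the Citadel family is resolved against a one-entry knowledge base stub. All indicator values, tag names, bonus weights and band thresholds are constructed assumptions.

```python
"""Tag-based prioritization of threat indicators for one enterprise (constructed data)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str                 # "hash", "domain" or "ip"
    base_risk: int            # feed-supplied risk score, 0..100
    threat_tags: frozenset    # threat tags: what the indicator is associated with
    region_tags: frozenset    # where the associated attacks have been seen


@dataclass(frozen=True)
class EnterpriseProfile:
    industry_tags: frozenset  # e.g. {"banking", "atm"}
    region_tags: frozenset    # e.g. {"eastern-europe"}


# Assumed weights: how much a tag match raises priority over the feed's own score.
INDUSTRY_BONUS = 25
REGION_BONUS = 15


def relevance(ind: Indicator, profile: EnterpriseProfile) -> int:
    """Combine the feed's risk score with tags matched against the enterprise profile."""
    score = ind.base_risk
    if ind.threat_tags & profile.industry_tags:
        score += INDUSTRY_BONUS
    if ind.region_tags & profile.region_tags:
        score += REGION_BONUS
    return min(score, 100)


def band(score: int) -> str:
    """Priority band a SIEM rule could key on (thresholds are assumptions)."""
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def prioritize(indicators, profile) -> list[tuple[str, int, str]]:
    """Return (indicator value, relevance score, band), highest relevance first."""
    scored = []
    for ind in indicators:
        score = relevance(ind, profile)
        scored.append((ind.value, score, band(score)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Knowledge base stub: a technical tag naming a malware family resolves to what the
# enterprise knows about it. A real platform returns group and campaign reports here.
FAMILY_NOTES = {"citadel": "Citadel credential theft malware family"}


def context(ind: Indicator) -> list[str]:
    return [FAMILY_NOTES[t] for t in sorted(ind.threat_tags) if t in FAMILY_NOTES]


# Constructed indicators; 192.0.2.10 is from the documentation address range.
INDICATORS = [
    Indicator("hash-constructed-1", "hash", 60, frozenset({"atm", "citadel"}), frozenset()),
    Indicator("constructed-domain.example", "domain", 55, frozenset({"spear-phishing"}),
              frozenset({"eastern-europe"})),
    Indicator("192.0.2.10", "ip", 20, frozenset({"spam"}), frozenset()),
]
BANK = EnterpriseProfile(frozenset({"banking", "atm"}), frozenset({"north-america"}))
# Manufacturer with subsidiaries in Poland and Hungary.
MANUFACTURER = EnterpriseProfile(frozenset({"manufacturing"}), frozenset({"eastern-europe"}))

if __name__ == "__main__":
    print("bank:", prioritize(INDICATORS, BANK))
    print("manufacturer:", prioritize(INDICATORS, MANUFACTURER))
    print("context:", context(INDICATORS[0]))
```

The same three indicators land in different bands for the two profiles, which is the point of tagging: the feed's score is shared, the priority is local.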
Human assessment
Sometimes there is no substitute for risk assessments by experienced threat analysts. Figure 4-2 shows two examples from a media highlights service. This service comments on threat
the second, the threat is important enough to warrant immediate action.
Analyst evaluations of media reports about threats
ON THE WEB
the iSIGHT Partners blog at: http://www.isightpartners.com/blog/.
Let’s look at how interpretation and analysis can convert threat information into actionable cyber threat intelligence.

Reports
teams, forensics analysts, and anti-fraud groups with detailed
TECH TALK The content of threat analysis reports typically includes:
- History of the attack and where it has been observed
- Motives and intentions of the attackers
- A description of typical victims and targets according to industry, location, vulnerabilities, and other factors
- An assessment of the impact of the attack and the
- A breakdown of the tactics used in the attack, such as reconnaissance steps, phishing and social engineering campaigns, type of malware used, systems compromised, command and control techniques,
- Similarities to other threats
- Descriptions of indicators and events that can be used to identify the attack
- Descriptions of mitigation options and actions that can be taken to protect against the attack
- The outlook for future appearances of the attack
ON THE WEB You can see examples of threat analysis reports at: http://info.isightpartners.com/the-citadel-banking-malware and http://info.isightpartners.com/newscaster-iranian-threat-within-social-networks
Threat landscapes
threats facing an enterprise. Typical content includes:
- A review of the business risks facing the enterprise
prise and similar organizations
- An overview of the adversaries most likely to target the enterprise, including their motivations, intentions, tactics, techniques, and procedures
- A ranking of security priorities
Analyst skills
Of course, information doesn’t magically convert itself into intelligence. The quality of analysis depends on the skills and experience of the people producing it. The individuals who interpret and analyze threat information need:
- Technical expertise in how malware operates
- Knowledge of how cybercriminals and hackers construct and execute campaigns
- Experience with cybersecurity technologies
- Intelligence skills on how to uncover and interpret information about threat actors
- Analytic and critical thinking skills to produce recommendations that are relevant and actionable
People with diverse language skills and cultural backgrounds are also valuable. Many hacker forums use languages other
outsiders to interpret.
Communications skills are also important. At least some members of the cyber threat intelligence team need to be able
sumers, including non-technical executives.
Intelligence platform
Threat analysis requires correlating many pieces of information to detect patterns and uncover attacks. Analysts can ben-
Key elements of such a platform include:
- A knowledge base to store threat information
- Automated tools and threat feeds to collect and process human and technical threat data
- Analytical tools to correlate information
- Publishing tools to automate the creation and
Customization
Customization should be built into the cyber threat intelligence process at two levels.
Customization for the enterprise
Out of the mass of threat information available, an intelligence
circumstances of the enterprise. These circumstances include its industry, location, size, regulatory and political environments, business risks, methods of interacting with customers, software applications, and use of mobile technologies and cloud resources.
Customization for the consumer
The intelligence analyst also needs to tailor information and analysis to each type of consumer, including tactical groups who want basic information to make decisions quickly, IR and forensics teams who want as much information as possible to help them identify and assess attacks, and IT managers who prefer summaries.
DON’T FORGET Often the same information should be reformatted and sum-
points they need.


Dissemination
often and in what form they receive cyber threat intelligence. Honoring those preferences can be critical for ensuring that
Automated feeds and APIs
We have mentioned situations where threat intelligence can be acquired from or shared with SIEMs, antimalware
and the threat intelligence platform or database with automated feeds and .
Searchable knowledge base
Cyber threat intelligence is cumulative. An indicator or clue received today often needs to be checked against information and events going back months or years. Enterprises need a searchable knowledge base to store historical threat data.
Tailored reports
Most human consumers prefer to receive threat intelligence in structured reports. The length, level of detail, and focus of the reports will vary depending on the responsibilities of the readers. Frequency is also important: some users will want a constant, up-to-the-minute stream of information, while others might prefer a daily summary. Management types might be most receptive to highly summarized information or reports at monthly or quarterly intervals.
It is important to determine these preferences and needs as
TIP Consider how intelligence consumers in your organization might want to receive data. Would they read email summaries or a newsletter? Would it help to push out urgent facts as text messages, or use a Twitter account?
Intelligence
So far, we have described how to develop cyber threat intelligence requirements and how to collect, analyze, and disseminate intelligence.
how intelligence helps IT professionals do their jobs better.
To do that we return to the framework introduced in Chapter 1, which looks at the uses of cyber threat intelligence at the tactical, operational, and strategic levels.
IT Operations: Blocking, Patching, and Triage
At the tactical level, cyber threat intelligence improves the
groups prioritize their patching activities, and allows security
decide which alerts require action.
Network operations: improve blocking
- Gateway antimalware products
- Intrusion detection and intrusion prevention
close unneeded ports so they can’t be used for reconnaissance
be controlled by threat actors.
However, when the quality of threat indicators is poor, the
Cyber threat intelligence, by validating threat indicators such as malware signatures and domain reputations, can reduce
TIP
complex attacks. Details about malicious tools and tactics can
lar systems.
IT infrastructure groups: prioritize patching
Patch management is a major task for groups that manage servers, endpoints, and network and security devices. Patching is a very time-consuming process. Infrastructure
ate/low” ratings issued by antivirus vendors are not reliable
ON THE WEB
Database at: https://nvd.nist.gov/home.cfm
Cyber threat intelligence helps infrastructure groups prioritize patches based on rich information about vulnerabilities. That information can include technical descriptions of vulner-
whether exploit tools are currently available in the wild.
In fact, researchers with strong cyber threat intelligence
where threat actors reveal the vulnerabilities they intend to exploit, the techniques they are using to create exploits, and
By using this intelligence to improve patching priorities, infrastructure groups can close the window on immediate threats faster and spend less time on vulnerabilities that are low priority or irrelevant to their organization.
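To show how intelligence changes a patch queue, here is an added example (written for this edition, not the authors' code and not tied to any vulnerability scanner). It starts from the vendor's severity rating, adds weight when exploit tools are reported in the wild or threat actors are discussing the flaw, adds weight when the affected asset is internet-facing, and drops vulnerabilities in products the enterprise does not run at all. The vulnerability identifiers are placeholders rather than real CVE numbers, and the product names, inventory and weights are constructed assumptions. A "moderate" flaw with a circulating exploit ends up ahead of a "critical" one without, which is the reordering the text describes.

```python
"""Patch prioritization combining vendor severity with threat intelligence (constructed data)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str               # placeholder identifier, not a real CVE number
    product: str               # affected product, matched against the inventory
    vendor_rating: str         # "critical", "high", "moderate" or "low"
    exploit_in_wild: bool      # intelligence: exploit tools currently available in the wild
    underground_chatter: bool  # intelligence: threat actors discussing the flaw


@dataclass(frozen=True)
class Asset:
    product: str
    internet_facing: bool


# Assumed weights. The vendor rating is only the starting point; exploit availability
# and exposure move an item up, and absence from the inventory removes it.
RATING_WEIGHT = {"critical": 40, "high": 30, "moderate": 20, "low": 10}
EXPLOIT_WEIGHT = 35
CHATTER_WEIGHT = 15
EXPOSURE_WEIGHT = 20


def prioritize_patches(vulns, inventory) -> list[tuple[str, int]]:
    """Return (vuln_id, score) for vulnerabilities in installed software, highest first.
    Vulnerabilities in products the enterprise does not run are dropped entirely."""
    installed = {a.product: a for a in inventory}
    ranked = []
    for v in vulns:
        asset = installed.get(v.product)
        if asset is None:
            continue  # irrelevant to this organization: no time spent on it
        score = RATING_WEIGHT[v.vendor_rating]
        if v.exploit_in_wild:
            score += EXPLOIT_WEIGHT
        if v.underground_chatter:
            score += CHATTER_WEIGHT
        if asset.internet_facing:
            score += EXPOSURE_WEIGHT
        ranked.append((v.vuln_id, score))
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Constructed feed and inventory.
VULNS = [
    Vulnerability("VULN-EXAMPLE-1", "webapp-framework", "moderate", True, True),
    Vulnerability("VULN-EXAMPLE-2", "office-suite", "critical", False, False),
    Vulnerability("VULN-EXAMPLE-3", "cms-not-installed", "critical", True, True),
]
INVENTORY = [Asset("webapp-framework", True), Asset("office-suite", False)]

if __name__ == "__main__":
    for vuln_id, score in prioritize_patches(VULNS, INVENTORY):
        print(vuln_id, score)
```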
SOC: triage for alerts
In many enterprises the SOC analysts review SIEM alerts and divide them into categories such as:
team
- Investigate when time permits
- Ignore
most enterprises generate far more alerts than the SOC and IR teams can investigate.
Cyber threat intelligence can enhance event prioritization and situational awareness in two ways:
- By attaching risk scores or tags to threat indicators
priority
- By allowing the SIEM or the analyst to query the threat intelligence knowledge base and correlate alerts with additional context about attacks
to send a query to the intelligence knowledge base to automatically return contextual information about the malware. This information might include the adversary behind the attack and whether the malware has been used to target other manufacturers.
TIP
related threat information, you will automate some of the most time-consuming tasks required of SOC analysts. These capabilities enable analysts to quickly and accurately determine which alerts to escalate, and to be more productive in managing threat indicators.
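The triage described above, as an added example (written for this edition; it is not the authors' code and not any SIEM's query language): each alert is looked up in a knowledge base that returns the campaign, the adversary, the industries it targets and a risk score, and is sorted into the three categories the section lists. The batch step then does what context is for: alerts whose indicators belong to the same campaign but were raised on different hosts are all escalated, since they are parts of one attack rather than isolated events. The knowledge-base entries, adversary and campaign names, hosts, indicator values and thresholds are constructed placeholders.

```python
"""SOC alert triage against a threat intelligence knowledge base (constructed data)."""
from __future__ import annotations

from collections import defaultdict

# Constructed knowledge base keyed by indicator value. Adversary and campaign
# names are placeholders, not real groups or operations.
KNOWLEDGE_BASE = {
    "hash-constructed-A": {"campaign": "campaign-X", "adversary": "adversary-A (placeholder)",
                           "targets": {"manufacturing"}, "risk": 65},
    "c2.constructed.invalid": {"campaign": "campaign-X", "adversary": "adversary-A (placeholder)",
                               "targets": {"manufacturing", "energy"}, "risk": 80},
    "hash-constructed-B": {"campaign": "campaign-Y", "adversary": "adversary-B (placeholder)",
                           "targets": {"retail"}, "risk": 50},
}

ESCALATE = "Escalate to the IR team"
INVESTIGATE = "Investigate when time permits"
IGNORE = "Ignore"


def triage_one(alert: dict, industry: str, kb=KNOWLEDGE_BASE, escalate_at: int = 70) -> str:
    """Categorize one alert from its knowledge-base context (assumed rules).
    Escalate when the indicator's risk is high or its campaign targets our industry;
    with no context at all, only a low-risk alert is ignored outright."""
    ctx = kb.get(alert["indicator"])
    if ctx is None:
        return IGNORE if alert.get("risk", 0) < 30 else INVESTIGATE
    if ctx["risk"] >= escalate_at or industry in ctx["targets"]:
        return ESCALATE
    return INVESTIGATE


def triage(alerts: list[dict], industry: str, kb=KNOWLEDGE_BASE) -> dict:
    """Triage a batch and correlate it: alerts sharing a campaign across more than one
    host are all escalated, because the context shows they are one multi-part attack."""
    categories = {a["id"]: triage_one(a, industry, kb) for a in alerts}
    hosts_by_campaign = defaultdict(set)
    for a in alerts:
        ctx = kb.get(a["indicator"])
        if ctx:
            hosts_by_campaign[ctx["campaign"]].add(a["host"])
    multi_host = {c for c, hosts in hosts_by_campaign.items() if len(hosts) > 1}
    for a in alerts:
        ctx = kb.get(a["indicator"])
        if ctx and ctx["campaign"] in multi_host:
            categories[a["id"]] = ESCALATE
    return {"categories": categories,
            "campaigns": {c: sorted(hosts_by_campaign[c]) for c in multi_host}}


# Constructed SIEM alerts; hosts and indicator values are placeholders
# (198.51.100.7 is from the documentation address range).
ALERTS = [
    {"id": 1, "host": "ws-01", "indicator": "hash-constructed-A", "risk": 65},
    {"id": 2, "host": "ws-07", "indicator": "c2.constructed.invalid", "risk": 80},
    {"id": 3, "host": "srv-02", "indicator": "198.51.100.7", "risk": 15},
    {"id": 4, "host": "ws-03", "indicator": "hash-constructed-B", "risk": 50},
]

if __name__ == "__main__":
    print(triage(ALERTS, "manufacturing"))
```

For a manufacturer, alerts 1 and 2 are escalated (campaign-X targets manufacturing and is seen on two hosts), alert 4 waits, and alert 3 is ignored; for a retailer, alert 4 is escalated on its own merits and alert 1 is escalated only because of the cross-host correlation.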
Incident Response: Fast Reaction and Remediation
At the operational level, cyber threat intelligence helps IR teams, as well as forensics, security analysis, and fraud detection groups, analyze complex attacks more quickly and more thoroughly.
Accelerating attack analysis
When an attack is detected, the IR team needs to answer questions such as:
- Who is behind the attack?
- What tactics are they using in their campaign?
- What information assets are they targeting?
- How far has the attack progressed, what systems have been compromised, and what data has been accessed?
- What steps can halt the attack, and then remediate
that triggered the initial alarm. Often this is no more than a single malware sample, or a link to a known command and
pieces together by searching through emails, application logs,
other disparate data sources.
DON’T FORGET
trate data and perform other hostile acts.
Cyber threat intelligence can accelerate incident response by providing rich context around an initial indicator. The intelligence knowledge base can quickly answer questions about
and where it has been observed in the past.
The IR team can also query the intelligence knowledge base for more information, such as which adversaries have used this technique, what those adversaries target, and which infrastructure and tools they use. This information allows the IR team to
related detail they need.
TIP Rich context not only accelerates incident response, it also enables IR teams to detect attacks they might otherwise miss completely. That’s because context helps analysts recognize that seemingly isolated events are actually part of a multi-part campaign.
of data.
Assisting investigation and remediation
Cyber threat intelligence can also help security teams uncover
the damage.
To increase their odds of success, adversaries often conduct campaigns that use multiple tools and techniques. The IR team can use knowledge of these tactics to hunt for additional breaches these adversaries might have engineered.
DON’T FORGET Intelligence helps with remediation, too. Knowledge of the tools and tactics used in attacks can help the IR and forensics teams determine which systems on the network have been compromised, and how. That insight makes it easier to locate and remove the attacker’s footprints and to set up defenses to protect against the same and similar tactics in the future.
Incident Response Management with the Resilient Incident
Reprinted with permission of Resilient Systems
Management: Strategic Investment and Communications
in the headlines and the many security products touted by vendors, threat intelligence can help identify which ones should be prioritized. Intelligence can also help the CISO and IT managers explain threats in business terms so they can have productive discussions with senior executives and board members.
Investing effectively
Cyber threat intelligence helps IT managers understand challenges such as:
- New adversaries emerging to target enterprises in their industry
- New tactics and techniques exploiting weaknesses in current security defenses
hosted in the cloud, and employee information posted on social networks
This information allows CISOs and IT managers to invest
threats, rather than being forced to react to every headline describing a new data breach.
TIP Deprioritization is useful too. Determining which threats are
sue the threats that are important.
Improving management communication
cybersecurity with executives when they frame issues in terms
Cyber threat intelligence helps IT managers put a face on adversaries and explain their motives in human terms: the political activists who want to embarrass the company, the foreign competitor trying to unearth business plans, or the cybercriminal group trying to make money on stolen Social Security numbers.
The same approach also helps IT managers describe security issues in terms of risks to the business, such as the potential loss of revenue from online sales, the impact on regulatory compliance, or the inability to deploy a new mobile application for the sales force this year.
Report to the CEO, version 1
Report to the CEO, version 2

Implementing an Intelligence Program
This chapter explores eight best practices for implementing a world-class cyber threat intelligence program. Some of
relationships are illustrated in Figure 6-1.
Tasks for implementing cyber threat intelligence
TIP Not all of the best practices described in this section need to
Develop a Strategic Roadmap
A cybersecurity strategic roadmap is a useful tool for the entire IT organization, and an essential one for the cyber threat intelligence program. It aligns threat intelligence requirements and activities with business risks. Let’s take a brief look at some of the key tasks involved in creating a strategic roadmap.
Evaluate assets, adversaries, and defenses
key assets, adversaries, and defenses. Tasks include:
- Enumerating information assets that need to be protected and assessing the impact of losing them.
- Identifying IT systems that are critical to business operations, including business applications, public-facing servers, and infrastructure and operational control systems.
- Identifying likely adversaries and their targets, techniques, tactics, and procedures.
ability to monitor, detect, mitigate, prevent, and remediate targeted attacks from likely adversaries.
Perform a gap analysis
The next step is to perform a gap analysis that highlights which security systems and processes need improvement. It should focus on gaps that might expose high value informa-
illustrates this concept.
A gap analysis helps set priorities
The most important gaps are weak defenses protecting high value assets. Those defenses must be strengthened as soon as possible.
The second priority for improvement is weak defenses protecting low value assets, as well as strong defenses protecting high value assets. These also must be addressed, but not as urgently.
Last on the list are low value assets protected by strong defenses, and assets not targeted by any likely adversary.
Performing a gap analysis is obviously much more complicated than this simple overview suggests, but it is a critical investment for the cyber threat intelligence program. The assessment process gives the organization a sound basis for determining which improvements are most urgent, and also what cyber threat intelligence needs to be collected and analyzed.
TIP The gap analysis may suggest simple but pervasive controls that can mitigate large classes of threats. A good example is removing administrative privileges from users who are likely attack targets. This action can minimize damage from many targeted phishing and malware attacks, because even if the users’ credentials are compromised, they can’t be used to access as many critical systems or databases.

Outline investment priorities
should include a series of recommended improvements with their costs.
An accurate roadmap enables IT managers to conduct productive discussions with executive management and frame
on priorities for the cyber threat intelligence program.
[Figure: a fill-in-the-blanks template for a roadmap item, completed by plugging appropriate terms into the bracketed placeholders. The placeholders that survive are: [proposed improvement], the [security technology or process], [defects], [asset], [likely adversaries] who have, [features, performance, improvements], [$$,$$$], [technical or, and in [costs, revenue losses, fines, loss of competitive advantage].]
Create a Central Knowledge Base
We now turn to some of the operational steps required to

A repository or knowledge base is a critical tool. A lot of the

The information stored should include threat indicators,


malware and attack analysis reports, and investigative reports
about attacks observed in the enterprise. The information
needs to be easily searchable.
Technologies used for the knowledge base could include docu-
ment management and collaboration systems, SharePoint,
databases, and data management tools like Splunk. To get the
most out of threat data, it should be possible to integrate the
knowledge base with SIEMs and other security systems via an
-

TIP If possible, the knowledge base should include several years of history. Analysts need to reconstruct attacks spanning months or even years. In addition, they should be able to check whether indicators observed today appeared previously.
TIP It is usually a good idea to assign at least a part-time administrator or librarian to the knowledge base. The administrator ensures that the knowledge base is updated properly, that data is organized and normalized so it can be found easily when needed, and that permissions are set so the right data is accessible to the right people.
Expand Monitoring
The more security information that is available to security professionals, the easier it is for them to detect and analyze attacks.

Organizations must be able to aggregate and correlate log and security event data from servers, security products, and network devices. Typically SIEMs and security analytics tools are deployed for this purpose.
The security organization should also consider placing security monitoring devices at strategic choke points in the net-

can then use tools such as full-packet capture systems to

reveal attackers attempting to escalate credentials, to commu-

servers.

Monitor external threats


The security organization should also be systematic in monitoring external threats through:

Threat indicator data feeds

events
Detailed reports and contextual threat data about malware and attacks
Monitoring of adversaries on web forums, underground websites, and hacker marketplaces

Enterprises have the option of outsourcing threat information collection and external threat monitoring to cyber threat intel-
Train Staff or Find a Partner
In Chapter 4 we discussed some of the skills and experience required of researchers who collect and analyze cyber threat information. These attributes include extensive technical expertise, knowledge about how attacks are constructed, threat research skills, critical thinking, and a mastery of languages. Not surprisingly, expert cyber threat researchers and

expertise and educating them about how to:

Explore underground and black market websites


Sift clues and correlate data to create coherent pictures of adversaries and their methods
-
ligence consumers

threat intelligence as a service. Chapter 7 outlines criteria for selecting a partner of this kind.

available to analysts immediately as context around a threat

One option we discussed in Chapter 5 is integrating SIEMs with the threat intelligence knowledge base to support the

For example, when a SIEM receives an alert, it might automatically query the knowledge base, which would return basic information about the indicator that triggered the alert, together with tags assigned to that indicator. If one of the tags

alert as high priority.


When a member of the SOC team decides to investigate the

the alert that would help the analyst decide if it should be investigated further, remediated in some way, escalated to the IR team, or ignored. If the alert is escalated, then the context delivered from the intelligence knowledge base could also be forwarded to the IR team.

analysts to query the knowledge base manually each time they

the knowledge base has an API or a
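As an added illustration of the SIEM-to-knowledge-base lookup described above (example code written for this edit, not from the guide or any vendor), the following Python enriches an alert with the tags and context stored for its indicator, raises the priority when a tag on an assumed high-priority list matches, and routes high-priority alerts to the IR queue with their context attached. The knowledge base contents, tag names and indicator values are constructed placeholders.

```python
from datetime import date

# Constructed sample knowledge base: indicator value -> stored record.
# Indicator values are documentation addresses / reserved names, not real IOCs.
KNOWLEDGE_BASE = {
    "203.0.113.45": {
        "type": "ipv4",
        "tags": ["c2", "adversary:ACTOR-PLACEHOLDER", "priority-adversary"],
        "first_seen": date(2013, 11, 2),
        "sightings": [date(2013, 11, 2), date(2014, 3, 18)],
        "reports": ["malware-analysis-PLACEHOLDER"],
    },
    "updates.example.invalid": {
        "type": "domain",
        "tags": ["phishing-landing", "campaign:CAMPAIGN-PLACEHOLDER"],
        "first_seen": date(2015, 1, 9),
        "sightings": [],
        "reports": [],
    },
}

# Assumed tag set that turns an alert into a high-priority one; "priority-adversary"
# stands for a tag the organization attaches to indicators of its likely attackers.
HIGH_PRIORITY_TAGS = {"priority-adversary", "c2"}


def enrich_alert(alert, kb=KNOWLEDGE_BASE, today=date(2015, 6, 1)):
    """Query the knowledge base for the alert's indicator and attach basic
    information, tags, a priority and whether the indicator was seen before."""
    enriched = dict(alert)
    record = kb.get(alert["indicator"])
    if record is None:
        enriched.update(known=False, tags=[], priority="normal",
                        seen_before=False, context=None)
        return enriched
    matched = sorted(HIGH_PRIORITY_TAGS & set(record["tags"]))
    enriched.update(
        known=True,
        tags=list(record["tags"]),
        priority="high" if matched else "normal",
        priority_reason=matched,
        seen_before=any(d < today for d in record["sightings"]),
        days_since_first_seen=(today - record["first_seen"]).days,
        context={"type": record["type"], "reports": record["reports"]},
    )
    return enriched


def route_alert(enriched):
    """SOC disposition: high-priority alerts go to the IR queue together with
    the context the knowledge base returned; known-but-normal ones to SOC review."""
    if enriched["priority"] == "high":
        return {"queue": "IR", "context": enriched["context"], "tags": enriched["tags"]}
    if enriched["known"]:
        return {"queue": "SOC-review", "context": enriched["context"], "tags": enriched["tags"]}
    return {"queue": "SOC-triage", "context": None, "tags": []}
```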

Organize Communications
Some threat intelligence should be delivered through auto-

however, the format and timing of communications can be tailored to the preferences of users. This is particularly true for written analyses and reports. For example:

newly emerging threats and adversaries, delivered as soon as information is available, so they can react immediately to zero-day attacks.
IR and forensics teams need comprehensive analyses of malware and attacks, provided as soon

also be stored in the knowledge base for retrieval

CISOs and IT managers may prefer summary information about malware and attacks, along with statistics and trend data, as well as reports delivered on a weekly or monthly basis.
Executive managers might request quarterly high-level summaries tied to business issues. They might also demand immediate assessments of breaches and security issues when reports appear in the business press. Those help them answer questions from the CEO and members of the board.
DON’T FORGET Someone involved in the cyber threat intelligence program should assess communications preferences and set up appropriate processes to reach all members of the IT organization. Tasks might include maintaining distribution lists for emailing or texting time-sensitive information, sending periodic security updates and newsletters, and ensuring that appropri-

knowledge base.
TIP Remember the employees. They are often the weakest link in the security chain. Figure out how security information can be packaged and delivered to them in ways that encourage good behavior. How about an internal security newsletter, a Twitter account, or a Facebook page?

Most enterprises use cyber threat intelligence only in a reactive fashion to help respond to alerts and analyze attacks after

security teams have taken a more proactive approach.


The basic idea of a hunt mission is to anticipate the most likely threats and aggressively search for indicators that might reveal campaigns and attacks in their earliest stages. This process might involve:

monitoring
Tagging these indicators so that when they are encountered by the SIEMs or security sensors on

Following up immediately by pivoting on the initial indicator and looking for related indicators that

When a threat is detected, the hunt team can:

See if indicators of the same threat can be found in other parts of the enterprise, perhaps where detection may not have been as thorough
Determine whether the same or similar campaigns have been logged in the past
Investigate whether the same adversary who launched the attack has used other tactics and techniques, and search for those.

If any of these conditions are true, the hunt team investigates whether a full attack took place, and if so, determines its

Developing a hunt mission capability requires resources, but it

and to identify successful breaches that were not detected by existing security measures.
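As an added example (written for this edit, not from the guide), the Python below carries out the hunt steps listed above over a constructed knowledge base: it pivots from an initial indicator to related indicators through a relationship graph, then checks a constructed multi-year log history to see which other network segments hold those indicators and whether the same campaign was logged before. Indicator values, relationships and log entries are placeholders.

```python
from collections import deque
from datetime import date

# Constructed relationship graph held in the knowledge base: (indicator, how it is
# linked, related indicator). Values are reserved/documentation names, not real IOCs.
RELATIONS = [
    ("mail.example.invalid", "resolves-to", "203.0.113.45"),
    ("203.0.113.45", "hosts", "sha256:PLACEHOLDER-DROPPER"),
    ("sha256:PLACEHOLDER-DROPPER", "beacons-to", "cdn.example.invalid"),
    ("cdn.example.invalid", "resolves-to", "198.51.100.7"),
    ("unrelated.example.invalid", "resolves-to", "192.0.2.99"),
]

# Constructed log history spanning several years, as the guide recommends:
# (date observed, network segment, host, indicator seen).
LOG_HISTORY = [
    (date(2013, 9, 14), "finance", "fin-ws-07", "203.0.113.45"),
    (date(2014, 2, 3), "engineering", "eng-build-02", "cdn.example.invalid"),
    (date(2015, 6, 1), "sales", "sales-lt-19", "mail.example.invalid"),
    (date(2015, 6, 1), "sales", "sales-lt-19", "192.0.2.99"),
]


def pivot(start, relations=RELATIONS, max_hops=3):
    """Breadth-first walk from one indicator over the relationship graph (edges
    followed in either direction); returns every indicator within max_hops."""
    neighbours = {}
    for a, _, b in relations:
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops:
            continue
        for nxt in neighbours.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return seen - {start}


def hunt(start, detection_date, logs=LOG_HISTORY):
    """Pivot from the initial indicator, then answer the hunt team's questions:
    which other segments and hosts show related indicators, and was the same
    campaign logged before the current detection?"""
    related = pivot(start) | {start}
    hits = [entry for entry in logs if entry[3] in related]
    prior = [d for d, _, _, _ in hits if d < detection_date]
    return {
        "related_indicators": sorted(related - {start}),
        "segments_affected": sorted({seg for _, seg, _, _ in hits}),
        "hosts_affected": sorted({host for _, _, host, _ in hits}),
        "earliest_prior_sighting": min(prior) if prior else None,
    }
```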

static. New adversaries are always emerging and coming up with new tactics and techniques. Technologies and business initiatives are always changing. And as your organization gains experience using cyber threat intelligence, improved techniques and processes will suggest themselves.
To keep up with these changes, repeat on a regular basis the analysis performed when the original strategic roadmap was created. This includes assessing new adversaries and attacks, updating the gap analysis, and revising your cyber threat intelligence requirements.
TIP Develop and track metrics whenever possible. You may be able to quantify the quality of alerts, the number of alerts investigated, and the mean time to complete attack investigations. You can also use interviews, structured surveys, and online forums to collect feedback from intelligence consumers. Have them rate on a scale how easy it is to use the intelligence they are getting, and how much it is helping them do their jobs. Ask them how the information and its delivery could be improved.
Threat Intelligence Partner

Only
agencies, and military organizations have the resources to handle all aspects of cyber threat intelligence internally.

intelligence requires a worldwide network of sensors, a cyber threat research lab, expert researchers and analysts with strong language and communications skills, and a platform to collect and disseminate threat data.
That’s why the vast majority of enterprises engage one or more partners to help with information collection and analysis tasks. But what kinds of partners are available? What is the best approach to selecting the right ones for your enterprise?
elements of cyber threat intelligence. Roughly speaking, they fall into three categories: companies that focus on threat indicators, companies that combine threat indicators with threat data feeds, and companies that provide comprehensive cyber threat intelligence services.

Providers of threat indicators


A wide variety of security technology vendors and open source projects supply indicators, signatures, and screening rules to

cases, the indicators are delivered as raw data; in others, they are accompanied by risk or reputation scores.
CAUTION Threat indicator feeds are critical at the tactical level for maxi-

they don’t provide context for incident response. Unless they are validated, they can waste time by creating false positives and meaningless alerts.

Providers of threat data feeds


A number of technology vendors and security service compa-
-
cators that have been validated and prioritized, plus detailed technical analyses of malware samples, botnets, DDoS attack methods, and other malicious tools. They sometimes add

percentage breakdowns of malware types, and locations of spam attacks and botnets.
CAUTION Threat data feeds help at the tactical and operational levels,

basic context about attackers. However, they rarely provide information about the intentions or tactics of adversaries, or
Providers of comprehensive
cyber threat intelligence
-
ligence: validated threat indicators, threat data feeds, and strategic threat intelligence. The leading companies integrate the three types, for example providing IOCs that have been validated, tagged, and connected to rich context about adversaries. Typical deliverables include:

Validated threat indicators with tags


Detailed technical analyses of attack tools
In-depth research on adversaries, with data collected from underground websites and private sources
Detailed studies of existing and emerging threat actors
Assessments of threat landscapes facing industries and individual enterprises
Assistance developing cyber threat intelligence requirements
-
ences at tactical, operational, and strategic levels.

The rest of this chapter discusses what to avoid and what to seek in selecting a partner to provide comprehensive cyber threat intelligence services.

What to Avoid
If you are looking for a partner to provide comprehensive cyber threat intelligence services, you should avoid:

Security product companies, because their services are almost always designed to support the use of their product, not to optimize overall security

Security services companies with a regional focus, because cyber threat information needs to be collected and assessed on a global basis
CAUTION -
ses. These are useful, but they are not a substitute for intelligence that is collected, analyzed, and disseminated based on

Important Selection Criteria


Every enterprise needs to develop its own list of criteria for evaluating potential cyber threat intelligence partners, but the following seven factors should be included.
TIP

that
discusses criteria for selecting partners, and includes short

Gartner client, you can obtain a copy by contacting iSIGHT Partners at [email protected].

Global and cultural reach


how many of its researchers and analysts are located on each continent.

Historical data and knowledge


Very few cyberattacks are truly original. Most reuse existing malware, infrastructure, and methods in new combinations, or evolve from older techniques. The same adversaries often attack companies in the same industry repeatedly. For these reasons, several years of historical data and expert experience are invaluable for identifying and analyzing the latest attacks. Ask prospective partners when they created their threat knowledge base, and the average tenure of their threat researchers and analysts.
TIP You can also ask a prospective partner how they maintain the knowledge base and weed out obsolete items.
Range of intelligence deliverables
threat intelligence: validated threat indicators, threat data feeds, and strategic threat intelligence. They should deliver indicators with tags that both automated systems and people can use to connect IOCs to rich context about adversaries and attacks. A range of intelligence deliverables should be available with the format, level of detail, and delivery frequency

SOC and IR teams, detailed adversary and threat analyses for

APIs and integrations


We have seen how integrating a cyber threat knowledge base with SIEM and other security products can help you prioritize alerts and automate the addition of context to threat indicators. Find out from prospective partners if they support out-of-the-box integration with your SIEM and security products, and if their information delivery systems have an API for creating customized connectors.

Intelligence platform,
knowledge base, and portal
Infrastructure is a crucial enabler for a cyber threat intel-

Describe its platform for collecting, analyzing, and


-

capabilities of its knowledge base


Let you experiment with the customer portal to see how easy it is to use

Client services
We emphasize throughout this guide that cyber threat intelligence should be customized to provide information tailored to the industry, geography, applications, and regulatory
works with its customers to develop intelligence requirements, to conduct research and perform analysis focused on each organization’s adversaries and risks, and to disseminate information tailored to each type of intelligence consumer.

Access to experts
Find out whether your potential partner gives customers direct access to its experts to answer questions, clarify analy-

ad-hoc analyses, or are there formal processes for collecting, analyzing and disseminating intelligence?

establish credibility with your managers and executives and help justify necessary investments and security initiatives?
DON’T FORGET Always talk to reference customers. There is no better way to

-
tomer service, responsiveness, and willingness to customize deliverables. Find out if your prospective partner has helped clients make maximum use of cyber threat intelligence across tactical, operational, and strategic levels.

cyber threat intelligence partner.


Many enterprises today are stuck in what can be called

on acquiring and implementing the latest security products. A

think strategically about how best to manage risks and invest resources to defeat the most dangerous adversaries.
We contend that only enterprises that have made this transition will be prepared to address the increasingly sophisticated targeted attacks that are destined to emerge over the next few years.
advanced persistent threat (APT): A targeted cyberattack that leverages multiple tactics to gain network access and remain undetected for extended periods.

application programming interface (API): A set of documented commands, functions, and protocols that allow software programs to communicate and share data.

attribution: Linking an attack to a specific threat actor.

command and control (C&C) server: A server operated by a threat actor to provide instructions to bots or to communicate with compromised systems inside the network. Also known as a CnC or C2 server.

cyber threat intelligence: Knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect the critical assets of the enterprise.

distributed denial of service (DDoS) attack: A cyberattack intended to disable a targeted network or host by flooding it with requests from multiple computers.

hacktivist: A threat actor who uses cyberattacks to express political or ideological beliefs or to damage opponents.

honeypot: An Internet-connected computer that simulates the activities of servers or users in order to collect malware files and emails used in attack campaigns.

incident response (IR) team: The team responsible for investigating and analyzing data breaches and other cyberattacks. Also known as a computer incident response team

indicator of compromise (IOC): An artifact or event associated with attacks or data breaches.

mass attack: An attack launched at a large number of potential victims rather than at a specific target.

network operations center (NOC): A facility for monitoring and controlling computer and telecommunications networks.

personally identifiable information (PII): Information that can be used to identify or represent individuals, including names, addresses, and financial and medical records.

pivot: -
ing with an initial indicator of compromise and finding
related indicators and events.

sandboxing: Running an unknown file in an isolated virtual execution environment in order to detect malicious behaviors. A form of dynamic analysis.

security information and event management (SIEM): A system or application that collects and correlates security alerts and events.

security operations center (SOC): A facility for monitoring security alerts and events, initiating investigations, and remediating damage.

signature: A unique identifier of a file or other artifact potentially associated with an attack.

software development kit (SDK): A set of software development libraries and tools that facilitate the integration of an application with other programs.

spear phishing: Phishing campaigns directed at selected individuals within a targeted organization.

tactics, techniques and procedures (TTPs): Patterns of activities and methods associated with specific threat actors or groups of threat actors.

tradecraft: Operational techniques used in intelligence to obtain information from adversaries without detection.