Week10 - TI II

Week 10 Cybersecurity

Uploaded by H.C. Yu

CSIT302 Cybersecurity

Week 10 – Threat Intelligence & Investigating an Incident
Lecturer: Dr Zuoxia Yu
Email: [email protected]
Office: 3.116

1
Overview: Threat Intelligence
• Introduction to threat intelligence
• Open-source tools for threat intelligence
• Microsoft threat intelligence
• Leveraging threat intelligence to investigate suspicious activity

2
Introduction to Threat Intelligence
• Threat intelligence
Ø“Intelligence is knowledge and foreknowledge of the world around us – the prelude
to decision and action…” - US Central Intelligence Agency (CIA)
Ø“Intelligence is information that is received or collected to answer specific questions
on who, what, where, when, how and why…” - UK National Crime Agency (NCA)
Ø“Threat intelligence is threat information that has been aggregated, transformed,
analysed, interpreted, or enriched to provide the necessary context for decision-
making processes.” - NIST SP 800-150
ØIntelligence Collection Disciplines: OSINT, HUMINT, SIGINT, GEOINT and IMINT
• Threat intelligence in other contexts
ØThe term “threat intelligence” comes from the military, where it is mainly based on
HUMINT and SIGINT.
ØIn the context of cybersecurity as well as our subject, threat intelligence refers to
Cyber Threat Intelligence.

3
Introduction to Threat Intelligence
• Cyber threat intelligence
ØApplying threat intelligence to the collected data can produce more meaningful
results and reveal actions that traditional sensors cannot detect.
ØThis enables an organization to take a proactive approach against known and unknown
threats. → Targeted attacks need targeted defense!
• The areas where the information obtained from (cyber) threat intelligence
can be used:
ØProfiling motivations: cybercrime, hacktivism, cyber espionage (more on next page)
ØAnalyzing attacker tactics: attacker methodologies, tools and strategy
ØAnalyzing techniques (of attacks): indicators of specific malware
ØAssessing operations: assessing an organisation's ability to anticipate future
cyber threats

4
Introduction to Threat Intelligence
• Examples of profiling motivation: Detection can be improved by learning
more about the adversaries
ØCybercrime: One of the main motivations is to obtain financial gains.
ØHacktivism: This group has a broader scope of motivation—it can range from an
expression of political preference to just an expression for a particular cause.
ØCyber espionage/state-sponsored: There are a growing number of cyber espionage
cases as a part of bigger state-sponsored campaigns.
• The question to ask: Which of these three types of attacker is most likely to
target our organization?
• Threat intelligence can help scope data based on the adversary.
ØFor example, if we are responsible for the defense of a financial institution, we want
to obtain threat intelligence about adversaries that are actively attacking the financial
industry.
5
Introduction to Threat Intelligence
• Scoping the adversary
ØUsing an intelligence-led approach has long been accepted as best practice in
the realm of conventional security.
ØWithout it, organisations will invariably defend against too little, because they
don’t understand the threats they face, or try to defend against all potential
threats – an unsustainable approach that may also impair the organization’s
ability to operate effectively.
• Cyber threat intelligence ensures that organizations are able to prevent, detect
and respond to realistic, contemporary and accurate attacks.

6
Introduction to Threat Intelligence
• The Bank of England’s CBEST was the first intelligence-led cyber security testing
framework; it ensures that organizations are tested on their ability to use cyber
threat intelligence.
• The CBEST framework ensures that security testers and threat intelligence
providers work together, replicating very real attacks from sophisticated
adversaries.
• The principle has since expanded, both internationally and to other sectors.
These schemes include:
Ø TIBER-NL (Threat Intelligence Based Ethical Red-teaming Netherlands) for the Dutch financial
sector
Ø TBEST for the UK telecoms sector
Ø TIBER-EU for the European financial sector
Ø iCAST (Intelligence-led Cyber Attack Simulation Testing) for Hong Kong’s financial sector
Ø GBEST for UK government departments
Ø ATTEST for the UK aviation industry

7
The levels of cyber threat intelligence
• Cyber threat intelligence can be used in different areas. Each area differs in the
nature and format of the material conveyed, its intended audience and its application.

8
The levels of cyber threat intelligence
• Operational threat intelligence:
ØOperational threat intelligence uses the collection of data and information to
respond to a threat or attack as it is in progress. It is meant to be used
immediately and provides real-time alerts that can help your security team
understand the scope of an attack and defend against it. It is a critical part of
detecting active threats and responding to them quickly, so that your
organization suffers minimal harm.
ØOperational threat intelligence often relates to details of potential impending
operations against an organisation. Although it is not always easy to obtain,
by using an all-source approach an intelligence provider will be able to detect it.
Øe.g., chatter from cyber activists discussing potential targets for an upcoming
campaign, or data leaked or sold on a dark web forum that could be used in
an operation against the company.

9
The levels of cyber threat intelligence
• Technical threat intelligence:
Ø focuses on specific clues or evidence of an attack and creates a base to analyse such attacks,
like scanning for the IoCs of an attack.
• Tactical threat intelligence:
Ø It consists of material relating to the techniques, tactics and procedures (TTPs) used by
threat actors. Indicators of compromise (IOCs) are the main deliverable for tactical threat
intelligence providers.
Ø These are particularly useful for updating signature-based defence systems to defend against
known attack types, but can also prove useful for more proactive measures, such as threat
hunting exercises.
Ø It is therefore particularly useful to network defenders such as Network Operations Centers
(NOCs). CTI (Cyber Threat Intelligence) providers will generally supply IOCs in machine-
readable formats, whereas intelligence on TTPs will be in human-readable formats and will
require human assimilation and action.
• Strategic threat intelligence
Ø exists to inform senior decision makers of broader changes in the threat landscape.

10
The Levels of Cyber Threat Intelligence

[Figure: the levels of cyber threat intelligence, plotted against technical knowledge]

Some References for Levels of TI

1. https://www.crest-approved.org/wp-content/uploads/2022/04/CREST-Cyber-Threat-Intelligence.pdf
2. https://www.wallarm.com/what/threat-intelligence

11
Microsoft Threat Intelligence
• For example, Microsoft consumes threat intelligence through
different channels, such as:
ØThe Microsoft Threat Intelligence Center, which aggregates data from:
ü Honeypots, malicious IP addresses, botnets, and malware detonation feeds
ü Third-party sources (threat intelligence feeds)
ü Human-based observation and intelligence collection
ØIntelligence derived from the consumption of their services
ØIntelligence feeds generated by Microsoft and third parties

12
Open Source Tools for Threat Intelligence
• Various open source tools (for tactical threat intelligence):
ØQuick IP validation: https://fraudguard.io/
ØMalware inspection: https://vms.drweb.com/ (Note that malwr.com in the
textbook is not available.)
ØThreat intelligence exchange: https://otx.alienvault.com/

13
Quick IP Validation
• For instance, test IP “220.227.71.226” on 10/27/2017, the result was

14
Leveraging Threat Intelligence to Investigate
Suspicious Activity
• Challenges of interpreting many security alerts
ØAccording to Microsoft's Lean on the Machine report, an average large
organization has to look through 17,000 malware alerts each week, taking on
average 99 days for an organization to discover a security breach.
ØTeams end up randomly prioritizing, and in some cases even ignoring, future alerts.
• Threat intelligence assisting incident response
ØAlthough the Blue Team works primarily on the defense system, it also collaborates
with the incident response team by providing the right data that can lead
them to the root cause of the issue.

15
Leveraging Threat Intelligence to Investigate
Suspicious Activity
• Alert triage
ØThe process of determining the most important threats that must be escalated.
ØFailing or delaying this process can lead to a domino effect, because if triage
fails at this level, the operation will also fail.
• Alert triage usually happens at the Network Operations Center (NOC).
• Questions to answer at the end of the threat intelligence investigation:
ØWhich systems were compromised?
ØWhere did the attack start?
ØWhich user account was used to start the attack?
ØDid it move laterally?
ü If it did, what were the systems involved in this movement?

16
Leveraging Threat Intelligence to Investigate
Suspicious Activity
ØDid it escalate privilege?
ü If it did, which privileged account was compromised?
ØDid it try to communicate with command and control?
ü If it did, was it successful?
§ If it was, did it download anything from there?
§ If it was, did it send anything there?
ØDid it try to clear evidence?
ü If it did, was it successful?

[Additional Reference in Threat Intelligence section]

What is Cyber Threat Intelligence and how is it used? – CREST, 2022

17
Overview: Investigating an Incident
• Scoping the issue
• On-premises compromised system
• Cloud-based compromised system
• Lessons learned

18
Scoping the Issue
• Scoping in the incident investigation
ØThe process of determining whether a given incident is security-related.
• Reasons for scoping
ØNot every incident is a security-related incident and, for this reason, it is vital
to scope the issue before starting an investigation.
ØSometimes, the symptoms may lead the investigator to initially think they are
security-related, but as the investigator asks more questions and collects more
data, it turns out that the problem was not really related to security.

19
Scoping the Issue
• Scoping example
ØUsers reporting systems running “slow”: Rather than dispatching a security
responder to initiate an investigation, basic performance troubleshooting
should be conducted.
ØDuring this initial scoping stage, it is also important to determine the
frequency of the issue. If the issue is not currently happening, the
investigator may need to configure the environment to collect data when the
user is able to reproduce the problem.
ØMake sure to document all the steps and provide an accurate action plan for
the end user.

20
Key Artifacts
• More data doesn't necessarily mean better investigation.
• Data collection should focus on obtaining just the vital and relevant
artifacts from the target system.
ØToo much data can divert the security team from the root cause of the problem.
• It is important to know the basic information about your system.
• In a Windows system, this information is usually located in registry
keys.
• It can be retrieved with a PowerShell command (e.g., Get-
ItemProperty).

21
Key Artifacts
• Key artifacts in Windows system
ØThe location (time zone) of the machine
ØThe networks the machine visited
ØUSB usage
ØIf there is any malicious software configured to start when Windows starts
• In addition, network traffic and process dumps can be collected if this is a
live investigation.

22
Key Artifacts
• Security events that can be captured:
ØThe audit log was cleared.
ØLogon success or failure.
ØA registry value was modified.
ØAn attempt was made to access an object (e.g. unauthorized access to the file
system): This log can be used to drill down into who performed this change.
ØA new process has been created: Malware and ransomware typically run a
cmd.exe [command], which creates a new process.
ØA scheduled task was enabled or updated.

23
Key Artifacts
• Security events that can be captured:
ØUser account events
ü account enabled, created, or locked out.
ü password reset.
ü remote access denied.
ØPolicies
ü Log policy changed.
ü Domain policy changed.
ü Changes in a security-enabled global (or local) group.
ØA change has been made to the Windows Firewall exception list.

24
Investigating a Compromised System
On-Premises
• Compromised by phishing email
ØThe end user (victim) received the email, whose content enticed the victim to
click the image in it.
ØThe victim tried to download it but couldn’t and only had a glimpse of a
window that quickly opened and disappeared.
ØThen, the victim ignored the email.
• Detection
ØA couple of days later, he received an automated report from IT saying that
he had accessed a suspicious site and should call support to follow up on this
ticket.
ØThe victim submitted the suspicious mail as evidence.

25
Investigating a Compromised System
On-Premises
• Investigation steps
ØThe URL linked in the image was investigated.

[Figure: lookup result for the URL]

This was already a strong indication that this site was malicious.

26
Investigating a Compromised System
On-Premises
ØThe next step is to review the event logs. The meaningful logs are:

[Figure: event log entries with callouts for the tools found]

mimikatz: Used to perform a pass-the-hash attack
PsExec: Used to perform privilege escalation
procdump: Used to dump the credentials

27
Investigating a Compromised System
On-Premises
ØThe meaningful logs are:

[Figure: event log entry showing that the audit log was cleared]

The attacker cleared logs. This hid how the attacker achieved privilege escalation.
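As an added example (not part of the lecture), the following Python script triages constructed Windows Security events against the event types listed on slides 23 and 24 and the tools found in the case on slides 27 and 28. The event IDs are the standard Windows Security log IDs for those event descriptions, assumed here rather than taken from the slides; the sample events are constructed.

```python
"""Triage Windows Security events for the artifacts on slides 23-28 (added example).
Event IDs are the standard Security log IDs for the slides' event descriptions,
assumed from general Windows knowledge; the sample events are constructed."""
from collections import namedtuple

# Slides 23-24: event descriptions -> Windows Security event IDs (assumed).
EVENTS_OF_INTEREST = {
    1102: "The audit log was cleared",
    4624: "Logon success",
    4625: "Logon failure",
    4657: "A registry value was modified",
    4663: "An attempt was made to access an object",
    4688: "A new process has been created",
    4702: "A scheduled task was updated",
    4719: "System audit policy was changed",
    4946: "A rule was added to the Windows Firewall exception list",
}

# Slide 27: tools found in the on-premises case and the role the slide gives them.
SUSPICIOUS_TOOLS = {
    "mimikatz.exe": "pass-the-hash",
    "procdump.exe": "credential dump",
    "psexec.exe": "privilege escalation",
}

Finding = namedtuple("Finding", "time event_id summary")

def triage(events):
    """Return the findings worth an analyst's attention, in log order."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid not in EVENTS_OF_INTEREST:
            continue
        summary = EVENTS_OF_INTEREST[eid]
        if eid == 4688:
            # Only process creations of the known tooling are reported.
            exe = ev.get("NewProcessName", "").lower().rsplit("\\", 1)[-1]
            if exe not in SUSPICIOUS_TOOLS:
                continue
            summary = f"{exe} started ({SUSPICIOUS_TOOLS[exe]})"
        elif eid == 1102:
            # Slide 28: a cleared log hides how escalation was achieved.
            summary += "; earlier evidence on this host may be gone"
        findings.append(Finding(ev["TimeCreated"], eid, summary))
    return findings

# Constructed sample mirroring the case on slides 25-28 (times are HH:MM).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "10:01", "TargetUserName": "victim"},
    {"EventID": 4688, "TimeCreated": "10:02", "NewProcessName": r"C:\Windows\notepad.exe"},
    {"EventID": 4688, "TimeCreated": "10:05", "NewProcessName": r"C:\Temp\pkg\procdump.exe"},
    {"EventID": 4688, "TimeCreated": "10:06", "NewProcessName": r"C:\Temp\pkg\mimikatz.exe"},
    {"EventID": 1102, "TimeCreated": "10:15", "SubjectUserName": "victim"},
]
```

Running `triage(SAMPLE_EVENTS)` reports the logon, the two credential-theft tools and the cleared log, while the ordinary notepad.exe process creation is filtered out.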

28
Investigating a Compromised System On-
Premises
• Summary of the case
ØEverything started with a phishing email.
ØThis email had an embedded image that had a hyperlink to a site that was
compromised.
ØA package was downloaded and extracted on the local system; this package
contained many tools, such as mimikatz, procdump, and psexec.
ØThis computer was not part of the domain, so only local credentials were
compromised.

29
Investigating a Compromised System In a
Hybrid Cloud
• Compromised by phishing email – Cloud version
ØIn this hybrid scenario, the compromised system is located on-premises and
the company has a cloud-based monitoring system.
ØAgain, a user received a phishing email, clicked on the hyperlink, and got
compromised.
ØThe difference now is that there is an active sensor monitoring the system,
which will trigger an alert to SecOps, and the user will be contacted. The users
don't need to wait days to realize they were compromised; the response is
faster and more accurate.
ØIn this example the active sensor is Azure Security Center, and four events
were recorded.

30
Investigating a Compromised System In a
Hybrid Cloud

ØAlthough the antimalware software captured the malware, the attacker kept
going and succeeded as the last three events show.
ØThe last three events are related to the mimikatz process, which is a serious finding.

31
Investigating a Compromised System In a
Hybrid Cloud
ØThe following figure shows the mimikatz process, which was executed.

[Figure: the recorded mimikatz process, with the callout: mimikatz should be run under a high-profile (admin) account]

32
Search and you shall find it
• In a real-world scenario, the amount of data that gets collected by
sensors and monitoring systems can be overwhelming.
ØYou need a security monitoring system that can aggregate all these logs, digest them,
and rationalize the result.
ØYou also need search capabilities to be able to keep digging up more
important information.
ØIt is important to be familiar with the search capabilities of the platform you
are using, and with its commands for further analysis.
ØAlso, the platform should provide efficient visualization and search
interfaces.

33
Lessons Learned
• Every time an incident comes to its closure,
ØEach step that was done during the investigation should be documented.
ØKey aspects of the investigation that need to be either reviewed to improve or
fix should be identified.
• The lessons learned are crucial for the continuous improvement of
the process and to avoid making the same mistakes again.
• The Blue Team should create an extensive report to document the
lessons learned and how they will be used to improve the defense
controls.

34
Lessons Learned
• Lessons learned from the examples: Attacks against users'
credentials are a growing threat, and the solution is not a
silver-bullet product; instead, it is a combination of tasks, such as:
ØReducing the number of administrative-level accounts and eliminating
administrative accounts on local computers. (Regular users shouldn't be
administrators on their own workstation.)
ØUsing multifactor authentication as much as possible. Adjusting the
organization’s security policies to restrict login rights.
ØHaving a plan to periodically reset the Kerberos TGT (KRBTGT) account. This
account's credential is what a golden ticket attack relies on.

35