Threat intelligence basics: crawling, walking, and analysis (Part 2)

Source: Internet
Author: User

This is the second article in the threat intelligence basics trilogy. It discusses the different types of threat intelligence and the basic principles of using them in security operations.

Cooks, tailors, soldiers, and spies: intelligence comes in several types

As described in the previous article, intelligence appears at different operational levels, and enterprises can use different types of intelligence to respond to threats effectively.

Don't laugh: the best explanation of the types of intelligence comes from the CIA Kids' Zone, the CIA's official educational website for students in grades 6 to 12.

It divides intelligence into several types:

Scientific and technical: provides information about adversary technologies and capabilities;

Current (called "dynamic" in this article): follows day-to-day events and their impact;

Warning: watches for emergencies and issues notices;

Estimative: focuses on what may happen;

Research: provides an in-depth study of one event or topic.

Most organizations do not use every type of intelligence at the same time (unless you are the CIA, in which case don't tell me what you did), but it is still necessary to understand the different types and what each provides. Different types require different analysts and different amounts of time. For example, technical intelligence is easy to automate and can be generated at scale, whereas research on threat trends relies heavily on human analysis.


Technical intelligence

In information security operations, technical intelligence describes the capabilities and technologies of the adversary. It includes many details, such as IP and C&C addresses and domain names, malicious file names and hash values, and some TTP details, such as an exploit used against a specific target or a particular callback pattern used to control an implant.

Technical intelligence is most often used in "machine vs. machine" operations, simply because machines need to process as much information as possible and generally do not care about context. As a result, technical intelligence often carries little context: a firewall does not need a stated reason to block a malicious domain name, it just does so. The people on the other end of the firewall may want to know why, however, and a large number of alerts may be triggered. Enterprises must analyze technical intelligence before consuming it; otherwise they only have data or information, not intelligence! For more on this distinction, read Robert Lee's article "Data vs. Information vs. Intelligence".

If you are not generating your own technical intelligence, you must understand where it comes from and how it applies to your analysis, especially automated analysis. At this point I feel like I am standing here alone: generating threat intelligence through "machine-to-machine" automation... Don't tell me I'm wrong. Do some analysis!

Dynamic intelligence

Dynamic intelligence covers the day-to-day events and situations that may require an immediate response. I once heard someone say that "news is not intelligence", which is true. However, once news from the public domain is analyzed against your specific organization, network, or activity, it becomes threat intelligence.

An example of dynamic intelligence is a report that an exploit kit was updated with a new exploit three days ago. Generally, on a 30-day patch cycle, you may be exposed to attacks for the remaining 27 days. Knowing how this threat affects your organization and how to detect and block the malicious activity is dynamic intelligence. Dynamic intelligence can also come from information about your own organization: the analysis of an intrusion or of a phishing attack against executives also generates dynamic intelligence, which must be acted on immediately.

When your network generates dynamic intelligence, record it! The records can later be analyzed for intelligence trends and the threat environment, and the information can be shared with other organizations.

Threat trend (estimation)

All intelligence collected at the tactical level (technical intelligence and dynamic intelligence) can be analyzed to generate threat trends. Establishing a threat trend takes time: you need to analyze patterns over a period to observe how things change or stay the same. Threat trends can be an analysis of a specific threat that repeatedly affects the network, or an analysis of a group or malware family. The more directly a threat trend relates to your own network or organization, the more helpful it is to you.
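The following Python example is added here (it is not from the original article) to make two of the points above concrete: a bare indicator without context is data rather than intelligence and should not be consumed blindly, and tactical sightings recorded over time are what a threat trend is built from. All feed records, domains, actor names and sightings are constructed placeholders, not real indicators.

```python
"""Added example: turning raw technical indicators into consumable
intelligence, and tallying recorded sightings into a threat trend.
Every value below is constructed for illustration; none is a real IOC."""
from collections import Counter, defaultdict
from datetime import date

# Constructed feed records. Only some carry the context a defender needs.
FEED = [
    {"value": "bad.example", "type": "domain"},  # bare data: no source, no why
    {"value": "c2.example", "type": "domain", "source": "vendor-report-A",
     "first_seen": "2014-03-01", "actor": "GroupX", "ttp": "http callback"},
    {"value": "dead.example", "type": "domain", "source": "vendor-report-B",
     "first_seen": "2012-01-01", "actor": "GroupY", "ttp": "dns tunneling"},
]

def to_intelligence(records, today, max_age_days=365):
    """Keep only indicators that answer 'why block this?' and are still
    current. Records lacking context or older than max_age_days are
    rejected with a reason, so the analyst can see what was dropped."""
    needed = {"source", "first_seen", "actor", "ttp"}
    usable, rejected = [], []
    for r in records:
        if not needed.issubset(r):
            rejected.append((r["value"], "missing context"))
            continue
        age_days = (today - date.fromisoformat(r["first_seen"])).days
        if age_days > max_age_days:
            rejected.append((r["value"], "stale"))
            continue
        usable.append(r)
    return usable, rejected

def explain_alert(record):
    """The sentence the person on the other end of the firewall wants."""
    return (f"blocked {record['type']} {record['value']}: attributed to "
            f"{record['actor']} ({record['ttp']}), per {record['source']}")

# Constructed sightings from our own network, recorded as (month, actor).
SIGHTINGS = [
    ("2014-01", "GroupX"), ("2014-01", "GroupX"), ("2014-02", "GroupY"),
    ("2014-02", "GroupX"), ("2014-03", "GroupX"), ("2014-03", "GroupX"),
]

def trend(sightings):
    """Sightings per actor per month: the raw material of a threat trend,
    which only exists if tactical records are kept over time."""
    by_month = defaultdict(Counter)
    for month, actor in sightings:
        by_month[month][actor] += 1
    return {m: dict(c) for m, c in sorted(by_month.items())}
```

Running `to_intelligence(FEED, date(2014, 6, 1))` keeps only the record with full, recent context and reports why the other two were dropped; `trend(SIGHTINGS)` shows one actor recurring month after month.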

Threat trends allow us to make predictions about future threats based on analysis, rather than on unfounded predictions or false positives.

Threat Situation Research

Speaking of trends: threat analysis has long favored timeliness, and dynamic intelligence must be accumulated through long-term strategic research before it becomes useful at that level. Compare the number of strategic-level resources in the community with the number of technical IOC (indicator of compromise) and tactical intelligence sources, or count how many new projects promise "real-time intelligence" versus "in-depth analysis". The reason, of course, is that there are not enough analysts to do the work, and those we have usually focus on time-sensitive tasks. In addition, we often lack enough data to analyze the strategic layer: we are not in the habit of collecting data from our own networks, and most people are reluctant to share strategic threat information, being willing to share only how a threat actually affected them.

We need to change this situation, because you cannot and should not ignore the role of strategy in future security programs, and you cannot rush to develop security policy without understanding the logic behind it. Threat situation research is the long-term analysis of the threats in your environment (who attacks you, how they attack, and how you respond), all of which shape your policy. The strategic-level information you collect from your network and the analysis based on its daily activity belong to the threat situation, and both your own and public-domain dynamic intelligence can feed threat situation research. Verizon has created a framework for capturing and analyzing this kind of information called VERIS (Vocabulary for Event Recording and Incident Sharing). Remember that this type of intelligence analysis requires a lot of time and effort, but it is all worthwhile.

Information sharing

At the moment, sharing IOCs and other technical information gets most of the attention. However, every type of intelligence discussed in this article is suitable for sharing, and sharing best practices and procedures brings unexpected gains as well.

Sharing information within a network of organizations is a good way to learn about new threats, and it also improves situational awareness. Information sharing is essentially what produces warning intelligence, and as sharing becomes more automated, more information becomes available. For more on this, see Alex Pinto's recent research on measuring the effectiveness of threat intelligence.

Even if you still doubt the value of collecting intelligence from your own environment, consuming threat intelligence still requires analysis: you need to understand why it is relevant to you and what action you should take. Understanding and using the different types of intelligence can guide that analysis and decision-making.
