TL;DR

This page aggregates the main topics relating to threat intelligence. It aims to give curious readers a global picture of what threat intelligence covers. It also defines inThreat's ten commandments.

Definition

Threat intelligence has multiple definitions:

  • From a market perspective (Gartner): "Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."
  • From an operational perspective (CPNI): "As with traditional intelligence, a core definition is that threat intelligence is information that can aid decisions, with the aim of preventing an attack or decreasing the time taken to discover an attack. Intelligence can also be information that, instead of aiding specific decisions, helps to illuminate the risk landscape."
  • From a security provider's perspective (inThreat): "Threat intelligence is the combination of external information about threats and internal context. Depending on the final use, information is refined, correlated or explained to match internal context. Ultimately, threat intelligence is a global capability which helps focus an organization's cybersecurity."

Main Concepts

Threat intelligence is a recent term that has been in wide use since about 2012. Several of its sub-concepts are much older, however, and come from organizations that have been managing a threat landscape for a long time, mainly the defense and intelligence communities.


TLP

Traffic Light Protocol (TLP) is a set of labels, set by the source of a piece of information, that state how far the recipient may redistribute it. Four levels are defined:

  • TLP:White, the information is public and can be redistributed without restriction
  • TLP:Green, the information can be shared with peers and partner organizations within the community, but not published
  • TLP:Amber, distribution is restricted to the receiving organization, plus its clients or customers who need the information to protect themselves
  • TLP:Red, the information is given to a named list of people and must not be shared outside that circle

TLP only works if the label travels with the information: a platform, a ticket or a report that loses the marking has effectively declassified it. Note also that TLP 2.0, published by FIRST in 2022, renamed TLP:White to TLP:Clear and added TLP:Amber+Strict, which limits Amber to the receiving organization alone.

Kill Chain

Cyber Kill Chain is a framework, and a registered trademark, of Lockheed Martin. It is widely adopted in information security and fits targeted attacks quite well. It is divided into seven stages:

  1. Reconnaissance, the attacker collects information on the future target
  2. Weaponization, the attacker develops or adapts a payload so that it is relevant to the target
  3. Delivery, the weaponized payload is transmitted to the target environment
  4. Exploitation, the payload uses one or several vulnerabilities to gain execution in the target environment
  5. Installation, the payload installs itself, typically with a persistence mechanism, in the target environment
  6. Command and control, the implant opens a communication channel back to the attacker
  7. Actions on objectives, the attacker pursues the actual goal of the intrusion (data theft, sabotage, further lateral movement)

Defenders use the model to ask, for each stage, which detection or blocking control they have: the earlier in the chain an intrusion is broken, the less the attacker achieves.

TTP

Tactics, Techniques and Procedures (TTP) is a term often used to describe an attacker's methodology and modus operandi. It is the combination of several behaviours that are commonly associated with a specific threat actor. TTPs are sometimes complex to define: they do not just cover technical indicators but also provide the context of why and how those indicators are generated, which is what makes them longer-lived than any single indicator.


Intelligence Cycle

Intelligence is a long-established discipline in the defense world, where the concept is tightly associated with military activities.
Intelligence can be divided into five main steps:

  1. Direction: the founding ground of intelligence. This step states what is to be done and which objectives (the intelligence requirements) should be met.
  2. Collection: information is gathered from different kinds of sources (Open Source INTelligence, OSINT, being one of them). Each collector produces data for one precise source that may make sense in the global picture.
  3. Processing: data is filtered, evaluated, enriched and structured by different mechanisms. At the end of this step, human-readable information is available.
  4. Analysis: refined information is correlated, piece by piece, and given context in order to produce the final intelligence.
  5. Dissemination: at the end of the cycle, the intelligence report is distributed to the different stakeholders. Sharing can be private or public, redacted or not. Feedback is also gathered at this step before the cycle loops back to direction.

Threat intelligence applied to the digital world is recent compared to the defense world. The process is roughly the same, however, and the intelligence cycle applies as well.
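The five steps above as one runnable pass, as an added example written for this page (not inThreat's code): a constructed feed and a constructed egress log stand in for the collectors, a constructed asset inventory is the internal context, and the report carries the TLP, the confidence per hit and the feedback request that closes the loop. The feed format, addresses, hostnames and asset names are all made up for the example.

```python
"""Intelligence cycle over constructed data: direction, collection, processing,
analysis, dissemination. Example code written for this page; not inThreat's."""
import ipaddress
import re

# Direction: the requirement the cycle has to answer, with the TLP the
# resulting report will carry. (Constructed priority intelligence requirement.)
DIRECTION = {"pir": "External C2 infrastructure seen in our egress logs",
             "tlp": "AMBER"}

# Collection: two constructed inputs. A real collector would fetch the feed;
# the egress log would come from the firewall or proxy. Addresses are dummies.
OSINT_FEED = """\
# value,type,source,confidence
203.0.113.10,ipv4,pastebin-scrape,40
203.0.113.10,ipv4,partner-report,80
evil-update.example,domain,partner-report,70
198.51.100.7,ipv4,partner-report,60
999.1.1.1,ipv4,pastebin-scrape,90
not an indicator
"""
INTERNAL_EGRESS_LOG = """\
2024-03-01T10:00:01Z src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=5120
2024-03-01T10:00:07Z src=10.0.0.9 dst=93.184.216.34 dport=443 bytes=980
2024-03-01T10:01:12Z src=10.0.0.5 dst=198.51.100.7 dport=8443 bytes=77
"""
# Internal context: who owns which source address (constructed asset inventory).
ASSETS = {"10.0.0.5": "finance-laptop-12", "10.0.0.9": "dev-build-03"}
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def collect(feed_text):
    """Collection: raw rows from the feed, comments and blank lines skipped."""
    for line in feed_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def process(rows):
    """Processing: validate, normalise and merge duplicate indicators. A merged
    indicator keeps every source and the highest reported confidence."""
    indicators = {}
    for row in rows:
        parts = [p.strip() for p in row.split(",")]
        if len(parts) != 4:
            continue                      # filter: malformed row
        value, itype, source, conf = parts
        if itype == "ipv4":
            try:
                value = str(ipaddress.ip_address(value))
            except ValueError:
                continue                  # filter: not a valid address
        elif itype == "domain":
            value = value.lower().rstrip(".")
        else:
            continue                      # filter: unsupported type
        ind = indicators.setdefault(value, {"type": itype, "sources": set(),
                                            "confidence": 0})
        ind["sources"].add(source)
        ind["confidence"] = max(ind["confidence"], int(conf))
    return indicators


def analyse(indicators, log_text, assets):
    """Analysis: correlate refined indicators with internal context."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["dst"] not in indicators:
            continue
        ind = indicators[m["dst"]]
        hits.append({"asset": assets.get(m["src"], m["src"]),
                     "indicator": m["dst"], "dport": int(m["dport"]),
                     "confidence": ind["confidence"],
                     "sources": sorted(ind["sources"])})
    return hits


def disseminate(direction, hits):
    """Dissemination: a report that carries its TLP, answers the PIR, states
    per-hit confidence and sources, and asks for feedback to close the loop."""
    lines = [f"TLP:{direction['tlp']}  PIR: {direction['pir']}"]
    for h in sorted(hits, key=lambda h: -h["confidence"]):
        lines.append(f"- {h['asset']} -> {h['indicator']}:{h['dport']} "
                     f"(confidence {h['confidence']}, sources: "
                     f"{', '.join(h['sources'])})")
    lines.append(f"Feedback requested: were these {len(hits)} hits actionable?")
    return "\n".join(lines)


def run_cycle():
    """One turn of the cycle: refined indicators, hits and the report."""
    indicators = process(collect(OSINT_FEED))
    hits = analyse(indicators, INTERNAL_EGRESS_LOG, ASSETS)
    return indicators, hits, disseminate(DIRECTION, hits)


if __name__ == "__main__":
    print(run_cycle()[2])
```

The point of the processing step shows in the data: the same address reported twice by different sources becomes one indicator with two sources and the higher confidence, the malformed row and the impossible address are dropped before analysis, and the report ranks the two hits on the finance laptop by confidence rather than by order of appearance.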


OPSEC

In the intelligence world, the ability to obtain a piece of information is crucial. Operations Security (OPSEC) is the process of protecting each piece of information, each part of the puzzle, so that an adversary cannot correlate the parts and solve the puzzle. Through investigation, analysis and experience, threat intelligence tries to get around the attacker's OPSEC in order to reconstruct those puzzles. The reverse also holds: an analyst's own activity (the queries sent, the sandboxes used, the infrastructure scanned) can be visible to the attacker, so the investigation itself needs OPSEC.


OSINT

The Internet is a vast source of information. Some of it is publicly available, and it is precisely to those sources that Open Source INTelligence (OSINT) applies. OSINT collectors use public information to assemble part of the puzzle.


TIP

A Threat Intelligence Platform (TIP) is a solution that helps organizations manage information related to cyber threats. A TIP provides user access control, feed and indicator management, investigation and sharing within communities. Other features (alerting, incident management, asset management) can also be integrated into a TIP.

Threat Intelligence Platforms are turnkey solutions for customers who want to activate threat intelligence in their environment.


IOCs

Indicator of compromise (IOC) is a term first introduced by Mandiant. It describes technical information that directly shows the activity of an attacker at a given time (a file hash, a mutex name, a command-and-control address, a registry key). A framework (OpenIOC, an XML-based format) was developed so that anyone can create and share indicators; it provides 500+ types of terms that can be used to describe an attack, combined with AND/OR logic rather than as a flat list.
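To show what an OpenIOC definition looks like and how its AND/OR logic is evaluated, here is an added example written for this page (not Mandiant's tooling, and not a real IOC): a constructed OpenIOC 1.0 document with a hash indicator OR'd with a behavioural pair, evaluated against constructed host snapshots. The hash, process name and address are dummies, and only the `is` and `contains` conditions are implemented; anything else makes the evaluator fail closed.

```python
"""Evaluate a constructed OpenIOC 1.0 document against a host snapshot.
Example code written for this page; not Mandiant's tooling and not a real IOC."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed IOC: "hash of the dropper, OR a process named like svchost.exe
# that talks to our constructed C2 address". Hash and address are dummies.
SAMPLE_IOC = """\
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001">
  <short_description>Constructed dropper / C2 indicator</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">203.0.113.10</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host snapshots keyed by OpenIOC search term. A real collector
# would fill these from the file system, process list and socket table.
SNAPSHOT_HASH_MATCH = {"FileItem/Md5sum": ["0123456789ABCDEF0123456789ABCDEF"]}
SNAPSHOT_PARTIAL = {"ProcessItem/name": ["svchost.exe"],
                    "PortItem/remoteIP": ["93.184.216.34"]}
SNAPSHOT_BEHAVIOUR = {"ProcessItem/name": ["explorer.exe", "svchost.exe"],
                      "PortItem/remoteIP": ["93.184.216.34", "203.0.113.10"]}


def _local(tag):
    """Strip the namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _item_matches(item, snapshot):
    """One IndicatorItem: does any observed value satisfy the condition?"""
    ctx = item.find("ioc:Context", NS)
    content = item.find("ioc:Content", NS)
    if ctx is None or content is None:
        raise ValueError("IndicatorItem without Context/Content")
    observed = snapshot.get(ctx.get("search"), [])
    wanted = (content.text or "").strip().lower()
    cond = item.get("condition")
    if cond == "is":
        return any(v.lower() == wanted for v in observed)
    if cond == "contains":
        return any(wanted in v.lower() for v in observed)
    raise ValueError(f"unsupported condition: {cond}")   # fail closed, not open


def _evaluate(node, snapshot):
    """Recursive AND/OR tree. OpenIOC 1.0 limitation worth knowing: AND means
    the host shows both items, not that the same process does both things."""
    tag = _local(node.tag)
    if tag == "IndicatorItem":
        return _item_matches(node, snapshot)
    if tag == "Indicator":
        op = node.get("operator", "OR").upper()
        results = [_evaluate(child, snapshot) for child in node]
        if op == "AND":
            return bool(results) and all(results)
        if op == "OR":
            return any(results)
        raise ValueError(f"unsupported operator: {op}")
    raise ValueError(f"unexpected element: {tag}")


def evaluate_ioc(xml_text, snapshot):
    """True if the host snapshot matches the IOC definition."""
    root = ET.fromstring(xml_text)
    definition = root.find("ioc:definition", NS)
    if definition is None:
        raise ValueError("IOC has no definition")
    return any(_evaluate(child, snapshot) for child in definition)


if __name__ == "__main__":
    for name, snap in [("hash", SNAPSHOT_HASH_MATCH), ("partial", SNAPSHOT_PARTIAL),
                       ("behaviour", SNAPSHOT_BEHAVIOUR)]:
        print(name, evaluate_ioc(SAMPLE_IOC, snap))
```

The partial snapshot is the interesting case: a process called svchost.exe on its own matches nothing, because the AND branch also needs the C2 address. Matching is case-insensitive so that an upper-case hash from one tool still matches a lower-case hash in the IOC.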


STIX

Structured Threat Information eXpression (STIX) goes beyond IOCs: it is a richer model that describes not only technical indicators but also the larger threat concepts around them. STIX is still relatively young; the latest evolution (STIX 2) brings new ideas to make it more operational, in particular a JSON serialization and a graph of objects linked by explicit relationship objects.
STIX is composed of several main objects that together form an exhaustive threat model:

  • threat actor, the attacker behind an attack
  • campaign, information on the campaign launched by the attacker
  • indicator, technical information with specific context, expressed as a pattern
  • observable, something that can be seen on a system or network (in STIX 2, the cyber-observable objects and the observed-data object)
  • ttp, a specific modus operandi used by an attacker (a STIX 1 object; STIX 2 splits it into attack-pattern, malware and tool objects)
  • course of action, a mitigation that can be enforced to defend against the attack
  • vulnerability, a weakness used by the attacker to target an entity

STIX is not only an expression language but also the centerpiece of a family of related specifications that add value to it:

  • CybOX is a model that defines precisely the structure of observables. With STIX 2.0, CybOX was merged directly into STIX
  • MAEC (Malware Attribute Enumeration and Characterization) is a model that defines precisely what a malware sample is made of and how it works
  • TAXII is the transport mechanism (an HTTPS-based API) for exchanging threat intelligence between organizations
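As an added example written for this page (not inThreat's or OASIS code), the STIX 2 objects above assembled into a bundle by hand, with the TLP markings from the TLP section attached, and a filter that removes what a given recipient may not receive before the bundle leaves the organization (commandment 5 below, never break TLP). It uses the standard library rather than the stix2 package so it runs anywhere; the marking-definition IDs are the fixed ones from the STIX 2.1 specification, the recipient-to-TLP mapping is our own sharing policy, and the actor, campaign, address and attribution are constructed.

```python
"""Build a small STIX 2.1 bundle by hand and filter it by TLP before sharing.
Example code written for this page, not inThreat's tooling; standard library only."""
import uuid
from datetime import datetime, timezone

# TLP marking-definition IDs are fixed by the STIX 2.1 specification so that
# every producer refers to the same object.
TLP_ID = {
    "white": "marking-definition--613f2e26-0d4c-4d6d-8b5e-2da0e3b8d2b1",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}
ID_TO_TLP = {v: k for k, v in TLP_ID.items()}
# Highest TLP each kind of recipient may receive: our own policy, mirroring
# the TLP definitions, not part of STIX.
RECIPIENT_MAX = {"public": "white", "community": "green",
                 "own-org": "amber", "named-person": "red"}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def tlp_marking(level):
    """The specification's TLP marking-definition object for a level."""
    return {"type": "marking-definition", "spec_version": "2.1",
            "id": TLP_ID[level], "created": "2017-01-20T00:00:00.000Z",
            "definition_type": "tlp", "name": f"TLP:{level.upper()}",
            "definition": {"tlp": level}}


def sdo(stix_type, tlp, **props):
    """A STIX object with the common properties and one TLP marking."""
    obj = {"type": stix_type, "spec_version": "2.1",
           "id": f"{stix_type}--{uuid.uuid4()}",
           "created": _now(), "modified": _now(),
           "object_marking_refs": [TLP_ID[tlp]]}
    obj.update(props)
    return obj


def relationship(src, rel_type, dst, tlp):
    return sdo("relationship", tlp, relationship_type=rel_type,
               source_ref=src["id"], target_ref=dst["id"])


def build_bundle():
    """Constructed content: names, the address and the attribution are dummies."""
    actor = sdo("threat-actor", "red", name="Constructed Actor",
                threat_actor_types=["crime-syndicate"])
    campaign = sdo("campaign", "amber", name="Constructed campaign 2024-Q1")
    indicator = sdo("indicator", "green", name="C2 address (constructed)",
                    pattern="[ipv4-addr:value = '203.0.113.10']",
                    pattern_type="stix", valid_from=_now(),
                    kill_chain_phases=[{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                                        "phase_name": "command-and-control"}])
    coa = sdo("course-of-action", "white",
              name="Block 203.0.113.10 at the egress firewall")
    objects = [tlp_marking(lvl) for lvl in TLP_ID] + [
        actor, campaign, indicator, coa,
        relationship(campaign, "attributed-to", actor, "red"),
        relationship(indicator, "indicates", campaign, "amber"),
        relationship(coa, "mitigates", indicator, "white")]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def tlp_of(obj):
    """Most restrictive TLP on an object. Unmarked objects count as RED
    (our fail-closed policy; the specification says nothing about unmarked data)."""
    levels = [ID_TO_TLP[m] for m in obj.get("object_marking_refs", []) if m in ID_TO_TLP]
    return max(levels, key=TLP_RANK.__getitem__) if levels else "red"


def share_with(bundle, recipient_kind):
    """Copy of the bundle containing only what this recipient may receive.
    Relationships whose ends were removed are dropped too, so the result is a
    consistent graph and does not leak the existence of withheld objects."""
    allowed = TLP_RANK[RECIPIENT_MAX[recipient_kind]]
    sdos = [o for o in bundle["objects"] if o["type"] != "marking-definition"
            and TLP_RANK[tlp_of(o)] <= allowed]
    ids = {o["id"] for o in sdos}
    sdos = [o for o in sdos if o["type"] != "relationship"
            or (o["source_ref"] in ids and o["target_ref"] in ids)]
    used = {m for o in sdos for m in o.get("object_marking_refs", [])}
    markings = [o for o in bundle["objects"]
                if o["type"] == "marking-definition" and o["id"] in used]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": markings + sdos}


def shared_types(bundle):
    """Sorted object types in a bundle, marking definitions excluded."""
    return sorted(o["type"] for o in bundle["objects"] if o["type"] != "marking-definition")


if __name__ == "__main__":
    print(shared_types(share_with(build_bundle(), "community")))
```

Sharing with the community keeps the green indicator, the white course of action and the white relationship between them; the amber "indicates" relationship goes, and with it any trace of the campaign. Sharing publicly keeps only the course of action, because the white relationship now points at an indicator the recipient is not allowed to see. Note that the kill-chain phase on the indicator uses the "lockheed-martin-cyber-kill-chain" name the specification uses in its own examples, tying this back to the Kill Chain section.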

Chatham House Rule

The Chatham House Rule is a long-standing rule, originating at Chatham House (the Royal Institute of International Affairs), used during meetings to make discussion easier. It allows participants to speak "off the record": what they say is not attributed to them or to their organization.

Information given during a meeting held under the Chatham House Rule can be used by each participant, as long as neither the identity nor the affiliation of the speaker, nor of any other participant, is revealed.

It can be compared to an anonymization process, used when necessary to protect the source while still disseminating relevant information to all.


Diamond model

The Diamond model is a framework used during investigations into threat actors. The model represents an intrusion event as a diamond with four vertices:

  • Adversary
  • Capability
  • Victim
  • Infrastructure

Each vertex is tied to its neighbors, and the two axes have different natures: capability-infrastructure is the technical axis, adversary-victim the social (socio-political) axis.

The Diamond model can be used as a framework during an investigation to make sure pivots (moving from one vertex to the other events that share it) stay focused on a precise perimeter.
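An added example written for this page (not code from the Diamond model's authors): constructed intrusion events as diamonds, and a pivot along the technical axis with a hop limit that acts as the perimeter. Running it with a larger limit shows why the limit matters: a RAT shared between two actors pulls an unrelated actor into the cluster. All event ids, actor names, addresses and victims are placeholders.

```python
"""Pivot across Diamond-model events with a hop budget so the investigation
stays inside a chosen perimeter. Example code written for this page; the
events are constructed and the actor names are placeholders."""
from collections import deque

# One diamond per intrusion event: adversary, capability, infrastructure, victim.
EVENTS = [
    {"id": "E1", "adversary": "unknown", "capability": "dropper-A",
     "infrastructure": "203.0.113.10", "victim": "our-finance-dept"},
    {"id": "E2", "adversary": "unknown", "capability": "dropper-A",
     "infrastructure": "evil-update.example", "victim": "our-hr-dept"},
    {"id": "E3", "adversary": "ACTOR-X", "capability": "rat-B",
     "infrastructure": "evil-update.example", "victim": "partner-org"},
    {"id": "E4", "adversary": "ACTOR-Y", "capability": "rat-B",
     "infrastructure": "198.51.100.7", "victim": "other-org"},
    {"id": "E5", "adversary": "ACTOR-Z", "capability": "dropper-C",
     "infrastructure": "192.0.2.1", "victim": "unrelated-org"},
]
# Pivots run along the technical axis; adversary and victim are what we try
# to learn, not what we pivot on (a shared victim proves little by itself).
PIVOT_AXIS = ("capability", "infrastructure")


def pivot(events, feature, value, max_hops):
    """Breadth-first pivot from one feature value. Reaching an event costs one
    hop; events at max_hops are recorded but not expanded. Returns {id: hops}."""
    index = {}
    for ev in events:
        for f in PIVOT_AXIS:
            index.setdefault((f, ev[f]), []).append(ev)
    reached, seen = {}, {(feature, value)}
    queue = deque([((feature, value), 0)])
    while queue:
        key, depth = queue.popleft()
        for ev in index.get(key, []):
            if ev["id"] in reached:
                continue
            reached[ev["id"]] = depth + 1
            if depth + 1 >= max_hops:
                continue                      # perimeter: do not expand further
            for f in PIVOT_AXIS:
                nxt = (f, ev[f])
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, depth + 1))
    return reached


def summarise(events, reached):
    """Adversaries and victims implicated by the reached events, for the report."""
    evs = [e for e in events if e["id"] in reached]
    return {"adversaries": sorted({e["adversary"] for e in evs}),
            "victims": sorted({e["victim"] for e in evs})}


if __name__ == "__main__":
    for hops in (1, 2, 3, 4):
        r = pivot(EVENTS, "infrastructure", "203.0.113.10", hops)
        print(hops, sorted(r), summarise(EVENTS, r))
```

Starting from the address seen in our own finance department, two hops give the two events that share the dropper and stay inside our organization. Three hops cross the shared domain into a partner's incident and name ACTOR-X. Four hops follow the RAT into ACTOR-Y's activity, which shares nothing with the original event except a tool; at that point the cluster says more about the tool's distribution than about the intrusion, which is exactly the drift the perimeter is meant to stop.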

inThreat's 10 COMMANDMENTS

The inThreat approach is fueled by all these intelligence best practices. We have defined our own 10 commandments to make sure our activities stay aligned with them:


  1. Focus on the objective

    Cyber Threat Intelligence aims to improve security for different types of users. Make sure to provide relevant, adapted and packaged content for each user.


  2. Follow the rules

    In Cyber Threat Intelligence, rules are about trust. Make sure to follow the rules to secure the trust.


  3. Think as an ecosystem

    Threat intelligence's efficiency depends on people, process and technology applied correctly. Training helps people, guidelines define process, and open source tools can generate better intelligence. Make sure your contributions are valuable for the ecosystem.


  4. Share as much as possible

    When it comes to Threat Intelligence, sharing is caring. Information provided to one can help another. Make sure to share when possible.


  5. Never break TLP

    TLP is set by the source that owns the information. Make sure to follow the TLP classification throughout the intelligence cycle.


  6. Do not disclose the source / Chatham House Rule

    For different reasons, a source may not want to be named. Make sure internal processes and tools allow sharing without naming the source.


  7. Remain factual

    Societal aspects of investigations can lead to subjective interpretation. Excess certainty can also lead to wrong interpretation. Make sure to review all written documents.


  8. OPSEC leads to misinterpretation

    An attacker's OPSEC obscures the big picture. It is better to have an incomplete puzzle than a puzzle with the wrong pieces and false positives. Rate confidence, and stop the investigation when the confidence is limited.


  9. Use standards as much as possible

    Standards allow interaction between products and organizations, and let compatible products reach a homogeneous level of interaction. Make sure tools and data are compliant with standards.


  10. Ask for and use feedback

    The dissemination step of the intelligence cycle is valuable when good feedback is provided on it. Make sure to ask often for feedback on deliverables.