“Operationalizing Threat Intelligence” Notes

Chad Warner
7 min read · Jul 26, 2022


Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs by Kyle Wilhoit is an informative guide to cyber threat intelligence, covering theory and practice. It recommends and shows how to use many tools. It explains what threat intel is, how to collect it, and how to use it (covering the entire CTI cycle). It contains info that I haven’t encountered in any of the several other threat intel books I’ve read.

My notes follow.

Operationalizing Threat Intelligence by Kyle Wilhoit

This page contains one or more affiliate links. As an Amazon Associate, I earn from qualifying purchases.

Why You Need a Threat Intelligence Program

CTI definition: “it is data and information that is collected, processed, and analyzed in order to determine a threat actor’s motives, intents, and capabilities; all with the objective of focusing on an event or trends to better inform and create an advantage for defenders.”

TAG: Threat Actor Group

Technical CTI focuses on IoCs; tactical CTI focuses on TTPs.

https://urlscan.io analyzes URLs to see if they’re malicious.

Traits of good CTI

  • Accuracy
  • Completeness
  • Reliability
  • Relevance
  • Timeliness

Admiralty source ratings

  • A: Reliable (authentic; history of reliability, authenticity, completeness, trustworthiness).
  • B: Usually reliable (doubts about authenticity, completeness, or trustworthiness; history of valid data/info/intel a majority of time).
  • C: Fairly reliable (doubts about authenticity, completeness, or trustworthiness; history of valid data/info/intel some of time).
  • D: Not usually reliable (significant doubts about authenticity, completeness, or trustworthiness; history of valid data/info/intel some of time).
  • E: Unreliable (lacking authenticity, completeness, or trustworthiness; history of invalid data/info/intel).
  • F: Cannot be judged (not enough info to evaluate).

Admiralty data credibility ratings

  1. Confirmed (confirmed by independent sources; logical; consistent with other info on subject).
  2. Probably true (not confirmed; logical; consistent with other info on subject).
  3. Possibly true (not confirmed; reasonably logical; agrees with some other info on subject).
  4. Doubtfully true (not confirmed; possible but not logical; no other info on subject).
  5. Improbable (not confirmed; not logical; contradicted by other info on subject).
  6. Cannot be judged (not enough info to evaluate).

PCRs: Prioritized Collection Requirements

EEIs: Essential Elements of Information

F3EAD is more tactical than the threat intel life cycle, which is more strategic.

CTI maturity model

  • Threat Intelligence Maturity Model (TIMM): rates org’s CTI maturity (levels 0–4).
  • Hunting Maturity Model (HMM): rates org’s threat hunting maturity (levels 0–4).
  • Detection Maturity Level (DML): rates org’s ability to detect threat activity.

Threat Actors, Campaigns, and Tooling

Hacktivism campaigns often use #Op at beginning of hashtag (e.g., #OpChile).

Computer Antivirus Research Organization (CARO) malware naming scheme

  • Scheme: Type:Platform/Family.Variant!Suffixes
  • Type: Adware, Exploit, Trojan, Virus, Worm, etc.
  • Platform: OS or platform
  • Family: malware grouping, based on common characteristics
  • Variant: specific version of malware family
  • Suffix: additional details
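As an added example (my code, not the book's), here is a small parser for the Type:Platform/Family.Variant!Suffixes scheme above, plus a helper that collapses vendor names onto families so variants of one family can be counted together. The sample names are constructed for the demo, and treating Platform, Variant and Suffixes as optional is my assumption about real vendor output.

```python
import re
from typing import Dict, List, NamedTuple, Optional

class CaroName(NamedTuple):
    type: str                  # Adware, Exploit, Trojan, Virus, Worm, ...
    platform: Optional[str]    # OS or platform, e.g. Win32
    family: str                # malware grouping
    variant: Optional[str]     # specific version within the family
    suffixes: List[str]        # additional details, e.g. a detection-method tag

# Type and Family are required; Platform, Variant and Suffixes are optional
# because vendor output frequently omits one or more of them (assumption).
_CARO_RE = re.compile(
    r"^(?P<type>[A-Za-z]+)"
    r"(?::(?P<platform>[A-Za-z0-9_]+))?"
    r"/(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9_-]+))?"
    r"(?:!(?P<suffixes>[A-Za-z0-9_!-]+))?$"
)

def parse_caro(name: str) -> CaroName:
    """Split a Type:Platform/Family.Variant!Suffixes name into its parts."""
    m = _CARO_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a CARO-style name: {name!r}")
    suffixes = m.group("suffixes")
    return CaroName(m.group("type"), m.group("platform"), m.group("family"),
                    m.group("variant"), suffixes.split("!") if suffixes else [])

def group_by_family(names: List[str]) -> Dict[str, List[str]]:
    """Collapse names onto lower-cased families, listing the variants seen."""
    groups: Dict[str, set] = {}
    for n in names:
        p = parse_caro(n)
        variants = groups.setdefault(p.family.lower(), set())
        if p.variant:
            variants.add(p.variant)
    return {fam: sorted(v) for fam, v in groups.items()}

# Constructed detection names for the demo; not taken from any real report.
SAMPLE_NAMES = [
    "Trojan:Win32/Emotet.A!ml",
    "Trojan:Win32/emotet.B",
    "Worm:Win32/Conficker.B",
    "Ransom:Win32/REvil!MTB",
]
```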

Guidelines and Policies

Guidelines, procedures, standards, policies

  • Guidelines: general rules; usually not required.
  • Procedures: step-by-step instructions for daily tasks.
  • Standards: mandatory courses of actions or rules; define how to follow policies.
  • Policies: guides for decision-making, often resulting from legal requirements or to protect proprietary info; often mandatory and enforceable.

Intelligence requirement: an intel gap that requires info to fill.

Specific Intelligence Requirements (SIRs)

  • Highly granular (more than GIRs and PIRs); often related to specific attributes of attack or threat actor, or technical intel observations.
  • Very short-term.
  • Operational, tactical; focused on specific facts and activities.
  • Examples: 1) Identify the C2 infrastructure that a specific threat actor is using today. 2) Describe the specific attributes associated with all REvil ransomware binaries observed in incidents today.

Prioritized Intelligence Requirements (PIRs)

  • Less granular than SIRs, more granular than GIRs.
  • Determine and outline priority of IRs.
  • Time-based.
  • Should only ask 1 question.
  • Focus on specific activity/event.
  • Provide intel required to support decisions.
  • Provide latest time info is of value (LTIOV) (time by which info must be delivered to requestor).
  • Examples: 1) Where along the perimeter will the adversary attack? 2) What vulnerabilities could be available to the adversary?

General Intelligence Requirements (GIRs)

  • Most general/broad IRs (less granular than SIRs or PIRs).
  • Collection of knowledge gaps that require CTI collection to fill.
  • Example: How is ransomware being hosted, distributed, and installed?

Intelligence requirement criteria

  • Necessity
  • Feasibility (possibility of collecting required info/intel)
  • Timeliness (fast enough to be actionable)
  • Specificity

General items of interest for IRs

  • Environment (societal, technological, economic, political, environmental factors)
  • Actors
  • Motivation
  • Capability and skill development
  • Activity
  • Planning and coordination
  • Tools and techniques
  • Target selection (how actors select targets)
  • Infrastructure
  • Outcome (types of activities to accomplish objective)
  • Impact
  • Exploitation of results (how actors use results)

IR prioritization

  • High: info was needed yesterday; may be critical to org’s success.
  • Medium: info needed today; needed for org’s success.
  • Low: info needed tomorrow; needed for org’s continued success.
  • Passive: info org would like to know; needed to augment org’s success.

GIR features

  • Unique ID
  • Priority
  • IR (clear definition of info to collect)
  • Description (exact definition of IR, examples of where to find info)

Focused Collection Requirements (FCRs)

  • Prioritize and identify requestor.
  • Map GIR, data inputs, blockers, desired outputs.
  • Can be internal (sourced from org-based data) or external (sourced from services, feeds, OSINT).
  • Should be updated twice annually, and any time new GIR is pushed or threat landscape has major shift.

FCR features

  • FCR identifier
  • FCR (collection requirement)
  • Priority
  • Description
  • Requestor
  • Defined GIR (mapped GIR that FCR attempts to solve)
  • Scope (definition of internal or external data sources)
  • Data types
  • Output (technical, such as API feed, or non-technical, such as report)

Information Extraction Requirements (IERs): mapped directly to FCR; responsible for defining specific requirements for extraction and collection of data.

IER features

  • IER identifier
  • Information extraction requirement (high-level description)
  • Priority
  • Description
  • Defined GIR
  • Scope (internal or external data sources)
  • Data dependency (dependencies that could prohibit collection or enrichment of data)
  • Data types

Data Intelligence Requirements (DIRs)

  • Capture requirements related to specific data being gathered or processed.
  • Specific to data types used by org.
  • Look at current and future considerations in way that intel data is stored and transmitted.
  • Intended to uncover dependencies and requirements that might exist during gathering and processing of data.

DIR features

  • DIR identifier
  • IR
  • Priority
  • Description
  • Defined GIR
  • Defined FCR
  • Data requirement (specifics about storage or processing of data)
  • Data type

An IR should focus on attack surface or threat actor (and their campaigns and TTPs), not both.

Operational Security (OPSEC)

OPSEC process

  • Identify info or actions that you’re trying to protect.
  • Evaluate your operations, identify any weaknesses or threats.
  • Before beginning an operation, assess risks.
  • Apply appropriate OPSEC countermeasures.

Don’t overly divulge info about your persona/sock puppet; hide as much info as possible from threat actors until it benefits you to reveal it.

Technical OPSEC

  • Avoid disclosing identifiable info about yourself, org, affiliates.
  • Assume your activity is monitored by third parties.
  • Diversify sources of info.
  • Avoid behaving in predictable patterns.
  • Separate professional and personal work.
  • Avoid intermingling investigations or personas.

CTI tools

Source register system

  • Source ID
  • Source pseudonym
  • Description
  • Source handler (internal team member who engages with source)
  • Source validator (internal team member who can provide objective oversight)

Technical Threat Analysis — Threat Hunting and Pivoting

Infrastructure data points to pivot from

  • Registrant contact information
  • TLS certs
  • Subdomains
  • Hosted domains on an IP
  • Hosted files

File data points to pivot from

  • Original filename
  • File size
  • File type
  • PE file compilation timestamp
  • Program Database (PDB) path
  • Mutex strings
  • Network activity
  • File-based behavior
  • Registry-based behavior
  • Process creation
  • API function calls
  • Shell commands

Free pivot and hunting tools and services

  • Maltego
  • AlienVault OTX
  • urlscan.io
  • Hybrid Analysis
  • VirusTotal graphing/hunting
  • RiskIQ PassiveTotal

Technical Threat Analysis — Similarity Analysis

YARA rules support hex, regex, text strings.

In YARA rules, try to use 2–3 groups of conditions to avoid false positives.

Hybrid Analysis has a YARA Search Portal.

Import hashing (imphashing): computing hash of Import Address Table (IAT); hash values are created and calculated based on library or imported function names and their order within executable.
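To make the "names and their order" point concrete, here is an added example (mine, not the book's) that reimplements the imphash construction over a constructed import table: lower-case the library name, drop a .dll/.ocx/.sys extension, resolve ordinal-only imports to names, join `lib.func` entries in import order, and MD5 the result. The `_ORDINALS` table is an assumed, trimmed subset of the ordinal tables the pefile library ships with.

```python
import hashlib
from typing import Iterable, List, Tuple, Union

# (DLL name as it appears in the import directory, function name or ordinal)
ImportEntry = Tuple[str, Union[str, int]]

# Ordinal-to-name tables for libraries commonly imported by ordinal only.
# Assumption: a trimmed subset of the tables pefile ships with; the real ones
# are far longer, and an ordinal not listed here becomes "ordN".
_ORDINALS = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 23: "socket"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString"},
}

def _lib_name(dll: str) -> str:
    """Lower-case the DLL name and drop a .dll/.ocx/.sys extension."""
    name = dll.lower()
    base, _, ext = name.rpartition(".")
    return base if ext in ("dll", "ocx", "sys") and base else name

def import_string(imports: Iterable[ImportEntry]) -> str:
    """Build the 'lib.func,lib.func,...' string that gets hashed; order matters."""
    parts: List[str] = []
    for dll, func in imports:
        lib = _lib_name(dll)
        if isinstance(func, int):  # import by ordinal: map to a name if known
            func = _ORDINALS.get(lib, {}).get(func, f"ord{func}")
        parts.append(f"{lib}.{func}".lower())
    return ",".join(parts)

def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 of the import string, following the construction pefile's get_imphash uses."""
    return hashlib.md5(import_string(imports).encode()).hexdigest()

# Constructed import tables, not extracted from real binaries.
SAMPLE_A = [("KERNEL32.DLL", "CreateFileA"), ("KERNEL32.DLL", "WriteFile"),
            ("WS2_32.dll", 23)]
# Same imports as SAMPLE_A, different case and a named rather than ordinal import.
SAMPLE_B = [("kernel32.dll", "createfilea"), ("kernel32.dll", "WriteFile"),
            ("ws2_32.dll", "socket")]
# Same imports as SAMPLE_A in a different order: the imphash changes.
SAMPLE_C = [("KERNEL32.DLL", "WriteFile"), ("KERNEL32.DLL", "CreateFileA"),
            ("WS2_32.dll", 23)]
```

Two binaries built from the same source with the same linker settings tend to share an imphash, which is why it pivots well; a re-linked or padded variant with a reordered import table does not.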

Hashing methods for similarity analysis

  • SSDEEP
  • Trend Micro Locality Sensitive Hash (TLSH)
  • dHash

Fingerprinting tools

  • JA3/JA3S
  • JARM

Preparation and Dissemination

Cognitive biases

  • Confirmation bias: seeking evidence to confirm preexisting beliefs.
  • Hindsight bias: overestimating ability to have predicted outcome.
  • Anchoring bias: relying on 1st piece of info received.
  • Availability bias: relying on immediately available info.
  • Framing effect: being influenced by wording rather than info.
  • Inattention blindness: being so focused on some info that other info is overlooked.

Analytic judgments

  • Expert judgment: using analyst’s reasoning.
  • Quantitative methods: using math to analyze data.
  • Structured analysis: using step-by-step processes (see below).

Structured analytic techniques

  • Structured brainstorming: SMEs review data, mind map thoughts.
  • Cross-impact matrix: represents impact or probability of specific data points.
  • Key assumptions check: separate any conclusions that have been created by examining evidence from those that were created through expert judgment.
  • Analysis of competing hypotheses: evaluate every hypothesis, seeking to refute it, to find hypothesis with most evidential support.
  • Premortem analysis and structured self-critique: reframe question to view from a different viewpoint.
  • What if?: imagine what you’d do if analytic judgment and hypothesis were totally wrong.

Analytic confidence

  • High: judgments are based on high-quality info, often from multiple sources.
  • Moderate: judgments are based on info that’s credibly sourced but might lack some admiralty or hasn’t been sufficiently corroborated.
  • Low: source info has low credibility or uncertain plausibility.

Intelligence Community Directive 203: Analytic Standards

  • Objective: be objective; avoid assumptions and biases.
  • Independence of politics: base intel on data and analytic judgment, not influence of others.
  • Timely: disseminate intel in time for stakeholders to act on it.
  • All-sourced intelligence: ensure that analytic judgment is based on all available data.
  • Analytic tradecraft standards: use analytic tradecraft standards (see below).

Analytic tradecraft standards

  • Describe quality and credibility of sources, data, methodologies; use Admiralty ratings.
  • Express any uncertainties associated with any analytic judgments; express likeliness of an event, confidence in analytic judgment.
  • Include confidence rating about judgment.
  • Distinguish between intel and analyst’s assumptions and opinions.
  • Consider other hypotheses or differing opinions.
  • Ensure intel is relevant to stakeholders.
  • Show how intel supports consistency of judgment or represents a change in judgment.
  • Produce most accurate judgment possible based on available data, being aware of knowledge gaps.
  • Use visual aids when possible.
