CySA+ Module 1.4.2
Applying Threat Intelligence
In this chapter you will learn:
Pyramid of Pain
Common Vulnerability Scoring System
• A well-known standard for quantifying severity is the Common Vulnerability Scoring System (CVSS).
• This system ensures accurate quantitative measurement so that users can better understand the impact of these weaknesses.
• The Common Vulnerability Scoring System is the de facto standard for assessing the severity of vulnerabilities.
8.3 Threat Modeling Methodologies
• Threat modeling promotes better security practices by taking a procedural approach to thinking like the adversary.
• Threat modeling techniques are used to create an abstraction of the system, develop profiles of potential attackers, and bring awareness to potential weaknesses that may be exploited.
• Some threat models may be used to gain a general understanding about all aspects of security, while others may be focused on related aspects such as user privacy.
• To gain the greatest benefit from threat modeling, it should be performed early and continuously as an input directly into the software development lifecycle (SDLC).
• Threat modeling examines several facets of a threat actor and threat event, including adversary capability, attack surface, attack vector, the likelihood that a threat will be successful in exploiting a weakness, and the impact if it does. These facets are:
Adversary Capability
• The first step in understanding adversary capability is to document the types of threat actors that would likely be threats, what their intent might be, and what capabilities they might bring to bear in the event of a security incident.
• We can develop an understanding of adversary TTPs with the help of various attack frameworks and resources such as MITRE ATT&CK.
Total Attack Surface
• The attack surface is the logical and physical space that can be targeted by an attacker.
• Logical areas include infrastructure and services, while physical areas include server rooms and workstations.
• As each component is addressed, defenders need to keep track of how the overall attack surface might change as compensating controls are put into place.
• Analysis of the attack surface is usually conducted by penetration testers, software developers, and system architects, but as a security analyst, you will have significant influence in the architecture decisions as the local expert on security operations in the organization.
Attack Vector
• The next step is to determine the most likely path for the adversary to get their hands on the assets and information.
• This can be done using visual tools, as part of a red-teaming exercise, or even as a tabletop exercise.
• The goals of mapping out attack vectors consist of identifying realistic or likely paths to critical assets and identifying which security controls are in place to mitigate specific TTPs.
Likelihood
• The possibility of a threat actor successfully exploiting a vulnerability that results in a security incident is referred to as likelihood.
• NIST provides a formal definition of likelihood as it relates to security operations as “a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.”
Impact
• Impact is simply the potential damage to an organization in the case of a security incident.
• Impact types can include but aren’t limited to physical, logical, monetary, and reputational.
• The Common Vulnerability Scoring System is the de facto standard for assessing the severity of vulnerabilities.
STRIDE
• STRIDE is a threat modeling framework that evaluates a system’s design using flow diagrams, system entities, and events related to a system.
• STRIDE is among the most used threat modeling methods, suitable for application to logical and physical systems alike.
• Microsoft has also developed a freely available threat modeling tool based on STRIDE that anyone can use.
PASTA
• PASTA, or the Process for Attack Simulation and Threat Analysis, is a risk-centric threat modeling framework originally developed in 2012.
• Focused on communicating risk to strategic-level decision-makers, the framework is designed to bring technical requirements in line with business objectives.
8.4 Threat Intelligence Sharing
• The end goal of using threat intelligence is to protect assets and reduce the possibility of threats infiltrating your infrastructure.
• Proactive use of threat intelligence can also be used in security engineering to design secure systems from the beginning.
• Integrating threat intelligence concepts enables responders to act more quickly in the face of uncertainty and frees them up to deal with new and unexpected threats when they arise.
Incident Response
• Incident responders are required by any organization because of their ability to rapidly and accurately address potentially wide-ranging issues on a consistent basis.
• Incident response is not usually an entry-level security function because it requires such a diverse skill set—from malware analysis to forensics to network traffic analysis.
• At the core of a responder’s modus operandi is speed.
• Security teams must do whatever they can to prepare themselves for the possibility of a security event.
• Threat intelligence information is a critical part of the preparation phase because it enables teams to more accurately develop strong, consistent processes to cope with issues should they arise.
• These not only dramatically reduce the time needed to respond, but as repeatable and scalable processes, they reduce the likelihood of analyst error.
Vulnerability Management
• Vulnerability management is the ongoing, regular process of identifying, assessing, reporting on, managing, and remediating cyber vulnerabilities across endpoints, workloads, and systems.
• Threat intelligence takes vulnerability management concepts a step further and provides awareness about vulnerabilities in an operational context.
• Threat intelligence communicates exploitation relevant to the organization instead of general exploitability.
• By identifying what is being exploited versus what can be exploited, these teams can make better decisions about where to place resources.
• Many times, vulnerabilities with high scores may not be the ones actually being exploited in the wild.
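One way to turn "what is being exploited versus what can be exploited" into a remediation queue, as an added example that is not part of the module: scanner findings are ranked by observed exploitation and exposure before raw CVSS score. The findings, the exploited-in-the-wild feed and the CVE identifiers (year 0000) are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str            # placeholder identifiers below, not real CVE numbers
    cvss: float         # CVSS base score reported by the scanner
    asset: str
    internet_facing: bool

# Constructed scanner output and a constructed "exploited in the wild" feed.
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "build-server", False),
    Finding("CVE-0000-0002", 7.5, "web-proxy", True),
    Finding("CVE-0000-0003", 9.1, "web-proxy", True),
    Finding("CVE-0000-0004", 6.5, "file-server", False),
    Finding("CVE-0000-0005", 5.3, "hr-portal", True),
]
EXPLOITED_IN_THE_WILD = {"CVE-0000-0002", "CVE-0000-0005"}

def priority_key(f: Finding, exploited: set) -> tuple:
    """Lower tuples sort first: observed exploitation outranks raw severity,
    exposure breaks the tie, and CVSS only orders findings within a tier. So a
    7.5 being exploited on an internet-facing host precedes an un-exploited
    9.8 on an internal build server."""
    exploited_tier = 0 if f.cve in exploited else 1
    exposure_tier = 0 if f.internet_facing else 1
    return (exploited_tier, exposure_tier, -f.cvss)

def prioritize(findings: list, exploited: set) -> list:
    """CVE identifiers in the order remediation effort should be spent."""
    ordered = sorted(findings, key=lambda f: priority_key(f, exploited))
    return [f.cve for f in ordered]
```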
Risk Management
• Risk management is the continuing process to identify, analyze, evaluate, and treat loss exposures and monitor risk control and financial resources to mitigate the adverse effects of loss.
• Risk is the impact to an asset by a threat actor exploiting a vulnerability.
• Three components need to be present for a threat to be accurately described: capability, intent, and opportunity. Threat intelligence is designed to provide answers to these questions.
• Good threat intelligence will also be able to predict what the threat will likely be in the future, or if there are likely to be more.
• Predicting the future is what all risk team members want to do, and though that’s not really possible, threat intelligence does provide answers to questions that risk managers and security leaders ask.
Security Engineering
• Security engineers regularly benefit from threat intelligence data.
• Threat intelligence gathered from security research or criminal communities can offer insight into the effectiveness of security measures across a company.
• This feedback can then be analyzed and operationalized by your organization’s security engineers.
Detection and Monitoring
• Threat intelligence as applied to security operations is all about enriching internal alerts with the external information and context necessary to make decisions.
• For analysts working in a security operations center (SOC) to interpret incoming detection alerts, context is critical in enabling them to triage quickly and move on to scoping potential incidents.
• Automated threat intelligence tailored to the needs of the detection team improves the analyst workflow by providing timely details.
• A detection team can easily leverage automation techniques to query threat intelligence data to extract reputation information, passive DNS details, and malware associations linked to a domain that appears in an alert.
8.5 Threat Hunting
• Threat hunting is a proactive and iterative approach to defense, rooted in a mindset that the attacker is already in your system.
• This approach means making fewer potentially damaging assumptions about your organization’s security posture.
• Just because a breach isn’t visible doesn’t mean it hasn’t already occurred.
• Threat hunting requires analysts to see beyond alerts and dig deep to find malicious actors in the network that may have slipped past defenses.
• Threat hunting can benefit tremendously from technologies such as machine learning (ML) and user and entity behavior analytics (UEBA). However, the practice can never be fully automated because hunting often requires analysts to step into the minds of attackers and see things from their point of view.
• At the very least, you should address the following questions before moving forward:
What is the purpose of the hunt?
Where will it be conducted?
What resources do I need to conduct the hunt?
Who are the key stakeholders?
What is the desired outcome of the hunt?
Threat Hunting Process
Establishing a Hypothesis
• Hypotheses can be seen as educated guesses that need two key components to be valid:
The first is some observable aspect that goes beyond an analyst’s hunch.
The second component of every good hypothesis is that it must be testable.
• Your hypotheses should be clear and concise.
Profiling Threat Actors and Activities
• Threat hunting isn’t spared from one of the biggest problems in defending modern systems: the volume and complexity of attacks. MITRE ATT&CK and other frameworks help hunters figure out what to focus on by providing a foundation that brings some order to the chaos.
• Tactics and techniques are grouped within a matrix that can be used for confirming hunting hypotheses.
8.6 Threat Hunting Tactics
• A security team doesn’t have to spend significant amounts of money to get a threat hunting effort started.
• Threat hunters often rely on existing security tools to achieve their key tasks. Firewalls, endpoint protection software, and intrusion detection systems (IDSs), for example, can be used to help reveal indicators of compromise.
• Additionally, hunters can use security information and event management (SIEM) solutions to aggregate vast amounts of log and traffic data to enable statistical analyses and visualization tools to present trends and highlight anomalies in useful ways.
High-Impact TTPs
• Initial Access and Discovery
• Persistence
• Lateral Movement and Privilege Escalation
• Command and Control
• Exfiltration
• Searching
• Clustering and Grouping
• Stacking
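Stacking (stack counting) from the list above, as an added example that is not part of the module: process-start telemetry is grouped by parent/child pair and counted per host, so values seen on only one or two hosts surface as hunting leads while the fleet-wide baseline sinks to the bottom. The host names and events are constructed.

```python
from collections import defaultdict

# Constructed process-start telemetry, one event per line: host,parent,image.
EVENTS = """\
ws01,explorer.exe,outlook.exe
ws01,services.exe,svchost.exe
ws02,explorer.exe,outlook.exe
ws02,services.exe,svchost.exe
ws03,explorer.exe,outlook.exe
ws03,services.exe,svchost.exe
ws03,winword.exe,powershell.exe
ws04,explorer.exe,outlook.exe
ws04,services.exe,svchost.exe
ws05,explorer.exe,outlook.exe
ws05,services.exe,svchost.exe
ws05,explorer.exe,chrome.exe
"""

def parse_events(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if line.strip():
            host, parent, image = line.split(",")
            rows.append((host, parent, image))
    return rows

def stack(rows: list, key) -> list:
    """Stack counting: for each distinct value of `key`, count the hosts that
    produced it. Returns (value, host_count) pairs, rarest values first."""
    hosts_by_value = defaultdict(set)
    for row in rows:
        hosts_by_value[key(row)].add(row[0])
    return sorted(((v, len(h)) for v, h in hosts_by_value.items()),
                  key=lambda item: (item[1], item[0]))

def rare(rows: list, key, max_hosts: int = 1) -> list:
    """Hunting leads: values seen on no more than `max_hosts` hosts. Rarity is
    not proof of compromise; each lead still needs analyst review."""
    return [v for v, n in stack(rows, key) if n <= max_hosts]

def parent_child(row):
    return (row[1], row[2])
```

The word-processor-to-PowerShell pair surfaces next to a browser that is simply installed on one machine, which is why stacking narrows the search rather than replacing the hypothesis.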
8.7 Delivering Results
• Documenting the Process
• Integrating Vulnerability Management with Threat Hunting
• Attack Vectors (malware, vulnerability exploitation, social engineering, or insiders)
• Integrated Intelligence
• Improving Detection Capabilities
Focus Areas
• When performing threat hunting, you should always examine certain key areas of the infrastructure, both when looking for specific threats and when looking for anything in general that might indicate malicious activity.
• Some areas in the infrastructure warrant specialized or additional attention, such as device configuration, sensitive network segments, critical business processes, active defense controls, and security devices used to distract hackers.
Configurations/Misconfigurations
• Baselining device configuration on your network and standardizing operating systems, applications, and access controls are two ways to detect when those devices are out of configuration.
• A change in configuration, particularly one that has not been put through standard configuration and change management controls, may be indicative of malicious activity.
• Here are a few configuration items you should pay particular attention to:
Active Directory security policies
User and group privilege assignments
Rule sets configured on network security devices and host-based security services
Open ports, protocols, and running services
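Baseline comparison over the configuration items listed above, as an added example that is not part of the module: each host snapshot is diffed against the role baseline for open ports, running services, privileged group membership and password-policy settings, and any host with drift is reported for review against change records. The baseline and both host snapshots are constructed.

```python
# Constructed baseline for a hardened web-server role and two constructed
# host snapshots; web02 has drifted on several of the items listed above.
BASELINE = {
    "open_ports": {22, 443},
    "services": {"sshd", "nginx"},
    "local_admins": {"Administrator", "svc_backup"},
    "policy": {"PasswordComplexity": "enabled", "MinPasswordLength": "14"},
}
SNAPSHOTS = {
    "web01": {
        "open_ports": {22, 443},
        "services": {"sshd", "nginx"},
        "local_admins": {"Administrator", "svc_backup"},
        "policy": {"PasswordComplexity": "enabled", "MinPasswordLength": "14"},
    },
    "web02": {
        "open_ports": {22, 23, 443},
        "services": {"sshd", "nginx", "telnetd"},
        "local_admins": {"Administrator", "svc_backup", "jdoe"},
        "policy": {"PasswordComplexity": "disabled", "MinPasswordLength": "14"},
    },
}

def diff_config(baseline: dict, snapshot: dict) -> list:
    """Return (item, change, detail) tuples; an empty list means no drift."""
    findings = []
    for item in ("open_ports", "services", "local_admins"):
        current = snapshot.get(item, set())
        for value in sorted(current - baseline[item]):
            findings.append((item, "added", str(value)))
        for value in sorted(baseline[item] - current):
            findings.append((item, "removed", str(value)))
    for name, expected in baseline["policy"].items():
        actual = snapshot.get("policy", {}).get(name)
        if actual != expected:
            findings.append(("policy", "changed", f"{name}: {expected} -> {actual}"))
    return findings

def drifted_hosts(baseline: dict, snapshots: dict) -> dict:
    """Hosts whose snapshot differs from the baseline, with their findings.
    Each hit should be checked against change-management records: drift with
    no approved change is the hunting lead."""
    result = {}
    for host, snapshot in snapshots.items():
        findings = diff_config(baseline, snapshot)
        if findings:
            result[host] = findings
    return result
```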
Isolated Networks
• Isolated network segments that are logically separated include those whose data may be encrypted to and from specific hosts on the network as well as those that are separated through the VLAN configuration, for example.
• For isolated systems, you should focus on logical and physical system entry points, such as through firewalls, over specific ports, as well as traffic from and to specific hosts.
• In addition to rarely used network connections, you should also focus on physical access through uncontrolled removable media, such as portable drives or USB sticks.
Business-Critical Assets and Processes
• Beyond looking at the technical areas of the infrastructure, such as hosts and configuration items, you should also examine critical business processes and the systems that support those processes throughout the organization.
• Business processes that handle critical or sensitive information are particularly vulnerable to these types of attacks. You should look at all administrative, technical, and even physical or operational controls that protect these processes.
• Any weaknesses in any of these types of controls make these business processes more vulnerable.
Active Defense
• Employing active defenses is one way to reduce the viability of a threat exercising a vulnerability on the infrastructure.
• You should review configuration and audit trails of security devices when engaging in active threat hunting.
• Attackers will almost always seek to disable or circumvent a security device or other security control before and during an attack.
• Intrusion detection systems, firewalls, SIEM systems, and other security-oriented systems are particularly vulnerable.
Honeypots and Honeynets
• A honeypot is a device that is used to draw an attacker away from more sensitive portions of the infrastructure, since it seemingly is more interesting to the attacker or appears to be less protected.
• The reason for implementing a honeypot is that it gives the cybersecurity analyst an opportunity to observe attempts or an actual attack in progress.
• A honeynet is a group of these devices that may reside on different segments within the infrastructure.
• You should make use of this particular strategy in your threat hunting efforts to detect potentially malicious attacks and threats that may come into your infrastructure and are attracted to the honeypot first.