The cybersecurity industry is increasingly producing enormous amounts of raw threat data. The sheer volume of information threat researchers must sift through makes it difficult to collect, analyze, and research that data in a timely manner. This in turn limits their ability to understand what data is valid and useful and whether threat artifacts will result in legitimate threat indicators.
In fact, it has been estimated that it would take 8,774 analysts working full time for a year to process the same amount of security event data that machine analytics can process in that same time frame.
Even as new threat intelligence tools and services emerge, relatively few enterprises are able to use those tools effectively because of the way threat intelligence and technology evolve. Threat actors continually change their methods of attack, so the threat intelligence that supports detection must take new forms all the time to remain up to date. In addition, cloud technology, 5G, edge computing, and the explosion of IoT devices are fundamentally changing the nature of threats and how defenders protect enterprises against them. Threat intelligence researchers are clearly facing a big data problem.
What is cyber threat intelligence?
AT&T Alien Labs™ defines cyber threat intelligence as the actionable information needed to continuously detect threats and prioritize response. This includes the ongoing collection, normalization, research and analysis, and correlation of threat data to drive the appropriate and most effective response. Threat intelligence includes more than atomic indicators (the tools threat actors are using, such as malicious IP addresses, URLs, or hash values). Threat intelligence also provides insight into the overarching behaviors of adversaries, including their motivations, intent, and techniques.
All of this information can be used to develop comprehensive attacker profiles that help researchers draw inferences to better predict future attacks and support resiliency in threat detection. By considering the overall tactics, techniques, and procedures (TTPs) of threat actors, and not just their tools, security professionals can use threat intelligence to its most effective and primary purpose: to drive resiliency against threats and ultimately protect the business, its data, and its customers.
Analysis methods for threat intelligence
The Lockheed Martin Cyber Kill Chain® model for attack analysis accepts threat indicators as the fundamental building blocks of intelligence. This includes any piece of information that objectively describes an intrusion. Threat indicators are threat data, pulled from many different internal and external sources, which have been validated as malicious or known to be malicious. They can be as simple as knowing that, for example, a particular bad actor prefers to target Windows machines. Or, threat indicators can be compiled to create attacker profiles that are as complex as knowing the various targets, aliases, and methods used by a highly successful hacking group such as Winnti, which is believed to have activity dating back to 2011.
Winnti’s behavioral profile includes many variations of TTPs used in attacks that target multiple industries. For example, Winnti may use a phishing email to lure an IT employee into taking an action that ultimately results in their system being infected with malware. The malware, among other things, gives the adversary elevated access credentials and free rein over the business’ network through a trusted VPN. Winnti can then move laterally using common network admin tools and can exfiltrate data through the business’ trusted email services. These behaviors are just a few of dozens associated with Winnti. Researchers have developed a catalogue of attacks performed by this adversary group (or groups), including the common tools and techniques they use and the relationships between attacks.
Because the threat landscape is always evolving, researchers and analysts must consider which technologies and methods are the most effective for analyzing, identifying, and containing threats in a particular moment.
What are the most common types of threat intelligence?
Over the years, discussions on the most appropriate types of threat intelligence to use in detection and response have evolved. Some have declared the death of atomic threat indicators (such as IP address, file hashes, and domains) as detection tools, instead turning to behavioral-based approaches that identify and categorize the patterns and behaviors of malware and adversaries.
However, the increasing use of open-source tools among defenders has complicated malware attribution and clustering, because adversaries use these same open-source tools to understand and adjust their attack methods. In addition, the emergence of commercialized cybercrime and crime syndicates has significantly changed the level at which threat intelligence must be delivered: malware families are modularized and sold on the black market as individual components that can be easily purchased and quickly used in an attack.
Threat researchers, therefore, must use multiple layers of intelligence to identify adversaries whose methods and behaviors will likely fluctuate or malware that may have many variations. These layers span the spectrum of simple indicators of compromise (IOCs) to more complex identification of common adversary TTPs and malware characteristics. By using layered threat intelligence, security professionals are able to better ensure resiliency in threat detection.
Reviewing common threat indicators used for analysis
When it comes to identifying atomic threat indicators, research teams can use various forms of automated analysis to perform tasks that would otherwise require manual work by a researcher. These tasks may include the daily extraction of threat indicators from dozens of vendor or government reports, alerts, articles/blogs, and social media.
Some examples of threat indicators that can be automatically identified and extracted from reports, analysis, and unstructured data include:
- CIDR Rules: Classless Inter-Domain Routing, a set of IP standards that are used to create unique identifiers for networks and individual devices
- CVE Number: The Common Vulnerabilities and Exposures identifier of a vulnerability
- Domains: The domain name for a website or server
- Email: An email description, content, or headers
- File hashes: Strings of numbers and letters assigned to electronic data by a computer algorithm that provide a unique “digital fingerprint” of a file (e.g. MD5, SHA1, SHA256, PEHASH, and IMPHASH)
- File paths: The file system paths of known files and devices (i.e. the complete location or name of where a computer, file, device, or web page is located)
- Hostnames: The subdomains for a website or server
- MUTEX name: A mutual exclusion object (a program object that allows multiple program threads to share the same resource, but not simultaneously)
- IP addresses: An IPv4 or IPv6 address that identifies each machine/device using the Internet Protocol (IP) to communicate over a network
- URI: The Uniform Resource Identifier (URI) describing the path to a file hosted online
- URL: The Uniform Resource Locator (URL) summarizing the online location of a file or resource
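As an added illustration of the extraction step described above (example code written for this article, not code from the original post or from AT&T Alien Labs), the following Python script pulls several of the listed indicator types out of a constructed, defanged report excerpt. The file-extension denylist and the "mutex <name>" heuristic are assumptions of this example.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample excerpt, not taken from any real advisory. Indicators are
# "defanged" the way vendor reports print them, so they must be refanged first.
SAMPLE_REPORT = r"""
The loader beacons to hxxp://update.example-cdn[.]net/api/v2/check.php and to
198.51.100[.]17 on TCP/443; the block 203.0.113.0/24 was also observed.
SHA256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef and
MD5 0123456789abcdef0123456789abcdef were dropped. Exploits CVE-2021-44228.
Persists as C:\Users\Public\svchost32.exe and creates mutex Global\MsUpdateLock.
"""
# Assumed denylist: bare file names ("svchost32.exe") look like domains to a regex.
FILE_EXTENSIONS = {"exe", "dll", "php", "txt", "zip", "doc", "pdf", "js", "ps1"}
IPV4_OR_CIDR = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
KINDS = ("cve", "url", "domain", "ipv4", "cidr", "md5", "sha1", "sha256", "path", "mutex")

def refang(text: str) -> str:
    """Undo common defanging: hxxp -> http, [.] / (.) / [dot] -> '.', [:] -> ':'."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", text, flags=re.I)
    return text.replace("[:]", ":")

def extract_indicators(text: str) -> dict:
    """Pull atomic indicators out of unstructured text; returns sorted lists per type."""
    t = refang(text)
    found = {k: set() for k in KINDS}
    found["cve"].update(m.upper() for m in re.findall(r"\bCVE-\d{4}-\d{4,}\b", t, re.I))
    found["url"].update(u.rstrip(".,;") for u in re.findall(r"\bhttps?://[^\s'\"<>()]+", t, re.I))
    for name, n in (("sha256", 64), ("sha1", 40), ("md5", 32)):  # \b stops 32 matching inside 64
        found[name].update(h.lower() for h in re.findall(rf"\b[0-9a-f]{{{n}}}\b", t, re.I))
    for cand in IPV4_OR_CIDR.findall(t):
        try:  # ipaddress rejects octets > 255 and prefix lengths > 32
            if "/" in cand:
                found["cidr"].add(str(ip_network(cand, strict=False)))
            else:
                found["ipv4"].add(str(ip_address(cand)))
        except ValueError:
            pass
    for d in DOMAIN.findall(t):
        if d.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
            found["domain"].add(d.lower())
    found["domain"].update(h for h in (urlsplit(u).hostname for u in found["url"]) if h)
    found["path"].update(re.findall(r"\b[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+", t))  # Windows paths only
    found["mutex"].update(re.findall(r"\bmutex\s+([\w\\{}-]+)", t, re.I))  # heuristic "mutex <name>"
    return {k: sorted(v) for k, v in found.items()}
```

Anything this pulls out is still raw threat data, not a validated indicator: the regex cannot tell a sinkhole or a vendor's own domain from attacker infrastructure, so the output feeds the validation and correlation stages rather than a blocklist.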
Simple threat indicators are a useful starting place as a first line of defense and in building malware and threat actor profiles. However, they should not be relied on alone. These are the tools that threat actors can (and do) change frequently and quite easily, often using automation themselves.
How threat intelligence empowers AT&T Cybersecurity solutions
One of our key brand promises is to deliver our customers the tactical threat intelligence needed for timely and resilient detection and response to threats against their organization.
AT&T Alien Labs delivers breakthrough visibility across your business via our unrivaled vantage point of the threat landscape. We collect diverse threat data for analysis, interpretation, and enrichment from our global sensor network, AT&T proprietary data sources, and AT&T Alien Labs Open Threat Exchange (OTX). This tactical threat intelligence is integrated into our Unified Security Management (USM) platform and our Managed Threat Detection and Response service. Learn more by visiting our AT&T Alien Labs main page.