Cyber Threat Intelligence Services - Anticipate the Unknown
You have probably noticed that in organizations from multinational enterprises to midmarket companies, information security teams are racing to add threat intelligence to their security program. But you may also have heard some misconceptions: that threat intelligence is just data feeds and PDF reports, or is simply a research service for the incident response team, or requires a dedicated team of high-priced, elite analysts.
ValueMentor’s Unit 22 is a team of elite professionals powering all of ValueMentor’s MDR services.
An Intelligence-led Approach
Threat intelligence provides unique, comprehensive information surrounding active and evolving threats, with insight into adversary TTPs. Selecting a vendor with a frontline view of what industry- and business-specific threat actors are targeting, along with the tools they are likely to use, is critical when maturing a cyber security program.
There are three main sources of intelligence—adversary, victim and machine. Combined, they provide a holistic view of the threat landscape that includes visibility into adversary behaviors and motivations, an understanding of how security measures are bypassed and a view into malicious campaigns as they unfold.
- Adversary Intelligence
Understand who the adversaries are, what they’re after, and the risks they pose to an organization.
- Machine Intelligence
Visibility into attacker telemetry and proliferation, and visibility into emerging campaigns.
- Victim Intelligence
Learn what the attackers were after, where an organization’s security controls failed, and how those attackers continually evolve their TTPs.
Six Reasons Why CTI Matters
1. Lowering Risks
Cybercriminals with the intent and ability to harm individuals and organizations are continuously exploring new ways to penetrate organization networks. Cyber threat intelligence provides visibility into such emerging security hazards, reducing the risk of information loss, minimizing or blocking disruption to business operations, and supporting regulatory compliance.
2. Avoid loss of data
A cyber threat intelligence system acts as a watchdog when suspicious IP addresses or domains try to communicate with your network to collect important information. It helps prevent or block such addresses from infiltrating the network and stealing sensitive data. These intrusions, if not responded to in time, may escalate into a distributed denial of service attack causing extreme damage to a system.
3. Maximizing staffing
A threat intelligence system improves the efficiency of an organization’s security team by correlating threat intelligence with anomalies flagged by tools on the network. A threat intelligence team can integrate threat intelligence into an organization’s foundation to lower security response time and allow the company’s staff to focus on other essential tasks.
4. In-depth Threat Analysis
Cyber threat intelligence really helps the organization analyze the different techniques of a cybercriminal. By analyzing such cyber threats, the organization can determine whether the security defense systems can block such an attack.
5. Threat Intelligence Sharing
Sharing crucial cybersecurity information, such as how hackers plan a security breach, can help others prevent such attacks from occurring. The more organizations can defeat these attacks, the less often hackers execute such devastating attack plans.
6. Lowering Costs
Cyber threat intelligence can lower your overall expenses and save your business capital because improved defenses help mitigate an organization’s risk. In the aftermath of a data breach, the enterprise not only suffers data loss but also has to bear many costs: post-incident remediation and restoration, fines, legal fees, investigation expenses, damage to reputation and market position, and more.
Threat Intelligence Lifecycle @ ValueMentor
The direction phase of the lifecycle is where we set goals for the threat intelligence program. In this phase we identify:
- The information assets and business processes that need to be protected.
- The potential impacts of losing those assets or interrupting those processes.
- The types of threat intelligence that the security organization requires to protect assets and respond to threats.
- Priorities about what to protect.
Together, these steps keep our focus in the right direction.
Collection is the process of gathering information to address the most important intelligence requirements. Information gathering can occur organically through a variety of means, including:
- Subscribing to threat data feeds from industry organizations and cybersecurity vendors.
- Holding conversations and targeted interviews with knowledgeable sources.
- Scanning open source news and blogs.
- Scraping and harvesting websites and forums.
- Infiltrating closed sources such as dark web forums.
The data collected typically will be a combination of finished information, such as intelligence reports from cybersecurity experts and vendors, and raw data, like malware signatures or leaked credentials on a paste site.
We keep our indicator database updated with the latest indicators, which are collected from reputable external sources and filtered using our threat intelligence tools to flush out false positives.
Threat Intel Collection Platform
Our threat intelligence platform “Threatcat” is the heart of our threat intel collection system. It works alongside the following platforms:
1. ThreatConnect
2. Anomali Limo
3. IBM Threat Exchange
Processing is the transformation of collected information into a format usable by the organization. Different collection methods often require different means of processing. Human reports may need to be correlated and ranked, deconflicted, and checked. An example might be extracting IP addresses from a security vendor’s report and adding them to a CSV file for importing to a security information and event management (SIEM) product.
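The processing step above (pulling indicators out of a vendor report and turning them into a CSV for SIEM import) and the false-positive filtering mentioned under collection can be shown end to end. The following is an added example, not ValueMentor’s or Threatcat’s code: the report text, the hash and the addresses (RFC 5737 documentation ranges) are constructed for illustration, and the allowlist is a hypothetical list of infrastructure the organization knows is benign.

```python
"""Added example: turn a vendor report into SIEM-ready indicator rows.

Not ValueMentor's code. The report text, the hash and the addresses are
constructed (RFC 5737 documentation ranges, a placeholder hash), not real IoCs.
"""
import csv
import io
import ipaddress
import re

SAMPLE_REPORT = """\
Campaign X staged its C2 on 203.0.113.45 and 198.51.100[.]7.
The dropper (MD5 0123456789abcdef0123456789abcdef) beaconed to
hxxp://203[.]0[.]113[.]45/gate.php every 60 seconds.
Lateral movement used the victim's internal host 10.0.0.5.
Port scans originated from 192.0.2.200; 192.0.2.200 was seen twice.
Malformed address 999.1.2.3 appeared in one log line.
"""

# Hypothetical allowlist: infrastructure the organisation knows is benign
# (its own egress, a shared CDN). Importing it as an IoC would be a false positive.
ALLOWLIST = {"192.0.2.200"}

# Ranges that are noise in a blocklist: RFC 1918, loopback, link-local, multicast.
# ipaddress.is_private would also reject the RFC 5737 documentation ranges used
# in this constructed sample, so the filter is spelled out explicitly.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Dotted quads in which any dot may be defanged as "[.]"
IPV4_RE = re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b")
# MD5 / SHA1 / SHA256 hex digests
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(token: str) -> str:
    """Undo common defanging so the value matches what the SIEM will see."""
    return token.replace("[.]", ".").replace("hxxp", "http")


def extract_indicators(text: str, source: str) -> list:
    """Return deduplicated {indicator, type, source} rows in first-seen order."""
    rows, seen = [], set()

    def add(value: str, kind: str) -> None:
        if value not in seen:
            seen.add(value)
            rows.append({"indicator": value, "type": kind, "source": source})

    for match in IPV4_RE.findall(text):
        value = refang(match)
        try:
            ip = ipaddress.IPv4Address(value)
        except ValueError:
            continue  # regex matched, but an octet is out of range
        if any(ip in net for net in NOISE_NETS) or value in ALLOWLIST:
            continue  # internal or allowlisted: a false positive if imported
        add(value, "ipv4")

    for match in HASH_RE.findall(text):
        add(match.lower(), HASH_TYPES[len(match)])
    return rows


def to_csv(rows: list) -> str:
    """Serialise rows as CSV text ready for a SIEM watchlist import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["indicator", "type", "source"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(extract_indicators(SAMPLE_REPORT, "vendor-report-example")))
```

The internal host, the allowlisted scanner address and the malformed address all drop out, and the C2 address that appears twice (once plain, once defanged inside a URL) is emitted once. Keeping a `source` column is what later lets an analyst trace a blocked connection back to the report that produced the indicator.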
Analysis is a human process that turns processed information into intelligence that can inform decisions. Depending on the circumstances, the decisions might involve whether to investigate a potential threat, what actions to take immediately to block an attack, how to strengthen security controls, or how much investment in additional security resources is justified. To keep communication easy, the documentation we share follows these rules:
- Be concise (a one-page memo or a handful of slides)
- Avoid confusing and overly technical terms and jargon
- Articulate the issues in business terms (such as direct and indirect costs and impact on reputation)
- Include a recommended course of action
Dissemination involves getting the finished intelligence output to the places it needs to go, currently our MDR-SOC services and customers.
The team at Unit-22 believes it is critically important to collect feedback, which helps us understand your overall intelligence priorities and the requirements of the security functions that will be consuming the threat intelligence:
- What types of data to collect
- How to process and enrich the data to turn it into useful information
- How to analyze the information and present it as actionable intelligence
- To whom each type of intelligence must be disseminated, how quickly it needs to be disseminated, and how fast to respond to questions.
Typical Indicators That We Look For
The Pyramid of Pain diagram (the image is not reproduced here) shows the relationship between the types of indicators used to detect an adversary’s activities and how much pain it causes them when you are able to deny those indicators to them.
Hash Values
SHA1, MD5 or other similar hashes that correspond to specific suspicious or malicious files. Often used to provide unique references to specific samples of malware or to files involved in an intrusion. It is so easy for hash values to change, and there are so many of them around, that in many cases it may not even be worth tracking them.
IP Addresses
Next is an IP address, or maybe a netblock. Any reasonably advanced adversary can change IP addresses whenever it suits them, with very little effort. That’s why IP addresses are green in the pyramid. If you deny the adversary the use of one of their IPs, they can usually recover without even breaking stride.
Domain Names
One step higher on the pyramid, we have Domain Names (still green, but lighter). These are slightly more of a pain to change, because in order to work, they must be registered, paid for (even if with stolen funds) and hosted somewhere. That said, there are a large number of DNS providers out there with lax registration standards (many of them free), so in practice it’s not too hard to change domains.
Network and Host Artifacts
This is the level, at last, where you start to have some negative impact on the adversary. When you can detect and respond to indicators at this level, you cause the attacker to go back to their lab and reconfigure and/or recompile their tools. A great example would be when you find that the attacker’s HTTP recon tool uses a distinctive User-Agent string when searching your web content (off by one space or semicolon, for example, or maybe they just put their name in it).
If you block any requests which present this User-Agent, you force them to go back and spend some time:
a. figuring out how you detected their recon tool, and
b. fixing it.
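The User-Agent artifact described above is something a SOC can hunt for in web server logs. The following is an added example, not code from ValueMentor: it parses constructed Combined Log Format lines (addresses from the RFC 5737 documentation ranges) and flags requests whose User-Agent either matches a hypothetical known artifact (a browser string with the space after a semicolon dropped) or shows a formatting quirk that real browsers do not produce.

```python
"""Added example: flag requests whose User-Agent carries a tool artifact.

Not ValueMentor's code. Log lines, addresses (RFC 5737) and the artifact
signature are constructed for the example.
"""
import re

# Combined Log Format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Hypothetical artifact: a recon tool that copied a browser UA but dropped the
# space after the semicolon in "Windows NT 10.0; Win64". Exact-match signature.
ARTIFACT_UAS = {
    "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36",
}

# Generic quirk checks: mainstream browsers do not emit these, so a hit is
# worth an analyst's look even before a specific tool has been fingerprinted.
QUIRK_CHECKS = {
    "double-space": re.compile(r"  "),
    "semicolon-without-space": re.compile(r";\S"),
    "trailing-space": re.compile(r" $"),
}

# Constructed access log: one normal browser, one tool hitting two paths, one
# client whose UA contains a double space.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36"
192.0.2.44 - - [10/Oct/2023:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)  Firefox/118.0"
"""


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not in CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_artifacts(log_text: str) -> list:
    """One finding per request whose UA matches a known artifact or a quirk."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        ua = entry["ua"]
        reasons = []
        if ua in ARTIFACT_UAS:
            reasons.append("known-artifact")
        reasons += [name for name, rx in QUIRK_CHECKS.items() if rx.search(ua)]
        if reasons:
            findings.append({"ip": entry["ip"], "request": entry["request"],
                             "ua": ua, "reasons": reasons})
    return findings


def sources_to_review(findings: list) -> dict:
    """Collapse findings to source addresses with hit counts for the analyst queue."""
    counts = {}
    for finding in findings:
        counts[finding["ip"]] = counts.get(finding["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_artifacts(SAMPLE_LOG)
    for hit in hits:
        print(hit["ip"], hit["request"], hit["reasons"])
    print(sources_to_review(hits))
```

The exact-match set is the indicator you derive from an incident; the quirk checks are the generalisation that keeps catching the tool after the adversary edits the string slightly. Quirk hits need tuning against your own traffic, since some legitimate crawlers and embedded clients also send oddly formatted User-Agents.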
Tools
The next level is labelled “Tools” and is definitely yellow. At this level, we are taking away the adversary’s ability to use one or more specific arrows in their quiver. This is a big win, because they have to invest time in research (find an existing tool that has the same capabilities), development (create a new tool if they are able) and training (figure out how to use the tool and become proficient with it).
Tactics, Techniques & Procedures
Finally, at the apex are the TTPs. When you detect and respond at this level, you are operating directly on adversary behaviors, not against their tools. For example, you are detecting Pass-the-Hash attacks themselves (perhaps by inspecting Windows logs) rather than the tools they use to carry out those attacks. From a pure effectiveness standpoint, this level is your ideal. If you are able to respond to adversary TTPs quickly enough, you force them to do the most time-consuming thing possible: learn new behaviors.
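The Pass-the-Hash example above can be made concrete as a rule run over Windows Security events. The following is an added example, not ValueMentor’s code: the events are constructed dicts shaped like the fields of Event ID 4624, the high-confidence rule is the logon type 9 / `seclogo` / `Negotiate` combination documented in public detection rules for pass-the-hash sessions, and the low-confidence rule flags NTLM network logons by user accounts, which is how a hash replayed against another host shows up on that host.

```python
"""Added example: TTP-level detection of pass-the-hash patterns in Windows
Security events. Not ValueMentor's code. The events below are constructed
dicts carrying the fields of Event ID 4624 (successful logon); addresses are
RFC 5737 documentation ranges.
"""

# Constructed events: an interactive logon, a Kerberos network logon, the
# type 9 / seclogo / Negotiate combination, an NTLM network logon by a user,
# and an NTLM network logon by a machine account.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 2, "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "alice",
     "IpAddress": "127.0.0.1", "Computer": "WS01"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice",
     "IpAddress": "192.0.2.10", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "svc_backup",
     "IpAddress": "::1", "Computer": "WS01"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_backup",
     "IpAddress": "192.0.2.10", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "WS02$",
     "IpAddress": "192.0.2.22", "Computer": "FS01"},
]


def detect_pth(events: list) -> list:
    """Apply two pass-the-hash rules to 4624 events and return findings.

    high: new-credentials logon (type 9) through the seclogo logon process with
          Negotiate. This is the published fingerprint of a pass-the-hash
          session; note that a legitimate 'runas /netonly' produces the same
          event, so triage it with process-creation context rather than alone.
    low:  NTLM network logon (type 3) by a user account, excluding machine
          accounts and anonymous logons. Pass-the-hash over the network is
          NTLM by definition, but so is plenty of legacy traffic.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        user = ev.get("TargetUserName", "")
        base = {"user": user, "host": ev.get("Computer"), "src": ev.get("IpAddress")}
        if (ev.get("LogonType") == 9
                and ev.get("LogonProcessName") == "seclogo"
                and ev.get("AuthenticationPackageName") == "Negotiate"):
            findings.append({"rule": "pth-seclogo-negotiate", "severity": "high", **base})
        elif (ev.get("LogonType") == 3
                and ev.get("AuthenticationPackageName") == "NTLM"
                and user != "ANONYMOUS LOGON"
                and not user.endswith("$")):
            findings.append({"rule": "ntlm-network-logon", "severity": "low", **base})
    return findings


def correlate_by_user(findings: list) -> dict:
    """Group findings by account; a high and a low hit on the same account is the
    pattern worth escalating (hash injected locally, then replayed remotely)."""
    by_user = {}
    for finding in findings:
        by_user.setdefault(finding["user"], []).append(finding["rule"])
    return by_user


if __name__ == "__main__":
    hits = detect_pth(SAMPLE_EVENTS)
    for hit in hits:
        print(hit["severity"], hit["rule"], hit["user"], hit["host"])
    print(correlate_by_user(hits))
```

Neither rule depends on the name or hash of any tool, which is the point of working at the TTP level: an adversary who swaps tools still produces the same logon events, and the correlation step turns two medium-fidelity signals on one account into something an analyst can act on.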
ValueMentor - Your Threat Intelligence Provider
- Fully Integrated with ValueMentor’s MDR-SOC Service
Threat intelligence is an integral part of ValueMentor’s MDR-SOC service offerings, so you don’t have to invest further in a different vendor when it comes to threat intelligence.
- Here Threat Intelligence is not just about IP, Domain & Hashes
Threat hunters at Unit-22 rely on field experience with network and host artifacts, tools and TTPs: the threat intelligence that really matters and that really hurts adversaries.
- A Unique Combination of Human Analysis & Automation
At ValueMentor, we still believe in expert human analysis as the foundation for automation, which greatly reduces the risk of automated data analysis missing adversaries. Our in-house developed platform “Threatcat” acts as the core of our threat intelligence services.