Cyber Threat Intelligence

Demystifying Cyber Threat Intelligence (CTI): From Noise to Action

Let's delve into the world of Cyber Threat Intelligence! Whether you are a SOC analyst or a business leader, understanding how we transform data into defense is the first step toward a resilient security posture.

Defining Intelligence

First of all, what do we mean by intelligence? One definition I found that I quite like is: Intelligence is information that has been refined and analysed to make it actionable.

This is important in cyber security, as we want to take raw threat data, strip out the noise and make it actionable by using it to defend ourselves against threats. In an era of "alert fatigue," the ability to distinguish a true threat from background noise is what allows a security team to prioritize effectively.


The Intelligence Cycle

To achieve this refinement, we follow a structured Intelligence cycle. This ensures that our findings are not just interesting, but actually useful to the organization:

  1. Requirements: Defining what needs to be protected and what questions need answering.

  2. Data collection: Gathering raw information from various internal and external sources.

  3. Data processing: Organizing and cleaning the data so it can be interpreted.

  4. Analysis: Looking for patterns and turning processed data into actual intelligence.

  5. Dissemination: Getting the right information to the right people at the right time.

  6. Feedback and continuous improvement: Learning from the process to make the next cycle even sharper.

Breaking the Kill Chain

Another important term is Kill Chain. The term "kill chain" refers to the concept that an adversary must complete a sequential series of stages—a chain of events—to successfully achieve their ultimate objective. This could include actions like:

  • Stealing sensitive data.

  • Deploying devastating ransomware.

  • Publishing malicious npm packages to compromise the supply chain.

The beauty of this model lies in its simplicity for the defender: if a defender can break just one link in this chain, that attack fails. By understanding the adversary's steps, we don't have to be perfect everywhere; we need to succeed at one stage. The caveat is that a determined adversary can retry with a different technique at the broken link, so breaking the chain buys detection and response time rather than ending the campaign outright.


Why This Matters

Ultimately, CTI exists to enable a threat-informed defense. By focusing on the motivations, intentions, and methods of adversaries, we stop chasing every ghost in the machine and start defending against the threats that actually matter to our mission.



Understanding the Core of CTI: From Theory to Application

To build a truly resilient security posture, we have to look beyond just the tools we use and focus on the knowledge behind the threats. Cyber Threat Intelligence (CTI) is knowledge about adversaries and their motivations, intentions, and methods that is collected, analysed, and disseminated in ways that help security and business staff at all levels protect critical assets of the enterprise.

But why do we do this? The ultimate goal is to enable threat-informed defense. By understanding the "who" and the "how," we stop defending in the dark.

Defining Threats and Risk

Before we can defend, we must understand what we are up against. According to NIST, a threat is any circumstance or event with the potential to adversely impact organisational operations, assets, or individuals through an information system via unauthorised access, destruction, disclosure, modification of information, and/or denial of service.

When we evaluate these threats, we look at Risk, which can be simplified into a fundamental equation:

Risk = Likelihood × Impact

The product is what matters: a catastrophic outcome that is very unlikely, or a near-certain event with negligible impact, both score low, which is what lets a team rank threats instead of treating every one as critical.


The Three Levels of Intelligence

Not all intelligence is the same. To be effective, CTI must be tailored to the audience consuming it:

  1. Strategic: Focuses on broad trends and actor motivations. This is designed for C-Level Executives to help with long-term decision-making.

  2. Operational: Looks at specific behavior and capabilities. This is the domain of Threat Hunters and threat researchers.

  3. Tactical: Deals with technical IOCs (Indicators of Compromise) and threat indicators. This provides the day-to-day data needed by SOC Analysts.


TTPs: The Adversary’s Playbook

To understand how an attacker operates, we use the framework of TTPs (Tactics, Techniques, and Procedures):

  • Tactics: The high-level description of the behaviour and strategy of a threat actor.

  • Techniques: The non-specific, intermediate methods that describe how a tactic can be realised.

  • Procedures: These refer to the sequence of actions performed using a technique to execute on an attack tactic, involving detailed descriptions of activities.

Example in Action: A Tactic might be Reconnaissance. The Technique used to achieve this is Scanning. The specific Procedure is performing a Vulnerability Scan.


IOC vs. IOA: Knowing When You're Under Fire

It is crucial to distinguish between two types of indicators:

  • IOC (Indicator of Compromise): This is evidence on a system that indicates that the security of the network has been breached (e.g., a known malicious file).

  • IOA (Indicator of Attack): This focuses on detecting the intent of what an attacker is trying to accomplish and its behavior, regardless of the malware or exploit used.


Adopting a Threat-Informed Defense

A threat-informed defense isn't just about technical settings; it’s about asking the right questions to understand your organization's unique position:

  • What is the mission of my organisation?

  • What threat actors are interested in my organisation's industry?

  • What are the motivations of those threat actors?

  • What TTPs are those threat actors using?

  • How can I detect and protect my organisation against those TTPs?

By answering these questions, we move from a reactive "catch-all" approach to a precision-based defense strategy.




Moving Toward Proactive Defense: Threat Hunting and Frameworks

In the world of cybersecurity, we cannot always wait for an alert to fire. Sometimes, the most dangerous threats are the ones that have already slipped past your initial defenses. This brings us to a critical practice: Threat Hunting.

What is Threat Hunting?

Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in your environment. Unlike traditional monitoring, which is reactive, hunting assumes a breach may have already occurred and seeks to find the "silent" adversary.

There are two primary models for conducting these hunts:

  • Intelligence-based hunting: This model leverages technical indicators such as IOCs, hash values, IP addresses, domain names, or host artifacts to find known malicious activity.

  • Hypothesis-based hunting: This is a more behavioral approach where you hunt based on the IOA (Indicators of Attack) and TTPs of adversaries.
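As an added example (not from the original post) that covers both the IOC versus IOA distinction above and the two hunting models just listed, the script below runs an intelligence-based hunt (hash and IP matching) and a hypothesis-based hunt (an Office application spawning a script host, ATT&CK T1566.001 leading to T1059) over the same constructed process telemetry. Every host name, hash, address and command line is made up; the hashes are placeholders and the addresses come from the documentation ranges.

```python
"""Intelligence-based (IOC) versus hypothesis-based (IOA/TTP) hunting over the same
endpoint telemetry. Added example, not code from the page; every host name, hash,
IP address and command line below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str              # parent process image name
    image: str               # child process image name
    cmdline: str
    sha256: str              # hash of the child image
    dest_ip: Optional[str]   # outbound connection made by the child, if any


# Intelligence-based hunt: atomic indicators as a threat feed would supply them (constructed).
KNOWN_BAD_HASHES = {"deadbeef" * 8}     # placeholder 64-hex-character SHA-256
KNOWN_BAD_IPS = {"203.0.113.10"}        # TEST-NET-3 address, documentation range only

# Hypothesis-based hunt: "phishing documents spawn a script host" (ATT&CK T1566.001 -> T1059).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

SAMPLE_EVENTS: List[ProcessEvent] = [
    # Known payload from the feed, dropped by a Word document.
    ProcessEvent("ws-01", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
                 "deadbeef" * 8, "203.0.113.10"),
    # Clean browser binary talking to a known C2 address.
    ProcessEvent("ws-02", "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default",
                 "00" * 32, "203.0.113.10"),
    # Same behaviour as ws-01 with a rebuilt payload and fresh infrastructure: no IOC matches.
    ProcessEvent("ws-03", "EXCEL.EXE", "wscript.exe",
                 r"wscript.exe //e:jscript C:\Users\Public\inv.js",
                 "cafebabe" * 8, "198.51.100.7"),
    # Administrator running a scheduled script: a script host, but no Office parent.
    ProcessEvent("ws-04", "explorer.exe", "powershell.exe",
                 r"powershell.exe -File C:\scripts\backup.ps1",
                 "11" * 32, None),
]


def ioc_hunt(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Match atomic indicators; returns host -> matched indicators."""
    hits: Dict[str, List[str]] = {}
    for e in events:
        reasons = []
        if e.sha256 in KNOWN_BAD_HASHES:
            reasons.append(f"hash {e.sha256}")
        if e.dest_ip in KNOWN_BAD_IPS:
            reasons.append(f"ip {e.dest_ip}")
        if reasons:
            hits[e.host] = reasons
    return hits


def ioa_hunt(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Match behaviour, ignoring which binary or address is involved; host -> reasons."""
    hits: Dict[str, List[str]] = {}
    for e in events:
        parent, image, cmd = e.parent.lower(), e.image.lower(), e.cmdline.lower()
        reasons = []
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            reasons.append(f"{parent} spawned {image} (T1566.001 -> T1059)")
        if image in {"powershell.exe", "pwsh.exe"} and " -enc" in cmd:
            reasons.append("encoded PowerShell command line (T1059.001, T1027)")
        if reasons:
            hits[e.host] = reasons
    return hits


if __name__ == "__main__":
    for name, hunt in (("IOC hunt", ioc_hunt), ("IOA hunt", ioa_hunt)):
        print(name, hunt(SAMPLE_EVENTS))
```

Host ws-03 is the point of the exercise: the rebuilt payload and fresh C2 address leave the IOC feed with nothing to match, while the behaviour is identical to ws-01 and the IOA rule still fires. The encoded-command check is a substring test on ` -enc`, so it also matches `-EncodedCommand` but not the one-letter `-e` alias; in production you would tokenise the command line rather than substring-match it.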


Where Does the Intelligence Come From?

To hunt effectively, you need reliable data. There are various sources we can leverage for CTI:

  • Enterprise Sources: High-fidelity data from major security vendors like Microsoft, CrowdStrike, and Cisco.

  • OSINT (Open Source Intelligence): Publicly available tools and platforms such as VirusTotal, Shodan, PulseDive, and even social media.


CTI Frameworks: The Diamond Model

To make sense of the data we collect, we use structured frameworks. One of the most essential is the Diamond Model.

The Diamond Model is used to analyze an intrusion by looking at the relationships between four core features:

  1. Adversary: The "Who" behind the attack.

  2. Infrastructure: The physical or logical resources the adversary uses (IPs, servers).

  3. Capability: The tools or techniques the adversary employs.

  4. Victim: The target of the activity.
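To show what the four features are for, here is an added example (not from the page) of analytic pivoting: starting from an event with a known adversary, unattributed events are linked through shared infrastructure or shared capability, with a guard that refuses to pivot on features too widely shared to mean anything. All event IDs, actor names, domains, addresses and victims are constructed.

```python
"""Pivoting across Diamond Model features to link intrusion events. Added example,
not code from the page; the events, actor names, domains and addresses are
constructed (documentation-range addresses and example.* domains)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: Optional[str]   # None = not yet attributed
    infrastructure: str        # C2 domain or address the adversary used
    capability: str            # malware family or tool
    victim: str


SAMPLE_EVENTS: List[DiamondEvent] = [
    DiamondEvent("E1", "ACTOR-A", "c2.example.net",  "LoaderX",       "bank-1"),
    DiamondEvent("E2", None,      "c2.example.net",  "LoaderX",       "bank-2"),
    DiamondEvent("E3", None,      "198.51.100.7",    "LoaderX",       "insurer-1"),
    DiamondEvent("E4", None,      "cdn.example.org", "Cobalt Strike", "retail-1"),
    DiamondEvent("E5", "ACTOR-B", "cdn.example.org", "Cobalt Strike", "retail-2"),
]

# Features too widely shared to support attribution on their own: a public CDN used
# by many tenants, and a commodity tool used by many actors.
COMMODITY: FrozenSet[str] = frozenset({"cdn.example.org", "Cobalt Strike"})


def pivot(events: List[DiamondEvent], feature: str, value: str) -> List[str]:
    """Every event sharing one feature value: the basic Diamond Model analytic move."""
    return [e.event_id for e in events if getattr(e, feature) == value]


def attribute(events: List[DiamondEvent],
              commodity: FrozenSet[str] = frozenset()) -> Dict[str, Tuple[Optional[str], str]]:
    """Propagate known adversaries to unattributed events that share a non-commodity
    infrastructure or capability feature, repeating until nothing changes."""
    actor = {e.event_id: e.adversary for e in events}
    reason = {e.event_id: "reported" if e.adversary else "unattributed" for e in events}
    changed = True
    while changed:
        changed = False
        for e in events:
            if actor[e.event_id] is not None:
                continue
            for feature in ("infrastructure", "capability"):
                value = getattr(e, feature)
                if value in commodity:
                    continue
                linked = [o for o in pivot(events, feature, value)
                          if o != e.event_id and actor[o] is not None]
                if linked:
                    actor[e.event_id] = actor[linked[0]]
                    reason[e.event_id] = f"shares {feature} {value!r} with {linked[0]}"
                    changed = True
                    break
    return {eid: (actor[eid], reason[eid]) for eid in actor}


if __name__ == "__main__":
    for eid, (who, why) in attribute(SAMPLE_EVENTS, COMMODITY).items():
        print(f"{eid}: {who or 'unknown'} ({why})")
```

Without the `commodity` guard, E4 would be attributed to ACTOR-B purely because both used the same public CDN and the same commodity tool; with it, E4 stays unattributed until a more distinctive overlap turns up. Real pivots also carry a confidence and a time window, which this example leaves out.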






Lockheed Martin Cyber Kill Chain (figure): Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives.

Mastering the Frameworks: MITRE ATT&CK®

To truly understand how an adversary operates, we need a common language. This is where MITRE ATT&CK comes in. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a globally accessible knowledge base of adversary behavior based on real-world observations.

Integrating Models

In the Diamond Model, the MITRE ATT&CK framework sits specifically at the TTP (Tactics, Techniques, and Procedures) level. While the Diamond Model helps us understand the relationship between actors and victims, ATT&CK provides the granular detail on exactly what the adversary is doing during an intrusion.

The ATT&CK Matrices

Adversaries don't use the same methods on a laptop as they do on a power grid. Because of this, the framework is divided into specific ATT&CK matrices:

  • Enterprise: Focusing on traditional office networks and cloud environments.

  • Mobile: Covering behaviors targeting mobile devices.

  • ICS: Specialized for Industrial Control Systems.


Tactics: The "Why"

In the ATT&CK framework, Tactics represent the "Why" of an adversary attacking an organisation. A tactic is the adversary’s strategic goal—the reason they are performing an action.

Currently, there are 14 tactics in the Enterprise matrix. To keep communication clear among security professionals, each tactic has a unique ID to make it easier to refer to.

For example, an analyst might refer to TA0001 to quickly identify "Initial Access" without any ambiguity.


Why Use ATT&CK?

By mapping observed behaviors to these tactics and IDs, we can move away from vague descriptions and toward a precise, data-driven defense. It allows us to ask: “Which tactics are we currently blind to?” and “Which techniques are most common in our specific industry?”

Are you currently using ATT&CK IDs in your incident reports, or are you still using more general descriptions of attacker behavior?

Deep Dive into ATT&CK: Techniques, Groups, and Campaigns

Understanding the high-level strategy of an attacker is a start, but true defense lies in the details of their execution. This is where we look at the mechanics of the MITRE ATT&CK framework.

Techniques and Sub-Techniques: The "How"

While Tactics explain the "Why," Techniques describe how an adversary performs its attack. As the threat landscape evolves, the framework stays updated; there are currently 201 techniques, though this is always subject to change.

To provide even more precision, the framework uses Sub-techniques. These also describe how an adversary performs its attack, but in more detail than the parent technique. Currently, there are 424 sub-techniques (subject to change).

A Practical Example:

  • Tactic: Reconnaissance (TA0043).

  • Technique: Active Scanning (T1595), e.g., using nmap.

  • Sub-technique: Vulnerability Scanning (T1595.002), e.g., using nmap's vulnerability scripts or Metasploit scanner modules.


Data Sources and Telemetry

To fight what we can't see, ATT&CK lists Data Sources for each technique: the telemetry that can reveal it, which tells you what you must collect before you can detect a TTP. For instance, if an adversary is performing reconnaissance via active scanning and vulnerability scanning, your primary data source is Network Traffic (flow records and content at the perimeter).

Mitigations: Reducing the Attack Surface

We use Mitigations as preventive configurations that reduce the attack surface. ATT&CK marks vulnerability scanning as pre-compromise, because the scan happens from outside before any foothold exists, so we can't stop an outsider from initiating one; we can still blunt it with rate limiting or by blocking addresses that scan or DoS us.

In other scenarios, like Privilege Escalation (priv esc), you can mitigate the risk through privileged account management, which limits what a compromised account can reach in the first place. Detection is the complementary control: if an account is compromised and someone gains escalated privileges, that activity should be flagged by an EDR (Endpoint Detection and Response).


Identifying the Actor: Groups and Campaigns

The security community tracks ATT&CK groups, which represent related behavior tracked with a common identifiable name. Interestingly, different vendors use different naming conventions:

  • Mandiant might use names like APT41.

  • CrowdStrike uses animals + origin, such as Fancy Bear.

  • Microsoft uses weather + origin, like Midnight Blizzard.

Beyond just naming the "who," we also track ATT&CK campaigns. A campaign is intrusion activity conducted over a specific period of time with common targets and objectives. A famous example is the 2016 Ukraine electric power attack (ID C0025).

By categorizing activity into techniques, groups, and campaigns, we move from chasing isolated alerts to understanding the broader narrative of the threats we face.
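Added example, not from the post: a coverage-gap check that answers the earlier question "Which tactics are we currently blind to?" for one tracked group. The technique and tactic IDs are real ATT&CK Enterprise identifiers; the group profile and the detection rules are constructed for the exercise and are not ATT&CK's own group entries (a real run would load a group's techniques from the ATT&CK STIX data and the rules from your SIEM).

```python
"""ATT&CK coverage-gap analysis: which techniques used by a tracked group have no
detection rule, grouped by tactic. Added example, not code from the page. The
technique and tactic IDs are real; GROUP_TECHNIQUES and DETECTION_RULES are constructed."""
import re
from typing import Dict, List, Set, Tuple

TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Subset of ATT&CK Enterprise techniques: ID -> (name, one tactic it is listed under).
# Some techniques map to several tactics in ATT&CK; one is kept per technique here.
TECHNIQUES: Dict[str, Tuple[str, str]] = {
    "T1595.002": ("Vulnerability Scanning", "TA0043"),               # Reconnaissance
    "T1566.001": ("Spearphishing Attachment", "TA0001"),             # Initial Access
    "T1059.001": ("PowerShell", "TA0002"),                           # Execution
    "T1547.001": ("Registry Run Keys / Startup Folder", "TA0003"),   # Persistence
    "T1003.001": ("LSASS Memory", "TA0006"),                         # Credential Access
    "T1021.001": ("Remote Desktop Protocol", "TA0008"),              # Lateral Movement
    "T1071.001": ("Web Protocols", "TA0011"),                        # Command and Control
    "T1486":     ("Data Encrypted for Impact", "TA0040"),            # Impact
}

# Constructed profile of a hypothetical group (not an ATT&CK group entry).
GROUP_TECHNIQUES: List[str] = [
    "T1566.001", "T1059.001", "T1547.001", "T1003.001", "T1021.001", "T1071.001", "T1486",
]

# Constructed detection rules: (rule name, technique IDs the rule is tagged with).
DETECTION_RULES: List[Tuple[str, List[str]]] = [
    ("Office application spawns script host", ["T1566.001", "T1059"]),
    ("Non-system process opens LSASS handle", ["T1003.001"]),
    ("Mass file rename with new extension", ["T1486"]),
]


def parent_technique(tid: str) -> str:
    """'T1059.001' -> 'T1059'; a parent ID maps to itself."""
    if not TECH_ID.match(tid):
        raise ValueError(f"not an ATT&CK technique ID: {tid}")
    return tid.split(".")[0]


def covers(rule_tid: str, observed_tid: str) -> bool:
    """A rule tagged with a parent technique is taken to cover its sub-techniques, not vice versa."""
    return rule_tid == observed_tid or rule_tid == parent_technique(observed_tid)


def coverage_gaps(group_techniques: List[str],
                  rules: List[Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """Tactic ID -> techniques the group uses that no rule covers."""
    tagged = {t for _, tags in rules for t in tags}
    gaps: Dict[str, List[str]] = {}
    for tid in group_techniques:
        if any(covers(r, tid) for r in tagged):
            continue
        gaps.setdefault(TECHNIQUES[tid][1], []).append(tid)
    return {tactic: sorted(tids) for tactic, tids in sorted(gaps.items())}


def blind_tactics(group_techniques: List[str],
                  rules: List[Tuple[str, List[str]]]) -> List[str]:
    """Tactics where none of the group's techniques has any detection."""
    used: Dict[str, Set[str]] = {}
    for tid in group_techniques:
        used.setdefault(TECHNIQUES[tid][1], set()).add(tid)
    gaps = coverage_gaps(group_techniques, rules)
    return sorted(t for t, tids in used.items() if set(gaps.get(t, [])) == tids)


if __name__ == "__main__":
    for tactic, tids in coverage_gaps(GROUP_TECHNIQUES, DETECTION_RULES).items():
        names = ", ".join(f"{t} {TECHNIQUES[t][0]}" for t in tids)
        print(f"{tactic}: no detection for {names}")
    print("blind tactics:", blind_tactics(GROUP_TECHNIQUES, DETECTION_RULES))
```

A rule tagged with a parent technique (here T1059) is counted as covering its sub-techniques, which is a common convention and a deliberate simplification; the reverse is not true. Tactic IDs are used throughout so the output can be dropped straight into an incident report or a coverage dashboard without ambiguity.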

The Advanced Landscape: APTs, AI, and Collaborative Tools

As we wrap up our look into the world of Cyber Threat Intelligence, it is important to understand the most sophisticated actors we face and the specialized tools we use to track them.

What is an APT?

In the world of CTI, we frequently refer to APTs, or Advanced Persistent Threats. These are sophisticated, sustained cyber attacks. Unlike a "script kiddie" or a random opportunist, an APT is typically a well-resourced group—often state-sponsored—that maintains a long-term presence on a network to achieve specific, high-value objectives.


The CTI Toolkit: Essential Tools

To defend against these threats, analysts rely on a variety of specialized CTI Tools:

  • Pulsedive: A community-driven threat intelligence platform that helps analysts research and manage indicators.

  • Shodan.io: Often called the search engine for internet-connected devices, it allows us to see what is exposed to the public web.

  • VirusTotal: A massive database used to analyze files and URLs to detect malware and share those findings with the security community.

Specialized Frameworks and Platforms

As technology evolves, so do our frameworks. We are now looking at specialized tools for modern challenges:

  • MITRE ATLAS: This stands for Adversarial Threat Landscape for Artificial Intelligence Systems. It is a knowledge base of adversary tactics and techniques specifically focused on attacks against AI systems.

  • MISP: The Open Source Threat Sharing platform. MISP is an open-source cybersecurity platform that allows organizations to collect, store, and securely share threat intelligence, such as malware indicators, IP addresses, file hashes, and vulnerability data.


Final Thoughts

Cyber Threat Intelligence is more than just a collection of data points; it is a collaborative effort. By using tools like MISP to share what we find and frameworks like ATLAS to prepare for future threats, we can ensure our defense is always one step ahead.

Whether you're investigating a file on VirusTotal or tracking an APT through the Diamond Model, remember: intelligence is only useful if it is actionable.



