
MITRE's publication ‘11 World-Class SOC Strategies. Strategy #6 ‘Use Cyber Intelligence to Combat Attackers’

13.06.2023




Ruslan Rakhmetov, Security Vision


The authors of the publication point out that any serious attack is linked to a specific group of attackers, and cyber intelligence (cyber threat analytics) methods make it possible to associate observed IS events or cyber incidents with those attackers for a deeper understanding of their goals and likely means of attack, since each cybercriminal group has its own ‘handwriting’: characteristic TTPs and tools. Strategy #6 focuses on how to apply cyber intelligence to SOC activities.


1. What is cyber intelligence?


According to the authors of the publication, cyber intelligence or cyber threat analytics (Cyber Threat Intelligence, abbreviated as CTI) is the process of collecting, processing, organising and interpreting the obtained data into actionable, practically applicable information or products that make it possible to understand the capabilities, actions and intentions of attackers in cyberspace. In the context of a SOC, cyber threat analytics can be used to understand attackers' actions and behaviour; cyber intelligence data can be correlated with the SOC's internal data on IS events and incidents, helping to increase visibility of cyber attacks, reduce damage and improve decision-making when responding to cyber incidents.


Cyber intelligence data also helps in identifying attackers within the infrastructure, fine-tuning sensors and analytics systems for better monitoring, prioritising SOC resources, enriching and contextualising cyber incident information, preventing or slowing cyber attacks, and predicting attacker behaviour within the company's network. The classic cycle of cyber threat analytics is to plan, collect, process, analyse, disseminate and evaluate cyber intelligence data. Using cyber intelligence data is important because it allows moving from a reactive model of responding to cyber incidents (after signs of them are detected) to a proactive one, in which the attacker's actions are predicted and detected before the destructive or malicious actions that security tools would otherwise detect are carried out. The sources of cyber intelligence data can be both external (analytical reports on cyber threats from IS companies, information from other SOCs, cyber intelligence data providers, i.e. Threat Intelligence feeds, abbreviated as TI feeds) and internal (information from analysts and researchers within the customer company).


According to the authors of the publication, a data source related to cyber threats can be considered a source of cyber threat analytics only if it provides information about the attackers (context and details about the attackers themselves). Thus, IP addresses, domain names, email addresses and virus signatures without a link to specific attackers cannot be considered CTI data. At the same time, analytical reports on cyber threats issued by vendors and researchers, structured reports (e.g. in STIX format) and TI feeds are considered CTI sources. Given the potentially large number of possible CTI data sources, it is recommended to evaluate the following characteristics of the data supplied by each source:

- Can the data obtained be used, e.g., in correlation rules, in proactive cyber threat hunting (Threat Hunting) scenarios, used in attack prevention tools?

- Is the data being generated relevant and up-to-date, and is it not outdated?

- Is the data received relevant to the customer's infrastructure and economic sector? Does it come from a trusted source with a good reputation? How is the CTI data processed and transmitted, and are APIs available for interoperability?

- Is the data received accurate and consistent?


2. Goals and planning for the use of cyber threat analytics.


One of the goals of cyber threat analytics is to help executives focus their attention on significant cyber threats and make informed, risk-based management decisions. Because executives may be at different hierarchical levels within a company, the cyber intelligence provided to them is also categorised into different levels depending on the depth of detail and objectives:

- Strategic level, where information is provided to top management for budgeting the cybersecurity function; reports cover cybercrime trends, cybercriminal groups relevant to the company, and proposed countermeasures.

- Operational level, at which technical details are provided to IT/IS managers and SOC management, including data on malicious campaigns of attackers, motivation of attackers, probable targets of attacks; based on this information, changes in IS architecture, reconfiguration of protection systems, acquisition of new tools for SOC are carried out.

- Tactical level, where detailed information about TTPs, methods and operations of attackers in a structured form is transmitted to the SOC centre to configure correlation rules, sensors and analytical tools.


Integrating cyber threat analytics products and services into SOC processes and tools provides the following benefits:

- Enables selection and prioritisation of correct countermeasures based on relevant cyber threats;

- Increases the effectiveness and completeness of response actions;

- Reduces the success rate of cyberattacks, including APT attacks;

- Improves detection of cyber threats, which reduces the time attackers remain undetected in the infrastructure;

- Increases situational awareness and knowledge of cyber threats through informative and detailed reporting;

- Increases visibility of context and linkages between incidents and business impact;

- Increases awareness of peers from other SOCs by sharing data on cyber threat handling experiences;

- Increases cost effectiveness and justification of SOC operations through the application of accumulated cyber threat knowledge;

- Increases awareness of the customer company's threat profile and possible targets of cyber attacks;

- Provides insight into cyber defence gaps and motivates to address them.


Effective application of cyber threat analytics requires a deep understanding of the customer company's operations, business processes and assets to profile groups of potential attackers. An understanding of the following aspects is required:

- Context: understanding who will attack the company and why, what capabilities the attackers have, what consequences the attack may have;

- Analysis: understanding what has already happened and when, what is happening now, what attack scenarios and TTPs are being used;

- Action: understanding where and what malicious activity is occurring now, what countermeasures should be taken, and how to apply CTI in specific security tools (e.g. SIEM, SOAR) to find, contain and eliminate the threat.

The use of CTI will be efficient and effective if the SOC has the following knowledge:

- Information about attackers: context, motives, plans, the attackers' ‘M.O.’, technical indicators (e.g., IoT used, and indicators of compromise, abbreviated as IoCs), trends and previous successful attacks by the attackers, the attackers' capabilities (resources, ability to conduct stealthy and sophisticated cyber operations, approximate size of the cybercriminal group), and the tools, infrastructure and resources they use;

- Relevance: SOC team members' understanding of the customer company's characteristics (business processes, competitive advantages, valuable assets, key employees, protected information, applicable legal requirements), understanding of partner relationships with counterparties, as well as other information that may be of interest to attackers and relevant to their goals;

- Technical environment: IT and OT network architecture, cloud and on-prem infrastructure, state of digital assets, vulnerability data, behavioural profile of users, systems and entities, and other IS-relevant technical information (alerts, audit logs, data from endpoints and network devices, etc.).


The authors of the publication emphasise that a key aspect of preventing cyber attacks with cyber intelligence techniques is understanding the goals, motives and ‘M.O.’ of cyber criminals, as well as attributing (matching) cyber threats and specific incidents to specific groups of attackers. Such groups appear in specialised reports as APT (Advanced Persistent Threat) groups with sequence numbers (e.g. APT33 or APT41) or proper names (e.g. Darkhotel or Silence); a reference list of these groups can be found on the MITRE ATT&CK project website, which also describes the main stages and TTPs used by modern cybercrime groups. In general, understanding which group is likely preparing, or has already carried out, a cyberattack makes it possible to predict the attackers' next steps, while building a company's cyber threat profile narrows down the range of APT groups likely to attack it and, consequently, allows better preparation to repel such attacks using tools tailored to those groups. At the same time, accurately attributing a cyberattack to a specific APT group can be very resource-intensive and is not always feasible, so the authors suggest using attacker association methods: searching for likely links between malicious activity and possible cybercriminal groups, which helps establish relationships between attackers and attack attributes (e.g. indicators of compromise, TTPs). This analysis provides insight into what malicious activity the attackers have already carried out and may carry out in the future, as well as their motivation and the ultimate goal of the attack. The knowledge that CTI analysts obtain in their research should be shared with parent, subsidiary and partner SOCs and IS departments in a controlled manner, and reported to the interested executives of the client company. When receiving information about an impending cyber attack, it is important to prepare not only defensive measures but also a system of decoy hosts, so that the attackers' TTPs can be better understood.


3. Use of cyber threat analytics tools.


The authors of the publication recommend considering the following factors when deciding which CTI tools to use:

- Applicability to the technology component of the SOC: does the CTI tool produce data that is applicable to the SOC toolkit and useful to the SOC team?

- Data quality check: if the CTI tool produces inaccurate data, there should be tools to adjust the confidence in the information received;

- Tracking the origin of CTI data: how does CTI data change, where does it come from, what source data was used to generate the CTI data, is the source reliable?

- Define and maintain rules for attacker attribution/association: define in advance the probability and confidence levels for attributing or associating groups of attackers based on CTI data;

- Define and maintain monitoring and response rules: agree in advance when activity can be limited to monitoring and when active response actions should be performed when pre-defined conditions are met.
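The attacker association approach from section 2, combined with the pre-defined confidence levels recommended above, as an added example (not from the MITRE publication or Security Vision): GROUP_PROFILES, their technique lists and the score thresholds are constructed assumptions, not real APT TTP mappings; only the technique ID format follows MITRE ATT&CK.

```python
"""Associate observed TTPs with candidate attacker groups using agreed confidence bands.

A result is an association hypothesis (likely link), not a definitive attribution.
"""
from dataclasses import dataclass

# Constructed profiles: each group's "handwriting" as a set of ATT&CK technique IDs.
# The per-group lists are invented for this example.
GROUP_PROFILES = {
    "GROUP_A": {"T1566", "T1059", "T1003", "T1021", "T1486"},
    "GROUP_B": {"T1566", "T1204", "T1071", "T1041"},
    "GROUP_C": {"T1190", "T1505", "T1003", "T1021"},
}

# Confidence bands agreed in advance, as the page recommends; the thresholds are assumptions.
CONFIDENCE_BANDS = ((0.75, "high"), (0.50, "medium"), (0.25, "low"))
BAND_ORDER = ["high", "medium", "low", "none"]


@dataclass(frozen=True)
class Association:
    group: str
    score: float          # Jaccard overlap between observed and profile TTPs
    matched: frozenset    # techniques shared with the group's profile
    confidence: str       # band label derived from the score


def jaccard(observed: set, profile: set) -> float:
    """Overlap of observed TTPs with a group profile (0.0 when nothing overlaps)."""
    union = observed | profile
    return len(observed & profile) / len(union) if union else 0.0


def confidence_label(score: float) -> str:
    for threshold, label in CONFIDENCE_BANDS:
        if score >= threshold:
            return label
    return "none"


def associate(observed: set, profiles=GROUP_PROFILES, min_confidence: str = "low"):
    """Rank groups by overlap with the observed TTPs; drop those below the minimum band."""
    results = []
    for group, profile in profiles.items():
        score = jaccard(observed, profile)
        label = confidence_label(score)
        if BAND_ORDER.index(label) <= BAND_ORDER.index(min_confidence):
            results.append(Association(group, round(score, 2), frozenset(observed & profile), label))
    return sorted(results, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    # Constructed incident: phishing, scripting, credential dumping, lateral movement.
    for a in associate({"T1566", "T1059", "T1003", "T1021"}):
        print(f"{a.group}: score={a.score} confidence={a.confidence} matched={sorted(a.matched)}")
```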


CTI primarily requires skilled, experienced cyber threat analysts, but technology solutions such as a TIP (Threat Intelligence Platform) can be used to assist them. TIP systems are designed to process CTI data, i.e. to capture, organise, correlate and exploit large amounts of attacker-related data, including indicators of compromise; TIP solutions also enable effective management of cyber threat knowledge within a company. A TIP is used most effectively in conjunction with SOC technology tools that enable correlation, enrichment and collaboration with CTI data, such as SIEM and SOAR systems and Big Data processing platforms. The TIP platform can help answer questions about the duration of the attackers' presence in the infrastructure, the nature of the actions they performed, and the origin of the CTI data and of CTI reports describing similar malicious activity.


The following platform characteristics should be considered when selecting a TIP solution:

- The TIP platform should enable collaboration between cyber threat analysts, as well as tracking of detected artefacts, attacker activity and their malicious campaigns;

- Integration capabilities: the TIP solution should correctly interact with CTI data sources (commercial and Open Source) and with SOC tools (SIEM, SOAR, Big Data);

- Out-of-the-box TI feeds: a good TIP should by default provide options for integrating and retrieving data from multiple CTI data sources, and provide deduplication of the resulting data;

- Feedback and scoring: the TIP solution should allow scoring (evaluation) of the received CTI data based on its quality and applicability, and prioritise the processing of CTI data in the SOC based on the evaluation;

- Confidentiality: CTI data received may come from a variety of sources and its processing may be restricted by confidentiality requirements (e.g. TLP tags, Traffic Light Protocol) - these circumstances need to be considered in the TIP;

- Manual analysis: A TIP solution should allow the cyber threat analyst to independently link attacker activity, correlate, and group similar entities;

- Audit and change management: the TIP system should keep a record of actions performed and roll back changes if incorrect data is entered or inaccurate association or attribution is made;

- Scalability, performance: TI feeds may contain millions of indicators of compromise, which the TIP system must process promptly.
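The source-evaluation criteria from section 1 (attacker context, freshness, source reputation) and the TIP functions listed above (deduplication, scoring, TLP handling), as an added example that is not part of the publication or of any vendor's product: the feed record format, the weights, the TLP sharing rule and the feed contents are constructed assumptions.

```python
"""Deduplicate and score a small TI feed on the criteria the page lists."""
import json
from datetime import datetime, timezone

# Fixed "now" so the example is reproducible (the article's publication date).
NOW = datetime(2023, 6, 13, tzinfo=timezone.utc)
MAX_AGE_DAYS = 30                                   # assumption: older indicators count as stale
SOURCE_REPUTATION = {"vendor-report": 1.0, "partner-soc": 0.8, "open-feed": 0.4}  # constructed
SHAREABLE_TLP = {"clear", "white", "green"}         # assumption: what may be passed to partner SOCs

# Constructed feed: one indicator repeated by two sources, one stale entry,
# and one hash with no attacker context. Values are documentation/dummy values.
RAW_FEED = json.dumps([
    {"value": "203.0.113.7", "type": "ipv4", "last_seen": "2023-06-10T00:00:00Z",
     "actor": "GROUP_A", "tlp": "amber", "source": "vendor-report"},
    {"value": "203.0.113.7", "type": "ipv4", "last_seen": "2023-06-01T00:00:00Z",
     "actor": "GROUP_A", "tlp": "amber", "source": "open-feed"},
    {"value": "bad.example", "type": "domain", "last_seen": "2023-01-05T00:00:00Z",
     "actor": "GROUP_B", "tlp": "green", "source": "partner-soc"},
    {"value": "0123456789abcdef0123456789abcdef", "type": "md5",
     "last_seen": "2023-06-12T00:00:00Z", "actor": None, "tlp": "red", "source": "open-feed"},
])


def parse_feed(text):
    records = json.loads(text)
    for r in records:
        r["last_seen"] = datetime.fromisoformat(r["last_seen"].replace("Z", "+00:00"))
    return records


def dedupe(records):
    """One record per (type, value): keep the most recently seen, best-reputed source on ties."""
    rank = lambda r: (r["last_seen"], SOURCE_REPUTATION.get(r["source"], 0.0))
    best = {}
    for r in records:
        key = (r["type"], r["value"])
        if key not in best or rank(r) > rank(best[key]):
            best[key] = r
    return list(best.values())


def score(r, now=NOW):
    """0..1 quality score: attacker context (0.5), freshness (0.3), source reputation (0.2)."""
    context = 1.0 if r.get("actor") else 0.0
    freshness = max(0.0, 1 - (now - r["last_seen"]).days / MAX_AGE_DAYS)
    reputation = SOURCE_REPUTATION.get(r["source"], 0.0)
    return round(0.5 * context + 0.3 * freshness + 0.2 * reputation, 2)


def evaluate(text, now=NOW):
    """Deduplicate the feed and annotate each indicator so the SOC can prioritise it."""
    out = {}
    for r in dedupe(parse_feed(text)):
        out[(r["type"], r["value"])] = {
            "score": score(r, now),
            "is_cti": r.get("actor") is not None,    # page: no attacker link means not CTI
            "shareable": r["tlp"] in SHAREABLE_TLP,
            "actor": r.get("actor"),
        }
    return out


if __name__ == "__main__":
    for key, info in sorted(evaluate(RAW_FEED).items(), key=lambda kv: -kv[1]["score"]):
        print(key, info)
```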


4. Complexities and challenges in dealing with CTI data.


The authors of the publication remind us that the task of cyber threat analytics is broader than simply processing indicators of compromise (signatures, hashes, IP addresses, etc.), which attackers can easily change to bypass security tools; in cyber intelligence it is important to understand attackers' TTPs and to use attack indicators and contextualised information in the analysis. The authors also point out some typical misconceptions encountered when building a CTI function in a SOC:

- CTI data is created in different ways: some CTI sources use publicly available CTI data and repackage it to add their own analytics, so it is important to understand the origin and original sources of CTI data; it is also important to understand what exactly is meant by CTI data in each case (it can be lists of indicators of compromise or unstructured cyber investigation reports);

- Too much CTI data can create information noise rather than be useful: it is the applicability and impact of CTI data that matters, not the quantity;

- Not all CTI data is useful for all SOCs: when analysing cyber threats, you should focus on the TTPs of those cybercrime groups that tend to attack the sector of the economy in which the SOC customer operates;

- The cost of CTI services and data is not always important: some large cyber threat analytics teams may successfully use publicly available CTI data and information sharing with partner SOCs, while some smaller SOCs may favour commercial CTI tools and feeds;

- Malware and CTI are different: cyber threat analysis should not focus on monitoring the attackers' use of malware, as legitimate utilities and tools are often used in an attack (the living off the land technique); malware may be used at some stages of an attack, but the focus of CTI analytics should be on understanding the attackers' targets and TTPs in order to build defences correctly;

- IoCs and CTI are different: indicators of compromise can provide some ‘food for thought’ but are not cyber threat analytics in and of themselves; it is important that cyber intelligence answers decision makers' questions and provides applicable context.
