Cyber Threat Intelligence (CTI) aims to produce actionable output after processing and interpreting the data collected from multiple sources, and to inform organizations about cyber attacks through that output so that damage is minimized. It also aims to understand the Tactics, Techniques, and Procedures (TTPs) of attackers.

# CTI Lifecycle

Planning and Direction > Information Gathering > Processing > Analysis and Production > Dissemination and Feedback > back to step 1

## Planning and Direction

This is the foundation of a structure that must function flawlessly. It enables analysts to find answers to questions such as:

- what exactly is expected from the intelligence
- who will consume the obtained intelligence
- which teams will take action as a result of the obtained intelligence

Requests help clarify the scope of the intelligence.

### Does the Organization Have a SOC Team?

- a team that will actively use the intelligence obtained
- can go down to the technical details of the obtained intelligence

### Has the Organization Been Attacked Before?

- the success rate of past attacks can be used to reduce the success rate of future attacks by putting intelligence at the basis of the established structure
- how often to use intelligence
- how often data is pulled from internal and external sources
- intelligence is updated frequently and consumed quickly for high-value targets

### Do Attacks Target the Organization or Individuals?

- defining an External Attack Surface Management area helps make the threat surface as clear as possible and to follow it up regularly for attacks targeting the organization
- Digital Risk Protection is crucial for attacks targeting individuals
- user login credentials, phishing attack exposure, and password policy strength

### Similar Company Exposure

- working with other companies that are being attacked exposes us to the IOCs related to those attacks, which allows us to avoid those attacks with minimal damage

## Information Gathering

Collection of data from internal and external sources:

- Hacker Forums
- Ransomware Blogs
- Deep/Dark Web Forums and Bot Markets
- Public Sandboxes
- Telegram/ICQ/IRC/Discord/Twitter/Instagram/Facebook/LinkedIn
- Surface Web (Cybersecurity Blogs etc.)
- Public Research Reports
- File Download Sites
- Github/Gitlab/Bitbucket etc.
- Public Buckets (Amazon S3/Azure Blob etc.)
- Shodan/BinaryEdge/Zoomeye etc.
- Sources that provide IOCs (Alienvault, Abuse.ch, MalwareBazaar etc.)
- Honeypots
- SIEM, IDS/IPS, Firewalls
- Public Leak Databases

## Processing

- filtering of the data
- clean out false positives as much as possible
- pass the data through rule sets
- subject the data to correlation

## Analysis and Production

- the data is interpreted and analyzed
- consumable intelligence is obtained as the output of the analysis
- reports are prepared according to who will consume the intelligence

## Dissemination and Feedback

- the intelligence is delivered to users via appropriate channels
- feedback is received at the end of the process to make the intelligence better and more efficient

# Types of CTI

![[type_of_cti_edited2.png]]

## Technical

The output of studies based on IOCs. Used to create rulesets and protect the organization against attacks, e.g. by using a report containing hashes or malicious IP addresses. Generally used by technical personnel in the organization such as SOC Analysts and Incident Responders.

## Tactical

Used to understand the TTPs of the attackers. Answers questions like:

- which vulnerabilities does the attacker use the most
- in which countries do the attacks originate
- what is the motivation of the attacker
- which methods does the attacker use

Used by management personnel leading technical teams.

## Operational

Also focuses on TTPs, but is used for threat hunting. Can focus on a specific type of attack or a single attacker to carry out an investigation in a narrower scope. Used by security managers or Threat Hunters.

## Strategic

Intended for the top executives of the organization. Generally used for long-term tasks like product purchasing, budgeting, and planning for the organization in the long run, by weighing tactical CTI outputs.

# Determining the Attack Surface

## Importance of the Attack Surface in Threat Intelligence

Classical intelligence models continue to fall
short. External Attack Surface management has shown us these inadequacies and closed the deficiencies. Extended Threat Intelligence (XTI) has gained popularity:

- creates an attack surface belonging to the organization in order to produce intelligence pertaining specifically to the organization
- visibility helps catch forgotten endpoints or subdomains
- know the inventory and know which assets to defend

## Determining the Attack Surface

### Domains

Typically the primary domain of the organization.

### Related Domains

Use **Host.io** to list all domains hosted on the same IP. Also found on Host.io:

- Backlinks
- Links to
- Redirects
- Reverse whois

### Subdomains

Useful tools:

- SecurityTrails
- aquatone
- sublist3r
- assetfinder
- https://subdomainfinder.c99.nl/

Get data from as many sources as possible.

### Websites

Examine the domains/subdomains that respond to HTTP/HTTPS requests. The httpx tool will list all domains (provided via a text file) that respond to requests; httprobe provides similar functionality.

### Login Pages

Script with Python to detect the following:

- the "login" phrase
- form tag usage
- username/password expressions on input fields
- login or similar expressions in the title or header

### Technology Used on Websites

The Wappalyzer tool will scan a webpage for all integrations; Whatcms.org does the same. Also examine the headers from the developer console.

### IP Addresses

Determining open ports is vital to the network. Analyze the domains and subdomains, then analyze the related IP addresses by sending requests and resolving them or viewing the A records.

### IP Blocks

Detect IP blocks by looking for patterns in the IP addresses obtained from the domains and checking the whois info on consecutive IPs. Also check Shodan; BinaryEdge and Zoomeye can serve as alternatives to Shodan.

### DNS Records

Use Google's online dig tool or dnslytics to view records. Records can also be accessed with dig from the command line.

### C-Level Employee Mails

Use a fake email and LinkedIn account. Chrome extensions: SalesQL, RocketReach, Apollo, ContactOut.

### Network Applications and Operating Systems

Query IPs
via Shodan or detect them with active scanning.

### BIN Numbers and SWIFT Codes

Important for the detection of stolen credit cards:

- bincheck.io
- freebinchecker.com
- bintable.com

Detect SWIFT codes:

- wise.com
- bank.codes
- theswiftcodes.com

Bank-based inquiries can also be made on these sites.

### SSL Certificates

Add SSL certificates to the asset list if they exist. It is possible to collect SSL certificates manually, but prefer tools to make it easier:

- Censys
- crt.sh

# Gathering Threat Intelligence

- Shodan
- BinaryEdge
- Zoomeye
- Censys

### Resources Providing IOCs

- Alienvault
- MalwareBazaar
- Abuse.ch
- Malshare
- Any.Run
- VirusTotal
- Hybrid-Analysis
- Totalhash
- Phishunt
- Spamhaus
- Tor Exit Nodes
- URLscan
- Zone-H
- Rats
- SORBS
- Barracuda

### Hacker Forums

- sales of access to hacked systems
- preparation for attacks

### Ransomware Blogs

http://ransomwr3tsydeii4q43vazm7wofla5ujdajquitomtd47cxjtfgwyyd.onion/

### Black Markets

- Credit Cards
- Stealer Logs
- RDP accesses
- Prepaid Accounts

Minimal API access; extract only with self-written scripts by parsing the returned requests.

### Chatters

- Telegram
- ICQ
- IRC
- Discord

### Code Repositories

Access information, login information, sensitive configuration files and secret API keys are found on:

- Github
- Gitlab
- Bitbucket

### File Share Websites

Files are shared anonymously on:

- Anonfiles
- Mediafire
- Uploadfiles
- WeTransfer
- File.io

Two collection methods:

- detect unique keys via a guessing algorithm and send them to the application server (requires large processing power)
- capture index files and pull them to the server via a dork script (low power, simpler)

### Public Buckets

Should be closed to the outside. Detect via bruteforce in the bucket name field (bucketname.amazonaws.com) with a wordlist of organization names. Applies to Amazon S3, Azure Blobs and Google Cloud Storage.

### Honeypots

Easy to breach and attractive to attackers. Build your own, or use popular honeypots:

- kippo
- cowrie
- glastopf
- nodepot
- Google Hack Honeypot
- ElasticHoney
- Honeymail

### SIEM/IDS/IPS/Firewalls

Written rules and logs from security products are great sources of intelligence.

# Threat Intelligence Data Interpretation

The data is initially very large and must be processed properly to prevent false positives and to avoid taking too long to respond. Convert legitimate data (IPs, hashes, domains, URLs) into whitelists, apply them as filters, and clean and legitimize the data.

# Using Threat Intelligence

Can be used in the following areas:

- External Attack Surface Management (EASM)
- Digital Risk Protection (DRP)
- Cyber Threat Intelligence (CTI)

The three above combined form the XTI structure.

## EASM

Any asset on the network poses a risk to the organization and must be monitored constantly. Adding a newly purchased domain to the asset list, or discontinuing a domain, is part of this effort.

### New Digital Assets Detected

Check that the asset belongs to the organization and was created by authorized users of the organization.

### Domain Information Change Detected

The whois information on the domain changes:

- compare the new and old data
- verify the change was made by authorized users of the organization

### DNS Information Change Detected

A DNS record changed:

- compare the new and old records
- verify the change was made by authorized users

### DNS Zone Transfer Detected

- check the records for relevant assets to verify

### Internal IP Address Detected

Since the IP addresses specified in A records are public, ensure they are not internal IP addresses.

### Critical Open Port Detected

- monitor via Shodan
- close or filter ports that are not actively used
- if the services are actively used, update them, keep them up to date, and ensure the necessary configurations are in place

### SMTP Open Relay Detected

Investigate the mail server in question and verify its status by contacting the POC of the server.

### SPF/DMARC Record Not Found

Must be configured correctly for the security of the mail servers; contact the POC to verify the status.

### SSL Certificate Revoked or Expired

Monitor regularly. Any communication without SSL poses a high risk of the transmitted data being seen by third parties.

### Suspicious Website Redirection

Ensure you receive feeds that provide the status codes of websites and where they are
redirected. If an alert is received, a website on the asset list is redirecting to a website not on the asset list:

- indicates a potential breach
- check the redirection and escalate to the appropriate team

### Subdomain Takeover Detected

Investigate the DNS record to find when the event took place and share it with the escalated team.

### Website Status Code Changed

Typically related to a service interruption, but needs to be remedied immediately regardless.

### Vulnerability Detected

A match between vulnerability data and the technologies currently in use. Immediate action is needed and the suggested fixes should be applied. The accuracy rate is lower if the data comes from outside the CVE data.

## Digital Risk Protection

Contributes the most intelligence to XTI after all sources are mapped.

### Potential Phishing Domain Detected

If domains mimic the brand/content, contact the domain registrar and ISP to request a takedown. Keep monitoring even if not suspicious.

### Rogue Mobile Application Detected

Received if pirated APK files are detected. Analyze them in a safe environment and remediate if found to be malicious.

### IP Address Reputation

An incident is occurring that affects reputation:

- blacklisted on any source for any reason
- found in a feed containing harmful IOCs
- involved in activity on a torrent network

### Impersonation of Social Media Account

Review and determine whether the account is unintentionally similar or intends to mimic. Request that the account be closed by the social media support team.

### Botnet Detected at Black Market

Detection if the organization is included in botnet data on black markets. Reset the user password, conduct a forensic investigation, isolate the system from the network, and reset the network credentials. Further investigation is conducted to determine whether the system is still infected or not.

### Suspicious Content Detected on the Deep & Dark Web

All deep and dark web environments are monitored and data is collected regularly. Posts that threaten the organization must be analyzed thoroughly to inform the necessary actions.

### Suspicious Content Detected on IM Platforms

Telegram, ICQ and IRC are typical environments for threat actor communication. The data analyzed should provide the context of the mention to determine the threat to the organization and inform the necessary actions.

### Stolen Credit Card Detection

Banks should monitor the dark web to alert customers of stolen cards. The fraud team is immediately informed to cancel the card.

### Data Leak Detected on Code Repository

Look for sensitive data in the reports. A takedown is an option if someone outside the organization manages the repository.

### Company Related Information Detected on Malware Analysis Services

Public sandboxes help detect malicious files. They may target the organization directly, or be uploaded by an attacker to smear the organization. Alerts should be investigated and analyzed.

### Employee and VIP Credentials Detected

Apply credential resets immediately.

# Threat Intelligence and SOC Integration

Threat intelligence is easily integrated into the SOC due to its nature. Combine it with the SIEM for a unified defense approach.
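The "Login Pages" step under Determining the Attack Surface says to script the detection with Python. Here is an added example of that script (not code from the original notes): it applies the four listed signals to HTML already fetched from the organization's own hosts, such as the ones httpx reported as responding. The hostnames and sample pages are constructed for the demo.

```python
"""Login-page detection for attack-surface mapping.

Added example, not code from the original notes. It applies the four
checks listed under "Login Pages" (the "login" phrase, a form tag,
username/password input fields, login wording in the title or header)
to HTML fetched from your own hosts. The sample pages are constructed.
"""
from html.parser import HTMLParser
import re

LOGIN_WORDS = re.compile(r"\b(log ?in|sign ?in|authenticate)\b", re.I)
CRED_WORDS = re.compile(r"user(name)?|e-?mail|pass(word|wd)?|pwd", re.I)
HEADER_TAGS = {"title", "h1", "h2", "h3"}


class _LoginSignals(HTMLParser):
    """Collects the signals while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.forms = 0
        self.password_inputs = 0
        self.credential_inputs = 0
        self.login_phrase = False
        self.login_in_header = False
        self._header_depth = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms += 1
        elif tag == "input":
            if a.get("type", "").lower() == "password":
                self.password_inputs += 1
            probe = " ".join(a.get(k, "") for k in ("name", "id", "placeholder", "autocomplete"))
            if CRED_WORDS.search(probe):
                self.credential_inputs += 1
        elif tag in HEADER_TAGS:
            self._header_depth += 1

    def handle_endtag(self, tag):
        if tag in HEADER_TAGS and self._header_depth:
            self._header_depth -= 1

    def handle_data(self, data):
        if LOGIN_WORDS.search(data):
            self.login_phrase = True
            if self._header_depth:
                self.login_in_header = True


def detect_login_page(html: str) -> dict:
    """Return the individual signals plus a combined verdict."""
    p = _LoginSignals()
    p.feed(html)
    p.close()
    signals = {
        "login_phrase": p.login_phrase,
        "form_tag": p.forms > 0,
        # a password field, or at least two credential-like fields (user + pass)
        "credential_inputs": p.password_inputs > 0 or p.credential_inputs >= 2,
        "login_in_title_or_header": p.login_in_header,
    }
    # A form with a password field is decisive. Without one, demand both
    # credential-like inputs and login wording, so a page that merely links
    # to "Login" next to a newsletter form is not flagged.
    verdict = signals["form_tag"] and (
        p.password_inputs > 0 or (signals["credential_inputs"] and signals["login_phrase"])
    )
    return {"is_login": verdict, "signals": signals}


# Constructed sample pages keyed by (made-up) hostname.
SAMPLE_PAGES = {
    "portal.example.org": (
        "<html><head><title>Admin Login</title></head><body><h1>Sign in</h1>"
        '<form method="post" action="/login"><input name="username">'
        '<input type="password" name="password"><button>Log in</button></form></body></html>'
    ),
    "www.example.org": (
        "<html><head><title>Example Corp</title></head><body>"
        '<nav><a href="/login">Login</a></nav>'
        '<form action="/subscribe"><input type="email" name="email" placeholder="Your e-mail"></form>'
        "</body></html>"
    ),
    "status.example.org": "<html><head><title>Status</title></head><body><p>All systems operational</p></body></html>",
}


def scan_pages(pages: dict) -> list:
    """Hostnames whose page looks like a login page, in input order."""
    return [host for host, html in pages.items() if detect_login_page(html)["is_login"]]


if __name__ == "__main__":
    for host, html in SAMPLE_PAGES.items():
        print(host, detect_login_page(html))
```

The marketing page in the sample carries the word "Login" and a form, yet is not flagged: the verdict needs a password field, or credential-like fields together with login wording, which keeps nav links and newsletter forms out of the login-page inventory.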
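Several of the EASM alerts above (Internal IP Address Detected, SPF/DMARC Record Not Found, SSL Certificate Expired, Suspicious Website Redirection) are mechanical checks over the asset list and the feeds. The following added example (not code from the original notes) implements those four checks over a constructed snapshot of the kind a DNS, certificate and HTTP status feed would deliver; every hostname, address and date in it is made up, and revocation checking is out of scope here.

```python
"""EASM alert checks over an asset snapshot.

Added example, not code from the original notes. Implements four of the
EASM alerts: internal IP in a public A record, SPF/DMARC record missing,
certificate expired or inside the renewal window, and a redirect to a
host that is not on the asset list. All data below is constructed.
"""
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed asset list, zone apexes and feed snapshot.
ASSET_LIST = {"example.org", "www.example.org", "mail.example.org", "old.example.org"}
ZONES = {"example.org"}
SNAPSHOT = {
    "a_records": {"www.example.org": ["203.0.113.10"], "old.example.org": ["10.20.30.40"]},
    "txt_records": {"example.org": ["v=spf1 include:_spf.example.org -all"],
                    "_dmarc.example.org": []},
    "certificates": {"www.example.org": "2024-06-01T00:00:00Z",   # notAfter
                     "mail.example.org": "2025-01-01T00:00:00Z"},
    "http": {"www.example.org": (301, "https://login.example-portal.net/"),
             "old.example.org": (200, None)},
}
NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)  # constructed "current time"


def check_internal_ips(a_records: dict) -> list:
    """Public A records must never point at RFC 1918, loopback or link-local space."""
    alerts = []
    for host, ips in a_records.items():
        for ip in ips:
            if any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
                alerts.append(("internal_ip", host, ip))
    return alerts


def check_mail_records(txt_records: dict, zones: set) -> list:
    """SPF lives in the apex TXT record, DMARC in _dmarc.<zone>."""
    alerts = []
    for zone in sorted(zones):
        spf = [r for r in txt_records.get(zone, []) if r.lower().startswith("v=spf1")]
        dmarc = [r for r in txt_records.get("_dmarc." + zone, []) if r.lower().startswith("v=dmarc1")]
        if not spf:
            alerts.append(("spf_missing", zone, None))
        if not dmarc:
            alerts.append(("dmarc_missing", zone, None))
    return alerts


def check_certificates(certs: dict, now: datetime, warn_days: int = 30) -> list:
    """Flag expired certificates and those inside the renewal window."""
    alerts = []
    for host, not_after in certs.items():
        expiry = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            alerts.append(("cert_expired", host, not_after))
        elif expiry - now <= timedelta(days=warn_days):
            alerts.append(("cert_expiring", host, not_after))
    return alerts


def check_redirects(http: dict, asset_list: set) -> list:
    """A redirect whose target host is not on the asset list is suspicious."""
    alerts = []
    for host, (status, location) in http.items():
        if status in REDIRECT_CODES and location:
            target = urlparse(location).hostname
            if target and target not in asset_list:
                alerts.append(("suspicious_redirect", host, target))
    return alerts


def run_easm_checks(snapshot: dict, asset_list: set, zones: set, now: datetime) -> list:
    """Run every check; each alert is (kind, host, detail)."""
    return (check_internal_ips(snapshot["a_records"])
            + check_mail_records(snapshot["txt_records"], zones)
            + check_certificates(snapshot["certificates"], now)
            + check_redirects(snapshot["http"], asset_list))


if __name__ == "__main__":
    for alert in run_easm_checks(SNAPSHOT, ASSET_LIST, ZONES, NOW):
        print(*alert)
```

Each alert carries the host and the offending detail so it can be handed to the escalation team as-is; in practice the snapshot would be refreshed from the feeds on every run and the asset list kept in sync with newly purchased or discontinued domains.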
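The Processing step, the Threat Intelligence Data Interpretation section and the SOC integration note above describe one pipeline: normalize raw feed entries, filter them through whitelists, drop noise, correlate across sources, then match the result against SIEM data. This added example (not code from the original notes) carries that pipeline through end to end. The feeds, the whitelist and the log lines are constructed sample data; the public-looking IP addresses are taken from documentation ranges.

```python
"""IOC feed processing and SIEM log matching.

Added example, not code from the original notes. Normalizes feed entries,
applies the whitelist, drops internal addresses, de-duplicates, correlates
across feeds, then matches the indicators against SIEM-style log lines.
All feeds, whitelist entries and log lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

FEEDS = {
    "feed_a": [
        "198.51.100.23",
        "hxxp://malicious[.]example/payload.exe",   # defanged, as feeds often are
        "10.0.0.5",                                 # internal address: noise
        "Update.Example.COM",                       # legitimate, whitelisted
        "d41d8cd98f00b204e9800998ecf8427e",         # MD5 of empty input, placeholder
    ],
    "feed_b": ["198.51.100.23", "bad-domain.example", "8.8.8.8", "MALICIOUS.EXAMPLE"],
}
WHITELIST = {"8.8.8.8", "update.example.com"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-:/\[\]]+")


def normalize(raw: str) -> str:
    """Refang (hxxp, [.]) and lower-case an indicator string."""
    return raw.strip().lower().replace("hxxp", "http").replace("[.]", ".")


def classify(value: str) -> str:
    if value.startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(value):
        return "hash"
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def build_indicators(feeds: dict, whitelist: set) -> dict:
    """Return {indicator: {"type": ..., "sources": {feed names}}} after filtering."""
    indicators = {}

    def add(value, kind, source):
        indicators.setdefault(value, {"type": kind, "sources": set()})["sources"].add(source)

    for source, entries in feeds.items():
        for raw in entries:
            value = normalize(raw)
            kind = classify(value)
            if kind == "unknown" or value in whitelist or (kind == "ip" and is_internal(value)):
                continue
            add(value, kind, source)
            # Index a URL's host separately so DNS and proxy logs can match on it.
            if kind == "url":
                host = urlparse(value).hostname
                if host and host not in whitelist and classify(host) in ("domain", "ip"):
                    add(host, classify(host), source)
    return indicators


def confidence(entry: dict) -> str:
    """Correlation step: an indicator reported by several feeds ranks higher."""
    return "high" if len(entry["sources"]) >= 2 else "medium"


# Constructed SIEM-style log lines (firewall, DNS and EDR events).
LOG_LINES = [
    "2024-05-01T10:00:01Z fw01 action=allow src=192.168.1.40 dst=198.51.100.23 dport=443",
    "2024-05-01T10:00:05Z dns01 query=malicious.example client=192.168.1.40",
    "2024-05-01T10:00:09Z dns01 query=update.example.com client=192.168.1.41",
    "2024-05-01T10:01:00Z edr01 host=WS12 file=invoice.doc md5=d41d8cd98f00b204e9800998ecf8427e",
    "2024-05-01T10:02:00Z fw01 action=allow src=192.168.1.42 dst=203.0.113.9 dport=80",
]


def match_logs(indicators: dict, lines: list) -> list:
    """One hit per log line that carries a known indicator as a field value."""
    hits = []
    for line in lines:
        for token in TOKEN_RE.findall(line):
            value = normalize(token)
            if value in indicators:
                hits.append({"line": line, "indicator": value,
                             "type": indicators[value]["type"],
                             "confidence": confidence(indicators[value])})
                break
    return hits


if __name__ == "__main__":
    iocs = build_indicators(FEEDS, WHITELIST)
    for hit in match_logs(iocs, LOG_LINES):
        print(hit["confidence"], hit["type"], hit["indicator"], "<-", hit["line"])
```

The whitelist removes the legitimate update host and the public resolver before matching starts, so the DNS query for update.example.com produces no hit; the host reported by both feeds (one of them via the URL's hostname) comes out with high confidence, which is the correlation the Processing step asks for.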