Cyber Threat Intelligence
It's Halloween which makes it the perfect time to talk about what keeps Information Security professionals up at night -- threats! But not all threats should have you checking the closet and looking under the bed each night. So how do you know which bumps in the night are just your imagination? Fortunately, Cyber Threat Intelligence can help us understand what we should (or shouldn't) be fearing. Think of it as the organization’s rational skeptic who doesn’t believe in ghosts.
(Hanna & Barbera, 1969)
Cyber Threat Intelligence (sometimes written as Cyberthreat Intel; we will call it CTI for short) is a function of Information Security that focuses on understanding what adversaries exist and how those adversaries may attack the organization that an Information Security team is tasked with defending. A CTI program aims to produce actionable intelligence that can help an organization reduce risk. It achieves this by evaluating the organization's defenses, architecture, and technology stack against the bad actors who target the org. While it is important to know what an adversary is capable of, it's equally valuable to see how those capabilities could affect the organization. Not every organization uses the same technology stack or controls or has the same level of risk tolerance, so each new threat or adversary will affect organizations differently. Not every new vulnerability is critical and needs to be patched right away. The CTI team understands the variables at play, and its output allows the organization to make timely, intelligent decisions on allocating time, resources, and money to protect the organization.
Intelligence Types
Like many Information Security Principles, CTI has its roots in the military and shares a lot of the same terminology. There are several different types of intelligence -- below are examples of a select few:
OSINT
OSINT (Open Source Intelligence) is one of the more common types of intelligence. Nearly everyone has done some form of OSINT in their life. It involves using freely available and public information without needing to intercept communications or invade the privacy of your adversary. Examples of OSINT include recording what somebody Tweeted, wrote on a website, showed in a picture on Instagram, said in a newspaper interview, etc. "If any specialist skills, tools, or techniques are required to access a piece of information, it can't reasonably be considered open source" (The Recorded Future Team, 2019).
Regarding CTI, OSINT typically involves observing rumblings, rumors, or chatter on communication platforms where adversaries hang out and may divulge details about a current or upcoming attack, a new exploit, or a new capability.
SIGINT
On the other hand, SIGINT (Signals Intelligence) requires far more advanced effort and tools to collect information because it involves intercepting communications that were not intended to be public. Knowing what an adversary is communicating when they are under the impression their conversation is private gives the SIGINT-collecting party an upper hand in developing actionable intelligence to improve defense or thwart an attack. Sometimes you may not even be able to decrypt or decipher communications between two other parties, but knowing who is communicating with whom, and at what times and frequencies, can still be valuable information.
SIGINT is primarily done by governments and nation-state actors who have legal authority in their origin country and the necessary resources to perform SIGINT operations (think: NSA). However, governments will often publish intelligence reports through the Cybersecurity and Infrastructure Security Agency (CISA) for the private sector to consume to help strengthen the nation's resiliency.
TECHINT
TECHINT (Technical Intelligence) is all about assessing your adversaries' advancements in technology so that you are less likely to be caught off-guard by new adversarial capabilities resulting from a technological breakthrough on their side. In his book "Practical Cyber Intelligence," Wilson Bautista Jr. gives an excellent example of TECHINT in the private sector: one organization learning of a new product in development at a competitor. Knowing any information about the product, or even a hint that a product is in development, at a competing organization before it's publicly known allows strategic action to begin today rather than being reactive when it's made known to the rest of the world.
Platforms
Whether an organization consumes threat intelligence from a third party or publishes its own, reviewing and managing a staggering amount of information (all with varying degrees of urgency and relevancy) can be challenging. One of the ways the Information Security industry attempts to solve these challenges is through CTI platforms. These platforms collect intelligence from trusted sources and consolidate it into a centralized console for analyst review. Some of the information you could expect to consume from sources through a CTI platform would be:
- A summary of the alert/announcement
- Traffic Light Protocol (TLP) rating
- Criticality scoring (CVSS) of associated CVEs
- Products or technologies affected
- Mitigations or recommendations
- Links to related research or sources
- Indicators of compromise
  - IP addresses
  - Domains
  - Hashes
  - Behaviors
In addition, automation and orchestration can help route alerts and bulletins to different channels, which gets the information to the appropriate audiences within an organization. A platform also facilitates internal intelligence bulletin publishing, commenting, tagging, and alerting, so CTI teams can focus on the intelligence rather than managing communication and awareness logistics. Below are a few options available today. None of the examples below are sponsored or endorsed.
CSAP
(Note: This is the only platform I have used on this shortlist)
The commercial CSAP (Cyware Situational Awareness Platform) is Software as a Service (SaaS), so on-premise software and infrastructure are not required for it to function, meaning CTI teams can begin leveraging it out of the box without relying on much engineering support – though it does support integration with other Cyware products and third-party platforms and technologies.
OpenCTI
OpenCTI is an open-source community project that's freely available for anyone to download and use, which can be a draw for smaller teams or those with tighter budgets. This also means you're responsible for infrastructure as well as the care and feeding of the application. It offers many integrations, and because it's open-source, modifications or improvements can be made by the community. It seems to have one of the better interfaces and visualizations of data.
MISP
MISP is another open-source community project worth mentioning; it is free and shares similar benefits and drawbacks with OpenCTI. MISP does have a slightly different angle, facilitating information sharing between multiple organizations and entities rather than focusing solely on internal consumption. The use case for MISP is up to each organization, so they can choose to keep their intelligence private or join one of the many purpose-driven "communities."
CVSS Scoring
A key component of CTI is CVSS scoring. CVSS is an acronym for the Common Vulnerability Scoring System and was initially developed as a standard by the National Infrastructure and Advisory Council (NIAC) in 2003 to measure and express how severe a vulnerability is. It's an open standard and has become a default within the industry for rating Common Vulnerabilities and Disclosures (CVEs). Currently, the CVSS standard is maintained by FIRST.org and is on version 3.1.
A CVSS score is broken down into three parts, each containing multiple factors, which together output a score from 0 to 10:
Base
This is how severe the vulnerability is, as assigned by the National Vulnerability Database (NVD). It considers the difficulty level of exploitation and compares it to how much of an impact successful exploitation has on the organization's Confidentiality, Integrity, and Availability (CIA) of systems. Some examples:
| CVE | NVD Description | Base Score | Reasoning |
|---|---|---|---|
| CVE-2021-26084 | "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5." | 10 (Critical) | This was calculated as a 10 because this vulnerability requires the least amount of effort to exploit but has a high impact on the CIA of the organization. |
| CVE-2021-1116 | "NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where a NULL pointer dereference in the kernel, created within user mode code, may lead to a denial of service in the form of a system crash." | 5.5 (Medium) | This was calculated as a 5.5 because integrity and confidentiality are unaffected while it can have a high impact on availability. A low attack complexity, low privileges required, and no user interaction would sound detrimental; however, it still requires local access to the victim host. |
| CVE-2021-35633 | "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Logging). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server." | 2.7 (Low) | This was calculated as a 2.7 because it has a low impact on availability and no effect on confidentiality or integrity. It also requires a high level of privileges to accomplish; therefore, the score is relatively low for this vulnerability. |
Temporal
What factors in the world today increase or decrease the potential impact of this vulnerability? The Temporal score can shift over time due to changes in:
- Exploit code maturity
- Remediation levels
- Report confidence
Environmental
How does the vulnerability affect a specific organization? A CTI team would review vulnerabilities and calculate the environmental factors unique to their organization, raising or lowering the overall score and making it a more helpful rating.
Overall Scoring
You can find a CVE on the NVD and use the CVSS calculator to factor in Temporal and Environmental scoring to get your final Overall score, unique to your organization. This is an important concept because the NVD may publish a Critical CVSS of 10 for a CVE, yet low enough Environmental or Temporal scores for your organization can significantly lower the Overall score and reduce the criticality, and therefore the urgency with which the CVE needs to be addressed and responded to, allowing your Security teams to prioritize and focus efforts appropriately. Rely on your CTI teams and platforms to help you figure out which monsters are real and which ones are less harmful than they appear.
(Hanna & Barbera, 1969)
References
- Balbix. (2020, April 8). Temporal CVSS Scores. https://www.balbix.com/insights/temporal-cvss-scores/
- Bautista, W. (2018). Practical Cyber Intelligence: How action-based intelligence can be an effective response to incidents. Birmingham, UK: Packt Publishing.
- CISA. (2019). Information Sharing and Awareness. https://www.cisa.gov/information-sharing-and-awareness
- CVE Program. (2021). Overview. https://www.cve.org/About/Overview
- Hanna, W., & Barbera, J. (1969, September 27). Scooby-Doo, Where Are You! (No. 103).
- National Security Agency. (2018). SIGINT FAQs. https://www.nsa.gov/about/faqs/sigint-faqs/
- NIST. (2019). Vulnerability Metrics. https://nvd.nist.gov/vuln-metrics/cvss
- The Recorded Future Team. (2019, February 19). What Is Open Source Intelligence and How Is it Used? https://www.recordedfuture.com/open-source-intelligence-definition/