What is the aim?
The aim of providing a "threat intelligence and data for technical leads" capability is to create a detailed technical awareness of relevant and sector-specific threats.
Why do it?
It provides an immediate reference point for indicators of compromise and allows technical leads to understand whether a particular threat has been seen before or is new and therefore requires a new approach. It is a critical part of incident response, because being able to identify a threat or malware type quickly and accurately allows responders to understand what they are dealing with and eradicate it from the network.
What are typical outputs?
- Routine monthly reporting detailing the generic threat landscape with technical data for defenders to use on intrusion-detection services.
- A searchable repository of historic data for cybersecurity analysts to interrogate.
- Tailored intelligence reports based on the specific threat landscape of the country in question.
- Immediate reporting by exception based on new or changing intrusion sets that pose a specific threat: for example, if a new vulnerability is found, an exception-based report should be issued to raise awareness of this new threat.
How is it delivered?
Normally as a service by threat intelligence specialists who provide access to an online portal and alerts via email for urgent reporting.
How easily can a country do it themselves?
There are so many good open-source products available that it is very easy to get started using threat intelligence; however, it is much harder to produce proprietary data and analysis.
What good practice guidance is available?
CREST is the UK market leader in threat intelligence best-practice training. The UK NCSC also runs a platform called CiSP, which provides threat intelligence and the opportunity for businesses and organizations to share data.
- Before a client purchases this capability from a vendor it is important to first map out the threat landscape relevant to the client. This means that the client requirement is mapped to a vendor’s expertise. For example, some companies specialize in Russia, while others might focus on criminal gangs. However, they will all cover the same baseline of threats.
- Should the client wish to build their own capability, they need to focus on the diversity of skills required to take complicated subject matter and turn it into a report that a non-technical person can make a decision on. The UK NCSC assessment team is a leader in this, and its reporting can be found on the NCSC CiSP platform.
- The most effective solution is a blend of in-house expertise, professional reporting and open-source material, making sure that relevant content is cherry-picked to suit the threat landscape.
Cost
Subscription: free to $105,250 USD per year for big-name vendors. Training an in-house team costs $6,580 USD of training per person plus salary. However, a base level of technical knowledge is required.
Duration
Subscriptions are normally yearly, and training someone from scratch requires about 3 months of training, mentoring and experience before they are effective, assuming a base level of technical understanding.
Scenario 1
In 2018, CYSIAM were instructed by a UK-based organization to investigate the activity of a critical piece of infrastructure over a given time period in order to establish a baseline for future updates to their security plan. The organization had previously been susceptible to attacks and therefore also requested that we investigate likely threat actors for similar future attacks. We engaged with them to establish the scope, and began by gathering technical data on previous attacks and Open Source Intelligence (OSINT) on attacks against similar organizations and infrastructure.
Through OSINT and, in particular, dark-web investigation of the likely threat actors, we discovered a wing of a well-known overseas group publishing instructions on how to carry out cyber attacks on similar organizations to our customer. This included PDF instruction manuals and videos promoting their group. The content of the website, videos and PDFs was translated into English and revealed several TTPs (Tactics, Techniques and Procedures) including tools used, victim type and the vulnerabilities they looked for when choosing the victim.
After analyzing the data that we had gathered, we suggested that the motivation for this campaign was anti-Western political activism with the aim that the attacks would remain deniable, due to the fact that they were publishing instruction manuals for other individuals. We immediately collated the relevant information in relation to this campaign into a brief intelligence report and delivered it to our customer, who was able to ensure that their critical infrastructure was hardened against these known vulnerabilities as soon as possible.
Scenario 2
In 2019, we were asked by an Eastern European client to help develop their threat detection capability. They were starting from a very low level of maturity; consequently, developing their own threat intelligence as per scenario 1 was too much of a stretch. Instead, we helped them create a process for identifying sources of threat intelligence that were free and easy to access.
We used a combination of FireEye’s Mandiant Advantage Free and the Malware Information Sharing Platform (MISP) to provide point-and-click reports on new threats. These platforms provide indicators of compromise, and MISP provides an indicator-sharing function for partners who are also signed up to the service. This gave the client immediate access to threat intelligence.
Next, we advised on a development roadmap that would enable their own staff to be better equipped to perform their own analysis using research honeypots and other forms of data collection. We chose the CREST development roadmap for our students and supported them with ongoing mentoring.
This strategy enabled them to reach an immediate level of capability whilst developing in-house capacity in parallel. Within 3 months they were developing their own threat intelligence and sharing information with the international community.