Cyber Threat Intelligence Standards - A high-level overview

Christian Doerr
TU Delft, Cyber Threat Intelligence Lab

Delft University of Technology
Challenge the future

Friday, November 16, 18


~ whoami

• At TU Delft since 2008 in the area of Network Security, Critical Infrastructure Protection
• Threat Intelligence Lab with currently 23 team members

Research Themes:
• Fingerprinting Adversarial Procedures
• Secure Threat Intelligence Sharing
• Vulnerability Analysis
• Design of Mitigation Schemes

https://www.cyber-threat-intelligence.com

The Devices that Gave Away their Masters
For effective Cyber Defense you need Cyber Threat Intelligence

Actors: Organized crime, Script Kiddies, Hacktivists, Cracker, Nation-state actors, Cyber terrorists

Who is out there (and after me)?
What are their capabilities?
What are their intentions?
What is Threat Intelligence?

The purpose of threat intelligence is to understand the enemy, help anticipate future actions and plan a response.

                    Understanding: Known              Understanding: Unknown
  Data: Known       Things we are aware of            Things we are aware of
                    and understand                    but don't understand
  Data: Unknown     Things we are not aware of        Things we don't know that they
                    but would understand              exist and don't understand

Improving Data moves along the Data axis (from unknown to known data); Improving Interpretation moves along the Understanding axis (from not understood to understood).
When is it a threat to me?

Risk = Vulnerability * Impact * Threat

The Threat factor is the Attacker, characterized by:
• Opportunity: System Access / Vulnerabilities
• Means: Capabilities (Skill, Knowledge and Resources)
• Motives: Valuation, Goals

Intelligence needs to help me understand these aspects for adversaries I potentially face.
Threat Intelligence is in essence risk reduction.
Strategic Cyber Threat Intelligence

Key goal: Support executives in decision making.

All deliverables are written in a language for policy makers and strategists.

(Pyramid: Strategic)
Operational Cyber Threat Intelligence

Key goal: Understand the threat actors and their modus operandi.

Investigate the capabilities, intent and methods, or "techniques, tactics and procedures" (TTPs).

Provides input to network architects, system administrators, etc.

(Pyramid: Strategic / Operational)
Tactical Cyber Threat Intelligence

Key goal: Apply knowledge about threats into concrete detection capabilities.

Feed information that can be directly used to respond to threats (MD5 file hashes, Bro signatures, malicious domain names) into controls.

(Pyramid: Strategic / Operational / Tactical)
Intelligence starts with a question and answers it

Analyze available information against some requirements to make an assessment in decision making.

Intelligence is both product and process!
CTI Interaction in the Organization and Standardization Efforts

Inputs feeding the Cyber Threat Intelligence Corpus:
• open data sources
• commercial feeds
• shared intelligence (exchange standards: Stix, Taxii, IODEF)
• asset information

Sharing scenario (subject to active research): Threat Intelligence Provider, ISACs, Victim and Malicious Actor, connected via the Internet; building blocks are a Communication Protocol and a Cryptographic Protocol.

Consumers of the corpus:
• decision making support: security policy, resource allocation, security by design
• administrators
• CSIRTs / ISACs

Standardization efforts by area:
• Terminology: one actor, many names, e.g. Sofacy Group, Pawn Storm, Sednit, Strontium, Fancy Bear, APT28, Tsar Team
• Methods and Techniques: Threat Modeling (e.g. OWASP, Intel TARA), Ontologies (VERIS)
Processing CTI: The Intelligence Cycle

• Planning and Direction: Start with intelligence gaps and prioritize them.
• Collection: Determine which data sources you need and how to get them. Acquire the data.
• Processing and Exploitation: Correlation and validation of data. Evaluate its usefulness to answer the question.
• Analysis and Production: Evaluate relevance to answer the gap, draw conclusions.
• Dissemination and Integration: Distribute and package the information for the customer. The format, language and medium are as important as the message!
OODA

Observe -> Orient -> Decide -> Act -> Observe -> Orient -> Decide -> Act -> ...

Main takeaway: Structure how you operate.
(Remember intelligence and incident response is a process.)

You can also use strategy to disrupt the activities of the adversary.
Cyber Kill Chain

Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> Command and Control -> Actions

Phases are grouped into Pre-Compromise, Compromise and Post-Compromise; axis: Cost to Defender.
Cyber Kill Chain can help you structure knowledge about adversarial TTPs

• Reconnaissance: Which hosts/employees were targeted?
• Weaponization / Delivery: Which vector was used? How was the payload delivered?
• Exploitation: Which vulnerabilities were used?
• Installation: Which modules, filenames contained the malware?
• Command and Control: To which C&C servers would the malware connect?

Analysis -> Synthesis -> Detection

These insights can then be mapped to tactical CTI for detection.
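The step from operational answers (what happened in each kill-chain phase) to tactical CTI (atomic indicators a control can match on) can be made concrete in code. The following is an added example, not code from the slides or the TU Delft lab: the intrusion record, the `key=value` log format, the log lines and every indicator value (hash, domain, address) are constructed for illustration, and the field names in `FIELD_FOR_KIND` are a hypothetical sensor schema.

```python
"""Mapping operational kill-chain findings to tactical indicators.

Added example, not from the slides or the TU Delft lab. The intrusion
record, the log lines and every indicator value below are constructed
for illustration; the log format is a hypothetical 'key=value' layout.
"""
import hashlib
from dataclasses import dataclass

# Constructed hash of a constructed payload, so it is obviously not a real IoC.
SAMPLE_MD5 = hashlib.md5(b"constructed sample payload").hexdigest()

# Answers to the per-phase questions from the kill-chain slide (constructed).
INTRUSION = {
    "delivery": {"vector": "spearphishing attachment",
                 "sender_domain": "invoice-update.example"},
    "installation": {"filenames": ["svchost_update.exe"], "md5": [SAMPLE_MD5]},
    "command_and_control": {"domains": ["update.telemetry-sync.example"],
                            "ips": ["203.0.113.45"]},
}


@dataclass(frozen=True)
class Indicator:
    phase: str   # kill-chain phase the indicator was derived from
    kind: str    # "domain", "ip", "md5" or "filename"
    value: str


def derive_indicators(intrusion):
    """Operational CTI (what happened, per phase) -> tactical CTI (atomic indicators)."""
    out = []
    d = intrusion.get("delivery", {})
    if "sender_domain" in d:
        out.append(Indicator("delivery", "domain", d["sender_domain"].lower()))
    inst = intrusion.get("installation", {})
    out += [Indicator("installation", "md5", h.lower()) for h in inst.get("md5", [])]
    out += [Indicator("installation", "filename", f.lower()) for f in inst.get("filenames", [])]
    c2 = intrusion.get("command_and_control", {})
    out += [Indicator("command_and_control", "domain", x.lower()) for x in c2.get("domains", [])]
    out += [Indicator("command_and_control", "ip", x) for x in c2.get("ips", [])]
    return out


# Which log fields each indicator kind is compared against (hypothetical schema).
FIELD_FOR_KIND = {
    "domain": ("query", "from"),   # DNS query name, SMTP envelope sender
    "ip": ("dst",),                # flow destination
    "md5": ("md5",),               # hash reported by the endpoint sensor
    "filename": ("image",),        # full image path of a created process
}

# Constructed log lines: timestamp, source, then key=value fields.
SAMPLE_LOGS = [
    "2018-11-16T09:00:31Z smtp from=billing@invoice-update.example to=user1@corp.example",
    "2018-11-16T09:01:02Z dns query=www.tudelft.nl client=10.0.0.5",
    "2018-11-16T09:01:09Z dns query=update.telemetry-sync.example client=10.0.0.23",
    f"2018-11-16T09:02:11Z proc image=C:\\Users\\u1\\svchost_update.exe md5={SAMPLE_MD5}",
    "2018-11-16T09:03:40Z flow dst=203.0.113.45 dport=443 client=10.0.0.23",
    "2018-11-16T09:04:00Z flow dst=198.51.100.7 dport=443 client=10.0.0.8",
]


def parse_kv(line):
    """Split one constructed log line into (timestamp, source, {field: value})."""
    ts, source, *rest = line.split()
    fields = dict(tok.split("=", 1) for tok in rest if "=" in tok)
    return ts, source, fields


def indicator_matches(ind, value):
    """Compare one indicator with one field value, normalised per kind."""
    value = value.lower()
    if ind.kind == "domain":
        # exact host, a subdomain of it, or the domain part of a mail address
        return (value == ind.value or value.endswith("." + ind.value)
                or value.endswith("@" + ind.value))
    if ind.kind == "filename":
        return value.replace("\\", "/").rsplit("/", 1)[-1] == ind.value
    return value == ind.value


def scan(lines, indicators):
    """Return (timestamp, source, indicator) for every indicator hit in the lines."""
    hits = []
    for line in lines:
        ts, source, fields = parse_kv(line)
        for ind in indicators:
            for key in FIELD_FOR_KIND[ind.kind]:
                if key in fields and indicator_matches(ind, fields[key]):
                    hits.append((ts, source, ind))
    return hits


def hits_by_phase(hits):
    """Count hits per kill-chain phase: shows how far along the chain an intrusion got."""
    counts = {}
    for _, _, ind in hits:
        counts[ind.phase] = counts.get(ind.phase, 0) + 1
    return counts


if __name__ == "__main__":
    inds = derive_indicators(INTRUSION)
    for ts, source, ind in scan(SAMPLE_LOGS, inds):
        print(f"{ts} {source:5} {ind.phase:20} {ind.kind}={ind.value}")
    print(hits_by_phase(scan(SAMPLE_LOGS, inds)))
```

Keeping the originating phase on each indicator is the point of the mapping: a hit on a delivery-phase indicator alone means a phishing mail arrived, while hits on installation and command-and-control indicators from the same host mean the chain has progressed past compromise, which changes the response priority.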
Diamond Model

Main idea: Intrusions are a series of events connected in activity threads. As resources are reused, connections between common elements are drawn.

Vertices:
• Adversary: persona (mail, handles), network assets
• Infrastructure: IP, DNS, email, stolen TLS certs
• Capability: malware, exploit kits, tools
• Victim: persona, network assets, email addresses

Axes: Adversary-Victim: Intention; Infrastructure-Capability: TTP
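The linking rule on this slide, "as resources are reused, connections between common elements are drawn", can be implemented as a pivot over the Infrastructure, Capability and Adversary vertices of each event. The following is an added example and not the slides' or the TU Delft lab's code: the events, handles, domains and addresses are constructed (RFC 5737 addresses, `.example` names), and excluding the Victim vertex from pivoting is a design choice of this example, not a statement of the model.

```python
"""Linking Diamond Model events into activity threads via reused resources.

Added example, not from the slides or the TU Delft lab. The events, handles,
domains and addresses below are constructed (RFC 5737 addresses, .example
domains); the pivot logic is one possible implementation of the slide's idea.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Event:
    """One intrusion event with the four Diamond Model vertices."""
    event_id: str
    adversary: frozenset       # persona: mail addresses, handles (empty if unknown)
    infrastructure: frozenset  # IPs, DNS names, certificate fingerprints
    capability: frozenset      # malware families, exploit kits, tools
    victim: frozenset          # victim personas, network assets, mail addresses


def pivot_features(ev):
    """Features that indicate resource reuse. Each is tagged with its vertex so an
    address on the infrastructure vertex never collides with a victim asset.
    Victims are deliberately excluded: two unrelated actors may hit the same target."""
    return ({("adversary", x) for x in ev.adversary}
            | {("infrastructure", x) for x in ev.infrastructure}
            | {("capability", x) for x in ev.capability})


def pivots(events):
    """Shared features for every pair of events that has any (the drawn connections)."""
    shared = {}
    for a, b in combinations(events, 2):
        common = pivot_features(a) & pivot_features(b)
        if common:
            shared[(a.event_id, b.event_id)] = common
    return shared


def activity_threads(events):
    """Transitively group events that share at least one pivot feature (union-find)."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # feature -> event_id that first carried it
    for ev in events:
        for f in pivot_features(ev):
            if f in first_seen:
                ra, rb = find(first_seen[f]), find(ev.event_id)
                if ra != rb:
                    parent[rb] = ra
            else:
                first_seen[f] = ev.event_id
    threads = {}
    for ev in events:
        threads.setdefault(find(ev.event_id), []).append(ev.event_id)
    return sorted(sorted(ids) for ids in threads.values())


def thread_adversaries(events, thread):
    """Adversary features observed anywhere in a thread: this is how an empty
    adversary vertex on one event gets filled in from a linked event."""
    by_id = {e.event_id: e for e in events}
    out = set()
    for eid in thread:
        out |= by_id[eid].adversary
    return out


# Constructed events. E1 and E2 reuse the same dropper; E1 and E3 reuse a domain;
# E4 only shares a victim with E1 and therefore stays on its own thread.
EVENTS = [
    Event("E1", frozenset(), frozenset({"203.0.113.10", "login-portal.example"}),
          frozenset({"DropperX"}), frozenset({"ministry-a.example"})),
    Event("E2", frozenset(), frozenset({"198.51.100.20"}),
          frozenset({"DropperX"}), frozenset({"contractor-b.example"})),
    Event("E3", frozenset({"handle:hawkeye"}),
          frozenset({"login-portal.example", "cert:0000-constructed-fingerprint"}),
          frozenset({"ToolY"}), frozenset({"ngo-c.example"})),
    Event("E4", frozenset(), frozenset({"192.0.2.99"}),
          frozenset({"CommodityRAT"}), frozenset({"ministry-a.example"})),
]

if __name__ == "__main__":
    for pair, common in pivots(EVENTS).items():
        print(pair, sorted(common))
    for thread in activity_threads(EVENTS):
        print(thread, "adversary:", sorted(thread_adversaries(EVENTS, thread)))
```

The caveat a practitioner should keep in mind is visible in the output: one shared feature is enough to merge two threads, so a widely reused commodity tool or a shared hosting address would chain unrelated intrusions together. In practice pivot features are weighted or restricted to resources that are rarely shared.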
CTI Interaction in the Organization and Standardization Efforts (complete map)

Inputs feeding the Cyber Threat Intelligence Corpus: open data sources, commercial feeds, shared intelligence (Stix, Taxii, IODEF; secure sharing subject to active research), asset information

Consumers: decision making support (security policy, resource allocation, security by design), administrators, CSIRTs / ISACs, SIEM / SOC / IR, pentesting, forensics

Standardization efforts by area:
• Terminology
• Methods and Techniques: Threat Modeling (e.g. OWASP, Intel TARA), Ontologies (VERIS)
• Detection Formats: Snort, Bro, Yara
• Modeling Adversarial Behavior: MITRE ATT&CK
• CTI Education (Training + Quality Standards)
Key Takeaways

• There is not one CTI Standardization effort: a broad portfolio of activities covering various aspects of the lifecycle
• Standardization activities are to some extent bottom up or are driven by individual organizations and become de-facto standards
• We are still missing agreement / standardization on a significant number of components in the CTI landscape
Thank you

Christian Doerr
Cyber Threat Intelligence Lab
https://www.cyber-threat-intelligence.com
c.doerr@tudelft.nl