
Cyber Threat Intelligence

</Ismail Ahamed Hassan>


whoami
An enthusiastic developer who aims to improve, generate and solve problems in cybersecurity, providing security and privacy for organizations and individuals all over the world!

https://github.com/thearrival

https://www.linkedin.com/in/engismail2020/

esmail19980@gmail.com
Contents
Section one
- Introduction about Cyber Threat Intelligence
- Indicators of Compromise (IOCs) vs Indicators of Attack (IOAs)
- What is the Cyber Kill Chain?
- Tactics, Techniques and Procedures (TTPs)

Section two
- Email analysis methodology

Section three
- Cybersecurity in the Emirates
- Statistics: cyber-attacks in the UAE during 2020
- Advanced Persistent Threat Group Targeting the United Arab Emirates
- References
- Introduction about Cyber Threat Intelligence

Cyber Threat Intelligence is the method in which information from multiple sources is collected and then analyzed to identify and detect threats against an environment. The information collected could be evidence-based knowledge that supports the context, indicators, mechanisms or implications of an already existing threat against the environment, and/or knowledge about an upcoming threat that could potentially affect it. This information can then be used to take the necessary action to protect against an attack from adversaries. The whole breakdown of the process is defined in the CTI cycle.
The Intelligence cycle
When we are given a specific project, we implement a five-step process called the intelligence cycle. This process ensures that we do our job correctly as we work through a system of checks and balances. Let's take a closer look at each step:

[Diagram: the intelligence cycle – Planning → Collection → Exploitation → Analysis and Production → Dissemination]


1 – PLANNING
Planning refers to the leadership decision on collection and analysis priorities. This information could include the assets and business processes that need to be protected.

2 – COLLECTION
Collection is the process of gathering information to address the most important intelligence requirements. Information gathering can occur
organically through a variety of means.

3 – EXPLOITATION
After gathering all the important information we need about the target, we put it into an intelligence report. This information is then used in the exploitation part.

4 – ANALYSIS AND PRODUCTION
After processing the intelligence into a proper format, the intelligence is analyzed in this phase to obtain refined information.

5 – DISSEMINATION
Dissemination involves getting the finished intelligence output to the places it needs to go.
Types of Cyber Threat Intelligence
As with conventional intelligence, there are different levels of cyber threat intelligence: operational, tactical, and strategic. Each level differs in the nature and format of the material conveyed, its intended audience and its application.

Strategic
Strategic threat intelligence exists to inform senior decision makers of broader changes in the threat
landscape.

Tactical
Tactical threat intelligence consists of material relating to the techniques, tactics and procedures
(TTP’s) used by threat actors.

Operational
Operational threat intelligence often relates to details of potential impending operations against an
organization.
- Indicators of Compromise (IOCs) vs Indicators of Attack (IOAs)
There are two main methods of detection in the security marketplace: Indicators of Attack (IOAs) and Indicators of Compromise (IOCs). The two methods approach detection in vastly different ways. Systems that detect IOCs are reactive: they look at events in retrospect, essentially flagging problems after they have happened. IOAs have a different philosophy from IOCs: rather than reacting to something like a vulnerability that has already been exploited, IOAs take a proactive approach.
IOC tools: OpenIOC, YARA, feeds and APIs

IOCs              IOAs
Malware           Code Execution
Signatures        Persistence
Exploits          Stealth
Vulnerabilities   Command and Control
IP Addresses      Lateral Movement
- What is the Cyber Kill Chain?
The Cyber Kill Chain is a framework used to defend the world's most critical networks and platforms.

• It is derived from the military kill chain
• It describes the structure of an attack
• It defines 7 stages of a targeted attack

How can it be used for defense?

• Breaking the kill chain is the defense
• Each stage presents an opportunity to detect and react
- Tactics, Techniques and Procedures (TTPs)
The term Tactics, Techniques, and Procedures (TTP) describes an approach of analyzing an APT’s operation or can be used as
means of profiling a certain threat actor.

• Tactic
The way the threat actor operates during the different steps of its operation/campaign. Tactics represent the "why" of an attack technique: the adversary's tactical objective, the reason for performing an action.

• Technique
The approach the threat actor uses to facilitate a tactic.

• Procedure
The exact way a particular adversary or piece of software implements a technique.
- Email analysis methodology for cyber threats

Malicious emails pose substantial threats to businesses. Whether it is a malware attachment or a URL leading to malware,
exploitation or phishing, attackers have been employing emails as an effective way to gain a foothold inside organizations of all kinds.
To combat email threats, especially targeted attacks, traditional signature- and rule-based email filtering as well as advanced
sandboxing technology both have their own weaknesses.

[Pie chart: Email Message Types – Spam, Not Spam, Newsletter, Malware (slices of 84%, 13%, 2% and 1%)]


• Extract IOCs from an email
An email message is composed of two parts: the header and the body. The email header contains lines of information, including common fields such as Date, From, To and Subject. The header also keeps track of information that is normally not displayed to the end user, such as the entire path the email takes from origin to destination, which includes the originating sender IP address and the mail server domains/IPs, along with the corresponding timestamps. Extracting IOCs helps the malware analyst understand and identify compromised systems: the process consists of extracting these IOCs and having your log search platform match them against your proxy, firewall and email logs.
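As an added example (not code from the slides or from the meioc tool), the following Python parses a constructed sample message and pulls out the header and body IOCs described above: sender addresses, relay IPs from the Received headers, URLs in the body and attachment hashes. The message, addresses, IPs and attachment bytes are constructed for illustration.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample message (not a real email); the attachment is a truncated fake PE stub.
RAW_EMAIL = b"""Received: from [198.51.100.7] (unknown [198.51.100.7]) by mx.victim.example with ESMTP; Mon, 1 Jun 2020 10:00:00 +0000
From: "IT Support" <support@examp1e.com>
Reply-To: attacker@example.org
To: user@victim.example
Subject: Urgent: password reset
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please verify at http://examp1e.com/reset or https://login.example.org/x now.
--XYZ
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def extract_iocs(raw: bytes) -> dict:
    """Return sender addresses, relay IPs, body URLs and attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    iocs = {"senders": set(), "ips": set(), "urls": set(), "attachments": []}
    # Visible sender fields plus Return-Path, which is set by the receiving MTA
    for hdr in ("From", "Reply-To", "Return-Path"):
        iocs["senders"].update(a.lower() for a in ADDR_RE.findall(msg.get(hdr, "")))
    # Each relay prepends a Received header, so these record the delivery path
    for received in msg.get_all("Received", []):
        iocs["ips"].update(IP_RE.findall(received))
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)  # base64 decoded to raw bytes
            iocs["attachments"].append(
                {"name": part.get_filename(), "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            iocs["urls"].update(URL_RE.findall(part.get_content()))
    return iocs
```

The resulting sets are what you would feed to the log search platform to match against proxy, firewall and mail logs.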

Experiment setup
Before starting the experiment we must prepare the operating base for the test. Our experiments are based on Windows 10 Pro with an Intel(R) Core(TM) i5-6200U CPU at 2.30 GHz, an NVIDIA GeForce 920M Graphics Processing Unit (GPU) with 4 GB of memory, and 8 GB of DDR4 RAM. The technique is as follows: create a spam email by using the Metasploit framework to generate a spyware application, deliver it to my email, then analyze it using the Python-based Meioc tool (https://github.com/drego85/meioc.git) to extract the IOC details. The whole process is implemented on the Kali Linux operating system.
Step one (creating spyware):
Step two (send it to my email):
Step three and last one (Malware analyzing via meioc)
Discover if the email is legit or phishing
As we know, phishing is one of the most common methods of cyber crime. Determining whether an email is legit or phishing depends on many factors:

• The email is poorly written
• It includes suspicious attachments or links
• The message creates a sense of urgency
• The message is sent from a public email domain
• The domain name is misspelt
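The factors above can be turned into a simple triage check. This is an added example, not from the original slides; the public-domain list, urgency phrases, risky extensions, the 0.8 similarity threshold and the sample messages are assumptions, and the "poorly written" factor is left to the analyst.

```python
import re
from difflib import SequenceMatcher

# Assumed lists; a real deployment would tune these to the organisation
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended", "act now")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta", ".iso")
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.I)
IP_HOST_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def is_lookalike(domain: str, trusted: str) -> bool:
    """Misspelt-domain check: examp1e.com is close to, but not equal to, example.com."""
    return domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= 0.8


def phishing_indicators(sender: str, subject: str, body: str,
                        attachments: list, trusted_domains: set) -> list:
    """Return the indicators from the list above that the message triggers.
    The 'poorly written' indicator needs a spell checker and is left to the analyst."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in PUBLIC_DOMAINS:
        reasons.append("sent from a public email domain")
    if any(is_lookalike(domain, t) for t in trusted_domains):
        reasons.append("sender domain is a misspelling of a trusted domain")
    text = f"{subject} {body}".lower()
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("creates a sense of urgency")
    if any(name.lower().endswith(RISKY_EXTENSIONS) for name in attachments):
        reasons.append("suspicious attachment")
    for host in HOST_RE.findall(body):
        host = host.lower()
        # Links to bare IPs or to look-alike hosts count as suspicious links
        if IP_HOST_RE.match(host) or any(is_lookalike(host, t) for t in trusted_domains):
            reasons.append(f"suspicious link host {host}")
    return reasons


def verdict(reasons: list) -> str:
    """Two or more indicators: treat as phishing until verified out of band."""
    return "phishing" if len(reasons) >= 2 else "likely legit"
```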
- Cybersecurity in the Emirates
As a regional leader in digitization and a global cultural and financial hub, the UAE is in the unenviable position of needing to protect against a continuous stream of cyberattacks while leading the region toward cybersecurity preparedness. Increased connectivity and technology penetration mean that the Emirates are vulnerable to attacks from many sides, including regional political rivals and financially motivated cyber criminals. More than half of the United Arab Emirates population experienced cyber crime in 2019, and more than $5.9 million (Dh21.65m) was lost.
Statistics: cyber attacks in the UAE in 2020
The number of cyber attacks against smartphones in the UAE dropped 24.3 per cent year-on-year in the first quarter of 2020, and users remained increasingly cautious as they continued to operate remotely to curb the spread of Covid-19.

Source: Kaspersky
Advanced Persistent Threat Group Targeting the United Arab Emirates
At the beginning of this year, APT41, a Chinese hacker group formed at the end of 2019, targeted multiple high-profile companies in Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, the Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, the UAE, the UK and the USA. The following industries were targeted: Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel and Banking/Finance.

Tools/Malware:
Winnti, Gh0st RAT, PoisonIvy, HydraQ, Hikit, ZxShell, Deputy Dog, Derusbi, PlugX, HTRAN, HDRoot, Fscan

Example: an HTTP request downloading '2.exe', a VM-protected Meterpreter downloader, via CertUtil.
- References

• Glyer, C., et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
• Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who's Reading Your Text Messages? Retrieved May 11, 2020.
• Hun-Ya. Using IOC (Indicators of Compromise) in Malware Forensics.
• https://www.fireeye.com/solutions/cyber-threat-intelligence/intelligence-capability-development.html
• https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
• https://github.com/drego85/meioc
• https://aptmap.netlify.app/
• https://www.tra.gov.ae/userfiles/assets/Lw3seRUaIMd.pdf (Telecommunications Regulatory Authority, هيئة تنظيم الاتصالات)
• Hutchins, E. M., Cloppert, M. J., Amin, R. M. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation.
• https://www.cfr.org/interactive/cyber-operations/axiom

I appreciate you taking the time
