Cyber Threat Intelligence: “Is it a mythical animal?”
Is “a bunch of IOCs named for marketing” CTI? Is “we did an IR response against a top tier APT, here are the only things the lawyer will let us say” CTI? Is “this is a new threat; we have some generic and entirely impractical mitigation advice” CTI? Or do all of them, plus many other definitions of CTI, together make up CTI? Is CTI a mythical animal like Pegasus, i.e., a horse with wings? This post briefly discusses CTI and how today’s CTI is still evolving, why sharing CTI is or is not beneficial, and why systems thinking is so important to Cyber Security, with CTI as a good helper in achieving it. Hopefully, someday we can say that CTI helps us go far together in Cyber Security.
“They sway’d about upon a rocking horse, And thought it Pegasus. Ah dismal soul’d!” - “Sleep and Poetry” (1816) by John Keats1
1 It All Starts with Connectivity
In the early morning of May 7, 2021, a ransomware note appeared in Colonial Pipeline Co.’s control room, and the entire pipeline was shut down. According to an investigation by cybersecurity firm Mandiant, part of FireEye Inc., the attackers had gained entry into Colonial’s networks more than a week earlier. The attack vector discovered was a compromised password for a virtual private network account used for remote access. The first lesson learned, then, is that the attackers used a “simple attack vector” [12]. The impact, however, was tremendous, both operational and financial: fuel deliveries up and down the East Coast were crippled and a $5 million USD ransom was paid [13]. Privately held Colonial is one of the largest pipeline operators in the United States and supplies roughly 45% of the East Coast’s fuel, so shutting it down for almost a week created chaos in fuel supplies across the impacted areas of the US. Furthermore, we learned that the culprit was DarkSide, which claimed responsibility for the attack [7].
Note that CISA had already published guidance on this class of attack well before the incident: Alert AA20-049A, “Ransomware Impacting Pipeline Operations” [5], was issued in February 2020 (and revised later that year) after a ransomware attack on a natural gas compression facility. It details the attack technically, based on the network configuration and impacted assets, and provides planning and operational mitigations. The question is therefore “Can we do better?”, that is, can we evolve from reactive to proactive?
2 Blind Men And An Elephant
Figure 1: Blind Men And An Elephant2
Many of us know the parable of the blind men who touch an elephant and each describe it differently. One says the elephant is like a tree, another that it is like a fan, and so on. Had they pooled their observations for collective learning, they might have reconstructed the complete picture of an elephant. Cyber Security is similar: we need to work together by sharing knowledge, because many attacks do not target a single organization in isolation but several organizations, often in the same sector [11]. When we respond to threats, we therefore need to keep in mind the collaboration of an entire system, industry, sector, or set of sectors. One approach that facilitates this is known as Cyber Threat Intelligence (CTI). CTI has many definitions. One definition was proposed by Gartner:
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.
Another definition of CTI was proposed by Dalziel:
Threat intelligence is information that should be relevant (i.e., potentially related to the organization and/or objectives), actionable (i.e., specific enough to prompt some response, action, or decision) and valuable (i.e., the information has to contribute to a useful business outcome). [6]
From both definitions we learn that CTI involves evidence, the context of the environment that gives that evidence value, and an actionable outcome. For interested readers, an introductory overview of CTI is available in [1]. CTI is information-driven, and the types of information, according to the European Network and Information Security Agency (ENISA), are:
- low-level data: e.g., network flow records, packet captures
- detection indicators: e.g., artifacts related to malware
- advisories: e.g., exploit code
- strategic reports: e.g., highly summarized threat analyses
If we discuss CTI information, then we need to revisit the Pyramid of Pain by Bianco [2]. At the bottom of the pyramid are hash values, which are trivial for an adversary to change and arrive in high volume. Above them sit IP addresses (easy to change), domain names (simple), network and host artifacts (annoying) and tools (challenging). At the top are Tactics, Techniques, and Procedures (TTPs), which are tough for an adversary to change but exist in limited volume. The practical consequence is that a feed of hashes costs the attacker almost nothing to evade, whereas detections built on TTPs force the attacker to change how they operate. For interested readers, the full article is available at [2].
After understanding the types of information in CTI and how we can obtain them, the next important issue is how to share CTI. For this, we can use the Traffic Light Protocol (TLP), a set of designations for labelling information by how widely it may be disclosed. TLP originated in the UK government’s NISCC, is maintained by FIRST, and is used by US-CERT/CISA among many others. TLP has four levels:
- RED: disclosure restricted to the named recipients only
- AMBER: limited disclosure, restricted to the recipients’ organizations
- GREEN: limited disclosure, restricted to the community
- WHITE: disclosure is not limited
A caveat for practitioners: a TLP label describes the sensitivity of a piece of information, not its quality or actionability, and the label travels with the information. A TLP:RED report cannot be summarized and re-shared at TLP:GREEN without the source’s consent.
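As an added example (not code from the original post), the following Python script puts the two ideas above together: it classifies each indicator in a constructed feed by Pyramid of Pain level, filters the feed by TLP label for a given recipient, and returns the shareable indicators with the hardest-to-change ones first. The feed entries, the hash and address values, and the four recipient categories used to model the TLP audiences are my assumptions, not part of any real feed or of the TLP text.

```python
"""Pyramid of Pain ranking plus TLP sharing filter for a small indicator feed.

Added example for this post. The feed entries, the hash and address values and the
recipient categories that model the TLP audiences are constructed assumptions.
"""
import re
from enum import IntEnum
from typing import Optional


class Pain(IntEnum):
    """Pyramid of Pain levels (Bianco), bottom to top: the higher, the more it costs the adversary to change."""
    HASH = 1      # trivial
    IP = 2        # easy
    DOMAIN = 3    # simple
    ARTIFACT = 4  # annoying: network or host artifacts
    TOOL = 5      # challenging
    TTP = 6       # tough


# TLP v1 audiences from innermost to outermost, and how far a recipient sits from the source
# (assumed categories; the relationship must be known before anything is released).
TLP_RANK = {"RED": 0, "AMBER": 1, "GREEN": 2, "WHITE": 3}
RECIPIENT_RANK = {"named_recipient": 0, "same_organization": 1, "community_member": 2, "public": 3}

_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)   # MD5 / SHA-1 / SHA-256
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

_EXPLICIT = {"hash": Pain.HASH, "ip": Pain.IP, "domain": Pain.DOMAIN,
             "artifact": Pain.ARTIFACT, "tool": Pain.TOOL, "ttp": Pain.TTP}


def classify(value: str, kind: Optional[str] = None) -> Pain:
    """Atomic indicators are recognised by shape. Artifacts, tools and TTPs carry an explicit
    kind from the producer, because no regex can tell a TTP description from free text."""
    if kind is not None:
        return _EXPLICIT[kind.lower()]
    v = value.strip()
    if _HASH.match(v):
        return Pain.HASH
    if _IPV4.match(v):
        return Pain.IP
    if _DOMAIN.match(v):
        return Pain.DOMAIN
    raise ValueError(f"cannot classify {value!r}; label it with an explicit kind")


def can_share(tlp: str, recipient: str) -> bool:
    """RED reaches only the named recipients, AMBER their organizations, GREEN the community, WHITE anyone."""
    return RECIPIENT_RANK[recipient] <= TLP_RANK[tlp.upper()]


def prepare_share(feed, recipient):
    """Return (level name, value) pairs the recipient may receive, most painful for the adversary first.
    The TLP check runs before classification so a RED entry never influences what a wider audience sees."""
    shareable = [(classify(e["value"], e.get("kind")), e["value"])
                 for e in feed if can_share(e["tlp"], recipient)]
    shareable.sort(key=lambda pair: pair[0], reverse=True)
    return [(level.name, value) for level, value in shareable]


# Constructed feed. The hash is the MD5 of empty input and the address is from the
# TEST-NET-2 documentation range; neither is a real indicator of compromise.
SAMPLE_FEED = [
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "tlp": "WHITE"},
    {"value": "198.51.100.23", "tlp": "GREEN"},
    {"value": "update.example.net", "tlp": "AMBER"},
    {"value": "HTTP User-Agent 'Mozilla/4.0 (compatible; MSIE 6.0)'", "tlp": "AMBER", "kind": "artifact"},
    {"value": "custom VPN credential-stuffing tool", "tlp": "RED", "kind": "tool"},
    {"value": "Valid accounts over external VPN (ATT&CK T1078, T1133)", "tlp": "GREEN", "kind": "ttp"},
]

if __name__ == "__main__":
    for recipient in RECIPIENT_RANK:
        print(recipient, prepare_share(SAMPLE_FEED, recipient))
```

Two design points are worth noting. Only hashes, IP addresses and domains are recognised by shape; artifacts, tools and TTPs must be labelled by whoever produces the feed, which is exactly why the upper levels of the pyramid are harder to automate and scarcer in feeds. And the TLP check runs before anything else, so a community member asking for the feed sees the GREEN TTP and IP address and the WHITE hash, but never learns that a RED tool entry exists.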
As we have seen, CTI covers various kinds of information, and based on [4] CTI can be classified into four subtypes:
Technical TI (TTI) Information that is normally consumed through technical resources and typically feeds the investigative or monitoring functions of an organization, e.g., firewalls and intrusion detection systems.
Tactical TI, aka Tactics, Techniques, and Procedures (TTPs) Information about how threat actors conduct attacks, consumed by incident responders to ensure that their defenses and investigations are prepared for current tactics.
Operational TI Information about specific impending attacks against the organization, initially consumed by higher-level security staff, e.g., security managers.
Strategic TI High-level information consumed by decision-makers to help strategists understand current risks and identify further risks of which they are not yet aware.
Most of the time, what is referred to as CTI is TTI and TTPs. Furthermore, CTI components and capabilities keep evolving, and the trend is the integration of CTI with other products, e.g., Security Information and Event Management (SIEM) systems. CTI is enriched by integrating with other intelligence platforms, by ingesting Open Source Intelligence (OSINT) and commercial feeds, and by mapping malicious indicators onto observed events. CTI also has many use cases, such as enterprise security monitoring, incident response (alert triage, threat detection), fusion for threat discovery, and security planning.
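As an added example of the monitoring and triage use case (mine, not the post’s), the Python below sweeps a constructed indicator set (one IP address, one domain, one SHA-256) across constructed web-proxy log lines in an assumed key=value format, raises one alert per indicator hit, ranks the internal source hosts by how many distinct indicators they touched, and counts sightings per indicator as enrichment that could be fed back to the sharing community.

```python
"""Sweep a small CTI indicator set against proxy log lines and rank the results for alert triage.

Added example for this post. The indicator set and the log lines are constructed, and the
log format (space-separated key=value fields, values without spaces) is an assumption.
"""
from collections import Counter, defaultdict

# Constructed indicators: a TEST-NET-2 address, an example.net host and the SHA-256 of empty input.
INDICATORS = {
    "ip": {"198.51.100.23"},
    "domain": {"update.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed proxy records; the fourth one was blocked but still shows an attempted contact.
SAMPLE_LOGS = [
    "ts=2021-05-07T04:12:01Z src=10.0.0.5 dst=198.51.100.23 host=update.example.net "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 action=allow",
    "ts=2021-05-07T04:12:07Z src=10.0.0.5 dst=192.0.2.44 host=www.example.com action=allow",
    "ts=2021-05-07T04:13:30Z src=10.0.0.9 dst=198.51.100.23 host=cdn.example.org action=allow",
    "ts=2021-05-07T04:15:02Z src=10.0.0.7 dst=192.0.2.10 host=UPDATE.EXAMPLE.NET. action=block",
    "ts=2021-05-07T04:16:48Z src=10.0.0.11 dst=203.0.113.5 host=mirror.update.example.net action=allow",
]


def parse_line(line):
    """Turn 'k=v k=v' into a dict; a token without '=' is skipped rather than aborting the sweep."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
    return fields


def normalize_host(host):
    """Lower-case and drop a trailing dot so case and FQDN notation cannot dodge the match."""
    return host.lower().rstrip(".")


def domain_hit(host, domains):
    """Exact or parent-domain match: a.b.example.net hits an indicator for b.example.net.
    The bare TLD is never tried, so an indicator can't accidentally match every .net host."""
    parts = normalize_host(host).split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate
    return None


def match_fields(fields):
    """Return (field, indicator type, indicator) triples for every indicator the record touches."""
    hits = []
    dst = fields.get("dst")
    if dst in INDICATORS["ip"]:
        hits.append(("dst", "ip", dst))
    host = fields.get("host")
    if host:
        hit = domain_hit(host, INDICATORS["domain"])
        if hit:
            hits.append(("host", "domain", hit))
    digest = fields.get("sha256", "").lower()
    if digest in INDICATORS["sha256"]:
        hits.append(("sha256", "sha256", digest))
    return hits


def sweep(lines):
    """One alert dict per (record, indicator) pair."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        for field, itype, ioc in match_fields(fields):
            alerts.append({"ts": fields.get("ts"), "src": fields.get("src"), "field": field,
                           "type": itype, "indicator": ioc, "action": fields.get("action")})
    return alerts


def triage(alerts):
    """Rank internal hosts by the number of distinct indicators touched: a host that hit the
    domain, the address and the hash outranks hosts with a single, possibly shared-hosting IP hit."""
    per_src = defaultdict(set)
    for a in alerts:
        per_src[a["src"]].add((a["type"], a["indicator"]))
    return sorted(((src, len(iocs)) for src, iocs in per_src.items()), key=lambda t: (-t[1], t[0]))


def sightings(alerts):
    """Hits per indicator: the enrichment a consumer can report back to whoever shared the feed."""
    return Counter((a["type"], a["indicator"]) for a in alerts)


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for src, n in triage(found):
        print(f"{src}: {n} distinct indicator(s)")
    for (itype, ioc), n in sightings(found).items():
        print(f"{itype} {ioc}: {n} sighting(s)")
```

Run on the sample records, 10.0.0.5 comes out on top with three distinct indicators, the three single-hit hosts follow, and the domain indicator has the most sightings because the parent-domain match also caught the mirror subdomain. The blocked record for 10.0.0.7 still produces an alert: a firewall deny against a known bad domain is evidence of something on the host trying to reach it, which is the kind of context CTI is supposed to add to an otherwise boring log line.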
3 To Share or Not To Share?
Figure 2: Food Sharing3
Does Figure 2 remind us that as kids we sometimes hesitated to share our food? The same story goes for CTI: organizations hesitate to share CTI when they do not see the benefits. So, what are the benefits of CTI sharing? References [11, 8] discuss several of them: preventing potential cyber attacks, mitigating ongoing attacks and future hazards, and, if properly developed, a cost-effective tool in combating cyber crime. In addition, sharing gives us better situational awareness of the threat landscape and a deeper understanding of threat actors and their TTPs.
However, sharing CTI also raises many important questions [9], such as “Who should share information?”, “What should be shared?”, “When should it be shared?”, “What is the quality and utility of what is shared?”, and “How should it be shared?”
These questions may discourage CTI sharing and turn into reasons for not sharing: fear of negative publicity, privacy issues, doubts about the quality of shared CTI, lack of trust among participants, budget constraints, and the most basic one, the natural instinct not to share.
4 Cyber Security is a Shared Responsibility and CTI is a Good Samaritan
Cyber Security is a non-static balancing act between attackers and defenders. The defenders must defend against every possible attack, including attacks not yet realized, while attackers have only to find one weakness to penetrate a system. Furthermore, the complexity of new technologies makes it easier for attackers to find a weakness and harder for defenders to secure systems. Attackers thus have a first-mover advantage, trying new attacks first, while defenders are at the disadvantage of constantly responding [11].
From [10] we learn that Cyber Security is a shared responsibility across various components such as endpoint security, network security, threat information sharing, orchestration, and automation. Thus systems thinking [3] is very important to Cyber Security, and CTI is a good helper in achieving it. So, returning to our initial questions: is “a bunch of IOCs named for marketing” CTI? Is “we did an IR response against a top tier APT, here are the only things the lawyer will let us say” CTI? Is “this is a new threat; we have some generic and entirely impractical mitigation advice” CTI?4 Currently, all of them count as CTI, and today’s CTI is still evolving, so it may look like a mythical animal. Someday, however, we may be able to say that “CTI is not a mythical animal but a fundamental component of Cyber Security”, and, as an African proverb says:
“If you want to go fast, go alone. If you want to go far, go together”
1Credit for picture: KELLEPICS Stefan Keller (https://pixabay.com/photos/horse-pegasus-archway-fantasy-3395135/)
2Credit for picture: Gnazmul (https://imgbin.com/png/F7pvuyHE/blind-men-and-an-elephant-parable-point-of-view-fable-png)
3Credit for picture: iirliinnaa Irina Ilina (https://pixabay.com/illustrations/monkey-couple-cartoon-banana-fruit-6399443/)
4Credit for quotes: https://twitter.com/hostilespectrum/status/1388886562344259590
References
[1] C. Ahlberg. The Security Intelligence Handbook, Third Edition: How to Disrupt Adversaries and Reduce Risk with Security Intelligence. Recorded Future, 2020.
[2] David Bianco. The Pyramid of Pain. Enterprise Detection & Response (blog), 2013.
[3] Peter Checkland. Systems Thinking, Systems Practice. Wiley, 1981.
[4] David Chismon and Martyn Ruks. Threat Intelligence: Collecting, Analysing, Evaluating. MWR InfoSecurity Ltd, 2015.
[5] Cybersecurity and Infrastructure Security Agency (CISA). Alert (AA20-049A): Ransomware Impacting Pipeline Operations. https://us-cert.cisa.gov/ncas/alerts/aa20-049a, February 2020, revised October 2020. [Online; accessed 15-Nov-2021].
[6] Henry Dalziel. How to Define and Build an Effective Cyber Threat Intelligence Capability. Syngress, 2014.
[7] Charlie Osborne. Colonial Pipeline attack: Everything you need to know. ZDNet, https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/, May 2021. [Online; accessed 15-Nov-2021].
[8] Neil Robinson and Emma Disley. Incentives and Challenges for Information Sharing in the Context of Network and Information Security. Technical report, European Network and Information Security Agency (ENISA), 2012.
[9] Clemens Sauerwein, Christian Sillaber, Andrea Mussmann, and Ruth Breu. Threat intelligence sharing platforms: An exploratory study of software vendors and research perspectives. In 13th International Conference on Wirtschaftsinformatik (WI 2017), pages 837–851, 2017.
[10] Ida Siahaan. “We”llness not “I”llness: Cyber Security is a shared responsibility. https://cyberdailyreport.com/blog/42, May 2021. [Online; accessed 30-Nov-2021].
[11] Wiem Tounsi and Helmi Rais. A survey on technical threat intelligence in the age of sophisticated cyber attacks. Computers & Security, 72:212–233, 2018.
[12] William Turton and Kartikay Mehrotra. Hackers breached Colonial Pipeline using compromised password. Bloomberg, https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password, June 2021. [Online; accessed 15-Nov-2021].
[13] Christina Wilkie. Colonial Pipeline paid $5 million ransom one day after cyberattack, CEO tells Senate. CNBC, https://www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html, June 2021. [Online; accessed 15-Nov-2021].