
Threat Intelligence - a modern approach to ensuring information security

Imagine that you come to work, switch on your computer and see that your company's website is down and a shipment is stuck at customs and cannot reach the warehouse. Someone has even put a funny picture on your desktop background. The accountant comes in and reports that all the money has been withdrawn from the accounts, and your personal data is now delighting the entire Internet with its presence. You take a cup of coffee and walk to the window, and across the road a neighboring company is already manufacturing your once unique product. And your beautiful wife has flown off with a more successful competitor. At that moment it dawns on you: you have been hacked.


But you were warned: you should have put Threat Intelligence (TI) in place. First, though, let's look at how it works and what it protects against.


Threat Intelligence is cyber intelligence whose task is to obtain and analyze data on current threats in order to predict possible attacks and prevent them.


Threat intelligence consists of the following steps: collecting and accumulating threat data from various sources in a single system, enriching it, analyzing it, and applying the knowledge gained.


Data collection and accumulation


Threat data is collected using the following systems:


Search engines - crawlers that collect information about the sites existing on the Internet;


Sandbox - an isolated environment for safely executing suspicious code in order to detect and analyze malware;


Botnet monitoring - tracking networks of compromised computers under the control of an attacker's command-and-control server;


Honeypot - a network segment set up as bait for an intruder, separated from the organization's main protected network;


Sensors - agent programs that collect useful information from various devices.


The database is also replenished with leak databases: sensitive information that has reached open sources illegitimately. This can include credentials for systems and services, email addresses, credit card details and passwords.


From open sources (OSINT) come feeds, i.e. structured, already analyzed data: IP addresses and domains from which malicious files are distributed, the samples themselves and their hashes; lists of phishing sites and the email addresses of phishing senders; active C&C (Command & Control) servers; addresses from which networks are being scanned to inventory hosts and detect system versions, service banners and vulnerabilities; IP addresses from which brute-force attacks are conducted; YARA signatures for malware detection.
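As an added example (not code from the original article), the Python below ingests two constructed feed samples of different formats into one normalized store, the first step of the single platform described in this article: indicators are refanged (feeds commonly publish `hxxp://` and `[.]` so that indicators are not clickable), classified by type, validated against the type the feed declares, deduplicated across feeds, and provenance (source feed, first seen, tags) is kept. The feed names, formats and every indicator value are assumptions made up for this illustration.

```python
import csv
import io
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed feed samples (not real feeds). Feed A is CSV with defanged
# indicators; its last row deliberately mislabels an IP address as a domain.
FEED_A = """\
indicator,type,first_seen,tags
hxxp://update-check[.]example/dl/a.exe,url,2018-10-12,malware-download
198.51.100.23,ip,2018-10-11,c2
UPDATE-CHECK[.]example,domain,2018-10-12,c2|malware-download
203.0.113.50,domain,2018-10-12,scanner
"""

# Feed B is a plain list: one indicator per line, '#' comment lines, with a
# duplicate, one overlap with feed A and one malformed entry (constructed).
FEED_B = """\
# bruteforce sources, 2018-10-13
203.0.113.7
203.0.113.7
198.51.100.23
# sample hashes
9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
support@phish[.]example
malformed entry
"""

_HEX_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
_EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


@dataclass
class Indicator:
    kind: str
    value: str
    first_seen: Optional[str] = None
    sources: Set[str] = field(default_factory=set)
    tags: Set[str] = field(default_factory=set)


def refang(raw: str) -> str:
    """Undo the defanging feeds use so the indicator can be matched literally."""
    s = raw.strip()
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).lower().replace("hxxp", "http"), s, flags=re.I)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")


def classify(value: str) -> Optional[Tuple[str, str]]:
    """Return (kind, normalized value), or None if the token is not an IOC we handle."""
    v = refang(value)
    lower = v.lower()
    if re.fullmatch(r"[0-9a-f]+", lower) and len(lower) in _HEX_KINDS:
        return _HEX_KINDS[len(lower)], lower
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if lower.startswith(("http://", "https://")):
        scheme, rest = v.split("://", 1)
        host, sep, path = rest.partition("/")
        return "url", f"{scheme.lower()}://{host.lower()}{sep}{path}"  # host is case-insensitive, path is not
    if _EMAIL_RE.match(lower):
        return "email", lower
    if _DOMAIN_RE.match(lower):
        return "domain", lower
    return None


def _merge(store: Dict[Tuple[str, str], Indicator], ind: Indicator) -> None:
    """Deduplicate across feeds: union sources and tags, keep the earliest first_seen."""
    existing = store.get((ind.kind, ind.value))
    if existing is None:
        store[(ind.kind, ind.value)] = ind
        return
    existing.sources |= ind.sources
    existing.tags |= ind.tags
    if ind.first_seen and (existing.first_seen is None or ind.first_seen < existing.first_seen):
        existing.first_seen = ind.first_seen


def ingest_csv(name: str, text: str, store: Dict[Tuple[str, str], Indicator]) -> List[Tuple[str, str, str]]:
    """Load a CSV feed; report rows that parse to a different type than declared."""
    problems = []
    for row in csv.DictReader(io.StringIO(text)):
        hit = classify(row["indicator"])
        if hit is None:
            problems.append((name, row["indicator"], "unrecognised"))
            continue
        kind, value = hit
        if row.get("type") and row["type"] != kind:
            problems.append((name, row["indicator"], f"declared {row['type']}, parsed {kind}"))
        tags = {t for t in (row.get("tags") or "").split("|") if t}
        _merge(store, Indicator(kind, value, row.get("first_seen"), {name}, tags))
    return problems


def ingest_lines(name: str, text: str, store: Dict[Tuple[str, str], Indicator],
                 first_seen: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Load a one-indicator-per-line feed, skipping blank and '#' comment lines."""
    problems = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hit = classify(line)
        if hit is None:
            problems.append((name, line, "unrecognised"))
            continue
        _merge(store, Indicator(hit[0], hit[1], first_seen, {name}, set()))
    return problems


def build_store() -> Tuple[Dict[Tuple[str, str], Indicator], List[Tuple[str, str, str]]]:
    """Accumulate both constructed feeds into one store and collect the parse problems."""
    store: Dict[Tuple[str, str], Indicator] = {}
    problems = ingest_csv("feed_a", FEED_A, store)
    problems += ingest_lines("feed_b", FEED_B, store, first_seen="2018-10-13")
    return store, problems


if __name__ == "__main__":
    store, problems = build_store()
    for ind in store.values():
        print(f"{ind.kind:7} {ind.value:45} sources={sorted(ind.sources)} first_seen={ind.first_seen}")
    for p in problems:
        print("problem:", p)
```

The parse problems are returned rather than silently dropped because a feed that mislabels or malforms entries is itself a data point when judging the feed's quality later.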


Useful information can be found on the sites of analysis centers and CERTs and in the blogs of independent researchers: discovered vulnerabilities, rules for detecting them, and write-ups of investigations.


While investigating targeted attacks, analysts obtain samples of malicious files and their hashes, and lists of IP addresses, domains and URLs hosting illegitimate content.


The system also receives data on discovered software vulnerabilities and on attacks from partners, vendors and customers.


Information is collected from security tools (SZI): antivirus, IDS/IPS, firewalls, web application firewalls, traffic analysis tools, log collectors, access-control systems, etc.


All collected data is accumulated in a single platform that makes it possible to enrich, analyze and disseminate threat information.


Data enrichment


The collected information on specific threats is supplemented with context: the name of the threat, the time of detection, geolocation, the source of the threat, the circumstances, and the goals and motives of the attacker.


Enrichment also takes place at this stage: obtaining additional technical attributes for already known attacks:



Analysis


At the analysis stage, events and attributes relating to a single attack are combined according to criteria such as territorial location, time period, economic sector and criminal group.


Links between different events are identified, i.e. correlation is performed.


When working with feeds, the feed source is chosen according to the industry specifics, the types of attack relevant to the particular company, and the presence of attributes and IOCs that cover risks not already covered by the rules of the protection systems. The value of each feed is then determined, and feeds are prioritized based on the following parameters:



The following tools are used to classify data from feeds:



Analysts identify the attackers' tactics, techniques and procedures, map the data and events onto an intrusion model, and reconstruct the attack chains. It is important to form an overall picture of the attack, taking into account the complex architecture of the protected system and the links between its components, including the possibility of a multi-stage attack that affects several hosts and vulnerabilities.


Application


On the basis of this work, forecasting is carried out: probable directions of attack are identified and systematized by industry specifics, geolocation, time frame, likely tools and the severity of the destructive consequences. The identified threats are prioritized according to the potential damage if they are realized.


Threat Intelligence information makes it possible to detect leaks of an organization's sensitive data that have ended up on the Internet and to manage brand risks: discussion of attack plans on darknet forums, illegitimate use of the brand in phishing campaigns, disclosure of trade secrets and their use by competitors.


The assembled knowledge base is used to write attack detection rules for security tools, to respond promptly to threats within the SOC, and to investigate incidents.
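As an added example (not from the original article), the following Python applies a small constructed IOC set the way a SOC would: it matches constructed DNS, proxy and SSH log lines against the indicators, ranks the hits for triage by feed confidence and number of sightings, and renders the network indicators as Suricata detection rules. The IOC values, feed names, confidence scores and log lines are assumptions made up for this illustration; the rule syntax follows Suricata's documented keywords (the `dns.query` buffer exists in Suricata 5 and later), but the sid range and message text are likewise assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Knowledge base as it would come out of the TI platform (constructed values).
IOCS: Dict[Tuple[str, str], dict] = {
    ("ip", "198.51.100.23"): {"tags": ["c2"], "source": "feed_a", "confidence": 90},
    ("domain", "update-check.example"): {"tags": ["c2", "malware-download"], "source": "feed_a", "confidence": 90},
    ("sha256", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"):
        {"tags": ["dropper"], "source": "feed_a", "confidence": 80},
    ("ip", "203.0.113.7"): {"tags": ["bruteforce"], "source": "feed_b", "confidence": 60},
}

# Constructed log lines in three common shapes: DNS resolver, web proxy, sshd.
LOGS = """\
2018-10-14T09:12:01Z dns client=10.0.0.15 query=update-check.example type=A
2018-10-14T09:12:02Z proxy src=10.0.0.15 dst=198.51.100.23 url=http://update-check.example/dl/a.exe sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2018-10-14T09:13:40Z sshd Failed password for root from 203.0.113.7 port 51022
2018-10-14T09:13:41Z sshd Failed password for root from 203.0.113.7 port 51023
2018-10-14T09:14:00Z dns client=10.0.0.22 query=intranet.example type=A
"""

# Token extractors: pull every candidate of each kind out of a free-form line
# and look it up, instead of assuming a fixed log schema.
_EXTRACTORS = [
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("sha256", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b", re.I)),
]


class Match(NamedTuple):
    line_no: int
    timestamp: str
    kind: str
    value: str
    source: str
    confidence: int
    tags: Tuple[str, ...]


def match_logs(logs: str, iocs: Dict[Tuple[str, str], dict]) -> List[Match]:
    """Return one Match per (line, indicator) pair found in the log text."""
    hits: List[Match] = []
    for n, line in enumerate(logs.splitlines(), 1):
        if not line.strip():
            continue
        timestamp = line.split(" ", 1)[0]
        seen = set()  # the same indicator may appear twice in a line (host in URL and dst)
        for kind, rx in _EXTRACTORS:
            for token in rx.findall(line):
                key = (kind, token.lower())
                if key in seen or key not in iocs:
                    continue
                seen.add(key)
                meta = iocs[key]
                hits.append(Match(n, timestamp, kind, key[1], meta["source"],
                                  meta["confidence"], tuple(meta["tags"])))
    return hits


def prioritize(hits: List[Match]) -> List[Tuple[str, str, int, int]]:
    """Order matched indicators for triage: feed confidence first, then sightings."""
    counts = Counter((h.kind, h.value) for h in hits)
    confidence = {(h.kind, h.value): h.confidence for h in hits}
    ranked = sorted(counts, key=lambda k: (-confidence[k], -counts[k], k[1]))
    return [(k[0], k[1], confidence[k], counts[k]) for k in ranked]


def suricata_rules(iocs: Dict[Tuple[str, str], dict], base_sid: int = 9000000) -> List[str]:
    """Render network indicators as Suricata rules; hashes are left to AV/EDR."""
    rules: List[str] = []
    sid = base_sid
    for (kind, value), meta in sorted(iocs.items(), key=lambda kv: kv[0]):
        msg = f"TI {meta['source']} {'/'.join(meta['tags'])} {kind} {value}"
        if kind == "ip":
            sid += 1
            rules.append(f'alert ip any any <> {value} any (msg:"{msg}"; sid:{sid}; rev:1;)')
        elif kind == "domain":
            sid += 1
            rules.append(f'alert dns any any -> any any (msg:"{msg}"; dns.query; '
                         f'content:"{value}"; nocase; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    for h in match_logs(LOGS, IOCS):
        print(f"line {h.line_no} {h.timestamp} {h.kind}={h.value} [{h.source} conf={h.confidence}] {','.join(h.tags)}")
    print("triage order:", prioritize(match_logs(LOGS, IOCS)))
    print("\n".join(suricata_rules(IOCS)))
```

Run against the sample, line 2 alone yields three hits (C2 address, C2 domain and dropper hash) for host 10.0.0.15, which is the kind of multi-indicator chain an analyst would escalate ahead of the lower-confidence brute-force source, even though the latter appears twice.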


Specialists update the threat model and reassess risks in light of the changed conditions.


Conclusion


Such an integrated approach makes it possible to stop attacks at the stage of attempted penetration of the information system.


A platform for collecting and analyzing information on security threats is among the FSTEC requirements (clause 24) for providing SOC services. Moreover, Threat Intelligence can help with the exchange of threat information within the framework of GosSOPKA (the Russian state system for detecting, preventing and eliminating the consequences of computer attacks).


Drawing on the experience of cyber intelligence professionals in collecting, analyzing and applying threat data allows information security departments to bring their company's information protection up to the proper modern level.



Source: https://habr.com/ru/post/427129/

