1. Objectives:
1.1. Understanding Adversaries
1.1.1. Attacker Tactics, Techniques & Procedures (TTPs)
1.1.1.1. Attacker Tendencies
1.1.1.1.1. Examples
1.1.1.2. Attacker Profile
1.1.1.2.1. Name
1.1.1.2.2. Description
1.1.1.2.3. Threat Types
1.1.1.2.4. Sophistication
1.1.1.2.5. Motivation
1.1.1.2.6. Intended Effects
1.1.1.3. Preferred Methods of Attack
1.1.1.3.1. Examples
1.1.1.4. Campaigns
1.1.1.4.1. Group of related Events/Incidents/Indicators/Malware/etc observed over time for which a clear set of TTPs (Tactics, Techniques, and Procedures) can be defined
1.1.2. Motivation
1.1.2.1. Financial Gain
1.1.2.1.1. Attack a target for financial gain through...
1.1.2.2. Political Agenda
1.1.2.2.1. Attack a target as a means to spread their political agenda or because their target opposes their political stance
1.1.2.3. Test of Skill
1.1.2.3.1. Attacking a target as a means of testing their skills or to prove themselves to a community
1.1.2.4. For "Fun"
1.1.2.4.1. Attacking a target for the fun of it
1.1.3. Behaviour
1.1.3.1. Destructive
1.1.3.1.1. Involves destruction of critical or sensitive data belonging to either the target or the target's customers - usually in tandem with Disruptive
1.1.3.2. Information Proliferation
1.1.3.2.1. Obtaining information for their purpose, usually non-destructive to avoid raising suspicion of their presence
1.1.3.3. Disruptive
1.1.3.3.1. Disrupt target's operations, causing financial loss of the target - usually in tandem with Destructive
1.2. Current Threat Landscape
1.2.1. Gathering intelligence on adversaries, their methods and their tools can help organisations identify their adversaires and understand their threat landscape
1.3. Improving Defences
1.3.1. With proper knowledge of threat actors' method of attack, defenders are able to better deal with attacks on their organisation.
2. Sources of Data
2.1. System Logs
2.1.1. Monitor and logs ongoing activities & changes on the system
2.1.2. Collects:
2.1.2.1. Changes to system files
2.1.2.2. User account additions
2.1.2.3. Timestamps
2.2. Access Logs
2.2.1. Monitors and logs user access to specified files/folders
2.2.2. Collects:
2.2.2.1. Time Stamps
2.2.2.2. Country of Origin
2.2.2.3. IP address
2.2.2.4. File Activity
2.2.2.4.1. Creation
2.2.2.4.2. Deletion
2.2.2.4.3. Modification
2.2.2.4.4. History
2.3. Correlation mechanism
2.3.1. Use of logs to search for particular protocols used by system
2.3.1.1. Dynamic input source provided that updates in real time
2.3.2. Utilising search commands to send alerts whenever a protocol is in use
2.3.2.1. Splunk search command
2.3.3. Collects from
2.3.3.1. Access Logs
2.3.3.2. IPS/IDS
2.3.3.3. Firewall Logs
2.3.3.4. System Logs
2.3.3.5. Registry Monitor
2.3.3.6. Process Monitor
2.4. IPS/IDS
2.4.1. Alerts user when system is being compromised
2.4.2. Collects:
2.4.2.1. Time Stamps
2.4.2.2. IP address
2.4.2.3. File Activity
2.4.2.4. Country of Origin
2.4.2.5. Ports
2.4.2.6. Network changes
2.5. Firewall
2.5.1. IP Address
2.5.1.1. Whitelist
2.5.1.1.1. Allows inbound/outbound connections to/from whitelisted IPs
2.5.1.2. Blacklist
2.5.1.2.1. Blocks inbound/outbound connections to blacklisted IPs
2.5.2. Stringent firewall configuration that allows certain services to be run
2.5.2.1. Controls access to the resources of a network through a positive control model
2.5.3. Collects:
2.5.3.1. Inbound IP Addresses
2.5.3.2. Outbound IP Addresses
2.5.3.3. Accessed URLs
2.5.3.4. Ports
2.5.3.5. Protocols
2.6. Threat Intelligence Sources
2.6.1. Provides intelligence/information done and collected by external analysts
2.6.2. Collects:
2.6.2.1. Data
2.6.2.2. Information
2.7. Registry Monitor
2.7.1. Monitors changes to the registry on Windows systems
2.7.2. Collects:
2.7.2.1. Creation of Registry Keys
2.7.2.2. Deletion of Registry Keys
2.7.2.3. Modification of Registry Keys
2.8. Process Monitor
2.8.1. Monitors processes and services running on the system
2.8.2. Collects:
2.8.2.1. Process ID
2.8.2.2. Process Status
2.8.2.3. Process Group
3. removed from final
3.1. Malware Attribute Enumeration and Characterization (MAEC)
3.1.1. Data Models
3.1.1.1. Bundle (Level 1)
3.1.1.1.1. Low Level Actions
3.1.1.1.2. Mid Level Behaviours
3.1.1.1.3. High Level Capabilities
3.1.1.1.4. Bundle Output Format
3.1.1.2. Package (Level 2)
3.1.1.2.1. Package Output Format
3.1.1.3. Container (Level 3)
3.1.1.3.1. Package List
3.1.2. Use Cases
3.1.2.1. Malware Analysis
3.1.2.1.1. Static & Dynamic Analysis
3.1.2.1.2. Malware Visualisation
3.1.2.1.3. Analysis Oriented Malware Repositories
3.1.2.1.4. Standardized Tool Output
3.1.2.2. Intrusion Detection
3.1.2.2.1. A single MAEC characterization, represented by a MAEC Bundle or MAEC Package, can provide data that can be used to detect multiple malware instances
3.1.2.3. Cyber Threat Analysis
3.1.2.3.1. Attribution
3.1.2.3.2. Malware Threat Scoring System
3.1.2.4. Incident Management
3.1.2.4.1. Uniform Malware Reporting Format
3.1.2.4.2. Malware Repositories
3.1.2.4.3. Remediation
3.2. hide?
3.2.1. Function
3.2.1.1. Database to store technical and non-technical information about malware samples, incidents, attackers and intelligence
3.2.1.2. Automatic correlation finding relationships between attributes and indicators from malware, attacks campaigns or analysis
3.2.1.3. Built-in sharing functionality to ease data sharing using different model of distributions
3.2.1.3.1. MISP can synchronize automatically events and attributes among different MISP
3.2.1.3.2. Advanced filtering functionalities can be used to meet each organization sharing policy including a flexible sharing group capacity and an attribute level distribution mechanisms
3.2.1.4. Advanced filtering functionalities and warning list to help the analysts to contribute events and attributes
3.2.1.5. storing data in a structured format (allowing automated use of the database for various purposes) with an extensive support of cyber security indicators along fraud indicators as in the financial sector
3.2.2. Export Formats
3.2.2.1. generating IDS rules
3.2.2.2. OpenIOC
3.2.2.3. plain text
3.2.2.4. CSV
3.2.2.5. MISP XML
3.2.2.6. JSON
3.2.2.7. STIX
3.2.3. Import Formats
3.2.3.1. bulk-import
3.2.3.2. batch-import
3.2.3.3. import from OpenIOC
3.2.3.4. GFI sandbox
3.2.3.5. ThreatConnect CSV
3.2.3.6. text import tool to ease the integration of unstructured reports into MISP
3.2.4. Community Sharing Models
3.2.4.1. Share with your organization only
3.2.4.2. Share with this community only
3.2.4.3. Share with connected communities
3.2.4.4. Share with all communities
3.2.5. APIs
3.2.5.1. RESTful, JSON-based
3.2.5.2. PyMISP Library
3.3. hide?
3.3.1. APIs
3.3.1.1. RESTful, JSON-based
3.3.1.1.1. Write own module to access
3.3.1.1.2. Use existing community projects
4. Intelligence
4.1. Definition
4.1.1. Processed, contextualised and analysed information
4.1.2. Production of Intelligence should be done by either in-house or external Intelligence Analysts.
4.1.3. Since intelligence is very contextual, specific examples cannot be listed here. Instead, we will provide generic examples of things to consider.
4.2. Things to Consider
4.2.1. Context
4.2.1.1. The data you collect and intelligence that you produce should be relevant to your organisation/operating environment
4.2.2. Operating Environment
4.2.2.1. Consider what threats/attack vectors out there affect your operating environment & prioritise your defenses accordingly
4.2.2.2. What vulnerabilities are relevant to your operating environment?
4.2.3. Threat Landscape
4.2.3.1. Who are the main threat actors that you have to be wary of?
4.2.3.2. What are the most common attacks that your organisation faces?
4.2.4. Comprehensiveness
4.2.4.1. How comprehensive is your generated intelligence?
4.2.4.2. How well does it cover your bases?
4.2.5. Volume
4.2.5.1. Do you want large sets of data to identify more threats, or smaller but more comprehensive and contextual data?
4.3. Examples:
4.3.1. Attacker Profile
4.3.1.1. Attacker Information
4.3.1.1.1. Threat Actor
4.3.1.1.2. IPs
4.3.1.1.3. TTPs
4.3.1.2. Attack Vector
4.3.1.2.1. Exploited Apps
4.3.1.2.2. Exploited Services
4.3.1.2.3. Malware
4.3.1.2.4. Phishing Attempts
4.3.2. Areas of Compromise
4.3.2.1. Assets
4.3.2.1.1. Servers
4.3.2.1.2. Files
4.3.2.1.3. Computers
5. Information
5.1. Definition
5.1.1. Processed, sorted Data
5.1.2. Can be used as basic intelligence, although not complete
5.2. Obtained From
5.2.1. Logging
5.2.1.1. Description
5.2.1.1.1. Logs can help to see if any changes were made to the operating environment (network, policy changes, suspicious installations, permission changes etc)
5.2.1.2. Contains
5.2.1.2.1. File Changes
5.2.1.2.2. Permission Changes
5.2.1.2.3. Timestamps
5.2.1.2.4. Network changes
5.2.1.2.5. User account additions
5.2.2. Network Traffic
5.2.2.1. Description
5.2.2.1.1. Network Traffic can help determine if suspicious traffic by a system has been encountered which may contain malicious payloads
5.2.2.2. Contains
5.2.2.2.1. IP Addresses
5.2.2.2.2. Ports
5.2.2.2.3. Commonly used Protocols
5.2.2.2.4. Accessed URLs
5.2.3. Files
5.2.3.1. Description
5.2.3.1.1. Files helps to see if any new files were added to the system. A new file that does not appear to be a part of normal file downloads
5.2.3.2. Contains
5.2.3.2.1. File Data
5.2.3.2.2. File Activity
5.2.4. Processes/Services
5.2.4.1. Description
5.2.4.1.1. Processes/ Services helps to see if any new processes/services were added to the existing processes. A new process/service that is added may indicate a execution of a malicious software
5.2.4.2. Contains
5.2.4.2.1. DLLs Loaded
5.2.4.2.2. Presence
5.2.4.2.3. Process ID
5.2.4.2.4. Status
5.2.4.2.5. Group
5.2.5. Registry Activity
5.2.5.1. Description
5.2.5.1.1. Registry Activity helps to see if any suspicious processes/services have made any changes to registry keys. Changes or addition of registry keys may indicate if the process is malicious
5.2.5.2. Contains
5.2.5.2.1. Creation of Keys
5.2.5.2.2. Deletion of Keys
5.2.5.2.3. Modification of Keys
5.2.6. Email
5.2.6.1. Description
5.2.6.1.1. Emails help to see if any suspicious emails have been received from unknown parties. These emails may contain attachments or links which are malicious in nature.
5.2.6.2. Contains
5.2.6.2.1. From
5.2.6.2.2. Attachments
6. Artefacts
7. Production & Sharing of Information & Intelligence
8. Raw Data
8.1. Definition
8.1.1. Disorganised statistics collected for the purpose of analysis or reference
8.2. Consists of:
8.2.1. File Changes
8.2.1.1. Which files have been created or deleted
8.2.2. Permission Changes
8.2.2.1. Which files have had their permissions modified
8.2.3. Email From List
8.2.3.1. Incoming email addresses should be tracked to check for phishing attempts from phishing email addresses
8.2.4. Email Attachments
8.2.4.1. Attachments may be of a malicious nature and should be monitored / checked.
8.2.5. Creation of Registry Keys
8.2.5.1. Installations can create new registry keys for the program, same is applicable for malicious programs.
8.2.6. Deletion of Registry Keys
8.2.6.1. Keys are deleted occasionally by the operating system, but malware can also delete keys for destructive purposes
8.2.7. Modification of Registry Keys
8.2.7.1. Malware can modify registry keys for various purposes, most commonly to run on startup.
8.2.8. Timestamps
8.2.8.1. Timestamps in logs of suspicious connections can shed light on...
8.2.8.1.1. Time of day that the threat actor operates in
8.2.8.1.2. Local time of target of which they'd target
8.2.8.2. Timestamps can also help to see when files or folders were accessed without authorisation
8.2.8.2.1. Show presence of possible malicious insider or whether the network has been breached
8.2.9. Network changes
8.2.9.1. Firewall changes
8.2.9.1.1. Changes to the firewall can include "backdoor" like behaviour (opening up ports), disruptive behaviour (closing important ports, dropping traffic), etc
8.2.9.2. IP whitelist/blacklist
8.2.9.2.1. Changes to the IP whitelist/blacklist can allow inbound/outbound connections to malicious IPs.
8.2.10. User account additions
8.2.10.1. Granting admin control/permissions
8.2.11. IP Addresses
8.2.11.1. IP Addresses are able to help determine where attacks originate from or whether there was inbound or outbound connections made by the compromised system
8.2.11.2. Location
8.2.11.2.1. Connections to and from suspicious locations (eg China, CIS region [Commonwealth of Independent States]) may help to narrow down the threat actor behind an attempted/already successful attack.
8.2.11.3. Inbound Connections
8.2.11.3.1. Inbound connections from a suspicious IP address can indicate an attempted attack on the target
8.2.11.4. Outbound Connections
8.2.11.4.1. Outbound connections to a suspicious IP address can indicate that a breach has occurred
8.2.12. Ports
8.2.12.1. Ports used by applications
8.2.12.1.1. Suspicious connections to ports used by certain applications can indicate that a threat actor is they are attempting to exploit vulnerabilities in said application.
8.2.12.2. Commonly used/targeted ports
8.2.12.2.1. 1. Port 445 (Microsoft DS)
8.2.12.2.2. 2. Port 23 (Telnet)
8.2.12.2.3. 3. Port 1433 (Microsoft SQL Server)
8.2.12.2.4. 4. Port 3389 (Microsoft Terminal Services)
8.2.12.2.5. 5. Port 80 (HTTP)
8.2.12.2.6. 6. Port 22 (SSH)
8.2.12.2.7. 7. Port 135 (Microsoft RPC)
8.2.12.2.8. 8. Port 8080 (HTTP Alternate)
8.2.12.2.9. 9. Port 3306 (MySQL)
8.2.12.2.10. 10. Port 443 (SSL)
8.2.12.3. Idle Ports
8.2.12.3.1. Ports may be opened by malware to "listen" for a command from attackers
8.2.13. Commonly used Protocols
8.2.13.1. TCP/IP
8.2.13.2. SSH
8.2.13.2.1. SSH is commonly used and if not secured properly, can become a vector of attack.
8.2.13.3. UDP
8.2.13.4. HTTP
8.2.13.4.1. Exploits to web servers will often use the HTTP protocol
8.2.13.5. TLS
8.2.13.5.1. Exploits related to transmission of sensitive data may require that this protocol to not be in use
8.2.13.6. NTP
8.2.13.6.1. NTP amplification DDoS Attack
8.2.13.7. SSL
8.2.13.7.1. Exploits related to transmission of sensitive data may require that this protocol to not be in use
8.2.13.8. DNS
8.2.13.8.1. Exploits to vulnerable domain name systems may be used to poison the DNS cache
8.2.13.9. SMTP
8.2.13.9.1. Malicious traffic may be sent via this protocol to disrupt mail servers with poor security
8.2.14. Accessed URLs
8.2.14.1. URLs to phishing sites are commonly posted in phishing emails.
8.2.14.2. Employees of organisations may be social engineered into accessing phishing/malicious sites
8.2.14.3. If Internet Access is not properly controlled in the organisation environment, employees may be able to access malicious sites.
8.2.15. File Data
8.2.15.1. File Type
8.2.15.1.1. Executables
8.2.15.1.2. Microsoft Office Documents
8.2.15.1.3. PDFs
8.2.15.2. Hashes
8.2.15.2.1. Hashes of malware can also be compared against a database of known malware to identify the type and variant
8.2.15.2.2. Hashes of files can be used to verify the integrity of the file
8.2.15.2.3. Examples
8.2.15.3. Size
8.2.15.3.1. Changes to a file's size can indicate that modifications may have been made to it
8.2.16. File Activity
8.2.16.1. File Creation
8.2.16.1.1. Files can be created by malware or malicious installs. This can be for configuration purposes, downloading more malware, etc
8.2.16.2. File Deletion
8.2.16.2.1. File may be removed by attackers via malware or other means. This may be for destructive purposes or in order to leverage on an exploit
8.2.16.3. File Modification
8.2.16.3.1. Files may be modified by attackers themselves or by malware (depending on the motive)
8.2.16.4. File History
8.2.16.4.1. Logging changes to files can help to alert to intruders in the network and track intruders' movements and tendencies.
8.2.17. Status
8.2.17.1. Running
8.2.17.2. Stopped
8.2.18. Group
8.2.18.1. The Group that owns the process
8.2.19. Process ID
8.2.19.1. Processes have IDs that can be tracked, and can be used to monitor running processes
8.2.20. Presence
8.2.20.1. Viewable in Task Manager
8.2.20.1.1. Most processes and services can be seen in Task Manager
8.2.20.1.2. However, you can also use it to monitor when services that you have disabled start running out of the blue.
8.2.20.2. Background Process
8.2.20.2.1. Malware usually mask their presence by running in the background and their process is not visible from the task manager
8.2.21. DLLs Loaded
8.2.21.1. DLLs loaded by malware can help to identify the variant being used and what it possibly does
9. Sharing of Information & Intelligence
9.1. Sharing Standards
9.1.1. Trusted Automated Exchange of Indicator Information (TAXII)
9.1.1.1. defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries
9.1.1.1.1. empowers organizations to achieve improved situational awareness about emerging threats, and enables organizations to easily share the information they choose with the partners they choose all while using a single, common, set of tools
9.1.1.2. Sharing Models
9.1.1.2.1. Hub and Spoke
9.1.1.2.2. Source/Subscriber
9.1.1.2.3. Peer-to-Peer
9.1.1.3. Specifications
9.1.1.3.1. Services
9.1.1.3.2. Message Binding
9.1.1.3.3. Protocol Binding
9.1.1.3.4. Query Format
9.1.1.3.5. Content Binding
9.1.2. Cyber Observable Expression (CybOX)
9.1.2.1. Is a highly standardised language for encoding and communicating high-fidelity information about cyber observables, whether dynamic events or stateful measures that are observable in the operational cyber domain
9.1.2.1.1. Provides a common structure for representing cyber observables across and among the operational areas of enterprise cybersecurity
9.1.2.2. Cyber Observables
9.1.2.2.1. Can be dynamic events or stateful properties
9.1.2.2.2. Examples
9.1.2.3. Can be used for threat assessment, log management, malware characterization, indicator sharing and incident response
9.1.2.4. Incident response and management can then take advantage of all of these capabilities to investigate occurring incidents, improve overall situational awareness and improve future attack detection, prevention and response
9.1.3. Structured Threat Information Expression (STIX)
9.1.3.1. A language for having a standardized communication for the representation of cyberthreat information
9.1.3.1.1. improves consistency, efficiency, interoperability, and overall situational awareness
9.1.3.2. Components
9.1.3.2.1. Observable
9.1.3.2.2. Indicator
9.1.3.2.3. Incident
9.1.3.2.4. Tactics, Techniques and Procedures (TTP)
9.1.3.2.5. Exploit Target
9.1.3.2.6. Course of Action (COA)
9.1.3.2.7. Campaign
9.1.3.2.8. Threat Actor
9.2. Sharing Intelligence
9.2.1. Intelligence Sharing Platforms
9.2.1.1. Open Source
9.2.1.1.1. MISP
9.2.1.1.2. ThreatConnect
9.2.1.1.3. Eclectic IQ
9.2.1.2. Closed Source
9.2.1.2.1. IBM X-Force Exchange
9.2.2. Sample Sharing
9.2.2.1. Malware/Threat Repositories
9.2.2.1.1. Collaborative Research Into Threats (CRITs)
9.2.2.1.2. Zeltser
9.2.2.1.3. Offensive Computing
9.2.2.1.4. theZoo
9.2.2.2. Vulnerability Repositories
9.2.2.2.1. VulnHub
9.2.2.3. Other Useful Resources
9.2.2.3.1. VirusTotal
10. Production of Intelligence
10.1. Things to Consider When Choosing a Platform
10.1.1. Nature/Type of Data
10.1.1.1. The kind of data you collect can influence the tools that you use.
10.1.1.1.1. Sensitive data (from govt, etc) may restrict usage of cloud-based platforms
10.1.1.1.2. Compatibility with the data collected
10.1.2. Capabilities of Chosen Platforms
10.1.2.1. Not all platforms are alike, and some platforms may have features that others do not have
10.1.2.1.1. Important to weigh your options and choose one that suits your needs
10.1.2.2. Examples
10.1.2.2.1. Having immediate access to shared pool of intel
10.1.2.2.2. Managing your own collections
10.1.2.2.3. GUI
10.1.2.2.4. Visual Correlation of data/information
10.1.3. Compatibility with Chosen/Existing Mechanisms
10.1.3.1. Some sharing platforms provide seamless integration with certain mechanisms/filetypes
10.1.3.1.1. Allows for fast and easy integration with existing systems
10.1.3.2. Compatibility with many mechanisms/file types also allow for "futureproofing" when integrating new mechanisms in the future
10.1.4. Ease of Use
10.1.4.1. Some sharing platforms provide user-friendly interfaces for traversing and managing the data collected
10.1.4.2. Many also provide visual correlation options and functionality to help with analysing
10.1.5. Limiting Sharing of Intel/Data for Purposes of Security
10.1.5.1. Distribution of threat information can be limited by the originator by using a traffic light protocol (TLP) code
10.1.5.2. Restricting distribution for ongoing investigations can minimise the risk of attackers reading how your investigation is progressing