By the time an Incident Response consultant is contacted, the security event in question is already in motion. So, the goals become: rapid triage, assist in identifying the related threat risks, and make every effort to identify the threat actors involved. Attribution is very difficult when dealing with seasoned and well-funded threat actors, but it isn’t impossible.

Identifying critical Indicators of Compromise (IoCs) assists in putting together the Tactics, Techniques, and Procedures (TTP) used by threat actors. These indicators are the foundation in forming the initial attack hypothesis. As the IoC threat information is enriched, the attack hypothesis evolves. In this blog post series, the goal is not to cover the Incident Response process or discuss threat intelligence by itself. Rather, the intent is to portray how incident responders can derive context surrounding the associated threat risks and gain intelligence through IoC analysis.

With part one of this blog post series, we will look at how IoC threat data is enriched, the value in knowing who your enemy is, and the process of taking threat data and turning it into threat intelligence.

Enrichment is Key

An IoC is meaningless as a standalone artifact. IoC threat hunting is required to add greater levels of threat enrichment to the particular indicators of interest. Pivoting off these indicators will add meaningful levels of context and telemetry that is specific to the impacted organization.

IoC examples that can be used for pivot-based activities:
• MD5 hashes
• Command and Control (C2) domains
• External IP addresses
• Filenames

Threat enrichment occurs when data-sets are put together during the IoC threat gathering phase. Indicator enrichment increases the level of relevance towards the impacted organization, provides greater level of detail surrounding the particular threat aiding in triage decision making, and provides greater levels of overall insight surrounding the incident. The threat enrichment and pivoting process will be covered in greater detail in the second part of this blog post series.

Knowing Your Enemy

Threat actor attribution is an overwhelming task but understanding the types of threat actors and their related intent and motives helps to tighten the circle of threat attribution. This level of knowledge is paramount in adding deeper layers of supporting perspective to the identification of the threat actors and brings an organization closer to understanding the types of threats that affect their specific organization, the business sector of which they are a part, and the surrounding geographic regions in which they reside. By having greater levels of understanding surrounding the threats targeting an organization, the correlation value between the identified IoCs and known threat actor TTPs significantly increases.

Types of threat actors:

• Organized crime - Attackers are traditionally financially driven.
• Hacktivist - Attackers are usually politically driven or have propaganda-based motivation.
• Nation state - Attackers are very sophisticated and well-funded and usually tied to espionage-related initiatives.
• Opportunistic - Attacks are usually drive-by scenarios used for notoriety or research-driven.
• Insider threat - Attackers are internal individuals or previous employees who are disgruntled or affiliated with the groups listed above.

Threat actor motivation and intent are critical aspects to take into consideration while compiling the threat data. By understanding the threat actor motivations, one could possibly gain knowledge into the purpose and level of the affiliated campaign, specify organizational assets on which to focus, or incident threat hunting steps in which to engage.

Motivations and intent to consider:
• Financially driven
• Intelligence gathering
• Corporate espionage
• Overall destruction

Threat Data vs Threat Information vs Threat Intelligence

Before IoC threat data can provide relevant intelligence value, the data must first be analyzed, classified, and then prioritized.

• Threat data - Either consumed via automated feeds or manually retrieved
• Threat information - When threat data is enriched during the analysis process
• Threat intelligence - Derived from the analyzed threat information

Retrieved IoC threat data by itself is meaningless. This threat data must be analyzed in order to provide the correct levels of associated impact and relevance to the affected organization. This impact analysis drives strategic, tactical, and operational threat prioritization.

Threat Intelligence Types:
• Strategic - Forms overall picture of the intent and capabilities of the associated threats; useful at management and executive levels.
• Operational - Enhanced technical-related information surrounding the identified threats associated with the IoCs; useful at the forensic analyst level.
• Tactical - This is where the specific IoCs fit in; useful at the Security Operations Center (SOC) level.

Closing

As we can see, IoCs by themselves provide no real meaning as to why the attack happened or who the attacker is. Understanding the potential threats targeting the affected organization, sector of business, or geographic region adds correlation value between the particular IoC and the threat actor TTP used. Deeper levels of IoC pivoting and analysis are required in order to derive greater context and telemetry surrounding the incident at hand.

In the second part of this blog post series, we will look at how an analyst can retrieve IoC related meta-data and how the analyst can pivot and analyze the data sets in hopes of turning them into threat related intelligence.

Resources

Cyber attacks - What are the financial impacts?
https://countercept.com/blog/how-much-should-you-care-about-cybersecurity/

Cyber threat intelligence: The cyber defender's most valuable weapon
https://www.accenture.com/us-en/blogs/blogs-cyber-intelligence

Information Sharing
https://www.dhs.gov/cisa/information-sharing

How Pivoting Can Help Your Incident Response Process
https://securityintelligence.com/how-pivoting-can-help-your-incident-response-process/