In part one of this blog post series, we briefly looked at why IoC threat data enrichment is important, the value of knowing who your enemy is, and the process of turning threat data into threat intelligence. If you haven’t had a chance to read the first part of this series, take a few minutes to get caught up and then jump back into part two, where I will cover: threat data saturation and the arduous indicator pivoting and analysis process.
Threat Data Overload
In order to add meaning and greater significance to the retrieved IoCs, it is necessary to sift through the mountain of existing threat data. We will be focusing primarily on available Open Source Intelligence (OSINT) data, but understand that there are critical resources within the darknet to scour for deeper levels of threat perspective. There is definitely not a shortage of available threat data, so it is crucial to maintain focus on data that is relevant to the impacted organization.
This supporting metadata can be obtained through threat intelligence feeds, threat sharing groups, and by using a tactically driven manual search methodology (covered in the next section). There are also paid threat intelligence monitoring services, but we will focus on what is readily available to any analyst.
Sample of Threat Intelligence Feeds:
• AlienVault OTX (https://otx.alienvault.com/browse/pulses)
• Ransomware Tracker (https://ransomwaretracker.abuse.ch/tracker/)
• PhishTank (https://www.phishtank.com/login_required.php)
Sample of Threat Sharing Groups: (https://www.dhs.gov/cisa/information-sharing)
• Industry/Sector Information Sharing and Analysis Centers (ISAC)
• National Cybersecurity and Communications Integration Center (NCCIC)
• Information sharing and Analysis Organizations (ISAO)
To assist with automated aggregation of the threat intelligence gathering process there are also a number of open source threat intelligence frameworks available.
Sample of Threat Intelligence Frameworks:
• Malware Information Sharing Platform (MISP) (https://www.misp-project.org/)
• Your Everyday Threat Intelligence (YETI) (https://github.com/yeti-platform/yeti)
• Collective Intelligence Framework (CIF) (https://csirtgadgets.com/collective-intelligence-framework)
Within Incident Response, the end goal is to derive useable IoC threat intelligence, which is why it is paramount to scrutinize the retrieved threat data. The intelligence gathered can provide an organization with greater understanding of their security exposure, as well as add critical incident telemetry and best-case scenario threat actor or threat group attribution.
Pivot and Analyze – Rinse, Wash, Repeat
Using threat intelligence automated feeds and frameworks is definitely helpful for rapid mass consumption of the threat data, but it still doesn’t provide actionable threat-related data. This is where tactical manual verification and IoC pivoting takes over. The pivot process takes the retrieved individual IoC data points (listed in IoC section) and attempts to pull relevance against the retrieved threat data. Once this data is inspected for applicability, it must then be validated against evidence found within the impacted organization. If significance is identified, then the attribution circle starts to tighten and greater levels of telemetry are brought forth around relevant threat campaigns, threat actors, or threat groups of interest. A stronger threat hypothesis can now take shape and becomes useful and relevant surrounding the incident.
One critical point to remember as you are performing your IoC threat hunting: threat actors may be monitoring your investigative due diligence. For sophisticated threat actors, this would mean a change in attack sequencing, change in infrastructure, or possibly even going dormant.
C2 Domain IoC
Examples of information to pivot from:
• Who may own the domain?
• Has the domain been recently compromised?
• Has there been recent change in domain infrastructure?
MD5 Hash IoC
Examples of information to pivot from:
• When was the hash first seen?
• What domains or IP addresses is it affiliated with?
• What campaigns is it associated with?
External IP Address IoC
Examples of Information to Pivot From:
• Is the IP address affiliated with malicious activities?
• Is the associated AS number affiliated with malicious activities?
• Is the associated Subnet affiliated with malicious activities?
The IoC examples above are only a small set of information that you can use to hunt with. A notable value from pivoting actions is the correlation capabilities that can be derived. For example, one could initially pivot off a domain IoC and end up identifying that it is also associated with hosting files with hash values of interest, tied to malicious SSL certificates, affiliated with other malware campaigns, affiliated with known threat actor or group malicious frameworks, etc. Pivoting is a circular investigative process and must always coincide with relevance of the given incident.
As you can see, identifying IoCs during an incident is only the first step in a very long and arduous vetting and validation process. As the indicator threat data is enriched, stronger data-points are derived that lead the analyst toward developing a focused attack hypothesis. The focus throughout this hunting process needs to be on the impacted organization, the associated products, the relevant business sector, and geographical regions of presence. For organizations, IoC threat data is not threat intelligence until manual validation and significance have taken place.
Cyber attacks – What are the financial impacts?
Cyber threat intelligence: The cyber defender’s most valuable weapon
How Pivoting Can Help Your Incident Response Process