Threat intelligence

Today, I will discuss about one popular keyword, Threat Intelligence which is also popular among security teams.‍‍‍‍‍‍
‍‍‍‍‍‍ 
 Threat Intelligence

Threat Intelligence can be defined as knowledge that can protect or mitigate cyber attacks.‍‍‍‍‍‍
‍‍‍‍‍‍ 
Nowadays, cyber attacks become to improve into APT (Advanced Persistent Threat) level. There also occurs data breaches throughout the world. Using Threat Intelligence ensures organizations deeply to know threat patterns and behaviors that are going on their network and help in decisions making effectively how to prevent these threats or attacks. ‍‍‍‍‍‍
‍‍‍‍‍‍ 
 Difference between Threat Data and Threat Intelligence‍‍‍‍‍‍
‍‍‍‍‍‍ 
 Threat Data (Threat Feeds)
Threat data is a raw collection of malicious domains, IP addresses, or hash values that does not provide any context on attacks or threats.‍‍‍‍‍‍
‍‍‍‍‍‍ 
 Threat Intelligence (TI)
Threat Intelligence essentially requires Threat Context that is based on nature of attacks and threats. By analyzing and refining raw threat data into threat context, threat Intelligence can provide actionable information that enables organizations to better align their security and business goals.‍‍‍‍‍‍
‍‍‍‍‍‍ 
 How Threat Intelligence Works
I’ll use my cat for an example to explain Threat Intelligence working process. Let’s assume that intelligence is a collection of data and my cat past activities. If the water bowl is empty, he is going to jump up on the table and drink out of my glass that has water in it. Historically I’m collecting these data points. And we break down these points into data feeds. If A happens, when the water bowl empty and B happens when my glass on the table is full of water, we can predict the possibility of becoming Case C that my cat will jump onto the table and drink out of the glass based on previous two cases. It’s the same philosophy with Threat Intelligence. If A happens, if we know that a specific threat actor group is doing A, and historically speaking, they’ve always done B, and you start to see one, you can statistically predict that the next piece is going to happen because of that data.‍‍‍‍‍‍
‍‍‍‍‍‍ 
 Different source types of Threat Intelligence
‍‍‍‍‍‍ 
I will share some different sources of threat data feeds as much as I know.‍‍‍‍‍‍
‍‍‍‍‍‍ 
 Malware Processing
Identifying malware patterns and running it in a sandbox environment to change into threat data.‍‍‍‍‍‍
‍‍‍‍‍‍ 
 Scanning/Crawling
Systematically crawling the internet to find exploits, attacks, or malicious entities‍‍‍‍‍‍
‍‍‍‍‍‍ 
 Honeypots
By creating traps, analyzing attacker’s behaviour‍‍‍‍‍‍
‍‍‍‍‍‍ 
 Human Intelligence
Human analysts create an incident and explore vulnerabilities in this incident‍‍‍‍‍‍
‍‍‍‍‍‍ 
 Social Listening
Gathering threat data via social media like twitter, LinkedIn and Facebook. Twitter has been widely used for sharing TI feeds in real time.‍‍‍‍‍‍
‍‍‍‍‍‍ 
Before an organization start to implement Threat Intelligence, it must know its feed requirements. For an example, if our own organization is Manufacturing Company but we use FS-ISAC (financial sector) data feeds, we cannot focus on industrial security threats. 
‍‍‍‍‍‍ 
So, an organization must access itself based on the following:
‍‍‍‍‍‍ 
1️⃣ Network Infrastructure
2️⃣ Current Security Posture
3️⃣ Finance
4️⃣ Capability of managing threat intelligence when the feeds receive
5️⃣ Will this information provide me with valuable information to build our long-term knowledge base and strategy?
‍‍‍‍‍‍ 
After these requirements are considered, we have another question whether TI fees are free or commercial.‍‍‍‍‍‍
‍‍‍‍‍‍ 
TI feeds are Free or Paid Subscription?
‍‍‍‍‍‍ 
Publicly available feeds are available on the internet. Private feeds need to be purchased from security vendors.‍‍‍‍‍‍
‍‍‍‍‍‍ 
Public Sources for Free Threat Intelligence Feeds
‍‍‍‍‍‍ 
1️⃣ Open-Source intelligence (OSINT)
2️⃣ SHODAN (In trial period and limited)
3️⃣ Threat Connect (In trial period and limited)
4️⃣ Virus Total (In trial period and limited)
5️⃣ Alien Vault OTX (Open Threat Exchange) (In trial period and limited)
6️⃣ Zeus Tracker
7️⃣ The dark web from where you can obtain feeds
‍‍‍‍‍‍ 
Public TI feeds might not have the required quality in terms of updates.‍‍‍‍‍‍
‍‍‍‍‍‍ 
 Private Threat Intelligence Feeds
‍‍‍‍‍‍ 
Commercial TI feeds can be obtained from some TI vendors (described in Free TI Feeds) in paid subscription after trial period, Microsoft Cyber Trust Blog, Secure Works Blog, Anomaly and more.‍‍‍‍‍‍
‍‍‍‍‍‍ 
I would like to suggest that we can create effective Threat Intelligence in detail by collecting both Private and Public TI feeds.‍‍‍‍‍‍
‍‍‍‍‍‍ 
TI has been used in reactive phase for the last 4 or 5 years. Reactive phase means reducing attack risks during an incident. Reactive way is only a part of TI. It’s not the real purpose of TI. Anomaly’s Senior Director of TI said that TI will be transformed into its’s real purpose, Proactive way which allows organization to mitigate and prevent before attack happen in next coming 5 or 6 years.

Don’t forget to share this post!