Summary Chapter 4: Threat Intelligence


Security management: summary: Chapter 4: Threat intelligence frameworks


- Quotes relevant for cybersecurity
  o Know the Enemy and Know Yourself
  o All Warfare is Based On Deception
  o Attack Him Where He Is Unprepared, Appear Where You Are Unexpected
  o Just As Water Retains No Constant Shape, In Warfare There Are No Constant Conditions
  o In the Midst of Chaos There Is Also Opportunity

1 German U-boats attacking Allied ships in WWII
- The Allies broke the code used by the German U-boats
- This combines passive defence, active defence and intelligence

2 Threat intelligence
- Actionable threat intelligence
  o threat intelligence that can be readily used: it comes with proper support for visibility and context and useful indicators for prioritizing, is integrated with the security solutions used by the organization, and has a clear path to remediation

3 Types of threat intelligence
- Strategic
  o high-level information consumed by decision makers
  o the purpose is to help strategists understand current risks and identify further risks of which they are not yet aware
- Operational
  o information about specific impending attacks against the organization; initially consumed by higher-level security staff, e.g., security managers or heads of the incident response team
- Tactical
  o often referred to as Tactics, Techniques, and Procedures (TTP); information about how threat actors conduct attacks
- Technical
  o information that is normally consumed through technical resources
- IOC
  o Indicator of compromise, part of technical intelligence
- ATT&CK
  o a major example of tactical threat intelligence

4 Threat intelligence frameworks
- IOCs
  o are typically the low-level technical intelligence indicators
- TTPs
  o are the more high-level methods used by the attackers

5 Bianco's pyramid of pain and indicators of compromise
- Indicators of compromise
  o are old-fashioned threat intelligence if they are only low level
  o the pyramid of pain extends this to higher levels (up to TTPs)
- Bianco's pyramid of pain (listed from bottom to top)
  o Hash values
    - SHA1, MD5 or other similar hashes that correspond to specific suspicious or malicious files
  o IP addresses
    - It's, um, an IP address. Or maybe a netblock
  o Domain names
    - either a domain name itself (e.g., "evil.net") or maybe even a sub- or sub-sub-domain (e.g., "this.is.sooooo.evil.net")
  o Network artifacts
    - observables caused by adversary activities on your network
  o Host artifacts
    - observables caused by adversary activities on one or more of your hosts
  o Tools
    - software used by the adversary to accomplish their mission
  o Tactics, techniques and procedures (TTPs)
    - how the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between
- The pyramid defines the pain it causes the adversary when you are able to deny those indicators to them
- Indicator-led threat intelligence
  o the most common indicators of compromise are still low-level technical (signature-type) indicators that most people feel should not be labelled "intelligence", or should be labelled "technical threat intelligence"

6 Cyber kill chain
- Lockheed Martin kill chain
  o an important model; it also helps you to describe the goal of the attack and how the attacker got in
  o looks at an incident from the attacker's perspective
  o helps to identify the threats and risks; the COA (Courses of Action) matrix helps to decide on technical measures based on this model
    - the COA matrix is part of the defence perspective
- For each phase of the kill chain
  o a white diamond indicates that relevant, but passive, detections were in place at the time of that month's intrusion attempt
  o a black diamond indicates that relevant mitigations were in place
  o an empty cell indicates that no relevant capabilities were available

7 Adversarial threat process
- The main (and most interesting) part of ATT&CK is still post-compromise
- The attack patterns covered in a previous chapter always use some system weakness
- A post-compromise technique does not always need to be based on a system weakness, because the adversary is already inside the system

8 Detection maturity model

9 Diamond model of intrusion analysis
- In addition to intrusion life cycle models, there are also attributional models
- The Diamond Model's atomic element is the event
  o an event describes the four core features present in every malicious event: for every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim, producing a result
  o the core features
    - adversary, infrastructure, capability and victim
  o every core feature is connected with every other core feature
    - except for adversary and victim, which have no direct relationship
  o Infrastructure
    - the infrastructure used by the adversary to attack the victim, not the infrastructure under attack
  o the relationships (vertices) between features are based on analytic pivoting
- The Diamond is expanded by two additional meta-features
  o the technology and social-political meta-features
- Technology meta-feature
  o connects infrastructure and capability and describes the technology enabling the infrastructure and capabilities to interact effectively
- Social-political meta-feature
  o describes the always existing, and sometimes enduring, relationship between adversary and victim
- The concept is further extended into the centered approaches
  o six approaches, derived from the four core features of the Diamond plus the technology and social-political meta-features, enumerate all of the potential methods to discover cyber threats

10 Approaches to analytic pivoting
- Victim-centered approach
  o analyzing data related to a potential victim reveals the other related (and Diamond-connected) elements
  o e.g., the Honeynet Project
- Capability-centered approach
  o capability-to-adversary pivot, using the social-political meta-feature to strengthen confidence in attribution
- Infrastructure-centered approach
  o focuses on the malicious infrastructure of the adversary
- Adversary-centered approach
  o involves monitoring an adversary directly to discover their infrastructure and capabilities
- Social-political-centered approach
  o capitalizes on an expected adversary-victim relationship to hypothesize who may be a victim and what may be their adversaries, or alternatively who may be an adversary and their expected victims
- Technology-centered approach
  o allows an analyst to target potential misuse or anomalous use of a technology to discover previously unknown infrastructure and capabilities which utilize such techniques

11 Activity thread
- Once activity is discovered and events have been characterized and analysed, they are ordered by the phases of malicious activity and linked by their causal relationships into threads
- Attack trees = attack graphs
- Activity-attack graph
  o takes intelligence on adversary operations into account during planning, not only to deduce existing operation paths, but also to potentially predict future paths based on adversary preference
- Activity groups
  o groups of common/similar malicious events, adversary processes, and threads
  o further organized into activity group families
- Horizontal correlation
  o the analytic process of causally linking events between vertical threads across adversary-victim pairs, identifying common knowledge gaps between threads, and using knowledge from one thread to fill knowledge gaps in another
- Vertical correlation
  o the analytic process of identifying knowledge gaps, filling those gaps with new knowledge, and establishing causal relationships (and associated arc labels) within a single vertical adversary-victim activity thread
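The pivoting and correlation described in sections 9 to 11, worked as an added Python example (not from the course notes or from the Diamond Model paper): the events, the actor name and the IP addresses are constructed, and the phase list used to order a thread is an assumption.

```python
"""Diamond Model events, analytic pivoting and a vertical activity thread.

Added example, not from the course notes. Five constructed intrusion
events are pivoted from a victim to the connected core features; the
infrastructure/capability overlap with an already attributed victim gives
an attribution hypothesis (horizontal correlation); and the events of one
victim are ordered into a thread whose missing phases are the knowledge
gaps that vertical correlation tries to fill.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Phase labels used to order a thread (constructed; any kill chain works)
PHASES = ["recon", "weaponize", "deliver", "exploit", "install", "c2", "act"]
CORE = ("adversary", "infrastructure", "capability", "victim")


@dataclass(frozen=True)
class Event:
    """One Diamond event: an adversary uses a capability over infrastructure
    against a victim; adversary stays None until attribution."""
    adversary: Optional[str]
    infrastructure: str
    capability: str
    victim: str
    phase: str
    seq: int  # observation order inside a phase


# Constructed events; the IP addresses are from the documentation ranges
EVENTS = [
    Event("actor-x", "203.0.113.5", "dropper-v1", "corp-b", "deliver", 1),
    Event("actor-x", "203.0.113.5", "implant-v2", "corp-b", "c2", 2),
    Event(None, "203.0.113.5", "dropper-v1", "corp-a", "deliver", 3),
    Event(None, "198.51.100.7", "implant-v2", "corp-a", "c2", 4),
    Event(None, "198.51.100.7", "implant-v2", "corp-a", "act", 5),
]


def pivot(events, feature, value):
    """Centered approach: every event whose given core feature equals value."""
    return [e for e in events if getattr(e, feature) == value]


def related_elements(events, feature, value):
    """The other three core features reachable from the pivot point."""
    others = [f for f in CORE if f != feature]
    found = {f: set() for f in others}
    for e in pivot(events, feature, value):
        for f in others:
            if getattr(e, f) is not None:
                found[f].add(getattr(e, f))
    return found


def attribution_hypotheses(events, victim):
    """Horizontal correlation: infrastructure or capability seen against this
    victim that is already attributed elsewhere names a candidate adversary."""
    hyps: Dict[str, Set[str]] = {}
    for e in pivot(events, "victim", victim):
        for f in ("infrastructure", "capability"):
            for other in pivot(events, f, getattr(e, f)):
                if other.victim != victim and other.adversary:
                    hyps.setdefault(other.adversary, set()).add(f"{f}={getattr(e, f)}")
    return hyps


def activity_thread(events, victim, adversary=None):
    """Vertical thread for one adversary-victim pair, ordered by phase."""
    thread = [e for e in pivot(events, "victim", victim)
              if adversary is None or e.adversary == adversary]
    return sorted(thread, key=lambda e: (PHASES.index(e.phase), e.seq))


def knowledge_gaps(thread):
    """Phases with no observed event in the thread."""
    seen = {e.phase for e in thread}
    return [p for p in PHASES if p not in seen]
```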

12 Kill chain course of action matrix
- Courses of action are
  o Discover
    - to discover or discern the existence, presence, or fact of an intrusion into information systems by looking at historical log data
  o Detect
    - to discover or discern the existence, presence, or fact of an intrusion into information systems based on detection rules set up for future traffic
  o Deny
    - to prevent the adversary from accessing and using critical information, systems, and services
  o Disrupt
    - to break or interrupt the flow of information
  o Degrade
    - to reduce the effectiveness or efficiency of adversary C2 (command and control) or communications systems, and information collection efforts or means
  o Deceive
    - to cause a person to believe what is not true; to seek to mislead adversary decision makers by manipulating their perception of reality, e.g., using a honeypot
  o Destroy
    - to damage a system or entity so badly that it cannot perform any function or be restored to a usable condition without being entirely rebuilt; this is an offensive action; arresting the hackers is also part of this
- Courses of action = mitigations
- In the cyberwarfare context, C3 stands for command, control and communication
- A more offensive acronym is C4ISR
  o Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance
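An added example (not from the course notes) that builds the COA matrix of section 12 and rates each kill-chain phase with the white/black diamond convention of section 6; the capability inventory is constructed, and giving a mitigation precedence over a detection in the rating is an assumption.

```python
"""Kill-chain course-of-action (COA) matrix with coverage gaps.

Added example, not from the course notes. A constructed inventory of
defensive capabilities is placed in the phase x course-of-action matrix and
each kill-chain phase is rated the way the notes describe: black diamond
when a mitigation is in place, white diamond when only passive detection is
in place, empty when nothing relevant exists.
"""
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
ACTIONS = ["Discover", "Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Destroy"]
PASSIVE = {"Discover", "Detect"}            # only observe the adversary
MITIGATING = set(ACTIONS) - PASSIVE         # act against the adversary

# Constructed capability inventory: (kill-chain phase, course of action, control)
CAPABILITIES = [
    ("Delivery", "Detect", "mail gateway attachment sandbox"),
    ("Delivery", "Deny", "block executable attachments"),
    ("Exploitation", "Detect", "EDR exploit telemetry"),
    ("Installation", "Deny", "application allow-listing"),
    ("Command and Control", "Discover", "proxy log retention (historical search)"),
    ("Command and Control", "Deceive", "DNS sinkhole for known C2 domains"),
    ("Actions on Objectives", "Degrade", "rate-limit outbound transfers"),
]


def build_matrix(capabilities):
    """phase -> action -> list of control names; rejects unknown labels."""
    matrix = {p: {a: [] for a in ACTIONS} for p in PHASES}
    for phase, action, name in capabilities:
        if phase not in matrix or action not in ACTIONS:
            raise ValueError(f"unknown phase or action: {phase}/{action}")
        matrix[phase][action].append(name)
    return matrix


def phase_status(matrix, phase):
    """'black' = mitigation in place, 'white' = detection only, 'empty' = nothing.
    Mitigation takes precedence over detection (assumption)."""
    row = matrix[phase]
    if any(row[a] for a in MITIGATING):
        return "black"
    if any(row[a] for a in PASSIVE):
        return "white"
    return "empty"


def coverage_gaps(matrix):
    """Phases where the adversary currently meets no relevant capability."""
    return [p for p in PHASES if phase_status(matrix, p) == "empty"]


def detection_only(matrix):
    """Phases that are seen but not acted on: candidates for a Deny/Disrupt control."""
    return [p for p in PHASES if phase_status(matrix, p) == "white"]


def render(matrix):
    """Text rendering: x marks a filled cell, the last column is the phase
    rating with the diamond symbols used in the notes."""
    symbol = {"black": "\u25c6", "white": "\u25c7", "empty": " "}
    width = max(len(p) for p in PHASES)
    lines = [" " * width + "  " + " ".join(f"{a[:4]:<4}" for a in ACTIONS) + " rating"]
    for p in PHASES:
        cells = " ".join(f"{'x' if matrix[p][a] else '.':<4}" for a in ACTIONS)
        lines.append(f"{p:<{width}}  {cells} {symbol[phase_status(matrix, p)]}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(CAPABILITIES)
    print(render(m))
    print("gaps:", coverage_gaps(m), "detection only:", detection_only(m))
```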

13 Cyber data ecosystem
- Vulnerabilities
  o more low-level details that go wrong and that are typically solved by patching to the most recent version or by modifying the way the system is configured
  o always about the past
  o linked to specific platform configurations and configuration settings
- Attack patterns
  o methods used by attackers
  o exploit weaknesses or vulnerabilities
- TTPs
  o are the tactics, techniques and procedures used by the attacker, but we look at the attack from the point of view of defence
  o link to known software (tools and malware) and known threat actor groups
    - Group is the general term, equated with a campaign
- Emulated mission
  o a scenario created for the purpose of adversary emulation
- Analytics
  o indicators that help to detect adversary behaviour linked to a specific TTP
- SIRP (Security Incident Response Platform)
  o manages incidents
  o a type of tool, not a specific tool nor a database
- CVE database
  o detailed vulnerabilities for a specific software and version number, including their severity provided by a scoring system from 0 to 10 (CVSS), with 10 the most severe
- OVAL
  o specifies which vulnerabilities (CVE) occur in which platform configurations (CPE), referring to which configuration settings (CCE)
- To protect software against future problems, the CVE database is not enough
  o CWE covers weaknesses instead of vulnerabilities
  o CVEs are linked to CWEs
  o scoring system: CWSS
    - the system is more generic because it is strongly dependent on your specific business context
  o CCSS
    - scoring system for configurations, i.e., it provides metrics for software security configuration vulnerabilities
- CWRAF
  o risk assessment framework
  o linked to the weaknesses
  o from MITRE
- TARA
  o method combining threat modelling and risk assessment
  o uses a catalogue that contains data from CAPEC, CVE and ATT&CK
  o from MITRE
- MAEC
  o does malware characterization
  o used during incident analysis
  o helps to identify specific software using e.g. hashes, but also describes the behaviour and capabilities of malware
  o a vocabulary to describe malware
- The most important information consists of the attack patterns collected in CAPEC
- and the TTPs collected in ATT&CK
- Tactics in ATT&CK
  o high-level categories (e.g., lateral movement)
- Techniques in ATT&CK
  o detailed techniques that fit into a category, e.g., stealing credentials in a specific way
- Procedures
  o are the actual implementation of a technique, but these are not described in ATT&CK
- PRE-ATT&CK
  o preparation phases of the attack
  o TTPs are less detailed and are also not platform specific
  o making your organization prepared for all of this is typically threat hunting
- CAR and SIGMA
  o CAR: a repository of analytics
  o SIGMA: standard format for SIEM tools; traces back to CAR and ATT&CK
- Other formats
  o YARA: analysing files
  o Snort/Suricata/Zeek: analysing network traffic
- Caldera: tool for adversary emulation where the attack scenarios are linked to ATT&CK
- Atomic Red Team
  o library (managed by Red Canary) of simple tests that each execute one ATT&CK technique, with the purpose of checking your detection capabilities
- Cascade
  o a tool (not a database) for automated threat hunting
- MISP
  o threat sharing platform
  o tool
- FIRST
  o groups several incident response sources and also provides a MISP instance
- Unfetter
  o a threat reporting and analytics tool linked to CAR, STIX, ATT&CK and others
- Engage
  o considers the active defence activities that can be done against the ATT&CK TTPs
- Atlas
  o the result of applying the ATT&CK model to the specific context of machine learning-based AI systems
- D3FEND
  o lists the (passive defence) countermeasures and links them to ATT&CK TTPs and CAR
- STIX and TAXII
  o standards for the specification of the details related to the information mentioned here (typically the yellow boxes), and for the standardized interchange of them
- CybOX (today called SCO)
  o concentrates on the observables
- SCAP
  o Security Content Automation Protocol

14 Most people only know CVE
- the viewpoint of considering CVE as the centre is far from sufficient for threat intelligence

15 MITRE ATT&CK matrix (tactics and techniques)
- Some link with STRIDE-LM, but other parts of STRIDE concentrate on the effect
  o whereas ATT&CK concentrates on the phase of the attack
- Some similarity between ATT&CK tactics and the kill chain
  o ATT&CK wants to stress that the sequential idea of the kill chain is not valid for the ATT&CK tactics
- The main goal of MITRE ATT&CK is to describe the tactics and techniques and to be able to detect behaviour once the attacker is inside the network (post-compromise)
  o Dwell time
    - the time the attacker is inside the network before being detected
- Techniques are further decomposed into sub-techniques
  o Why not procedures, as in TTP?
    - sub-techniques are more generic than procedures; procedures are the actual implementations of techniques or sub-techniques by actors and are not really stored by ATT&CK
- Enterprise matrix
  o groups Windows, macOS, Linux, Cloud, Network and Containers
  o post-compromise
- PRE-ATT&CK has been replaced by
  o the reconnaissance and resource development tactics, which are pre-compromise
- Mobile tactics
  o are a subset of the Enterprise tactics, as the matrix does not contain the first two tactics (reconnaissance and resource development)
- ICS tactics
  o share some commonalities with the Enterprise matrix
  o Defence Evasion in Enterprise is Evasion in ICS; e.g., disabling security software is not relevant in the ICS world
  o Credential Access and Exfiltration do not exist in ICS
  o Inhibit Response Function (hinder the safeguards put in place, e.g., actively preventing responses to a known and dangerous scenario) and Impair Process Control (disrupt control logic) are specific to ICS

16 MITRE ATT&CK matrix
- Reconnaissance
  o consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting
- Resource Development
  o consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting
- Initial Access
  o consists of techniques that use various entry vectors to gain an initial foothold within a network
- Execution
  o consists of techniques that result in adversary-controlled code running on a local or remote system
- Persistence
  o consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access
- Privilege Escalation
  o consists of techniques that adversaries use to gain higher-level permissions on a system or network
- Defence Evasion
  o consists of techniques that adversaries use to avoid detection throughout their compromise
- Credential Access
  o consists of techniques for stealing credentials like account names and passwords
- Discovery
  o consists of techniques an adversary may use to gain knowledge about the system and internal network
- Lateral Movement
  o consists of techniques that adversaries use to enter and control remote systems on a network
- Collection
  o consists of techniques adversaries may use to gather information, and the sources the information is collected from, that are relevant to following through on the adversary's objectives
- Command and Control
  o consists of techniques that adversaries may use to communicate with systems under their control within a victim network
- Exfiltration
  o consists of techniques that adversaries may use to steal data from your network
- Impact
  o consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes
- The ATT&CK tactics (and of course also the techniques) are part of the final stages of the cyber kill chain

17 Defence based on ATT&CK top 8
- even without sector-specific intelligence, you come up with other defence mechanisms than you would decide on in a traditional way

18 CTID ATT&CK top 10
- Center for Threat-Informed Defense (CTID)

19 CTID top 10 from a detection point of view
- Which data source or component can help me to develop detections for most techniques?
  o a complex problem
  o the conclusion is that process monitoring, process command-line parameters and file monitoring are the most important ones

20 MITRE PRE-ATT&CK
- PRE-ATT&CK and ATT&CK have several fundamental differences
  o ATT&CK is tightly coupled to a specific enterprise network (e.g., Microsoft Windows, Linux, or a mobility environment) and therefore provides detailed technical information on the adversary actions and defender mitigations for each technique
  o PRE-ATT&CK is agnostic to these differences, since the adversary can operate across any of these environments for their pre-compromise preparation activities
  o the mitigations in ATT&CK can be very specific and effective
  o PRE-ATT&CK mitigations are under development and will encompass technical and policy-based mitigations
  o while many of the ATT&CK mitigations require increased endpoint monitoring, PRE-ATT&CK largely requires additional data sources to obtain information about adversarial objectives and activities

21 Engage
- Take as an example the ATT&CK technique "Remote System Discovery"
  o when adversaries interact with the environment for this technique, they are vulnerable: the defender can collect, observe or manipulate system artifacts, which may cause the adversaries to reveal behaviours
  o the adversary engagement activity "Decoy artifacts and systems" satisfies this need
- Engage complements the ATT&CK viewpoint with a defender perspective
- Adversary Engagement
  o a combination of cyber denial and deception activities to interact with cyber adversaries in order to achieve the defender's goals
  o planting decoy credentials and monitoring for their use is an example
- Cyber denial
  o the ability to prevent or otherwise impair the adversary's ability to conduct their operations
- Cyber deception
  o intentionally reveals deceptive facts and fictions to mislead the adversary, while concealing critical facts and fictions to prevent the adversary from forming correct estimations or taking appropriate actions
- Engagement goals
  o Prepare, Expose, Affect, Elicit, Understand
  o expose adversaries by using deceptive activities to provide high-fidelity alerts
- Engagement approaches
  o plan, collect, detect, prevent, direct, disrupt, reassure, motivate, analyse
- Pocket litter
  o artifacts placed on a system to reinforce the legitimacy of the system and/or user
- Lures
  o systems and artifacts intended to serve as decoys, breadcrumbs, or bait to elicit a specific response from the adversary

22 Atlas
- ATLAS is a specific knowledge base of attacker behaviour related to attacking machine learning-based systems; ATLAS stands for Adversarial Threat Landscape for Artificial-Intelligence Systems
- Adversarial examples
  o are crafted for a replicated model and then transferred to the production model

23 ATT&CK vs CAPEC
- CAPEC
  o focus on application security
  o enumerates exploits against vulnerable systems
  o includes social engineering / supply chain
  o associated with the Common Weakness Enumeration (CWE)
- ATT&CK
  o focus on network defence
  o based on threat intelligence and red team research
  o provides contextual understanding of malicious behaviour throughout the adversary campaign
  o supports testing and analysis of defence options
- Comparing ATT&CK, Diamond, Lockheed Martin and CAPEC
  o the Lockheed Martin Cyber Kill Chain and other kill chains seek to track adversary movement, the Diamond Model seeks to correlate threat data into cohesive events, the MITRE ATT&CK model seeks to define and predict specific behaviours, and CAPEC focuses on the exploitation of weaknesses. The kill chain phases are similar to ATT&CK tactics, but ATT&CK does not prescribe the sequencing of the techniques
- ENGAGE
  o lists techniques that are not just meant to defend in general, but that are purposely meant as the set of techniques that can be used to win against these adversaries
- D3FEND
  o lists the more typical passive defence countermeasures
- CAR
  o relates to ways of detecting the adversary executing the technique

24 ICS and ATT&CK
- Some tactics are specific to ICS; the threat motivations are also different
- Adversary motivations are different in the ICS context
- Operator evasion is combined with defence evasion as one tactic

25 D3FEND
- deals with the problem of linking countermeasures and ATT&CK techniques

26 MITRE cyber analytics repository
- CARET
  o exploration tool
  o provides the links from the analytics to the ATT&CK techniques and sub-techniques
- Not all analytics proposed are implemented, and the set of analytics proposed is far from complete
- CAR was silent between 2016 and 2019 and is being prioritized again
  o it existed before D3FEND
- ATT&CK detections are the way to go now
- The analytics in CAR (and the countermeasures in D3FEND) are still evolving
- The proposed implementations are in many cases signature-based (looking for a file with a specific name) rather than behaviour-based
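Added example, not from CAR, Sigma or the course notes: a minimal evaluator for Sigma-style rules run over constructed process-creation events, showing the file-name signature analytic this section criticizes next to a behavioural parent/child analytic built on the data sources section 19 ranks highest. The rule dicts mirror the shape of a Sigma detection block; the process names, file names and the benign-macro filter are constructed.

```python
"""Sigma-style analytics over process-creation events: a file-name
signature beside a behavioural parent/child rule.

Added example, not from the course notes, CAR or the Sigma project. The
rules are plain dicts in the shape of a Sigma detection block
(field|modifier keys, 'selection and not filter' condition); the five
process events and every file/process name in them are constructed.
"""
from typing import Any, Dict, List

# Signature-style analytic: looks for one specific file name
SIGNATURE_RULE = {
    "title": "Known bad file name",
    "detection": {"selection": {"Image|endswith": "\\badtool.exe"}},
}

# Behaviour-style analytic: an Office application starting a shell or script
# host, with a filter for a known benign macro (constructed)
BEHAVIOUR_RULE = {
    "title": "Office application spawning a shell",
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\wscript.exe"],
        },
        "filter": {"CommandLine|contains": "print_labels.bat"},
    },
}

# Constructed process-creation events carrying the fields CTID ranks highest:
# process image, parent image and command line
EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\badtool.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "badtool.exe --help"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\s.bat"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",  # same tool, renamed
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "svc_update.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": "cmd.exe /c print_labels.bat"},                # benign, filtered
]


def _match_one(actual: str, expected: str, modifiers: List[str]) -> bool:
    """Sigma string matching is case-insensitive; modifiers change the comparison."""
    a, e = actual.lower(), expected.lower()
    if "contains" in modifiers:
        return e in a
    if "endswith" in modifiers:
        return a.endswith(e)
    if "startswith" in modifiers:
        return a.startswith(e)
    return a == e


def selection_matches(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """Fields in a selection are ANDed; a list of values is ORed unless the
    'all' modifier is present."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        actual = str(event.get(field, ""))
        values = expected if isinstance(expected, list) else [expected]
        hits = [_match_one(actual, str(v), modifiers) for v in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def rule_matches(event: Dict[str, Any], rule: Dict[str, Any]) -> bool:
    """Evaluates the common 'selection and not filter' condition."""
    det = rule["detection"]
    if not selection_matches(event, det["selection"]):
        return False
    return not ("filter" in det and selection_matches(event, det["filter"]))


def run_rules(rules, events):
    """Rule title -> indexes of the events that match it."""
    return {r["title"]: [i for i, e in enumerate(events) if rule_matches(e, r)]
            for r in rules}
```

The renamed copy in event 3 is missed by the file-name signature, while the parent/child rule fires on event 1 regardless of what the child binary is called, which is the page's point about behaviour-based analytics.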

27 CAPEC example
- A similar (but rare) link exists between some CAPEC entries and some ATT&CK entries

28 STIX 2.1 architecture
- Structured Threat Information Expression (STIX)
  o a language and serialization format used to exchange cyber threat intelligence (CTI)

29 CWE (Common Weakness Enumeration)
- grouped in three main hierarchies or views:
  o research concepts
  o software development concepts
  o hardware design
- Software development hierarchy
  o organizes weaknesses around concepts that are frequently used or encountered in software development
- Hardware design hierarchy
  o organizes weaknesses around concepts that are frequently used or encountered in hardware design
- Research concepts hierarchy
  o intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE

30 CVE: Common Vulnerabilities and Exposures
- NVD: National Vulnerability Database

31 CVSS scoring system
- quantifies the severity of a particular vulnerability (CVE)
- captures the principal technical characteristics of software, hardware and firmware vulnerabilities
- its outputs include numerical scores indicating the severity of a vulnerability relative to other vulnerabilities
- three metric groups
  o Base
  o Temporal
  o Environmental
- Base metric group
  o represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments
  o Exploitability metrics
    - reflect the ease and technical means by which the vulnerability can be exploited
  o Impact metrics
    - reflect the direct consequence of a successful exploit and represent the consequence to the thing that suffers the impact, which is formally referred to as the impacted component
- Temporal metric group
  o reflects the characteristics of a vulnerability that may change over time but not across user environments
- Environmental metric group
  o represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment

32 VERIS
- organizes incident data and identifies trends

33 OWASP
- Open Web Application Security Project
- limited to web applications, but provides important details in this area and is considered an authoritative source to check when deploying your web application

34 OWASP Top 10 risks overview
- Broken access control
  o access control enforces policy such that users cannot act outside of their intended permissions
- Cryptographic failures
  o failures related to cryptography (or the lack thereof), which often lead to exposure of sensitive data
- Injection
  o injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query
- Insecure design
  o a broad category representing different weaknesses, expressed as "missing or ineffective control design"
- Security misconfiguration
  o the most commonly seen issue
  o commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information
- Vulnerable and outdated components
  o components, such as libraries, frameworks, and other software modules, run with the same privileges as the application
- Identification and authentication failures
  o application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently
- Software and data integrity failures
  o making assumptions about software updates, critical data, and CI/CD pipelines without verifying integrity
- Security logging and monitoring failures
  o insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data
- Server-side request forgery (SSRF)
  o SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL

35 Adversary emulation
- Caldera
  o can be used to test endpoint security solutions and assess a network's security posture against the common post-compromise adversarial techniques contained in the ATT&CK model
- Micro emulation plans
  o are smaller, more specific combinations of techniques rather than models of full-scope breach scenarios
- The goal of adversary emulation is different from pentesting
  o pentesting tests prevention capabilities and not so much detection
  o adversary emulation primarily tests detection capabilities

36 Threat intelligence and your teams
- Threat hunting starts with the assumption that adversaries are already operating in the environment, and uses data mining and breach analytics to find them

37 AMITT (Adversarial Misinformation and Influence Tactics and Techniques) framework
- aims to describe disinformation incidents
