Getting familiar with the cyber threat landscape
To begin with, there should be a cybersecurity strategy. The smart way to create one is to understand the current threats and the capabilities of adversaries, and then apply proactive measures to prevent the cybersecurity incidents an organization is likely to face. For example, a small consulting company that works with other small businesses would not, with high confidence, expect an espionage attack from state-sponsored groups. Construction businesses will most likely face a ransomware attack, while telecom and government entities will likely face espionage attacks. We will discuss these in more detail later in this chapter.
Such a profile, describing the current and evolving state of cybersecurity risks from potential and identified cyber threats, is produced by the unifying concept of cyber threat analysis. The unified cyber threat analysis process combines identification of the external attack surface (all exposed digital assets) with cyber threat intelligence (CTI).
The external attack surface is a relatively new term that covers all internet-facing enterprise assets: the infrastructure perimeter, intellectual property hosted on third-party services (including source code), project management and CRM systems, and more. Powered by CTI, external attack surface management provides significant value to organizations by helping them manage their digital assets and giving actionable insight into digital risks. Its verdicts are based on vulnerabilities (with severity scoring improved by knowledge of the available exploits and their use in cyberattacks), infrastructure misconfigurations, exposures, confirmed compromises, and leaks. However, this class of solutions does not solve the problem of obtaining information about the cyber threats facing organizations. For example, an external attack surface management (EASM) solution reports currently unpatched vulnerabilities or leaked credentials, but it does not explain the current attacks that other organizations face. Its data may therefore feed user and entity behavioral analysis (UEBA) or trigger playbooks in security orchestration, automation, and response (SOAR) solutions that force a password reset or open a ticket for the IT team to patch the vulnerabilities. It does not, however, provide some valuable aspects of threat intelligence, all of which we will cover later in this section. In addition, EASM may identify the source of a credential leak by specifying the malware family, but it won't explain how to properly discover and mitigate that malware.
Next, CTI includes the following aspects that pose cybersecurity risks:
- Threat actors and their motivations
- Vulnerabilities
- Compromised and leaked accounts
- Malware
- Tools
- Attack tactics, techniques, and procedures
- Indicators of compromise (IoCs)
Compared to the EASM, threat intelligence provides a complete overview of all these aspects without being tied to the specifics of a particular organization.
Cybersecurity vendors generate and continually feed this knowledge base through incident response engagements, by observing adversaries' attack life cycles and motivations, and through everything else we have discussed already. In addition, experts perform post-analysis: they identify the threat actor's infrastructure used to conduct attacks on victims, leverage open source intelligence (OSINT) research, generate patterns to track activity, predict future campaigns, and secure their clients from ongoing attacks.
Three different models explain the different levels of threat intelligence:
| Model 1 | Model 2 | Model 3 |
| --- | --- | --- |
| Strategic | Strategic | Strategic |
| Operational | Operational | Operational |
| Tactical | Tactical | |
| Technical | | |

Table 1.1 – Threat intelligence tiered models – comparison
For the sake of atomicity, let’s proceed with a four-layered model:
| Layer | Description |
| --- | --- |
| Strategic | Executive summary about attackers by activity, country, and industry while considering their motivations, goals, and trends |
| Operational | A summary of current and impending attacks from various adversaries, as well as vulnerabilities exploited in recent breaches |
| Tactical | The tactics, techniques, and procedures (TTPs) of threat actors, most frequently based on the MITRE ATT&CK® matrix; exploited vulnerabilities |
| Technical | IoCs, detection rules (YARA and SIGMA rules), and compromised user accounts |

Table 1.2 – Semantics of the different CTI levels
To summarize, the levels of CTI provide answers to the following questions:
- The who and why – strategic CTI
- The how and where – operational CTI
- The what – tactical and technical CTI
At this stage, you might be wondering how you can apply this knowledge to protect organizations.
Well, the answer to the question is a little intricate, but we can break it down step by step.
To start, the technical layer of threat intelligence should not consume a lot of time and must be automated at the implementation phase by the vendor and in-house security team, as shown in the following table:
| Type | Action |
| --- | --- |
| IoCs | Feeding SIEM or other security controls such as NGFW, AV, EDR, sandboxes, DLP, and email security solutions for automated blocking and prevention, as well as alert triggering, including a severity level to attract the security team's attention. |
| Detection rules (YARA and SIGMA rules) | YARA rules can be used for one-time or triggered proactive scans, or for custom detections (if the implemented technology supports it) in AV, EDR, and malware detonation solutions (sandboxes). SIGMA rules can be implemented in SIEM detection logic or used for one-time scans of telemetry in EDR. |
| Compromised user accounts | Feeding privileged access management (PAM) systems or UEBA to reset access or force a password change by the end user. Triggering a compromise assessment across the identified compromised users' devices to find traces of malware infection or other credential exposure techniques, and remediating them. |
| Exploited vulnerabilities | Immediately scanning the attack surface and patching. If there is a zero-day or one-day vulnerability without a patch available, a workaround can be implemented to reduce the risk of compromise. |

Table 1.3 – Tactical CTI consumption
Tactical threat intelligence is consumed by security analysts to help them hunt for threats, enhance their detection logic, and respond to threats better. Techniques and procedures should be used in the threat-hunting process, something we'll cover later in this book. Generally, there are two types of procedures: generic ones, and ones tailored to specific threat actors that use them in a specific attack. Hunting for tailored procedures usually results in a small number of search hits that the analyst can easily review. Generic procedures are tougher to spot, as much legitimate or business-specific software uses the same methods to operate. For example, discovery techniques such as `cmd.exe` triggering commands such as `net use` and `net user` are among the most frequently seen procedures during normal activity in big environments, and in 99.9% of cases they are innocent.
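Putting Table 1.3 and the paragraph above together, here is an added example (not from the book) of consuming technical CTI as IoC matches and hunting the generic `net user`/`net use` procedure while suppressing hits from a baselined parent process; the event format, IoC values, parent baseline, and host names are constructed assumptions.

```python
"""Added example, not from the book: consume technical CTI (IoCs) and hunt the
generic 'net use' / 'net user' procedure over constructed process-creation events.
The event format, IoC values, and baseline are assumptions, not real data."""
import os

# Constructed technical CTI feed; values are placeholders (dummy hash, TEST-NET-3 address).
IOC_FEED = {
    "sha256": {"1" * 64: "high"},
    "ipv4": {"203.0.113.7": "medium"},
}
# Assumed baseline: parents known to run net commands legitimately (e.g. an inventory agent).
BASELINE_PARENTS = {"c:/program files/inventory/agent.exe"}

# Constructed Sysmon-like process-creation events (forward slashes for readability).
EVENTS = [
    {"host": "ws01", "image": "C:/Windows/System32/net.exe", "cmd": "net user",
     "parent": "C:/Program Files/Inventory/agent.exe", "sha256": "", "dst_ip": ""},
    {"host": "ws02", "image": "C:/Windows/System32/net1.exe", "cmd": "net1 use",
     "parent": "C:/Program Files/Inventory/agent.exe", "sha256": "", "dst_ip": ""},
    {"host": "ws03", "image": "C:/Windows/System32/net.exe", "cmd": "net user /domain",
     "parent": "C:/Windows/System32/cmd.exe", "sha256": "", "dst_ip": ""},
    {"host": "ws04", "image": "C:/Users/bob/AppData/Local/Temp/update.exe", "cmd": "update.exe",
     "parent": "C:/Windows/explorer.exe", "sha256": "1" * 64, "dst_ip": "203.0.113.7"},
]

def match_iocs(event, feed):
    """Technical CTI consumption: exact-match the event's file hash and destination IP."""
    hits = []
    for ioc_type, field in (("sha256", "sha256"), ("ipv4", "dst_ip")):
        value = event.get(field, "").lower()
        if value and value in feed.get(ioc_type, {}):
            hits.append((ioc_type, value, feed[ioc_type][value]))
    return hits

def is_net_discovery(event):
    """Tactical hunt: net.exe/net1.exe invoked with 'user' or 'use' as the first argument."""
    image = os.path.basename(event["image"]).lower()
    tokens = event["cmd"].lower().split()
    return image in {"net.exe", "net1.exe"} and len(tokens) > 1 and tokens[1] in {"user", "use"}

def hunt(events, feed, baseline):
    """IoC matches are alerts on their own; generic net hits only when the parent is not baselined."""
    alerts = []
    for ev in events:
        for ioc_type, value, severity in match_iocs(ev, feed):
            alerts.append({"host": ev["host"], "reason": f"ioc:{ioc_type}", "severity": severity})
        if is_net_discovery(ev) and ev["parent"].lower() not in baseline:
            alerts.append({"host": ev["host"], "reason": "ttp:net-discovery", "severity": "low"})
    return alerts
```

The two baselined `net` executions on ws01 and ws02 are the "innocent" hits the text describes and produce no alert; only the unbaselined parent on ws03 and the IoC matches on ws04 surface for the analyst.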
Operational threat intelligence is consumed by cybersecurity team leads and security analysts who are performing regular threat hunting as they analyze threat actors’ campaigns.
Strategic threat intelligence usually targets decision-makers such as chief information security officers (CISOs), chief information officers (CIOs), and chief technology officers (CTOs). It gives the CISO/CIO and any other cyber executive a technical and tactical understanding that they can use to identify the risk to the organization and to define changes in cybersecurity investments or in the corporate culture, such as cybersecurity awareness.
The result of applied cyber threat analysis is the cyber threat landscape. Several factors influence the landscape for a specific entity, such as geography, industry, organization size, contracts, possession of valuable data for attackers, and publicity.
Moreover, the threat landscape might change over time due to different events:
- Newly discovered vulnerabilities for which exploits become publicly available after a short period, sometimes before the product vendor has been notified. It's important to note that these vulnerabilities are related to public-facing applications (including security controls) or office applications (for example, the Follina remote code execution vulnerability in Microsoft Office, CVE-2022-30190, or the CVE-2023-23397 vulnerability in the Microsoft Outlook mail client).
- A global shift in the consumer and business market. The more users there are, the higher the probability of a successful attack and more potential victims.
- New trends in the IT sector: software development, data processing, delegating data to third parties (for example, cloud computing), and a wider use of shared libraries from package repositories.
- Global events such as the COVID-19 pandemic, which forced organizations to make major changes to their infrastructure to support remote work.
- Military or political conflicts.
At this stage, we are ready to deep dive into the different types of threat actors and their motivations.