Threat intelligence is information that informs enterprise defenders about adversarial elements so that they can stop them.
It is information that is relevant to the organization, has business value, and is actionable.
Having all the data and feeds is not enough: data alone isn’t intelligence.
Threat Intelligence
1. EVERY CRIME LEAVES A TRAIL OF EVIDENCE
D3PAK KUMAR (D3)
DIGITAL FORENSICS | CYBER INTELLIGENCE
2. DISCLAIMER
Different organisations are subject to different laws and regulations. This resource is for educational and
research purposes only. Do not attempt to violate the law with anything contained here.
Neither the author of this material, nor anyone else affiliated in any way, is liable for your actions.
Some of this information comes from the internet and some from personal experience; it is not meant to hurt anybody ☺
3. “If you know the enemy and know yourself, you
need not fear the result of a hundred battles”
- Sun Tzu
6. Anything likely to cause damage or danger
+
Ability to acquire and apply knowledge and skills
=
Threat Intelligence
7. Again, What is Threat Intelligence?
“Threat intelligence is evidence-based knowledge (e.g., context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets.”
– Gartner
Diagram: raw sources (mail, metadata, malware, phish, spoof activity, audit activities, click trace, TI sources, GeoIP, threat indicators, DLP hits, machine infections) → Information → Insight/Analysis
8. Threat Intel Categories
Strategic: Broader trends, typically meant for a non-technical audience
Tactical: Outlines of the tactics, techniques, and procedures of threat actors, for a more technical audience
Operational: Technical details about specific attacks and campaigns
Solution
Integrate with machine learning that connects the dots and provides context on indicators of compromise (IOCs) and the tactics, techniques and procedures (TTPs) of threat actors
9. Use case examples
• Phishing Detection
• Incident Response Knowledge Base
• Vulnerability Prioritisation
• Fraud Detection
• Forensics RCA (root cause analysis)
• Brand Monitoring
Threat Analysis cycle (diagram): Collection → Processing → Analysis & Production → Validation → Dissemination → Projection
10. What am I trying to protect?
Have you identified your crown jewels and how they are both protected and at risk?
Do you know who/what you are protecting it from?
Do you have a plan for protecting your assets from the actors or risk identified?
11. Operational Information & Intel Feeds
Internally Generated Analysis
• IOC hunters – Vendor
• End Point Protection
• Security Operation
• Vulnerability Management
Information Sharing
• Sectoral – Financial services, public sector
• Geographic – local CERT
• NIS Directive
Organisation Specific
• Your “Organisation” information
• Social media
• Boards
• Dark web
• Customer or organisation phishing campaigns
Generic External
• Open source
• Subscription based – X-Force, Digital Shadows, Deepsight
• Raw e.g. XSS, JSON, TXT
• Indicators of compromise (IOCs)
• Tactics, techniques and procedures (TTPs)
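As an added illustration (not from the slides) of the deck's point that raw feeds are data rather than intelligence: the Python below merges a constructed JSON feed and a constructed TXT feed into one deduplicated indicator set that keeps track of which sources reported each indicator, then matches it against constructed proxy and mail gateway log lines so that the output is a hit tied to a user and a time. The feed formats, field names and log layout are assumptions, not any vendor's actual format.

```python
import json
from collections import defaultdict

# Constructed sample feeds: a JSON feed with context fields and a bare TXT list (one IOC per line).
JSON_FEED = json.dumps([
    {"type": "domain", "value": "bad-updates.example", "source": "vendorA", "tag": "C2"},
    {"type": "ipv4", "value": "203.0.113.45", "source": "vendorA", "tag": "delivery"},
])
TXT_FEED = """# constructed sharing-group feed
bad-updates.example
198.51.100.7
"""
# Constructed local log lines (proxy and mail gateway): timestamp, source, then key=value fields.
LOCAL_LOGS = [
    "2024-05-02T09:14:03Z proxy user=jdoe dst=bad-updates.example bytes=4821",
    "2024-05-02T09:20:41Z mail from=hr@corp.example to=jdoe attach=payroll.xlsx",
    "2024-05-02T11:02:17Z proxy user=asmith dst=cdn.example bytes=120",
]

def normalise(json_feed, txt_feed):
    """Merge both feeds into {indicator: {type, sources, tags}}, deduplicating across feeds."""
    iocs = defaultdict(lambda: {"type": None, "sources": set(), "tags": set()})
    for rec in json.loads(json_feed):
        entry = iocs[rec["value"].lower()]
        entry["type"] = rec["type"]
        entry["sources"].add(rec["source"])
        if rec.get("tag"):
            entry["tags"].add(rec["tag"])
    for line in txt_feed.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip comments and blank lines in the raw TXT feed
        entry = iocs[line.lower()]
        entry["type"] = "ipv4" if line.replace(".", "").isdigit() else "domain"
        entry["sources"].add("txt-feed")
    return dict(iocs)

def match_logs(iocs, logs):
    """Return (timestamp, user, indicator, sources, tags) for each log line whose dst is a known IOC."""
    hits = []
    for line in logs:
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[2:])
        dst = fields.get("dst", "").lower()
        if dst in iocs:
            entry = iocs[dst]
            hits.append((parts[0], fields.get("user"), dst,
                         sorted(entry["sources"]), sorted(entry["tags"])))
    return hits
```

Calling match_logs(normalise(JSON_FEED, TXT_FEED), LOCAL_LOGS) yields a single hit: jdoe's proxy request to bad-updates.example, reported by both feeds and tagged C2, which is what an analyst can act on.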
12. TLP – Traffic Light Protocol
What is TLP?
A set of designations to ensure that sensitive information is shared with the correct audience and that the recipient(s) understand if and how the information can be disseminated.
Who Uses TLP?
US-CERT, and public and private sector organizations within: US, Australia, Canada, Finland, France, Germany, Hungary, India, Italy, Japan, Netherlands, New Zealand, Norway, Sweden, Switzerland and the United Kingdom.
13. Threat Intel Platform (TIP)
Open Source:
• CRITs
• Soltra
• MANTIS
• MISP
• OTX, etc.
PS: Only for educational purposes
For More:
1. https://github.com/hslatman/awesome-threat-intelligence
2. https://www.senki.org/operators-security-toolkit/open-source-threat-intelligence-feeds/
15. Kill Chain Analysis
MITRE ATT&CK MATRIX
Kill chain phases: Recon → Weaponise → Delivery → Exploitation → Installation → C2 → Actions & Objectives
➢ Task: Identify the Attackers’ Step by Step Process
➢ Goal: Disrupting Attackers’ operations
Questions asked along the kill chain (read left to right across the phases):
▪ Motivation
▪ Preparation
▪ Configuration
▪ Packaging
▪ Mechanism of Delivery
▪ Infection Vector
▪ Technical or human?
▪ Applications affected
▪ Method & Characteristics
▪ Persistence
▪ Characteristics of change
▪ Acquiring additional components
▪ Communication between victim & adversary
▪ What the adversary does when they have control of the system
MITRE ATT&CK examples per phase:
Recon: Active Scanning; Passive Scanning; Determine Domain & IP Address Space; Analyze Third-Party IT Footprint
Weaponise: Malware; Scripting; Service Execution
Delivery: Spearphishing Attachment/Link; Exploit Public-Facing Application; Supply Chain Compromise
Exploitation: Local Job Scheduling; Scripting; Rundll32
Installation: Application Shimming; Hooking; Login Items
C2: Data Obfuscation; Domain Fronting; Web Service
Actions & Objectives: Email Collection; Data from Local System/Network Share
16. USE CASE : IP Theft
o Employee Resigned
o Joined New Company
o Data theft
o Type of data (pdf, xlsx)
o Browser history cleared
o No data in Recycle bin
o Formatted USB
✓ Forensics Imaging (Physical If required)
✓ Timeline
✓ Machine (Laptop/Desktop) : User info (SID)
✓ Data Recovery (Specific data formats)
✓ Mail Check (pst, ost, lotus, etc.)
✓ SIEM/DLP logs (Data copied)
✓ Firewall (3rd party URL data uploaded)
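An added example (not part of the slides) of the timeline step in this checklist: it merges constructed USB, DLP, firewall and browser-history records, each keeping its own timestamp format as real collections do, into one UTC-ordered timeline for the suspect's user SID and then reports which stages of the copy-and-upload sequence appear, in order. The record layout, the SID, the file names and the stage labels are all assumptions.

```python
from datetime import datetime, timezone

# Constructed evidence records: (raw timestamp, user SID, event). Each source has its own format.
SOURCES = {
    "usb": [("2024-05-03 17:58:10", "S-1-5-21-1-2-3-1001", "USB mass storage mounted, serial=CONSTRUCTED01")],
    "dlp": [("2024-05-03T18:02:44Z", "S-1-5-21-1-2-3-1001", "copy Q2_forecast.xlsx -> E:\\"),
            ("2024-05-03T18:03:01Z", "S-1-5-21-1-2-3-1001", "copy contracts.pdf -> E:\\")],
    "fw": [("03/May/2024:18:15:27 +0000", "S-1-5-21-1-2-3-1001", "POST https://share.example/upload 8.3MB")],
    "browser": [("2024-05-03T18:20:05Z", "S-1-5-21-1-2-3-1001", "history cleared")],
}
FORMATS = {"usb": "%Y-%m-%d %H:%M:%S", "dlp": "%Y-%m-%dT%H:%M:%SZ",
           "fw": "%d/%b/%Y:%H:%M:%S %z", "browser": "%Y-%m-%dT%H:%M:%SZ"}
DATA_EXT = (".pdf", ".xlsx")  # the data types the case is about
SUSPECT_SID = "S-1-5-21-1-2-3-1001"  # constructed SID of the resigned employee

def parse_ts(source, raw):
    """Parse a source-specific timestamp and normalise it to UTC (naive values are taken as UTC)."""
    ts = datetime.strptime(raw, FORMATS[source])
    return ts.replace(tzinfo=timezone.utc) if ts.tzinfo is None else ts.astimezone(timezone.utc)

def build_timeline(sources, sid):
    """Merge every source into one UTC-ordered list of (timestamp, source, event) for one SID."""
    rows = [(parse_ts(src, raw), src, ev) for src, recs in sources.items()
            for raw, who, ev in recs if who == sid]
    return sorted(rows)

def exfil_sequence(timeline):
    """Return the stages seen, in order: mount -> copy of sensitive data -> upload -> anti-forensics."""
    stages = []
    for ts, src, ev in timeline:
        e = ev.lower()
        stage = None
        if src == "usb" and "mounted" in e:
            stage = "mount"
        elif src == "dlp" and any(ext in e for ext in DATA_EXT):
            stage = "copy"
        elif src == "fw" and e.startswith("post"):
            stage = "upload"
        elif src == "browser" and "cleared" in e:
            stage = "wipe"
        if stage and stage not in stages:  # record each stage once, at its first occurrence
            stages.append(stage)
    return stages
```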
Question & Answer