Cyber threat Intelligence and Incident Response by:-Sandeep Singh

Security Researcher at Adobe, Chapter Leader at OWASP & null
Feb. 3, 2016


  1. Cyber Threat Intelligence Sandeep Singh OWASP Delhi & null Delhi 30 January 2015

  2. Disclaimer
     • I am not an intelligence analyst but would love to be
     • The topic is close to my heart
     • Do not expect any FM (Freakin Magic)
     • The objective is to help attendees get familiar with the world of threat intel

  3. Agenda
     • Overview of Threat Intel
     • Understanding Threat Intel
     • What is Cyber Threat Intelligence
     • Types of Threat Intel
     • Intelligence Lifecycle
     • Threat Intel – Classification & Vendor Landscape
     • Threat Intel – Standards
     • Open Source Threat Data/Intel Sources
     • Bonus Agenda

  4. What is Threat Intelligence?

  5. Overview
     • Buzzword
     • Growing field - $250M in 2013 - $1.5B in 2018
     • Lots of new service providers entering the market
     • ...and still maturing

  6. Threat
     Risk = Vulnerability * Threat * Impact
     Threat = Intent * Capability
     We like the term "Threat Actor". May be any of:
     • Cybercrime
     • State-sponsored
     • Hacktivism
     • Insider
     • Industry competition

  7. Intelligence (a.k.a. Renseignement, ré-enseignement)
     • Environment → Data → Information → Intelligence
     • Intelligence is a cyclic process
     • Analysis and contextualization
     • Models help counter diversity with abstraction

  8. Actionable Intel
     • Accurate
     • Relevant
     • Timely
     • Aligned
     • Predictive
     • Integrated

  9. Cyber Threat Intelligence
     • Cyber: area of interest / of collection
     • Threat: subject of interest
     • Intelligence: process

  10. Key Elements of Threat Intel

  11. Types of Threat Intel

  12. Strategic TI
      • Target audience: decision-makers
      • Focus on changing risks, high level topics
        • Geopolitics
        • Foreign markets
        • Cultural background
      • Vision timeframe: years
      Note: You may never have heard of this; could be explained by lack of maturity in orgs

  13. Operational TI
      • Target audience: defenders
      • Focus on current & future attacks:
        • Who, what, when?
        • Early warning on incoming attacks
        • Social media activity
      • Vision timeframe: months, weeks, hours
      Note: Hard for private companies to obtain on advanced attackers; traditionally collected through HUMINT / SIGINT

  14. Tactical TI
      • Target audience: architects & sysadmins
      • Focus on "TTPs":
        • Attacker modus operandi
        • Blue team / red team tools
        • Exfiltration / C2 methods
        • Persistence / stealth / deception mechanisms
      • Vision timeframe: weeks to a year
      Note: The most common form of threat intel (and marketing) produced today; easy to obtain

  15. Technical TI a.k.a. Data
      • Target audience: SOC, IR people
      • Focus on raw observables:
        • Indicators of compromise
        • Host and network artifacts
        • Yara, Snort, OpenIOC rules
      • Vision timeframe: hours to years
      Note: Man-hours are valuable. Technical TI is abundant. Processing should be as automated as possible.

  16. Weaponry
      • Strategic: will feed SWOT, risk assessments, Porter Diamond model...
      • Tactical: Cyber Kill-chain, Diamond model, ACH
      • Operational: OODA Loop, Pyramid of Pain
      • Technical: F3EAD, CIF, FIR, MISP, Malcom, Maltego, ...

  17. Intelligence Cycle

  18. Intelligence Cycle applied to CTI in orgs
      • Planning
        • What are you looking for?
      • Collection
        • OSINT/HUMINT
        • Logs/Data points inside the org
        • Honeypots/nets/docs, social networks
        • FM-5
      • Processing
        • Synthesizing the collected data so that the intelligence analyst can work
      • Analysis
        • Finished Intelligence
      • Dissemination
        • Present to the right audience

  19. Threat Intel - Classification
      • Threat Intel Platform
      • Threat Intel Enrichment
      • Threat Intel Integration
      • Open Source Intel (OSINT)
      • Human Intel (HUMINT)
      • Technical Intel
      • Adversary Intel
      • Vulnerability Intel
      • Strategic Intel

  20. Vendors

  21. Can you guess the price of commercial threat Intel?

  22. • Symantec's 12-month retail subscription to its reputation feed costs $95,300 (INR 6,100,000 approx.)
      • FireEye threat intelligence appliances start at around $17,000 per unit and go up to $175,000 per unit

  23. Managing Threat Intel – As tough as it sounds

  24. ...but lots of stuff is going on
      • MISP - Event-based indicator sharing
      • FIR - Incident management platform + indicator correlation
      • CRITS - Platform to store threat-related information
      • Malcom - Correlation of network traffic with maliciousness feeds
      • CIF - Query indicators + variety of output formats
      • Grr, osquery - Endpoint hunting (not mature)

  25. What’s so nice about “standards”
      • MITRE - STIX, TAXII, CybOX, MAEC
      • IETF - IODEF
      • Mandiant - OpenIOC
      • VERIS
      • MANTIS

  26. Open Source Threat Data Sources
      Black List IP Address Sources
      • emergingthreats.net
      • binarydefense.com
      • zeustracker.abuse.ch
      • palevotracker.abuse.ch
      • feodotracker.abuse.ch
      • sslbl.abuse.ch
      • spamhaus
      Phishing URL Sources
      • openphish.com
      Vulnerability Database Sources
      • scip.ch
      • cxsecurity.com
      • exchange.xforce.ibmcloud.com
      • packetstormsecurity.com
      Honeypots/Honeynets

  27. Bonus Agenda

  28. CIF: Collective Intelligence Framework
      • Developed by REN-ISAC
      • http://csirtgadgets.org/collective-intelligence-framework/
      • Does not generate data; simply takes sources, normalizes them and then outputs by given types
      • Limited in the types of data it can handle
        – URLs
        – Domains
        – IPs
        – MD5s
      • Certainly more to threat intel than this, but it’s a start
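Slide 15 says technical TI processing should be as automated as possible, and slide 28 describes CIF as a tool that takes feeds, normalizes them and outputs indicators by type (URLs, domains, IPs, MD5s). The following added example, written for this page and not code from CIF or from the author, shows that normalize-and-match step in miniature: a constructed raw feed is classified into those four types, normalized (lower-cased hosts and hashes, rejected malformed entries), and then run against constructed proxy log lines. All feed values, log lines and names are made up.

```python
import ipaddress
import re
from urllib.parse import urlparse
# Constructed feed (not real data): CIF's four indicator kinds, a comment, a bad IP.
RAW_FEED = """# constructed sample feed
198.51.100.23
Example-Bad.test
http://malware.example.test/Drop/payload.bin
D41D8CD98F00B204E9800998ECF8427E
198.51.100.999
"""

def classify(raw):
    """Return (type, normalized value) for one feed line, or None if unusable."""
    value = raw.strip()
    if not value or value.startswith("#"):
        return None
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        lowered = value.lower()
    if re.fullmatch(r"[0-9a-f]{32}", lowered):
        return "md5", lowered  # hashes compare case-insensitively
    if lowered.startswith(("http://", "https://")):
        p = urlparse(value)  # host is case-insensitive, path is not
        return "url", f"{p.scheme}://{p.netloc.lower()}{p.path}"
    return ("domain", lowered) if re.fullmatch(r"([a-z0-9-]{1,63}\.)+[a-z]{2,63}", lowered) else None

def normalize_feed(text):
    """Group a raw feed into deduplicated, sorted indicators by type."""
    out = {}
    for kind, value in filter(None, map(classify, text.splitlines())):
        out.setdefault(kind, set()).add(value)
    return {kind: sorted(vals) for kind, vals in out.items()}

# Constructed proxy log lines to run the normalized feed against.
PROXY_LOG = [
    "2015-01-30T10:01:02 10.0.0.5 GET http://malware.example.test/Drop/payload.bin 200",
    "2015-01-30T10:01:09 10.0.0.7 GET http://www.example.test/index.html 200",
    "2015-01-30T10:02:11 10.0.0.9 CONNECT 198.51.100.23:443 200",
]
def match_log(indicators, log_lines):
    """Return (line, type, indicator) for each log line containing an indicator."""
    hits = []
    for line in log_lines:
        for kind, values in indicators.items():
            haystack = line if kind == "url" else line.lower()
            hits.extend((line, kind, v) for v in values if v in haystack)
    return hits
```

On the constructed data, the feed yields one indicator of each type, the malformed IP is dropped, and two of the three log lines match (the URL and the IP). Substring matching is deliberately simple; a real deployment would match on parsed fields to avoid false positives on partial overlaps.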

  29. CIF Architecture

  30. F3EAD
      • A target-centric approach to intelligence analysis
      • Bridge between operations and intelligence
      • a.k.a. “Hunting”

  31. Conclusion
      • TI is closely related to traditional intelligence
      • Models help but have limitations
      • The quality of your TI directly influences the quality of your response
      • Tools to store, analyze, and share intelligence exist, but there's room for improvement

  32. References:
      • http://sroberts.github.io
      • http://direct.tomchop.me/slides
      • http://frodehommedal.no/presentations/first-tc-oslo-2015
      • https://www.mwrinfosecurity.com/system/assets/909/original/Threat_Intelligence_Whitepaper.pdf
      • Google

  33. Q & A
      Thank you, Sandeep Singh – Chapter Leader, OWASP Delhi & null Delhi
      sandeep.singh@owasp.org
      san@null.co.in
      @Sandy1sm