Threat Intelligence in an Active Cyber Defense (Part 2)

February 24, 2015 • Robert M. Lee

Active Cyber Defense Cartoon Part 2

In this second part of the discussion on threat intelligence (read part one here) we will explore how organizations can incorporate threat intelligence to improve their security. Threat intelligence can be used in a number of ways, especially as part of an active defense. In this piece, one strategy for active defense, the Active Cyber Defense Cycle (ACDC), will be used as the framework.

Active Cyber Defense Cycle

Figure: Active Cyber Defense Cycle

ACDC has no defined beginning or end, but it is helpful to think of a starting phase for the purpose of visualizing the model, so we will start with Threat Intelligence Consumption. A common problem organizations have with threat intelligence is that when they consume external information, the “threat” presented is often not a threat to their specific organization or systems, and the “intelligence” is usually just a data feed. Intelligence is a formalized process and product, not just information. A threat is specifically something that has the capability, intent, and opportunity to damage an organization; all three must be present, and removing any one of them leaves something that still matters but is not a threat.

For example, when the Heartbleed vulnerability (CVE-2014-0160) was identified and adversaries were seen exploiting it, many organizations saw this as a threat. However, if the organization did not run the affected OpenSSL versions (1.0.1 through 1.0.1f), then the adversary's capability and intent had no opportunity to damage the organization. For that organization it was not a threat.
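To make the capability, intent and opportunity test concrete, here is an added example (not code from the original post) that checks an externally reported item against an asset inventory before calling it a threat. The intel item layout, the inventory and the hostnames are constructed for the example; the OpenSSL version parsing follows the 1.x scheme where a trailing letter is the patch level. One caveat a practitioner should keep in mind: Linux distributions frequently backport fixes without changing the upstream version string, so a real check should compare the vendor package version from the advisory rather than the bare OpenSSL version shown here.

```python
import re
from dataclasses import dataclass


@dataclass
class IntelItem:
    """One externally reported item, constructed for this example."""
    name: str
    capability: bool   # a working exploit exists
    intent: bool       # adversaries have been seen using it
    product: str       # asset inventory key the item applies to
    affected_min: str  # inclusive lower bound of affected versions
    affected_max: str  # inclusive upper bound of affected versions


def parse_openssl_version(version):
    """Map an OpenSSL 1.x version string to a comparable tuple.

    '1.0.1f' -> (1, 0, 1, 6); '1.0.1' -> (1, 0, 1, 0). The trailing letter
    was the patch level in the 1.x numbering scheme. Pre-release builds
    such as '1.0.2-beta1' are not handled and raise ValueError.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, fix, patch = m.groups()
    level = ord(patch) - ord("a") + 1 if patch else 0
    return (int(major), int(minor), int(fix), level)


def in_affected_range(version, item):
    lo = parse_openssl_version(item.affected_min)
    hi = parse_openssl_version(item.affected_max)
    return lo <= parse_openssl_version(version) <= hi


def assess(item, assets):
    """Return (is_threat, exposed_hosts).

    Opportunity exists only where an inventoried asset runs an affected
    version; the item is a threat only when capability, intent and
    opportunity all hold.
    """
    exposed = sorted(
        host for host, software in assets.items()
        if item.product in software
        and in_affected_range(software[item.product], item)
    )
    is_threat = item.capability and item.intent and bool(exposed)
    return is_threat, exposed


# Constructed intel item. Heartbleed (CVE-2014-0160) affected OpenSSL
# 1.0.1 through 1.0.1f and was fixed in 1.0.1g.
HEARTBLEED = IntelItem(
    name="Heartbleed (CVE-2014-0160)", capability=True, intent=True,
    product="openssl", affected_min="1.0.1", affected_max="1.0.1f",
)

# Constructed asset inventory: host -> {product: version}.
ASSETS = {
    "web-01": {"openssl": "1.0.1e"},   # affected
    "web-02": {"openssl": "1.0.1g"},   # patched
    "vpn-01": {"openssl": "0.9.8y"},   # branch never affected
    "db-01": {},                       # no OpenSSL at all
}


if __name__ == "__main__":
    print(assess(HEARTBLEED, ASSETS))                              # threat: web-01 exposed
    print(assess(HEARTBLEED, {"web-02": {"openssl": "1.0.1g"}}))  # no opportunity, no threat
```

Exploit code plus an exposed host but no observed intent is, by this definition, still not a threat; it remains something to patch, and the `exposed` list tells the architecture team where.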

In the Threat Intelligence Consumption phase the analysts are responsible for understanding the organization’s environment and mission – this helps accurately identify what could constitute a real threat. This combination of environment understanding with potential threats is called the threat landscape. Here, the analysts should identify intelligence sources and data feeds both internal and external to the organization related to their threat landscape. This information can then be passed to the other team members taking part in ACDC starting with those performing network security monitoring.

Asset Identification and Network Security Monitoring (NSM) personnel are responsible for identifying network changes (the Asset Identification piece) that are useful for understanding the environment. Network architects should maintain baseline network topology maps, but those baselines constantly change, and the Asset Identification and NSM personnel are best placed to notice the changes quickly. Changes in the environment can be fed back to those performing Threat Intelligence Consumption to identify corresponding changes to the threat landscape. Those performing NSM use information processed by the Threat Intelligence Consumption personnel, such as Indicators of Compromise (IOCs) and adversary tactics, techniques, and procedures (TTPs), to identify threats. Upon identification they determine whether the activity is a true threat to the organization and whether it meets the organization's threshold for initiating incident response.

In the Incident Response (IR) phase, personnel work to identify the full scope of the threat in the network and follow response procedures to contain and eradicate it. Threat intelligence passed through the cycle supports this process. For example, system-level IOCs such as registry key modifications, the presence of specific files, or other identified abnormalities can be searched for quickly even in large enterprise environments. Having threat intelligence during the IR phase significantly reduces the time required to fully scope and contain the threat while increasing the effectiveness of the response. The IR personnel are also responsible for collecting information or samples of the threat so it can be better understood, especially if it is malware related.
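The NSM and IR steps described above, as one added example that is not part of the original post: it diffs an asset baseline, matches network IOCs against constructed DNS log lines, sweeps constructed host artifact records for file hash, registry and path IOCs, and applies an assumed escalation threshold. The log layout, the hosts, the indicator values and the fidelity weights are all constructed assumptions. What the example adds to the text is that each indicator carries a different fidelity, so a file name alone should not scope a host into an incident while a hash match should.

```python
import re
from collections import defaultdict

# Constructed IOC set as handed over from Threat Intelligence Consumption.
# The fidelity value (assumption) expresses how strongly a match on that
# indicator implies compromise: a file hash is near certain, a file name
# alone is weak because benign software can reuse it.
IOCS = {
    "domain":   {"update-check.example-bad.net": 0.9},
    "ip":       {"203.0.113.45": 0.8},
    "sha256":   {"deadbeef" * 8: 1.0},   # constructed hash value
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchostupd": 0.7},
    "path":     {r"C:\Users\Public\svchostupd.exe": 0.4},
}

# Constructed DNS log lines in an assumed "ts src query= answer=" layout.
DNS_LOG = """\
2015-02-24T09:01:12Z 10.0.0.21 query=www.example.com answer=93.184.216.34
2015-02-24T09:01:40Z 10.0.0.37 query=update-check.example-bad.net answer=203.0.113.45
2015-02-24T09:02:05Z 10.0.0.21 query=time.example.org answer=198.51.100.7
2015-02-24T09:02:30Z 10.0.0.37 query=cdn.example.com answer=203.0.113.45
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query=(?P<q>\S+) answer=(?P<a>\S+)$")

# Constructed host artifact snapshots (what an inventory or EDR export
# might provide): host -> ip, file path -> sha256, autorun registry keys.
HOSTS = {
    "ws-037": {
        "ip": "10.0.0.37",
        "files": {r"C:\Users\Public\svchostupd.exe": "deadbeef" * 8},
        "run_keys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchostupd"],
    },
    "ws-021": {
        "ip": "10.0.0.21",
        # same file name, different content: only a path match
        "files": {r"C:\Users\Public\svchostupd.exe": "cafebabe" * 8},
        "run_keys": [],
    },
}


def asset_drift(baseline, observed):
    """Asset Identification: hosts that appeared or vanished since the baseline."""
    return {"new": sorted(set(observed) - set(baseline)),
            "missing": sorted(set(baseline) - set(observed))}


def match_network(log_text):
    """NSM: return (src_ip, kind, value, fidelity) for every IOC hit in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        if m["q"] in IOCS["domain"]:
            hits.append((m["src"], "domain", m["q"], IOCS["domain"][m["q"]]))
        if m["a"] in IOCS["ip"]:
            hits.append((m["src"], "ip", m["a"], IOCS["ip"][m["a"]]))
    return hits


def match_host(host):
    """IR scoping: host-level IOC sweep. A hash match supersedes a path match
    on the same file so the weaker indicator is not counted twice."""
    ev = []
    for path, digest in host["files"].items():
        if digest in IOCS["sha256"]:
            ev.append(("sha256", digest, IOCS["sha256"][digest]))
        elif path in IOCS["path"]:
            ev.append(("path", path, IOCS["path"][path]))
    for key in host["run_keys"]:
        if key in IOCS["registry"]:
            ev.append(("registry", key, IOCS["registry"][key]))
    return ev


def scope(hosts, dns_log, threshold=0.7):
    """Combine network and host evidence per host and apply the organization's
    escalation threshold (0.7 is an assumed value). The score is the strongest
    single indicator, not a sum, so many weak matches cannot manufacture an
    incident on their own."""
    by_ip = {h["ip"]: name for name, h in hosts.items()}
    evidence = defaultdict(list)
    for src, kind, value, fidelity in match_network(dns_log):
        evidence[by_ip.get(src, src)].append((kind, value, fidelity))
    for name, host in hosts.items():
        evidence[name].extend(match_host(host))
    result = {}
    for name, ev in evidence.items():
        if not ev:
            continue
        score = max(f for _, _, f in ev)
        result[name] = {"score": score, "escalate": score >= threshold, "evidence": ev}
    return result


if __name__ == "__main__":
    print(asset_drift({"ws-021", "ws-037"}, {"ws-021", "ws-037", "ws-099"}))
    for name, r in scope(HOSTS, DNS_LOG).items():
        print(name, r["score"], "ESCALATE" if r["escalate"] else "monitor")
```

In the constructed data ws-037 resolves the IOC domain and carries the hash and autorun key, so it is escalated; ws-021 only has a file with the same name, so it stays on the monitoring list rather than being scoped into the incident.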

Threat and Environment Manipulation personnel work to understand the threat, document information about it, and work with architecture teams to make logical or physical changes to the network that reduce the effectiveness of the threat. For example, if the threat is malware, it can be analyzed using malware reverse-engineering techniques to identify the malware's requirements. The malware might need to connect back to specific command and control servers, which can be logically re-routed and neutralized in the network; it might require specific versions of vulnerable software, which security personnel can update within the organization; or it might rely on hardcoded information, such as network addresses, that physical network changes would make ineffective.

Threat intelligence supports the efforts of these analysts by providing supporting information and ensuring that there is no duplication of work if the threat has already been fully analyzed elsewhere. Threat and Environment Manipulation efforts also generate information useful for IOC and TTP creation which can be passed back to the Threat Intelligence Consumption personnel. Here the cycle can continue where defenders not only work to counter the threat and its variations but also document lessons learned to better the organization’s security. In this way, ACDC forces organizations to get better over time, maintain knowledge sets even with personnel turnover, and quickly identify and respond to threats.
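An added example (not from the original post) of the Threat and Environment Manipulation step and the feedback it generates: recover the command and control hostname a sample needs, turn it into an environment change, and hand the resulting TTP back to the Threat Intelligence Consumption personnel. The "sample" is a constructed byte blob whose configuration is hidden with single-byte XOR, a deliberately simple obfuscation so the brute-force recovery fits in a few lines; real samples need proper reverse engineering. The RPZ record and iptables rule formats, the sinkhole address 10.0.0.250 and the configuration layout are assumptions.

```python
import re

# Assumed config layout inside the sample: "c2=<host>:<port>;sleep=<seconds>"
CONFIG_RE = re.compile(rb"c2=([a-z0-9.-]+):(\d{1,5});sleep=(\d+)")


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


# Constructed "sample": a fake header, some filler, the XOR-obfuscated config
# and padding. Nothing here is real malware; the key 0x5a is only used to
# build the blob, the extractor below does not know it.
_CONFIG = b"c2=beacon.example-bad.net:443;sleep=300"
SAMPLE = (b"\x7fELF\x02\x01\x01" + bytes(range(0x20, 0x60))
          + xor_bytes(_CONFIG, 0x5a) + b"\x00" * 16)


def extract_c2(blob):
    """Brute-force every single-byte XOR key (key 0 covers the unobfuscated
    case) and return the first decoded config matching the expected layout,
    or None if no key produces one."""
    for key in range(256):
        m = CONFIG_RE.search(xor_bytes(blob, key))
        if m:
            return {"key": key, "host": m.group(1).decode(),
                    "port": int(m.group(2)), "sleep": int(m.group(3))}
    return None


def neutralize(cfg, sinkhole_ip="10.0.0.250"):
    """Turn the recovered requirement into environment changes. Formats are
    assumptions: a BIND RPZ local-data record that answers the C2 name with
    the internal sinkhole, and an iptables rule that logs hosts reaching the
    sinkhole, which doubles as a way to find infected machines the host
    sweep missed."""
    host, port = cfg["host"], cfg["port"]
    return {
        "rpz_record": "%s IN A %s" % (host, sinkhole_ip),
        "iptables": ("iptables -A FORWARD -d %s -p tcp --dport %d "
                     "-j LOG --log-prefix \"C2-SINKHOLE \"" % (sinkhole_ip, port)),
        # a beacon every `sleep` seconds is the TTP that goes back to NSM
        "beacon_interval_s": cfg["sleep"],
    }


if __name__ == "__main__":
    cfg = extract_c2(SAMPLE)
    print(cfg)
    for line in neutralize(cfg).values():
        print(line)
```

The beacon interval recovered from the configuration is itself intelligence produced by this phase: once the name is sinkholed, NSM can watch for hosts contacting 10.0.0.250 roughly every 300 seconds, and the hostname and interval go into the organization's own IOC and TTP set so the knowledge survives personnel turnover.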

Each step of ACDC is as important as the last but threat intelligence especially adds value to each phase. When threat intelligence is leveraged appropriately it reduces time and effort expended by the active defense personnel while enabling a better and more long term approach to security.

Robert M. Lee

Robert M. Lee (@RobertMLee) is the co-founder of the critical infrastructure cyber security company Dragos Security LLC. He is also a PhD candidate at King's College London, author of SANS ICS/SCADA 515 Active Defense, co-author of SANS FOR 578 Cyber Threat Intelligence, and writer for the Web comic Little Bobby.