December 12, 2018 • Zane Pokorny
Editor’s Note: Over the next several months, we’re sharing excerpts from our new book, “The Threat Intelligence Handbook.” Here, we’re looking at the eighth chapter, “Analytical Frameworks for Threat Intelligence.” To read the full chapter, download your free copy of the handbook.
We understand the world through conceptual frameworks — mental schema that we map over reality to categorize it and create a sensible narrative. We can also think of conceptual frameworks as paradigms, which Wikipedia defines as “a distinct set of concepts or thought patterns, including theories, research methods, postulates, and standards for what constitutes legitimate contributions to a field.”
Scientific paradigms, for example, represent one important set of shared conceptual frameworks, within which people work together toward a common goal — in the case of science, investigating physical phenomena. If, say, physicists didn’t agree on the definition of words like force, mass, or acceleration, and how to measure them, individual investigations into the nature of physics would not be replicable and the field could not advance.
Creating a shared conceptual framework is an essential prerequisite for the success of any venture, at any scale. Whether we’re talking about a couple of kids opening their first lemonade stand or a Fortune 500 company making their big Q4 push, teams need to have a shared understanding of their goals, what resources they have available, and what their short-term plans and long-term strategies are. In other words, they need to all agree on how their ways and means align with the ends they have in mind, and they need to have a commonly agreed-upon way of talking about it.
Analytical frameworks are essential for learning how to apply threat intelligence effectively and cross-functionally. Threat intelligence is not only for analysts and cybersecurity professionals who have the technical understanding to read over a threat data feed — it also provides much-needed context for high-level decision making around issues like digital risk management and technology investment strategies.
In this chapter from our new book, “The Threat Intelligence Handbook,” which has been edited and condensed for clarity, we will explore a few complementary conceptual frameworks for understanding threat intelligence.
Threat intelligence frameworks provide structures for thinking about attacks and adversaries. They promote a broad understanding of how attackers think, the methods they use, and where in an attack lifecycle specific events occur. This knowledge allows defenders to take decisive action faster and stop attackers sooner.
Frameworks also help focus attention on details that require further investigation to ensure that threats have been fully removed, and that measures are put in place to prevent future intrusions of the same kind.
Finally, frameworks are useful for sharing information within and across organizations. They provide a common grammar and syntax for explaining the details of attacks and how those details relate to each other. A shared framework makes it easier to ingest threat intelligence from sources such as threat intelligence vendors, open source forums, and information sharing and analysis centers (ISACs).
The Cyber Kill Chain, first developed by Lockheed Martin in 2011, is the best known of the cyber threat intelligence frameworks. The Cyber Kill Chain is based on the military concept of the kill chain, which breaks the structure of an attack into stages. By breaking an attack up in this manner, defenders can pinpoint which stage it is in and deploy appropriate countermeasures.
The Cyber Kill Chain describes seven stages of an attack:
Security teams can develop standard responses for each stage. For example, if you manage to stop an attack at the exploitation stage, you can have high confidence that nothing has been installed on the targeted systems and full incident response activity may not be needed.
The Cyber Kill Chain also allows organizations to build a defense-in-depth model that targets specific parts of the kill chain. For example, you might acquire third-party threat intelligence specifically to monitor:
The Cyber Kill Chain is a good way to start thinking about how to defend against attacks, but it has some limitations. One of the big criticisms of this model is that it doesn’t take into account the way many modern attacks work. For example, many phishing attacks skip the exploitation phase entirely, and instead rely on the victim to open a Microsoft Office document with an embedded macro or to double-click on an attached script.
But even with these limitations, the Cyber Kill Chain creates a good baseline to discuss attacks and where they can be stopped. It also makes it easier to share information about attacks within and outside of the organization using standard, well-defined attack points.
The Diamond Model was created in 2013 by researchers at the now-defunct Center for Cyber Intelligence Analysis and Threat Research (CCIATR). It is used to track attack groups over time rather than the progress of individual attacks.
In its simplest form, the Diamond Model looks similar to the image below. It is used to classify the different elements of an attack. The diamond for an attacker or attack group is not static, but rather evolves as the attacker changes infrastructure and targets and modifies TTPs.
The Diamond Model helps defenders track an attacker, the victims, the attacker’s capabilities, and the infrastructure the attacker uses. Each of the points on the diamond is a pivot point that defenders can use during an investigation to connect one aspect of an attack with the others.
Let’s say you uncover command and control traffic to a suspicious IP address. The Diamond Model would help you “pivot” from this initial indicator to find information about the attacker associated with that IP address, then research the known capabilities of that attacker.
Knowing those capabilities will enable you to respond more quickly and effectively to the incident. Or imagine that your threat intelligence solution uses the Diamond Model. If the board of directors asks who is launching similar attacks against other organizations in your industry (attribution), you may be able to quickly find a list of victims, the probable attacker, and a description of that attacker’s TTPs. These will help you decide what defenses need to be put in place.
One of the big advantages of the Diamond Model is its flexibility and extensibility. You can add different aspects of an attack under the appropriate point on the diamond to create complex profiles of different attack groups. Other features of an attack that can be tracked include:
The downside is that Diamond Models require a lot of care and feeding. Some aspects of the model, especially infrastructure, change rapidly. If you don’t update the diamond of an attacker constantly, you run the risk of working with outdated information.
Even with these challenges, though, the Diamond Model can make the jobs of many security people easier by helping get everyone fast answers about threats.
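The pivot walk described above (C2 address to adversary to capabilities and victims) and the "care and feeding" problem, as an added Python example that is not part of the handbook. The group names, IP addresses, capability labels and dates are constructed sample data, and the 90-day window for flagging stale infrastructure is an assumed threshold.

```python
from datetime import date, timedelta

# Constructed Diamond Model events: each record links the four vertices
# (adversary, capability, infrastructure, victim) plus when it was last seen.
DIAMOND_EVENTS = [
    {"adversary": "GROUP-A", "capability": "macro-dropper",
     "infrastructure": "203.0.113.10", "victim": "bank-1", "last_seen": date(2018, 11, 20)},
    {"adversary": "GROUP-A", "capability": "credential-theft",
     "infrastructure": "198.51.100.7", "victim": "bank-2", "last_seen": date(2018, 6, 2)},
    {"adversary": "GROUP-B", "capability": "webshell",
     "infrastructure": "192.0.2.44", "victim": "retailer-1", "last_seen": date(2018, 12, 1)},
    {"adversary": "GROUP-A", "capability": "macro-dropper",
     "infrastructure": "203.0.113.10", "victim": "insurer-1", "last_seen": date(2018, 12, 5)},
]


def pivot(events, vertex, value, to_vertex):
    """Move from one diamond vertex to another: distinct `to_vertex` values
    across every event whose `vertex` equals `value`."""
    return sorted({e[to_vertex] for e in events if e[vertex] == value})


def profile_from_indicator(events, c2_ip):
    """Start from a suspicious C2 address and build the attacker profile the
    chapter describes: adversary, then that adversary's capabilities,
    infrastructure and known victims. Returns None for an unknown indicator."""
    adversaries = pivot(events, "infrastructure", c2_ip, "adversary")
    if not adversaries:
        return None
    return {
        adv: {
            "capabilities": pivot(events, "adversary", adv, "capability"),
            "infrastructure": pivot(events, "adversary", adv, "infrastructure"),
            "victims": pivot(events, "adversary", adv, "victim"),
        }
        for adv in adversaries
    }


def stale_infrastructure(events, as_of, max_age_days=90):
    """Infrastructure vertices not observed within max_age_days of `as_of`;
    these are the entries most likely to be outdated and due for review."""
    latest = {}
    for e in events:
        ip = e["infrastructure"]
        latest[ip] = max(latest.get(ip, e["last_seen"]), e["last_seen"])
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(ip for ip, seen in latest.items() if seen < cutoff)


if __name__ == "__main__":
    print(profile_from_indicator(DIAMOND_EVENTS, "203.0.113.10"))
    print(stale_infrastructure(DIAMOND_EVENTS, as_of=date(2018, 12, 12)))
```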
MITRE is a unique organization in the United States: a corporation responsible for managing federal funding for research projects across multiple federal agencies. It has had a huge impact on the security industry, including the development and maintenance of the Common Vulnerabilities and Exposures (CVE) database and the Common Weakness Enumeration (CWE) database.
MITRE has developed a number of other frameworks that are very important for threat intelligence, including:
The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework was created as a means of tracking adversarial behavior over time. ATT&CK builds on the Cyber Kill Chain, but rather than describe a single attack, it focuses on the indicators and tactics associated with specific adversaries.
ATT&CK uses 11 different tactic categories to describe adversary behavior:
Each of these tactic categories includes individual techniques that can be used to describe the adversary’s behavior. For example, under the Initial Access category, behaviors include Spearphishing Attachment, Spearphishing Link, Trusted Relationship, and Valid Accounts.
This classification of behaviors allows security teams to be very granular in describing and tracking adversarial behavior and makes it easy to share information between teams.
ATT&CK™ is useful across a wide range of security functions, from threat intelligence analysts to SOC operators and incident response teams. Tracking adversary behavior in a structured and repeatable way allows teams to:
Don’t miss out on the full chapter, which includes more helpful tips and further resources that dive deeper into some of these analytical frameworks. You can read it by downloading your full, free copy of the book. Inside, you’ll also find chapters on topics like how threat intelligence can be used for fraud prevention, risk management, and more.