How to Automate System Hardening With Technical Threat Intelligence
October 3, 2018 • The Recorded Future Team
- Technical threat intelligence focuses on specific technical indicators relating to threat actors’ tools and infrastructure.
- The most common sources of technical threat intelligence are threat intelligence feeds provided by vendors and communities that share intelligence.
- Technical threat intelligence is available in huge quantities and has a short usable lifespan. To maximize value, technical indicators should be fed automatically into security technologies such as firewalls and content filters.
- Technical threat intelligence should not be relied on in isolation. A powerful threat intelligence capability must cover all four intelligence categories.
When most people think about threat intelligence, they imagine rooms full of highly trained analysts searching for (and responding to) the earliest signs of an attack.
But not all threat intelligence requires human intervention.
In fact, some of the most common and easily applicable intelligence can be collected, analyzed, and implemented without requiring an extreme level of human analysis.
What Is Technical Threat Intelligence?
Technical threat intelligence encompasses technical data relating to threat actors’ tools and infrastructure. Unlike tactical threat intelligence, which relates to threat actors’ tactics, techniques, and procedures (TTPs), technical threat intelligence focuses on specific indicators of compromise (IOCs) and is intended for rapid distribution and response.
For example, the fact that a threat group is targeting a subset of organizations using business email compromise (BEC) campaigns would comprise tactical threat intelligence, while a set of email subject lines from an observed campaign would be technical threat intelligence.
Common examples of technical threat intelligence include:
- Malware hashes (e.g., MD5 or SHA-1)
- Registry keys or file artifacts from malware samples
- Subject lines or email content from phishing campaigns
- Maliciously registered URLs
- IP addresses of confirmed C2 infrastructure
Typically, this form of intelligence has a short usable lifespan, as threat actors routinely adapt their tools and implementation methods to maximize the efficacy of attacks.
Sources of Technical Threat Intelligence
Technical indicators are most often ingested via threat intelligence feeds, which are typically high volume and relate to a specific type of indicator (e.g., malware hashes or phishing subject lines).
These threat feeds are produced by a variety of security vendors, industry groups, and communities that share intelligence, and they’re usually ingested using a threat intelligence platform or specialist solution.
Rules for Effective Use of Technical Indicators
It’s easy to get carried away when it comes to technical threat intelligence, particularly because such a vast quantity is available. To you extract maximum value from your threat intelligence operation, it’s important to adhere to three simple rules:
1. Don’t allow supply to drive demand.
There’s a common misapprehension that “doing threat intelligence” is simply a case of using a platform to consume a variety of free and paid feeds. We’ve written about this phenomenon before, but it’s worth noting here because technical threat intelligence is the most likely of all intelligence categories to be poorly implemented.
When setting requirements for technical threat intelligence, many organizations revert to some variation of, “Consume and react to X, Y, and Z feeds.” Unfortunately, this approach is unlikely to yield good results because threat feeds aren’t designed to meet the needs of specific organizations.
A better requirement would be: “Identify artifacts from malware being used to target organizations in our sector.” This approach will likely require the consumption of a variety of threat feeds and the use of rules (or a specialized threat intelligence solution) to extract only those indicators relevant to your specific organization.
2. Automation is essential.
Technical threat intelligence has two major characteristics: It has a short useful lifespan, and it’s available in massive quantities.
Realistically, the combination of these two factors makes manual dissemination and the use of technical indicators impossible. In order for technical threat intelligence to be truly valuable, there must be a mechanism (e.g., STIX, TAXII, or an API) by which technical indicators can be fed directly into security technologies such as firewalls, AVs, intrusion detection systems, blacklists, and email or content filters.
3. Don’t forget about the past.
The primary use of technical threat intelligence is obvious: To enable defenders to promptly respond to (or, even better, to block) immediate threats.
However, there’s a secondary use that’s widely overlooked: To help identify breaches that have already happened.
It’s not always possible to prevent breaches from happening. When they do happen, it’s important to identify and triage them as quickly as possible. Unfortunately, according to the Ponemon 2018 Cost of a Data Breach study, it takes an average of 206 days for U.S. companies to realize a breach has occured.
Cross-referencing logs from security technologies with the latest technical indicators is an effective way to identify past breaches, and it can dramatically reduce the costs associated with remediation.
Addressing Common Criticisms
A common criticism of technical threat intelligence is the notion that it’s a simple matter for threat actors to tweak their tools and infrastructure periodically, thus avoiding detection. Malware hashes are a frequently cited example of this issue, as even the slightest change to a malware sample will result in a different hash value.
In particular, detractors point out that technical threat intelligence can almost never be relied on to identify or block targeted attacks. The tools and infrastructure used for a targeted campaign will usually be prepared specifically for that campaign, and thus won’t be detected using even the most current technical indicators.
To this argument, we say, “Yes, but that’s not what technical threat intelligence is for.”
Remember, in addition to tactical threat intelligence, there are three other categories of intelligence to consider:
- Strategic — A broad view of your organization’s threat landscape
- Operational — Details of specific attacks or campaigns
- Tactical — Details of threat actors’ tactics, techniques, and procedures (TTPs)
Technical threat intelligence is an extremely powerful tool for mitigating more generalized cyberattacks and for identifying past breaches or malicious activity. By contrast, tactical and operational threat intelligence are outstanding from the perspective of anticipating and responding to highly targeted or sophisticated campaigns.
Each of the four categories of threat intelligence has its own uses, advantages, and drawbacks. Only by incorporating all types of threat intelligence can an organization expect to be well prepared for incoming attacks.
The Guide to Threat Intelligence
In this series, we’ve attempted to clear up some common misconceptions about what threat intelligence is, how the different categories of threat intelligence differ, and how they can be used to improve the security profile of an organization.
Still, we recognize that threat intelligence is a daunting topic. Everybody seems to be “doing” it, but many organizations still struggle to know whether their implementation is truly effective, and how it could be enhanced.
To address this issue, a recent guide from Gartner explains in detail how threat intelligence can be used to improve the security profile of a modern organization. The guide includes:
- Definitions of common terminology
- Where, why, and how threat intelligence is commonly used (12 use cases)
- How to align common use cases with your specific requirements
- How to evaluate threat intelligence vendors based on your business needs
To learn more, download your free copy of Gartner’s “Market Guide for Security Threat Intelligence Products and Services.”