Cyber Threat Intelligence, commonly known as CTI, is used to identify the cyber threats faced by organisations and the threat actors that may commit them. CTI can be a broad, difficult discipline to master. Usually there are companies trying to sell you expensive CTI software or a service. Alternatively, if you attempt it yourself, you need to wade through masses of unhelpful or conflicting data to get to what you ultimately need: information that might help protect you or your organisation. This blog post outlines some techniques and resources for CTI and attempts to help organisations take that first CTI step.
A sensible and logical approach to conducting CTI is to mirror that of the UK Banking Sector and the EU. Whilst the UK Banking Sector and the EU have produced two different frameworks, there is one major similarity: they are both 'intelligence led'.
The Bank of England CBEST Intelligence-Led Testing and EU Threat Intelligence Based Ethical Red Teaming (TIBER) frameworks both plan and execute CTI-driven red team testing that has been extensively researched. Both have been shown to produce realistic, real-world scenarios that mimic the tactics and techniques used by Threat Actors. The CTI product, i.e. the output, is provided by GCHQ/NCSC accredited CTI analysts, who apply the 'intelligence led' approach. This provides a truly focused approach of 'who is interested in attacking me, and how might they attack', giving true relevance to a client.
However, these approaches can be expensive to implement and require specialist skill sets, which may not be open or available to everyone. Therefore, what can you do to understand your threats better, and how can you use an intelligence led approach to make better informed cyber investment decisions?
Firstly, you need to understand your online digital footprint, as this can help highlight what organisational details are exposed to the internet. This will identify how much information can easily be found about your organisation's systems that could be used in an attack. Information that can be found will likely include:
- DNS Server
- NS Server
- MX Server
- IP ranges
- Open Ports and Services (Skype, Networked Storage, IP cameras etc)
- Server types and Software Versions
- Email Addresses
Doing this will help you identify your organisation's exposure and learn more about your digital footprint. It will also identify if there are any open ports or services available that could be exploited by attackers. If there are, these should be secured.
Secondly, it is critical to fully understand what assets, both software and hardware, you are using. This allows you to understand your own systems, but also means minimising nugatory effort on threats or risks that do not apply to you. There is little point getting concerned about an Apple zero-day exploit if you are using Microsoft hardware and software, or an Azure exploit when using AWS.
Therefore, a detailed Asset Register is needed to understand your system baseline. It also enables system patching to be planned, since this is one of the most effective measures you can take to protect your system. Keeping your system up to date with OEM system patches is essential. As such it is crucial to understand the following:
- Operating System Version
- Third party databases
- Applications and Plugins version
- Hardware and firmware versions
- Endpoint Updates and Patches
Likewise, understanding items such as Firewall Rule Sets will again identify any open ports or services that, if not required for business need, should be shut down or secured.
Most of this information can be easily found by checking the properties of the product or checking the manufacturer's asset or serial number.
The final element of intelligence led CTI understanding is to research who your likely attacker(s) may be, and what methods they used in previous successful attacks. This will help support prioritisation of cyber defence spending and architectural design.
For example, if you are a business in retail or a restaurant, you may be concerned with criminal groups such as FIN7 or FIN6 that utilise point-of-sale malware attacks and advanced social engineering techniques. If this is the case, you may wish to spend more time and money on policy and procedural training. Conversely, you would not be as concerned with state sponsored groups such as APT28 or APT29, who can create bespoke zero-day exploits and who predominantly target Government organisations. Most organisations will be concerned about general criminal activity, including ransomware attacks, and as such should take steps to limit attacks that can be launched via email, Cross-Site Scripting or ClickJacking.
It is essential that businesses with limited capacity focus truly on what matters, and on what can help. There are a number of sources to constantly review, some of which you can set up for free. These will send alerts that can be tailored to your needs and assets, such as AlienVault OTX and IBM X-Force. These two examples are community driven and change rapidly, but once you have a tailored view of what you are looking for it can be quick and painless.
By taking the steps above you will have a better view of your online presence, an understanding of your assets, and an idea of the types of cyber-attacks that may be used against you. This understanding will allow you to focus resources on the areas that matter the most, and limit the risk posed by the most likely threats.
If you want to understand more about CTI, or require further advice, please contact Logiq to discuss your requirements.