An Overview of Threat Intelligence and Threat Hunting

Assume you have already been breached, or soon will be.

Often, when digging into cases where an organization’s environment has been compromised, it turns out that the adversary had been inside the environment for a long time before being detected. So, working under the assumption that threat actors are already in your environment or are actively attempting to gain access, what are your next steps? Where do you look, and what do you look for?

Enter threat intelligence and threat hunting. Both disciplines are essential considerations for proactively securing and monitoring networks, endpoints, and infrastructure.

Threat Intelligence

I’ll touch on threat intelligence first. Threat intelligence is the knowledge that allows you to prevent or mitigate attacks. Context is a key point here, context such as who might attack you, their capabilities and motivations, and what indicators of compromise (IOC) to look for. This context enriches raw data and helps you make informed decisions about your security.

Therefore, a threat intelligence effort consists of collecting actionable intelligence, curating and determining which intel feeds to use, and enriching indicators by adding context to them. This intelligence gives direction on where to look and what to look for, which is then delivered to leadership and security teams through reports and other appropriate formats.

Data, Information, and Intelligence

Threat intelligence efforts are all about gathering data that can be processed into information, which can then be refined into intelligence. Data != information != intelligence. Data consists of discrete, uncontextualised indicators: IOCs such as domains, IPs, and hashes. Information is data that has been further processed by adding context and placing it within a narrative. That information is then used to make informed decisions and answer fundamental questions. Intelligence is the correlation of the data and information gathered, analysed in context to identify patterns. A great definition of intelligence that I’ve found is the following:

Intelligence is the product resulting from the collection, evaluation, collation, interpretation, and analysis of all available data and information concerning the intentions, capabilities, and objectives of known or suspected current or future adversaries vital to an organization’s development and execution of plans, policies, decisions, and courses of action.

To sum up, threat intelligence is data left behind from previous attacks + context about your environment + informed decision-making. This intel can then be used to answer questions such as:

  • Who’s attacking you?
  • What are their motivations?
  • What are their capabilities?
  • What artefacts and indicators of compromise (IOCs) should we look for?
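The data-to-information-to-intelligence progression described above, as an added worked example (not code from the original article). The feed records, actor names, and the confidence heuristic are constructed for illustration; the only real-world assumption is that ATT&CK-style technique IDs are used as TTP labels. The data layer normalises and classifies raw indicators, the information layer attaches the context each feed supplied, and the intelligence layer correlates across feeds and rolls the result up per actor so it answers "who, how, and what should we look for":

```python
"""Turn raw indicator data into contextualised information and a correlated
intelligence summary. Added example; feeds and actor names are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed raw feed records: (feed_name, raw_indicator, actor, ttp).
# Note the defanged domain, the URL form, and the mixed-case hash: raw data
# from different feeds rarely agrees on format.
RAW_FEEDS = [
    ("feed-a", "evil-bank-login[.]example", "EXAMPLE-APT-1", "T1566.002"),
    ("feed-a", "203.0.113.45", "EXAMPLE-APT-1", "T1071.001"),
    ("feed-a", "DEADBEEF" * 8, "EXAMPLE-APT-1", "T1105"),
    ("feed-b", "hxxps://evil-bank-login[.]example/login", "EXAMPLE-APT-1", "T1566.002"),
    ("feed-b", "203.0.113.45", "EXAMPLE-APT-1", "T1071.001"),
    ("feed-b", "198.51.100.7", "EXAMPLE-APT-2", "T1110.003"),
    ("feed-c", "deadbeef" * 8, None, None),
]

HASH_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def normalize(raw: str) -> str:
    """Data layer: undo common defanging and canonicalise case and scheme.
    Returns only the host or hash so equivalent indicators compare equal."""
    value = raw.strip().lower()
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxps?://", "", value)
    value = re.sub(r"^https?://", "", value)
    return value.split("/")[0]  # keep only the host part of a URL


def classify(value: str) -> str:
    """Label a normalised indicator as ip, domain, sha256 or unknown."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(value):
        return "sha256"
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


def build_information(feeds=RAW_FEEDS) -> dict:
    """Information layer: one record per unique indicator carrying the context
    (reporting feeds, actor, TTPs) that the feeds attached to it."""
    records = {}
    for feed, raw, actor, ttp in feeds:
        value = normalize(raw)
        rec = records.setdefault(value, {
            "type": classify(value), "sources": set(), "actors": set(), "ttps": set()})
        rec["sources"].add(feed)
        if actor:
            rec["actors"].add(actor)
        if ttp:
            rec["ttps"].add(ttp)
    return records


def correlate(records: dict) -> dict:
    """Intelligence layer: score each indicator by independent corroboration and
    roll everything up per actor (who, which TTPs, which indicators to hunt)."""
    for rec in records.values():
        # Constructed heuristic: each independent feed adds confidence, capped at 100.
        rec["confidence"] = min(100, 40 * len(rec["sources"]))
    by_actor = defaultdict(lambda: {"ttps": set(), "indicators": []})
    for value, rec in records.items():
        for actor in rec["actors"]:
            by_actor[actor]["ttps"] |= rec["ttps"]
            by_actor[actor]["indicators"].append((rec["type"], value, rec["confidence"]))
    return dict(by_actor)


if __name__ == "__main__":
    intel = correlate(build_information())
    for actor, summary in intel.items():
        print(actor, sorted(summary["ttps"]))
        for kind, value, conf in sorted(summary["indicators"]):
            print(f"  {kind:7} {value}  confidence={conf}")
```

Run as a script it prints one block per actor; the hash reported by both feed-a and feed-c ends up with higher confidence than the IP only feed-b knew about, which is exactly the kind of contextual judgement that separates a feed dump from intelligence.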

Strategic, Technical, Tactical, Operational

Threat intelligence reports are commonly divided into the following types, each curated for a specific audience:

  • Strategic: High-level intel typically meant for leadership or a non-technical audience. It is primarily concerned with the threats relevant to the organization and identifies risk areas that may impact business operations and decisions.
  • Technical: The nitty-gritty of IOCs and IOAs, which can then be used to better understand your organization’s attack surface and to create specialized security rules and protocols.
  • Tactical: Presents the adversaries most likely to pose a threat and their tactics, techniques, and procedures (TTPs), written for a more technical audience. Used to inform the security team’s preemptive hardening and hands-on investigations.
  • Operational: Technical details about specific attacks and campaigns, together with the motives, intent, and capabilities of the threat actors behind them. This also includes the areas of interest attributed to certain adversaries and the assets (people, processes, and technologies) within your organization that are likely to be attacked.

Lifecycle

The entire pipeline of data to actionable reports follows a lifecycle. This lifecycle illustrates what is of value at each stage and provides a framework that analysts can use to direct their focus and improve their methodologies. The lifecycle is as follows:

  • Direction: Identifying the objectives of a threat intelligence effort
  • Collection: Gathering data pursuant to the objectives previously identified
  • Processing: The data is sorted, prioritized, correlated, and presented in some usable format
  • Analysis: Analysts derive insights from the processed data
  • Dissemination: Various individuals and groups in the organization receive the polished intelligence, packaged in appropriate verbiage and formats
  • Feedback: Threat intelligence is improved by receiving feedback from those who consume it

Threat Hunting

Now that we have established what threat intelligence is and how it is gathered, it is time to use it. This is threat hunting: the proactive, hypothesis-driven discipline of looking for suspicious activity and intrusions. All threat-hunting tasks are carried out under the assumption that the network has been compromised and that threat actors are already present. Using the gathered threat intelligence, you can make informed decisions on where to spend your time searching. This can take the form of reviewing logs, analysing endpoints, reviewing antivirus alerts, and so on.

Say you work for a financial institution and the threat intelligence team found some data containing the IOCs of a certain APT group that targets such institutions. In addition to the IOCs, they also learned that the APT group has recently been observed ramping up their activity in the last few months. The team also found some of the favorite TTPs of said group. All of this is condensed into a report/feed that paints a clear picture of a likely threat to the organization. This picture can be used to form hypotheses on how the APT may be able to evade your security defenses, and perhaps already be inside your environment. You now have a defined hypothesis and framework to use to hunt for those threats.

The above example highlights the importance of threat intelligence. Quality threat hunting does not exist when not preceded by quality threat intelligence. In its absence, there is simply too much to look at and not enough time to do it in.
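A concrete form of the hunt described in the financial-institution scenario above, as an added example that is not part of the original article. It assumes the intel team has already handed over a normalised IOC set and two hypotheses: the group's infrastructure may appear in DNS, proxy, or EDR telemetry, and one of its favoured TTPs is password spraying (labelled here with the ATT&CK ID T1110.003). The IOC values, log lines, and thresholds are all constructed; the log format is a hypothetical `timestamp source key=value ...` layout chosen only to keep parsing short:

```python
"""Hypothesis-driven hunt over sample telemetry. Added example; IOCs, log
lines and the spray threshold are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalised intelligence delivered by the intel team.
IOCS = {
    "domain": {"evil-bank-login.example"},
    "ip": {"203.0.113.45"},
    "sha256": {"deadbeef" * 8},
}

# Constructed log lines in a hypothetical "<ts> <source> key=value ..." format.
# The subdomain, the upper-case hash and the burst of failed logins from one
# source are the cases a naive grep would miss or mis-handle.
LOGS = [
    "2024-03-01T09:00:01 dns client=10.0.0.12 query=cdn.evil-bank-login.example",
    "2024-03-01T09:00:05 proxy src=10.0.0.12 dst=203.0.113.45 bytes=88231",
    f"2024-03-01T09:01:10 edr host=ws-12 proc=update.exe sha256={'DEADBEEF' * 8}",
    "2024-03-01T09:02:00 auth src=198.51.100.7 user=alice result=fail",
    "2024-03-01T09:02:01 auth src=198.51.100.7 user=bob result=fail",
    "2024-03-01T09:02:02 auth src=198.51.100.7 user=carol result=fail",
    "2024-03-01T09:02:03 auth src=198.51.100.7 user=dave result=fail",
    "2024-03-01T09:03:00 auth src=10.0.0.30 user=alice result=fail",
    "2024-03-01T09:03:20 auth src=10.0.0.30 user=alice result=fail",
    "2024-03-01T09:03:40 auth src=10.0.0.30 user=alice result=ok",
]


def parse(line: str):
    """Split one constructed log line into (timestamp, source, field dict)."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), source, fields


def domain_hit(name: str, domains: set) -> bool:
    """Match the domain itself or any subdomain of it, case-insensitively."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def ioc_matches(lines=LOGS, iocs=IOCS) -> list:
    """Hypothesis 1: known infrastructure or tooling shows up in telemetry.
    Returns (timestamp, source, ioc_type, value) for every hit."""
    hits = []
    for line in lines:
        ts, source, f = parse(line)
        if "query" in f and domain_hit(f["query"], iocs["domain"]):
            hits.append((ts, source, "domain", f["query"]))
        for key in ("src", "dst"):
            if f.get(key) in iocs["ip"]:
                hits.append((ts, source, "ip", f[key]))
        if f.get("sha256", "").lower() in iocs["sha256"]:
            hits.append((ts, source, "sha256", f["sha256"].lower()))
    return hits


def password_spray(lines=LOGS, window=timedelta(minutes=5), min_users=3) -> dict:
    """Hypothesis 2 (T1110.003): one source fails logins for many distinct
    users inside a short window. Returns {source_ip: max distinct users}."""
    failures = defaultdict(list)
    for line in lines:
        ts, source, f = parse(line)
        if source == "auth" and f.get("result") == "fail":
            failures[f["src"]].append((ts, f["user"]))
    findings = {}
    for src, events in failures.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for hit in ioc_matches():
        print("IOC hit:", *hit)
    for src, n in password_spray().items():
        print(f"possible password spray from {src}: {n} distinct users")
```

The two hunts are deliberately different in kind: the first only finds what the feed already knows, while the second is a behavioural hypothesis derived from the group's TTPs and will fire on infrastructure no feed has seen yet. The repeated failures from `10.0.0.30` are a single user mistyping a password and correctly stay below the threshold.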

The following is a white paper that I highly recommend. It is from Lockheed Martin and outlines real-world attacks that they experienced, how they responded, and what they learned:

https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

Conclusion

With threat intelligence and threat hunting, the emphasis is on being proactive. A properly implemented threat-intelligence-to-threat-hunting pipeline is not scanning headlines and checking whether you have the same vulnerabilities that “X” corporation had last week when they announced that they had been breached. That is reactive. Instead, invest time in gathering IOCs, querying for them within your environment, researching the favored TTPs of threat actors targeting your industry or of those who have targeted your organization in the past, staying abreast of new exploits, and so on. Throughout all of this, automation is key, so that analyst time can be redirected to the critical analysis and investigation that actually need a human.

No defenses are perfect. However, even when security measures are evaded by malicious entities, threat intelligence and threat hunting, coupled with adequate monitoring and antivirus solutions, will catch those that slip through the cracks early and quickly, hopefully before they can act on their objectives.

Intel Feeds and Resources