Cyber threats of all types evolve frequently to become more elaborate and complex.
For example, a banking Trojan known as Lucifer (also referred to as Guildma or Astaroth) was originally only intended to attack Brazilian banks. But it has since evolved and is now capable of stealing customer information from any kind of bank, as well as enterprises with customer-facing transactional webpages.
In order for banks and businesses to protect themselves, they need a decent view of the cyber threat environment they occupy – something we call threat intelligence. It’s essentially evidence that comes from a variety of sources that points to where the next cyberattack might be coming from.
This intelligence is built upon indicators such as threat type, context, attack vector, possible weaknesses in the attack, and possible outcomes in the event that the cyberattack is successful. These indicators can help an organization’s cybersecurity team to update their incident response, risk assessment, and fraud management policies accordingly. The correct deployment of threat intelligence is a crucial step towards improving any organization’s security posture.
What follows are some areas to pay attention to when constructing a threat intelligence assessment.
Indicators of Compromise
A good starting point for building up your threat intelligence is examining common Indicators of Compromise (IOCs). Simply put, IOCs are all of the evidence-based data from observed threats that can help you detect active and future attacks.
Below are examples of the types of data that are categorized as IOCs:

| Category | Examples |
|---|---|
| Host | File names (created, deleted, modified); file hashes (SHA256 / SHA1); registry keys (created, deleted, modified) |
| Emails | Sender's email address |
Let’s zoom in on two of the most telling IOCs out there:
| IOC | Description |
|---|---|
| Tools | Any software used to carry out an attack. Examples include the tools used to create backdoors, malicious documents, password crackers, etc. |
| TTPs | "Tactics, Techniques and Procedures" is a set of patterns used by attackers to accomplish their goals. A simple example would be an LNK file that downloads an XSL to execute a script. More information on TTPs is available on MITRE ATT&CK, a knowledge base of adversary tactics and techniques based on real-world threats. |
Why are TTPs and Tools considered such effective IOCs? The 'Pyramid of Pain' by David Bianco offers insight into the relationship between defenders and attackers. Each IOC type in the pyramid is ranked from "Trivial" to "Tough!" The ranking reflects how much pain (that is, work) an attacker must endure to adjust their strategy once an organization's security team has identified that indicator and is detecting on it:
For example, if an institution has detected a strain of malware based on its hash values, it is very simple for the attacker to recompile the file and change the value. However, if the threat is detected by its TTPs, the attacker is forced to alter the behavior of the attack, which is more difficult and time-consuming.
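The contrast above, shown as detection logic over constructed telemetry (an added example, not code from the original article): a hash IOC catches only the catalogued build, while a behavioural rule written for the page's LNK-fetches-remote-XSL example also catches a recompiled variant. Event fields, file names and the `example.invalid` URL are all constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """One constructed process-creation record (Sysmon-style fields)."""
    image: str
    cmdline: str
    sha256: str

# Constructed IOC list: the hash of the one build the defender has already seen.
KNOWN_BAD_HASHES = {hashlib.sha256(b"dropper build 1").hexdigest()}

# TTP rule for the article's example: a process pulling a remote .xsl to run a
# script. It keys on the behaviour, not on any particular binary.
REMOTE_XSL = re.compile(r"https?://\S+\.xsl\b", re.IGNORECASE)

def hash_ioc_match(ev: ProcessEvent) -> bool:
    """Bottom of the pyramid: exact hash match, trivially evaded by a rebuild."""
    return ev.sha256 in KNOWN_BAD_HASHES

def ttp_match(ev: ProcessEvent) -> bool:
    """Top of the pyramid: the attacker must change what the tool does."""
    return REMOTE_XSL.search(ev.cmdline) is not None

def triage(events):
    """Return the image names each detection layer flags, in event order."""
    return {
        "hash": [e.image for e in events if hash_ioc_match(e)],
        "ttp": [e.image for e in events if ttp_match(e)],
    }

# Constructed telemetry: the original sample, a recompiled variant with the same
# behaviour but a new hash, and a benign process that opens a local spreadsheet.
EVENTS = [
    ProcessEvent("dropper_v1.exe", "dropper_v1.exe https://example.invalid/upd.xsl",
                 hashlib.sha256(b"dropper build 1").hexdigest()),
    ProcessEvent("dropper_v2.exe", "dropper_v2.exe https://example.invalid/upd.xsl",
                 hashlib.sha256(b"dropper build 2").hexdigest()),
    ProcessEvent("report.exe", "report.exe C:\\Users\\Pat\\monthly.xlsx",
                 hashlib.sha256(b"legit report tool").hexdigest()),
]

if __name__ == "__main__":
    print(triage(EVENTS))
    # {'hash': ['dropper_v1.exe'], 'ttp': ['dropper_v1.exe', 'dropper_v2.exe']}
```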
Understanding the importance of threat intelligence will give organizations a fighting chance to detect a cyberattack before it is deployed – or help them more quickly mitigate any attack that has gotten through their defenses.
Actively compiling data from the threat landscape, and using that data to inform your threat intelligence assessments, is key to keeping your organization safe from active and emerging cyberattacks.