Senior Director, Global Threat Intelligence Center
Danny Pickens has more than 17 years of experience in the fields of military intelligence, counter-terrorism and cyber security. As the senior director of threat management operations within Optiv’s managed security services (MSS) practice, Mr. Pickens is responsible for the direction and operations of a staff of more than 40 security professionals, providing threat intelligence, threat analysis, malware analysis and security awareness training to Optiv’s MSS clients.
Operationalizing a Cyber Threat Intelligence Solution
Cyber threat intelligence is the process that makes action-oriented, judgement-based security decisions possible where they otherwise would not be. Optiv recommends evaluating four essential attributes of threat agents, mapped back to the organization's security posture, together with six-stage courses of action; this combination is known as threat modeling, and it is what allows an organization to properly produce, consume and act upon cyber threat intelligence.
Operationalizing a cyber threat intelligence solution begins with aligning it to the organization's risk management strategy. The solution focuses on identifying high-value assets (crown jewels) and the mitigation controls already in place to detect or prevent attacks against them. The outcome is enhanced situational awareness mapped back to risk management: threats to high-value assets are identified, gaps in controls are surfaced and prioritized according to the risk assigned to each asset, and the security organization gains the ability to influence policy decisions, both within security itself and in alignment with the strategic goals of the business.
To begin, security organizations need to ask these three questions:
- What is it I am trying to protect?
- Who am I trying to protect it from?
- How do I protect it from those who want it?
This starting point is known as threat modeling. It is a practical way to begin aligning security with the business, and it should be driven by cyber threat intelligence. Security professionals need to engage with business stakeholders to understand which assets are most valuable from the stakeholders' perspective. For some, these are digital assets, such as sensitive employee data, client lists or intellectual property; for others, they are physical, such as office sites in high-risk areas, key executives within the organization or assets that do not reside full time on corporate property.
Once this data is collected, cyber threat intelligence is used to determine which threat actors or agents may target those assets and how they would do so. Intelligence analysts need to maintain a repository of relevant threat agents and groups and the courses of action they commonly take to meet their goals.
A threat agent is a group of attackers or an individual actor with the means and opportunity to conduct an attack. Note that threat agents exist regardless of intent: an untrained employee with access to a critical asset has the same means and opportunity as an internal spy. Where malicious intent is present, understanding the agent's means lets the threat modeler infer the attacker's inherent capabilities from historical analysis of kill chain models, that is, the courses of action the attacker has taken before and may take again.
The first step is to categorize and define the types of threat agents that pose a risk to the organization. Intel Security's foundational Threat Agent Library describes 22 types of threat agents along with their motivations, such as financial gain, intellectual property theft or business disruption. Once the motivation of a potential threat agent is estimated, the courses of action it would take to meet its objective can be mapped out.
Additional analysis of threat agents is then performed to establish considerations that allow for the development of potential courses of action. There are four main attributes the analyst must contemplate:
- Composition and Strength: Is the threat agent a group or individual? If it is a group, what is the association?
- Tactics: Do we have intelligence on historical courses of action?
- Logistics: What does their infrastructure look like (for example, command and control servers)? Are they potentially nation-state sponsored or funded?
- Effectiveness: Are there previously or historically identified successful attacks, and how effective were they?
A threat modeler requires access to intelligence on the above factors. If that intelligence is not available, intelligence requirements must be developed so that collection and analysis can support this stage of threat modeling.
Courses of Action
Threat agent courses of action can be described as attack patterns or kill chains. Based on historical patterns and on the agent's means and intent, a threat modeler can develop templates for the anticipated courses of action an attacker may take to meet its objective.
For example, suppose a web application developed for a healthcare provider is targeted by a threat agent seeking sensitive data. We can use the following attack pattern to develop the threat agent's course of action, assuming its intent is to sell stolen protected health information (PHI). In this case we identify the threat agent as a "data miner":
- Stage 1: Reconnaissance
Threat agent researches the target and identifies a vulnerable parameter in a web application.
- Stage 2: Develop
Threat agent develops or reuses available tools to create the most effective method of exploitation.
- Stage 3: Attack
Enumerate and escalate: Threat agent tries to identify all accessible data items (enumeration) – as the current user on the current server, and also by trying to increase access to other users and other servers (escalation).
- Stage 4: Exploration
Threat agent prioritizes the data identified previously and begins retrieving or exfiltrating it from the target.
- Stage 5: Theft
Data leverage: Threat agent impersonates users using stolen credentials, makes fraudulent claims using stolen healthcare insurance information and monetizes PHI in the eCrime marketplace.
- Stage 6: Disclosure
The victim, the attacker, researchers and/or journalists disclose breach.
Figure 1: Web Application Attack Course of Action
A threat modeler repeats this process until all potential courses of action are identified. This provides a full picture of the threat landscape for the asset and of the paths by which an agent would gain the most toward its objectives.
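The course-of-action template above is only useful once it is held against the controls that actually protect the asset. The following is an added example, not code from Optiv or from this article: it models the six stages of the "data miner" course of action as an ordered kill chain, records each control against the stage it addresses and whether it prevents or detects, and reports, earliest stage first, where the asset has no coverage. The `Control` and `Asset` data model, the control names and the PHI web-application inventory are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Stages of the "data miner" course of action from Figure 1, in kill-chain order.
STAGES = ("Reconnaissance", "Develop", "Attack", "Exploration", "Theft", "Disclosure")
EFFECTS = ("prevent", "detect")


@dataclass(frozen=True)
class Control:
    """A mitigation control mapped to the stage it addresses and its effect.

    Assumed data model for this example; the article does not define one.
    """
    name: str
    stage: str    # one of STAGES
    effect: str   # "prevent" (stops the step) or "detect" (surfaces it)

    def __post_init__(self):
        # Reject controls mapped to a stage or effect the template does not know,
        # so a typo in the inventory cannot silently look like coverage.
        if self.stage not in STAGES:
            raise ValueError(f"unknown stage {self.stage!r} for control {self.name!r}")
        if self.effect not in EFFECTS:
            raise ValueError(f"unknown effect {self.effect!r} for control {self.name!r}")


def coverage(controls):
    """Map every stage to the names of the prevent/detect controls covering it."""
    table = {stage: {effect: [] for effect in EFFECTS} for stage in STAGES}
    for control in controls:
        table[control.stage][control.effect].append(control.name)
    return table


def gaps(controls):
    """(stage, effect) pairs with no control, ordered earliest stage first.

    Earlier is worse: a gap at Reconnaissance or Develop means the agent's
    preparation is invisible, so those rows lead the list.
    """
    table = coverage(controls)
    return [
        (stage, effect)
        for stage in STAGES
        for effect in EFFECTS
        if not table[stage][effect]
    ]


def blind_stages(controls):
    """Stages with neither prevention nor detection: the agent acts unobserved."""
    table = coverage(controls)
    return [s for s in STAGES if not table[s]["prevent"] and not table[s]["detect"]]


# Constructed sample inventory for a healthcare web application holding PHI
# (the crown jewel). Control names are illustrative, not from the article.
PHI_WEBAPP_CONTROLS = [
    Control("External attack-surface monitoring", "Reconnaissance", "detect"),
    Control("Web application firewall", "Attack", "prevent"),
    Control("Parameterized queries / input validation", "Attack", "prevent"),
    Control("WAF alerting to SOC", "Attack", "detect"),
    Control("Database activity monitoring", "Exploration", "detect"),
    Control("Egress DLP on PHI patterns", "Exploration", "prevent"),
    Control("Credential-leak monitoring", "Theft", "detect"),
    Control("Paste-site / data-leak monitoring", "Disclosure", "detect"),
]

if __name__ == "__main__":
    for stage, effect in gaps(PHI_WEBAPP_CONTROLS):
        print(f"gap: no {effect} control at {stage}")
    print("blind stages:", blind_stages(PHI_WEBAPP_CONTROLS))
```

Run against the sample inventory, the only blind stage is Develop, which is expected: tool development happens on the attacker's side, so no control on the asset can see it, and the gap is closed by an intelligence requirement (tactics and logistics of the relevant agents) rather than by another control. The remaining gaps are all prevent-side gaps at Reconnaissance, Theft and Disclosure, which is the prioritized list a threat modeler would take back to risk management.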
Organizations that adopt a cyber threat intelligence model must rely heavily on analyzing and consuming threat intelligence, with a dedicated decision maker who carries its findings into risk management. It is imperative that organizations begin by identifying the reconnaissance and development stages of the relevant courses of action and mapping them against the risk assigned to their crown jewels. This supports proactive protection and results in the appropriate steps to minimize damage should an incident occur.