The need for Intelligence in responding to cyber threats.

eKRAAL Innovation Hub
writers@eKRAAL
Published May 1, 2021

As the threat landscape changes and attack methodologies become more improvised, the defense team needs to also adapt. Reliance on traditional means of containing an adversary within the network may not suffice in the modern world.

Many organizations jump straight to remediation without fully following the prescribed six-step response process. The fear of losing valuable data on critical systems, and the high risk involved, is what drives most defense teams to “pull the plug” quickly without proper incident scoping. This approach implicitly assumes that each infected machine is an isolated case.

Figure 1 — The NIST recommended incident response phases

Stories of the ghosts past

Statistics show that most intrusions remain undetected for months, with an average attacker dwell time of 101 days. Within this period an adversary may have infected other machines, redeployed their tools, and moved within the network to achieve their goals. Reacting quickly without following the six-step process leads to a game of “whack-a-mole”, a term coined by incident responders: the responders may be celebrating the win, thinking they have outsmarted the attacker, only to find the adversary still on the network a few months later. Recent attacks such as SolarWinds and Centreon showcase the stealth and dwell time of adversaries.

By creating a threat intelligence team or capability within the organization, threat hunters can proactively hunt for adversaries within the network. Without proper knowledge of what is normal and abnormal within the network, the defense team will not know what to look for. Threat intelligence should provide context as to where to look, what to look for, and the likelihood of the attack happening. With an understanding of the adversary’s Tactics, Techniques, and Procedures (TTPs), an organization can identify the threat actors behind an attack and even anticipate how they respond to detection, or to a “whack-a-mole” situation created by defenders. It is easier to contain an adversary when a defender knows the adversary’s goals. By following the “kill chain”, defenders can restrict, limit or even destroy their capabilities.

Intelligence on past incidents is a great place to start, and it avoids the distraction of the newest threats advertised by vendor solutions that may have no impact on your organization. Firsthand observables are the Indicators of Compromise (IOCs) left behind by past incidents; they can become the first detection point during a future attack. As the Pyramid of Pain describes, most attackers rarely manage to change their TTPs. Threat intelligence processes track such adversaries, and their analysis may uncover details that were missed in previous attacks.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” — Sun Tzu

Intelligence-driven Response

An intelligence-driven response could leverage the F3EAD model to create more intelligence and operationalize aggressive incident response.

Figure 2 - The F3EAD model
  • Find. Here, we determine the threats that the organization needs to address. OSINT, internal intelligence, and vendors can feed this process.
  • Fix. This corresponds to the identification phase in incident response. Based on the intel provided in the Find phase, we can point out where the adversary is on the network and which devices have been compromised so far.
  • Finish. Here, the actual decisive action for incident response is played out. The IR mitigation, containment, and remediation phases are in play at this stage of F3EAD. However, the “finish” phase is also the start of the Exploit phase.
  • Exploit. All available IOCs, such as IP addresses and malware samples, are gathered.
  • Analyze. All collected information is developed to map the adversary’s TTPs in a bid to detect, mitigate and remediate the threat.
  • Disseminate. Actionable and clear intelligence is shared with other teams.
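As an added illustration of the Exploit and Analyze steps above, and of the earlier point that past-incident IOCs ranked by the Pyramid of Pain are the first thing to re-check, the following script (not part of the original article) replays indicators from a hypothetical earlier incident against newly collected telemetry. All indicator values, the incident id INC-0001, host names and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Pyramid of Pain: the higher the level, the costlier it is for the adversary
# to change that indicator, so a hit there is worth more than a hash hit.
PAIN = {"hash": 1, "ip": 2, "domain": 3, "tool": 4, "ttp": 5}

@dataclass(frozen=True)
class Indicator:
    level: str    # key into PAIN
    pattern: str  # literal text, or a regex when level == "ttp"
    note: str     # provenance recorded during the Exploit phase

# Constructed intelligence from a hypothetical earlier incident (INC-0001 is a
# placeholder id; the hash, IP and domain are not real observables).
PAST_INCIDENT = [
    Indicator("hash", "sha256=3f2a9c0d11be44aa", "dropper hash, INC-0001"),
    Indicator("ip", "dst=203.0.113.7", "C2 address, INC-0001"),
    Indicator("domain", "updates.example.net", "C2 domain, INC-0001"),
    Indicator("ttp", r"powershell\S*\s.*-enc\s+\S+", "encoded PowerShell loader, INC-0001"),
]

# Constructed telemetry: the adversary recompiled the dropper (new hash) and
# moved to a new C2 host, but kept the same execution technique.
NEW_LOGS = [
    "2021-04-28T09:14:02 host=ws-17 proc=powershell.exe cmd='powershell -nop -w hidden -enc SQBFAFgA' sha256=8c7b6a5d4e3f2a1b dst=198.51.100.23",
    "2021-04-28T09:14:05 host=ws-17 proc=chrome.exe cmd='chrome --type=renderer' sha256=1111222233334444 dst=198.51.100.40",
    "2021-04-28T09:15:41 host=srv-db2 proc=powershell.exe cmd='powershell -nop -enc aQBlAHgA' sha256=8c7b6a5d4e3f2a1b dst=198.51.100.23",
]

def match_indicators(logs, indicators):
    """Return (line_number, indicator) pairs for every indicator hit."""
    hits = []
    for n, line in enumerate(logs, start=1):
        for ind in indicators:
            if ind.level == "ttp":
                found = re.search(ind.pattern, line, re.IGNORECASE)
            else:
                # Literal match with a trailing word boundary so that
                # 203.0.113.7 does not also match 203.0.113.70.
                found = re.search(re.escape(ind.pattern) + r"\b", line)
            if found:
                hits.append((n, ind))
    return hits

def triage(logs, indicators):
    """Map each host to the highest Pyramid of Pain level it triggered."""
    hosts = {}
    for n, ind in match_indicators(logs, indicators):
        host = re.search(r"host=(\S+)", logs[n - 1]).group(1)
        hosts[host] = max(hosts.get(host, 0), PAIN[ind.level])
    return hosts

if __name__ == "__main__":
    for n, ind in match_indicators(NEW_LOGS, PAST_INCIDENT):
        print(f"line {n}: {ind.level:<6} {ind.note}")
    print(triage(NEW_LOGS, PAST_INCIDENT))
```

Only the TTP-level indicator fires on the new telemetry: the hash, IP and domain from the earlier incident were all cheap for the adversary to change, which is exactly what the Pyramid of Pain predicts.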

F3EAD may seem a complex idea to new security teams; however, the attention should be on the details. Operations enable intelligence, while intelligence enables further operations. With enough intelligence and knowledge of adversaries, organizations can deploy solutions and defenses to the critical systems that house the data.

This article is written by Michael Koske, a cybersecurity researcher with a keen interest in threat intelligence, threat hunting, and purple teaming.

You can follow him here: Twitter, LinkedIn
