Building a Cyber Threat Intelligence Capability from Scratch – Part IV: Gaining Situational Awareness
Introduction
This is the final article in the mini-series on how you can build a Cyber Threat Intelligence capability from scratch. We have spoken about how frameworks can help focus your efforts, the different ways you can organise your team and how you must understand your own environment in order to determine the threats you could be facing, which leads us nicely to the final piece of the puzzle. This article will focus on how you can now determine the likely threats your business will face and, subsequently, how you can align your defensive posture as a result. If you missed the first three articles, they are linked below.
1. Identifying My Vulnerabilities
In terms of our scenario from the previous articles, we have enumerated and mapped our technical environment and have a thorough understanding of our critical assets, otherwise known in security circles as the business 'Crown Jewels'. In the diagram below, you can see the process that we have begun to follow. We have not mentioned how this CTI capability is tied to business risk, as that is another article for another time. However, the diagram at least demonstrates the path you should follow and how other aspects of the business can and must support this process.
Once we have identified our critical assets, we can then prioritise and analyse the vulnerabilities associated with each of these, which in turn will help you highlight which threats could likely target them. In terms of vulnerabilities, you should aim to understand the internal, external, digital and physical factors of what could potentially exploit them. Without guidance, trying to accomplish this from scratch is an incredibly daunting task, so to help, here are a few resources. Let me introduce NVD, SCAP, CPE, CVE and CWE as a good place to begin.
a. National Vulnerability Database (NVD)
The NVD is the U.S. government’s repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). More on SCAP in a bit. This data enables the automation of vulnerability management, security measurement, and compliance within a business. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. The team behind NVD performs continuous analysis on Common Vulnerabilities and Exposures (CVEs) and subsequently issues impact metrics using the Common Vulnerability Scoring System (CVSS), vulnerability types (Common Weakness Enumeration – CWE) and applicability statements (Common Platform Enumeration – CPE) that are pushed to the public domain. It is an incredible repository that should be your first port of call in building an understanding of your vulnerabilities. More information can be found at https://nvd.nist.gov/general
b. Security Content Automation Protocol (SCAP)
As mentioned above, SCAP is the protocol representation of the NVD and comprises several open standards that are widely used to enumerate software vulnerabilities and related configuration issues. Applications that conduct security monitoring use the standards when measuring systems to find vulnerabilities, and offer methods to score those findings in order to evaluate the possible impact. As always, if you can automate it then do it, and this is what SCAP provides. Once established, it can be run to update and monitor the vulnerability environment of your business. The SCAP suite of specifications includes, but is not limited to:
- Common Vulnerabilities and Exposures (CVE)
- Common Platform Enumeration (CPE)
- Common Vulnerability Scoring System (CVSS)
- Extensible Configuration Checklist Description Format (XCCDF)
- Open Vulnerability and Assessment Language (OVAL)
More information can be found at https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol
c. Common Platform Enumeration (CPE)
Common Platform Enumeration (CPE) is a standardised method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets. More information can be found at https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/Specifications/cpe
d. Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures is a list of common identifiers for publicly known cybersecurity vulnerabilities. The CVE List feeds NVD, which then builds upon the information included in CVE Entries to provide enhanced information for each entry such as fix information, severity scores, and impact ratings. As part of its enhanced information, NVD also provides advanced searching features such as by OS; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact. More information can be found at https://cve.mitre.org/index.html
e. Common Weakness Enumeration (CWE)
Targeted at developers and security practitioners, the CWE is a formal list of software weakness types created to serve as a common language for describing software security weaknesses in architecture, design, or code. It serves as a standard measuring stick for software security tools targeting these weaknesses and provides a common baseline standard for weakness identification, mitigation, and prevention efforts. More information can be found at https://cwe.mitre.org/index.html
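To show how CPE, CVE and CVSS fit together in practice, here is an added example (not code from the original article) that takes an asset inventory expressed as CPE 2.3 strings, the output of the crown-jewels mapping above, and matches it against NVD-style CVE records, ranking what is exposed by crown-jewel status and CVSS base score. All vendor names, product names, versions, CVE ids and scores in it are constructed placeholders, and the record layout (cpeMatch criteria with versionStart/End fields) is a simplified form of the NVD API's configuration data.

```python
"""Match an asset inventory (CPE 2.3 strings) against NVD-style CVE records.
Constructed sample data throughout: the CVE ids, vendor, products, versions and
CVSS scores are placeholders, not real NVD entries."""
def parse_cpe(cpe: str) -> list:
    """Split a CPE 2.3 formatted string into its 11 components (part, vendor, product, version, ...)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts[2:]

def version_key(version: str) -> tuple:
    """Component-wise dotted-version ordering; non-numeric parts sort as 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def cpe_matches(asset_cpe: str, match: dict) -> bool:
    """True if the asset falls inside one NVD cpeMatch entry: criteria plus optional version range."""
    asset, criteria = parse_cpe(asset_cpe), parse_cpe(match["criteria"])
    if any(c != "*" and a != c for a, c in zip(asset, criteria)):  # "*" in criteria means ANY
        return False
    if asset[3] == "*":  # asset version unknown: treat as exposed until the inventory is corrected
        return True
    v = version_key(asset[3])
    lo, hi_inc, hi_exc = (match.get(k) for k in ("versionStartIncluding", "versionEndIncluding", "versionEndExcluding"))
    if lo and v < version_key(lo) or hi_inc and v > version_key(hi_inc) or hi_exc and v >= version_key(hi_exc):
        return False
    return True
def exposed_cves(assets: list, cves: list) -> list:
    """(cve_id, cvss, asset) rows: crown jewels first, then highest CVSS base score first."""
    rows = []
    for asset in assets:
        for cve in cves:
            if any(m["vulnerable"] and cpe_matches(asset["cpe"], m) for m in cve["cpeMatch"]):
                rows.append((asset["crown_jewel"], cve["cvss"], cve["id"], asset["name"]))
    rows.sort(key=lambda r: (not r[0], -r[1]))
    return [(cve_id, cvss, name) for _, cvss, cve_id, name in rows]
# Constructed inventory (the output of section 1) and constructed NVD-style records
ASSETS = [
    {"name": "pos-terminal-01", "cpe": "cpe:2.3:a:examplevendor:posapp:2.4.1:*:*:*:*:*:*:*", "crown_jewel": True},
    {"name": "intranet-wiki", "cpe": "cpe:2.3:a:examplevendor:wiki:5.0:*:*:*:*:*:*:*", "crown_jewel": False},
    {"name": "hr-portal", "cpe": "cpe:2.3:a:examplevendor:hrportal:1.2:*:*:*:*:*:*:*", "crown_jewel": False},
]
CVES = [  # versionEndExcluding / versionStartIncluding / versionEndIncluding mirror the NVD API field names
    {"id": "CVE-0000-0001", "cvss": 9.8, "cpeMatch": [{"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:posapp:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.5.0"}]},
    {"id": "CVE-0000-0002", "cvss": 7.5, "cpeMatch": [{"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:wiki:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndIncluding": "5.0"}]},
    {"id": "CVE-0000-0003", "cvss": 5.3, "cpeMatch": [{"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:hrportal:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.3"}]},
]

if __name__ == "__main__":
    for cve_id, cvss, name in exposed_cves(ASSETS, CVES):
        print(f"{name}: {cve_id} (CVSS {cvss})")
```

The hr-portal record is deliberately below the affected version range, so it drops out of the list; the point-of-sale asset is listed first because it is a crown jewel, not only because its score is highest.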
The above is enough to get your teeth sunk into; there are other resources out there, but we just do not have time to mention all of them here. The NVD and everything above are a great set of resources that you can use to discover where your vulnerabilities lie as an organisation and begin to manage them. Now that we have this, we need to identify the threats that may target our business.
2. Identifying my Enemies
With this information, we should have a very thorough understanding of our own strengths and weaknesses and be able to theorise where potential attackers would likely target us and understand the consequences if they were to be successful. The next step on our journey is to conduct a practice called Threat Modelling. This is a process where you begin to establish/theorise which threats are most likely to target you, how they would target you, and then attempt to understand the likely attacks you could face. Mapping this attack information will subsequently allow you to put in place security controls prior to being attacked that will, in theory, keep the business safe and agile against cyber threats. Below is a very simplistic but excellent representation of one methodology of how Threat Modelling can look. Please click on the picture for the full resource; the diagram simply shows how, in terms of our favourite Dark Knight, his assets have been identified, the protection controls currently in place, and the threats that are mitigated by these controls.
To Threat Model, you can ask yourself four simple questions:
· What is my situation?
· Who is likely to target me?
· How can we stop them?
· Are the controls working?
We have already completed question one, so we are now trying to discover who is likely to target us. In our scenario, we have not stated the type of company we are, but for example, if we were a company that conducts animal testing with cosmetic products then hacktivists are likely to be targeting us. If we held a lot of intellectual property related to technical government projects, we could expect an attack from a Nation State or Organised Criminal Gang. Once set on the likely threat groups (script kiddies, hacktivists, APTs, corporate espionage etc.), you can then conduct further research on which specific groups within the general groups would likely target you (e.g. Anonymous or APT28) and analyse the tactics and techniques they employ from historical analysis to ensure our environment could withstand a potential attack. A great aid to do this is the Mitre ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/enterprise/#). You can use this tool to map your identified threat actors and their known associated Tactics, Techniques and Procedures (TTPs) alongside your current defensive capabilities. The example below maps Carbanak (blue) and FIN7 (yellow) TTPs to a company’s defences (green). Anywhere there are blue and green squares visible is where there are attack vectors with no current defensive control to mitigate them. Subsequently, this is where you must concentrate your defensive resources.
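The same gap analysis the Navigator overlay performs visually can be done in code, which is useful when the actor list or control mapping changes often. This is an added example, not the article's or MITRE's own code: the technique ids are real ATT&CK enterprise ids, but which actor uses which technique and which controls the business has are constructed placeholders, not the Navigator's real group layers, and the layer output uses a minimal assumed subset of the Navigator layer schema.

```python
"""Find ATT&CK techniques used by tracked threat actors that no current control covers.
Constructed sample data: the actor-to-technique attribution and the control mapping
below are illustrative placeholders, not real intelligence on Carbanak or FIN7."""
import json

# Constructed: techniques observed for each tracked actor (placeholder, not the Navigator group layers)
ACTOR_TTPS = {
    "Carbanak": {"T1566", "T1059", "T1003", "T1021", "T1105"},
    "FIN7":     {"T1566", "T1059", "T1003", "T1204", "T1071", "T1486"},
}

# Constructed: techniques the business currently has a defensive control mapped against (the green squares)
CONTROLS = {
    "T1566": ["mail gateway sandboxing", "phishing awareness training"],
    "T1059": ["PowerShell constrained language mode", "script block logging"],
    "T1071": ["egress proxy with TLS inspection"],
}

def coverage_gaps(actor_ttps: dict, controls: dict) -> dict:
    """Map each uncovered technique to the actors that use it, techniques shared by most actors first."""
    gaps = {}
    for actor, techniques in actor_ttps.items():
        for tid in techniques - set(controls):
            gaps.setdefault(tid, []).append(actor)
    # A technique used by several tracked actors and covered by nothing is the highest-value gap to close
    return dict(sorted(gaps.items(), key=lambda kv: (-len(kv[1]), kv[0])))

def navigator_layer(gaps: dict, name: str = "Uncovered TTPs") -> str:
    """Render the gaps as a Navigator layer JSON (assumed minimal schema) so they can be loaded into the tool."""
    layer = {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": len(actors), "comment": "no control; used by " + ", ".join(actors)}
            for tid, actors in gaps.items()
        ],
    }
    return json.dumps(layer, indent=2)

if __name__ == "__main__":
    gaps = coverage_gaps(ACTOR_TTPS, CONTROLS)
    for tid, actors in gaps.items():
        print(f"{tid}: no control, used by {', '.join(actors)}")
    print(navigator_layer(gaps))
```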
You may also be tracking threat actors whom you discover during incidents and who do not match any known groups. You will then be building this threat actor from scratch, and to help develop your analysis against these new, undefined threat groups you can use the Environmental Scanning methods mentioned in Article 3 or a method that I created called METRICS (see below). This analytical tool can be used to build an understanding of a threat actor group that you cannot currently assign to any other group. To use it, you capture and theorise data under each of the seven headers and, along with the Three Column Analysis method mentioned in Article 3, begin to develop a threat group profile based on the data. It is vital to capture this information for reference, as it will help you understand and track the group's capabilities and how they prefer to target you, hopefully identify their weaknesses, and allow you to generate a proactive defensive posture against them.
METRICS (diagram):
Outputs of this stage:
- METRICS and Three Column Analysis
- Mitre ATT&CK Navigator
3. Threat Scenario Testing
We are nearly there in terms of completing our framework, and you may be thinking that this is all a lot of work in order to protect a business; you would be correct. Intelligence is a refined skill, almost an art at times, and for it to be effective it needs a capable and skilled team delivering it. When done well, you can track and map your potential adversaries and understand their likely moves, allowing you to train your business against the most likely and most dangerous threats.
Threat scenarios or tabletop exercises are a great way of training your security response to certain incidents; they involve testing the business against popular or specific attack techniques you have been targeted with in the past, or attacks you have seen active in the wild. An example exercise could be to test how you respond to an Organised Criminal Gang aiming to compromise your point of sale machines by exploiting one of your supply chain partners. You would have a team acting as the threat actor against your defensive team, with a referee controlling the scenario. You can test any number of scenarios in this manner, and there are a variety of methods you can use, from sit-down tabletop exercises to partial and full live walkthroughs.
This is where most businesses fall down: despite having a security team and the statistics and data on the most likely and most dangerous attacks the business faces, they fail to test or train the security team. For example, in the military you train every day in realistic training scenarios to ensure that when you face similar real-life situations you are prepared and act with speed and efficiency. Business should copy this tried and proven approach in terms of its own security; by developing bespoke threat scenarios and testing them with your employees, you can deliver effective security training against the most likely cyber threat scenarios. Your employees can actually become your greatest defence against a cyberattack rather than a liability, as they can be both your early warning system and your prevention, since most attacks involve some form of social engineering.
4. Gaining Situational Awareness
Now that you have developed the CTI capability to this stage you should have knowledge of the following:
· The intelligence framework you are using
· The CTI Team setup
· Understanding of the business assets
· Understanding of the business vulnerabilities
· Understanding of the business crown jewels
· Understanding of threats against the business
With the above information, if it is maintained and updated regularly, you will ultimately have begun to gain situational awareness: a state where you can predict, react and defend quickly and effectively against attacks. Security controls can be applied proactively, intelligence can influence live incidents to a successful conclusion, and strategic intelligence for business direction can be consumed by the hierarchy. This knowledge not only extends to cyber threats but can be used for many other functions in the business, and can be an incredibly powerful and advantageous tool for any business. You should also maintain a roadmap/gap analysis that seeks to identify and close any security gaps you have highlighted in your journey.
Putting it all Together
We are at the end of our journey now. This overview of a CTI capability was only ever designed to be a general journey, as discussing all the specifics mentioned would take far too long. So, to quickly summarise how everything I have mentioned fits together, the structure below outlines the relationships between everything we have built and how they all interact with one another. By building this capability, we now have the beginnings of a CTI capability that can protect, advise and mitigate attacks against a business, saving it both money and reputational damage when, not if, an attack occurs. There is a lot we have not had time to mention, but it will be introduced in future articles.
To summarise: we have, briefly, although it may not seem it, moved from having zero capability to the start of an effective CTI programme. Some of the concepts have been skimmed over and I have only mentioned them very lightly, and that is intentional. Some of these topics can have whole articles written about them, and future articles will focus on these aspects. Some of the concepts introduced here are my own theories and frameworks that I have developed (METRICS and TEAMCOPPERS, for example), and if you feel that they are missing points or do not hit the mark, please let me know. The idea behind this article series was to outline, in a very top-down approach, the general approach you can take to set up a CTI capability. If you have further questions or wish to discuss the series more, please do not hesitate to contact me. I hope you have enjoyed reading, and there will be more articles coming on CTI in the near future.
*Special thanks go to the many UK CTI specialists whom I have had the pleasure of meeting and working with over the last 12 months, who have helped shape these ideas and provided inspiration.
If you have any questions or require any assistance regarding your own cyber security issues, please call us on 01273 060080, email us at [email protected] or visit our website at Crucial Academy