Unit-Ix Cti 1


UNIT-IX Threat Intelligence and Threat Modelling

Introduction to Threat Intelligence
• “Details of the motivations, intent, and capabilities of internal and
external threat actors. Threat intelligence includes specifics on the
tactics, techniques, and procedures of these adversaries. Threat
intelligence’s primary purpose is to inform business decisions
regarding the risks and implications associated with threats”.
Contd..
• Gartner summarizes threat intelligence as evidence-based knowledge,
which means you can rely on it to make informed decisions about how to
respond to a threat.
• This means that if I give you a bunch of IP addresses with no context, such
as a warning list posted on a website, you won’t understand what they mean;
those IP addresses are just data.
• If I tell you that these IP addresses are bad but do not explain why, there
is only one specific use for them, which is to block them.
• That would represent threat data, which can be a form of threat
intelligence depending on how it is used, but by itself is not threat
intelligence.
• Many people have this misconception about threat data.
Threat Data
• All threat-related data is not threat intelligence.
• Many security tools are driven by a specific type of threat data, but
that doesn’t mean the data provided to the tool gives you, the user,
any value.
Data vs. Intelligence
• An effective cybersecurity intelligence system makes a clear distinction between
threat data collection and threat intelligence to stop threat actors.
• Cyber threat intelligence includes data collection and processing to detect,
stop, and mitigate threats.
• Data collection, on its own, provides useless information until it is analyzed in the
context of intelligence.
• The analysis reveals operational intelligence such as the types of threats that may
be imminent, weaknesses in the network, and the different sources of threats.
• This is collated and implemented into a cyber threat intelligence and analysis
system.

• In other words, data collection is one of the building blocks of cyber threat
intelligence.
Threat perspectives
What is Cyber TI and how can you use it?

Definition – Threat intelligence is evidence-based knowledge, including context,
mechanisms, indicators, implications and actionable advice, about an existing or
emerging menace or hazard to assets that can be used to inform decisions regarding
the subject's response to that menace or hazard. (Gartner 2013)

Diagram (reconstructed from the extracted slide): TI is placed on two axes, high
level vs. low level and long-term vs. immediate use. High-level, long-term TI is
attacker information on methodologies and changing risk and tactics, aimed at the
board; longer-term details of specific threats are aimed at architects and admins;
immediate-use indicators of specific incoming malware and attacks are aimed at
SOC staff.

Defenders' Expectation – Understanding the threat landscape from a dynamic and
strategic perspective helps an organisation to prepare for and react appropriately
to Cyber events.
Threat perspectives
Some Current Challenges
• TI is poorly understood, e.g. threat feeds vs threat intelligence
• Immature partial implementations – a lot are missing information sharing
and strategic input
• Application of TI needs a lot of human input; we are a long way from fully
automated TI
• Security is viewed as an overhead so all initiatives need to have KPIs that
show value
• Noise… reaction required? Yes/None/Urgent
Threat perspectives
Operational information & intelligence feeds
(The slide groups the feeds into four sources around a central “Analysis” box.)

Internally generated
• IOC hunters – Darktrace
• End Point Protection
• Security Operation services
• Vulnerability Management

Information sharing
• Sectoral – Financial services, public sector
• Geographic – local CERT
• NIS Directive

Generic external
• Open source
• Subscription based – X-Force, Digital Shadows, Deepsight
• Raw e.g. XSS
• Indicators of compromise (IOCs)
• Tactics, techniques and procedures (TTPs)

Organisation specific
• Branded “mybank” information
• Social media
• Boards
• Dark web
• Customer or organisation phishing campaigns
Threat perspectives
Use case examples
• Phishing detection
• Incident Response knowledge base
• Vulnerability prioritisation
• Brand monitoring
• Fraud detection

The slide's diagram shows a Threat Analysis cycle with the stages Collection,
Processing, Validation, Analysis & Production, Dissemination and Projection.

Threat Actors
• The first step towards developing threat intelligence capability is the
understanding of different threat actors
– Different Threat Actors (e.g. government, organized crime, activists etc.)
– Associate risk level depends on the context
• Important to distinguish between:
– Threat Actors carrying out the attack
– Threat Actors “commissioning” the attack
Sample Threat Actors
Observables and Indicators
• Observable
– Any piece of information related to the operations of computers and
networks
• Indicator
– Any piece of information (observable) that, enriched with contextual
information, allows one to represent artifacts and/or behaviors of interest within a
cyber security context, such as attacks, intrusions, etc.
• Context turns an observable into an indicator
– An IP address used in attack
– The hash of an executable found on a system
Samples
• Typical indicators addressed by cyber threat intelligence include
– Domain name, IP address, hash (MD5, SHA1, SHA256), email address, SSL
hash (SHA1), malware name (e.g. Trojan.Enfal), filename (e.g. .scr,
resume.doc), URI string (e.g. main.php), User-Agent string (e.g. Python-
urllib), a registry key string
• Support for indicators varies across CTI solutions
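An added example, not from the slides: a small Python helper that turns bare observables into indicators only when context is attached, classifies a subset of the indicator types listed above (IPv4, domain, MD5, SHA256) using assumed regexes, and matches the result against constructed log lines; the indicator values, sources and the campaign name are all made up.

```python
import re
from collections import namedtuple

# Regexes for some of the indicator types listed above (assumed patterns, not from the slides).
INDICATOR_PATTERNS = {
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "domain": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I),
}
# The context (source, campaign, role) is what turns an observable into an indicator.
Indicator = namedtuple("Indicator", "value kind context")

def classify(observable):
    """Return the observable's indicator type, or None if no supported pattern fits."""
    for name, pattern in INDICATOR_PATTERNS.items():
        if pattern.match(observable):
            return name
    return None

def build_indicator(observable, context):
    """Attach context to an observable; reject unsupported values and context-free data."""
    kind = classify(observable)
    if kind is None:
        raise ValueError(f"unsupported observable: {observable!r}")
    if not context:
        raise ValueError("observable without context is threat data, not intelligence")
    return Indicator(observable, kind, context)

def match_logs(indicators, log_lines):
    """Return (line_number, indicator) for every log line that contains an indicator value."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for ind in indicators:
            if ind.value.lower() in line.lower():
                hits.append((number, ind))
    return hits

# Constructed sample data: documentation-range IP and domain; the hash is the MD5 of an empty file.
SAMPLE_INDICATORS = [
    build_indicator("203.0.113.5", "sector ISAC feed: campaign-X C2 server"),
    build_indicator("bad.example.net", "sector ISAC feed: campaign-X phishing domain"),
    build_indicator("d41d8cd98f00b204e9800998ecf8427e", "internal IR report: campaign-X dropper"),
]
SAMPLE_LOGS = [  # constructed log lines; line 4 should produce no hit
    "2024-05-01T10:00:01 fw deny src=203.0.113.5 dst=10.0.0.8 dport=443",
    "2024-05-01T10:00:02 dns query name=bad.example.net type=A",
    "2024-05-01T10:00:03 av scan file=resume.doc md5=D41D8CD98F00B204E9800998ECF8427E",
    "2024-05-01T10:00:04 fw allow src=192.0.2.10 dst=10.0.0.8 dport=80",
]
```

Calling `match_logs(SAMPLE_INDICATORS, SAMPLE_LOGS)` reports hits on the first three lines, each carrying the context a SOC analyst needs to act, while the fourth line stays silent.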
About Cyber Threat Intelligence
• CTI is about managing risk exposure
– Likelihood of a threat manifesting itself
– Impact of attacks
• Three main use cases
– Monitoring
• Monitoring the risks from the threats we know about
– Threat Assessments
• Assessing risks from new threats
– Investigations
• Learning about current and future threats
Types of Threat Intelligence
Strategic Threat Intelligence
• It gives stakeholders a bird’s eye view of the organization's threat
landscape and its risk.
• This helps those in the audience, such as executives and key decision-makers,
to make high-level decisions as to how to use the information in the context of
intelligence.
• Strategic threat intelligence and analysis may use internal policy
documents, news reports, white papers, or other research material
provided by the analysts of security organizations.
Tactical Threat Intelligence
• Tactical intelligence, one of the key requirements, defines threat
actors' techniques and procedures as they pertain to the company's
risk.
• It is intended to help defenders understand how the organization
could be attacked and how to use intelligence to defend against or
mitigate those cyber attacks.
Operational Threat Intelligence
• Operational threat intelligence involves presenting information
regarding cyber attacks, whether they are singular events or long-
term campaigns.
• Operational intelligence and analysis gives stakeholders insights that
can be used by incident response teams to better comprehend attack
elements, such as their timing, purpose, and how they are carried
out.
OSINT (Open-Source Intelligence)
• OSINT Framework, as its name implies, is a cybersecurity framework,
a collection of OSINT tools to make your intel and data collection
tasks easier.
• This tool is mostly used by security researchers and penetration
testers for digital foot-printing, OSINT research, intelligence gathering,
and reconnaissance.
• It provides a simple web-based interface that allows you to browse
different OSINT tools filtered by categories.
Advantages of Using OSINT
• Open source intelligence gathering comes with several benefits. Let’s
take a look at some of them:
• If you’re on a budget, conventional information collecting techniques and
tools may not be an economically viable solution.
• One of the main benefits of employing OSINT to gather intelligence is that it
involves a minimal level of financial investments.
• The information obtained is not classified and has been divulged freely, hence
it is legal to obtain any such information.
• Because it relies on public resources, users frequently share and update the
information regularly.
Disadvantages of OSINT
• Finding information means very little unless you can put it to use in
some meaningful way.
• Filtering out junk data from valuable information can be challenging
based on the volume of data you find.
• Once you have filtered out usable data, you need to validate that the
information is reliable.
• Organizations and individuals may deliberately post false information
to mislead potential attackers.
• The information gleaned is not consumable as it is, and there is a
considerable amount of analysis work involved.
OSINT Framework classification
• When you load the website https://www.osintframework.com, the OSINT
tree appears on the left side of your screen.
• There are some highlights you should know; take a look at the
following indicators on the right side, for some of the listed tools:
• (T) – Indicates a link to a tool that must be installed and run locally
• (D) – Google Dork (Google Hacking)
• (R) – Requires registration
• (M) – Indicates a URL that contains the search term and the URL itself must
be edited manually
Threat Modeling
What is Threat Modeling?
Assessing security risks of a software system from an adversary’s perspective.
Purpose of Threat Modeling
1. Understand threats to guard against during requirements analysis.
2. Provide basis for which security mechanisms to include during
design.
3. Verify security of system design.
4. Provide basis for prescribing secure implementation practices.
5. Provide basis for testing system security after implementation.
Threat Modeling Process
1. Understand adversary’s view of system.
2. Characterize security of system.
3. Evaluate threats.

Understanding the Adversary’s View
1. Identify System Assets.
• System resources that an adversary might attempt to
access, modify, or steal.
• Ex: credit cards, network bandwidth, user access.
2. Identify Entry Points.
• Any location where data or control transfers between
the system being modeled and another system.
• Ex: network sockets, RPCs, web forms, files
3. Determine Trust Levels.
• Privileges external entities have to legitimately use
system resources.

Identify System Assets
• User login data
• User personal data
• Web process resources
• Execute code as web server
• Network/disk resources
• Application resources
• Database server resources
• Access to stored data
• Organization’s reputation
Discover Entry Points
Any method for system to accept input
Example: http://cs.nku.edu/ctrl.psp?pg=login
• Web server: cs.nku.edu
• All network protocols that can access host
• Web server specific attacks
• ctrl.psp
• Your controller application
• pg=login
• The login subsystem invoked by controller

Analyze Entry Points
1. Are you missing any potential back door entry points?
• What if attacker is on the web server?
• What if attacker between web and db servers?
2. How does system distinguish between bad and good input?
3. Can system distinguish a request from a legitimate client from a
replay attack?

Trust Levels
Resources with higher trust levels are accessible to fewer users, but higher
trust levels offer access to a wider range of resources.

Trust Levels
• Remote Unauthenticated Users
• Remote Authenticated User
• Remote Application Admin User
• Web Administrator
• Web Server Process
• DB Administrator

Characterize System Security
1. Use and misuse scenarios.
• How do users use the system to fulfill needs?
• How could an adversary use these system interfaces to attack the system?
2. Identify assumptions and dependencies.
• How does system security depend on external systems?
• What assumptions do components make about data or control transfers
with other components?
3. Model the system.
• Model how system processes data from each entry point using tools like
DFDs.

Use Case Example
UC 1: Login to Web Store
Primary Actor: Customer
Stakeholders and Interests:
• Customer: Wants to purchase products.
Preconditions: Customer has web access.
Postconditions: Customer has access to their account, with the ability
to pay for and ship products.
Summary: Customer gains access to system using an assigned
username and password.

Misuse Case Example
MUC 1: Sniff Password
Primary Actor: Attacker
Stakeholders and Interests:
• Attacker: Wants to obtain user credentials.
Preconditions: Attacker has access to a machine on network path
between user and system.
Postconditions: Attacker has obtained one or more valid usernames
and passwords.
Summary: Attacker obtains and later misuses passwords to gain
unauthorized access to system.

Misuse Case Example
Basic Flow:
1. Attacker installs network sniffer.
2. Sniffer saves all packets which contain strings matching
“Logon,” “Username,” or “Password.”
3. Attacker reads sniffer logs.
4. Attacker finds valid username/password in log.
5. Attacker uses sniffed password to access system.

Misuse Case Example
Alternate Flows:
1a. Attacker not on path between user and system:
1. Attacker uses ARP poisoning or similar attack to
redirect user packets through his system.
1b. Customer uses wireless connection.
1. Attacker drives to customer location.
2. Attacker uses wireless sniffer to intercept passwords.
4a. Attacker finds no passwords in log
1. Continue sniffing until a password is found.

STRIDE Model: Threat Categorization
• Spoofing
• ex: Replaying authentication transaction.
• Tampering
• ex: Modifying authentication files to add new user.
• Repudiation
• ex: Denying that you purchased items you actually did.
• Information disclosure
• ex: Obtaining a list of customer credit card numbers.
• Denial of service
• ex: Consuming CPU time via hash algorithm weakness.
• Elevation of privilege
• ex: Subverting a privileged program to run your cmds.

Analyze Threats
• Decompose threats into individual, testable conditions using attack
trees.
• Attack Trees
• Hierarchical decomposition of a threat.
• Root of tree is adversary’s goal in the attack.
• Each level below root decomposes the attack into finer approaches.
• Child nodes are ORed together by default.
• Special notes may indicate to AND them.

Attack Trees—Graph Notation
Goal: Read file from password-protected PC.
The slide's diagram, written out as a text tree (child nodes are ORed):
• Read File
  – Get Password
    • Search Desk
    • Social Engineer
  – Network Access
  – Physical Access
    • Boot with CD
    • Remove hard disk

Attack Trees—Text Notation
Goal: Read message sent from one PC to another.
1. Convince sender to reveal message.
1.1 Blackmail.
1.2 Bribe.
2. Read message when entered on sender’s PC.
2.1 Visually monitor PC screen.
2.2 Monitor EM radiation from screen.
3. Read message when stored on receiver’s PC.
3.1 Get physical access to hard drive.
3.2 Infect user with spyware.
4. Read message in transit.
4.1 Sniff network.
4.2 Usurp control of mail server.
Evaluate Risk with DREAD Model
• Damage Potential
• Extent of damage if vulnerability exploited.
• Reproducibility
• How often attempt at exploitation works.
• Exploitability
• Amount of effort required to exploit vulnerability.
• Affected Users
• Ratio of installed instances of system that would be affected if exploit
became widely available.
• Discoverability
• Likelihood that vulnerability will be discovered.

Quantifying Threats
• Calculate risk value for nodes in attack tree
• Start at bottom of tree.
• Assign a number 1-10 to each DREAD item.
• Assign average of numbers to node.
• Propagate risk values to parent nodes.
• Alternate technique: monetary evaluation
• Estimate monetary value to carry out attacks.
• Propagate values to parent nodes as above.
• Note: smaller values are higher risks in this method.
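As an added example (not from the slides), the text-notation attack tree above scored with the DREAD procedure just described: each leaf gets the average of five constructed 1-10 scores, and risk is propagated upward by taking the maximum of ORed children or the minimum of ANDed children. That max/min rule is an assumption, since the slides only say "propagate"; the leaf scores are illustrative, not from the original.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    children: list = field(default_factory=list)
    conjunctive: bool = False  # True = children are ANDed (all needed); default is OR, as in the slides
    dread: tuple = None        # leaf only: (Damage, Reproducibility, Exploitability, Affected, Discoverability)

def dread_score(node):
    """Leaf: average of its five DREAD items (1-10). Parents: OR node takes the riskiest child,
    AND node the weakest link. The slides only say 'propagate'; max/min is an assumed rule."""
    if node.dread is not None:
        if len(node.dread) != 5 or not all(1 <= v <= 10 for v in node.dread):
            raise ValueError(f"{node.name}: DREAD needs five values in 1..10")
        return sum(node.dread) / 5
    if not node.children:
        raise ValueError(f"{node.name}: interior node without children")
    scores = [dread_score(child) for child in node.children]
    return min(scores) if node.conjunctive else max(scores)

def riskiest_path(node):
    """Follow the highest-scoring OR branch from the root down; an AND node lists all its children."""
    if node.dread is not None:
        return [node.name]
    if node.conjunctive:
        return [node.name] + [name for child in node.children for name in riskiest_path(child)]
    return [node.name] + riskiest_path(max(node.children, key=dread_score))

def leaf(name, damage, reproducibility, exploitability, affected, discoverability):
    return Node(name, dread=(damage, reproducibility, exploitability, affected, discoverability))

# The text-notation tree from the slides; the leaf DREAD scores are constructed for illustration.
READ_MESSAGE = Node("Read message sent from one PC to another", [
    Node("1. Convince sender to reveal message",
         [leaf("1.1 Blackmail", 8, 2, 3, 1, 4), leaf("1.2 Bribe", 8, 3, 4, 1, 4)]),
    Node("2. Read message when entered on sender's PC",
         [leaf("2.1 Visually monitor PC screen", 6, 5, 4, 1, 5),
          leaf("2.2 Monitor EM radiation from screen", 6, 3, 1, 1, 2)]),
    Node("3. Read message when stored on receiver's PC",
         [leaf("3.1 Get physical access to hard drive", 8, 6, 4, 1, 6),
          leaf("3.2 Infect user with spyware", 9, 7, 6, 8, 7)]),
    Node("4. Read message in transit",
         [leaf("4.1 Sniff network", 7, 8, 7, 9, 8),
          leaf("4.2 Usurp control of mail server", 10, 5, 4, 10, 6)]),
])

if __name__ == "__main__":
    print(f"root risk {dread_score(READ_MESSAGE):.1f} via {' -> '.join(riskiest_path(READ_MESSAGE))}")
```

With these constructed scores the root inherits 7.8 from the "Read message in transit" branch, which is where mitigation effort (e.g. transport encryption) would cut the tree's overall risk the most.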

Attack Tree Exercise
• Create an attack tree for reading a message stored on the mail server that
you described in the DFD exercise.
• Consider all entry points.
• While you’re starting as an unauthorized network user, consider all trust
levels in constructing your tree, with gaining the required trust level to
conduct your attack being one of your subgoals.
