Dan Cole, VP of Product Marketing at ThreatConnect, hosted an engaging webinar on the power of Threat Intelligence Platforms (TIPs) in modern cybersecurity. The webinar dived into the critical role TIPs play in detecting and stopping cyber threats. Using a real-world case study, the session showcased how TIPs empower cybersecurity professionals to analyze threats, improve response times, and protect organizations more effectively. Learn how advanced threat intelligence can transform your approach to cybersecurity.
Key Takeaways from the Webinar
The Baskerville Bank Cybersecurity Breach
The session kicked off with a compelling scenario: a cyber breach at Baskerville Bank. This example highlighted how a lack of proper threat intelligence can create critical vulnerabilities in cybersecurity defenses. The takeaway? Proactive threat anticipation and mitigation are essential for protecting businesses from cyberattacks.
What Are Threat Intelligence Platforms (TIPs)?
Dan Cole explained that Threat Intelligence Platforms (TIPs) act as middleware, connecting threat intelligence feeds with tools like SIEMs (Security Information and Event Management). TIPs operate in three key steps:
- Aggregate Threat Data: Collect and standardize information from various intelligence sources.
- Analyze Threats: Correlate data with known threat actors to provide context and insights.
- Take Action: Deliver actionable threat intelligence to frontline cybersecurity tools and teams.
Modern Use Cases for Advanced Threat Intelligence Platforms
Today’s TIPs are designed to meet the evolving demands of cybersecurity:
- Prioritized Intelligence Requirements: Focus on delivering relevant, stakeholder-driven intelligence to filter out unnecessary data.
- Background Automation: Handle high-volume environments efficiently so analysts can focus on high-priority threats.
- Cyber Risk Quantification: Help bridge the gap between IT security and business decision-making by quantifying the potential impact of cyber risks, ensuring resources are deployed strategically.
Streamlining Threat Intelligence for Better Cybersecurity
Effective threat intelligence is essential for staying ahead of cyber threats, and ThreatConnect’s Polarity tool is a game-changer. This innovative tool helps reduce the cognitive load on security analysts by providing timely, clear distribution of threat intelligence. The result? Faster, more effective responses to evolving cyber threats.
Using advanced threat intelligence platforms like ThreatConnect enables organizations to enhance threat detection, improve incident response, and align cybersecurity strategies with business goals. Staying ahead of threats has never been more achievable.
Conclusion
Ready to take your cybersecurity strategy to the next level? Learn how modern Threat Intelligence Platforms can transform your approach to threat detection and response. Watch our webinar featuring Dan Cole, where you’ll gain expert insights on improving incident response and strengthening your defenses.
Don’t wait—schedule a demo today to see how ThreatConnect can help protect your organization and keep you ahead of the ever-changing threat landscape!
Dan Cole:
Threat intel. How modern threat intelligence platforms can help cyber detectives like you crack the case. And before we start, just a reminder that you can use the chat to ask any questions as we go. My name is Dan Cole. I’m the vice president of product marketing here at ThreatConnect. But today, I will be playing the role of Threatlock Holmes to help you solve one of the greatest cyber mysteries of all time. So today, we’re gonna be talking about a breach at Baskerville Bank, a most heinous, uh, cybersecurity breach. Then we’re gonna talk about really sort of a back to basics TIP fundamentals. Now, of course, TIPs are a mature technology, which is all the more reason to revisit and make sure we understand the basics. Then we’re gonna talk about some modern TIP use cases. So beyond the basics, what are some new things that TIPs are offering today? Finally, we’re gonna come full circle and see how a TIP helps solve the case.
Now speaking of questions, we do have some prizes. They are Sherlock Holmes themed. And, uh, if I can look a little closer, okay, we’ve got puzzles, coasters, socks. So the first three people to ask a substantive question about this presentation can pick a prize. So for example, why is the sky blue? Not a substantive question. Uh, but, you know, what is your favorite attack technique? I’ll accept that.
So without further ado, let’s talk about a cyber attack most foul. So Baskerville Bank was recently hit by a ransomware attack. What do we know? We know that this caused the bank’s production systems to be encrypted. The customer portal was down for twelve hours. They had $3,200,000 in operational disruption, and that does not even include the fallout of PR, potential class action suits, and we think there may have been some data exfiltration. We don’t know yet. Now the people at the bank investigating this, they don’t know much. They know something was exploited in the help desk. They don’t know how the attacker got in. 
They think it’s related to an unpatched vulnerability, but the investigation is going on. But at the end of the day, the people at the bank who don’t have a TIP have simply decided there’s no way we could have prevented this. They remediated it. The IR team did a great job. The general sense is that they could not have prevented it.
But now let’s bring Threatlock Holmes into the case. He was actually able to solve it. So he knew that the attack began with a phishing spoof, and the domain for that phishing spoof was already reported in various threat feeds. The payload was a RAT delivered by a particular vulnerability, and the TTPs map cleanly to Midnight Jackal, a threat actor known to have been targeting banks in recent weeks. Now if Baskerville Bank had had a TIP, that phishing domain might have raised alarms. Mapping the TTPs could have helped them recognize Midnight Jackal’s behavior. The plugin could have been patched, and fundamentally, the clues could have been connected.
So let’s see how Threatlock Holmes came to those conclusions by looking at how a TIP is supposed to work. So fundamentally, and I hate to say this, but a TIP is middleware. It sits between your intelligence feeds and your operational tools like your SIEM. And I like to think about how a TIP works in three steps, aggregate, analyze, act, or triple A. So at the aggregation step, your TIP is bringing in multiple sources of data. This could be OSINT. This could be various paid feeds. Uh, this could be, you know, something your team finds online. It could be internally generated intelligence. Now the problem is all of this data is nonstandardized. So the way one feed presents the information might be different than the way another feed presents the information. So we can fundamentally think of this data as low fidelity. It’s hard to make sense of. It’s not necessarily hyper relevant to your organization. So what do we do? We put it all in the TIP. So now everything is standardized. 
It all follows the same format. There has likely been some sort of automated deduplication happening. It is now in a state where your teams can analyze it for relevancy. So what is relevant to my organization? What is relevant to my intelligence requirements? And then that data can be sent downstream in the act step at a higher level of fidelity than it came into the TIP. And that might be deployed as technical indicators to power SIEM alerts, or it might be deployed in strategic reports to help leadership, incident response team, threat hunters go after this particular threat.
So Charles Segars asks, what is the spectrum between hand collected and automation collected aggregation at the beginning of the cycle? Well, Charles, you just won our first prize. So we will take down your information and reach out after the webinar. Uh, just to clarify, when you say spectrum, are you kind of asking, you know, sort of volume of data or fidelity of data? Can you expand on that? And I’ll just pause to give Charles a moment to, uh, type his response there.
But while we’re waiting, and Charles, I will answer that question, let’s move forward to the aggregation step. So without a TIP, when you’re trying to aggregate your threat intelligence, you might be relying on a single feed. Uh, there we go. Uh, second question. Uh, so I will get through the aggregation step and then, Edward, I promise I will come back to you. So if you’re not using a TIP and relying on a single feed, that means you might have blind spots. Not every feed has every piece of the puzzle. Even if you are relying on multiple feeds, again, they are not in standard formats. You might have to flip between them, which is a high cognitive load. Things might be missed. Second, you have no way to actually compare how relevant the different feeds are. One might be better at servicing your organization, your industry. 
Finally, investigations can go off the rails because certain things might be unrecognized due to feed lag or omission. So what does this actually look like with a TIP? So, of course, the most important factor here is that TIP is going to aggregate all of those sources, whether it’s OSINT, commercial, into one place. Second, it’s gonna correlate those indicators. So bad.com, what does it look like across these five different feeds? Does a different feed have a different piece of the puzzle? And critically, the TIP, because you’re bringing in multiple feeds, can answer questions about feed quality. So it helps you prioritize which feeds to pay attention to. And I like to think of that part in terms of four factors, timeliness. So for bad.com, maybe you had five feeds, all report bad.com as malicious, but did one feed report it first? Two is uniqueness. Again, this is a puzzle problem. Did one feed report a particular indicator or an insight into a particular threat that another feed did not? So it was one feed providing sort of non commoditized threat intelligence. Known goods. What is the ratio of what this source is providing in terms of, uh, true positives versus false positives. Uh, and finally, dwell time, which is kind of the inverse of timeliness. Is the feed actually deprecating out indicators that might have been retired?
So Edward asks, coming from a small IT team, uh, people wearing many hats, so you’ve got, like, a SOC analyst doing threat hunting, doing CTI, doing incident response. How often does that actionable intel get stuck in a report, and how do you get in the hands of the right person before it’s too late? So, Edward, you win a prize. That’s two to go. So I’m gonna get to the answer of that question because it is a very important one. So we don’t want the intel sitting there collecting dust. We actually want it getting in the right hands of the right people when they need it. 
So I’m gonna hit that in detail when we get talking about the modern TIP. So in this case, Threatlock Holmes saw the phishing domain reported in a different feed three days prior to the attack because he was not relying on one feed. And this feed he had was more timely. So in ThreatConnect, by way of example, you can view things like, what are your top sources in terms of what are you observing in your environment? You can look at different feeds and see which ones are providing the most unique indicators, which feeds are providing the most timely indicators, and, of course, you can see all of your sources in one place, whether you’re only bringing in 10 OSINT feeds or whether you’re bringing in a 100 plus five paid feeds, government bulletins, etcetera.
Step two is analyzing the evidence. So, okay, you’re looking at feed data. Without a TIP, indicators lack context. At ThreatConnect, we call those orphaned indicators. So okay. Yes. Bad.com is bad. Why is it bad? Is it related to ransomware? Um, is it related to a spear phishing attack? Uh, is it tied to a known threat actor that’s targeting our industry? Second, there is no link between that observed activity and what threat actors are actually doing. So, okay, here’s a TTP. Great. It’s attack technique ten twenty six. Is anybody using it? Is it tied to a campaign that might be targeting a bank, for example? And so investigations end up stalling because all of this data is living all over the place and you just struggle to connect the dots. But with a TIP, you’ve got the ability to do things like correlate indicators to specific techniques. So you are sort of deorphaning or adopting, uh, indicators so that bad.com is now tied to TTP ten ninety six. Ten ninety six is now tied to Fancy Bear. So you have some context and know what to do. Two is that TIP automatically enriches and dedupes incoming intel. So you’re looking at bad.com. 
You don’t need to look at 10 different versions of bad.com from 10 different feeds. It’s like related campaigns and active threat activity. And fundamentally, when we talk about linking things like indicators to threat activity, it helps us focus on things like behavior. So is this threat actor trying to get into the bank to exfiltrate data? Is it trying to perpetrate ransomware? Is it a hacktivist attack?
So Benjamin asks, what fraud security options do banks provide for payments cybersecurity? Very good question. Uh, give Benjamin a prize. So we are seeing more and more, uh, banks and financial organizations trying to link fraud teams and cyber defense teams. Because very often things like fraud are perpetrated via cyber attacks as a vector. And if you wanna talk about very mature teams, they are also starting to merge their physical security teams into that process. So you’ve got fraud, physical, and cyber all working towards the same objective, and we even see some customers doing all of that in the TIP. So, again, we’re proving out the value of that unified threat library where those three teams can now go to one place, get access to the same data, and maybe look at correlations between something like an ATM attack and a potentially related cyber attack.
So Threatlock Holmes got his magnifying glass out. He’s enriching indicators. He’s mapping it to specific behavior so it’s no longer orphaned. So in ThreatConnect, for example, we can take unstructured data and we use AI to automatically categorize it by things like industry, by attack technique, by vulnerability. So that way, any indicator tied to it is automatically classified by that. We help you connect the dots. We help you tell that story. We also have CAL, which is our global analyst network, which takes a threat graph like this. And if you’re stuck, CAL will give you additional bread crumbs to potentially lead you to the next step in your organization. 
And finally, we have the ATT&CK navigator, which lets you look at patterns in these attacks. So you can look at you know, if you if you’ve got threat actors targeting your industry, you can add those to the attack graph and see which TTPs are the most prevalent.
Finally, action. So we’ve aggregated all data. We’ve analyzed it. We know what is high fidelity versus low fidelity. Let’s get it downstream. So without a TIP and, Edward, this is gonna be part of my answer to your question. Without a TIP, intel gets stuck in spreadsheets or PDFs. And we all get a lot of email. We all get a lot of Slack messages. Things get lost. Indicator sharing can be manual. It can be delayed. It can be done through ad hoc APIs. Or worse, some people pipe feeds directly into their SIEM. And SIEMs aren’t built for that. That’s going to lead to alert overload. Uh, strategic reporting is ad hoc or inconsistent. So how is data actually going to decision makers in a narrative format? And investigations end up hitting dead ends. Again, because it is hard to get those things downstream.
With a TIP, you have better technical dissemination. So when you talk about disseminating indicators to SIEMs, EDRs, etcetera, those indicators are gonna be high fidelity, so you’re gonna have less of an alert problem. For strategic dissemination, most TIPs are gonna have some kind of reporting engine. So you can pull data directly from your TIP, from your unified threat library, and tailor them to a SOC analyst, to a threat hunter, to executives, even to your risk teams. And because it’s all pulling to the one place from the same place, you have consistency. And, critically, this is something we see the most mature teams doing. You’re gathering feedback on those reports on that data. Was this useful to me? Did I take action on this? Because intel is supposed to be cyclical. The intel life cycle talks about feedback, and that helps you increase the relevancy of your data over time. 
So in this case, Threatlock Holmes, he’s done his aggregation. He’s done his analysis. He’s got a SIEM integration that lets him push the relevant hashes immediately. So, again, he found that indicator three days prior. He linked it to behaviors tied to a known threat actor. He pushed it downstream ahead of the attack, so now it can be alerted on and blocked. So I’ll talk a little bit about, uh, automation later, but, of course, automation is a key part of deploying things downstream, uh, because things like our playbook feature let you connect bespoke data to different tools in your tech stack, SIEMs, EDRs, firewalls, in a way that is tailored to your tech stack. And that’s, uh, something very important to look for when shopping around is can this connect to your tech stack so it adapts to that versus the other way around. And then, of course, the reporting engine I mentioned, it should be tailorable to different stakeholders, and it should be tied again directly into that threat library so it can be templatized.
So let’s talk about modern TIP use cases. Let’s go beyond the basics. Step one is what I personally consider to be the most important part of the intelligence cycle because it’s really what leads to alignment and it informs everything that comes after, and that is intelligence requirements. And most mature intel teams these days do have a mature intel requirement process where they are sitting down with stakeholders. They’re talking about what threats do I wanna look at, what industries do I wanna look at, and the very advanced teams, uh, and this actually bears out in this year’s SANS CTI survey. They’re actually involving the business and the executives in the IR development process so that they are really highlighting threats that really matter to the business. This helps address that fidelity problem I mentioned because it helps you eliminate irrelevant data by aligning your intelligence to the industry’s real exposure. So what do you wanna look for? 
So in ThreatConnect, you can give us a plain English PIR, which is really how PIRs start. I mean, for years, PIRs were tracked in spreadsheets as plain English queries. So what ransomware groups are actively targeting UK banks this year? In ThreatConnect, it will take that plain English query and using AI, turn it into keywords, and then in real time, bring in actual intelligence reports tied to that PIR. And, essentially, what you’re doing is you’re creating an intel feed that’s pulling from all these enter other intel feeds that is tailored specifically to your intel requirements. So when you’re shopping around, look for, you know, when you’re looking at PIRs, is the AI coming in I’m sorry. Is the intel coming in AI curated? So what I mean by that is if you think about, like, an unstructured report. So maybe you’re pulling something from CISA. That report is plain English. It is a narrative report. Within that, though, there might be mentions of attack techniques, of industries, of geographies. And to make that machine actionable, it needs to be queryable, the indicators need to be parsed out, and the job of the AI is to do that classification. So if you have a PIR around banks or oil and natural gas, the AI should be able to pull that in. Two is real time intel coming in. So, again, in ThreatConnect, we are not just storing the IRs. We are pulling in relevant intel tied to them. So it’s not just a repository of PIRs like you might find in a spreadsheet. Uh, it’s not a capability where you just log the PIR and then manually tie intelligence. It’s actively bringing intelligence for you.
The second element is background automation. So we’ve all seen SOAR, and the goal here is that, you know, automation can trigger playbooks when certain things are seen, and that could mean doing enrichment. It could be creating a ticket. It could be going as far as deploying a detection rule. And the goal here is to eliminate manual steps or disconnected tooling. 
So the average security team is running something like 45 distinct tools. You need automation that’s able to connect all of the relevant ones. Because if you’ve got a credit a mission critical system that doesn’t connect into your automation, that means the automation is basically dead on arrival. So it needs to be able to adapt to that. Uh, and one thing I wanna, uh, pick out here is that a lot of people will talk about automation in terms of human replacement or like a lights out SOC. I don’t see it that way. To me, automation is about doing the mundane tasks so that analysts don’t have to be cutting and pasting. You know, and it should free up analysts to focus on the interesting threats, the ones that make you feel like you’re making an impact, the ones that make you feel fulfilled. Now what do you actually wanna look for in an automation system? So the goal of automation is not for you to see an alert and then necessarily to kick off a one off automation. What you wanna look for is things like multithreading. So is your automation and high volume. Is your automation able to run tens of thousands of automations per day? Because that’s the volume of data you’re looking at. It’s not just one alert. It’s all of those background enrichments, the tickets, the escalations, the rule deployments. So for Threatlock Holmes, once he linked that vulnerability to Midnight Jackal, he was able to alert the vulnerability team with everything they needed to act. So that playbook pulled in different malware reports. It pulled in hashes. It pulled in potentially assets that the bank has on hand for what needs to be patched. So, again, critically, the number one and and I’m gonna give two number ones. The number one things you need to look for are multithreading and high volume capability and flexibility to adapt to your tech stack.
The next one is a brand new concept in cyber defense. So I want you to think about how a cyber defender might look at or model a threat. 
So what we see here is the bank, Baskerville Bank, has looked at all of the potential threat actors that might be targeting them. So active screening, we’ve got one threat actor, APT 42. Uh, native API, we’ve got eight threat actors targeting them. So we might look at this and say, hey. Phishing, we’ve got 15 I’m sorry. 14 different threat actors targeting us via phishing. So we might say, okay. We’re gonna build out intelligence requirements around that. Uh, we’re gonna build out skill sets. We’re gonna do training around phishing to target that as our most prevalent, uh, technique that we’re seeing. But that’s how a cyber defender sees a threat. How does the business so how does your boss’s boss actually think about threats? They think about it in financial terms. So if a threat actor comes in and we don’t have the right controls in place and there is a breach, how much is this going to cost me? So we are talking about cyber risk quantification. And this is the same view. This is an ATT&CK matrix. And when we look at this, we see that phishing, uh, hopefully, you can all see that, phishing, which is our most common TTP, only represents a 5 and a half thousand dollar risk to the business. And that might mean because we have the right controls in place or phishing attacks don’t really impact major systems. What we do see is that it’s BITS Jobs that represents the highest financial risk, a $105,000. And the way we calculate this data at ThreatConnect is we look at breach data over the past decade or several decades. I’m sorry. We aggregate that. We analyze that with machine learning. And, critically, we take information on your business, everything from your revenue to how much PII you have to technical things like what your assets are, what vulnerabilities you have, and then we apply these dollar figures both to the TTPs and to things like vulnerabilities. 
So this helps you focus directly, not on the most common threats, but the ones that are most going to impact your business. And that helps you make a bigger impact. And, critically, it helps you demonstrate a bigger impact. So you can go to the businesses and say, hey. We played down a $105,000 in risk. And that can help you have an easier time getting more budget, getting more resources, getting more pats on the back, and feeling more fulfilled in the impact you’re making. So that’s the other thing to look for in a modern TIP, is can you actually align the threats you’re working on to what cares about the business? Uh, and I will say one thing we also saw from the latest SANS CTI survey is that more and more mature teams are including executives and the business in intelligence requirements development. So it is happening. And so this is one of the most critical things to look for in a TIP.
And finally, and this goes back to Edward’s question, in your face dissemination. So the goal of a TIP is not to produce intelligence and leave it in the TIP. We need to get it downstream. That could mean a narrative report. It could be in the form of technical indicators. But, really, that intelligence needs to be present wherever that downstream analyst is. And to illustrate that, well, I’m actually gonna break from the presentation. And I’m gonna go give you a quick demo of a tool we launched recently called Polarity. So imagine I’m an analyst, maybe I’m doing threat hunting, um, maybe I’m investigating alerts. I’ve got all kinds of stuff open on my desktop. I’ve got SIEM alerts, network logs, IR tickets, vulnerability scans. I’ve got a million tabs open. There’s a huge cognitive load to thinking through all of this. Let alone being able to go back and correlate this to threat intelligence. Maybe I can submit an RFI, but what I really need, what I really want is something that can tell me at this moment when I might need to take an action. 
Maybe I need to escalate, block, build a detection rule. I need something that tells me right now what I should do. So Polarity is an overlay that sits on my desktop. And what I can do is I can use it to highlight everything on my screen. So I’m gonna pick these indicators. And what Polarity does is it scans that, and then it correlates all of those indicators back to what is one in my intelligence sources. So my feeds inside my unified threat library, but it also looks across my operational systems. So did I see this IP address in my SIEM? Did I see this IP address in my email gateway? So it is a federated search that looks across all of those systems. And, you know, like many other tools today, it also has AI so that if I’ve got this IP that appears in 50 different sources, and again, I’m trying to move quickly, it will actually summarize all those sources. So this IP address has been associated with suspicious activity. It’s been tied to APT 41. It’s been tied to these malware actors. And from this, I can execute a ThreatConnect playbook to take some kind of action. So, Edward, I hope this answers your question. If you’ve got a small IT team and you don’t want actionable intel to get stuck, this is a great way to solve that problem. Because especially on a small team wearing many hats, you’re gonna be more likely to have a desktop that looks like this. And it becomes even more critical to be able to get quick answers from everything on this desktop to know exactly what I’m looking at and what to do about it. So in your face dissemination.
So let’s close this case. So how did Sherlock or sorry. Threatlock Holmes do this? One, he set proper intelligence requirements to know where to prioritize the investigation. So he knew what the financial risk to the bank was by looking at the various risks. He knew what threat actors might be targeting them, so he aligned intelligence requirements to bring in relevant intel. 
Two, he focused the investigation around those key risks. So maybe he knew what the most risky vulnerability was, and he looked for ways to exploit it. The automated repetitive tasks, so his keen intellect, was free to investigate. So he wasn’t cutting and pasting. He wasn’t doing enrichments on his own. That was all happening at scale in the background so he could put on his keen intellect, his thinking cap. Four, he was able to aggregate multiple feeds so he didn’t miss a clue. Again, it is a puzzle. If you’ve got one feed out of 50, and that one feed is the one that has the key clue you’re looking for, again, maybe it’s more timely. Maybe it has this indicator three days before the other feeds. That’s where that piece comes in. He contextualized those indicators. He didn’t leave them orphaned. They all got linked maybe through automation to actual threats, actual activity, actual threat actors. He integrated his SIEM with that high fidelity intel. He passed that hash downstream, which was easy to do because it was all loaded into that unified threat library. He didn’t have to integrate yeah. He didn’t have to integrate multiple systems into a SIEM. It was all right there. And finally, through tools like Polarity, he was able to send that relevant intel downstream to the person who was actually taking action on that threat. So maybe it was the vulnerability manager who was responsible for prioritizing and patching. All of that was right in front of them so they could take action.
So now that you know fundamentally what a TIP does, now what you know to look for in a modern TIP, it’s time to ask yourself today, are you effectively aggregating intelligence all of your sources? Do your analysts know specifically what to prioritize, what to look for, what to remediate? Are you able to take action inside your existing tools? Or are you alt tabbing switching tabs, having to go to some other tools because you can’t get the a the APIs to talk nice to each other? 
Are you able to connect all those things? Can your SOC, CTI, incident response, risk, threat hunters, pen testers, red team, blue team, green team? Can they all see the same threat in the same way? So do they all have access to that Polarity AI summary? So no matter what they do, where they’re doing it, when they do it, they’re all able to see that unified, common, standardized threat view. So basically, do you have what it takes to wear this hat, grab this pipe, grab your magnifying glass, and solve the cases for your organization? So if the answer is yes, I would ask you to please book a demo. And if you are going to Black Hat, please come by our booth. Uh, we’ve got some great swag as always. Uh, we’ve got a great setup. We are the Museum of Cyber Threats Past and Present, and you can come by for a one on one demo and really dive deep into what we actually have to offer, both in terms of a fundamental TIP and things that a modern TIP can do. So, uh, any final questions, uh, before we bid adieu? Thank you, Sarah. Sarah, uh, is our excellent, uh, director of events. She just put in a link to our Black Hat information. Alright. Well, thank you all very much.
If you do have any follow-up questions, you oh, uh, Hunter asked, do our queue numbers, uh, I’m sorry, risk numbers take into account kill chain progression? Uh, the answer is, uh, technically not kill chain. Uh, it uses attack path modeling. Uh, so if you look at the progression of an attacker through ATT&CK well, I guess the tactics in ATT&CK are the kill chain. So you can look at the progression that an attacker might take through that, and it basically looks at, you know, do I have a control for this particular technique? Uh, and if you do have a control maybe, you know, at sort of the third level, that’s gonna reduce that risk. But just so you have a control in that level, the attacker might still have another TTP they can use to leverage to achieve their ultimate goal. 
So that attack path modeling looks at all of that and factors that in into what actually is the risk. So even if you’ve sort of mitigated what might be an initial access mechanism, it’s also gonna look at other potential access mechanism, uh, as well as things downstream to take that all into account. Um, if you do wanna learn more about that, we do have extensive documentation about our methodology, uh, across our products that we’d like to be very transparent. We’d like to be very open. Uh, so we are very happy to dive deep into kind of how the math all works for them. Alright. Well, thank you very much. If I did miss anything, please feel free to reach out, uh, and I will bid you all. Cheerio. Have a good week.