Several years have passed since the WannaCry ransomware attack crippled 150 countries. Over a few short months, the perpetrators of this global cyberattack wreaked havoc across healthcare and manufacturing industries, costing companies and countries an estimated $4 billion to recover. WannaCry is just one of many attacks in the growing epidemic of cyber maladies that plague IT professionals in every vertical, such as healthcare, finance, retail and government services – including military operations. This trend demands greater warning for cyber operators to defend against, driving the need for effective cyber intelligence.
The use of Cyber Threat Intelligence (CTI) is crucial for organizations looking to defend their networks from sophisticated cyberattacks. At the forefront, critical infrastructure organizations that rely on operational technology (OT) and face an increasing number of high-profile attacks need this kind of information to prepare their defenses and uncover the presence of malicious actors.
However, using CTI effectively is difficult due to poor data quality (such as high volume and low relevance) and actionability (such as the need to match technical indicators with network traffic). These challenges mean that many organizations use CTI ineffectively and, since they often invest heavily in this type of resource, they are not receiving a full return on investment.
As we discuss below, even with the best available threat intelligence, the lack of appropriate device visibility and network monitoring will severely reduce its actionability. Unactionable data diminishes the value to your organization – sometimes to the point where following, analyzing and trying to apply the incoming volume of CTI can be a distraction from protecting your network against the threats you are facing.
What is CTI?
CTI has its origins in military intelligence and, in a broader sense, it refers to the whole intelligence cycle, which the U.S. Marine Corps divides into planning and direction, collection, processing and exploitation, production, dissemination and utilization. Other organizations – military or not – adopt similar variants of this cycle. But in this post, we focus on the last part of the cycle: the utilization of existing intelligence by network defenders.
According to Gartner, “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can inform decisions regarding the subject’s response to that menace or hazard.”
How is CTI used?
Due to the military origins described above, CTI comprises three categories that map to the three levels of warfare or – in the case of civilian organizations – three levels of defense against malicious actors:
- Strategic, which looks at big-picture trends and targets the highest-level decision makers. Examples of strategic threat intelligence include the motivation and capability of adversaries, their potential impacts and even possibilities of future threats.
- Operational, which can inform mid-level decision makers that face high-priority threats identified at the strategic level. Classic examples of operational threat intelligence include the Tactics, Techniques and Procedures used by adversaries.
- Tactical, which looks at individual threats and is more technical, thus targeting those analysts that need immediate actionable information, such as technical indicators.
These three types of intelligence are used in a variety of ways by CISOs, SOC analysts and other security personnel, but we can highlight the following use cases:
- Strategic threat intelligence allows CISOs and other senior leaders to prioritize security investments that counter growing threats such as the increasing numbers of insecure IoT devices or advanced persistent threat groups targeting specific industry verticals.
- Operational threat intelligence helps organizations to prioritize defensive actions to reduce risk from those threats. For instance, security managers can prioritize patching and segmenting known-risky devices.
- Tactical threat intelligence can be used to investigate ongoing attacks in the organization’s network, either based on intrusion detection alerts or proactively via threat hunting. For example, when new vulnerabilities or indicators of compromise (IoCs) for active campaigns are identified, SOC analysts can look for signs of intrusion using those.
Enabling these use cases requires organizations to adopt a combination of threat intelligence sources, including open source feeds (such as the FBI’s InfraGard), crowdsourced feeds shared within a network of trust (such as sectorial ISACs), purchased feeds that are curated by a reliable third-party and internal observations from their own SOC.
Using multiple sources is necessary for several reasons. First, various types of intelligence enable different use cases. Also, some sources may only track a limited set of actors because multiple sources allow for a better correlation of data or because of issues in trusting a single source in the first place.
However, these sources’ content can vary widely in terms of volume, quality, contextual information and relevance to the organization. And that is where the challenges of using CTI start.
The challenges of using CTI
Several studies have compared CTI sources and found that the quality of CTI feeds and the value obtained from them can differ significantly. These feeds often have a high volume of data, which means that much of it must be manually analyzed. It may generate more noise rather than signal SOC analysts who are already drowning in false-positive alerts.
There are also datapoisoning attacks that implant false information in threat feeds, thus reducing their reliability. VirusTotal, a popular and well respected open malware feed now owned by Google, is one source that is known to have been poisoned. This reinforces the fact that you need to trust the source of intelligence and that relying on a single source may be unwise.
Even in the presence of an acceptable volume of high-quality threat data, turning it into actionable information is a challenge. In 2017, the Ponemon Institute found that, for 69% of organizations, CTI is too voluminous and complex to be actionable, partly because 48% of organizations lacked the right technology to use it effectively. In 2019, another study by the same institute showed that while 85% of companies considered CTI an important part of security, only 41% rated its use as effective. One of their recommendations to close this effectiveness gap: improve the integration between threat intelligence and existing monitoring tools, such as IDS and SIEM.
Increasing the effectiveness of CTI – lessons from the military
In the military arena, a process called Intelligence Preparation of the Battlefield (IPB) lays the groundwork for the proper generation and use of intelligence. IPB is a continuous, systematic process that analyzes the threat and environment in a specific area of interest.
In CTI, as currently practiced, analysis of the environment is largely skipped. Instead, indicators and signatures are identified without environmental context. This practice stems from the background of CTI practitioners and the difficulty of mapping a cyber environment. Fortunately, some progress has been made at adding environmental context to CTI through adaptations of IPB like Intelligence Preparation of the Cyber Operational Environment.
IPB, when properly done, gives decision-makers from tactical to strategic levels knowledge of the status of their environment, the threats arrayed against them, potential threat actions and decision points where leaders can move to counter these actions. Beyond informing operational decision-makers, IPB informs intelligence professionals about the requirements for information collection in their environment.
The key differentiator that makes IPB more effective than present-day CTI is that IPB starts with mapping a designated environment. Mapping an organization’s cyber environment and the threats arrayed against it enables the following:
- At the strategic level, the output allows CISOs and other executive leaders to understand where their networks are threatened, and the relationship to organizational missions. In turn, this enables these leaders to prioritize investments to counter threats and to justify investments to the remainder of the organization.
- At the operational level, with an understanding of the environment, security and operational leaders can recognize what areas of a network require their focus. This can vary from deciding what network vulnerabilities require immediate patching to an increased focus by the SOC on alerts coming from certain network segments.
- At the tactical level, understanding your environment and the threat helps alert triage and threat hunting. Indicators to search for can be narrowed down with the knowledge of what threats could be targeting your organization, given your environment and mission. Understanding the network makes sure that organizations use the right intelligence feeds and capabilities to look for threats in the right areas.
Analyzing indicators in the context of a complete understanding of a cyber environment is far more effective than trying to piece together millions of contextless alerts. Further, it is more important to have an environmental understanding than indicators. Environmental knowledge allows organizations to prioritize resource allocation, like vulnerability remediation, while working toward the proper use of indicators. The use of indicators without context can be detrimental as SOCs get overwhelmed by the high percentage of false positives that contextless indicators generate. Proper environmental understanding can even drive indicator development. Anomalies identified in an environment can become your own set of curated signatures/indicators.
Achieving effective environmental understanding requires gathering as many relevant details about devices and their communications as possible. This means discovering, at a minimum, devices’ firmware version, role, operating system, MAC address, IP address, vulnerabilities, hosts that the device is talking to, and any risky or anomalous behavior associated with the device or its traffic. The more information you can discover about a device, the better the IPB results.
In an OT environment, there are additional requirements associated with collecting this information. First, to avoid disrupting devices, data collection needs to be passive. Second, platforms need to handle the vast number of OT-specific protocols that exist. A collection platform that cannot analyze these protocols cannot see OT environments; thus, operators and analysts cannot gather critical information on endpoints and traffic.
Achieving effective CTI for OT through visibility and monitoring
Visibility into every IT, OT and IoT device in the network and their communication behavior allows organizations to have a thorough understanding of their OT environment and its connections. This makes it easier to identify attack vectors and locate blind spots, among other things. Improved visibility also enables OT managers to resolve unknown and unchecked operational security issues.
Optimal visibility for CTI involves the adoption of an advanced and mature hybrid IT-OT approach to network monitoring. Passive network monitoring solutions are invisible to the network and have no impact on running processes, invoking OT-friendly active capabilities only when needed. They collect asset information such as type, version and location by listening to traffic already traveling through the network. Because this method’s automated and non-intrusive nature, operators can continuously track asset information and behavior, thus greatly increasing the efficiency of IPB. In addition, the context-rich collected asset inventory is best suited to apply tactical IoCs, threat indicators, and match vulnerabilities, which helps non-OT-specialized security personnel better handle the threat detection phase.
Solutions of this type leverage full Deep Packet Inspection and powerful machine learning capabilities. Other key capabilities include:
- Asset inventory and management, including dynamic business asset classification.
- Vulnerability management of OT vulnerabilities, including those with and without CVE identifiers.
- Anomaly detection, to detect new attacks and techniques but also deviations from normal process behavior.
- API integration with IT security management tools.
- Broad OT protocol support.
Combining sensor-derived information from across the network with other data sources such as controls configuration and asset management makes it possible to create a comprehensive, visual and interactive model. This gives operators total OT visibility and a clear path toward achieving true cyber-resilience.
As part of the cybersecurity community, Forescout is engaged in discussions and activities about CTI beyond our products in several ways:
- We participate in CTI exchange platforms, such as the European Energy ISAC, where we are a founding member.
- We join research projects that explore the collaborative use of threat intelligence in domains such as energy (sponsored by the U.S. Department of Energy) and manufacturing (sponsored by the European Union). We also partner with the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology (NIST) to contribute to projects concerning patching, securing IoT, securing ICS and others.
- Forescout Research Labs often publishes new vulnerabilities and analysis of relevant threats. Much of our research highlights upcoming trends in attacks, such as when we discussed attacks on building automation, IP cameras and other IoT devices, and video conferencing tools.