CHAPTER 3: THREAT INTELLIGENCE
GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC
THREAT INTELLIGENCE DEFINED
This chapter defines threat intelligence, describes how it applies to our clients,
and discusses some of the key components and benefits of a comprehensive threat
intelligence strategy.
Threat intelligence, at its core, is a specific application of broader intelligence
principles which includes the painstaking collection of data and information
from many sources, context-aware analysis, intelligence production, and
delivery to the intelligence consumer.
CORE INTELLIGENCE DISCIPLINES
According to the Intelligence Community (IC), there are five core intelligence disciplines:
◆ Human Intelligence (HUMINT) – the collection of information from
human sources.
◆ Open Source Intelligence (OSINT) – explores, exploits and enhances
generally-available public information via data mining and advanced search
techniques.
◆ Signals Intelligence (SIGINT) – the collection and exploitation of signals
transmitted from communications systems, radar and weapon systems.
◆ Imagery Intelligence (IMINT) – geospatial information collected and
processed by a variety of terrestrial, airborne or satellite-based collectors.
◆ Measurement and Signature Intelligence (MASINT) – a technical branch of
intelligence which uses data gathered by technical instruments such as radars,
lasers, passive electro-optical sensors, seismic and other sensors to identify
targets by their distinctive signatures.
DEFINING CYBERINTELLIGENCE
Cyberintelligence (CYINT) is not one of the core intelligence disciplines, but
is a hybrid field which can consist of any combination or all of the five core
disciplines. Although it can be used as a key component of cybersecurity, CYINT
operates independently of the cybersecurity mission and supports a variety of
operations across every sector of government and industry.
It is critical for organizations to recognize the broader capabilities of this rapidly
emerging field of intelligence, and how it can be used beyond identifying
cyberthreat actors, technical data about vulnerabilities, malware or IP reputation
data. CYINT goes beyond these narrow parameters and encompasses the
analysis of actions and events associated with an organization’s physical
environment which can lead to forecasting digital threats.
THE INTELLIGENCE CYCLE
At NTT Group, we have helped numerous enterprises around the globe implement
successful threat intelligence programs. Our holistic approach is outlined below.
1. Planning, Requirements and Direction – Planning and direction for
intelligence gathering includes management of the entire intelligence effort,
from Priority Intelligence Requirements to the final intelligence product.
2. Collection – The threat intelligence service gathers potentially useful raw
data from relevant sources.
3. Processing – The collected data is consolidated into a standardized
format suitable for detailed analysis.
4. Analysis and Production – The gathered data is analyzed by subject
matter experts to identify potential threats to customer environments and
develop threat countermeasures.
5. Dissemination – The intelligence analysis is distributed to stakeholders to
guide appropriate measures.
[Figure: the intelligence cycle, drawn as a loop: 1. Consumer Needs (Planning, Requirements & Direction); 2. Raw Information Collected Based on Requirements; 3. Information Processed & Exploited; 4. Intelligence Analysis & Production; 5. Dissemination of Product to Consumer.]
Caption: The five steps in the intelligence cycle.
INFORMATION VS. INTELLIGENCE
Despite what many security threat intelligence vendors may say, data and
information are not intelligence. Let’s look at an example:
Information: An exploit for a zero-day Java vulnerability is publicly released
on a security mailing list. Shortly thereafter, malware is identified utilizing
the vulnerability. Security vendors notify clients of this threat and provide
recommendations for mitigation. This is threat information and, while useful, it is
not, by definition, threat intelligence.
Intelligence: A security vendor monitoring exploitation of the Java vulnerability
notices infection rates in Asia are much higher than in the U.S. New strains of
malware, which install code associated with a botnet command and control
system on victim devices, are being observed in the wild. At the same time, a
large financial institution has announced the acquisition of a number of smaller,
regional banks and an increase in its non-sufficient funds fee from $20
to $35, angering consumers. A number of hacktivist groups begin
discussing a protest against the U.S. banking system on Twitter and other social
media sites, promising to halt online transactions for a day at major institutions.
One hacktivist Twitter account posts instructions for using botnet command and
control software, which appears to be related to the botnet client code installed
by the Java malware.
Piecing these data points together leads to a clearer picture: U.S. banks are
likely going to be targeted with a DDoS (Distributed Denial of Service) attack by
a hacktivist group using botnets based on the Java vulnerability. Based on what
is known about infection profiles, banks can expect the attacks to originate from
Asian source IP addresses. This is threat intelligence – information gathered
from a number of disparate sources, synthesized by human analysts to identify a
specific threat to a specific target.
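The five-step cycle and the banking scenario above, carried through as a short Python pipeline. This is an added example, not code from NTT Group or from any product the report describes; every source name, indicator (java-0day, botclient-x, ctrl-panel-x, hacktivist-collective) and infection count is constructed for illustration, and the pivot order (sector to actor to tool to malware to vulnerability) is one analyst workflow chosen for the example, not a prescribed method.

```python
# Added illustration of the intelligence cycle; every source, indicator name and
# count below is a constructed placeholder, not data from NTT or any real feed.
from collections import defaultdict
from dataclasses import dataclass, field

# 1. Planning, Requirements and Direction: the Priority Intelligence Requirement
#    (PIR) states what the consumer needs to know and scopes all later steps.
PIR = {"id": "PIR-1", "sector": "us-banking",
       "question": "Which threats could disrupt online services of U.S. banks?"}

# 2. Collection: raw records from disparate sources, each in its native shape
#    (constructed stand-ins for a mailing list, a sandbox, sensors, social media).
RAW = [
    {"source": "mailing-list", "type": "exploit-release", "vuln": "java-0day"},
    {"source": "sandbox", "type": "malware-report", "exploits": "java-0day",
     "family": "botclient-x", "c2_tool": "ctrl-panel-x"},
    {"source": "sensor-telemetry", "type": "infections", "family": "botclient-x",
     "by_region": {"asia": 8200, "us": 600, "eu": 900}},
    {"source": "twitter", "type": "social-post", "actor": "hacktivist-collective",
     "target_sector": "us-banking", "tool_mention": None},
    {"source": "twitter", "type": "social-post", "actor": "hacktivist-collective",
     "target_sector": "us-banking", "tool_mention": "ctrl-panel-x"},
]

@dataclass
class Observation:
    """Standard schema every raw record is mapped onto."""
    source: str
    kind: str
    entities: frozenset                 # (entity_type, value) pairs
    detail: dict = field(default_factory=dict)

def process(raw):
    """3. Processing: consolidate native records into the common schema."""
    out = []
    for r in raw:
        ents, detail = set(), {}
        if r["type"] == "exploit-release":
            ents.add(("vuln", r["vuln"]))
        elif r["type"] == "malware-report":
            ents |= {("vuln", r["exploits"]), ("malware", r["family"]), ("tool", r["c2_tool"])}
        elif r["type"] == "infections":
            ents.add(("malware", r["family"]))
            detail["by_region"] = r["by_region"]
        elif r["type"] == "social-post":
            ents |= {("actor", r["actor"]), ("sector", r["target_sector"])}
            if r["tool_mention"]:
                ents.add(("tool", r["tool_mention"]))
        out.append(Observation(r["source"], r["type"], frozenset(ents), detail))
    return out

def index_by_entity(observations):
    """Entity -> observations mentioning it: the pivot table analysts work from."""
    by_entity = defaultdict(list)
    for o in observations:
        for e in o.entities:
            by_entity[e].append(o)
    return by_entity

def pivot(by_entity, start, to_type):
    """Entities of `to_type` that co-occur with `start` in some observation."""
    return {e for o in by_entity.get(start, []) for e in o.entities if e[0] == to_type}

def analyze(observations, pir):
    """4. Analysis and Production: pivot from the PIR's sector through shared
    entities (actor -> tool -> malware -> vuln) and close the chain with the
    infection profile.  An incomplete chain yields no product."""
    by_entity = index_by_entity(observations)
    products = []
    for actor in pivot(by_entity, ("sector", pir["sector"]), "actor"):
        for tool in pivot(by_entity, actor, "tool"):
            for malware in pivot(by_entity, tool, "malware"):
                for vuln in pivot(by_entity, malware, "vuln"):
                    regions = defaultdict(int)
                    for o in by_entity[malware]:
                        for region, n in o.detail.get("by_region", {}).items():
                            regions[region] += n
                    if not regions:
                        continue        # no telemetry: cannot say where attacks come from
                    chain = [actor, tool, malware, vuln]
                    products.append({
                        "pir": pir["id"],
                        "assessed_threat": f"botnet-driven DDoS against {pir['sector']} online services",
                        "actor": actor[1], "tool": tool[1], "malware": malware[1], "vuln": vuln[1],
                        "infections": dict(regions),
                        "expected_source_region": max(regions, key=regions.get),
                        "sources": sorted({o.source for e in chain for o in by_entity[e]}),
                    })
    return products

def disseminate(products):
    """5. Dissemination: render the assessment for the consumer named in the PIR."""
    return "\n".join(
        f"[{p['pir']}] {p['assessed_threat']}: {p['actor']} is distributing {p['tool']} "
        f"to task {p['malware']} bots (infected via {p['vuln']}); expect attack traffic "
        f"mainly from {p['expected_source_region']} ({len(p['sources'])} sources corroborate)."
        for p in products)

def run_cycle(raw=RAW, pir=PIR):
    """Collection (raw) -> processing -> analysis -> dissemination."""
    products = analyze(process(raw), pir)
    return products, disseminate(products)
```

Fed only the first two records, the exploit post and the sandbox report, analyze() returns nothing: they answer no consumer requirement and there is no second source to pivot through, which is exactly the "information" case. Dropping the infection telemetry also yields no product, because the expected source geography is what turns the linked observations into an assessment the banks can act on.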
THE IMPORTANCE OF THREAT INTELLIGENCE IN INFORMATION SECURITY
There are four principal reasons threat intelligence is becoming recognized as a
critical information security requirement:
Change in Cyberthreat Profiles: Organizations must defend against a dramatic
shift in security threats and understand that the attack surface encompasses
far more than a narrowly defined technical parameter. Cyberthreat actors are
no longer idiosyncratic or dissident individuals and groups. They now include
nation-state actors or sponsored groups, as well as transnational organized crime
groups with considerable resources, support and expertise at their disposal.
Conversely, those tasked with defending organizations often have limited
resources and budgets to launch an adequate defense, hence the asymmetric
nature of the threat. The steady rise in documented data loss incidents provides
evidence that recent attacks are increasingly successful. The following chart
depicts the increasing number of documented attacks as identified by http://datalossdb.org/statistics.
[Chart: NUMBER OF ATTACKS PER YEAR, 2006 through 2014 (documented incidents per datalossdb.org); y-axis 0 to 1800.]
Caption: The number of attacks increases almost every year.
The Volume of Information Security Vulnerabilities: The sheer volume of
data which information security personnel must analyze can be overwhelming.
Organizations must react to a daily influx of vulnerabilities, zero-day threats,
malware, exploit kits, botnets, Advanced Persistent Threats (APT) and targeted
attacks. The number of Common Vulnerabilities and Exposures (CVEs)
(http://web.nvd.nist.gov/view/vuln/statistics) identified every year for the last
15 years is shown in Figure 3 below – over 4,000 new security vulnerabilities have
been identified annually since 2005.
[Chart: NEW VULNERABILITIES ANNUALLY, 1999 through 2014 (CVEs per year per NVD); y-axis 0 to 8000.]
Caption: The number of new vulnerabilities annually is almost unmanageable.
The rate of malware identification has also increased in recent years. Even a
glance at the chart below shows the dramatic rise in the amount of new malware
identified annually since 2011 (http://www.av-test.org/en/statistics/malware/).
[Chart: NEW MALWARE IDENTIFIED PER YEAR, 2005 through 2014 (per av-test.org); y-axis ticks 0, 39, 79, 119, 159.]
Caption: The amount of new malware isn’t just rising. It is skyrocketing.
Intelligence about threats targeted to an organization’s environment can assist in
the prioritization of remediation actions, so that mitigation efforts and resources
are directed to areas with the greatest need and defensive value.
Technology Growth and Usage Changes: The number of technologies in
place at most organizations is dramatically higher than it was even two or three
years ago. Bring Your Own Device (BYOD) initiatives, remote workers joining
corporate networks via VPNs, pervasive wireless networking, and the increasing
use of virtualization and cloud computing have all dramatically increased the
technologies in use within typical organizational environments. New technologies
don’t typically replace legacy technologies – they are most often an addition,
resulting in a net increase in the organization’s attack surface and in the vulnerabilities
found within. Homogeneous organizational networks with defined perimeters no
longer exist. A heterogeneous, distributed user and technology base is the new
standard. This new reality comes with more complexities and more potential risks.
Affordable Outsourcing of Threat Intelligence: As organizations face increasing
risk and higher numbers of attacks from all the factors listed above, their
resources can quickly get stretched thin. Fortunately, many vendors offer threat
intelligence services to help these organizations better prepare for, defend
against, and react faster to threats and attacks.
HOW ORGANIZATIONS ARE USING THREAT INTELLIGENCE
Every organization has different information security priorities, assets to protect,
levels of expertise, and types of security technology in place. As a result, different
organizations can have different perceptions, needs, and expectations of threat
intelligence services. Factors influencing organizational threat intelligence needs
include organization size, alignment with government entities and key verticals,
supply and information chain outside the firewall, and the sophistication of
internal security resources.
For example, organizations with limited public exposure which do not store or
transmit the types of data typically sought by attackers are likely to have
different threat intelligence needs than organizations which are highly visible in the
public sphere, maintain highly desirable data, or are associated with controversial
topics. And an international organization involved in highly political industries may
require targeted intelligence on topics such as attacks from activist groups, attacks
on competitors, high-profile conferences and events, and industrial espionage.
CONCLUSION
The terms intelligence, cyberintelligence and cyberthreat intelligence have been
used extensively and interchangeably, and often incorrectly, in the information
security community. They have been used quite inaccurately to describe
automated data feed services or data which may be used to further identify
and mitigate threats. However, the very specific nature of each of these terms
builds on the fundamental understanding of what true intelligence is and how
it is derived. It is important to align security industry terminology with that of the
traditional intelligence community for a unified understanding.
The traditional intelligence community has been managing threat intelligence
information for a long time, and has had the opportunity to improve, if not perfect,
the process. Industry should apply the lessons that community has learned to
maximize the effectiveness of a newer breed of cyberthreat intelligence.
Changes to the cybersecurity landscape over the last several years have been
the primary driver in the need for threat intelligence services. As organizations
seek new sources of threat intelligence, they need to be aware of the different
types of intelligence being delivered by the security industry.