In one of our previous blogs, Starters Guide To Cyber Threat Intelligence, we covered the basics of Cyber Threat Intelligence, its types, and how CTI is used in organizations. Any organization that understands the importance of its security posture and actively wants to improve it makes some basic technical implementations. Let us look broadly at what these implementations are, followed by the cyber threat intelligence tools that can be used to enhance them:
- Once a company has set up its basic infrastructure, which includes installing firewalls, endpoint security tools, and a health monitoring system, the next basic requirement is a SIEM (Security Information & Event Management) system, which collects relevant security logs (event logs, system logs, server logs) from the various sources set up in the infrastructure. Popular open-source tools include AlienVault's OSSIM and the ELK Stack (Elasticsearch-Logstash-Kibana); commercial products include Splunk and IBM QRadar.
- Once logs are integrated into the SIEM, the next step is to set up rules that monitor activity; these may include rules like:
  - Monitoring outbound connections on protocols like SSH and RDP (this depends on which machines are involved: an RDP session from an ordinary workstation is common in work-from-home situations, whereas SSH connections to critical servers that host commercial applications or databases need to be monitored).
  - Outbound connection requests to an onion link.
- As the company matures in cyber security, it becomes imperative to create teams for the various verticals that were initially managed by the core team. The different cyber security verticals that need to be set up here are Policy Management, Compliance, Vulnerability Management, Web Application Pentesting, Mobile Application Pentesting, and Red Team.
- The process so far enables a company to defend itself through:
  - monitoring activities through the SIEM, endpoint security systems, firewalls, hybrid IDS (Intrusion Detection Systems), and a proxy to monitor web access,
  - policies such as segmentation of the internal network with minimum access to critical servers,
  - compliance with sectoral and state authorities and their policies and standards.
- On the offensive side:
  - critically examining your web and mobile applications to identify any vulnerabilities that could lead to data exposure,
  - a Red Team to test your overall security posture.
The next step in security maturity involves enhancing security through new developments in the cyber security world, which include integrating automation into your security posture. This can be done via SOAR (Security Orchestration, Automation and Response), which automates the manual actions revolving around the SIEM (that is, the ticketing system and manually blocking IPs, hashes, and domains on the different security products). As we are discussing Threat Intelligence, the star platform of this blog is the TIP (Threat Intelligence Platform).
Such platforms let you gather intelligence from various sources, store it all in one place, and assist you in processing what we call Indicators of Compromise and Indicators of Attack. A TIP collects intelligence on new techniques that may help your Red Team track flaws in the organization's security, and first-hand information about targeted attacks in this era of APT (Advanced Persistent Threat) groups and financially motivated groups that target organizations in a sophisticated and persistent manner. CTI is all about identifying what your adversaries do and using that information to improve decision-making.
Setting up such an extensive security structure often comes with a heavy price, and it is not easy to add another hefty resource to the mix. This is where this blog comes in handy: it walks through the steps to set up your Threat Intelligence with open-source products, which can help you get attack-ready. So, let's get going with the top 5 open-source CTI tools that can make you more vigilant.
Frameworks - MITRE ATT&CK & D3FEND
1. MITRE ATT&CK
Started in 2018, MITRE ATT&CK is a knowledge base for tracking adversary Tactics, Techniques, and Procedures, often known as TTPs, based on real-world observations. It is an open-source, globally accessible platform that organizations use to create threat models and methodologies focused on their sector, geographical location, and various other aspects.
But what are TTPs? In simple language, Tactics describe why a specific technique is used, that is, its purpose. Let's say an adversary wants to access your organization; for this they will need information about your organization, such as the technologies used (found through active or passive scans), externally available login portals, credentials for those logins found on the surface or dark web, and the interests of the company and its employees if a spear-phishing campaign is to be set up. All such methods come under the Reconnaissance (TA0043) tactic.
Techniques are the actions performed by an adversary to achieve their tactical goal. In the reconnaissance example above, the collected credentials can be used against public-facing applications or employee login portals. If these account credentials are valid, the adversary gains initial access to your organization through them; this technique is named Valid Accounts (T1078).
Now that you understand that one technique for getting access to an organization is using valid accounts, identifying the procedure an adversary or group follows to obtain and use these accounts is the next step; it can be through external remote services like VPN, RDP, SSH, etc. Credentials hard-coded on a network share are another procedure followed by one of the groups. These credentials can also be used to maintain persistence in a network.
In addition to TTPs, the ATT&CK framework also presents these details according to the Groups defined, the Software used by different groups, and, most recently, Campaigns associated with a group or adversary, as well as Mitigations for various procedures. As of October 2022, 14 Tactics, 193 Techniques, 401 Sub-techniques, 135 Groups, 14 Campaigns, and 718 pieces of Software can be used to identify, monitor, and defend against adversaries.
The ATT&CK Navigator is another feature that can be used to explicitly map the activities you see on your network to techniques.
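As an added example (not code from the blog or from any of the tools it names), here are the SIEM rules listed earlier (outbound SSH/RDP, SSH to critical servers, requests to .onion links) run over constructed key=value log lines, with each hit tagged with an ATT&CK technique ID and rolled up into an ATT&CK Navigator layer. The log format, the critical-server inventory, the technique mapping and the Navigator layer versions are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample firewall/proxy log lines in key=value form (not real traffic).
SAMPLE_LOGS = [
    "2022-10-03T09:12:01Z fw src=10.0.5.23 dst=203.0.113.9 dport=22 dir=out action=allow",
    "2022-10-03T09:13:44Z fw src=10.0.5.23 dst=198.51.100.7 dport=3389 dir=out action=allow",
    "2022-10-03T09:15:10Z proxy src=10.0.7.8 url=http://expyuzqj2g4zpk3j.onion/login dir=out",
    "2022-10-03T09:16:00Z fw src=10.0.5.23 dst=10.0.1.50 dport=22 dir=out action=allow",
    "2022-10-03T09:17:22Z fw src=10.0.9.2 dst=10.0.1.50 dport=443 dir=out action=allow",
]
CRITICAL_SERVERS = {"10.0.1.50"}  # assumed inventory: database / commercial app hosts
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")  # RFC 1918 ranges

def parse_line(line):
    """Split a log line into a dict: timestamp, log source, then the key=value fields."""
    ts, source, *pairs = line.split()
    fields = {"ts": ts, "source": source}
    fields.update(p.split("=", 1) for p in pairs if "=" in p)
    return fields

# (rule name, ATT&CK technique ID, predicate over parsed fields). The technique
# mapping is this example's own illustrative choice, not one given by the blog.
RULES = [
    ("ssh-rdp-to-internet", "T1021",
     lambda f: f.get("dir") == "out" and f.get("dport") in {"22", "3389"}
     and not PRIVATE.match(f.get("dst", ""))),
    ("ssh-to-critical-server", "T1078",
     lambda f: f.get("dport") == "22" and f.get("dst") in CRITICAL_SERVERS),
    ("onion-request", "T1090.003",
     lambda f: (urlparse(f.get("url", "")).hostname or "").endswith(".onion")),
]

def run_rules(lines):
    """Return one (rule, technique, src, ts) tuple per rule that a line satisfies."""
    hits = []
    for line in lines:
        f = parse_line(line)
        hits += [(name, tech, f.get("src"), f["ts"]) for name, tech, pred in RULES if pred(f)]
    return hits

def navigator_layer(hits, name="SIEM rule hits"):
    """Build an ATT&CK Navigator layer; a technique's score is its number of hits."""
    counts = Counter((tech, rule) for rule, tech, _, _ in hits)
    return {
        "name": name, "domain": "enterprise-attack",
        "versions": {"attack": "12", "navigator": "4.8.0", "layer": "4.4"},  # assumed versions
        "techniques": [{"techniqueID": t, "score": n, "comment": r}
                       for (t, r), n in sorted(counts.items())],
    }
```

Dumping `navigator_layer(run_rules(SAMPLE_LOGS))` as JSON gives a file you can load into the Navigator to see which techniques your rules are actually firing on.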
If you want to learn about the MITRE ATT&CK framework, our bandit Aamir Ahmed has written an awesome blog.
2. MITRE D3FEND
The ATT&CK framework describes adversary behaviours and the detailed intelligence that needs to be shared with Red Teamers so they can test the organization and identify its weaknesses. D3FEND, along similar lines, is developed to give a detailed understanding of countermeasure components and capabilities. It describes how to address threats from a defender's perspective.
The defender's perspective is a broader one, as it involves everyone and everything from SOC analysts and incident responders to the system administrators who set up your systems. The tactics and techniques from ATT&CK are mapped here to D3FEND tactics and techniques.
Though the platform is in beta, it still provides a detailed understanding of defensive tactics, which include Model, Harden, Detect, Isolate, Deceive, and Evict. The Model tactic, working along similar lines to reconnaissance, helps collect the data required for protection, such as an asset inventory, network artifact mapping, and system and operational activity mapping.
Defining local file permissions and eliminating dead code are artifacts included under the Harden tactic to help reduce the possibility of compromise through our infrastructure. It is also very important to monitor any fake domains used to compromise customers' privacy; this is known as domain monitoring, and under the Detect tactic it is presented through the artifact Homoglyph Detection.
There are 6 defensive tactics and 442 artifacts available. Most of them are mapped to the related attacking techniques in the ATT&CK framework, making it easier to understand which areas need to be improved under given circumstances.
Starting from the initial access vectors, the most common infiltration technique is Phishing (T1566), which includes the sub-techniques of spearphishing via attachment, via service, and via link. The tool in focus here helps us look at the sub-technique of spearphishing via link. URLscan is a runtime environment for scanning and analyzing websites: it sends a web request to the URL entered and returns information on location, the connections established while processing the request, the technologies used, Google Safe Browsing results, and a screenshot of the live website, all without your accessing the link directly. This is very helpful for defensive techniques that harden your security posture, for example homoglyph detection.
Big companies can buy look-alike (homoglyph) domain names and leave them alone as parking pages, so how do we still see phishing websites for companies such as Amazon? The reason is that adversaries often share links as shortened URLs which, when expanded, have nothing in common with the original domain, yet a phishing website is still hosted on that page. This is where the defensive technique of URL analysis, together with URLScan screenshots, is useful for viewing the hosted content and, if the website is malicious, initiating the takedown process.
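As an added example (not the blog's or any tool's code) of the homoglyph detection D3FEND places under Detect, applied to the look-alike domains just discussed: a candidate domain is reduced to a visual skeleton (punycode decoded, accents stripped, confusable characters and digraphs mapped to ASCII) and compared with an assumed list of protected brands. The confusables table is deliberately abridged.

```python
import unicodedata
from difflib import SequenceMatcher

# Abridged confusables table (digits, pipe, common Cyrillic look-alikes); this is the
# example's own small set, not the full Unicode confusables list.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}
DIGRAPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
# Assumed: the brands this organization monitors (the blog's Amazon example plus one).
PROTECTED = ["amazon.com", "example-bank.com"]

def registrable(domain):
    """Crude registrable domain (last two labels); good enough for this demo."""
    return ".".join(domain.lower().strip().rstrip(".").split(".")[-2:])

def skeleton(domain):
    """Visual skeleton: decode punycode labels, strip accents, map confusables."""
    labels = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        label = unicodedata.normalize("NFKD", label)
        label = "".join(CONFUSABLES.get(c, c) for c in label if not unicodedata.combining(c))
        for pair, repl in DIGRAPHS:
            label = label.replace(pair, repl)
        labels.append(label)
    return ".".join(labels)

def is_lookalike(domain, protected=PROTECTED, threshold=0.85):
    """Return (suspicious, brand, similarity). The brand itself is benign; a domain
    whose skeleton equals, nearly equals, or embeds a protected brand is flagged."""
    reg = registrable(domain)
    cand = skeleton(reg)
    for brand in protected:
        if reg == brand:
            return (False, brand, 1.0)
        ref = skeleton(brand)
        ratio = SequenceMatcher(None, cand, ref).ratio()
        if cand == ref or ratio >= threshold or ref.split(".")[0] in cand:
            return (True, brand, round(ratio, 3))
    return (False, None, 0.0)
```

Flagged domains are candidates for a URLscan submission and screenshot review, not verdicts; the "brand embedded" rule in particular is meant to feed a review queue.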
The other sub-technique, spearphishing via attachment, is regarded by the security community as a major cause of account compromise. Hash values used to block malware shared as an attachment can be altered with minimal effort; inserting a single character would do it. So, to defend against this, another great tool, Hybrid Analysis, is an online sandbox or malware analysis system where teams can analyze attachments on the different systems provided, like Windows 7, Windows 10, Linux, and Android.
Here is a snapshot of the same,
An instant report returns the MIME type, size, and other metadata of the submitted file; in parallel, the file is executed in the environment chosen above and the sandbox results are returned, as shown below.
Gathering intelligence from the internal environment is good; however, collecting data already identified by the community helps you be prepared. Here we list the data collection sources that will help you in this process.
abuse.ch is a great platform created to identify and track cyber threats, with a strong focus on malware and botnets. It not only shares threat intelligence but also allows threat researchers to share their findings with the community through various platforms. The platforms developed by abuse.ch are:
- A malware repository that collects and shares malware samples, which can be integrated into your SIEM and TIP tools and analyzed by malware analysts to track new activity of APT groups and ransomware.
- A project of abuse.ch used to track botnets and C&C servers associated with malware like Dridex, TrickBot, and Emotet; it can help identify any botnets that might be attacking your network.
- A tool for identifying malicious URLs; it can be used in SIEM platforms to monitor outbound connections, or during phishing analysis to check whether a link is malicious.
- ThreatFox, an integrated environment for sharing Indicators of Compromise with the community.
- A tool used to identify and classify malware samples with YARA rules. YARA rules are like small programs that identify unique patterns and strings present in malware.
- SSL Blacklist, which monitors SSL certificates and detects malicious certificates related to botnet and C&C servers.
AlienVault OTX (Open Threat Exchange) is an open-source global threat intelligence community that uses honeypots to capture indicators comprising IP addresses, domains, emails, and file hashes. The indicators can be retrieved via its API or via STIX/TAXII.
VirusTotal aggregates the results of many antivirus scanners and domain-blocking services to analyze data. It allows you to upload files that might be suspicious and checks whether any of the antivirus engines have identified them as malicious. VirusTotal also lets you look up URLs with comprehensive details like the HTTP response, headers, and HTML info, and it also supports looking up IP addresses and hashes.
Storage and Visualization
Now that we have established external tools to analyze suspicious data, the next important step is to store and visualize the data we collect from different sources. OpenCTI assists in this by structuring data in the STIX standard and serving it through a GraphQL API to a modern web application; data storage is handled by Elasticsearch, MinIO, and Redis. It can capitalize on technical as well as non-technical information, such as identifying the victims of a particular adversary.
OpenCTI can be integrated with other tools and applications like AlienVault OTX, MISP, TheHive, MITRE ATT&CK, etc. The platform comes with OpenCTI connectors to import data from major sources like Abuse SSL, AbuseIPDB, AlienVault, VirusTotal, and Malpedia. It can also export data in CSV, STIX, TXT, and PDF formats. Collected data can be processed through automation to send updates to endpoint systems or clients.
For documentation of the tool, refer to OpenCTI link.
Another great storage and visualization tool is MISP, which can share, store, and correlate IOCs of targeted attacks, threat intelligence, and financial fraud information. This tool automatically correlates attributes and indicators of malware, attack campaigns, or analysis. With a built-in sharing functionality, the tool can export data by generating IDS, OpenIOC, plaintext, CSV, XML, and JSON outputs and supports STIX 2.0 format.
MISP can be integrated with other tools and applications like CrowdStrike Falcon, Alienvault OTX, Hybrid Analysis.
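As an added example (not OpenCTI's or MISP's own code) of the STIX structuring both platforms rely on: constructed feed entries of the kinds abuse.ch publishes (a domain, an IPv4 address, a SHA-256) are converted into a STIX 2.1 bundle of Indicator objects, one Malware object per family, and "indicates" relationships between them, with malformed values rejected before a pattern is built. The sample IOCs are constructed and the malware names are only illustrative.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed sample IOCs of the kinds the feeds above provide (not real indicators).
SAMPLE_IOCS = [
    {"type": "domain", "value": "update-check.example", "malware": "Emotet"},
    {"type": "ipv4", "value": "203.0.113.45", "malware": "Emotet"},
    {"type": "sha256", "value": "ab" * 32, "malware": "Dridex"},
]
# STIX pattern template and a sanity check per IOC type, so a malformed feed entry
# is rejected instead of producing an unparsable pattern.
PATTERNS = {
    "domain": ("[domain-name:value = '{}']", re.compile(r"^[a-z0-9.-]+$")),
    "ipv4": ("[ipv4-addr:value = '{}']", re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")),
    "sha256": ("[file:hashes.'SHA-256' = '{}']", re.compile(r"^[0-9a-f]{64}$")),
}

def stix_id(kind):
    return f"{kind}--{uuid.uuid4()}"

def make_indicator(ioc, ts):
    """Turn one feed entry into a STIX 2.1 Indicator SDO carrying a STIX pattern."""
    template, check = PATTERNS[ioc["type"]]
    if not check.match(ioc["value"]):
        raise ValueError(f"malformed {ioc['type']} value: {ioc['value']!r}")
    return {"type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
            "created": ts, "modified": ts, "name": f"{ioc['malware']} {ioc['type']}",
            "pattern": template.format(ioc["value"]), "pattern_type": "stix",
            "valid_from": ts}

def build_bundle(iocs):
    """Return a STIX 2.1 Bundle: one Malware SDO per family, one Indicator per IOC,
    and an 'indicates' relationship linking each Indicator to its Malware."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    malware, objects = {}, []
    for ioc in iocs:
        if ioc["malware"] not in malware:
            malware[ioc["malware"]] = {"type": "malware", "spec_version": "2.1",
                                       "id": stix_id("malware"), "created": ts, "modified": ts,
                                       "name": ioc["malware"], "is_family": True}
            objects.append(malware[ioc["malware"]])
        ind = make_indicator(ioc, ts)
        objects.append(ind)
        objects.append({"type": "relationship", "spec_version": "2.1",
                        "id": stix_id("relationship"), "created": ts, "modified": ts,
                        "relationship_type": "indicates",
                        "source_ref": ind["id"], "target_ref": malware[ioc["malware"]]["id"]})
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}
```

Serialize the bundle with `json.dumps` and it can be imported into OpenCTI as a STIX bundle; the relationships are what let the platform draw the indicator-to-malware graph rather than a flat list of IOCs.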
In the last few years, the increase in organized cybercrime has led to a rise in the importance of CTI. Not only does this CTI setup come free of cost, but studies also show that effective CTI helps organizations reduce the overall expense of developing a security posture. Instead of buying a vulnerability management tool that covers a generalized collection of vulnerabilities, it is wise to introduce a CTI platform into your environment that provides targeted intelligence. In addition, it improves your security team's efficiency and enhances their knowledge of the threats that matter while reducing their workload.