Cyber Threat Intel : Overview

EVERY INCIDENT LEAVES A TRAIL OF EVIDENCE
D3PAK KUMAR (D3)
DIGITAL FORENSICS | CYBER INTELLIGENCE

The Technology World Always has the Sharpest Brains...
There are equally sharp minds, working against you…
Src : Securus First
Cyber Threat Intelligence: Medium D3PAK KUMAR (D3)

DISCLAIMER
The views / opinions / assumptions expressed in this presentation/resource is for educational & research
purposes only. Do not attempt to violate the law with anything contained here. Neither the author of this
material, nor anyone else aﬃliated in any way, is liable for your actions.
The purpose of this presentation is to share what is happening in cyber and what is possible...
D3PAK KUMAR (D3)

ONCE THE DOCUMENTS HAVE BEEN POSTED
ONLINE, THE
GENIE IS OUT OF THE BOTTLE
D3PAK KUMAR (D3)
Cyber Threat Intelligence: Medium

We live in the digital age
Actors/Criminals do too
What are the top cyber threats ?
Think Adversarial Perspective
D3PAK KUMAR (D3)

D3PAK KUMAR (D3)
CRITICAL INFRASTRUCTURE
GOVERNMENT
MANUFACTURING
BANKING
FINANCIAL SERVICES & MOBILE MONEY RETAIL
STRATEGIC & PUBLIC ENTERPRISES. PROFESSIONAL SERVICES
HOSPITALITY
INSURANCE
TELECOMMUNICATIONS

D3PAK KUMAR (D3)
CYBER of THINGS
C Factor and all are interrelated
CYBER
CRIME
CYBER
SECURITY
CYBER
TERRORISM

D3PAK KUMAR (D3)
Example: RANSOMWARE Now Crypto
Hackers Mindset : Too much risk......but the target is too sweet

D3PAK KUMAR (D3)
Anything Likely to cause damage or danger
+
Ability to acquire and apply knowledge and skills
=
Threat Intelligence
Another Buzz

D3PAK KUMAR (D3)

D3PAK KUMAR (D3)
OSINT ≠ Actionable Intelligence
What exactly : OSINF Open Source Information
Players are Firewalls, Endpoint Detection & Response, Endpoint protection platform, Anti-Virus Intel Stakeholders & OPSEC Firms
Online Social media : Sentiments, Statistics, Trends
Threat Intel firms:
Good intel
No Responsible Disclosure Policy; No verification
Shift towards Data breach and Free media PR
Defacement Days gone… APT , Malware, Ransomware, Honeypots, Bots, Watering Hole etc.
Present Scenario

D3PAK KUMAR (D3)
34% of
respondents
didn't have any
prior experience
with OSINT-
related research;
85% reported
they received
little or no
training in OSINT
techniques and
risk prevention
from their current
employer;
55% are
venturing into
the Dark Web as
part of their
OSINT activity 10
or more times
per month;
38% do not use
managed
attribution tools
to mask or hide
their online
identities or
personas;
29% report no
oversight
procedures to
ensure that tools
are not being
abused by
analysts;
83% of cyber
threat
intelligence
analysts use a
web browser as
their primary
tool.
Cyber Threat Intelligence: Analysts Undertrained, Unsupported
Source: Authentic8

D3PAK KUMAR (D3)
i. Hypothesis Driven: Data Leak/Breach, IOC, TTPS (Post incident)
ii. Analytics and Machine Learning : Data set, Signatures, Anomalies, Historical repo, UEBA, SOAR etc.
iii. Manual Interventions: Customised sensors, crawlers, parsers, API
iv. Human Intelligence always Win : Expertise, SME, Coordination agencies/organisations, etc.
Types and Approaches
Strategic: Broader threat trends typically meant for a non technical audience
Tactical: Outlines of tactics, techniques, and procedures (TTP) of threat actors
for a more technical audience
Operational: Technical details about specific attacks and campaigns

D3PAK KUMAR (D3)
• Threat Intel Cycle: Plan, Collect, Analysis, Dissemination
• Capacity building: Detailed subject training as Ramayana can't be finished in 1 hour
• PPT factor with proper effective coordination
• Proactive Threat Hunting required : Data and Patience
• Understand the Threat and Actor and what to hunt
REQUIRED ACTION

D3PAK KUMAR (D3)
Sophisticated actors penetrating networks using "publicly" available
information demonstrate they don’t need to develop advanced malware/tactics
when the vulnerabilities are sitting in plain sight. Using open-source
information (OSINF) to assess publicly available information is somehow
sufficient to serve the purpose
The best defence start with good OSINF

GOOD THINGS OF TECHNOLOGY
D3PAK KUMAR (D3)
DEEP-WEB / REDDIT
LEAD (SOCIAL NETWORKING)
IOT / Sync
COOKIES INTELLIGENCE
CTI COMMUNITIES
GOOGLE

D3PAK KUMAR (D3)
SOCMINT
• Disseminate to Concern
• Need to add
Output
COTS
Twitter
iMessengers
Maltego
Etc.
Processing
There are three main steps in
analysing social media:
• Data identification,
• Data analysis, and
• Information interpretation.
Gather actionable insights in raw
form concerning to Subject, etc.
Input

D3PAK KUMAR (D3)
Cyber Kill Chain
MITRE ATT&CK MATRIX
Recon Weaponise Delivery Exploitation Installation C2
Actions &
Objectives
 Task: Identify the Attackers’ Step by Step Process
 Goal: Disrupting Attackers’ operations
 Motivation
 Preparation
 SE
 OSINT
 Configuration
 Packaging
 Powershell
 Add
 Mechanism
of Delivery
 Infection
Vector
 Phishing
 Technical or
human?
 Applications
affected
 Method &
Characteristics
 Persistence
 Characteristic
s of change
 Self0signed
Driver
 Communication
between victim
& adversary
 VPN
 What the adversary
does when they
have control of the
system
 Data Exfil
 APT
MITRE ATT&CK:
 Active Scanning
 Passive Scanning
 Determine Domain
& IP Address Space
 Analyze Third-Party
IT Footprint
MITRE ATT&CK:
 Malware
 Scripting
 Service
Execution
MITRE ATT&CK:
 Spearphishing
Attachment/Link
 Exploit Public-
Facing
Application
 Supply Chain
Compromise
MITRE ATT&CK:
 Local Job
Scheduling
 Scripting
 Rundll32
MITRE ATT&CK:
 Application
Shimming
 Hooking
 Login Items
MITRE ATT&CK:
 Data
Obfuscation
 Domain
Fronting
 Web Service
MITRE ATT&CK:
 Email Collection
 Data from Local
System/Network
Share
 Surveillance

D3PAK KUMAR (D3)
CYBER SECURITY PREPAREDNESS
LEGALMEASURES
• Measures the
legal
framework of a
country that
streamlines
basic response
mechanisms to
breaching of
cyber law
TECHNICAL
• Measures the
adequacy of
technical
measures and
the strength of
capabilities
based on the
number of
existing
technical
institutions
and
frameworks
dealing with
cybersecurity
ORGANISATIONAL
• Measures the
organisational
strategy of a
countries
cybersecurity
imitative. This
is based on
the number of
institutions
and strategies
organizing
cybersecurity
development
at national
level
CAPACITYBUILDING
• Measures the
awareness
campaign and
the availability
of resources
for each
country. (
Includes the
existence of
research and
development
education and
training
programs and
certified
professionals
and public
sector
agencies.
COOPERATION
• Measures the
active
engagement
of different
sectors and
stakeholders in
preventing
threats and
combating
cyber-attacks.

D3PAK KUMAR (D3)
i. OSINT Tools and Framework : Domain Based, Searching, Clustering, Grouping etc.
ii. OSINT Services websites: osint, start.me, midasearch, toddington, osintgeek, intel technique etc.
iii. Commercial vendors: Feeds, Alerts
iv. Government off-the-shelf Tools : In-House, Integrated APIs and Data Lake
v. Common Sense
Tools
CIA Director: We kill people based on metadata
Open Network
Top OTT platforms, Social media domains Twitter,
Facebook, YouTube, Instagram, Parler, 4chan, 8chan,
Stream, Kiwi, countries specific search engine
Close Network
Encrypted channels keybase, chirpwire, signal, Kirk,
FaceTime, Riot, discord, gaming platform etc.
invitation /participation basis

D3PAK KUMAR (D3)
Don't believe marketing hype regarding Cyber Threat Safety
"oh, we spent $$$ in $Vendor product, so we are safe"
Any "tool", regardless of the price, is still a "tool“
Take a Break

D3pak@Protonmail.com
Resources : D3pakblog.wordpress.com
D3PAK KUMAR (D3)
Thank You
References
o Cyber Threat Intelligence Command Centre - SC3
o GitHub/SANS/Lockheed Martin Corporation

Cyber Threat Intel : Overview

More Related Content

What's hot (20)

Similar to Cyber Threat Intel : Overview (20)

More from Deepak Kumar (D3) (20)

Recently uploaded (20)

Cyber Threat Intel : Overview