Cyber Threat Intelligence (CTI) plays a vital role in enhancing detection capabilities and empowering organizations to make well-informed decisions in cybersecurity monitoring and response. Foundational Threat Indicator Lookup Services and Threat Indicator Feeds start to lay the groundwork for CTI program capabilities, initiating essential steps in strengthening cybersecurity operations.
This article aims to demystify the multifaceted landscape of Cyber Threat Intelligence (CTI) by offering an overview of various CTI offerings. The goal is to enhance comprehension regarding the specific applications of CTI services. To simplify the discussion, I've categorized CTI into distinct subgroups:
Foundational Threat Indicator Lookup Services
Threat Indicator Feeds
Dark Web Monitoring
Threat Exposure
3rd Party Risk
Sandboxes & Malware Analysis
All-In-One CTI Platforms
CTI Analysis & Reporting
While some may argue that true CTI primarily revolves around 'Analysis and Reporting,' I've included other areas. This is because tools and techniques within these dimensions often serve as foundational elements for CTI 'Analysis and Reporting'. This article will explore the nuances of Foundational Threat Indicator Lookup Services and Threat Indicator Feeds in greater depth.
Foundational Threat Indicator Lookup Services
I've included the term 'Foundational' here because we're discussing a basic CTI function. Indicator Lookup Services are designed to scrutinize values such as file hashes, URLs, and IP addresses, cross-referencing them against known malicious actors who have utilized these indicators.
In the realm of cybersecurity, a widely recognized concept is "The Pyramid of Pain," first formulated by David Bianco. The Pyramid of Pain categorizes various cyber indicators based on their ease of detection and emphasizes that the indicators easiest to detect are also the simplest for cyber adversaries to manipulate.
For instance, consider a hash of a malware file—it's relatively straightforward to scan your systems for a hash match, making it easy to detect. However, it's equally effortless for malicious actors to make slight alterations to the file's content, thereby changing its hash signature and evading detection.
Foundational Indicator lookup services fall within the lower tiers of the Pyramid of Pain. While they are easily alterable by attackers, they are also relatively simple for defenders to detect.
Common tools that perform this function include:
VirusTotal https://www.virustotal.com/gui/
AlienVault https://otx.alienvault.com/
AbuseIPDB https://www.abuseipdb.com/
Defender Threat Intelligence (TI) (formerly RiskIQ) https://ti.defender.microsoft.com/
urlhaus https://urlhaus.abuse.ch/
Threatfox https://threatfox.abuse.ch/
IntelligenceX https://intelx.io/
Many Others
Interestingly, some Indicator of Compromise (IOC) lookup tools, such as VirusTotal, have surpassed the in-house threat analysis capabilities of many cybersecurity vendors. In those cases the vendor's product delegates or supplements its indicator lookups with a widely used CTI service such as VirusTotal, as Microsoft Defender EDR does through its VirusTotal integration.
Manual versus Automated Threat Intelligence Indicator Lookup
A recurring question in this domain is whether you need to run these Indicator Lookup Services at all if the tools in your cybersecurity stack already incorporate the same indicators. When you invest in tools like EDR, Firewalls/IPS, or SIEM, the expectation is that those tools handle the fundamental indicator lookup function on your behalf.
EDR, Firewalls/IPS, and SIEM are expensive, so you should not have to spend cybersecurity staff time, as shown in the diagram below, doing manual lookups or developing your own programmatic interface to parse indicators out of your cybersecurity sensors and look them up.
If you've invested in costly cybersecurity tools, here's how they should ideally function—and in fact, most cybersecurity tools offer this basic functionality, even if they're merely aggregating data from open-source threat feeds rather than conducting their own research. The diagram below illustrates this process in operation. As network traffic is either allowed or blocked by your firewall, it should automatically cross-reference threat indicators. Similarly, if you're using host-based cybersecurity tools such as an EDR, they should promptly alert system owners to any detected threat indicators.
When are manual or user programmed cyber threat indicator lookups necessary?
Lack of built-in threat indicator lookup capabilities in your cybersecurity tools
Additional fees for threat indicator functionality in your cybersecurity tools
Added cybersecurity effectiveness through increased threat indicator lookup augmentation
Expanding detection and investigation capabilities through Cyber Threat Intelligence indicator pivoting
Lack of built-in threat indicator lookup capabilities in your cybersecurity tools
Sometimes, your tools may lack their own threat intelligence function, whether through their own dedicated CTI research teams or integration of CTI aggregations into their tooling. However, it's increasingly common for cybersecurity tools to offer interfaces allowing you to integrate API keys with independent threat indicator lookup services. If your cybersecurity sensor tooling doesn't support a third-party indicator lookup service interface, lookup functions can often be conducted via SIEM systems to which those sensors send log data.
Additional fees for threat indicator functionality in your cybersecurity tools
Cybersecurity tools often require an additional fee for their proprietary threat intelligence lookup feature. In some instances, you may opt not to allocate budget for this additional licensing cost.
Added cybersecurity effectiveness through increased threat indicator lookup augmentation
It's worth noting that free indicator lookup services often exhibit superior identification capabilities compared to paid alternatives. Certain indicator lookup services have established reputations for being more comprehensive and accurate than others. This might prompt the question: why invest in any paid indicator lookup services?
While the cartoon may seem lighthearted, there are indeed valid reasons for opting for paid services and additional licenses in your cybersecurity products. Some of the key reasons why investing in add-on threat intelligence licenses may prove worthwhile include: unlimited lookup capabilities, seamless integrations with your existing tooling, and bolstering tooling effectiveness through complementary detection capabilities.
Expanding detection and investigation capabilities through Cyber Threat Intelligence indicator pivoting
Another valid reason for a lookup is to pivot: to acquire additional information associated with the initial indicator, which offers supplementary clues. These additional indicators can be fed back into your cyber systems for further investigation. Once again, the expectation is that cybersecurity tools should ideally handle such tasks seamlessly. Unfortunately, most cybersecurity tools cannot yet pivot off an initial indicator and automatically search for related indicators. As a result, indicator pivoting remains a manual or user-automated process. Ultimately, achieving success in Cyber Threat Intelligence (CTI) requires significant research and effort. Here's a simplified example of this CTI pivoting process:
A user identifies an Indicator of Compromise (IOC).
The user conducts research within CTI sources to uncover connections related to that IOC.
Armed with this supplementary CTI information and context, the user initiates searches and takes measures to enhance security within their environment.
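The three-step pivot above, as an added example that is not part of the original article: a bounded breadth-first pivot over relationship data (hash to contacted domain, domain to resolved IP, and so on) that keeps a chain of evidence for every derived indicator and refuses to pivot through shared infrastructure, then groups the results for the step-3 searches. The RELATIONS table is constructed for the example and is not any lookup service's API or real data.

```python
from collections import deque

# Constructed relationship data standing in for what a lookup service returns
# when you pivot ("files contacting this domain", "domains resolving to this IP").
# Nodes are (type, value); this is not any vendor's API or real data.
RELATIONS = {
    ("sha256", "aa" * 32): [("domain", "update-check.example")],
    ("domain", "update-check.example"): [("ip", "203.0.113.45"), ("sha256", "aa" * 32),
                                         ("sha256", "bb" * 32)],
    ("ip", "203.0.113.45"): [("domain", "update-check.example"), ("domain", "cdn-mirror.example")],
    ("domain", "cdn-mirror.example"): [("ip", "203.0.113.45"), ("sha256", "cc" * 32)],
    ("sha256", "bb" * 32): [("ip", "198.51.100.7")],
    # Shared hosting IP: hundreds of unrelated domains resolve to it.
    ("ip", "198.51.100.7"): [("domain", f"site{i}.example") for i in range(500)],
}

def pivot(seed, relations, max_depth=2, hub_limit=50):
    """Breadth-first pivot from one IOC. Returns (indicator, hop, reached_from) so
    every derived indicator keeps the chain of evidence back to the seed."""
    seen = {seed}
    queue = deque([(seed, 0)])
    related = []
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue
        neighbours = relations.get(node, [])
        if len(neighbours) > hub_limit:
            # Shared infrastructure (hosting, CDN, sinkhole): pivoting through it
            # would pull in hundreds of benign indicators, so stop here.
            continue
        for nxt in neighbours:
            if nxt not in seen:
                seen.add(nxt)
                related.append((nxt, depth + 1, node))
                queue.append((nxt, depth + 1))
    return related

def search_terms(related):
    """Group derived indicators by type, ready to hand to a SIEM or EDR search."""
    grouped = {}
    for (kind, value), _, _ in related:
        grouped.setdefault(kind, set()).add(value)
    return grouped
```

Raising max_depth widens the search but each extra hop multiplies the false-positive risk, which is why the hub_limit check matters more the deeper you go.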
Threat Indicator Feeds
Conceptually, Threat Indicator Feeds overlap with Foundational Threat Indicator Lookup Services. The main difference is that with a feed you download the indicator data yourself and then either have your cybersecurity systems perform the basic foundational lookups against that downloaded data, or push the feed directly into the sensors so that they perform the lookup within the tool itself. The typical process is to receive data from the feeds and distribute it to your systems, or to point your systems at the centralized repository that collects the threat indicators. This feed lookup method is particularly common for generic logs that capture indicator values such as IP addresses, URLs, and file hashes but lack a dedicated cybersecurity alerting field.
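The feed lookup method just described, as an added example that is not from the original article: a downloaded feed is indexed (dropping stale entries, since old IPs and domains are reused by legitimate owners) and then matched against generic proxy and DNS log lines that carry indicator values but no alert field. The feed layout and the log lines are constructed for the example and do not reproduce any real vendor's export format.

```python
import csv
import io
import re
from datetime import date, timedelta

TODAY = date(2024, 5, 20)  # constructed "now" so the example is reproducible offline

# Constructed feed in a generic CSV layout (not the export format of any real feed).
FEED_CSV = """indicator_type,indicator,threat,first_seen
ip,203.0.113.45,Cobalt Strike C2,2024-05-02
domain,update-check.example,Sliver C2,2024-05-10
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,Loader,2023-01-15
"""
# Constructed proxy and DNS log lines: the indicator sits in a plain text field
# and no sensor has produced an alert field for it.
LOG_LINES = [
    "2024-05-20T10:01:02Z proxy src=10.0.0.12 dst=203.0.113.45 url=http://203.0.113.45/ga.js status=200",
    "2024-05-20T10:01:05Z dns client=10.0.0.12 query=update-check.example type=A rcode=NOERROR",
    "2024-05-20T10:02:00Z dns client=10.0.0.13 query=www.example.org type=A rcode=NOERROR",
]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

def load_feed(csv_text, today=TODAY, max_age_days=180):
    """Index the feed by indicator value, dropping entries older than max_age_days:
    stale IPs and domains are routinely reused by legitimate owners."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if today - date.fromisoformat(row["first_seen"]) > timedelta(days=max_age_days):
            continue
        index[row["indicator"].lower()] = row
    return index

def extract_indicators(line):
    """Greedy extraction of candidate values; the feed index is the real filter."""
    found = set(IP_RE.findall(line))
    found |= {d.lower() for d in DOMAIN_RE.findall(line)}
    found |= {h.lower() for h in SHA256_RE.findall(line)}
    return found

def match_logs(lines, index):
    """Return (indicator, threat label, log line) for every feed hit."""
    hits = []
    for line in lines:
        for value in sorted(extract_indicators(line)):
            if value in index:
                hits.append((value, index[value]["threat"], line))
    return hits
```

The same index can be loaded into a SIEM lookup table instead of a Python dict; the age filter and the per-type extraction are the parts that carry over.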
Now is an opportune moment to introduce the concepts of Producers, Aggregators, and Consumers within CTI.
CTI Producer - These are organizations or individuals responsible for generating CTI.
CTI Aggregator - CTI Aggregators are organizations or individuals that collect CTI from multiple sources and distribute it to others.
CTI Consumer - CTI Consumers are organizations or individuals who utilize CTI for decision-making.
When you retrieve data from a threat feed, you function as a CTI Consumer. This data may originate from a CTI Aggregator, a CTI Producer, or a combination of both. As you distribute the CTI data you've consumed, you also assume the role of a CTI Aggregator for other CTI consumers, whether they're internal to your organization or external as a service.
Some examples of threat feeds include Proofpoint Emerging Threat (ET) Open Rules https://rules.emergingthreats.net/, DFIR Report https://thedfirreport.com/services/threat-intelligence/, Malware Information Sharing Platform (MISP) https://www.misp-project.org/, and OpenCTI https://filigran.io/. There are others, but I am highlighting these systems for this discussion because each serves a slightly different purpose in the domain of threat feeds.
Proofpoint Emerging Threat (ET) Open Rules primarily consists of IPS rules designed for Next Generation Firewalls and IPS systems. However, a subset of these rules serves as basic threat indicators, such as known malicious IP addresses and URLs.
The DFIR threat feed is noteworthy because DFIR Report focuses on generating high-quality threat intelligence reports concerning advanced hacking attacks and campaigns, such as ransomware. Consequently, its threat feeds predominantly comprise indicator data related to Command & Control (C&C) platforms like Cobalt Strike, Metasploit, and Sliver.
MISP stands out as a Threat Intelligence Platform (TIP). While MISP itself doesn't generate threat feed data, it serves as a platform where you can install the MISP software to collect threat feed data from multiple sources. You can then have tools and systems (either yours or your customers' if you're offering a cybersecurity service) pull threat feed data from your MISP instance. Additionally, MISP provides the added value of allowing you to input your own produced CTI and distribute it to consumers or other aggregators.
This article delved into the basic functions of Foundational Threat Indicator Lookup Services and Threat Indicator Feeds, as well as the design decisions associated with their implementation. Future articles will explore other aspects of CTI, including:
Dark Web Monitoring
Threat Exposure
Third-Party Risk
Sandboxes and Malware Analysis
All-In-One CTI Platforms
CTI Analysis & Reporting