Here are some key points to consider about CTI reports:
The availability of CTI reports is on the rise, and their quality is improving.
In the past, subpar CTI reports often consisted primarily of a collection of technical CTI indicators, leading to the coining of the term "IOC" or "Indicator of Compromise."
While IOCs remain a fundamental component of most CTI reports, modern reports go beyond this by offering in-depth analysis and contextual information.
As an example, a recent Microsoft report on Zinc serves as a model of a well-structured CTI report. It not only includes a range of technical indicators but also provides extensive context for these indicators. This illustrates that elements such as IP addresses and file hashes continue to be integral parts of most CTI reports.
An overriding objective of a strong CTI capability is to ensure that CTI indicators are dynamically integrated into your security infrastructure and the systems within your environment. This integration enables your security systems to gain visibility into these indicators across your organization and within your systems.
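As an added illustration of that integration step (example code written for this page, not taken from any vendor report or tool), the block below parses a constructed, defanged indicator appendix of the kind CTI reports ship with, classifies each indicator by shape, and scans constructed proxy and EDR log lines for hits; all values are made up, and the `.invalid` domains and documentation IP range are placeholders.

```python
import re

# Constructed indicator appendix in CTI-report style; reports commonly
# "defang" values (hxxp, [.]) so they cannot be clicked by accident.
REPORT_INDICATORS = """
hxxp://update-check[.]example[.]invalid/payload.bin
203[.]0[.]113[.]45
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Constructed log lines standing in for proxy and EDR telemetry.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.7 dst=198.51.100.2 host=www.example.com",
    "2024-05-01T10:00:05Z proxy src=10.0.0.9 dst=203.0.113.45 host=update-check.example.invalid",
    "2024-05-01T10:01:10Z edr host=ws12 file=C:\\tmp\\a.bin "
    "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
]

def refang(value: str) -> str:
    """Undo common defanging so the indicator matches what telemetry actually records."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def classify(value: str) -> str:
    """Classify an indicator by its shape: ipv4, sha256, url or domain."""
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", value):
        return "ipv4"
    if re.fullmatch(r"[0-9a-f]{64}", value):
        return "sha256"
    if "://" in value:
        return "url"
    return "domain"

def parse_indicators(text: str) -> dict:
    """Return {indicator: type}; a URL also contributes its host as its own indicator."""
    iocs = {}
    for raw in text.split():
        value = refang(raw.strip()).lower()
        kind = classify(value)
        iocs[value] = kind
        if kind == "url":
            host = re.sub(r"^\w+://", "", value).split("/")[0]
            iocs[host] = classify(host)
    return iocs

def match_logs(iocs: dict, lines: list) -> list:
    """Return (line_index, indicator, type) for each log line containing an indicator."""
    hits = []
    for i, line in enumerate(lines):
        low = line.lower()
        for ioc, kind in iocs.items():
            # Full URLs rarely appear verbatim in logs; match on host/IP/hash with word-ish boundaries.
            if kind != "url" and re.search(r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])", low):
                hits.append((i, ioc, kind))
    return hits
```

In practice the indicator source would be a feed or a STIX bundle rather than pasted text, but the refang-classify-match steps are the same.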
CTI reports and assembly code
In many CTI reports, you'll frequently come across details related to malware reverse engineering. This typically manifests in the form of screenshots displaying assembly code. Malware researchers obtain the malware binary and utilize specialized software tools like IDA Pro or Ghidra to disassemble it. By examining this disassembled code, researchers can uncover crucial elements such as key functions and strings, which provide insights into the malware's operations.
While reverse engineering information may hold lesser significance for the average CTI consumer, it remains an essential component of CTI research sharing and is highly valuable to those involved in malware reverse engineering and more in-depth CTI analysis.
In recent times, there's been a trend in CTI reports to reduce the display of reverse engineering assembly code, opting instead for a more concise and accessible explanation of how the malware functions and interacts. An example of this approach can be seen in a screenshot from the aforementioned Microsoft report on Zinc.
CTI Context through Categories and Timelines - Kill Chain and Mitre ATT&CK
To enhance CTI effectiveness, context plays a pivotal role. Understanding the context of malicious actors or hackers is primarily achieved through categorization and timelines. In the aforementioned Microsoft report on Zinc, the attack was examined using a framework known as the "Cyber Kill Chain," offering valuable contextual insights related to the attack.
The concept of the Cyber Kill Chain was initially introduced in a paper titled "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains."
In this paper, the authors drew an analogy between the military's kill chain model and the steps that cyber attackers must navigate to execute successful cyber attacks. Additionally, the paper explored the methods for breaking the attacker's cyber kill chain, which encompassed the functions of Detect, Deny, Disrupt, Degrade, Deceive, and Destroy.
Reconnaissance
Weaponization
Delivery
Exploitation
C2
Action on objectives
The Cyber Kill Chain concentrates on the step-by-step sequence of a cyber-attack, whereas MITRE has developed a model for categorizing the different types of activity within cyber-attacks. Although it may resemble the kill chain in some respects, because many attack categories align with sequential stages of an attack, its primary emphasis lies in categorizing these activities rather than detailing the specific attack sequence.
Within the MITRE ATT&CK framework, various categories of cyber-attacks are identified, each of which contains a range of techniques employed in cyber-attacks. As depicted in the example below, an attack may not necessarily encompass techniques from all categories, and these techniques may not unfold in a predetermined or sequential order within the categories.
Meta researchers have introduced their own model for cyber attacks, which stands out due to its notable emphasis on how attackers strategize and configure their attacks.
Acquire assets – “address, email addresses, phone numbers, crypto wallets, or whatever the adversaries need to operate.” (Even bean bag chairs)
Disguise assets
Gather information
Coordinate and Plan
Test defenses
Evade detection
Engage indiscriminately
Target engagements
Compromise assets
Enable persistence
(https://www.csoonline.com/article/3680149/meta-s-new-kill-chain-model-tackles-online-threats.html)
Cyber Threat Intelligence (CTI) - Connecting the Dots - Diamond Model
Several years ago, a group of CTI professionals introduced a model aimed at establishing connections between various cyber attacks, known as "The Diamond Model." This model was initially presented in a paper authored by Sergio Caltagirone, accessible at the following link: https://apps.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf. The Diamond Model is instrumental in addressing questions such as:
Identifying when the same individual or group is at work even as their indicators change or persist.
Understanding the intentions behind these actions.
In simplified terms, the Diamond Model of intrusion analysis elucidates how an "adversary" leverages a specific "capability" through an "infrastructure" to target a "victim." This approach asserts that adversaries employ their infrastructure capabilities to execute intrusions and impact their targets.
The Diamond Model is often integrated with a framework like the Cyber Kill Chain to establish connections between the same attacker or group of attackers across distinct incidents.
In this visualization, the Y-axis represents the Diamond Model components aligned with the various stages of the kill chain within a single incident, while the X-axis delineates different incidents, creating a comprehensive view of the attacker's activities and their evolution over time.
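The activity-thread view just described, as an added example written for this page (not code from the Diamond Model paper or any vendor): each event is a Diamond tuple placed at a kill chain phase, incidents form the columns, and the shared capability or infrastructure features that would justify linking two incidents to the same actor are surfaced explicitly. Incident names, tool names and domains are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Kill chain phases as listed on this page, in order (the Y-axis of the view).
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery",
              "Exploitation", "C2", "Action on objectives"]

@dataclass(frozen=True)
class DiamondEvent:
    """One Diamond event: an adversary uses a capability over infrastructure against a victim."""
    incident: str
    phase: str
    adversary: str       # frequently "unknown" at first; the model lets that vertex stay open
    capability: str      # malware family or tool (constructed names below)
    infrastructure: str  # C2 domain, sender address, etc. (constructed)
    victim: str

def activity_threads(events):
    """Group events per incident (one column each) and order them along the kill chain."""
    threads = defaultdict(list)
    for e in events:
        threads[e.incident].append(e)
    for inc in threads:
        threads[inc].sort(key=lambda e: KILL_CHAIN.index(e.phase))
    return dict(threads)

def link_incidents(events, features=("capability", "infrastructure")):
    """Return {(incident_a, incident_b): {shared 'feature=value' pivots}} across incidents."""
    seen = defaultdict(set)  # (feature, value) -> incidents in which it was observed
    for e in events:
        for f in features:
            value = getattr(e, f)
            if value != "unknown":  # an unknown vertex is not evidence of a link
                seen[(f, value)].add(e.incident)
    links = defaultdict(set)
    for (f, value), incidents in seen.items():
        for a in incidents:
            for b in incidents:
                if a < b:
                    links[(a, b)].add(f"{f}={value}")
    return dict(links)

# Constructed incidents; none of these names or indicators come from a real report.
EVENTS = [
    DiamondEvent("INC-1", "Delivery", "unknown", "phish-doc-lure", "mail.sender.invalid", "acme-finance"),
    DiamondEvent("INC-1", "Exploitation", "unknown", "macro-dropper", "unknown", "acme-finance"),
    DiamondEvent("INC-1", "C2", "unknown", "rat-family-x", "c2.example.invalid", "acme-finance"),
    DiamondEvent("INC-2", "C2", "unknown", "rat-family-x", "c2.example.invalid", "globex-hr"),
    DiamondEvent("INC-2", "Action on objectives", "unknown", "archiver-tool", "unknown", "globex-hr"),
    DiamondEvent("INC-3", "Delivery", "unknown", "usb-drop", "unknown", "initech-ops"),
]
```

Here INC-1 and INC-2 share both a capability and a C2 domain, which is the kind of overlap that justifies drawing them in the same activity group, while INC-3 stays unlinked because an "unknown" vertex is never treated as a pivot.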
APT Groups and Names
In the realm of CTI research, you'll often encounter differing naming conventions. Multiple research teams may monitor and release CTI about the same threat groups, but each may use its own code names when publishing information about them. Fortunately, some cybersecurity researchers provide a straightforward spreadsheet key, which serves as a reference to map the names assigned by prominent CTI producers for tracking various high-level hacking groups.
https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=1864660085