Do you think Threat Intelligence is “cool”?

Cristian Cornea
6 min read · May 15, 2024


What is Threat Intelligence?

“The analysis of an adversary’s intent, opportunity, and capability to do harm is known as cyber threat intelligence.” - SANS

To summarize, threat intel is a collection of activities through which we can gather intelligence about different threat actors and campaigns.

Threat Intelligence Activities

A lot of people (and probably you too) think:

Threat Intelligence = Indicators of Compromise

It is more than this!

Let us introduce you to other examples of Threat Intelligence activities:

  • Threat Modelling: you map out the threats specific to your organization. For example, a bank is targeted by different threats than a TV online channel.
Example of a Threat Modelling Diagram

Now you may ask: why is this important?

Let’s take two examples:

  1. Business Decisions: if you define a threat model specific to your organization, then the business can make investment decisions specific to your needs. Why should I defend myself from bears if there are none in my country? The same concept applies here.
  2. Red-Teaming: using the threat model, the red teamers can simulate the Tactics, Techniques, and Procedures (TTPs) that are used by the threat groups targeting your organization specifically.
  • OSINT: It stands for “Open-Source Intelligence”. Basically, you can use the Internet to gather information about the threat actors. You can use different platforms to map out the real identity of the people behind a campaign or a threat group.
Example of a methodology to discover the real identity of a threat actor

Also, through OSINT you can collect intelligence through the available cybercrime forums.
  • HUMINT: It stands for “Human Intelligence”, and it represents the process of collecting information from human sources. In Threat Intelligence, HUMINT can be used to establish an inside connection with a threat group through a human source. For example, you can obtain valuable intelligence about the future targets of a hacking group and use that to strengthen the security of the customer/victim.
  • Compromise Monitoring: You are actively monitoring forums, hacking communities, and Telegram channels for any posts related to your organization or to your customers. We would recommend creating a scraping tool that automatically checks for any compromise.
Source: BreachForums (“Database Leaks” Section)
  • Puppet Master: Yes, you heard correctly! You can become a puppet master… but in Threat Intelligence.
Source: Securing Online Personas Book by deadlock

A puppet master in Threat Intelligence deals with building the reputation of his/her personas within the hacking community and securing them.

What is the difference between HUMINT and Puppet Mastering? — HUMINT deals with sources that are external while a puppet master has its own fake “threat actors” that infiltrate cybercrime groups and collect intelligence.

You can study a really good book on that subject, which is called “Securing Online Personas” by deadlock (which can be found online).

There are many more Threat Intel activities that you can perform besides the ones listed above.
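One way to build the compromise-monitoring check recommended above, as an added example and not the author's tool: it takes posts that a scraper has already fetched (a constructed sample is embedded), refangs defanged indicators, matches the text against a watchlist of the organization's assets, and fingerprints content so reposts do not alert twice. The watchlist entries, post contents and field names are assumptions.

```python
import hashlib
import re

# Constructed watchlist of assets we defend (placeholders, not real organizations).
WATCHLIST = ["examplebank.com", "Example Bank", "vpn.examplebank.com"]

# Constructed sample of scraped forum posts, standing in for the scraper's output.
SAMPLE_POSTS = [
    {"id": 101, "title": "Selling access to EXAMPLEBANK[.]COM vpn", "body": "hxxps://vpn[.]examplebank[.]com creds"},
    {"id": 102, "title": "Free combo list", "body": "Random mix of old leaks, nothing special"},
    {"id": 103, "title": "Database dump: Example Bank customers", "body": "Full dump for sale"},
    {"id": 104, "title": "Selling access to EXAMPLEBANK[.]COM vpn", "body": "hxxps://vpn[.]examplebank[.]com  creds"},  # repost of 101
]

def refang(text: str) -> str:
    """Undo common defanging so 'example[.]com' and 'hxxps://' match normal spelling."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)

def normalize(post: dict) -> str:
    """Lower-cased, refanged, whitespace-collapsed text used for both matching and hashing."""
    text = refang(post["title"] + " " + post["body"]).lower()
    return re.sub(r"\s+", " ", text).strip()

def matches(post: dict) -> list:
    text = normalize(post)
    hits = []
    for term in WATCHLIST:
        # Boundaries stop 'examplebank.com' matching inside 'notexamplebank.com' or inside 'vpn.examplebank.com'.
        pattern = r"(?<![\w.-])" + re.escape(term.lower()) + r"(?![\w-])"
        if re.search(pattern, text):
            hits.append(term)
    return hits

def fingerprint(post: dict) -> str:
    """SHA-256 of the normalized content, so reposts with cosmetic changes do not re-alert."""
    return hashlib.sha256(normalize(post).encode()).hexdigest()

def scan(posts: list, seen: set) -> list:
    """Alert once per distinct post mentioning a watchlist asset; `seen` persists across runs."""
    alerts = []
    for post in posts:
        fp = fingerprint(post)
        if fp in seen:
            continue
        seen.add(fp)
        hits = matches(post)
        if hits:
            alerts.append({"post_id": post["id"], "terms": hits, "fingerprint": fp[:12]})
    return alerts
```

Persist the `seen` set between scraper runs (a file or database) so the tool only raises a ticket for genuinely new posts.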

Data, Information, and Intelligence

Do you know that these three terms are different?

“This is an IP address” -> Data

“This is an IP address used for Command and Control” -> Information

“This is an IP address used for Command and Control that targeted our infrastructure, looking for sensitive documents to be extracted for the purposes of economic espionage against our organization” -> Intelligence

Terminology & References

Find below some examples of the terminology used within the Threat Intelligence industry:

Source = refers to any provider or channel that furnishes the intelligence. In reports, people do not mention how or from whom they got a piece of information. Instead, you will very often find: “our sources revealed to us XYZ”.

Persona = a constructed identity, typically associated with a threat actor or group. It is usually defined by a username.

Operations Security (OPSEC) = the methods you apply to protect your activities and personas against being traced back to your real identity.

Indicators of Compromise (IoC) = pieces of evidence or artifacts that suggest a system has been breached or compromised. These can include Malicious File Hashes, IP Addresses, Domain Names, URLs, Email Addresses, Registry Keys, File Paths, User-Agent Strings, and more.

Tactics, Techniques, and Procedures (TTPs) = specific methods or approaches used by threat actors to achieve their objectives. You can find a comprehensive list on the MITRE ATT&CK page.

Source: https://attack.mitre.org/

YARA Rules = YARA stands for “Yet Another Recursive Acronym” and it is an open-source tool primarily designed for creating and sharing rules that you can use to identify malicious files. It is based on static analysis of the potentially dangerous files. Reference: https://github.com/VirusTotal/yara

Example of a YARA rule to detect the Ember Rootkit

Adversary Intelligence = the intelligence about the threat actor -> identity and online presence.

Operation Intelligence = the intelligence about the campaigns alongside the TTPs associated with a threat actor

Initial Access Brokers (IAB) = the threat actors that are selling initial access (compromised VPN, RDP, SSH, or other remote access accounts).

Threat Modelling = a structured approach to assessing the potential threats for an organization.

MISP = stands for “Malware Information Sharing Platform & Threat Sharing” and it’s an open-source threat intelligence platform that enables organizations to collect, share, and analyze information about security threats.

Example of MISP graph

How can I evaluate the quality of the information?

The threat intelligence obtained can be categorized using the NATO Admiralty System, which you can use to classify both the reliability of the source and the validity of the information received.

NATO Admiralty System Categorization
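The Admiralty grading referred to above, implemented as an added example that is not part of the article: each item carries a two-character code, a letter for source reliability (A to F) and a digit for information credibility (1 to 6), and a triage step keeps only items that meet a minimum grade, treating F and 6 (“cannot be judged”) as never passing. The default thresholds and the sample items are assumptions.

```python
from dataclasses import dataclass

# NATO Admiralty System axes: source reliability (letter) and information credibility (digit).
RELIABILITY = {"A": "Completely reliable", "B": "Usually reliable", "C": "Fairly reliable",
               "D": "Not usually reliable", "E": "Unreliable", "F": "Reliability cannot be judged"}
CREDIBILITY = {"1": "Confirmed by other sources", "2": "Probably true", "3": "Possibly true",
               "4": "Doubtful", "5": "Improbable", "6": "Truth cannot be judged"}

@dataclass(frozen=True)
class Rating:
    reliability: str  # "A" (best) .. "E", or "F" when it cannot be judged
    credibility: str  # "1" (best) .. "5", or "6" when it cannot be judged

def parse_rating(code: str) -> Rating:
    """Parse a two-character Admiralty code such as 'B2'; reject anything else."""
    code = code.strip().upper()
    if len(code) != 2 or code[0] not in RELIABILITY or code[1] not in CREDIBILITY:
        raise ValueError(f"invalid Admiralty code: {code!r}")
    return Rating(code[0], code[1])

def describe(code: str) -> str:
    """Human-readable reading of a code, e.g. for an analyst report."""
    r = parse_rating(code)
    return f"{r.reliability}{r.credibility}: source {RELIABILITY[r.reliability].lower()}, information {CREDIBILITY[r.credibility].lower()}"

def is_actionable(code: str, min_reliability: str = "C", min_credibility: str = "3") -> bool:
    """True when both axes meet the threshold (assumed defaults C and 3). 'F' and '6' mean
    'cannot be judged' and never pass, even though they sort after the graded values."""
    r = parse_rating(code)
    if r.reliability == "F" or r.credibility == "6":
        return False
    return r.reliability <= min_reliability.upper() and r.credibility <= min_credibility

def triage(items: list, **thresholds) -> list:
    """Keep only the items (dicts with 'claim' and 'rating') worth acting on."""
    return [item for item in items if is_actionable(item["rating"], **thresholds)]

# Constructed sample intel items with placeholder ratings, not real reporting.
SAMPLE_ITEMS = [
    {"claim": "IAB offering VPN access to our perimeter", "rating": "B2"},
    {"claim": "Rumour of a planned DDoS against us next month", "rating": "D4"},
    {"claim": "New persona claims to be a former affiliate", "rating": "F6"},
    {"claim": "C2 domain seen in our proxy logs", "rating": "A1"},
]
```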

Is it dangerous? OPSEC Considerations

Definitely YES!

You must consider the fact that a lot of gangs, cartels, criminal groups, and terrorist organizations are associated with cyber threat actors. They have money, arms, and influence.

That’s why it is very important to have good OPSEC in place. Some advice follows:

  1. Use VPNs and proxies
  2. Use Proton Email or YOPMail when registering accounts on forums and other platforms
  3. Change your browser’s user agent to mimic a device that you do not own
  4. Disable cookie tracking in your browser
  5. Change your machine’s local time to a different time zone
  6. Apply the “Need-to-Know” principle to the intelligence that you gather
  7. Do not associate your persona usernames with your real identity’s usernames
  8. Log into the forum accounts and personas at random times, to not disclose your potential timezone
  9. Learn how to lie! For example, if you run into a discussion with your source about the weather, complain about the opposite conditions (and keep track of the lies that you are telling). Reality: it is snowing in your country. What you will say: “oh man it’s too hot here”. Develop hobbies for your persona that are not even 1% linked to your real-life hobbies. I hope that you got the point ;)

Thanks very much for your attention and take care!

Cristian Cornea

🇷🇴 Founder: Zerotak Security | Cyber Security Training Centre of Excellence (CSTCE) | SectionX.io | BSides Transylvania