Core Concepts
Threat intelligence is more than just indicators of compromise - it encompasses a diverse range of activities, including threat modeling, open-source intelligence (OSINT), human intelligence (HUMINT), and compromise monitoring, which can provide valuable insights to organizations in defending against cyber threats.
Abstract
The article provides an overview of the various aspects of threat intelligence, going beyond the common perception of it being solely about indicators of compromise (IoCs). It highlights several key threat intelligence activities:
Threat Modeling: Mapping out the specific threats relevant to an organization to enable informed business decisions and effective red teaming exercises.
Open-Source Intelligence (OSINT): Leveraging the internet and online platforms to gather information about threat actors and their campaigns.
Human Intelligence (HUMINT): Establishing connections with threat groups through human sources to obtain valuable intelligence about their future targets and plans.
Compromise Monitoring: Actively monitoring forums, hacking communities, and communication channels for any posts or information related to the organization or its customers.
Puppet Mastering: Developing and maintaining fake "threat actor" personas within the hacking community to collect intelligence.
The article also emphasizes the importance of understanding the differences between data, information, and intelligence, and provides examples of relevant terminology used in the threat intelligence industry, such as sources, personas, OPSEC, IoCs, TTPs, and MISP.
Additionally, the article cautions about the potential dangers associated with threat intelligence work, as it may involve interactions with criminal groups and organizations. It provides several OPSEC (Operational Security) recommendations to mitigate the risks, such as using VPNs, proxies, and maintaining separate personas.
Stats
"This is an IP address" -> Data
"This is an IP address used for Command and Control" -> Information
"This is an IP address used for Command and Control that targeted our infrastructure, looking for sensitive documents to be extracted for the purposes of economic espionage against our organization" -> Intelligence
Quotes
"The analysis of an adversary's intent, opportunity, and capability to do harm is known as cyber threat intelligence." - SANS