Threat Intelligence for Defenders

beginner
hands-on

Threat intelligence comes in various forms and can carry different kinds of information about adversaries, but not all threat indicators are equally valuable to defenders.

Threat indicators can be of the following types:

  • Hash values
  • IP addresses
  • Domain names
  • Network artifacts
  • Host artifacts
  • Tools
  • Tactics, Techniques, and Procedures (TTPs)
The Pyramid of Pain, introduced by David Bianco, ranks these indicator types by how much pain a defender's use of them inflicts on the adversary, or in other words, how effectively each type can be used to stop them in future incidents. Hash values sit at the bottom: they are the easiest indicator to obtain and share, but also the cheapest for an adversary to change, since recompiling a file or altering a single byte of it produces a completely new hash, so a hash-based block rarely helps beyond the incident it came from. IP addresses and domain names cost a little more to replace, and network and host artifacts and tools more still. At the top sit TTPs, which describe how the adversary accomplishes each step of the attack, from initial reconnaissance through to data exfiltration. TTPs capture adversary behavior rather than the signatures of their files or tools, which makes them the most effective type of threat indicator: once a defense is built against a particular behavior, the adversary has to change how they operate to evade it, which cannot be done quickly or cheaply. TTP-based countermeasures therefore remain effective against APTs for far longer than atomic indicators do.

Among the different categories of threat intelligence, tactical threat intelligence is the one that describes the TTPs threat actors use to achieve their goals, which makes it the most important category from a technical security standpoint.
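The contrast between atomic indicators and a behavioral detection can be shown concretely. The script below is an added example written for this page, not part of the course material. It runs two constructed process-creation events from the same adversary, plus one benign event, through a hash match, an IP match, and a behavioral rule for an Office application spawning PowerShell with an encoded or hidden command line. The payload hashes, IP addresses (taken from the RFC 5737 documentation ranges), command lines, and the rule logic are all constructed for illustration.

```python
"""Pyramid of Pain in practice: atomic indicators (hash, IP) versus a
behavioural (TTP) rule, run over constructed process-creation events.

Added example for this page; not the trainer's or Cyware's code. Every
event, hash, address and the rule itself is constructed for illustration.
"""
import hashlib
import re

# Constructed process-creation events with Sysmon EID 1 style fields.
# Event 1: the original intrusion.  Event 2: the same adversary after
# recompiling the payload and moving C2; only the hash and IP differ.
# Event 3: routine admin activity that a good rule must not flag.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {
        "id": 1,
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": PS_PATH,
        "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
        "dest_ip": "203.0.113.45",                       # TEST-NET-3, constructed
        "sha256_of_payload": hashlib.sha256(b"constructed payload build 1").hexdigest(),
    },
    {
        "id": 2,
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "image": PS_PATH,
        "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
        "dest_ip": "198.51.100.7",                       # TEST-NET-2, constructed
        "sha256_of_payload": hashlib.sha256(b"constructed payload build 2").hexdigest(),
    },
    {
        "id": 3,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": PS_PATH,
        "command_line": "powershell.exe -File C:\\scripts\\rotate-logs.ps1",
        "dest_ip": "10.0.0.12",
        "sha256_of_payload": hashlib.sha256(b"rotate-logs.ps1").hexdigest(),
    },
]

# Atomic indicators "shared" after the first incident: the dropper hash and
# the C2 address seen at the time.  Both are constructed.
KNOWN_BAD_SHA256 = {EVENTS[0]["sha256_of_payload"]}
KNOWN_BAD_IPS = {"203.0.113.45"}

# Behavioural (TTP) rule pieces: Office parent, PowerShell child, and an
# encoded and/or hidden command line (maps to ATT&CK T1059.001 following
# T1566 phishing delivery).  Regexes are constructed for this example.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)(\s|$)", re.I)
HIDDEN_FLAG = re.compile(r"(^|\s)-w(indowstyle)?\s+hidden(\s|$)", re.I)


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def match_hash(event):
    """Bottom of the pyramid: exact hash match against the feed."""
    return event["sha256_of_payload"] in KNOWN_BAD_SHA256


def match_ip(event):
    """One level up: destination IP match against the feed."""
    return event["dest_ip"] in KNOWN_BAD_IPS


def match_ttp(event):
    """Top of the pyramid: Office app spawning encoded/hidden PowerShell."""
    parent = _basename(event["parent_image"])
    child = _basename(event["image"])
    cmd = event["command_line"]
    return (parent in OFFICE_PARENTS
            and child in ("powershell.exe", "pwsh.exe")
            and bool(ENCODED_FLAG.search(cmd) or HIDDEN_FLAG.search(cmd)))


def triage(events):
    """Return {event_id: {"hash": bool, "ip": bool, "ttp": bool}}."""
    return {e["id"]: {"hash": match_hash(e), "ip": match_ip(e), "ttp": match_ttp(e)}
            for e in events}


if __name__ == "__main__":
    for event_id, hits in triage(EVENTS).items():
        print(event_id, hits)
```

In the second event the adversary has recompiled the payload and moved to a new C2 address, so both atomic matches fail while the behavioral rule still fires; the third event shows that the rule ignores PowerShell launched from a normal desktop session. A rule like this is what a TTP-level indicator becomes in a SIEM or EDR, and its cost is tuning: legitimate Office-to-PowerShell activity in the environment has to be baselined before the rule can alert without noise.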

About the Trainer:

Avkash Kathiriya, VP - Security Research and Innovation at Cyware Labs, is an information security professional with over 10 years of experience on the defensive side of the information security domain. He currently works on security research in automated incident response, using orchestration and threat intelligence frameworks for practical implementation. He is also associated with the Mumbai chapter of the null community (an open security community).