The number of cyberattacks is increasing rapidly, causing significant losses of revenue and reputation for businesses. According to Cybersecurity Ventures, the global cost of cybercrime is projected to reach USD 10.05 trillion annually by 2025.
Cyber Threat Intelligence (CTI) is the act of collecting threat data from various sources to help organizations better understand adversaries, their motivations, attack techniques, tactics, and the preferred attack vectors they employ. CTI will also boost an organization's ability to discover new and unknown threats. By knowing such information, organizations may foster their security defenses by adopting proactive security measures to become more prepared for future attacks.
In this post, we'll be shedding some light on popular threat intelligence sources, the threat intelligence lifecycle, CTI platforms and how to use our own SecurityTrails products for threat intelligence data collection.
- Threat intelligence sources
- Cyber threat intelligence lifecycle
- Threat intelligence platforms and tools
- How to use SecurityTrails as a threat intelligence platform
Threat intelligence sources
A security team should gather threat data (including indicators of compromise) from various online sources, both free and commercial, to ensure the most comprehensive threat intelligence coverage possible. The three primary categories of CTI sources are:
- Vendor data: Every organization uses IT infrastructure and technologies purchased from one or more vendors, for example routers, switches, server operating systems, and security appliances such as firewalls and IDS/IPS systems. Most IT vendors maintain a private threat intelligence feed, and customers can often subscribe to stay up to date with the latest threats (and newly discovered vulnerabilities) targeting their specific IT infrastructure and deployed software.
- Public sources: These are mainly operated by government agencies at no cost. Examples of public CTI sources include:
- Private sources: These are commercial enterprises that provide threat data for a fee, commonly on a subscription basis. Examples of commercial threat data sources are Accenture Security Cyber Defense, Booz Allen Cyber Threat Intelligence Services and CrowdStrike.
Cyber threat intelligence lifecycle
For threat intelligence gathering to succeed, a proper methodology or framework should be followed. A general CTI lifecycle consists of the following phases:
- Requirements: Defining the goals of collecting threat intelligence data and the methodology that will be used to achieve them.
- Collection: Threat data is collected from various sources such as public and private feeds, security solution logs, public posts on social media platforms, darknet forums and websites hosting leaked information. Open Source Intelligence (OSINT) techniques are used during this phase to discover threat information posted on publicly available sources.
- Processing: The gathered data is organized into a format that the security team can interpret easily (for example, normalized, deduplicated and tagged by indicator type).
- Analysis: The security team analyzes the collected data and transforms it into information that can be used to make informed decisions about protecting the organization's digital assets.
- Feedback: The outcomes are delivered to the relevant stakeholders, usually at regular intervals. Reports typically contain recommended courses of action and allow stakeholders to evaluate them and refine the original requirements.
Threat intelligence platforms and tools
The volume of data collected from different threat intelligence sources can be overwhelming. Tools are used to filter results and help the security team keep the data most relevant to their requirements while discarding the rest. There are different tool sets to aid in the CTI endeavor; however, a threat intelligence platform is considered the ideal option for organizations that want to aggregate data from multiple sources in an efficient, organized and automated manner.
A threat intelligence platform is a system that can be deployed either in the cloud or on-premises. It helps an organization collect data from various threat data sources (from both the darknet and the surface web) and present it in a readable format ready for analysis. Here are just a few of the numerous advantages threat intelligence platforms offer:
- Allow the searcher to conceal their real identity, so threat actors cannot know who is collecting information about them.
- Search darknet online communities and deep databases for threat data.
- Facilitate managing data acquired from security solutions such as SIEM, firewalls, and IPS/IDS so that an organization can have a holistic view of all threats surrounding its operational environment.
- Can be customized to send alerts about a specific threat type.
- Rate collected threat data according to their risk score.
- Combine various security tools in one environment to enhance business protection.
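The processing and analysis phases of the lifecycle above, and the platform's job of deduplicating and risk-rating indicators, are easier to picture with code. The following is an added example (not SecurityTrails code and not any vendor's feed schema): three constructed feeds in different shapes are normalized into one record per indicator, classified by type, deduplicated across feeds, and given a simple score. The feed layouts, the default confidence of 50 for a feed that carries none, and the "+10 per corroborating source" weighting are all assumptions made for the example.

```python
"""Normalize threat indicators from several feeds into one record format,
deduplicate them across feeds and assign a simple risk score.

Added illustrative example. Feed formats, field names, the default
confidence and the scoring weights are assumptions, not a vendor schema.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: three feeds in three shapes, as the collection
# phase might return them. Values are documentation ranges, not real IoCs.
FEED_A_CSV = """indicator,type,confidence
203.0.113.7,ip,80
bad-login.example,domain,60
203.0.113.7,ip,85
"""
FEED_B_JSON = [
    {"value": "BAD-LOGIN.EXAMPLE.", "kind": "hostname", "score": 0.9},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "kind": "md5", "score": 0.5},
]
FEED_C_LINES = """# vendor feed, one indicator per line, no confidence column
198.51.100.23
bad-login.example
not an indicator
"""

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize(value):
    """Canonical form: trimmed, lowercase, trailing FQDN dot removed."""
    return value.strip().lower().rstrip(".")


def classify(value):
    """Return 'ip', 'domain', a hash algorithm name, or None for junk."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_LENGTHS:
        return HASH_LENGTHS[len(value)]
    if DOMAIN_RE.match(value):
        return "domain"
    return None


@dataclass
class Indicator:
    value: str
    ioc_type: str
    sources: set = field(default_factory=set)
    confidences: list = field(default_factory=list)

    def risk_score(self):
        """0-100: mean confidence, plus 10 per extra corroborating feed (assumed weights)."""
        mean = int(sum(self.confidences) / len(self.confidences))
        return min(100, mean + 10 * (len(self.sources) - 1))


def parse_feeds():
    """Yield (source, raw value, confidence 0-100) from each feed shape."""
    for row in csv.DictReader(io.StringIO(FEED_A_CSV)):
        yield "feed_a", row["indicator"], int(row["confidence"])
    for entry in FEED_B_JSON:
        yield "feed_b", entry["value"], round(entry["score"] * 100)
    for line in FEED_C_LINES.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield "feed_c", line, 50  # feed has no confidence: assume neutral 50


def process(records):
    """Processing phase: normalize, classify, deduplicate; keep rejects for review."""
    table, rejected = {}, []
    for source, raw, confidence in records:
        value = normalize(raw)
        ioc_type = classify(value)
        if ioc_type is None:
            rejected.append((source, raw))
            continue
        ind = table.setdefault(value, Indicator(value, ioc_type))
        ind.sources.add(source)
        ind.confidences.append(confidence)
    return table, rejected


def ranked(table):
    """Analysis phase: highest risk first, stable by value."""
    return sorted(table.values(), key=lambda i: (-i.risk_score(), i.value))


if __name__ == "__main__":
    table, rejected = process(parse_feeds())
    for ind in ranked(table):
        print(f"{ind.risk_score():3d} {ind.ioc_type:7} {ind.value} sources={sorted(ind.sources)}")
    print("rejected:", rejected)
```

The domain seen in all three feeds ends up on top (86), the IP reported twice by a single feed is not treated as corroborated (82), and the unparseable line is kept in a reject list rather than silently dropped, so an analyst can check whether the feed format changed.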
How to use SecurityTrails as a threat intelligence platform
There are various threat intelligence platforms with varying capabilities. SecurityTrails stands out because of the rich features and data incorporated into a single platform with a friendly UI. For instance, SecurityTrails offers a comprehensive threat intelligence attack surface report that includes the following key elements:
- Infrastructure mapping: includes all active devices across a scanned network, including cloud assets. This helps you mitigate the risks of shadow IT devices. In 2020, Gartner estimated that one-third of successful attacks experienced by enterprises are on data located in shadow IT resources, including shadow Internet of Things.
- Discovery of unknown risks and other misconfigurations in the IT environment, such as open ports, exposed RDP and forgotten subdomain names.
- Asset locations: for every discovered asset, you will know its precise location and which domain name it sits under.
Let's experiment with using this platform to conduct some threat intelligence gathering:
Finding all subdomain names of a particular company helps you discover its complete domain infrastructure, which can reveal vital information. For example, many companies create a subdomain name to test some functionality or a new application, and forget to remove the subdomain after finishing; threat actors can exploit such a security gap to gain an entry point into the target environment.
To investigate the subdomain names of the target, follow these steps:
- Go to https://securitytrails.com and log in to your console area.
- Click on the 'SurfaceBrowser™' link at the top of the left menu.
- Enter the target domain name into the search form and hit Enter to begin the search.
The next page will show all associated subdomain names of the target (see Figure 1), along with the IP, hosting company and open ports.
Clicking on any of the subdomains shows a treasure trove of information about that subdomain including SSL details, redirects, historical DNS records, and more.
The "Reverse DNS" feature can be useful for discovering additional assets and hosts.
Historical DNS records can be useful for determining the evolution of a hostname over time. Sometimes, it's also used as an indicator for domain attribution.
Current and historical WHOIS records of a domain name can be viewed using the "WHOIS" functionality. Such information can prove useful when tracking the ownership of a specific domain name over time, and can help in finding other domain names belonging to the same owner (known as "reverse WHOIS"), even if they currently use a WHOIS privacy service.
The SSL functionality provides all information about any related SSL certificates for the company. It can also be used in reverse, to discover all hostnames using a particular SSL certificate, which is an excellent way to uncover additional assets.
A threat intelligence platform is an emerging cybersecurity technology that facilitates aggregating threat data from a wide variety of sources. This article discusses the importance of CTI and the general intelligence lifecycle.
It is easy to see how the combination of exhaustive data and the excellent platform offered by SecurityTrails could be used as a powerful threat intelligence platform by any company wishing to enhance its threat intelligence capabilities.