Threat Intelligence: Different Types of TI and the Use of TI in Radiflow Breach Simulations
By Dr. Yehonatan Kfir, CTO, Radiflow
In my previous post I wrote about the importance of using Threat Intelligence (TI) as part of constructing a cyber-risk strategy. In this post I will describe the different types of TI, what you can can get from TI, and what can be misleading if TI is used incorrectly.
There are three types of threat intelligence: tactical, operational and strategic.
Tactical threat intelligence
Tactical threat intelligence includes domains, IP addresses and file hashes, and is normally consumed through security sensors. Tactical TI feeds are used to update the organization’s investigative or monitoring sensors, e.g. firewalls and domain filtering, by blocking attempted connections to malicious servers.
Operational threat intelligence
The second type of TI is operational threat intelligence. This type is used to share information about how threat actors conduct attacks. Operational TI is used by incident responders to ensure that their defenses and their investigation capabilities are updates with the latest attack methods. Operational TI is often obtained by reading technical white papers or by communicating with peers in other organizations whom had observed attacker behavior.
Sharing threat information requires a structured and unified framework for describing threats. To this end, TI-sharing providers have gone to great lengths to model and standardize adversary behavior. For example, the Common Attack Pattern Enumeration and Classification (CAPEC™) provides a catalog of attack patterns as well as classification taxonomy.
Another widely-used modeling framework is MITRE’s Adversarial Tactics, Techniques and Common Knowledge (ATT&CK), designed to identify the most reliable indicators of sophisticated attacks. The framework presents commonly-observed adversarial tactics and techniques, based on intelligence gathered on many advanced persistent threat (APT) groups.
In this framework, tactics represent types of adversaries’ actions (e.g. reconnaissance, initial access and more); and for each type/tactic, the framework details its exact methods of operation, or techniques. For example, techniques for performing initial access include: spearphishing attachment and exploit public-facing application, among others. MITRE also released a dedicated model for ICS, called ATT&CK ICS.
In the figure above, as an example, we can see the most-used tactics in the UK against Energy Sector networks, which in turn indicate the most effective mitigation measures (data to the figure was taken from MITRE TI source). However, this TI provides no information about the rate of cyber attack attempts on energy companies in the UK – is it once every 10 years or once a month? This would obviously change the risk level significantly. This type of information is provided as part of Strategic TI.
Strategic Threat Intelligence
Strategic Threat Intelligence consists of high-level information that helps risk managers understand current risks and identify upcoming risks, of which they are yet unaware. This may include the financial impact of cyber activity, attack trends, historical data or predictions for each threat’s activity. Using this information, each user company’s board is able to weigh the risk posed by each possible attack and allocate budgets and resources for mitigation.
TI for Breach Simulation
Combining information from multiple TI types can provide a holistic view of the threats to a specific sector in a specific region. In some cases, it can also provide quantitative information about the loss magnitude of a cyber event or the threat event frequency. However, this combined-TI still tells us nothing about the vulnerability of users’ networks to those threats. There’s another missing piece in the puzzle: the evaluated network properties. Only with this information would it be possible to efficiently transform the TI into effective actions.
For example: in the figure above, we can see that spear-phishing is one of the most used tactics among attackers in the Energy Sector in UK. Does this mean that all the risk officers in the UK energy sector should spent their entire security budget on spear-phishing defenses? Not necessarily – simply because spear-phishing may not be an applicable technique in the highest risk zones in the OT network. If the organization has adequate IT-OT segmentation in place, spear-phishing would not cause significant damage. Instead, risk officers may consider installing defenses against insider threats and improving their user-authentication tools – since attack techniques exploiting weak user authentication are more applicable in the OT network. Therefore, using only TI, may lead to incorrect investments in security. Risk officers must consider the specific OT network properties,
Every OT network has its own unique properties: topology, vulnerabilities, security controls and more. These network properties define which tactics can indeed be used in the network and which can’t. Consequently, these properties define which threats have a higher likelihood of compromising the network. Assuming the network is well-modeled, risk officers can now evaluate the entire “attack chain”: which threats are targeting the network, at what frequency, and what is the likelihood of these threats compromising the network, given the network properties and security controls deployed.
Using the TI and the network model, Radiflow’s TI-based breach simulation can evaluate over 100 “attack chains” for different threats. In a matter of seconds, the simulation evaluates which devices are more likely to be compromised, which mitigations are the most effective and which threats are the most dangerous to your specific network.
Another lack of the the general TI related to the “second best mitigation to choose”. Let’s take a closer look at one of the outputs provided by the Radiflow simulation: the Control Level, which denotes the percentage of TTPs that are mitigated by one or more security controls, out of all of the TTPs used by the attackers targeting the evaluated network. You can see in the figure that Network Intrusion Prevention and Privileged Account Management cover the largest number of TTPs. Therefore, implementing one of them will yield the largest Control Level increase.
But which mitigation should you choose second? This is where it becomes less clear. The second chosen mitigation should be the one that covers the largest number of TTPs which were not covered by previous chosen mitigations. Furthermore, when you add in budget constraints, compliance requirements and the potential impact/risk projected for the different TTPs, the process of prioritizing mitigations becomes incredibly complex. This further emphasizes why it’s imperative to run a simulation that’s able to evaluate all options, based on the actual evaluated network model.
The main challenge in the modeling part is of course producing an accurate network model — better accuracy provides more effective results. In the next posts we will further elaborate on how Radiflow’s visibility and detection system can be used to build the network model, the attackers and the mitigations used. In addition, we will show how the Radiflow model enables presentation of results and receiving inputs using any terminology or security standard, e.g. IEC-62443.
In this post, the second of three, Radiflow CTO Dr. Yehonatan Kfir discusses the different types of Threat Intelligence (TI), the benefits of using TI within an OT network risk assessment, and the problems with misuse of TI.