CYBER THREAT INTELLIGENCE (CTI) SERVICES
“If you don’t know where you are going, you’ll end up someplace else.” Yogi Berra. Cyber Threat Intelligence (CTI) is a new buzz word, however the process and practice of CTI has been used within Nettitude for a long time.
Request a free quote
LOOKING FOR CYBER THREAT INTELLIGENCE SERVICES?
Nettitude is far more than just a provider of security services. Our desire is to work in partnership together with our clients to provide a secure platform and successful project delivery for your products and services using our threat intelligence data feeds.
We will aim to impart knowledge, advice and assistance to help you deploy changes in behaviour, understanding, and where appropriate, culture. This will then provide you with a robust foundation, which will help you develop and grow your security platform.
We deliver this through active engagement, education and knowledge, sharing about the risks, techniques and remediation/prevention actions required.
Our aim is to give you the capabilities, knowledge and assistance to reduce risk to an acceptable level.
PRODUCT & SERVICES
Cyber Threat Intelligence services can be accessed through a range of different products and services:
- Targeted Attack & Response Scenario Planning (for example threat actor discovery/attack surface analysis)
- Technical Threat Intelligence Data Feeds (enhanced capabilities within our SOC managed services)
- Incident Response Investigations (using our intelligence platforms to determine and trace threat actor intents, motivations and sources)
- Threat Advisories (regular reports and advisories issues upon events, investigations or key threats as they emerge)
- Bespoke CTI Products and Services (services tailored to events, geographies or your specific needs)
Our CTI methodology is based on industry standards. It follows best practice from industry bodies and from the UK Governments National Intelligence Model (NIM) adopted by the UK Police Force and many other agencies.
1. Planning & Preparation
This is broken down into a number of steps within the initial stage:
- Focus and Orientation – Engagements start with a workshop/briefing to determine the overall objectives and goals to be agreed. The project milestones, deliverables and length will be defined.
- Scoping – The methods, data sources and type of analysis, the scope of the project in terms of business units and geography will be discussed.
- Team and Technology Selection – From this the right team – with the right background and experience, tools and data sources will be agreed.
- Deliverables and Reporting – The reporting and communication process for the project will be discussed and agreed. Strategic, Operational and Tactical deliverables and communication points/methods will be defined.
2. Data Collection
Data Collection will happen in a number of ways depending on the goals and objectives of the intelligence gathering. These can form a number of the following:
- In House Sources – They can be taken from our internal sources (such as our global honeypot network, our IOC database, our malware and technical databases and threat actor profiles).
- Open Source Data Feeds – Technical data from open source feeds for URL, IP and malware analysis and process 10’s of thousands of elements every data to provide context, verification and validation before use.
- Client Sources – Such as log/SIEM data, email, monitoring software and network/data capture tools, people, public resources, etc.
- Open Source (public) Intelligence – As well as utilising the wealth of open source tools we have built custom tools to analysis and extract data from malware samples. We search and look at data gathered from a wide range of social media sites, forums, data dumps, inc dark web sites and locations.
- Commercial Tools – We can ingest a wide variety of paid data feeds. For example, operational threat intelligence from companies such as Digital Shadows, are part of our solution.
- Human and Physical Intelligence – In some situations the use of proactive involvement in the collection of information is required. For example, personal meetings/conversations, social engineering, joining forums and groups, linking to associates, setting up social media aliases, etc.
Data arrives and is gathered in many forms and the processing needs can vary between data sets.
- Structured/Unstructured Data – Where data is received in know or supported formats this process can be quickly performed. Formats supported include the main IOC formats (OpenIOC, STIX, XML, etc). Data that arrives unstructured will also be processed. Tools and techniques to identify key indicators, meta data and IOC information have been built to ensure that this data can be made available to the analysts in the next stage.
- Direct Source Intelligence – Evidence may be collected direct from sources through interview, observation or first-hand source materials. This is collected on an adapted 5x5x5 form which includes an assessment of the source confidence and reliability levels, as well as the factual findings. Some of this material can be incorporated into our main platform, either in the raw forms or as additions to the threat actor profiles.
Our CTI big data processing platform has been purpose built to run queries and analysis on large and historic datasets with ease.
4. Analysis & Production
This stage is where the bulk of the threat analyst’s role comes into play. Each team member will have a clear idea of the objectives and goals of the work. We use a number of methodologies to conduct investigations and analysis including the Diamond Model and Kill Chain concepts:
- Analysis Stage 1: Threat/Adversary Investigation – Build up a picture of the threat actor, the group they may be part of, their origin and background.
- Analysis Stage 2: Victim Investigation – What do we know about the victim in terms of the company, assets, sector, geography, etc, but also in terms of the individual being targeted, their profile and attack surface.
- Analysis Stage 3: Infrastructure Investigation – What do we know about the method of attack, the C2 structure, the composition of any malware, proxy services, domains, social profiles, etc. We map these findings to the kill chain to determine how much of the whole attack process is understood.
- Analysis Stage 4: Capability Investigation – What payloads and implants have been used? How sophisticated is their approach? What covert and methods of remaining hidden have they deployed? We use the kill chain extensively at this point to identify the capabilities and methods used/potentially to be used.
- Analysis Stage 5: Social-Political – Motives and intents. Why has this attack happened/will happen? What are the motivations of the attacker?
- Analysis Stage 6: Technical – What are the tactics, techniques and processes employed by this attack/threat actor? How well do we know what they are and how well are they understood. The kill chain is again used to map out the understanding at each of the key stages of the attacks.
5. Product Briefings & Reports
- Strategic Briefings
- Operational Briefings
- Tactical briefings
Our tools can be categorised as below:
In House Data Capture – The Nettitude global honey pot network has over 200 nodes located in 20+ countries. Data collected is combined with other sources to create our internal IOC database, malware database and threat actor profiles. We use a combination of malware analysis, machine learning and big data platforms to analysis and present information to our threat analysis team.
Open Source Data Feeds – We process multiple feeds on a daily basis. All data is validated through the use of custom tools and active analysis – false positives are removed and context is added to the IP/URL/Malware samples.
Your Environment – Data is taken from tools you may already have directly, for example logging/SIEM data from Firewalls, FIM, IPS/IDS, AV, DLP, etc. We can also capture and take PCAP network traffic using our own tools that can be deployed.
OSINT – Many open source/freely available tools and techniques are used to access publically available data.
Commercial Tools – We have a number of commercial tools including Digital Shadows which gives access to their operational threat actor platform, and internet search/investigation tools. We can also integrate and consume date from many other providers as required.
Honey Traps – The network architecture is key. We ensure our sensors are deployed to ‘see’ all the monitored areas of the network. We also deploy honey traps in client environments in order to capture suspicious events that can be investigated as a priority.
HUMINT – Where required we can also gather human based information, for example through forums, social engineering.