July 9, 2020 • The Recorded Future Team
Editor’s Note: Over the next several weeks, we’re sharing excerpts from the second edition of our popular book, “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.” Here, we’re looking at chapter 11, “Analytical Frameworks for Threat Intelligence.” To read the entire chapter, download your free copy of the handbook.
Renowned author Napoleon Hill once said, “First comes thought; then organization of that thought into ideas and plans; then transformation of those plans into reality.”
In just about everything in life, this process holds true. To make something happen — from building a tree fort, to launching a new business, to running for public office, to making a scientific breakthrough — creativity and great ideas will only get you so far. You need a conceptual framework, or a structured way of thinking, acting, and communicating to accomplish your goal. Further, you need the people involved in your shared venture to understand that framework, what resources are available, and what the short-term plans and long-term strategies are for reaching that goal.
The same is true for security. To effectively analyze the massive amount of data and information that’s available, security teams require a framework to process all the information that flows their way. They then need the proper context to make fast, confident decisions. Analytic frameworks are essential for applying security intelligence across an organization’s entire security ecosystem — including teams, processes, and workflows — to streamline efforts and amplify risk reduction.
In this chapter, which has been edited and condensed for clarity, we explore the advantages of using intelligence frameworks. We also examine the strengths and weaknesses of the three best-known frameworks and how the frameworks complement one another.
We understand the world through conceptual frameworks — mental schema that we map over reality to categorize it and create a sensible narrative. We can also think of conceptual frameworks as paradigms, which Wikipedia defines as “a distinct set of concepts or thought patterns, including theories, research methods, postulates, and standards for what constitutes legitimate contributions to a field.”
Scientific paradigms, for example, represent one important set of shared conceptual frameworks, within which people work together toward a common goal — in the case of science, investigating physical phenomena. If, say, physicists didn’t agree on the definition of words like force, mass, or acceleration, and how to measure them, individual investigations into the nature of physics would not be replicable and the field could not advance.
Creating a shared conceptual framework is an essential prerequisite for the success of any venture, at any scale. Whether we’re talking about a couple of kids opening their first lemonade stand or a Fortune 500 company making their big Q4 push, teams need to have a shared understanding of their goals, what resources they have available, and what their short-term plans and long-term strategies are. In other words, they need to all agree on how their ways and means align with the ends they have in mind, and they need to have a commonly agreed-upon way of talking about it.
Analytical frameworks are essential for learning how to apply threat intelligence effectively and cross-functionally. Threat intelligence is not only for analysts and cybersecurity professionals who have the technical understanding to read over a threat data feed — it also provides much-needed context for high-level decision making around issues like digital risk management and technology investment strategies.
In this chapter from our new book, “The Threat Intelligence Handbook,” which has been edited and condensed for clarity, we will explore a few complementary conceptual frameworks for understanding threat intelligence.
Analytical Frameworks for Threat Intelligence
Threat intelligence frameworks provide structures for thinking about attacks and adversaries. They promote a broad understanding of how attackers think, the methods they use, and where in an attack lifecycle specific events occur. This knowledge allows defenders to take decisive action faster and stop attackers sooner.
Frameworks also help focus attention on details that require further investigation to ensure that threats have been fully removed, and that measures are put in place to prevent future intrusions of the same kind.
Finally, frameworks are useful for sharing information within and across organizations. They provide a common grammar and syntax for explaining the details of attacks and how those details relate to each other. A shared framework makes it easier to ingest threat intelligence from sources such as threat intelligence vendors, open source forums, and information sharing and analysis centers (ISACs).
The Lockheed Martin Cyber Kill Chain®
The Cyber Kill Chain, first developed by Lockheed Martin in 2011, is the best known of the cyber threat intelligence frameworks. The Cyber Kill Chain is based on the military concept of the kill chain, which breaks the structure of an attack into stages. By breaking an attack up in this manner, defenders can pinpoint which stage it is in and deploy appropriate countermeasures.
The Cyber Kill Chain describes seven stages of an attack:
- Command and Control
- Actions and Objectives (sometimes referred to as exfiltration)
Security teams can develop standard responses for each stage. For example, if you manage to stop an attack at the exploitation stage, you can have high confidence that nothing has been installed on the targeted systems and full incident response activity may not be needed.
The Cyber Kill Chain also allows organizations to build a defense-in-depth model that targets specific parts of the kill chain. For example, you might acquire third-party threat intelligence specifically to monitor:
- References to your enterprise on the web that would indicate reconnaissance activities
- Information about weaponization against newly reported vulnerabilities in applications on your network
Limitations of the Cyber Kill Chain
The Cyber Kill Chain is a good way to start thinking about how to defend against attacks, but it has some limitations. One of the big criticisms of this model is that it doesn’t take into account the way many modern attacks work. For example, many phishing attacks skip the exploitation phase entirely, and instead rely on the victim to open a Microsoft Office document with an embedded macro or to double-click on an attached script.
But even with these limitations, the Cyber Kill Chain creates a good baseline to discuss attacks and where they can be stopped. It also makes it easier to share information about attacks within and outside of the organization using standard, well-defined attack points.
The Diamond Model
The Diamond Model was created in 2013 by researchers at the now-defunct Center for Cyber Intelligence Analysis and Threat Research (CCIATR). It is used to track attack groups over time rather than the progress of individual attacks.
In its simplest form, the Diamond Model looks similar to the image below. It is used to classify the different elements of an attack. The diamond for an attacker or attack group is not static, but rather evolves as the attacker changes infrastructure and targets and modifies TTPs.
The Diamond Model helps defenders track an attacker, the victims, the attacker’s capabilities, and the infrastructure the attacker uses. Each of the points on the diamond is a pivot point that defenders can use during an investigation to connect one aspect of an attack with the others.
Let’s say you uncover command and control traffic to a suspicious IP address. The Diamond Model would help you “pivot” from this initial indicator to find information about the attacker associated with that IP address, then research the known capabilities of that attacker.
Knowing those capabilities will enable you to respond more quickly and effectively to the incident. Or imagine that your threat intelligence solution uses the Diamond Model. If the board of directors asks who is launching similar attacks against other organizations in your industry (attribution), you may be able to quickly find a list of victims, the probable attacker, and a description of that attacker’s TTPs. These will help you decide what defenses need to be put in place.
One of the big advantages of the Diamond Model is its flexibility and extensibility. You can add different aspects of an attack under the appropriate point on the diamond to create complex profiles of different attack groups. Other features of an attack that can be tracked include:
Challenges With the Diamond Model
The downside is that Diamond Models require a lot of care and feeding. Some aspects of the model, especially infrastructure, change rapidly. If you don’t update the diamond of an attacker constantly, you run the risk of working with outdated information.
Even with these challenges, though, the Diamond Model can make the jobs of many security people easier by helping get everyone fast answers about threats.
The MITRE ATT&CK™ Framework
MITRE is a unique organization in the United States: a corporation responsible for managing federal funding for research projects across multiple federal agencies. It has had a huge impact on the security industry, including the development and maintenance of the Common Vulnerabilities and Exposures (CVE) database and the Common Weakness Enumeration (CWE) databases.
MITRE has developed a number of other frameworks that are very important for threat intelligence, including:
- The Trusted Automated Exchange of Intelligence Information (TAXII™): A transport protocol that enables organizations to share threat intelligence over HTTPS and use common application programming interface (API) commands to extract that threat intelligence
- Structured Threat Information eXpression (STIX™): A standardized format for presenting threat intelligence information
- The Cyber Observable eXpression (CybOX™) Framework: A method for tracking observables from cybersecurity incidents
Categories of Attacker Behavior
The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework was created as a means of tracking adversarial behavior over time. ATT&CK builds on the Cyber Kill Chain, but rather than describe a single attack, it focuses on the indicators and tactics associated with specific adversaries.
ATT&CK uses 11 different tactic categories to describe adversary behavior:
- Initial Access
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Command and Control
Each of these tactical categories includes individual techniques that can be used to describe the adversary’s behavior. For example, under the Initial Access category, behaviors include Spearphishing Attachment, Spearphishing Link, Trusted Relationship, and Valid Accounts.
This classification of behaviors allows security teams to be very granular in describing and tracking adversarial behavior and makes it easy to share information between teams.
ATT&CK™ is useful across a wide range of security functions, from threat intelligence analysts to SOC operators and incident response teams. Tracking adversary behavior in a structured and repeatable way allows teams to:
- Prioritize incident response
- Tie indicators to attackers
- Identify holes in an organization’s security posture
Get ‘The Threat Intelligence Handbook’
This chapter is just one of many in our new book that provides helpful explanations of the different ways threat intelligence can be applied to your security program. Other chapters look at different use cases for threat intelligence, like how it can benefit vulnerability management, incident response, security leadership, and more.
And as far as this chapter goes, you’ll find more content in the book as well, including more charts and figures, like a timeline showing trends in the proliferation of malware families. Get your free copy of “The Threat Intelligence Handbook” now.