Following up on our post the other day, we found this great example of the difference between threat data (as in all those “feeds” with indicators) and threat intelligence on Black Hills’ security blog. Basically, intelligence is data with context. Creating intelligence from data often involves understanding each indicator within the larger narrative of an attack, and organizations today are using standardized kill chains as that attack narrative. Map enough of these attacks together by placing their indicators within the kill chain and trends start to emerge. These similarities lead to attacker TTPs … otherwise known as intelligence. Got it? Below is the relevant part of the Black Hills post.
To me there are two categories. The first is Atomic Indicators of Compromise (IOCs). These are things that cannot be broken down further into additional data such as IP addresses, domain names, and file hashes. These are typically what you see in a threat intelligence feed.
Atomic indicators are then used to help describe the next category – Tools, Techniques, and Procedures (TTPs). This describes the tools an attacker uses, the techniques they employ with those tools, and the procedures they follow to reach a specific goal. This is generally not what you find in a threat intelligence feed.
For example: “When this attacker sent an email from the server at this IP address, the malicious attachment with this file hash created a command and control channel to the server at this IP address. Then the attacker downloaded and used this Remote Access Tool and moved laterally in the internal network over SMB and gathered this type of sensitive data from these systems and used this compression method to package up the data and exfiltrate it to this other IP address.”
Wait, this sounds difficult to figure out. How can an appliance do that?! It is. Very difficult. An appliance or feed cannot do that kind of analysis; people do that analysis. Attackers can change atomic indicators relatively easily. When they do, the feed does not help detect that attacker any longer until an actual person somewhere does some analysis and adds new data back in.
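To make the distinction concrete, here is an added example (ours, not code from the Black Hills post) that models two past intrusions and one fresh one as indicators placed in kill-chain phases. All incidents, IPs and hashes in it are constructed sample data, and the phase names are our own simplified kill chain; it shows that a feed built from past atomic indicators misses the new intrusion while the recurring TTPs still match it.

```python
"""Added example (not from the Black Hills post): mapping atomic indicators
onto kill-chain phases to surface attacker TTPs. All incident data below is
constructed (documentation IPs, placeholder hashes), not real observations."""
from collections import Counter

# Each incident: list of (kill_chain_phase, technique, atomic_indicator).
# The attacker rotated every indicator between intrusions but reused the
# same tools and techniques in the same order.
INCIDENTS = {
    "inc-1": [("delivery", "phish with macro doc", "203.0.113.10"),
              ("c2", "HTTPS beacon", "sha256:PLACEHOLDER-A1"),
              ("lateral", "RAT over SMB", "sha256:PLACEHOLDER-A2"),
              ("exfil", "RAR over HTTPS", "198.51.100.7")],
    "inc-2": [("delivery", "phish with macro doc", "203.0.113.55"),
              ("c2", "HTTPS beacon", "sha256:PLACEHOLDER-B1"),
              ("lateral", "RAT over SMB", "sha256:PLACEHOLDER-B2"),
              ("exfil", "RAR over HTTPS", "198.51.100.42")],
}
# A fresh intrusion by the same actor: new indicators, same TTPs.
NEW_INCIDENT = [("delivery", "phish with macro doc", "192.0.2.200"),
                ("c2", "HTTPS beacon", "sha256:PLACEHOLDER-C1"),
                ("lateral", "RAT over SMB", "sha256:PLACEHOLDER-C2"),
                ("exfil", "RAR over HTTPS", "192.0.2.9")]

def atomic_indicators(incident):
    """What a feed carries: bare indicators, no phase or technique context."""
    return {ind for _, _, ind in incident}

def ttp_sequence(incident):
    """What analysis produces: ordered (phase, technique), indicators dropped."""
    return tuple((phase, tech) for phase, tech, _ in incident)

def recurring_ttps(incidents, min_incidents=2):
    """(phase, technique) pairs seen in at least min_incidents incidents."""
    counts = Counter()
    for inc in incidents.values():
        counts.update(set(ttp_sequence(inc)))
    return {ttp for ttp, n in counts.items() if n >= min_incidents}

def feed_matches(incident, known):
    """Does a feed built from past incidents hit any indicator in this one?"""
    seen = set().union(*(atomic_indicators(i) for i in known.values()))
    return bool(atomic_indicators(incident) & seen)

def ttp_matches(incident, known):
    """Does the TTP profile built from past incidents cover this one?"""
    return set(ttp_sequence(incident)) <= recurring_ttps(known)
```

Running `feed_matches(NEW_INCIDENT, INCIDENTS)` returns False while `ttp_matches(NEW_INCIDENT, INCIDENTS)` returns True, which is the whole argument in miniature: the rotated indicators defeat the feed, the analyst-derived TTPs do not.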
I’ve only touched the surface of this article so be sure to read the full version here.
Today’s post pic is from Wikipedia.org. See ya!