OSINT Sources: Trends in the Threat Intelligence Market
Yann Le Borgne
When building a threat intelligence library, it is important to determine a methodology that covers all aspects of intelligence, thus ensuring that what is created can be effectively used operationally, tactically, and strategically.
One way to do this is to use a system based on a “pyramid of pain”, starting with the strategic vision and descending towards more operational aspects, remembering that each step will be linked to the previous one to maintain a homogeneous overall context and understand the links between the different layers.
Most cybersecurity professionals use commercial sources as well as OSINT sources for this process. Below are some of the OSINT sources most commonly encountered by our team:
Adversary reader – APT Groups and Operations: This enables the creation of a documentation library and reference source for the main adversaries encountered. This document, which can be freely accessed at the link below, allows the first level of the library to be populated using public reference sources and a large quantity of information that can be downloaded for local storage in the library.
MITRE ATT&CK: MITRE provides two types of information for the cyber community based around its ATT&CK framework.
This framework was built as a matrix of techniques used by adversaries during the various stages of an attack. Each of these techniques is described in detail and accompanied by important information such as data sources to monitor for detection, target systems, and courses of action to mitigate the risk represented. The initial “Enterprise” matrix was later complemented by the “Mobile” and “Pre-Attack” matrices to cover the scope of the reconnaissance phase and the IoT environment. The first part of this data is useful for attack modelling, implementing effective countermeasures for blue teaming, or for evaluating security solutions.
In addition to this analysis and modelling framework, MITRE also provides a knowledge base on a number of adversaries. Here we can find a framework-based analysis of the techniques and tactics used by these adversaries. This is a very useful first dataset for building a minimal knowledge base about a certain number of groups. In addition to being a helpful foundation for the company’s local knowledge library, this data can be very useful for blue/red teaming exercises and can also be used to evaluate defences against the listed adversaries from a functional standpoint.
MALPEDIA: Malpedia is a free service focused on identifying and providing context around malware families. Malpedia provides information at various levels: adversaries, malware, samples, YARA rules, and context. This source is helpful for making a link from the highest level (adversaries) through to actions (YARA rules) by articulating this link around malware families.
NVD: This source is published by NIST (National Institute of Standards and Technology – US Department of Commerce). This allows the library to have the option of covering use cases associated with wide-scale vulnerability management.
ExploitDB: Combined with the previous source, this adds detail on vulnerabilities and their exploitability, and helps link them to the tools and malware acquired from the previous sources.
AlienVault Pulse: This is the first appearance of technical indicators actionable for the organisation’s defences. OTX Pulse allows collaborative information sharing on its platform. Users or particular pulses can be “followed” to choose Pulse events to be added to the local library. These “pulses” provide both technical indicators and a link with the upper layers of our model, malware families, adversaries, etc. However, special care should be taken when choosing what to import automatically, as multiplying the selections can soon result in being inundated by the mass of information available.
MISP CIRCL: Of course MISP, the sharing platform par excellence, has its own circle of trust for sharing, known as CIRCL. Once again, this contains a good mix of actionable information (technical indicators) and high-level data, provided in MISP as “galaxies”. Frameworks are also available in this form, including MITRE ATT&CK, presented as a “galaxy”.
Phishtank and Bambenek: These sources, commonly used by our clients, provide actionable indicators for defences. They also enable links to be made with the upper layers of the model thanks to the context provided (malware families in particular).
By correctly integrating these sources, we can quickly link the technical data to the top of the “pyramid of pain” (adversaries, techniques, tactics, etc.).
It is important (particularly with regard to sources providing actionable indicators) to select only those which relate to the cyber risks managed by the company. “Technical” sources are often focused on certain risks and must therefore be carefully selected according to need.
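As an added example (not code from the article), here is a small Python routine that builds such linked library entries from a MISP-style event: the galaxy tags supply the adversary, malware family and ATT&CK technique context, the to_ids flag selects the actionable indicators, and events whose techniques fall outside the company's managed risks are dropped rather than imported. The event data is constructed, and the misp-galaxy tag convention is an assumption about the MISP export format.

```python
"""Added example: link MISP-style indicators to the pyramid's upper layers."""
import json
import re
from collections import defaultdict

# Constructed sample event in the shape of a MISP JSON export (not real data).
# Galaxy tags are assumed to follow MISP's misp-galaxy:<cluster>="<value>" form.
SAMPLE_EVENT = json.loads(r'''{
  "Event": {
    "Tag": [
      {"name": "misp-galaxy:threat-actor=\"Example Actor\""},
      {"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\""},
      {"name": "misp-galaxy:malpedia=\"ExampleRAT\""},
      {"name": "tlp:amber"}
    ],
    "Attribute": [
      {"type": "domain", "value": "phish.example.invalid", "to_ids": true},
      {"type": "ip-dst", "value": "192.0.2.10", "to_ids": true},
      {"type": "comment", "value": "analyst note, not an indicator", "to_ids": false}
    ]
  }
}''')

GALAXY_TAG = re.compile(r'^misp-galaxy:([^=]+)="(.*)"$')

def galaxy_context(event):
    """Parse galaxy tags into {cluster: [values]}; other tags (e.g. tlp:*) are ignored."""
    ctx = defaultdict(list)
    for tag in event["Event"].get("Tag", []):
        if match := GALAXY_TAG.match(tag["name"]):
            ctx[match.group(1)].append(match.group(2))
    return dict(ctx)

def actionable_indicators(event):
    """Only attributes flagged to_ids are meant to be pushed to defences."""
    return [(a["type"], a["value"])
            for a in event["Event"].get("Attribute", []) if a.get("to_ids")]

def build_library_entries(event, managed_techniques):
    """Attach adversary/malware/technique context to each actionable indicator;
    return [] when no technique in the event is a risk the company manages."""
    ctx = galaxy_context(event)
    techniques = ctx.get("mitre-attack-pattern", [])
    # Technique IDs sit after the last " - " in the galaxy value, e.g. "Phishing - T1566".
    if not {t.rsplit(" - ", 1)[-1] for t in techniques} & set(managed_techniques):
        return []
    return [{"type": kind, "indicator": value, "techniques": techniques,
             "adversary": ctx.get("threat-actor", []), "malware": ctx.get("malpedia", [])}
            for kind, value in actionable_indicators(event)]
```

The same filter applied to every imported pulse or event is what keeps the automatic selection from flooding the library with indicators unrelated to the risks the company actually manages.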