Using threat intelligence to produce a cyber defence strategy

Using threat intelligence to produce a cyber defence strategy

Very few practitioners need to be told of contemporary cyber threats such as ransomware, it has found its way into the common language of risk assessments, disaster recovery plans and mainstream media alike. But what can be done other than writing playbooks and practicing response plans, following the Essential 8 and blocking known malicious indicators?

Those organisations with a strategic approach to cyber defence will more likely survive a ransomware attack, and consideration of an attacker’s motive may be key towards mounting a successful defence. For example, if the motive is purely financial and the attacker causes significant business disruption if the ransom demand is not met, what controls can prevent this?

However, if the motive is to hold to ransom the intellectual property, customer database or another information asset, should priority instead be given to controls which detect and mitigate data exfiltration? Whilst senior management’s risk tolerance level may be “we must implement all possible countermeasures,” few organisations will have the luxury of doing so.

Utilising available data sets to form operational “cyber threat intelligence” can help mitigate harmful events such as ransomware attacks. Most importantly, to do so is within the reach of most organisations following the explosion of available open-source tools and data sets. Such “tactical” cyber threat intelligence usually consists of Indicators of Compromise (IoCs) – technical data such as known bad IP addresses, URLs, emails and file hashes.

Here is where the value proposition of CERTs (Cyber Emergency Response Teams) pays off: not-for-profit organisations providing open source and member-funded services, passionate teams consisting of analyst, dev-ops and engagement functions, CERTs are trustworthy due to their independent status. CIRCL from Luxembourg famously produce the Malware Information Sharing Platform (MISP) and tactical data feeds, used worldwide by other CERTs including AusCERT, governments and private enterprise.

Many organisations do not have resources beyond the tactical level, however simply using tactical feeds of IoCs has shown to be effective detecting or even preventing the initial stages of a ransomware attack. Relevant and concise IoCs may be used in content filters, centralised logging, SIEM or even custom-scripted solutions to hunt or block threats. AusCERT’s Malicious URL Feed is an example of a high-confidence, low-volume feed, usually consumed in an automated fashion but also suitable for manual threat hunting, depending upon the consumer’s available resources.

Members of AusCERT’s MISP community can study operational intelligence such as attackers’ tools, techniques and procedures, even visually. A “mind map” connects similar events and data, allowing members to correlate campaigns and understand the techniques used in incidents such as ransomware attacks, for example. Organisations can then form strategic plans regarding the risks associated with cyber threats.

Most importantly of all, a collaborative approach must be foremost in discussions regarding cyber defence strategy. A common misconception is that sharing threat information may compromise competitive advantage, however a particular strength of CERTs is coordinating, anonymising and analysing incident data, and then providing operational intelligence to members – even entire sectors. Have you included your local CERT in your IR (Incident Response) plans?

Mike Holm
Senior Manager, AusCERT