CSN31: Writing Threat Intelligence Content for Today's Threats
- Pavan Raja

- Apr 8, 2025
- 4 min read
Summary:
The article "CSN31: Writing Threat Intelligence Content for Today's Threats" by John DiFederico focuses on building threat intelligence processes that address modern threats. Its central point is that threat intelligence must not only be imported but actively processed and used: filtered, correlated, and elevated into actionable alerts. Content built on it should state which threat is being tracked, how it affects a host, and whether the indicator is tied to the attacker or to the destination; each hit should then be evaluated to confirm malicious intent before it is acted on.
The article describes several types of specialized content built on threat intelligence:
1. **Repeat Offender Content**: tracks the irregular intervals at which malware such as Trojans checks into its botnet, so a dashboard can separate bursts of activity from routine check-ins.
2. **Bytes Out Tracker**: baselines the typical size of a malware check-in and flags deviations from it, which is useful for spotting worm or trojan outbreaks.
3. **DNS Tracker**: watches for malware that changes a host's DNS settings to support phishing or the loading of additional malware; this requires monitoring not just port 53 traffic but also DNS queries sent to public IP addresses.
4. **High and Low Port Rules**: suited to narrow use cases such as suspicious Internet-provider transfers over SMB on uncommon ports, where event volume is low but relevance is high.
The article also covers correlating threat intelligence with files that commonly carry executable or active content (.exe, .pdf, .swf, .bin and .jar), and enriching a traditional IDPS with intelligence so that it surfaces activity such as unauthorized RDP sessions, FTP data siphoning and IRC bots. It recommends dashboards, query viewers and reports, rather than active channels, for spotting the trends and patterns on which investigations are built.
Lastly, the article addresses domain parking lots: an IP address that hosts thousands of harmless domains can land in a feed because of a single suspicious domain. Adding only the suspicious domains to an active list and waiting for a specific match, rather than alerting on the shared IP, improves accuracy. Data monitors keyed on domains, IP addresses and user-agents then help separate genuinely suspicious hosts from false positives.
In summary, the document underscores the importance of content tailored to behavior patterns for detecting sophisticated modern threats, of enriching traditional controls with intelligence about specific files and activities, and of using a SIEM such as ArcSight to manage the resulting events and improve detection.
Details:
The article "CSN31: Writing Threat Intelligence Content for Today's Threats" by John DiFederico discusses the importance of not just importing threat intelligence but actively processing and using it. The process involves filtering, correlating, and elevating information to make it actionable. The content methodology should include specific details about the threats being tracked, such as how they affect hosts and whether the indicator is tied to the attacker or to the destination. Each hit should then be evaluated to confirm its malicious intent.
The article also highlights specialized types of threat intelligence content:
**Repeat Offender Content**: This pertains to malware like Trojans that check into botnets at irregular intervals. Monitoring these events in a dashboard helps identify unusual activity patterns, distinguishing between bursts and routine traffic.
**Bytes Out Tracker**: By monitoring the typical packet size of malware check-ins, one can detect deviations indicative of worm or trojan outbreaks. A large data monitor is recommended for this purpose.
**DNS Tracker**: Malware often changes DNS settings to facilitate phishing or loading additional malware onto compromised systems. It's crucial not only to track port 53 traffic but also to monitor DNS queries directed towards public IP addresses.
**High and Low Port Rules**: These rules are effective for specific use cases such as suspicious Internet-provider transfers over SMB on uncommon ports, where event volume is low but relevance is high.
Overall, the article underscores the importance of tailored content that can effectively track today's sophisticated threats by focusing on deviations from normal patterns and behaviors.
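The four content types above (repeat offender, bytes-out tracker, DNS tracker, high/low port rules), worked as detection logic over sample records. This is an added example, not content from the article or ArcSight rules; the flow-record format, the threat-list entry, the sanctioned resolver addresses, the thresholds and the sample records are all constructed assumptions.

```python
"""Behavioural threat-intel content over constructed flow records.

Added example for the four content types (repeat offender, bytes-out tracker,
DNS tracker, high/low port rules). Not ArcSight content from the article: the
record format, threat-list entry, sanctioned resolvers, thresholds and sample
data are all assumptions made here.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

THREAT_DESTS = {"203.0.113.10"}                    # assumed C2 indicator from a feed
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumed corporate resolvers
SMB_STANDARD_PORTS = {445, 139}

# Constructed flow records (assumption): "ts src dst dport app bytes_out".
SAMPLE_FLOWS = """\
2025-04-08T09:00:00 10.1.1.5 203.0.113.10 443 ssl 512
2025-04-08T09:07:00 10.1.1.5 203.0.113.10 443 ssl 520
2025-04-08T09:21:00 10.1.1.5 203.0.113.10 443 ssl 505
2025-04-08T09:33:00 10.1.1.5 203.0.113.10 443 ssl 498
2025-04-08T09:33:05 10.1.1.5 203.0.113.10 443 ssl 40960
2025-04-08T09:33:10 10.1.1.5 203.0.113.10 443 ssl 41200
2025-04-08T09:33:15 10.1.1.5 203.0.113.10 443 ssl 40700
2025-04-08T09:10:00 10.1.1.7 10.0.0.53 53 dns 70
2025-04-08T09:11:00 10.1.1.7 8.8.8.8 53 dns 72
2025-04-08T09:12:00 10.1.1.9 10.1.1.20 8445 smb 2048000
2025-04-08T09:13:00 10.1.1.9 10.1.1.21 445 smb 4096
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, app, bytes_out = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "app": app, "bytes_out": int(bytes_out)})
    return flows


def _check_ins(flows):
    """Group flows to threat-listed destinations by (src, dst) pair."""
    per_pair = defaultdict(list)
    for f in flows:
        if f["dst"] in THREAT_DESTS:
            per_pair[(f["src"], f["dst"])].append(f)
    return per_pair


def repeat_offenders(flows, min_hits=3):
    """Repeat offender content: pairs that check in at least min_hits times."""
    return {pair: len(fs) for pair, fs in _check_ins(flows).items() if len(fs) >= min_hits}


def check_in_bursts(flows, window_s=60, burst_count=3):
    """Separate bursts from routine check-ins: the peak number of check-ins inside
    any window_s-second window, reported when it reaches burst_count."""
    bursts = {}
    for pair, fs in _check_ins(flows).items():
        times = sorted(f["ts"] for f in fs)
        peak = max(sum(1 for t in times[i:] if (t - start).total_seconds() <= window_s)
                   for i, start in enumerate(times))
        if peak >= burst_count:
            bursts[pair] = peak
    return bursts


def bytes_out_outliers(flows, k=5.0):
    """Bytes-out tracker: baseline each pair's check-in size with median/MAD and
    report check-ins that deviate by more than k MADs (the exfil-sized ones)."""
    outliers = []
    for pair, fs in _check_ins(flows).items():
        sizes = [f["bytes_out"] for f in fs]
        med = statistics.median(sizes)
        mad = statistics.median([abs(s - med) for s in sizes]) or 1.0  # floor when all sizes are equal
        outliers.extend((f["src"], f["dst"], f["bytes_out"]) for f in fs
                        if abs(f["bytes_out"] - med) > k * mad)
    return outliers


def dns_to_unsanctioned_public(flows):
    """DNS tracker: port-53 traffic that bypasses the sanctioned resolvers and goes
    straight to a public IP, the trace left after malware rewrites DNS settings."""
    return [(f["src"], f["dst"]) for f in flows
            if f["dport"] == 53 and f["dst"] not in SANCTIONED_RESOLVERS
            and ipaddress.ip_address(f["dst"]).is_global]


def smb_on_uncommon_ports(flows):
    """High/low port rule: SMB on anything but its standard ports; low volume, high relevance."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if f["app"] == "smb" and f["dport"] not in SMB_STANDARD_PORTS]


def run(text=SAMPLE_FLOWS):
    flows = parse_flows(text)
    return {"repeat_offenders": repeat_offenders(flows),
            "bursts": check_in_bursts(flows),
            "bytes_out_outliers": bytes_out_outliers(flows),
            "dns_public": dns_to_unsanctioned_public(flows),
            "smb_odd_ports": smb_on_uncommon_ports(flows)}


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

The repeat-offender and burst checks deliberately key on the threat-listed destination, so routine check-ins are counted but only the burst and the outsized bytes-out values raise anything; the DNS and SMB checks key on behaviour alone and need no feed entry at all, which is the point of the low-volume, high-relevance rules.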
The second part of the article covers how to apply threat intelligence in four further areas: network security, file handling, domain management, and reporting tools.
Firstly, it emphasizes correlating threat intelligence with files that commonly carry executable or active content, such as .exe, .pdf, .swf, .bin, and .jar files. This helps surface unauthorized activity such as RDP sessions, FTP data siphoning, and IRC bots.
Secondly, it suggests enriching a traditional intrusion detection and prevention system (IDPS) with threat intelligence: events that match no existing signature can still be linked to known malicious activity through intelligence on file names or URLs ending in those extensions.
Thirdly, it advises against relying solely on active channels for investigation and recommends dashboards, query viewers, and reports instead, because they show the trends and patterns on which investigations grounded in threat intelligence are built, rather than isolated real-time events.
Lastly, it highlights a common problem with domain parking lots: an IP address that hosts thousands of seemingly harmless domains may be listed in a feed because of a single suspicious domain among them. Adding only the suspicious domains to an active list and waiting for specific matches, rather than alerting on the shared IP, improves the accuracy of the threat intelligence.
The article closes with data monitors for identifying suspicious hosts, keyed on the domains, IP addresses, and user-agents that may indicate either threats or false positives. The key points are to learn from investigations, document items found to be false positives, track new intelligence, add the resulting items to active lists for further analysis, and use a tool such as ArcSight to view events effectively. Importing threat intelligence feeds matters, but content tailored to specific behavior patterns is what makes detection effective, and that content should be refined continuously from investigations rather than from pre-compiled feeds alone.
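The file-extension correlation, the dashboard/trend view by user-agent, and the domain-parking-lot problem from the four points above, worked as code. This is an added example, not content from the article or ArcSight rules; the proxy event format, the intel entries, the parking-lot IP, the host names and the active-list shape are constructed assumptions.

```python
"""Threat-intel correlation on file-bearing URLs and parked-domain IPs.

Added example for the file-extension correlation, the trend/report view and
the domain-parking-lot problem. Not ArcSight content from the article: the
event format, intel entries, active-list shape, host names and sample events
are assumptions made here.
"""
from collections import Counter
from urllib.parse import urlparse

WATCHED_EXTENSIONS = (".exe", ".pdf", ".swf", ".bin", ".jar")
INTEL_FILE_NAMES = {"setup_update.exe", "invoice.pdf.exe", "loader.jar"}  # assumed feed entries
PARKING_IP = "198.51.100.20"                  # assumed parking-lot IP from a feed
SUSPICIOUS_DOMAINS = {"bad-updates.example"}  # the one bad tenant on that IP (assumed)

# Constructed proxy events (assumption): "src dst_ip url user_agent".
SAMPLE_EVENTS = """\
10.1.1.5 198.51.100.20 http://bad-updates.example/setup_update.exe Mozilla/5.0
10.1.1.6 198.51.100.20 http://parked-shop.example/ Mozilla/5.0
10.1.1.7 198.51.100.20 http://parked-blog.example/index.html Mozilla/5.0
10.1.1.8 192.0.2.30 http://cdn.example/static/app.jar?v=3 Java/1.8.0_202
10.1.1.9 192.0.2.31 http://docs.example/report.pdf Mozilla/5.0
10.1.1.5 192.0.2.32 http://drop.example/loader.jar python-requests/2.31
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        src, dst_ip, url, ua = line.split(maxsplit=3)
        parsed = urlparse(url)
        events.append({"src": src, "dst_ip": dst_ip, "host": parsed.hostname,
                       "file": parsed.path.rsplit("/", 1)[-1], "ua": ua})
    return events


def is_watched_download(e):
    return e["file"].lower().endswith(WATCHED_EXTENSIONS)


def file_intel_matches(events):
    """Correlate only file-bearing URLs with intel on file names, so a download
    that matched no IDS signature still surfaces through the intelligence."""
    return [(e["src"], e["host"], e["file"]) for e in events
            if is_watched_download(e) and e["file"] in INTEL_FILE_NAMES]


def download_trend_by_user_agent(events):
    """Report/dashboard view: which user-agents pull watched file types. A
    scripting client fetching a .jar stands out as a pattern, not a single event."""
    return Counter(e["ua"] for e in events if is_watched_download(e))


def match_on_parking_ip(events):
    """Naive rule: alert on every connection to the listed IP. Every parked
    tenant of that IP becomes a false positive."""
    return [(e["src"], e["host"]) for e in events if e["dst_ip"] == PARKING_IP]


def match_on_active_list(events, active_list):
    """The article's approach: only the suspicious domains go on the active
    list; alert on a specific host-name match, not on the shared IP."""
    return [(e["src"], e["host"]) for e in events if e["host"] in active_list]


def learn_from_investigation(active_list, confirmed_bad, false_positives):
    """Feed investigation results back into the list: confirmed domains are
    added, documented false positives are removed."""
    return (set(active_list) | set(confirmed_bad)) - set(false_positives)


def run(text=SAMPLE_EVENTS):
    events = parse_events(text)
    return {"file_hits": file_intel_matches(events),
            "ua_trend": download_trend_by_user_agent(events),
            "ip_hits": match_on_parking_ip(events),
            "domain_hits": match_on_active_list(events, set(SUSPICIOUS_DOMAINS))}


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

On the constructed events the IP match fires three times (once for each tenant of the parked IP) while the active-list match fires only for the suspicious domain; `learn_from_investigation` is the feedback loop the article describes, adding confirmed domains and dropping documented false positives from the list.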