Threat intelligence

Welcome and thanks for joining!

© Course authors (CC BY-SA 4.0) - Image: © Charles Hoisington, GSFC (CC BY 2.0)

What we will cover

What threat intelligence is and how it can be
utilized to protect individuals/organisations.

© Course authors (CC BY-SA 4.0) - Image: © Asparukh Akanayev (CC BY 2.0)

Learn to adapt and keep up with the attackers.

© Course authors (CC BY-SA 4.0) - Image: © Steve Jurvetson (CC BY 2.0)

Perform more realistic security
exercises and assessments.

© Course authors (CC BY-SA 4.0) - Image: © Steve Jurvetson (CC BY 2.0)

Learn what to look for when monitoring
IT systems and performing incident response.

© Course authors (CC BY-SA 4.0) - Image: © Steve Jurvetson (CC BY 2.0)

Targeting and fine-tuning communication about
threats towards different recipients.

© Course authors (CC BY-SA 4.0) - Image: © Steve Jurvetson (CC BY 2.0)

(Adapt efforts based on changes in
compliance rules/regulations and
advances in defensive technology)

© Course authors (CC BY-SA 4.0) - Image: © Steve Jurvetson (CC BY 2.0)

Satisfy our curiosity!

© Course authors (CC BY-SA 4.0) - Image: © Steve Jurvetson (CC BY 2.0)

Requires basic knowledge of...

  • OS and application management
  • Networking
© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

The primary focus of this course is to
change your way of thinking, not dig
deep into exciting technical details.

(don't worry, there will be some of
those acronyms that you know and love)

© Course authors (CC BY-SA 4.0) - Image: © Joel Rangsmo (CC BY-SA 4.0)

How we will do it

  • Lectures and Q&A
  • Individual and group presentations
  • Self-led project
  • Continuous reflection
  • Quizzes and scored tests
© Course authors (CC BY-SA 4.0) - Image: © Kevin Dooley (CC BY 2.0)

For slides, notes and similar,
see: t.menacit.se/ti.zip .

These should be seen as a
complement to an instructor-led
course, not a replacement.

© Course authors (CC BY-SA 4.0)

Acknowledgements

Thanks to IT-Högskolan and Särimner for enabling development of the course.

Hats off to all FOSS developers and free culture contributors making it possible.

© Course authors (CC BY-SA 4.0) - Image: © Jesse James (CC BY 2.0)

Free as in beer and speech

Is anything unclear? Got ideas for improvements? Don't fancy the animals in the slides?

Create an issue or submit a pull request to
the repository on Github!

© Course authors (CC BY-SA 4.0) - Image: © Edenpictures (CC BY 2.0)

Let us dig in!

© Course authors (CC BY-SA 4.0) - Image: © Jonathan Torres (CC BY 4.0)

Vocabulary and basics

© Course authors (CC BY-SA 4.0) - Image: © Brendan J (CC BY 2.0)

Lots of different terms and abbreviations are thrown around.

(Sometimes used interchangeably :-/ )

Let's try to define some of them!

© Course authors (CC BY-SA 4.0) - Image: © Brendan J (CC BY 2.0)

Threat

Bad stuff that we don't want to happen.

Unwanted events with negative consequences.

Earthquakes, terrorism, lawsuits, ransomware...

© Course authors (CC BY-SA 4.0) - Image: © Edenpictures (CC BY 2.0)

Threat actor

Group or individual that wanna do bad stuff
towards other groups or individuals.

Intelligence agencies, criminal gangs,
hacktivists, disgruntled employees...

© Course authors (CC BY-SA 4.0) - Image: © Edenpictures (CC BY 2.0)

Asset

Thing belonging to a target that a threat actor
may try to abuse to achieve their goal(s).

Servers, network equipment, endpoint devices
and software running on these computers.

Some include confidential information and
personnel (OBJECTIFICATION!) in their definition.

(Let's keep our focus on IT assets)

© Course authors (CC BY-SA 4.0) - Image: © Brendan J (CC BY 2.0)

Vulnerability

Weakness that can be abused to affect
the security of an asset.

Software bug, default/bad password,
enabled debug functionality...

© Course authors (CC BY-SA 4.0) - Image: © Asparukh Akanayev (CC BY 2.0)

Exploit

Tool or method used to abuse a vulnerability.

Attack

Attempt to use an exploit against an asset.

© Course authors (CC BY-SA 4.0) - Image: © The Preiser Project (CC BY 2.0)

Attack surface

Assets exposed towards potential
threat actors that may be attacked.

The attack surface may not look
the same to all threat actors.

© Course authors (CC BY-SA 4.0) - Image: © Brendan J (CC BY 2.0)

Services exposed towards the Internet.

Systems accessible by customers/partners
over a dedicated VPN tunnel.

Hosts exposed on internal office network.

Physical interfaces on industrial equipment.

APIs and other functionality accessible to
a (compromised) application/container.

© Course authors (CC BY-SA 4.0) - Image: © Brendan J (CC BY 2.0)

Let's try putting these
terms to use, shall we?

© Course authors (CC BY-SA 4.0) - Image: © Yana Sychikova (CC BY 4.0)

A threat actor known as Grumpy Bear
enumerated the attack surface of
our Internet exposed systems.

They identified a vulnerability in
one of our assets: the VPN server
provided by UltraEnterPriseSec Inc.

They utilized a publicly available
exploit from Metasploit in their
attack, based on information
provided by the system logs.

© Course authors (CC BY-SA 4.0) - Image: © Yana Sychikova (CC BY 4.0)

TTPs

Describes (known historic) behavior
of a threat actor.

Tactics (high-level),
Techniques (mid-level) and
Procedures (low-level).

Used together with target analysis
(basically "who was targeted") and other
indicators for threat actor attribution.

© Course authors (CC BY-SA 4.0) - Image: © Gobi (CC BY 2.0)

Tactic: Steal sensitive information
and use it as blackmail for extortion.

Technique: Gain access to victim's email account
through "credential phishing" (social engineering).

Procedure:
Utilize the freely available tool "Gophish" to
send phishing emails claiming that the user must
change their password, setup redirect through
Google Docs domain to trick spam filters...

© Course authors (CC BY-SA 4.0) - Image: © Gobi (CC BY 2.0)

The CIA triad

Helps us break down what "secure" means.

Confidentiality,
Integrity and
Availability.

"Thought-tool" that can be used to discuss
priorities, expected outcome of changes...

(More about how to use it later...)

© Course authors (CC BY-SA 4.0) - Image: © Fibreman (CC0 1.0)

Quantifying risk

© Course authors (CC BY-SA 4.0) - Image: © Kārlis Dambrāns (CC BY 2.0)

Risk ~=
Consequences of bad thing * Probability.

Tsunami washing away Stockholm data center *
Probability of event ~= Extremely low risk.

Secrets being stolen from outdated system Z *
Probability of event ~= Low-to-medium risk.

© Course authors (CC BY-SA 4.0) - Image: © Kārlis Dambrāns (CC BY 2.0)

Wrapping up

© Course authors (CC BY-SA 4.0) - Image: © Brendan J (CC BY 2.0)

Protecting whom?

© Course authors (CC BY-SA 4.0) - Image: © Pyntofmyld (CC BY 2.0)

Congratulations - the job is yours!
Make sure that we are safe.

Person who just hired you to do "security stuff"

© Course authors (CC BY-SA 4.0) - Image: © Pyntofmyld (CC BY 2.0)

Now what?

© Course authors (CC BY-SA 4.0) - Image: © Pyntofmyld (CC BY 2.0)

Understanding the organisation

Resources (time, money and smart people)
are always limited.

How do we best spend them?

Spoiler alert: "It depends!"

© Course authors (CC BY-SA 4.0) - Image: © Miguel Discart (CC BY-SA 2.0)

What ensures the organisation's survival
(income, political support, legal permits, etc)?

What are their worst nightmares?
"Extinction level events?"

How have other similar organisations
been affected by breaches/incidents?

© Course authors (CC BY-SA 4.0) - Image: © Miguel Discart (CC BY-SA 2.0)

What are the organisation's priorities
from a security perspective?

Let's use the CIA triad to get an idea!

© Course authors (CC BY-SA 4.0) - Image: © Miguel Discart (CC BY-SA 2.0)

Psychotherapy clinic

Stores and processes highly sensitive information about patients.

Leakage of healthcare data would harm patient trust and may have legal repercussions.

Short-term inaccessibility of computer systems would be a nuisance, but likely manageable.

© Course authors (CC BY-SA 4.0)

Crisis information website

Designed to provide important guidance and information during natural disasters, war and similar.

Availability is extremely important, but inaccurate (or even malicious) information may be worse.

© Course authors (CC BY-SA 4.0)

Retail bank

Processes thousands of transactions per second.

Confidentiality, integrity and availability are all extremely important.

Money can't be allowed to disappear from customers' accounts.

© Course authors (CC BY-SA 4.0)

Priorities may shift if "incident duration" is specified/changed.

May be hard to accurately use for a whole organisation - drill into different business areas.

Just one of the ways you can wield the CIA triad.

© Course authors (CC BY-SA 4.0) - Image: © Miguel Discart (CC BY-SA 2.0)

What do we have that others may want?

  • Money!
  • CRM information
  • Intellectual property (code, product schematics, etc)
  • Large number of eyeballs
  • Computing resources and bandwidth
  • Embarrassing documents/e-mails

...

© Course authors (CC BY-SA 4.0) - Image: © Reid Campbell (CC0 1.0)

Could we be used as a stepping stone?

The "Target retail breach" is
an interesting example.

© Course authors (CC BY-SA 4.0) - Image: © Reid Campbell (CC0 1.0)

Conclusions?

© Course authors (CC BY-SA 4.0) - Image: © Pyntofmyld (CC BY 2.0)

Meet the threat actors

© Course authors (CC BY-SA 4.0) - Image: © David Revoy (CC BY 4.0)

Why should we care?

Not all threat actors are created equal.

Different motivations and expertise/resources.

Tracking and understanding their activities may help us better protect ourselves.

(and it's fun!)

© Course authors (CC BY-SA 4.0) - Image: © David Revoy (CC BY 4.0)

Time for a brasklapp (caveat)!

Everyone has to live with
the "Internet noise".

Lots of hacking is opportunistic.

© Course authors (CC BY-SA 4.0) - Image: © David Revoy (CC BY 4.0)

Motivations

  • Personal
  • Financial
  • Political
  • Military
© Course authors (CC BY-SA 4.0) - Image: © David Revoy (CC BY 4.0)

Personal

  • Curiosity / Learning
  • Thrill seeking / Fun
  • Fame / Cred
  • Anger / Revenge
© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Financial

  • Industrial espionage
  • Blackmail
  • Stock / Market manipulation
  • Computational resources
© Course authors (CC BY-SA 4.0) - Image: © Asparukh Akanayev (CC BY 2.0)

Political

  • Intelligence gathering
  • Propaganda
  • Discrediting
© Course authors (CC BY-SA 4.0) - Image: © Theo Crazzolara (CC BY 2.0)

Military

  • Intelligence gathering
  • Disruption
© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Let's meet some of them!

© Course authors (CC BY-SA 4.0) - Image: © David Revoy (CC BY 4.0)

Stakkato

Swedish teenager hacking for
learning and the thrill.

Targeted "high-security organisations"
and educational institutions.

While on the surface somewhat harmless,
how should we handle incident response?

(Curious to learn more? Check out
the old and cozy book "Svenska hackare"!)

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

LulzSec

Small group of hackers with
"fun and mayhem" as their goals.

Targeted a wide range of companies,
such as Sony Pictures, Fox News
and the game publisher Bethesda.

Disbanded after "50 days of lulz";
several members were later arrested
after the group's founder became an informant.

While not the most technical and
quite opportunistic, good at PR!

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Casey Umetsu

Sysadmin who was fired/made redundant.

Allegedly used knowledge to disrupt
operations at former employer.

Malicious action by disgruntled employee
or an honest mistake using automation?

Useful lesson regardless!

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

FIN7

Highly organised criminal group based in Russia.

Focus on data theft and "big-game" ransomware.

Branched out into becoming a
"Ransomware as a Service" provider.

AKA Carbon Spider, ELBRUS and Sangria Tempest,
depending on who you ask! :-/

© Course authors (CC BY-SA 4.0) - Image: © Asparukh Akanayev (CC BY 2.0)

APT10

Chinese threat actor with focus on industrial espionage.

Suspected ties to intelligence services.

Responsible for the "Cloud Hopper" attacks
targeting (Swedish) MSPs.

This type of group is known as an
Advanced Persistent Threat.

© Course authors (CC BY-SA 4.0) - Image: © Asparukh Akanayev (CC BY 2.0)

Lazarus Group

Hacking group associated with the
North Korean government.

Focus on attacks against payment services,
banking and cryptocurrency exchanges.

Known to use interesting tactics like
fake recruitment tests for developers
and getting hired for insider access.

© Course authors (CC BY-SA 4.0) - Image: © Asparukh Akanayev (CC BY 2.0)

Phineas Fisher

Highly skilled anarchist hacktivist.

Targeted makers of "law enforcement spyware",
political parties and financial institutions.

Claims to run "bug-bounty" for "ethical hacking".

Published surprisingly detailed write-ups of
hacking activities, providing useful lessons.

© Course authors (CC BY-SA 4.0) - Image: © Theo Crazzolara (CC BY 2.0)

Charming Kitten

State-sponsored Iranian group.

Spies on various targets of interest to the government.

Targets organisations and individuals
(mainly dissidents and activists).

© Course authors (CC BY-SA 4.0) - Image: © Theo Crazzolara (CC BY 2.0)

Equation Group

Threat actor associated with NSA.

Famous for malware such as "Stuxnet"
and "Flame".

Targets adversaries of the USA.

Several tools associated with the group,
like an exploit for the "EternalBlue"
vulnerability, were stolen and leaked
by the threat actor "Shadow Brokers".

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Sandworm

Unit of the Russian military intelligence service.

Known for disruptive attacks against the
Olympic Games and Ukrainian infrastructure.

While such attacks were long considered a
theoretical risk, the group demonstrated
them against a power grid.

(Check out Andy Greenberg's book if
you wanna learn more about them!)

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Countless more for the interested!

© Course authors (CC BY-SA 4.0) - Image: © David Revoy (CC BY 4.0)

Group exercise

© Course authors (CC BY-SA 4.0) - Image: © Edenpictures (CC BY 2.0)

Exercise: Match the threat actor

Participants are split into groups.

Each group will be provided with descriptions of fictional organisations and threat actors.

For each organisation, motivate and define their priorities/needs using the CIA triad.

For each threat actor, motivate and rank (1 to 5) how "attractive" each target organisation is.

Use liberal amounts of imagination/guesstimation. After presentation, send slides as PDF to:
courses+ti_010401@0x00.lt

© Course authors (CC BY-SA 4.0) - Image: © Edenpictures (CC BY 2.0)

Sounds complicated?

Let me show you an example...

© Course authors (CC BY-SA 4.0) - Image: © Edenpictures (CC BY 2.0)

Org: XMPLE Prospecting Inc.

Experts in geological prospecting to find oil and natural gas deposits.

Operates several high-performance computing clusters for simulation models.

Produces reports and sells information, doesn't perform any extraction.

Active in the Central Asia region.

© Course authors (CC BY-SA 4.0) - Image: © Pyntofmyld (CC BY 2.0)

Org: XMPLE Prospecting Inc.

Needs/security priorities based on CIA triad.

Confidentiality

The organisation makes money by selling highly valuable information.

Customers pay for the advantage, value proposition fails otherwise.

© Course authors (CC BY-SA 4.0)

Org: XMPLE Prospecting Inc.

Needs/security priorities based on CIA triad.

Integrity

Manipulation of collected data/simulation models could result in misleading customers.

Long-term, this may result in a loss of credibility.

© Course authors (CC BY-SA 4.0)

Org: XMPLE Prospecting Inc.

Needs/security priorities based on CIA triad.

Availability

While the organisation relies on computer systems
to aid prospecting, its main strengths are expert
knowledge and customer relations.

Temporary inaccessibility of IT environment
is not deemed a major business risk.

© Course authors (CC BY-SA 4.0)

Threat actor: Crocs4Justice

Loosely organised group of "left-leaning" hacktivists.

Hacks for fun and as a political action.

Utilize DDoS, defacement and information leaks against their targets.

Known to use publicly available exploits and seem to lack deep technical knowledge/funding.

© Course authors (CC BY-SA 4.0) - Image: © Edenpictures (CC BY 2.0)

Threat actor: Savory Bear

APT with suspected ties to the Russian state.

Hacks to extract sensitive information that may be of value to the state or associated actors.

Has historically exploited 0-day vulnerabilities to gain system access.

© Course authors (CC BY-SA 4.0) - Image: © William Warby (CC BY 2.0)

Org: XMPLE Prospecting Inc.

How well does the organisation match the threat actor's focus/interest?

Crocs4Justice: 3

While the threat actor likely objects to the business ("aiding ecological destruction") of
the target organisation, it is far from a household name and the PR gains would be small.
May attack the organisation opportunistically, but won't spend much effort on the target.

© Course authors (CC BY-SA 4.0) - Image: © Pyntofmyld (CC BY 2.0)

Org: XMPLE Prospecting Inc.

How well does the organisation match the threat actor's focus/interest?

Savory Bear: 5

Information produced by the target organisation may be of high value to the Russian state.
Central Asia is perceived as their historical sphere of influence and large energy deposits
could greatly change international interest in the region. Early access to the information
could allow state-friendly actors to quickly exploit the resources and gain an edge/presence.

© Course authors (CC BY-SA 4.0) - Image: © Pyntofmyld (CC BY 2.0)

Bonus points for verbosity,
group participation and fancy design!

Again: imagination is encouraged!

If you need a template of a triangle,
check out this link.

© Course authors (CC BY-SA 4.0) - Image: © Edenpictures (CC BY 2.0)

Write-up exercise

© Course authors (CC BY-SA 4.0) - Image: © Miguel Discart (CC BY-SA 2.0)

Exercise: Threat actor report

Each participant should research and produce a report about one of the following threat actors:

  • "Ember Bear"
  • "Lapsus$"
  • "Darkhotel"

The report should contain information about the
threat actor's TTPs, known victims/attacks, motivations or similar (512 words or more).

Send as plain text, Markdown document or PDF to:
courses+ti_010501@0x00.lt

© Course authors (CC BY-SA 4.0) - Image: © Miguel Discart (CC BY-SA 2.0)

Basics recap

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Fundamental vocabulary

  • Threat actor
  • Asset
  • Vulnerability
  • Exploit
  • Attack
  • Attack surface
© Course authors (CC BY-SA 4.0) - Image: © Guilhem Vellut (CC BY 2.0)

Tactics,
Techniques and
Procedures.

Confidentiality,
Integrity and
Availability.

© Course authors (CC BY-SA 4.0) - Image: © Adam Lusch (CC BY-SA 2.0)

Risk ~=
Consequences of bad thing * Probability

© Course authors (CC BY-SA 4.0) - Image: © Rick Massey (CC BY 2.0)

Protecting an organisation

What ensures its survival
(income, political support, legal permits, etc)?

What are their worst nightmares?

What are the organisation's priorities?

What do they have that others may want?

© Course authors (CC BY-SA 4.0) - Image: © Joel Rangsmo (CC BY-SA 4.0)

Understanding threat actors

Not all created equal.

Different skill levels and motivations:

  • Personal
  • Financial
  • Political
  • Military
© Course authors (CC BY-SA 4.0) - Image: © Stig Nygaard (CC BY 2.0)

Any recap questions?

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Intrusion vocabulary

A somewhat gentle introduction

© Course authors (CC BY-SA 4.0) - Image: © Mike Grauer Jr (CC BY 2.0)

We've begun to understand who we're protecting.

We've gotten to know some of the threat actors.

We know that there is something called TTPs.

What does a "typical hack" look like?

© Course authors (CC BY-SA 4.0) - Image: © Mike Grauer Jr (CC BY 2.0)

Overview of phases

  • Reconnaissance
  • Initial access
  • Persistence
  • Lateral movement / Privilege escalation
  • Causing impact
© Course authors (CC BY-SA 4.0) - Image: © Stig Nygaard (CC BY 2.0)

Reconnaissance

Understanding the target organisation
and their attack surface.

Active network scanning of exposed assets
and gathering of Open Source Intelligence.

Products in role descriptions on LinkedIn,
domains in certificate transparency logs,
paths/usernames in file metadata,
technical information leakage
in server headers...

(Mandatory plug for Bellingcat!)

© Course authors (CC BY-SA 4.0) - Image: © Todd Van Hoosear (CC BY-SA 2.0)

Initial access

  • (Spear) phishing / smishing / quishing...
  • Credential stuffing / Password guessing
  • Software bug exploitation
© Course authors (CC BY-SA 4.0) - Image: © Randy Adams (CC BY-SA 2.0)

Persistence

Wanna be able to come and go as we please.

Malware such as a Remote Access Trojan.

Configuration of additional reset email addresses.

Backdooring of firmware if we're real serious!

© Course authors (CC BY-SA 4.0) - Image: © Brendan J (CC BY 2.0)

Privilege escalation

Vertical escalation ("guest to admin rights")
and horizontal escalation ("Org. A to Org. B").

Lateral movement

Gain access to sensitive systems by exploiting
lacking segmentation and interconnectedness.

© Course authors (CC BY-SA 4.0) - Image: © Kevin Dooley (CC BY 2.0)

Causing impact

  • Disruption
  • Data theft
  • Defacement
  • Resource hijacking
© Course authors (CC BY-SA 4.0) - Image: © Kārlis Dambrāns (CC BY 2.0)

During all the phases, we might put
some effort into covering our tracks
and "muddy the waters" to make
attribution more difficult.

Delete (some) audit log events,
utilise proxy/tunneling services,
modify locale metadata in malware,
avoid hacking during "working hours"...

© Course authors (CC BY-SA 4.0) - Image: © Andrew Pontzen / Fabio Governato (CC BY 2.0)

Wanna dig deeper into the phases of a hack
and discover known TTPs of threat actors?

Have a look at MITRE ATT&CK.

© Course authors (CC BY-SA 4.0) - Image: © Guilhem Vellut (CC BY 2.0)

Some are trying to name and define
the phases of a hacking campaign in a
standardised way, with more or less success.

Lockheed Martin's "Cyber Kill Chain"
is a commonly used example.

© Course authors (CC BY-SA 4.0) - Image: © Stig Nygaard (CC BY 2.0)

Wrapping up

© Course authors (CC BY-SA 4.0) - Image: © Mike Grauer Jr (CC BY 2.0)

CVE and vulnerability tracking

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Background

Software will always contain bugs.

Some of those are exploitable.

Some software components are used in more
than one product by more than one vendor
(think popular libraries like OpenSSL).

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Is vendor Y's software affected by vulnerability X?

Does our product have vulnerabilities similar to X?

Can our Intrusion Detection System
identify attempts to exploit vulnerability X?

Can our vulnerability scanner detect X?

© Course authors (CC BY-SA 4.0) - Image: © Rod Waddington (CC BY-SA 2.0)

What are "CVE IDs"?

Common Vulnerabilities and Exposures.

Unique identifier assigned to vulnerabilities.

Developed and managed by MITRE since 1999.
Over 280000 flaws registered in the database.

Defacto industry standard used to track
and talk about vulnerabilities.

© Course authors (CC BY-SA 4.0) - Image: © Stig Nygaard (CC BY 2.0)

CVE-2022-47949

"CVE-" + $Year + $Sequence number

© Course authors (CC BY-SA 4.0) - Image: © Stig Nygaard (CC BY 2.0)

CVE IDs are in either the "reserved",
"published" or "rejected" state.

At its core, a CVE database entry contains
a vulnerability description and optionally
a list of references (external links).

© Course authors (CC BY-SA 4.0) - Image: © Stig Nygaard (CC BY 2.0)

How do I get one?

CVE IDs are allocated/assigned by a
CVE Numbering Authority.

Each CNA is responsible for one or more
vendors/products/software components.

If the software isn't covered by the
scope of any existing CNA, talk to a
CNA of Last Resort (CNA-LR).

© Course authors (CC BY-SA 4.0) - Image: © Loco Steve (CC BY-SA 2.0)

CVE-2020-29583

Firmware version 4.60 of Zyxel USG devices
contains an undocumented account (zyfwp)
with an unchangeable password. The
password for this account can be found in
cleartext in the firmware. This account
can be used by someone to login to the
ssh server or web interface with
admin privileges.

© Course authors (CC BY-SA 4.0) - Image: © Randy Adams (CC BY-SA 2.0)

CVE-2021-22893

Pulse Connect Secure 9.0R3/9.1R1 and higher
is vulnerable to an authentication bypass
vulnerability exposed by the Windows File
Share Browser and Pulse Secure Collaboration
features of Pulse Connect Secure that can
allow an unauthenticated user to perform
remote arbitrary code execution on the Pulse
Connect Secure gateway. This vulnerability
has been exploited in the wild.

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

CVE-2016-5195

Race condition in mm/gup.c in the Linux
kernel 2.x through 4.x before 4.8.3 allows
local users to gain privileges by leveraging
incorrect handling of a copy-on-write (COW)
feature to write to a read-only memory
mapping, as exploited in the wild in
October 2016, aka "Dirty COW."

© Course authors (CC BY-SA 4.0) - Image: © Nacho Jorganes (CC BY-SA 2.0)

CVE-2022-33637

Microsoft Defender for Endpoint
Tampering Vulnerability.

© Course authors (CC BY-SA 4.0) - Image: © Jack Lawrence (CC BY-SA 2.0)

CVE-2017-0144

The SMBv1 server in Microsoft
Windows Vista SP2;
Windows Server 2008 SP2 and R2 SP1;
Windows 7 SP1; Windows 8.1;
Windows Server 2012 Gold
and R2; Windows RT 8.1;
and Windows 10 Gold, 1511, and 1607;
and Windows Server 2016 allows
remote attackers to execute
arbitrary code via crafted packets,

© Course authors (CC BY-SA 4.0) - Image: © Edenpictures (CC BY 2.0)

There are "extensions" to the CVE database
that may be used to associate additional
useful information with an identifier.

Some are created/managed by MITRE,
others by third-parties.

Let's have a look at the most common ones...

© Course authors (CC BY-SA 4.0) - Image: © Stig Nygaard (CC BY 2.0)

Common Platform Enumeration
provides a structured, computer-readable
format to describe which vendors, products
and software versions are affected by a flaw.

cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5

The page about CPE on Wikipedia provides
a decent explanation of the sub-fields.
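The slide's question "Is vendor Y's software affected by vulnerability X?" is exactly what CPE strings are for. The following is an added example (not course material): a parser for CPE 2.3 formatted strings, including the backslash-escaped ':' the format uses, and a matcher that applies a vulnerability's criteria (a CPE, usually with version `*`, plus an optional version range of the kind NVD publishes next to a CPE) to an inventory. The inventory entries and version bounds are constructed; the version comparison is a simplified dotted-number compare, not the full CPE spec.

```python
"""Parse CPE 2.3 formatted strings and match them against an inventory.

Added example for this course page; not part of the course material. Field
layout and the '*' (ANY) / '-' (NA) values follow the CPE 2.3 naming spec; the
version-range check is a simplified dotted-number comparison (assumption).
"""
from typing import List, Optional

FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")
ANY, NA = "*", "-"


def _split_unescaped(text: str, sep: str = ":") -> List[str]:
    """Split on separators that are not backslash-escaped (a literal ':' is written '\\:')."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_cpe(text: str) -> dict:
    """Return {field: value}. The spec requires all 11 attributes; abbreviated strings
    like the slide's 'cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5' are padded with ANY."""
    fields = _split_unescaped(text)
    if len(fields) < 3 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {text!r}")
    attrs = fields[2:]
    if len(attrs) > len(FIELDS):
        raise ValueError(f"too many attributes in {text!r}")
    attrs += [ANY] * (len(FIELDS) - len(attrs))
    cpe = dict(zip(FIELDS, attrs))
    if cpe["part"] not in ("a", "o", "h", ANY, NA):  # application, OS or hardware
        raise ValueError(f"invalid part {cpe['part']!r} (expected a, o or h)")
    return cpe


def _attr_matches(pattern: str, value: str) -> bool:
    """ANY on either side matches; NA only matches NA (or ANY); otherwise exact, case-insensitive."""
    if pattern == ANY or value == ANY:
        return True
    if pattern == NA or value == NA:
        return pattern == value
    return pattern.lower() == value.lower()


def cpe_matches(pattern: dict, target: dict) -> bool:
    return all(_attr_matches(pattern[f], target[f]) for f in FIELDS)


def _version_key(version: str):
    """Sortable key so that '12.10' > '12.9'; non-numeric components sort after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def is_affected(criteria: dict, asset: dict,
                start_including: Optional[str] = None,
                end_excluding: Optional[str] = None) -> bool:
    """Do a vulnerability's match criteria (CPE with version ANY plus an optional range)
    apply to an inventory asset? Unknown asset versions are reported as affected so
    they get looked at rather than silently skipped."""
    if not cpe_matches(criteria, asset):
        return False
    if asset["version"] in (ANY, NA):
        return True
    v = _version_key(asset["version"])
    if start_including and v < _version_key(start_including):
        return False
    if end_excluding and v >= _version_key(end_excluding):
        return False
    return True


def find_affected(criteria: str, inventory: List[str],
                  start_including: Optional[str] = None,
                  end_excluding: Optional[str] = None) -> List[str]:
    pattern = parse_cpe(criteria)
    return [c for c in inventory
            if is_affected(pattern, parse_cpe(c), start_including, end_excluding)]


if __name__ == "__main__":
    # Constructed inventory: the first entry is the slide's example, the rest are made up.
    inventory = [
        "cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5",
        "cpe:2.3:a:ivanti:endpoint_manager_mobile:12.2.0:*:*:*:*:*:*:*",
        "cpe:2.3:o:examplevendor:example_firmware:4.60:*:*:*:*:*:*:*",
    ]
    # Constructed criteria: "every endpoint_manager_mobile version below 12.5".
    print(find_affected("cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*",
                        inventory, end_excluding="12.5"))
```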

© Course authors (CC BY-SA 4.0) - Image: © Egill Egilsson (CC BY 2.0)

Common Weakness Enumeration
provides a list of common vulnerability
types that may affect software/hardware.

Similar to OWASP Top Ten, but more generic.

Useful as a reference for flaw mitigation
and for understanding historic security
challenges in a codebase.

Who could forget classics like
CWE-416 (AKA "Use After Free") and
CWE-89 (AKA "Improper Neutralization of Special Elements used in an SQL Command") ?!

© Course authors (CC BY-SA 4.0) - Image: © Adam Lusch (CC BY-SA 2.0)

The USA's Cybersecurity and
Infrastructure Security Agency
maintains two lists of CVE IDs that
may be of particular interest.

The Known Exploited Vulnerabilities
list contains flaws that they've identified
being actively exploited by threat actors.

Fixing or mitigating vulnerabilities included
in the list should be highly prioritized
(great "signal-to-noise ratio").

© Course authors (CC BY-SA 4.0) - Image: © ESA (CC BY-SA 3.0 IGO)

The organisation "FIRST" provides
the "Exploit Prediction Scoring System".

Uses machine learning and voodoo magic
sophisticated prediction models to guesstimate
how likely it is that a flaw will be
practically exploitable.

Currently provided as API with scores
for all published CVEs. Use with caution.

(CISA has launched an alternative called
"Likely Exploited Vulnerabilities".)

© Course authors (CC BY-SA 4.0) - Image: © Joel Rangsmo (CC BY-SA 4.0)

We will cover the wide-spread
Common Vulnerability Scoring System
later during the course, don't worry...

© Course authors (CC BY-SA 4.0) - Image: © Stig Nygaard (CC BY 2.0)

Manually monitoring CVEs is time-consuming.

Tools like OpenCVE can help you
track/triage those relevant to your organisation.

© Course authors (CC BY-SA 4.0) - Image: © Andreas Swane (CC BY 2.0)

Sounds amazing, doesn't it?

Spoiler alert: it ain't all roses...

© Course authors (CC BY-SA 4.0) - Image: © Guilhem Vellut (CC BY 2.0)

CNAs are responsible for allocating
CVE IDs and submitting descriptions to MITRE.

Product vendors are often their own CNA.

They may be unresponsive to reports.

They could be incentivised to
delay publication or polish
descriptions to downplay the severity.

The "NotCVE" project attempts to
provide an alternative. Will it succeed?

© Course authors (CC BY-SA 4.0) - Image: © Matthias Ripp (CC BY 2.0)

CVE IDs get allocated and assigned
to bugs/behaviors that are not
security vulnerabilities.

Submitted by sloppy researchers and
hallucinating AI bots.

Developers may dispute bogus claims,
but it's hard to get them removed
from the CVE database.

A common work-around is to become
your own CNA to filter requests,
like the curl project did.

© Course authors (CC BY-SA 4.0) - Image: © Franz van Duns (CC BY-SA 4.0)

Some software projects don't wanna spend
time on classifying whether a bug could
be a security vulnerability or not.

The Linux kernel team recently became
their own CNA and simply assigns a
CVE ID to each identified bug.

...thereby spamming the database
with a bunch of non-flaws.

© Course authors (CC BY-SA 4.0) - Image: © Brocken Inaglory (CC BY-SA 3.0)

MITRE is mainly funded by the US government.

Like many similar organisations, there has
been significant uncertainty regarding
their ability to continue operating.

Furthermore, they've been failing to
maintain the database and promptly
allocate CVE IDs to CNAs.

Alternatives have appeared, like
EU's own Vulnerability Database and
the decentralised Global CVE system.

© Course authors (CC BY-SA 4.0) - Image: © Joel Rangsmo (CC BY-SA 4.0)

Conclusions?

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

CVSS basics

Common Vulnerability Scoring System

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Background

CVE IDs tell us that a vulnerability exists.

Its description doesn't necessarily tell us
the potential impact or if there are any
prerequisites for exploitation.

Great need for a common method to rate and
compare severity of vulnerabilities.

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

The Common Vulnerability Scoring System
aims to provide a solution.

Standard developed by FIRST to describe
the "characteristics of a vulnerability".

Widely used to guide and prioritize
vulnerability remediation efforts.

© Course authors (CC BY-SA 4.0) - Image: © Loco Steve (CC BY-SA 2.0)

Produces a numerical score between 0.0 and 10.0.

Vulnerabilities may be assigned a textual
severity rating based on their score:

Severity   Numerical score range
None       0.0
Low        0.1 - 3.9
Medium     4.0 - 6.9
High       7.0 - 8.9
Critical   9.0 - 10.0
© Course authors (CC BY-SA 4.0) - Image: © Joel Rangsmo (CC BY-SA 4.0)

CVSS "vector strings" provide a compact way to
communicate the reasoning behind a score:

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

(We shall cover this later, don't worry!)

© Course authors (CC BY-SA 4.0) - Image: © Joel Rangsmo (CC BY-SA 4.0)

Several different versions exist;
4.0 was released in late 2023.

Version 3.1 is still most commonly used.

Available as a formal specification or
through a handy online calculator tool.

(If you're paranoid, consider using
a local copy of the calculator!)

© Course authors (CC BY-SA 4.0) - Image: © Loco Steve (CC BY-SA 2.0)
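Since 3.1 is still what most advisories carry, it helps to see how a vector string actually turns into a number. The following is an added example written for this course material, not FIRST's own calculator: it parses 3.1 and 4.0 vector strings (validating the base metrics), implements the CVSS 3.1 base score formula including its integer-based Roundup, and maps scores onto the severity bands from the table above. The 4.0 score is not computed here (it needs the large MacroVector lookup table); only its vector is parsed.

```python
"""CVSS vector parsing, CVSS 3.1 base scoring and severity rating.

Added example for this course page (not FIRST's reference calculator).
Metric weights and the Roundup function follow the CVSS 3.1 specification.
"""
import math

# Qualitative rating bands shared by CVSS 3.x and 4.0: (upper bound, label).
SEVERITY_BANDS = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]

# Required base metrics and their allowed single-letter values, per version.
BASE_METRICS = {
    "3.1": {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR", "S": "UC",
            "C": "HLN", "I": "HLN", "A": "HLN"},
    "4.0": {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
            "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"},
}

# CVSS 3.1 numeric weights. PR depends on whether Scope is Unchanged or Changed.
W31 = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}
PR31 = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},
        "C": {"N": 0.85, "L": 0.68, "H": 0.50}}


def severity(score: float) -> str:
    """Map a 0.0-10.0 score to the qualitative rating from the table above."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    for upper, label in SEVERITY_BANDS:
        if score <= upper:
            return label
    raise AssertionError("unreachable")


def parse_vector(vector: str) -> tuple[str, dict[str, str]]:
    """Split 'CVSS:<ver>/M:V/...' into (version, {metric: value}).

    Base metrics are validated; threat/temporal, environmental and supplemental
    metrics are kept as-is so the caller can inspect them.
    """
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:"):
        raise ValueError("vector must start with 'CVSS:<version>'")
    version = parts[0][len("CVSS:"):]
    if version not in BASE_METRICS:
        raise ValueError(f"unsupported CVSS version {version!r}")
    metrics: dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or not name or name in metrics:
            raise ValueError(f"malformed or duplicated metric {part!r}")
        metrics[name] = value
    allowed = BASE_METRICS[version]
    missing = [m for m in allowed if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    for name, values in allowed.items():
        if len(metrics[name]) != 1 or metrics[name] not in values:
            raise ValueError(f"invalid value {metrics[name]!r} for {name}")
    return version, metrics


def roundup(value: float) -> float:
    """CVSS 3.1 Roundup: smallest one-decimal number >= value, done in integer
    arithmetic so that float noise like 4.000000000000001 does not become 4.1."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score_v31(vector: str) -> float:
    """Compute the CVSS 3.1 base score from a 3.1 vector string."""
    version, m = parse_vector(vector)
    if version != "3.1":
        raise ValueError("base_score_v31 only implements the 3.1 formula")
    changed = m["S"] == "C"
    iss = 1 - (1 - W31["CIA"][m["C"]]) * (1 - W31["CIA"][m["I"]]) * (1 - W31["CIA"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = (8.22 * W31["AV"][m["AV"]] * W31["AC"][m["AC"]]
                      * PR31[m["S"]][m["PR"]] * W31["UI"][m["UI"]])
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10.0))


if __name__ == "__main__":
    for v in ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",   # classic unauth RCE
              "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",   # same, scope changed
              "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"):  # unauth remote DoS
        s = base_score_v31(v)
        print(f"{s:4.1f} {severity(s):8s} {v}")
    print(parse_vector("CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N"))
```

The three sample vectors score 9.8, 10.0 and 7.5: note how the scope-changed variant is pushed past 10 and clamped, and how an availability-only flaw that needs no authentication still lands in "High". Paste the group exercise vectors into `parse_vector` to catch typos before sending them in.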

Let there be demos!

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Group exercise

© Course authors (CC BY-SA 4.0) - Image: © Randy Adams (CC BY-SA 2.0)

Exercise: CVSS base score

Participants are split into groups.

Each group will be provided with five CVE IDs and
their descriptions. Based on the descriptions,
calculate CVSS 4.0 base metrics.

Guesstimation/basic research may be required.

Send resulting CVSS vector strings to:
courses+ti_011001@0x00.lt

© Course authors (CC BY-SA 4.0) - Image: © Randy Adams (CC BY-SA 2.0)

CVE-2017-6742

The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 12.0 through 12.4 and 15.0
through 15.6 and IOS XE 2.2 through 3.17 contains multiple vulnerabilities that could allow an
authenticated, remote attacker to remotely execute code on an affected system or cause an affected
system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet
to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to
exploit these vulnerabilities. The vulnerabilities are due to a buffer overflow condition in the
SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP: Versions
1, 2c, and 3. To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must
know the SNMP read-only community string for the affected system. To exploit these vulnerabilities
via SNMP Version 3, the attacker must have user credentials for the affected system. All devices
that have enabled SNMP and have not explicitly excluded the affected MIBs or OIDs should be
considered vulnerable. Cisco Bug IDs: CSCve54313.
© Course authors (CC BY-SA 4.0)

CVE-2021-22009

The vCenter Server contains multiple denial-of-service vulnerabilities
in VAPI (vCenter API) service. A malicious actor with network access
to port 443 on vCenter Server may exploit these issues to create a
denial of service condition due to excessive memory consumption
by VAPI service.
© Course authors (CC BY-SA 4.0)

CVE-2022-39945

An improper access control vulnerability [CWE-284] in FortiMail 7.2.0,
7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions
may allow an authenticated admin user assigned to a specific domain to
access and modify other domains information via
insecure direct object references (IDOR).
© Course authors (CC BY-SA 4.0)

CVE-2022-44877

login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7
before 0.9.8.1147 allows remote attackers to execute arbitrary
OS commands via shell metacharacters in the login parameter.
© Course authors (CC BY-SA 4.0)

CVE-2018-1000803

Gitea version prior to version 1.5.1 contains a CWE-200 vulnerability
that can result in Exposure of users private email addresses.
This attack appear to be exploitable via Watch a repository to receive
email notifications. Emails received contain the other recipients even
if they have the email set as private. This vulnerability appears to
have been fixed in 1.5.1.
© Course authors (CC BY-SA 4.0)

Advanced CVSS usage

Beyond the base metrics

© Course authors (CC BY-SA 4.0) - Image: © Pedro Mendes (CC BY-SA 2.0)

The problem

In practice, the urgency to mitigate a
vulnerability may change over time.

Is it just theoretically exploitable or
are there public Metasploit modules?

Are there any factors that affect the
severity based on my particular usecase?

© Course authors (CC BY-SA 4.0) - Image: © Pedro Mendes (CC BY-SA 2.0)

The threat and environmental metrics
are available to adjust the calculated score;
CVSS 4.0's supplemental metrics add context
without changing it!

© Course authors (CC BY-SA 4.0) - Image: © Adam Lusch (CC BY-SA 2.0)

Let's take 'em for a spin!

© Course authors (CC BY-SA 4.0) - Image: © Adam Lusch (CC BY-SA 2.0)

Wrapping up

© Course authors (CC BY-SA 4.0) - Image: © Pedro Mendes (CC BY-SA 2.0)

Write-up exercise

© Course authors (CC BY-SA 4.0) - Image: © Johannes P1hde (CC BY 2.0)

Exercise: Incident report

Each participant should research and produce a report about one of the following incidents:

  • Cayman National Bank hack
  • Equifax data breach
  • Logica leak

The report should describe (to the extent known) what happened, which flaws were exploited,
suspected perpetrators and the incident aftermath.
777 words or more, remember to cite sources!

Send as plain text, Markdown document or PDF to:
courses+ti_011201@0x00.lt

© Course authors (CC BY-SA 4.0) - Image: © Johannes P1hde (CC BY 2.0)

CVE / CVSS recap

Tracking and rating vulnerabilities

© Course authors (CC BY-SA 4.0) - Image: © Edenpictures (CC BY 2.0)

Common Vulnerabilities and Exposures.

Unique identifier assigned to a vulnerability
in a software component.

Used to track flaws and communicate about them.

Managed by MITRE and
CVE Numbering Authorities (often vendors).

"CVE-" + $Year + $Sequence number

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

We can tie other useful information to CVE IDs!

Common Platform Enumeration
provides a structured/computer-readable
format to describe which vendors, products
and software versions are affected by a flaw.

Common Weakness Enumeration
provides a list of common vulnerability
types that may affect software/hardware.

© Course authors (CC BY-SA 4.0) - Image: © Adam Lusch (CC BY-SA 2.0)

CISA's Known Exploited Vulnerabilities
catalog contains flaws that they've identified
being actively exploited by threat actors.

The Exploit Prediction Scoring System
and Likely Exploited Vulnerabilities
aim to predict how likely it is that a flaw
will actually be exploited in "the wild".

© Course authors (CC BY-SA 4.0) - Image: © Darkday (CC BY 2.0)
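The "advanced CVSS usage" slides ask whether a flaw is merely theoretical or has public exploits, and whether our own deployment changes the picture. KEV, EPSS and the environmental facts we know about our assets answer exactly those questions, so here is an added example, written for this page and not taken from CISA, FIRST or any vendor, that folds them into a remediation queue. The tiers, the 0.10 EPSS threshold and the four sample findings are constructed for illustration; a real policy would tune them.

```python
"""Turn CVSS, EPSS and KEV status plus our own exposure into a remediation queue.

Added example for this course page. The tiers, thresholds and sample findings
are constructed for illustration; a real policy would tune them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ref: str               # internal reference (constructed labels below)
    cvss: float            # CVSS base score, 0.0-10.0
    epss: float            # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_facing: bool  # environmental fact about our deployment, not from any feed

    def __post_init__(self):
        if not 0.0 <= self.cvss <= 10.0 or not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.ref}: cvss/epss out of range")


EPSS_HOT = 0.10  # assumed threshold; only a small share of all CVEs score this high


def tier(f: Finding) -> int:
    """0 = fix now, 1 = this week, 2 = next patch window, 3 = backlog."""
    if f.in_kev:  # evidence of real-world exploitation beats any predicted score
        return 0
    if f.internet_facing and (f.epss >= EPSS_HOT or f.cvss >= 9.0):
        return 1
    if f.cvss >= 7.0 or f.epss >= EPSS_HOT:
        return 2
    return 3


def remediation_queue(findings):
    """Most urgent first; within a tier, higher EPSS and then higher CVSS wins."""
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))


# Constructed sample findings.
SAMPLE = [
    Finding("A: critical CVSS, no exploitation seen, internal only", 9.8, 0.02, False, False),
    Finding("B: in KEV, internet-facing", 7.5, 0.95, True, True),
    Finding("C: medium CVSS but actively probed, internet-facing", 5.3, 0.40, False, True),
    Finding("D: medium CVSS, quiet, internal only", 6.1, 0.01, False, False),
]

if __name__ == "__main__":
    for f in remediation_queue(SAMPLE):
        print(tier(f), f.ref)
```

The queue comes out B, C, A, D: the 5.3 that is being probed on an exposed host outranks the 9.8 that nobody is exploiting on an internal one, which is the whole point of looking beyond the base score.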

Common Vulnerability Scoring System.

Used to calculate severity rating and
describe the "characteristics of a vulnerability".

Widely used to prioritize remediation efforts.

Can adapt rating based on a specific
organisation's implementation/requirements
using "environmental metrics".

"Threat metrics" can be added to
indicate availability of exploits.

© Course authors (CC BY-SA 4.0) - Image: © Brendan J (CC BY 2.0)

Severity    Base score
None        0.0
Low         0.1 - 3.9
Medium      4.0 - 6.9
High        7.0 - 8.9
Critical    9.0 - 10.0

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
© Course authors (CC BY-SA 4.0) - Image: © Brendan J (CC BY 2.0)

Ready to move forward?

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Indicators of Compromise

Low-level threat sharing

© Course authors (CC BY-SA 4.0) - Image: © M. Zamani, ESO (CC BY 2.0)

Threat intelligence is not just for humans.

Observed behavior and artifacts of attackers
and their malware, commonly called
Indicators Of Compromise, are meant
for machines as much as for analysts.

Used to improve (automated)
Intrusion Detection/Prevention Systems.

© Course authors (CC BY-SA 4.0) - Image: © M. Zamani, ESO (CC BY 2.0)

Like what exactly?

  • IP addresses
  • Domain names
  • File hashes
  • User agents / Client identifiers
  • URL paths
  • JA3 / JA3S fingerprints
  • Traffic patterns
  • Bank account numbers

....

© Course authors (CC BY-SA 4.0) - Image: © Jonathan Torres (CC BY 4.0)

Convert into configuration for firewalls,
End-point Detection and Response agents,
log alerting queries, e-mail spam filters, etc.

© Course authors (CC BY-SA 4.0) - Image: © Jonathan Torres (CC BY 4.0)

How do I get hold of these?

© Course authors (CC BY-SA 4.0) - Image: © Jonathan Torres (CC BY 4.0)

Feeds (Passive)

APIs (Active)

© Course authors (CC BY-SA 4.0) - Image: © Yellowcloud (CC BY 2.0)

Pros/Cons with active/passive approaches?

© Course authors (CC BY-SA 4.0) - Image: © Yellowcloud (CC BY 2.0)

Not all sharing is done in the open.

Information Sharing and Analysis Centers
exist to support specific private/public
sectors and interest areas.

© Course authors (CC BY-SA 4.0) - Image: © Adam Lusch (CC BY-SA 2.0)

What is MISP?

FOSS solution for threat sharing.

Instances can subscribe and publish information to public or private communities.

Normalizes data from different feeds.

Provides a powerful search engine and
supports IoC import/export for common formats, such as STIX and YARA/Snort rules.

© Course authors (CC BY-SA 4.0) - Image: © Miguel Discart (CC BY-SA 2.0)

Let's have a look, shall we?

© Course authors (CC BY-SA 4.0) - Image: © Miguel Discart (CC BY-SA 2.0)

Considerations and gotchas?

© Course authors (CC BY-SA 4.0) - Image: © Fritzchens Fritz (CC0 1.0)

Risks with sharing

© Course authors (CC BY-SA 4.0) - Image: © Cory Doctorow (CC BY-SA 2.0)

Quality of data

  • False positives
  • Freshness of data
  • Collateral damage
© Course authors (CC BY-SA 4.0) - Image: © Chad Davis (CC BY-SA 2.0)
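The three slides above fit together: feed data arrives in a sharing format like MISP's, has to be normalized, has to pass a quality check (stale entries, known false positives, things that would cause collateral damage if blocked), and only then becomes firewall/IDS configuration or a log query. The following added example, written for this page and not part of MISP, walks that path end to end. The export is a constructed sample using a simplified subset of MISP's event JSON (an Event with Attribute entries carrying type, value, to_ids and a Unix timestamp); the allowlists, the fixed clock and the log lines are constructed as well, and the emitted rules use Suricata 5+ syntax.

```python
"""Normalise a MISP-style IoC export, filter it for quality, then apply it.

Added example for this course page (not MISP's own code). The export below is a
constructed sample using a simplified subset of MISP's event JSON; the log lines,
allowlists and fixed clock are constructed too.
"""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed clock so the example is reproducible

MISP_EXPORT = json.dumps({"Event": {"info": "constructed sample event", "Attribute": [
    {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True, "timestamp": "1735689600"},
    {"type": "ip-dst", "value": "8.8.8.8", "to_ids": True, "timestamp": "1735689600"},
    {"type": "domain", "value": "old.example.net", "to_ids": True, "timestamp": "1600000000"},
    {"type": "domain", "value": "bad.example.org", "to_ids": True, "timestamp": "1735689600"},
    {"type": "sha256", "value": EMPTY_FILE_SHA256, "to_ids": True, "timestamp": "1735689600"},
    {"type": "domain", "value": "cdn.example.com", "to_ids": False, "timestamp": "1735689600"},
]}})

# Local policy (assumed): never block these, whatever a feed says.
ALLOW_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "8.8.8.8/32")]
ALLOW_HASHES = {EMPTY_FILE_SHA256}  # the hash of an empty file turns up in feeds now and then
TYPE_MAP = {"ip-dst": "ip", "ip-src": "ip", "domain": "domain", "hostname": "domain", "sha256": "sha256"}


def load_indicators(export_json, now=NOW, max_age_days=90):
    """Return ({kind: set(values)}, [(value, reason)]) after quality filtering."""
    kept = {"ip": set(), "domain": set(), "sha256": set()}
    rejected = []
    for attr in json.loads(export_json)["Event"]["Attribute"]:
        kind = TYPE_MAP.get(attr["type"])
        if kind is None:
            continue  # comments, free text etc. are not machine-actionable
        value = attr["value"].strip().lower()
        if not attr.get("to_ids", False):
            rejected.append((value, "publisher did not flag it for IDS use"))
            continue
        age = now - datetime.fromtimestamp(int(attr["timestamp"]), tz=timezone.utc)
        if age > timedelta(days=max_age_days):
            rejected.append((value, f"stale, {age.days} days old"))
            continue
        if kind == "ip" and any(ipaddress.ip_address(value) in net for net in ALLOW_NETWORKS):
            rejected.append((value, "allowlisted, blocking it would cause collateral damage"))
            continue
        if kind == "sha256" and value in ALLOW_HASHES:
            rejected.append((value, "known-benign hash, would only produce false positives"))
            continue
        kept[kind].add(value)
    return kept, rejected


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")
SHA256 = re.compile(r"\b[0-9a-f]{64}\b")


def match_logs(indicators, lines):
    """Return [(line, kind, indicator)] for every indicator seen in the lines."""
    hits = []
    for line in lines:
        low = line.lower()
        hits += [(line, "ip", ip) for ip in IPV4.findall(low) if ip in indicators["ip"]]
        for name in DOMAIN.findall(low):  # subdomains of a bad domain count as well
            hits += [(line, "domain", bad) for bad in indicators["domain"]
                     if name == bad or name.endswith("." + bad)]
        hits += [(line, "sha256", h) for h in SHA256.findall(low) if h in indicators["sha256"]]
    return hits


def suricata_rules(indicators, sid=9000001):
    """Emit Suricata (5+) rules, one per indicator, with unique SIDs."""
    rules = []
    for ip in sorted(indicators["ip"]):
        rules.append(f'alert ip $HOME_NET any -> {ip} any (msg:"TI ip {ip}"; sid:{sid}; rev:1;)')
        sid += 1
    for name in sorted(indicators["domain"]):
        rules.append(f'alert dns any any -> any any (msg:"TI dns {name}"; dns.query; '
                     f'content:"{name}"; nocase; endswith; sid:{sid}; rev:1;)')
        sid += 1
    return rules


LOG_LINES = [  # constructed
    "2025-01-14T10:00:01Z proxy src=10.1.2.3 dst=203.0.113.45 host=update.bad.example.org status=200",
    "2025-01-14T10:00:02Z dns client=10.1.2.9 query=www.example.com answer=198.51.100.7",
    f"2025-01-14T10:00:03Z edr host=ws17 path=C:\\Temp\\empty.txt sha256={EMPTY_FILE_SHA256}",
    "2025-01-14T10:00:04Z proxy src=10.1.2.3 dst=8.8.8.8 host=dns.google status=200",
]

if __name__ == "__main__":
    kept, rejected = load_indicators(MISP_EXPORT)
    for value, reason in rejected:
        print("dropped", value, "-", reason)
    for line, kind, ioc in match_logs(kept, LOG_LINES):
        print("HIT", kind, ioc, "in:", line)
    print("\n".join(suricata_rules(kept)))
```

Of the six attributes only two survive; the other four are each dropped for one of the reasons on the "Quality of data" slide. Run against the sample logs, the survivors produce two hits on the same proxy line (the IP and the subdomain of the bad domain) and no noise from the empty-file hash or the public resolver.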

Wrapping up

© Course authors (CC BY-SA 4.0) - Image: © M. Zamani, ESO (CC BY 2.0)

Targeting communication

Knowing your audience

© Course authors (CC BY-SA 4.0) - Image: © Randy Adams (CC BY-SA 2.0)

We gather threat intelligence to help
groups and individuals protect themselves.

Ideally, change their behavior and invest
in suitable supporting technology.

How do we maximize the value of that
information and our hard work?

© Course authors (CC BY-SA 4.0) - Image: © Randy Adams (CC BY-SA 2.0)

Targeting communication based on:

  • Role / Responsibilities
  • Technical skills
  • Domain specific knowledge
  • Bandwidth
© Course authors (CC BY-SA 4.0) - Image: © Wonderlane (CC BY 2.0)

What do you think are the most important
take-aways for role X? (desires/responsibilities)

How do you want them to react (mohaha)?

© Course authors (CC BY-SA 4.0) - Image: © Wonderlane (CC BY 2.0)

Some examples, mayhaps?

© Course authors (CC BY-SA 4.0) - Image: © Wonderlane (CC BY 2.0)

CTO

Chief Technology Officer.

Sets medium- to long-term direction
and goals for IT in the organisation.

Technical skill level highly varied.

Influence to prioritize security related efforts,
but remember that IT is a support function-ish.

© Course authors (CC BY-SA 4.0) - Image: © Raphaël Vinot (CC BY 2.0)

CTO

Should we migrate our sensitive applications
to a public cloud provider in country X?

How much effort should we spend on migrating
away from platform X that is End-of-Life
and no longer updated by the vendor?

Should the development teams standardise on
usage of programming language X or Y?

© Course authors (CC BY-SA 4.0) - Image: © Raphaël Vinot (CC BY 2.0)

CISO

Chief Information Security Officer.

Reports to CTO, CSO or CEO.

Often acts as counter-balance to CTO.

Help them filter out the noise and produce
sound-bites/ammunition.

Lessons learned from incidents affecting
competitors and similar organisations
are usually an effective tool.

© Course authors (CC BY-SA 4.0) - Image: © Ron Frazier (CC BY 2.0)

CEO

Chief Executive Officer.

Extremely limited bandwidth.

Just enough information to not be embarrassed
in front of board/shareholders/partners.

Reporting through one or two slides is common.

© Course authors (CC BY-SA 4.0) - Image: © David Revoy (CC BY 4.0)

SOC analyst

Security Operations Center analyst.

Typically, highly skilled.

Focus on TTPs and IoCs that can be used
to develop detection/prevention.

Keep it to the point and prepare
for asynchronous communication.

© Course authors (CC BY-SA 4.0) - Image: © Lisa Brewster (CC BY-SA 2.0)

Marketing department

Mostly applicable if we wanna make
money on security-related events.

What makes a headline?

What are the scariest parts and
how can we help?

Who are their audience?
Recruits, customers, etc.

© Course authors (CC BY-SA 4.0) - Image: © Solarbotics (CC BY 2.0)

In the marketing field, personas are
often used to focus communication efforts.

Fictional character that represents
a group of customers/targets.

We can borrow the tool to practice our skills!

© Course authors (CC BY-SA 4.0) - Image: © Asparukh Akanayev (CC BY 2.0)

Max is the CTO at a small power utility
company owned by the local municipality.

Responsible for Information Technology
and its interaction with their
Operational Technology
(computers making power go buzz).

Due to their size, they haven't employed a
CISO - the work and worries fall on Max.

Struggles with funding and budget cuts.

Used to be technically skilled, but has
fallen behind due to the workload.

© Course authors (CC BY-SA 4.0) - Image: © Nirvana Studios (CC BY 4.0)

How can we help Max?

© Course authors (CC BY-SA 4.0) - Image: © Nirvana Studios (CC BY 4.0)

Conclusions

There is no "one size fits all".

Know your audience and
make the most of it!

© Course authors (CC BY-SA 4.0) - Image: © Randy Adams (CC BY-SA 2.0)

Group exercise

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Exercise: Target the message

Participants are split into groups.

Groups should research the
"Colonial Pipeline ransomware attack"
and produce a targeted report for one of the following recipients:

  • CEO at large sewage treatment plant
  • Technical CISO at pharmaceutical factory
  • SOC operator at small MSSP

After presentation, send as plain text, Markdown document or PDF to:
courses+ti_011601@0x00.lt

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Protecting what?

Managing your attack surface

© Course authors (CC BY-SA 4.0) - Image: © Solarbotics (CC BY 2.0)

Quick recap

Assets exposed towards threat actors
that may be attacked.

The attack surface may not look
the same to all threat actors.

Keeping track of systems in
your IT environment is key!

© Course authors (CC BY-SA 4.0) - Image: © Solarbotics (CC BY 2.0)

How about a CMDB?

Configuration Management Database.

Tool for documenting HW- and/or SW-assets.
Excel spreadsheet or fully-fledged application.

Stores related information like system owners
and their relationships/dependencies.

Often aims to provide a Single Source of Truth.

Use the information to configure monitoring
of specific CPEs in the CVE database...

© Course authors (CC BY-SA 4.0) - Image: © Pyntofmyld (CC BY 2.0)

Sounds simple enough?

© Course authors (CC BY-SA 4.0) - Image: © Pyntofmyld (CC BY 2.0)

Manual documentation always* drifts
from reality over time.

Documentation tends to be sacrificed
first during stress/pressure.

Faulty/Outdated documentation may
be worse than not having any.

© Course authors (CC BY-SA 4.0) - Image: © Theo Crazzolara (CC BY 2.0)

All doom and gloom?

© Course authors (CC BY-SA 4.0) - Image: © Theo Crazzolara (CC BY 2.0)

IaC and automation

Automation tools, such as Terraform,
Ansible and CI/CD pipelines,
are "self-documenting".

(rant about incident recovery)

Only works if ClickOps is
disallowed/heavily restricted.

© Course authors (CC BY-SA 4.0) - Image: © Wolfgang Stief (CC0 1.0)

Using the hacker toolbox

DNS zone dumping/enumeration.

Network and service scanning tools,
such as Nmap and Shodan.

Application fingerprinting with tools like WhatWeb.

Querying of cloud platform APIs.

Purpose built software like runZero.

Product category: Attack Surface Management.

© Course authors (CC BY-SA 4.0) - Image: © Randy Adams (CC BY-SA 2.0)
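The scanning tools only pay off once their output is compared with what the CMDB claims, which is how the "drift" from the previous slides becomes visible and how the CPEs worth monitoring in the CVE database fall out. The block below is an added example written for this page, not part of Nmap or any ASM product: it parses Nmap's XML output into an inventory and diffs it against a CMDB. The scan result is a constructed sample that follows Nmap's real -oX element layout, and the CMDB rows are constructed as well.

```python
"""Build an asset inventory from Nmap XML and diff it against the CMDB.

Added example for this course page. The scan output is a constructed sample
in Nmap's real -oX format; the CMDB rows are constructed as well.
"""
import xml.etree.ElementTree as ET

NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29" start="1736935200">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"><cpe>cpe:/a:openbsd:openssh:8.9p1</cpe></service>
      </port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"><cpe>cpe:/a:nginx:nginx:1.18.0</cpe></service>
      </port>
      <port protocol="tcp" portid="3389"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>"""

# What the CMDB claims (constructed): documented hosts and their documented services.
CMDB = [
    {"ip": "10.0.0.5", "owner": "web-team", "services": {"tcp/443"}},
    {"ip": "10.0.0.9", "owner": "db-team", "services": {"tcp/5432"}},  # documented, not seen
]


def parse_nmap(xml_text):
    """One dict per host that is up, with its open services and any CPEs Nmap guessed."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = next(a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4")
        hostname = host.find("hostnames/hostname")
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")  # absent when the port was not probed
            services.append({
                "key": f'{port.get("protocol")}/{port.get("portid")}',
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "cpes": [c.text for c in svc.findall("cpe")] if svc is not None else [],
            })
        hosts.append({"ip": ip, "hostname": hostname.get("name") if hostname is not None else None,
                      "services": services})
    return hosts


def diff_against_cmdb(hosts, cmdb):
    """Compare the scan with the CMDB and return:
    unknown_hosts        - live hosts nobody documented
    undocumented         - (ip, proto/port, service) open on a documented host but not in its record
    missing_hosts        - CMDB entries that did not answer (decommissioned, or just down?)
    cpes_to_watch        - CPEs to subscribe to in the CVE database
    services_without_cpe - open services the scanner could not fingerprint; manual follow-up
    """
    known = {row["ip"]: row for row in cmdb}
    seen = {h["ip"] for h in hosts}
    result = {"unknown_hosts": [], "undocumented": [], "missing_hosts": sorted(set(known) - seen),
              "cpes_to_watch": set(), "services_without_cpe": []}
    for h in hosts:
        row = known.get(h["ip"])
        if row is None:
            result["unknown_hosts"].append(h["ip"])
        for s in h["services"]:
            if row is not None and s["key"] not in row["services"]:
                result["undocumented"].append((h["ip"], s["key"], s["name"]))
            if s["cpes"]:
                result["cpes_to_watch"].update(s["cpes"])
            else:
                result["services_without_cpe"].append((h["ip"], s["key"], s["name"]))
    result["cpes_to_watch"] = sorted(result["cpes_to_watch"])
    return result


if __name__ == "__main__":
    for key, value in diff_against_cmdb(parse_nmap(NMAP_XML), CMDB).items():
        print(f"{key}: {value}")
```

On the sample, 10.0.0.6 is alive but absent from the CMDB, web01 runs an SSH service nobody documented, the documented database host never answered, two CPEs can be fed straight into CVE monitoring, and the MySQL service has no CPE and needs a human to look at it. Replace the constant with the contents of a real scan.xml and the CMDB list with an export from yours.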

Perhaps an agent like osquery may be useful?

SELECT name, version FROM chrome_extensions
WHERE name LIKE '%Netflix%';

+-----------------------+---------+
| name                  | version |
+-----------------------+---------+
| Netflix Party         | 1.0.4   |
| US Netflix Anywhere   | 0.2.7   |
+-----------------------+---------+

Deploy it to your servers and end-points
to gain insights unavailable through
simple network scanning.

© Course authors (CC BY-SA 4.0) - Image: © Randy Adams (CC BY-SA 2.0)

Wrapping up

Understanding your IT environment and
attack surfaces may help you focus
gathering of threat intelligence.

Sadly, it is rarely well documented.

In most organisations, you'll likely need
to utilize all three methods described.

© Course authors (CC BY-SA 4.0) - Image: © Solarbotics (CC BY 2.0)

Software supply chain

Dependencies and imported risk

© Course authors (CC BY-SA 4.0) - Image: © Axelspace Corporation (CC BY-SA 4.0)

No one builds computers from scratch.

Relies on a highly interconnected
and globalized supply chain.

Risk VS Reward.

© Course authors (CC BY-SA 4.0) - Image: © Axelspace Corporation (CC BY-SA 4.0)

Likewise,
no one builds software from scratch.

© Course authors (CC BY-SA 4.0) - Image: © Chris 73 (CC BY-SA 3.0)

Example: Keycloak server

Popular solution for identity and access
management - an authentication service.

$ mvn clean install | tee build_output.txt

[...]
Downloaded from central:
https://repo.maven.apache.org/maven2/org/
fusesource/jansi/jansi/1.16/jansi-1.16.jar
[...]

$ grep \
  -E 'Downloaded from central: .+\.jar' \
  build_output.txt | wc --lines

1465
© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

What's the problem?

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

XZ Utils backdoor

Freely available code library for handling
LZMA data compression ("liblzma").

Great example of something (boring) that
people wanna avoid writing from scratch.

Included in countless code-bases
(both proprietary and open-source),
for example systemd...

© Course authors (CC BY-SA 4.0) - Image: © Miguel Discart (CC BY-SA 2.0)

XZ Utils backdoor

In March of 2024, malicious code was
detected in the software library that
targeted the widely deployed
OpenSSH server process.

The code introduced a backdoor,
allowing attackers with a secret key
to remotely access the vulnerable system.

The backdoor code was included by one of
the maintainers of XZ Utils.

© Course authors (CC BY-SA 4.0) - Image: © Miguel Discart (CC BY-SA 2.0)

Log4Shell

Vulnerability in popular Java logging library
"Log4j" (CVE-2021-44228).

Could be exploited by injecting a JNDI lookup string
(for example pointing at an attacker-controlled LDAP server)
into any input that ended up being logged,
leading to remote code execution (CVSS 10.0).

© Course authors (CC BY-SA 4.0) - Image: © Fredrik Rubensson (CC BY-SA 2.0)

Not just a problem affecting freely
available open source libraries...

© Course authors (CC BY-SA 4.0) - Image: © Kevin L Neff (CC BY 2.0)

Root cause analysis

The initial cost of including
third-party libraries is near zero.

Dependencies often have their own dependencies.

Maintaining software over time ain't always
the most fun/rewarding task, especially for free.

Your security depends on the security of
your dependencies and of their developers.

© Course authors (CC BY-SA 4.0) - Image: © Nirvana Studios (CC BY 4.0)

XKCD #2347: Dependency

© Course authors (CC BY-SA 4.0) - Image: © Nirvana Studios (CC BY 4.0)

(Software) Bill Of Materials.

Term borrowed from physical manufacturing.
Describes components (and their suppliers)
required to assemble a product.

Helps us understand what/who our software
relies on and what/who we need to monitor.

Several competing standards exist,
like CycloneDX and SPDX.

Also useful for license compliance.

Tools exist to generate SBOMs using
source code analysis and guesstimation.

© Course authors (CC BY-SA 4.0) - Image: © Tobin (CC BY-SA 2.0)
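An SBOM is only useful if something reads it, and the two questions worth automating are "how deep down is this component?" (the Keycloak build above pulled in well over a thousand jars, most of them indirectly) and "is any listed version known to be bad?". The following added example, written for this page and not taken from the CycloneDX project or any scanner, does both. The SBOM is a constructed sample in CycloneDX 1.5 JSON (the jansi 1.16 artifact comes from the build output shown earlier, the other names are made up); the advisory list is constructed except that the Log4Shell row reflects the real affected range of CVE-2021-44228, log4j-core below 2.15.0. Version comparison is a simplified numeric scheme, not full Maven or semver semantics.

```python
"""Read a CycloneDX SBOM, find direct vs transitive dependencies, match advisories.

Added example for this course page. The SBOM is a constructed sample in CycloneDX
1.5 JSON; the advisory list is constructed except that the Log4Shell row reflects
the real affected range of CVE-2021-44228 (log4j-core below 2.15.0). Version
comparison is a simplified numeric scheme, not full Maven/semver semantics.
"""
import json
import re
from collections import deque

SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-service",
                               "version": "1.0.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "group": "org.example", "name": "web-framework", "version": "3.2.1",
         "bom-ref": "pkg:maven/org.example/web-framework@3.2.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.fusesource.jansi", "name": "jansi", "version": "1.16",
         "bom-ref": "pkg:maven/org.fusesource.jansi/jansi@1.16"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/org.example/web-framework@3.2.1",
                                     "pkg:maven/org.fusesource.jansi/jansi@1.16"]},
        {"ref": "pkg:maven/org.example/web-framework@3.2.1",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    ],
})

ADVISORIES = [
    {"id": "CVE-2021-44228", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "fixed_in": "2.15.0"},
]


def version_key(version):
    """Simplified: compare on the numeric components only ('2.14.1' -> (2, 14, 1))."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def dependency_depth(sbom):
    """BFS from the root component: {bom-ref: depth}; 1 = direct, >1 = transitive."""
    doc = json.loads(sbom)
    root = doc["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth


def find_vulnerable(sbom, advisories):
    """[(bom-ref, advisory id, depth)] for components below the fixed version.

    Depth None means the component is listed but not reachable from the root,
    which is itself worth a question to whoever produced the SBOM.
    """
    doc = json.loads(sbom)
    depth = dependency_depth(sbom)
    hits = []
    for comp in doc.get("components", []):
        for adv in advisories:
            if (comp.get("group"), comp["name"]) != (adv["group"], adv["name"]):
                continue
            if version_key(comp["version"]) < version_key(adv["fixed_in"]):
                hits.append((comp["bom-ref"], adv["id"], depth.get(comp["bom-ref"])))
    return hits


if __name__ == "__main__":
    for ref, d in dependency_depth(SBOM).items():
        print(d, ref)
    for ref, adv, d in find_vulnerable(SBOM, ADVISORIES):
        print(f"{adv} via {ref} (depth {d}: {'direct' if d == 1 else 'transitive'})")
```

The vulnerable log4j-core is found at depth 2: the application never asked for it, the web framework did. That is the situation Log4Shell put most teams in, and why a flat list of direct dependencies is not enough.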

Conclusions

Should I really depend on
third-party code?

At the end of the day,
it's all a cost-benefit gamble.

Automated dependency monitoring,
OpenSSF Scorecard reviews and
similar efforts can minimize the risk.

© Course authors (CC BY-SA 4.0) - Image: © Axelspace Corporation (CC BY-SA 4.0)

Dependency tracking exercise

© Course authors (CC BY-SA 4.0) - Image: © Wolfgang Stief (CC0 1.0)

Exercise: Dependency tracking

To the best of your abilities,
identify and document third-party
dependencies (both direct and indirect)
required to run the automation tool "Ansible".

Send as plain text, Markdown document or PDF to:
courses+ti_011901@0x00.lt

© Course authors (CC BY-SA 4.0) - Image: © Wolfgang Stief (CC0 1.0)

Course midpoint

What have we learned so far?

© Course authors (CC BY-SA 4.0) - Image: © Brendan J (CC BY 2.0)

We've talked about...

  • Who we're protecting
  • What we're protecting
  • Who we're protecting against
© Course authors (CC BY-SA 4.0) - Image: © Brendan J (CC BY 2.0)

We've talked about...

  • Tracking and rating vulnerabilities
  • Adapting communication based on recipients
© Course authors (CC BY-SA 4.0) - Image: © Brendan J (CC BY 2.0)

What's next?

Put your skills to the test.

Report about real events to real people.

+ Some deep dives and hopefully guest lectures!

© Course authors (CC BY-SA 4.0) - Image: © Eric Friedebach (CC BY 2.0)

Feedback, please!

  • What are your course highlights so far?
  • How would you re-balance the course? (less/more lectures, practical labs, etc.)
  • Any "Ahaaa!"-moments you remember?
  • What would you like to learn more about?
  • Other thoughts/comments/suggestions?

Take the chance to be a bit --verbose!

courses+ti_012001@0x00.lt

© Course authors (CC BY-SA 4.0) - Image: © Der Keks (CC BY-SA 4.0)

Course recap

Let's look back for a while

© Course authors (CC BY-SA 4.0) - Image: © Kevin Dooley (CC BY 2.0)

We've talked about...

  • Who we're protecting
  • What we're protecting
  • Who we're protecting against
© Course authors (CC BY-SA 4.0) - Image: © Kevin Dooley (CC BY 2.0)

Learn to adapt and keep up with the attackers.

Perform more realistic security exercises and assessments.

Invest in appropriate security controls.

Learn what to look for when monitoring systems and performing incident response.

© Course authors (CC BY-SA 4.0) - Image: © Solarbotics (CC BY 2.0)

Basic vocabulary

  • Threat actor
  • Asset
  • Vulnerability, exploit and attack
  • Attack surface
© Course authors (CC BY-SA 4.0) - Image: © Pedro Mendes (CC BY-SA 2.0)

Tactics,
Techniques and
Procedures.

Confidentiality,
Integrity and
Availability.

© Course authors (CC BY-SA 4.0) - Image: © ESA-G (CC BY-SA 3.0 IGO)

Risk ~=
Consequences of bad thing * Probability.

© Course authors (CC BY-SA 4.0) - Image: © Tobin (CC BY-SA 2.0)

Threat actor motivations

  • Personal
  • Financial
  • Political
  • Military
© Course authors (CC BY-SA 4.0) - Image: © David Revoy (CC BY 4.0)

Causing impact

  • Disruption
  • Data theft
  • Defacement
  • Resource hijacking
© Course authors (CC BY-SA 4.0) - Image: © Kevin Dooley (CC BY 2.0)

Indicators of Compromise

Used to improve Intrusion Detection /
Prevention Systems and for attribution.

IP addresses, domain names, file hashes,
URL paths, traffic patterns...

© Course authors (CC BY-SA 4.0) - Image: © The Preiser Project (CC BY 2.0)

Tracking vulnerabilities

Common Vulnerabilities and Exposures.

Common Platform Enumeration and
Common Weakness Enumeration.

Common Vulnerability Scoring System.

Known Exploited Vulnerabilities.

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Managing assets/attack surface

Configuration Management Database.

Infrastructure as Code,
Configuration Management automation and
Continuous Integration.

Active scanning ("Hacker's toolbox").

© Course authors (CC BY-SA 4.0) - Image: © Rich Bowen (CC BY 2.0)

Supply chain security

Most applications utilize third-party
code libraries for (boring) functionality.

May contain (intentional) vulnerabilities,
backdoors and other malicious things.

Utilize Software Bill of Materials files
to keep track of dependencies.

Auditing and risk management.

© Course authors (CC BY-SA 4.0) - Image: © Maximilien Brice / CERN (CC BY-SA 3.0)

Knowing your audience

Target communication based on:

  • Role / Responsibilities
  • Technical skills
  • Domain specific knowledge
  • Bandwidth

What do you think are the most important
take-aways for role X?

Using personas for targeting practice.

© Course authors (CC BY-SA 4.0) - Image: © Jesse James (CC BY 2.0)

Rules and regulations

  • GDPR
  • NIS(2)
  • DORA
  • CRA
  • PSD2
  • FIPS
  • PCI DSS
  • ISO 27K / SOC 2
© Course authors (CC BY-SA 4.0) - Image: © Lauri Veerde (CC BY-SA 4.0)

Everything clear?

© Course authors (CC BY-SA 4.0) - Image: © SMTW.de (CC BY-SA 4.0)

Final exercise

© Course authors (CC BY-SA 4.0) - Image: © Scott Schiller (CC BY 2.0)

Exercise: Yearly summary report

Each student should produce a report analyzing
the most noteworthy IT security-related
incidents and developments of 2024.

Its content should be targeted and adapted
to a recipient persona assigned by the teacher.

© Course authors (CC BY-SA 4.0) - Image: © Scott Schiller (CC BY 2.0)

Report requirements

Minimum 1500 words, maximum 2500.

Remember to cite your sources
("in-line" or "appendix").

Upload report as plain text, Markdown document
or PDF to ITHS Distans.

Deadline: 2025-08-20 08:59

© Course authors (CC BY-SA 4.0) - Image: © Scott Schiller (CC BY 2.0)

Exercise grading

  • Targeting
  • Relevance
  • Analysis
  • Recommendations / "Actionability"
  • Report length
© Course authors (CC BY-SA 4.0) - Image: © Scott Schiller (CC BY 2.0)

Tips and guidance

  • Don't forget an introduction
  • "Descriptive" or "Narrative" approach
  • Ain't only "text" in your toolbox
  • A LLM can help, but you're responsible
  • Utilize help offered by teacher
© Course authors (CC BY-SA 4.0) - Image: © Scott Schiller (CC BY 2.0)

Let's have a look at
the recipient personas!

© Course authors (CC BY-SA 4.0) - Image: © Jan Helebrant (CC0 1.0)

#1: Saylor Twift

Head of Security Operations @ EXMPL Bets

  • Works at large sports betting company
  • Needs to delegate work and motivate security investments to higher-ups
  • Very technically skilled, but quite busy
  • Interested in new threats, defensive tech and incidents affecting gambling sector
© Course authors (CC BY-SA 4.0) - Image: © Cory Doctorow (CC BY-SA 2.0)

#2: Garvin Maye

Sales Director @ ExamPL CybSec

  • Works at Managed Security Service Provider
  • Needs to help his staff convince (see "scare") potential customers into investing in security
  • Wants to map the threat landscape onto existing or new service offerings
  • Low technical skill level
  • Interested in high-level knowledge about current events, both technical and rules/regulation
© Course authors (CC BY-SA 4.0) - Image: © Dennis van Zuijlekom (CC BY-SA 2.0)

#3: Krida Fahlo

SOC team leader @ Esimerkki Defense

  • Works at company developing highly secret military equipment
  • Responsible for transferring security knowledge to team members and plan improvement efforts
  • Highly skilled, but needs to delegate work
  • Interested in defensive technologies and incidents affecting the defense sector
© Course authors (CC BY-SA 4.0) - Image: © Solarbotics (CC BY 2.0)

#4: Hustin Doffman

Cybersecurity advisor @ Ejemplo OT Inc.

  • Works as freelance consultant, focusing on Industrial Control Systems ("OT")
  • Needs to convince (see "scare") companies providing critical infrastructure to hire him
  • Medium level technical skills, but interacts mostly with "C-level" personnel
  • Interested in incidents, developments and regulation related to critical infrastructure
© Course authors (CC BY-SA 4.0) - Image: © Kurayba (CC BY-SA 2.0)

#5: Rargot Mobbie

CISO @ Exemplum Medical Services

  • Works at company providing highly sensitive SaaS for hospitals
  • Needs help prioritising security efforts and motivate/defend investments
  • Low technical skill level, but curious
  • Interested in incidents/regulation affecting the sector and defensive technology
© Course authors (CC BY-SA 4.0) - Image: © Snemani2023 (CC BY 4.0)

Rules and regulation

(Seen by some as a threat)

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

We've mostly focused on keeping up with activities of threat actors.

Other developments can greatly affect how organizations prioritize their security efforts.

Let's talk a bit about
regulation and compliance frameworks.

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

More specifically...

  • GDPR
  • NIS(2)
  • DORA
  • CRA
  • PSD2
  • FIPS
  • PCI DSS
  • ISO 27K / SOC 2
© Course authors (CC BY-SA 4.0) - Image: © Bruno Cordioli (CC BY 2.0)

GDPR

General Data Protection Regulation.

Attempt to unify and strengthen privacy
for individuals within the EU + EEA.

Unlike a directive, a regulation applies directly
in member states (complemented by national law);
enforced since 2018 by Data Protection Authorities.

© Course authors (CC BY-SA 4.0) - Image: © Yellowcloud (CC BY 2.0)

Protecting what?

Privacy of natural/physical persons
(temporarily) located in the EU.

More specifically, protection of Personal Data
(AKA Personally Identifiable Information).

Personal Data is (according to the GDPR)
any information relating to an identified
or identifiable natural person.

© Course authors (CC BY-SA 4.0) - Image: © Yellowcloud (CC BY 2.0)

Personal Data

Physical/digital addresses, gender, ID number,
location information, phone number,
date of birth, photographs...

Sensitive Personal Data

Race/ethnicity, political opinions/affiliations,
religious/philosophical beliefs, union membership,
sexual preferences/activities and
health/medical information.

© Course authors (CC BY-SA 4.0) - Image: © Yellowcloud (CC BY 2.0)

Individuals have the right to...

  1. Be informed
  2. Access
  3. Rectification
  4. Object to processing
© Course authors (CC BY-SA 4.0) - Image: © Yellowcloud (CC BY 2.0)

Individuals have the right to...

  1. Avoid/restrict automated profiling
  2. Be forgotten
  3. Data portability
  4. Restrict processing
© Course authors (CC BY-SA 4.0) - Image: © Yellowcloud (CC BY 2.0)

Consequences

Organization must document how they
store, process and protect PD.

They must also assign a
Data Protection Officer*.

Failure to respect individuals' rights or
inadequate protection of PD could result in
large sanction fees (200 MSEK || 4% of revenue,
whichever is higher) and other forms of punishment.

© Course authors (CC BY-SA 4.0) - Image: © Yellowcloud (CC BY 2.0)

Enforcement in Sweden

Integritetsskyddsmyndigheten
(previously called Datainspektionen) is the DPA.

~150 employees, slowly growing.

How's it going?

© Course authors (CC BY-SA 4.0) - Image: © Bengt Nyman (CC BY 2.0)

Official IMY statistics

Year    Fees in SEK    Number of fees
2018              0                 0
2019        500 000                 2
2020    150 000 000                15
2021     32 500 000                 7
2022      9 720 000                 4
2023    120 400 000                11
2024     60 580 000                 6
© Course authors (CC BY-SA 4.0) - Image: © Bengt Nyman (CC BY 2.0)

IMY has been criticized for its
"lazy handling" of complaints.

On-going court case against them
by privacy interest group "noyb".

© Course authors (CC BY-SA 4.0) - Image: © Bengt Nyman (CC BY 2.0)

EU and USA

GDPR limits transfer of PD to
third countries.

In practice, tons of (S)PD is collected
and processed in the USA.

When (and if at all) this is okay is a
constant back and forth.

© Course authors (CC BY-SA 4.0) - Image: © Manfred Werner (CC BY-SA 3.0)

Example: Data transfer fine

© Course authors (CC BY-SA 4.0) - Image: © Johannes P1hde (CC BY 2.0)

Example: Employee monitoring

© Course authors (CC BY-SA 4.0) - Image: © ESA (CC BY-SA 3.0 IGO)

Example: Google school ban

© Course authors (CC BY-SA 4.0) - Image: © Ted Eytan (CC BY-SA 2.0)

Example: Inadequate protection

© Course authors (CC BY-SA 4.0) - Image: © Tom Held (CC BY 2.0)

Example: Unlawful marketing

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Example: Not just giants

© Course authors (CC BY-SA 4.0) - Image: © Crazy Crusty (CC0 1.0)

For more examples and details, check out
GDPRhub.

© Course authors (CC BY-SA 4.0) - Image: © Bruno Cordioli (CC BY 2.0)

NIS(2)

Network and Information Security Directive.

Aims to ensure availability of services and infrastructure critical to society.

The first version applied from 2018; version 2
should have been transposed by member states
by October 2024.

As of 2025, Sweden is still working on
fulfilling requirements through
"Cybersäkerhetslagen".

© Course authors (CC BY-SA 4.0) - Image: © Todd Van Hoosear (CC BY-SA 2.0)

What does that mean?

Organizations must structure and document
their IT security efforts.

Security efforts must be
appropriate to the risk posed,
as interpreted by the sector regulator.

If an incident occurs, it must be reported to
the sector regulator in stages on tight deadlines,
e.g. 6h for an initial notification (NIS2 itself
prescribes an early warning within 24h, a notification
within 72h and a final report within a month).

Failure to comply can result in
sanction fees (10 MSEK || 2% of revenue)
and other consequences.

© Course authors (CC BY-SA 4.0) - Image: © Todd Van Hoosear (CC BY-SA 2.0)

Critical sectors

Version 1

Banking/payment services, digital infrastructure,
energy, healthcare and logistics/transportation.

Version 2

Food production/distribution, waste treatment,
central heating/cooling, "heavy industry",
local/national "authorities", postal services
and (aero)space.

© Course authors (CC BY-SA 4.0) - Image: © Todd Van Hoosear (CC BY-SA 2.0)

Is our organization providing
services critical to society?

Well, that's up to the sector regulator.

NIS2 does however provide much
clearer guidance for selection.

© Course authors (CC BY-SA 4.0) - Image: © Todd Van Hoosear (CC BY-SA 2.0)

DORA

Digital Operational Resilience Act.

EU regulation targeting "financial entities"
(banks, insurance companies, investment firms,
crowdfunding services, crypto exchanges, etc!).

More detailed requirements than NIS(2),
for example regarding security testing.

Enforced since January 2025.

© Course authors (CC BY-SA 4.0) - Image: © Michael Garlick (CC BY-SA 2.0)

CRA

Cyber Resilience Act.

Aims to improve security of software
and hardware products sold in the EU.

Requires that vendors understand
and document their supply chain.

Products should be
"reasonably secure-by-default"
and those "critical for security"
must be audited by a third party.

Expected enforcement by 2027.

© Course authors (CC BY-SA 4.0) - Image: © Timothy J Toal (CC BY 4.0)

PSD2

Payment Services Directive.

Aims to increase innovation and competition
within payment/banking sector.

Among other things, forces banks to open up
their online services (APIs) to third-parties.

While not focused on security,
it surely affects it.

© Course authors (CC BY-SA 4.0) - Image: © Kevin Dooley (CC BY 2.0)

FIPS

Federal Information Processing Standards.

Published by NIST; describes things such as
acceptable encryption algorithms and other security related requirements.

US government/military enforces FIPS during procurement.

© Course authors (CC BY-SA 4.0) - Image: © Wolfgang Stief (CC0 1.0)

PCI DSS

Payment Card Industry
Data Security Standard.

Specifies technical and organizational
security requirements.

Requires yearly audit by an external
Qualified Security Assessor.

If you want to handle card numbers,
you need to comply.

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

ISO 27K / SOC 2

The ISO 27000-family of standards describes
methods for organizations to structure
their security efforts.

Identified risks must be evaluated,
documented and acted upon.

No legal requirement, but many organizations
require that vendors/partners are certified.

SOC 2 is basically the equivalent thing in the USA,
but with stricter/more expensive auditing.

© Course authors (CC BY-SA 4.0) - Image: © Jan Helebrant (CC0 1.0)

Many more out there, but hopefully
you get the idea by now!

(IT / cyber security VS Information security)

© Course authors (CC BY-SA 4.0) - Image: © Jan Helebrant (CC0 1.0)

Wrapping up

While rules/regulations serve different purposes,
they warrant a response more often than not.

Especially since interpretation and enforcement may change over time.

© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Example observations

© Course authors (CC BY-SA 4.0) - Image: © Kevin Stanchfield (CC BY 2.0)

Let's take a look at some security related happenings and use what we've learned to analyze them.

© Course authors (CC BY-SA 4.0) - Image: © Kevin Stanchfield (CC BY 2.0)
  • Norwegian government intrusion
  • CISA launches CyberSentry
  • Lemmy zero-day exploitation
  • Wiper attacks in Ukraine
  • Microsoft cloud vulnerabilities
  • Real-world impact of WebAuthn
© Course authors (CC BY-SA 4.0) - Image: © Kevin Stanchfield (CC BY 2.0)

Norwegian government intrusion

  • Norway's department of security reports that 12 government ministries have suffered data breaches
  • Attackers used 0-day flaw in a Mobile Device Management solution (CVE-2023-35078)
  • Vulnerability could be used to gain unauthenticated administrative access to the MDM
  • The software vendor has previously patched several similar flaws
© Course authors (CC BY-SA 4.0) - Image: © Randy Adams (CC BY-SA 2.0)

Norwegian government intrusion

  • With great power comes great responsibility
  • Security tools aren't necessarily secure tools
  • Perhaps we should include "security track-record" in procurement process?
© Course authors (CC BY-SA 4.0) - Image: © Randy Adams (CC BY-SA 2.0)

CISA launches CyberSentry

  • US government agency "CISA" published a press release about the new "CyberSentry program"
  • Provide intrusion monitoring services and expertise to operators of critical infrastructure
  • Voluntary participation for public and private entities
© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

CISA launches CyberSentry

  • Method for circumventing political challenges
  • Carrot, not stick
  • May make even more sense in EU and Sweden
© Course authors (CC BY-SA 4.0) - Image: © Marcin Wichary (CC BY 2.0)

Lemmy zero-day exploitation

  • Catalin Cimpanu reports that several Lemmy instances have been compromised using a zero-day
  • Patched within an hour after issue was reported
  • Unknown threat actor
© Course authors (CC BY-SA 4.0) - Image: © Mike Grauer Jr (CC BY 2.0)

Lemmy zero-day exploitation

  • Monocultures are inherently vulnerable
  • Sometimes it makes sense to wait for software to become battle hardened
  • Lack of previous CVEs ain't necessarily a good security indicator
© Course authors (CC BY-SA 4.0) - Image: © Mike Grauer Jr (CC BY 2.0)

Wiper attacks in Ukraine

  • ESET Research has investigated cyberattacks against Ukraine
  • Increase of cyberattacks since before full-scale invasion
  • Mostly DDoS and wiper attacks, confirmed by Head of Cyber at SBU
  • Commonly attributed to APT group "Sandworm" (Russian military intelligence agency)
© Course authors (CC BY-SA 4.0) - Image: © Miguel Discart (CC BY-SA 2.0)

Wiper attacks in Ukraine

  • When facing APTs, incidents will happen
  • Fast cleanup/restoration seems to be key to success. Are we ready?
  • Most organizations put availability first
© Course authors (CC BY-SA 4.0) - Image: © Miguel Discart (CC BY-SA 2.0)

Microsoft cloud vulnerabilities

  • Tenable published a blog post about Microsoft's handling of vulnerability reports
  • Security flaw could be used by an unauthenticated attacker to access data of Azure customers
  • Vulnerability was only properly patched five months after the initial report
  • Controversy comes on the heels of Office 365 breach by Chinese APT
© Course authors (CC BY-SA 4.0) - Image: © Ted Eytan (CC BY-SA 2.0)

Microsoft cloud vulnerabilities

  • No one is "too big to fail"
  • Even if managed services are in use, organizations should plan/prepare to handle data breaches
  • E2EE is not just for paranoid individuals
© Course authors (CC BY-SA 4.0) - Image: © Ted Eytan (CC BY-SA 2.0)

Real-world impact of WebAuthn

Okta released a blog post where they show how
phishers are desperately trying to circumvent FIDO2 authentication:

Attention: To view your new tickets,
you must temporarily remove your
Yubikey authenticator for up to
6 hours, then proceed to: https: //....

© Course authors (CC BY-SA 4.0) - Image: © Edenpictures (CC BY 2.0)

Real-world impact of WebAuthn

  • Ain't all doom and gloom!
  • Better security doesn't necessarily mean worse UX
  • Low cost, large (demonstrable) impact
  • How do we handle account recovery?
© Course authors (CC BY-SA 4.0) - Image: © Edenpictures (CC BY 2.0)

Have you come to any other conclusions?

Hopefully this will serve as inspiration!

© Course authors (CC BY-SA 4.0) - Image: © Kevin Stanchfield (CC BY 2.0)

Source analysis

Critical parsing of intelligence

© Course authors (CC BY-SA 4.0) - Image: © Kurayba (CC BY-SA 2.0)

Most organisations rely on third-party
sources to provide threat intelligence.

Lots out there with widely different quality.

Let's look at some considerations
before relying on it, shall we?

© Course authors (CC BY-SA 4.0) - Image: © Kurayba (CC BY-SA 2.0)

Source categories

  • First-party producers
  • Free / Public aggregators
  • Paid / Private aggregators
© Course authors (CC BY-SA 4.0) - Image: © Joel Rangsmo (CC BY-SA 4.0)

Some examples, perhaps?

© Course authors (CC BY-SA 4.0) - Image: © Joel Rangsmo (CC BY-SA 4.0)

First-party producers

  • Victims
  • Security companies/vendors
  • Journalists
  • Governmental organisations
© Course authors (CC BY-SA 4.0) - Image: © Oklahoma National Guard (CC BY 2.0)

Victims

Straight from the horse's mouth!

Crisis management and/or legal requirement
(privacy laws, financial reports, court cases).

Beware of spin and lacking expertise.

© Course authors (CC BY-SA 4.0) - Image: © Dennis van Zuijlekom (CC BY-SA 2.0)

Security companies/vendors

Most intelligence is provided by
commercial cybersecurity actors.

Original research or analysis from
incident response efforts.

Often high quality.

Ask yourself what they're selling.

© Course authors (CC BY-SA 4.0) - Image: © Austin Design (CC BY-SA 2.0)

Journalists

<INSERT EVERYTHING GREAT ABOUT
PROFESSIONAL JOURNALISM HERE>

May provide the "attacker's perspective".

Severe lack of technical competency
and often sensationalist.

© Course authors (CC BY-SA 4.0) - Image: © Jan Hrdina (CC BY-SA 2.0)

Governmental organisations

Allegedly have access to high-quality and
non-publicly available information.

Spying, surveillance and reporting requirements.

Unfortunately a lot of "trust me, bro".

Shouldn't be discarded, but meditate upon
possible alternative motives.

© Course authors (CC BY-SA 4.0) - Image: © Richard James (CC BY 2.0)

Free / Public aggregators

  • Academic research
  • Think Tanks / NGOs
  • Community threat feeds
© Course authors (CC BY-SA 4.0) - Image: © Adam Lusch (CC BY-SA 2.0)

Academic research

Hopefully provides high-quality analysis.

Often lacks relevant "educated guesses".

Think Tanks / NGOs

Provides "hot-takes", "other perspectives",
"interesting correlations"...

Beware of their agenda, biases and funding.

(Often used in PSychological OPerations.)

© Course authors (CC BY-SA 4.0) - Image: © FoAM (CC BY-SA 2.0)

Community threat feeds

(Automatically) collects, normalises and
publishes IoCs from other sources.

Shared effort, inexpensive for consumers.

Highly-variable quality, significant
risk of "false-positives".

© Course authors (CC BY-SA 4.0) - Image: © Cory Doctorow (CC BY-SA 2.0)
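The collect/normalise/publish loop and the false-positive risk described on this slide, as an added example that is not part of the course material: two constructed feeds (one in the ipsum "ip<TAB>number-of-lists" format, one plain list) are merged, reserved and allowlisted address space is refused, and only indicators that enough lists vouch for are kept. The feed contents, the allowlist and the min_score threshold are assumptions made for the example.

```python
"""Merge community IoC feeds, normalise them and weed out likely false positives."""
import ipaddress
from collections import defaultdict

# Constructed sample feeds (RFC 5737 documentation addresses, not real indicators).
# FEED_A mimics ipsum's "ip<TAB>number-of-lists" format; FEED_B is one entry per line.
FEED_A = ("# ip\tlists\n198.51.100.23\t5\n203.0.113.7\t1\n"
          "192.0.2.44\t1\n10.0.0.5\t9\n203.0.113.53\t2\n")
FEED_B = "# community list\n203.0.113.7\n198.51.100.23\n192.168.1.20\nnot-an-ip\n"

# Space that must never be blocked however many feeds list it: RFC 1918,
# loopback, link-local, CGNAT, multicast and IPv6 local addresses.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "100.64.0.0/10", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7")]
ALLOWLIST = [ipaddress.ip_network("203.0.113.53/32")]  # hypothetical: our own resolver

def overlaps(net, networks):
    """True if net overlaps any same-version network in the list."""
    return any(n.version == net.version and n.overlaps(net) for n in networks)

def parse_feed(text, feed_name):
    """Yield (network, feed_name, weight); malformed lines are skipped, never blocked."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue
        weight = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 1
        yield net, feed_name, weight

def build_blocklist(feeds, min_score=2):
    """Return ({indicator: {"feeds": [...], "score": n}}, [(indicator, reason)]); the score
    sums how many lists vouch for an indicator, hits below min_score are low confidence."""
    feeds_for, score, dropped = defaultdict(set), defaultdict(int), []
    for text, name in feeds:
        for net, feed, weight in parse_feed(text, name):
            if overlaps(net, NEVER_BLOCK):
                dropped.append((str(net), "reserved address space"))
            elif overlaps(net, ALLOWLIST):
                dropped.append((str(net), "allowlisted"))
            else:
                feeds_for[net].add(feed)
                score[net] += weight
    kept = {}
    for net, lists in feeds_for.items():
        if score[net] >= min_score:
            kept[str(net)] = {"feeds": sorted(lists), "score": score[net]}
        else:
            dropped.append((str(net), "low confidence"))
    return kept, dropped
```

Keeping the dropped list with a reason per entry makes it possible to review what the pipeline refused, which is where most feed quality problems first show up.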

What about paid / private aggregators?

© Course authors (CC BY-SA 4.0) - Image: © D. Essl / ESO (CC BY 4.0)

ISACs

Information Sharing and Analysis Centers
exist to support specific private/public
sectors and interest areas.

Defense alliances, telecom, financial services...

High-quality intelligence, shared with less
fear of "tipping off" threat actors.

May have "sharing requirements".

Tricky to draw generalised conclusions
regarding quality and biases.

© Course authors (CC BY-SA 4.0) - Image: © Holger Ellgaard (CC BY-SA 4.0)

Commercial providers

Sells (original) research and aggregations
through a "subscription" model.

Adds value by normalising/categorising data.

Many produce targeted reports per request.

Often expensive, sometimes high quality.

© Course authors (CC BY-SA 4.0) - Image: © Elly Jonez (CC BY 2.0)

Wrapping up

© Course authors (CC BY-SA 4.0) - Image: © Stig Nygaard (CC BY 2.0)

Artificial intelligence

Utilising LLMs for threat intelligence

© Course authors (CC BY-SA 4.0) - Image: © Wolfgang Stief (CC0 1.0)

Artificial intelligence is all the rage,
especially Large Language Models.

Humans are expensive,
computers are cheap-ish.

Let's look at how we can utilise it
for threat intelligence purposes!

(...and not discuss philosophy/ethics)

© Course authors (CC BY-SA 4.0) - Image: © Wolfgang Stief (CC0 1.0)

Data classification
VS
Text analysis / generation.

© Course authors (CC BY-SA 4.0) - Image: © Joel Rangsmo (CC BY-SA 4.0)

Writing aid++

  • Improve communication about threats
  • Shorten or summarise our writing
  • Make it sound more formal/boring
  • Provide the occasional inspiration
  • Iterate based on feedback from personas
© Course authors (CC BY-SA 4.0) - Image: © Shannon Kringen (CC BY 2.0)

Thanks to Retrieval-Augmented Generation,
we can feed an LLM with fresh information like:

  • News / Threat intelligence feeds
  • Non-public data, like reports
  • Legalese
© Course authors (CC BY-SA 4.0) - Image: © Stig Nygaard (CC BY 2.0)

Categorise, normalise and extract
information from unstructured data.

"Cyber Espresso" is a neat example.

© Course authors (CC BY-SA 4.0) - Image: © Joel Rangsmo (CC BY-SA 4.0)

...and yes, it ain't perfect.

© Course authors (CC BY-SA 4.0) - Image: © Leah Oswald (CC BY-SA 2.0)

"Hallucinations".

© Course authors (CC BY-SA 4.0) - Image: © Indrora (CC BY 2.0)

Information leakage risks.

© Course authors (CC BY-SA 4.0) - Image: © Nicholas A. Tonelli (CC BY 2.0)

Garbage in, garbage out*.

© Course authors (CC BY-SA 4.0) - Image: © Cory Doctorow (CC BY-SA 2.0)

Let us summarise!

© Course authors (CC BY-SA 4.0) - Image: © Wolfgang Stief (CC0 1.0)

Welcome participants and wait for everyone to get settled. Introduction of the lecturers and their background. Segue: In this course we'll talk about threat intelligence...

Segue: Let's try to break this down...

- We'll cover lots of things in a short amount of time
- In order to be able to do this we'll use scientifically proven methods to Make It Stick
- Basically what the slide says
- Don't forget to have fun!
- If available, show detailed course schedule

- There are several resources to help you learn
- Speaker notes in slides are heavily recommended for recaps/deep diving
- May also be available through LMS, depending on how the course is consumed
- The course is designed to be instructor-led, won't make the most of it on your own, see as aid
- Presentations may be recorded, but only the speaker side for good and bad

The course wouldn't be available if it wasn't for financial support - Thanks!

- Encourage participants to make the course better
- Learners are likely the best to provide critique, lecturers are likely a bit home-blind
- No cats or dogs allowed!
- Feel free to share it with friends or use it yourself later in your career

https://www.splunk.com/en_us/blog/learn/ttp-tactics-techniques-procedures.html https://www.proofpoint.com/us/threat-reference/tactics-techniques-procedures-ttps

https://www.youtube.com/watch?v=Op4gX7NwKj0

https://www.bleepingcomputer.com/news/security/fired-admin-cripples-former-employers-network-using-old-credentials/

https://attack.mitre.org/groups/G1017/ (Volt Typhoon is a decent example)

https://www.misp-project.org/communities/

https://en.wikipedia.org/wiki/Persona_(user_experience)

https://en.wikipedia.org/wiki/Operational_technology

Examples:
- https://krebsonsecurity.com/2024/11/an-interview-with-the-target-home-depot-hacker/
- https://goodreads.com/book/show/18509663-spam-nation

Example: https://en.wikipedia.org/wiki/Concerns_over_Chinese_involvement_in_5G_wireless_networks

Example: https://github.com/stamparm/ipsum

Examples:
- https://en.wikipedia.org/wiki/Information_Sharing_and_Analysis_Center
- https://www.fsisac.com/

Example of commercial vendor: https://www.recordedfuture.com/