Investigate Potential Threats

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how to use intelligence requirements and tactics, techniques, and procedures (TTPs) to investigate adversaries.
  • Explain how to research emerging threats to look for weaknesses before threat actors have the opportunity to attack.

Investigate Adversaries Using Intelligence Requirements and Tactics, Techniques, and Procedures (TTPs)

Mahmoud is a threat intelligence analyst at an information technology and services company, Cyber Innovation Technologies (CIT). His primary role is to investigate adversary behaviors to inform the work of each of the security teams in his organization as they search out new threats, prioritize risks for remediation, and respond to intrusions. Mahmoud starts his investigation by first understanding the intelligence requirements: what each team needs to know, and why.

Analyzing Stakeholder Needs

First, he makes sure he understands who his stakeholders are, what they need, and how those needs should be prioritized. For example, Mahmoud may need to develop intelligence for his colleague, Akshay, on the threat hunting team, who needs to better understand adversary behaviors to search out new threats. Or he may need to focus on helping his coworker Lorena on the vulnerability management team better understand which vulnerabilities matter most for prioritization based on adversary behaviors. 

A threat intelligence analyst gathers intelligence requirements from his colleagues on the threat hunting and vulnerability management teams.  

Using TTPs

Once Mahmoud understands the intelligence requirements of the different security teams at CIT, he next uses TTPs to stay abreast of emerging threats to his IT environment and to identify relationships between different threat activities. TTPs describe how an adversary operates (the techniques and tools they use and the order they use them in), which changes far less often than individual indicators such as file hashes or IP addresses, so they are a more durable basis for linking activity. He starts by looking at historical data and recent attack information, and tries to find the unique or interesting data points that are worth investigating further.

Performing Technical and Human Analysis

Mahmoud performs technical analysis by detonating samples in malware sandboxes to observe how a particular threat behaves and which indicators (domains, IP addresses, file paths, registry keys) it leaves behind. He then performs human analysis by investigating the environment at CIT to assess the organization's exposure to the malware: he reviews the mitigating controls in place, and reviews the logs of those controls for activity that may indicate a compromise related to this particular strain of malware.

Mahmoud also considers CIT’s exposure in relation to the external landscape. For example, is a particular threat actor with a history of targeting his organization known to use this type of malware? This helps him better understand the possible threat actor that may weaponize this particular attack, what they would hope to achieve by doing so, and how successful they may be. 

Through all of this, Mahmoud’s investigation of TTPs provides knowledge about the adversary that is core to all security teams. The intelligence Mahmoud produces by investigating TTPs helps the other security teams at CIT understand adversary behaviors and methods, prioritize risks and intrusions, and respond quickly. 
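The workflow described in this section, combining the sandbox output (technical analysis) with CIT's own controls and logs (human analysis) and checking the sample's TTPs against known actor profiles, can be sketched in code. The example below is added here and is not part of the original unit; the sample hash, indicators, actor names ("ACTOR-A", "ACTOR-B"), control names and log lines are all constructed for illustration, and the behavior labels are plain strings rather than a formal framework's identifiers.

```python
"""Added example (not from the original page): match sandbox-derived
indicators and behaviours against an organisation's own telemetry, list the
behaviours no control covers, and rank tracked actors by TTP overlap.
All names, hashes, indicators and log lines below are constructed."""
from __future__ import annotations

# Constructed sandbox report for a hypothetical malware sample.
SANDBOX_REPORT = {
    "sha256": "a" * 64,  # placeholder, not a real file hash
    "ttps": {
        "spearphishing attachment",
        "powershell execution",
        "scheduled task persistence",
        "http c2 beacon",
    },
    "indicators": {
        "domain": {"update-cdn.example"},
        "ip": {"203.0.113.45"},  # documentation range (TEST-NET-3)
        "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    },
}

# Constructed actor profiles: the behaviours each tracked group is known for.
ACTOR_PROFILES = {
    "ACTOR-A": {"spearphishing attachment", "powershell execution",
                "scheduled task persistence", "http c2 beacon",
                "credential dumping"},
    "ACTOR-B": {"drive-by compromise", "web shell", "rdp lateral movement"},
}

# Constructed list of CIT's mitigating controls and the behaviours each covers.
CONTROLS = {
    "mail attachment detonation": {"spearphishing attachment"},
    "powershell constrained language mode": {"powershell execution"},
}

# Constructed log lines from the controls' own telemetry (proxy, EDR, firewall).
LOG_LINES = [
    "2024-05-03T09:12:01Z proxy user=akshay dst=update-cdn.example action=ALLOW",
    "2024-05-03T09:12:03Z edr host=WS-0142 event=process image=powershell.exe args=-enc SQBFAFgA",
    "2024-05-03T09:12:09Z proxy user=lorena dst=mail.example.net action=ALLOW",
    r"2024-05-03T09:13:30Z edr host=WS-0142 event=registry key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    "2024-05-03T09:14:02Z fw src=10.20.30.40 dst=203.0.113.45 dport=443 action=ALLOW",
]


def match_indicators(report, log_lines):
    """Return (indicator_type, value, line) for every log line that contains a
    sandbox-derived indicator. Matching is case-insensitive so hostnames and
    registry paths match however the control happened to log them."""
    hits = []
    for line in log_lines:
        lowered = line.lower()
        for kind, values in report["indicators"].items():
            for value in values:
                if value.lower() in lowered:
                    hits.append((kind, value, line))
    return hits


def uncovered_ttps(report, controls):
    """Behaviours the sample exhibits that no existing control mitigates:
    the gaps the vulnerability management team should prioritise."""
    covered = set().union(*controls.values()) if controls else set()
    return report["ttps"] - covered


def rank_actors(report, profiles):
    """Rank tracked actors by Jaccard similarity between the sample's TTPs
    and each actor's known TTPs (1.0 = identical sets, 0.0 = no overlap)."""
    sample = report["ttps"]
    scored = []
    for actor, ttps in profiles.items():
        union = sample | ttps
        score = len(sample & ttps) / len(union) if union else 0.0
        scored.append((actor, round(score, 2)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def assess_exposure(report=SANDBOX_REPORT, log_lines=LOG_LINES,
                    controls=CONTROLS, profiles=ACTOR_PROFILES):
    """Combine the technical (sandbox) and human (environment) analysis into
    one summary the threat hunting and vulnerability management teams can act on."""
    hits = match_indicators(report, log_lines)
    hosts = {
        token.split("=", 1)[1]
        for _, _, line in hits
        for token in line.split()
        if token.startswith("host=")
    }
    return {
        "indicator_hits": hits,
        "possibly_compromised_hosts": sorted(hosts),
        "uncovered_ttps": uncovered_ttps(report, controls),
        "likely_actors": rank_actors(report, profiles),
    }


if __name__ == "__main__":
    for key, value in assess_exposure().items():
        print(f"{key}: {value}")
```

Run stand-alone, the script reports three indicator hits (the domain, the registry key and the IP address), flags WS-0142 as a host to hand to the threat hunting team, lists the two behaviours no current control covers for the vulnerability management team, and scores ACTOR-A well above ACTOR-B on TTP overlap. In practice the TTP labels would be mapped to a shared taxonomy so that profiles from different sources compare cleanly.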

Research Emerging Threats

CIT uses software that facilitates employee discussions about customer issues, potential new partners, and relevant news items. Lorena on the vulnerability management team recently installed a patch on the software to protect against a vulnerability disclosed a few months ago. However, attackers have found a different, previously unknown bug (a “zero-day” or “0-day” vulnerability, so called because the vendor has had zero days to fix it) in the system that allows them to run malicious code and take over discussions without needing to authenticate to the site. This is an example of an emerging threat: one that has not been previously disclosed via the responsible disclosure process, so no patch or public advisory exists yet.

In the responsible disclosure process, a security researcher who discovers a vulnerability privately reports the details (often with a working proof of concept) to the affected software vendor to allow them to rectify the issue within an agreed time frame, commonly 90 days. The finder usually receives public credit, or a bounty payment, when the fix and advisory are released on the vendor’s website.

A zero-day vulnerability is the opposite case: the vendor learns of it only when it is already being exploited in the wild, with no fix available. The vendor then has to scramble to create a patch and, in the meantime, provide mitigation guidance (such as configuration changes or workarounds) so customers can reduce their exposure.

In this scenario, as a threat intelligence analyst researching emerging threats, Mahmoud would look for weaknesses and exploitable vulnerabilities and propose protective measures that can be delivered before the threat is realized. This research is important because emerging threats often have no previously reported indicators of compromise for analysts to search for, so teams must rely on behavioral analytics rather than known-bad signatures to identify, investigate, respond, and adapt.

While this type of research can be provided by a third-party threat intelligence vendor, at CIT, Mahmoud performs this function as part of the in-house threat intelligence team. To identify these types of threats, he sets up an attack simulation that runs realistic cyberattacks on CIT to identify vulnerable users, devices, systems, and data before the real attack affects the business. 

In doing so he collaborates with other teams, such as the penetration testing team and red team, to run simulation scenarios. This simulation allows an organization to determine whether or not it is ready for a real external attack. It also enables the organization’s CTO or information security (infosec) director to see existing weaknesses within the environment and to evaluate compensating controls that would counter a real-life attack.

Knowledge Check

Ready to review what you’ve learned? The knowledge check isn’t scored; it’s just an easy way to quiz yourself by matching each function to the category it belongs to.

Great work! Let's move on to the next unit where you learn more about how threat intelligence analysts identify malicious activity using the cyber kill chain.