Cyber Security Threat Intelligence Researcher Preview

Udemy course: Cyber Security Threat Intelligence Researcher by CyberTraining 365, approx. 1.5 hours long

What you will learn:

  • a high level overview of the 7 threat intelligence phases

  • Hunting - The goal of hunting is to establish techniques to collect samples from different sources that help to start profiling malicious threat actors.

  • Features Extraction - The goal of Features Extraction is to identify unique static features in the binaries that help to classify them into a specific malicious group.

  • Behavior Extraction - The goal of Behavior Extraction is to identify unique dynamic features in the binaries that help to classify them into a specific malicious group.

  • Clustering and Correlation - The goal of Clustering and Correlation is to classify malware based on the features and behavior extracted and correlate the information to understand the attack flow.

  • Threat Actor Attribution - The goal of Threat Actor Attribution is to locate the threat actors behind the malicious clusters identified.

  • Tracking - The goal of Tracking is to anticipate new attacks and identify new variants proactively.

  • Taking Down - The goal of Taking Down is to dismantle organized crime operations.

Notes

Goals of Threat Intelligence Research

  • Identify the goals of the malware

  • Build the full picture of the attack

1. Hunting

  • Virustotal.com - hunting service, YARA-rules based

  • Underground hacking forums

  • DeepWeb

  • Incident response engagements - analyse malware and get to root cause

  • Honeypots - gather malware samples from the attacks that hit exposed ports and services

  • OSINT

2. Features Extraction (Static)

  • Identify static features to classify them into specific malicious group

  • Timestamp when the binary was compiled (PE header TimeDateStamp; easily forged, so corroborate it with other features)

  • Digital certificates used to sign the malware

  • Exif metadata - MIME type, language

  • Imphash - hash of the import table (imported DLL and function names, in import order)

  • ssdeep - fuzzy hash (context-triggered piecewise hashing); files that share long runs of identical bytes in the same order get a high match score

  • Strings - mutex names, C2 IP addresses, PDB path, custom messages
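The static features above, extracted in code. This is an added example and not material from the course: the PE header, the string blob and the import list are constructed inline (the import table would normally be parsed out of the binary, e.g. with pefile, which is skipped here), and the IOC regexes are heuristics of my own.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# --- constructed sample, not a real executable ------------------------------
# A minimal MZ/PE header (e_lfanew at 0x3C, "PE\0\0" at 0x40, COFF header with
# TimeDateStamp) followed by a blob of strings of the kinds listed above.
COMPILE_TS = 1425988800  # 2015-03-10T12:00:00Z


def build_sample_pe(timestamp, payload=b""):
    blob = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    blob += struct.pack("<I", 0x40)                     # e_lfanew: offset of the PE signature
    blob += b"PE\x00\x00"
    blob += struct.pack("<HHI", 0x014C, 3, timestamp)   # Machine, NumberOfSections, TimeDateStamp
    return bytes(blob) + payload


SAMPLE_STRINGS = (
    b"\x00\x00kernel32.dll\x00CreateMutexA\x00Global\\MsUpd4te_x\x00"
    b"http://203.0.113.7/gate.php\x00"
    b"C:\\Users\\dev\\Desktop\\loader\\Release\\loader.pdb\x00ab\x00"
)
SAMPLE_PE = build_sample_pe(COMPILE_TS, SAMPLE_STRINGS)

# Import table as (dll, function) pairs in import order; constructed, not parsed.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateMutexA"),
    ("KERNEL32.dll", "Sleep"),
    ("WS2_32.dll", "connect"),
    ("ADVAPI32.dll", "RegSetValueExA"),
]


def pe_timestamp(data):
    """Return the COFF header TimeDateStamp as an ISO-8601 UTC string."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]   # after Machine + NumberOfSections
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def imphash_string(imports):
    """Canonical imphash input: 'dll.func' pairs, lowercased, in import-table order,
    library extension (.dll/.ocx/.sys) removed, joined by commas. Ordinal-only
    imports (pefile resolves them via lookup tables) are not handled here."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes (what the strings tool prints)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Heuristic patterns for the string types the notes call out (my own, not the course's).
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "pdb_path": re.compile(r"[A-Za-z]:\\[^\x00]*?\.pdb", re.IGNORECASE),
    "mutex": re.compile(r"Global\\[A-Za-z0-9_-]+"),   # 'Global\' prefix is a hint, not proof
}


def classify_strings(strings):
    found = {kind: [] for kind in IOC_PATTERNS}
    for s in strings:
        for kind, pat in IOC_PATTERNS.items():
            found[kind].extend(pat.findall(s))
    return found


def static_profile(data, imports):
    return {
        "compile_time": pe_timestamp(data),
        "imphash": imphash(imports),
        "iocs": classify_strings(extract_strings(data)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(static_profile(SAMPLE_PE, SAMPLE_IMPORTS), indent=2))
```

Two things worth noticing when you run it: the imphash is order-sensitive (reversing the import list changes it) but case-insensitive, which is why it survives recompilation of the same source but not a different linker layout; and the compile timestamp is just a 32-bit field that the actor can set to anything, so treat it as one clustering feature among several rather than as ground truth.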

3. Behavior Extraction (Dynamic)

  • Identify dynamic features to classify them into specific malicious group

  • Run sample in sandbox or dump sample from memory

  • Capture malicious events - downloading and executing a file from the internet, keystroke interception, anti-VM and anti-debugging checks, delay techniques (e.g. sleep calls, junk loops), persistence (e.g. registry run keys, scheduled tasks)

  • Known techniques are used to cluster malware

  • Malicious events - desktop locked (ransomlock), multiple files overwritten (file infector), hashes dumped from memory (hacktool)

  • Passive DNS - historical records of which DNS names resolved to which IPs and vice versa; map the domain names the sample contacts

4. Clustering and Correlation

  • Based on features and behavior

  • Clustering nodes based on features - timestamp, imphash, ssdeep, digital certs

  • Behavior is part of group properties

  • Correlation - Graph DB, NoSQL database
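A worked version of the clustering step: samples become nodes, shared static features (imphash, signing certificate, ssdeep similarity) become edges, and the connected components are the clusters, with behaviour rolled up as a property of each group. This is an added example, not code from the course; the sample records and ssdeep match scores are constructed, and the union-find stands in for the graph database the notes mention.

```python
from collections import defaultdict

# Constructed sample records: ids, imphashes and signer are placeholders, not real malware.
SAMPLES = [
    {"id": "s1", "imphash": "imp-A", "signer": None,   "behaviors": {"keylogging", "persistence:registry"}},
    {"id": "s2", "imphash": "imp-A", "signer": None,   "behaviors": {"keylogging", "anti-vm"}},
    {"id": "s3", "imphash": "imp-B", "signer": "Acme", "behaviors": {"download-exec"}},
    {"id": "s4", "imphash": "imp-C", "signer": "Acme", "behaviors": {"download-exec", "persistence:schtask"}},
    {"id": "s5", "imphash": "imp-D", "signer": None,   "behaviors": {"download-exec"}},
    {"id": "s6", "imphash": "imp-E", "signer": None,   "behaviors": {"desktop-lock"}},
]
# Pairwise ssdeep match scores (0-100) of the kind `ssdeep -d` reports; constructed.
SSDEEP_SCORES = [("s3", "s5", 88), ("s1", "s6", 12)]


class UnionFind:
    """Disjoint-set forest: cheap connected components over the feature graph."""
    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_edges(samples, ssdeep_scores, features=("imphash", "signer"), ssdeep_threshold=60):
    """One edge per shared exact-match feature value, plus ssdeep edges above the threshold.
    Each edge carries its reason so an analyst can see why two samples were linked."""
    edges = []
    for feat in features:
        by_value = defaultdict(list)
        for s in samples:
            if s.get(feat):                      # None/empty (unsigned, unknown) never links samples
                by_value[s[feat]].append(s["id"])
        for value, ids in by_value.items():
            for i in range(len(ids) - 1):        # chaining consecutive ids is enough for connectivity
                edges.append((ids[i], ids[i + 1], f"{feat}={value}"))
    for a, b, score in ssdeep_scores:
        if score >= ssdeep_threshold:
            edges.append((a, b, f"ssdeep~{score}"))
    return edges


def cluster(samples, edges):
    uf = UnionFind([s["id"] for s in samples])
    for a, b, _ in edges:
        uf.union(a, b)
    groups = defaultdict(list)
    for s in samples:
        groups[uf.find(s["id"])].append(s["id"])
    return sorted(sorted(g) for g in groups.values())


def summarize(samples, clusters):
    """Behaviour becomes a group property: the union of the members' dynamic features."""
    by_id = {s["id"]: s for s in samples}
    return [
        {"members": c, "behaviors": sorted(set().union(*(by_id[i]["behaviors"] for i in c)))}
        for c in clusters
    ]


if __name__ == "__main__":
    edges = build_edges(SAMPLES, SSDEEP_SCORES)
    for a, b, why in edges:
        print(f"{a} -- {b}  ({why})")
    for group in summarize(SAMPLES, cluster(SAMPLES, edges)):
        print(group)
```

The caveat in practice is feature quality, not the graph algorithm: a very common imphash (a packer stub, a Delphi or .NET runtime) or a widely abused stolen certificate will pull unrelated families into one component, so weight or drop values that appear in too many samples before linking on them.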

5. Threat Actor Attribution

  • Locate actor

  • Who is the sponsor

  • Sector/industry of target

  • C2 Infrastructure

  • TTPs - initial compromise, privilege escalation, persistence (launch tasks, services), lateral movement, exfiltration strategy

6. Tracking

  • Anticipate new attacks and identify new variants proactively

  • Passive DNS - spot when the actor switches to a new domain or points a known domain at a new IP address

  • Internet-wide port scans - find new C2 servers

  • Lookups - YARA and Snort rule scans, imphash/ssdeep lookups

  • OSINT - emails, new domains created

  • Gang infiltration into hacking forums - normally law enforcement undercover agents
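The passive-DNS pivot from the tracking list, as an added example rather than anything from the course: starting from known C2 domains and IPs, find domains newly pointed at a known IP and IPs a known domain newly moved to, then repeat until nothing new turns up. It goes one step further than the notes by guarding against shared hosting, the usual way this pivot explodes: an IP that hosts more than a handful of domains is recorded but not expanded through. The records, seeds and cut-off date are constructed and use reserved example ranges.

```python
from datetime import date

# Constructed passive-DNS records (domain, ip, first_seen, last_seen); not from a real feed.
PDNS = [
    ("update-svc.example",  "203.0.113.10", "2023-01-05", "2023-02-20"),
    ("update-svc.example",  "198.51.100.4", "2023-02-21", "2023-03-30"),  # known domain moved to a new IP
    ("cdn-metrics.example", "203.0.113.10", "2023-02-25", "2023-03-30"),  # new domain on a known C2 IP
    ("cdn-metrics.example", "192.0.2.50",   "2023-03-01", "2023-03-30"),  # ...which also sits on shared hosting
    ("blog.example",        "192.0.2.50",   "2021-01-01", "2023-03-30"),
    ("shop.example",        "192.0.2.50",   "2021-01-01", "2023-03-30"),
    ("mail.example",        "192.0.2.50",   "2021-01-01", "2023-03-30"),
    ("www.example.org",     "192.0.2.1",    "2020-01-01", "2023-03-30"),  # unrelated
]
SEED_DOMAINS = {"update-svc.example"}
SEED_IPS = {"203.0.113.10"}


def index_records(records):
    """Two indexes over the same records so both pivot directions are cheap."""
    by_domain, by_ip = {}, {}
    for domain, ip, first_seen, last_seen in records:
        rec = (domain, ip, date.fromisoformat(first_seen), date.fromisoformat(last_seen))
        by_domain.setdefault(domain, []).append(rec)
        by_ip.setdefault(ip, []).append(rec)
    return by_domain, by_ip


def track_infrastructure(records, seed_domains, seed_ips, since, max_domains_per_ip=3):
    """Expand the known C2 set through pDNS until a fixed point.

    Only resolutions first seen on/after `since` count as new movement. An IP that
    hosts more than max_domains_per_ip domains is treated as shared hosting: it is
    reported separately and not pivoted through, so one CDN or parking IP cannot
    drag hundreds of unrelated domains into the cluster."""
    by_domain, by_ip = index_records(records)
    cutoff = date.fromisoformat(since)
    domains, ips, shared = set(seed_domains), set(seed_ips), set()
    frontier_d, frontier_i = set(domains), set(ips)
    while frontier_d or frontier_i:
        new_d, new_i = set(), set()
        # direction 1: a known domain now resolves to an IP we have not seen
        for d in frontier_d:
            for _, ip, first, _ in by_domain.get(d, []):
                if first >= cutoff and ip not in ips and ip not in shared:
                    if len({r[0] for r in by_ip[ip]}) > max_domains_per_ip:
                        shared.add(ip)
                    else:
                        new_i.add(ip)
        # direction 2: a new domain has been pointed at an IP we already track
        for ip in frontier_i:
            for d, _, first, _ in by_ip.get(ip, []):
                if first >= cutoff and d not in domains:
                    new_d.add(d)
        domains |= new_d
        ips |= new_i
        frontier_d, frontier_i = new_d, new_i
    return {"domains": domains, "ips": ips, "shared_ips": shared}


if __name__ == "__main__":
    result = track_infrastructure(PDNS, SEED_DOMAINS, SEED_IPS, since="2023-02-01")
    for key in ("domains", "ips", "shared_ips"):
        print(f"{key}: {sorted(result[key])}")
```

Feed the output back into the tracking loop: the new domains become YARA/Snort and sinkhole candidates, and the new IPs are what the internet-wide port scan should be compared against. Anything in `shared_ips` needs a human look before it is added to a blocklist.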

7. Taking Down

  • Dismantle organised crime operations

  • Sinkhole - take over the C2 infrastructure so infections stop reaching the actor, and from that man-in-the-middle position track victims and new changes closely

  • Hacking forum take down

  • Country-wide collaboration - work with authorities and providers in the country to take down the hosting ISP

This course covers the objectives and techniques of the threat intelligence phases. Because of the short duration the techniques are covered quite broadly, and one needs to delve deeper into each process to actually perform the phases.
