Talk C-1: Backing your Threat Hunting activities with contextualised Threat Intelligence

Tuesday 27.02.2024 | 13:30 - 14:00
Presentation
Auditorio: Sala Multiusos
Av. la Constitución 1, 38003 Santa Cruz de Tenerife Canarias, Spain

Accessible: Yes

CERT-EU supports its constituents, the EU institutions, bodies and agencies, in fulfilling many of their cybersecurity needs.

In 2023, we decided to review our threat hunting service from the ground up to increase our chances of catching the types of advanced threat actors that target our constituents.

Thanks to our long-standing experience in fighting APTs and our knowledge of the threat landscape, we are able to provide a threat hunting service tailored to our constituents.

In this presentation we present our approach to threat hunting and how we leverage contextualised threat intelligence to define the scope of a hunt and to focus data collection and analysis.

### General concepts on threat hunting and contextualised threat intelligence

In this part, we will briefly go over the objectives and benefits of a threat hunting activity and explain what we mean by contextualised threat intelligence.

Why is threat hunting important?

* Identify undetected threats and reduce dwell time of adversaries by proactively searching for malicious activities within an organisation
* Identify gaps in the security posture of an organisation
* Improve the detection capabilities of an organisation by creating new detection rules and improving existing ones

Regarding contextualised threat intelligence, we will explain why it is necessary to store your threat intelligence in a structured and contextualised way. By that we mean using a platform which observes the following principles:

* Technical information (rules, observables, etc.) must be linked to descriptive threat objects such as malware families, threat actors, targets, incidents, victims, TTPs, …
* Ability to query and filter your dataset starting from any of these objects
* Ability to tag any element in order to map your data against your threat landscape.

### Leveraging contextualised threat intelligence to define your scope

Once you have the data and the context for it, the next step is to know your enemy:

* Which threat actors are potentially targeting your organisation?
* Which threat actors previously targeted your organisation?
* What are their tactics, techniques and procedures?
* Are they using some specific malware or tools?
* Which part of your technology stack are they targeting?

Being able to answer these questions lets you prioritise your threat hunting activities on the threats that actually matter to your organisation.
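The two ideas above (a store where every technical indicator hangs off a descriptive threat object and can be queried from any starting point, and a hunt scope derived from "know your enemy" questions) can be shown in a few dozen lines. The following is an added example written for this page; it is not CERT-EU code and not a real threat intelligence platform. All actor names, hashes, domains and the rule name are constructed; the ATT&CK technique IDs are used only as labels; the `targeted-us` tag, the scoring weights (3 for a prior incident, 2 for a sector match, 1 per technology overlap) and the function names are assumptions for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ThreatObject:
    """Descriptive object: actor, malware, tool, ttp, sector or technology."""
    kind: str
    name: str
    tags: set = field(default_factory=set)


class TIStore:
    """Toy contextualised TI store: descriptive objects, links between them,
    and technical indicators that are always attached to some object."""

    def __init__(self):
        self.objects = {}               # name -> ThreatObject
        self.links = defaultdict(set)   # name -> names of linked objects
        self.indicators = {}            # value -> (type, linked object names)

    def add(self, kind, name, *tags):
        obj = self.objects.setdefault(name, ThreatObject(kind, name))
        obj.tags.update(tags)           # principle 3: anything can be tagged
        return obj

    def link(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)

    def add_indicator(self, itype, value, *linked):
        # Principle 1: a hash, domain or rule is never stored without context.
        if not linked:
            raise ValueError(f"indicator {value!r} must be linked to a threat object")
        self.indicators[value] = (itype, set(linked))

    def related(self, name, kind=None):
        """Principle 2: pivot from any object to its neighbours, optionally by kind."""
        return sorted(n for n in self.links[name]
                      if kind is None or self.objects[n].kind == kind)

    def indicators_for(self, names):
        """Technical indicators linked to any of the given objects, grouped by type."""
        wanted, out = set(names), defaultdict(set)
        for value, (itype, linked) in self.indicators.items():
            if linked & wanted:
                out[itype].add(value)
        return {k: sorted(v) for k, v in out.items()}


def hunt_scope(store, sector, tech_stack):
    """Answer the 'know your enemy' questions for one organisation: rank actors
    by relevance and return their TTPs, tooling and linked indicators."""
    ranked = []
    for obj in store.objects.values():
        if obj.kind != "actor":
            continue
        score, reasons = 0, []
        if "targeted-us" in obj.tags:                        # previously hit us
            score += 3
            reasons.append("prior incident")
        if sector in store.related(obj.name, "sector"):      # targets our sector
            score += 2
            reasons.append(f"targets sector {sector}")
        overlap = set(store.related(obj.name, "technology")) & set(tech_stack)
        score += len(overlap)                                # one point per technology
        reasons.extend(f"targets {t}" for t in sorted(overlap))
        if score:
            ranked.append((score, obj.name, reasons))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    scope = []
    for score, actor, reasons in ranked:
        tooling = store.related(actor, "malware") + store.related(actor, "tool")
        scope.append({"actor": actor, "score": score, "reasons": reasons,
                      "ttps": store.related(actor, "ttp"), "tools": tooling,
                      "indicators": store.indicators_for([actor] + tooling)})
    return scope


def build_sample_store():
    """Constructed sample data: fictitious actors, hashes, domains and rule name."""
    s = TIStore()
    for kind, names in {"sector": ["eu-institution", "energy"],
                        "technology": ["exchange", "vpn-appliance", "linux-web"],
                        "ttp": ["T1190", "T1505.003", "T1078"],
                        "malware": ["WEBSHELL-A"], "tool": ["tunneler-X"],
                        "actor": ["ACTOR-ALPHA", "ACTOR-BETA", "ACTOR-GAMMA"]}.items():
        for n in names:
            s.add(kind, n)
    s.add("actor", "ACTOR-ALPHA", "targeted-us")   # tag from our own incident records
    for a, b in [("ACTOR-ALPHA", "eu-institution"), ("ACTOR-ALPHA", "exchange"),
                 ("ACTOR-ALPHA", "T1190"), ("ACTOR-ALPHA", "T1505.003"),
                 ("ACTOR-ALPHA", "WEBSHELL-A"), ("ACTOR-BETA", "eu-institution"),
                 ("ACTOR-BETA", "vpn-appliance"), ("ACTOR-BETA", "T1078"),
                 ("ACTOR-BETA", "tunneler-X"), ("ACTOR-GAMMA", "energy"),
                 ("ACTOR-GAMMA", "linux-web"), ("ACTOR-GAMMA", "T1190")]:
        s.link(a, b)
    s.add_indicator("sha256", "a" * 64, "WEBSHELL-A")
    s.add_indicator("sigma", "exchange_webshell_child_process", "T1505.003", "ACTOR-ALPHA")
    s.add_indicator("domain", "update-check.example", "tunneler-X")
    return s


if __name__ == "__main__":
    for entry in hunt_scope(build_sample_store(), "eu-institution", {"exchange", "linux-web"}):
        print(entry["score"], entry["actor"], entry["reasons"], entry["ttps"], entry["indicators"])
```

Run as-is, the scope for an organisation in the `eu-institution` sector running Exchange and Linux web servers ranks ACTOR-ALPHA first (prior incident, sector and technology all match) and carries its TTPs, the web shell hash and the Sigma rule into the hunt, while ACTOR-GAMMA, which only overlaps on technology, comes last with no indicators. The same store also answers the reverse question (`store.related("T1190", "actor")`), which is what "query from different initial points" means in practice.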

### Data collection strategy

In this part, we will focus on the data collection strategy. We will explain how the scope defined earlier drives what we collect, and how we move from collection to analysis.

Moreover, we will present the tools we use to collect data depending on the data location:

* Windows artefacts,
* Linux and macOS artefacts,
* Network data,
* Cloud artefacts,
* Custom systems.

Finally, we will present some key aspects of data ingestion.

### Focused data enrichment and analysis

In this part, we will explain how the preparation work supports the analysis phase: quickly triaging the large amount of collected data and focusing on the most relevant malicious activity. We will also cover the main challenges analysts face during this phase.

We will introduce some automation strategies to help analysts during this phase:

* Tailored data enrichment:
  * Enrichment using open or closed sources (VirusTotal, MISP, etc.),
  * Enrichment using data generated by the organisation itself.
* Leveraging technical information from our threat intelligence database:
  * Detection rules (Sigma/YARA/Suricata),
  * Malicious hashes,
  * IPs,
  * Domains,
  * Custom IOCs.
* Statistical detection of suspicious artefacts.
* Automatic tagging of suspicious machines based on collected data.
* Reporting.
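To make the automation list concrete, here is an added example (not CERT-EU's tooling) that runs the last four items over a small batch of collected artefacts: it matches hashes and DNS names against indicators exported from the threat intelligence database, stacks persistence entries across hosts to surface rare ones while suppressing hashes the organisation itself vouches for (its golden image), tags each host with what was found, and ranks hosts for the report. The artefacts, DNS log, indicator values and known-good hashes are all constructed; the prevalence threshold and the tag weights are assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed sample: persistence entries (autoruns/services) collected per host.
ARTEFACTS = [
    {"host": "ws01", "path": r"C:\Windows\System32\svchost.exe", "sha256": "1111"},
    {"host": "ws01", "path": r"C:\Program Files\Corp\agent.exe", "sha256": "2222"},
    {"host": "ws01", "path": r"C:\Users\Public\update.exe", "sha256": "dead"},
    {"host": "ws02", "path": r"C:\Windows\System32\svchost.exe", "sha256": "1111"},
    {"host": "ws02", "path": r"C:\Program Files\Corp\agent.exe", "sha256": "2222"},
    {"host": "ws03", "path": r"C:\Windows\System32\svchost.exe", "sha256": "1111"},
    {"host": "ws03", "path": r"C:\Program Files\Corp\agent.exe", "sha256": "2222"},
    {"host": "ws03", "path": r"C:\Temp\helper.exe", "sha256": "3333"},
    {"host": "ws04", "path": r"C:\Windows\System32\svchost.exe", "sha256": "1111"},
    {"host": "ws04", "path": r"C:\Program Files\Corp\agent.exe", "sha256": "2222"},
]
# Constructed sample: DNS resolutions collected per host.
DNS = [("ws01", "update-check.example"), ("ws02", "portal.example.org"),
       ("ws03", "intranet.corp.local"), ("ws04", "intranet.corp.local")]
# Indicators exported from the contextualised TI database for the actors in scope
# (constructed values; the string says which threat object each one belongs to).
IOCS = {"sha256": {"dead": "WEBSHELL-A"},
        "domain": {"update-check.example": "tunneler-X"}}
# Enrichment with data generated by the organisation itself: golden-image hashes.
ORG_KNOWN_GOOD = {"1111", "2222"}


def ioc_hits(artefacts, dns, iocs):
    """host -> [(tag, matched value, threat object)] for every indicator match."""
    hits = defaultdict(list)
    for a in artefacts:
        ctx = iocs["sha256"].get(a["sha256"])
        if ctx:
            hits[a["host"]].append(("ioc:sha256", a["sha256"], ctx))
    for host, name in dns:
        ctx = iocs["domain"].get(name)
        if ctx:
            hits[host].append(("ioc:domain", name, ctx))
    return hits


def rare_artefacts(artefacts, known_good, max_prevalence=0.25):
    """Stacking: count on how many distinct hosts each (path, hash) pair appears
    and return host -> [(path, hash, host count)] for pairs at or below
    max_prevalence that the organisation has not declared known-good."""
    hosts = {a["host"] for a in artefacts}
    seen = defaultdict(set)
    for a in artefacts:
        seen[(a["path"], a["sha256"])].add(a["host"])
    rare = defaultdict(list)
    for (path, digest), on_hosts in seen.items():
        if digest in known_good:
            continue                                   # org-generated enrichment
        if len(on_hosts) / len(hosts) <= max_prevalence:
            for host in on_hosts:
                rare[host].append((path, digest, len(on_hosts)))
    return rare


def tag_hosts(artefacts, dns, iocs, known_good):
    """Automatic tagging: host -> set of tags derived from the collected data."""
    tags = defaultdict(set)
    for host, hits in ioc_hits(artefacts, dns, iocs).items():
        tags[host].update(tag for tag, _, _ in hits)
    for host in rare_artefacts(artefacts, known_good):
        tags[host].add("rare-persistence")
    return tags


def report(tags):
    """Reporting: rank hosts so that IOC matches outrank statistical anomalies."""
    weight = {"ioc:sha256": 10, "ioc:domain": 10, "rare-persistence": 1}   # assumed
    rows = [(sum(weight[t] for t in ts), host, sorted(ts)) for host, ts in tags.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for score, host, host_tags in report(tag_hosts(ARTEFACTS, DNS, IOCS, ORG_KNOWN_GOOD)):
        print(f"{score:3d} {host} {host_tags}")
```

With this input, ws01 comes out on top (an indicator-matched hash, a resolution of the tunneler's domain and a persistence entry seen nowhere else), ws03 is flagged only for a rare `helper.exe` that a human still has to look at, and ws02 and ws04 never appear because everything on them is either prevalent or on the organisation's known-good list. The prevalence cut-off needs tuning to the fleet size: at four hosts, "1 in 4" is rare; at four thousand, the same rule would flag almost nothing.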

### Conclusion

The approach we will present is the one we currently use to support our constituents. We are still improving it and always welcome new ideas, in particular new ways to automate our activities and to improve our detection capabilities.