This is the first in a series of articles that aims to technically describe the various objects collected within our Exposure Assessment activity, which is based on our OSINT & Cyber Threat Intelligence platform, SATAYO. Its functionality and the elements it collects make it a fundamental tool for any organization wishing to continuously monitor its exposure in public-domain sources.
What is Cyber Threat Intelligence?
Cyber Threat Intelligence (CTI) is defined as the collection and analysis of information about threats and adversaries, and the discernment of patterns in that information, so that an organization can make knowledgeable decisions about preparedness, prevention and response against various cyber attacks.
CTI involves collecting, researching and analyzing trends and technical developments in the area of cyber threats, and is often delivered in the form of Indicators of Compromise (IoCs) or threat feeds. It provides evidence-based knowledge of an organization’s unique threat landscape.
In Cyber Threat Intelligence, analysis is performed on the basis of the intent, capability and opportunity triad. By studying this triad, experts can evaluate existing or emerging threats to the organization and make informed, forward-leaning strategic, operational and tactical decisions about them.
The three types of Threat Intelligence:
Strategic – provides high-level information regarding cyber security posture, threats and their impact on business
Tactical – provides information related to a threat actor’s Tactics, Techniques and Procedures (TTPs) used to perform attacks
Operational – provides information about specific threats against the organization
Typical sources of intelligence are:
The 7 phases of an attack (Cyber Kill Chain®)
Developed by Lockheed Martin, the Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies the steps the adversaries must complete in order to achieve their objective.
The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures.
Reconnaissance: After identifying the target, the attacker begins investigating it, building a profile from public (OSINT) and private (CLOSINT) sources. Publicly available information can be derived from company-related websites, information retrieved through search engines, details of all organizations related to the company, employees, events, and social networks.
Weaponization: Once the malware has been written, the attack moves from theory to practice.
Delivery: The exploit is delivered via an attack vector, which may be an e-mail (phishing), a text message (smishing), a voice communication (vishing), a link on a website, or some other way.
Exploitation: The malware performs the activity for which it was created. Using vulnerabilities on the target system, the malicious code is executed.
Installation: The payload, the main attack element within the malware, is downloaded and installed. It evades and bypasses various security measures using cryptographic and obfuscation techniques.
Command and Control (C2 or C&C): Once installed, the payload contacts the attacker’s command-and-control infrastructure in order to send data collected from the target victim or to receive new instructions to be executed.
Actions on objectives: These include all activities that follow the standard steps described above. They may encompass, for example, theft or damage of information, compromise of the most valuable elements of the organization’s infrastructure, and lateral movement towards other systems.
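To make the relationship between threat feeds (mentioned above under CTI) and the Kill Chain phases concrete, here is an added example that is not part of the original article and is not SATAYO code: a small Python script that parses a constructed IoC feed in which each indicator is tagged with the Kill Chain phase it is associated with (a Delivery domain, a C2 address, an Installation-stage file hash), then scans constructed proxy, DNS and endpoint log lines and reports which phases of the chain the hits point to. The feed format, the log format, the `.example` domains and the 203.0.113.0/24 and 198.51.100.0/24 addresses are all assumptions made for the example.

```python
"""Match a constructed IoC feed against constructed log lines and tag each hit
with the Cyber Kill Chain phase the feed associates with the indicator.
Added example; the feed and log formats are assumptions, not SATAYO's own."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    ioc_type: str   # "domain", "ipv4" or "sha256"
    value: str      # indicator value, normalised to lower case
    phase: str      # Kill Chain phase the feed associates with the indicator


# Hash of a constructed byte string, so the sample feed carries a genuine
# SHA-256 value without quoting any real malware hash.
SAMPLE_PAYLOAD_SHA256 = hashlib.sha256(b"constructed sample payload").hexdigest()

# Constructed threat feed (assumed format): one indicator per line, type,value,phase
SAMPLE_FEED = f"""\
# type,value,kill_chain_phase
domain,update-portal.example,Delivery
ipv4,203.0.113.45,Command and Control
sha256,{SAMPLE_PAYLOAD_SHA256},Installation
"""

# Constructed log lines; addresses come from the documentation ranges and
# domains use the reserved .example TLD, so nothing here refers to a real host.
SAMPLE_LOGS = f"""\
2024-05-01T08:12:03Z proxy src=10.0.0.15 dst=203.0.113.45:443 host=update-portal.example action=allow
2024-05-01T08:12:04Z dns src=10.0.0.15 query=cdn.example answer=198.51.100.7
2024-05-01T08:13:10Z edr host=ws-015 file=C:\\Users\\u\\Downloads\\setup.exe sha256={SAMPLE_PAYLOAD_SHA256}
2024-05-01T08:20:00Z proxy src=10.0.0.22 dst=198.51.100.9:443 host=intranet.example action=allow
"""

VALID_TYPES = {"domain", "ipv4", "sha256"}

# Whole-token extractors: the look-arounds stop 203.0.113.45 matching inside
# 203.0.113.450 and portal.example matching inside notportal.example.
EXTRACTORS = {
    "ipv4": re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"),
    "domain": re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w.-])", re.I),
    "sha256": re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])", re.I),
}


def parse_feed(text: str) -> list[Indicator]:
    """Parse the CSV-like feed, skipping comments, blank and malformed lines."""
    indicators = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) != 3 or parts[0] not in VALID_TYPES:
            continue  # a malformed entry is dropped rather than silently "never matching"
        ioc_type, value, phase = parts
        indicators.append(Indicator(ioc_type, value.strip().lower(), phase.strip()))
    return indicators


def scan_logs(indicators: list[Indicator], log_text: str) -> list[tuple[int, Indicator]]:
    """Return (line_number, indicator) for every indicator found in the logs."""
    by_type: dict[str, dict[str, Indicator]] = {}
    for ind in indicators:
        by_type.setdefault(ind.ioc_type, {})[ind.value] = ind
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for ioc_type, regex in EXTRACTORS.items():
            lookup = by_type.get(ioc_type)
            if not lookup:
                continue
            for m in regex.finditer(line):
                ind = lookup.get(m.group(0).lower())
                if ind is not None:
                    hits.append((n, ind))
    return hits


def phases_seen(hits: list[tuple[int, Indicator]]) -> list[str]:
    """Distinct Kill Chain phases the hits point to, in sorted order."""
    return sorted({ind.phase for _, ind in hits})


if __name__ == "__main__":
    found = scan_logs(parse_feed(SAMPLE_FEED), SAMPLE_LOGS)
    for line_no, ind in found:
        print(f"line {line_no}: {ind.ioc_type} {ind.value} -> {ind.phase}")
    print("phases observed:", phases_seen(found))
```

Seeing hits in more than one phase for the same source host (here 10.0.0.15 reaches both the Delivery domain and the C2 address within seconds) is exactly the kind of pattern that turns a list of isolated IoC matches into an intrusion story worth escalating.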
The attacker’s point of view
With SATAYO we have developed a platform capable of simulating the activity of an attacker during the first phase of the attack, reconnaissance. This means acting silently, without generating noise on the target’s security sensors (for example, an Intrusion Prevention System) that could otherwise detect and block information-gathering activity.
With SATAYO we also aim to clearly show how anyone, using the correct techniques, can retrieve information, taking it from OSINT-type sources, with the potential to then use it to create targeted attacks and with a very high probability of success.
Typically an attacker invests a large part of the time necessary to carry out an attack in the reconnaissance phase. The quality of this phase is what will inexorably determine the success or failure of an attack.