2023
Cyber intelligence is gaining popularity in Russia
Russian companies have become more interested in cyber intelligence services, which include monitoring shadow forums to identify upcoming hacker attacks and analyzing incidents that have already occurred. According to F.A.C.C.T. (formerly Group-IB), in the first half of 2023 alone the demand for such services increased by almost 30%. Positive Technologies also notes an increase in demand of 40%, and Informzaschita of 25%. RTK Solar likewise recorded a twofold increase in demand for external threat monitoring services year on year. This was announced on September 6, 2023 by the press service of State Duma deputy Anton Nemkin.
Interest in cyber intelligence is also growing in the public sector. For example, on July 28 the Moscow Department of Information Technologies (DIT) published a tender for 250 million rubles for "the provision of a comprehensive service for cyber intelligence and the investigation of information security incidents."
This work allows you to understand in advance what threats the organization may face in the near future. For DIT, it is extremely important, since the city must proactively respond to constantly emerging cyber threats and understand how attackers can act against information systems. This is planned work that the department conducts regularly. And the technical investigation makes it possible to understand how the attacker acted, in order to strengthen protection against similar cyber attacks in the future, the department told Kommersant.
Specialists who provide cyber intelligence services should, among other things, check for the presence on the network of compromising information about the organization's external resources and their vulnerabilities, and track the placement of orders for hacker attacks on the company, as well as offers to sell access to its infrastructure or its confidential data. At the same time, the range of clients who require such intelligence has expanded significantly since the start of the special military operation. As F.A.C.C.T. notes, requests are received not only for protection, but also for data on the organizers of cyber incidents, their tools and their infrastructure.
The digital footprint on the network is left not only by ordinary users, but also by scammers, and this circumstance can safely be used in one's favor. I am sure that in the coming years the demand for cyber intelligence specialists will only continue to grow, since, unfortunately, the number of threats on the network continues to increase, attackers are improving their methods, and they have new technological capabilities. Many responsible Russian companies have already realized that investing in preventive protection against digital incidents is much more profitable than fighting their serious consequences afterwards, and this is a very good trend, the deputy said.
How does a hacker act in a targeted attack, and how can it be prevented? An overview of the capabilities of Threat Intelligence services
In those distant times when antiviruses first appeared and began to spread en masse on the market, an important task was obtaining current instances of malware "in the wild." Although any specialist could then take a copy of a virus and send it to the laboratory, it was important for antivirus companies to receive new versions of malicious code as quickly as possible. So they deployed a network of sensors at customers' sites (by agreement) and on the open Internet, which collected information about suspicious activity in applications or network protocols. These were the first sprouts of the services that are now called Threat Intelligence (TI) or cyber intelligence. Since then, TI services have evolved significantly and become an indispensable tool for understanding how hackers act in targeted attacks, as well as for preventing such attacks.
Knowing the enemy by sight
Initially, antivirus companies, through their maintenance services, were only engaged in updating malware signatures, but it became clear that this was not enough. To fully protect corporate networks, it is also necessary to monitor the installation of fixes for various information system components, the settings of network equipment and firewalls, access rights, and many other security parameters. At the same time, it was clear that hackers from various groups use approximately the same techniques and methods of penetrating a system, gaining a foothold in it and conducting their malicious activities. It was impossible to protect against all the variety of malicious activity with antivirus signatures alone.
Approaches changed when the concept of the advanced persistent threat (APT) arose. It became clear that protection should be based on knowledge of the methods used by cybercriminal groups in their malicious activities.
It was then that the concept of cyber intelligence arose, that is, a TI service whose operator monitors the criminal activities of hacker groups and analyzes their methods of preliminary information gathering, intrusion into and entrenchment in information systems, movement inside the compromised infrastructure and commission of malicious actions, which are often associated with data theft, disruption of the victim's information systems or the launch of ransomware.
The key concept of TI is the indicator of compromise (IoC), that is, a combination of signs that hacker activity of one of the well-known APT groups is present in an information system. IoC descriptions are prepared based on the results of an analysis of the malicious activities of hacker groups in other infrastructures; for this, the results of investigations of similar attacks are used. It is precisely the preparation of such descriptions that TI operators are engaged in.
The IoC stream is usually delivered as a malicious activity alert service that describes the results of an investigation as a set of signs of the presence of the same group in the customer's infrastructure. Such a stream of warnings is called a TI feed; it must be analyzed in detail and its recommendations for protection implemented immediately, in order either to secure the infrastructure from attacks by the same group, or to detect traces of its presence in the system and proceed to countermeasures.
It is clear that in order to process the messages received from a TI operator, you need to have your own information security service or incident response center (security operations center, SOC), which will follow the recommendations of the service and counteract hackers if signs of them are found in the information system. If there is no such service, TI services will not be able to help protect you from intruders. In this case, it is better to use the services of commercial SOCs, whose specialists will themselves work with TI feeds to obtain up-to-date information about hacker activity.
Western analysts have long followed the development of the TI services market. NTT DATA Americas annually publishes a report called the Global Threat Intelligence Report, in which it sets out its view of both the landscape of existing threats and the TI services market. In 2019 it published a forecast that provided for annual growth of the global TI services market by an average of 21.4% per year, with the market worldwide expected to reach a volume of $6.6 billion by 2024. However, as of 2023 the company no longer cites such assessments; its analysts have focused on the development of the threat landscape and on recommendations to customers on how to protect themselves from it. In these recommendations, the use of cyber intelligence services is central, since it is precisely they that allow information system defenders to know the enemy by sight in order to drive him out.
Anatomy of the attack
To describe the malicious activity of hackers, the concept of a kill chain appeared, which defines the stages of hackers' penetration into the victim's information system. The most popular is the ATT&CK matrix of the American corporation MITRE, which for each stage of penetration into a system offers a whole set of protection methods. In it, the kill chain is defined by the following stages:
- Reconnaissance. At this stage, attackers simply study the victim's resources accessible to them, their software and their methods of protection. It is important for attackers to obtain the maximum information about the software in use and the vulnerabilities in it. As soon as a vulnerability is discovered, the attack proceeds to the next stage.
- Resource Development. At this stage, hackers develop tools to exploit the vulnerabilities found at the first stage: they prepare phishing messages, arrange DDoS attacks, or buy and adapt tools for exploiting vulnerabilities, that is, exploits. The purpose of this activity is to move to the next stage.
- Initial Access. This is already a stage of malicious activity, since destructive exploits that disable information systems can be used. However, most often initial access passes unnoticed by the protection tools: entry through stolen accounts, execution of hacker JavaScript in the context of a client browser, or execution of a PHP injection on a web server. It is important for the hacker to achieve an invisible transition to the next stage, so destructive exploits are rarely used.
- Execution. This is the actual hack, as a result of which a set of commands or a special application is executed in the context of the attacked system, allowing the hacker to interact with the victim's information system. After this, the hacker can perform one or more of the actions listed below, depending on the goals of his activity.
- Persistence. This is an action to hide one's presence in the system on the one hand, and to plant backdoors for subsequent entry without going through the previous stages on the other. It is not always necessary to perform this step. For example, when entering with stolen credentials, it is usually impossible to immediately gain a foothold in the system; the next stage is needed.
- Privilege Escalation. Often it is impossible to entrench oneself in the system on behalf of an ordinary user, so hackers have to obtain the rights of the system, a local administrator or a domain administrator. For this, additional exploits are usually used, depending on the operating system present and its vulnerabilities. After obtaining privileged rights, hackers move on to the next stage.
- Defense Evasion. To develop the attack further, it is often necessary to turn off the protection tools in use. In some cases, hackers have to disable the antivirus tools themselves, reconfigure firewalls and filter messages out of system logs so that their actions remain invisible. More often than not, though, it comes down to the next stage.
- Credential Access. Reconfiguring access rights and creating one's own user with sufficiently high privileges, as a rule, allows hackers to entrench themselves in the system and disable protection. Also at this point, the hacker gains the opportunity to install his own tools (hacker tools and otherwise) to penetrate other elements of the victim's infrastructure, such as a domain controller or business-critical systems. The attack moves to a new stage.
- Discovery (exploring the internal infrastructure). The hacker studies the structure of the internal network, trying to find the resources most valuable to him and to outline targets for further spread. Actions at this stage depend heavily on the purpose of the hacker's penetration. If he penetrated to steal electronic money, he will look for the accountant's computer; if for data, the corresponding database; if for extortion, a valuable asset. Setting internal traps in the form of virtual machines for each of these purposes allows you to better understand the hacker's tasks.
- Lateral Movement. At this stage, the hacker gradually begins to seize other internal resources of the company in order to achieve his goal. This stage can last quite long and consist of several cycles. That is why it is important to detect such activity very quickly, since it may be greatly stretched out in time to ensure stealth, analyze the purpose of the hacker's actions and localize him.
- Collection. The hacker collects information, as during reconnaissance or discovery of the internal infrastructure, but this is different information: the very digital assets for which the hacker entered the system, namely personal data, industrial secrets, accounts, confidential correspondence and much more. For a hacker, it is important to first collect all the data into a single file in order to quickly transfer it to his own resources. There have been cases when hackers used the victim's own compromised DLP systems to collect valuable data.
- Command and Control. This is an alternative to the previous item for the case when the hacker's goal is not data theft but interference with the operation of the corporate network. The hacker gradually gains full access to the resources of the victim's information system, installing an application inside to secretly control internal events and transfer telemetry data to the command center. At this stage the attack can usually last quite long: the system built by the hacker may go dormant or may constantly interact with the command servers of the hacker group, transferring a minimal set of the most operational data. However, it is also possible to move on to the next, final stages.
- Exfiltration (data theft). This is the final stage of a data theft operation: the data archive collected at the previous stages is transferred to the attacker's servers. It is important for the hacker that the fact of theft goes unnoticed, so by this time he will try to disable the protection systems as much as possible, so that the transfer of valuable information outside is not noticed by information security officers.
- Impact. If the hackers' purpose is extortion or disabling the information system, then at this stage they simply launch the malicious programs prepared to achieve those goals: ransomware or logic bombs. This is the final stage of the attack, after which it can be considered completed, though not without consequences for the victim.
Not all of the listed stages are always present in a hacker attack; this depends on the hackers' goals. However, modern APT groups try to adhere to best practices and implement everything: theft of confidential data, sale of accounts, interference with the operation of web servers, and at the end encryption with extortion. This is because a whole industry of malicious cyber activity has been built up in the world: each member of a group handles its own stage of the attack and is interested in its full implementation and in the quality of its service.
Operators of TI services can determine their own signs of compromise for each of the stages, which allows the client's information security department to find out at what stage a given attack is, which groups use these attack methods and what goals they usually pursue. This information allows you to better localize the hacker and, possibly, even de-anonymize him, that is, help to detect him in the physical world.
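As an added illustration of the two points made above, namely that a TI feed must be checked against the customer's own infrastructure and that per-stage indicators tell the defender how far an attack has progressed, the following script is example code written for this page, not code from the article or from any vendor's product. It parses a constructed JSON-lines feed whose indicators carry an invented APT group name and one of the kill-chain stages listed above, matches them against constructed DNS, proxy, EDR and firewall log lines (including "defanged" feed values such as `hxxp` and `[.]`), and reports per group the furthest stage observed. The feed format, the log field names and all sample values are assumptions.

```python
import hashlib
import json
import re
from urllib.parse import urlsplit

# Kill-chain stages in the order of the list above; the position in this list
# is used to judge how far an attack has progressed.
STAGES = ["Reconnaissance", "Resource Development", "Initial Access",
          "Execution", "Persistence", "Privilege Escalation", "Defense Evasion",
          "Credential Access", "Discovery", "Lateral Movement", "Collection",
          "Command and Control", "Exfiltration", "Impact"]

# Which key=value fields of the local logs carry which kind of observable.
FIELD_TYPES = {"query": "domain", "url": "url", "dst": "ip", "sha256": "sha256"}

# Constructed sample data: group names, domains, addresses and the hash are
# invented for this example. Feeds often arrive "defanged" (hxxp, [.]).
SAMPLE_HASH = hashlib.sha256(b"constructed sample binary").hexdigest()
FEED_JSONL = "\n".join([
    '{"type": "domain", "value": "Update-Checker[.]example", "group": "APT-Sample-1", "stage": "Command and Control"}',
    '{"type": "ip", "value": "203.0.113[.]45", "group": "APT-Sample-1", "stage": "Exfiltration"}',
    '{"type": "url", "value": "hxxps://login-portal[.]example/auth.php", "group": "APT-Sample-2", "stage": "Initial Access"}',
    '{"type": "sha256", "value": "%s", "group": "APT-Sample-2", "stage": "Execution"}' % SAMPLE_HASH.upper(),
])
LOG_LINES = [
    "2023-09-06T10:01:02Z dns client=10.0.0.12 query=update-checker.example type=A",
    "2023-09-06T10:01:05Z proxy client=10.0.0.12 method=POST url=https://login-portal.example/auth.php status=200",
    "2023-09-06T10:02:11Z edr host=ws-12 event=process_start sha256=%s image=svc.exe" % SAMPLE_HASH,
    "2023-09-06T10:09:40Z fw src=10.0.0.12 dst=203.0.113.45 dport=443 bytes_out=52428800 action=allow",
    "2023-09-06T10:10:00Z dns client=10.0.0.30 query=intranet.corp.example type=A",
]


def refang(value: str) -> str:
    """Undo common feed defanging and canonicalize case."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v)


def load_feed(text: str) -> dict:
    """Parse a JSON-lines feed into an index {(type, value): [indicators]}."""
    index = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ioc = json.loads(line)
        if ioc["stage"] not in STAGES:
            raise ValueError("unknown kill-chain stage: %r" % ioc["stage"])
        index.setdefault((ioc["type"], refang(ioc["value"])), []).append(ioc)
    return index


def observables(line: str):
    """Yield (type, value) pairs found in a key=value log line; a URL also
    yields its host name so that domain indicators match proxy logs."""
    for key, raw in re.findall(r"(\w+)=(\S+)", line):
        ioc_type = FIELD_TYPES.get(key)
        if ioc_type is None:
            continue
        yield ioc_type, raw.lower()
        if ioc_type == "url" and urlsplit(raw.lower()).hostname:
            yield "domain", urlsplit(raw.lower()).hostname


def match_logs(index: dict, lines) -> list:
    """Return one hit per (indicator, log line) pair present in the feed."""
    hits = []
    for line in lines:
        for key in observables(line):
            for ioc in index.get(key, []):
                hits.append({"group": ioc["group"], "stage": ioc["stage"],
                             "indicator": key[1], "line": line})
    return hits


def furthest_stage(hits: list) -> dict:
    """Per group, the kill-chain stage furthest along among the matched IoCs."""
    result = {}
    for hit in hits:
        current = result.get(hit["group"])
        if current is None or STAGES.index(hit["stage"]) > STAGES.index(current):
            result[hit["group"]] = hit["stage"]
    return result


if __name__ == "__main__":
    found = match_logs(load_feed(FEED_JSONL), LOG_LINES)
    print(furthest_stage(found))
```

On the constructed data the report shows APT-Sample-1 already at the Exfiltration stage, which is the signal that the paragraph above describes: the defender learns not just that a group is present but how far along it is.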
Applications
It should be noted that TI services are necessary only for those companies that already have an information security service, or at least information security specialists, who can receive information from the operator and use it to protect their own infrastructure: check each received indicator of compromise, localize the attack and recover from it in the event of a positive IoC match, and reconfigure protection to repel further attacks of this type. With this in mind, it is worth assessing the need to purchase a TI feed subscription.
Taking into account the above reservations, the following categories of consumers currently need TI services:
- CII subjects. The largest TI service in Russia is the State system of detection, prevention and elimination of consequences of computer attacks. Moreover, its use has become practically mandatory at the legislative level for owners of information systems subject to Law No. 187-FZ "On the critical information infrastructure of the Russian Federation." Failure to connect can lead to legal consequences up to criminal prosecution. The service is bilateral: the NCCCI, which is the root of the hierarchical State system of detection, prevention and elimination of consequences of computer attacks, not only publishes warnings about attacks and recommendations for protecting against them, but also requires that information about incidents be sent to the system. A feature of the service is that in the event of a serious attack, specialists of the FSB, of which the NCCCI is a part, reserve the right to go to the site of the attack, repel it and conduct an independent investigation. Moreover, using the means of operational investigative activity (ORD) and other state registers, it is this system that has every chance not only to minimize the consequences of the attack, but also to find and punish the perpetrators.
- Owners of personal data information systems (ISPDn). In accordance with the amendments to Law No. 152-FZ "On the Protection of Personal Data of Citizens of the Russian Federation," which entered into force on September 1, 2022, personal data operators (and this is almost all Russian companies) must transfer data on information security incidents occurring in their IT infrastructure to the State system of detection, prevention and elimination of consequences of computer attacks. Of course, this does not imply the use of the NCCCI's TI services, but the following model seems strange: sending information about your incidents to the NCCCI and not receiving warnings about new attacks from the response center. It is rather like cheating a taxi driver: paying and not riding. Fortunately, for small companies that nevertheless own an ISPDn, interaction with the State system of detection, prevention and elimination of consequences of computer attacks can be organized both through its commercial centers and through industry centers; the creation of the latter is expected in the near future, though so far only in the areas covered by Law No. 187-FZ.
- Industrial networks (operational technology, OT). There are companies that have OT infrastructure but are not CII subjects, for example enterprises of the food industry or of housing and utilities. Nevertheless, it is now important for them to provide protection against modern threats so as not to lose business or face criminal prosecution, for example for sabotage, if hackers manage to alter the recipe for water treatment or food products and this leads to poisoning of people. Such companies are currently not subject to Law No. 187-FZ, but in the event of serious casualties the head of the company is unlikely to avoid punishment under other laws. There are regular proposals to expand the list of key industrial areas in Law No. 187-FZ, so the owners of such enterprises should build information security services in advance and prepare to connect TI services.
- International business. Companies that have representative offices around the world, including in Russia, usually already have information security services and comply with the requirements for the protection of their information resources that the governments of various countries impose on them. Previously, the representative offices of such companies were most likely connected to some TI service at the international level without even knowing it, receiving information from headquarters. However, international TI service operators now do not support Russian customers, while attacks on such representative offices continue. Therefore, it is logical for branches of international companies to use domestic TI services, of which there are enough on offer.
- Small and medium-sized businesses. As already mentioned, for a business that does not have its own information security service, connecting to TI services makes no sense. However, such businesses also need to protect their information systems. To do this, it is worth using the services of commercial incident response centers (SOCs), which act as a kind of external (rented) information security service. When choosing an operator for such a connection, it is worth paying attention to the list of TI services that the SOC uses. They should be domestic and adequate to the challenges that may arise at the enterprise in connection with a hacker attack.
In general, almost all companies need cyber intelligence services, some just through intermediaries in the form of commercial SOCs. In Russia, the main driver of this market's development is the state, which issues and tightens legislation in the field of personal data protection and critical information infrastructure. In some countries the development model of this market may be different, namely through insurance companies. In that case, a subscription to TI services and the presence of an information security service that orders them is a factor in the discount on cyber risk insurance. In Russia, such a model has not yet taken root, although insurance companies regularly come up with projects for cyber risk insurance.
Domestic cyber intelligence
The TI services market in Russia has now changed a lot: the international players, who held an overwhelming share of it, have left. The market has become vacant, and the remaining players can now feel freer. It should be remembered, though, that the largest player here is the state in the form of the State system of detection, prevention and elimination of consequences of computer attacks. Taking this factor into account, the following companies offering commercial TI services can be distinguished:
- BI.Zone ThreatVision. BI.Zone is a digital risk management company that helps organizations around the world grow their businesses safely in the digital age. It specializes in preparing individual strategies for complex projects based on more than 40 of its own products and services, and also offers simple automated outsourcing solutions for small businesses in Russia. The company has its own cyber threat response center, BI.Zone-CERT, which also monitors malicious activity on the Internet. The BI.Zone ThreatVision service itself provides up-to-date analytical information on the latest threats and trends, collected from many sources. All data is processed and put into a convenient format designed to help customers respond to potential threats in time and prepare to repel attacks.
- Group-IB Threat Intelligence. Group-IB has traditionally helped investigate computer crimes in the banking sector. At a certain point, its specialists gained considerable experience in tracking APT groups, which allowed the company to compile its own attack warning service. The service is provided as a subscription and implements monitoring, analysis and forecasting of threats to the organization, its partners and its customers. Using the accumulated database of APT groups and the tracking system built for them, Group-IB Threat Intelligence clients can learn about attacks at all stages of the kill chain.
- Kaspersky Threat Intelligence. The service is the product of the activity of the KSN (Kaspersky Security Network) malware detection network. This is one of the antivirus company's oldest tools, which still allows it to collect data on malicious activity on the Internet and, based on the results of its analysis, generate warnings in the form of a TI feed. The Kaspersky Threat Intelligence portal is now a threat reporting service designed for prompt incident response and effective investigation; however, the information it contains can also be used in the company's security tools when building a comprehensive corporate security system.
- PT Cybersecurity Intelligence. Positive Technologies specializes in creating tools for assessing the security of enterprises, and therefore its specialists have also studied the attack methods that hackers use when breaking into information systems. As a result, the information obtained through analysis of malicious activity on the network formed the basis not only of the security analysis tool, but also of the corresponding TI service. The PT Cybersecurity Intelligence platform is designed to manage knowledge of information security threats based on free and commercial feeds as well as Positive Technologies' own data. To identify mass, targeted and industry-specific attacks, the platform can independently transfer processed data to existing protection and response tools.
- R-Vision Threat Intelligence Platform (TIP). Since 2011, R-Vision has been developing solutions and services for building comprehensive enterprise security systems. Its TI service is a compilation of feeds from other commercial and open sources, as well as data from the industry response center FinCERT. It is a centralized cyber intelligence analytics platform that collects, processes, stores and analyzes threat data, and uses that knowledge to identify and block threats, respond to incidents and conduct investigations.
- Security Vision Threat Intelligence Platform (TIP). Security Vision is developing a comprehensive security platform for various enterprises under the same name. The TI module, Security Vision TIP, can also be included in this integrated protection system. Its functionality provides automatic collection of IoCs from external sources, normalization of the received data, enrichment with additional information, as well as post-processing of the received information: adding exceptions to security settings, identifying indicators in the client's infrastructure, notifying interested parties and further disseminating the information.
Thus, there is a wide variety of companies on the TI services market, from the oldest antivirus vendors to new information security integrators. The quality of the services offered differs, but almost all of them collect data from various commercial and open sources on vulnerabilities, malware and APT attack methods, which is then offered to companies' information security services for prompt response and restructuring of protection. The services help both to build corporate software update policies and to reconfigure corporate network settings in time to repel current attacks.
Conclusion
The market for domestic cyber intelligence services is already quite developed and will only continue to improve, since the main factor in it is state policy in the field of information security, which will only be tightened. At the same time, the market has now been freed from fierce competition from international services; at the time this caused problems for some customers, but it cleared the market of international influence, and in fact TI services were completely divided up, to the point of blocking the receipt of information about hacker activity from international sources. However, enough domestic network threat response centers have already been built in Russia, and they provide a good base for the further development of the cyber intelligence services market.