
CSIM - The consolidated security intelligence methodology

Scarpinati Luigi
anticip
lsc@anticip.co

June 7, 2018

Abstract

This paper is an attempt to summarize, and make a creative effort to define, a structured method for cyber intelligence and threat hunting. The business of cyber intelligence is risky and costly. So in this article, we will try to define a clear and comprehensive methodology to better respond to the multiple challenges the cyber intel professional faces in his everyday job.

I. Introduction

The security intelligence discipline is currently at the beginning of its way. Organizations, professionals and citizens face the same challenges regarding the protection of their assets.
With the growing complexity of the systems we use every day, the massive amount of data we exchange and produce and the digitalization of every economic part of our lives, the opportunities for attackers are exploding. In the meantime, the complexity of the task for defenders is rising.
These are some of the reasons why cyber intelligence is taking more and more place in every organization's cyber-defense strategy. But while there exist some great emerging tools and frameworks to research incidents and threats, we need a global tool to help the analyst, or any other concerned party, structure his cyber intelligence effort in a way that this effort can be analyzed, structured and reported with consistency.
Inspired by recognized tools and frameworks already existing in the cyber intelligence field, this article will try to provide such a tool.

II. The challenges of cyber intelligence

Cyber intelligence is tricky. A good analyst should be able to provide an answer to an equation whose variables are not clearly known. These variables are multiple in their forms and complexity, and the answers depend on these parameters.
The activities of an analyst are diverse by nature, and the risk is great for him to sink in the ocean of information he has to analyze, classify and prioritize in order to uncover the real threats that hurt the entity he tries to defend.
In summary, here are some challenges a cyber intelligence analyst faces:

• Being buried under the big amount of data he has to analyze
• define the right attacker for the right threat
• find the capabilities of the attacker
• uncover the real target of an attack
• prioritize the threats
• report the threats consistently
• design and structure the right response recommendations for a given threat

CSIM • Scarpinati Luigi • June7, 2018

III. The diamond model

One of the commonly used tools in threat modeling and cyber intelligence gathering is the diamond model. The good part of this framework relies on its ability to observe a threat from four different points of view:

• Victim
• Infrastructure
• Capability
• Adversary

These four points of view influence each other and lead the analyst to a quite good and actionable analysis.
The four different views are like the four angles of a diamond, linked together by edges that describe the relationships between them.
One of the strengths of this model is that it makes the analyst aware of the four main components of a threat. This model formalizes, in some sort, the definition of a threat. This sounds like a natural way of describing a threat. Without a victim there is no threat, and there is no threat without an adversary. In the same way, if there is a threat, there should be an adversary that uses his capability to attack an infrastructure.
But, as stated in the technical paper describing this method [S. Caltagirone, A. Pendergast, C. Betz 2013], the diamond model is incomplete. This is a model that can be enriched and somehow used as a backbone for a more consistent model.
That is the purpose of this article: using the diamond model as a backbone and enriching it with tools to go deeper in threat analysis, measure and classify information, and formalize and standardize threat hunting.

IV. Looking for capabilities & infrastructure

Let's start with a hypothesis. Random J. Hacker works for a customer; his mission is to report the threats the customer's organization is suffering. His first statement is: the customer faces attacks. It is as simple as that.
Next, if the customer faces attacks, there should be attackers with some capabilities to spread the attack. So if they have some capabilities, they should have left some traces proving these capabilities. Quickly a question rises in Random J. Hacker's mind: which traces should I search for? Which tool can help me uncover the capabilities attackers use?

i. The pyramid of pain

One tool that can help our hunter is "the pyramid of pain", as represented below.

[Figure: the pyramid of pain, from bottom to top: hash values, IP addresses, domain names, network/host artifacts, tools, tactics/techniques/procedures (TTPs)]

This tool has the goal of helping the analyst classify the different types of intel about attackers' capabilities and infrastructure assets.
This tool classifies attackers' assets from the bottom of the pyramid, the easiest assets to uncover but also the assets requiring the lowest effort for an attacker to obtain or hide, to the top, where assets are more difficult to uncover but also the most valuable for the analyst.
When considering the pyramid of pain, it appears that if we consider this tool for uncovering an attacker's capabilities, we should also talk about infrastructure.
Let's consider an example. During his investigations, an analyst finds a malware hash posted on a specialized website. In the pyramid of pain, the hash is a piece of evidence, the easiest


asset to detect. It is also the asset causing the lowest pain to an attacker. In fact, changing the code of his malware will change the hash: the attacker only has to change the obfuscation, or whatever else, and that's it.
But which information should the analyst get out of this asset? Well, if the analyst has a reverse engineering report for this malware, he can get much more information.
Maybe this malware targets some specific email addresses in the company. Maybe it makes some TCP connections to specific hosts in the company's infrastructure. These represent capabilities but also infrastructure. Another point of consideration in this case could be: where is the malware stored?
Let's imagine the analyst uncovers that the malware is stored on a host in the company's infrastructure. Here we have another two pieces of information: (a) the attacker has the capability to hide a malware on the victim's infrastructure and (b) the attacker's infrastructure includes a part of the victim's infrastructure.
With this information in mind, let's imagine that the malware targets some specific email addresses. Another question here could be: who is targeted? If the malware targets email addresses that belong to members of the company's board of directors, the analyst can deduce that the attack is an attempt to quickly get access to hosts that play a key role in the company's infrastructure.
In this case a few other questions could emerge: which role does the host where the malware was found play in the company's infrastructure? How could the attacker get access to this host?
Let's summarize the findings of our analyst and find a way to value this information using our pyramid of pain.
First, let's classify the information:

Capability                                    Infrastructure
The attacker got access to a company's host   The company's host that hosts the malware
Target specific email addresses               The malware
Using a specific tactic

Now, let's consider the pyramid of pain. We already stated that the pyramid is a ranking from the easiest to the most difficult. So let's attribute a quotation to each rank.

[Figure: the pyramid of pain with a quotation attributed to each rank, 1 at the bottom up to 6 at the top]

In our example, we should have the following ranking:

Capability & Infra                           Ranking
The company's host that hosts the malware    4/6
Target specific email addresses              6/6
Using a specific tactic                      6/6
The malware hash                             1/6

The total is 17/24 (≈ 0.708) or, if we weight this on a scale of ten, 7.08. This gives us a useful indicator about the attacker's capabilities.
Note that we can also add here a CVE/CVSS score if we have an insight about a vulnerability that was or could be exploited. This could be a good addition to our ranking and would be precious information when we try to define our attacker persona.
Here it is interesting to notice, as the diamond model states, that there exists a strong relationship between capability and infrastructure. This is a natural way of thinking because the capabilities of an attacker highly depend on the attacker's capacity to set up, maintain and use an infrastructure to perform his malicious activities.
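The capability quotation described above, as an added example that is not code from the paper: each finding is placed on a level of the pyramid of pain (the six levels of David Bianco's pyramid), quoted with that level's rank, and the sum is compared to the best possible total and rescaled to ten. The finding labels are constructed from the paper's example; the `cvss_as_rank` mapping is my own assumption for the CVE/CVSS addition the paper only suggests, and is labelled as such in the code.

```python
# Added example, not code from the paper. Capability quotation of section IV.

# Pyramid of pain, bottom (1) to top (6). The rank is the quotation the paper
# attributes to each level: how much pain it costs the attacker to change it.
PYRAMID_LEVELS = {
    "hash": 1,      # hash values: a recompile or new packing changes it
    "ip": 2,        # IP addresses
    "domain": 3,    # domain names
    "artifact": 4,  # network / host artifacts (e.g. a host hosting the malware)
    "tool": 5,      # tools
    "ttp": 6,       # tactics, techniques and procedures: the costliest to change
}
MAX_RANK = max(PYRAMID_LEVELS.values())


def rank_of(level):
    """Quotation of one finding, i.e. its rank on the pyramid of pain."""
    try:
        return PYRAMID_LEVELS[level]
    except KeyError:
        raise ValueError(f"unknown pyramid level: {level!r}") from None


def capability_score(ranks):
    """Return (total, maximum, score_on_ten) for a list of quotations.

    The paper sums the quotations, compares the sum to the best possible total
    (one rank-6 asset per finding) and expresses the ratio on a scale of ten.
    """
    if not ranks:
        raise ValueError("no findings to quote")
    if any(not 1 <= r <= MAX_RANK for r in ranks):
        raise ValueError(f"quotations must lie in 1..{MAX_RANK}")
    total = sum(ranks)
    maximum = MAX_RANK * len(ranks)
    return total, maximum, round(10 * total / maximum, 2)


def cvss_as_rank(cvss_base):
    """Fold a CVSS base score in as one more quotation.

    Assumption (mine, not the paper's): the 0.0..10.0 base score is mapped
    linearly onto the 1..6 quotation range so it can be summed like a finding.
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must lie in 0.0..10.0")
    return 1 + (MAX_RANK - 1) * cvss_base / 10.0


# The four findings of the worked example in section IV (constructed labels).
EXAMPLE_FINDINGS = [
    ("the company's host that hosts the malware", "artifact"),  # 4/6
    ("targets specific email addresses", "ttp"),                 # 6/6
    ("uses a specific tactic", "ttp"),                           # 6/6
    ("the malware hash posted on a public site", "hash"),        # 1/6
]


def example_score(cvss_base=None):
    """Score the example findings: 17/24 -> 7.08/10, optionally with a CVSS term."""
    ranks = [rank_of(level) for _, level in EXAMPLE_FINDINGS]
    if cvss_base is not None:
        ranks.append(cvss_as_rank(cvss_base))
    return capability_score(ranks)


if __name__ == "__main__":
    for label, level in EXAMPLE_FINDINGS:
        print(f"{label:45s} {rank_of(level)}/{MAX_RANK}")
    total, maximum, on_ten = example_score()
    print(f"total {total}/{maximum} -> {on_ten}/10")
```

Unknown level names are rejected rather than silently quoted, so a finding such as a port number has to be placed on a level deliberately by the analyst; that decision is exactly what the pyramid is meant to force.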
At this point, in the context of this security event, we have a good understanding of the attacker's capabilities, but what about the attacker himself? This leads us to the attacker point of view.

V. Who is behind the curtain?

The capability of the attacker can give us a quite good understanding of his personality and his motivations.
Let's consider our previous example. We saw that the attacker could store a malware on one of the hosts that belong to the victim. We also noticed that the attacker targeted specific emails belonging to key persons in the company. But how to figure out which attacker we face?
To help us in this task, let's categorize commonly accepted attacker types. To achieve that goal, we can take inspiration from the military field of activities.
In military intelligence, operators have the habit of classifying adversaries according to different criteria (motivation, training, experience, ...). For example, when intel operatives face a terrorism threat, they quickly try to know the level of training and the weapons the attacker can use. This gives them an insight about which class of adversary they face.
We can easily apply the same concept to malicious cyber actors. In the matrix below you can see a classification of the most accepted types of malicious actors.

Class            Description
APTs             Highly trained and highly financially supported adversary. Uses special techniques and zero-day exploits. Has time and resources at its disposal. Difficult to find intel about its activities.
Cyber criminals  Highly qualified and motivated adversary. Has resources at its disposal but is time-constrained. Less verbose about its targets and activities.
Cyber espionage  Adversary motivated by gain and/or strategic and/or financial advantage. External to the victim. Variable in qualification, variable in financial support.
Insider          Attacker internal to the victim. Variable in his motivations, variable in his training, difficult to prevent.
Hacktivist       Attacker motivated by political, religious or other causes. Variable in financial support. Variable in qualification. Verbose about his activities. Uses automated tools.
Script kiddies   Attacker poor in technical skills. Practically not financially supported. Uses automated tools. No particular motivation.

One pitfall here would be to leave this classification as it is. Using entity names in classes is not a good idea: the classes represent types of attackers with capabilities, motivations, funding, ... That is why the better alternative would be to name the classes of attackers "class 1", "class 2", ...
So a good classification of attackers should be:


Class  Description
1      Highly trained and highly financially supported adversary. Uses special techniques and zero-day exploits. Has time and resources at its disposal. Difficult to find intel about its activities.
2      Highly qualified and motivated adversary. Has resources at its disposal but is time-constrained. Less verbose about its targets and activities.
3      Adversary motivated by gain and/or strategic and/or financial advantage. External to the victim. Variable in qualification, variable in financial support.
4      Attacker internal to the victim. Variable in his motivations, variable in his training, difficult to prevent.
5      Attacker motivated by political, religious or other causes. Variable in financial support. Variable in qualification. Verbose about his activities. Uses automated tools.
6      Attacker poor in technical skills. Practically not financially supported. Uses automated tools. No particular motivation.

We now have a classification where one is the most efficient type of attacker and six the easiest type of attacker. If we consider the score we had in our previous example (7.08/10), we can try to find a method to determine the attacker type.
We have six classes of attacker. We could easily deduce the following formula to determine the attacker's class C (written as a class number x out of the 6 classes):

$$x = \frac{7.08}{10} \times 6 = 0.708 \times 6 = 4.25, \qquad C = \frac{4.25}{6}$$

If we consider the adversary matrix, we are most likely facing an attacker type between an insider and a hacktivist. In our example, we have no reason to believe this conclusion. Remember, the malware that was found targeted specific email addresses and was found in the victim's infrastructure. This was more likely a more sophisticated kind of threat than a hacktivist or an insider would perform.
But what about considering that the class number of the potential attacker is inversely related to the capability score? In this case, the formula should be:

$$x = (1 - 0.708) \times 6 = 1.75, \qquad C = \frac{1.75}{6}$$

In this case, we are most likely somewhere in between the "APTs" class and the "cyber criminals" class, but nearest the second one. This gives us a quite good judgement about our attacker's type.
We can here draw the conclusion that as the capability score of an attacker increases, the attacker class number decreases. More globally, the formula should be as follows:

Let A be the attacker, S the capability score and C the attacker class.

$$\forall A \text{ with } S = \frac{a}{b},\ \exists\, C = \frac{x}{y} \text{ such that } x = (1 - S)\, y$$

This way, we can define the attacker's class with more confidence.

VI. What about the victim?

So we defined the attacker's capability score and the attacker's class rank, and now another question shows up: how to quantify the victim's readiness to face this threat? How to rank and evaluate the impact this threat has on the victim?
In this part of the analysis, two things should be considered: the victim and the attack the


victim faces. So there should be some indicators helping us determine the impact of the analyzed security event on the victim.
One of the tools that can help is known as the "Cyber Kill Chain". This tool describes an attack at different stages. The image below explains the different steps of an attack:

[Figure: the seven stages of the Cyber Kill Chain: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives]

Let's imagine we pointed out a potential threat based on a known vulnerability in a software the victim uses, and we do not know if an attacker already used it to attack the victim. How should we rank the attack following the cyber kill chain?
Well, there are two possibilities. (1) There exists some documentation proving that this vulnerability is exploitable, and in this case the risk is that someone exploits the vulnerability. So a good practice would be to rank it as exploitation. (2) The concept exists (documentation states that the vulnerability exists) but there is no proof that the vulnerability was exploited. In this case it would be normal to rank this potential threat as "conceptualization".
In our example, the malware targeted specific email addresses. So we can consider that the attack is at a delivery stage. Therefore, we should rank it in the "delivery" stage, giving the threat a score of 3/7.
But there is another parameter that will influence the impact of a threat on the victim: the maturity of the victim regarding its security intelligence plans and procedures.
A victim that has practically no plan about threat intelligence planning and security monitoring will be more impacted because of its lack of security planning, adaptation and incident response planning. This factor can increase or decrease the level of the impact on the victim.
This is a variable an analyst should consider in his investigations. To help in this task, let's categorize the different types of victims regarding their threat intelligence planning.

[Figure: victim types ranked by threat intelligence planning maturity]

The graph above is clear: it permits us to consider the maturity of the victim in our threat ranking. This way, an analyst can keep trace of the past events ranked and can make time-based comparisons between security events. This will help the analyst and the organization keep track of the progress the victim made.

VII. Putting it all together

Now we have a threat and we defined: an attacker capability score, an attacker class, an attack stage score and a victim maturity score. We can put all these quotations together to get our threat score.
In our example, let's consider that the victim has not planned activities in threat intelligence. The organization relies on automated tools to ensure its security. There is a monitoring implemented but the posture is quite passive: the victim waits and sees for a compromise. So we have the following scores (in this example, 5/5 is the maturity quotation of the victim with no threat intelligence planning):

Description          Score
Attacker Capability  7.08/10
Attacker Class       1.75/6
Attack Stage         3/7
Victim Maturity      5/5

We now have a threat score of 16.83/28 or 6.01/10. This represents a serious threat. The evaluation seems to be correct because, as we have a targeted attack, we only have the proof that the attack was delivered. But as we do not have the proof that there was an exploitation based on this attack, we cannot have a higher score.
Here, the interesting thing is that with this methodology we can adapt the score of a threat. Let's imagine that further investigation proves that the victim was exploited and that there are indications of C2 activity. Now the threat score should be adapted as follows:

Description          Score
Attacker Capability  7.08/10
Attacker Class       1.75/6
Attack Stage         6/7
Victim Maturity      5/5

The threat score is now 19.83/28 or 7.08/10. It is clear that the attack is getting more serious.

VIII. Conclusion

For an analyst, ranking, comparing and keeping track records of cyber threats is a real challenge. In this article we tried to formalize this process. This model is maybe not perfect, but time and practice will help this process improve.
A security intelligence process generates a huge amount of data and information to analyze. Ranking is a key point as it permits to quickly compare security events, prioritize and rationalize the security efforts.

References

[Jon Friedman, Mark Bouchard 2015] Jon Friedman, Mark Bouchard (2015). Definitive Guide to Cyber Threat Intelligence. CyberEdge Group, LLC.

[S. Caltagirone, A. Pendergast, C. Betz 2013] Sergio Caltagirone, Andrew Pendergast, Christopher Betz (2013). The Diamond Model of Intrusion Analysis. US Department of Defense.

[J. A. Gomez 2011] Jimmy A. Gomez (2011). The Targeting Process: D3A and F3EAD. Small Wars Foundation.
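The scoring of sections V to VII, carried through in code as an added example that is not code from the paper: the attacker class from the capability score (class number inversely related to the score), the Cyber Kill Chain stage quotation, the section VI rule for a known but unproven vulnerability, and the threat score that sums the four quotations, re-scored once C2 activity is found. The stage names are the seven stages of the Lockheed Martin Cyber Kill Chain. Two things are my assumptions, not the paper's, and are labelled as such in the code: the numeric value 0/7 given to the "conceptualization" rank (the paper names it but gives it no number), and the `class_bracket` helper that names the classes around a fractional class number.

```python
# Added example, not code from the paper. Sections V to VII in code.
import math

NUM_CLASSES = 6  # class 1 = most capable (APTs), class 6 = script kiddies
CLASS_LABELS = {1: "APTs", 2: "cyber criminals", 3: "cyber espionage",
                4: "insider", 5: "hacktivist", 6: "script kiddies"}

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command and control", "actions on objectives"]
STAGE_MAX = len(KILL_CHAIN)   # 7
CONCEPTUALIZATION_SCORE = 0   # assumption: the paper names this rank but gives it no number
MATURITY_MAX = 5              # 5/5 = victim with no threat intelligence planning (section VII)
THREAT_MAX = 10 + NUM_CLASSES + STAGE_MAX + MATURITY_MAX   # 28


def direct_class(score_on_ten):
    """First attempt of section V, x = S * 6, which the paper discards."""
    return round(score_on_ten / 10 * NUM_CLASSES, 2)


def attacker_class(score_on_ten):
    """Class number x such that C = x/6 with x = (1 - S) * 6, S the score on ten."""
    if not 0 <= score_on_ten <= 10:
        raise ValueError("capability score must lie in 0..10")
    return round((1 - score_on_ten / 10) * NUM_CLASSES, 2)


def class_bracket(x):
    """(lower class, upper class, nearest class) labels around a class number.

    Assumption of mine: the paper reads the fractional number off the table by eye.
    """
    lo = max(1, min(NUM_CLASSES, math.floor(x)))
    hi = min(NUM_CLASSES, lo + 1)
    nearest = max(1, min(NUM_CLASSES, round(x)))
    return CLASS_LABELS[lo], CLASS_LABELS[hi], CLASS_LABELS[nearest]


def stage_score(stage):
    """Kill chain quotation: 1/7 for reconnaissance up to 7/7 for actions on objectives."""
    if stage == "conceptualization":
        return CONCEPTUALIZATION_SCORE
    if stage not in KILL_CHAIN:
        raise ValueError(f"unknown kill chain stage: {stage!r}")
    return KILL_CHAIN.index(stage) + 1


def known_vulnerability_stage(exploit_documented, exploitation_proven):
    """Section VI rule for a known vulnerability in software the victim uses.

    Proof of exploitation means the observed stage is ranked instead, so it is
    rejected here. Otherwise: documented as exploitable -> 'exploitation'
    (someone can exploit it); only the concept documented -> 'conceptualization'.
    """
    if exploitation_proven:
        raise ValueError("exploitation is proven: rank the observed stage instead")
    return "exploitation" if exploit_documented else "conceptualization"


def threat_score(capability, class_number, stage, maturity):
    """Sum of the four quotations as in section VII: (total, maximum, on_ten)."""
    if not 0 <= maturity <= MATURITY_MAX:
        raise ValueError(f"maturity must lie in 0..{MATURITY_MAX}")
    total = capability + class_number + stage + maturity
    return round(total, 2), THREAT_MAX, round(10 * total / THREAT_MAX, 2)


def worked_example():
    """The section VII example, before and after the evidence of C2 activity."""
    s = 7.08                        # capability score of section IV (17/24 on ten)
    x = attacker_class(s)           # 1.75: between APTs and cyber criminals
    maturity = 5                    # victim with no threat intelligence planning
    before = threat_score(s, x, stage_score("delivery"), maturity)             # 16.83/28
    after = threat_score(s, x, stage_score("command and control"), maturity)  # 19.83/28
    return x, before, after


if __name__ == "__main__":
    x, before, after = worked_example()
    print(f"class {x}/{NUM_CLASSES}, nearest {class_bracket(x)[2]}")
    print(f"delivery stage: {before[0]}/{before[1]} -> {before[2]}/10")
    print(f"C2 stage:       {after[0]}/{after[1]} -> {after[2]}/10")
```

One caveat a practitioner will want before using this total for prioritization: the sum mixes four scales, and the class term rewards the less capable attacker (a class-1 adversary adds 1 to the total, a class-6 one adds 6), so the same threat from a script kiddie scores higher than from an APT, all else equal. The code keeps the paper's definition; weight or invert that term before comparing events across time.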
