Threat Intelligence Series (1): what is Threat Intelligence

Posted by santillano at 2020-02-25


Threat intelligence is a relatively new and currently hot area of the security field, with its own business and technical value. While building threat intelligence capabilities, security practitioners, from traditional endpoint security vendors to the security teams of Internet companies, have carried out a series of technical innovations and rethought the essence of security confrontation.

Tencent's (the "goose factory") threat intelligence team took part in, and was responsible for part of, building its threat intelligence capability from zero to one in 2018 and 2019. In this series, the author reviews the intelligence-related knowledge accumulated over those two years through three articles: "what is threat intelligence", "where does it come from" and "how is it used". From the perspective of a business team, I will describe how engineering, automation and scale are achieved (where it comes from) by combining the traditional ideas of sample analysis and search with big data, knowledge graphs, real-time computing, machine learning and other technologies; what kinds of business can be realized once this infrastructure and business data exist (how it is used); and how the same approach extends to business security and other areas.


Before formally introducing threat intelligence, I want to briefly explain how this technology suddenly entered a phase of rapid development in China.

Every so often the Internet industry finds a new boom sector, and the technology and companies in it develop rapidly as things change. The enterprise security industry is different: so far the total market in China is not large. Traditional security companies, represented by NSFOCUS, Venustech and Sangfor, have long fought over it, so the pace of technology iteration has not matched that of Internet companies. However, under the pressure of the environment and the times, the PC desktop era has fully entered a period of competition over an existing stock of users, and monetizing PC traffic is becoming harder and harder. At this point 360, the endpoint leader among Internet companies (see "the three-stage rocket model of the Internet"), which carries security in its very name, entered the enterprise security field in person. Tencent PC Manager, the second largest by users, followed for the same reason. With the scale of 360 and Tencent, and the data, talent and technical reserves they hold, their entry into the security industry triggered a new reshuffle, changed the industry's business model and brought a new round of technology upgrades.

There is also a well-known trigger: the WannaCry ransomware of May 2017. Apart from the few occasions when outside capital and new players accelerate it, the security industry usually develops relatively slowly. But once an event has a major impact on information security, the attention of every sector focuses on the field for a short time, and the industry then goes through another burst of rapid development.

I still remember that one night in May 2017 I was suddenly woken by a phone call from my leader, and a roommate responsible for writing detection rules was called back to the company for emergency response. Later, we all knew why.

WannaCry's author used the MS17-010 vulnerability exploited by EternalBlue from the NSA attack toolkit leaked by the Shadow Brokers (a wormable remote code execution over SMB, comparable to the Blaster worm). In a short time it infected the infrastructure of governments, schools, hospitals and other institutions around the world, caused huge losses and psychological impact, and started a wave of ransomware and mining viruses. I still remember that the next day my classmates sent red screenshots of computers in a university library and laboratory. Later, the company also received a request for help from a hospital, because the ransomware had stopped their equipment working properly.

Screenshot of wannacry infection

Unfortunately, however, the products of 360 Safeguard, Tencent PC Manager and the major traditional security companies did not fully prevent the ransomware from spreading (a big reason is that many end users had not installed the system update in time; Microsoft had in fact released a patch for the vulnerability in April, and viruses exploiting MS17-010 kept spreading over the following two years. It can only be said that educating users is also part of the work security practitioners need to do, which in turn shows that the security industry still has a lot of room to grow). This incident forced 360 and Tencent, the consumer-endpoint security leaders and new players in enterprise security, to reflect on their own shortcomings in security construction: namely the lack of a means to discover the virus families prevalent in the market (the overall domestic user base) and the active cybercrime gangs, and to fight them continuously. With the continued construction of such systems and a deeper understanding of the data, this work has taken forms such as threat intelligence, APT reports and "security brain" products, and has driven technology and concept upgrades across security products, including cloud security products.

OK, enough gossip. Let's start from the most basic question, what threat intelligence is, and enter the world of threat intelligence.

1. Definition of Threat Intelligence

At present, the most cited definition of threat intelligence is the one Gartner put forward in its 2014 Market Guide for Security Threat Intelligence Services:

"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

Gartner's definition places clear demands on the amount of information in intelligence: besides detection, it needs rich background context and advice for decision-makers.

Generally speaking, threat intelligence is information about threats. It uses available resources to detect threats and guide enterprise action to improve security.

Put another way: we know which bad guys (gangs) are out there, what techniques they use and who their targets are, and what artifacts (IOCs) can be used to quickly and accurately detect whether we have been attacked.

Figure 1-1

Threat intelligence can also be understood as a process from unknown unknowns to known unknowns: learning that a threat exists by finding evidence of its existence. Then, by collecting the threat's context and background information, we come to understand it and reduce its harm, moving from known unknowns to known knowns.

The UK's National Cyber Security Centre (NCSC) divides threat intelligence into four categories:

Strategic threat intelligence

Operational threat intelligence

Tactical threat intelligence (TTPs)

Technical threat intelligence

Figure 1-2

Next, we introduce each kind of threat intelligence in detail, using the use cases of the Yujian Threat Intelligence Center as examples to aid understanding.

1.1 Strategic intelligence

Strategic intelligence is summary information that takes the overall view and provides reference for decision-makers. It is usually a macro report on an industry overview, attack trends and the like.

For example, on February 20 the Yujian Threat Intelligence Center issued "Notice for foreign trade practitioners! Strange mail may hide information-stealing Trojans". The article summarizes recent attacks on the foreign trade industry, in which the attacker disguises a Word document carrying a malicious macro as normal business email to trick foreign trade staff into opening it; once opened, the macro downloads the "business letter" Trojan.

1.2 Operational intelligence

Operational intelligence targets an imminent attack by a specific group. For example, a foreign hacking group has recently stepped up reconnaissance of key state units and may launch attacks on them soon. Such intelligence is more easily collected by national intelligence agencies, and ordinary companies and individuals find it hard to access. It may also be obtained by analysing open-source information and by lurking in private chat forums (IRC or Telegram).

1.3 Tactical intelligence

Tactical intelligence usually refers to tactics, techniques and procedures (TTPs). TTPs describe how attackers attack, that is, their methods, tools and strategies. They are provided to enterprise (Party A) security owners and incident responders for defence, alerting and post-compromise investigation.

Common TTPs include:

Characteristics of a Trojan family

Information about a specific Trojan variant

Specific attack techniques

Infrastructure used by attackers (such as the C2 IPs used by a virus)

Target information of the attack


For example, during intranet penetration attackers use Mimikatz, or a modified or obfuscated Mimikatz, to extract credentials (usually NTLM hashes) for brute-forcing or lateral movement. For lateral movement, PsExec or the WMI interface may be used for pass-the-hash; if local administrator privilege is unavailable, pass-the-ticket may be used instead. This information is tactical intelligence.

Mitigations include restricting domain administrator logons through configuration policies, and monitoring PsExec behaviour in network traffic with a SOC traffic probe or IDS configured with the relevant rules. (For Windows lateral movement, see "Detecting Windows lateral movement attacks in enterprise security construction" and "Implementing pass-the-hash in domain penetration".)
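The traffic-side rules mentioned above have an endpoint-side counterpart: a new service appearing on a machine. The following added example (not code from the article or from the linked posts) flags PsExec-style remote service installation in a Windows System event log export. It rests on two documented facts: the Service Control Manager logs Event ID 7045 when a service is installed, and stock PsExec installs a service named PSEXESVC whose binary is copied to the ADMIN$ share (the Windows directory). A renamed PsExec keeps the second trait, so a heuristic second rule flags any 7045 whose image path is an executable sitting directly in the Windows directory. The log lines, host names and service names are constructed.

```python
"""Flag PsExec-style remote service installs in a Windows System log export.

Added example. SAMPLE_EVENTS is a constructed key=value export; the second rule
(binary directly in the Windows directory) is a heuristic and will need tuning
against whatever legitimate installers an environment actually has.
"""
import re
from collections import Counter

# Constructed System-log export, one event per line.
SAMPLE_EVENTS = [
    "2019-02-25T10:01:02 host=WS-01 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem",
    "2019-02-25T10:03:15 host=WS-02 EventID=7045 ServiceName=UpdSvc ImagePath=%SystemRoot%\\UpdSvc.exe Account=LocalSystem",
    "2019-02-25T10:05:40 host=WS-02 EventID=7045 ServiceName=Sense ImagePath=\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\" Account=LocalSystem",
    "2019-02-25T10:06:00 host=WS-03 EventID=7036 ServiceName=Spooler State=running",
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# An executable directly in the Windows directory, where PsExec drops its binary.
WINDIR_ROOT_EXE = re.compile(r'^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$', re.IGNORECASE)


def parse_event(line):
    """Split 'key=value' pairs into a dict; the leading timestamp becomes 'time'."""
    time, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["time"] = time
    return fields


def classify(event):
    """Return a finding label for a 7045 event, or None if it looks benign."""
    if event.get("EventID") != "7045":
        return None
    name = event.get("ServiceName", "")
    image = event.get("ImagePath", "")
    if name.upper() == "PSEXESVC":
        return "psexec-default-service"
    if WINDIR_ROOT_EXE.match(image):
        return "service-binary-in-windows-root"   # heuristic: possible renamed PsExec
    return None


def detect(lines):
    """Run the rule over an export; returns (findings, finding count per host)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            findings.append({"time": ev["time"], "host": ev.get("host"),
                             "service": ev.get("ServiceName"), "label": label})
    return findings, Counter(f["host"] for f in findings)


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS)[0]:
        print(finding)
```

In the constructed export the stock PsExec service on WS-01 and the renamed-looking UpdSvc on WS-02 are flagged, while the Defender sensor install (binary under Program Files) and the unrelated 7036 state-change event are not.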

Tactical intelligence is usually obtained by reading public reports, analysing samples and groups, and exchanging information with other vendors.

For example, "A review of 2018's hard-to-remove virus Trojans", released by the Yujian Threat Intelligence Center on February 22, 2019, analyses the common techniques, distribution channels and harms of the bootkit/rootkit Trojans active in 2018.

1.4 Technical intelligence

Technical threat intelligence consists of the indicators (hashes, domain names, IPs) of specific malware. It is machine-readable information that can be used for automated detection and analysis. By comparison, TTPs are mainly human-readable.

Technical-level intelligence is also called indicators of compromise (IOCs). As the name says, these indicators are given to users to detect whether a system has been compromised by malware or an attacker: if they are found on the system, the system has been attacked.

For example, on February 25, 2019 the Yujian Threat Intelligence Center published "Continued activity of the blue download Trojan: starting from a supply chain attack and changing attack tactics", which also released the IOCs related to the event:

Figure 1-3 IOC example

If a non-browser process on a user's machine is seen connecting to a domain name in the IOC list for the "Driver Life" Trojan (such as those in Figure 1-3), the user may be infected with the Trojan; the attack can then be located by combining the process and network logs on the endpoint, and a response can follow.

Some will say that TTPs also contain IPs, domain names and other information, so what is the difference between TTPs and IOCs? The STIX documentation gives an example to explain it:

"TTPs describe the attacker's behaviour and attack patterns, and IOCs describe how to identify those attacks.

The specific method of counterfeiting a 100 yuan note is a TTP; specific guidance on identifying a counterfeit note through its watermark and other features is an IOC."

In practice TTPs and IOCs can be linked. After an intranet threat is detected through an IOC, the IOC can be reverse-indexed to the corresponding TTPs. On that basis, users can be guided to resolve the security problem and improve their defences, and attackers can be traced through the IOC.
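The two ideas above (a non-browser process reaching an IOC domain, and reverse-indexing a hit to its TTP context) can be combined in one small matcher. The following is an added example, not code from the article or from the Yujian Threat Intelligence Center: it carries each machine-readable indicator together with its human-readable family and TTP context, matches endpoint network-log rows against it, and scores browser hits lower than non-browser hits. Every indicator, host name, process name and log line is constructed (reserved example and TEST-NET values), not a real IOC.

```python
"""Match an IOC feed against endpoint network logs and return TTP context.

Added example. IOC_FEED and SAMPLE_LOG are constructed placeholders; the feed
format (kind, value, family, ttp) is an assumption, not the Yujian feed format.
"""
from dataclasses import dataclass
import csv
import io


@dataclass(frozen=True)
class Ioc:
    kind: str    # "domain", "ip" or "sha256"
    value: str
    family: str  # malware family / campaign the indicator belongs to
    ttp: str     # human-readable tactical context reverse-indexed from the IOC


# Constructed IOC feed: machine-readable (kind, value) plus the TTP context
# that lets an analyst pivot from a hit to the attacker's behaviour.
IOC_FEED = [
    Ioc("domain", "update.example-c2.test", "ExampleDownloader",
        "second-stage payload fetched over HTTP by a non-browser process"),
    Ioc("ip", "203.0.113.10", "ExampleDownloader",
        "C2 beacon to a hard-coded IP on port 443"),
    Ioc("sha256", "0" * 64, "ExampleDownloader",   # placeholder hash, never matched here
        "dropper written to the user's temp directory"),
]

# A browser reaching a bad domain may just be a user browsing there, so such
# hits are scored lower than hits from any other process.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed endpoint network log: time, host, process, dest_host, dest_ip
SAMPLE_LOG = """time,host,process,dest_host,dest_ip
2019-02-25T09:00:01,WS-01,chrome.exe,www.example.com,192.0.2.1
2019-02-25T09:00:05,WS-01,svchost32.exe,update.example-c2.test,203.0.113.10
2019-02-25T09:00:09,WS-02,firefox.exe,update.example-c2.test,203.0.113.10
2019-02-25T09:01:00,WS-03,outlook.exe,mail.example.com,198.51.100.7
"""


def index_feed(feed):
    """Build an exact-match lookup keyed by (kind, value)."""
    return {(ioc.kind, ioc.value.lower()): ioc for ioc in feed}


def match_log(log_text, feed):
    """Return one hit per log row whose destination matches a domain or IP IOC.

    Each hit carries the IOC's family and TTP context plus a severity: 'high'
    for a non-browser process (the article's case), 'medium' for a browser.
    """
    lookup = index_feed(feed)
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ioc = (lookup.get(("domain", row["dest_host"].lower()))
               or lookup.get(("ip", row["dest_ip"])))
        if ioc is None:
            continue
        severity = "medium" if row["process"].lower() in BROWSERS else "high"
        hits.append({
            "time": row["time"], "host": row["host"], "process": row["process"],
            "indicator": f"{ioc.kind}:{ioc.value}", "family": ioc.family,
            "ttp": ioc.ttp, "severity": severity,
        })
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, IOC_FEED):
        print(f"[{hit['severity']}] {hit['host']} {hit['process']} -> "
              f"{hit['indicator']} ({hit['family']}: {hit['ttp']})")
```

Domain matches take precedence over IP matches so that a single row yields one hit; a real deployment would also carry the IOC's first-seen and expiry dates, since, as the next section explains, network indicators expire.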

2. The levels of Threat Intelligence

Figure 2-1 Threat Intelligence hierarchy

In threat intelligence in the broad sense, ordered from low to high by difficulty of acquisition, accuracy and information content, the levels are:

Hashes of malicious files

Host features (mainly on the Windows platform): mutexes, run paths, registry keys

Network features: IPs, domain names, URLs, communication protocols

TTPs: the techniques used by malicious gangs. The same gang tends to use similar techniques, which can serve as evidence to identify it

Organization: based on event features, evidence and other information, the same organization can be identified behind multiple attacks, and its origin, division of labour, resources, personnel composition and targets determined

Personnel intelligence: identifying the real person behind the virtual identity used in an attack, and thus the root of the threat (for example, locating the author of a virus and gathering the evidence for an arrest)

As in Figure 1-2, the higher the level, the longer the intelligence stays valid and the harder it is to obtain. By comparison, TTPs and IOCs (host features, network features, malicious file hashes) are relatively easy to collect, but expire sooner.

Of these, file hashes, host features and network features can be generated by sandboxes and data analysis. A file hash changes as soon as the attacker modifies even one or two bytes of the file, so it expires fastest; host and network features are used more for detection.

Host features (mutexes, run paths, command-line features, registry keys) are mainly used together with EDR products on the endpoint. Security is best when endpoint EDR is combined with a SOC or other security big-data storage and analysis system. The reality in China, however, is that apart from Tencent, Huawei, Alibaba and other large technology companies, or companies with high security awareness such as those in finance, few enterprises have deployed endpoint EDR in their office and server environments.

Network features (IPs, domain names) can be applied in traffic detection systems at the network boundary, such as an IDS, and can also be linked with a SOC system to assess the current and historical security state of every device.

Cluster analysis on host and network features, using similarity along each dimension, groups malware of the same family together. Then, from the context of the IOCs, the attacker's methods or the sample's distribution channel can be found. This information is what we call TTPs.
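The hash-fragility point and the family-clustering point above can be shown together. The following added example (not code from the article) takes four constructed samples, shows that a one-byte change gives a different SHA-256 while the host and network features are unchanged, and then groups the samples into families by Jaccard similarity over their feature sets with single-linkage grouping. The sample bytes, mutex names, paths, registry keys and domains are all constructed, and the Jaccard-plus-union-find approach is one simple choice, not the method any particular vendor uses.

```python
"""Cluster samples into families by host/network feature similarity.

Added example. SAMPLES is constructed; sample_b is sample_a with a single byte
changed, sample_c is a later variant with a new C2 domain, sample_d is unrelated.
"""
import hashlib
from itertools import combinations

RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"

SAMPLES = {
    "sample_a": {
        "bytes": b"MZ\x90\x00example-dropper-v1\x00",
        "mutex": {"Global\\ExampleFamilyMtx"},
        "path": {"%APPDATA%\\svchost32.exe"},
        "regkey": {RUN_KEY},
        "domain": {"update.example-c2.test"},
    },
    "sample_b": {   # one byte differs from sample_a: '1' -> '2'
        "bytes": b"MZ\x90\x00example-dropper-v2\x00",
        "mutex": {"Global\\ExampleFamilyMtx"},
        "path": {"%APPDATA%\\svchost32.exe"},
        "regkey": {RUN_KEY},
        "domain": {"update.example-c2.test"},
    },
    "sample_c": {   # later variant: same persistence, new C2 domain
        "bytes": b"MZ\x90\x00example-dropper-v3-rebuilt\x00",
        "mutex": {"Global\\ExampleFamilyMtx"},
        "path": {"%APPDATA%\\svchost32.exe"},
        "regkey": {RUN_KEY},
        "domain": {"cdn.example-c2.test"},
    },
    "sample_d": {   # unrelated family
        "bytes": b"MZ\x90\x00other-thing\x00",
        "mutex": {"Global\\OtherMtx"},
        "path": {"%TEMP%\\x.exe"},
        "regkey": set(),
        "domain": {"login.other-c2.test"},
    },
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def feature_set(sample):
    """Flatten host and network features into 'kind:value' strings (hash excluded)."""
    return {f"{kind}:{v}" for kind in ("mutex", "path", "regkey", "domain")
            for v in sample[kind]}


def jaccard(a, b):
    """|A and B| / |A or B|; 0.0 for two empty sets."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster(samples, threshold=0.5):
    """Single-linkage grouping: union-find over pairs with similarity >= threshold."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    feats = {name: feature_set(s) for name, s in samples.items()}
    for x, y in combinations(samples, 2):
        if jaccard(feats[x], feats[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: min(g))


if __name__ == "__main__":
    print("hash a:", sha256_hex(SAMPLES["sample_a"]["bytes"]))
    print("hash b:", sha256_hex(SAMPLES["sample_b"]["bytes"]))
    for group in cluster(SAMPLES):
        print("family:", sorted(group))
```

With the default threshold the three dropper variants land in one family and the unrelated sample in another; raising the threshold to 0.9 splits off sample_c, since it shares three of five features with the others (Jaccard 0.6).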

After collecting several independent families and attack samples, it may be possible to recognize the same gang behind multiple families: a group may, for example, have its own developed tools or fixed distribution channels, and TTP information of this kind can reveal the group behind the attacks.

Once the organization has been analysed, the affected regions, industries and ordinary users give a rough picture of the attacker's target groups; supplemented by the linguistic features in the samples and the way the samples are disguised, the attacker's targets and purpose can also be roughly determined, and combined with real-world news the attacker's origin can be inferred.

Starting from sample analysis, gradually collecting more information such as techniques, and finally identifying the organization and its purpose: this process is fully reflected in APT attack analysis.

2.1 APT analysis: an example

See the APT analysis report "Disclosure of SideWinder APT attack activity against South Asia" released by the Tencent Yujian Threat Intelligence Center on February 26. The report first analyses the latest attack samples to obtain the attacker's techniques (TTP information) and network characteristics (IOC information). The content of the decoy document then shows that the target should be related to Pakistan, and the document's author information together with the download address used to deliver another document tie the target to the Pakistani military. Finally, the attacker's organization information is obtained as follows:

2.2 Finding associations starting from the sample

When analysing attacks, we can use analysis platforms such as VirusTotal, the Tencent Antu advanced threat tracing system, the QiAnXin Threat Intelligence Center and ThreatBook to trace attackers by pivoting from known information. For example, through visual analysis of the domain a sample contacts, we can query the IPs the domain historically resolved to, and find the IPs used by the attacker and more infrastructure that may have been used to launch attacks.

Figure 2-3 Analysis of the Bondat worm in Antu's security visualization interface

2.3 Linking to the organization

When an IOC is analysed, the Antu advanced threat tracing system automatically associates it with the corresponding organization through a security knowledge graph, including the organization's background (origin, targets, techniques and so on), the network characteristics used to deliver samples, the samples' C2 network characteristics, and other information from the organization's history.

Figure 2-4 Antu's related-group information interface

In the APT analysis article "Disclosure of a targeted attack by the suspected DarkHotel APT group against executives in China's trade industry" released by the Yujian Threat Intelligence Center, analysts extracted the external C2 server information (IOC) from the captured APT samples, used the Antu advanced threat tracing system to associate the IOC with more samples, and from the information extracted from those samples and the attack methods judged that the attack was suspected to originate from the DarkHotel APT group.

Figure 2-5 Analysis of associated samples in the security graph

2.4 Attribution to individuals

Above organization information sits personnel information, because mapping a virtual identity to a real one requires a strong big-data security analysis system and infrastructure. Once a person has been identified, the battle is effectively over, since the ultimate source of every threat is still a person.

For this reason the United States invested a lot of resources in building the XKeyscore system. Snowden said in a TV interview: "With the help of XKeyscore, you can read the email of anyone in the world and see every website they visit, and it can track a personal computer even as it moves between regions."

The results of XKeyscore's real-world use can be seen in the indictment MJ18-1479 against North Korean hackers issued by the United States last year. In it, an FBI agent specializing in cybercrime lays out the case against the North Korean hacker Park Jin Hyok, concluding that he is an official North Korean hacker who took part in and carried out a number of cyber attacks, including:

The 2014 attack on Sony Pictures (Sony Pictures had released a film about assassinating Kim Jong Un in 2014).

Participation in preparing WannaCry, the global ransomware that broke out in May 2017.

An attack on Lockheed Martin, the American defence contractor that also proposed the kill chain concept in cybersecurity.

An attack on the Central Bank of Bangladesh that stole $81 million, and attacks on banks in Europe, Asia, Africa and North and South America in 2015, 2016, 2017 and 2018, causing more than $1 million in losses.


Finally, the indictment gives Park Jin Hyok's personal information:

Graduated from

Returned to North Korea in 2014

Member of the Lazarus hacking team, under North Korea's lab001, which belongs to the North Korean Reconnaissance General Bureau.

The evidence chapter of the indictment lists a series of evidence (quoted from "Focus on cyber war: another perspective on the US indictment of North Korean hackers (MJ-18-1479)"), including:

[email protected], [email protected], [email protected], [email protected] and [email protected] were accessed from the same machine

[email protected] was registered on September 1, 2011 with the name "Kym" and the recovery email [email protected]; from September 2014 to May 2015 the owner linked it to the email used by the agent. The calendar time zone of this account is set to Asia/Pyongyang

In November 2013, [email protected] registered a Rapid7 account (the company that develops Metasploit). The IP address used was (belonging to China and used by North Korea)

[email protected] registered an account with another network security company under the name "Kim hyonwu"

[email protected] was registered on March 13, 2007 in Korean, with Seoul, South Korea as the registered location and "Kim Hyon woo" as the registered name

[email protected] used IP #2 on April 23, 2007 to read software programming articles on a well-known software forum

[email protected] received more than n email attachments, each successfully recovered by FBI agents, containing Trojan samples or information related to the DarkSeoul cyber attack

On December 4, 2015, he posted on the hacker forum (hackforums.net): "my email is campbelldavid [email protected] who has doc exploit to send me a copy"

Figure 2-6 MJ18-1479 analysis diagram

The indictment shows that, through continuous monitoring of whole-network traffic and access to mail providers' data, the United States obtained information that ordinary people or institutions cannot fully get, such as the IPs that accessed a given mailbox, the sites registered or logged into with a specific mailbox, and a mailbox's recovery address, going back to 2008 (ten years earlier). Through the continuous construction of big-data capabilities and intelligence collection infrastructure, the United States can finally reach the highest level of threat intelligence: identifying the people.

3. Summary

Through the definition and the levels of threat intelligence, this article has briefly introduced the concept of threat intelligence and its macro application scenarios. Having explained what threat intelligence is, the following articles will cover the specific technical details: how to find threat intelligence through big data, and how threat intelligence is applied in real security products.


Threat Intelligence Series (2): where does Threat Intelligence come from

Threat Intelligence Series (3): how to use Threat Intelligence

Coming soon.

4. Reference reading