Threat intelligence: context, indicators and actionable advice

Posted by barello at 2020-03-01

In the previous article we analysed threat intelligence by level according to our own practice, and defined the kinds of information and the use scenarios contained in each level. In this article we start from Gartner's definition of threat intelligence and look further at several elements it involves: context, indicators, and actionable advice.

Recorded Future, a threat intelligence vendor, once wrote an article analysing the differences between data, information and intelligence; if you are interested, see the link in the reference resources. Compared with the many other articles that borrow military terminology and describe threat intelligence in a cloud of abstraction, Recorded Future's piece is more closely tied to network security. In my own view, today's mainstream application of threat intelligence in combination with SOC/SIEM products is nowhere near comparable to military intelligence. First sort out the multi-dimensional data collection and do that dirty work well; only then does the superstructure built on top of it have a real foundation to rest on.

Of the three concepts, the definition of data is relatively clear: a large number of independent records of objective facts. Information and intelligence are conclusions at different levels, drawn after the data has been processed. The following diagram is widely used to express the basic process and the relationships between the three:

However, the distinction between information and intelligence is quite subtle. After reading many articles that try to explain the difference, I still cannot draw a clear boundary between them. From the perspective of usefulness and derivation, here is an analogy that may well be inappropriate: data is the opium poppy, information is opium, and intelligence is heroin.

Every vendor and organisation has its own view of threat intelligence and a corresponding definition. Among them, Gartner's description is cited most often, largely because its set of elements is relatively complete:

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.

For this English definition, I found that the Chinese translations used by the various vendors and organisations are not very consistent, mainly in how they render "context, mechanisms, indicators, implications and actionable advice". My own translation, rendered back into English, reads as follows:

Threat intelligence is a kind of evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice. This knowledge concerns existing or emerging threats or hazards faced by assets, and can be used to provide information support for decisions on how to respond to those threats or hazards.

Three of these elements, context, indicators and actionable advice (marked in red above), deserve further interpretation. Here is my understanding.

Context is the labelling and description of the multi-dimensional attributes associated with a threat element. Different levels of threat intelligence have different attribute sets, and context may also include time- and environment-related information.

For example, an IP address can have the following security-relevant attributes:

ASN it belongs to

Geographical location

Whether it is a proxy

Whether it has been associated with malicious activity recently

Type of network egress

Domain names historically and currently resolving to it

Open ports and services

Here is an example of an IP reputation record:

For a file sample:

Whether the file is malicious

Type of malicious behaviour

Malicious code family

Whether it has been used in targeted attacks

Associated network behaviour

The following is an example of sample context output by the 360 Threat Intelligence Center:

For an APT organisation or group:

Group name and aliases

Country or region of origin

Purpose of the attacks

Target industries

Attack methods and means

Technical capability

The example below describes multiple attributes of the Lotus APT group:

It contains the attack targets, the purpose of the attacks, the attack methods and the tactics, techniques and procedures (the so-called TTPs), which are usually the output of a comprehensive analysis report on an APT group.

Context matters because this information lets us understand the adversary, guide detection and response, and design countermeasures, so that specific threat detection, handling and the subsequent decisions on how to fight back have the information support they need. Complete context helps answer the following key questions in security analysis and incident response:

Who is our adversary? Is the attack ordinary cybercrime spreading by mass infection, or a targeted attack? If the former, handling is relatively simple: cut the connection, remove the backdoor and block the access channel. For example, if a host has been unlucky enough to be infected as a node of the Elknot DDoS botnet, it is enough to remove the malicious code and later fix the related vulnerabilities. If the latter, then beyond the usual threat elimination a comprehensive investigation and damage assessment of the network is needed, reconstructing the entire process of intrusion, implantation and control through log analysis. For example, when we helped a user handle an attack and infection by the Lotus group, we traced the entry path of the malicious code, swept the infected system itself and every other machine that had suspicious interactions with it, and finally found other, previously unknown malicious code families from the Lotus group on related systems.

What capabilities and resources does the adversary have? This can be assessed from several attributes: whether the adversary has malicious code families of its own, and how many; whether it has a history of using 0-day vulnerabilities; how many IP addresses and domain names make up its network infrastructure; how many legitimate websites it has used as watering holes or distribution channels for malicious code. Consider Stuxnet, which used four 0-day vulnerabilities plus stolen legitimate code-signing certificates for a high-end attack; the NSA, which holds a large number of 0-days and mature attack frameworks covering everything from network devices to general-purpose operating systems; and the dazzling combinations of unknown vulnerabilities and security-mechanism bypasses seen at Pwn2Own. It should be clear that patching known vulnerabilities alone cannot keep an advanced attacker out of the network. A silver bullet that works at a single link of the chain cannot exist; the focus of detection may instead fall on the later stages of the Lockheed Martin kill chain model, after payload delivery and exploitation.

How do we fight back? That depends on our understanding of the adversary's TTPs. A popular saying goes: without knowing attack, how can one know defence. In fact, because of the huge asymmetry between attack and defence, knowing how to attack is not by itself enough to build an effective defence; but without understanding the adversary's means, even the basic attack-surface analysis will be incomplete.

When threat intelligence comes up we often hear the term IOC, short for Indicator of Compromise. "Compromise" is a very common word in information security, and its Chinese translations cover the senses of concession, giving in, disclosure, endangerment, damage and violation. As a result, in many security-related technical analyses and news stories one often sees translators without a security background map "compromise" directly to the everyday sense of "concession". In the context of threat intelligence, and of IOC in particular, the most appropriate rendering is "fallen" or "breached" (失陷); the core meaning is a state of intrusion or damage that has already occurred. Common Chinese translations of "indicator" include "metric", "sign" and "indicator"; in the threat intelligence context the word is better understood as a marker, like the dead fish floating on the surface in the picture below. When you see them you can safely infer that something is wrong with that body of water, whether oxygen deficiency or a toxic substance.


In the network security scenario, when we observe that some endpoints in the network we manage are connecting to known malicious IP addresses, trying to resolve strange domain names, or have unusual files or processes appearing in their operating systems, then we know the network has a security problem. Those malicious IPs, malicious domain names and malicious files are indicators, and together they form a typical low-level IOC.

In essence, IOCs answer two basic questions:

Have I been intruded or controlled? Determining this state is one starting point for security event analysis and handling; others include suspicious behaviour output by anomaly detection models. The advantage of IOCs is their precision, especially for file hashes, where the chance of a false positive is so low that even a team with no security operations experience can act on the accompanying handling advice. The output of an anomaly model, by contrast, demands a high level of analytical skill from the team handling it, with enough experience to weed out large numbers of false positives; its advantage is that it may find unknown intrusion activity not covered by any IOC.

How badly has the attack affected me? By matching IOCs against the actual activity in the network we can readily find the systems that have been intruded or controlled, and so assess the scope of the problem. For example, by monitoring queries for the domain name contacted by WannaCry, we can find the machines in the network infected by the WannaCry ransomware worm; these machines very likely still have the serious vulnerability related to MS17-010.

The following is an example of some IOCs related to an APT group targeting financial organisations in China:

IOCs are the most directly usable part of most threat intelligence today, and events triggered by IOCs are often the starting point of current security operations and incident response. 360 Tianyan products can receive IOC data from the cloud and match it against facts collected from the local network to generate alerts. More commonly, SOC/SIEM products query a local threat intelligence platform to match logs and find event clues, then use the multi-dimensional information collected locally for correlation analysis. One could say that the essence of threat intelligence is a security vendor delivering its judgement, with IOCs as the carrier, to help users eliminate uncertainty. The greater the certainty, the greater the value of the IOC; combined with sufficiently rich context, it can finally support a definite handling action at a definite level. If a threat intelligence provider only aggregates and deduplicates some open-source data, without cleaning and confirming it against its own richer data and its own mining and analysis methods, the value it adds is very limited; it may even fall into "garbage in, garbage out", adding to the triage workload of security operators for no gain.
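The matching step described above, and the two questions an IOC answers (have I been compromised, and how widely), as an added example that is not code from this article or from any 360 product. The feed format, the "ts key=value" log format, the host names, the hashes and the addresses (RFC 5737 documentation ranges) are all constructed for illustration; each indicator carries a confidence value and a context dict so that a hit can be triaged rather than merely counted.

```python
"""Added example: match a small IOC feed against constructed DNS, connection
and process telemetry, then summarise impact per host. Not the article's or
any vendor's code; all indicators, hosts and log lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Ioc:
    kind: str              # "ip", "domain" or "sha256"
    value: str             # single address, CIDR range, domain, or file hash
    confidence: int        # 0-100: how certain the provider's verdict is
    context: dict = field(default_factory=dict)  # family, role, notes ...


# Constructed feed: documentation addresses and placeholder hashes only.
IOC_FEED = [
    Ioc("domain", "update-check.example.invalid", 95,
        {"family": "ExampleRAT", "role": "c2"}),
    Ioc("ip", "203.0.113.45", 80, {"family": "ExampleRAT", "role": "c2"}),
    Ioc("sha256", "a" * 64, 100, {"family": "ExampleRAT", "role": "dropper"}),
    # A whole hosting range: useful as context, too uncertain to alert on alone.
    Ioc("ip", "198.51.100.0/24", 40, {"role": "suspicious-hosting-range"}),
]

# Constructed local telemetry in a simple "ts key=value ..." form.
DNS_LOGS = [
    "2020-03-01T10:00:01Z host=ws-017 qname=update-check.example.invalid.",
    "2020-03-01T10:00:02Z host=ws-017 qname=www.example.com",
]
CONN_LOGS = [
    "2020-03-01T10:00:05Z host=ws-017 dst=203.0.113.45 dport=443",
    "2020-03-01T10:01:00Z host=srv-db1 dst=198.51.100.7 dport=443",
    "2020-03-01T10:01:30Z host=ws-042 dst=192.0.2.10 dport=80",
]
PROC_LOGS = [
    "2020-03-01T09:58:00Z host=ws-017 image=C:\\Users\\u\\AppData\\Roaming\\svchost.exe sha256=" + "a" * 64,
    "2020-03-01T09:59:00Z host=ws-042 image=C:\\Windows\\System32\\svchost.exe sha256=" + "b" * 64,
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'ts k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def build_index(feed):
    """Exact-match table for domains, hashes and single IPs; list for CIDRs."""
    exact, networks = {}, []
    for ioc in feed:
        if ioc.kind == "ip" and "/" in ioc.value:
            networks.append((ipaddress.ip_network(ioc.value, strict=False), ioc))
        else:
            exact[(ioc.kind, ioc.value.lower())] = ioc
    return exact, networks


def lookup_ip(ip, exact, networks):
    hit = exact.get(("ip", ip))
    if hit is not None:
        return hit
    addr = ipaddress.ip_address(ip)
    return next((ioc for net, ioc in networks if addr in net), None)


@dataclass
class Alert:
    host: str
    ts: str
    observed: str   # what the telemetry actually contained
    ioc: Ioc        # the indicator it matched, carrying its context


def match_iocs(dns_logs, conn_logs, proc_logs, feed, min_confidence=50):
    """Return (alerts, low_confidence_hits). Low-confidence matches are kept
    for correlation but are not raised as alerts on their own."""
    exact, networks = build_index(feed)
    hits = []
    for line in dns_logs:
        f = parse_line(line)
        qname = f["qname"].lower().rstrip(".")    # normalise the trailing dot
        ioc = exact.get(("domain", qname))
        if ioc:
            hits.append(Alert(f["host"], f["ts"], f["qname"], ioc))
    for line in conn_logs:
        f = parse_line(line)
        ioc = lookup_ip(f["dst"], exact, networks)
        if ioc:
            hits.append(Alert(f["host"], f["ts"], f["dst"], ioc))
    for line in proc_logs:
        f = parse_line(line)
        ioc = exact.get(("sha256", f["sha256"].lower()))
        if ioc:
            hits.append(Alert(f["host"], f["ts"], f["image"], ioc))
    alerts = [h for h in hits if h.ioc.confidence >= min_confidence]
    low = [h for h in hits if h.ioc.confidence < min_confidence]
    return alerts, low


def impact_by_host(alerts):
    """Which hosts matched, and which family/role: the 'how badly am I hit' view."""
    summary = defaultdict(set)
    for a in alerts:
        ctx = a.ioc.context
        summary[a.host].add((ctx.get("family", "unknown"), ctx.get("role", "unknown")))
    return dict(summary)


if __name__ == "__main__":
    alerts, low = match_iocs(DNS_LOGS, CONN_LOGS, PROC_LOGS, IOC_FEED)
    for a in alerts:
        print(f"ALERT   {a.ts} {a.host} {a.observed} -> {a.ioc.kind}:{a.ioc.value} "
              f"conf={a.ioc.confidence} ctx={a.ioc.context}")
    for a in low:
        print(f"CONTEXT {a.ts} {a.host} {a.observed} -> {a.ioc.value} conf={a.ioc.confidence}")
    print("impact:", impact_by_host(alerts))
```

On the constructed input, ws-017 raises three alerts (C2 domain, C2 address and dropper hash, all tagged ExampleRAT), which is what an incident responder needs to scope the infection; srv-db1's connection into the low-confidence hosting range is retained as context only, illustrating the point that an indicator's value rises with the provider's certainty and that a raw range without a verdict mostly adds triage work.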

Actionable advice means advice whose implementation requirements, in technical capability, money, time, staffing and the necessary authority, match the party expected to carry it out. This also means that different kinds of executor need different advice.

In the article "Analysis of threat intelligence levels" I drew the following pyramid:


The bottom two layers of the pyramid correspond mainly to IOC-type threat intelligence data, used chiefly by the operators and incident responders of SOC/SIEM systems; the handling advice for such events consists mainly of operational instructions for detection, isolation, eradication and subsequent remediation.

The audience for TTP-level and group-level threat intelligence is mainly the security manager or the CISO, and the corresponding advice focuses on an overall solution against the adversary. As for the people behind the threat, eliminating them is likely to require administrative or law-enforcement resources beyond the organisation itself. In the extreme case of nation-state APT attack and defence, eliminating the human source of the threat is all but impossible, and the only recourse is long-term, sustained technical confrontation.

Let us look at an example of advice given in threat intelligence. At the turn of 2017 and 2018, major CPU hardware vulnerabilities (Meltdown and Spectre) were disclosed that could leak sensitive information from computer memory. US-CERT issued a vulnerability note at the time. What advice did that note give? Look at the picture below:

That's right: it advised "replace CPU hardware". Is that feasible operationally or economically? Of course the note was later updated; once Intel and the operating system vendors had provided software patches, the recommendation became to apply them:

Compared with the initial, infeasible advice, patching is at least operational, and the note also points out the possible performance impact of the patches. Still, the more detailed this kind of advice the better; the 360 document below, for instance, distinguishes what is to be patched and gives the detailed steps for doing it.


Producing genuinely actionable security advice is not easy. It requires the threat intelligence vendor to have a complete and deep understanding of the threat it is dealing with, a reasonable estimate of the user's scenario and of the limits on the resources available for handling it, and to provide mitigations or solutions that fit the actual situation.