
THREAT INTELLIGENCE

CrowdStrike Products

Cybersecurity’s Best Kept Secret


CROWDSTRIKE THREAT INTELLIGENCE

EXECUTIVE SUMMARY

Even though cyber threat intelligence (CTI) is an essential component of a mature and healthy security strategy, its value is not necessarily well understood. Yet, when used efficiently, CTI can offer security teams substantial advantages, not only during an incident, but also before an attack even starts. By providing the information needed to optimize prevention, detection and response, threat intelligence helps security teams stay a step ahead of adversaries. Because threat intelligence comes in many shapes and forms, misunderstandings are common about what CTI entails. In a nutshell, “threat intel” can be divided into three main categories: tactical, operational and strategic.

Tactical CTI is technical and short term in nature, and can be as simple as looking for indicators of compromise (IOCs).

Operational CTI provides context by understanding and profiling threat actors, focusing on the near term.

Strategic CTI informs about the cyber risks associated with geopolitical events and situations and the long-term impact they may have on your organization.

CrowdStrike® Falcon X™ offers timely and high-fidelity intelligence in all categories. That intelligence can be consumed by customers in the form of APIs, alerts, threat reports and briefings, enabling them to bolster defenses, hunt down adversaries, investigate incidents and make better security decisions.


“All-source” methodology refers to intelligence that taps into a wide gamut of sources from which data can be collected.


“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”

—Sun Tzu, The Art of War

“In developing a game plan, coaches typically break down everything that happened in the opponent’s past four games to granular levels.”

—Nicholas Dawidoff, The New Yorker

INTRODUCTION

Sportsmen have long known that in-depth knowledge of the opposing team offers a significant competitive advantage. Coaches and players spend time studying an adversary to gather intelligence, develop a strategy and determine the best tactics to win their upcoming game.

Somehow, this mindset has not fully prevailed in the world of cybersecurity. A recent survey conducted by the SANS Institute shows that only 60 percent of organizations are using threat intelligence. Yet, threat intelligence can significantly increase the efficacy of both cybersecurity teams and the tools they use. Intelligence can provide an advantage before, during and even after an attack. But for some, the value brought by threat intelligence is not straightforward. For others, the challenge comes from not fully understanding how to use threat intelligence. The goal of this white paper is to bring clarity to cyber threat intelligence. It explains the different categories of CTI and discusses some use cases to illustrate ways it can be applied and utilized to augment security teams’ efficiency and gain an edge over the attackers. Finally, it discusses CrowdStrike’s approach to threat intelligence.

WHAT IS CTI?

CTI is information about existing or potential threats, ranging from simple technical indicators such as a malicious domain name, all the way to in-depth profiles of known adversaries. This broad definition has allowed security vendors to label a wide range of solutions as threat intelligence, and has enabled many of those vendors to claim that they offer threat intelligence, causing confusion in the market and among end users. The reality is that there are multiple levels of CTI. It is key for end users to understand what those levels are, so they can determine which level they need and make efficient use of that threat intelligence. The following describes the three primary categories of CTI in greater depth:

1. TACTICAL INTELLIGENCE

Tactical CTI is technical in nature and can be recognized by simple IOCs, which usually encompass bad IP addresses, URLs, file hashes, known malicious domain names, etc. If the primary questions surrounding an incident are characterized as the “what, why, who and how,” tactical intelligence answers the “what” of the incident. The data can be machine readable: directly read by security products in the form of feeds or API integration. Focused on the immediate future, tactical CTI is the most commonly offered level of threat intelligence, as it is also the easiest to gather and generate. As a result, it can be found via open source and free feeds, but it usually has a very short lifespan, as IOCs such as malicious IPs or domain names can become obsolete in days or even hours. In addition, if the source is not timely or of high fidelity, the threat intelligence can be prone to generating false positives.

2. OPERATIONAL INTELLIGENCE

Operational CTI provides context by understanding and profiling threat actors and adversaries. Focused on the near term, it answers the “how,” “why” and “who” behind incidents. It focuses on the motivations, intent and capabilities of adversaries, and provides insight on how adversaries plan, conduct and sustain campaigns and major operations. Adversary tactics, techniques and procedures (TTPs) are a key component of operational threat intelligence. Analysis of such data provides information about upcoming attacks and campaigns. That’s why operational CTI requires human analysis to be generated in a format that is readily usable by customers. It takes more resources to create, but lasts longer than tactical intelligence, as it is harder for adversaries to change their TTPs than it is for them to change their tools, such as the specific malware or infrastructure they use.

3. STRATEGIC INTELLIGENCE

Strategic intelligence informs about the cyber risks that can accompany geopolitical conditions. By linking geopolitics to risk, strategic CTI shows how global events, foreign policies and other long-term local and international movements and agendas can impact the cyber safety of an organization. This level of threat intelligence helps decision-makers understand the implication of cyber risks for their entire organization and make cybersecurity investments that best protect their enterprise and align with its strategic priorities. The hardest form of intelligence to generate, strategic CTI requires human collection and analysis that demands both an intimate understanding of cybersecurity and of the world’s geopolitical situation and nuances. Strategic intelligence usually comes in the form of reports.

HOW THREAT INTELLIGENCE MAKES YOUR DEFENSES STRONGER, AND HOW TO USE IT

“Intelligence is about reducing uncertainty by obtaining information that the opponent in a conflict wishes to deny you.”

—Robert M. Clark, author of Intelligence Analysis: A Target-Centric Approach

Whatever the level, threat intelligence can only provide value if it is actionable. Even though more and more organizations see the value of cyber threat intelligence — 72 percent of organizations plan to increase CTI spending (Source: Enterprise Strategy Group) — the current utilization of threat intelligence remains basic. Beyond trivial use cases such as integrating intelligence feeds into existing security products such as IPS, firewalls or SIEMs for IOC detection, most companies are still struggling to take full advantage of the information threat intelligence can provide. The four use cases below provide examples of how CTI can be used to provide better security.

1. OPTIMIZING PREVENTION AND STRENGTHENING THE RIGHT DEFENSES IN ANTICIPATION OF ATTACKS

The most common application of threat intelligence is probably the utilization of technical indicators to block known bad IPs, URLs, file hashes, etc. For that purpose, threat feeds can be automatically inserted into security products to update blacklists, access control lists (ACLs), patterns or signatures. The integration of technical threat intelligence directly into gateways, intrusion detection systems (IDSes), next-generation firewalls (NGFWs) and endpoints enhances an organization’s ability to detect emerging and known threats, and automatically defend against them. What is less common and more advanced is the utilization of operational CTI as an opportunity to be proactive and truly get ahead of the attackers. Operational threat intelligence supplies details about emerging threats. For example, it may identify which adversaries are likely to target an organization, as well as why and how those attempts may occur. Threat intelligence can also help recognize other early warning signs — such as the creation of attack infrastructures — that could predict attack campaigns in the making.


Operational intelligence insights allow security teams to put appropriate measures in place, such as patching and eliminating vulnerabilities, to protect their organization before an attack even takes place. For example, learning through threat intelligence reports if your organization is a potential target for an adversary, and knowing which exploits and exploit kits are commonly used in such attacks, can help you prioritize patching and eliminate vulnerabilities before the attacker has a chance to start.

Operational intelligence also can provide other early warning signs, such as the creation of attack infrastructures, which can be a predictor of attack campaigns in the making. Locky ransomware is one example of how the CrowdStrike Falcon Intelligence™ team provided such a warning. Locky constantly uses new domains for access to the command and control (C2) servers used to encrypt files on a victim’s hard drive. The Falcon Intelligence team cracked Locky's domain generation algorithm and, through this analysis, was able to predict which C2 server and domains Locky would use. Armed with this level of operational intelligence, CrowdStrike customers were able to proactively block those domains and protect themselves against Locky with no manual effort required.

The more intelligence a security team obtains on who might be targeting their organization and how they operate, the more educated and aware that security team becomes. By utilizing intelligence, an organization can better harden itself against adversaries by prioritizing activities to counter high-probability threats and protecting the assets most likely to be targeted.

2. ACCELERATING DETECTION TIME

Intelligence-driven detections are also a common use case for tactical CTI. At an elementary level, the ingestion and application of technical indicators into SIEMs or EDR (endpoint detection and response) solutions can tremendously accelerate incident detection time. Armed with the latest intelligence, those solutions can automatically correlate and detect incidents faster, by eliminating the requirement of waiting for a product update or for the creation of new detection rules.

A more advanced use of threat intelligence for detection is found in threat hunting. Threat hunting proactively looks for traces of incidents rather than waiting for security products to raise an alarm. But hunting can be daunting, as knowing where to start and what to look for is not necessarily obvious. In those situations, the addition of operational intelligence is invaluable: with a better knowledge of who might be attacking the organization and why, a security team can hunt for the artifacts that are likely to be left behind by their potential attackers. They can search for fine details such as changes to registry settings, file removals, running processes and other potential signs of an attacker’s presence in the environment. In addition, knowing an adversary’s motivation and goals helps narrow down which systems are most likely to be targeted, so they can be included in the hunt. Threat intelligence enables security teams to prioritize hunting for the adversarial artifacts and activities that pose the biggest risks to their organization, empowering them to hunt more effectively.

3. ACCELERATING INVESTIGATION AND INCIDENT RESPONSE TIME

Threat intelligence also plays a big role in incident prioritization, investigation and response. Faced with too many alerts, too many false positives and a regrettable lack of context, security teams can have difficulties determining which incidents to focus on. They also can spend more time than needed investigating them. By providing context and attribution, threat intelligence helps prioritize responses and accelerate investigations. An alert that is attributed to a sophisticated adversary will stand out above inconsequential alerts such as commodity malware detections. This allows the response team to quickly and appropriately prioritize alerts. With context and attribution, incident management becomes manageable. Security teams can start to separate the “forest from the trees” and apply the correct prioritization to their workload and workflow. When the investigation starts, attribution provides the context that makes it possible for incident responders to react effectively. An essential aspect of that context is the full understanding of the adversary’s motivations and TTPs, so responders can react quickly and accurately to protect the assets that are being targeted. In addition, if the adversary profile provided by threat intelligence also includes IOCs related to that adversary, the response team will be able to perform both companywide and historical searches to fully evaluate and understand the scope of the incident. This can reveal how many systems might be impacted, or whether it is the first time the organization has encountered that attacker.

ROCKET KITTEN

Adversary profile example

Operational window: April 2014 - Present

Objectives: Recon; Lateral movement; Data theft

Targeting: Aerospace; Defence; Government

Tools: Word macros; Core Impact; Gmail G2; FireMalv credential stealer; MPK post-exploitation toolkit

Using the context and additional information provided by threat intelligence also allows incident responders to see the connection between alerts that might appear isolated at first, and so uncover advanced attacks. Imagine, for example, that your endpoint protection solution triggers an alert because one of your endpoints has connected to an IP address known to be malicious by your threat intelligence source. Looking at the detection further, you link into a CTI report informing you that this IP is currently being used for an active campaign against industries in your vertical. You also learn who the adversary behind the campaign is. The report then gives you additional information about the TTPs associated with that adversary and an in-depth technical analysis of IOCs that can reveal their presence. You can now use those indicators to search your environment, review your logs and query your SIEMs or EDR solutions to determine the likelihood, full scope and severity of the incident. In addition, you can feed the signatures and IOCs into your security systems to prevent further penetration attempts and help your incident responders. Finally, you can call your counterparts at other organizations in your vertical and share information with them, or ask your threat intelligence vendor about the impact and gravity of the campaign.
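The workflow in the scenario above (match logs against a tactical feed, then use adversary attribution to rank and link the hits into incidents), as an added example that is not part of the original white paper or CrowdStrike’s code. The feed entries, adversary names, severity weights and log lines are constructed sample data; the seven-day TTL models the short lifespan of tactical IOCs described earlier.

```python
"""Tactical IOC matching with operational context (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass
class Indicator:
    value: str            # IP, domain or file hash
    kind: str             # "ip", "domain" or "sha256"
    adversary: str        # attribution supplied by operational CTI
    confidence: int       # 0-100 fidelity reported by the feed
    last_seen: datetime   # tactical IOCs go stale quickly
    ttl: timedelta = timedelta(days=7)  # assumed validity window

    def is_live(self, now):
        return now - self.last_seen <= self.ttl


# Operational context: rough severity per adversary profile (constructed).
ADVERSARY_SEVERITY = {
    "TARGETED-ACTOR-A (constructed)": 90,   # sophisticated, targets this vertical
    "COMMODITY-MALWARE (constructed)": 30,  # opportunistic, low impact
}

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed feed: the third entry is 30 days old and must be ignored.
FEED = [
    Indicator("203.0.113.7", "ip", "TARGETED-ACTOR-A (constructed)", 85, NOW - timedelta(days=1)),
    Indicator("bad-updates.example", "domain", "COMMODITY-MALWARE (constructed)", 70, NOW - timedelta(days=2)),
    Indicator("198.51.100.9", "ip", "COMMODITY-MALWARE (constructed)", 60, NOW - timedelta(days=30)),
]

# Constructed proxy/DNS log lines: "<timestamp> <host> <conn|dns|hash> <value>"
LOGS = """\
2024-01-15T09:00:01Z ws-finance-03 conn 203.0.113.7
2024-01-15T09:00:05Z ws-hr-11 dns bad-updates.example
2024-01-15T09:01:10Z ws-dev-02 conn 198.51.100.9
2024-01-15T09:02:00Z ws-finance-07 conn 203.0.113.7
2024-01-15T09:03:00Z ws-dev-04 conn 192.0.2.55
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (conn|dns|hash) (\S+)$")


def match_logs(feed, logs, now=NOW, min_confidence=50):
    """Return one alert per log line that hits a live, sufficiently confident IOC."""
    index = {i.value: i for i in feed if i.is_live(now) and i.confidence >= min_confidence}
    alerts = []
    for line in logs.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        ts, host, _kind, value = m.groups()
        ioc = index.get(value)
        if ioc:
            alerts.append({"ts": ts, "host": host, "ioc": ioc})
    return alerts


def prioritize(alerts):
    """Link alerts into one incident per adversary and rank by adversary severity."""
    incidents = {}
    for a in alerts:
        adv = a["ioc"].adversary
        inc = incidents.setdefault(adv, {"adversary": adv, "hosts": set(), "iocs": set()})
        inc["hosts"].add(a["host"])
        inc["iocs"].add(a["ioc"].value)
    ranked = sorted(incidents.values(),
                    key=lambda i: ADVERSARY_SEVERITY.get(i["adversary"], 50), reverse=True)
    for inc in ranked:
        inc["severity"] = ADVERSARY_SEVERITY.get(inc["adversary"], 50)
        inc["hosts"] = sorted(inc["hosts"])
        inc["iocs"] = sorted(inc["iocs"])
    return ranked


if __name__ == "__main__":
    for inc in prioritize(match_logs(FEED, LOGS)):
        print(f"[{inc['severity']}] {inc['adversary']}: hosts={inc['hosts']} iocs={inc['iocs']}")
```

The stale indicator never produces an alert, and the two finance hosts that contacted the attributed IP surface as a single incident ranked above the commodity detection.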

4. EMPOWERING BETTER SECURITY AND EXECUTIVE DECISIONS

At a tactical level, knowing which adversaries are likely to target them and why allows decision-makers to allocate their defenses and resources to protect what is likely to be targeted. At a higher level, strategic CTI can empower optimal executive decision-making. Executive-level decisions may include effective risk management, which means identifying and weighing the risk/reward equation of business outcomes, and then selecting the option that presents the least risk for the highest reward. This means decision-makers need to take calculated risks, informed by reliable threat intelligence. For example, strategic CTI can help determine whether the decision to open a new office in a high-risk geographic region will benefit from a full cybersecurity assessment before making an investment in new facilities and recruiting new employees. In addition, cybersecurity has become a topic discussed at most or all board meetings. Unfortunately, many C-level executives and boards of directors lack strategic insight into whether their current security strategy is truly optimized to match their risk profiles. When it comes to those conversations with board members, senior management teams can benefit from a trusted source of strategic threat intelligence that can deliver high-fidelity information to help answer tough questions and provide the necessary business context.


HOW CROWDSTRIKE FALCON X CAN HELP YOU

Functions covered: Sec/IT Analyst; SOC (Security Operation Center); CSIRT (Computer Security Incident Response Team); Intel Analyst; Executive Management

Threat Intelligence Benefits

Sec/IT Analyst: Optimize prevention and detection capabilities across the existing security stack

SOC: Prioritize incidents based on risk and impact to the organisation

CSIRT: Accelerate incident triage, management and prioritization

Intel Analyst: Uncover and track threats targeting the organisation, its vertical and the geographies the organisation operates in

Executive Management: Understand the risks the organisation faces and what the options are to lessen or remove their impact

How To Use Threat Intelligence

Integrate TI feeds with other security products, e.g. SIEM, FW, IDS, EDR, etc.

Block bad IPs, URLs, domains, files, etc.

Use TI to enrich alerts

Link alerts together into incidents

Tune newly deployed security controls

Eliminate vulnerabilities

Look for information on the who/what/why/when/how of an incident

Analyze root cause

Determine scope of the incident (Is it still ongoing? What is impacted?)

Determine best approach to mitigation and remediation

Look wider and deeper for intrusion evidence

Review reports on threat actors to better detect them

Conduct threat landscape assessments

Assess overall threat level for the organisation

Develop security roadmap

Allocate budget and resources

How CrowdStrike Provides The Required Threat Intelligence

Sec/IT Analyst: Endpoint integration; Intelligence automation; Custom IOCs; Access feeds (Snort/Suricata, YARA, Common Event Format, Netwitness); Falcon Intel APIs

SOC: Intelligence automation; Custom IOCs; Dashboard monitoring; Alerts and reports; Actor profiles; IOC searches; Malware submission

CSIRT: Intelligence automation; Custom IOCs; IOC search; Actor attribution and context; Searchable reports with detailed information on TTPs; Requests for information (RFI); Maltego transforms

Intel Analyst: Alerts and reports; Tailored intel notifications; Requests for information (RFI); Malware submission; Malware research

Executive Management: Strategic reports; Actor profiles; Requests for information (RFI)

Intelligence is no longer a “nice to have” — it is a mandatory element of stopping breaches.


HOW CROWDSTRIKE FALCON X HELPS SECURITY STAKEHOLDERS

CrowdStrike delivers threat intelligence that is consumable by both humans and systems. Because there are many aspects to cybersecurity, and because many sources can contribute to building an overall picture of the threat landscape, Falcon X combines intelligence automation with analysis from the CrowdStrike Falcon Intelligence™ team to provide an unparalleled solution for mitigating cyber risk. This elite team of intelligence analysts, security researchers, cultural experts and linguists uncovers unique threats and provides groundbreaking research that fuels CrowdStrike’s ability to deliver proactive security that dramatically improves security posture.

For organizations that are struggling to respond to cybersecurity alerts and don’t have the time or expertise to get ahead of emerging threats, CrowdStrike Falcon X delivers the critical intelligence you need, while eliminating the resource-draining complexity of incident investigations. Falcon X is the only solution to truly integrate threat intelligence into endpoint protection, automatically performing investigations, speeding response, and enabling security teams to move from a reactive to a predictive, proactive state.

With the unique cloud-native CrowdStrike Falcon® platform as a foundation, cybersecurity teams can now automatically analyze malware found on endpoints, find related samples from the industry’s largest malware search engine, and enrich the results with customized threat intelligence. This closed-loop system provides security teams with custom indicators of compromise (IOCs) to share with their other security tools as well as intelligence reporting that tells the complete story of the attack. With a thorough understanding of the attack, your team is empowered to respond faster and orchestrate proactive countermeasures across your organization.

The global CrowdStrike Falcon Intelligence team monitors both nation-state actors and eCrime organizations and is organized to take full advantage of its all-source methodology. For example, one team specializes in monitoring and analyzing the cultural, geopolitical and psychological variables of adversary activity. Often, members of that team get access to information that is not available from Western or English-speaking sources. Thanks to their mastery of languages such as Chinese, Russian, Farsi and many others, the team members are able to find and understand valuable information. That team collaborates and shares insights with the technical analysis team and the operations analysts, resulting in the highest quality threat intelligence in the industry. It enables the CrowdStrike Falcon Intelligence team to not only track technical indicators, profile adversaries and closely monitor their campaigns, but to also keep well-informed about the cybersecurity implications of geopolitical changes.

[Figure: CROWDSTRIKE DELIVERS ACTIONABLE INTELLIGENCE. Indicator API/feeds (consumed by machines) and reporting (consumed by humans) span three levels: Tactical (technical indicators), Operational (tactics, techniques, procedures) and Strategic (manage risk and direct investment).]

FALCON X — PRODUCT OFFERINGS

There are two levels of Falcon X, enabling your organization to choose the option that best fits your needs and business requirements.

Feature                   Falcon X    Falcon X Premium
Endpoint Integration         X               X
Intelligence Automation      X               X
Custom Intelligence          X               X
Custom and global IOCs       X               X
Intelligence Reports                         X
Threat Monitoring                            X
Expert Malware Analysis                      X
YARA/SNORT Rules                             X
Intelligence Support                         X
Quarterly Briefings                          X

CrowdStrike’s all-source methodology examines every aspect of an adversary's profile, motivations, intentions and TTPs, in order to fully understand what they are doing, why they are doing it and how to stop them.

Some of the elements covered in CrowdStrike’s threat intelligence monitoring and analysis include:

TTPs

Indicators of Compromise (IOCs)

Targeted Verticals and Geographies

Detection/Prevention Logic

Adversary Profiles and Goals

Falcon X subscribers have access to accurate, in-depth and up-to-date cyber threat intelligence, as well as expert guidance about how to protect their assets against those threats. This intelligence — delivered via custom IOCs, reports, alerts and APIs — enables organizations to automatically update their infrastructure without having to manually configure rules, blacklists and whitelists. More specifically, Falcon X subscribers receive threat intelligence via a variety of methods.

Endpoint Integration: Analyze high-impact threats taken directly from your endpoints protected by the CrowdStrike Falcon platform. Falcon X analysis is presented as part of the detection details of a Falcon endpoint protection alert. Security teams, regardless of size or skill level, will never miss an opportunity to learn from an attack occurring in their environment.

Intelligence Automation: Automate each step of a cyber threat investigation and reduce analysis time from days to minutes. Falcon X combines malware analysis, malware search and threat intelligence into a seamless solution.

Custom IOCs: Focus your team on the threats you actually encounter. Falcon X delivers custom IOCs that are derived from the automated analysis of threats taken directly from your endpoints.

Intelligence Reports: Receive trusted, in-depth threat intelligence reports from CrowdStrike’s global threat intelligence team, including real-time threat alerts, technical reports with expert analysis, and strategic reports outlining threats to industries, regions and infrastructure.

Threat Monitoring: Monitor the web for adversary activity against your organization to prioritize resources and effectively respond to impending cyberattacks.

Expert Malware Analysis: Escalate interesting malware samples to a CrowdStrike expert for deeper research or to get a second opinion.

YARA/SNORT Rules: Keep ahead of the latest adversary threats and orchestrate your defenses with YARA and SNORT rules, created and validated by CrowdStrike experts.

Intelligence Support: The CrowdStrike team works to ensure it has a clear understanding of your intelligence requirements and that you are successfully onboarded. The team also performs quarterly reviews.

Quarterly Briefings: Live webinars provide insight into the latest adversaries and their TTPs leading to better decision-making, in-depth cybersecurity guidance and improved cybersecurity strategy and planning.


CONCLUSION

To make smart security-related decisions, organizations need to have proper threat intelligence. That starts with using technical indicators and matures by developing an understanding of who is attacking, how they’re attacking and why. It culminates with implementing security decisions guided by strategic intelligence. Getting the right level of intelligence and using it effectively can greatly optimize prevention capabilities, shorten threat detection time, accelerate incident response and help teams make better security decisions.

CrowdStrike delivers the critical intelligence you need, while eliminating the resource-draining complexity of incident investigations. It takes antivirus (AV) and endpoint detection and response (EDR) alerts to the next level by not only showing what happened on the endpoint, but also revealing “the who, why and how” behind the attack. Understanding the threat at this level is the key to getting ahead of future attacks and raising the cost to the adversary.

Security teams can now automatically investigate all incidents that reach their endpoints and orchestrate defenses to proactively prevent future attacks. This level of automation, enriched with the expertise of the global CrowdStrike Falcon® Intelligence™ team, enables all security teams, regardless of size or sophistication, to finally make proactive security a reality. By examining all aspects of the threat landscape, from all available sources, CrowdStrike Threat Intelligence is able to provide the full-picture perspective that customers need to stop breaches.

ABOUT CROWDSTRIKE

CrowdStrike is the leader in cloud-delivered endpoint protection. The CrowdStrike Falcon® platform offers instant visibility and protection across the enterprise and prevents attacks on endpoints on or off the network. CrowdStrike Falcon deploys in minutes to deliver actionable intelligence and real-time protection from Day One. Falcon seamlessly unifies next-generation AV with best-in-class endpoint detection and response, backed by 24/7 managed hunting. Its cloud infrastructure and single-agent architecture take away complexity and add scalability, manageability and speed. CrowdStrike Falcon protects customers against all cyber attack types, using sophisticated signatureless artificial intelligence/machine learning and indicator-of-attack-based (IOA) threat prevention to stop known and unknown threats in real time. Powered by the CrowdStrike Threat Graph™, Falcon instantly correlates 60 billion security events from across the globe to immediately prevent and detect threats.

There’s much more to the story of how Falcon has redefined endpoint protection, but there’s only one thing to remember about CrowdStrike: We stop breaches.

Learn more: www.crowdstrike.com