As a follow-up to our recently held Tools of Engagement - The
Mechanics of Threat Intelligence: Analysis, Information Sharing
and Associated Challenges webinar, questions answered by
presenters Doug Wilson and Jen Weedon are listed below. To view
the archived webinar, please click
1. We received some questions asking about work being done by
Mandiant and others on open source intelligence sharing. We've got
some questions about STIX and TAXII in comparison to other
To succeed with sharing indicators internally
or externally, you have to pick a standardized format. That can be
anything, honestly, from a tab-delimited file to complicated XML. If
you are looking at sharing outside your organization, there are a
couple of different standards that are out there to look at.
what Mandiant uses for recording and transmitting threat indicators.
DHS funds a project through MITRE called STIX, with a
transport and exchange mechanism that is called TAXII. IETF also has
the MILE working group, which has a protocol named IODEF, which uses
RID as its transfer and exchange mechanism. These are all ways of
packaging up threat information and shipping them off to other
people or organizations. We've been looking at interacting with both
groups, and trying to make sure that OpenIOC interacts with both
sets of protocols where it can.
A lot of people are still
very uncomfortable with the idea of sharing openly, so a lot of the
sharing that's happening out there is going to be happening in
smaller, closed groups.
The protocols that we have discussed
are all open standards, whether somebody is sharing in a small group
or somebody is sharing in a large group. Since they are all open and
feely available, there's not any restrictions to using them for
sharing, and ultimately, we're hoping that there are some
corporations out there that are standing up sharing portals - there
are also government entities that are doing this as well. We're
hoping that ultimately, people will be able to pick the tools that
work properly for their particular situation. But whatever standard
(or standards) shakes out as being the one most people use, it will
need to be something that's open and accessible.
several questions about sharing groups. If you're not familiar with
the idea of an ISAC, I looking them up online. ISAC stands for
Information Sharing and Analysis Center. There's an ISAC Council
website that lists a bunch of the ISACs (not endorsed by Mandiant,
but for reference: http://www.isaccouncil.org/memberisacs.html).
Some of the larger ISACs have their own events and conferences, FS-ISAC is one
that is engaged in adopting threat information sharing standards
(such as STIX).
There are also specific groups for the
Defense Industrial Base, or DIB. Associated with the DoD Cybercrime
Center (DC3) is the DoD-DIB Collaborative Information Sharing
2. As an investment bank, how should we advise our clients
concerning cyber security audit and compliance prior to making an
We have seen threat activity around or related
and mergers. Entities should be aware that advanced attackers
are often quite aware of business decisions and movements in
industries that they're targeting, so you should take this into
account when determining how you want to allocate resources for risk
We can't directly advise any specific course of
action, and folks should consult their counsel or their risk
management personnel on specific actions, but on numerous occasions
we have been asked to do investigations that center around
acquisitions and mergers. We often advise our clients to consider
doing threat assessments as part of the due diligence process when
they are thinking of acquiring other companies. In addition, we
conduct regular analysis on risk factors for companies who may be
targeted by advanced threat actors to identify which variables may
place them at higher likelihood of being targeted, and why. These
variables may include the industry they're in, their intellectual
property, strategic partnerships, business strategy, and overseas
3. What are the options - in other words, legal or
technical - available to counterattack hackers from world nations
who don't respect international laws?
Mandiant does not
endorse or support hacking back in any form. We suggest an in-depth
incident response life cycle within your organization's network and
host, and an ongoing cycle of detection,
response and containment. We also suggest reaching out to law
enforcement or appropriate authorities responsible for national
4. What are the most important items to gather and share with a
threat team for vulnerability analyses?
depiction of vulnerabilities in an enterprise can help inform risk
management decisions. This should be a two-way communication. A team
that deals with threats can prioritize responding to some threats
above others if they know certain vulnerabilities or weaknesses
exist within their environment, and then the threat team can talk
with whoever does the vulnerability assessment if they think certain
types of actors are more likely to exploit certain types of
vulnerabilities, so those vulnerabilities have a higher priority for
5. What kind of training do you suggest for intelligence
analysis, especially cyber threat intelligence analysis?
One of the most important things a company can do, or anyone that
does threat intel in an office can do is to get the technical folks
and the sort of more traditional intel analysts in the room together
to observe sort of how the other side works.
It may not be
possible to fully cross-train both types of personnel on each
other's disciplines, but the more interaction they have and the more
folks get out of their comfort zones with what they're used to
doing, the better your teams will understand with each other.
Communication is key, especially when dealing with technical and
non-technical teams having to work together.
6. Strategic versus tactical - why would individual firms care
beyond what protects them from immediate threats? In other words,
why would they care about strategic over the tactical?
This gets into debates about attribution, categorization of
threats and threat tracking, and what that matters, which is a large
topic in and of itself. It really depends on where an organization
is in terms of the maturity of its security capabilities.
an organization's security interests are strictly operational and
are just looking at turning stuff away from the firewall and
blocking things, the idea of this longer-term view of threat actors
is not going to be interesting, because they are just looking at
what can immediately stop the bleeding. As an organization becomes
more mature in their security posture and starts to evolve it into
basing security off of threat intelligence, they will be able to
appreciate the use of strategic intelligence. But this requires an
investment of a lot more resources, and investment in personnel and
programs that are not normally considered standard for traditional
"information security" yet.
7. Is threat intelligence a myth?
Again, this depends
a lot on the maturity level that a security program is at. It's not
a myth, but it might be useless to entities that do not have the
resources or focus to do anything with threat intelligence.
We've seen that attribution is one area where people can go down
a lot of rabbit holes. Some folks spend a lot of time arguing about
the merit of attribution, and can get wrapped around the fact that
attribution down to a specific human being is nearly impossible on
the Internet. It doesn't necessarily matter who is at the keyboard
unless you're a nation state or you're somebody who's going to be
somehow doing an international lawsuit against a particular
But the groups of actors, and what is motivating these
groups to make them want to act against your enterprise, should be
of interest to you. If you want to be proactive about securing your
network and distributing resources to protect your network, it helps
to know that someone is using a particular type of attack and
they're not using another set of attacks. This may help you
determine how to allocate resources for defense.
If you have
less resources, if you have a less mature security posture, if
you're not as involved in terms of where you are in the life cycle
of getting a sophisticated security program set up - and a lot of
people are having a hard time getting down that road because you
have the classic problems of justifying your budget, or convincing
your CEO that they care - you're not necessarily going to care
about a strategic view of threat actors.
But if you're
someone who's invested more in security, you have a larger
investment in spending money on this and doing some sort of defense
that is informed by a strategic viewpoint, it's going to matter a
lot more, and we're seeing a lot more major companies turning in
this direction, over time. So there could be naysayers, but the
market is slowly speaking out against them.
8. What are some resources for analysts and detailed
methodologies and curriculums as well as buying threat
intelligence and reviews on different products and
Without going into specifics on the latter
question, there are certainly a lot of industry research
organizations that have racked and stacked different threat
intelligence providers and their solutions.
I guess it really
gets to what you can consume. Like Doug was saying, if you have the
resources and the political will inside your organization to consume
more strategic intelligence, you may have different needs and pursue
different solutions providers.
In terms of developing a
threat intel capability, there are certainly lots of firms out
there, including Mandiant, who consult on what you need to do to
mature in that sense.
9. Is there public or closed IOC sharing platforms besides
A couple of other entities out
there are using OpenIOC publicly. If you are familiar with the
company AlienVault, their lab, when
they do posts of threat information and blog posts about malware,
will include an IOC as part of their sharing.
We also do that
with some of our blog posts and forum posts. Some of those
are open and some of those closed to our customers, depending on the
level of content. There, unfortunately, is not a wonderful public
open sharing site for all of the IOCs out there other than http://ioc.forensicartifacts.com.
Most people are still kind of uncomfortable with the idea of
sharing openly, so you're going to see closed communities springing
up here and there and, over time, they're going to open up or
improve or share with larger audiences. We hope to continue to
contribute to that conversation as it evolves.
10. What are the sources of IOCs
IOCs can come from a
variety of sources. In Mandiant's case, they are a product of a wide
variety of different sets of input throughout our business units,
curated over time by our intel team. We capture IOCs from our
investigative work, from feedback from our product and managed
services customers, and from a wide variety of intel sources,
including examining malware and network traffic. Organizations could
create IOCs from their own knowledge of threats that they face, but
usually they use a combination of their knowledge plus information
gleaned from other security or intelligence sources.
11. What kind of IOC would you recommend sharing publicly or just
in closed groups, so attackers don't know detection
IOCs don't necessarily give away detection
methods. Specific pieces of intelligence may give away sources and
methods, and you need to determine risk to your intel sources before
sharing anything. However, in most cases, especially if you are
already trying to combat an opponent that has launched attacks
against your networks, they probably assume that you can capture
anything that they may deploy against you. If you are using external
sources of intelligence, the situation becomes more complex, which
is where having trained intelligence staff and experienced analysts
can help you make appropriate decisions. The risk tolerance of each
organization is going to be different, so it will likely be
something that you will have to tailor to your organization's
12. What are some products that can be used for
We have previously
discussed the use of threat intel in the form of IOCs. The freely
available Mandiant IOC Editor can be used to write and edit IOCs,
and Redline can consume IOCs for host based investigations. Both of
these complement the commercial Mandiant
for Intelligent Response® offering.
Additionally, during the webinar we were also asked about tools
for gathering and cataloging more strategic intelligence. None of
these are endorsed by Mandiant. However, some examples of tools to
13. Do domains and IPs alone attribute activity to an actor if
the actor was seeing using a domain or an IP once?
Attribution to actors is a complicated and time-consuming
process. Actors' use of certain domains or IPs as part of their
attack infrastructure is only part of the story. Threat groups also
frequently share infrastructure, malware, or other tools. There's
certainly no 1:1 correspondence between IPs and domains and specific
actors, especially if you've only observed the correlation once.
They're useful data points for more thorough analysis.