
Reading Room


Threat Intelligence

Featuring 18 Papers as of February 1, 2021

  • How to Build an Effective Cloud Threat Intelligence Program in the AWS Cloud Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 1, 2021 

    Threat intelligence can play a major role in improving the state of security incident-handling operations, either through proactive threat hunting activities or during active investigations based on detection scenarios. But threat intelligence can mean different things to different organizations. In this whitepaper, SANS analyst Dave Shackleford shows you how to customize your CTI program to your organization's processes and workflows as well as how to invest in security solutions that reduce risk and accelerate the resolution of security events with actionable context and minimal noise.

  • Tactical Linguistics: Language Analysis in Cyber Threat Intelligence by Jason Spataro - January 15, 2021 

    The capability to effectively collect and analyze data in strategic foreign languages when intelligence requirements are supported by it is a defining characteristic in a mature Cyber Threat Intelligence (CTI) program. Far beyond its use in attribution, language analysis can be leveraged to approach collection sources from a new perspective. This research seeks to provide a blueprint of those perspectives, as well as a set of critical considerations for those seeking to add or advance language analysis capabilities within their own CTI environments.

  • CTI, CTI, CTI: Applying better terminology to threat intelligence objects SANS.edu Graduate Student Research
    by Adam Greer - January 13, 2021 

    Increased awareness of the need for actionable cyber-threat intelligence (CTI) has created a boom in marketing that has flooded industry publications, news, blogs, and marketing material with the singular term applied to an increasingly diverse set of technologies and practices. In 2015, Dave Shackleford and Stephen Northcutt published findings of a survey sponsored by some of the largest names in cyber-threat intelligence at the time in order to address the widespread confusion around what precisely cyber-threat intelligence is and how it is generated, delivered, and consumed. In this research, they note that "... a shortage of standards and interoperability around feeds, context, and detection may become more problematic as more organizations add more sources of CTI..." (Shackleford, 2015). However, IT security teams have matured drastically since then, and most research has been applied to automation and standards for specific sub-domains, such as dissemination. This paper analyzes the current CTI environment and uses a defined methodology to develop a taxonomy for the domain that clarifies the application of CTI to security programs and serves as a foundation to further domain research.

  • Quantifying Threat Actor Assessments SANS.edu Graduate Student Research
    by Andy Piazza - May 20, 2020 

    The cyber threat landscape is a complex mix of adversaries, vulnerabilities, and emerging capabilities. Within this environment, Chief Information Security Officers (CISOs) must prioritize resources and projects to maximize their defenses against the most significant threats. The challenge, though, lies in assessing threats to an organization in a meaningful way. By assessing threat actors’ intent to target a specific organization for certain attack types, information security leaders can determine which malicious actors are most likely to target their enterprise. The assessment of the threat actors’ documented capabilities for those specific attack types allows leaders to wade through the fear, uncertainty, and doubt (FUD) of vendor marketing and nation-state saber-rattling to prioritize capabilities for defensive posturing. This paper introduces the Threat Box, a Cartesian coordinate system, which portrays threat actors’ intent and capabilities as an executive communication tool for information security leaders to depict the prioritization of threat actors.

  • Tips and Scripts for Reconnaissance and Scanning by Zoltan Panczel - February 12, 2020 

    Nowadays, information is the key to success. Pentesters' and bounty hunters' first step is to collect information about the target. The crucial part of the recon process is to identify as many hosts as possible. There are plenty of useful, necessary tools to conduct this searching but with limited automated capabilities. The recon and scanning procedures are repetitive; hence, automating these is effective to minimize the effort. Testers can make a customized framework if they combine the primary tools with scripting. Based on the discovered vulnerabilities and work experience, a little tuning or modification of tools might open new opportunities to find bugs.

  • Investigating Like Sherlock: A SANS Review of QRadar Advisor with Watson Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - October 26, 2019 
    • Sponsored By: IBM

    This paper reviews QRadar Advisor with Watson, a platform that combines IBM’s famous Watson with QRadar.

  • ATT&CKing Threat Management: A Structured Methodology for Cyber Threat Analysis SANS.edu Graduate Student Research
    by Andy Piazza - July 29, 2019 

    Risk management is a principal focus for most information security programs. Executives rely on their IT security staff to provide timely and accurate information regarding the threats and vulnerabilities within the enterprise so that they can effectively manage the risks facing their organizations. Threat intelligence teams provide analysis that supports executive decision-makers at the strategic and operational levels. This analysis aids decision makers in their commission to balance risk management with resource management. By leveraging the MITRE Adversarial Tactics Techniques & Common Knowledge (ATT&CK) framework as a quantitative data model, analysts can bridge the gap between strategic, operational, and tactical intelligence while advising their leadership on how to prioritize computer network defense, incident response, and threat hunting efforts to maximize resources while addressing priority threats.

  • Analysis of a Multi-Architecture SSH Linux Backdoor by Angel Alonso-Parrizas - June 17, 2019 

    A key aspect in any intrusion is to attempt to gain persistence on the compromised system. Threat actors and criminals assure persistence through different mechanisms, including backdoors. The existence of backdoors is nothing new, and over the years very popular backdoors targeting most operating systems and many applications have been developed. This paper focuses on the code analysis of an SSH Linux backdoor used in the wild by a criminal group from 2016 to at least October 2018. The backdoor runs on multiple architectures; however, the research focuses on the ARM version of the backdoor using the recently released reversing tool Ghidra, which has been developed by the NSA.

  • Thinking like a Hunter: Implementing a Threat Hunting Program Analyst Paper (requires membership in SANS.org community)
    by Matt Bromiley - April 21, 2019 
    • Sponsored By: IBM

    A successful threat hunting program should identify previously unknown or ongoing threats within the environment and facilitate a deeper understanding of the organization's technical landscape. This paper focuses on bridging the gap between those two objectives and discusses the whats, whys and hows of threat hunting. The paper presents techniques that can be immediately applied to your environment to help you either build a new hunt team or hone your existing one.

  • Threat Intel Processing at Scale by Don Franke - March 27, 2019 

    This paper examines the common but flawed practice of implicitly assigning trust to threat indicators (or "intel") that are shared by external providers. These indicators are often deployed automatically to security controls without adequate vetting, resulting in false positives and a false sense of security. This paper proposes a solution for how to implement an intel analysis process that separates noise from useful indicators, can handle a large volume of information received regularly and is scalable despite limited analyst resources.

  • Evaluation of Comprehensive Taxonomies for Information Technology Threats SANS.edu Graduate Student Research
    by Steven Launius - March 26, 2018 

    Categorization of all information technology threats can improve communication of risk for an organization’s decision-makers who must determine the investment strategy of security controls. While there are several comprehensive taxonomies for grouping threats, there is an opportunity to establish the foundational terminology and perspective for communicating threats across the organization. This is important because confusion about information technology threats poses a direct risk of damaging an organization’s operational longevity. In order for leadership to allocate security resources to counteract prevalent threats in a timely manner, they must understand those threats quickly. A study that investigates categorization techniques of information technology threats to nontechnical decision-makers through a qualitative review of grouping methods for published threat taxonomies could remedy the situation.

  • CTI in Security Operations: SANS 2018 Cyber Threat Intelligence Survey Analyst Paper (requires membership in SANS.org community)
    by Dave Shackleford - February 5, 2018 

    The survey focuses on how organizations could collect security intelligence data from a variety of sources, and then recognize and act upon indicators of attack and compromise scenarios in a timely manner. Although some CTI trends continued this year, we definitely saw several differences in a number of areas, which are noted in the research. From this year's results, it is obvious that CTI collection, integration and use within security teams are maturing.

  • Cyber Threat Intelligence Support to Incident Handling SANS.edu Graduate Student Research
    by Brian Kime - November 17, 2017 

    Recent research has shown increased awareness of Cyber Threat Intelligence (CTI) capabilities. However, CTI teams continue to be underutilized and have had difficulty demonstrating the value they can add to digital forensics incident response (DFIR) teams. Meta-analysis of multiple surveys will identify where the gaps in knowledge exist. The paper will suggest how CTI can support DFIR at each level of intelligence and operations (tactical, operational, and strategic) and during each phase of the incident response lifecycle (preparation; detection and analysis; containment, eradication, and recovery; and lessons learned). CTI teams should have priority intelligence requirements (PIRs) and a collection plan that supports answering those PIRs. In return, DFIR needs to share investigations and incident reports with the CTI team to reduce risk to the organization, decrease the time to detect an incident, and decrease the time to remediate an incident. This paper builds on previous work by the author to develop CTI processes to support CTI planning.

  • Data Mining in the Dark: Darknet Intelligence Automation SANS.edu Graduate Student Research
    by Brian Nafziger - November 17, 2017 

    Open-source intelligence offers value in information security decision making through knowledge of threats and malicious activities that potentially impact business. Open-source intelligence using the internet is common; however, using the darknet is less common for the typical cybersecurity analyst. The challenges to using the darknet for open-source intelligence include using specialized collection, processing, and analysis tools. While researchers share techniques, there are few publicly shared tools; therefore, this paper explores an open-source intelligence automation toolset that scans across the darknet - connecting, collecting, processing, and analyzing. It describes and shares the tools and processes to build a secure darknet connection, and then how to collect, process, store, and analyze data. Providing tools and processes serves as an on-ramp for cybersecurity intelligence analysts to search for threats. Future studies may refine, expand, and deepen this paper's toolset framework.

  • Triaging Alerts with Threat Indicators by Gregory Pickett - August 25, 2017 

    Enterprises see more and more alerts every day. They are continually flooded with alerts, and the numbers keep increasing. Because analysts don't know which ones indicate a genuine threat, they have to be gone through one at a time to find out. With not enough time in the day, some get ignored (Magee, 2017). There just isn't enough time to get to them all. What if analysts could skip over those alerts that aren't a threat and just focus their time on those that are? If they were able to do that, they just might have enough time in the day to get through all of them. The answer to this question is Threat Indicators. Using past behavior, as measured by Threat Indicators, security analysts can determine how likely an adversary in an alert is a threat. Those that are less threatening can then be skipped over in favor of those that are, allowing an analyst to get through their alerts much more quickly. It may even be quick enough for them to get through them all. This paper explores the use of Threat Indicators through both theory and practice. Finally, it will measure its success through its use in the analysis of actual alerts to determine how effective this approach is in identifying threats and, through this identification, whether or not analysts are able to get through their alerts more quickly.

  • The Conductor Role in Security Automation and Orchestration by Murat Cakir - August 22, 2017 

    Security Operations Centers (SOCs) are trying to handle hundreds of thousands of events per day, and automating any part of their daily routines is considered helpful. Ultimately, fast creation of malware variants produces different Indicators of Compromise (IOCs), and automated tasks should adapt themselves accordingly. This paper describes the possible use of automation in the Threat Hunting, Identification, Triage, Containment, Eradication and Recovery tasks and phases of Incident Handling, along with practical examples. It also describes how they can fail or can be systematically forced to fail when orchestration is missing. Orchestration should not only cover dynamic selection of proper paths for handling of specific tasks, but should also provide circumstantial evidence while doing that. Finally, there should be a Conductor who should know "when and how to use the baton" to accept, modify or reject any part of the automated flow.

  • Artificial Intelligence and Law Enforcement by John Wulff - August 21, 2017 

    After the 9/11 terrorist attacks against the United States, the law enforcement and intelligence communities began efforts to combine their talents and information gathering assets to create an efficient method for sharing data. The central focus of these cooperative efforts for information dissemination was State Fusion Centers, tasked with collecting data from several database sources and distributing that information to various agencies. This vast amount of intelligence data eventually overwhelmed the investigative organizations. The use of Artificial Intelligence (AI) is the preferred technology for analyzing data to recognize behavioral patterns and create a method for the sharing of data in the fight against crime and terrorism. AI can analyze threat data and historical information and then create attack hypotheses for predicting when and where crimes will be committed. The use of AI can directly affect the cost of operations. Criminal activity locations can be predicted by AI so equipment and personnel can be directed to those areas to prevent those events from occurring. Financial resources must be allocated to allow for the development and testing of these applications so that the options available to law enforcement and the intelligence communities can be increased.

  • Threat Intelligence: Planning and Direction SANS.edu Graduate Student Research
    by Brian Kime - March 29, 2016 

    Many celebrated leaders like Ben Franklin and Winston Churchill have said, in various forms, “Failing to plan is planning to fail.”

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.