SANS: Who’s Using Cyberthreat Intelligence and How?

“Who’s Using Cyberthreat Intelligence and How?” By Dave Shackleford 


Threat Intelligence – the set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators

Purpose of CTI:
• Ability to see attacks in context
• Accuracy of detection and response
• Faster detection and response 

Data Collection Points:
“In addition to the 59% stating they are gathering intelligence from their internal systems, 76% of respondents say their organizations are gathering intelligence from the security community at large.

The external sources they are gathering information from include:
• 56% gather intelligence from their vendor product’s CTI feeds
• 54% gather intelligence from their public CTI feeds
• 53% gather intelligence from open source feeds

A small number of answers in the “Other” category included private feeds for government agencies and law enforcement, as well as social media and sites such as the SANS Internet Storm Center (ISC).”

Intelligence Feeds
“We asked those who selected “vendor-driven CTI feeds” what types of vendors were providing these. The range of responses was very broad, and many teams are obviously using CTI data from a number of different types of vendors. Endpoint security vendors led with 51%, but 43% of respondents are also getting CTI information from unified threat management (UTM)/firewall/IDS vendors and 40% from CTI platform vendors, vulnerability management providers and SIEM vendors.”

Planning for CTI
Organizations planning to invest in CTI feeds, tools and internal capabilities should assess their readiness for using CTI now and in the future.

1. Decide what you intend to do with CTI data and to whom you will assign CTI planning duties. Most organizations that attempt to implement CTI ad hoc, with no budget, staff, tools or goals, tend to reap minimal rewards.

2. Focus on tools and feeds. Once you’ve decided what you plan to do with CTI (improve detection capabilities, add more granular correlation rules to your SIEM, add host-based forensics indicators, etc.), focus on two areas: What kinds of tools will you use to aggregate and collect CTI data? And will you use commercial feeds, open source and community data, or both? Many SIEM providers are now integrating CTI feeds and information readily. Be sure to look at standard import data formats if you are bringing in feeds.

3. Consider your goals. Once you’ve decided on the basics of what data you want and where it will be aggregated, think about the short- and long-term goals of the program and how you’ll measure progress. 

CTI Standards and Tools
• Open Threat Exchange (OTX)—51%
• Structured Threat Information Expression (STIX)—46%
• Collective Intelligence Framework (CIF)—39%
• Open Indicators of Compromise (OpenIOC) framework—33%
• Trusted Automated eXchange of Indicator Information (TAXII)—33%
• Traffic Light Protocol (TLP)—28%
• Cyber Observable eXpression (CybOX)—26%
• Incident Object Description and Exchange Format (IODEF)—23%
• Vocabulary for Event Recording and Incident Sharing (VERIS)—20%

Domain Generation Algorithm (DGA): Ways to Communicate

# Domain Generation Algorithm (DGA): Python Implementation 

Ways to disseminate the DGA seed:
(1) Spread inside the bot config (easy but insecure);
(2) Generate it from the local environment, e.g. GetSystemInfo, GetCurrentUser and similar calls (more secure);
(3) Pull additional websites based off the seed websites’ HTML source code. For example:


```python
# The seed below is Base64-encoded (the trailing '=' is the padding marker)

# -*- coding: utf-8 -*-
import hashlib

def md5_dga(seed):
    var = hashlib.md5(seed.encode())  # hash the seed using the entry algorithm
    name = var.hexdigest()            # cut all the strings after the 10th one
    part = name[:10]
    return "{}.xyz".format(part)

seed = "cm9jayduJ3JvbGw="  # ASCII: rock'n'roll
for _ in range(12):        # each generated domain becomes the seed of the next round
    seed = md5_dga(seed)
print(seed)
```

```python
# -*- coding: utf-8 -*-
dga_dictionary = ['btc', 'love', 'bit', 'rain', 'drop']

def dictionary_dga(seed):
    ln = len(dga_dictionary)  # check the maximum length of the DGA dictionary
    if ln * ln <= seed:       # only ln * ln distinct word pairs exist
        return False
    # choose 2 words
    first = seed // ln
    last = seed % ln
    # create an address concatenating variable 1 + variable 2
    addr = "{}{}.xyz".format(dga_dictionary[first], dga_dictionary[last])
    return addr

for x in range(20):
    print(dictionary_dga(x))
```
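As an added example (not part of the original notes), here is the defender-side counterpart: replay the two DGAs above to precompute the domains they can emit, then scan DNS log lines for queries that match. The seed, word list and log lines are constructed for the demonstration, and the dnsmasq-style "query[A] <name> from <client>" line shape is an assumption made for illustration.

```python
import hashlib
import re

# Constructed values: the same seed and word list as the two DGA snippets above.
DICTIONARY = ["btc", "love", "bit", "rain", "drop"]
SEED = "cm9jayduJ3JvbGw="

def md5_chain_domains(seed, count):
    """Replay the hash-chain DGA: each emitted domain seeds the next round."""
    out = []
    for _ in range(count):
        seed = hashlib.md5(seed.encode()).hexdigest()[:10] + ".xyz"
        out.append(seed)
    return out

def dictionary_domains(words):
    """Enumerate every pair the dictionary DGA can emit: len(words) ** 2 names."""
    return [a + b + ".xyz" for a in words for b in words]

def build_blocklist(seed, words, depth=12):
    """Union of both DGA families, usable as a DNS-log watchlist."""
    return set(md5_chain_domains(seed, depth)) | set(dictionary_domains(words))

# Constructed DNS log lines in an assumed dnsmasq-style "query[A] <name> from <client>" shape.
SAMPLE_LOG = """\
query[A] www.example.org from 10.0.0.5
query[A] btcrain.xyz from 10.0.0.7
query[A] mail.example.org from 10.0.0.5
query[A] {chain0} from 10.0.0.9
query[A] lovedrop.net from 10.0.0.7
""".format(chain0=md5_chain_domains(SEED, 1)[0])

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")

def find_dga_queries(log_text, blocklist):
    """Return (client, domain) pairs whose queried name is a known DGA output."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group(1).lower().rstrip(".") in blocklist:
            hits.append((m.group(2), m.group(1)))
    return hits

if __name__ == "__main__":
    for client, domain in find_dga_queries(SAMPLE_LOG, build_blocklist(SEED, DICTIONARY)):
        print("DGA hit: {} queried {}".format(client, domain))
```

Note that lovedrop.net is not flagged: the watchlist is exact-match on the .xyz names the two algorithms produce, so a changed TLD or seed needs a regenerated list.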