Conducting operational threat intelligence research involves systematically gathering, analyzing, and disseminating information about current or emerging threats that could impact an organization’s operations.
In this article, we will delve deeper into the importance of this type of research and its methodologies. By the end, you’ll have a clearer understanding of how to transform data into actionable insights that can help you protect your organization from ever-evolving cyber threats.
What Is Operational Threat Intelligence? 🔗︎
Operational threat intelligence (OTI) is a focused subset of cyber threat intelligence (CTI) which drills down into specific cyber-attacks or ongoing campaigns. While CTI offers a panoramic view of the broader digital threat landscape, OTI provides a granular view of the details of distinct attacks.
For security professionals, the granularity of OTI is invaluable as it provides a comprehensive understanding of a cyber-attack’s nature, the underlying intent (financial, data theft, hacktivism), and the expected duration or progression of the campaign.
With this knowledge, analysts can effectively respond to the immediate threat, and strategize for potential future developments to safeguard their organizations.
How to Conduct Operational Threat Intelligence Research? 🔗︎
1. Define the Objectives –Start with a clear goal:
- What are you trying to achieve?
- Are you attempting to gain an understanding of industry-specific threats, or investigate a specific incident?
2. Data Collection –Dive deep into both open and closed sources:
- Security blogs and websites like KrebsOnSecurity, Dark Reading, and the SANS Internet Storm Center offer insights into the latest threats and vulnerabilities.
- Public Forums and communities like InfoSec Exchange on Mastodon or the NetSec subreddit often discuss emerging threats.
- Free threat intelligence feeds like AlienVault (OTX) and ThreatFox by AbuseCH.
- Paid threat intelligence providers like Recorded Future and CrowdStrike offer threat intelligence feeds that provide data like indicators of compromise (IOCs) or tactics, techniques, and procedures (TTPs).
- Industry groups and alliances like the Financial Services ISAC (FS-ISAC) or the Health ISAC share threat intelligence relevant to specific industries.
- Honeypots & honeynets: Systems set up to act as decoys, attracting attackers and recording their actions.
- Intrusion detection systems (IDS) and intrusion prevention systems (IPS) logs: These systems generate alerts based on recognized malicious patterns.
- Firewall and proxy logs: These can reveal potentially malicious traffic or access attempts.
It is important to note that while these sources can provide valuable insights, not all sources are suitable for every organization. The quality and accuracy of intelligence can vary, so it is essential to vet and corroborate information before acting on it.
3. Data Processing –Once you have the data, standardize it. Remove redundancies, enrich it, and filter out the noise through:
- Normalization: Threat intelligence can come from many sources, each with its own format and structure. Normalization ensures that all collected data adheres to a consistent format, making it easier to analyze and correlate.
- Deduplication: Given the vast amount of data collected, there can be many redundant pieces of information. Deduplication ensures that each piece of threat intelligence is unique.
- Enrichment: Raw threat data can be enhanced by adding context. An IP address can be enriched with information about its geographical location, associated domain names, or known malicious activities.
- Filtering: Not all collected data is pertinent to an organization’s threat landscape. Filtering ensures that only relevant threat intelligence is retained, allowing analysts to focus on what’s truly important for their specific environment.
4. Analysis –This is where the magic happens! Connect the dots, identify patterns, and pinpoint who’s behind a threat through:
- Correlation: Correlation involves linking pieces of information like IOCs or TTPs to identify larger patterns or campaigns. For example, correlating a specific malware hash with an IP address can help identify a coordinated attack from a particular source or attacker.
- Trend Analysis: Trend analysis in threat intelligence can help organizations anticipate potential threats or understand the evolution of specific threat vectors. For example, by analyzing the increasing frequency of ransomware attacks in a sector, organizations can prioritize defenses against such threats.
- Attribution: Attribution involves determining who is behind a cyber-attack or campaign. This can be incredibly challenging due to adversaries’ use of obfuscation techniques. However, analysts can sometimes identify specific threat groups or nation-state actors by analyzing TTPs, malware types, or even linguistic patterns.
5. Dissemination – Share findings with stakeholders within the organization. This might include IT teams, executives, or other relevant departments.
6. Feedback Loop – Incorporate stakeholder feedback to refine the intelligence process.
7. Operationalization – Convert intelligence into actionable items. Update the firewall rules, train the staff, or recommend further investigations.
8. Review and Iteration – Review and refine the threat intelligence process regularly.
9. Tooling and Automation – Leverage threat intelligence platforms (TIPs) and other tools to automate data collection, processing, and analysis.
10. Training and Collaboration – Train the threat intelligence team on adversaries’ latest TTPs. Collaborate with other organizations, industry groups, and government agencies to share intelligence and best practices.
We’ve also compiled these steps into a PDF that you can take with you.
How Can OSINT Help You Enhance Your Operational Threat Intelligence? 🔗︎
OSINT is crucial in the operational threat intelligence research process, from defining objectives based on ongoing cyber-attack campaigns and trending malware to data collection and analysis.
I already covered some OSINT sources that can improve your operational threat intelligence, so let’s talk about tools now. OSINT tools are not just add-ons to your investigations; they are an integral part of the research process.
Here are some popular and valuable tools:
- Amass: An advanced open-source tool designed for network mapping and external asset discovery using OSINT gathering and active reconnaissance techniques.
Use Case: Identify and map all the external assets belonging to your organization.
Identify and map all the external assets belonging to your organization.
- Censys: A search engine that allows researchers to ask questions about devices and networks on the Internet.
Use Case: Identify misconfigured servers, research SSL/TLS configurations, and discover vulnerable systems.
Identify misconfigured servers, research SSL/TLS configurations, and discover vulnerable systems.
- Google Dorks: Advanced search techniques using Google to uncover information that might not be readily visible.
Use Case: Discover exposed files or databases, identify potential vulnerabilities, and gather data on possible targets.
Discover exposed files or databases, identify potential vulnerabilities, and gather data on possible targets.
- Maltego: Imagine a tool that not only mines data but deduplicates it, enriches it, and correlates it while visualizing the relationships and making patterns clear. Maltego is a game-changer.
Use Case: Investigate IP addresses, domains, and email addresses; visualize relationships between different entities and enrich the information using the unique data sources integrated into Maltego.
Investigate IP addresses, domains, and email addresses; visualize relationships between different entities and enrich the information using the unique data sources integrated into Maltego.
- Onyphe: A search engine for threat intelligence, helping researchers and security professionals gather and correlate information about IP addresses, domains, and other digital assets.
Use Case: Use Onyphe to find malicious infrastructure like C2 systems.
Use Onyphe to find malicious infrastructure like C2 systems.
- Shodan: Often dubbed “the search engine for the Internet of Things,” Shodan allows users to discover devices connected to the Internet, ranging from servers to smart devices.
Use Case: Identify exposed and vulnerable systems, research misconfigured servers or databases, and monitor the exposure of an organization’s assets.
Identify exposed and vulnerable systems, research misconfigured servers or databases, and monitor the exposure of an organization’s assets.
- theHarvester: A tool designed to gather emails, subdomains, hosts, and more related to a specific domain.
Use Case: Conduct reconnaissance on a target domain, identify potential phishing vectors, and map an organization’s online footprint.
Conduct reconnaissance on a target domain, identify potential phishing vectors, and map an organization’s online footprint.
- Recon-ng: A reconnaissance framework with modular tools to gather data and integrate with popular databases.
Use Case: Automate data-gathering tasks, find relationships between collected data, and consolidate data for analysis.
Automate data-gathering tasks, find relationships between collected data, and consolidate data for analysis.
- SpiderFoot: An automation tool for conducting OSINT and threat intelligence research on IPs, domains, email addresses, and more.
Use Case: Discover network infrastructure details, identify data leaks, and find potential vulnerabilities.
Discover network infrastructure details, identify data leaks, and find potential vulnerabilities.
- The Wayback Machine: An archive of the Internet that allows users to see historical versions of websites.
Use Case: Investigate changes on a website, recover lost information, and research defunct services or products.
Investigate changes on a website, recover lost information, and research defunct services or products.
If your team is looking for specific threat intelligence providers, you can explore our repository of 36 providers tailored for SOC teams and suitable for other teams that incorporate OSINT into their daily operations.
Download the resource
How to Make the Most of Your Operational Threat Intelligence? 🔗︎
Operational threat intelligence is not just about collecting data; It is about discerning actionable patterns, understanding connections, and foreseeing potential threats.
Maltego, with its unmatched data integrations and intuitive visualizations, can help you simplify these tasks as it transforms information into comprehensive maps, revealing hidden relationships and patterns that might have otherwise gone unnoticed.
Don’t forget to download your copy of the 36 top threat intelligence providers below, follow us on Twitter, LinkedIn, and Mastodon, and sign up for our email newsletter so you don’t miss out on updates and news!
About the Author 🔗︎
Mario Rojas 🔗︎
Mario Rojas is a former Cyber Security and Threat Intelligence Subject Matter Expert at Maltego with more than 14 years of experience in the cybersecurity field. His expertise in open-source intelligence (OSINT) allows him to effectively map and visualize complex relationships and connections between entities, from IP addresses and domain names to social media profiles and Darkweb forums.