Targeted Threat Intelligence
Targeted Threat Intelligence is used in many contexts, but especially in TIBER Red Team Assessments. It describes a company's threat situation by answering two questions:
- Attack potential: What attack surface do I offer attackers, and what attack scenarios result from it? Answering this question is referred to as ‘target intelligence’.
- Attacker activity: How are attackers currently targeting organizations similar to mine and what TTPs (Tactics, Techniques, Procedures) are they using? What tools are they currently using, what attack infrastructure are they currently operating? Is there any evidence of recent or upcoming attacks? Answering these questions is the task of ‘Threat Intelligence’.
Target intelligence is concerned with scouting a target. It is sometimes referred to as ‘footprinting’ or ‘attack surface mapping’. It simulates what attackers do at the beginning of a real attack: find out as much as possible about their target without interacting directly with it (i.e. without scans, for example) in order to stay under the radar. Primarily open sources (OSINT – Open Source Intelligence) as well as Deep Web and specialized databases are used for this. The following, among other things, are determined during target intelligence:
- Digital: All systems, network areas, domains etc. that belong to the target and are accessible from the Internet
- Legal: All subsidiaries, holdings, joint ventures and other companies with which there is a relationship
- Geographical (GEOINT): Locations and their nature
- Personnel: employees, positions, relationships of trust
- Technology profiles
- Potential social engineering and spear phishing targets
- Web pages that can serve as templates for phishing attacks
- Clear and deep web analytics (WEBINT)
- Social media posts (SOCMINT), press releases
- Existing user accounts with third-party vendors
- Company news and policy
- Public company-related communications by employees
- Passively discoverable security vulnerabilities
- and much more.
The collection, analysis and correlation of all this data leads to a complete inventory of all digital and non-digital externally visible assets of a company. This represents the entire footprint and, at the same time, a map of the organization’s attack surface. It also provides insight into initial vulnerabilities and attack vectors.
Furthermore, possible attack scenarios are described that result from the footprinting and the attack surface. Special attention is given to those attack scenarios that attackers can use to gain access to Critical Functions and Critical Assets, the crown jewels and most valuable systems and data.
As the name implies, “Threat Intelligence” seeks to gain insight into threats.
There are four classical levels of threat intelligence:
- Strategic Threat Intelligence: strategic insights from a ‘bird’s eye view’.
- Tactical Threat Intelligence: knowledge of tactical approaches such as TTPs (Tactics, Techniques, Procedures)
- Operational Threat Intelligence: knowledge of artifacts, infrastructure and results (for example, captured data, exploited access and attack paths etc.) of recent past and current attacker operations
- Technical Threat Intelligence: technical artifacts of attacks such as IP addresses, file fingerprints or hashes.
All this information is gathered from a variety of different sources. Here are just a few examples:
- Dark Net
- Deep Web
- Monitoring of communication channels
- Technical threat intel feeds
- Reports of analysis of past attack campaigns
- Malware analysis
- C2 analysis
- and much more.
The result is a report that summarizes the current activities and TTPs (Tactics, Techniques, Procedures) of the relevant threat actors, along with insights into their infrastructure, malware and behavioral patterns.
This enables organizations to better prepare for these attackers.
Targeted Threat Intelligence (TTI) for TIBER Testing
TIBER tests are tests based on the European (TIBER-EU) or German (TIBER-DE) framework for Red Team Assessments in the financial sector (banks, insurance companies, other financial market players etc.). These Red Team Assessments are based on Targeted Threat Intelligence (TTI), hence the name TIBER – Threat Intelligence-Based Ethical Red Teaming.
According to TIBER-DE or TIBER-EU, the testing phase of a TIBER Red Team Assessment consists of two steps:
- Targeted Threat Intelligence phase
- Red Teaming phase
NSIDE can competently perform either phase individually or both together. Do you need Targeted Threat Intelligence for a TIBER test, Red Teaming for a TIBER project, or both? Please feel free to contact us.
Difference between Targeted Threat Intelligence and Penetration Testing
Penetration testing is active technical security testing in which testers interact directly with an already defined target and uncover as many specific technical vulnerabilities as possible. TTI, on the other hand, identifies all potential attack targets in an organization and maps their attack surface, attack vectors and attack scenarios. Knowledge about attackers' targets and modus operandi is also integrated into the analysis to describe active threats from malicious actors (threat actors). This makes TTI a preparatory activity for attacks or attack simulations.
Difference between Targeted Threat Intelligence and OSINT/WEBINT Analyses
OSINT/WEBINT analyses are a part of Target Intelligence. Target Intelligence, in turn, is one half of Targeted Threat Intelligence.