Under the hood.
Group-IB Threat Intelligence & Attribution. Part 2

How we make Tailored Threat Intelligence
Dmitry Volkov
CTO & Co-Founder, Group-IB
Adversary-centric cyber Threat Intelligence has become an increasingly important aspect of cybersecurity. The urgency of using Threat Intelligence solutions was reflected in the recent updates to ISO 27002, the information security standard of the International Organization for Standardization. The latest amendments, which include Threat Intelligence controls, highlight the growing importance of TI solutions in supporting corporate security teams as they proactively hunt for upcoming threats.

If used properly, Threat Intelligence can help significantly in operational and strategic cybersecurity decision-making. In the previous post in our series "Under the hood. Group-IB Threat Intelligence & Attribution" we took a deep dive into different aspects of monitoring breached databases and explained how companies can better protect themselves using this data. This time we'll focus on the importance of tailored threat intelligence.

Tailored Threat Intelligence is the key to making an organization's threat intelligence program effective. There are many services on the market that are ready to overload you with different types of threat intelligence, but in fact the more you see, the less you can do with it, because it simply pulls your focus away from what is important. Frost & Sullivan emphasize this point in their latest Frost Radar: Global Cyber Threat Intelligence Market report, stating that "While threat intelligence feeds are highly valuable, they can be deemed utterly useless if they are not curated, contextualized, and operationalized".

At Group-IB, we apply an advanced approach to provide tailored threat intelligence that is unique to each client. In the Frost Radar report, Frost & Sullivan concluded that "Group-IB is one of the few vendors in the market that conducts intelligence collection in line with customers' requirements." We achieve this high level of accuracy thanks to our four-phase approach:

  • Consulting during client onboarding
  • Creation of custom Threat Hunting rules
  • Managing a tailored threat landscape
  • Writing tailored reports and research

Consulting during client onboarding and after
We build and maintain strong relationships with organizations: interviewing them before and during the PoC, throughout the onboarding process, and then during support once they become a customer. The goal is to design the organization's priority intelligence requirements (PIRs), if they have not been established already.

Every customer has a dedicated manager from Group-IB who acts as a single direct point of contact for any type of request, including putting the organization's analysts in contact with Group-IB's security experts. The organization's requests are directed to the appropriate Group-IB team based on that unit's area of expertise. These communications are managed through the Threat Intelligence & Attribution system, making the entire process transparent, especially when an organization has a large team of analysts.

Custom Threat Hunting rules
To automate the process of aggregating tailored threat intelligence, we create Threat Hunting rules. The settings of Threat Hunting rules can be further tuned by the customer to match their priority intelligence requirements as they change, for example as the company grows, begins an acquisition, or expands into new markets. These rules can be created to hunt for intelligence in 16 different domains:
  • Dark web
  • Cybercriminal actors
  • Nation-state actors
  • Malware families
  • Compromised accounts
  • Compromised bank cards
  • Git leaks
  • Public leaks
  • Breached databases
  • Vulnerabilities
  • Targeted trojans
  • Phishing attacks
  • Phishing kits
  • DDoS attacks
  • Deface attacks
  • Suspicious IPs
During the initial configuration of Threat Hunting rules, we ask the organization to provide us with a list of its domains, IP addresses, BIN numbers and brands, which the client can see in its company settings. This information allows us to immediately create custom hunting rules that give the organization tailored intelligence without requiring any additional configuration.

The initial hunting rules based on domains, IP addresses, BIN numbers and brands allow us to identify compromised credentials belonging to the organization that we observe in logs from botnets, in phishing, or in breached databases that different threat actors share on dark web resources, as well as malware samples configured to attack the organization and phishing kits that abuse the organization's brands.

To make rule creation simpler and faster, Group-IB supports tokenized searches and provides hints on which tokens can be used. Additionally, we support the logical operators OR, NOT and AND, which allow complex queries to be built that return the most relevant results. For example, if a customer wants to be notified about advertisements on the dark web selling access to a corporate network with domain admin privileges, they can create the rule:

    "domain admin" AND access AND sell* AND NOT buy

They will then get results like those shown in the screenshot below, where different threat actors sell access to a US bank, a US government network, a company in the Middle East with revenue of 1 billion, and many others.

Tokenized searches can also be used to analyze reports about nation-state threat actors or cybercriminals, allowing information about attacks to be filtered by specific industries, regions, or countries. Alternatively, queries can be used to discover vulnerabilities and exploits relevant to your company based on the software you are using, or to stay aware of highly critical vulnerabilities.
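To make concrete how a rule like the one above is applied to collected text, here is a small evaluator written for this post as an added example. It is not Group-IB's code and not the platform's actual query syntax; it assumes the elements shown above (quoted phrases, bare words, a trailing `*` prefix wildcard, AND / OR / NOT) plus two assumptions of ours: parentheses for grouping, and NOT binding tighter than AND, which binds tighter than OR. The sample listings are constructed. The example also goes one step beyond the post's single rule by showing why `sell*` misses a listing phrased as "for sale" and how OR broadens the rule without losing the `NOT buy` exclusion.

```python
"""Added illustrative example, not Group-IB's code. Assumed syntax: "quoted phrases",
bare words, trailing * prefix wildcard, AND / OR / NOT (NOT binds tightest,
then AND, then OR) and optional parentheses for grouping (our assumption)."""
import re

_TOKEN_RE = re.compile(r'"([^"]*)"|\(|\)|[^\s()"]+')  # phrase | ( | ) | bare term
_WORD_RE = re.compile(r"[a-z0-9_]+")


def tokenize_rule(rule):
    """Split a rule string into (kind, value) tokens; terms are lower-cased."""
    tokens = []
    for m in _TOKEN_RE.finditer(rule):
        if m.group(1) is not None:
            tokens.append(("PHRASE", m.group(1).lower()))
        elif m.group(0) in ("(", ")"):
            tokens.append((m.group(0), m.group(0)))
        elif m.group(0).upper() in ("AND", "OR", "NOT"):
            tokens.append(("OP", m.group(0).upper()))
        else:
            tokens.append(("TERM", m.group(0).lower()))
    return tokens


def parse_rule(rule):
    """Recursive-descent parser returning a nested tuple tree."""
    tokens, pos = tokenize_rule(rule), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError("rule ended unexpectedly")
        pos += 1
        return tok

    def binary(op, below):  # left-associative chain of one operator
        node = below()
        while peek() == ("OP", op):
            take()
            node = (op, node, below())
        return node

    def parse_not():
        if peek() == ("OP", "NOT"):
            take()
            return ("NOT", parse_not())
        tok = take()
        if tok == ("(", "("):
            node = binary("OR", lambda: binary("AND", parse_not))
            if take() != (")", ")"):
                raise ValueError("unbalanced parentheses")
            return node
        if tok[0] in ("PHRASE", "TERM"):
            return tok
        raise ValueError(f"unexpected token {tok!r}")

    tree = binary("OR", lambda: binary("AND", parse_not))
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return tree


def evaluate(node, text, words):
    """Apply a parsed rule to normalised text and its set of words."""
    kind = node[0]
    if kind == "PHRASE":  # case-insensitive exact phrase
        return node[1] in text
    if kind == "TERM":
        if node[1].endswith("*"):  # prefix wildcard: sell* hits sells, selling
            return any(w.startswith(node[1][:-1]) for w in words)
        return node[1] in words  # whole-word match
    if kind == "NOT":
        return not evaluate(node[1], text, words)
    left = evaluate(node[1], text, words)
    if kind == "AND":
        return left and evaluate(node[2], text, words)
    return left or evaluate(node[2], text, words)


def hunt(rule, posts):
    """Return indices of the posts on which the rule fires."""
    tree = parse_rule(rule)
    hits = []
    for i, post in enumerate(posts):
        text = re.sub(r"\s+", " ", post.lower())
        if evaluate(tree, text, set(_WORD_RE.findall(text))):
            hits.append(i)
    return hits


# Constructed sample listings for the demo, not real collected data.
SAMPLE_POSTS = [
    "Selling access to corporate network, domain admin rights included",
    "Looking to buy domain admin access to any company, paying well",
    "Sells VPN creds, user level only",
    "Domain admin account for sale, fortune 500 network access",
]
RULE = '"domain admin" AND access AND sell* AND NOT buy'
BROADER_RULE = '"domain admin" AND access AND (sell* OR sale) AND NOT buy'
```

`hunt(RULE, SAMPLE_POSTS)` returns `[0]`: the "for sale" listing is missed because `sell*` only matches words that start with "sell", while the "buy" request is correctly excluded. `hunt(BROADER_RULE, SAMPLE_POSTS)` returns `[0, 3]`, which is the kind of tuning a customer does as their intelligence requirements sharpen. Whole-word matching for bare terms keeps `access` from firing on unrelated words such as "accessory".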
Tailored threat landscape
One of the biggest challenges for any company is to answer the following important questions:

• Who attacks my company?
• Who threatens my partners and clients and could potentially attack me through the supply chain?
• What poses a threat to my industry in different regions?
• Who are the trending actors that I should track even if they don't attack me?

We can rephrase all these questions as one: What is my threat landscape, and what does it look like?

Unlike other Threat Intelligence providers, we do not just offer data on threats, but a complete map of attackers, tracking their activity and ranking them according to various criteria. We are the first provider to have made this possible and a leading innovator in the threat attribution space.

Our new threat landscape tool allows organizations to tune the reporting they receive about threat actors. The threat landscape interface in Group-IB Threat Intelligence & Attribution is a four-part matrix that can be viewed from the dashboard and from a dedicated section of the system. The landscape can be tuned either by Group-IB analysts or by the clients themselves based on the data they receive from their security solutions and research, and for each client the matrix is unique. Each part of the matrix includes cards with information on specific threat groups:

The threat landscape serves as the basis for personalizing incoming data, reports, settings, and notifications, so that you track only what is important and analyze this information using the following sections of the Group-IB Threat Intelligence & Attribution system. If we detect a threat targeting your company or your partner/client, Group-IB will automatically add this threat to your threat landscape.

In order to create a finely tuned threat landscape, high-quality profiling of attackers is necessary. We have moved to a new level through a series of process and technical innovations. First, we have moved away from providing unrelated threat bulletins to reporting on threat actors: every threat or event report is now assigned to a specific threat actor, of one of two types, Cybercriminal or Nation-State. Second, we created a new framework that allows us to track threat actors with all the needed details. If we detect a threat actor that matches a client's intelligence requirements, we launch threat profiling processes to build up information about them. We created our own model for managing threat actor profiles, which includes:

• Timeline with campaigns and critical events
• Description of their attacks
• Timestamps, targeted countries, sectors and companies, if such information is available
• MITRE ATT&CK matrix
• Network indicators of compromise
• Files and how they are linked
• Malware used in their campaigns
• Legitimate tools used by the attacker
• CVEs, affected software, available exploits

The report also contains data needed by analysts to conduct further investigation:

• contact details
• information about the threat actor's partners and clients
• their accounts on the dark web
• financial account information

Tailored reports & research
During analysis and reporting on many threat actors, we discover that they have ongoing campaigns, or are in the process of preparing attacks, that are linked to our customers. In this case, we create a tailored TLP:RED report for the affected clients that is available only to them. The report is listed with the special tag "Tailored" in the timeline of the actor's activity in the client's portal, as shown below.

Also, all our clients can send us an unlimited number of RFIs (requests for information) to get more details about specific threats or threat actors. Depending on the RFI, we can create new threat actor profiles with tailored reports available only to the client, as well as general reports that are available to all our clients. If the RFI is not about a specific threat, for example when a client requests that an underground source be reviewed, we will prepare a full PDF report that is available as a separate piece of research among the strategic reports that we provide on a monthly, quarterly and annual basis.

At Group-IB we believe that only tailored threat intelligence can be actionable, manageable and provide real value for the client. Without customization to an organization's specific needs, threat intelligence turns into a data feed that cannot be meaningfully analyzed. Our unique four-phase approach allows us to customize the information that we provide to our clients to ensure they get the most relevant and comprehensive insight into their threat landscape.

Organizations that attempt to consume raw technical indicators themselves from free or paid sources are at risk of information overload. This data should be analyzed and used by security providers that have the in-house expertise to correctly analyze and disseminate it.

Gain the edge over adversaries now with Group-IB Threat Intelligence & Attribution