Know your enemy: Collect and share threat actor intelligence

Collect, analyze, and share threat actor intelligence 7X faster than alternative searches.

Aug 16, 2024 - 13:10
 0  8
Know your enemy: Collect and share threat actor intelligence
Threat Intelligence

Know your enemy: Collect and share threat actor intelligence

TTPs, IoCs, Malware, MITRE ATT&CK

15-second summary

Threat actor groups number in the hundreds, are well-resourced, and employ highly evolved tactics and techniques. Knowing which threat actors are targeting your industry and their TTPs requires constant diligence.

To improve your threat actor intelligence collection, prioritization, and sharing:

  • Feedly AI has been trained to understand the concept of threat actors and their aliases to help you know where they are attacking and their tactics, techniques, and procedures.
  • Create Threat Actor AI Feeds that continuously scan the open web and collect intelligence to keep up with their behaviors and evolution.
  • Prioritize the most crucial intelligence on team boards and collaborate with your team.
  • Share security metadata that Feedly AI extracts from the articles, such as IoCs and TTPs, with your security tools.

AI Feeds deliver precise, actionable, and timely insights while saving you significant time.

Challenges monitoring threat actors

Threat actors don’t want you to know who they are, how they operate, or their targets, so they try to deceive you (and everyone else). Here are a couple of reasons why tracking them is hard and what you can do about it.

  • Threat actors evolve their tactics. While some are more dynamic than others, understanding how they are changing their Tactics, Techniques, and Procedures (TTPs) can help you understand if your defenses need adjusting. To keep up to speed, you need to constantly monitor news and reports about threat actors.
  • Threat actors often plant misleading information and use similar techniques, making attribution hard. Having broader access to news about threat actors, as well as feeds from your trusted sources, can help you better analyze what’s real or false. You also need a way of tracking hundreds of threat actors and their aliases, whether they appear new or are part of a known group. Manually searching websites isn’t enough.
  • Threat actors change techniques to evade detection. You also need to frequently update your defenses, collecting and adding new Indicators of Compromise (IoCs) to your security tooling. Manual collection is too slow and leaves you open to attacks.

AI Feeds: Let Feedly AI collect threat actor intelligence for you

Feedly’s threat actor AI Models can be added to your AI Feeds to target your intelligence needs. AI Feeds help you collect, analyze, and share threat actor intelligence 7X faster than alternative searches.

Feedly’s Threat Actor AI Feeds:

  • Think like an analyst, understanding over 1,000 threat intel concepts, not just keywords. They also understand threat actor aliases documented in Malpedia.
  • Scan the open web continuously, analyzing millions of articles across 140 million sources daily to rapidly identify changes in threat actor behavior and reduce blind spots.
  • Deliver actionable intelligence, such as IoCs, TTPs, malware associations, and more, in exportable formats like rich STIX 2.1 JSON or MISP. You can launch into MITRE ATT&CK to map your defenses against their methods.

Let’s say you want to track threat actors in your industry to identify any potential new adversaries. You can create an AI Feed by pairing the Threat Actors AI Model with your industry AI Model (let’s say it’s the Finance Industry). Feedly AI will scour through millions of sources and only feature the articles that are relevant to you. If you find a new threat, set up a new feed to monitor it!

AI Feeds: Think like an analyst

Feedly AI has been trained to understand the context, nuances, and deeper meanings of cybersecurity concepts using natural language processing. It works 24/7 to collect intelligence based on the AI Feeds you’ve designed to help you spend less time searching and more time analyzing and prioritizing.

AI Feeds think like an analyst to help you collect relevant threat actor intelligence.

AI Feeds: Automatically tag and enriches articles with security metadata to help jumpstart your analysis

With Feedly for Threat Intelligence, you can quickly identify the relevance of the article with summary insights at the top of the page, highlighted content for easy scanning, and exportable formats for security tool integrations.

Feedly AI enhances articles, highlighting and summarizing important facts to help improve usability.

Customizable AI Feeds to help you better understand your adversaries - three examples

Now, you can create threat actor-specific customized AI Feeds by combining a Threat Actor AI Model with keywords or over 1,000 Threat Intelligence AI Models.

1 - Create a customized AI Feed to find TTPs associated with a threat actor

Find articles that include IoCs, IP addresses, email addresses, hashes, and domains related to the Lazarus Group (and all aliases such as Guardians of Peace and Whois Team).

  • Select the ‘Lazarus Group’ AI Model
  • Click on 'AND'
  • Add the ‘Indicators of Compromise’ AI Model

The articles are not only relevant to the topic, but they are enriched with insights to help you understand and analyze faster. Export them for use in your TIP, SIEM, or SOAR (more below).

AI Feed: Discover indicators of compromise related to threat actors like the Lazarus Group

Tip: If you want to focus on trusted sources to minimize false positives, you can add the Threat Intelligence Report AI Model, which limits the sources of IoCs to structured intel reports.

2 - Collect tactics and techniques associated with threat actors

To defeat your adversary, you need to know them—understand their TTPs. Find articles that include TTPs so you can learn their methods and compare them to your defenses.

  • Select the ‘Threat Actors’ AI Model
  • Click on 'AND'
  • Add the ‘Tactics and Techniques (Mitre ATT&CK)’ AI Model

In this example, articles with TTPs will include links to launch into the MITRE ATT&CK Navigator to better understand how the Lazarus group attacks targets.

AI Feed: Threat actors and their tactics and techniques.

3 - Discover the malware families threat actors use to target the private sector

What malware families are threat actors using to gain access, deploy ransomware, or take down your systems? Pair the ‘Malware’ AI Model with ‘Threat Actors Targeting the Private Sector’ AI Model to identify any blind spots and ensure you have adequate protection in place.

  • Select the 'Threat Actors Targeting the Private Sector’ AI Model
  • Click on 'AND'
  • Add the ‘Malware' AI Model
AI Feed: Malware used by Threat Actors Targeting the Private Sector.

Prioritize critical threat actor intelligence in Team Boards

Save important articles to Team Boards to facilitate deeper analysis, prioritization, and sharing workflows.

  • You can organize Team Boards by threat actor, Priority Intelligence Requirement (PIR), or other means.
  • Add your analysis with notes in the articles and highlight key sentences to make it easier for your team to digest.
  • Notify team members to get their input by tagging their emails or sharing in Slack or Teams.
Selecting a team board and adding an article with annotated notes.

Share IoCs with your SIEM

Feedly makes it easy for you to share data collected from articles with your security tooling. Either export the IoCs via a rich STIX 2.1 format or in JSON format for MISP and then upload it to your SIEM or MISP instance.

Teams can automatically ingest data via the Feedly API into their security tooling to automate defenses.

Export the contents of an article in a rich STIX 2.1 format to ingest into your tools.

Bonus: More threat actor use cases!

We’ve only presented a couple of threat actor use cases in this post, but we’re sure you can think of others. To spark your innovation, here are a few additional ideas for Threat Actor-related Customized AI Feeds we see when working with customers.

Four additional threat actor-related use cases to spark ideas.

Speed up your threat intelligence research

Threat Actor AI Models are just a few of more than 1000 AI Models available in Feedly for Threat Intelligence. Start a free 30-day trial to see how Feedly can help you eliminate blind spots, speed up intelligence gathering, and automate your defenses.Start free trial

Why are there so many threat actor aliases?

There are a few reasons why threat actor groups have multiple aliases or names. Depending on the threat actor group, they may be trying to raise their profile and want to promote their name for political or propaganda purposes. In addition, new aliases might be chosen by threat researchers when they discover what they believe to be a new threat actor.

However, most of the time, the reason for so many aliases is driven by the threat actors in efforts to hide their identities.

  • Anonymity - Using different names helps obscure the group's true identity and makes attribution more difficult.
  • Flexibility - Different names allow the group to compartmentalize different operations or campaigns. If one operation is exposed, the rest remain hidden.
  • Confusion - The multitude of names can confuse security researchers and law enforcement, making analysis and tracking more challenging.
  • Evolution - Groups change over time as members come and go.
  • False flags - Names can be chosen to implicate other groups or nations, misdirecting blame.

The use of multiple names is a classic tactic in the cyber threat landscape. However, it makes tracking their activities more difficult. It’s why Feedly tracks threat actor aliases automatically, so you don’t have to keep track of them.

Automating the collection of threat actor IoCs

There are over 400 threat actor groups and thousands of aliases. Adversaries will often change their tactics to evade defenses. Automating defenses by finding and deploying indicators of compromise (IoCs) into security tools can help teams keep up with changes. Manual collection of IoCs is slow, labor-intensive, and bound to leave you open to blind spots.

You also need to be careful of the IoCs you find. They aren’t always accurate and may include false positives. Implement them and you might keep the good guys out. You can dial up the trustworthiness by focusing on sources you know, including reputable threat intelligence reports.

Often, you’ll find your own IoCs by using honeypots to attract bad actors or performing forensics on infected systems. Be sure to test your IoCs in sandboxes to confirm their effect before implementing them in production systems.

What's Your Reaction?

like

dislike

love

funny

angry

sad

wow