TLP:CLEAR
Cyber Threat Intelligence
Actively monitor intelligence feeds for threat or vulnerability advisories from government, trusted partners, open sources, and commercial entities. Cyber threat intelligence can include threat landscape reporting, threat actor profiles and intents, organizational targets and campaigns, as well as more specific threat indicators and courses of action. Ingest cyber threat indicators and integrated threat feeds into a SIEM, and use other defensive capabilities to identify and block known malicious behavior. Threat indicators can include:
• Atomic indicators, such as domains and IP addresses, that can detect adversary infrastructure and tools
• Computed indicators, such as Yara rules and regular expressions, that detect known malicious artifacts or signs of activity
• Patterns and behaviors, such as analytics that detect adversary tactics, techniques, and procedures (TTPs)
Atomic indicators can initially be valuable to detect signs of a known campaign. However, because adversaries often change their infrastructure (e.g., watering holes, botnets, C2 servers) between campaigns, the “shelf-life” of atomic indicators for detecting new adversary activity is limited. In addition, advanced threat actors might leverage different infrastructure against different targets or switch to new infrastructure during a campaign when their activities are detected. Finally, adversaries often hide in their targeted environments, using native operating system utilities and other resources to achieve their goals. For these reasons, agencies should use patterns and behaviors, or adversary TTPs, to identify malicious activity when possible. Although detection methods based on TTPs are more difficult to apply and to verify, TTPs provide more useful and sustainable context about threat actors, their intentions, and their methods than atomic indicators alone. The MITRE ATT&CK® Framework documents and explains adversary TTPs in detail, making it a valuable resource for network defenders.[10]

Sharing cyber threat intelligence is a critical element of preparation. FCEB agencies are strongly encouraged to continuously share cyber threat intelligence—including adversary indicators, TTPs, and associated defensive measures (also known as “countermeasures”)—with CISA and other partners. The primary method for sharing cyber threat information, indicators, and associated defensive measures with CISA is via the Automated Indicator Sharing (AIS) program.[11] FCEB agencies should be enrolled in AIS. If the agency is not enrolled in AIS, contact CISA for more information.[12] Agencies should use the CISA Cyber Threat Indicator and Defensive Measures Submission System—a secure, web-enabled method—to share with CISA cyber threat indicators and defensive measures that are not applicable or appropriate to share via AIS.[13]

[10] See Best Practices for MITRE ATT&CK® Mapping Framework for guidance on using ATT&CK to analyze and report on cybersecurity threats.
[11] CISA Automated Indicator Sharing
Active Defense
FCEB agencies with advanced defensive capabilities and staff might establish active defense capabilities—such as the ability to redirect an adversary to a sandbox or honeynet system for additional study, or “dark nets”—to delay the ability of an adversary to discover the agency’s legitimate infrastructure. Network defenders can implement honeytokens (fictitious data objects) and fake accounts to act as canaries for malicious activity. These capabilities enable defenders to study the adversary’s behavior and TTPs and thereby build a full picture of adversary capabilities.
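The three indicator tiers described under Cyber Threat Intelligence (atomic, computed, and behavioral TTP analytics) together with the fake-account canary from the Active Defense paragraph, applied to constructed telemetry. This is an added illustration, not code from the playbook or from CISA; every indicator value, hostname, account name, and event below is made up for the example, and the behavioral analytic (a burst of native discovery utilities on one host) is one assumed TTP detection, not a prescribed one.

```python
import re
from collections import defaultdict

# Constructed sample indicators for illustration; none of these are real IoCs.
ATOMIC = {"dst_ip": {"203.0.113.45"}, "dst_domain": {"update-check.example.net"}}
COMPUTED = {"encoded_powershell": re.compile(r"powershell(\.exe)?\b.*\s-enc\s+[A-Za-z0-9+/=]{40,}", re.I)}
DISCOVERY_TOOLS = {"whoami.exe", "net.exe", "nltest.exe", "systeminfo.exe", "ipconfig.exe"}
HONEYTOKEN_ACCOUNTS = {"svc_backup_legacy"}  # fictitious canary account with no legitimate use

def atomic_hits(e):
    """Tier 1: exact match on known adversary infrastructure (short shelf-life)."""
    return [("atomic", e["host"], f"{k} {e[k]}") for k, known in ATOMIC.items() if e.get(k) in known]
def computed_hits(e):
    """Tier 2: regex/signature match on artifact content (here, the command line)."""
    return [("computed", e["host"], n) for n, rx in COMPUTED.items() if rx.search(e.get("cmdline", ""))]
def honeytoken_hits(e):
    """Canary: any use of a fictitious account is suspicious by definition."""
    return [("honeytoken", e["host"], "account " + e["user"])] if e.get("user") in HONEYTOKEN_ACCOUNTS else []
def behavior_hits(events, window=60, threshold=3):
    """Tier 3: TTP analytic. Flags a host that runs >= threshold distinct native
    discovery utilities within `window` seconds, whatever infrastructure is in use."""
    per_host = defaultdict(list)
    for e in events:
        if e.get("process", "").lower() in DISCOVERY_TOOLS:
            per_host[e["host"]].append((e["ts"], e["process"].lower()))
    hits = []
    for host, runs in sorted(per_host.items()):
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            tools = {p for t, p in runs[i:] if t - t0 <= window}
            if len(tools) >= threshold:
                hits.append(("behavior", host, "discovery burst: " + ",".join(sorted(tools))))
                break
    return hits
def triage(events):
    """Apply every tier to a batch of events; returns (tier, host, detail) alerts."""
    alerts = [h for e in events for h in atomic_hits(e) + computed_hits(e) + honeytoken_hits(e)]
    return alerts + behavior_hits(events)

# Constructed telemetry: WS-01 still uses old, known infrastructure; WS-02 has rotated to
# unknown infrastructure but keeps the same TTPs, so only tiers 2 and 3 and the canary see it.
EVENTS = [
    {"ts": 0, "host": "WS-01", "dst_ip": "203.0.113.45"},
    {"ts": 5, "host": "WS-02", "dst_ip": "198.51.100.7", "dst_domain": "cdn-sync.example.org"},
    {"ts": 10, "host": "WS-02", "process": "powershell.exe", "cmdline": "powershell.exe -w hidden -enc " + "QQ" * 24},
    {"ts": 20, "host": "WS-02", "process": "whoami.exe"},
    {"ts": 30, "host": "WS-02", "process": "net.exe"},
    {"ts": 45, "host": "WS-02", "process": "nltest.exe"},
    {"ts": 50, "host": "WS-02", "user": "svc_backup_legacy"},
]
```

Running `triage(EVENTS)` yields one alert per tier: the atomic match only catches WS-01, while WS-02, which rotated its infrastructure, is caught solely by the computed signature, the behavioral analytic, and the honeytoken.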
[12] CISA Automated Indicator Sharing
[13] CISA Cyber Threat Indicator and Defensive Measure Submission System
CISA | Cybersecurity and Infrastructure Security Agency