Operationalizing Threat Intelligence
By: Wilhoit, Opacki
Overview of this book

We’re living in an era where cyber threat intelligence is becoming more important. Cyber threat intelligence routinely informs tactical and strategic decision-making throughout organizational operations. However, finding the right resources on the fundamentals of operationalizing a threat intelligence function can be challenging, and that’s where this book helps. In Operationalizing Threat Intelligence, you’ll explore cyber threat intelligence in five fundamental areas: defining threat intelligence, developing threat intelligence, collecting threat intelligence, enrichment and analysis, and finally production of threat intelligence. You’ll start by finding out what threat intelligence is and where it can be applied. Next, you’ll discover techniques for performing cyber threat intelligence collection and analysis using open source tools. The book also examines commonly used frameworks and policies as well as fundamental operational security concepts. Later, you’ll focus on enriching and analyzing threat intelligence through pivoting and threat hunting. Finally, you’ll examine detailed mechanisms for the production of intelligence. By the end of this book, you’ll be equipped with the right tools and understand what it takes to operationalize your own threat intelligence function, from collection to production.
Table of Contents (18 chapters)

  • Section 1: What Is Threat Intelligence?
  • Section 2: How to Collect Threat Intelligence
  • Section 3: What to Do with Threat Intelligence

How to get CTI

Getting information about threats is relatively easy: either you are producing data through internal product telemetry, you are collecting it from an external data feed, or you are doing both. Data and information that can serve as the foundation for threat intelligence is only a web search away, and such a search will turn up many sources offering threat data as feeds that you can use to begin the evaluation and enrichment process. One important thing to note, though, is that this information is not CTI; it is a threat data feed. Once you have a feed in place, you still need to consider whether the information is credible, actionable, and timely, and how you will work it into your internal standard operating procedures or security automations. In the rest of this section, I want to walk you through gathering some technical information from an open source resource published on the internet. This will give you an introduction if you are starting your journey from scratch.

Some of the most common indicator types for which individuals and organizations seek context and reputation are URLs, domains, and IP addresses. These indicators are scattered throughout the logs of any corporate environment, and nobody with any kind of digital footprint does business without touching some form of them. Domain, URL, and IP address reputation intelligence helps a user determine whether an internet endpoint is safe, suspicious, or malicious, allowing an individual or an organization to protect itself against a known malware source, its delivery mechanisms, or other malicious content on the web.

Let me introduce you to a free web-based service called urlscan.io. Its mission is to allow anyone to analyze unknown and potentially malicious websites easily and confidently. According to its website (https://www.urlscan.io), the following is true:

When a URL is submitted to urlscan.io, an automated process will browse to the URL like a regular user and record the activity that this page navigation creates. This includes the domains and IPs contacted, the resources (JavaScript, CSS, etc) requested from those domains, as well as additional information about the page itself. urlscan.io will take a screenshot of the page, record the DOM content, JavaScript global variables, cookies created by the page, and a myriad of other observations. If the site is targeting the users of one of the more than 400 brands tracked by urlscan.io, it will be highlighted as potentially malicious in the scan results.

The urlscan.io service itself is free, but they also offer commercial products for heavy users and organizations that need additional insight.

To begin utilizing urlscan.io, simply navigate to their website and type the URL you are seeking a reputation for into the form field at the top of the page, as referenced in Figure 1.1. Then, click on Public Scan to begin the process:

Figure 1.1 – The urlscan.io landing page


Once you click on Public Scan, urlscan.io runs the process described earlier and produces a reputation assessment of the site in question. It provides the results of its analysis and a verdict that you can use for decision-making. An example of a malicious urlscan.io result, along with all the additional observables produced during the scan of the URL, can be seen in Figure 1.2:

Figure 1.2 – The urlscan.io results for a malicious domain


You can clearly see in the results that urlscan.io believes this URL hosts malicious activity specifically targeting Credit Agricole, a financial services company based in France. The scan also produces a large amount of data and information about the URL that can be collected and used as part of creating your CTI.

If you click on the Indicators tab on the website, you will be presented with Figure 1.3:

Figure 1.3 – The Indicators tab on urlscan.io


The results of the URL scan give us a small demonstration of how data is turned into information that can serve as the foundation for CTI. The following list is a sampling of indicator data from the scan, along with the indicator types:

  • URL: https://www.dorkyboy.com/photoblog/templates/smokescreen/styles/js/mdddss/lmmnodejs/
  • DOMAIN: dorkyboy.com
  • IP ADDRESS: 174.136.24.154
  • HASH (SHA-256): 1c8399c9f4f09feb8f95fe39465cc7e70597b0097ad92da954db82646ec68dc3
  • HASH (SHA-256): 7b0da639a2ad723ab73c08082a39562aa3a2d19adb7472f1dbb354c5fd0b4c20

In this example, the URL was the first piece of data used to start an operational investigation for this use case. Through urlscan.io, it was determined that the associated indicators (the domain, the IP address, and the resource hashes) could be tied to that initial data. This is often called pivoting, and it is part of the hunting and enrichment process that we describe in detail in later chapters. Hunting and enrichment provide the information we then use to create our threat intelligence. Finally, based on the result set, we can see that the URL is malicious and that the threat actor behind it is specifically targeting the financial services industry in France. Further investigation would show that the URL points to a phishing kit deployed on a compromised website, which is being used to collect account credentials.
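The workflow above (submit the URL, pull back the result, lift out the indicators and the verdict) can be driven through the urlscan.io API instead of the web form. The following is an added example written for this chapter; it is not code from the book or from urlscan.io. The two network functions are shown but not exercised, and SAMPLE_RESULT is a constructed document that mirrors the shape of a urlscan.io result (page, lists, verdicts) using the indicators listed above; the field names are an assumption taken from the public API documentation, and the score and category are illustrative.

```python
"""Submit a URL to urlscan.io and turn the result into pivotable indicators.

Added example, not code from the book or urlscan.io. submit_scan() and
fetch_result() call the public API and are only shown here. SAMPLE_RESULT
is CONSTRUCTED to mirror the shape of a urlscan.io result; its field names
are an assumption drawn from the public API docs.
"""
import json
import urllib.request
from typing import Dict, List, Tuple

URLSCAN_API = "https://urlscan.io/api/v1"


def submit_scan(url: str, api_key: str, visibility: str = "public") -> str:
    """The API equivalent of clicking Public Scan; returns the scan UUID.

    Use visibility="unlisted" when the URL itself is sensitive, e.g. a
    phishing link that carries the victim's e-mail address in the path.
    """
    body = json.dumps({"url": url, "visibility": visibility}).encode()
    req = urllib.request.Request(
        f"{URLSCAN_API}/scan/", data=body, method="POST",
        headers={"API-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["uuid"]


def fetch_result(uuid: str) -> Dict:
    """Fetch the finished scan; poll until the API stops answering 404."""
    with urllib.request.urlopen(f"{URLSCAN_API}/result/{uuid}/", timeout=30) as resp:
        return json.load(resp)


def extract_indicators(result: Dict) -> List[Tuple[str, str]]:
    """Flatten a result into deduplicated (type, value) pairs, ordered the way
    the chapter lists them: the scanned URL, then domains, IPs and hashes."""
    page, lists = result.get("page", {}), result.get("lists", {})
    found: List[Tuple[str, str]] = []

    def add(kind: str, value: str) -> None:
        if value and (kind, value) not in found:
            found.append((kind, value))

    add("URL", page.get("url", ""))
    add("DOMAIN", page.get("domain", ""))
    add("IP ADDRESS", page.get("ip", ""))
    for domain in lists.get("domains", []):
        add("DOMAIN", domain)
    for ip in lists.get("ips", []):
        add("IP ADDRESS", ip)
    for digest in lists.get("hashes", []):
        if len(digest) == 64:          # SHA-256 of a fetched resource body
            add("HASH", digest.lower())
    return found


def verdict_summary(result: Dict) -> Dict:
    """The fields an analyst actually decides on: flag, score, targeted brands."""
    overall = result.get("verdicts", {}).get("overall", {})
    brands = overall.get("brands", [])
    return {
        "malicious": bool(overall.get("malicious", False)),
        "score": int(overall.get("score", 0)),
        "categories": list(overall.get("categories", [])),
        # brands may appear as plain strings or as {"name": ...} objects
        "brands": [b.get("name", "") if isinstance(b, dict) else b for b in brands],
    }


# CONSTRUCTED sample: the indicators are the ones listed in the chapter; the
# score and category are illustrative, not a real urlscan.io response.
SAMPLE_RESULT = {
    "page": {
        "url": "https://www.dorkyboy.com/photoblog/templates/smokescreen/styles/js/mdddss/lmmnodejs/",
        "domain": "www.dorkyboy.com",
        "ip": "174.136.24.154",
    },
    "lists": {
        "domains": ["www.dorkyboy.com", "dorkyboy.com"],
        "ips": ["174.136.24.154"],
        "hashes": [
            "1c8399c9f4f09feb8f95fe39465cc7e70597b0097ad92da954db82646ec68dc3",
            "7b0da639a2ad723ab73c08082a39562aa3a2d19adb7472f1dbb354c5fd0b4c20",
        ],
    },
    "verdicts": {
        "overall": {"score": 100, "malicious": True, "categories": ["phishing"],
                    "brands": [{"name": "Credit Agricole"}]},
    },
}

if __name__ == "__main__":
    for kind, value in extract_indicators(SAMPLE_RESULT):
        print(f"{kind}: {value}")
    print(verdict_summary(SAMPLE_RESULT))
```

Deduplication matters in practice: the scanned IP shows up both on the page object and in the contacted-IP list, and a feed that emits the same indicator twice will double-count hits in downstream detections. The hash filter keeps only 64-character digests so that anything that is not a SHA-256 does not end up labelled as one.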

Based on all the information provided here, you can see that, placed in the right context, decisions about the URL can be made to protect your users or harden your security posture.

Important Note

In the preceding example, the URL is malicious in this instance; that does not always mean the domain should be categorized the same way. Legitimate domains are often compromised, and threat actors upload kits meant to target specific brands and then socially engineer users into visiting the deep URL within the domain. Once the compromise has been identified, the domain owner will go through a cleanup process to remove the malicious content. A malicious categorization should therefore carry a timeout and a re-evaluation period, ensuring that the verdict remains accurate and that any initial malicious categorization expires or is re-evaluated.
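Both rules in the note, that a malicious deep URL does not by itself condemn the domain and that a verdict must expire or be re-evaluated, can be encoded in a small scoping and aging policy. The following is an added example written for this chapter, not code from the book or from urlscan.io; the TTL values and the timestamp are illustrative assumptions, not any vendor's actual policy, and the sample verdict is constructed from the URL listed above.

```python
"""Scope and age a malicious verdict.

Added example, not code from the book or urlscan.io. A malicious deep URL on
a legitimate (compromised) domain yields only a "suspicious" domain verdict,
and every verdict carries an expiry after which it must be re-evaluated.
The TTL values are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List
from urllib.parse import urlsplit

DAY = timedelta(days=1)
# Assumed review windows: a kit on a compromised site is usually removed within
# days, so URL verdicts are rechecked sooner than IP or domain verdicts.
TTL = {"URL": 7 * DAY, "IP ADDRESS": 14 * DAY, "DOMAIN": 30 * DAY}


@dataclass(frozen=True)
class Verdict:
    kind: str            # "URL", "DOMAIN" or "IP ADDRESS"
    value: str
    verdict: str         # "malicious", "suspicious" or "benign"
    observed_at: datetime
    source: str = "urlscan.io"

    @property
    def expires_at(self) -> datetime:
        return self.observed_at + TTL[self.kind]


def effective_verdict(v: Verdict, now: datetime) -> str:
    """Past its TTL a verdict is no longer asserted; it becomes a re-check task."""
    return v.verdict if now < v.expires_at else "reevaluate"


def domain_verdict_from_urls(domain: str, verdicts: List[Verdict], now: datetime) -> str:
    """What the URL-level evidence lets us say about the parent domain.

    Only live (unexpired) URL verdicts under the domain count. A malicious
    deep path yields "suspicious": blocking the apex would also block the
    legitimate site. The domain is "malicious" only when its landing page
    ("/") is itself the malicious content.
    """
    by_path: Dict[str, str] = {}
    for v in verdicts:
        if v.kind != "URL":
            continue
        parts = urlsplit(v.value)
        host = parts.hostname or ""
        if host != domain and not host.endswith("." + domain):
            continue
        live = effective_verdict(v, now)
        if live != "reevaluate":
            by_path[parts.path or "/"] = live
    if not by_path:
        return "unknown"
    if by_path.get("/") == "malicious":
        return "malicious"
    if "malicious" in by_path.values() or "suspicious" in by_path.values():
        return "suspicious"
    return "benign"


# CONSTRUCTED sample built from the chapter's URL; the timestamp is invented.
OBSERVED_AT = datetime(2022, 1, 8, tzinfo=timezone.utc)
KIT_URL = "https://www.dorkyboy.com/photoblog/templates/smokescreen/styles/js/mdddss/lmmnodejs/"
KIT_VERDICT = Verdict("URL", KIT_URL, "malicious", OBSERVED_AT)

if __name__ == "__main__":
    for days in (1, 8):
        now = OBSERVED_AT + days * DAY
        print(days, effective_verdict(KIT_VERDICT, now),
              domain_verdict_from_urls("dorkyboy.com", [KIT_VERDICT], now))
```

One day after the scan the URL is still asserted malicious and the domain is only suspicious; eight days later the URL verdict has expired into a re-evaluation task and, with no live evidence left, the domain drops back to unknown rather than staying blocked on a stale finding.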

Almost any organization can retrieve and receive CTI, but that doesn't necessarily mean that the intelligence is actually usable and good. In the following section, we're going to take a deep dive into what constitutes good CTI.
