Cyber threat intelligence (CTI) serves a broad purpose: to inform, advise, and empower stakeholders within an organization. Successful CTI functions invariably put stakeholder intelligence requirements at the heart of their mission statement. But, any CTI team can and should adopt a requirements-focused approach.
In our report, A Requirements-Driven Approach to Cyber Threat Intelligence, we outline what it means to be requirements-driven in practice. We offer actionable advice on how intelligence functions can implement and optimize such an approach within their organizations.
Implementing a requirements-driven approach to CTI has never been more important. In a recent Mandiant global survey, we found that while 96% of security decision-makers believe it is important to understand which threats could be targeting their organization, 79% of respondents make decisions without adversary insights the majority of the time. With operationalizing threat intelligence posing a challenge for many security functions, a requirements-driven approach to CTI introduces essential building blocks for a thriving intelligence capability within an organization.
Adversaries take numerous directions to gain authorization for actions on targeted endpoints: privilege escalation, DLL side-loading, credential theft, and more.
Browser extensions, Android Packages (APKs), and other permission declaring files take a different approach-they declare the permissions they require, sensitive or not. These file types are external code sources that are given authorization to run with varying degrees of permissions. Due to their unique file type, not being a standard executable, there is a lack of automated analysis that is performed on these files. Security researchers, threat hunters, and cyber analysts need a method to cluster, hunt for, and pivot between browser extensions, APKs, and other files that declare a set of permissions in a repeatable and scalable way.
In 2022, Mandiant identified attacker activity centered in Microsoft Azure that Mandiant attributed to UNC3944.
Mandiant's investigation revealed that the attacker employed malicious use of the Serial Console on Azure Virtual Machines (VM) to install third-party remote management software within client environments. This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM. Unfortunately, cloud resources are often poorly misunderstood, leading to misconfigurations that can leave these assets vulnerable to attackers. While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: Attackers have their eyes on the cloud.
See all Archived Mandiant News articles
See all articles from this issue