All of us encounter the use (and misuse) of terms like threat hunting, threat modeling, threat intelligence, and threat picture.

  • Threat hunting is about leveraging knowledge of adversaries and the target system to proactively identify (and hopefully eradicate) threats before damage is incurred.
  • Threat Modeling is a structured approach used to identify, assess, and mitigate potential threats and vulnerabilities in a system, application, or environment – outlining the hypothetical ways that a threat might attack us.
  • Threat Intelligence (often called Cyber Threat Intelligence or CTI) characterizes the potential adversaries or troublesome events that might exploit those weaknesses; the organization’s most likely adversaries, attack vectors, and dependencies must then be evaluated against that context.
  • The likely adversaries portion of threat modeling is often called the Threat Picture – an externally-focused view of the most likely attacks your organization will face. 

The value to you in leveraging CTI is multi-faceted – it can provide your team with invaluable insights, improve the architecture deployed, reduce risks, accelerate incident response, and improve your environment’s resilience. The operative word here, though, is ‘can’. Your people, tools, and process should ensure that any approach to leverage CTI fits the organization’s own capabilities, rather than adding insurmountable workloads to already exhausted operators. If your team is leaner, CTI enrichment in your tools and some consultative use of CTI during assessments and tests might be the appropriate level. Whatever your team’s capabilities, your goal should be to move as far up David Bianco’s Pyramid of Pain (shown in Figure 1 below) as possible.

Figure 1: David Bianco’s Pyramid of Pain, Representing the Hierarchy of Adversarial Traits

This model demonstrates how gaining a more fundamental understanding of the adversary’s behaviors – culminating with their Tactics, Techniques and Procedures (TTPs) – can force the adversary to experience more pain and effort to alter their behavior and counter your threat-informed defenses (Figure 2 below). Tools have focused on blocking more ‘atomic’ indicators, like file hashes, domain names, or IP addresses, because they are easy attributes for you and your vendors to build protective policies around. Unfortunately for all of us, it is also rudimentary for adversaries to alter their operations to evade those protections. If you can instead characterize their behaviors more fundamentally and prevent them from using certain techniques or procedures, you force them to reevaluate the effort. They might decide to call off the attack (a great quick win), or they may frustrate themselves as their old tricks fail, which at the very least requires them to spend more time retooling or learning new tricks, and has the added benefit of making a lot of noise, thereby improving detectability!

Figure 2: Forcing the Adversary to Change TTPs Flips the Pain to Them
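To make the difference between the bottom and the top of the pyramid concrete, here is an added example that is not part of the original article. It runs two detections over constructed endpoint events: an indicator match on a file hash and a hostname (atomic indicators), and a behaviour match on an Office application launching a PowerShell host with an encoded command (a procedure). The event fields, hashes, hostnames and base64 placeholder are all made up for the example and are not real indicators; the second event models the same intrusion after the adversary has swapped hash and domain but kept the procedure.

```python
"""Added example (not from the article): indicator-based versus behaviour-based
detection, to illustrate the Pyramid of Pain. All hashes, hostnames and
command lines below are constructed samples, not real IoCs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One correlated endpoint event (constructed shape for this example)."""
    parent: str          # parent process image
    image: str           # child process image
    cmdline: str         # child command line
    payload_sha256: str  # hash of the file the child wrote/downloaded (constructed)
    dest_host: str       # host the child connected to, "" if none


# Bottom of the pyramid: atomic indicators captured from the first sighting.
# Trivial for the adversary to change (recompile, register a new domain).
BLOCKED_HASHES = {"a1" * 32}                       # constructed hash
BLOCKED_HOSTS = {"update-check.example.invalid"}   # constructed hostname

# Top of the pyramid: a behaviour. An Office application spawning a PowerShell
# host with an encoded command. Evading this means changing the procedure.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Matches the -e / -ec / -enc / -EncodedCommand switch as a whole token.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)",
                          re.IGNORECASE)


def match_indicators(ev: ProcessEvent) -> bool:
    """Hit only when an exact hash or hostname from the blocklist appears."""
    return (ev.payload_sha256.lower() in BLOCKED_HASHES
            or ev.dest_host.lower() in BLOCKED_HOSTS)


def match_behaviour(ev: ProcessEvent) -> bool:
    """Hit on the procedure itself, regardless of which hash or domain is used."""
    return (ev.parent.lower() in OFFICE_APPS
            and ev.image.lower() in SCRIPT_HOSTS
            and ENCODED_FLAG.search(ev.cmdline) is not None)


def evaluate(events: dict) -> dict:
    """Return {label: (indicator_hit, behaviour_hit)} for each event."""
    return {label: (match_indicators(ev), match_behaviour(ev))
            for label, ev in events.items()}


# Constructed telemetry: the first sighting, the same intrusion after the
# adversary swapped hash and domain, and benign administrative activity.
SAMPLE_EVENTS = {
    "first_sighting": ProcessEvent(
        "WINWORD.EXE", "powershell.exe",
        "powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64",
        "a1" * 32, "update-check.example.invalid"),
    "retooled": ProcessEvent(
        "EXCEL.EXE", "pwsh.exe",
        "pwsh -w hidden -EncodedCommand PLACEHOLDER_BASE64",
        "b2" * 32, "cdn-assets.example.invalid"),
    "benign_admin": ProcessEvent(
        "explorer.exe", "powershell.exe",
        "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
        "c3" * 32, ""),
}

if __name__ == "__main__":
    for label, (ioc_hit, ttp_hit) in evaluate(SAMPLE_EVENTS).items():
        print(f"{label:15} indicator={ioc_hit!s:5} behaviour={ttp_hit}")
```

Run as-is, the indicator rule fires only on the first sighting, the behaviour rule fires on both the first sighting and the retooled event, and neither fires on the benign script. That is the pyramid in miniature: the blocklist became useless the moment the adversary changed two cheap attributes, while the behavioural rule still forces them to abandon the Office-to-PowerShell procedure.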

Threat intelligence (and the threat picture it helps paint) informs threat modeling and makes threat hunting possible. Trust me, it will be clearer soon! We’ll now discuss how Threat Modeling, Threat Intelligence, and the resulting Threat Picture are developed and how they interact.