The Cyber Threat Intelligence Life Cycle: A Case Study (Part 4)
Recap
Objectives
In this blog series, we explore how to practically apply all five stages of the CTI life cycle to a hypothetical scenario involving two fictional institutions of higher education: Maplewood University and Pine Grove University.
In this installment of the series, we will focus on the third stage of the CTI life cycle, and you will learn how to convert collected information into actionable intelligence that can be leveraged by the intelligence consumer.
The Case Study
You are a CTI analyst at Maplewood University. After a campus-wide spear-phishing attack on the nearby Pine Grove University, the President of Maplewood approaches your team, concerned that your institution may be the next victim. She has instructed you to determine the likelihood that Maplewood will also be targeted by this spear-phishing campaign and to identify measures the University can implement to defend against any future phishing attacks.
❗Disclaimer: Although the case study presented here is based on real events, the names, entities, and data included are not intended to be representative of real people, organizations, or incidents and should not be interpreted as such. This scenario is entirely fictitious and was devised by me specifically for use during this exercise.
The CTI Life Cycle | Stage 3: Analysis
Key Concepts
The third stage of the CTI life cycle is “Analysis”. During this stage, analysts systematically examine and interpret previously collected information in order to draw meaningful conclusions that support decision-making.
The primary objective of this stage is to convert information into relevant, timely, and actionable intelligence that can be leveraged by the intelligence consumer. To achieve this, analysts must contextualize the information they have collected and explore potential relationships within it. This helps analysts identify patterns in the data that ultimately can be used to better evaluate the available information.
To combat cognitive biases while interpreting these patterns and forming hypotheses, analysts also frequently employ tools called Structured Analytic Techniques (SATs). These tools provide analysts with mental frameworks to guide their reasoning and produce more objective analysis from complex and often incomplete information.
Case Study Example
With these general steps in mind, let’s consider what Stage 3 of the CTI life cycle might look like for the Maplewood University threat intelligence team.
Note: The following sections demonstrate just one possible approach to the analysis process.
Production Requirement #1
You begin your analysis by investigating the domain found in the Pine Grove phishing emails to gain more insight into the nature of the scam. Before progressing further with your analysis, your goal is to first gain a deep understanding of the features of the scam and the actions performed by the malicious website when engaged by a user.
During a previous stage of the CTI life cycle, you learned from the Pine Grove threat intelligence team that this link opens to a spoofed Pine Grove University login page. The team also informed you that the phishing email instructed recipients to immediately update their “outdated” banking information or risk the cancellation of their direct deposit services.
To observe the scam first-hand, you navigate to the spoofed domain–pinegrove[.]online–in a sandbox environment. This allows you to interact freely with the malicious website while mitigating the risk of compromise to your host system.
📌 Pro Tip: To avoid accidentally clicking a malicious URL, you should surround every period in the URL with brackets and replace “https” with “hxxps”. This process, called “defanging,” minimizes the risk of inadvertently infecting your system while investigating suspicious websites.
As indicated by the Pine Grove threat intelligence team, when clicked, this link opens to a spoofed Pine Grove University login page:
A quick comparison to the real Pine Grove login page shows that the spoofed version looks nearly identical; to unsuspecting users, the differences likely would be unnoticeable.
Submitting a fake username and password here redirects you to “pinegrove[.]online/directdeposit” and a virtual form titled “Employee Direct Deposit Form”. This form instructs victims to enter their banking details along with a wealth of personally identifiable information (PII), including their Social Security Number (SSN) and University ID.
Entering fake data once again leads to a submission confirmation page where victims have the option to “log out”, which returns them to the original spoofed Pine Grove University login page.
The inclusion of a spoofed login page in addition to the fake direct deposit form reveals this to be a two-part attack aimed at acquiring both the victim’s account credentials and their banking details; in other words, enough information to both impersonate and defraud them with little difficulty.
To verify that this information is, indeed, being collected by the adversary, you leverage the integrated browser “Inspect” tool and see that each data submission generates an HTTP POST request. This means any information entered by users is being collected by the attacker, as suspected.
Now that you better understand the nature of the attack, you are ready to enrich this information by gathering more details about the domain.
To further contextualize the phishing domain, you use the free open-source intelligence tool Whois Lookup by DomainTools, which compiles basic domain registration and infrastructure information.
According to the Whois record for pinegrove[.]online, the spoofed site was created just 30 days ago using a domain registrar and hosting provider commonly chosen by malicious actors for establishing phishing sites. Unsurprisingly, the registrant opted to redact all personal identifying information, so it remains unclear who created the domain; however, this record still reveals some interesting information, including the adversary’s infrastructure preferences and the IP address of the host server. The Whois record indicates that this host server IP address is associated with only four other domains, which suggests a potential overlap between them. You decide to pivot off this IP address next and investigate the related domains.
To pivot off the host server IP address, you perform a reverse IP lookup, which yields the following four domains:
- sierrasummit[.]online
- crescentvalley[.]online
- aspenstate[.]online
- libertyhills[.]online
Each of these domains appears to be impersonating a legitimate university login page, just like the domain employed for the Pine Grove phishing attack. This is getting interesting!
You pivot once again by performing additional Whois lookups on the four related domains. The Whois records for these domains reveal that each is less than 30 days old and leverages the same basic infrastructure as the impersonated Pine Grove site. This indicates significant overlap between all five domains.
To confirm that the four related domains host the same phishing scam, you visit each in a sandbox environment. As expected, all four domains present the same sequence of phishing pages as the spoofed Pine Grove site with only minor aesthetic modifications to better impersonate each institution. Unsurprisingly, each spoofed login site is nearly indistinguishable from the original.
To better understand why these five institutions, in particular, have been targeted, you leverage open-source intelligence to research potential connections between them. Because this phishing scam begins with the theft of university account credentials, you decide to first investigate the authentication systems employed by each institution.
This investigation reveals an alarming relationship: none of the institutions have implemented multi-factor authentication with their university-issued accounts. For the adversary, this significantly simplifies the process of gaining initial access to the internal network, especially at institutions that lack defense in depth.
After briefly reviewing the official websites for each institution, a pattern in the victim profile also emerges: each of the five targeted universities is a large R1 research institution located on the East Coast of the United States. This suggests another potential adversary objective: the exfiltration of intellectual property data, namely classified research.
Aware that Maplewood University fits your current victim profile and that these five institutions may not be the only targets of the spear-phishing campaign, you search for spoofed versions of the Maplewood University login page that match the naming conventions of the other phishing domains, but none currently exist. However, this does not eliminate the possibility that Maplewood will be victimized by this spear-phishing campaign, as well.
To assess what factors contributed to the success of past phishing campaigns against Maplewood University, your team previously reviewed the reports produced in response to these historical incidents. These reports revealed that Maplewood staff and students are particularly vulnerable to phishing attacks that leverage brand impersonation to bait victims into taking action due to the trust they implicitly place in familiar senders. This means that the phishing campaign deployed against Pine Grove University would likely be highly effective at Maplewood, as well, especially because–like the other targets–Maplewood University lacks multi-factor authentication systems.
To determine the likelihood that Maplewood University will be targeted by this spear-phishing campaign based on the available information, your team utilizes a Structured Analytic Technique called Analysis of Competing Hypotheses (ACH). This technique seeks to find the hypothesis with the least evidence against it, rather than the most evidence in support of it, in order to limit the influence of cognitive biases. This is achieved by systematically evaluating all possible hypotheses against the available information.
Employing this analytic technique reveals the strongest conclusion according to the currently available information: Maplewood University is likely to be targeted by the same spear-phishing campaign as Pine Grove. This estimation is based on the following words of estimative probability (WEP) matrix provided by the Center for Internet Security:
Production Requirement #2
You continue your analysis by seeking to determine the most effective courses of action to limit the success of future phishing campaigns at Maplewood University. To achieve this, you first review the defensive measures that have already been implemented by the Maplewood University Information Technology Center (ITC). These include:
- Automatically blocking specific file types in email attachments (e.g. “.exe” files)
- Scanning all incoming emails multiple times with different scanning engines
- Flagging all communications from non-university email addresses as “external”
- Requiring all employees to annually complete a two-hour online security awareness training
- Maintaining an online knowledge base for end users with tutorials on identifying phishing and other scam messages
With this in mind, you consult the annual Proofpoint “State of the Phish” report to review the emerging trends in phishing attacks and updated security best practices. According to the research presented by Proofpoint, the best defenses against phishing are multi-layered and include a combination of the following:
- Requiring multi-factor authentication with university-issued accounts
- Consistently training all end users, not just a subset
- Identifying the most targeted end users and tailoring their trainings to mimic the most likely attacks against them
- Conducting real-world phishing simulations that reflect the current attack trends
- Providing both phishing and general security awareness trainings
- Implementing a logical consequence-reward model for simulated phishing attacks
- Cultivating an organizational culture that promotes and prioritizes cybersecurity
These recommendations underscore the importance of implementing both technical defenses and robust end-user training initiatives to thwart phishing campaigns.
Currently, Maplewood University prioritizes preventing phishing messages from entering the environment, rather than teaching end users how to recognize and report them. As a result, more resources are allocated to the development of technical controls than security awareness programs, which leaves end users more vulnerable to the phishing messages that inevitably break through the defenses. According to recent surveys conducted by the Maplewood ITC, the majority of staff members are displeased with their required annual phishing training, and 35 percent said they would not list cybersecurity as a priority for the institution.
This is why Proofpoint suggests a more balanced approach to mitigating the risks of phishing attacks–one that considers technology, people, and culture. To achieve this, your team assesses with moderate confidence that the university should implement the following defensive measures based on the best practices outlined by Proofpoint:
Right Now
- Send an email to all end users with reminders on how to recognize and report suspected phishing messages
- Communicate all identified indicators of compromise (IOCs) related to the Pine Grove University phishing attack to the Maplewood SOC team to detect and block
Near Future
- Implement multi-factor authentication with all university-issued accounts
- Conduct regular phishing simulations for all email users with rewards for consistently accurate reporting
- Cultivate a security-positive organizational culture by increasing buy-in from end users
Conclusion
The third stage of the CTI life cycle is “Analysis”. At this point in the CTI life cycle, analysts convert information into relevant, timely, and actionable intelligence that directly responds to the production requirements established by the intelligence consumer. This process of transforming information into intelligence includes six main steps:
- Information Review;
- Enrichment;
- Pivoting;
- Contextualization;
- Correlation; and
- Analysis
By the end of this process, the analyst has reached a conclusion and is ready to produce the intelligence deliverables that will communicate their analysis to the intelligence consumer.
Looking Ahead
In the next installment of this blog series, we will explore the fourth stage of the CTI life cycle — Production — by practically applying it to this case study.
You will learn how to produce intelligence deliverables tailored to the individual needs and prior knowledge of your intelligence consumers.
📍 To jump straight to Part 5, click here.
If you found value in this blog series, please consider:
👏🏻 Clapping for this article,
📩 Sharing it with others, or
💬 Commenting your thoughts below
About the Author:
Casey Hennings is a security analyst and educator who writes about cybersecurity, threat intelligence, and security awareness.
She is currently seeking an entry-level cybersecurity position where she can apply her skills and continue growing as part of a passionate, purpose-driven team of security professionals.
To connect, you can find her at @cyberwithcasey on X (Twitter) and here on LinkedIn.
