1 - 3: Threat Intelligence Flashcards
Threat Intelligence
Actions taken to educate about changes in cybersecurity, adapting security controls based on that knowledge
Open-source Intelligence
Uses public information, often using security websites, vulnerability databases, dark web sources, sharing centers, file or code repositories, or security researchers
Email address harvesting
Searches for valid addresses for social engineering attacks
Criteria for threat intelligence source
Timeliness, accuracy, reliability
Threat indicators
Data or other information that describes a threat, such as IP addresses or file signatures
CybOX (not questioned on exam)
Cyber Observable eXpression, a standardized schema for categorizing security observations, including intrusion attempts and malicious software
STIX
Structured Threat Information eXpression, a standardized language for communicating security information between systems, built on CybOX
TAXII
Trusted Automated eXchange of Indicator Information, provides a technical framework for exchanging messages and information written in the STIX language
OpenIOC
Mandiant Labs' threat intelligence language, describes file names, sizes, and specific indicators
Functions threat intelligence supports
Incident response, vulnerability management, risk management, security engineering, detection and monitoring / SOCs
ISACs
Information Sharing and Analysis Centers, confidential sharing centers for threat intelligence based on industry
Threat research
Understanding adversaries' methods, intent, etc.
Threat research techniques
Reputational threat research and behavioral threat research
Reputational threat research
Identifying potentially malicious actors based on previous behavior, IP addresses, email, domains
Behavioral threat research
Identifying potentially malicious actors based on the similarity of behaviors to past attackers
Research sources
Vendor websites, vulnerability feeds, conferences, academic journals, Request for Comments (RFC) documents, threat feeds, TTP publications
Threat identification
A structured approach to assessing possible threats, typically as asset focused, threat focused, or service focused
Asset focused approach
An analysis based on the organization's asset inventory
Threat focused approach
Identifying how specific threats could affect each information system, chiefly to understand an adversary’s capability
Service focused approach
Identifying the impact to services hosted over the internet and their related interfaces
Automating threat intelligence
Providing responses to threat indications automatically when certain criteria are met, such as blocking IPs or certain network traffic
Minimizing disruption from automation
Test automated services in alert-only mode
Automating threat feeds
Combining threat feeds into a single, more refined information source
Data enrichment
Automation to assist incident response by providing assistance with routine details, including source reconnaissance, retrieving related logs, or triggering a vulnerability scan
SOAR
Security Orchestration, Automation, and Response; tools that automate and enhance SIEM capabilities
Machine learning for threats
Can scan and assist in creating a signature definition for threats and malware
Assumption of Compromise
Approaching security risks on the assumption that attackers have already established a foothold
Threat hunting
An organized, systematic approach to seeking indicators of compromise using expertise and analytic techniques
First step in threat hunting
Establish a hypothesis, thinking like an attacker would based on available information
Indicators of Compromise
Unusual binary files, unexpected processes or resource consumption, deviations in network traffic, alterations in permissions, unexplained log entries, unapproved config changes