1B. Importance of Threat Data and Intelligence obj 1.1, 1.2 Flashcards
What is Security Intelligence?
Security intelligence focuses on your own systems (firewall logs, IDS alerts, etc.). It is the act of collecting, normalising, and analysing data generated by IT infrastructure in real time, and using that information to assess and improve an organisation's security posture.
What is Cyber Threat Intelligence (CTI)?
CTI provides data about the external threat landscape and emerging threats (e.g., hacker groups, malware outbreaks, zero-days, etc.).
What are the two formats of CTI reports?
1) Narrative
- A written document that must be assimilated manually. Useful for strategic intelligence.
2) Data feeds
- Lists of IoCs (domain names, IPs, hashes of exploit code, etc.). Useful in automated systems to inform real-time decisions.
What do threat feeds provide?
Up-to-date details about threats, such as IP addresses, hostnames/domains, emails, URLs, file hashes/paths, CVE numbers, etc.
What are the five stages of the security intelligence gathering life cycle?
1) Requirements
2) Collection
3) Analysis
4) Dissemination
5) Feedback
(Ryan Cooked A Delicious Feast)
Briefly explain the first phase of the security intelligence gathering life cycle
Requirements gathering (e.g., the types of threats you are most likely to face, the specific sources that will be used to gather the required information, the laws/regulations you must adhere to, etc.). This phase includes:
1) assessing security breaches you have faced,
2) assessing what information could have prevented or limited the impact of the breach,
3) assessing what security controls were not in place that could have mitigated the breach.
Briefly explain the second phase of the security intelligence gathering life cycle
Collection. Once the information requirements have been identified, you can begin collecting from threat intelligence sources to meet those requirements.
Briefly explain the third phase of the security intelligence gathering life cycle
Analysis and processing. Data must be formatted so that it can be consumed by whatever tools or processes you intend to use. You must then analyse the data yourself. The output of this stage may be fed into automated systems, or written up as reports for senior staff.
Briefly explain the fourth phase of the security intelligence gathering life cycle
Dissemination (sharing is caring). The information is distributed to leadership, IT personnel, and other stakeholders.
Briefly explain the fifth phase of the security intelligence gathering life cycle
Feedback. Gathering feedback about the report and the data you have collected, in order to create better requirements and improve the output of the security intelligence program.
What four points should threat intelligence be assessed against? (TRAC)
1) Timeliness. If a feed is delayed, you could miss a threat or react after the threat is no longer relevant.
2) Accuracy. Is the intelligence valid and true? Is the intelligence general or specific in nature? Are the sources reliable?
3) Relevancy. Is it relevant to your systems, platforms, and software? If not, then it is obsolete.
4) Confidence score. Threat intelligence sources are given a confidence score, which can be used as a filter.
Name some examples of open-source threat intelligence
AlienVault, US-CERT, Threatfeeds.io, VirusTotal, NCSC
What does ISAC stand for?
Information Sharing and Analysis Centres.
What are ISACs?
Non-profit groups that facilitate the sharing of threat intelligence about industry-specific threats and security best practices (e.g., for healthcare, government, finance).
In the context of the fourth phase of the threat intelligence life cycle, what is Risk Management?
Identifying, evaluating, and prioritising threats/vulnerabilities in order to reduce their impact.