(4) Proprietary Intelligence and Accessing Threat Intelligence Flashcards
Describe closed source intelligence
Closed source intelligence is intelligence that an organization gathers itself, through its own research, custom tools, analysis models, or other methods.
This information may be shared as paid feeds or may be held for internal use only.
Why use closed source intelligence instead of OSINT?
There are a few reasons. The org might want to keep its threat data secret, it might want to license the data and keep its methods and sources as trade secrets, and it might not want threat actors to know what data it is gathering.
When considering threat intelligence, what standards of quality need to be assessed to determine if the information should be used?
- Is the information timely?
- Is the information accurate?
- Is the information relevant?
Describe how a confidence score helps with threat intelligence data
A confidence score lets an organization filter threat intelligence data and put it to use according to how much it can be trusted.
Lower confidence data doesn't mean it's useless, but it shouldn't be given too much weight either.
What are the six levels of confidence that ThreatConnect uses to grade threat intel?
Confirmed (90-100)
Probable (70-89)
Possible (50-69)
Doubtful (30-49)
Improbable (2-29)
Discredited (1)
What areas of security operations can stand to benefit from Threat Intelligence Sharing?
- Incident Response
- Vulnerability Management
- Detection and Monitoring
- Security Engineering efforts
What is Structured Threat Information Expression (STIX)?
STIX is an XML language originally sponsored by the U.S. Department of Homeland Security.
It helps share threat information by describing it as objects that are related to each other through one of two STIX relationship object models.
What is the Trusted Automated Exchange of Indicator Information (TAXII)?
TAXII is meant to let cyber threat information be communicated at the application layer via HTTPS.
TAXII is meant to support STIX data exchange.
What is the Open Indicators of Compromise (OpenIOC) framework?
OpenIOC is XML-based.
It uses the indicators from Mandiant as its base framework.
IOC metadata includes the author, name, description, a reference to the investigation or case, and information about the maturity of the IOC.