Chapter 04: Threat Intelligence

Question 1

Threat Feed Details

Answer 1

Threat feeds will often contain things like:
* IPs
* Hostnames
* Domains
* Emails
* URLs
* File hashes
* File paths
* CVE numbers
* Details of what may make your org a target or vulnerable to threat
* Descriptions, motivations, methodologies of threat actors

Question 1

OSINT

Answer 1

Open Souce Intelligence

Intel acquired from publicly available sources

Public sites:
* Senki.org
* The Open Threat Exchange by AlienVault
* MISP (malware information sharing platform)
* Threatfeeds.io
* SANS Internet Storm Center
* VirusShare
* VirusTotal
* Spamhaus

Government sites:
* US Cybersecurity and Infrastructure Security Agency (CISA)
* US DoD Cyber Crime Center
* CISA’s Automated Indicator Sharing (AIS) program
* CISA’s Sharing and Analysis Organizations (ISAOS / ISAC) program

Vendor sites:
* MS Threat Intelligence Blog
* Cisco’s Threat Security Site

Other locations:
* Social media, but difficult to determin veracity of information
* Blogs and forums
* Computer emergency response teams (CERT) websites
* Cybersecurity incident response team (CSIRT) websites
* Dark web / deep web

Question 2

Closed Source Intelligence

Answer 2

The opposite of OSINT

Commercial security vendors, govt orgs, and other security-centric orgs create and use proprietary, closed source intel

They do all their own research and information gathering, and use custom tools / analysis models / proprietary methods to gather, curate, and maintain their threat feeds

Sometimes you can access these as paid feeds, but sometimes they keep it for internal use only

Question 3

Threat Intel Confidence Level

Answer 3

Is It Timely?
* A feed that operates on delay can cause you to miss a threat or to react after the threat is no longer relevant

Is the Information Accurate?
* Can you rely on what it says, and how likely is it that the assement is valid?
* Does it rely on a single source or multiple sources?
* How often are those sources correct?

Is the Information Relevant?
* If it describes the wrong platform, software, or resource for the org to be targeted, the data may be very timely, very accruate, but completely irrelevant to your org

Question 4

Threat Intel Confidence Score

Answer 4

One way to summariez threat intel assessment data is to assign it a confidence score

This allows you to filter and use threat intel based on how much trust you can give it

Low confidence doesn’t mean the intel isn’t useful—sometimes confidence scores start low and increase as the information solidifies

Low confidence just means you shouldn’t fully rely on it to make important decisions in a vacuum

Example confdience rating:
* Confirmed (90-100): Independent sources or direct analysis proves the threat is real
* Probable (70-89): Logical inference, but doesn’t directly confirm threat
* Possible (50-69): Some information agrees with the analysis, but the assessment is not confirmed—somewhat logical to infer from given data
* Doubtful (30-49): Assessment is possible but not the most likely option, or assessment can’t be proven or disproven by information available
* Improbable (2-29): Assessment is possible but not the most logical option, or refuted by other information available
* Discredited (1): Assessment confirmed to be inaccurate or iincorrect

Question 5

Threat Intelligence Sharing

Answer 5

Threat intel sharing is key for many operational security practices:

• Incident Response: Identifying threat actors as well as their common techniques and tools
• Vulnerability Management: Understanding current, active threats can help assess risk and influence patch cycles and prioritization efforts
• Risk Management and Security Engineering: Provides a useful view ofthe direction of threats and what threats are likely to grow over the lifecycle of a security design, and influences responses to threats that may be integrated into design updates
• Detection and Monitoring: Ensures timely updates and allowing for the creation of new detection rules—faster responses and better behavioral detection capabilities

Page 142 for full descriptions

Question 6

STIX

Answer 6

Structured Threat Information Expression

Currently in v 2.1 and defines 12 STIX domain objects (SDO) including things like:
* Observed data
* Indicators
* Attack patterns
* Course of Action (COA)
* Identities
* Malware
* Threat actors
* Tools

Standard terminology for IOC and ways of indicating relationships between them that’s included as part of the OASIS Cyber Threat Intelligence (CTI) framework

NOTE: STIX v1 was XML, but STIX v2 uses JSON format, and you can tell it’s JSON because of the curly brackets and type”: id”: etc—if you see JSON on the exam, it’s likely referring to STIX

Question 7

TAXII

Answer 7

Trusted Automated Exchange of Indicator Information

Companion to STIX, and allows cyber threat information to be communicated at the OSI application layer via HTTPS

TAXII is specifically designed to support STIX data exchange

Question 8

OpenIOC

Answer 8

Open Indicators of Compromise

Another XML-based framework for threat information sharing, developed by Mandiant and uses their indicators for its base

A typical IOC inclues metadata like:
* Author
* Name of IOC
* Description
* References to the investigation or case
* Information about the maturity of the IOC
* Definition for the IOC, which may include details of the actual compromise

Question 9

The Threat Intelligence Lifecycle

Answer 9

Comprised of five phases:

1. Requirements Gathering
2. Data Collection
3. Data Processing and Analysis
4. Intelligence Dissemination
5. Feedback

Page 144 for all in detail

Question 10

Intel Cycle: Requirements Gathering

Answer 10

Plan for your intelligence requirements, which may be created as a result of:
* Successful breaches and compromises
* Industry trends
* Risk assessments conducted for your organization

In this step, you typically assess:
* What security breaches or compromises you’ve faced
* What information could have prevented or limited the impact of the breach
* What controls and security measures were not in place that would have mitigated the breach

Question 11

Intel Cycle: Data Collection

Answer 11

Once you have the information requirements, you can collect data from threat intel sources to meet those requirements

This phase may repeat as additional requirements are added, or as requirements are refined based on available data and data sources

Question 12

Intel Cycle: Data Processing and Analysis

Answer 12

The threat intel data you gather will likely be in multiple different formats

Here, you have to process the data so it can be consumed by the tools or processes you use

Then you have to analyze that data

Question 13

Intel Cycle: Intelligence Dissemination

Answer 13

Data is distributed to leadership and operational personnel who will use it as part of their security operations role

We can break this data dissemination up into three categories:
1. Strategic: Addresses broad themes and objectives, usually affects projects and business priorities over weeks, months, and years
2. Operational: Day to day priorities of managers and specailists
3. Tactical: Informs real-time decisions made by staff as they encounter alerts and system indications

Question 14

Intel Cycle: Feedback

Answer 14

Gather feedback about the reports and data you’ve gathered

This is an oppty for continuous improvement so you can create better requirements and improve the overall output of your threat intel program
* Lessons learned
* Measurable success
* Evolving threat issues

Question 15

Nation-State Threat Actors

Answer 15

They have the most access to resources including tools, talent, equipment, and time

They have the full resources of an entire country behind them as well, and their goals are sponsored by that country

Associated with APT organizations and they have advanced tools and capabilities unrivaled by other threat actors

Question 16

Organized Crime Threat Actors

Answer 16

They have focused attacks typically aimed at financial gain, like ransomware attacks

Question 17

Hacktivist Threat Actors

Answer 17

Activists who use hacking as a means to a political or philosophical end

They range from individuals to large groups like Anonymous, and their tech capabilities and resources vary greatly

When assessing threats from hacktivists, carefully consider what types of hacktivists are most likely to target your org and why

Question 18

Script Kiddie Threat Actors

Answer 18

Malicious actors who use preexisting tools, often in relativelty unsophisticated ways

Still very dangerous, don’t underestimate them

Question 19

Insider Threats Threat Actors

Answer 19

Threat actors from withing your org, like employees or trusted individuals and groups

They might be intentional or unintentional, but either way they pose a significant threat due to their trusted position

Frequently considered one of the most likely causes of a breach, and difficult to detect

NOTE: The exam will break insider threats into intentional and unintentional, so know both

Question 20

Supply Chain Threat Actors

Answer 20

They can act as part of the supply chain, inserting malicious software or hardware, compromising devices, or inserting backdoors

They can also attack the supply chain itself, disrupting the ability to obtain goods and services

Question 21

TTP

Answer 21

Tactics, Techniques, and Procedures

APTs are one of the most concerning attackers that an organization can face

As they’re studied, they’re identified and classified based on their TTP

When you know that, you can successfully counter APT activity—it makes information about them exceptionally valuable

Question 22

Proactive Threat Hunting

Answer 22

Searching for threats proactively, rather than reactively, can keep you ahead of attackers

To implement this proactivity, use the following steps:
* Establishing a Hypothesis: A hypothesis is needed to test and should have actionable results based on the threat that the hypothesis considers
* Profiling Threat Actors and Activities: This helps ensure that you have considered who may be a threat, and why, as well as what their typical actions and processes are
* Threat Hunting Tactics: These are key to success in threat hunting activities—the skills, techniques, and procedures are where action meets analysis
* Reducing the Attack Surface Area: This allows resources to be focused on the remaining surface area, making protection more manageable
* Bundling Critical Assets Into Groups and Protection Zones: This helps with managing attack surface area, threat hunting, and response activities, since each asset doesn’t need to be individually assessed or managed as a unique item
* Understanding, Assesing, and Addressing Attack Vectors or the Means By Which an Attack Can Be Conducted: This step must be based on analysis of threat actors and their techniques as well as the surface area that threat actors can target
* Integrated Intelligence: This step combines multiple intelligence sources to provide a better view of threats
* Improving Detection Capabilities: This is a coninuous process as threats improve their techniques and technology—if you don’t improve your detection capabilities, new threats will bypass existing capabilities over time

Question 23

Three Major Areas of Focus for Threat Hunting

Answer 23

1. Configurations and misconfigurations that may lead to compromise, or that may indicate that an attacker has modified settings
2. Isolated networks, which are typically used to protect sensitive or specialized data and systems—threat hunting here can be a bit easier since traffic and behaviors should be fully understood, but it could also mean deploying and using centrally managed tools which can be challenging
3. Business-critical assets and processes are a focus area due to their importance—focus on these due to their organizational risk profile and the importance of ensuring they remain secury

Question 24

IOC

Answer 24

Indicators of Compromise

Data that are commonly associated with compromised systems and software

They’re used to detect breaches, compromises, and malware, as well as other activities associated with attacks

For the exam, look at IOC through these three lenses:

1. Collection: How to acquire data that may indicate compromise—this focuses on using tools, logs, and other data sources to gather that data
2. Analysis: Determine if the information gathered actually indicates a compromise
   * EX: Unusual network traffic is a common IOC, but it could also be a new process or user performing a rarely required task—analysis requires understanding of whether it’s likely to mean a compromise has occurred or has been attempted
3. Application: This occurs in two ways:
   * First: Through using analysis to understand if compromises have occurred, thus activating incident response processes and other security response procedures
   * Second: IOC application can be leveraged as part of the analysis process

Page 150 full description

Question 25

Common IOCs

Answer 25

• Questionable login activity, including activity at odd hours, from dormant accounts, or from countries or geographic locations that don’t match typical account behavior
• Modifications to files, particularly config files or logs
• Unexpected or unusual use of privileged accounts
• Unexpected or unusual network traffic
• Large outbound data transfers
• Unexpected services, ports, or software running on systems or devices

Question 26

Active Defense

Answer 26

A threat hunting technique that involves deception to either delay or confuse attackers

Techniques like tarpits provide attackers with large numbers of fake targets with false data, and they slow down scans and attacks

Honeypots are also used to lure attackers in

Dion’s Notes
* The practice of responding to a threat by destroying or deceiving the threat actor’s capabilities