Chapter 04: Threat Intelligence Flashcards
Threat Feed Details
Threat feeds will often contain things like:
* IPs
* Hostnames
* Domains
* Emails
* URLs
* File hashes
* File paths
* CVE numbers
* Details of what may make your org a target or vulnerable to threat
* Descriptions, motivations, methodologies of threat actors
OSINT
Open Source Intelligence
Intel acquired from publicly available sources
Public sites:
* Senki.org
* The Open Threat Exchange by AlienVault
* MISP (malware information sharing platform)
* Threatfeeds.io
* SANS Internet Storm Center
* VirusShare
* VirusTotal
* Spamhaus
Government sites:
* US Cybersecurity and Infrastructure Security Agency (CISA)
* US DoD Cyber Crime Center
* CISA’s Automated Indicator Sharing (AIS) program
* CISA’s Information Sharing and Analysis Organizations (ISAOs / ISACs) program
Vendor sites:
* MS Threat Intelligence Blog
* Cisco’s Threat Security Site
Other locations:
* Social media, but it is difficult to determine the veracity of the information
* Blogs and forums
* Computer emergency response teams (CERT) websites
* Cybersecurity incident response team (CSIRT) websites
* Dark web / deep web
Closed Source Intelligence
The opposite of OSINT
Commercial security vendors, govt orgs, and other security-centric orgs create and use proprietary, closed source intel
They do all their own research and information gathering, and use custom tools / analysis models / proprietary methods to gather, curate, and maintain their threat feeds
Sometimes you can access these as paid feeds, but sometimes they keep it for internal use only
Threat Intel Confidence Level
Is It Timely?
* A feed that operates on delay can cause you to miss a threat or to react after the threat is no longer relevant
Is the Information Accurate?
* Can you rely on what it says, and how likely is it that the assessment is valid?
* Does it rely on a single source or multiple sources?
* How often are those sources correct?
Is the Information Relevant?
* If it describes a platform, software, or resource that your org does not use or that is not targeted, the data may be very timely and very accurate, but completely irrelevant to your org
Threat Intel Confidence Score
One way to summarize threat intel assessment data is to assign it a confidence score
This allows you to filter and use threat intel based on how much trust you can give it
Low confidence doesn’t mean the intel isn’t useful; sometimes confidence scores start low and increase as the information solidifies
Low confidence just means you shouldn’t fully rely on it to make important decisions in a vacuum
Example confidence rating:
* Confirmed (90-100): Independent sources or direct analysis proves the threat is real
* Probable (70-89): Logical inference, but doesn’t directly confirm threat
* Possible (50-69): Some information agrees with the analysis, but the assessment is not confirmed; it is somewhat logical to infer from the given data
* Doubtful (30-49): Assessment is possible but not the most likely option, or the assessment can’t be proven or disproven by the information available
* Improbable (2-29): Assessment is possible but not the most logical option, or it is refuted by other information available
* Discredited (1): Assessment confirmed to be inaccurate or incorrect
Threat Intelligence Sharing
Threat intel sharing is key for many operational security practices:
- Incident Response: Identifying threat actors as well as their common techniques and tools
- Vulnerability Management: Understanding current, active threats can help assess risk and influence patch cycles and prioritization efforts
- Risk Management and Security Engineering: Provides a useful view of the direction of threats and which threats are likely to grow over the lifecycle of a security design, and influences the responses to threats that may be integrated into design updates
- Detection and Monitoring: Ensures timely updates and allows for the creation of new detection rules, giving faster responses and better behavioral detection capabilities
Page 142 for full descriptions
STIX
Structured Threat Information Expression
Currently in v2.1, which defines 12 STIX domain objects (SDOs), including things like:
* Observed data
* Indicators
* Attack patterns
* Course of Action (COA)
* Identities
* Malware
* Threat actors
* Tools
Provides standard terminology for IOCs and ways of indicating relationships between them; it is included as part of the OASIS Cyber Threat Intelligence (CTI) framework
NOTE: STIX v1 was XML, but STIX v2 uses JSON format. You can tell it’s JSON by the curly brackets and keys like "type": and "id": etc. If you see JSON on the exam, it’s likely referring to STIX
TAXII
Trusted Automated Exchange of Indicator Information
Companion to STIX, and allows cyber threat information to be communicated at the OSI application layer via HTTPS
TAXII is specifically designed to support STIX data exchange
OpenIOC
Open Indicators of Compromise
Another XML-based framework for threat information sharing, developed by Mandiant and built on Mandiant’s own indicators
A typical IOC includes metadata like:
* Author
* Name of IOC
* Description
* References to the investigation or case
* Information about the maturity of the IOC
* Definition for the IOC, which may include details of the actual compromise
The Threat Intelligence Lifecycle
Consists of five phases:
- Requirements Gathering
- Data Collection
- Data Processing and Analysis
- Intelligence Dissemination
- Feedback
Page 144 for all in detail
Intel Cycle: Requirements Gathering
Plan for your intelligence requirements, which may be created as a result of:
* Successful breaches and compromises
* Industry trends
* Risk assessments conducted for your organization
In this step, you typically assess:
* What security breaches or compromises you’ve faced
* What information could have prevented or limited the impact of the breach
* What controls and security measures were not in place that would have mitigated the breach
Intel Cycle: Data Collection
Once you have the information requirements, you can collect data from threat intel sources to meet those requirements
This phase may repeat as additional requirements are added, or as requirements are refined based on available data and data sources
Intel Cycle: Data Processing and Analysis
The threat intel data you gather will likely be in multiple different formats
Here, you have to process the data so it can be consumed by the tools or processes you use
Then you have to analyze that data
Intel Cycle: Intelligence Dissemination
Data is distributed to leadership and operational personnel who will use it as part of their security operations role
We can break this data dissemination up into three categories:
1. Strategic: Addresses broad themes and objectives, usually affects projects and business priorities over weeks, months, and years
2. Operational: Day-to-day priorities of managers and specialists
3. Tactical: Informs real-time decisions made by staff as they encounter alerts and system indications
Intel Cycle: Feedback
Gather feedback about the reports and data you’ve gathered
This is an opportunity for continuous improvement so you can create better requirements and improve the overall output of your threat intel program:
* Lessons learned
* Measurable success
* Evolving threat issues