Chapter 04: Threat Intelligence Flashcards

1
Q

Threat Feed Details

A

Threat feeds will often contain things like:
* IPs
* Hostnames
* Domains
* Emails
* URLs
* File hashes
* File paths
* CVE numbers
* Details of what may make your org a target or vulnerable to threat
* Descriptions, motivations, methodologies of threat actors

1
Q

OSINT

A

Open Source Intelligence

Intel acquired from publicly available sources

Public sites:
* Senki.org
* The Open Threat Exchange by AlienVault
* MISP (malware information sharing platform)
* Threatfeeds.io
* SANS Internet Storm Center
* VirusShare
* VirusTotal
* Spamhaus

Government sites:
* US Cybersecurity and Infrastructure Security Agency (CISA)
* US DoD Cyber Crime Center
* CISA’s Automated Indicator Sharing (AIS) program
* CISA’s Sharing and Analysis Organizations (ISAOS / ISAC) program

Vendor sites:
* MS Threat Intelligence Blog
* Cisco’s Threat Security Site

Other locations:
* Social media, but it is difficult to determine the veracity of the information
* Blogs and forums
* Computer emergency response teams (CERT) websites
* Cybersecurity incident response team (CSIRT) websites
* Dark web / deep web

2
Q

Closed Source Intelligence

A

The opposite of OSINT

Commercial security vendors, govt orgs, and other security-centric orgs create and use proprietary, closed source intel

They do all their own research and information gathering, and use custom tools / analysis models / proprietary methods to gather, curate, and maintain their threat feeds

Sometimes you can access these as paid feeds, but sometimes they keep it for internal use only

3
Q

Threat Intel Confidence Level

A

Is It Timely?
* A feed that operates on delay can cause you to miss a threat or to react after the threat is no longer relevant

Is the Information Accurate?
* Can you rely on what it says, and how likely is it that the assessment is valid?
* Does it rely on a single source or multiple sources?
* How often are those sources correct?

Is the Information Relevant?
* If it describes the wrong platform, software, or resource for the org to be targeted, the data may be very timely and very accurate, but completely irrelevant to your org

4
Q

Threat Intel Confidence Score

A

One way to summarize threat intel assessment data is to assign it a confidence score

This allows you to filter and use threat intel based on how much trust you can give it

Low confidence doesn’t mean the intel isn’t useful—sometimes confidence scores start low and increase as the information solidifies

Low confidence just means you shouldn’t fully rely on it to make important decisions in a vacuum

Example confidence rating:
* Confirmed (90-100): Independent sources or direct analysis proves the threat is real
* Probable (70-89): Logical inference, but doesn’t directly confirm threat
* Possible (50-69): Some information agrees with the analysis, but the assessment is not confirmed—somewhat logical to infer from given data
* Doubtful (30-49): Assessment is possible but not the most likely option, or assessment can’t be proven or disproven by information available
* Improbable (2-29): Assessment is possible but not the most logical option, or refuted by other information available
* Discredited (1): Assessment confirmed to be inaccurate or incorrect

5
Q

Threat Intelligence Sharing

A

Threat intel sharing is key for many operational security practices:

  • Incident Response: Identifying threat actors as well as their common techniques and tools
  • Vulnerability Management: Understanding current, active threats can help assess risk and influence patch cycles and prioritization efforts
  • Risk Management and Security Engineering: Provides a useful view of the direction of threats and which threats are likely to grow over the lifecycle of a security design, and influences responses to threats that may be integrated into design updates
  • Detection and Monitoring: Ensures timely updates and allows for the creation of new detection rules—faster responses and better behavioral detection capabilities

Page 142 for full descriptions

6
Q

STIX

A

Structured Threat Information Expression

Currently at v2.1, which defines 12 STIX domain objects (SDOs), including things like:
* Observed data
* Indicators
* Attack patterns
* Course of Action (COA)
* Identities
* Malware
* Threat actors
* Tools

Standard terminology for IOCs and ways of indicating relationships between them; included as part of the OASIS Cyber Threat Intelligence (CTI) framework

NOTE: STIX v1 was XML, but STIX v2 uses JSON format, and you can tell it’s JSON because of the curly brackets and keys like `"type":` and `"id":`—if you see JSON on the exam, it’s likely referring to STIX

7
Q

TAXII

A

Trusted Automated Exchange of Indicator Information

Companion to STIX; allows cyber threat information to be communicated at the OSI application layer over HTTPS

TAXII is specifically designed to support STIX data exchange

8
Q

OpenIOC

A

Open Indicators of Compromise

Another XML-based framework for threat information sharing, developed by Mandiant and using their indicators as its base

A typical IOC includes metadata like:
* Author
* Name of IOC
* Description
* References to the investigation or case
* Information about the maturity of the IOC
* Definition for the IOC, which may include details of the actual compromise

9
Q

The Threat Intelligence Lifecycle

A

Comprised of five phases:

  1. Requirements Gathering
  2. Data Collection
  3. Data Processing and Analysis
  4. Intelligence Dissemination
  5. Feedback

Page 144 for all in detail

10
Q

Intel Cycle: Requirements Gathering

A

Plan for your intelligence requirements, which may be created as a result of:
* Successful breaches and compromises
* Industry trends
* Risk assessments conducted for your organization

In this step, you typically assess:
* What security breaches or compromises you’ve faced
* What information could have prevented or limited the impact of the breach
* What controls and security measures were not in place that would have mitigated the breach

11
Q

Intel Cycle: Data Collection

A

Once you have the information requirements, you can collect data from threat intel sources to meet those requirements

This phase may repeat as additional requirements are added, or as requirements are refined based on available data and data sources

12
Q

Intel Cycle: Data Processing and Analysis

A

The threat intel data you gather will likely be in multiple different formats

Here, you have to process the data so it can be consumed by the tools or processes you use

Then you have to analyze that data

13
Q

Intel Cycle: Intelligence Dissemination

A

Data is distributed to leadership and operational personnel who will use it as part of their security operations role

We can break this data dissemination up into three categories:
1. Strategic: Addresses broad themes and objectives, usually affects projects and business priorities over weeks, months, and years
2. Operational: Day-to-day priorities of managers and specialists
3. Tactical: Informs real-time decisions made by staff as they encounter alerts and system indications

14
Q

Intel Cycle: Feedback

A

Gather feedback about the reports and data you’ve gathered

This is an opportunity for continuous improvement so you can create better requirements and improve the overall output of your threat intel program:
* Lessons learned
* Measurable success
* Evolving threat issues

15
Q

Nation-State Threat Actors

A

They have the most access to resources including tools, talent, equipment, and time

They have the full resources of an entire country behind them as well, and their goals are sponsored by that country

Associated with APT organizations and they have advanced tools and capabilities unrivaled by other threat actors

16
Q

Organized Crime Threat Actors

A

They have focused attacks typically aimed at financial gain, like ransomware attacks

17
Q

Hacktivist Threat Actors

A

Activists who use hacking as a means to a political or philosophical end

They range from individuals to large groups like Anonymous, and their tech capabilities and resources vary greatly

When assessing threats from hacktivists, carefully consider what types of hacktivists are most likely to target your org and why

18
Q

Script Kiddie Threat Actors

A

Malicious actors who use preexisting tools, often in relatively unsophisticated ways

Still very dangerous, don’t underestimate them

19
Q

Insider Threats Threat Actors

A

Threat actors from within your org, like employees or trusted individuals and groups

They might be intentional or unintentional, but either way they pose a significant threat due to their trusted position

Frequently considered one of the most likely causes of a breach, and difficult to detect

NOTE: The exam will break insider threats into intentional and unintentional, so know both

20
Q

Supply Chain Threat Actors

A

They can act as part of the supply chain, inserting malicious software or hardware, compromising devices, or inserting backdoors

They can also attack the supply chain itself, disrupting the ability to obtain goods and services

21
Q

TTP

A

Tactics, Techniques, and Procedures

APTs are one of the most concerning attackers that an organization can face

As they’re studied, they’re identified and classified based on their TTP

When you know that, you can successfully counter APT activity—it makes information about them exceptionally valuable

22
Q

Proactive Threat Hunting

A

Searching for threats proactively, rather than reactively, can keep you ahead of attackers

To implement this proactivity, use the following steps:
* Establishing a Hypothesis: A hypothesis is needed to test and should have actionable results based on the threat that the hypothesis considers
* Profiling Threat Actors and Activities: This helps ensure that you have considered who may be a threat, and why, as well as what their typical actions and processes are
* Threat Hunting Tactics: These are key to success in threat hunting activities—the skills, techniques, and procedures are where action meets analysis
* Reducing the Attack Surface Area: This allows resources to be focused on the remaining surface area, making protection more manageable
* Bundling Critical Assets Into Groups and Protection Zones: This helps with managing attack surface area, threat hunting, and response activities, since each asset doesn’t need to be individually assessed or managed as a unique item
* Understanding, Assessing, and Addressing Attack Vectors (the Means by Which an Attack Can Be Conducted): This step must be based on analysis of threat actors and their techniques as well as the surface area that threat actors can target
* Integrated Intelligence: This step combines multiple intelligence sources to provide a better view of threats
* Improving Detection Capabilities: This is a continuous process as threats improve their techniques and technology—if you don’t improve your detection capabilities, new threats will bypass existing capabilities over time

23
Q

Three Major Areas of Focus for Threat Hunting

A

  1. Configurations and misconfigurations that may lead to compromise, or that may indicate that an attacker has modified settings
  2. Isolated networks, which are typically used to protect sensitive or specialized data and systems—threat hunting here can be a bit easier since traffic and behaviors should be fully understood, but it could also mean deploying and using centrally managed tools, which can be challenging
  3. Business-critical assets and processes are a focus area due to their importance—focus on these due to their organizational risk profile and the importance of ensuring they remain secure

24
Q

IOC

A

Indicators of Compromise

Data that are commonly associated with compromised systems and software

They’re used to detect breaches, compromises, and malware, as well as other activities associated with attacks

For the exam, look at IOC through these three lenses:

  1. Collection: How to acquire data that may indicate compromise—this focuses on using tools, logs, and other data sources to gather that data
  2. Analysis: Determine if the information gathered actually indicates a compromise
    * EX: Unusual network traffic is a common IOC, but it could also be a new process or user performing a rarely required task—analysis requires understanding of whether it’s likely to mean a compromise has occurred or has been attempted
  3. Application: This occurs in two ways:
    * First: Through using analysis to understand if compromises have occurred, thus activating incident response processes and other security response procedures
    * Second: IOC application can be leveraged as part of the analysis process

Page 150 full description

25
Q

Common IOCs

A

  • Questionable login activity, including activity at odd hours, from dormant accounts, or from countries or geographic locations that don’t match typical account behavior
  • Modifications to files, particularly config files or logs
  • Unexpected or unusual use of privileged accounts
  • Unexpected or unusual network traffic
  • Large outbound data transfers
  • Unexpected services, ports, or software running on systems or devices

26
Q

Active Defense

A

A threat hunting technique that involves deception to either delay or confuse attackers

Techniques like tarpits provide attackers with large numbers of fake targets with false data, and they slow down scans and attacks

Honeypots are also used to lure attackers in

Dion’s Notes
* The practice of responding to a threat by destroying or deceiving the threat actor’s capabilities