Chapter 2 Flashcards
Closed-Source Intelligence
Commercial security vendors, government organizations, and other security-centric organizations own information gathering and research, and they may use custom tools, analysis models, or other proprietary methods to gather, curate, and maintain their threat feeds.
Timeliness - Threat Intelligence
A feed that is operating on delay can cause you to miss a threat or to react after the threat is no longer relevant.
Accuracy - Threat Intelligence
Can you rely on what it says, and how likely is it that the assessment is valid? Does it rely on a single source or multiple sources? How often are those sources correct?
Relevancy - Threat Intelligence
If it describes the wrong platform, software, or reason for the organization to be targeted, the data may be very timely, very accurate, and completely irrelevant to your organization.
Structured Threat Information Expression (STIX)
Is an XML language originally sponsored by the U.S. Department of Homeland Security. STIX 2.0 (its current version as of this writing) defines 12 STIX domain objects, including things like attack patterns, identities, malware, threat actors, and tools. These objects are then related to each other by one of two STIX relationship object models: either as a relationship or as a sighting. A STIX 2.0 JSON description of a threat actor might read
OpenIOC
The OpenIOC schema was developed by Mandiant, and it uses Mandiant’s indicators for its base framework. A typical IOC includes metadata like the author, the name of the IOC, and a description; references to the investigation or case and information about the maturity of the IOC; and the definition for the indicator of compromise, which may include details of the actual compromise.
Intelligence Cycle
Requirements gathering, threat data collection, threat data analysis, threat data dissemination, and gathering feedback.
Requirements Gathering
Assess what security breaches or compromises you have faced. Assess what information could have prevented or limited the impact of the breach. Assess what controls and security measures were not in place that would have mitigated the breach.
Data Collection
Once you have your information requirements, you can collect data from threat intelligence sources to meet those requirements. This phase may repeat as additional requirements are added or as requirements are refined based on available data and data sources.
Data Processing & Analysis
The threat intelligence data that you gathered in the data collection stage will likely be in several different formats. Some may be in easy-to-access formats that your existing tools and systems can consume. Other data may be in plain-text or written form, or it may be almost entirely unformatted. In this stage you must first process the data to allow it to be consumed by whatever tools or processes you intend to use, and then you must analyze the data itself. The output from this stage could be data fed into automated systems or other tools, or written reports to distribute to leadership or others across your organization.
Intelligence Dissemination
In the dissemination phase of the intelligence cycle, data is distributed to leadership and operational personnel who will use the data as part of their security operations role.
Feedback
The final stage in the threat intelligence cycle is gathering feedback about the reports and data you have gathered. Continuous improvement is a critical element in the process, and it should be used to create better requirements and to improve the overall output of your threat intelligence program.
Nation State
Actors often have the most access to resources, including tools, talent, equipment, and time. Nation-state threat actors have the resources of a country behind them, and their goals are typically those of the country they are sponsored by. Nation-state actors are often associated with advanced persistent threat (APT) organizations, and they have advanced tools and capabilities not commonly seen in the hands of other threat actors.
Hacktivists
Are activists who use hacking as a means to a political or philosophical end. Hacktivists range from individual actors to large groups like Anonymous, and their technical capabilities and resources can vary greatly. When you are assessing threats from hacktivists, you need to carefully consider what types of hacktivists are most likely to target your organization and why.
Insider Threats
Are threats from employees or other trusted individuals or groups inside an organization. They may be intentional or unintentional, but in either case, they can pose a significant threat due to the trusted position they have. Insider threats are frequently considered to be one of the most likely causes of breaches and are often difficult to detect.