CySA+ Study Notes 2 Flashcards

1
Q

(1) The ??? phase sets out the goals for the intelligence gathering effort. This phase is also widely referred to as Planning and Direction. This phase should show how intelligence will support business goals, such as ensuring a trustworthy repository of company data. The analyst effort needs to be properly costed and resourced, with sufficient staffing levels and tools. Define how security intelligence supports business goals, define use cases for security intelligence, identify legal/regulatory factors that impact collection and retention, identify data sources, and anticipate technical ???/constraints.

A

Security Intelligence Cycle 1 (Requirements)

2
Q

??? is usually implemented by software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. As part of the ??? phase, or as a separate phase, the data retrieved from different systems must be processed. Processing puts data into a consistent format so that analysis tools can operate on it effectively. Select and deploy a SIEM solution, configure and install collectors and agents to retrieve and process data sources, select/integrate sources of CTI, and ensure secure storage and access control of security information.

A

Security Intelligence Cycle - Stage 2 (Collection)

3
Q

???: once data is captured and normalized, considerable effort may be needed to analyze it and identify anomalies pointing to a potential problem. Use AI/ML to help with automated ???. Develop use cases with queries and filters designed to identify incident types, and correlate security event sources with CTI sources.

A

Security Intelligence Cycle 3 (Analysis)

4
Q

???: you must assess whether the intelligence produced by a source is relevant to the use cases developed for your analysis effort.

???: you must assess whether an intelligence source can research and disseminate updates in a timely manner.

A

Relevancy / Timeliness

5
Q

??? is derived from the provider’s own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers’ systems, suitably anonymized. Most of the commercial feed providers also market their own platform for processing and disseminating threat intelligence. Examples of commercial providers: IBM X-Force Exchange, FireEye, Recorded Future.

A

Closed-Source data

6
Q

??? refers to methods of obtaining information about a person or organization through public records, websites, and social media. ??? techniques can also be a source of threat data, as researchers use them to discover more about adversary groups and malicious actors. Examples of ???: AT&T Security, MISP, Spamhaus, SANS, VirusTotal. Open-source repositories include threat feeds similar to the commercial providers, but also reputation lists and malware signature databases. Government agencies represent one source of public threat information.

A

OSINT

7
Q

??? identifies the following capabilities: (1) Acquired and augmented—Uses commodity malware and techniques only (acquired) or has some ability to customize existing tools (augmented). (2) Developed—Can identify and exploit zero-day vulnerabilities and can deploy significant human and financial resources to attack planning and execution. (3) Advanced—Can exploit supply chains to introduce vulnerabilities in proprietary and open-source products and plan campaigns that exploit suppliers and service providers. (4) Integrated—Can additionally use non-cyber tools, such as political or military assets.

A

MITRE

8
Q

???: a formal classification of the resources and expertise available to a threat actor.

A

Adversary Capabilities

9
Q

Threat modeling is designed to identify the principal risks and TTPs that a system may be subject to by evaluating the system both from an attacker’s point of view and from the defender’s point of view. Threat modeling can be used to assess risks against corporate networks and business systems generally and can also be performed against more specific targets, such as a website or software deployment. The outputs from threat modeling can be used to build use cases for security monitoring and detection systems. Threat modeling is typically a collaborative process, with inputs from a variety of stakeholders. As well as cybersecurity experts with knowledge of the relevant threat intelligence and research, stakeholders can include non-experts, such as users and customers, and persons with different priorities to the technical side, such as those who represent financial, marketing, and legal concerns.

A

info

10
Q

The attack surface is all the points at which an adversary could interact with the system and potentially compromise it. To determine the attack surface, you must inventory the assets deployed on your network and the processes that those assets support. Consider the following three threat-modeling scenarios: (1) Corporate data network—Consider access by external users (VPN, email/VoIP, FTP/internally hosted website, Wi-Fi, building security) and internal users (switch port security, management channels, unlocked workstations, and so on). (2) Website/cloud—Consider the web application used for the front end, but also ways to access the application programmatically via an application programming interface (API). You might also consider the possibility of compromise from within the service provider’s data center. (3) Bespoke software apps—Forms and controls on the application’s user interface, interaction with other software via an API or file/data import process, and vulnerabilities from the host OS or platform.

A

info
