Lesson 2: Using Threat Intelligence Flashcards
Open-source intelligence
The collection and analysis of information that is gathered from publicly available sources.
Open-source intelligence is primarily used in
national security, law enforcement, and business intelligence functions.
Closed source intelligence consists of
government or private data, which is not available through open inquiry.
Closed source intelligence is primarily used in
business information, law enforcement data, educational records, banking records, and medical records.
When assessing threat intelligence which three factors should you consider?
timeliness, relevancy, and accuracy of intelligence sources
Confidence scores allow organizations to
filter and use threat intelligence based on how much trust they can give it.
Why does a lot of threat intelligence start with a lower confidence score?
The score increases as the information solidifies.
What does STIX stand for?
Structured Threat Information Expression
Structured Threat Information Expression (STIX) is an
XML language originally sponsored by the U.S. Department of Homeland Security.
Using a single threat feed can leave you in the dark! Many organizations leverage
multiple threat feeds to get the most up-to-date information.
- Requirements Gathering:
a. Assess what security breaches or compromises you have faced
b. What information could have prevented or limited the impact of the breach
c. What controls and security measures were not in place that would have mitigated the breach
- Data Collection:
a. This phase may repeat as additional requirements are added or as requirements are refined based on available data and data sources.
- Data Processing and Analysis: The data that you gathered will likely be in several different formats.
You must process the data to allow it to be consumed by whatever tools or processes
(TAXII) protocol
Trusted Automated Exchange of Indicator Information
- Intelligence Dissemination
Data is distributed to leadership and operational personnel who will use the data as part of their security operations role.
- Feedback: Gathering feedback contributes to the continuous
improvement of security, and it should be used to improve the overall output of your threat intelligence program.
In the United States, organizations known as Information Sharing and Analysis Centers (ISACs) help
infrastructure owners and operators share threat information, as well as provide tools and assistance to their members.
The CySA+ exam objectives specifically mention three areas in this information sharing grouping:
healthcare, financial services, and aviation.
The CySA+ exam objectives specifically call out four common threat actors:
Nation-state actors
Organized Crime
Hacktivist
Insider Threat
Nation-state actors often have the most access to
resources, including tools, talent, equipment, and time.
Organized crime-focused attacks are aimed at
financial gain. Ransomware attacks are an increasingly common example of this type of threat from organized crime groups.
Insider threats are threats from
employees or other trusted individuals or groups inside an organization.
Insider threats, whether intentional or unintentional, are
considered to be one of the most likely causes of breaches and are often difficult to detect.
ATT&CK stands for
Adversarial Tactics, Techniques, and Common Knowledge
The ATT&CK matrices include detailed descriptions, definitions, and examples for the complete threat life cycle, from
initial access through execution, persistence, privilege escalation, and exfiltration.
The Diamond Model of Intrusion Analysis focuses heavily on understanding the attacker and their motivations
then uses relationships between these elements to better understand the threat
Lockheed Martin's Cyber Kill Chain has seven stages:
Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives
- Reconnaissance: Defenders must gather data about reconnaissance activities and
prioritize defenses based on that information.
- Weaponization involves building or acquiring a weaponizer that combines
malware and an exploit into a payload that can be delivered to the target.
- Delivery: the adversary either deploys their tool directly against targets or via a release that relies
on staff at the target interacting with it, such as an email payload, a USB stick, or websites that they visit.
- Exploitation uses a software, hardware, or human vulnerability to gain access. Defense against this stage focuses on
user awareness, secure coding, vulnerability scanning, penetration testing, and endpoint hardening to ensure the organization has a strong security posture.
- Installation focuses on persistent backdoor access for attackers. Defenders must monitor for
typical artifacts of a persistent remote shell or other remote access methodologies.
- Command and Control (C2) access allows two-way communication and continued control of the remote system. Defenders will seek to detect the C2 infrastructure by
hardening the network, deploying detection capabilities, and conducting ongoing research to ensure they are aware of new C2 models and technology.
- Actions on Objectives: Adversaries will collect credentials, escalate privileges, and move laterally through the environment. They may also
cause damage to systems or data.
Retention of logs is important at which stage? Why?
Delivery.
Defenders need them to track what occurred.
Proactive Threat Hunting Activities: Establishing a hypothesis to test; it should have actionable results based on
the threat that the hypothesis considers.
Proactive Threat Hunting Activities: Profiling threat actors and activities. This helps ensure that
you have considered who may be a threat, and why, as well as what their typical actions and processes are.
Proactive Threat Hunting Activities: Threat hunting tactics. The skills, techniques, and procedures are where action
meets analysis. This step includes executable process analysis,
Proactive Threat Hunting Activities: Reducing the attack surface area. This allows resources to be
focused on the remaining surface area, making protection more manageable.
Proactive Threat Hunting Activities: Bundling critical assets into
groups and protection zones.
Proactive Threat Hunting Activities: Improving detection capabilities. This is a continuous process as threats improve their techniques and technology. If you do not improve your detection capabilities, new threats will
bypass existing capabilities over time.
Proactive Threat Hunting Activities: Integrated intelligence combines
multiple intelligence sources to provide a better view of threats.
Proactive Threat Hunting Activities: Attack vectors must be understood, assessed, and addressed based on the
analysis of threat actors and their techniques as well as the surface area that threat actors can target.
Attack vectors, which specify how an attacker can gain access to their target, can include things like
USB key drops.
The ATT&CK framework specifically defines
threat actor tactics in standardized ways.
Which type of assessment is particularly useful for identifying insider threats?
Behavioral indicators: after-hours logins, misuse of credentials, logins from abnormal locations or abnormal patterns
TAXII is specifically designed to exchange information
via Hypertext Transfer Protocol Secure (HTTPS).
Which security company creates and provides a base set of indicators of compromise (IOC) used by OpenIOC?
Mandiant
What is a common criticism of the Cyber Kill Chain model?
It includes actions outside the defended network
Athena and Redshift fall under which category?
Analytics
Cloud9 and CodeCommit fall under which category?
Development
RDS, DynamoDB, Aurora, DocumentDB, ElastiCache, and Neptune fall under which category?
Databases
Explain the difference between a Region, an AZ, and a data center.
Regions are geographically isolated locations around the globe that have 2 or more AZs within them
- An AZ has one or more data centers within it