Section Introduction, Tactical Intelligence Flashcards

1
Q
A

This section of the Threat Intelligence domain will focus on tactical intelligence roles and responsibilities. A typical day for a Cyber Threat Intelligence Analyst focusing on tactical intelligence involves performing threat exposure checks to see if malicious indicators have been identified within the environment, conducting public exposure assessments to see what information about the company and its employees is freely available online and whether it could be exploited in any way, and collecting and using actionable intelligence to improve defenses by implementing threat feeds that power automated defenses and provide context to security investigations.

2
Q

Learning Objectives

A

By the end of this section you will have achieved the following objectives:

Understand how threat exposure checks are conducted to identify the presence of indicators of compromise.
Understand how organizations can monitor IOCs using SIEM, EDR, and IDS systems to alert for positive matches.
Understand what public exposure assessments are and why they can be valuable to defenders and attackers.
Understand how information can be collected from open and dark-web sources and the legal constraints of this activity.
Understand what MISP is, why it’s used, and how to deploy it.

3
Q

Threat Exposure Checks Explained

A

A threat exposure check is when an analyst uses multiple tools such as SIEM and EDR to look for the presence of any indicators of compromise they have retrieved from intelligence vendors, information sharing partners, government alerts, or OSINT sources. This activity is considered a tactical task, as it requires a deep technical understanding to analyze the results from several different tools to determine if any exposure has been detected, and then assess exactly what’s been observed so it can potentially be passed to security analysts for investigation. To help you understand when and how threat exposure checks are conducted, we will walk you through a scenario based on real-world practices.

4
Q

Example Walkthrough

A

The threat intelligence team receives an email alert from US-CERT stating that “Vulnerability X” has seen a spike in exploitation activity across the internet. This report includes a list of IP addresses that US-CERT and partners have observed scanning the internet for vulnerable devices. The threat intelligence team would now retrieve that list of indicators of compromise and search for them in their SIEM platform, where the perimeter firewalls send their logs, so they can all be queried at once. The assigned analyst will search for source IPs equal to the values provided in the report and do a historic search, typically for the previous 7 days. Once the search has been completed, the analyst will be able to see if any of the mentioned scanning IPs have scanned the organization’s public IP range in the past 7 days.

If there is a recorded presence of the malicious IPs performing any kind of scanning or enumeration activity then IP blocks can be considered, depending on the nature of the IPs. Alerts can also be set up to trigger if these IPs begin scanning again so that defenders can closely monitor exactly what the IPs are scanning.

In an organization that has a team working on vulnerability management, it is likely that they will work closely with the threat intelligence team, as context around vulnerabilities is extremely important. A high-rated vulnerability might never be exploited, but a medium-rated vulnerability could be exploited on a mass scale. If malicious actors are actively exploiting a vulnerability, then this can provide justification for immediate patching.
