Threat Intelligence Sources (Threat Actors, Intelligence Sources, & Vulnerabilities) Flashcards
Indicators of Compromise (IoCs)
An IoC is an artifact, remnant or other indicator that activity is taking place in a system, application or service as part of an exploit or malware attack.
IoCs give organizations valuable information about the objects involved and the state of systems that have been compromised.
IoCs are network-based or host-based cyber observables.
They are forensic artifacts of an incursion or disturbance, for example, on a database system.
An IoC is a measurable event or a stateful property in the cyber domain.
Examples include registry entries, changes to configuration files, new files that appear on disk, code that appears in memory, the sudden appearance of encrypted or compressed files, and tools performing scanning or snooping over the network.
Vulnerability Database
A vulnerability database is a collection and distribution point for information about disclosed computer security vulnerabilities.
Although collection is important, it is the rapid distribution and dissemination of that information that is critical.
Vulnerability databases typically categorize and define identified vulnerabilities, along with their different variants and versions, so that each vulnerability has a unique identifier.
The database usually assesses the potential impact on affected systems using a qualitative scale, for example a scale of one to five or one to ten, or perhaps a color scheme: green for benign, yellow for a warning, and red for a dangerous or critical state.
They may also provide mitigation techniques, workarounds and countermeasures, as well as hyperlinks to updates, security patches, hotfixes and upgrades.
Common Database Organizations
Common Vulnerabilities and Exposures (CVE) from MITRE (mitre.org)
National Vulnerability Database (NVD) from NIST
ISS X-Force database
Symantec/SecurityFocus BID database
@RISK from SANS (sans.org)
Dark Web
Another place to find valuable information for countermeasures, mitigation and other technical controls.
Also called overlay networks or darknets.
To access the dark web, you need special software configurations and sometimes authorization.
It is part of the deep web, which is not indexed by search engines.
Based on peer-to-peer networking.
It can be accessed using the Tor browser, Freenet, I2P and Riffle.
Dark Web (What you will find)
The source of a lot of malware, ransomware and other malicious campaigns
Botnets, Bitcoin services, and darknet marketplaces like the historical Silk Road
Hacking groups and malware-as-a-service sites
Various fraud and hoaxing services
Places to obtain financing for malware campaigns
Phishing, ransomware and scam campaigns
Puzzles and games, illegal pornography, niche social media
Places for terrorists to gather and share information
The dark web could also be considered a source of open source intelligence (OSINT).
OSINT is any data or information that can be collected legally from free, public sources concerning an individual or an organization (think of it as any information found on the Internet).
It can be sourced from books or reports in a public library; articles in a newspaper, magazine or blog; statements and press releases; and Freedom of Information Act (FOIA) reports.
OSINT can also be gathered, compiled and visualized using tools like Maltego, which you can find in Kali Linux and other exploit kits.
There are also sharing centers where different entities collect and exchange information, as well as code repositories like GitHub and code repositories hosted by cloud providers such as Amazon Web Services and Google Cloud Platform.
Other Threat Intelligence Sources
Automated Indicator Sharing (AIS)
A free indicator-sharing capability that allows the exchange of cyber threat indicators between the federal government and the private sector at very high speed.
Structured Threat Information eXpression (STIX)
Allows organizations to share cyber threat intelligence with each other in a consistent and machine-readable way.
Predictive Analysis and Threat Maps
Often part of a managed security service provider's offering, for example Google Cloud Platform or AWS GuardDuty, as well as threat mapping. There is also Trusted Automated eXchange of Indicator Information (TAXII), which is similar to STIX.