[Security and Threat Intelligence]
historically, our focus was on configurations.
We would set up the right firewalls, the right ACLs, install the right antivirus, and then we would say, "Hey, we're protected."
But these days, that simply isn't enough
instead, it's really important for us to think about the idea of security intelligence and cyber threat intelligence
security intelligence (inward look)
the process through which data is generated in the ongoing use of the information system.
that data is going to be collected, processed, analyzed and disseminated to provide us with insights into the security status of those systems
i.e. a standard system administrator logs things on their system and they review those logs. That is a form of security intelligence.
It's for them to understand what their system is doing. As they go through their firewall logs, their intrusion detection alerts and other things like that, they're understanding what their posture is internally inside the network and what the organization's security posture is currently set at.
thinking about "how are our systems looking?"
cyber threat intelligence (outward look)
the process of investigating, collecting, analyzing and disseminating information about the emerging threats and threat sources to provide data about the external threat landscape
thinking about the attacker groups, malware outbreaks, zero-day exploits, etc
forms of threat intelligence (2)
[Security and Threat Intelligence]
narrative report
gives us the analysis of a certain adversary group or a certain type of malware in the form of a written report
There are a lot of places you can buy these from, and these come in a format that is manually created by some threat analyst.
an analyst may spend all day going through different packet captures and honeypots, learning about some kind of adversary or malware, and then writing a report on it.
And these reports are then sold to all the different SOCs around the world who use that in their defense of their networks.
this is very useful at a strategic level.
This gives you intelligence about what the bad guys are doing, and that can help us decide where we want to put money and which security controls we want to have in place to be able to defend ourselves from these bad guys and their types of attacks
data field
can be a list of known bad indicators, things like indicators of compromise, domain names, IP addresses, or hashes of exploit or malware code.
All of these type of things are tactical level information.
This gives us something that is very operational. It's something we can do something with. If you tell me that this IP address is a known bad IP, I can block it in my firewall so no connections can go to it, right?
Use Both
We're going to use those narrative reports to get the big picture of what the landscape looks like and then we're going to use the data feeds to get those specific tactical things that we can program our sensors and our defenses against to be able to protect ourselves.
[Intelligence Cycle]
intelligence is a process
Requirements (Planning and Direction)
focused on what we want to collect and figuring out how we can best do that
Collection (& Processing)
Now that we know what we want to collect, we have to go about actually collecting it.
Analysis
where we start taking all that data we got and we start looking through it to try to make some decisions based on it
Dissemination
how we take that information that we've analyzed and present it to other people
Feedback
how we look back through the cycle, see what went right, what went wrong and what we could do better, and then we start all over again.
Requirements (Planning and Direction)
[Intelligence Cycle]
set out the goals for the intelligence gathering effort.
At this point, we need to figure out what is it that we want to collect.
That way we can figure out what the things we care about are: what do we want to spend the time, money and resources to gather?
it’s really important to have your goals set because if you don't understand what your goals are and you don't understand what your use case is for this data, you're going to be spending a lot of time and a lot of money collecting a lot of data for no reason at all.
i.e. if I worked for an auto manufacturer like Tesla or Honda or Ford, I would probably want to make sure that we are gathering intelligence on any threats to automobile systems.
Especially if you're somebody like Tesla that is trying to work towards self-driving cars, there's a big cyber threat component to that.
so we'd want to be looking out there at the entire landscape to figure out what adversaries are out there, what APTs are out there and what type of malware and vulnerabilities are out there for our type of systems that could affect the safety of our systems.
Consequently, we might also look at any kind of things that would affect our supply chain.
we have to buy those computers from somewhere, right?
And so we need to make sure we understand what threats exist there and how we can mitigate those risks.
There's a lot of information out there, and the idea of requirements gathering (planning and direction) is figuring out what the things we want to measure are.
also think about any kind of special factors or constraints we might have.
i.e. if you work for the government, there are certain things you can and cannot collect on your citizens depending on what government you are in the world.
so your organization is going to have to consider that as you're planning what your collection process is going to be.
now that we've considered all of that and we've figured out what we plan to do, we need to actually move into collection.
Collection (& Processing)
[Intelligence Cycle]
implemented by software tools such as SIEMs, and then the data is processed for later analysis.
this is where we're gathering all the data.
So if I put a network sensor out there that's collecting PCAP data, packet capture data, it can collect all that information and send it back to a centralized server.
I may collect logs from a router, from an intrusion detection system, from a firewall, from servers, from endpoints. All that data has to be collected and then sent someplace.
then we can use the SIEM as our center point of all the collection.
one challenge we have though is that when all this stuff is coming from different systems, it might come in a different format.
So we need to normalize that data and that is the processing part.
This is where we'll convert all the data into a standard format that a single solution like a single SIEM can actually use.
This means all the source IP addresses will be in a certain column, all the destinations will be in another column, and all the timestamps will be in a third column.
this way we can search and index all this information and use it as we search for those things later on in our analysis cycle
another consideration is how are you going to keep all this data secure?
we might be using things like encryption on the SIEM,
we might be using things like access control in the SIEM
and we might be using things for integrity like hashing on the SIEM.
All that data needs to be protected as well, because if it's useful to us, it could also be useful to an attacker
Analysis
[Intelligence Cycle]
performed against the given use cases that we had from our planning phase
we can utilize things like automated analysis, artificial intelligence, and machine learning.
important because there is so much data that we are collecting
at this point that a single person cannot read it and analyze it fast enough.
So we have to use some sort of way to automate this.
these days one of the most common ways of attacking this problem is by separating our data first into three buckets.
First, what do we know is good?
Second, what do we know is bad?
And third, what we're really concerned with is what we're not sure of because that's where further analysis needs to be done.
Now, all of the analysis we do should be done in the context of a use case.
And these use cases are something that we developed all the way back in our planning phase.
A use case says: I'm interested in this type of information for this reason. There might be some interesting information out there,
but if it doesn't impact business decisions for you and your organization, why do you even care? That's the idea here.
Our job here is to go through these large data sets and we want to start figuring out what doesn't look right, what looks funky, what is not going to be good for our organization and we want to start building our models against that.
i.e. if I start looking through the domain authentications that are occurring in your organization, and I know what good looks like and I know what bad looks like, there may be some things there that are suspect and it may be the indication of an insider threat.
And so if I'm looking at that through the lens of an insider threat use case, that will help me do my analysis better and use the right filters and query strings to extract the relevant data that I need
dissemination
[Intelligence Cycle]
refers to publishing the information produced by an analyst to a consumer who needs to act on the insights developed.
this can take a lot of different forms, and it depends on your organization and what the intended audience is.
You may have oral reports, you may have written reports, you may have a PowerPoint presentation,
you may have an email.
one of the most common ways to break up this dissemination is by the level of intelligence, of which there are three.
It can be strategic, operational, or tactical.
strategic intelligence
addresses broad themes and objectives
usually affect projects and business priorities over weeks, months, and years.
most often done as a report to an executive or a PowerPoint presentation in a large group.
operational intelligence
addresses the day-to-day priorities of managers and specialists.
often put out as a checklist of things you should be worried about today
tactical intelligence
informs real-time decisions made by staff as they encounter different alerts and system indications.
so if you're sitting there on the SOC watch floor and you see an alert pop up on your screen that is considered tactical intelligence.
it needs to be dealt with right now, and it is real time.
feedback and review
[Intelligence Cycle]
aims to clarify the requirements and improve the collection, analysis, and dissemination of information by reviewing the current inputs and outputs.
Basically, how can we do things better? That's our goal.
We always want to improve the implementation of our requirements, our collection, our analysis and dissemination, and how we can improve over time and get better at what we do.
i.e. you might do a lessons learned by figuring out what incidents occurred during this cycle's intelligence gathering so you can avoid those problems next cycle.
We might want to figure out how we're going to measure success, what metrics are going to show us success or failure of the intelligence gathering.
we also want to think about evolving threat issues.
Maybe we've been looking a lot for phishing but now we're seeing that phishing isn't popular.
instead, people are going against bring your own devices and so we want to start shifting our intelligence collection towards that threat vector.
these are the kind of things you want to think about as you move through the intelligence lifecycle.
[Intelligence Sources (collection and processing phase)]
there are lots of different sources to our intelligence that we can get out there, but not all are created equal
we have to be able to identify some factors to weigh the value of the intelligence that we're getting
timeliness
the property of an intelligence source that ensures that it is up-to-date,
because over time, the information is not nearly as valuable.
If I know that somebody has been attacking your network today and I don't tell you about it for three years, it's not going to be very useful to you.
once an adversary understands they've been identified, they're going to change tactics and they're going to change the way they do things.
And that means your report that you wrote today may not be valid in a week, three weeks, three months, or three years from now because things change
relevancy
the property of an intelligence source that ensures it matches the use case it was intended for.
Let's go back to my example of working for a large auto manufacturer.
If I start seeing that there's a lot of attacks going against the Mac OS X operating system, does that really apply to me as somebody who is running a car company and is using Windows machines or is using Linux in my embedded systems? Probably not
And so it's not nearly as relevant to me for the use case I have.
consider that as you're looking at all the different information out there because it can be overwhelming.
accuracy
the property of an intelligence source that ensures that it produces effective results.
this means that the information needs to be valid and true.
If you tell me that I've been attacked and I look and I can't find anything, well, was I really attacked, or was your information bad? We really don't know.
so it's really important to make sure the information we're getting is accurate.
This means we want to try to eliminate as many false positives as possible, especially when using automated software and machine learning and artificial intelligence, and make sure that we're getting the right information so that we can do our analysis properly on good information and create good decisions
confidence level
the property of an intelligence source that ensures it produces qualified statements about reliability.
When an analyst publishes a report, they don't have a hundred percent of the facts.
It's just the way this works.
We're trying to guess our way through this and we're getting lots of different pieces of information and lots of different indicators and we try to put together the best report we can.
Well, when we deal with this and we start taking all these sources, we have to look at these sources and figure out:
Are they reliable? Are they accurate? Are they relevant and are they timely?
we're going to actually put a grade on it of how good we think that information is.
confidence score…
[Intelligence Sources]
we're going to actually put a grade on it of how good we think that information is.
i.e. the MISP Project codifies the use of the admiralty scale for grading data and estimative language.
Now, you can choose any scale you want, but the admiralty scale is one of the more common ones.
it breaks it down into two areas: source reliability and information content.
source reliability,
this is going to get a letter grade from A through F.
It tells you if it's reliable all the way down to I can't judge the reliability.
i.e. if I got this piece of data from my own sensors and I trust them and there's no doubt this is reliable, give it a grade of A.
information content
graded on a scale of 1 to 6.
ranging from "confirmed" down to "cannot be judged".
when I confirmed it, this means that I had multiple independent sources that told me this information.
it's not just hearsay from one person.
as I go down the scale, I get less and less stringent on how well I can confirm that information all the way down to cannot be judged,
which means it's basically just a best guess.
useful, especially when reporting up to higher authorities or up to your bosses.
you can say, "Hey, I have this information. I heard there's this threat, but I'm not real confident about it. It only has a grade letter of C."
And you're going to take fewer actions against that than against something that has a grade of A, because A is much more certain
where to find information
[Intelligence Sources]
proprietary
threat intelligence that comes as a commercial service offering, where you're going to pay for access to these updates and research based on a subscription fee.
some of these commercial services are really just repackaging information that's available in free public registries without providing any of their own data, and these aren't nearly as useful
closed source
data that's derived from the provider's own research and analysis efforts, such as data from honeynets as they operate, plus information that's mined from their other customer systems and suitably anonymized.
i.e. if you and a hundred thousand other people all subscribe to a certain service and they're monitoring your networks, they can collect all that data from the 100,000 users and then be able to make analysis and reports based off of that in an anonymized fashion back to those 100,000 users so you all can share the information.
i.e. Mandiant → a proprietary information source that is closed-source.
they provide their own data, and you can subscribe using their threat intelligence subscription service to get data and updates from them
open source
data that's available for use without a subscription; this may include threat feeds similar to commercial providers, and it can contain reputation lists and malware signature databases too.
There are a lot of great sources of open-source intelligence out there.
And so if your organization is a little wary about spending a lot of money on commercial source information, they can start out with open-source information and then upgrade from there later on.
open source
[Intelligence Sources]
Now, when you talk about open-source intelligence, there are lots of different sources
US-CERT
the United States Computer Emergency Readiness Team.
provides you with feeds of current activity and alert news, plus regular bulletins and analysis reports.
they also have a bidirectional threat feed called the Automated Indicator Service that you can use
UK’s NCSC
National Cyber Security Centre
provides similar services to the US-CERT
AT&T Security (OTX)
previously AlienVault Open Threat Exchange, which was bought out by AT&T.
MISP
Malware Information Sharing Project.
VirusTotal
a great place to upload any file you're not sure of.
If you upload this file, it will check across 40 to 50 different antivirus products to see if any of them know if it's a virus or not, and it's a public repository for malware
Spamhaus
very focused on spam and email
SANS ISC Suspicious Domains
focused on providing a feed of suspicious domains that they think might be malicious.
implicit knowledge
the sense that an experienced analyst has when they go, "Ah, I know something is wrong here because of my 20 years of experience."
they may not always be up on the latest trends in cybersecurity (although most of the time they are), but they have that attitude and instinct because of their career as a cybersecurity professional
Over time, you're going to develop this as you become a senior cybersecurity analyst, where you just know this is wrong because you've seen it a hundred times before, and you start getting a feeling for what is going to come next based on your experience
you can't write it down, you can't codify it in a procedure.
It's just something you know based on your years of experience
OSINT
a very popular thing these days.
a method of obtaining information about a person or organization through public records, websites, and social media
[(ISAC) Information Sharing and Analysis Centers]
Began back in the 1990s as a form of a public-private partnership here in the United States
set up for each critical industry
a not-for-profit group set up to share sector specific threat intelligence and security best practices among its members.
ISACs were set up here in the United States, but over in the UK they have a similar thing known as the Cybersecurity Information Sharing Partnership (CISP).
Industries → government, healthcare, financial, aviation, etc
critical infrastructure → defined by DHS as any physical or virtual infrastructure that is considered so vital to the US that its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these
chemical sector, commercial facility sector, communication sector, critical manufacturing sector, the dams sector, the defense industrial base sector, emergency services sector, energy sector, financial services sector, food and agriculture sector, government facilities sector, healthcare and public health sector, IT sector, nuclear reactors, materials, and wastewater sector, transportation sector, and water and wastewater system sector (16)
if you work for any of these, you're probably dealing with ICS, SCADA
ICS, SCADA, and embedded systems
threats to these are the main focus within critical infrastructure
government
[(ISAC) Information Sharing and Analysis Centers]
the government has their own,
this is not the federal government. Instead, this government ISAC is focused on serving non-federal governments in the United States,
such as the state, local, tribal and territorial governments
i.e. my company is based out of Puerto Rico which is a territory of the United States.
So our government is a territorial government and they work as part of this ISAC with the federal government in this public-private partnership to make sure they're being served and they understand what threats are against their government
healthcare
[(ISAC) Information Sharing and Analysis Centers]
this ISAC serves healthcare providers, who are often targets of criminals seeking to blackmail them or looking for ransom opportunities by compromising patient data records or interfering with medical devices.
As you saw earlier, healthcare is considered one of the critical infrastructures inside this country. But then we have this separate ISAC here to help support healthcare providers directly.
financial
[(ISAC) Information Sharing and Analysis Centers]
this serves the financial sector to prevent fraud and extortion of both the consumer and the financial institutions.
i.e. we want to make sure we're getting information about anybody who's trying to affect a major trading platform like the NASDAQ or the stock market or somebody who might be able to go after ATMs to have them give out money for free.
All of these could pose a national security risk or an economic risk to our country.
aviation
[(ISAC) Information Sharing and Analysis Centers]
focused on serving the aviation industry to prevent fraud, terrorism, service disruptions and unsafe operations of air traffic control systems.
Again, this is an area we don't want to have problems in because if somebody could take over the air traffic control system they could start crashing planes into each other and that would be a really bad day for us.
[Threat Intelligence Sharing]
think about threat intelligence sharing within your organization
how do we make that data actionable
1. by disseminating this information to different people within our organization, or even outside our organization
through risk management and security engineering,
incident response,
vulnerability management and
detection and monitoring.
Overall, our goal here is to share our threat intelligence within our organization so we can improve our organizational capabilities and protect ourselves from additional threats
risk management and security engineering,
[Threat Intelligence Sharing]
risk management is the process of identifying, evaluating and prioritizing different threats and vulnerabilities in order for us to reduce their negative impact.
Now, the reason that threat intelligence is important to risk management is that
it tells us how risky a certain thing is based on outside threats. We know our own vulnerabilities through our vulnerability management and our scanning, but if we don't know what attackers are coming after us, we can't really think about the threat.
the reason we put risk management and security engineering together is that
we can start designing the architecture of the hardware, the software, and the network platforms to respond to these different threats and reduce our attack surface.
This way we can start figuring out what attacks we're vulnerable to and what controls we can put in place.
i.e. if we're looking at strategic threat intelligence and we start seeing that people are going after Linux systems more than Mac or Windows systems for instance that may mean that if we're running a lot of Linux servers we need to make sure we're prepared for those additional attacks.
This is the idea of thinking strategically of what changes we can make inside our organization for the long term to try to outsmart or out-maneuver the different bad actors that are out there
incident response
[Threat Intelligence Sharing]
Incident response is an organized approach to addressing and managing the aftermath of a cybersecurity breach or attack.
So if somebody has been successful in penetrating our network, we need intelligence to help keep them out.
the best type of intelligence here is going to be tactical-level intelligence
because we need to know where they are in our networks, what IP address they're coming from, and what they're doing once they're in our network;
all those tactical pieces of threat intelligence will help us identify where they are and how we can get them out of our network and prevent them from coming back.
then we can start using those strategic insights to prevent them from coming back over and over again in the future. But right now, we're really focused on the tactical threat intelligence to get this incident response resolved.
vulnerability management
[Threat Intelligence Sharing]
vulnerability management is the practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.
at a strategic level, we're going to use our threat intelligence to identify unrecognized sources of vulnerabilities that we may not have thought of.
i.e. do we have a WiFi enabled thermostat?
that's an IoT device, that we have to consider.
And many people don't think about that inside their organizations.
what about the concept of deepfakes?
what about AI facilitated fuzzing to discover zero day vulnerabilities?
there are lots of different things out there and if we think about them from a strategic level we can make sure that we're doing a good vulnerability management program that addresses those concerns.
we can also be thinking about things at a more tactical level, like we know that a certain piece of malware is now in the market.
Are we vulnerable to it?
And so we can do a scan, specifically looking for that one thing.
This is very popular once there's a big well-known malware attack that goes out there.
i.e. when WannaCry came out, that was something you'd want to do a vulnerability management of your own network and see if you were vulnerable to it and what mitigations you could put in place before you were attacked.
And using threat intelligence allows you to do that.
detection and monitoring
[Threat Intelligence Sharing]
detection and monitoring → the practice of observing activity to identify anomalous patterns for further analysis.
as we think about detection and monitoring we need to also use threat intelligence here too, because as we know what threats are out there we can then tune our sensors better.
This will allow us to add more rules and definitions based on different observed incidents that have happened either to our organization or partner organizations, or that come from one of those commercial data feeds that we're subscribed to.
By getting that information, we can tune our sensors better and we can have a lot more true positives and a lot less false positives.
So this is why it's a good idea to make sure you're on the dissemination chain for threat intelligence if you work in detection and monitoring