2B: Threat Intelligence

24 Terms

1. Threat research
a counterintelligence gathering effort in which security companies and researchers attempt to discover the tactics, techniques, and procedures (TTPs) of modern cyber adversaries.
2. Deep web
any part of the World Wide Web that is not indexed by a search engine. Includes pages that require registration, block search indexing, unlinked pages, pages using non-standard DNS, and content encoded in a non-standard manner.
3. Dark net
a network established as an overlay to Internet infrastructure by software, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network
4. Dark web
deliberately concealed from regular browser access; accessible only over a dark net.
5. 3 main threat intelligence forms
1. behavioral threat research
2. reputational threat intelligence
3. threat data
6. Reputational threat intelligence
Lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.
7. Behavioral threat research
narrative commentary describing examples of attacks and TTPs gathered through primary research sources.
8. Threat data
computer data that can correlate events observed on a customer's own networks and logs with known TTP and threat actor indicators.
9. Cyber Threat Intelligence (CTI)
Feeds of threat data that can integrate with a security information and event management (SIEM) platform. The data on its own is not a complete security solution. It must be correlated with observed data from customer networks.
10. Threat intelligence models
1. closed/proprietary: research and data are made available as a paid subscription to a commercial threat intelligence platform.
2. vendor websites: many vendors make huge amounts of threat research available on their sites, for free, as a general benefit to their customers.
3. information sharing and analysis centers (ISACs): both public and private sector-specific resources for companies working in critical industries to share threat intelligence and promote best practice.
4. open source intelligence (OSINT): provides threat intelligence on an open-source basis, earning income from consultancy rather than directly from the platform.
11. Tactic, technique, or procedure (TTP)
a generalized statement of adversary behavior. TTPs categorize behaviors in terms of campaign strategy and approach (tactics), generalized attack vectors (techniques), and specific intrusion tools and methods (procedures).
12. Indicator of compromise (IoC)
a residual sign that an asset or network has been successfully attacked or is continuing to be attacked; evidence of a TTP and of an attack that succeeded. An IoC can be definite and objectively identifiable, or open to interpretation because it depends on correlating many data points, which often makes it slow to diagnose.
13. Examples of IoCs
Unauthorized software and files
Suspicious emails
Suspicious registry and file system changes
Unknown port and protocol usage
Excessive bandwidth usage
Rogue hardware
Service disruption and defacement
Suspicious or unauthorized account usage
14. Indicator of Attack (IoA)
A term used for evidence of an intrusion attempt that is in progress.
15. Threat data feed
The data within a CTI platform: signatures and pattern-matching rules supplied to analysis platforms as an automated feed.
16. OASIS CTI framework
designed to provide a format for a threat data feed so that organizations can share CTI.
17. Structured Threat Information eXpression (STIX)
Part of OASIS CTI framework that describes standard terminology for IoCs and ways of indicating relationships between them. Provides the syntax for describing CTI.
18. Trusted Automated eXchange of Indicator Information (TAXII)
protocol that provides a means for transmitting CTI data between servers and clients.
19. Automated Indicator Sharing (AIS)
service offered by Homeland Security for companies to participate in threat intelligence sharing.
20. Threat map
an animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform.
21. Common Vulnerabilities and Exposures (CVE)
a database listing vulnerabilities, codified as signatures and scanning scripts that can be supplied as feeds to vulnerability scanning software.
22. Artificial intelligence (AI)
science of creating machines that can simulate or demonstrate a similar general intelligence capability to humans.
23. Machine Learning (ML)
use of algorithms to parse input data and then develop strategies for using that data.
24. Predictive analysis
also known as threat forecasting. One of the goals of using AI-backed threat intelligence.