Cyber Threat Intelligence Overview

Questions and Answers

PDF Questions PDF Answers

What is the primary benefit of vendors aggregating data from multiple customer environments?

To limit the scope of threat detection

To derive unique technical insights on threats (correct)

To reduce the cost of cybersecurity solutions

To minimize the need for incident response teams

Which of the following is a typical product line for vendors in the cybersecurity space?

Financial auditing software

Cloud storage services

Technical cybersecurity solutions and applications (correct)

Human resource management tools

What type of intelligence is primarily collected by vendors in the cybersecurity industry?

Internal employee performance data

External telemetry and forensic-based intelligence (correct)

Cultural and social intelligence

Marketing analytics and consumer behavior

How does aggregated data from multiple customers assist vendors?

It provides visibility into threats impacting specific systems

What are high-fidelity observables primarily used for in cybersecurity?

To support network defense and threat hunting

Which of the following products can be created from the insights derived by vendors?

Threat feeds and finished intelligence

What role does a URL associated with a credential harvesting site play in network defense?

It can be leveraged for alerts or blocks against users

What could positive hits on a URL related to ransomware indicate?

User connection history relevant to the ransomware operation

What phase follows the collection phase in the intelligence lifecycle?

Processing and ingestion phase

Which type of intelligence is NOT categorized under the broad categories discussed in the module?

Artificial intelligence based intelligence

What is the primary focus of the collection phase in the intelligence lifecycle?

Collecting information and data for analysis

Which of the following best describes the purpose of the analysis and production phase?

To analyze data for creating intelligence products

How does understanding collection sources support the intelligence process?

It fits into the overall collection management process.

What is the ultimate goal of the dissemination and feedback phase?

To deliver intelligence products and gather feedback.

Which of the following phases involves turning data into analytic assessments?

Analysis and production phase

What is a critical element that should be reviewed before starting the collection module?

The requirements and planning module

What do TTPs stand for in the context of threat actors?

Tactics, Techniques, and Procedures

Why is it difficult for threat actors to change their TTPs?

Because they involve ingrained behaviors and strategic methodologies

What is a key benefit of understanding threat actor TTPs for organizations?

It helps in developing effective defensive measures

What factor should organizations consider when selecting a vendor for cyber intelligence?

The types of visibility the vendor has based on their cybersecurity products

What is the primary role of initial access brokers in cybercrime?

To develop and sell compromised access to other threat actors

What is a requirement for effectively using external telemetry and forensics-based intelligence?

A high degree of cybersecurity acumen and organizational maturity

What can be inferred about vendors based in Canada selling email security solutions?

Their intelligence is likely limited to North American email-based threats

How do CTI teams utilize intelligence related to compromised systems?

To engage in third-party risk mitigation activities

What approach do vendors often take when dealing with threat actors selling compromised resources?

They engage directly to gather more information

What should organizations do if they lack stakeholders with behavior-based threat hunting skills?

Seek to develop internal expertise before pursuing such products

Which application of cybersecurity intelligence is emphasized for assisting network defenders?

Informing prioritization and investment in security solutions

What is one key aspect of the information provided by threat actors about compromised resources?

They offer minimal information to entrap interested buyers

In what way do threat actors utilize deep and dark web forums?

To engage in recruiting operations for various purposes

What is a critical caution to consider when assessing intelligence from threat actors?

Much of the information may be false or exaggerated

What kind of emerging threats can threat actors discuss or sell on forums?

Commodity malware and new tactics

What should organizations be wary of regarding the sources of intelligence derived from the web?

They need to verify the reliability and authority of sources

What type of intelligence includes data collected from internal sensors and logs?

Internal telemetry and forensics-based intelligence

Why is internal telemetry and forensics-based intelligence often considered difficult to leverage?

Data comes from multiple sources with varying formats.

Which of the following best describes the primary purpose of contextualized security alerts?

To support incident responders and intelligence analysts.

What is a major limitation of the log data generated by network components?

Most logs pertain to non-threat-related events.

What is the potential advantage of correlating internal telemetry with external intelligence sources?

To derive unique, actionable, and relevant insights.

What is considered the 'holy grail' for many cyber threat intelligence (CTI) teams?

Full integration of internal telemetry and forensics-based intelligence.

What challenge do CTI teams face when analyzing data from diverse applications?

Inconsistency in log formats requiring custom processing.

What type of intelligence is most often the most difficult for CTI teams to leverage?

Internal telemetry and forensics-based intelligence

Study Notes

The Intelligence Lifecycle

• The intelligence lifecycle is a five-phase process outlining the core workflows of cyber threat intelligence (CTI) teams
• The five phases are requirements & planning, collection, processing & ingestion, analysis & production, and dissemination & feedback
• The collection phase focuses on gathering information and data for intelligence purposes

Types of CTI

• CTI is categorized into three broad categories:
  • Clear, Deep, and Dark Web Intelligence
  • External Telemetry and Forensics-Based Intelligence
  • Internal Telemetry and Forensics-Based Intelligence

Clear, Deep, and Dark Web Intelligence

• This type of intelligence is obtained from various online sources, including forums and marketplaces
• Threat actors use these platforms to advertise compromised systems, sell access, and recruit others for operations
• It’s crucial to approach this intelligence with skepticism, as threat actor claims can be inaccurate or exaggerated
• Key applications: Understanding emerging threats, tracking new malware and tools, and identifying plans and intentions related to specific operations or industry verticals

External Telemetry and Forensics-Based Intelligence

• This intelligence is typically collected from cybersecurity vendors that develop, deploy, and manage technical solutions and applications
• Vendors often have deep visibility into threats impacting the systems and applications their solutions are designed to detect and mitigate
• Key applications: Providing high-confidence technical insights on threats, delivering observables and indicators of compromise (IOCs) for network defense, threat hunting, and attribution
• It can also provide technical analysis and detection rules for malware samples, detailed analyses on threat actor tactics, techniques, and procedures (TTPs), and insights on threats affecting specific organizations, regions, and technologies

Internal Telemetry and Forensics-Based Intelligence

• This type of CTI encompasses data collected from internal sensors, security appliances, applications, logs, and post-incident forensics
• Internal data can be analyzed individually or correlated with external intelligence for enhanced insights
• Challenges in leveraging internal data: Different data elements and components requiring custom parsing and processing, large amounts of irrelevant data among logs and alerts
• It is widely considered the 'holy grail' of CTI, as effectively integrating and leveraging it can provide extremely valuable and relevant threat insights

Description

Explore the foundations of Cyber Threat Intelligence (CTI) through the intelligence lifecycle, which encompasses five critical phases. Learn about the different types of CTI, including Clear, Deep, and Dark Web Intelligence, and understand the importance of skepticism in evaluating gathered data.