Cyber Threat Intelligence Overview

Questions and Answers

Modern networks require a deep understanding of what is present on the network; what ______ exist; and who might be targeting them.

weaknesses

Gaining insight into network activity allows for increased ______ to outmaneuver increasingly sophisticated threat actors.

agility

Threat data, when given the appropriate context, results in the creation of threat ______.

intelligence

Several products can provide decision-makers with a clear picture of network ______.

activity

A good threat intelligence ______ is necessary for any modern information security program.

program

Sergio Caltagirone defines cyber threat intelligence as 'actionable knowledge and insight on ______ and their malicious activities.'

adversaries

Investing in analysts who can collect and quickly understand data about ______ facing the organization is often effective.

threats

Decades of intelligence analysis studies can be used to define threat ______.

intelligence

A potential security risk is allowing clients to see directory listings instead of a rendered ______.

web page

To find vulnerable server directories, use the Google search query: site: intitle:"index of" "parent ______".

directory

Several registries are crucial for the Internet's function, and they manage unique global ______ addresses.

IP

Regional Internet Registries (RIRs) are responsible for assigning ______ addresses worldwide.

IP

As a security analyst, understanding advanced Google search methods such as Boolean logic and ______ order is useful.

word

___ intelligence is derived from human sources through overt, covert, or clandestine methods.

HUMINT

___ intelligence is the analysis of imagery and geospatial data concerning security-related activities.

GEOINT

Signals intelligence is intelligence-gathering done via intercepts of communications known as ___.

SIGINT

___ intelligence is the collection and analysis of publicly available information appearing in print or electronic form.

OSINT

Measurement and signature intelligence is derived from data other than imagery and ___.

SIGINT

Traditional intelligence often involves collecting information on foreign countries to further foreign policy and national ___ goals.

security

Threat intelligence teams often focus on using public, commercial, or in-house resources instead of ___ assets.

on-call

Free data associated with actor activity can be gathered through ___ source intelligence.

open

AFRINIC is the Regional Internet Registry for ______ and portions of the Indian Ocean.

Africa

The mechanism responsible for associating domain names with their server's IP address is known as ______.

DNS

Zone transfers are used to replicate DNS server content across multiple ______.

servers

The default behavior of DNS servers is to accept any request for a full transfer from any ______.

host

DNS tools like nslookup, host, and ______ are used to troubleshoot network problems.

dig

Protecting the network from DNS poisoning or spoofing requires restricting DNS ______.

leakages

Authorized hosts should only be able to request full transfers using ______ control lists.

access

LACNIC is the Regional Internet Registry for Latin America and portions of the ______.

Caribbean

Social media sites are rich sources of threat data, providing useful artifacts during high-impact ______.

events

Profiling analyzes a target's preferences and patterns to identify likely ______.

actions

Attackers exploit careless or untrained employees through social engineering ______.

campaigns

A recent OSINT gathering course was taught to a class in an allied ______.

country

The author performed a superficial exercise and found considerable actionable ______.

intelligence

The registrant contact for Google Inc. is listed with the title of ______.

DNS Admin

The tech contact for Google Inc. has a phone number of ______.

+1.6503300100

WHOIS is a tool that allows users to query information about registered domain ______.

registrants

Private registration services may show the registrar's information instead of the ______ details.

registrant's

Job sites can be used for ______ gathering and job recruitment.

information

Attackers can automate the gathering of data about ______ to craft convincing phishing emails.

targets

WHOIS is available in both command-line and ______ versions.

web-based

The email address for the DNS Admin at Google Inc. is ______.

[email protected]

Closed source data is any data collected covertly or as a result of ______ access.

privileged

By establishing a baseline of normal activity, analysts can use historical incident ______ to improve awareness of emerging threats.

responses

Closed source data tends to be of higher ______, allowing analysts to confidently verify findings.

quality

Many organizations prioritize external data over ______ threat data.

internal

Using multiple sources reduces the effect of ______ bias.

confirmation

The Traffic Light Protocol (TLP) was developed by the UK government's National Infrastructure Security Coordination Centre (NISCC) to improve threat information sharing among ______.

organizations

TLP:RED information is not for disclosure and is restricted to ______ only.

participants

TLP:AMBER allows limited disclosure, restricted to participants' ______.

organizations

Recipients of TLP:GREEN information may share it with peers and partner organizations within the ______.

community

TLP:WHITE information has unlimited ______ and can be distributed without restriction.

disclosure

TLP designations help guide information sharing responsibly while protecting sensitive information ______.

sources

When information falls under TLP:RED, it is crucial that recipients do not share it with any parties outside the specific ______.

exchange

The Traffic Light Protocol utilizes color-coded ______ to guide information sharing.

designations

Organizations need to map acquired intelligence to specific aspects of their ______ profile.

threat

Timely intelligence is crucial for its value in ______-making.

decision

Accurate threat intelligence reduces ______ and enhances efficiency of the security team.

noise

Internal network data often provides the most relevant threat ______.

intelligence

Good threat intelligence includes a clear description of the threat using ______ language.

consistent

Threat analysts often use ______ sources to help them keep pace with security industry trends.

OSINT

Adversaries prefer to acquire information about a target without directly ______ it.

touching

Passive reconnaissance is a process by which an adversary acquires information about a target network without directly ______ with it.

interacting

Google's vision is to organize all of the data in the world and make it ______ for everyone.

accessible

Many security analysts rely on publicly available data sets to perform research on common threat ______ and mitigating controls.

indicators

The operator [blank:] restricts search results to the specified domain or ______.

site

The operator [blank:] is used to find pages that contain a ______ to the indicated site or URL.

link

Using search queries, security researcher Johnny Long helped reveal vulnerable systems by exploiting Google’s ______ operators.

advanced

Google can help an attacker gather a remarkable amount of information about any individual, organization, or ______.

network

The operator [blank:] is used for searching files of a specific type, such as Excel spreadsheets.

filetype

Flashcards

Threat Intelligence

Actionable knowledge and insights into malicious actors and their activities, helping organizations reduce harm through better security decision-making.

Threat Data

Data about malicious activities, when contextualized, becomes threat intelligence.

Intelligence Cycle

Processes for gathering, analyzing, and disseminating threat intelligence.

Indicators of Compromise (IOCs)

Specific data points that indicate a potential or actual intrusion.

Cyber Threat Intelligence

Intelligence about malicious activities in cyberspace.

Network Activity Insight

Understanding and analyzing network data for security purposes.

Modern Networks

Complex networks requiring deep understanding of threats and weaknesses.

Security Decision-Making

Choosing the best course of action to reduce harm from cyber threats.

SIGINT

Intelligence gathering by intercepting communications, electronics, and/or instrument transmissions.

HUMINT

Intelligence gathered from human sources, using overt, covert, or clandestine methods.

OSINT

Intelligence gathered from publicly available information in print or electronic form.

MASINT

Intelligence gathered from data other than imagery and SIGINT.

GEOINT

Intelligence gathered by analyzing imagery and geospatial data concerning security.

All Source Intelligence

Intelligence gathered from every available source.

Open Source Intelligence (OSINT) use cases

Collecting free info from public sources like news, libraries, and search engines to answer questions for intelligence.

Intelligence Sources for Non-Government Groups

Non-government groups often rely on public, commercial resources, industry partners, and government organizations for intelligence.

Directory Listing

Displays a list of all files within a directory on a web server, potentially exposing sensitive information.

Google Cached Pages

A stored copy of a web page that Google has saved, allowing viewing even if the original site is down or unavailable.

Misconfigured Server

A server that has settings improperly configured, potentially exposing vulnerabilities and risks.

Internet Registries

Organizations responsible for managing and assigning unique identifiers, such as IP addresses and domain names, on the internet.

Regional Internet Registries (RIRs)

Nonprofit organizations responsible for assigning IP addresses within specific geographical regions, ensuring global uniqueness.

Actionable Threat Intelligence

Information about threats that can be used to take action and prevent or respond to security incidents.

Passive Reconnaissance

Gathering information about a target network without directly interacting with it.

Google Search Operators

Specific search commands used to refine Google search results for targeted information.

site: operator

Limits Google search to a specific website domain.

inurl: operator

Filters search results to include URLs containing a specific phrase.

filetype: operator

Filters search results to only show files of a specific type (e.g., .xls, .pdf).

intitle: operator

Finds web pages with a specific word or phrase in their title.

link: operator

Finds pages containing a link to a specific URL.

cache: operator

Shows cached copies of a webpage from Google's archives.

Domain Name System (DNS)

A system that translates human-readable domain names (like www.google.com) into machine-readable IP addresses.

What does DNS do?

DNS translates domain names into IP addresses, allowing users to access websites by typing easy-to-remember names instead of complex IP addresses.

Zone Transfer

Copying DNS server content to other servers for redundancy and reliability.

DNS Harvesting

Attackers using tools like nslookup or dig to gather information about a network's DNS servers.

Why is zone transfer a vulnerability?

It allows anyone on the network to request a full copy of a DNS server's records, potentially exposing sensitive information.

DNS Poisoning/Spoofing

Attackers manipulate DNS records to redirect users to malicious websites.

Access Control Lists (ACLs)

Lists used to restrict who can access DNS zone transfers, minimizing potential security risks.

Social Media & Threat Data

Social media platforms like Twitter and Reddit can be used to gather threat data, such as indicators of cyberattacks and information about individuals or companies.

Social Media Profiling

Analyzing a target's online activity and preferences to understand their likely actions, used for marketing and malicious purposes.

Social Engineering Attacks

Exploiting human vulnerabilities through deception and manipulation, often using social media, to trick individuals into performing actions that benefit the attacker.

OSINT in Action

OSINT can be used to gather actionable intelligence even through seemingly superficial exercises, highlighting its potential in real-world situations.

WHOIS

A tool used to query information about registered domains, including contact details and DNS records.

Private Registration Services

Services that mask the registrant information with the registrar's details, limiting public exposure but making it harder to contact the organization.

Job Sites Vulnerability

Job sites gather user data like professional history and preferences, which attackers can exploit for phishing and email harvesting.

Email Harvesting

Gathering email addresses from publicly available sources like job sites, for targeted attacks like phishing.

Incident Response

The process of dealing with cybersecurity incidents to contain damage, restore systems, and learn from the experience.

Spammers and Attackers

Individuals or groups that use WHOIS to gain access to personal information and target individuals for malicious purposes.

Network Engineer's Use of WHOIS

Network engineers use WHOIS to verify domain records, troubleshoot DNS issues, and identify network ownership.

Security Decision-Making with Threat Intelligence

Making informed security choices based on knowledge about cyber threats, vulnerabilities, and attacker tactics.

Closed-Source Intelligence

Data gathered covertly or through privileged access, like internal network logs, dark web communications, or intelligence sharing from communities, providing high-quality insights.

Confirmation Bias

The tendency for analysts to interpret information in a way that supports their pre-existing beliefs, ignoring contradictory evidence.

Why use multiple data sources?

To reduce confirmation bias, validate findings, and increase confidence in conclusions, especially when using closed-source information, ensuring a more accurate understanding of the situation.

Internal Network Threat Data

Critical data source for security analysis, often overlooked in favor of external data, providing valuable insights into potential malicious activity within an organization.

Handling Classified Data

When dealing with closed-source information, consider potential consequences of disclosure, legal implications, and protecting the integrity of the source.

Tailored Intelligence

Threat intelligence specific to an organization's environment, needs, and threats, providing maximum value.

Intelligence Timeliness

The value of threat intelligence is directly linked to its recency and relevance to current events.

Intelligence Accuracy

The reliability and trustworthiness of threat intelligence, minimizing noise and false alarms.

Internal Network Data

A valuable source of threat intelligence, providing insights specific to an organization's internal environment.

Impact on Business

Describing the potential consequences of a threat to an organization's operations and goals.

TLP:RED

The most restricted TLP designation. Information should only be shared with the specific participants involved, avoiding any further dissemination.

TLP:AMBER

Information is limited to the organizations involved, including clients or customers needing protection.

TLP:GREEN

Information can be shared within the community, including peers and partners, but not publicly.

TLP:WHITE

Information can be freely shared with no restrictions, except for standard copyright rules.

Traffic Light Protocol (TLP)

A system used to guide information sharing among organizations based on color-coded designations, ensuring responsible sharing while protecting sensitive information.

What is the TLP designation for sharing information within the community but not publicly?

TLP:GREEN. Green allows for sharing within the community, including peers and partner organizations, but not via publicly accessible channels.

Shareable Information Levels

The TLP categorizes information into different levels of shareability: RED (most restricted), AMBER (limited to organizations), GREEN (community only), and WHITE (no restriction).

When would you use a TLP:AMBER designation?

Use TLP:AMBER when information requires support for action but carries risks to privacy, reputation, or operations if shared outside of the involved organizations.