Cybersecurity Module 3: Threat Intelligence

Questions and Answers

Which organization maintains a list of CVEs used by prominent security organizations?

  • (ISC)2
  • SANS Institute
  • SecurityNews
  • FIRST (correct)

What type of resources does the SANS Institute provide for free upon request?

  • Training Programs
  • Security News Alerts
  • Research Papers
  • Early Warning Systems (correct)

Which of the following services is provided by the organization (ISC)2?

  • Active vulnerability exploits
  • Vendor neutral education products (correct)
  • Network attack vectors
  • Daily security news updates

What is the primary focus of FIRST as a security organization?

  • Fostering incident cooperation and information sharing (C) (correct)

Which weekly digest from SANS focuses specifically on newly discovered attack vectors?

  • @RISK (A) (correct)

Which organization aggregates the latest information related to alerts, exploits, and vulnerabilities?

  • SecurityNews (A) (correct)

What is one of the primary functions of the SANS Reading Room?

  • Sharing original research papers (A) (correct)

Which of the following best describes the target audience for (ISC)2's education products?

  • Industry professionals in cybersecurity (B) (correct)

Which of the following resources is NOT mentioned as useful for staying updated on cybersecurity threats?

  • Social media platforms (B) (correct)

What approach does FireEye use to secure networks?

  • Security intelligence, expertise, and technology (A) (correct)

Which organization is responsible for creating the Common Vulnerabilities and Exposure (CVE) catalog?

  • MITRE Corporation (D) (correct)

What is the primary purpose of the Automated Indicator Sharing (AIS) service?

  • To enable the real-time exchange of cyber threat indicators (D) (correct)

Which of the following is NOT one of the three common threat intelligence sharing standards?

  • Common Information Model (CIM) (A) (correct)

What is the primary purpose of the MS-ISAC in relation to cyber threats?

  • To act as a focal point for cyber threat prevention, protection, response, and recovery (A) (correct)

Which of the following is NOT mentioned as a method for network security professionals to stay updated on the latest threats?

  • Participating in online gaming forums (D) (correct)

What do the Cisco Annual Cybersecurity Report and the Mid-Year Cybersecurity Report provide information about?

  • Expert analysis of top vulnerabilities and state of security preparedness (A) (correct)

Continuous professional development for network security professionals includes which of the following?

  • Attending security-related training, workshops, and conferences (A) (correct)

What is a consequence of the steep learning curve in network security?

  • There is a necessity for continuous professional development (C) (correct)

What types of resources do blogs and podcasts primarily provide to security professionals?

  • Advice, research, and recommended mitigation techniques (D) (correct)

Which aspect is crucial for a cybersecurity analyst when reading security reports?

  • Learning how threat actors target their networks (A) (correct)

Which of the following is NOT a role of the CIS in relation to cyber threats?

  • Conducting cybersecurity vulnerability assessments (D) (correct)

Which service is known for regularly creating and distributing firewall rules and indicators of compromise (IOCs)?

  • Cisco Talos Threat Intelligence Group (A) (correct)

What is the primary objective of the Cisco Talos Threat Intelligence Group?

  • To protect enterprise users, data, and infrastructure from threats (D) (correct)

How many podcasts does Cisco Talos offer that cover security-related topics?

  • Over eighty (A) (correct)

In the context of threat intelligence services, what does the abbreviation IOC stand for?

  • Indicators of Compromise (C) (correct)

What type of information is primarily shared through threat intelligence services?

  • Threat information like vulnerabilities and mitigation strategies (A) (correct)

What is a notable feature of Cisco security blogs?

  • They allow for email notifications of new content (A) (correct)

Which of the following best describes the team composition of the Cisco Talos group?

  • World-class researchers, analysts, and engineers (D) (correct)

What is the intended outcome of Cisco Talos's data collection on threats?

  • To provide comprehensive protection against active threats (D) (correct)

What are the three major types of threat intelligence data?

  • IOC, TTP, and reputation information about internet destinations (A) (correct)

What is the primary purpose of a threat intelligence platform (TIP)?

  • To centralize and present threat data in a usable format (B) (correct)

How can organizations enhance their threat intelligence?

  • By sharing their intrusion data over the internet (D) (correct)

What is the role of honeypots in threat intelligence?

  • To attract and gather information from attackers (C) (correct)

What risk is associated with hosting honeypots?

  • They can expose production networks to attacks (D) (correct)

Which organization is NOT mentioned as a provider of network intelligence?

  • CISCO (B) (correct)

What is one benefit of basing a honeypot in the cloud?

  • It isolates the honeypot from production networks (D) (correct)

Which of the following is NOT a type of threat intelligence data?

  • User behavior metrics (D) (correct)

What is the primary function of Automated Indicator Sharing (AIS)?

  • To facilitate the exchange of cyber threat indicators between government and private sectors (D) (correct)

Which of the following best describes the capabilities of the FireEye Helix Security Platform?

  • It offers a cloud-hosted security operations platform integrating threat intelligence (A) (correct)

How does FireEye's security system enhance malware detection?

  • Through behavioral analysis and advanced threat detection (D) (correct)

What is the purpose of the Common Vulnerabilities and Exposures (CVE) database?

  • To catalog known security threats and vulnerabilities (D) (correct)

Which organization is responsible for sponsoring the creation of the CVE database?

  • MITRE Corporation (C) (correct)

What kind of technology does the Cisco Security product utilize?

  • Automation and advanced data analysis (A) (correct)

What distinguishes the method FireEye uses to detect zero-day threats?

  • It employs a signature-less engine for stateful attack analysis (C) (correct)

Which of the following tools does Cisco maintain security incident detection rule sets for?

  • Snort, ClamAV, and SpamCop (A) (correct)

Flashcards

CIS Role

A focal point for cyber threat prevention, protection, response, and recovery for local governments.

Cyber Threat Prevention

Measures to stop cyberattacks before they happen.

Cyber Threat Protection

Measures to defend against cyberattacks.

Cyber Threat Response

Actions taken when a cyberattack occurs.

Cyber Threat Recovery

Actions taken to restore systems/data after cyberattacks.

Continuous Skill Improvement

Staying up-to-date with the latest security and threat analysis.

Security Professionals

Individuals responsible for preventing, detecting, and mitigating cyberattacks.

Cybersecurity Reports

Reports providing analysis about the state of security preparedness, top vulnerabilities, and attack trends.

SANS Institute Resources

Free resources about internet security threats, including the Internet Storm Center, NewsBites, @RISK, and flash security alerts.

Internet Storm Center

A component of SANS, providing early warnings about emerging internet security threats.

CVE List (Mitre)

A list of Common Vulnerabilities and Exposures maintained by Mitre, used by security organizations.

FIRST (Forum of Incident Response and Security Teams)

A security organization that coordinates security incident response teams globally, improving information sharing and incident response.

Security News Portal

A website that aggregates up-to-date security news, alerts, exploits, and vulnerabilities.

Wire (ISC)²

Provides vendor-neutral security education and career services.

Network Intelligence Communities

Groups providing information about network security threats.

Threat Intelligence Services

Services that provide information about network and security threats, including information sources and communities.

Cybersecurity Intelligence Reports

Reports that contain information about cybersecurity threats, vulnerabilities, and exploits.

Indicators of Compromise (IOCs)

Specific data points that indicate a potential security breach or malicious activity.

Cisco Talos Threat Intelligence Group

A large commercial threat intelligence team focused on protecting against cyber threats.

Security Blogs

Online articles that discuss security-related topics, such as threats and vulnerabilities.

Cisco Talos Security Podcasts

Audio recordings discussing security threats, vulnerabilities, and mitigation techniques.

Vulnerabilities

Weaknesses in a system that attackers can exploit.

Mitigation Techniques

Methods to reduce or eliminate the impact of a threat.

Threat Intelligence

The collection, analysis, and dissemination of information about potential threats to cybersecurity.

Cisco Talos

A Cisco Threat Intelligence Group providing information about known vulnerabilities, indicators of compromise (IOCs), and mitigation techniques.

FireEye's Approach

Combines security intelligence, expertise, and technology to secure enterprises.

Automated Indicator Sharing (AIS)

A DHS service that enables real-time exchange of cyber threat indicators between the government and private sector.

CVE Catalog

A catalog of known security vulnerabilities managed by MITRE.

Threat Intelligence Platforms (TIPs)

Centralized systems that collect, analyze, and present threat data from multiple sources, enabling organizations to better understand and respond to threats.

Tools, Techniques, and Procedures (TTPs)

Methods and strategies employed by attackers to compromise systems and networks, such as phishing, malware distribution, or social engineering.

Reputation Information

Data about the trustworthiness of internet destinations or domains, often indicating potential threats based on historical activity or blacklisting.

Honeypots

Simulated networks or servers designed to attract attackers, providing valuable intelligence on attack methods and attackers' behaviors.

Cloud-Based Honeypots

Honeypots deployed in cloud environments, isolating them from production networks and reducing the risk of attacker intrusion.

MITRE ATT&CK Framework

A comprehensive knowledge base that maps common attacker tactics and techniques, providing valuable insights for threat analysis and defense.

Common Vulnerabilities and Exposures (CVEs)

Standardized identifiers for publicly known vulnerabilities in software and hardware, allowing organizations to assess and address potential risks.

Snort.org

A non-profit organization that provides open-source intrusion detection systems (IDS) and related resources.

ClamAV

An open-source antivirus software that scans for malware and viruses on computer systems.

SpamCop

A non-profit organization that provides tools and resources to fight spam, a type of unwanted electronic message.

FireEye Helix

A cloud-hosted security platform that combines various security tools and threat intelligence to protect networks.

Signature-less engine

A security technology that detects threats without relying on known signatures or patterns of malicious code.

MITRE Corporation

A non-profit organization that maintains the CVE database and conducts cybersecurity research and development.

Study Notes

Module 3: Threat Intelligence

  • Module objective: Evaluate threat intelligence sources.

Information Sources

  • SANS: Resources are largely free upon request, including the Internet Storm Center (early warning), NewsBites (weekly security news digest), @RISK (weekly digest of attack vectors and vulnerabilities), Flash security alerts, and Reading Room (research papers). SANS also develops security courses.
  • Mitre: Maintains a list of CVE (Common Vulnerabilities and Exposures).
  • FIRST: Security organization bringing together incident response teams from government, commercial, and educational organizations, fostering cooperation in information sharing, prevention, and rapid response.
  • SecurityNews: Security news portal aggregating breaking news on alerts, exploits, and vulnerabilities.
  • (ISC)² Wire: Provides vendor-neutral education products and career services to more than 75,000 industry professionals in over 135 countries.
  • CIS: Focal point for cyber threat prevention, protection, response, and recovery for governments, offering 24/7 cyber threat warnings, vulnerability identification, and mitigation, and incident response services.

Network Intelligence Communities (Cont.)

  • To remain effective: Stay updated on the latest threats (subscribe to real-time feeds, security websites, blogs, podcasts), and upgrade skills (attend training, workshops, and conferences).
  • Network security has a steep learning curve and requires continuous professional development.

Cisco Cybersecurity Reports

  • Resources for staying updated on latest threats: Cisco Annual Cybersecurity Report and Mid-Year Cybersecurity Report.
  • These reports provide updates, expert analysis on vulnerabilities, and factors behind attacks using adware and spam.
  • Cybersecurity analysts should read these reports to learn about threat actors' targeting methods and mitigation strategies.

Security Blogs and Podcasts

  • Another method to keep up-to-date is through reading blogs and listening to podcasts.
  • Blogs and podcasts provide advice, research, and recommended mitigation techniques.
  • Cisco provides blogs on security-related topics and podcasts from experts and the Cisco Talos Group.
  • Search for Cisco security blogs and subscribe for notifications.
  • Cisco Talos offers numerous podcasts available for listening or download.

Lab - Evaluate Cybersecurity Reports

  • Part 1: Research Cyber Security Intelligence Reports
  • Part 2: Research Cyber Security Intelligence Based on Industry
  • Part 3: Research Cyber Security Threat Intelligence in Real Time

3.2 Threat Intelligence Services

  • Threat intelligence services exchange threat information (vulnerabilities, indicators of compromise (IOCs), and mitigation techniques) with personnel and security systems.
  • They create and distribute firewall rules and IOCs to subscribed devices as threats emerge.
  • The Cisco Talos Threat Intelligence Group is a sample service.
  • It is one of the largest commercial threat intelligence teams, comprised of world-class researchers, analysts, and engineers.
  • Its goal is protecting enterprise users, data, and infrastructure, collecting information about existing and emerging threats.
  • Provides protection against these threats and malware in real time.
  • Provides free software, services, resources, and data.
  • Maintains security incident detection rule sets for Snort.org, ClamAV, and SpamCop network security tools.

FireEye

  • Security company offering services to secure networks using a three-pronged approach (security intelligence, expertise, technology).
  • Offers SIEM and SOAR with the Helix Security Platform using behavioral analysis and advanced threat detection, supported by FireEye Mandiant's worldwide threat intelligence network.
  • Helix is a cloud-hosted security operations platform combining security tools and threat intelligence.
  • Blocks attacks across web and email threat vectors, and latent malware on file shares.
  • Blocks the advanced malware that compromises most enterprise networks.
  • Uses a signature-less engine utilizing stateful attack analysis to detect zero-day threats.

Automated Indicator Sharing

  • The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS).
  • Enables real-time exchange of cyber threat indicators (malicious IP addresses, phishing emails) between the U.S. Federal Government and the private sector.
  • Creates an ecosystem for immediate threat sharing to protect networks.

Common Vulnerabilities and Exposures (CVE) Database

  • The United States government sponsored the MITRE Corporation to create and maintain a catalog called Common Vulnerabilities and Exposures (CVE).
  • The CVE serves as a dictionary for known cybersecurity vulnerabilities (by using CVE identifiers).
  • The MITRE Corporation defines unique CVE Identifiers to easily share data.

Threat Intelligence Communication Standards

  • Network organizations and professionals must share threat information to increase knowledge.
  • Several open intelligence-sharing standards have evolved to enable communication across networking platforms and automated, consistent, machine-readable exchange of cyber threat intelligence (CTI).
  • Three common threat intelligence sharing standards: Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), and CybOX.
  • STIX is a set of specifications for exchanging threat information between organizations; it incorporates the CybOX standard.
  • TAXII is a specification for an application layer protocol that allows CTI communication over HTTPS.
  • CybOX is a set of standardized schemas for specifying, capturing, and characterizing network operations, supporting many cybersecurity functions.
  • The Malware Information Sharing Platform (MISP) is an open-source platform for sharing newly discovered threats and indicators of compromise (IOCs).
  • Supported by the European Union, MISP is used by over 6000 organizations worldwide.
  • MISP allows automated sharing of IOCs using STIX and other formats.
  • These open standards standardize cyber threat intelligence information exchange.

Threat Intelligence Platforms

  • Various threat intelligence sources exist, each with unique formats.
  • Accessing and using multiple threat intelligence sources can be time-consuming.
  • Threat intelligence platforms centralize threat data from various sources, offering formats for analysis.
  • Threat intelligence data includes Indicators of Compromise (IOCs), Technique, Procedure and Tools (TTPs), and reputation information.
  • Threat intelligence platforms are designed to present threat intelligence data in a comprehensible and usable format.

Threat Intelligence Platforms (Cont.)

  • Organizations can contribute to threat intelligence by sharing intrusion data (typically automated).
  • Threat intelligence services use subscriber data to stay up-to-date on threats.
  • Honeypots are simulated networks designed to attract attackers; the attack-related information they gather is shared.
  • Cloud-based honeypots are isolated from production networks and offer an alternative gathering method.
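The STIX/TAXII bullets under Threat Intelligence Communication Standards and the two Threat Intelligence Platforms sections describe the same pipeline from a platform's point of view: indicators arrive in a standard format and the platform normalizes them into something an analyst or a security system can match against. The following Python is an added example, not code from the course, Cisco Talos, MISP or any other vendor named here. It takes a constructed STIX 2.1 bundle (every identifier, address and hash is made up), flattens the indicator patterns into an IOC table, flags patterns it cannot interpret, and matches the table against constructed proxy and antivirus log lines. It assumes patterns are built from simple equality comparisons; the TAXII transport itself (fetching a collection over HTTPS) is not shown, the bundle is embedded as a string.

```python
"""Normalize STIX 2.1 indicators into a flat IOC table and match them against log lines.

Added example; not code from the course or from any vendor it names. Only STIX
patterns made of simple "object:property = 'value'" comparisons are handled.
"""
import json
import re
from dataclasses import dataclass

# Constructed STIX 2.1 bundle, shaped like the response of a TAXII 2.1 collection's
# objects endpoint. All identifiers, names, addresses and hashes are made up.
STIX_BUNDLE_JSON = r'''{
  "type": "bundle",
  "id": "bundle--11111111-1111-4111-8111-111111111111",
  "objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
     "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
     "name": "Constructed C2 address", "indicator_types": ["malicious-activity"],
     "pattern": "[ipv4-addr:value = '203.0.113.10']", "pattern_type": "stix",
     "valid_from": "2024-01-01T00:00:00Z", "confidence": 85},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
     "created": "2024-01-02T00:00:00.000Z", "modified": "2024-01-02T00:00:00.000Z",
     "name": "Constructed phishing site", "indicator_types": ["malicious-activity"],
     "pattern": "[domain-name:value = 'example.invalid' OR url:value = 'http://example.invalid/login']",
     "pattern_type": "stix", "valid_from": "2024-01-02T00:00:00Z", "confidence": 60},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
     "created": "2024-01-03T00:00:00.000Z", "modified": "2024-01-03T00:00:00.000Z",
     "name": "Constructed dropper hash", "indicator_types": ["malicious-activity"],
     "pattern": "[file:hashes.'SHA-256' = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef']",
     "pattern_type": "stix", "valid_from": "2024-01-03T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--dddddddd-dddd-4ddd-8ddd-dddddddddddd",
     "created": "2024-01-04T00:00:00.000Z", "modified": "2024-01-04T00:00:00.000Z",
     "name": "Port-only pattern (not handled by this parser)", "indicator_types": ["anomalous-activity"],
     "pattern": "[network-traffic:dst_port = 4444]", "pattern_type": "stix",
     "valid_from": "2024-01-04T00:00:00Z"},
    {"type": "malware", "spec_version": "2.1",
     "id": "malware--eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee",
     "created": "2024-01-03T00:00:00.000Z", "modified": "2024-01-03T00:00:00.000Z",
     "name": "Constructed dropper", "is_family": false}
  ]
}'''

# One "object:property = 'value'" comparison inside a STIX pattern (quoted values only).
IOC_RE = re.compile(r"(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']*)'")


@dataclass(frozen=True)
class IOC:
    ioc_type: str      # e.g. "ipv4-addr:value" or "file:hashes.'SHA-256'"
    value: str
    indicator_id: str
    confidence: int    # STIX confidence 0-100; 0 when the producer gave none


def parse_stix_bundle(text):
    """Flatten a STIX bundle into IOC rows; returns (iocs, ids whose pattern was not understood)."""
    bundle = json.loads(text)
    iocs, unsupported = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # malware, relationship, etc. carry no matchable observable
        found = IOC_RE.findall(obj["pattern"])
        if not found:
            unsupported.append(obj["id"])  # surface it rather than silently dropping it
            continue
        for obj_type, prop, value in found:
            iocs.append(IOC(f"{obj_type}:{prop}", value, obj["id"], obj.get("confidence", 0)))
    return iocs, unsupported


def match_logs(iocs, log_lines):
    """Return [(line_index, ioc)] for every whole-token match of an IOC value in the logs.

    Tokens are compared exactly (lower-cased), so 203.0.113.10 does not hit 203.0.113.100.
    """
    by_value = {}
    for ioc in iocs:
        by_value.setdefault(ioc.value.lower(), []).append(ioc)
    hits = []
    for idx, line in enumerate(log_lines):
        for token in re.split(r"[\s=,;]+", line.lower()):
            for ioc in by_value.get(token, []):
                hits.append((idx, ioc))
    return hits


# Constructed log lines: a web proxy and an antivirus scanner, with one clean line first.
LOG_LINES = [
    "2024-03-01T10:00:01Z proxy allow src=10.0.0.5 dst=198.51.100.7 host=www.example.com",
    "2024-03-01T10:00:02Z proxy allow src=10.0.0.8 dst=203.0.113.10 host=EXAMPLE.invalid",
    "2024-03-01T10:00:03Z av scan path=/tmp/a.bin sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    iocs, skipped = parse_stix_bundle(STIX_BUNDLE_JSON)
    print(f"{len(iocs)} IOCs loaded; {len(skipped)} indicator(s) need a fuller pattern parser: {skipped}")
    for idx, ioc in match_logs(iocs, LOG_LINES):
        print(f"line {idx}: {ioc.ioc_type} = {ioc.value} (from {ioc.indicator_id}, confidence {ioc.confidence})")
```

Two design points carry over to a real platform. First, an indicator whose pattern the parser cannot interpret is reported, not dropped, because a silently missing IOC is exactly the gap an analyst will not notice. Second, matching is on whole tokens rather than substrings, so an IP or domain IOC does not fire on a longer value that merely contains it; the confidence carried on each row lets the consumer decide which hits become blocking rules and which only raise an alert.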

Lab - Identify Relevant Threat Intelligence

  • Part 1: Research MITRE CVE
  • Part 2: Access MITRE ATT&CK Knowledge Base
  • Part 3: Investigate Potential Malware

3.3 Threat Intelligence Summary

  • Several organizations provide network intelligence (SANS, Mitre, FIRST, SecurityNewsWire, (ISC)² Wire, and CIS).
  • Staying up-to-date (keeping abreast of threats, upskilling) and using resources like Cisco's annual reports is important.
  • Blogs and podcasts provide updated insights on threat information (vulnerabilities, IOCs, and mitigation techniques).
  • Threat intelligence services allow exchange with security systems, creating/distributing firewall rules and Indicators of Compromise (IOCs) to subscribed devices as threats emerge.
  • Examples include Cisco Talos Threat Intelligence Group, and other services such as FireEye.
  • FireEye uses a three-pronged approach combining security intelligence, expertise and technology.
  • The US Department of Homeland Security (DHS) offers Automated Indicator Sharing (AIS) for real-time exchange between the US Federal Government and the private sector.
  • The MITRE Corporation maintains the Common Vulnerabilities and Exposures (CVE) catalogue of threats.
  • Three key standards (STIX, TAXII, and CybOX) standardize cyber threat intelligence information exchange.

Description

This quiz evaluates your understanding of threat intelligence sources, including SANS, Mitre, and FIRST. Test your knowledge on various information sources and their roles in cybersecurity. Enhance your ability to navigate and utilize these resources effectively.
