Cybersecurity Module 3: Threat Intelligence
45 Questions

Questions and Answers

    Which organization maintains a list of CVEs used by prominent security organizations?

      • (ISC)2
      • SANS Institute
      • SecurityNews
      • MITRE Corporation (correct)

    What type of resources does the SANS Institute provide for free upon request?

      • Training Programs
      • Security News Alerts
      • Research Papers
      • Early Warning Systems (correct)

    Which of the following services is provided by the organization (ISC)2?

      • Active vulnerability exploits
      • Vendor neutral education products (correct)
      • Network attack vectors
      • Daily security news updates

    What is the primary focus of FIRST as a security organization?

    Fostering incident cooperation and information sharing

    Which weekly digest from SANS focuses specifically on newly discovered attack vectors?

    @RISK

    Which organization aggregates the latest information related to alerts, exploits, and vulnerabilities?

    SecurityNews

    What is one of the primary functions of the SANS Reading Room?

    Sharing original research papers

    Which of the following best describes the target audience for (ISC)2's education products?

    Industry professionals in cybersecurity

    Which of the following resources is NOT mentioned as useful for staying updated on cybersecurity threats?

    Social media platforms

    What approach does FireEye use to secure networks?

    Security intelligence, expertise, and technology

    Which organization is responsible for creating the Common Vulnerabilities and Exposure (CVE) catalog?

    MITRE Corporation

    What is the primary purpose of the Automated Indicator Sharing (AIS) service?

    To enable the real-time exchange of cyber threat indicators

    Which of the following is NOT one of the three common threat intelligence sharing standards?

    Common Information Model (CIM)

    What is the primary purpose of the MS-ISAC in relation to cyber threats?

    To act as a focal point for cyber threat prevention, protection, response, and recovery

    Which of the following is NOT mentioned as a method for network security professionals to stay updated on the latest threats?

    Participating in online gaming forums

    What do the Cisco Annual Cybersecurity Report and the Mid-Year Cybersecurity Report provide information about?

    Expert analysis of top vulnerabilities and state of security preparedness

    Continuous professional development for network security professionals includes which of the following?

    Attending security-related training, workshops, and conferences

    What is a consequence of the steep learning curve in network security?

    There is a necessity for continuous professional development

    What types of resources do blogs and podcasts primarily provide to security professionals?

    Advice, research, and recommended mitigation techniques

    Which aspect is crucial for a cybersecurity analyst when reading security reports?

    Learning how threat actors target their networks

    Which of the following is NOT a role of the CIS in relation to cyber threats?

    Conducting cybersecurity vulnerability assessments

    Which service is known for regularly creating and distributing firewall rules and indicators of compromise (IOCs)?

    Cisco Talos Threat Intelligence Group

    What is the primary objective of the Cisco Talos Threat Intelligence Group?

    To protect enterprise users, data, and infrastructure from threats

    How many podcasts does Cisco Talos offer that cover security-related topics?

    Over eighty

    In the context of threat intelligence services, what does the abbreviation IOC stand for?

    Indicators of Compromise

    What type of information is primarily shared through threat intelligence services?

    Threat information like vulnerabilities and mitigation strategies

    What is a notable feature of Cisco security blogs?

    They allow for email notifications of new content

    Which of the following best describes the team composition of the Cisco Talos group?

    World-class researchers, analysts, and engineers

    What is the intended outcome of Cisco Talos's data collection on threats?

    To provide comprehensive protection against active threats

    What are the three major types of threat intelligence data?

    IOC, TTP, and reputation information about internet destinations

    What is the primary purpose of a threat intelligence platform (TIP)?

    To centralize and present threat data in a usable format

    How can organizations enhance their threat intelligence?

    By sharing their intrusion data over the internet

    What is the role of honeypots in threat intelligence?

    To attract and gather information from attackers

    What risk is associated with hosting honeypots?

    They can expose production networks to attacks

    Which organization is NOT mentioned as a provider of network intelligence?

    Cisco

    What is one benefit of basing a honeypot in the cloud?

    It isolates the honeypot from production networks

    Which of the following is NOT a type of threat intelligence data?

    User behavior metrics

    What is the primary function of Automated Indicator Sharing (AIS)?

    To facilitate the exchange of cyber threat indicators between government and private sectors.

    Which of the following best describes the capabilities of the FireEye Helix Security Platform?

    It offers a cloud-hosted security operations platform integrating threat intelligence.

    How does FireEye's security system enhance malware detection?

    Through behavioral analysis and advanced threat detection.

    What is the purpose of the Common Vulnerabilities and Exposures (CVE) database?

    To catalog publicly known security vulnerabilities, each under a unique identifier.

    Which organization is responsible for sponsoring the creation of the CVE database?

    The United States government, which sponsored the MITRE Corporation to create and maintain it

    What kind of technology does the Cisco Security product utilize?

    Automation and advanced data analysis.

    What distinguishes the method FireEye uses to detect zero-day threats?

    It employs a signature-less engine for stateful attack analysis.

    Which of the following tools does Cisco maintain security incident detection rule sets for?

    Snort, ClamAV, and SpamCop

    Study Notes

    Module 3: Threat Intelligence

    • Module objective: Evaluate threat intelligence sources.

    Information Sources

    • SANS: Resources are largely free upon request, including the Internet Storm Center (early warning), NewsBites (weekly security news digest), @RISK (weekly digest of attack vectors and vulnerabilities), Flash security alerts, and Reading Room (research papers). SANS also develops security courses.
    • Mitre: Maintains a list of CVE (Common Vulnerabilities and Exposures).
    • FIRST: Security organization bringing together incident response teams from government, commercial, and educational organizations, fostering cooperation in information sharing, prevention, and rapid response.
    • SecurityNews: Security news portal aggregating breaking news on alerts, exploits, and vulnerabilities.
    • (ISC)²: Provides vendor-neutral education products and career services to more than 75,000 industry professionals in over 135 countries.
    • CIS: Through its Multi-State Information Sharing and Analysis Center (MS-ISAC), acts as the focal point for cyber threat prevention, protection, response, and recovery for U.S. state, local, tribal, and territorial governments, offering 24/7 cyber threat warnings, vulnerability identification and mitigation, and incident response services.

    Network Intelligence Communities (Cont.)

    • To remain effective: Stay updated on the latest threats (subscribe to real-time feeds, security websites, blogs, podcasts), and upgrade skills (attend training, workshops, and conferences).
    • Network security has a steep learning curve and requires continuous professional development.

    Cisco Cybersecurity Reports

    • Resources for staying updated on latest threats: Cisco Annual Cybersecurity Report and Mid-Year Cybersecurity Report.
    • These reports provide updates, expert analysis on vulnerabilities, and factors behind attacks using adware and spam.
    • Cybersecurity analysts should read these reports to learn about threat actors' targeting methods and mitigation strategies.

    Security Blogs and Podcasts

    • Another method to keep up-to-date is through reading blogs and listening to podcasts.
    • Blogs and podcasts provide advice, research, and recommended mitigation techniques.
    • Cisco provides blogs on security-related topics and podcasts from experts and the Cisco Talos Group.
    • Search for Cisco security blogs and subscribe for notifications.
    • Cisco Talos offers numerous podcasts available for listening or download.

    Lab - Evaluate Cybersecurity Reports

    • Part 1: Research Cyber Security intelligence Reports
    • Part 2: Research Cyber Security Intelligence Based on Industry.
    • Part 3: Research Cyber Security Threat Intelligence in Real Time

    3.2 Threat Intelligence Services

    • Threat intelligence services let an organization exchange threat information (vulnerabilities, indicators of compromise (IOCs), and mitigation techniques) with its personnel and with its security systems.
    • As threats emerge, such a service creates firewall rules and IOCs and distributes them to subscribed devices.
    • The Cisco Talos Threat Intelligence Group is one example of such a service.
    • It is one of the largest commercial threat intelligence teams, comprised of world-class researchers, analysts, and engineers.
    • Its goal is protecting enterprise users, data, and infrastructure, collecting information about existing and emerging threats.
    • Provides protection against these threats and malware in real time.
    • Provides free software, services, resources, and data.
    • Maintains security incident detection rule sets for Snort.org, ClamAV, and SpamCop network security tools.

    FireEye

    • Security company offering services to secure networks using a three-pronged approach (security intelligence, expertise, technology).
    • Offers SIEM and SOAR with the Helix Security Platform using behavioral analysis and advanced threat detection, supported by FireEye Mandiant's worldwide threat intelligence network.
    • Helix is a cloud-hosted security operations platform combining security tools and threat intelligence.
    • Blocks attacks across web and email threat vectors, and latent malware on file shares.
    • Blocks advanced malware of the kind that compromises most enterprise networks.
    • Uses a signature-less engine utilizing stateful attack analysis to detect zero-day threats.

    Automated Indicator Sharing

    • The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS); it is operated today by CISA, the DHS Cybersecurity and Infrastructure Security Agency.
    • AIS enables real-time exchange of cyber threat indicators (malicious IP addresses, phishing emails) between the U.S. Federal Government and the private sector; the indicators are exchanged in STIX format over TAXII.
    • The result is an ecosystem in which a threat observed by one participant is shared immediately so that the others can protect their networks.

    Common Vulnerabilities and Exposures (CVE) Database

    • The United States government sponsored the MITRE Corporation to create and maintain a catalog called Common Vulnerabilities and Exposures (CVE).
    • The CVE list serves as a dictionary of publicly known cybersecurity vulnerabilities, each entry referenced by its CVE identifier.
    • MITRE assigns each entry a unique CVE Identifier (for example CVE-2014-0160 for Heartbleed: the CVE prefix, the year the identifier was assigned, and a sequence number) so that vendors, scanners, advisories, and feeds can refer to the same vulnerability unambiguously.
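    As an added example (not part of the original module), the following Python shows how a tool should recognize and canonicalize CVE identifiers when pulling them out of reports. The advisory text is constructed; the syntax rule enforced is the CVE Program's (a four-digit year and a sequence number of at least four digits with no upper limit), and the year check is a plausibility rule chosen here.

```python
import re
from typing import List, NamedTuple

# CVE Program identifier syntax: "CVE-", a four-digit year, "-", then a sequence
# number of at least four digits with no upper bound (the variable-length form
# adopted in 2014). A naive "\d{4}" would silently miss CVE-2021-44228.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


class CveId(NamedTuple):
    year: int       # year the ID was reserved or published, not when the bug was introduced
    sequence: int

    def __str__(self) -> str:
        # Canonical form: uppercase prefix, sequence zero-padded only to the four-digit minimum
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve(text: str) -> CveId:
    """Validate one identifier and split it into its parts; raises ValueError otherwise."""
    m = CVE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a CVE identifier: {text!r}")
    year, sequence = int(m.group(1)), int(m.group(2))
    if year < 1999:  # the CVE list began in 1999, so earlier years are typos
        raise ValueError(f"implausible CVE year: {year}")
    return CveId(year, sequence)


def is_valid_cve(text: str) -> bool:
    try:
        parse_cve(text)
        return True
    except ValueError:
        return False


def extract_cves(text: str) -> List[str]:
    """Distinct CVE IDs mentioned in free text, canonicalized, in order of first appearance."""
    found = {}
    for m in CVE_RE.finditer(text):
        cid = CveId(int(m.group(1)), int(m.group(2)))
        if cid.year >= 1999:
            found.setdefault(str(cid), None)   # dict preserves insertion order, so it dedupes in order
    return list(found)


# Constructed advisory excerpt mixing valid, mixed-case, duplicate and malformed references.
SAMPLE_ADVISORY = (
    "Patch CVE-2014-0160 (Heartbleed) and cve-2021-44228 on all hosts; "
    "CVE-2021-44228 is the Log4Shell issue. Tracking IDs CVE-21-1 and "
    "CVE-2020-123 are malformed and must not be matched."
)

if __name__ == "__main__":
    print(extract_cves(SAMPLE_ADVISORY))
```

    Canonicalizing before comparing matters because the same vulnerability arrives as "cve-2014-0160" from one feed and "CVE-2014-0160" from another; a platform that keys on the raw string will count it twice.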

    Threat Intelligence Communication Standards

    • Network organizations and professionals must share threat information to increase their collective knowledge.
    • Several open intelligence-sharing standards have evolved so that cyber threat intelligence (CTI) can be exchanged across platforms in an automated, consistent, and machine-readable way.
    • Three common threat intelligence sharing standards are Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), and Cyber Observable Expression (CybOX).
    • STIX is a set of specifications for exchanging threat information between organizations. STIX 1.x embedded the CybOX standard; in STIX 2.x the CybOX observables were folded into STIX itself as Cyber Observable Objects, so CybOX no longer ships as a separate specification.
    • TAXII is an application-layer protocol specification that carries CTI over HTTPS; TAXII 2.x is a REST-style API in which a server exposes API Roots and Collections that clients poll for objects or push objects to.
    • CybOX is a set of standardized schemas for specifying, capturing, and characterizing observable network and host events, supporting many cybersecurity functions.
    • The Malware Information Sharing Platform (MISP) is an open-source platform for sharing newly discovered threats and indicators of compromise (IOCs).
    • MISP is supported by the European Union and is used by more than 6,000 organizations.
    • MISP can automatically share IOCs in STIX and other formats.
    • Together these open standards standardize how cyber threat intelligence is exchanged.
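    Added example, not part of the module and not code from OASIS or any TAXII server: building STIX 2.1 Indicator objects with Python's standard library and evaluating the simple OR-of-equalities patterns that plain IOC feeds use against observed events. Production code would use the stix2 and taxii2-client libraries and fetch bundles from a TAXII 2.1 server (GET {api-root}/collections/{id}/objects/ with Accept: application/taxii+json;version=2.1); the indicator values and events here are constructed from documentation address ranges, and the evaluator implements only a small subset of STIX patterning.

```python
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Optional


def _stix_now() -> str:
    # STIX 2.1 timestamps: RFC 3339 in UTC, millisecond precision, 'Z' suffix
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(pattern: str, name: str, created: Optional[str] = None) -> dict:
    """Build a STIX 2.1 Indicator SDO carrying the properties the spec marks as required."""
    ts = created or _stix_now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects: list) -> str:
    """Wrap objects in a STIX 2.1 Bundle, the envelope a TAXII 2.1 Collection serves."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                       "objects": objects}, indent=2)


# Deliberately small evaluator for the slice of STIX patterning used by plain IOC feeds:
# one observation expression of equality comparisons joined by OR, e.g.
# [ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']
_COMPARISON = re.compile(r"([\w-]+):([\w.]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern: str) -> list:
    """Return [(object-type:property, value), ...]; rejects anything outside the subset."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("only a single observation expression is supported")
    clauses = []
    for clause in re.split(r"\s+OR\s+", body[1:-1].strip()):
        m = _COMPARISON.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        clauses.append((f"{m.group(1)}:{m.group(2)}", m.group(3)))
    return clauses


def pattern_matches(pattern: str, observed: dict) -> bool:
    """observed maps 'object-type:property' to the value seen, e.g. {'ipv4-addr:value': '203.0.113.9'}."""
    return any(observed.get(key) == value for key, value in parse_pattern(pattern))


# Constructed indicators and observations (documentation address ranges, example domains).
INDICATORS = [
    make_indicator("[ipv4-addr:value = '198.51.100.7']",
                   "C2 address (constructed)", created="2024-05-01T00:00:00.000Z"),
    make_indicator("[domain-name:value = 'update.example.net' OR domain-name:value = 'cdn.example.net']",
                   "Phishing domains (constructed)", created="2024-05-01T00:00:00.000Z"),
]
EVENTS = [
    {"ipv4-addr:value": "198.51.100.7"},
    {"domain-name:value": "cdn.example.net"},
    {"ipv4-addr:value": "203.0.113.9"},
]


def matching_indicators(indicators: list, events: list) -> list:
    """Return (indicator name, event) pairs for every event that some pattern matches."""
    return [(ind["name"], ev) for ev in events for ind in indicators
            if pattern_matches(ind["pattern"], ev)]


if __name__ == "__main__":
    print(make_bundle(INDICATORS))
    for name, ev in matching_indicators(INDICATORS, EVENTS):
        print("hit:", name, ev)
```

    The evaluator raises on anything it does not understand (AND, NOT, MATCHES, multiple observation expressions) rather than silently treating the pattern as a non-match, which is the failure mode to avoid when consuming a feed: a pattern that never matches looks exactly like a clean network.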

    Threat Intelligence Platforms

    • Threat intelligence sources are numerous, and each publishes in its own format.
    • Accessing and using many sources by hand is time-consuming.
    • Threat intelligence platforms (TIPs) centralize threat data from multiple sources and present it in formats suited to analysis.
    • Threat intelligence data falls into three types: Indicators of Compromise (IOCs); Tactics, Techniques, and Procedures (TTPs); and reputation information about internet destinations.
    • A TIP is designed to present all of this data in a comprehensible and usable form.
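    Added example (not Cisco's or Talos's code) tying the threat intelligence service description in 3.2 to the platform role described here: two constructed feeds in different formats are normalized into one deduplicated store that keeps per-source provenance and the highest reported confidence, then turned into local Snort rules for the IPv4 indicators, mirroring how a service pushes rules and IOCs to subscribed devices. The feed layouts, field names, and confidence scores are assumptions made for the example.

```python
import csv
import io
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Iterable, Iterator, Optional

# Constructed sample feeds in two of the formats a platform typically has to ingest.
FEED_A_CSV = """type,indicator,confidence
ip,198.51.100.7,90
domain,Update.Example.NET.,70
sha256,0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF,80
ip,not-an-ip,50
"""
FEED_B_JSON = json.dumps([
    {"ioc_type": "ipv4", "value": "198.51.100.7", "score": 60},
    {"ioc_type": "domain", "value": "cdn.example.net", "score": 85},
])


@dataclass(frozen=True)
class Ioc:
    kind: str   # "ipv4", "domain" or "sha256"
    value: str  # canonical form, so the same indicator from two feeds compares equal


@dataclass
class Record:
    ioc: Ioc
    sources: set = field(default_factory=set)
    confidence: int = 0  # highest confidence any source assigned


_KINDS = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain", "sha256": "sha256"}


def normalize(kind: str, raw: str) -> Optional[Ioc]:
    """Map a feed's own type name and value to a canonical Ioc; None if malformed."""
    kind = _KINDS.get(kind.strip().lower())
    raw = raw.strip()
    if kind == "ipv4":
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return None
        return Ioc(kind, str(addr)) if addr.version == 4 else None
    if kind == "domain":
        value = raw.lower().rstrip(".")       # case and trailing dot are not significant in DNS
        return Ioc(kind, value) if value and " " not in value else None
    if kind == "sha256":
        value = raw.lower()
        ok = len(value) == 64 and all(c in "0123456789abcdef" for c in value)
        return Ioc(kind, value) if ok else None
    return None


def load_feed_a(text: str) -> Iterator[tuple]:
    for row in csv.DictReader(io.StringIO(text)):
        yield row["type"], row["indicator"], int(row["confidence"]), "feed-a"


def load_feed_b(text: str) -> Iterator[tuple]:
    for item in json.loads(text):
        yield item["ioc_type"], item["value"], int(item["score"]), "feed-b"


def build_store(entries: Optional[Iterable[tuple]] = None) -> dict:
    """Merge (kind, value, confidence, source) entries into one deduplicated store."""
    if entries is None:
        entries = list(load_feed_a(FEED_A_CSV)) + list(load_feed_b(FEED_B_JSON))
    store: dict = {}
    for kind, raw, confidence, source in entries:
        ioc = normalize(kind, raw)
        if ioc is None:
            continue  # a real platform would log the rejected row for the feed owner
        rec = store.setdefault(ioc, Record(ioc))
        rec.sources.add(source)
        rec.confidence = max(rec.confidence, confidence)
    return store


def to_snort_rules(store: dict, min_confidence: int = 70, base_sid: int = 1000000) -> list:
    """Emit Snort text rules for IPv4 indicators at or above the confidence threshold.
    Local rules take SIDs from 1,000,000 upward so they never collide with vendor rule sets."""
    rules = []
    for rec in sorted(store.values(), key=lambda r: r.ioc.value):
        if rec.ioc.kind != "ipv4" or rec.confidence < min_confidence:
            continue
        sid = base_sid + len(rules)
        src = ",".join(sorted(rec.sources))
        rules.append(
            f'alert ip any any -> {rec.ioc.value} any '
            f'(msg:"TI match {rec.ioc.value} via {src}"; sid:{sid}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for rule in to_snort_rules(build_store()):
        print(rule)
```

    Domain and hash indicators are kept in the store but not turned into Snort rules here; in practice they go to the DNS resolver's blocklist and to endpoint tooling respectively, and the confidence threshold is what keeps a low-quality feed from generating blocking rules on its own.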

    Threat Intelligence Platforms (Cont.)

    • Organizations can contribute to threat intelligence by sharing their own intrusion data, typically in an automated way.
    • Threat intelligence services use subscriber data to stay up to date on threats.
    • Honeypots are decoy systems or networks built to attract attackers so that their tools and techniques can be observed and the resulting attack information shared.
    • Hosting a honeypot inside the enterprise can expose the production network to attack; basing it in the cloud isolates it from production networks while still gathering intelligence.

    Lab - Identify Relevant Threat Intelligence

    • Part 1: Research MITRE CVE
    • Part 2: Access MITRE ATT&CK Knowledge Base.
    • Part 3: Investigate Potential Malware.

    3.3 Threat Intelligence Summary

    • Several organizations provide network intelligence (SANS, Mitre, FIRST, SecurityNewsWire, (ISC)², and CIS).
    • Staying up-to-date (keeping abreast of threats, upskilling) and using resources like Cisco's annual reports is important.
    • Blogs and podcasts provide updated insights on threat information (vulnerabilities, IOCs, and mitigation techniques).
    • Threat intelligence services allow exchange with security systems, creating/distributing firewall rules and Indicators of Compromise (IOCs) to subscribed devices as threats emerge.
    • Examples include Cisco Talos Threat Intelligence Group, and other services such as FireEye.
    • FireEye uses a three-pronged approach combining security intelligence, expertise and technology.
    • The US Department of Homeland Security (DHS) offers Automated Indicator Sharing (AIS) for real-time exchange between the US Federal Government and the private sector.
    • The MITRE Corporation maintains the Common Vulnerabilities and Exposures (CVE) catalogue of publicly known vulnerabilities.
    • Three key standards (STIX, TAXII, and CybOX) standardize cyber threat intelligence information exchange.

    Description

    This quiz evaluates your understanding of threat intelligence sources, including SANS, Mitre, and FIRST. Test your knowledge on various information sources and their roles in cybersecurity. Enhance your ability to navigate and utilize these resources effectively.
