1_5_3 Section 1 – Attacks, Threats, and Vulnerabilities - 1.5 – Threat Actors and Vectors - Threat Intelligence

Questions and Answers

What is the primary purpose of staying up to date with the latest threat posts?

To identify potential threats to the organization (correct)

To understand the hacking techniques

To gather information from other sources

To monitor government reports

What is OSINT?

Open-source hacking techniques

Open Systems Internet Network

Open-source intelligence (correct)

Online Security Intelligence Network

Where can you gather threat intelligence from?

Only from government reports

From both open and commercial sources (correct)

Only from private threat databases

Only from hackers directly

Why is threat intelligence valuable?

It helps organizations prepare against potential threats

What is the purpose of threat intelligence reports?

To help organizations understand potential threats

Who can use threat intelligence reports?

Almost anybody in IT security

What is the primary purpose of threat intelligence services?

To provide a method to gather and analyze threats affecting an organization

What is the Common Vulnerabilities and Exposures database sponsored by?

The US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency

What is the primary function of the National Vulnerability Database (NVD)?

To compile and summarize CVEs

What is the purpose of the Cyber Threat Intelligence (CTA)?

To provide a platform for members to share and validate threat information

What is the benefit of sharing vulnerability information?

It enables everyone to benefit from knowledge of existing vulnerabilities

What type of databases are a common source of threat intelligence?

Vulnerability databases

What is the purpose of the severity scoring provided by the NVD?

To determine the severity of a particular vulnerability

What can organizations do with the information provided by threat intelligence services?

Gather and analyze threats affecting their organization

What is the benefit of the NVD providing a summary of the score distributions of vulnerabilities?

It enables organizations to see the severity of vulnerabilities at a glance

What is the purpose of public threat intelligence databases?

To share information about vulnerabilities with the public

What is the primary focus of machine learning in the context of threat intelligence?

Finding better ways to analyze large data sets

What is the purpose of threat maps?

To provide a visual perspective of attack origins and targets

Why do attackers monitor code repositories like GitHub?

To identify vulnerabilities in source code

What can happen if a code repository is misconfigured?

The source code is released publicly

What can attackers use source code for?

To find vulnerabilities for exploits

What is a common goal of threat intelligence?

To set up additional security measures

What is the purpose of Automated Indicator Sharing (AIS)?

To automate the transfer of threat information between organizations

What is the standardized format for threat information?

STIX

What is the primary use of the dark web in threat intelligence?

To gather information on hacker groups and their activities

What is an Indicator of Compromise (IOC)?

A specific activity that indicates a breach

What is the purpose of Trusted Automated eXchange of Indicator Information (TAXII)?

To securely exchange threat information

What is the main benefit of using Automated Indicator Sharing (AIS)?

It automates the transfer of threat information between organizations

What type of data can be used to predict compromises?

All of the above

Why is it important to monitor for potential threats?

To understand when a network may have been breached

What is the dark web?

An overlay to the existing internet that requires specialized software

What is the primary goal of analyzing large amounts of data?

To predict when a compromise may be attempted

What is the primary goal of threat intelligence reports?

To identify potential threats that could affect an organization

Where can you gather threat intelligence from?

From open sources, commercial resources, and other sources

What is the primary benefit of gathering threat intelligence?

To stay informed about potential threats and take necessary action

What type of information can be used to gather threat intelligence?

Publicly available information, including financial information and databases

Why is it important to stay up to date with the latest threat posts?

To stay informed about potential threats and take necessary action

Who can use threat intelligence reports?

Almost anybody in IT security

What is the primary purpose of threat intelligence services?

To provide a method to gather and analyze threats that may affect an organization

What is the role of the National Vulnerability Database (NVD)?

To provide a summary of all CVEs

What is the benefit of the severity scoring provided by the NVD?

To give an idea of how severe a particular vulnerability might be

What is the purpose of the Cyber Threat Intelligence (CTA)?

To evaluate and validate threat information among members

What is the Common Vulnerabilities and Exposures (CVE) database sponsored by?

The US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency

What can be found on the National Vulnerability Database (NVD) website?

A summary of all CVEs, along with severity scoring and patching information

What is the purpose of vulnerability databases?

To make information about vulnerabilities available to organizations

What can organizations do with the information provided by threat intelligence services?

Gather and analyze threats that may affect the organization

What is the purpose of threat intelligence?

To provide a method to gather and analyze threats that may affect an organization

What is a common source of threat intelligence?

Vulnerability databases

What is the primary benefit of using machine learning in threat intelligence?

To analyze large amounts of data and make inferences

What is the purpose of threat maps?

To give a visual perspective of where attacks may be originating and going

Why do attackers monitor code repositories like GitHub?

To find vulnerabilities in the source code

What is the primary goal of analyzing large amounts of data in threat intelligence?

To make inferences and protect networks

What can happen if a code repository is misconfigured?

The source code may be released publicly

What is the primary benefit of using threat intelligence?

To set up additional security for specific systems

What is the main purpose of STIX in threat intelligence?

To provide a standardized format for threat information

What is the primary benefit of using TAXII in threat intelligence?

To securely exchange information between organizations

What type of information can be gathered from the dark web?

Information about hacker groups and their activities

What is an indicator of compromise (IOC) in threat intelligence?

A specific activity that indicates a network breach

What is the primary goal of analyzing large amounts of data in threat intelligence?

To predict potential threats to a network

What is the benefit of combining location data with traffic patterns and DNS queries in threat intelligence?

To predict potential threats to a network

What is the primary focus of threat intelligence in terms of network security?

To detect and respond to potential threats to a network

What is the benefit of using standardized formats for threat information in threat intelligence?

To enable efficient sharing and exchange of threat information

What is the primary goal of monitoring for potential threats to a network in threat intelligence?

To detect and respond to potential threats to a network

What is the benefit of analyzing DNS queries and traffic patterns in threat intelligence?

To predict potential threats to a network

Study Notes

Threat Intelligence

• Threat intelligence is crucial for security professionals to stay up to date with the latest threat posts and understand potential threats to their organization.
• Threats can come from public or private threat databases, hackers, or other sources on the internet.

Open-Source Intelligence (OSINT)

• OSINT is a good starting point for gathering threat intelligence from open sources.
• Open sources include the internet, discussion groups, social media sites, and governmental organizations.
• OSINT provides publicly available information from meetings, reports, and other sources.

Commercial Resources

• Commercial resources provide financial information, databases, maps, and other publicly available information.
• These resources are valuable and can be obtained for a cost.

Threat Intelligence Reports

• Threat intelligence reports can be used by anyone in IT security.
• Reports are essential for understanding threats that may apply to an organization.

Vulnerability Databases

• Vulnerability databases compile information from researchers and provide a summary of vulnerabilities.
• One popular database is the Common Vulnerabilities and Exposures (CVE) database.
• CVE is sponsored by the US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency.

National Vulnerability Database (NVD)

• NVD is a summary of all CVEs, providing severity scoring and patching information.
• NVD provides a dashboard with real-time data, including new CVEs, analyzed vulnerabilities, and score distributions.

Threat Maps

• Threat maps provide a visual perspective of attacks, including origins and frequency.
• Maps are created from real-time data pulled from many sources.

File or Code Repositories

• Repositories like GitHub can provide intelligence on potential threats.
• Hackers may use these repositories to gather information for future attacks.
• Misconfiguration can cause source code to be released publicly, allowing attackers to find vulnerabilities.

Cyber Threat Intelligence (CTA)

• CTA is a platform where members share threat information and validate threats.
• CTA enables faster reaction to threats with higher-quality information.

Automated Indicator Sharing (AIS)

• AIS is a way to automate the transfer of threat information between organizations.
• AIS uses a standardized format called STIX (Structured Threat Information eXpression).
• TAXII (Trusted Automated eXchange of Indicator Information) is a trusted transport for transferring STIX data.

Dark Web

• The dark web is an overlay of the internet that requires specialized software to access.
• It provides extensive information on hacker activities, tools, and techniques.
• Dark web forums can be a valuable tool for gathering intelligence against attackers.

Indicators of Compromise (IOCs)

• IOCs are specific activities that indicate a network breach.
• Examples of IOCs include unusual network traffic, changes in file hash values, and unusual login patterns.
• Understanding IOCs is essential for detecting and responding to network breaches.

Predicting Compromise

• Analyzing large amounts of data quickly can help predict potential breaches.
• Criteria for predicting compromise include evaluating DNS queries, traffic patterns, and location data.
• Combining these criteria with vulnerability information can help predict potential attacks.### Threat Information Sharing
• AIS (Automated Indicator Sharing) is a method to automate the process of sharing threat information between organizations quickly and securely over the internet.

Standardized Format for Threats

• STIX (Structured Threat Information eXpression) is a standardized format for representing threat information, including motivations, abilities, capabilities, and response information.

Secure Exchange of Threat Information

• TAXII (Trusted Automated eXchange of Indicator Information) is a trusted transport method for securely exchanging STIX data between organizations.

Dark Web Threat Intelligence

• The dark web is an overlay to the existing internet, requiring specialized software to access private websites.
• The dark web provides valuable threat intelligence, including information on hacker groups, tools, and techniques used to gain network access.
• Dark web forums can be a valuable tool for searching for intelligence on attackers.

Indicators of Compromise (IOCs)

• IOCs are specific activities that indicate a network may have been breached.
• Examples of IOCs include:
  • Unusual network traffic patterns
  • Changes to file hashes
  • Unusual login patterns
  • Changes to DNS server data
  • Unusual file access patterns

Predicting Network Compromise

• Analyzing large amounts of data quickly can help predict potential network compromises.
• Criteria for predicting compromises include:
  • Analyzing DNS queries and traffic patterns in real-time
  • Combining with location data to understand traffic origins
  • Identifying vulnerabilities that may be exploited

Description

Test your knowledge on identifying potential threats to your organization from various sources, including public and private databases, hackers, and online sources. Stay up to date with the latest threat posts and understand their importance. Evaluate your skills in threat research and identification.