1_5_3 Section 1 – Attacks, Threats, and Vulnerabilities - 1.5 – Threat Actors and Vectors - Threat Intelligence

Threat Intelligence

• Threat intelligence is crucial for security professionals to stay up to date with the latest threat posts and understand potential threats to their organization.
• Threats can come from public or private threat databases, hackers, or other sources on the internet.

Open-Source Intelligence (OSINT)

• OSINT is a good starting point for gathering threat intelligence from open sources.
• Open sources include the internet, discussion groups, social media sites, and governmental organizations.
• OSINT provides publicly available information from meetings, reports, and other sources.

Commercial Resources

• Commercial resources provide financial information, databases, maps, and other publicly available information.
• These resources are valuable and can be obtained for a cost.

Threat Intelligence Reports

• Threat intelligence reports can be used by anyone in IT security.
• Reports are essential for understanding threats that may apply to an organization.

Vulnerability Databases

• Vulnerability databases compile information from researchers and provide a summary of vulnerabilities.
• One popular database is the Common Vulnerabilities and Exposures (CVE) database.
• CVE is sponsored by the US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency.

National Vulnerability Database (NVD)

• NVD is a summary of all CVEs, providing severity scoring and patching information.
• NVD provides a dashboard with real-time data, including new CVEs, analyzed vulnerabilities, and score distributions.

Threat Maps

• Threat maps provide a visual perspective of attacks, including origins and frequency.
• Maps are created from real-time data pulled from many sources.

File or Code Repositories

• Repositories like GitHub can provide intelligence on potential threats.
• Hackers may use these repositories to gather information for future attacks.
• Misconfiguration can cause source code to be released publicly, allowing attackers to find vulnerabilities.

Cyber Threat Intelligence (CTA)

• CTA is a platform where members share threat information and validate threats.
• CTA enables faster reaction to threats with higher-quality information.

Automated Indicator Sharing (AIS)

• AIS is a way to automate the transfer of threat information between organizations.
• AIS uses a standardized format called STIX (Structured Threat Information eXpression).
• TAXII (Trusted Automated eXchange of Indicator Information) is a trusted transport for transferring STIX data.

Dark Web

• The dark web is an overlay of the internet that requires specialized software to access.
• It provides extensive information on hacker activities, tools, and techniques.
• Dark web forums can be a valuable tool for gathering intelligence against attackers.

Indicators of Compromise (IOCs)

• IOCs are specific activities that indicate a network breach.
• Examples of IOCs include unusual network traffic, changes in file hash values, and unusual login patterns.
• Understanding IOCs is essential for detecting and responding to network breaches.

Predicting Compromise

• Analyzing large amounts of data quickly can help predict potential breaches.
• Criteria for predicting compromise include evaluating DNS queries, traffic patterns, and location data.
• Combining these criteria with vulnerability information can help predict potential attacks.### Threat Information Sharing
• AIS (Automated Indicator Sharing) is a method to automate the process of sharing threat information between organizations quickly and securely over the internet.

Standardized Format for Threats

• STIX (Structured Threat Information eXpression) is a standardized format for representing threat information, including motivations, abilities, capabilities, and response information.

Secure Exchange of Threat Information

• TAXII (Trusted Automated eXchange of Indicator Information) is a trusted transport method for securely exchanging STIX data between organizations.

Dark Web Threat Intelligence

• The dark web is an overlay to the existing internet, requiring specialized software to access private websites.
• The dark web provides valuable threat intelligence, including information on hacker groups, tools, and techniques used to gain network access.
• Dark web forums can be a valuable tool for searching for intelligence on attackers.

Indicators of Compromise (IOCs)

• IOCs are specific activities that indicate a network may have been breached.
• Examples of IOCs include:
  • Unusual network traffic patterns
  • Changes to file hashes
  • Unusual login patterns
  • Changes to DNS server data
  • Unusual file access patterns

Predicting Network Compromise

• Analyzing large amounts of data quickly can help predict potential network compromises.
• Criteria for predicting compromises include:
  • Analyzing DNS queries and traffic patterns in real-time
  • Combining with location data to understand traffic origins
  • Identifying vulnerabilities that may be exploited