Information Security Fundamentals
37 Questions

Created by
@TerrificAlmandine

Questions and Answers

Which of the following are sources of financial intelligence? (Select all that apply)

  • Financial Intelligence Unit (FIU) (correct)
  • Honeypots
  • SWIFT (correct)
  • Social Media

Social media intelligence (SOCMINT) can be collected only from open social networks.

False

What are indicators of compromise (IoCs)?

Artifacts of network security incidents that indicate an intrusion.

Cyber counterintelligence (CCI) is used to protect the organization against the adversary’s _____ operations.

intelligence

What type of CCI identifies and counters threats before they occur?

Defensive CCI

Match the following threat intelligence sources with their descriptions:

  • Facebook = Source of social media intelligence
  • FS-ISAC = Industry association for financial services
  • SWIFT = Organization facilitating international financial transactions
  • MISP = Malware information sharing platform

Which of the following are major elements of threat intelligence?

Availability

Why do industries with similar fields of work build associations?

To coordinate and carry out resource and information exchange.

Unstructured data consists of numbers and text.

False

What is the main purpose of threat intelligence (CTI)?

The collection and analysis of information about threats and adversaries.

____ is information produced by processing data and analyzing information.

Intelligence

Match the following types of threat intelligence with their primary focus:

  • Strategic Threat Intelligence = High-level business strategies
  • Tactical Threat Intelligence = Tactics, techniques, and procedures (TTPs)
  • Operational Threat Intelligence = Specific threats against an organization
  • Technical Threat Intelligence = Attacker's resources and tools

What is the role of SIEM in security?

Tracking suspicious end-user behavior activities within a real-time IT environment.

The collection sources for ______ threat intelligence include campaign reports, malware, and incident reports.

Tactical

Which components are important in risk assessment?

Assessing security controls

What is the first step in building an efficient threat intelligence program?

Gathering the requirements.

Network access controls can automatically discover every device attempting to connect to the network.

True

What do organizations need to assess before implementing a threat intelligence program?

Existing operational capabilities.

What are the types of questions PIRs enable organizations to answer? (Select all that apply)

What types of data need to be collected?

PIRs are static and rarely evaluated.

False

What does MoSCoW stand for in prioritization?

Must have, Should have, Could have, Won't have.

Strategic threat intelligence data helps in performing the ______ analysis.

strategic

Match the following types of threat intelligence data to their focus areas:

  • Strategic Threat Intelligence = High-level analysis for senior leaders
  • Operational Threat Intelligence = Actionable information on specific attacks
  • Tactical Threat Intelligence = Details on tactics and techniques of attackers
  • Technical Threat Intelligence = Information on attacker's technical assets and infrastructure

What is the purpose of operational security (OPSEC)?

To control organizational data and avoid exploitation.

Which of the following are sources for technical threat intelligence? (Select all that apply)

Incident reports

Threat intelligence data collection is a static process.

False

What is raw data in the context of threat intelligence?

Unprocessed, unaltered, and unfiltered data.

Which of the following factors affect the credibility of an intelligence source? (Select all that apply)

Lack of authenticity of the data accessed

What is OSINT?

Open-Source Intelligence

What is one method of data collection mentioned in the content?

Active method

The quality of threat intelligence is not affected by the sources from which it is collected.

False

What is the primary goal of validating the quality and reliability of third-party intelligence sources?

To ensure the data is trustworthy and free from biases.

The method that only collects internal and open shared data is called the __________ method.

passive

What are the types of external intelligence feeds? (Select all that apply)

Business associations

What does SIGINT stand for?

Signals Intelligence

Which type of intelligence involves the gathering of information through interpersonal communication?

Human Intelligence (HUMINT)

Proactive surveillance feeds are used solely for historical data analysis.

False

Study Notes

Fundamental Concepts

• Threat Intelligence (TI) relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.
• Data can be categorized into three types: raw data (unprocessed), structured data (numbers, text, etc.), and unstructured data (images, video, audio, etc.).
• Information is the output of processed data that contains meaning and context.
• Intelligence is obtained by processing data and analyzing information.

Intelligence-Led Security Testing

• Intelligence-led security testing provides contextual intelligence at every stage of testing, guiding security professionals to make informed decisions.
• It helps in identifying initial Indicators of Compromise (IoCs) and then pivots from those to identify related indicators and artifacts, in order to assess the possibility of an attack.

Threat Intelligence (CTI)

• CTI is the collection and analysis of information about threats and adversaries, drawing patterns to make knowledgeable decisions for preparedness, prevention, and response actions against various cyberattacks.
• Characteristics of CTI include:
  • Collecting data from multiple sources
  • Creating customized and prioritized alerts
  • Identifying initial IoCs and related indicators
  • Providing insights into active campaigns and emerging security threats
  • Recommending remediation and risk mitigation solutions

Benefits of CTI Program

• Provides greater insight into cyber threats
• Prevents data loss by identifying causes of data leakage
• Guides incident response
• Conducts data analysis to identify exploitable data
• Provides actionable strategic and tactical choices
• Conducts threat analysis for detecting advanced threats
• Shares threat information to spread awareness
• Identifies IoCs and TTPs, and discovers breaches at an early stage

Organizational Objectives for Threat Intelligence Programs (TIPs)

• Enhanced and Automated Incident Prevention
• Automation of Security Operations and Remediation Activities
• Guidance to Cyber Security Activities
• Improved Risk Management
• Improved Incident Detection

Types of Threat Intelligence

• Strategic Threat Intelligence: focused on high-level business strategies, collected from OSINT, CTI vendors, and ISAO/ISACs.
• Tactical Threat Intelligence: provides information related to TTPs used by threat actors, consumed by cyber security professionals.
• Operational Threat Intelligence: provides contextual information about specific threats against the organization, consumed by security managers, network defenders, and fraud detection teams.
• Technical Threat Intelligence: provides information about an attacker's resources, focused on a specific IoC, consumed by security teams.

Cyber Threats and Motivations

• Cyber threat: an act in which the adversary attempts to gain unauthorized access to an organization's network.
• Motivations of attackers depend on their state of mind, reason, and resources.

Security Measures

• SIEM: tracks suspicious end-user behavior activities within a real-time IT environment.
• Next-Generation Firewall (NGFW): detects and blocks advanced attacks by incorporating rules or policies at the application level.
• IDS/IPS: monitors traffic and inspects data packets for suspicious content, gathering information to identify possible violations of security policy.
• Network Access Controls (NACs): automatically discover each device attempting to connect to the organizational network.
• Antivirus (AV) software: defends internal and external resources from viruses, Trojans, worms, etc.
• Gateway solutions: monitor network traffic for suspicious content and block it if necessary.

Foundational Cyber Security Capabilities

• Organizations need to have foundational cyber security capabilities incorporated into their current IT infrastructure, including:
  • Configuration management
  • Centralized SIEM capabilities
  • Patch management
  • Advanced malware detection and analysis capability
  • Network activity monitoring controls
  • Incident handling capabilities
  • Forensic investigation capabilities
• These capabilities help organizations utilize threat intelligence to its maximum level

Assessing Operational Capabilities

• Organizations need to assess their existing operational capabilities before implementing a threat intelligence program, including:
  • Identifying IT assets critical to the organization's business operations
  • Identifying valuable internal assets
  • Identifying possible threat actors, their tactics, techniques, and procedures (TTPs), and campaigns targeting the organization
  • Assessing the efficiency and effectiveness of existing security system capabilities
  • Assessing the ability of security professionals to monitor, detect, mitigate, prevent, and remediate targeted attacks

Setting Up Requirements

• The main goal of setting up requirements is to understand what type of information is needed by the organization and how it is consumed
• Organizations need to identify their threat intelligence needs by answering questions such as:
  • What type of intelligence does the consumer need?
  • When does the intelligence need to be delivered to the consumer?

Use Cases for Threat Intelligence

• Organizations need to start with a primary use case for threat intelligence, such as:
  • Prevention and Detection of Attacks
  • Forensics
• The primary use case helps in extracting additional information about the TTPs used by adversaries

Focus on Adversaries

• Organizations need to focus on possible adversaries after identifying both primary and secondary use cases for threat intelligence
• Gathering knowledge of specific attacks and adversaries relevant to the organization's environment helps security teams refine and enhance protection mechanisms with threat intelligence

Intelligence Requirements

• Organizations need to answer questions to decide how to incorporate threat intelligence into the current security infrastructure
• Intelligence requirements generally fall into three directives: long term, medium term, and short term
• Cyber intelligence requirements are divided into categories:
  • Production Requirements
  • Collection Requirements

Priority Intelligence Requirements (PIRs)

• PIRs are defined as the fundamental elements required for building a threat intelligence program
• PIRs are usually approved by the organization's management
• PIRs provide requirements that are essential for high-level management when making strategic, operational, or tactical changes in the organizational infrastructure to reduce risks
• PIRs help organizations reach their strategic goals by providing dynamic situational awareness about the evolving threat landscape

Prioritization

• MoSCoW prioritization is a method that assists in prioritizing requirements based on iterative and incremental approaches
• MoSCoW prioritization uses four priority groups: MUST have, SHOULD have, COULD have, and WON'T have

Threat Data Consumers

• Threat data consumers are security systems or devices that take threat data as input in order to detect malicious activities and protect the network against them
• Examples of threat data consumers include:
  • Proxy servers
  • Firewalls
  • Intrusion prevention systems

Threat Intelligence Producer and Consumer

• A threat intelligence producer is a threat intelligence collaborative platform or threat intelligence feed
• A threat intelligence consumer is a remote management platform used to manage threat intelligence, such as a SIEM solution

Threat Intelligence Program

• A prominent type of threat intelligence contains intelligence feeds on command and control (C&C) networks and other external sources of malicious activities.
• Intelligence feeds monitor C&C traffic globally, the origin of malware, controllers of a botnet, spoofed IP addresses, compromised proxies, and malicious websites.

Scheduling a Threat Intelligence Program

• Steps involved in scheduling a threat intelligence program:
  • Review the project charter
  • Build a work breakdown structure (WBS)
  • Identify all deliverables
  • Define all activities
  • Identify the sequence of activities
  • Identify and estimate resources for all activities
  • Identify task dependencies
  • Estimate the duration of each activity
  • Develop the final schedule

Data Collection

• Types of data collection:
  • Passive data collection: involves no participants and is purely based on analysis and observation of activities and processes going on within the local boundaries of an organization.
  • Active data collection: involves observation of the adversary's systems and activities without any legal or privacy breach.
  • Hybrid data collection: involves the collection of data from shared networks, commercial external feeds and sources, information systems, or a specific network built to lure and trap adversaries.

Types of Data

• Raw Data: the unprocessed, unaltered, and unfiltered form of data, which requires extra time for processing and analysis to extract usable information from unstructured data.
• Exploited Data: filtered out from the large collection of raw data and sorted by other analysts; contains details related to technical aspects of the intended adversary.
• Production Data: the end-level form of data that is filtered, analyzed, and relevant in form, and is ready for distribution and consumption by the organization.

Threat Intelligence Data Collection

• Strategic Threat Intelligence Data Collection: involves collecting strategic data from high-level reliable feeds, providing better threat intelligence and helping higher management take key strategic business decisions.
• Operational Threat Intelligence Data Collection: involves collecting actionable information on any specific incoming attacks or events, providing greater insight into the behavior of an attacker or intruder.
• Tactical Threat Intelligence Data Collection: deals with the tactics, techniques, and procedures (TTPs) of threat groups and is most effectively used in defending an organization.
• Technical Threat Intelligence Data Collection: deals with the technicalities of an attacker’s assets and infrastructure, providing information related to the threat machines’ IP addresses, operating systems, and details about subnet and domain names of C2 headers.

Operational Security for Data Collection

• Operational security (OPSEC) refers to the risk management process in which an analyst examines the complete operation from an adversary’s point of view in order to put security measures in place and prevent sensitive organizational data from being exposed.
• Steps to ensure operational security for data collection:
  • Identify the critical information of the organization to ensure its privacy.
  • Identify the possible threats from the data that you have collected and the data that you intend to collect.
  • Identify vulnerabilities in the organizational security infrastructure.
  • Identify risks involved in data collection.
  • Apply effective countermeasures during data collection.


Description

Test your knowledge of fundamental concepts in threat intelligence, including data types, information processing, and intelligence analysis.
