Module 3: Threat Intelligence
45 Questions

Questions and Answers

What is the primary role of the MS-ISAC in the context of cybersecurity?

  • To offer 24x7 cyber threat warnings and advisories (correct)
  • To investigate cybercrime incidents
  • To establish global cybersecurity standards
  • To train network security professionals

Which of the following is NOT suggested for network security professionals to stay effective?

  • Attending training and workshops
  • Following security blogs and podcasts
  • Subscribing to real-time threat feeds
  • Overlooking ongoing education (correct)

What is the primary goal of the Cisco Talos Threat Intelligence Group?

  • To develop cybersecurity software
  • To provide training for cybersecurity professionals
  • To protect enterprise users, data, and infrastructure from threats (correct)
  • To conduct research on internet security protocols

What type of information do the Cisco Annual and Mid-Year Cybersecurity Reports provide?

  • Updates on security preparedness and expert analysis (correct)

Which of these is emphasized as a method for cybersecurity analysts to mitigate attacks?

  • Subscribing to and reading cybersecurity reports (correct)

Which service does Cisco Talos provide to help mitigate emerging threats?

  • Exchange of indicators of compromise (IOC) (correct)

How can cybersecurity analysts stay updated with the latest vulnerabilities and exploits?

  • By following Cisco security blogs and podcasts (correct)

Why is continuous professional development crucial for network security professionals?

  • Technology and threats are constantly evolving. (correct)

What is included in the information that threat intelligence services share?

  • Vulnerabilities and firewall rules (correct)

Which of the following statements about security blogs and podcasts is true?

  • They can offer advice and recommended mitigation techniques. (correct)

What are the implications of a steep learning curve in network security?

  • A significant investment in time and education is required. (correct)

Which of the following is NOT a focus of the Cisco Talos team?

  • Development of machine learning algorithms (correct)

What type of content does Cisco Talos offer to subscribers?

  • Over eighty podcasts and security blogs (correct)

How does subscribing to real-time feeds benefit network security professionals?

  • It keeps them informed about the latest threats. (correct)

What action do threat intelligence services take as threats emerge?

  • Create and distribute firewall rules (correct)

Which statement about the Cisco Talos group is accurate?

  • It includes world-class researchers, analysts, and engineers. (correct)

What is the purpose of threat intelligence services?

  • To allow the exchange of threat information. (correct)

Which organization offers the free Automated Indicator Sharing (AIS) service?

  • U.S. Department of Homeland Security (correct)

What is the Common Vulnerabilities and Exposures (CVE) catalog used for?

  • To maintain a repository of known security threats. (correct)

What is one of the services provided by FireEye for network security?

  • A three-pronged approach combining intelligence, expertise, and technology. (correct)

Which of the following is NOT a common standard for threat intelligence sharing?

  • Common Security Protocol (CSP) (correct)

What is the primary function of the Cisco Security products mentioned?

  • To deliver real-time security solutions (correct)

Which platforms maintain security incident detection rules for network security tools?

  • Snort.org, ClamAV, and SpamCop (correct)

What is a feature of the Helix Security Platform offered by FireEye?

  • It combines various security tools and threat intelligence (correct)

What does the Automated Indicator Sharing (AIS) service enable?

  • Real-time exchange of cyber threat indicators (correct)

How does the FireEye Security System enhance protection against advanced malware?

  • Using stateful attack analysis to detect zero-day threats (correct)

Who is responsible for the creation and maintenance of the Common Vulnerabilities and Exposures (CVE) Database?

  • The MITRE Corporation, sponsored by the U.S. government (correct)

What approach does FireEye use to help enterprises secure their networks?

  • Combining security intelligence, expertise, and technology (correct)

What type of threats does the U.S. Department of Homeland Security's AIS primarily target?

  • Cyber threats and indicators (correct)

What is the primary purpose of CVE Identifiers?

  • To serve as a dictionary for known vulnerabilities. (correct)

Which standard is specifically designed to facilitate the communication of cyber threat intelligence over HTTPS?

  • TAXII (correct)

What does the Malware Information Sharing Platform (MISP) primarily focus on?

  • Sharing indicators of compromise for new threats. (correct)

Which of the following is NOT one of the three common threat intelligence sharing standards mentioned?

  • ICAP (correct)

How many organizations globally use the Malware Information Sharing Platform (MISP)?

  • Over 6,000 (correct)

Which component of the cybersecurity ecosystem is focused on specifying and capturing events for communication?

  • CybOX (correct)

What is one of the key features of open standards in threat intelligence communication?

  • Enables the automated exchange of cyber threat intelligence. (correct)

Which organization supports the Malware Information Sharing Platform (MISP)?

  • The European Union (correct)

What is one of the main advantages of using a threat intelligence platform (TIP)?

  • It centralizes the collection of threat data from various sources. (correct)

Which of the following types of threat intelligence data is NOT mentioned?

  • Vulnerability scanning results (correct)

How do organizations enhance their threat intelligence?

  • By sharing intrusion data over the internet. (correct)

What is the purpose of honeypots in threat intelligence?

  • To attract attackers for data collection. (correct)

What is a key benefit of basing honeypots in the cloud?

  • It isolates the honeypot from production networks. (correct)

Which of the following is not a listed organization that provides network intelligence?

  • NIST (correct)

What does the acronym CVE stand for in the context of threat intelligence?

  • Common Vulnerability Exposure (correct)

What is considered a challenge when accessing threat intelligence data?

  • Handling the overwhelming volume of data. (correct)

Study Notes

Module 3: Threat Intelligence

• This module focuses on evaluating threat intelligence sources.
• Information sources are used to communicate emerging network security threats.
• Various threat intelligence services are described.

3.1 Information Sources

• SANS Institute resources are largely free and include the Internet Storm Center (early warning system), NewsBites (weekly security news digest), @RISK (weekly digest of newly discovered attack vectors), Flash security alerts, and a Reading Room with over 1,200 research papers.
• SANS develops security courses.
• MITRE maintains the CVE (Common Vulnerabilities and Exposures) list used by security organizations.
• FIRST is a security organization that brings together incident response teams of various organizations (government, commercial, educational) to share information and coordinate efforts.
• SecurityNews aggregates the latest security news, alerts, and vulnerabilities.
• (ISC)² provides vendor-neutral education and career services to over 75,000 professionals.
• CIS is a focal point for cyber threat prevention, protection, response, and recovery for governments through MS-ISAC.

Network Intelligence Communities (cont.)

• To remain effective, cybersecurity professionals must:
  • Stay up-to-date on the latest threats (subscribe to real-time feeds, security websites, blogs, podcasts).
  • Continue to upgrade skills (attend security training, workshops, conferences).
• Network security has a steep learning curve and requires ongoing professional development.

Cisco Cybersecurity Reports

• The Cisco Annual Cybersecurity Report and the Mid-Year Cybersecurity Report help security professionals stay abreast of the latest threats.
• These reports provide updates on security preparedness, analysis of top vulnerabilities, and the factors behind attacks (such as adware and spam).
• Analysts should subscribe to these reports to understand threat actor tactics and learn how to mitigate these attacks.

Security Blogs and Podcasts

• Another way to stay updated on threats is through blogs and podcasts.
• Blogs and podcasts provide advice, research, and mitigation techniques.
• Cisco provides security blogs and podcasts from experts and the Cisco Talos Group.
• Subscribers receive notifications of new content; podcasts can be streamed from the internet or downloaded.

Lab - Evaluate Cybersecurity Reports

• Lab objectives:
  • Part 1: Research Cyber Security Intelligence Reports
  • Part 2: Research Cyber Security Intelligence Based on Industry
  • Part 3: Research Cyber Security Threat Intelligence in Real Time

3.2 Threat Intelligence Services

• Threat intelligence services allow the exchange of threat information (vulnerabilities, IOCs, mitigation techniques) between personnel and security systems.
• As threats emerge, threat intelligence services create and distribute firewall rules and IOCs to subscribed devices.
• The Cisco Talos Threat Intelligence Group is one such service.

Cisco Talos (cont.)

• Cisco Talos is a major commercial threat intelligence team composed of experts and researchers.
• Its goal is to protect enterprise users, data, and infrastructure from active adversaries.
• The team collects information about active, existing, and emerging threats.
• It provides comprehensive protection (against attacks and malware) to subscribers.
• Cisco Security products deliver real-time security solutions.
• It provides free software, services, resources, and data.
• It maintains security incident detection rule sets for the Snort.org, ClamAV, and SpamCop network security tools.

FireEye

• FireEye offers security services using a three-pronged approach (security intelligence, expertise, technology).
• It provides SIEM and SOAR with the Helix Security Platform, leveraging behavioral analysis and threat detection.
• Helix is a cloud-hosted platform combining diverse security tools and threat intelligence.
• FireEye blocks attacks across web and email vectors, as well as latent malware.
• It addresses all stages of the attack lifecycle with a signatureless engine for zero-day threat detection.

Automated Indicator Sharing

• The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS).
• AIS enables real-time exchange of cyber threat indicators (e.g., malicious IP addresses, phishing emails) between the U.S. Federal Government and the private sector.
• This creates an ecosystem where threats are immediately shared with the community for protection.

Common Vulnerabilities and Exposures (CVE) Database

• The United States government sponsored the MITRE Corporation to create and maintain a catalog of known security threats, the CVE.
• The CVE serves as a dictionary for cybersecurity vulnerabilities, using unique CVE Identifiers to facilitate data sharing.

Threat Intelligence Communication Standards

• Network organizations and professionals share information to increase knowledge of threat actors and assets.
• Several open standards facilitate cross-platform communication.
• Three common standards are Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), and Cyber Observable Expression (CybOX).
• STIX is used for exchanging threat information between organizations.
• TAXII facilitates the communication of CTI (Cyber Threat Intelligence) over HTTPS.
• CybOX specifies events and properties of network operations to support many cybersecurity functions.

Threat Intelligence Communication Standards (cont.)

• Open standards enable the automated, standardized exchange of cyber threat intelligence.
• The Malware Information Sharing Platform (MISP) is an open-source platform for sharing IOCs for newly discovered threats.
• MISP is supported by the EU and is used by over 6,000 organizations globally.
• MISP enables automated IOC sharing between people and machines using STIX and other export formats.

Threat Intelligence Platforms

• Accessing and using multiple threat intelligence sources can be very time-consuming.
• Threat Intelligence Platforms (TIPs) centralize the collection of threat data from various sources and formats.
• Three main types of data are IOCs, TTPs (tactics, techniques, and procedures), and reputation information for internet destinations and domains.
• TIPs aggregate and present threat intelligence data in a comprehensible and usable format.

Threat Intelligence Platforms (cont.)

• Organizations can contribute to threat intelligence by sharing intrusion data (typically automated).
• Threat intelligence services use subscriber data to keep current with emerging threats.
• Honeypots are simulated networks or servers that attract attackers.
• Gathering data from honeypots can be beneficial, but also presents potential risks.
• Hosting honeypots in the cloud isolates them from production networks.

Lab - Identify Relevant Threat Intelligence

• Lab objectives:
  • Part 1: Research MITRE CVEs
  • Part 2: Access the MITRE ATT&CK Knowledge Base
  • Part 3: Investigate Potential Malware

3.3 Threat Intelligence Summary

• Many organizations provide network intelligence.
• Keep up-to-date on threats and continuously improve skills.
• Utilize resources like the Cisco Annual and Mid-Year Cybersecurity Reports.
• Use security blogs and podcasts for threat information.
• Threat intelligence services allow the exchange of threat information among personnel and security systems.
• These services create firewall rules and IOCs as threats emerge.
• Cisco Talos and FireEye are examples of these services.
• FireEye uses a three-pronged approach combining security intelligence, expertise, and technology.
• The U.S. Department of Homeland Security offers Automated Indicator Sharing (AIS).
• The MITRE Corporation maintains a catalog of known vulnerabilities and exposures called CVE.
• STIX, TAXII, and CybOX are key threat intelligence communication standards.

What Did I Learn in this Module? (summary)

• Various organizations (SANS, MITRE, FIRST, etc.) provide network intelligence information.
• Stay updated on threats and continuously improve skills. (Use Cisco reports, blogs, and podcasts.)
• Threat intelligence services allow for sharing threat data between personnel and security systems.
• Services create and distribute firewall rules and IOCs for subscribed devices. (Cisco Talos, FireEye)
• FireEye uses a three-pronged approach.
• The U.S. Department of Homeland Security's Automated Indicator Sharing (AIS) enables real-time exchange of cyber threat indicators.
• The Common Vulnerabilities and Exposures (CVE) catalog is maintained by MITRE.

Description

This quiz focuses on evaluating various threat intelligence sources that are essential for network security. Learn about the role of organizations like SANS Institute, MITRE, and FIRST in providing timely information on emerging threats. Understand how these resources contribute to a proactive security stance.
