Module 3: Threat Intelligence

Questions and Answers

What is the primary role of the MS-ISAC in the context of cybersecurity?

  • To offer 24x7 cyber threat warnings and advisories (correct)
  • To investigate cybercrime incidents
  • To establish global cybersecurity standards
  • To train network security professionals

Which of the following is NOT suggested for network security professionals to stay effective?

  • Attending training and workshops
  • Following security blogs and podcasts
  • Subscribing to real-time threat feeds
  • Overlooking ongoing education (correct)

What is the primary goal of the Cisco Talos Threat Intelligence Group?

  • To develop cybersecurity software
  • To provide training for cybersecurity professionals
  • To protect enterprise users, data, and infrastructure from threats (correct)
  • To conduct research on internet security protocols

What type of information do the Cisco Annual and Mid-Year Cybersecurity Reports provide?

Updates on security preparedness and expert analysis (B)

Which of these is emphasized as a method for cybersecurity analysts to mitigate attacks?

Subscribing to and reading cybersecurity reports (C)

Which service does Cisco Talos provide to help mitigate emerging threats?

Exchange of indicators of compromise (IOC) (C)

How can cybersecurity analysts stay updated with the latest vulnerabilities and exploits?

By following Cisco security blogs and podcasts (C)

Why is continuous professional development crucial for network security professionals?

Technology and threats are constantly evolving. (A)

What is included in the information that threat intelligence services share?

Vulnerabilities and firewall rules (B)

Which of the following statements about security blogs and podcasts is true?

They can offer advice and recommended mitigation techniques. (B)

What are the implications of a steep learning curve in network security?

A significant investment in time and education is required. (B)

Which of the following is NOT a focus of the Cisco Talos team?

Development of machine learning algorithms (B)

What type of content does Cisco Talos offer to subscribers?

Over eighty podcasts and security blogs (C)

How does subscribing to real-time feeds benefit network security professionals?

It keeps them informed about the latest threats. (A)

What action do threat intelligence services take as threats emerge?

Create and distribute firewall rules (D)

Which statement about the Cisco Talos group is accurate?

It includes world-class researchers, analysts, and engineers. (A)

What is the purpose of threat intelligence services?

To allow the exchange of threat information. (D)

Which organization offers the free Automated Indicator Sharing (AIS) service?

U.S. Department of Homeland Security (B)

What is the Common Vulnerabilities and Exposures (CVE) catalog used for?

To maintain a repository of known security threats. (C)

What is one of the services provided by FireEye for network security?

A three-pronged approach combining intelligence, expertise, and technology. (C)

Which of the following is NOT a common standard for threat intelligence sharing?

Common Security Protocol (CSP) (A)

What is the primary function of the Cisco Security products mentioned?

To deliver real-time security solutions (A)

Which platforms maintain security incident detection rules for network security tools?

Snort.org, ClamAV, and SpamCop (D)

What is a feature of the Helix Security Platform offered by FireEye?

It combines various security tools and threat intelligence (C)

What does the Automated Indicator Sharing (AIS) service enable?

Real-time exchange of cyber threat indicators (A)

How does the FireEye Security System enhance protection against advanced malware?

Using stateful attack analysis to detect zero-day threats (A)

Who is responsible for the creation and maintenance of the Common Vulnerabilities and Exposures (CVE) Database?

The MITRE Corporation, sponsored by the U.S. government (D)

What approach does FireEye use to help enterprises secure their networks?

Combining security intelligence, expertise, and technology (C)

What type of threats does the U.S. Department of Homeland Security's AIS primarily target?

Cyber threats and indicators (B)

What is the primary purpose of CVE Identifiers?

To serve as a dictionary for known vulnerabilities. (D)

Which standard is specifically designed to facilitate the communication of cyber threat intelligence over HTTPS?

TAXII (C)

What does the Malware Information Sharing Platform (MISP) primarily focus on?

Sharing indicators of compromise for new threats. (A)

Which of the following is NOT one of the three common threat intelligence sharing standards mentioned?

ICAP (A)

How many organizations globally use the Malware Information Sharing Platform (MISP)?

Over 6,000 (A)

Which component of the cybersecurity ecosystem is focused on specifying and capturing events for communication?

CybOX (B)

What is one of the key features of open standards in threat intelligence communication?

Enables the automated exchange of cyber threat intelligence. (C)

Which organization supports the Malware Information Sharing Platform (MISP)?

The European Union (A)

What is one of the main advantages of using a threat intelligence platform (TIP)?

It centralizes the collection of threat data from various sources. (D)

Which of the following types of threat intelligence data is NOT mentioned?

Vulnerability scanning results (C)

How do organizations enhance their threat intelligence?

By sharing intrusion data over the internet. (B)

What is the purpose of honeypots in threat intelligence?

To attract attackers for data collection. (C)

What is a key benefit of basing honeypots in the cloud?

It isolates the honeypot from production networks. (D)

Which of the following is not a listed organization that provides network intelligence?

NIST (D)

What does the acronym CVE stand for in the context of threat intelligence?

Common Vulnerability Exposure (C)

What is considered a challenge when accessing threat intelligence data?

Handling the overwhelming volume of data. (A)

Flashcards

CIS Role

Cybersecurity focal point for local governments, offering 24/7 threat warnings, vulnerability identification, mitigation, and incident response.

Threat Awareness

Staying updated on current cyber threats through real-time feeds, websites, blogs, and podcasts.

Skill Development

Continuous learning through security training, workshops, and conferences is crucial for network security.

Cisco Cybersecurity Reports

Annual and mid-year reports offering analyses of security landscape, top vulnerabilities, and attack trends.

Security Blogs/Podcasts

Resources offering insights, advice, research, and mitigation techniques related to cyber threats.

Network Security

Protecting computer networks from cyberattacks.

Cyber Threat

A malicious attempt to compromise a computer system or network.

Vulnerability Identification

The process of finding weaknesses in computer systems or networks that could be exploited by an attacker.

Threat Intelligence Services

Services that collect, analyze, and share threat information (like vulnerabilities, IOCs, and mitigation techniques) to protect systems and people.

Indicators of Compromise (IOCs)

Specific patterns or details that indicate a potential cyberattack is happening or has happened.

Cisco Talos Threat Intelligence Group

A large, commercial group of experts who collect, analyze, and share information about cyber threats, protecting enterprise users, data, and infrastructure.

Firewall Rules

Instructions set on a firewall to block or allow specific traffic based on known threats.

Vulnerability

A weakness in a system or software that could be exploited by an attacker.

Mitigation Techniques

Actions taken to reduce the impact of a cyber threat or vulnerability.

Cybersecurity Reports

Documents that analyze the current security landscape, identifying top vulnerabilities and attack trends.

Snort.org

A non-profit organization that provides free, open-source intrusion detection system software, rule sets, and support for network security tools.

ClamAV

A free, open-source antivirus software that detects and removes viruses, malware, and other threats from computer systems and networks.

SpamCop

A free, open-source anti-spam software that blocks unwanted email messages and protects users from phishing attacks.

FireEye Helix

A cloud-hosted security operations platform that combines different security tools and threat intelligence into a single platform for comprehensive network protection.

Behavioral Analysis

A technique used by FireEye Helix to detect malicious activities by recognizing unusual or suspicious patterns in user behavior on a network.

Automated Indicator Sharing (AIS)

A service that allows the real-time exchange of cyber threat indicators (e.g., malicious IP addresses, phishing emails) between the U.S. Federal Government and private organizations.

CVE Database

A catalog of known security vulnerabilities and exposures maintained by MITRE Corporation, used to identify and prioritize security risks.

Zero-Day Threats

Cyberattacks exploiting newly discovered vulnerabilities in software or systems, before a patch or fix is available.

CVE Identifier

A unique name assigned by MITRE to known cybersecurity vulnerabilities, making it easier to share vulnerability information.

STIX

A standard for sharing cyber threat information between organizations, allowing for structured and automated exchange.

TAXII

A protocol that allows the communication of cyber threat intelligence over HTTPS, supporting the STIX standard.

CybOX

A set of standardized schemas for specifying, capturing, and communicating events and properties of network operations related to cybersecurity.

MISP

An open-source platform for sharing indicators of compromise (IOCs), enabling automated sharing of threat intelligence between people and machines.

What is the purpose of CVE identifiers?

CVE identifiers are used to provide a standardized way of naming and sharing information about known cybersecurity vulnerabilities.

What is the role of STIX in cyber threat intelligence sharing?

STIX provides a standardized way of structuring and exchanging threat information between organizations, enabling seamless data sharing.

How does TAXII facilitate threat intelligence communication?

TAXII is a protocol that allows secure communication of threat information over HTTPS, supporting the STIX standard.

Common Vulnerabilities and Exposures (CVE)

A catalog maintained by MITRE that lists known security threats. It helps identify and understand vulnerabilities in software and systems.

STIX, TAXII, CybOX

Open standards that define how cyber threat intelligence is shared and exchanged between organizations in a standardized format.

Threat Intelligence

The process of collecting, analyzing, and sharing information about cyber threats to understand the attacker's tactics and mitigate risks.

FireEye's Approach

A three-pronged approach combining security intelligence, security expertise, and technology to help enterprises protect their networks.

What is a TIP?

A threat intelligence platform (TIP) centralizes threat data from various sources and formats, making it easier to analyze and use.

What are the 3 main types of threat intelligence data?

The three main types are Indicators of Compromise (IOCs); Tools, Techniques, and Procedures (TTPs); and reputation information about internet destinations or domains.

How do organizations contribute to threat intelligence?

Organizations share their intrusion data over the internet, often through automated systems, to help improve threat intelligence services.

What are honeypots?

Honeypots are simulated networks or servers designed to attract attackers. The attack data gathered can then be shared with threat intelligence subscribers.

Why are cloud honeypots beneficial?

Cloud-based honeypots isolate the honeypot from production networks, reducing the risk to the organization's main systems.

What is MITRE ATT&CK?

MITRE ATT&CK is a knowledge base that provides detailed information about adversarial tactics and techniques used in cyberattacks.

What is a CVE?

A Common Vulnerabilities and Exposures (CVE) database lists known security vulnerabilities and weaknesses in software and systems.

What are some organizations that provide threat intelligence?

Organizations like SANS, MITRE, FIRST, SecurityNewsWire, (ISC)2, and CIS offer various threat intelligence services and resources.

Study Notes

Module 3: Threat Intelligence

  • This module focuses on evaluating threat intelligence sources.
  • Information sources are used to communicate emerging network security threats.
  • Various threat intelligence services are described.

3.1 Information Sources

  • SANS Institute resources are largely free and include the Internet Storm Center (early warning system), NewsBites (weekly security news digest), @RISK (weekly digest of newly discovered attack vectors), Flash security alerts, and a Reading Room with over 1,200 research papers.
  • SANS develops security courses.
  • MITRE maintains a list of CVE (Common Vulnerabilities and Exposures) used by security organizations.
  • FIRST is a security organization that brings together incident response teams of various organizations (government, commercial, educational) to share information and coordinate efforts.
  • SecurityNews aggregates the latest security news, alerts, and vulnerabilities.
  • (ISC)² provides vendor-neutral education and career services to over 75,000 professionals.
  • CIS is a focal point for cyber threat prevention, protection, response, and recovery for governments through MS-ISAC.

Network Intelligence Communities (cont.)

  • To remain effective, cybersecurity professionals must:
    • Stay up-to-date on the latest threats (subscribe to real-time feeds, security websites, blogs, podcasts).
    • Continue to upgrade skills (attend security training, workshops, conferences).
  • Network security has a steep learning curve and requires ongoing professional development.

Cisco Cybersecurity Reports

  • Cisco Annual Cybersecurity Report and the Mid-Year Cybersecurity Report help security professionals stay abreast of the latest threats.
  • These reports provide updates on security preparedness, analysis of top vulnerabilities, factors behind attacks (adware, spam).
  • Analysts should subscribe to these reports to understand threat actor tactics and learn how to mitigate these attacks.

Security Blogs and Podcasts

  • Another way to stay updated on threats is through blogs and podcasts.
  • Blogs and podcasts provide advice, research, and mitigation techniques.
  • Cisco provides security blogs and podcasts from experts and the Cisco Talos Group.
  • Subscribe to receive notifications of new content, and podcasts can be played from the internet or downloaded.

Lab - Evaluate Cybersecurity Reports

  • Lab objectives:
    • Part 1: Research Cyber Security Intelligence Reports
    • Part 2: Research Cyber Security Intelligence Based on Industry
    • Part 3: Research Cyber Security Threat Intelligence in Real Time

3.2 Threat Intelligence Services

  • Threat intelligence services allow the exchange of threat information (vulnerabilities, IOCs, mitigation techniques) for personnel and security systems.
  • As threats emerge, threat intelligence services create and distribute firewall rules and IOCs to subscribed devices.
  • Cisco Talos Threat Intelligence Group is one such service.

Cisco Talos (cont.)

  • Cisco Talos is a major commercial threat intelligence team comprised of experts and researchers.
  • Its goal is to protect enterprise users, data, and infrastructure from active adversaries.
  • The team collects information about active, existing, and emerging threats.
  • It provides comprehensive protection (against attacks and malware) to subscribers.
  • Cisco Security products use this intelligence to deliver real-time security solutions.
  • It provides free software, services, resources, and data.
  • It maintains security incident detection rule sets for Snort.org, ClamAV, and SpamCop network security tools.

FireEye

  • FireEye offers security services using a three-pronged approach (security intelligence, expertise, technology).
  • It provides SIEM and SOAR with the Helix Security Platform, leveraging behavioral analysis and threat detection.
  • Helix is a cloud-hosted platform combining diverse security tools and threat intelligence.
  • FireEye blocks attacks across web and email vectors, as well as latent malware.
  • It addresses all stages of the attack lifecycle with a signatureless engine for zero-day threat detection.

Automated Indicator Sharing

  • The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS).
  • AIS enables the real-time exchange of cyber threat indicators (e.g., malicious IP addresses, phishing emails) between the U.S. Federal Government and the private sector.
  • Creates an ecosystem where threats are immediately shared with the community for protection.

Common Vulnerabilities and Exposures (CVE) Database

  • The United States government sponsored the MITRE Corporation to create and maintain a catalog of known security threats (CVE).
  • The CVE serves as a dictionary for cybersecurity vulnerabilities, using unique CVE Identifiers to facilitate data sharing.

Threat Intelligence Communication Standards

  • Network organizations and professionals share information to increase their knowledge of threat actors and the assets they target.
  • Several open standards facilitate cross-platform communication.
  • Three common standards are Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), and Cyber Observable Expression (CybOX).
  • STIX is used for exchanging threat information between organizations.
  • TAXII facilitates the communication of CTI (Cyber Threat Intelligence) over HTTPS.
  • CybOX specifies events and properties of network operations to support many cybersecurity functions.

Threat Intelligence Communication Standards (cont.)

  • Open standards facilitate standardized cyber threat intelligence information exchange.
  • The Malware Information Sharing Platform (MISP) is an open-source platform for sharing IOCs for newly discovered threats.
  • MISP is supported by the EU and is used by over 6,000 organizations globally.
  • MISP enables automated IOC sharing between people and machines using STIX and other export formats.

Threat Intelligence Platforms

  • Accessing and using multiple threat intelligence sources can be very time-consuming.
  • Threat Intelligence Platforms (TIPs) centralize the collection of threat data from various sources and formats.
  • Three main types of data are IOCs, TTPs, and reputation information for internet destinations/domains.
  • TIPs aggregate and present threat intelligence data in a comprehensible and usable format.

Threat Intelligence Platforms (cont.)

  • Organizations can contribute to threat intelligence by sharing intrusion data (typically automated).
  • Threat intelligence services utilize subscriber data to keep current with emerging threats.
  • Honeypots are simulated networks/servers that attract attackers.
  • Gathering data from honeypots can be beneficial, but also presents potential risks.
  • Hosting honeypots in the cloud isolates them from production networks.

Lab - Identify Relevant Threat Intelligence

  • Lab objectives:
    • Part 1: Research MITRE CVEs
    • Part 2: Access the MITRE ATT&CK Knowledge Base
    • Part 3: Investigate Potential Malware

3.3 Threat Intelligence Summary

  • Many organizations provide network intelligence.
  • Keep up-to-date on threats and continuously improve skills.
  • Utilize resources like the Cisco Annual and Mid-Year Cybersecurity Reports.
  • Use security blogs and podcasts for threat information.
  • Threat intelligence services allow exchange of threat information among personnel and security systems.
  • These services create firewall rules and IOCs as threats emerge.
  • Cisco Talos and FireEye are examples of these services.
  • FireEye uses a three-pronged approach combining security intelligence, expertise, and technology.
  • The U.S. Department of Homeland Security offers Automated Indicator Sharing (AIS).
  • The MITRE Corporation maintains a catalog of known vulnerabilities and exposures called CVE.
  • STIX, TAXII, and CybOX are key threat intelligence communication standards.

What Did I Learn in this Module? (summary)

  • Various organizations (SANS, MITRE, FIRST, etc.) provide network intelligence information.
  • Stay updated on threats and continuously improve skills. (Use Cisco reports, blogs, and podcasts.)
  • Threat intelligence services allow for sharing threat data between personnel and security systems.
  • Services create and distribute firewall rules and IOCs for subscribed devices. (Cisco Talos, FireEye)
  • FireEye uses a three-pronged approach.
  • The U.S. Department of Homeland Security's Automated Indicator Sharing (AIS) enables real-time exchange of cyber threat indicators.
  • Common Vulnerabilities and Exposures (CVE) catalog is maintained by MITRE.
