Chapter 4 Highlighted CTIA PDF
Uploaded by TerrificAlmandine
Summary
This document is a set of notes and highlights for a Certified Threat Intelligence Analyst course. It covers topics like confidentiality, integrity, availability, authenticity, and non-repudiation, and threat intelligence.
Full Transcript
7/19/24, 1:33 PM Highlights & Notes: Certified Threat Intelligence Analyst (CTIA)

Side Notes

It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.

does not include any context, and is unprocessed.

Structured data consists of numbers, text, etc., whereas unstructured data consists of images, video, audio, etc.

Information is the output of processed data that contains meaning and context.

Intelligence is obtained by processing data and analyzing information.

Intelligence-led security testing provides contextual intelligence at every stage of testing that guides security professionals to make appropriate decisions such as:

Threat intelligence, usually known as CTI, is defined as the collection and analysis of information about threats and adversaries and the drawing of patterns that provide an ability to make knowledgeable decisions for preparedness, prevention, and response actions against various cyberattacks.

PRINTED BY: [email protected]. Printing of Notes and Highlights is for personal, private use only. Notes created by user are not part of publisher content. No part of this book may be reproduced or transmitted without publisher's prior permission. Violators will be prosecuted.

The following are the characteristics of CTI:
o Collects data from multiple sources such as open source and commercial data feeds, and internal and external sources.
o Creates customized and prioritized alerts based on the IT infrastructure of the organization.
o Helps in identifying initial Indicators of Compromise (IoCs) and gradually pivots to identify related indicators and artifacts to assess the possibility of an attack.
o Provides an ability to implement new protection strategies to prevent upcoming attacks.
o Provides an understanding of active campaigns, including the who, what, when, where, why, and how of emerging security threats.
o Provides insight into the probability of risks and their impact on business.
o Recommends various remediation and risk mitigation solutions.

A properly applied CTI program helps in the following:
o Providing greater insight into cyber threats
o Preventing data loss by identifying the causes of data leakage
o Guiding in incident response
o Conducting data analysis to identify the exploitable data
o Providing actionable strategic and tactical choices
o Conducting threat analysis for detecting advanced threats
o Sharing threat information to spread awareness
o Identifying IoCs
o Discovering tactics, techniques, and procedures (TTPs) for possible attacks
o Detecting breaches at an early or initial stage
o Leveraging the threat modeling process
o Utilizing indicators for building a more proactive perimeter defense

Discussed below are the organizational objectives for threat intelligence programs (TIPs):

Enhanced and Automated Incident Prevention
Many organizations use threat intelligence to improve and automate their incident prevention mechanisms. Organizations consume and analyze external threat intelligence to improve internal security controls to thwart evolving threats.

Automation of Security Operations and Remediation Activities
Organizations use threat intelligence to automate and enhance their security operations and remediation activities. Threat intelligence guides organizations in the decision-making process of cyber security investigations by focusing more on people and process aspects.

Guidance to Cyber Security Activities
Many organizations establish a threat intelligence center or service to provide guidance and monitor various cyber security activities of smaller sections within the organization.
Improved Risk Management
Many organizations consume threat intelligence to improve the efficiency of the risk management process. Threat intelligence is used to enhance risk management metrics and mitigation strategies.

Improved Incident Detection
In many organizations, the SOC utilizes threat intelligence to enhance the incident detection mechanisms in the various security systems of the organization. Many malware detection systems use threat intelligence to detect malicious files entering the organization’s network. SOC professionals use threat intelligence to identify internal threats by extracting information such as IoCs, threat actors, and TTPs.

Strategic threat intelligence is generally in the form of a report that mainly focuses on high-level business strategies. Since the characteristic of strategic threat intelligence is preeminent, the data collection also relates to high-level sources and requires highly skilled professionals to extract the intelligence. This intelligence is collected from sources such as OSINT, CTI vendors, and ISAO/ISACs.

Tactical threat intelligence plays a major role in protecting the resources of the organization. It provides information related to the TTPs used by threat actors (attackers) to perform attacks. Tactical threat intelligence is consumed by cyber security professionals such as IT service managers, security operations managers, network operations center (NOC) staff, administrators, and architects.
The collection sources for tactical threat intelligence include campaign reports, malware, incident reports, attack group reports, human intelligence, etc. This intelligence is generally obtained by reading white/technical papers, communicating with other organizations, or purchasing intelligence from third parties. It includes highly technical information such as malware, campaigns, techniques, and tools in the form of forensic reports.

Operational threat intelligence provides information about specific threats against the organization. It provides contextual information about security events and incidents that helps defenders disclose potential risks, gain greater insight into attacker methodologies, identify past malicious activities, and investigate malicious activity more efficiently. It is consumed by security managers or heads of incident response, network defenders, security forensics, and fraud detection teams.

Operational threat intelligence is generally collected from sources such as humans, social media and chat rooms, and also from real-world activities and events that result in cyberattacks.

Technical threat intelligence provides information about an attacker’s resources that are used to perform the attack; this includes command and control channels, tools, etc. It has a shorter lifespan compared to tactical threat intelligence and mainly focuses on a specific IoC.
A cyber threat is defined as an act in which the adversary attempts to gain unauthorized access to an organization’s network by exploiting communication paths.

Motives or goals depend on the attacker’s state of mind, his/her reason for carrying out such an activity, and his/her resources and capabilities.

Hacking forums provide information related to hackers such as the method used to launch an attack, the techniques and tools used to perform an attack, and the procedures followed for covering the tracks after an attack.

Advanced persistent threats are a major security concern for any organization as they represent threats to the organization’s assets, resources, financial records, and other confidential data.

SIEM provides security by tracking suspicious end-user behavior and activities within a real-time IT environment.

A next-generation firewall (NGFW) is a security system with the capability of detecting and blocking advanced attacks by incorporating certain rules or policies at the application level. It helps in data leakage protection (DLP), user identity-related control, URL blocking, application control, SSL and SSH inspection, and network access control. When combined with threat intelligence, an NGFW can be a powerful tool that can automate network defenses and remediate attacks at an initial stage.

A gateway is a node in the network that routes the traffic from a workstation to an external command and control server.
An intrusion detection system and intrusion prevention system (IDS/IPS) are present behind the firewall and help in increasing the security of the network by monitoring traffic and inspecting data packets for suspicious content. IDS/IPS also gather and analyze information from within a computer or a network to identify possible violations of security policy, including unauthorized access as well as misuse.

Network access controls (NACs) have the capability to automatically discover each device that attempts to connect to the organizational network. Antivirus (AV) software products defend both internal and external resources from viruses, Trojans, worms, etc. Similarly, gateway solutions monitor network traffic for suspicious content and block it if necessary.

At an initial phase, risk assessment can be understood as a mapping activity that must include the following:
o What are the various operational technology systems and IT systems that are vulnerable to threats, and what is the reason behind their being vulnerable, including human factors?
o What are the various security controls that are present to protect the systems, and do these controls cover the known security vulnerabilities?
o Which key operations are vulnerable to threats?
o Identify possible cyber security incidents and their impact on various operations along with their probability.

If an organization lacks the proper resources required to perform these activities, then it can rely on third parties to perform a risk assessment.
The result of the risk assessment is delivered in the form of a report containing all the identified vulnerabilities and assessed risks in terms of their impact on the organizational network and their probability of occurring. Based on this report, the organization can identify the goals and requirements for building a threat intelligence program to enhance its current security posture.

The first step in building an efficient threat intelligence program is to gather the requirements before collecting and researching any threat intelligence data.

It addresses prioritizing organizational assets, scoping the threat intelligence program, and developing non-disclosure agreements and rules of engagement.

Most importantly, organizations need to have foundational cyber security capabilities incorporated into the current IT infrastructure, such as configuration management, centralized SIEM capabilities, patch management, advanced malware detection and analysis capability, network activity monitoring controls, incident handling capabilities, and forensic investigation capabilities. These capabilities help the organization to utilize threat intelligence to its maximum level.

Organizations need to assess the existing operational capabilities before implementing a threat intelligence program.
Some of the important capabilities that need to be assessed include the following:
o Identify IT assets that are most critical to the organization’s business operations, such as applications, publicly accessible infrastructure and servers, and various operational control systems.
o Identify valuable internal assets.
o Identify possible threat actors, their tactics, techniques, and procedures (TTPs), and campaigns targeting the organization.
o Assess and evaluate the efficiency and effectiveness of the existing security system capabilities.
o Assess the ability of security professionals to monitor, detect, mitigate, prevent, and remediate various targeted attacks from possible adversaries.

The main goal of setting up the requirements is to understand what type of information is needed by the organization and how it is consumed.

An organization has to identify its threat intelligence needs by answering questions such as:
o What type of intelligence does the consumer need?
o When does the intelligence need to be delivered to the consumer?

Organizations need to start with a primary use case for threat intelligence. They can decide on one of the typical use cases given below:

Prevention and Detection of Attacks
It is the most important use case for threat intelligence. It is difficult to trace the adversaries, so organizations need to incorporate external threat data into the existing security infrastructure to identify what is to be detected and blocked.
If the organization is concerned about advanced adversaries, then it needs to start with this use case.

Forensics
If an organization has already experienced a successful compromise, then it can leverage threat intelligence to narrow the focus and guide the investigation process.

The organization needs to focus on possible adversaries after identification of both the primary and secondary use cases for threat intelligence. This helps in extracting additional information about the TTPs used by the adversaries. Gathering knowledge of specific attacks and adversaries relevant to the organization’s environment helps the security teams to refine and enhance the protection mechanisms with threat intelligence.

Organizations need to answer the above questions to decide how to incorporate threat intelligence into the current security infrastructure. The organization’s intelligence requirements generally fall into three directives: long term, medium term, and short term. Long-term directives are broader in scope and generally persist for one or two years. Medium-term directives are related to a specific topic and last only for weeks or months. Short-term directives are narrow in scope, tactical in nature, and persist only for a few days.

Defining and setting up the requirements is the first task that must be accomplished before spending resources and time on collecting any type of intelligence information.
Cyber intelligence requirements are divided into the following categories:

Production Requirements
Production requirements should be complete and consist of information about the short-term requirements that go right away to the top of the priority list. Production requirements let the intelligence function have a well-structured template and cadence for the output of the intelligence product. Security analysts must find answers to the following questions before analyzing the production requirements:
o What will be the deliverable to the intelligence customer/consumer?
o What are the vulnerabilities that are being exploited around the world that the organization cannot identify or protect against?

One common question that is usually encountered by CTI analysts is whether to choose the intelligence requirements of an organization based on attack surfaces or threat actors. Intelligence requirements generally consist of knowns and unknowns about questions that the intelligence function needs to answer in order to provide knowledge- and judgment-based decisions.

Collection requirements focus on either external sources or internal sources. The collection requirements focusing on external sources include threat actors, while the collection requirements focusing on internal sources include information on the attack surfaces of an organization.

Tactical users include cyber security professionals such as IT service managers, security operations managers, network operations center (NOC) staff, administrators, and architects. NOC staff need tactical information such as malware signatures and URL reputations to permit the firewalls, security gateways, IDS/IPS systems, and other security elements to prevent the attacks without blocking the flow of genuine traffic or creating false positives.

To perform such activities, operational users need intelligence such as analysis of malware, the breakdown of targeted attacks, and reports on the TTPs of a particular adversary or attack.

Priority intelligence requirements (PIRs) are defined as the fundamental elements required for building a threat intelligence program. PIRs are usually approved by the organization’s management. PIRs provide requirements that are essential for high-level management to make strategic, operational, or tactical changes in the organizational infrastructure to reduce risks. PIRs help organizations to reach their strategic goals by providing dynamic situational awareness about the evolving threat landscape. They are dynamic in nature and are evaluated continuously to meet the ever-growing business requirements and evolving threat landscape. PIRs enable organizations to answer the following questions:
o What types of data need to be collected?
o Are there any gaps in the collected data?
o What talent and resources are needed to support the intelligence program?

Generally, PIRs are in the form of a series of questions that assist the threat intelligence team in focusing on what is important to higher-level management. These also help to ensure that the organizational resources are being focused on the critical assets of the organization and are appropriately aligned with the overall intelligence strategy.
Once the PIRs are specified, the next phase is to identify and validate the information sources by applying confidence ratings to the correctness and usefulness of the sources.

After the identification and validation of the information sources, the organization collects and stores the data in a raw format, which is further processed and exploited in a way that assists the security

MoSCoW prioritization or MoSCoW analysis is defined as a prioritization method that assists in prioritizing requirements based on iterative and incremental approaches. It plays a vital role in agile project management, software development, and business analytics. This method is about setting the requirements based on the order of priority, where the most important requirement must be met first, for a greater chance of success. Prioritization can be applied to requirements, tasks, scenarios, use cases, tests, and so on.

The word “MoSCoW” is an acronym for MUST have, SHOULD have, COULD have, and WON’T have; the two Os in between are added to make the word “MoSCoW” pronounceable. The stakeholders use these four priority groups to prioritize requirements collaboratively.

SHOULD have requirements are important but not vital for delivery within the time frame. These requirements can be as important as MUST have requirements, but usually they are not as time-critical as MUST have requirements, or there can be another way to fulfill the requirements so that they can be held back for a future delivery time frame.
Customer experience or satisfaction can be improved by these requirements at little development cost. This category of requirements is often included if the time is sufficient to make it work.

These requirements are usually postponed until the next phase of development.

Threat data consumers are security systems or devices that take input from threat data in order to detect and protect the network against malicious activities. The consumers of threat data include proxy servers, firewalls, and intrusion prevention systems. Depending upon the threat data, firewalls can include certain rules to detect and block incoming malicious traffic from unknown IP addresses. Similarly, proxy servers and intrusion prevention systems employ various rules to monitor the network against suspicious traffic and block it if necessary.

A threat intelligence consumer is a remote management platform to manage threat intelligence: for example, SIEM solutions.

A threat intelligence producer is a threat intelligence collaborative platform or threat intelligence feed.

The presence of multiple layers of defenses throughout the network can effectively reduce an attacker’s ability to remain undetected for a long period of time.
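The threat data consumer passage above describes firewalls, proxies, and intrusion prevention systems taking their rules from threat data. The following Python example, added here and not part of the CTIA course text, shows one way that handoff works: a constructed indicator feed is filtered by source confidence and by age (technical indicators have a short lifespan, as the notes on technical threat intelligence state), split into per-consumer rule sets, and then searched against constructed proxy and firewall log lines to find internal hosts that have already contacted an indicator. All feed entries, source names, confidence values, log lines, and the simplified log format are constructed assumptions, not data from the course.

```python
"""Turn a threat data feed into consumer rules and retrospective alerts.

Added example: not from the CTIA text. The feed entries and the proxy and
firewall log lines below are constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass(frozen=True)
class Indicator:
    kind: str            # "ip" or "domain"
    value: str
    source: str          # feed that supplied the indicator (constructed names)
    confidence: int      # 0-100, as rated when the source was validated
    last_seen: datetime  # technical indicators age quickly, so track recency


# Constructed "now" and the policy applied before anything reaches a consumer.
NOW = datetime(2024, 7, 19, 13, 33, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=30)
MIN_CONFIDENCE = 60

# Constructed feed: two usable entries, one low-confidence entry, one stale entry.
FEED = [
    Indicator("ip", "203.0.113.45", "vendor-feed-a", 90, NOW - timedelta(days=2)),
    Indicator("domain", "update-check.example", "isac-share", 75, NOW - timedelta(days=10)),
    Indicator("ip", "198.51.100.7", "open-feed-b", 40, NOW - timedelta(days=1)),
    Indicator("domain", "cdn-stat.example", "vendor-feed-a", 95, NOW - timedelta(days=90)),
]

# Constructed log lines in a simplified "timestamp client action target" format.
PROXY_LOG = [
    "2024-07-19T13:01:02Z 10.0.0.21 GET update-check.example/ok.txt",
    "2024-07-19T13:02:10Z 10.0.0.22 GET intranet.example/home",
    "2024-07-19T13:05:44Z 10.0.0.21 GET cdn-stat.example/beacon",
]
FIREWALL_LOG = [
    "2024-07-19T13:03:00Z 10.0.0.21 OUT 203.0.113.45:443",
    "2024-07-19T13:04:30Z 10.0.0.23 OUT 192.0.2.10:443",
]


def usable_indicators(feed, now=NOW, min_conf=MIN_CONFIDENCE, max_age=MAX_AGE):
    """Drop indicators consumers should not act on: low confidence or stale."""
    return [i for i in feed if i.confidence >= min_conf and now - i.last_seen <= max_age]


def build_consumer_rules(indicators):
    """Split indicators by the consumer that can enforce them."""
    rules = {"firewall_block_ips": set(), "proxy_deny_domains": set()}
    for i in indicators:
        if i.kind == "ip":
            rules["firewall_block_ips"].add(i.value)
        elif i.kind == "domain":
            rules["proxy_deny_domains"].add(i.value)
    return rules


_PROXY_RE = re.compile(r"^(\S+) (\S+) GET ([^/\s]+)")
_FW_RE = re.compile(r"^(\S+) (\S+) OUT ([\d.]+):\d+")


def match_logs(indicators, proxy_log, firewall_log):
    """Search existing logs for the indicators; returns (client_host, indicator) hits."""
    by_value = {i.value: i for i in indicators}
    hits = []
    for line in proxy_log:
        m = _PROXY_RE.match(line)
        if m and m.group(3) in by_value:
            hits.append((m.group(2), by_value[m.group(3)]))
    for line in firewall_log:
        m = _FW_RE.match(line)
        if m and m.group(3) in by_value:
            hits.append((m.group(2), by_value[m.group(3)]))
    return hits


if __name__ == "__main__":
    active = usable_indicators(FEED)
    print(build_consumer_rules(active))
    for host, ind in match_logs(active, PROXY_LOG, FIREWALL_LOG):
        print(f"{host} contacted {ind.kind} {ind.value} "
              f"(source {ind.source}, confidence {ind.confidence})")
```

Run as written, the low-confidence and stale entries never reach the firewall or proxy rule sets, and the retrospective search reports only the one internal host that reached a still-valid indicator; the thresholds are parameters so the same code can be re-run with a looser policy to see how many more matches (and potential false positives) that admits.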
Given below are some areas that are relevant to automation:
o Using standard formats
o Using a threat intelligence platform
o Subscribing to a threat intelligence feed

Threat intelligence data is divided into five high-level categories:

This data source provides information on the behavior of a device by sending external notifications and alerts. The malicious device either communicates with known malicious websites or participates in creating an army of botnets to launch further attacks. Various services are emerging to gather a huge volume of Internet traffic to identify such malicious devices.

One prominent type of reputation feed usually contains intelligence on command and control (C&C) networks and other external servers or sources of malicious activities. These intelligence feeds monitor C&C traffic globally, the origin of malware, controllers of a botnet, spoofed IP addresses, compromised proxies, and malicious websites. Depending on the information obtained from these feeds, an organization can search for similar indicators within its network.

Steps involved in scheduling a threat intelligence program:
1. Review the project charter.
2. Build a work breakdown structure (WBS).
3. Identify all deliverables.
4. Define all activities.
5. Identify the sequence of activities.
6. Identify and estimate resources for all activities.
7. Identify task dependencies.
8. Estimate the duration of each activity.
9. Develop the final schedule.

Processing of the collected data into a comprehensible and structured form is key for effective threat intelligence.

Passive data collection is a type of data collection that involves no participants, and it is purely based on analysis and observation of activities and processes going on within the local boundaries of an organization.

Active data collection involves observation of the adversary system and activities without any legal and privacy breach.

Hybrid data collection involves the collection of data from shared networks, commercial external feeds and sources, information systems, or from a specific network built to lure and trap the adversaries. An example of hybrid data is a honeypot built to lure adversaries into interacting with it. Another example is the sharing of networks between two organizations: suppose one organization is targeted by the adversary and shares that information with another organization.

Raw Data
Raw data is the unprocessed, unaltered, and unfiltered form of data. This form of data is the most valuable and productive as it contains the basic details of the adversary and other processes such as IP addresses, network logs, configuration files, and network architecture maps.
It requires an extra amount of time for processing and analysis to extract usable information from unstructured data.

Exploited Data
Exploited data is data that is filtered out from the large collection of raw data and sorted by other analysts. It contains details related to technical aspects of the intended adversary such as malware analysis reports, IDS/IPS logs, and campaign reports.

Production Data
Production data is the end-level form of data that is filtered, analyzed, and relevant in form, and is ready for distribution and consumption by the organization. This form of data is free from raw components and might be distributed as a report, which is meant for user or customer awareness and is useful for decisions and responses in an organization.

Strategic Threat Intelligence Data Collection
Strategic threat intelligence data helps in performing the strategic analysis that is consumed by high-level strategists and senior leaders within an organization to understand and predict risks and threats to the organization. Collection of strategic data from high-level reliable feeds provides better threat intelligence and helps higher management in taking key strategic business decisions. Strategic threat intelligence collection is a challenging task since it requires a sociopolitical mind-set in order to acquire highly reliable and appropriate information from trusted sources.
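The notes on applying confidence ratings to validated sources and on the raw, exploited, and production forms of data together describe a processing pipeline. The Python example below, added here and not from the course text, runs that pipeline end to end on constructed input: raw lines are kept exactly as received, only records from sources rated above a confidence threshold are parsed into structured records (the exploited stage), and the result is reduced to a report that carries no raw components (the production stage). The source names, confidence values, log lines, and line formats are constructed assumptions; the sample hash is an obvious placeholder.

```python
"""Raw -> exploited -> production: processing collected threat data.

Added example (not from the CTIA text). The raw lines, source names and
confidence ratings are constructed. Stage 1 keeps everything unaltered,
stage 2 parses and filters by source confidence, stage 3 produces a
distribution-ready summary with no raw components.
"""
import re
from collections import Counter

# Confidence ratings assigned when the sources were validated (constructed).
SOURCE_CONFIDENCE = {
    "ids-edge": 85,
    "sandbox-lab": 70,
    "paste-scrape": 30,   # unvetted source, rated low
}
MIN_CONFIDENCE = 50

# Stage 1: raw data, stored exactly as received, one event per line as "source|payload".
RAW_DATA = [
    "ids-edge|2024-07-19T08:12:01Z ALERT sid=2021001 src=203.0.113.45 dst=10.0.0.21 msg='ET TROJAN beacon'",
    "ids-edge|2024-07-19T08:12:07Z ALERT sid=2021001 src=203.0.113.45 dst=10.0.0.22 msg='ET TROJAN beacon'",
    "ids-edge|2024-07-19T08:15:33Z INFO heartbeat ok",
    "sandbox-lab|sample=hash-placeholder-1 family=loaderX c2=update-check.example",
    "paste-scrape|ip 198.51.100.7 claimed c2 for loaderX",
    "ids-edge|this line is malformed and should be dropped",
]

_IDS_RE = re.compile(r"^(\S+) ALERT sid=(\d+) src=([\d.]+) dst=([\d.]+) msg='([^']*)'")
_SANDBOX_RE = re.compile(r"^sample=(\S+) family=(\S+) c2=(\S+)")


def parse_record(source, payload):
    """Return a structured record, or None when the payload carries no indicator."""
    m = _IDS_RE.match(payload)
    if m:
        return {"source": source, "kind": "ip", "value": m.group(3),
                "context": m.group(5), "victim": m.group(4), "ts": m.group(1)}
    m = _SANDBOX_RE.match(payload)
    if m:
        return {"source": source, "kind": "domain", "value": m.group(3),
                "context": f"C2 of family {m.group(2)}", "sample": m.group(1)}
    return None


def exploit(raw, min_conf=MIN_CONFIDENCE):
    """Stage 2: filter and structure raw data, keeping source confidence with each record."""
    records = []
    for line in raw:
        source, _, payload = line.partition("|")
        conf = SOURCE_CONFIDENCE.get(source, 0)
        if conf < min_conf:
            continue   # low-confidence source stays in the raw store, not promoted
        rec = parse_record(source, payload)
        if rec is not None:
            rec["confidence"] = conf
            records.append(rec)
    return records


def produce(records):
    """Stage 3: production data, free of raw components, ready for a report."""
    sightings = Counter((r["kind"], r["value"]) for r in records)
    victims = sorted({r["victim"] for r in records if "victim" in r})
    indicators = [
        {"kind": kind, "value": value, "sightings": count,
         "confidence": max(r["confidence"] for r in records if r["value"] == value)}
        for (kind, value), count in sightings.most_common()
    ]
    return {"indicators": indicators,
            "affected_hosts": victims,
            "sources_used": sorted({r["source"] for r in records})}


if __name__ == "__main__":
    report = produce(exploit(RAW_DATA))
    for ind in report["indicators"]:
        print(f"{ind['kind']:6} {ind['value']:22} seen {ind['sightings']}x  confidence {ind['confidence']}")
    print("affected hosts:", ", ".join(report["affected_hosts"]))
```

The separation matters for the points the notes make: the raw store keeps the low-confidence paste line for later re-evaluation even though it is never promoted, the exploited stage is where parsing failures (the heartbeat and the malformed line) are discarded, and the production report exposes counts, hosts, and confidence without any of the original log text.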
Operational Threat Intelligence Data Collection
Operational threat intelligence data collection involves the collection of actionable information on any specific incoming attacks or events. As an analyst, you can obtain operational threat intelligence data from online sources for any indications of preplanned attacks. This data provides greater insight into the behavior of an attacker or intruder, and it can be used by the response operations teams to develop preventive measures for specific attacks. This data also provides crucial information related to the attacker and attack patterns and when the attack would likely take place. Vast operational threat intelligence data can be collected by monitoring the perimeter. However, organizations that are planning to perform such monitoring operations should follow legitimate legal advice and approach.

Activity-Related Attacks
Operational threat intelligence data provides crucial information about activity-related attacks, including details related to event or activity logs, investigation reports, etc. This data is essential for an analyst to examine whether the acquired information correlates to any global threat events and to analyze indications of any emerging attacks. Analysts can also collect data related to frequent attack attempts like distributed denial of service (DDoS) attacks for attack patterns and links to any correlated events.

o Social Media Sources
Social media and social networking sources are some of the important sources to acquire operational threat intelligence.
Analysts can monitor social networks and social media in order to gather threat information that can be related to an organization. The information collected from social media might point towards a potential attack, vulnerability, or security issue in the organization.

o Chat Room Conversations
Private chat room conversations can be a great source of operational threat intelligence gathering, as threat groups and attackers find it convenient and safe to discuss their plans of action in these chat room environments. The attackers generally use slang or language with hidden meaning, which upon analysis might reveal valuable intelligence.

Tactical Threat Intelligence Data Collection
Tactical threat intelligence deals with the tactics, techniques, and procedures (TTPs) of threat groups and is most effectively used in defending an organization. It is consumed by defensive information security personnel such as architects, administrators, and security staff. From this data, an analyst can attempt to predict the intention of an attacker, their approach, and the tools and techniques the attacker(s) employed, which can help in providing specific measures to avoid such incidents. The following sources provide tactical threat intelligence:

o Threat Actor Groups and Campaign Reports
Tactical intelligence collection can be performed using reports that provide details about attack campaigns or specific attackers and other details related to the tactics and tools used by the threat actors.
o Malware
Information related to malware is generally collected using available data feeds and online sources. Analysts can also collect data about malware using techniques like sandboxing, honeypots, spam traps, DNS sinkholes, or bamfdetect, which allow the capture of unknown malware that can then be analyzed for its activities and methodologies of attack.

o Incident Reports
Incident reports from organizations regarding past attack events and response tactics provide a rich form of intelligence. The analyst can gather such intelligence to utilize it in the defense formation and response procedures against such attacks.

Technical Threat Intelligence Data Collection
Technical threat intelligence deals with the technicalities of an attacker's assets and infrastructure. Technical threat intelligence data consists of information related to the threat machines' IP addresses, operating systems, details about subnets, domain names of C2 headers, generic behavior of the malware family, headers of phishing emails, etc. This data is consumed by automated network security devices and endpoint security solutions. Since this information is purely technical and can be modified at any point in time by the attacker, technical threat intelligence data collection is valid only for a short time horizon. This type of threat intelligence data collection is performed manually or in an automated manner and is mostly collected from endpoint and network security devices like firewalls and mail filters. The event and data logs from firewalls and other security devices are also considered in this type of data collection, where the information regarding historical attacks can be analyzed to fetch technical details of the attackers. The following sources provide technical threat intelligence:
Indicators
Malware indicators, such as network indicators and email indicators, are the main sources for technical threat intelligence data collection. A pattern in the data/network flow is a kind of malware indicator, which can point you towards the specific type/family of the malware. These indicators can be obtained from online sources as well as custom-built by the analysis of captured malware or network traffic analysis. The most common indicators used are MD5, SHA-1, or SHA-256 hashes. However, attackers have the tendency to change the hash values of the malware frequently, so these indicators are generally short-lived and need to be updated with the new trends of malware. Indicators can also be used to detect registry entries, process injection, or related changes made to the system. Indicators can work with IDS/IPS or firewalls to detect or block malware attempting intrusions into the network.

UNDERSTANDING OPERATIONAL SECURITY FOR DATA COLLECTION
Operational security (OPSEC) refers to the risk management process where an analyst analyzes the complete operations from an adversary's point of view to provide security measures and avoid exposing sensitive organizational data. The main goal of OPSEC is to control organizational data and to avoid exploitation of data. Ensuring operational security for data collection is also one of the important tasks of a threat intelligence analyst, who needs to understand how to securely collect the data and simultaneously maintain anonymity during the collection process, depending on the organizational security policy, to ensure privacy.
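The Indicators passage above describes hash, domain and IP indicators that IDS/IPS and firewalls match against traffic, and notes that hash indicators age out quickly. The following is an added example, not code from the CTIA material: it loads a constructed indicator feed, drops indicators older than an assumed per-type maximum age, and matches the remaining ones against constructed firewall, proxy, mail-filter and EDR log lines. The indicator values, log lines, age limits and field names are all made up for the illustration.

```python
"""Added example: match technical indicators from a constructed feed against
constructed log lines, expiring stale indicators first. Not code from the
CTIA material; every value below is made up."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Indicator:
    kind: str        # "md5" | "sha1" | "sha256" | "domain" | "ipv4"
    value: str
    last_seen: date  # when the feed last observed this indicator


# Constructed feed; the hashes are placeholders, not real malware hashes.
FEED = [
    Indicator("sha256", "a" * 64, date(2024, 6, 1)),
    Indicator("md5", "0" * 32, date(2024, 7, 15)),
    Indicator("domain", "update-check.example", date(2024, 7, 18)),
    Indicator("ipv4", "203.0.113.45", date(2024, 7, 18)),
]

# Constructed log lines: a firewall deny, two proxy requests, a mail-filter
# attachment record and an EDR file event.
LOG_LINES = [
    "2024-07-19T10:00:01Z fw DENY src=10.0.0.5 dst=203.0.113.45 dport=443",
    "2024-07-19T10:00:07Z proxy GET http://update-check.example/a.php user=bob",
    "2024-07-19T10:01:15Z mailfilter attachment=invoice.zip sha256=" + "a" * 64,
    "2024-07-19T10:02:00Z edr file=C:\\tmp\\x.exe md5=" + "0" * 32,
    "2024-07-19T10:03:00Z proxy GET http://intranet.example/ user=alice",
]

# Assumed validity policy (days): hashes age out fast because attackers
# recompile or repack samples; network indicators are kept longer.
MAX_AGE = {"md5": 14, "sha1": 14, "sha256": 14, "domain": 90, "ipv4": 90}
AS_OF = date(2024, 7, 19)  # the day the logs were produced

HASH_RE = re.compile(r"\b([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.I)


def active_indicators(feed, today: date) -> dict[str, Indicator]:
    """Keep only indicators within their per-kind maximum age, indexed by value."""
    keep = {}
    for ioc in feed:
        if (today - ioc.last_seen).days <= MAX_AGE[ioc.kind]:
            keep[ioc.value.lower()] = ioc
    return keep


def extract_observables(line: str) -> set[str]:
    """Pull hashes, IPv4 addresses and URL hostnames out of one log line."""
    obs = set()
    obs.update(m.lower() for m in HASH_RE.findall(line))
    obs.update(IPV4_RE.findall(line))
    obs.update(h.lower() for h in HOST_RE.findall(line))
    return obs


def match_logs(feed, lines, today: date) -> list[tuple[str, str, str]]:
    """Return (indicator kind, indicator value, log line) for every hit."""
    index = active_indicators(feed, today)
    hits = []
    for line in lines:
        for value in extract_observables(line):
            if value in index:
                hits.append((index[value].kind, value, line))
    return hits


if __name__ == "__main__":
    for kind, value, line in match_logs(FEED, LOG_LINES, AS_OF):
        print(f"{kind:7} {value}  <-  {line}")
```

The expired SHA-256 entry produces no hit even though it appears in the mail-filter line, which is the practical consequence of the short time horizon noted above; in a real pipeline the age limits would come from the feed provider's own validity data rather than a fixed table.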
The following are the steps that the analyst should follow to provide optimal operational security for data collection:
o Identify the critical information of the organization to ensure its privacy.
o Identify the possible threats from the data that you have collected and from the data that you intend to collect.
o Identify vulnerabilities in the organizational security infrastructure, like firewalls and IDS, that can compromise the network while performing data collection from unauthorized sources.
o Identify the risks involved in data collection.
o Apply all the effective countermeasures during data collection.

Apart from the above-mentioned operational security steps, the analyst can also follow the security measures below:
o Use secure tunneling protocols like SSH (Secure Shell) or HTTPS, ensuring a reliable connection and data integrity while transferring data from online sources.
o Use virtual machines to access and download files from untrusted online sources.
o Ensure updated and patched firewalls are in place to block malicious incoming traffic from entering the network while accessing online resources.
o Use dark web browsers like the TOR Browser to collect data confidentially.
o Use encrypted channels, like a virtual private network (VPN).
o Use an encrypted email service to protect the confidentiality of messages.

UNDERSTANDING DATA RELIABILITY
The analyst must ensure the reliability of the data that is collected in order to achieve better threat intelligence.
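The transfer measure above (SSH or HTTPS for integrity in transit) protects the channel, while the reliability criteria that follow ask that collected data is not altered and is not incomplete. As an added example, not code from the CTIA material, the following verifies a downloaded feed against a SHA-256 digest assumed to be published by the source, then separates usable records from ones with missing fields or empty values. The feed bytes, the digest and the required field names are constructed for the illustration.

```python
"""Added example: integrity and completeness checks on a collected feed.
Not code from the CTIA material; the feed and its 'published' digest are
constructed here (the digest is computed from the same bytes)."""
from __future__ import annotations
import hashlib
import hmac
import json

# Constructed feed as it would arrive from the download.
FEED_BYTES = json.dumps({
    "source": "example-feed",
    "records": [
        {"type": "ipv4", "value": "198.51.100.7", "confidence": 80, "first_seen": "2024-07-10"},
        {"type": "domain", "value": "bad.example", "confidence": 60},                   # no first_seen
        {"type": "sha256", "value": "", "confidence": 90, "first_seen": "2024-07-11"},  # empty value
    ],
}, sort_keys=True).encode()

# Stand-in for the digest the source publishes alongside the feed.
PUBLISHED_SHA256 = hashlib.sha256(FEED_BYTES).hexdigest()

# Fields every record must carry to be usable (assumed schema).
REQUIRED = ("type", "value", "confidence", "first_seen")


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """True only if the downloaded bytes hash to the published digest.
    compare_digest keeps the comparison time independent of where they differ."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def load_feed(data: bytes, expected_hex: str) -> dict:
    """Parse the feed only after its digest checks out."""
    if not verify_integrity(data, expected_hex):
        raise ValueError("feed rejected: digest mismatch (altered or wrong download)")
    return json.loads(data)


def complete_records(feed: dict) -> tuple[list[dict], list[tuple[int, str]]]:
    """Split records into usable ones and (index, reason) rejections."""
    good, rejected = [], []
    for i, rec in enumerate(feed.get("records", [])):
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            rejected.append((i, "missing " + ",".join(missing)))
        elif not rec["value"]:
            rejected.append((i, "empty value"))
        else:
            good.append(rec)
    return good, rejected


if __name__ == "__main__":
    good, rejected = complete_records(load_feed(FEED_BYTES, PUBLISHED_SHA256))
    print(f"usable: {len(good)}, rejected: {rejected}")
```

A digest fetched from the same server as the feed only detects accidental corruption or a broken download; establishing the source's authenticity needs a signature, or a digest obtained through a separate trusted channel.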
The analyst must know the various factors that affect data reliability and must be able to assess the relevance of intelligence sources, know the factors affecting the credibility of intelligence sources, and identify the data collection methods affecting the availability of data in order to understand the reliability of the data.

Assessing the relevance of intelligence sources
o The data accessed and collected must be from a reliable source, providing relevant and accurate data.
o It must be ensured that this data is not altered during the collection process.

Factors affecting the credibility of an intelligence source
o Lack of authenticity of the data accessed
o Inaccuracy of the data provided
o Availability of incomplete or insufficient data

Data collection methods affecting the availability of data
o Different methods of collecting data may bring out a certain amount of data as per the access level.
o For example:
  The passive method only collects internal and open shared data.
  The active method accesses the authorized level of data only.
  The hybrid method provides trap-based collection data.

ENSURING INTELLIGENCE COLLECTION METHODS TO PRODUCE ACTIONABLE DATA
All threat intelligence sources may not be equally important. Irrelevant intelligence may be more distracting and harmful than useful intelligence. Utilization of low-cost or free sources of intelligence may introduce additional risks to the organization and compromise the quality of the decision-making process.
Therefore, analysts need to concentrate on selecting intelligence sources that contain data that is relevant, accurate, timely, and has maximum coverage. They need to sort and prioritize the collected intelligence to align with the requirements of the organization. Analysts need to answer the following questions to ensure that the intelligence data is relevant and can produce actionable threat intelligence:
o Does the intelligence belong to the same geographical location as the organization?
o Does the intelligence support the strategic business requirements of the organization?
o To what extent is the information about threat actors, IoCs, and TTPs useful to the organization?
o What are the broader effects of the intelligence on the organization?

VALIDATE THE QUALITY AND RELIABILITY OF THIRD-PARTY INTELLIGENCE SOURCES
Threat information is only as trustworthy as the source of that data, so it is essential to validate the credibility of third-party threat intelligence sources. This helps the organization to judge the neutrality of the data in order to remove biases. There are a few factors that the organization should consider when checking the relevance of data:
o Does the threat intelligence provide greater insight into the identified threats and change the way the stakeholder views the threat?
o Is the threat intelligence actionable? Does the threat intelligence support the stakeholders in enhancing the defenses against the identified threats and reduce the recurrence of threats?
o Is the threat intelligence informative? Does the collected intelligence provide contextual awareness of the identified threats?

Evaluating the sources of data is as important as evaluating the threat data. The following questions should be considered while evaluating third-party intelligence sources:
o Does the source refer to its own sources so that the conclusions can be verified independently?
o Who are the authors of the threat information? What rights do they have?
o Who is responsible for the threat data? What is funded by another company?
o Does the third-party intelligence source have an objective or any undisclosed motivation?
o What is the frequency of publishing and updating threat data?
o Whether the quality of the source meets the standar

ESTABLISH COLLECTION CRITERIA FOR PRIORITIZATION OF INTELLIGENCE NEEDS AND REQUIREMENTS
The threat intelligence action plan must have the capability to aggregate, analyze, and prioritize threat intelligence that is collected from different sources for timely blocking and alerting. Prioritization of threat intelligence needs and requirements helps security analysts develop new protection mechanisms and mitigate evolving threats. Hence, analysts need to consider the frequency or impact of a threat to prioritize threat intelligence needs and requirements.

Frequency
o Estimated Frequency: How frequently is this threat relevant to the organization?
o Estimated Trend: Is the threat likely to be increasing or decreasing in frequency?

Impact
o Functional Impact: What is the potential impact of the threat on the ability of the organization to accomplish critical services?
o Information Impact: Does the threat increase the risk to sensitive information?
o Recoverability Effort (business continuity and disaster recovery): How much effort does the organization require to recover from the potential damage caused by the threat?
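The frequency and impact criteria above become repeatable once each is put on a scale and combined into a score. The following is an added example, not code from the CTIA material: it models an intelligence need with the five criteria listed (estimated frequency, estimated trend, functional impact, information impact, recoverability effort), validates the inputs, and ranks a constructed set of needs. The 1 to 5 scales, the weights and the sample needs are assumptions made for the illustration.

```python
"""Added example: rank threat intelligence needs by the frequency and impact
criteria. Not code from the CTIA material; scales, weights and the sample
needs are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass

# Estimated trend shifts the frequency score up or down by one step.
TREND = {"decreasing": -1, "stable": 0, "increasing": 1}
SCALED = ("frequency", "functional_impact", "information_impact", "recoverability")


@dataclass
class IntelNeed:
    name: str
    frequency: int           # estimated frequency, 1 (rare) .. 5 (constant)
    trend: str               # "decreasing" | "stable" | "increasing"
    functional_impact: int   # 1..5, effect on the ability to deliver critical services
    information_impact: int  # 1..5, added risk to sensitive information
    recoverability: int      # 1..5, effort needed to recover from the damage

    def __post_init__(self):
        # Reject out-of-range inputs so a typo cannot silently dominate the ranking.
        for field in SCALED:
            v = getattr(self, field)
            if not 1 <= v <= 5:
                raise ValueError(f"{field} must be in 1..5, got {v}")
        if self.trend not in TREND:
            raise ValueError(f"unknown trend {self.trend!r}")


def priority_score(need: IntelNeed) -> float:
    """Trend-adjusted frequency times the worse of the two impacts, plus half
    the recovery effort. The weighting is an assumption for illustration."""
    freq = min(5, max(1, need.frequency + TREND[need.trend]))
    impact = max(need.functional_impact, need.information_impact)
    return freq * impact + 0.5 * need.recoverability


def prioritize(needs: list[IntelNeed]) -> list[IntelNeed]:
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(needs, key=lambda n: (-priority_score(n), n.name))


# Constructed needs, following the three categories the text lists next.
SAMPLE_NEEDS = [
    IntelNeed("Threat actor TTPs (hacktivists, cybercriminals, script kiddies)", 3, "stable", 4, 4, 3),
    IntelNeed("DoS attacks against customer-facing services", 4, "increasing", 5, 1, 2),
    IntelNeed("Malware delivered by e-mail", 5, "stable", 3, 5, 4),
]

if __name__ == "__main__":
    for need in prioritize(SAMPLE_NEEDS):
        print(f"{priority_score(need):5.1f}  {need.name}")
```

Taking the worse of the two impacts, rather than their sum, keeps a threat that only harms availability (the DoS case) from being under-ranked just because it carries no information impact.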
For example, consider the following threat intelligence needs for collection:
o Threat Actors: TTPs of threat actors such as hacktivists, cybercriminals, and script kiddies.
o DoS Attack: Attacks that disrupt the normal legitimate functionality of networks, systems, and applications by draining resources. This activity resembles being the target of, or participating in, a DoS attack.
o Malware: Covertly injecting a malicious program into a system or network with the intention of compromising the confidentiality, integrity, or availability of resources such as operating systems, applications, and sensitive data.

BUILDING A THREAT INTELLIGENCE COLLECTION PLAN
Before collecting intelligence, threat intelligence analysts must focus on building an efficient threat intelligence collection plan. A good threat intelligence collection plan can drive the intelligence collection teams to generate good results in reducing organizational risks. After completing the threat intelligence collection plan, the threat intelligence teams will have a clear idea about the operating environment, threats and threat landscapes, etc., and this narrows down the data collection to the specific organizational operational environment requirements.

Following are the steps that an analyst should consider while planning threat intelligence collection:
o Design a threat intelligence collection strategy.
  o Understand the limitations of the area of operations.
  o Understand the area of interest.
o Understand the different collection sources and solutions that match your needs.
o Ensure the reliability of data and collection methods providing actionable data.
o Align the collected internal and external data and data sources to your organization's specific intelligence analysis needs in further stages.
o Normalize information with industry standards.
o Store the information in secure and easily accessible infrastructure.
o Share the information with other analysis teams.

OVERVIEW OF THREAT INTELLIGENCE FEEDS AND SOURCES
Building a strong defense system for an organization requires strong and reliable threat intelligence. However, what is more important is that the intelligence acquired provides information about the latest and trending threats that are active in cyberspace. To obtain such reliable intelligence, organizations use different intelligence sources and feeds that provide the essential information about threats. These threat intelligence feeds are the building element of a strong and powerful defense system. This section discusses the various feeds and sources of threat intelligence.

Threat intelligence feeds refer to a stream of indicators or data derived from various sources related to potential or evolving threats to an organization's security. Threat intelligence feeds are mainly categorized into three types, depending on the type of data collection:

External Intelligence Feeds
External intelligence feeds include information that is acquired from globally available sources.
These sources exist outside the organizational infrastructure boundaries and provide information from globally existing systems and the threat information shared on the global scene. Organizations can obtain such feeds as per their requirements and relevance to their systems and functions. External intelligence feeds also include building intelligence repositories from external datasets. The only analysis required for this kind of feed is its applicability to the existing system with respect to its relevance. These sources may include the following:
o Journals, groups, forums, and blogs
o Law enforcement feeds
o Business associations
o Security researchers
o Underground forums
o Hash records
o GeoIP statistics

Internal Intelligence Feeds
Internal intelligence feeds include information that is acquired from locally available sources and from the local infrastructure or systems. These feeds can be generated from the internal analysis of the systems and the organizational resources. They are also collected from alerts. These feeds can come from current data or from historic events or activities and are related to the locally existing functions and activities of an organization. These sources include the following:
o Fraud analysis
o Security activity data
o Mailbox misuse information
o Human intelligence
o Vulnerability information
o Sandbox

Proactive Surveillance Feeds
Proactive surveillance feeds include information that is acquired using real-time assessment of system activities and events. This enables appropriate defensive measures and immediate response to such activities. These feeds also enable the security teams to build defensive strategies in advance, keeping in mind possible intrusion attempts and securing the vulnerabilities visible in the system.
These sources include the following:
o Honeynets
o Malware forensics
o Brand monitoring
o P2P monitoring
o DNS monitoring
o Watchlist monitoring
o Infrastructure and application logs

THREAT INTELLIGENCE SOURCES
Intelligence gathering is an important step in performing threat intelligence. This intelligence is generated from the analysis of data, which is collected from various sources. Intelligence sources are the important resources in designing an efficient intelligence system. Threat intelligence sources provide a large amount of information to intelligence analysts to identify potential and evolving threats and allow an organization to make strategic decisions in time. Some of the sources of intelligence collection are described below:

Open-Source Intelligence (OSINT)
OSINT is the information gathered from publicly available sources and analyzed to obtain a rich, useful form of intelligence. In OSINT, data collection is done using various kinds of sources according to the requirements of the subject. OSINT is primarily used for national security, law enforcement, and collecting intelligence required for business or strategic decision-making. The information is collected from non-sensitive sources and is analyzed to create an actionable form of intelligence.
Various sources that can be used to obtain such intelligence include:
o Media—newspapers, magazines, brochures, television, and radio
o Internet—information publicly accessible through the World Wide Web such as social media websites, blogs, groups, forums, or job sites
o Public Government Data—press conferences, speeches, government reports and releases, official declarations, and telephone directories
o Corporate/Academic Publications—handouts, conferences, seminars, white papers, journals, and academic papers
o Commercial Surveys—company-driven surveys for business-related tracking and market research and database analysis
o Literature—books, research papers, business documents, newsletters, and preprints

Human Intelligence (HUMINT)
Human intelligence is a form of information that is collected by means of interpersonal communication. It can provide different information, like observations or findings during a site visit or events involving travelers, prisoners of war, and refugees. It can provide the required data that can be analyzed to form the necessary intelligence based on the subject. The source of this form of intelligence can be another human subject who can be interrogated or, in the case of friendly or cooperative spies, interviewed to collect sensitive information to which they had access. Human intelligence is also a useful source of strong counterintelligence value. Examples of human intelligence sources are as follows:
o Foreign defense personnel and advisors
o Accredited diplomats
o NGOs
o Prisoners of war (POWs)
o Refugees
o Traveler interview or debriefing
Signals Intelligence (SIGINT)
Signals intelligence involves the gathering of information by intercepting signals. These communication intercepts can be direct between two people or transmitted indirectly using electronic media. Signals intelligence requires various analytical methods, which may include cryptanalysis, translation, authentication, etc. This intelligence provides useful information about the adversary and helps in creating countermeasures against the adversary's advancements. Signals intelligence comprises:
o Communication Intelligence (COMINT): It involves the gathering of information about messages or voice extracted from the interception of foreign communications. It reveals information about the sender, receiver, their locations, time and duration of the transmission, frequencies of communication, and so forth.
o Electronic Intelligence (ELINT): It includes information extracted using electronic sensors, and it is mainly focused on non-communication signals intelligence. The purpose is to obtain the location of the target, which could be a radar or lidar.
o Foreign Instrumentation Signals Intelligence (FISINT): This form of intelligence is gathered from the interception of non-human communication systems emitting some sort of signals or radiation. These systems may be in their testing phase or under operational deployment in aerospace, on the surface, or under the surface. These signals may include telemetry data of weapons, data from reconnaissance devices, remotely controlled equipment, and control signals for remote devices.

Technical Intelligence (TECHINT)
Technical intelligence is the information that is collected from an adversary's equipment or captured enemy material (CEM). This form of information is gathered to achieve a technological advantage over the adversary.
This helps prevent technological surprise by the adversary and helps the analyst assess the adversary's scientific and technical capabilities. It also provides a quick assessment of the performance and vulnerability of the enemy's equipment, providing a critical advantage to the analysts. TECHINT enables the analyst to design countermeasures that will neutralize the adversary's attacks. Some examples of technical intelligence sources are given below:
o Foreign equipment
o Foreign weapon systems
o Satellites
o Technical research papers
o Foreign media
o Human contacts

Geo-spatial Intelligence (GEOINT)
Geo-spatial intelligence is the information collected by the exploitation and evaluation of geo-spatial information to assess human activities on earth. It is the type of intelligence that deals with the collection of information through the exploitation of geo-spatial data to describe, evaluate, and visualize natural or human-made features and geographically referenced activities on the earth. Some examples of geo-spatial intelligence sources are as follows:
o Satellite imagery
o Unmanned aerial vehicle (UAV) imagery
o Maps
o GPS waypoints
o IMINT (Imagery Intelligence)
o National Geospatial-Intelligence Agency (NGA)
o Signals
o Measurements and signatures
o Human sources

Imagery Intelligence (IMINT)
Imagery intelligence is the information that is collected from objects that are used to reproduce the real scenario electronically by any kind of electronic media or device.
This intelligence is developed by analyzing graphical data or images. IMINT provides detailed information about the threat location and enables an analyst to develop counterintelligence. Some examples of imagery intelligence sources are listed below:
o Visual photography
o Infrared sensors
o Synthetic aperture radar (SAR)
o MASINT (measurement and signature intelligence)
o LASER
o Electro-optics

Measurement and Signature Intelligence (MASINT)
Measurement and signature intelligence is the information that is collected from sensors that are intended to record the distinctive characteristics (signatures) of fixed or dynamic targets. This intelligence is derived from the scientific and technical analysis of the data to provide information related to the source and the emitter. Some examples of measurement and signature intelligence sources are as follows:
o Electro-optical
o Radar sensors
o Acoustic sensors like sonar
o LASER
o Infrared
o Spectroscopic sensors

Covert Human Intelligence Sources (CHIS)
Information is collected covertly from the target person by maintaining a personal or other relationship with the target person. CHIS generally refers to a person or an agent under the Regulation of Investigatory Powers Act 2000 (RIPA), UK. A CHIS is a legal entity that has the authority to gather intelligence legally from the target sources. The sources for CHIS are the target persons from whom the information will be extracted.
It also involves the collection of important information known to the person or gathering information about another person indirectly. The agents involved in carrying out the operations are handled by agent handlers, who are experienced officials. The agents themselves are responsible for carrying out the operation for days, weeks, or even years to extract the information required.

Financial Intelligence (FININT)
Financial intelligence is the gathering of information about an adversary's financial affairs and transactions, which may involve tax evasion, money laundering, etc., and which in turn provides information about the nature, capabilities, and intentions of the adversary. It also provides information about the money management capacity of the adversary, as well as the adversary's source of finance. Financial intelligence is generally employed by law enforcement organizations in order to track down threat actors who are involved in financial crimes. Some examples of financial intelligence sources are as follows:
o Financial Intelligence Unit (FIU)
o Banks
o SWIFT
o Informal value transfer systems (IVTS)

Social Media Intelligence (SOCMINT)
Social media intelligence is the information that is collected from social networking sites and other types of social media sources. The analyst can collect SOCMINT from both open and closed social networks. SOCMINT is also a part of OSINT. The social network provides detailed knowledge about an organization, employee profiles, contacts, activity threads, potential partners, websites, and upcoming news about the adversary. Some of the social media intelligence sources are as follows:
o Facebook
o LinkedIn
o Twitter
o WhatsApp
o Instagram
o Telegram

Cyber Counterintelligence (CCI)
Cyber counterintelligence (CCI) is used as a security mechanism to protect the organization against the adversary's intelligence operations.
CCI can also sometimes be effective in providing crucial information about the adversary. Cyber counterintelligence is the information that is collected from a proactively established security infrastructure or by employing various threat manipulation techniques to lure and trap threats.

CCI is basically classified into two types:
o Defensive CCI: Defensive CCI is used to identify and counter threats or intrusions before they take place.
o Offensive CCI: Offensive CCI deals with interactions with the adversaries for direct collection of threat information.

Some of the CCI sources are as follows:
o Honeypots
o Passive DNS monitors
o Online web trackers
o Sock puppets (fake profiling) on online forums
o Publishing false reports

Indicators of Compromise (IoCs)
Indicators of compromise (IoCs) are the artifacts of network security incidents. IoC information is collected from network security threats and breaches and from the alerts generated on the security infrastructure, which will likely indicate an intrusion. IoCs represent security threats and breaches like malware MD5 hashes, DNS attacks, virus signatures, botnet URLs or domains, and malicious IP addresses, which may indicate intrusion activity in the organization's network. IoCs are often considered technical or tactical intelligence data and usually represent known threats.
Some of the IoC sources are provided below:
o Commercial sources
o Industry sources
o Free IoC-specific sources
o Online security-related sources
o Social media
o News feeds
o IoC buckets

Mellow Yellow 7/19/2024

Industry Association and Vertical Communities
Vertical communities are the hierarchical chain of organizations that share resources and data within their business sector. Vertical communities are considered one of the threat intelligence sources, where the information is collected from the various threat-intelligence-sharing communities. It is a many-to-many interaction between the organizations to share data, and the data shared is highly valuable and specific.

Mellow Yellow 7/19/2024

Some attack groups target specific industries working in a similar field of interest. Such organizations often become potential targets when any organization in a similar field suffers an attack. To reduce this exposure, organizations in similar fields build an association to coordinate and carry out resource and information exchange among themselves. Such industry associations generate information with higher accuracy than regular commercial feeds.
Some of the vertical community sources are as follows:
o Financial Services Information Sharing and Analysis Center (FS-ISAC)
o MISP (Malware Information Sharing Platform)
o MineMeld
o DarkReading.com
o Krebsonsecurity.com
Note that only FS-ISAC is itself a sector-sharing community; MISP and MineMeld are platforms through which such communities exchange and aggregate indicators, and DarkReading.com and Krebsonsecurity.com are security news publications.

Mellow Yellow 7/19/2024

Commercial Sources
Commercial sources are considered one of the threat intelligence sources, where the information is collected from commercial entities and security vendors that provide threat information to organizations. Commercial sources of intelligence are those providers who make feeds and other forms of intelligence data commercially available to organizations. These feeds may include white papers, threat databases, legally available industry data, use cases, or reports. These providers
