Chapter 02 - Cybersecurity Threat Landscape.pdf

Full Transcript

Chapter 2
Cybersecurity Threat Landscape

THE COMPTIA SECURITY+ EXAM OBJECTIVES COVERED IN THIS
CHAPTER INCLUDE:
Domain 2.0: Threats, Vulnerabilities, and Mitigations
2.1. Compare and contrast common threat actors and motivations.
Threat actors (Nation-state, Unskilled attacker, Hacktivist, Insider threat,
Organized crime, Shadow IT)
Attributes of actors (Internal/external, Resources/funding, Level of
sophistication/capability)
Motivations (Data exfiltration, Espionage, Service disruption, Blackmail,
Financial gain, Philosophical/political beliefs, Ethical, Revenge,
Disruption/chaos, War)
2.2. Explain common threat vectors and attack surfaces.
Message-based (Email, Short Message Service (SMS), Instant messaging
(IM))
Image-based
File-based
Voice call
Removable device
Vulnerable software (Client-based vs. agentless)
Unsupported systems and applications
Unsecure networks (Wireless, Wired, Bluetooth)
Open service ports
Default credentials
Supply chain (Managed service providers (MSPs), Vendors, Suppliers)
2.3. Explain various types of vulnerabilities.
Supply chain (Service provider, Hardware provider, Software provider)
Zero-day
Domain 4.0: Security Operations
4.3. Explain various activities associated with vulnerability management.
Identification methods (Threat feed, Open-source intelligence (OSINT),
 Proprietary/third-party, Information-sharing organization, Dark web)

Cybersecurity threats have become increasingly sophisticated and diverse over the past
few decades. An environment that was once populated by lone hobbyists is now shared
by skilled technologists, organized criminal syndicates, and even government-sponsored
attackers, all seeking to exploit the digital domain to achieve their own objectives.
Cybersecurity professionals seeking to safeguard the confidentiality, integrity, and
availability of their organization's assets must have a strong understanding of the threat
environment to develop appropriate defensive mechanisms.
In the first part of this chapter, you will learn about the modern cybersecurity threat
environment, including the major types of threat and the characteristics that
differentiate them. In the sections that follow, you will learn how to build your own
organization's threat intelligence capability to stay current as the threat environment
evolves.

Exploring Cybersecurity Threats
Cybersecurity threat actors differ significantly in their skills, capabilities, resources, and
motivation. Protecting your organization's information and systems requires a solid
understanding of the nature of these different threats so that you may develop a set of
security controls that comprehensively protects your organization against their
occurrence.

Classifying Cybersecurity Threats
Before we explore specific types of threat actors, let's examine the characteristics that
differentiate the types of cybersecurity threat actors. Understanding our adversary is
crucial to defending against them.

Exam Note

The threat characteristics in the section below are the characteristics specifically
mentioned in the CompTIA SY0-701 Security+ exam objectives. If you face
questions about threat actor attributes on the exam, remember that every exam
question ties back to a specific exam objective and the answer is most likely either
found on this list or directly related to one of these attributes.

Internal vs. External We most often think about the threat actors who exist
outside our organizations: competitors, criminals, and the curious. However, some
of the most dangerous threats come from within our own environments. We'll
discuss the insider threat later in this chapter.
Level of Sophistication/Capability Threat actors vary greatly in their level of
cybersecurity sophistication and capability. As we explore different types of threat
 actors in this chapter, we'll discuss how they range from the
unsophisticated/unskilled attacker simply running code borrowed from others to
the advanced persistent threat (APT) actor exploiting vulnerabilities discovered in
their own research labs and unknown to the security community.
Resources/Funding Just as threat actors vary in their sophistication, they also
vary in the resources available to them. Highly organized attackers sponsored by
organized crime or national governments often have virtually limitless resources,
whereas less organized attackers may simply be hobbyists working in their spare
time.
Intent/Motivation Attackers also vary in their motivation and intent. The
unskilled attacker may be simply out for the thrill of the attack, whereas
competitors may be engaged in highly targeted corporate espionage. Nation-states
seek to achieve political objectives; organized crime often focuses on direct
financial gain.
As we work through this chapter, we'll explore different types of threat actors. As we do
so, take some time to reflect back on these characteristics. In addition, you may wish to
reference them when you hear news of current cybersecurity attacks in the media and
other sources. Dissect those stories and analyze the threat actors involved. If the attack
came from an unknown source, think about the characteristics that are most likely
associated with the attacker. These can be important clues during a cybersecurity
investigation. For example, a ransomware attack seeking payment from the victim is
more likely associated with a organized crime seeking financial gain than a competitor
engaged in corporate espionage.

The Hats Hackers Wear

The cybersecurity community uses a shorthand lingo to refer to the motivations of
attackers, describing them as having different-colored hats. The origins of this
approach date back to old Western films, where the “good guys” wore white hats
and the “bad guys” wore black hats to help distinguish them in the film.
Cybersecurity professionals have adopted this approach to describe different types
of cybersecurity adversaries:
Authorized attackers, also known as white-hat hackers, are those who act with
authorization and seek to discover security vulnerabilities with the intent of
correcting them. White-hat hackers may either be employees of the organization
or contractors hired to engage in penetration testing.
Unauthorized attackers, also known as black-hat hackers, are those with
malicious intent. They seek to defeat security controls and compromise the
confidentiality, integrity, or availability of information and systems for their
own, unauthorized purposes.
Semi-authorized attackers, also known as gray-hat hackers, are those who fall
somewhere between white- and black-hat hackers. They act without proper
 authorization, but they do so with the intent of informing their targets of any
security vulnerabilities.

It's important to understand that simply having good intent does not make gray-hat
hacking legal or ethical. The techniques used by gray-hat attackers can still be
punished as criminal offenses.

Threat Actors
Now that we have a set of attributes that we can use to discuss the different types of
threat actors, let's explore the most common types that security professionals encounter
in their work.

Exam Note

In addition to being the types of threat actors most commonly found in
cybersecurity work, the attackers discussed in this section are also those found in
the CompTIA SY0-701 exam objectives.
Be certain that you understand the differences between unskilled attackers;
hacktivists; organized crime; advanced persistent threats (APTs), including nation-
state actors; and shadow IT.

Unskilled Attackers
The term script kiddie is a derogatory term for unskilled attackers who use hacking
techniques but have limited skills. Often such attackers may rely almost entirely on
automated tools they download from the Internet. These attackers often have little
knowledge of how their attacks actually work, and they are simply seeking out
convenient targets of opportunity.
You might think that with their relatively low skill level, unskilled attackers are not a
real security threat. However, that isn't the case for two important reasons. First,
simplistic hacking tools are freely available on the Internet. If you're vulnerable to them,
anyone can easily find tools to automate denial-of-service (DoS) attacks, create viruses,
make a Trojan horse, or even distribute ransomware as a service. Personal technical
skills are no longer a barrier to attacking a network.
Second, unskilled attackers are plentiful and unfocused in their work. Although the
nature of your business might not find you in the crosshairs of a sophisticated military-
sponsored attack, unskilled attackers are much less discriminating in their target
selection. They often just search for and discover vulnerable victims without even
knowing the identity of their target. They might root around in files and systems and
only discover who they've penetrated after their attack succeeds.
In general, the motivations of unskilled attackers revolve around trying to prove their
skill. In other words, they may attack your network simply because it is there. Secondary
school and university networks are common targets of unskilled attackers attacks
because many of these attackers are school-aged individuals.
Fortunately, the number of unskilled attackers is often offset by their lack of skill and
lack of resources. These individuals tend to be rather young, they work alone, and they
have very few resources. And by resources, we mean time as well as money. An unskilled
attacker normally can't attack your network 24 hours a day. They usually have to work a
job, go to school, and attend to other life functions.

Hacktivists
Hacktivists use hacking techniques to accomplish some activist goal. They might deface
the website of a company whose policies they disagree with. Or a hacktivist might attack
a network due to some political issue. The defining characteristic of hacktivists is that
they believe they are motivated by the greater good, even if their activity violates the law.
Their activist motivation means that measures that might deter other attackers will be
less likely to deter a hacktivist. Because they believe that they are engaged in a just
crusade, they will, at least in some instances, risk getting caught to accomplish their
goals. They may even view being caught as a badge of honor and a sacrifice for their
cause.
The skill levels of hacktivists vary widely. Some are only unskilled attackers, whereas
others are quite skilled, having honed their craft over the years. In fact, some
cybersecurity researchers believe that some hacktivists are actually employed as
cybersecurity professionals as their “day job” and perform hacktivist attacks in their
spare time. Highly skilled hacktivists pose a significant danger to their targets.
The resources of hacktivists also vary somewhat. Many are working alone and have very
limited resources. However, some are part of organized efforts. The hacking group
Anonymous, who uses the logo seen in Figure 2.1, is the most well-known hacktivist
group. They collectively decide their agenda and their targets. Over the years,
Anonymous has waged cyberattacks against targets as diverse as the Church of
Scientology, PayPal, Visa and Mastercard, Westboro Baptist Church, and even
government agencies.
This type of anonymous collective of attackers can prove quite powerful. Large groups
will always have more time and other resources than a lone attacker. Due to their
distributed and anonymous nature, it is difficult to identify, investigate, and prosecute
participants in their hacking activities. The group lacks a hierarchical structure, and the
capture of one member is unlikely to compromise the identities of other members.
 FIGURE 2.1 Logo of the hacktivist group Anonymous
Hacktivists tend to be external attackers, but in some cases, internal employees who
disagree strongly with their company's policies engage in hacktivism. In those instances,
it is more likely that the hacktivist will attack the company by releasing confidential
information. Government employees and self-styled whistleblowers fit this pattern of
activity, seeking to bring what they consider unethical government actions to the
attention of the public.
For example, many people consider Edward Snowden a hacktivist. In 2013, Snowden, a
former contractor with the U.S. National Security Agency, shared a large cache of
sensitive government documents with journalists. Snowden's actions provided
unprecedented insight into the digital intelligence gathering capabilities of the United
States and its allies.

Organized Crime
Organized crime appears in any case where there is money to be made, and cybercrime
is no exception. The ranks of cybercriminals include links to traditional organized crime
families in the United States, outlaw gangs, the Russian mafia, and even criminal groups
organized specifically for the purpose of engaging in cybercrime.
The common thread among these groups is motive and intent. The motive is simply
illegal financial gain. Organized criminal syndicates do not normally embrace political
issues or causes, and they are not trying to demonstrate their skills. In fact, they would
often prefer to remain in the shadows, drawing as little attention to themselves as
possible. They simply want to generate as much illegal profit as they possibly can.
In their 2021 Internet Organized Crime Threat Assessment (IOCTA), the European
Union Agency for Law Enforcement Cooperation (EUROPOL) found that organized
crime groups were active in a variety of cybercrime categories, including the following:
Cyber-dependent crime, including ransomware, data compromise, distributed
denial-of-service (DDoS) attacks, website defacement, and attacks against critical
infrastructure
Child sexual abuse material, including child pornography, abuse, and solicitation
Online fraud, including credit card fraud and business email compromises
Dark web activity, including the sale of illegal goods and services
Cross-cutting crime factors, including social engineering, money mules, and the
criminal abuse of cryptocurrencies

Organized crime tends to have attackers who range from moderately skilled to highly
skilled. It is rare for unskilled attackers to be involved in these crimes, and if they are,
they tend to be caught rather quickly. The other defining factor is that organized crime
groups tend to have more resources, both in terms of time and money, than do
hacktivists or unskilled attackers. They often embrace the idea that “it takes money to
make money” and are willing to invest in their criminal enterprises in the hopes of
yielding a significant return on their investments.

Nation-State Attackers
In recent years, a great deal of attention has been given to nation-state attackers
hacking into either foreign governments or corporations. The term advanced persistent
threats (APTs) describes a series of attacks that they first traced to sources connected to
the Chinese military. In subsequent years, the security community discovered similar
organizations linked to the government of virtually every technologically advanced
country.
The term APT tells you a great deal about the attacks themselves. First, they use
advanced techniques, not simply tools downloaded from the Internet. Second, the
attacks are persistent, occurring over a significant period of time. In some cases, the
attacks continue for years as attackers patiently stalk their targets, awaiting the right
opportunity to strike.
The APT attacks that Mandiant reported are emblematic of nation-state attacks. They
tend to be characterized by highly skilled attackers with significant resources. A nation
has the labor force, time, and money to finance ongoing, sophisticated attacks.
The motive can be political or economic. In some cases, the attack is done for traditional
espionage goals: to gather information about the target's defense capabilities. In other
cases, the attack might be targeting intellectual property or other economic assets.

Zero-Day Attacks

APT attackers often conduct their own security vulnerability research in an attempt
to discover vulnerabilities that are not known to other attackers or cybersecurity
teams. After they uncover a vulnerability, they do not disclose it but rather store it
in a vulnerability repository for later use.
Attacks that exploit these vulnerabilities are known as zero-day attacks. Zero-day
attacks are particularly dangerous because they are unknown to product vendors,
and therefore, no patches are available to correct them. APT actors who exploit
zero-day vulnerabilities are often able to easily compromise their targets.
Stuxnet is one of the most well-known examples of an APT attack. The Stuxnet
attack, traced to the U.S. and Israeli governments, exploited zero-day vulnerabilities
to compromise the control networks at an Iranian uranium enrichment facility.

Insider Threat
Insider attacks occur when an employee, contractor, vendor, or other individual with
authorized access to information and systems uses that access to wage an attack against
the organization. These attacks are often aimed at disclosing confidential information,
but insiders may also seek to alter information or disrupt business processes.
An insider might be of any skill level. They could be an unskilled attacker or very
technically skilled. Insiders may also have differing motivations behind their attacks.
Some are motivated by certain activist goals, whereas others are motivated by financial
gain. Still others may simply be upset that they were passed over for a promotion or
slighted in some other manner.
An insider will usually be working alone and have limited financial resources and time.
However, the fact that they are insiders gives them an automatic advantage. They
already have some access to your network and some level of knowledge. Depending on
the insider's job role, they might have significant access and knowledge.
Behavioral assessments are a powerful tool in identifying insider attacks. Cybersecurity
teams should work with human resources partners to identify insiders exhibiting
unusual behavior and intervene before the situation escalates.

The Threat of Shadow IT
 Dedicated employees often seek to achieve their goals and objectives through
whatever means allows them to do so. Sometimes, this involves purchasing
technology services that aren't approved by the organization. For example, when file
sharing and synchronization services first came on the market, many employees
turned to personal Dropbox accounts to sync work content between their business
and personal devices. They did not do this with any malicious intent. On the
contrary, they were trying to benefit the business by being more productive.
This situation, where individuals and groups seek out their own technology
solutions, is a phenomenon known as shadow IT. Shadow IT poses a risk to the
organization because it puts sensitive information in the hands of vendors outside
of the organization's control. Cybersecurity teams should remain vigilant for
shadow IT adoption and remember that the presence of shadow IT in an
organization means that business needs are not being met by the enterprise IT
team. Consulting with shadow IT users often identifies acceptable alternatives that
both meet business needs and satisfy security requirements.

Competitors
Competitors may engage in corporate espionage designed to steal sensitive information
from your organization and use it to their own business advantage. This may include
theft of customer information, stealing proprietary software, identifying confidential
product development plans, or gaining access to any other information that would
benefit the competitor.
In some cases, competitors will use a disgruntled insider to get information from your
company. They may also seek out insider information available for purchase on the dark
web, a shadowy anonymous network often engaging in illicit activity. Figure 2.2 shows
an actual dark web market with corporate information for sale.

FIGURE 2.2 Dark web market
These markets don't care how they get the information; their only concern is selling it.
In some cases, hackers break into a network and then sell the information to a dark web
market. In other cases, insiders sell confidential information on the dark web. In fact,
some dark web markets are advertising that they wish to buy confidential data from
corporate insiders. This provides a ready resource for competitors to purchase your
company's information on the dark web.
Your organization may want to consider other specific threat actors based on your threat
models and profile, so you should not consider this a complete list. You should conduct
periodic organizational threat assessments to determine what types of threat actors are
most likely to target your organization, and why.

Attacker Motivations
You've already read a few examples of how different threat actors may have different
motivations. For example, hacktivists are generally motivated by political beliefs,
whereas organized crime may be motivated by financial gain. Let's take a look at some of
the primary motivations behind cyberattacks:
Data exfiltration attacks are motivated by the desire to obtain sensitive or
proprietary information, such as customer data or intellectual property.
Espionage attacks are motivated by organizations seeking to steal secret information
from other organizations. This may come in the form of nation-states attacking each
other or corporate espionage.
Service disruption attacks seek to take down or interrupt critical systems or
networks, such as banking systems or health-care networks.
Blackmail attacks seek to extort money or other concessions from victims by
threatening to release sensitive information or launch further attacks.
Financial gain attacks are motivated by the desire to make money through theft or
fraud. Organized crime is generally motivated by financial gain, as are other types of
attackers.
Philosophical/political belief attacks are motivated by ideological or political
reasons, such as promoting a particular cause or ideology. Hacktivists are generally
motivated by philosophical or political beliefs.
Ethical attacks, or white-hat hacking, are motivated by a desire to expose
vulnerabilities and improve security. These attacks are often carried out by security
researchers or ethical hackers with the permission of the organization being tested.
Revenge attacks are motivated by a desire to get even with an individual or
organization by embarrassing them or exacting some other form of retribution
against them.
Disruption/chaos attacks are motivated by a desire to cause chaos and disrupt
normal operations.
War may also be a motivation for cyberattacks. Military units and civilian groups
may use hacking in an attempt to disrupt military operations and change the
 outcome of an armed conflict.

Understanding the motivations of attackers can help you understand what they might
target and how to defend your organization against them.

Exam Note

It is very likely you will be asked to compare and contrast the various threat actors
on the exam. You should know the attributes and motivations behind each.

Threat Vectors and Attack Surfaces
Threat actors targeting an organization need some means to gain access to that
organization's information or systems. First, they must discover an attack surface. This
is a system, application, or service that contains a vulnerability that they might exploit.
Then, they must obtain access by exploiting one of those vulnerabilities using a threat
vector. Threat vectors are the means that threat actors use to obtain access. One of the
goals of security professionals is to reduce the size and complexity of the attack surface
through effective security measures and risk mitigation strategies.

Message-Based Threat Vectors
Email is one of the most commonly exploited threat vectors. Phishing messages, spam
messages, and other email-borne attacks are simple ways to gain access to an
organization's network. These attacks are easy to execute and can be launched against
many users simultaneously. The benefit for the attacker is that they generally need to
succeed only one time to launch a broader attack. Even if 99.9 percent of users ignore a
phishing message, the attacker needs the login credentials of only a single user to begin
their attack.
Message-based attacks may also be carried out through other communications
mechanisms, such as by sending text messages through Short Message Service (SMS) or
instant messaging (IM) applications. Voice calls may also be used to conduct vishing
(voice phishing) attacks.
Social media may be used as a threat vector in similar ways. Attackers might directly
target users on social media, or they might use social media in an effort to harvest
information about users that may be used in another type of attack. We will discuss
these attacks in Chapter 4, “Social Engineering and Password Attacks.”

Wired Networks
Bold attackers may seek to gain direct access to an organization's wired network by
physically entering the organization's facilities. One of the most common ways they do
this is by entering public areas of a facility, such as a lobby, customer store, or other
easily accessible location and sitting and working on their laptops, which are
surreptitiously connected to unsecured network jacks on the wall.
Alternatively, attackers who gain physical access to a facility may be able to find an
unsecured computer terminal, network device, or other system. Security professionals
must assume that an attacker who is able to physically touch a component will be able to
compromise that device and use it for malicious purposes.
This highlights the importance of physical security, which we will discuss in detail in
Chapter 9, “Resilience and Physical Security.”

Wireless Networks
Wireless networks offer an even easier path onto an organization's network. Attackers
don't need to gain physical access to the network or your facilities if they are able to sit
in the parking lot and access your organization's wireless network. Bluetooth-enabled
devices may be configured without security settings that prevent unauthorized
connections. Unsecured or poorly secured wireless networks pose a significant security
risk.
We'll discuss the security of wireless networks in Chapter 13, “Wireless and Mobile
Security.”

Systems
Individual systems may also serve as threat vectors depending on how they are
configured and the software installed on them. The operating system configuration may
expose open service ports that are not necessary to meet business needs or that allow the
use of well-known default credentials that were never changed. Software installed on a
system may contain known or undetected vulnerabilities. Organizations may be using
legacy applications or systems that are no longer supported by their vendor. Any of
these vulnerabilities could be used as a threat vector by an attacker seeking to gain a
foothold on a system.
We'll discuss securing endpoint systems in Chapter 11, “Endpoint Security.”

Files and Images
Individual files, including images, may also be threat vectors. An attacker may create a
file that contains embedded malicious code and then trick a user into opening that file,
activating the malware infection. These malicious files may be sent by email, stored on a
file server, or placed in any other location where an unsuspecting user might be tempted
to open it.

Removable Devices
Attackers also commonly use removable media, such as USB drives, to spread malware
and launch their attacks. An attacker might distribute inexpensive USB sticks in parking
lots, airports, or other public areas, hoping that someone will find the device and plug it
into their computer, curious to see what it contains. As soon as that happens, the device
triggers a malware infection that silently compromises the finder's computer and places
it under the control of the attacker.
We discuss the security of endpoint devices, including control over the use of removable
media, in Chapter 11.
Cloud
Cloud services can also be used as an attack vector. Attackers routinely scan popular
cloud services for files with improper access controls, systems that have security flaws,
or accidentally published API keys and passwords. Organizations must include the cloud
services that they use as an important component of their security program.
The vulnerabilities facing organizations operating in cloud environments bear
similarities to those found in on-premises environments, but the controls often differ.
We discuss secure cloud operations in Chapter 10, “Cloud and Virtualization Security.”

Supply Chain
Sophisticated attackers may attempt to interfere with an organization's IT supply chain,
including hardware providers, software providers, and service providers. Attacking an
organization's vendors and suppliers provides an indirect mechanism to attack the
organization itself.
Attackers may gain access to hardware devices at the manufacturer or while the devices
are in transit from the manufacturer to the end user. Tampering with a device before the
end user receives it allows attackers to insert backdoors that grant them control of the
device once the customer installs it on their network. This type of third-party risk is
difficult to anticipate and address.
Supply chain attackers may also target software providers, inserting vulnerabilities into
software before it is released or deploying backdoors in software through official update
and patching mechanisms.
Attackers who infiltrate managed service providers (MSPs) may be able to use their
access to the MSP network to leverage access that the MSP has to its customer's systems
and networks.
Other issues may also arise in the supply chain, particularly if a vendor fails to continue
to support a system that the organization depends on, fails to provide required system
integrations, or fails to provide adequate security for outsourced code development or
data storage. Strong vendor management practices can identify these issues quickly as
they arise and allow the organization to address the risks appropriately.

Exam Note

Be ready to identify and explain the common threat vectors and attack surfaces.

Threat Data and Intelligence
Threat intelligence is the set of activities and resources available to cybersecurity
professionals seeking to learn about changes in the threat environment. Building a
threat intelligence program is a crucial part of any organization's approach to
cybersecurity. If you're not familiar with current threats, you won't be able to build
appropriate defenses to protect your organization against those threats. Threat
intelligence information can also be used for predictive analysis to identify likely risks
to the organization.
There are many sources of threat intelligence, ranging from open source intelligence
(OSINT) that you can gather from publicly available sources, to commercial services that
provide proprietary or closed-source intelligence information. An increasing number of
products and services have the ability to consume threat feed data, allowing you to
leverage it throughout your infrastructure and systems.
Regardless of their source, threat feeds are intended to provide up-to-date detail about
threats in a way that your organization can leverage. Threat feeds often include technical
details about threats, such as IP addresses, hostnames and domains, email addresses,
URLs, file hashes, file paths, Common Vulnerabilities and Exposures (CVE) record
numbers, and other details about a threat. Additional information is often included to
help make the information relevant and understandable, including details of what may
make your organization a target or vulnerable to the threat, descriptions of threat actors,
and even details of their motivations and methodologies.
Vulnerability databases are also an essential part of an organization's threat intelligence
program. Reports of vulnerabilities certainly help direct an organization's defensive
efforts, but they also provide valuable insight into the types of exploits being discovered
by researchers.
Threat intelligence sources may also provide indicators of compromise (IoCs). These are
the telltale signs that an attack has taken place and may include file signatures, log
patterns, and other evidence left behind by attackers. IoCs may also be found in file and
code repositories that offer threat intelligence information.

Open Source Intelligence
Open source threat intelligence is threat intelligence that is acquired from publicly
available sources. Many organizations have recognized how useful open sharing of
threat information can be, and open source threat intelligence has become broadly
available. In fact, now the challenge is often around deciding what threat intelligence
sources to use, ensuring that they are reliable and up-to-date, and leveraging them well.
A number of sites maintain extensive lists of open source threat information sources:
Senki.org provides a list: www.senki.org/operators-security-toolkit/open-source-
threat-intelligence-feeds

The Open Threat Exchange operated by AT&T is part of a global community of
security professionals and threat researchers: https://cybersecurity.att.com/open-
threat-exchange

The MISP Threat Sharing project, www.misp-project.org/feeds, provides
standardized threat feeds from many sources, with community-driven collections.
Threatfeeds.io hosts a list of open source threat intelligence feeds, with details of
when they were added and modified, who maintains them, and other useful
 information: https://threatfeeds.io

In addition to open source and community threat data sources, there are many
government and public sources of threat intelligence data. For example, Figure 2.3
shows an alert listing from the Cybersecurity & Infrastructure Security Agency (CISA)
website.

FIGURE 2.3 Alert listing from the CISA website
Government sites:
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) site: www.cisa.gov
The U.S. Department of Defense Cyber Crime Center site: www.dc3.mil
The CISA's Automated Indicator Sharing (AIS) program,
www.cisa.gov/topics/cyber-threats-and-advisories/information-
sharing/automated-indicator-sharing-ais, and their Information Sharing and
Analysis Organizations program, www.cisa.gov/information-sharing-and-analysis-
organizations-isaos

Many countries provide their own cybersecurity sites, like the Australian
Signals Directorate's Cyber Security Centre: www.cyber.gov.au. You should become
familiar with major intelligence providers, worldwide and for each country you
 operate in or work with.

Vendor websites:
Microsoft's threat intelligence blog: www.microsoft.com/en-
us/security/blog/topic/threat-intelligence

Cisco Security Advisories site
(https://sec.cloudapps.cisco.com/security/center/publicationListing.x
https://sec.cloudapps.cisco.com/security/center/publicationListing.x) includes
an experts' blog with threat research information, as well as the Cisco Talos
reputation lookup tool, https://talosintelligence.com

Public sources:
The SANS Internet Storm Center: https://isc.sans.org
VirusShare contains details about malware uploaded to VirusTotal:
https://virusshare.com

The Spamhaus Project focuses on blocklists, including spam via the Spamhaus Block
List (SBL), hijacked and compromised computers on the Exploits Block List (XBL),
the Policy Block List (PBL), the Domain Block List (DBL), the Don't Route or Peer
lists (DROP) listing netblocks that you may not want to allow traffic from, and a
variety of other information: www.spamhaus.org

These are just a small portion of the open source intelligence resources available to
security practitioners, but they give you a good idea of what is available.

Exploring the Dark Web

The dark web is a network run over standard Internet connections but using
multiple layers of encryption to provide anonymous communication. Hackers often
use sites on the dark web to share information and sell credentials and other data
stolen during their attacks.
Threat intelligence teams should familiarize themselves with the dark web and
include searches of dark web marketplaces for credentials belonging to their
organizations or its clients. The sudden appearance of credentials on dark web
marketplaces likely indicates that a successful attack took place and requires further
investigation.
You can access the dark web using the Tor browser. You'll find more information on
the Tor browser at the Tor Project website: www.torproject.org.

Proprietary and Closed-Source Intelligence
Commercial security vendors, government organizations, and other security-centric
organizations also create and make use of proprietary, or closed-source intelligence.
They do their own information gathering and research, and they may use custom tools,
analysis models, or other proprietary methods to gather, curate, and maintain their
threat feeds.
There are a number of reasons that proprietary threat intelligence may be used. The
organization may want to keep their threat data secret, they may want to sell or license it
and their methods and sources are their trade secrets, or they may not want to take the
chance of the threat actors knowing about the data they are gathering.
Commercial closed-source intelligence is often part of a service offering, which can be a
compelling resource for security professionals. The sheer amount of data available via
open source threat intelligence feeds can be overwhelming for many organizations.
Combing through threat feeds to identify relevant threats, and then ensuring that they
are both well defined and applied appropriately for your organization, can require
massive amounts of effort. Validating threat data can be difficult in many cases, and
once you are done making sure you have quality threat data, you still have to do
something with it!

When a Threat Feed Fails

The authors of this book learned a lesson about up-to-date threat feeds a number of
years ago after working with an IDS and IPS vendor. The vendor promised up-to-
date feeds and signatures for current issues, but they tended to run behind other
vendors in the marketplace. In one case, a critical Microsoft vulnerability was
announced, and exploit code was available and in active use within less than 48
hours. Despite repeated queries, the vendor did not provide detection rules for over
two weeks. Unfortunately, manual creation of rules on this vendor's platform did
not work well, resulting in exposure of systems that should have been protected.
It is critical that you have reliable, up-to-date feeds to avoid situations like this. You
may want to have multiple feeds that you can check against each other—often one
feed may be faster or release information sooner, so multiple good-quality, reliable
feeds can be a big help!

Threat maps provide a geographic view of threat intelligence. Many security vendors
offer high-level maps that provide real-time insight into the cybersecurity threat
landscape. For example, Check Point offers the public the threat map shown in Figure
2.4 at https://threatmap.checkpoint.com.
Organizations may also use threat mapping information to gain insight into the sources
of attacks aimed directly at their networks. However, threat map information viewed
skeptically because geographic attribution is notoriously unreliable. Attackers often
relay their attacks through cloud services and other compromised networks, hiding their
true geographic location from threat analysis tools.
 FIGURE 2.4 Check Point Cyber Threat Map

Assessing Threat Intelligence
Regardless of the source of your threat intelligence information, you need to assess it. A
number of common factors come into play when you assess a threat intelligence source
or a specific threat intelligence notification.
1. Is it timely? A feed that is operating on delay can cause you to miss a threat, or to
react after the threat is no longer relevant.
2. Is the information accurate? Can you rely on what it says, and how likely is it that the
assessment is valid? Does it rely on a single source or multiple sources? How often
are those sources correct?
3. Is the information relevant? If it describes the wrong platform, software, or reason
for the organization to be targeted, the data may be very timely, very accurate, and
completely irrelevant to your organization.

One way to summarize the threat intelligence assessment data is via a confidence score.
Confidence scores allow organizations to filter and use threat intelligence based on how
much trust they can give it. That doesn't mean that lower confidence information isn't
useful; in fact, a lot of threat intelligence starts with a lower confidence score, and that
score increases as the information solidifies and as additional sources of information
confirm it or are able to do a full analysis. Low confidence threat information shouldn't
be completely ignored, but it also shouldn't be relied on to make important decisions
without taking the low confidence score into account.

Assessing the Confidence Level of Your Intelligence

Many threat feeds will include a confidence rating, along with a descriptive scale.
For example, one approach uses six levels of confidence:
Confirmed (90–100) uses independent sources or direct analysis to prove that
the threat is real.
Probable (70–89) relies on logical inference but does not directly confirm the
threat.
Possible (50–69) is used when some information agrees with the analysis, but
the assessment is not confirmed.
Doubtful (30–49) is assigned when the assessment is possible but not the most
likely option, or the assessment cannot be proven or disproven by the
information that is available.
Improbable (2–29) means that the assessment is possible but is not the most
logical option, or it is refuted by other information that is available.
Discredited (1) is used when the assessment has been confirmed to be
inaccurate or incorrect.

Your organization may use a different scale: 1–5, 1–10, and High/Medium/Low
scales are all commonly used to allow threat intelligence users to quickly assess the
quality of the assessment and its underlying data.

Threat Indicator Management and Exchange
Managing threat information at any scale requires standardization and tooling to allow
the threat information to be processed and used in automated ways. Indicator
management can be much easier with a defined set of terms. That's where structured
markup languages like STIX and OpenIOC come in.
Structured Threat Information eXpression (STIX) is an XML language originally
sponsored by the U.S. Department of Homeland Security. In its current version, STIX
2.1 defines 18 STIX Domain Objects, including things like attack patterns, identities,
malware, threat actors, and tools. These objects are then related to each other by one of
two STIX Relationship Objects: either as a relationship or as a sighting. A STIX JSON
description of a threat actor might read as follows:
{
"type": "threat-actor",
"created": "2019-10-20T19:17:05.000Z",
"modified": "2019-10-21T12:22:20.000Z",
"labels": [ "crime-syndicate"],
"name": "Evil Maid, Inc",
 "description": "Threat actors with access to hotel rooms",
"aliases": ["Local USB threats"],
"goals": ["Gain physical access to devices", "Acquire data"],
"sophistication": "intermediate",
"resource:level": "government",
"primary_motivation": "organizational-gain"
}

Fields like sophistication and resource level use defined vocabulary options to allow
STIX users to consistently use the data as part of automated and manual systems.

Using a single threat feed can leave you in the dark! Many organizations
leverage multiple threat feeds to get the most up-to-date information. Thread feed
combinations can also be challenging since the feeds may not use the same format,
classification model, or other elements. You can work around this by finding
sources that already combine multiple feeds or by finding feeds that use the same
description frameworks, like STIX.

Since its creation, STIX has been handed off to the Organization for the Advancement of
Structured Information Standards (OASIS), an international nonprofit consortium that
maintains many other projects related to information formatting, including XML and
HTML.
A companion to STIX is the Trusted Automated eXchange of Intelligence Information
(TAXII) protocol. TAXII is intended to allow cyber-threat information to be
communicated at the application layer via HTTPS. TAXII is specifically designed to
support STIX data exchange. You can read more about both STIX and TAXII in detail at
the OASIS GitHub documentation site: https://oasis-open.github.io/cti-
documentation.

Information Sharing Organizations
In addition to threat intelligence vendors and resources, threat intelligence communities
have been created to share threat information. In the United States, organizations
known as Information Sharing and Analysis Centers (ISACs) help infrastructure owners
and operators share threat information and provide tools and assistance to their
members. The National Council of ISACs lists the sector-based ISACs at
www.nationalisacs.org/member-isacs-3.

The ISAC concept was introduced in 1998, as part of Presidential Decision Directive-63
(PDD-63), which asked critical infrastructure sectors to establish organizations to share
information about threats and vulnerabilities. ISACs operate on a trust model, allowing
in-depth sharing of threat information for both physical and cyber threats. Most ISACs
operate 24/7, providing ISAC members in their sector with incident response and threat
analysis.
In addition to ISACs, there are specific U.S. agencies or department partners for each
critical infrastructure area. A list breaking them down by sector can be found at
www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-
infrastructure-sectors.

Outside the United States, government bodies and agencies with similar responsibilities
exist in many countries. The UK National Protective Security Authority
(www.npsa.gov.uk) is tasked with providing threat information, resources, and guidance
to industry and academia, as well as to other parts of the UK government and law
enforcement.

Conducting Your Own Research
As a security professional, you should continue to conduct your own research into
emerging cybersecurity threats. Here are sources you might consult as you build your
threat research toolkit:
Vendor security information websites.
Vulnerability and threat feeds from vendors, government agencies, and private
organizations.
Academic journals and technical publications, such as Internet Request for
Comments (RFC) documents. RFC documents are particularly informative because
they contain the detailed technical specifications for Internet protocols.
Professional conferences and local industry group meetings.
Social media accounts of prominent security professionals.

As you reference these sources, keep a particular eye out for information on adversary
tactics, techniques, and procedures (TTPs). Learning more about the ways that
attackers function allows you to improve your own threat intelligence program.

Summary
Cybersecurity professionals must have a strong working understanding of the threat
landscape in order to assess the risks facing their organizations and the controls
required to mitigate those risks. Cybersecurity threats may be classified based on their
internal or external status, their level of sophistication and capability, their resources
and funding, and their intent and motivation.
Threat actors take many forms, ranging from relatively unsophisticated/unskilled
attackers who are simply seeking the thrill of a successful hack to advanced nation-state
actors who use cyberattacks as a military weapon to achieve political advantage.
Hacktivists, organized crime, competitors, and other threat actors may all target the
same organizations for different reasons.
Cyberattacks come through a variety of threat vectors. The most common vectors
include email and social media; other attacks may come through direct physical access,
supply chain exploits, network-based attacks, and other vectors. Organizations should
build robust threat intelligence programs to help them stay abreast of emerging threats
and adapt their controls to function in a changing environment.