Chapter 8 - 02 - Discuss Various Threat Intelligence Feeds and Sources - 01_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Module Flow Discuss Threat Hunting Discuss Various Threat Intelligence Feeds and Sources Discuss Vulnerability Assessment Discuss Ethical Hacking Concepts Understand Fundamentals of Penetration Testing and its Benefits Understand the Fundamentals of Configuration Management and Asset Management Discuss Various Threat Intelligence Feeds and Sources Building a strong defense system for an organization requires strong and reliable threat intelligence. However, what’s more important is that the intelligence acquired provides information about the latest and the trending threats that are active in the cyberspace. To obtain such a reliable intelligence, organizations use different intelligence sources and feeds that provide the essential information about the threats. These threat intelligence feeds are the building element of a strong and powerful defense system. This section discusses about the various feeds and sources of threat intelligence. Module 08 Page 1025 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Cyber Threat Intelligence (CTI) Q Cyber Threat Intelligence (CTI) is defined as the collection and analysis of information about threats and adversaries and drawing patterns that provide an ability to make Q knowledgeable decisions Cyber threat intelligence helps the organization to identify and mitigate various business risks by converting unknown threats into known threats, and helps in implementing various advanced and for the preparedness, prevention, and response proactive defense strategies actions against various cyber-attacks Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited Cyber Threat Intelligence (CTI) According to Oxford dictionary, a threat is defined as “[t]he possibility of a malicious attempt to damage or disrupt a computer network or system.” Threat is a potential occurrence of an undesired event that can eventually damage and interrupt the operational and functional activities of an organization. A threat can affect the integrity and availability factors of an organization. The impact of threats is very high, and it can affect the existence of the physical IT assets in an organization. The existence of threats may be accidental, intentional, or due to the impact of some other action. The threat intelligence, usually known as CTI, is defined as the collection and analysis of information about threats and adversaries and drawing patterns that provide an ability to make knowledgeable decisions for the preparedness, prevention, and response actions against various cyberattacks. It is the process of recognizing or discovering any “unknown threats” that an organization can face so that necessary defense mechanisms can be applied to avoid such occurrences. It involves collecting, researching, and analyzing trends and technical developments in the field of cyber threats (i.e., cybercrime, hacktivism, espionage, etc.). Any knowledge about threats that result in the planning and decision-making in an organization to handle it is a threat Intelligence. The main aim of the CTl is to make the organization aware of the existing or emerging threats and prepare them to develop a proactive cyber security posture in advance before these threats could exploit them. This process, where the unknown threats are converted into the possibly known ones, helps anticipating the attack before it could happen and ultimately results in better and secured system in the organization. Thus, threat Intelligence is useful in achieving secured data sharing and transactions among organizations globally. Module 08 Page 1026 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Threat intelligence process can be used to identify the risk factors that are responsible for malware attacks, SQL injections, web application attacks, data leaks, phishing, denial-of-service attack, etc. Such risks, after being filtered out, can be put on a checklist and handled appropriately. Threat intelligence is beneficial for an organization to handle cyber threats with effective planning and execution along with thorough analysis of the threat; it also strengthens the organization’s defense system, creates awareness about the impending risks, and aids in responding against such risks. Module 08 Page 1027 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Types of Threat Intelligence L3 /\ / g Strategic € E i @ § 3 High-level information on © @ € / K Consumed by IT Service and SOC Managers, Administrators N 4 Technical Information on specific |§ Consumed AN @ Information on specific € Consumed by SOC Staff, IR Teams J Defenders < N indicators of compromise by Security Managers, Network £] Information on attacker’s procedures (TTPs) @ incoming attack ? ) tactics, techniques, and Operational E Tactical Consumed by High-Level 4 ] 2 / changing risks Executives and Management \ (2] ) High-Level | l Y, Low-Level > Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited Types of Threat Intelligence Threat intelligence is contextual information that describes threats and guides organizations in taking various business decisions. It is extracted from a huge collection of sources and information. It provides operational insight by looking outside the organization and issuing alerts on evolving threats to the organization. For the better management of information that is collected from different sources, it is important to subdivide threat intelligence into different types. This subdivision is performed based on the consumers and goals of the intelligence. Based on the consumption of threat intelligence, it is divided into four different types. They are namely strategic, tactical, operational, and technical threat intelligence. These four types differ in terms of data collection, data analysis, and intelligence consumption. = Strategic Threat Intelligence Strategic threat intelligence provides high-level information regarding cyber security posture, threats, details about the financial impact of various cyber activities, attack trends, and the impact of high-level business decisions. This information is consumed by high-level executives and management of the organization such as IT management and CISO. It helps the management in identifying current cyber risks, unknown future risks, threat groups, and attribution of breaches. The intelligence obtained provides a risk- based view that mainly focuses on high-level concepts of risks and their probability. It mainly focuses on long-term issues and provides real-time alerts of threats on organization’s critical assets such as IT infrastructure, employees, customers, and applications. This intelligence is used by the management to take strategic business decisions and to analyze the effect of such decisions. Based on the analysis, the management can allocate sufficient budget and staff to protect critical IT assets and business processes. This intelligence is collected from sources such as OSINT, CTI vendors, and ISAO/ISACs. Module 08 Page 1028 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools = Exam 212-82 Tactical Threat Intelligence Tactical threat intelligence plays a major role in protecting the resources of the organization. It provides information related to TTPs used by threat actors (attackers) to perform attacks. Tactical threat intelligence is consumed by cyber security professionals such as IT service managers, security operations managers, network operations center (NOC) staff, administrators, and architects. It helps the cyber security professionals understand how the adversaries are expected to perform the attack on the organization, identify the information leakage from the organization, and the technical capabilities and goals of the attackers along with the attack vectors. Using tactical threat intelligence security personnel develop detection and mitigation strategies beforehand by updating security products with identified indicators, patching vulnerable systems, etc. The collection sources for tactical threat intelligence include campaign reports, malware, incident reports, attack group reports, human intelligence, etc. = QOperational Threat Intelligence Operational threat intelligence provides information about specific threats against the organization. It provides contextual information about security events and incidents that help defenders disclose potential risks, provide greater insight into attacker methodologies, identify past malicious activities, and perform investigations on malicious activity in a more efficient way. It is consumed by security managers or heads of incident response, network defenders, security forensics, and fraud detection teams. It helps organizations understand the possible threat actors and their intention, capability, and opportunity to attack, vulnerable IT assets, and the impact of the attack if it is successful. In many cases, only government organizations can collect this type of intelligence, which also helps IR and forensic teams in deploying security assets with the aim of identifying and stopping upcoming attacks, improving the capability of detecting attacks at an early stage, and reducing its damage on IT assets. Operational threat intelligence is generally collected from sources such as humans, social media and chat rooms, and also from real-world activities and events that result in cyberattacks. * Technical Threat Intelligence Technical threat intelligence provides information about an attacker’s resources that are used to perform the attack; this includes command and control channels, tools, etc. It has a shorter lifespan compared to tactical threat intelligence and mainly focuses on a specific 1oC. It provides rapid distribution and response to threats. For example, a malware used to perform an attack is tactical threat intelligence, whereas the details related to the specific implementation of the malware come under technical threat intelligence. Other examples of technical threat intelligence include specific IP addresses and domains used by malicious endpoints, phishing email headers, hash checksums of malware, etc. Technical threat intelligence is consumed by SOC staff and IR teams. The indicators of technical threat intelligence are collected from active campaigns, attacks that are performed on other organizations, or data feeds provided by external third parties. Module 08 Page 1029 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited.