Chapter 8 - 02 - Discuss Various Threat Intelligence Feeds and Sources - 03_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Example: Government TI Feed Providers The Department of Defense The free Automated Indicator Sharing (AIS), provided by e the US Department of Homeland Security (DHS), allows the Indicator Sharin haring (AIS) Cyber Crime Center (DC3) https://www.dc3.mil 0O 606 exchange of cyber threat indicators between the federal government and the private sector at machine speed US Computer Emergency Response Team (US-CERT) 3 Homeland https://us-cert.cisa.gov nogm-Q~ Secun(y European Union Agency for Network and Information Security (ENISA) CI"A https://www.enisa.europa.eu CYBER « INFRASTRUCTURE R Federal Bureau of Investigation (FBI) Cyber Crime R a—— https://www.fbi.gov Automated ]ndlcator Sharing (AIS) itermation shaing Atomated indicator Sharing51 The Depastment of Homeland Security's (DHS) tiee Automated Indicatos Shazing (AIS) capability enables the exchange of cybet threat indicators between the Federal Government STOP. ate pieces of information like Thieat indicators TH'NK. CONNECT. © and the private sector at machine speed. malicious P addiesses o1 the sender addiess of a phishing email (although they can also be much mote complicated) https://www.stopthinkconnect.org https://www.dhs.gov Copyright © by All Rights Reserved. Reproduction is Strictly Prohibited. Example: Government TI Feed Providers = Automated Indicator Sharing (AlS) Source: https.//www.dhs.gov The free Automated Indicator Sharing (AlIS), provided by the US Department of Homeland Security (DHS), allows the exchange of cyber threat indicators between the federal government and the private sector at machine speed. Here, threat indicators are malicious IP addresses, sender addresses of phishing emails, etc. noEm--Q= g Homeland Securlty Topics News In Focus Mow Do 1? Get Involved AbOut DHS Enter Search Term On DHS gov v m CICA CYBER+INFRASTRUCTURE About CISA A > Q84 > Cyvbersecurty Cybersecurity > Information Shannp > Infrastructure Security Emergency Communications National Risk Management News & Media Automated Indicator Sharing (AIS) Information Sharing Automated Indicator Sharing (AIS) Automated Indicator Sharing (AIS) The Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS) Cyber Information Sharing and Collaboration Program (CISCP) capability enables the exchange of cyber threat indicators between the Federal Government Enhanced Cybersecurity Services malicious IP addresses or the sender address of a phishing email (although they can also be much more complicated). Information Sharing and Analysis and the private sector at machine speed. Threat indicators are pieces of information like Figure 8.6: Screenshot of Automated Indicator Sharing (AIS) Module 08 Page 1035 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Some additional government Tl feed providers are listed below: The Department of Defense Cyber Crime Center (DC3) (https.//www.dc3.mil) US Computer Emergency Response Team (US-CERT) (https.//us-cert.cisa.gov) European Union Agency for Network and Information Security (ENISA) (https://www.enisa.europa.eu) Federal Bureau of Investigation (FBI) Cyber Crime (https.://www.fbi.gov) STOP. THINK. CONNECT. (https.//www.stopthinkconnect.org) Module 08 Page 1036 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Threat Intelligence Sources Open-Source Intelligence Human Intelligence (OSINT) (HUMINT) QO Information is collected from the publicly available sources and analyzed to obtain a rich useful form of intelligence Q OSINT sources: o Media o Internet o Public government data o Corporate/academic o Literature publishing Q Information is collected from interpersonal contacts O HUMINT sources: o Foreign defense personnel and advisors o Accredited diplomats o NGOs o Prisoners of War (POWs) o Refugees o Traveler interview or debriefing il All Rights Reserved. Reproduction is Strictly Prohibited. Threat Intelligence Sources (Cont’d) Signals Intelligence (SIGINT) O Information is collected by intercepting the signals O The signals intelligence comprises of: * * Communication Intelligence (COMINT): Obtained from interception of communication signals Electronic Intelligence (ELINT): Obtained from electronic sensors like radars and lidar * Foreign Instrumentation Signals Intelligence (FISINT): Signals detected from non-human communication systems Technical Intelligence (TECHINT) Q Information is collected from an adversary’s equipment or captured enemy material (CEM) O TECHINT sources: = Foreign equipment = Foreign weapon systems = Satellites = Technical research papers * Foreign media * Human contacts L. All Rights Reserved. Reproduction is Strictly Prohibited Module 08 Page 1037 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Threat Intelligence Sources (Cont’d) Social Media Intelligence (SOCMINT) manipulation techniques to lure and trap threats CCl Sources: Facebook Linkedin o Honeypots Twitter o Passive DNS monitors WhatsApp o Online web trackers o Sock puppets (fake profiling) on online forums o Publishing false reports o o o SOCINT sources: Information is collected from proactively established security infrastructure or by employing various threat o O a o Information is collected from social networking sites and other types of social media sources (CCI) o Q Cyber Counterintelligence Instagram Telegram Threat Intelligence Sources (Cont’d) Industry Association and Vertical Communities Indicators of Compromise (IoCs) Q Information is collected from network security threats and breaches and also from the alerts generated on the security infrastructure, which will likely indicate an intrusion Q 1oCs Sources: o Commercial and industrial sources o Free loC specific sources o Online security-related sources o Social media and news feeds o loC buckets Module 08 Page 1038 Q Information is collected from various threat intelligence sharing communities where the organizations share intelligence information among each other Q Vertical community sources: o Financial Services Information Sharing and Analysis Center (FS-ISAC) o o MISP (Malware Information Sharing Platform) Information Technology—Information Sharing and Analysis Center (IT-ISAC) Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.