Summary

This document discusses various threat intelligence sources and feeds, including commercial, government, and open-source sources, in the context of cybersecurity. It covers OSINT (open-source intelligence) involving publicly available information, and HUMINT (human intelligence), incorporating interactions with people. It's intended for a professional audience.

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools Threat Intelligence Sources (Cont’d)...

[Slide: Commercial Sources and Government and Law Enforcement Sources. Commercial sources: information is collected from commercial entities and security vendors that provide threat information to various organizations (Kaspersky Threat Intelligence, McAfee, Avast, FortiGuard, SecureWorks, Cisco). Government sources: information is collected from government and law enforcement sources (US-CERT, ENISA, FBI Cyber Crime, StopThinkConnect, CERIAS Blog). Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.]

Threat Intelligence Sources

Intelligence sources are the important resources in designing an efficient intelligence system. Threat intelligence sources provide a large amount of information to intelligence analysts, who use it to identify potential and evolving threats and allow an organization to make strategic decisions in time. Some of the sources of intelligence collection are described below.

Open-Source Intelligence (OSINT)

OSINT is information gathered from publicly available sources and analyzed to obtain a rich, useful form of intelligence. In OSINT, data is collected from various kinds of sources according to the requirements of the subject. OSINT is primarily used for national security, law enforcement, and for collecting the intelligence required for business or strategic decision-making. The information is collected from non-sensitive sources and analyzed to create an actionable form of intelligence.
Various sources that can be used to obtain such intelligence include:
- Media: newspapers, magazines, brochures, television, and radio
- Internet: information publicly accessible through the World Wide Web, such as social media websites, blogs, groups, forums, or job sites
- Public Government Data: press conferences, speeches, government reports and releases, official declarations, and telephone directories
- Corporate/Academic Publications: handouts, conferences, seminars, white papers, journals, and academic papers
- Commercial Surveys: company-driven surveys for business-related tracking, market research, and database analysis
- Literature: books, research papers, business documents, newsletters, and preprints

Module 08 Page 1039 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Human Intelligence (HUMINT)

Human intelligence is information collected by means of interpersonal communication. It can provide different kinds of information, such as observations or findings during a site visit, or events involving travelers, prisoners of war, and refugees. It can provide the data required to form the necessary intelligence on a subject. The source of this form of intelligence can be another human subject who is interrogated or, in the case of friendly or cooperative spies, interviewed to collect sensitive information to which they had access. Human intelligence is also a source of strong counterintelligence value. Examples of human intelligence sources are as follows:
- Foreign defense personnel and advisors
- Accredited diplomats
- NGOs
- Prisoners of war (POWs)
- Refugees
- Traveler interviews or debriefings

Signals Intelligence (SIGINT)

Signals intelligence involves gathering information by intercepting signals.
These communication intercepts can be direct between two people or transmitted indirectly using electronic media. Signals intelligence requires various analytical methods, which may include cryptanalysis, translation, authentication, etc. This intelligence provides useful information about the adversary and helps in creating countermeasures against the adversary's advances. Signals intelligence comprises:
- Communication Intelligence (COMINT): the gathering of information about messages or voice extracted from the interception of foreign communications. It reveals information about the sender, the receiver, their locations, the time and duration of the transmission, the frequencies of communication, and so forth.
- Electronic Intelligence (ELINT): information extracted using electronic sensors, mainly focused on non-communication signals intelligence. The purpose is to obtain the location of the target, which could be a radar or lidar.
- Foreign Instrumentation Signals Intelligence (FISINT): intelligence gathered from the interception of non-human communication systems emitting some sort of signals or radiation. These systems may be in their testing phase or under operational deployment in aerospace, on the surface, or under the surface. These signals may include telemetry data of weapons, data from reconnaissance devices, remotely controlled equipment, and control signals for remote devices.

Technical Intelligence (TECHINT)

Technical intelligence is information collected from an adversary's equipment or captured enemy material (CEM). This form of information is gathered to achieve a technological advantage over the adversary.
This helps prevent technological surprise by the adversary and lets the analyst assess the adversary's scientific and technical capabilities. It also provides a quick assessment of the performance and vulnerability of the enemy's equipment, giving analysts a critical advantage. TECHINT enables the analyst to design countermeasures that neutralize the adversary's attacks. Some examples of technical intelligence sources are given below:
- Foreign equipment
- Foreign weapon systems
- Satellites
- Technical research papers
- Foreign media
- Human contacts

Social Media Intelligence (SOCMINT)

Social media intelligence is information collected from social networking sites and other types of social media sources. The analyst can collect SOCMINT from both open and closed social networks. SOCMINT is also a part of OSINT. Social networks provide detailed knowledge about an organization: employee profiles, contacts, activity threads, potential partners, websites, and upcoming news about the adversary. Some of the social media intelligence sources are as follows:
- Facebook
- LinkedIn
- Twitter
- WhatsApp
- Instagram
- Telegram

Cyber Counterintelligence (CCI)

Cyber counterintelligence (CCI) is used as a security mechanism to protect the organization against the adversary's intelligence operations. CCI can also sometimes be effective in providing crucial information about the adversary. Cyber counterintelligence is information collected from proactively established security infrastructure or by employing various threat manipulation techniques to lure and trap threats.
CCI is broadly classified into two types:
- Defensive CCI: used to identify and counter threats or intrusions before they take place.
- Offensive CCI: deals with interactions with adversaries for direct collection of threat information.

Some of the CCI sources are as follows:
- Honeypots
- Passive DNS monitors
- Online web trackers
- Sock puppets (fake profiles) on online forums
- Publishing false reports

Indicators of Compromise (IoCs)

Indicators of compromise (IoCs) are the artifacts of network security incidents. IoC information is collected from network security threats and breaches and from the alerts generated on the security infrastructure, which likely indicate an intrusion. IoCs represent security threats and breaches such as malware MD5 hashes, DNS attacks, virus signatures, botnet URLs or domains, and malicious IP addresses, which may indicate intrusion activity in the organization's network. IoCs are often considered technical or tactical intelligence data and usually represent known threats. Some of the IoC sources are listed below:
- Commercial sources
- Industrial sources
- Free IoC-specific sources
- Online security-related sources
- Social media
- News feeds
- IoC buckets

Industry Associations and Vertical Communities

Vertical communities are hierarchical chains of organizations that share resources and data within their business sector. Vertical communities are considered one of the threat intelligence sources, where information is collected from various threat intelligence sharing communities. It is a many-to-many interaction between organizations to share data, and the data shared is highly valuable and specific.
Some attack groups target specific industries working in a similar field of interest. Such industries often become potential targets if any one of the industries with a similar field of work suffers an attack. To overcome this vulnerability, industries with a similar field of work build an association to coordinate and carry out resource and information exchange among themselves. Such industry associations generate information of higher accuracy than regular commercial feeds. Some of the vertical community sources are as follows:
- Financial Services Information Sharing and Analysis Center (FS-ISAC)
- MISP (Malware Information Sharing Platform)
- Information Technology Information Sharing and Analysis Center (IT-ISAC)
- MineMeld
- DarkReading.com
- Krebsonsecurity.com
- spamhaus.org
- virustotal.com
- AT&T Alien Labs

Commercial Sources

Commercial sources are considered one of the threat intelligence sources, where information is collected from commercial entities and security vendors that provide threat information to various organizations. Commercial sources of intelligence are providers who make feeds and other forms of intelligence data commercially available to organizations. These feeds may include white papers, threat databases, legally available industry data, use cases, or reports. These providers offer deep insight into areas of intelligence with fewer false positives. The information they provide may not be completely relevant to the organization, and it is somewhat expensive. Some of the commercial sources are as follows:
- Kaspersky Threat Intelligence
- McAfee
- Avast
- FortiGuard
- SecureWorks
- Cisco

Government and Law Enforcement Sources

Government and law enforcement departments perform functions that may require data sharing with organizations. Threat intelligence is one type of information that is promptly shared with these agencies, so they are considered one of the sources for threat intelligence gathering. The information collected from government and law enforcement sources may be limited due to confidentiality and ongoing inquiries. Some of the government and law enforcement sources include the following:
- US Computer Emergency Response Team (US-CERT)
- European Union Agency for Network and Information Security (ENISA)
- FBI Cyber Crime
- StopThinkConnect
- CERIAS Blog
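The Indicators of Compromise passage above describes IoCs as malware hashes, domains, URLs and IP addresses drawn from feeds and matched against alerts on the security infrastructure. The following Python is an added illustration, not part of the EC-Council text: it classifies a constructed bare IoC list by indicator type and checks constructed log lines for whole-token matches. The feed values, log lines and tokenizing regex are all assumptions of the example.

```python
import re
from collections import defaultdict
# Constructed bare IoC list, as an "IoC bucket" might publish it; every value is made up.
IOC_FEED = """
0123456789abcdef0123456789abcdef
update-check.example.net
203.0.113.45
http://cdn.example.org/payload.bin
"""
# Constructed proxy/DNS/AV log lines; also made up.
LOG_LINES = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.8 dst=203.0.113.45 host=update-check.example.net",
    "2024-05-01T10:00:05Z dns src=10.0.0.9 query=www.example.com",
    "2024-05-01T10:01:10Z av file=c:\\temp\\x.exe md5=0123456789ABCDEF0123456789ABCDEF",
    "2024-05-01T10:02:30Z proxy src=10.0.0.8 url=http://cdn.example.org/payload.bin",
]
# Checked in order: an IPv4 address would otherwise also satisfy the domain pattern.
IOC_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "url": re.compile(r"^https?://\S+$"),
    "domain": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$"),
}

def classify(value):
    """Normalize an indicator (case, whitespace) and label it by syntactic type."""
    v = value.strip().lower()
    for kind, pat in IOC_PATTERNS.items():
        if pat.match(v):
            return kind, v
    return "unknown", v

def load_feed(text):
    """Group feed values by type, skipping blank lines and '#' comments."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kind, v = classify(line)
            iocs[kind].add(v)
    return iocs

def match_logs(iocs, lines):
    """Return (line_no, kind, value) for each feed value that appears as a whole token."""
    hits = []
    for n, line in enumerate(lines, 1):
        # Whole-token comparison avoids substring false positives such as 'notexample.com'.
        tokens = set(re.findall(r"[a-z0-9][a-z0-9.:/_\-]*", line.lower()))
        for kind, values in iocs.items():
            hits.extend((n, kind, v) for v in values if v in tokens)
    return hits
```

Hash matching is only as good as the case normalization, and exact-token matching will miss indicators that a feed expresses as ranges or wildcards; those need a dedicated matcher.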
