EC Council CCT Module 8-L PDF
Uploaded by SimplerAloe
Summary
This document provides an overview of threat hunting concepts, including steps, characteristics, and maturity model. It also covers various aspects of cyber threat intelligence, including types, sources, and frameworks.
# Module Objectives

1. Understanding Threat Hunting Concepts
2. Understanding Cyber Threat Intelligence and Various Feeds and Sources of Threat Intelligence
3. Understanding Vulnerability Assessment and Various Types of Vulnerability Assessment
4. Understanding Ethical Hacking Concepts
5. Understanding Penetration Testing and its Benefits
6. Understanding the Importance of Asset Management and Configuration Management

# **Module Flow**

1. Discuss Threat Hunting
2. Discuss Various Threat Intelligence Feeds and Sources
3. Discuss Vulnerability Assessment
4. Discuss Ethical Hacking Concepts
5. Understand Fundamentals of Penetration Testing and its Benefits
6. Understand the Fundamentals of Configuration Management and Asset Management

# Threat Hunting

- Threat hunting is a proactive and iterative approach of searching networks, devices, endpoints, and datasets to identify and isolate the cyber threats that have entered a network by evading the current security systems.

## Threat Hunting Steps

1. **Collect and process**: Collect and analyze data using threat intelligence
2. **Hypothesis**: Make assumptions using TTPs
3. **Trigger**: Based on the hypothesis, threat-detection tools trigger an anomaly.
4. **Investigation**: Investigate malicious files/activities to eliminate the identified threats
5. **Response**: Generate a report for future detection

# Characteristics of Threat Hunting

- Threat hunting is not confined to large enterprise networks. Even small and medium organizations implement it by applying the following characteristics:
- **Prescient hunting**: The prescient approach identifies all imminent threats, instead of simply relying on the alerts generated by security monitoring tools. Threat hunters presciently identify intruders before alerts are generated.
- **Trusting the hypothesis**: Rather than relying solely on the alerts generated by automated threat detectors, threat hunters analyze all the data, conduct an investigation based on the hypothesis, and create a new rule based on their findings.
- **Following traces**: It is a process of analyzing the compromised systems and traces left by attackers in a network. A threat hunter follows these traces and proceeds with their investigation, irrespective of its depth.
- **Creating new methods**: Threat hunters need not follow existing rules; they can stay ahead of attackers by creating new rules. Threat hunters can use their creativity and adopt relevant methods to attain their ultimate goal.

# Threat Hunting Maturity Model (HMM)

- The threat hunting maturity model (HMM) describes the quantity and quality of information collected from a network for investigation.

## Level 0: Initial

* Primarily depends on automated monitoring systems and alerts
* Low data collection

## Level 1: Minimal

* Follows the latest threat reports
* Moderate- to high-level routine data collection

## Level 2: Procedural

* Adopts data analysis procedures created by others.
* High- to very-high-level routine data collection

## Level 3: Innovative

* Creates custom data analysis procedures
* High- to very-high-level routine data collection

## Level 4: Leading

* Automates existing data analysis procedures
* High- to very-high-level routine data collection

# Threat Hunting Considerations

* **Intelligence fusion**: Intelligence fusion is an approach to integrate security with threat intelligence and other cyber intelligence sources.
* **Threat feeds**: Threat feeds are real-time feeds collected from real-time attacks. These feeds include IoCs, IoAs, potential threats, vulnerabilities, and existing risks.
* **Advisories and bulletins**: Security advisories and bulletins are informative blogs or websites that provide information about the latest security threats and attacks.
* **Maneuver**: Maneuver is a technique used in cyber warfare that is based on knowledge of some recent attacks and the nature of those attacks.

# **Cyber Threat Intelligence (CTI)**

- Cyber Threat Intelligence (CTI) is defined as the collection and analysis of information about threats and adversaries and drawing patterns that provide an ability to make knowledgeable decisions for the preparedness, prevention, and response actions against various cyber-attacks.
- Cyber threat intelligence helps the organization to identify and mitigate various business risks by converting unknown threats into known threats, and helps in implementing various advanced and proactive defense strategies.

# Types of Threat Intelligence

* **Strategic**: High-level information on changing risks. Consumed by High-Level Executives and Management.
* **Tactical**: Information on attacker’s tactics, techniques, and procedures (TTPs). Consumed by IT Service and SOC Managers, Administrators.
* **Operational**: Information on specific incoming attack. Consumed by Security Managers, Network Defenders.
* **Technical**: Information on specific indicators of compromise. Consumed by SOC Staff, IR Teams.

# Layers of Threat Intelligence

- An intelligence provider can be an open-source community or movement or a private or commercial body that provides threat intelligence as sources, threat intelligence feeds (TI feeds), platforms, and professional services.

* **Providers**
* **Sources**
* **TI Feeds**
* **Platforms**
* **Professional Services**

# Threat Intelligence Feeds

- Threat intelligence feeds (TI feeds) are continuous streams of packaged data related to potential or current threats to the organization.

## Different sources of TI feeds

* **Publicly available feeds**: These feeds are easily available on the Internet (open source, social listing, OSINT, etc.)
  - **Examples of websites providing freely available TI feeds**:
    * SHODAN
    * ThreatConnect
    * VirusTotal
    * AlienVault Open Threat Exchange (OTX)
    * Zeus Tracker
    * The dark web
* **Commercial feeds**: An organization must purchase these feeds (government, commercial vendors, etc.)
  - **Examples of commercial TI feed vendors**:
    * Microsoft Cyber Trust Blog
    * Kaspersky
    * IBM X-Force Exchange
    * FireEye
    * Recorded Future

# Example: Free and Open-source TI Feed Providers

- **threatfeeds.io**: threatfeeds.io is a free and open-source threat intelligence provider of popular free and open-source TI feeds and sources.
- **IPSpamList**: http://www.ipspamlist.com
- **Darklist**: http://darklist.de
- **SSL BL**: https://sslbl.abuse.ch
- **Botvrij.eu - ips**: https://www.botvrij.eu
- **Monitor Malicious Executable Urls**: https://www.urlvir.com

# Example: Government TI Feed Providers

- **Automated Indicator Sharing (AIS)**: The free Automated Indicator Sharing (AIS), provided by the US Department of Homeland Security (DHS), allows the exchange of cyber threat indicators between the federal government and the private sector at machine speed.
- **The Department of Defense Cyber Crime Center (DC3)**: https://www.dc3.mil
- **US Computer Emergency Response Team (US-CERT)**: https://us-cert.cisa.gov
- **European Union Agency for Network and Information Security (ENISA)**: https://www.enisa.europa.eu
- **Federal Bureau of Investigation (FBI) Cyber Crime**: https://www.fbi.gov
- **STOP. THINK. CONNECT.**: https://www.stopthinkconnect.org

# Threat Intelligence Sources

- **Open-Source Intelligence (OSINT)**: Information is collected from publicly available sources and analyzed to obtain a rich, useful form of intelligence.
  - **OSINT sources**:
    * Media
    * Internet
    * Public government data
    * Corporate/academic publishing
    * Literature
- **Human Intelligence (HUMINT)**: Information is collected from interpersonal contacts.
  - **HUMINT sources**:
    * Foreign defense personnel and advisors
    * Accredited diplomats
    * NGOs
    * Prisoners of War (POWs)
    * Refugees
    * Traveler interview or debriefing

# Threat Intelligence Sources (Cont'd)

- **Signals Intelligence (SIGINT)**: Information is collected by intercepting signals.
  - **Signals intelligence comprises**:
    * **Communication Intelligence (COMINT)**: Obtained from interception of communication signals
    * **Electronic Intelligence (ELINT)**: Obtained from electronic sensors like radars and lidar
    * **Foreign Instrumentation Signals Intelligence (FISINT)**: Signals detected from non-human communication systems
- **Technical Intelligence (TECHINT)**: Information is collected from an adversary’s equipment or captured enemy material (CEM)
  - **TECHINT sources**:
    * Foreign equipment
    * Foreign weapon systems
    * Satellites
    * Technical research papers
    * Foreign media
    * Human contacts

# Threat Intelligence Sources (Cont'd)

- **Social Media Intelligence (SOCMINT)**: Information is collected from social networking sites and other types of social media sources.
  - **SOCMINT sources**:
    * Facebook
    * LinkedIn
    * Twitter
    * WhatsApp
    * Instagram
    * Telegram
- **Cyber Counterintelligence (CCI)**: Information is collected from proactively established security infrastructure or by employing various threat manipulation techniques to lure and trap threats.
  - **CCI sources**:
    * Honeypots
    * Passive DNS monitors
    * Online web trackers
    * Sock puppets (fake profiling) on online forums
    * Publishing false reports

# Threat Intelligence Sources (Cont'd)

- **Indicators of Compromise (IoCs)**: Information is collected from network security threats and breaches and also from the alerts generated on the security infrastructure, which will likely indicate an intrusion.
  - **IoC sources**:
    * Commercial and industrial sources
    * Free IoC-specific sources
    * Online security-related sources
    * Social media and news feeds
    * IoC buckets
- **Industry Association and Vertical Communities**: Information is collected from various threat intelligence sharing communities where organizations share intelligence information with each other.
  - **Vertical community sources**:
    * Financial Services Information Sharing and Analysis Center (FS-ISAC)
    * MISP (Malware Information Sharing Platform)
    * Information Technology-Information Sharing and Analysis Center (IT-ISAC)

# Threat Intelligence Sources (Cont'd)

- **Commercial Sources**: Information is collected from commercial entities and security vendors that provide threat information to various organizations.
  - **Commercial sources**:
    * Kaspersky Threat Intelligence
    * McAfee
    * Avast
    * FortiGuard
    * SecureWorks
    * Cisco
- **Government and Law Enforcement Sources**: Information is collected from government and law enforcement sources.
  - **Government sources**:
    * US Computer Emergency Response Team (US-CERT)
    * European Union Agency for Network and Information Security (ENISA)
    * FBI Cyber Crime
    * StopThinkConnect
    * CERIAS Blog

# Deep and Dark Web Searching

- **Surface Web**: It is the surface layer of online cyberspace that allows users to find web pages and content using normal web browsers.
- **Deep Web**: It consists of web pages and content that are hidden and unindexed and cannot be located using traditional web browsers and search engines. It can be accessed by search engines like DeeperWeb and Surfwax.
- **Dark Web or Dark Net**: It is the subset of the deep web that enables anyone to navigate anonymously without being traced. It can be accessed by browsers like TOR Browser, Freenet, GNUnet, I2P, OneSwarm, and Retroshare.
# Deep and Dark Web Searching Tools

- **TOR Browser**: It is used to access the deep and dark web where it acts like a default VPN for the user and bounces the network IP address through several servers before interacting with the web.
- **ExoneraTor**: https://metrics.torproject.org
- **Freenet**: https://freenetproject.org
- **GNUnet**: https://gnunet.org
- **I2P**: https://geti2p.net
- **OneSwarm**: http://www.oneswarm.org

# AI and Predictive Analysis for Threat Hunting

- Attackers use diverse and distributed mechanisms to evade existing security boundaries.
- The AI-based correction of cyber threat intelligence, security intelligence, and predictive analysis can help organizations identify threats across every attack surface within their network.

## Artificial Intelligence (AI) and Machine Learning (ML)

* AI/ML enhances opportunities to respond to security incidents quickly
* Using AI and ML for threat hunting can reduce the time required for hunting, analyzing, and responding to threats

## AI-backed Predictive Analysis

* By performing predictive analysis through AI-backed intelligence, reactive measures can be taken in advance, enabling security teams to be ahead of attackers.

# Threat Intelligence Frameworks

- **MISP-Open Source Threat Intelligence Platform**: MISP is used for sharing, storing and correlating Indicators of Compromise (IoCs) of targeted attacks, threat intelligence, financial fraud information, vulnerability information, etc.
- **OSINT - Cisco IOS CVE-2018-0171 attack**:
  * Event ID: 10683
  * Uuid: 5ac8cee2-2a78-4237-8830-d0b802de0b81
  * Org: CIRCL
  * Owner org: CIRCL
  * Contributors: [email protected]
  * Email:
  * Tags: tlp:white, circl:osint-feed, estimative-language:likelihood-probability="roughly-even-chance", estimative-language:confidence-in-analytic-judgment="moderate", cyber-threat-framework:Effect/Consequence="destroy-hardware-software-or-data"
  * Date: 2018-04-07
  * Threat Level: Medium
  * Analysis: Completed
  * Distribution: All communities
  * Info: OSINT Cisco IOS CVE-2018-0171 attack
  * Published: Yes
  * Attributes: 14
  * Last change:
  * Extends: 2018/04/17 05:16:30
  * Extended by: Event (10701): Constituency affected with CVE-2018-0171
  * Sightings: 0 (0)
  * Activity: Currently in atomic view.
- **TC Identify**: https://threatconnect.com
- **Yeti**: https://yeti-platform.github.io
- **ThreatStream**: https://www.anomali.com
- **IBM X-Force Exchange**: https://exchange.xforce.ibmcloud.com
- **IntelMQ**: https://www.enisa.europa.eu

# Standards and Formats for Sharing Threat Intelligence

* **CybOX**: Cyber Observable eXpression (CybOX™) is a standardized language for encoding and communicating high-fidelity information about cyber observables.
* **STIX**: Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange CTI.
* **TAXII**: Trusted Automated Exchange of Intelligence Information (TAXII™) is an application-layer protocol for the communication of CTI in a simple and scalable manner.
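
To make the STIX entry above concrete, the following added example (not part of the original module) wraps technical IoCs in STIX 2.1 Indicator objects, serializes them as a bundle, and then uses that bundle on the consumer side to flag matching log lines. The function names, sample IoCs and log lines are constructed for illustration, and the consumer handles only simple single-value equality patterns.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample IoCs (documentation-range IP, reserved example domain).
SAMPLE_IOCS = [
    {"type": "ipv4-addr", "value": "198.51.100.23", "name": "Scanner source IP"},
    {"type": "domain-name", "value": "bad.example.net", "name": "C2 domain"},
]
# Constructed log lines to hunt through.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw ALLOW src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-05-01T10:00:07Z dns query client=10.0.0.9 name=www.example.org",
    "2024-05-01T10:01:12Z dns query client=10.0.0.5 name=bad.example.net",
]
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):value = '([^']+)'\]$")

def make_indicator(ioc):
    """Wrap one IoC in a STIX 2.1 Indicator (required properties plus a name)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "name": ioc["name"],
        "pattern": f"[{ioc['type']}:value = '{ioc['value']}']",
        "pattern_type": "stix",
    }

def make_bundle(iocs):
    """Serialize the indicators as a STIX bundle, the JSON a sharing platform exchanges."""
    objs = [make_indicator(i) for i in iocs]
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs})

def hunt(bundle_json, log_lines):
    """Consumer side: read equality patterns from the bundle and flag matching lines."""
    hits = []
    for obj in json.loads(bundle_json)["objects"]:
        m = PATTERN_RE.match(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if not m:
            continue  # skip non-indicators and patterns this simple parser cannot read
        # Match the value as a whole token so 198.51.100.23 does not hit 198.51.100.230.
        needle = re.compile(r"(?<![\w.-])" + re.escape(m.group(2)) + r"(?![\w.-])")
        hits += [(obj["name"], line) for line in log_lines if needle.search(line)]
    return hits
```

Calling `hunt(make_bundle(SAMPLE_IOCS), SAMPLE_LOGS)` returns the firewall line and the second DNS line, each paired with the name of the indicator that matched.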