What are the…
Five phases of the Threat Intellience Cycle
- Planning & Requirements
- Collection & Processing
- Analysis
- Dissemination
- Feedback
Provide the purpose of…
Planning & Requirements
Threat Intelligence Cycle
- Defining our Goal
- Staying business-aligned
- Consider legal restrictions, regulations
- Determine our most likely threats
- How would they do us harm?
Provide the purpose of…
Collection & Processing
Threat Intelligence Cycle
- Gathering of information
- Maintain consistency to stay organized
- Automate as much as possible
- Select appropriate end-points to collect data from
- Processing & normalizing the collected data
Potential collection end-points include; cloud, phones, routers, servers, apps, laptops, etc…
Provide the purpose of…
Analysis
Threat Intelligence Cycle
- More data means higher chance to prove an attack is happening
- Too much data demands automated tools to sift through the data
- Use of SIEM to automate the correlation of events
Automation could include; Scripts (Bash, Python, PowerShell…)
Provide the purpose of…
Dissemination
Threat Intelligence Cycle
- Internally communicating the findings
- Selecting the appropriate audience(s)
- Communicate the findings to EACH of the audiences. (See types)
- Outside communication? Potentially.
- Types
- Strategic Intelligence
- Operational Intelligence
- Tactical Intelligence
Provide the purpose of…
Feedback
Threat Intelligence Cycle
- New findings, new information
- Lessons Learned from previous steps
- New discoveries since last time
- New tactics to imploy?
- Assign clear list of people, a clear list of tasks to make the cycle better
Whats the time frame of…
Strategic Intelligence
Long-term goals
Whats the time frame of…
Operational Intelligence
Shorter-term goals
Whats the time frame of…
Tactical Intelligence
Real-time goals
What is…
Security Intelligence
How secure are we?
What is…
Cyber Threat Intelligence
How threatening is the world?
* Narrative Sources
* Threat Feeds
Threat feeds are online resources that can be queried. Flow of known vulnerabilities, IP addresses, anti-virus softwares, necessary patches, real-time attacks, etc…
What is… used for?
Historical / Trend Analysis
Used to indicator potential threats
Describe what… is used for
Reconnaisance
As a defender
- What could an attacker find out about us?
- Use of OSINT tools to automate some of the process
Use of open-sourced (public) data to analysis a target (e.g. Social Media, websites, job descriptions, LinkedIN)
What does … stand for?
OSINT
Open-source Intelligence
The process of gathering and analyzing publicly available information to assess threats, make decisions, and/or answer specific questions.
What is a … ?
zone transfer
Usually used to transfer DNS to new server; however could be used to fetch ALL DNS server information if misconfigured poorly
What are … used for?
Website Rippers
Clones the entire target website
Used for interacting with the website and see potential vulnerabilities
What are important for … ?
Confidence Levels
Information source
- Timeliness (up to date?)
- Relevancy
- Accuracy
- Fake News?
What is the … ?
Admiralty System
A method for evaluating a source and the credibility of an information source
What is … used for?
Information Sharing and Analysis Centers
Sources for industry specific security information
Whats the purpose of … ?
Vulnerability Management
Keep an overview of security holes within organization
meltdown / spectre are two classic vulnerabilities to be aware of
enables us to patch problem before they get exploited
What does the process of … look like?
Vulnerability Management
- Assign responsibilities
- Document EVERYTHING
- Keep management excited about this
- Track all inventory
- Assign a business risk to each item, in order to prioritize when things fall a part
- Select the appropriate tools
- Scan for vulnerabilities
- Fix ASAP
- Dont forget about it, continuous process
What are … ?
Unknown Threats
Threats that only present themselves via behaviors (aka breaks the mould)
Very advanced malware or Zero-day vulnerability
Describe the … ?
The Johari Window
- Known Knowns - we know what to do, just need to act
- Known Unknowns - Aware but not sure how to implement
- Unknown Knowns - Could understand but not aware of
- Unknown Unknowns - Dont know how little you know
Describe the behavior of …
APT
Advanced coordinated group(s) with the ability to establish persistent presence. Malicious actors by nature.
CYSA Exam - Well funded, Governmentally supported
Technically - Anyone with ability to break into something
