Threat Intelligence Flashcards

(40 cards)

1
Q

What is Security Intelligence?

A

The process in which data is generated and then collected, processed, analyzed, and disseminated to provide insights into the security status of information systems.

2
Q

What is Cyber Threat Intelligence?

A

Investigation, collection, analysis, and dissemination of information about emerging threats and threat sources to provide data about the external threat landscape.

2 forms of cyber threat intelligence:
● Narrative Reports
● Data Feeds

In cyber security you use both!

3
Q

What are Narrative Reports?

A

Detailed, analytical documents that describe cybersecurity incidents, findings, or investigations in a structured and comprehensible manner.

Used in Cyber Threat Intelligence

4
Q

What are Data Feeds?

A

Continuous, structured data that provides real-time or periodically updated information.

Used in Cyber Threat Intelligence

5
Q

Tell me about the Intelligence Cycle

A

5 steps, like a wheel:

  1. Requirements (Planning & Direction)
  2. Collection (& Processing)
  3. Analysis
  4. Dissemination
  5. Feedback
6
Q

Tell me about stage 1 of the Intelligence Cycle

A
  1. Requirements (Planning & Direction)

Sets out the goals for the intelligence gathering effort.

What do we want to measure and collect?

7
Q

Tell me about stage 2 of the Intelligence Cycle

A
  2. Collection (& Processing)

Implemented by software tools that gather data, which is then processed for later analysis.

The processing part is where all the data is converted into a standard format.

Factors Used to Evaluate Sources: Timeliness, Relevancy, Accuracy and Confidence Level.

8
Q

Tell me about stage 3 of the Intelligence Cycle

A
  3. Analysis

Performed against the given use cases from the planning phase; may utilize automated analysis, AI, and machine learning.

Sort into three categories: known good, known bad, and not sure. It is the "not sure" category that we should investigate further.

9
Q

Tell me about stage 4 of the Intelligence Cycle

A
  4. Dissemination

Publishes information produced by analysts to consumers who need to act on the insights developed. Three levels: Strategic, Operational and Tactical.

10
Q

What is Strategic Dissemination?

A

A broad, long-term perspective

(global attack trends)

11
Q

What is Operational Dissemination?

A

Information that supports planning and coordination of actions

(threat campaigns).

12
Q

What is Tactical Dissemination?

A

Immediate, technical data

(malicious IP addresses, suspicious files).

13
Q

Tell me about stage 5 of the Intelligence Cycle

A
  5. Feedback

Aims to clarify requirements and improve the collection, analysis, and dissemination of information by reviewing current inputs and outputs: lessons learned, measurable success, and evolving threat issues.

14
Q

To what part of the Intelligence Cycle do Timeliness, Relevancy, Accuracy and Confidence Level belong?

A
  2. Collection (& Processing)
15
Q

What does Timeliness mean and where does it belong?

A

Ensures an intelligence source is up-to-date

Belongs to the Intelligence Cycle - step 2 - Collection (& Processing)

16
Q

What does Relevancy mean and where does it belong?

A

Ensures an intelligence source matches its intended use case.

Belongs to the Intelligence Cycle - step 2 - Collection (& Processing)

17
Q

What does Accuracy mean and where does it belong?

A

Ensures an intelligence source produces effective results.

Belongs to the Intelligence Cycle - step 2 - Collection (& Processing)

18
Q

What does Confidence Level mean and where does it belong?

A

Ensures an intelligence source produces qualified statements about reliability.

Belongs to the Intelligence Cycle - step 2 - Collection (& Processing)

19
Q

Tell me about Evaluation of Source Reliability

A

A table used to evaluate the reliability of a source, graded A - F
(A - the source is reliable; F - the source is not confirmed and is NOT reliable)

20
Q

Tell me about Evaluation of Information Content

A

A table used to evaluate the information content, graded 1 - 6
(1 - the most reliable information; 6 - not reliable at all)

21
Q

What are the general sources of information?

A
  1. Proprietary
  2. Closed-Source
  3. Open-Source
22
Q

Tell me about Proprietary information

A

Threat intelligence is very widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee.

23
Q

Tell me about Closed-Source information

A

Data derived from the provider’s own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers’ systems, suitably anonymized.

24
Q

Tell me about Open-Source information

A

Data that’s available without subscription, which may include threat feeds, reputation lists, and malware signature databases.

Different sources of open-source intelligence:
US-CERT, UK’s NCSC, AT&T Security (OTX), MISP, VirusTotal, Spamhaus and SANS ISC Suspicious Domains.

Open-Source Intelligence (OSINT) - A method of obtaining information about a person or organization through public records, websites, and social media.

25
Q

What kind of information is OSINT?

A

Open-Source Intelligence

26
Q

What is the Information Sharing and Analysis Center (ISAC)?

A

A not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members, like the Cyber Security Information Sharing Partnership (CISP) in the UK. ISACs exist in many areas, including: Critical Infrastructure, Government, Healthcare, Financial and Aviation (e.g. terror events).

27
Q

What is Critical Infrastructure?

A

Any physical or virtual infrastructure that is considered so vital to the United States that its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these. There are 16 such sectors.

28
Q

What does Risk Management do?

A

Identifies, evaluates, and prioritizes threats and vulnerabilities to reduce their negative impact.

29
Q

In the intelligence cycle, where do we put Risk Management?

A

4. Dissemination - to share with other people a weakness we found.

Risk Management - Identifies, evaluates, and prioritizes threats and vulnerabilities to reduce their negative impact.

30
Q

What is Vulnerability Management, and where in the intelligence cycle do we put it?

A

4. Dissemination - to share with other people a weakness we found.

Vulnerability Management - The practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.

31
Q

What does Incident Response do?

A

An organized approach to addressing and managing the aftermath of a security breach or cyberattack. Tactical-level intelligence.

32
Q

What is Detection and Monitoring?

A

The practice of observing activity to identify anomalous patterns for further analysis.

33
Q

Quiz: Which of the following factors evaluates a source to ensure it matches the use case?

A

Relevancy

Relevancy ensures that a source matches its intended use case.

Wrong answers:
● Timeliness ensures an intelligence source is up-to-date.
● Accuracy ensures an intelligence source produces effective results.
● Confidence Level ensures an intelligence source produces qualified statements about reliability.

34
Q

Quiz: In which phase of the security intelligence cycle is input collected from intelligence producers and consumers to improve the implementation of intelligence requirements?

A

Feedback

The final phase of the security intelligence cycle is feedback and review, which utilizes the input of both intelligence producers and intelligence consumers. The goal of this phase is to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.

Wrong answers:
● Collection - pay attention to the question!

35
Q

Quiz: Which level of intelligence is directly used by Security Operations Center (SOC) staff to make real-time decisions in response to system alerts?

A

Tactical

Tactical intelligence refers to the immediate, actionable information necessary for frontline staff, such as SOC analysts, to make decisions about real-time security threats and alerts.

36
Q

What is Tactical intelligence?

A

Tactical intelligence refers to the immediate, actionable information necessary for frontline staff, such as SOC analysts, to make decisions about real-time security threats and alerts.

37
Q

What is Operational intelligence?

A

Operational intelligence focuses on the ongoing activities and procedures involved in maintaining security, typically used for routine tasks and immediate responses. For example, what the SOC uses - the SIEM program.

38
Q

What is Strategic intelligence?

A

Strategic intelligence involves long-term planning and decision-making at the organizational level, addressing overall security posture and resource allocation. Like a bullet list.

39
Q

What is Analytical intelligence?

A

Analytical intelligence relates to the detailed analysis of large data sets to identify patterns, trends, and underlying causes of security issues, supporting informed decision-making for future actions.

40
Q

What is the job of Security Engineering?

A

Security engineering involves **designing, implementing, and maintaining security measures** within systems and networks to protect against threats and vulnerabilities. It encompasses the principles, practices, and tools used to build secure infrastructure and applications.

Relevance to Threat Intelligence Sharing: Threat intelligence sharing relies on understanding vulnerabilities and attack vectors. Security engineering ensures the systems are resilient enough to incorporate threat intelligence inputs.