CYSA+: Topic 1B
threat data
OSINT techniques can also be a source of ____, as researchers use them to discover more about adversary groups & malicious actors
open-source
_____ repositories include threat feeds similar to the commercial providers, but also reputation lists & malware signature databases
automated detection & monitoring systems
acquiring accurate & relevant information about attacks suffered by organizations working in similar industries will improve ____ & _____, though there will be some increased risk of false positive alerts & notifications
collection/processing
another consideration for the _____ phase is to keep security data secure
incorporated
as part of the requirements phase of the life cycle, it is important to assess sources as they are ____ within the data set. this is particularly important when considering threat intelligence, as this data is likely to derive from external sources
proactive threat modeling & threat hunting
as well as improving operational capabilities, threat intelligence promotes new strategies to information assurance, such as ____ & ____ techniques
strategic level
at a _____, threat intelligence can identify previously unrecognized sources of vulnerabilities, such as embedded systems, IoT home automation devices, deep fakes, or AI-facilitated fuzzing to discover zero-day vulnerabilities
operational level
at a _____, threat intelligence can identify priorities for remediation, such as a campaign targeting a vulnerability in web server software
goals & tactics
by linking the 2 sources of intelligence, you can identify what 2 things associated with that group & use controls to mitigate further attacks?
use case
each ____ should be supported by filter or query strings to extract relevant data
embedded & industrial control
one of the primary areas of focus for cybersecurity in industries that support critical infrastructure is with what 2 types of systems?
16
the DHS identifies how many critical infrastructure sectors? each sector is supported by its own ISAC
requirements
the ____ phase of the security intelligence cycle sets out the goals for the intelligence gathering effort?
dissemination
the ____ phase refers to publishing information produced by analysis to consumers who need to act on the insights developed. it can take many forms, from status alerts sent to incident responders to analyst reports circulated to C-suite executives
fraud, terrorists, & nation-state actors
the aviation industry is targeted for/by what 3 things?
explicit knowledge
threat feeds contribute to what? (insights that can be directly applied to a security process)
Meltdown & Spectre
threat intelligence can also provide ongoing monitoring & analysis of vulnerabilities such as ____ & _____, which could pose lasting risks well past the impact of their initial announcement
commercial
threat intelligence is widely provided as a ____ service offering, where access to updates & research is subject to a subscription fee. some of these ____ sources primarily repackage information coming from free public registries, while others provide proprietary or closed-source data that may not be found in the free public registries
network & application operational
threat intelligence should be shared with ___ & ____ security teams so that they can apply best practices to the controls that they have responsibility for
requirements & processing/collection
what 2 phases establish a normalized, searchable data set that can be analyzed to produce useful information, or actionable intelligence, for dissemination to information consumers, such as incident response staff, software development teams, & IT operations teams?
strategic intelligence
what addresses broad themes & objectives, affecting projects & business priorities over weeks & months?
operational intelligence
what addresses the day-to-day priorities of managers & specialists?
interference in the electoral process & the security of electronic voting mechanisms
what are 2 key cybersecurity concerns for governments?
IBM X-Force Exchange, FireEye, & Recorded Future
what are 3 examples of commercial providers?
lessons learned, measurable success, & address evolving security threats
what are 3 things the feedback phase might address?
timeliness, relevancy, accuracy, & confidence levels
what are 4 factors that identify the value of threat intelligence?
AT&T Security (previously OTX), MISP, Spamhaus, SANS ISC Suspicious Domains, & VirusTotal
what are 5 examples of open-source providers?
use cases
what are developed from threat analysis to provide a working model of what to look for within a data set?
data feeds
what are lists of known bad indicators, such as domain names or IP addresses associated with spam or DDoS attacks, or hashes of exploit code known as? this provides tactical or operational intelligence that can be used within an automated system to inform real-time decisions & analysis as part of incident response or digital forensics
narrative reports & data feeds
what are the 2 formats that CTI typically produces?
requirements (planning & direction), collection (& processing), analysis, dissemination, & feedback
what are the 5 steps involved in the security intelligence cycle?
intelligence distribution
what can be thought of as occurring at strategic, operational, & tactical levels?
threat intelligence
what can be used to improve capabilities across different security functions?
Security Engineering
what focuses on the design & architecture of hardware, software, & network platforms to reduce their attack surface?
risk management
what identifies, evaluates, & prioritizes threats & vulnerabilities to reduce their negative impact?
tactical intelligence
what informs the real-time decisions made by staff as they encounter alerts & status indicators?
security intelligence cycle
what involves various steps you perform to not only collect data, but also to process & analyze it so you can obtain actionable insights, which are formatted & organized to provide decision makers with relevant & useful information?
OSINT
what is an example of a reconnaissance technique?
narrative reports
what is analysis of certain adversary groups or a malware sample provided as a written document known as? these provide valuable information & knowledge, but in a format that must be assimilated manually by analysts. this is most useful at providing strategic intelligence to influence security control selection & configuration
closed-source data
what is derived from the provider's own research & analysis efforts, such as data from honeynets that they operate, plus information mined from its customers' systems, suitably anonymized?
strategic threat intelligence
what is important for establishing an up-to-date model of threat sources & actors, & their motivations, capabilities, & tactics?
security intelligence
what is the process through which data generated in the ongoing use of information systems is collected, processed, integrated, evaluated, analyzed, & interpreted to provide insights into the security status of those systems?
planning & direction
what is the requirements phase of the security intelligence cycle also known as?
collection
what is usually implemented by software suites, such as SIEM?
analysis
what needs to be performed in the context of use cases?
requirements
what phase should also consider any special factors & constraints that will ultimately determine it?
feedback
what phase utilizes the input of both intelligence producers & intelligence consumers? the goal of this phase is to improve the implementation of the other phases as the life cycle develops
cyber threat intelligence (CTI)
what provides data about the external threat landscape, such as active hacker groups, malware outbreaks, zero-day exploits, & so on? typically produced in one of two formats: narrative reports & data feeds
processing
what puts data into a consistent format so that analysis tools can operate on it effectively? it ensures that the data point is referenced consistently, can be searched/indexed, & can be correlated across multiple sources
admiralty scale
what rates sources with letters from a (reliable) to g (purposefully deceptive) & information credibility from 1 (confirmed by multiple sources) to 6 (cannot be validated)?
multi-state ISAC
what serves non-federal governments in the US, such as state, local, tribal & territorial governments?
Information Sharing & Analysis Centers (ISACs)
where a generic open-source or commercial threat intelligence provider might use corporate or academic networks to gather data, ____ produce data from their members' systems, so the data is highly industry-specific & relevant. information shared within an ____ is given legal protections by the PCII program operated by the DHS
incident response
where risk management & security engineering make best use of strategic insights, ____ is better served by operational & tactical insights
government agencies
who represents one source of public threat information?