1.4 Compare and contrast threat-intelligence and threat-hunting concepts


Vulnerability management teams

are responsible for identifying, assessing, prioritizing, and mitigating vulnerabilities within an organization's information technology infrastructure. The primary goal of these teams is to minimize the risk of security breaches by proactively addressing weaknesses in systems, networks, and applications.

Darknet

are blocks of address space that administrators deliberately leave unassigned. Nothing legitimate lives at those addresses, so any packet sent to them is suspect by construction: it is usually scanning, a misconfiguration, or backscatter from a spoofed attack. Because the darknet generates no normal traffic, it serves as a low-noise sensor, and an internal host that starts talking to it is a strong sign of compromise.
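The detection logic that makes a darknet useful is simple: match every flow's destination against the reserved ranges and look at who is sending. The following Python is an added example, not code from the original page; the darknet ranges and flow records are constructed for illustration, standing in for NetFlow/IPFIX or firewall logs.

```python
import ipaddress
from collections import defaultdict

# Address blocks the administrator has set aside as a darknet. Nothing legitimate
# is assigned inside them. (Hypothetical ranges, not from the original page.)
DARKNET_RANGES = [ipaddress.ip_network(n) for n in ("10.99.0.0/16", "192.0.2.0/24")]

# Constructed flow records (source_ip, dest_ip, dest_port), standing in for
# NetFlow/IPFIX or firewall logs.
FLOWS = [
    ("10.1.4.20", "10.1.5.10", 443),
    ("10.1.4.20", "10.1.5.11", 443),
    ("10.7.3.9", "10.99.0.1", 22),
    ("10.7.3.9", "10.99.0.2", 22),
    ("10.7.3.9", "10.99.0.3", 22),
    ("10.7.3.9", "10.99.1.200", 445),
    ("10.1.4.31", "192.0.2.17", 80),
    ("198.51.100.5", "10.99.4.4", 3389),
]


def is_darknet(addr):
    """True if addr falls inside any darknet block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DARKNET_RANGES)


def darknet_hits(flows):
    """Group darknet-bound flows by source: which darknet addresses and ports each
    source touched. Every entry here is suspect by construction."""
    hits = defaultdict(lambda: {"dests": set(), "ports": set()})
    for src, dst, port in flows:
        if is_darknet(dst):
            hits[src]["dests"].add(dst)
            hits[src]["ports"].add(port)
    return dict(hits)


def classify(hits, scan_threshold=3):
    """A source touching several darknet hosts is sweeping the address space (an
    internal host doing that is a strong sign of compromise); a single contact is
    more often a misconfiguration or typo, but still gets looked at."""
    return {
        src: ("likely scanner" if len(info["dests"]) >= scan_threshold else "single contact")
        for src, info in hits.items()
    }


if __name__ == "__main__":
    hits = darknet_hits(FLOWS)
    for src, verdict in classify(hits).items():
        print(f"{src}: {verdict}, touched {sorted(hits[src]['dests'])} "
              f"on ports {sorted(hits[src]['ports'])}")
```

The threshold separates a host sweeping the reserved space (internal 10.7.3.9 here, which should be isolated and examined) from one-off contacts that are more likely typos or stale configuration, though both are worth a ticket because legitimate traffic to the darknet should never occur.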

Threat maps

are visual representations of real-time or near-real-time data related to cybersecurity threats and attacks. They provide a dynamic and graphical view of various cyber threats, including malware infections, distributed denial-of-service (DDoS) attacks, intrusion attempts, and other malicious activities occurring across the internet.

Threat intelligence

consists of the set of activities that an organization undertakes to educate itself about changes in the cybersecurity threat landscape, and integrate information about changing threats into its cybersecurity operations.

End of sale (EOS)

describes the date when a product will no longer be offered for purchase; the vendor continues to support existing customers after that date. The abbreviation collides with end of support (below), so check which one a vendor notice means.

Open-Source Intelligence (OSINT)

involves gathering data from publicly accessible sources, such as websites, social media platforms, public records, news articles, and other publicly available repositories. The goal is to obtain insights, intelligence, and relevant information to support decision-making, investigations, or analysis.

Security orchestration automation and response (SOAR)

is a comprehensive approach to cybersecurity that integrates the capabilities of orchestration and automation with incident response processes. These platforms are designed to streamline and improve the efficiency of security operations by automating repetitive tasks, orchestrating workflows, and facilitating collaboration among security teams.

Security Information and Event Management (SIEM)

is a comprehensive approach to cybersecurity that involves the collection, analysis, and interpretation of log data generated throughout an organization's technology infrastructure. SIEM systems provide a centralized platform for monitoring and managing security events, helping organizations detect and respond to potential security threats in real time.

DNS Sinkhole

is a cybersecurity measure used to redirect malicious or unwanted domain name system (DNS) queries to a controlled or non-existent IP address. This technique is employed to prevent systems within a network from connecting to malicious servers or accessing harmful content associated with specific domain names.
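A sinkhole has two jobs: answer blocked names with an address you control, and record which client asked, since the asking host is the one that is probably infected. The Python below is an added example, not code from the original page; the sinkhole address, blocklist, and stand-in upstream resolver are all constructed. In production the same decision is usually made by BIND response policy zones or a filtering DNS service rather than hand-written code.

```python
# Address of the internal sinkhole host: it accepts the redirected connection,
# logs it and serves nothing. (Assumed address, not from the original page.)
SINKHOLE_IP = "10.0.0.250"

# Constructed blocklist fed from threat intelligence (hypothetical names).
BLOCKED_DOMAINS = {"evil-cdn.example", "update-check.example.net"}


def normalize(name):
    """Strip the trailing dot of a fully qualified name and lower-case it."""
    return name.rstrip(".").lower()


def is_sinkholed(qname):
    """True if the queried name, or any parent domain of it, is on the blocklist.
    Matching is label-based, so 'cdn.evil-cdn.example' is caught while
    'notevil-cdn.example' is not."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def resolve(client_ip, qname, upstream, sinkhole_log):
    """Answer one query. Blocked names get the sinkhole address and the asking
    client is recorded: the log of who asked for a malicious name is what turns
    the sinkhole from a blocking control into a detection source."""
    if is_sinkholed(qname):
        sinkhole_log.append((client_ip, normalize(qname)))
        return SINKHOLE_IP
    return upstream(qname)


def fake_upstream(qname):
    """Constructed stand-in for the real recursive resolver."""
    table = {"www.example.com": "198.51.100.10"}
    return table.get(normalize(qname), "NXDOMAIN")


if __name__ == "__main__":
    log = []
    for client, name in [("10.1.1.5", "cdn.evil-cdn.example."),
                         ("10.1.1.6", "www.example.com"),
                         ("10.1.1.7", "notevil-cdn.example")]:
        print(client, name, "->", resolve(client, name, fake_upstream, log))
    print("hosts that asked for blocked names:", log)
```

Two details matter in practice: match on whole labels, not substrings, or a block on evil-cdn.example will also swallow unrelated names that merely end in the same characters; and point the sinkhole at a host you monitor rather than at 0.0.0.0, so you can also see what the infected client tries to do after the lookup.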

Cyber Observable eXpression (CybOX)

is a framework that provides a standardized schema for categorizing security observations. It defines the properties we can use to describe intrusion attempts, malicious software, and other observable security events when explaining them to other people or systems. CybOX was a separate specification in the STIX 1.x era; in STIX 2.x its content was folded into STIX itself as the Cyber-observable Objects.

Threat analysis

is a process where cybersecurity teams use professional expertise, industry research, threat intelligence, and other information sources to develop a comprehensive list of the threats facing the organization. Once they've developed that list, they evaluate each threat against two criteria: the likelihood that it will occur and the impact if it does.

Relevant

is a property for evaluating threat intelligence which asks whether the intelligence applies to your organization: its industry, the technologies it actually runs, and the threats it actually faces, delivered in a form that fits your business needs. A feed of accurate, timely indicators for platforms you do not operate is not relevant.

Timeliness

is a property for evaluating threat intelligence which asks how soon after a new threat arises, or an existing one evolves, the source reflects that change. Stale indicators mean missed detections, and stale blocklists of reassigned addresses generate false positives.

Accuracy

is a property for evaluating threat intelligence which asks whether the information reported by the source is correct. Inaccurate intelligence wastes analyst time and, when it is acted on automatically (for example by a SOAR playbook that blocks an indicator), can disrupt legitimate traffic.

Trusted Automated eXchange of Indicator Information (TAXII)

is the transport: a set of services and message exchanges, carried over HTTPS, for sharing threat intelligence between systems and organizations. It moves content written in the STIX language; TAXII 2.x organizes that content into collections that client software queries through a REST-style API.

Structured Threat Information eXpression (STIX)

is a standardized language used to communicate security information between systems and organizations. It takes the properties of the CybOX framework and gives us a language for describing them in a structured manner. STIX 2.x serializes its objects (indicators, malware, threat actors, relationships, and the observables themselves) as JSON, and an indicator carries a pattern expression that states what to look for.
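What a STIX 2.1 bundle looks like once it arrives over TAXII, and how indicators in it get turned into something a SIEM can match, as an added example that is not part of the original page. The bundle, its identifiers, and the observed values are constructed for illustration; the code uses only the standard library, so it handles just the simple equality-and-OR patterns shown, not the full STIX pattern grammar.

```python
import json
import re

# Constructed STIX 2.1 bundle, as a TAXII server might return from a collection.
# Identifiers, names and values are hypothetical, not from the original page.
BUNDLE_JSON = """
{
  "type": "bundle",
  "id": "bundle--8b3b0b0e-1111-4e9e-9c3b-000000000001",
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1d0f7c4e-2222-4f7e-8a1f-000000000002",
      "created": "2024-01-10T09:00:00.000Z",
      "modified": "2024-01-10T09:00:00.000Z",
      "name": "C2 address seen in phishing campaign",
      "indicator_types": ["malicious-activity"],
      "pattern": "[ipv4-addr:value = '203.0.113.55' OR ipv4-addr:value = '203.0.113.56']",
      "pattern_type": "stix",
      "valid_from": "2024-01-10T00:00:00Z"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9a1e2b3c-3333-4c8d-9e0f-000000000003",
      "created": "2024-01-11T09:00:00.000Z",
      "modified": "2024-01-11T09:00:00.000Z",
      "name": "Dropper hash",
      "indicator_types": ["malicious-activity"],
      "pattern": "[file:hashes.'SHA-256' = '1c9d3f5b7a2e4c6d8f0a1b3c5d7e9f2a4b6c8d0e1f3a5b7c9d2e4f6a8b0c1d3e']",
      "pattern_type": "stix",
      "valid_from": "2024-01-11T00:00:00Z"
    },
    {
      "type": "malware",
      "spec_version": "2.1",
      "id": "malware--5f6a7b8c-4444-4d9e-8f0a-000000000004",
      "created": "2024-01-11T09:00:00.000Z",
      "modified": "2024-01-11T09:00:00.000Z",
      "name": "ExampleDropper",
      "is_family": false
    }
  ]
}
"""

# One 'object-type:property = value' comparison inside a STIX pattern.
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")


def extract_iocs(bundle_json):
    """Pull simple equality comparisons out of each indicator's STIX pattern.
    Returns a list of (object_type, property, value, indicator_id). Only '='
    comparisons joined by OR are handled; AND/FOLLOWEDBY patterns need a real
    pattern evaluator and are beyond this example."""
    bundle = json.loads(bundle_json)
    iocs = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for otype, prop, value in COMPARISON.findall(obj["pattern"]):
            iocs.append((otype, prop.replace("'", ""), value, obj["id"]))
    return iocs


def match_observations(iocs, observations):
    """observations: iterable of (object_type, property, value) seen on our
    network. Returns a dict mapping each matched observation to the set of
    indicator ids that flagged it, so an alert can cite its source."""
    index = {}
    for otype, prop, value, ind_id in iocs:
        index.setdefault((otype, prop, value), set()).add(ind_id)
    return {obs: index[obs] for obs in observations if obs in index}


if __name__ == "__main__":
    iocs = extract_iocs(BUNDLE_JSON)
    seen = [("ipv4-addr", "value", "203.0.113.56"),
            ("ipv4-addr", "value", "203.0.113.99"),
            ("file", "hashes.SHA-256",
             "1c9d3f5b7a2e4c6d8f0a1b3c5d7e9f2a4b6c8d0e1f3a5b7c9d2e4f6a8b0c1d3e")]
    for obs, ids in match_observations(iocs, seen).items():
        print(obs, "matched", sorted(ids))
```

Keeping the indicator id with each match is the part teams most often drop: it is what lets an analyst go back to the feed for the indicator's valid_from, confidence, and related malware object when triaging the alert.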

Threat modeling

is a systematic process used in cybersecurity to identify, evaluate, and mitigate potential security threats to a system, application, or organization. It involves analyzing the system's components, identifying potential vulnerabilities, and assessing the impact of potential threats. The goal is to proactively design security measures and make informed decisions to enhance the overall security posture.

Script kiddies

is a term used in the cybersecurity community for individuals who lack significant technical skill but use readily available hacking tools or scripts to carry out cyber attacks. Generally speaking, strong baseline security controls are a very effective defense against script kiddies, but a failure to apply patches or act on vulnerability scan results leaves gaps that even a novice attacker can walk through with off-the-shelf tooling.

Johari Window

is a threat classification model that sorts attacks into four categories according to whether the attack is known or unknown to us and known or unknown to others: known to us and known to others; known to us but unknown to others; unknown to us but known to others; and unknown to us and unknown to others. Threat intelligence sharing exists largely to shrink the third category, where someone else already knows what we do not.

Service-focused approach

is a threat modeling approach where the analyst evaluates the security risks associated with specific services within a system or organization, working service by service.

Threat-focused approach

is a threat modeling approach where the analyst thinks of all of the possible threats out there and then thinks through how those threats might affect different organizational information systems.

Asset-focused approach

is a threat modeling approach where the analysts use the organization's asset inventory as the basis for their analysis and walk through asset by asset, identifying the potential threats to each asset.

Reputational Threat Research

is a threat research technique that identifies entities that have previously engaged in malicious activity. Defensive tooling records the specific IP addresses, email addresses, and domains used in past attacks against the organization (and, through shared intelligence, against others). Each object encountered is assigned a reputation, so future connection attempts from sources with a history of untrustworthy behavior can be blocked proactively. Its limitation is that it can only recognize what has been seen before.

Behavioral Threat Research

is a threat search technique that seeks to identify people and systems who are behaving in unusual ways that resemble the ways that attackers have behaved in the past. Even if an attacker is using a brand-new IP address that we've never seen before, we might notice patterns of behavior from that IP address that resemble the activity of past attackers.
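Both techniques above, run side by side over the same authentication log, as an added example that is not part of the original page: the reputational check keys on identity (a source already seen in a past incident), while the behavioral check keys on the shape of the activity (a burst of failures across several usernames, then a success) and so catches a source that has never been seen before. The reputation list and the sshd-style log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed reputation list built from past incidents (hypothetical address).
BAD_REPUTATION = {"203.0.113.55": "C2 address from 2024-01 phishing incident"}

# Constructed sshd-style log lines. 198.51.100.23 has never been seen before.
LOG_LINES = """\
2024-03-02T10:00:01Z sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51000 ssh2
2024-03-02T10:00:02Z sshd[2202]: Failed password for invalid user test from 198.51.100.23 port 51001 ssh2
2024-03-02T10:00:03Z sshd[2203]: Failed password for root from 198.51.100.23 port 51002 ssh2
2024-03-02T10:00:04Z sshd[2204]: Failed password for invalid user oracle from 198.51.100.23 port 51003 ssh2
2024-03-02T10:00:05Z sshd[2205]: Failed password for invalid user git from 198.51.100.23 port 51004 ssh2
2024-03-02T10:00:09Z sshd[2206]: Accepted password for deploy from 198.51.100.23 port 51005 ssh2
2024-03-02T10:01:00Z sshd[2207]: Accepted publickey for alice from 10.1.4.20 port 40000 ssh2
2024-03-02T10:02:00Z sshd[2208]: Failed password for bob from 10.1.4.21 port 40001 ssh2
2024-03-02T10:02:05Z sshd[2209]: Accepted password for bob from 10.1.4.21 port 40002 ssh2
2024-03-02T10:03:00Z sshd[2210]: Accepted publickey for svc-backup from 203.0.113.55 port 40003 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(lines):
    """Turn raw lines into events; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                           "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def reputational_hits(events):
    """Reputational research: any activity from a source with a bad reputation is
    flagged, whether the login succeeded or not."""
    return {e["ip"]: BAD_REPUTATION[e["ip"]] for e in events if e["ip"] in BAD_REPUTATION}


def behavioral_hits(events, min_failures=5, min_users=3, window_s=60):
    """Behavioral research: many failures across several usernames from one source
    inside the window, followed by a success. A single failed login followed by a
    success (a typo) is not flagged."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        successes = [e for e in evs if e["result"] == "Accepted"]
        if len(failures) < min_failures or not successes:
            continue
        span = (failures[-1]["ts"] - failures[0]["ts"]).total_seconds()
        users = {e["user"] for e in failures}
        if span <= window_s and len(users) >= min_users and successes[-1]["ts"] > failures[-1]["ts"]:
            findings[ip] = (f"{len(failures)} failures across {len(users)} users in "
                            f"{int(span)}s, then success as {successes[-1]['user']}")
    return findings


if __name__ == "__main__":
    events = parse(LOG_LINES)
    print("reputational:", reputational_hits(events))
    print("behavioral:", behavioral_hits(events))
```

The two detections are complementary: the reputation hit on 203.0.113.55 fires on a successful key-based login that looks entirely normal on its own, and the behavioral hit on 198.51.100.23 fires with no prior knowledge of the address at all. Neither alone would have caught both.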

Assumption of compromise

is a view of threat hunting that assumes the environment is already compromised and that attackers have a foothold. The threat hunter's job is to search for those compromises and eliminate them, rather than wait for an alert.

Email harvesting attack

is an attack in which the attackers search the web for valid email addresses at the target's domain, then use those addresses as recipients for phishing campaigns. The harvested list also reveals the organization's address format, which lets an attacker guess addresses that were never published.
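The harvesting step itself, as an added example that is not part of the original page: a regular-expression pass over fetched page text that undoes the common "[at]" and "(dot)" obfuscations and keeps only addresses at the target domain. Defenders run the same thing against their own domain to measure what an attacker can collect. The target domain and page contents are constructed for illustration; a real run would feed in text fetched from search results, document metadata, and public repositories.

```python
import re

# Hypothetical target, as in a recon exercise against your own organization.
TARGET_DOMAIN = "example.com"

# Constructed page contents, including common anti-harvesting obfuscations.
PAGES = [
    "Contact our press office at press@example.com or call the front desk.",
    "Posted by j.doe [at] example [dot] com in the forum thread.",
    "Resume: Jane Roe (jane.roe AT example DOT com), formerly of other-corp.com",
    "Vendor contact: sales@other-corp.com; internal escalations go to noc@example.com.",
    "mailto:helpdesk%40example.com?subject=ticket",
]

# Undo obfuscation. Bracketed forms are matched case-insensitively; bare AT/DOT
# only when upper-case, so ordinary prose ("at the office") is left alone.
DEOBFUSCATE = [
    (re.compile(r"\s*[\[\(]\s*at\s*[\]\)]\s*", re.IGNORECASE), "@"),
    (re.compile(r"\s+AT\s+"), "@"),
    (re.compile(r"\s*[\[\(]\s*dot\s*[\]\)]\s*", re.IGNORECASE), "."),
    (re.compile(r"\s+DOT\s+"), "."),
    (re.compile(r"%40"), "@"),  # URL-encoded '@' inside mailto: links
]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def normalize_text(text):
    """Apply each de-obfuscation rule in order."""
    for pattern, repl in DEOBFUSCATE:
        text = pattern.sub(repl, text)
    return text


def harvest(pages, domain=TARGET_DOMAIN):
    """Return the set of addresses at `domain` found across the pages.
    Addresses at other domains are dropped: they are not the target."""
    found = set()
    for page in pages:
        for m in EMAIL_RE.finditer(normalize_text(page)):
            if m.group(1).lower() == domain:
                found.add(m.group(0).lower())
    return found


if __name__ == "__main__":
    for address in sorted(harvest(PAGES)):
        print(address)
```

The output is also the defender's exposure report: every address it returns is one that phishing will reach, and the set of local parts (first initial plus surname, role mailboxes) tells you how guessable the rest of the directory is.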

Threat hunting

is an organized, systematic approach to seeking out indicators of compromise on our networks. Security professionals use a combination of time-tested security techniques and new analytic technology to track down signs of suspicious activity and conduct thorough investigations.

Threat research

is the process of using threat intelligence to understand our adversaries' motives, capabilities, and techniques, so that defenses are built around how they actually operate rather than around generic assumptions.

Window of Vulnerability

is the period during which a vulnerability can be exploited. It opens when the vulnerability is discovered and, from the vendor's side, closes when a patch is released; for your own systems it does not close until that patch is actually applied, so the window you are exposed for is usually longer than the vendor's.

End of support (EOS)

provides the date when the vendor will reduce or eliminate support for existing users of the product. It shares its abbreviation with end of sale, so read vendor lifecycle notices carefully.

End of life (EOL)

provides the date when the vendor will no longer provide any support or updates for the product.

Criminal syndicates

refer to associations of individuals or entities that engage in illegal activities on a large scale. These organizations leverage sophisticated techniques, tools, and a network of skilled individuals to target individuals, businesses, and even governments. Their primary motivation is financial gain.

Nation state actors

refer to government entities or agencies that engage in cyber activities to achieve strategic, political, economic, or military objectives on behalf of a specific country. These actors have the resources, expertise, and authority of a nation-state behind them, making their cyber operations highly sophisticated and impactful.

Proprietary threat intelligence

refer to offerings provided by specialized companies or organizations that focus on collecting, analyzing, and delivering customized threat intelligence to their clients. These services aim to help organizations enhance their cybersecurity posture by providing actionable insights, early warnings, and context-specific information about potential cyber threats.

Threat impact

refers to the potential harm or damage that can result from the realization of a specific threat or security incident. It assesses the adverse consequences that may occur when a threat exploits a vulnerability and adversely affects an organization, its assets, or its operations.

Threat likelihood

refers to the probability or chance that a specific threat or potential event will occur within a given timeframe. It is an assessment of how likely it is that a particular threat scenario will manifest and pose a risk to an organization, system, or asset.

Insider threat

refers to the risk posed to an organization's security or data by individuals within the organization, such as employees, contractors, or business partners, who have insider knowledge concerning the organization's security practices, data, and computer systems. These threats can be intentional or unintentional and may result in unauthorized access, disclosure, or disruption of critical information.

Zero-Day vulnerability

is a software vulnerability that has not been publicly reported and for which no patch yet exists. Applying security patches cannot protect you against it, because there is nothing to apply; until a fix ships, protection has to come from compensating controls such as network segmentation, least privilege, and behavior-based detection.

Honeynets

are large-scale deployments of multiple honeypots on the same network.

Threat indicators

are pieces of information that make it possible to describe or identify a threat.

Detection and monitoring teams

are responsible for continuously monitoring an organization's networks, systems, and digital assets to identify and respond to potential security incidents. These teams play a crucial role in maintaining a proactive security posture by detecting anomalies, suspicious activities, and potential threats.

Security engineering teams

are responsible for designing, implementing, and maintaining security measures within an organization's information technology infrastructure. These teams play a critical role in integrating security into the development and deployment of systems, networks, and applications.

Risk management teams

are responsible for identifying, assessing, prioritizing, and mitigating risks within an organization. Their primary goal is to ensure that the organization can navigate uncertainties and potential threats to achieve its objectives while safeguarding its assets, reputation, and overall well-being.

indicators of compromise (IOCs)

are artifacts or observable patterns that suggest a system or network may have been compromised or affected by a cybersecurity incident.

Advanced Persistent Threats (APTs)

are attackers who are well-funded and highly skilled. They're typically military units, government intelligence agencies, or other highly organized groups carrying out very focused attacks. They have access to zero-day exploits and other sophisticated techniques, and they work methodically to gain and keep access to a highly selective set of targets with military or economic value.

Information Sharing and Analysis Centers (ISACs)

are collaborative forums that bring together cybersecurity teams from competing organizations to help share industry-specific security information in a confidential manner. The goal is to gather and disseminate threat intelligence without jeopardizing anonymity. It's a safe way for competitors to cooperate.

Honeyfiles

are files created to resemble sensitive data but containing garbage data or intentional misinformation. Because no legitimate user or process has a reason to open them, any access to a honeyfile is a high-fidelity indicator and should be monitored and alerted on.

Incident response teams

are groups of individuals within an organization responsible for managing and mitigating cybersecurity incidents. The primary goal is to promptly and effectively respond to security incidents to minimize the impact on the organization's systems, data, and overall operations.

Honeypots

are tempting, bogus targets meant to lure attackers away from real systems and reveal their tools and techniques. As with honeyfiles, legitimate users have no reason to touch them, so any interaction is suspicious by definition.

