CTI 1


Please identify 3-4 questions which should be answered in the executive summary. What value does each of these questions provide?

Current threat landscape? How often do organizations have security breaches? What are real data breach costs? What data supports the fact that intelligence-based security reduces costs of data breaches?

Please explain what CTI is and is not.

Cyber threat intelligence is knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect the critical assets of the enterprise. It is timely (catching threats and pending attacks as early as possible) and adaptive (customizing and tuning intel for your organization, not just buying intel feeds). It is NOT an automated data feed, waiting for an attack, or cleaning up a breach.

What are the main capabilities of TAXII?

- Discovery: flexibility in choosing which capabilities they support, not bound to network protocol or message binding, ability to see user IP, automated exchange of info about which capabilities a producer might support and their technical mechanisms
- Push messaging: producer to consumer; can be (1) 2 agreed-upon parties sending periodically or (2) a consumer welcoming any info
- Pull messaging: allows consumer to control when they receive data and they do not have to listen for incoming connections

Please compare and contrast the 4 hacker communities (hacker forums, irc channels, darknet markets, and carding shops). Please describe the value of each and be as descriptive as possible

- Hacker forums: users can share tutorials, source code, attachments, hyperlinks, etc. and more in threads. Forums can provide useful CTI when attempting to gain information about specific tools available in cyberspace. Can be dedicated to specific topics.
- Darknet marketplaces: batch data breaches from small and large enterprises; malware such as keyloggers, SQL injections, etc.; hacking tutorials and related e-books; carding-related info such as account numbers, bank IDs, etc.; zero-day attacks.
- IRC channels: Internet Relay Chat, an app that facilitates plaintext communication. Designed for groups. Declining in popularity. Data must be collected in real time (not naturally archiving).
- Carding shops: distribution of card info; metadata of stolen cards. Collecting data can provide risk type, location analysis, pricing structure.

Please describe 2-3 different types of threat actors.

Hacktivists (social or political cause), governments, competitors

Please explain the value of CTI within an IT organization.

Having CTI in an organization provides businesses with information such as:
- Who is attacking (cyber criminals, hacktivists, government/national agencies)
- Why they are attacking (motivations, how much effort they would put into an attack; advanced persistent threat (APT) vs. opportunistic attack)
- What they are after (for prioritizing actions based on value of assets)
- How they are proceeding (TTP → tactics, techniques, procedures)
- Where they're from (helps understand the enemy)
- How to recognize them (indicators of compromise (IOC) or artifacts → IP address, hashes, etc.)
- How to mitigate them (info about how the company can protect itself)

In short: who, what, where, why, how, how, how: who's doing it, what they are after, where they're from, why (motivations), how (TTP), how (IOC), how to stop.

Please compare and contrast 2 TAXII architectures

- Hub and spoke: one org is the clearing house for all organizations involved. Can either be producer, consumer, or both. Hub may perform analytics or filtering before sharing.
- Peer to peer: any number of organizations act as both consumers and producers of info (duh).
- Source/subscriber: source is in the middle and sends to subscribers (duh).

Who are some major SIEM vendors today?

- IBM QRadar: best
- HP ArcSight: 2nd
- LogRhythm: 3rd

Please describe 2-3 STIX domain objects and describe their major properties.

- Identity: name, description, identity_class (type of entity, aka individual or organization), sectors (industry sectors), contact_information
- Indicator: name, description, pattern (detection pattern), valid_from, valid_until, kill_chain_phases
- Malware: name, description, kill_chain_phases (list of kill chain phases for which the malware can be used)

Who are some of the major providers of commercial intelligence feeds today?

Intel Security, McAfee Threat Center, FireEye, iSight

Please identify and describe the components of the CTI Lifecycle.

- Intelligence strategy: threat trending, asset ID, IOC, threat modeling, intelligence buy-in
- Intelligence aggregation: intelligence sources, internal intelligence, open source intelligence
- Threat analytics: cyber kill chain, hacker profiling and tracking, fundamental analytics, visualization
- Operational intelligence: actionable intelligence, course of action, proactive defense, intelligence dissemination

What is the role of internal intelligence in CTI?

It is gathered by utilizing data generated from your own systems. It has low lead time (timeliness), it is relevant to critical assets, it increases trust, and it is a massive amount of info that can be tuned to what you want to see.
- Network logs, DB access events, IDS/IPS logs → collected from internal cyber assets
- Router, IPS/IDS, firewall, switch, servers, DMZ, VPN

Please describe some of the key functionalities of SIEMs.

- Log collection: many systems (Windows, Unix/Linux systems, applications, DBs, routers, switches); centralized; events per second (rate at which your IT infrastructure sends events)
- User activity monitoring
- Real-time event correlation: proactively dealing with threats; correlation boosts network security by processing millions of events simultaneously to detect anomalous events on the network
- Log retention: automatically log and archive all log data from systems, devices, and applications to a centralized repository; should have a tamper-proof feature which encrypts and timestamps them for compliance and forensics purposes; ease of retrieving and analyzing archived log data
- IT compliance reporting
- File integrity monitoring
- Log forensics dashboards

Please describe the value of Twitter and Facebook when developing OSINT

Many hacker groups post their activities and future targets on Twitter and Facebook, which can serve as a possible news source for identifying breaking attacks.

What are some considerations when selecting a SIEM?

- Native support
- Whether it can supplement existing logging capabilities
- How effectively it can make use of threat intelligence
- Forensic capabilities
- Features that assist in data examination and analysis
- How timely, secure, and effective the SIEM's automated response capabilities are
- For which security compliance initiatives the SIEM provides built-in reporting support

Please explain why an organization must understand its critical assets

Need to know what to protect based on current threat climate

What are some considerations when selecting intelligence feeds?

- Need → type of intelligence
- Specialization → publicly available intelligence feeds tend to specialize in certain aspects of threat intelligence more
- Support → commercial data feeds will usually have more support than publicly available ones
- Cost → commercial data feeds charge for service

Compare and contrast OSINT, internal intelligence, human intelligence, and counterintelligence. What is the value of each?

- OSINT: data that can be collected from the internet or from other CTI companies (external). Social media, public statements, commercial data feeds. Provides comprehensive views of external threat landscape.
- Internal intelligence: data collected from internal cyber assets (internal obvi). Network logs, DB access events, IDS/IPS logs. Provides info about activities internal to an organization.
- HUMINT: manual research and data collection (both). Direct hacker interactions. Provides very precise and deep knowledge.
- Counterintelligence: providing false information to deceive attackers. Honeypots, anti-human intelligence. Safely identify tools and methods used by attackers.

Please explain the role and value of OSINT in CTI

OSINT is intelligence collected from publicly available resources. It gives a good view of what is going on in the world today, and the amount of freely available information is immense. Unlike internal intelligence, it gives a view on activities outside of the org. OSINT gives insight into what breaches have already occurred, who is talking about you and how, what devices you have exposed on your network, and what type of tools are available that can be used for exploit purposes.

Please list 3-5 major CTI companies and their specialties.

One free CTI provider is Intel Security, McAfee Threat Center. Their target audience is cybersecurity researchers. Their data source is an anti-virus engine, and it features a cyber threat library. FireEye targets security professionals. Its data sources are incident response and sensors. It features blogs, reports, and attack databases and is paid. iSight Partners is also for security professionals. Its data sources are network traffic, IDS/IPS, and antivirus engines. It features reports and an API and is paid.

Please describe 3-5 different types of attack vectors and corresponding IoCs.

- Phishing attacks: unusual outbound traffic
- Social engineering attacks: log-in flags
- DoS or DDoS: large request numbers
- SQL injections: files in wrong places
- USB drops: unexpected patching
- Malicious scans: HTML response sizes
- Emails with malware attachments: anomalies in user account activity
- Pre-installed malware: geographical irregularities

What value does a SIEM have in internal intelligence?

- Rise in data breaches due to internal and external threats
- Attackers are smart and traditional security tools just don't suffice
- Mitigate sophisticated cyber-attacks
- Manage increasing volumes of logs from multiple sources
- Meet stringent compliance requirements

What is the value of intelligence formats in CTI?

They provide a different way of assessing the cyber threat landscape. Each provides a different perspective, but the two most important are OSINT and internal intelligence. To provide the most value, the data sources should be carefully selected based on quality and relevance to critical assets. For precise and targeted fashings, HUMINT and counterintelligence are good.

Describe the process of threat trending. Be as descriptive as possible

Threat trending is the process of modeling an organization's threat landscape by using industry reports. Take a 3-year sliding window approach: first start with a global threat landscape, then the local threat landscape. Use the global threat landscape to see who is being attacked and how often, what they are losing, how much money they are losing, how they are being attacked, how much those organizations spend on security, and whether the amount of attacks has increased in the past 12 months and by how much. Update when possible. Must model for organization-specific trends.

What value do CIFs offer in the CTI process?

- Aggregates feeds (parsing)
- Un-duplicates (normalizes) intelligence data
- Accrues information over time: pulls in data observations from any source and creates a series of messages "over time", like an email thread, chronologically when you query the data; a series of observations about a specific bad actor
- Post-processing: derive additional data from one piece of threat intelligence
- Stores data
- Querying (CLI client or API)
- Sharing
- Producing new datasets based on collected data

What are the key components of TAXII?

Defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. It empowers organizations to easily share the information they choose with the partners they choose, all while using a single, common set of tools. A producer is an entity that is the recipient of the source of structured CTI. A consumer receives the CTI.

Please draw and explain each node in the diamond model

Each event is a diamond.
1. VICTIM discovers malware
2. CAPABILITIES of the hacker, like malware, stolen certs, hacker tools
3. INFRASTRUCTURE: the chosen capability from the hacker resolves to an IP address or domain name
4. ADVERSARY is the bad guy's identity revealed in email, address, handle, phone, etc.

