1 - Security Controls and Security Intelligence
Open-Source Intelligence Sources
AT&T Security, previously Alien Vault Open Threat Exchange (OTX) Malware Information Sharing Project (MISP) Spamhaus SANS ISC Suspicious Domains VirusTotal (virustotal.com)
Chief Information Security Officer (CISO)
Controls information security issues in an organization and is responsible for securing anything related to digital information. An enterprise may develop specialized roles in different sectors of information assurance. Senior analysts are likely to report directly to this person.
Physical Security Control Functional Type
Controls such as alarms, gateways, locks, lighting, security cameras, and guards that deter and detect access to premises and hardware are often classed separately.
Proprietary/Closed-Source Intelligence Sources
IBM X-Force Exchange FireEye Recorded Future
Threat Intelligence Sharing - Risk Management
Identifies, evaluates, and prioritizes threats and vulnerabilities to reduce their negative impact.
CTI Dissemination: Tactical intelligence
Informs the real-time decisions made by staff as they encounter alerts and status indicators.
Despite operating a patch management program, your company has been exposed to several attacks over the last few months. You have drafted a policy to require a lessons- learned incident report be created to review the historical attacks and to make this analysis a requirement following future attacks. How can this type of control be classified?
It is implemented as an administrative control as it is procedural rather than technical in nature. Additionally, it is a managerial control rather than an operational control as it seeks oversight of day-to-day processes with a view to improving them. In terms of function, you can classify it as corrective, as it occurs after an attack has taken place.
CTI Data Feeds
Lists of known bad indicators, such as domain names or IP addresses associated with spam or distributed denial of service (DDoS) attacks, or hashes of exploit code. This provides tactical or operational intelligence that can be used within an automated system to inform real-time decisions and analysis as part of incident response or digital forensics.
You work for a development company that provides specialized software and ATM firmware to financial services companies. Your company is transitioning from use of private, locally hosted network services to cloud-based solutions. In this context, you also want to review your security procedures and use of security tools and technologies, and threat intelligence capability specifically. Review the platform provided by a commercial solution, such as fireeye.com/solutions/cyber-threat-intelligence.html, noting the market review provided by Forrester (fireeye.com/content/dam/fireeye-www/products/pdfs/pf/intel/rpt-forrester-threat-intel-services.pdf). What are some of the differentiators from an open-source feed?
Range of threat collection sources from enterprise networks and analyst-driven dark web and nation-state research, tailoring of sources to different industry segments, support for developing use cases, and tailored reporting of strategic, operational, and tactical intelligence to different consumers within the customer organization.
Cyber Threat Intelligence (CTI)
The analysis of internal and external threats to an organization in a systematic way. Attempts to defend against include zero-day threats, exploits and advanced persistent threats (APTs). Involves in-depth analysis of both internal and external threats.
Technical Security Control Category
The control is implemented as a system (hardware, software, or firmware). For example, firewalls, anti-virus software, and OS access control models are technical controls. Controls may also be described as logical controls.
Operational Security Control Category
The control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.
Deterrent Security Control Functional Type
The control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties against trespass or intrusion.
Detective Security Control Functional Type
The control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. Operates during the progress of an attack. Logs provide one of the best examples of detective-type controls.
Compensating Security Control Functional Type
The control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.
Business Continuity Plan (BCP) involves the following:
1. Analysis of organizational threats 2. A list of the primary tasks required to keep the organization operations flowing 3. Easily located management contact information 4. Explanation of where personnel should go if there is a disastrous event 5. Information on data backups and organization site backup 6. Collaboration among all facets of the organization 7. Buy-in from everyone in the organization
You work for a development company that provides specialized software and ATM firmware to financial services companies. Your company is transitioning from use of private, locally hosted network services to cloud-based solutions. In this context, you also want to review your security procedures and use of security tools and technologies, and threat intelligence capability specifically. As a relatively small company, with no dedicated SOC, what is the main risk from deploying a threat intelligence feed?
Being overwhelmed with low-priority alerts.
Chief Information Security Officer (CISO) Responsibilities
Implementing and configuring security controls, such as firewalls, Intrusion Detection Systems, and other threat management appliances and software Working in a leading role in the computer security incident response team (CSIRT) or security operations center (SOC) to manage security incidents Auditing security processes and procedures, performing due diligence on third parties, and delivering employee training Performing risk assessments, vulnerability assessments, and penetration tests and recommending appropriate security controls or procedures Maintaining up-to-date threat intelligence and awareness and advising on legal, compliance, and regulatory issues
Business Impact Analysis (BIA)
A component of business continuity planning that helps to identify critical and non-critical systems. Assigns consequences and usually a dollar figure to specific disaster scenarios. It will also include estimated recovery times and recovery requirements for such scenarios. Often used to measure the risks of failure against the costs of upgrading a particular system.
Cybersecurity Analyst Responsibilities
Leverage intelligence and threat detection Analyze and interpret data Identify and assess vulnerabilities Suggest preventative measures Respond to and recover from incidents
Security Operations Center (SOC)
A location where security professionals monitor and protect critical information assets in an organization. Centralize and streamline the organization's security efforts to maximize its effectiveness. Can be difficult to establish, maintain, and finance, they are usually employed by larger corporations, like a government agency or a healthcare company that deals in personally identifiable information (PII).
Business Continuity Plan (BCP)
A plan to help ensure that business processes can continue during a time of emergency or disaster. Such emergencies or disasters might include a fire or any other case where business is not able to occur under normal conditions. Businesses need to look at all such potential threats and devise these to ensure continued operations should the threat become a reality.
Cybersecurity Analyst
A senior position within an organization's security team with direct responsibility for protecting sensitive information and preventing unauthorized access to electronic data and the systems that process it. A cybersecurity team may contain junior and senior levels, and an enterprise may develop specialized roles in different sectors of information assurance.
Threat Intelligence Sharing - Detection and Monitoring
Acquiring accurate and relevant information about attacks suffered by organizations working in similar industries will improve automated detection and monitoring systems, though there will be some increased risk of false positive alerts and notifications. Adding more rules and definitions based on observed incidents to automated tools will create more chances for malicious indicators to be matched (true positives). Unfortunately, it also creates more chances for non-malicious data points to be matched as suspected indicators (false positives). As well as improving operational capabilities, threat intelligence promotes new strategic approaches to information assurance, such as proactive threat modeling and threat hunting techniques, which will be the subject of the next lesson.
CTI Dissemination: Strategic Intelligence
Addresses broad themes and objectives, affecting projects and business priorities over weeks and months.
CTI Dissemination: Operational Intelligence
Addresses the day-to-day priorities of managers and specialists.
You work for a development company that provides specialized software and ATM firmware to financial services companies. Your company is transitioning from use of private, locally hosted network services to cloud-based solutions. In this context, you also want to review your security procedures and use of security tools and technologies, and threat intelligence capability specifically. What are your strategic, operational, and tactical requirements for threat intelligence?
At a strategic level, identify sector-specific threat actors and adversary tactics plus new vulnerabilities and exploits in software and financial systems. At operational and tactical levels, you will need to ensure developers are updated about alerts and threats, especially industry-specific ones. You might use security feeds to block suspicious domains/IP address ranges and perform threat hunting for correlated indicators. While you are currently using locally-hosted network services, you will need to consider threat intelligence platforms that can integrate well with cloud hosting.
CTI Narrative Reports
Analysis of certain adversary groups or a malware sample provided as a written document. These provide valuable information and knowledge, but in a format that must be assimilated manually by analysts. This is most useful at providing strategic intelligence to influence security control selection and configuration.
Threat Intelligence Sharing - Vulnerability Management
At a strategic level, threat intelligence can identify previously unrecognized sources of vulnerabilities, such as embedded systems, Internet of Things (IoT) home automation devices, deep fakes , or AI-facilitated fuzzing to discover zero-day vulnerabilities. At an operational level, threat intelligence can identify priorities for remediation, such as a campaign targeting a vulnerability in web server software. Threat intelligence can also provide ongoing monitoring and analysis of vulnerabilities such as Meltdown and Spectre which could pose lasting risks well past the impact of their initial announcement.
Technical Security Control Families
Audit and Accountability Identification and Authentication Access Control System and Communications Protection
Threat Intelligence Sharing - Incident Response
Better served by operational and tactical insights. For example, the analysis benefit of tactical threat intelligence is to allow you to pivot from a data point, such as a suspect DNS domain in a web access log entry, to information about that domain on a reputation list, and whether it is associated with specific malware tools or adversary groups.
What are the characteristics to use to evaluate threat data and intelligence sources?
Firstly, you can distinguish sources as either proprietary/closed-source, public/open-source, or community-based, such as an ISAC. Within those categories, data feeds can be assessed for timeliness, relevancy, and accuracy. It is also important for analyst opinions and threat data points to be tagged with a confidence level.
You work for a development company that provides specialized software and ATM firmware to financial services companies. Your company is transitioning from use of private, locally hosted network services to cloud-based solutions. In this context, you also want to review your security procedures and use of security tools and technologies, and threat intelligence capability specifically. Review the open-source feeds available at misp-project.org/feeds. What type of threat intelligence do these provide?
Industry-specific alerts and indicators plus separate reporting for analysts (technical reports and webinars) and senior leadership (C-suite).
Financial ISAC
Obvious target for fraud and extortion. Attackers can target both individual account holders and financial institutions themselves. Serious financial shocks, such as major trading platform or ATM outages, can also pose a national security risk.
Operational Security Control Families
Personnel Security Physical and Environmental Protection Contingency Planning Configuration Management Maintenance System and Information Integrity Media Protection Incident Response Awareness and Training
Security Intelligence Cycle steps
Requirements Collection and Processing Analysis Dissemination Feedback
What are the phases of the intelligence cycle?
Requirements (often called planning and direction), collection (and processing), analysis, dissemination, and feedback.
Managerial or Management Security Control Families
Risk Assessment Planning System and Services Acquisition Security Assessment and Authorization Program Management
SIC - Requirements
Sets out the goals for the intelligence gathering effort. This phase is also widely referred to as Planning and Direction. This phase should show how intelligence will support business goals, such as ensuring a trustworthy repository of company data. The analyst effort needs to be properly costed and resourced, with sufficient staffing levels and tools.
Bespoke Software
Software is custom or tailor-made software. The value of _____ software over off-the-shelf software is that it can be designed specifically for key business or legislative objectives.
Security Operations Center (SOC) design principles:
Supported by organizational policies, giving it the authority it needs to be effective. Able to balance its size and its presence in the organization, without overstepping its bounds. Staffed with motivated, skilled professionals and not overstaffed with under-qualified personnel. Able to incorporate a wide variety of security processes into a single operations center. Equipped to perform incident response duties. Able to protect the SOC's own systems and infrastructure from attack. Aware of the strengths and limitations of each tool it uses. Aware of the nuances involved in monitoring to be able to separate the signal from the noise. Willing to collaborate with other SOCs to share valuable information on threat intelligence and mitigation techniques.
Healthcare ISAC
Targeted by criminals seeking blackmail and ransom opportunities by compromising patient data records or by interfering with medical devices.
Aviation ISAC
Targeted for fraud, but there are also substantial risks from terrorists or hostile nation-state actors seeking to disrupt services or cause casualties. Air traffic control and the safe operation of aircraft depends on many interconnected systems, some of which use aging infrastructure or technology that is susceptible to interference and spoofing, such as radar and GPS.
Critical Infrastructure ISACS
The DHS identifies sixteen critical infrastructure sectors, such as communications, energy, water, nuclear reactors and waste, emergency services, and so on. Each sector is supported by its own ISAC. One of the primary areas of focus for cybersecurity in industries that support critical infrastructure is with embedded systems and industrial control systems.
Government ISAC
The Multi-State ISAC (cisecurity.org/ms-isac) serves non-federal governments in the US, such as state, local, tribal and territorial governments. One of the key cybersecurity concerns for governments is interference in the electoral process and the security of electronic voting mechanisms. In fact, there is an ISAC dedicated to election infrastructure security issues (cisecurity.org/ei-isac).
Corrective Security Control Functional Type
The control acts to eliminate or reduce the impact of an intrusion event. A corrective control is used after an attack. A good example is a backup system that can restore data that was damaged during an intrusion. Another example is a patch management system that acts to eliminate the vulnerability exploited during the attack.
Preventative Security Control Functional Type
The control acts to eliminate or reduce the likelihood that an attack can succeed. Control operates before an attack can take place. Access control lists (ACL) configured on firewalls and file system objects. Anti-malware software also acts as a preventative control, by blocking processes identified as malicious from executing. Directives and standard operating procedures (SOPs) can be thought of as administrative versions of these controls.
Managerial or Management Security Control Category
The control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
A bespoke application used by your company has been the target of malware. The developers have created signatures for the application's binaries, and these have been added to endpoint detection and response (EDR) scanning software running on each workstation. If a scan shows that a binary image no longer matches its signature, an administrative alert is generated. What type of security control is this?
This is a technical control as it is implemented in software. In functional terms, it acts as a detective control because it does not stop malware from replacing the original file image (preventative control) or restore the original file automatically (corrective control).
Threat Intelligence considerations - Timeliness
Threats diminish or change and evolve. Once an adversary group has been identified in an analyst's report, they are likely to try to disguise future activities and adopt different tactics. You must assess whether an intelligence source can research and disseminate updates in a timely manner.
CTI Feedback: Address Evolving Security Threats
What new features of the threat landscape or the legal/regulatory landscape affect the way security and threat intelligence is collected and used?
CTI Feedback: Lessons Learned
What incidents occurred that threat intelligence failed to mitigate?
CTI Feedback: Measurable Success
What metrics show the success or failure of intelligence sources? One of the aims of the intelligence cycle should be to avoid collecting information for information's sake.
Threat Intelligence considerations - Confidence levels
When a data point or analyst observation is published, the act of publishing lends the point a certain authority. It is usually appropriate to temper that authority by grading the data or analysis on some scale between reliable and unreliable.
Information Sharing and Analysis Centers (ISACs)
Where a generic open-source or commercial threat intelligence provider might use corporate or academic networks to gather data, these produce data from their members' systems, so the data is highly industry-specific and relevant. Information shared within this is given legal protections by the PCII program operated by the Department of Homeland Security
Threat Intelligence considerations - Accuracy
Whether the intelligence is of a general or specific nature. Is it specific and accurate in the sense that you can use it to create rulesets in an automated software suite, or is it more strategic in nature? Threat intelligence is combined (or correlated) with security intelligence to produce insights that are directly relevant to your systems. For this to be successful, threat intelligence must be tagged with attributes that can be correlated to attributes in your log files and network traces. There are various schemas and frameworks for classifying threat information, which we will explore later in the course.
Your chief information security officer (CISO) wants to develop a new collection and analysis platform that will enable the security team to extract actionable data from its assets. The CISO would like your input as far as which data sources to draw from as part of the new collection platform, worrying that collecting from too many sources, or not enough, could impede the company's ability to analyze information. Is this a valid concern, and how can it be addressed within an intelligence life-cycle model?
Yes, it is a valid concern. The requirements (or planning and direction) phase of the intelligence cycle can be used to evaluate data sources and develop goals and objectives for producing actionable intelligence to support use cases demanded by intelligence consumers. You can also mention that the feedback phase of the cycle provides the opportunity to review sources and determine whether they are delivering valuable intelligence.
Threat Intelligence considerations - Relevancy
You must assess whether the intelligence produced by a source is relevant to the use cases developed for your analysis effort. For example, a threat intelligence source that focuses on Windows security is of limited use if your systems are primarily cloud applications accessed via Chrome OS workstations.
Your company is interested in implementing routine backups of all customer databases. This will help uphold availability because you will be able to quickly and easily restore the backed-up copy, and it will also help uphold integrity in case someone tampers with the database. What controls can you implement to round out your risk mitigation strategy and uphold the components of the CIA triad?
You should consider the confidentiality component. The backups contain the same privileged information as the live copy and so must be protected by confidentiality controls. Access controls can be used to ensure that only authorized backup operators have access to the data. Encryption can be used as an additional layer of protection.
SIC - Collection and Processing
__________ usually implemented by software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. __________ puts data into a consistent format so that analysis tools can operate on it effectively.