CTI Midterm
Please describe 3-5 different types of attack vectors and corresponding IoC's.
1. DoS or DDoS Attack is a (distributed) denial of service type of attack where the server is overloaded by a large number of requests and becomes unable to service authorized request attampts, usually leading it to freeze or be unable to take any more requests. The IoC or indicator of compromise for this type of attack is a usually large number of requests. 2. ATP: an advanced persistent threat is a type of hacker group that continually attacks with a large motive behind, they are well thought out and consistent attacks at an organization. An indictor of compromise would include a large increase in the number of database volume. 3. Social Engineering: this is the process of humans attempts to trick or coerse information out of others through various lies or solicitation attempts. An indicator of compromise would include a log-in flag. 4. Phishing - phishing is the attempt to gather information through carefully crafted fraudulent emails. An indicator of compromise would include a large unusual amount of outbound traffic. 5. SQL inject- the attempt to gain unauthorized access to a database or server with SQL backend by injecting a line of SQL code which defaults to true and allows the user access. An indicator of compromise would include re-arranged files 6. Nmap - using a network scanning tool to identify open ports and gain unauthorized access to a network. IOC : network logs
Please identify and describe the components of the CTI Lifecycle.
1. Intelligence Strategy -this includes threats that are trending, asset identification, indicators of compromise, threat modeling, and intelligence buy-in 2. Intelligence Aggregation -this includes intelligence sources, internal intelligence, and open source intelligence [human, counter, finished] 3. Threat Analytics -this includes cyber kill chain -hacker profiling and tracking -fundamental analytics -visualization 4. Operational Intelligence -actionable intelligence -course of action -proactive defense -intelligence dissemination
Please describe some of the key functionalities of SIEM's.
1.Log collection - collect security relevant logs and context data, centralized, uses events per second aka rate at which IT infra sends events Log pre- processing - parsing, normalization, categorization, enrichment 4. Log retention - retain parsed and normalized data 'centralized' repository, tamper proof with time stamps and encryption, easy of retrieving and analyzing Reporting- security focused reporting Analysis: correlation, threat scoring, event prioritization Alerting and notification: Advanced security focused reporting Other features: incident management, analyst workflow, context analysis etc. 2. User activity monitoring -privileged user monitoring and audit (PUMA), complete audit trail 3. Real time event correlation - proactively dealing with threats, correlation boosts network security by processing millions of events simultaneously to detect anomalous events on the network - can be based on log search, rules, and alerts 5. IT compliance reports - core of all SIEM solution, out of box regulatory compliance reports such as PCI, HIPPA, GDPR etc. ability to customize and build new compliance reports to comply with future regulatory acts 6.file integrity monitoring - tracka dn report all changes, real time alerts 7.log forensics - track down intruder, intuitive and user friendly 8.dashboards- timely actions to make right decisions during network anomalies, presented intuitively and user-friendly manner, fully customizable so it admins can configure the security info they wish to see CONTEXT DATA, ENRICHMENT, CONTEXT ANALYSIS
Who are some of the major providers of commercial intelligence feeds today?
Anubis - target audience: defense organizations / CERTS, provides real time cyber feed, paid, uses infected emails, files, etc. iSight - paid, target audience: securest professionals, gets information from network traffic, IDS/IPS and antivirus FireEye- paid, target audience: security professionals, specializes in incident response and sensors, makes blog posts, reports, and attack databases Symantec- paid, target audience: securest professionals, gets information from network traffic, IDS/IPS and breaches
Please explain the value of CTI within an IT organization.
CTI helps answer 7 major questions: Who is attacking? CTI helps defenders attribute attacks and malicious activities to certain group such as cyber criminals, hacktivists, government and national agencies etc. Why are they doing it? knowing The Who allows defenders to understand moves, how much effort was put not an attack [aka atp vs an opportunist] and how business or industry specific assets should be What they are after? with this information defenders can prioritize their actions based on the importance of the asset or assets the attackers are targeting How are they proceeding? TTP's (tactics, techniques, and procedures) give insight about the way adversaries typically proceed, the tools and infrastructure they use, and more Where they come from? Correlating country of origin with geopolitical situation can help defenders understand enemies How to recognize them? Also dubbed IOC's (indicators of compromise) or artifacts, these technical telltales (IP address, hashes, etc.) provide clear information that can be used to detect and signal a malicious pattern How to mitigate them? Information about the steps a company can take to protect itself
Who are some major SIEM vendors today?
LogRythm Splunk McAfee Nitro IBM QRadar HP ArcSight
Please compare and contrast OSINT, internal intelligence, human intelligence, and counter intelligence. What is the value of each?
OSINT - stands for open source intelligence and it is representative of intelligence openly available on the internet to the public and easily gathered. Some examples of open source intelligence include intelligence feeds, blog posts, reports, and more. There is value in open source intelligence because it is a comprehensive view of the external threat landscape & it can serve as a resource for solving similar problems occurring at your organization internal intelligence- refers to intelligence gathered about an organization by lookin into the information an organization possess about itself in their cyber assets such as databases, network logs, security event management systems and IDS/IPS systems. Internal intelligence is timely, and provides invaluable information because it is specific to your internal organization. human intelligence refers to intelligence gathered regarding specific people and is usually conducted online through a variety of tactics such as tracing an individual's social media, presence on blogs and hacker forums, and could even include video game activity. It can also include direct hacker interactions. For example, after the Target data breach human intelligence led searchers to a young man in the Ukraine responsible. There is immense value in utilizing the internet to understand the individuals or groups behind an attack because it can help present motive and also allow for predictions about how dedicated the attacker was, if they will be a persistent threat or simply an opportunist. It is also very precise and can show deep knowledge and you can get data from difficult places. It can also be risky as it may attract threats to the organization or may return nothing at all counter intelligence- this is false intelligence used to deceive attackers so that the organization can strike back or protect itself, some of these things include tricking and trapping adversaries with things such as honeypots or anti-human intelligence or attacking the attackers. This is extremely valuable for deterring attackers, maintaining confidentiality and integrity of critical assets while also harming the adversary attempting to harm the organization. It is valuable because it is refined, analyzed intelligence
Please describe 2-3 STIX domain objects and describe their major properties.
Observed Data: this is the singular occurrence of something out of the norm on a system or network. It is not quite an indicator of compromise but something such as the appearance of a hash, IP address, or unknown login attempt, may or may not lead to the discovery of a malicious attack pattern Tool: this is the network infrastructure being hijacked, for example it could be the pdf that an adversary injects malware into, it is the abuse of a legitimate piece of hardware or software that is exploited to conduct an attack Indicator: this is also known as an indicator of compromise, these are patterns that are believed to be a sign of an attack occurring or a breach, it may be comprised of a pattern or repetitive observed data pattern Campaign: a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be conducted by a group with a specific target area with various victims and may be part of an Intrusion Set
Please describe 2-3 different types of threat actors.
Reckless employee- they are internal to the organization and non-hostile, an employee may carelessly release confidential information to the public or cause the security of the organization to be compromised, this could be by creating unsecured network access points or by falling victim to phishing or spear- schemes. They can cause damage and embarrassment to the firm, they act alone typically and have adept skills, their objective may be to copy, deny, destroy, damage or take corporate property. They are also covert or not openly acknowledged. Disgruntled Employee- a hostile internal member of the organization which has intent to exploit their access to create harm towards the organization. this may be through intentional leakage of customer data or intellectual property. They also damage or embarrass the company and have extra-legal major limits. They act alone and are operational with the objective to destroy or damage and may act over, covert, or clandestine but many dont care the secrecy. Civil Activist- they are external to the organization and act in pursuit of a generally political agenda. The outcome is to embarrass and they have extra-legal, minor limits. They are largely acting as part of an organization and they are adept, and objective is to copy and act in a covert manner.
Guest Speaker
Rob Goldberg from Deloitte Principal Cyber Risk Singer in the band corporate therapy, runs marathons, lived in Australia, met his wife at Winn Dixie worked for Walmart talked about no such thing as stand alone business anymore - everything is connected and we need to protect it start of the revolution of business protecting themselves great digital divide till 2007 when the iPhone and stock market crash changed everything and facebook blossoms technology adaptation is increasing exponentially and security adoption is lower, the gap between security and tech is increasing shift from waterfall to agile: "lets get something out there" shallow/ rogue IT high impact of technology and dependecy ex. McDonalds threat actors of today are things they can monetize, usually data on dark web or ransomware, but tomorrow more nation state political insolvent like hacktivists, companies dont want to deal with security until another 3 years or so can barely keep up with the technology revolution WannaCry russa targeted Ukraine Maersk shutdown as collateral damage threat intelligence is still primarily a technical practice but we need to get more strategic, we need to get more motives and less iOC and pattern matching, we need IOCs that aren't technical intelligence that is broader and less technical, driving strategic planning cyber teams must understand what is happening from a business perspective not just a technical one [ situational awareness] predict the future result of business decisions on cyber security, use intelligence for strategy and not just response companies and consumers suck at updating firmware
What value does a SIEM have in internal intelligence?
SIEM allows to gather, analyze and present information from network and security devices, identify and access management application, vulnerability mgmt, policy comliance tools, correlation analysis on the OS, DB, and application logs, external threat data there is a rise in data breaches due to internal and external threats attackers are smart and traditional security tools just won't suffice must mitigate sophisticated cyber attacks and manage increasing volumes of logs from multiple sources and meet compliance requirements
Please list 3-5 major CTI companies and their specialties. 3. Anubis
Target Audience: Defense orgs / CERTS data sources: infected computers, files, emails, etc. Features: real-time cyber feed Availability: paid
Please list 3-5 major CTI companies and their specialties. 4. Intel Security, McAfee Threat Center
Target audience: cybersecurity researchers data sources: anti-virus engine features: cyber threat library availability: free
Please draw and explain each node in the diamond model.
The diamond model is used as a way to conduct threat modeling and consists of 4 nodes: Adversary- describes who is acting agains the organization to achieve their intent. Can be divided into two parts: customer and operator. The operator controls and builds the attacks and techniques while the customer has the ability to purchase from the operator on the dark web and deploy against an organization Capabilities: the adversary arsenal part of capabilities are: the tools and techniques the adversary used in the event. the TTP (tactics, techniques, and procedures), the capacity capability has to do with what does the victim possess in terms ofvulnerabilities and exposures that can be exploited Victim: the target of the adversary and who the attack is conducted against, who's vulnerabilities are exploited and who the capabilities are used on also the critical assets they house -Victim Susceptibilities :the set of vulnerabilities and exposures of a victim susceptible to exploitation is referred to as the victim susceptibilities. Infrastructure- these are the physical or logical communication structures the adversary uses to deliver a capability or maintain control of capability (eg. command and control / c2) and effect results from victim (exfiltrate data) ex. networks, email, database typ1. owned by adversary typ2. infrastructure owned by intermediary which victim will usually see as adversary ie. botnet, zombie computer, compromised server
Please identify 3-4 questions which should be answered in the executive summary. What value do each of these questions provide?
What is the current threat landscape? -This allows the organization to help predict future attacks, assess what should be of the highest priority for investment in protecting other critical assets, and assess the effectiveness and improve current CTI How often to do organizations suffer security breaches? This allows us to quantify the reality of how quickly and how easy it is to infiltrate cyber infrastructure. It also allows us to plan for how many attempts we can expect or how many breaches we can expect. It helps remind the organizations that breaches are very real and constantly occurring. How is this changing the strategies that organizations must make to move into intelligence? Organizations must move from merely being reactive to breaches and waiting for them to occur but be proactive and actively seek out avenues for predicting potential vulnerabilities, threats, and attacks. What are some real data breach costs for organizations? This allows us to conceptualize the real financial value of protecting critical assets from compromise. This also allows us to better plan and allocate funds for potential future compromises. It can be leveraged as incentive to to convince upper level managers to invest in more cyber security practices and threat intelligence.
What are some considerations when selecting intelligence feeds?
choose based off: need - what kind of intelligence does the organization need specialization- how specialized or general does the intelligence need to be, public deeds tend to specialize more cost - how much does the intelligence feed cost v. how much can the organization afford to spend, commercial data feeds usually charge support - how much personalized support does the intelligence fedd provide, commercial feeds generally provide more support
Please explain what CTI is and is not. -definitions
defined by a wide range of activities: -knowledge about adversaries and their motivations, intentions, and. methods -collected, analyzed, and disseminated -help security and business staff at all levels -protect critical assets -planning and information collection -aimed at maintaining or enhancing relative security -provide forewarning of threats or potential threats -allows for timely implementation of a preventative policy or strategy -continually gather insights based on analysis of contextual and situational risks -tailored to organizations specific threats landscape, industry, markets -provide significant value to organization
Please compare and contrast the four hacker community sources (hacker forums, IRC channels, Darknet markets, and carding shops). Please discuss the value of each and be as detailed as possible.
hacker forums - online sharing site where hackers can detail their hacking tools, ideas, and knowledge, subforms and threads for specific topics and discussions, share tutorials, source code, attachments, hyperlinks and more value: we can look to see what types of tools are available and emerging including emerging threats to predict security of our own organization and prep IRC channels: Internet Relay chat is an application that facilitates plaintext communication designed fro group communication, declining in popularity, hacker groups used to use to discuss hacking related (usually hacktivist) related activities, data collected in real time Darknet markets: commercial websites on the dark web that act as black markets, canbatch data and more, malware such as key loggers or SQL injections, hacking tutorials and related e books, carding products like account info, bank ID, zero day attacks Carding shops- place you can go to purchase a variety of financial data such as stolen credit and debit card numbers and credentials lists of stolen card details(metadata) we can infer useful knowledge to identify emerging threats and targets collection and analysis of carding shop metadata: risk measure /type, location analysis, pricing structure
What are some considerations when selecting a SIEM?
how much native support does the SIEM provide for the relevant log sources? Can the SIEM supplement existing logging capabilities? How effectively can the SIEM make use of threat intelligence? What forensic capabilities can the SIEM provide? What features does the SIEM provide that assist in data examination and analysis? How timely, secure, and effective are the SIEM's automated response capabilities? For which security compliance initiative does the SIEM provide built-in reporting support?
What is the value of intelligence formats in CTI?
intelligence formats they help develop organizations relevant CTI and often require multiple data sources -common data formats: text, CSV etc. -community has developed several standards for data formats when aggregating multiple data sources in order to ensure CTI can be consumed and used efficiently one example: STIX
Please explain the role and value of OSINT in CTI.
intelligence gathered from publicly available sources and involves no classified information amount of freely available data is immense good look at what is happening external to the org / real world growing at a rapid rate insight can be drawn view of activities outside of organization can: what breaches have already occurred who is talking about you and how what devices you have exposed on your network what types of tools are available that can be used for exploit purposes
What is the role of internal intelligence in CTI?
internal intelligence is intelligence from examining an organizations internal cyber assets, it is gathered by utilizing data generated by your own systems value: -timely -relevant to critical assets -increases trust -massive amount of information - tune to what you want to see
Please explain what CTI is and is not. NOT edition
not: -just an automated data feed -waiting for an attack -cleaning up after a breach
Please list 3-5 major CTI companies and their specialties. 2. iSight Partners
target audience: security professionals data sources: Network traffic, IDS/IPS, antivirus engines Features: Reports, API Availability: Paid
Please list 3-5 major CTI companies and their specialties. 5. Symantec Deepsight Intelligence
target audience: security professionals data sources: breaches, network traffic, IDS/IPS features: reports availability: paid
Please list 3-5 major CTI companies and their specialties. 1.FireEye
target audience: security professionals data sources: incident response, sensors features: blogs, reports, attack databases availability: paid
Please describe the process of threat trending. Be as descriptive as possible.
threat trending is the process of modeling an organizations threat landscape by collecting information from various industry reports (Symantic, iSight, Fireye) regarding threats affecting their realm of cyber security. these threats indicate a big picture analysis of the threats an organization faces and they can be global or local meaning they can be threats plaguing everyone or just organizations of a similar industry or our company itself. Tracking the threats that are trending helps us predict the future of the CTI we might need and helps ensure we maintain relevant CTI and improve its effectiveness. It can also be a tool to show upper managers for continual CTI improvement and development. It is often viewed in a three year sliding window. Threats trending indicate which are the most prominent. Threat trending also indicates if the occurrence of these threats has increased or decreased over the last year. It also shows how the occurrence of these threats has increased or decreased in various emerging areas such as Big Data, Cloud computing, or IoT. In the global landscape it answers questions such as: Who is being attacked? Where are they being attacked? What kind of security measures did they have in place? How much money was lost? How are they being attacked? Has the amount of attacks increased 12 months? By how much?
Please explain what CTI is and is not. -3 key characteristics it is no matter what
timely - catching threats and pending attacks as early as possible informative - improving threat, attack, and threat actor identification to enable decision making adaptive - customizing and tuning intel for your organization, not just buying intel feeds
Please describe the value of Twitter and Facebook when developing OSINT. (traditional data sources)
twitter and facebook are traditional OSINT data sources and are therefore have widespread usage, many hacker group share o hint their next target or share their exploits can be a potential news source for identifying breaking attacks -also FB: insight into emerging hacking trends
Please explain why an organization must understand its critical assets.
we need to know WHAT to protect, what critical assets are most important given the current threat landscape. critical assets are any data/systems that will cause major impact to the organization if breached. Some examples include: OS, databases, usernames and passwords, credit card numbers, systems and services on the network, confidential file etc. Identifying helps improve efficiency, we can determine what is most vulnerable and what is most important to ensure an efficient use of resources. This leads to proper investment and effort. Some examples of things to protect are: customer data, databases, employee data, credit card information, intellectual property, IT assets and network infrastructure, financials and financial data, reputation, serviceability. you can identify critical assets with a ranking system such as bronze, silver, gold based on factors such as financial impact of security breach of asset, repetitional impact, health ad safety impact, sensitive info, intellectual property etc.