MIST 5775 Quiz 1: Fundamental CTI Concepts
Threat
A set of circumstances that exploits vulnerabilities to cause loss or harm
Vulnerabilities
A weakness in a system that can be exploited to cause loss or harm.
How to recognize them?
Also dubbed indicators of compromise (IOC) or artifacts, these technical telltales (IP addresses, hashes, etc.) provide clear information that can be used to detect and signal a malicious presence.
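As an added example (not part of the quiz or its course material), the following Python script does what the card describes: it takes a small threat feed of IOCs and checks log lines for them. Both the feed values and the log lines are constructed for the example; the field names (src, dst, host, sha256) and the key=value log format are assumptions, not a real product's schema.

```python
"""Added example: matching a constructed IOC feed against constructed log lines."""
import hashlib
import re

# Constructed IOC feed: hypothetical values, not real indicators.
SAMPLE_HASH = hashlib.sha256(b"constructed malicious sample").hexdigest()
IOC_FEED = {
    "ip": {"198.51.100.23", "203.0.113.77"},
    "domain": {"update-cdn.example.net"},
    "sha256": {SAMPLE_HASH},
}

# Assumed mapping from log field names to the IOC type they carry.
FIELD_TYPES = {"src": "ip", "dst": "ip", "host": "domain", "sha256": "sha256"}

# Constructed log lines in key=value form (a proxy and an endpoint agent).
# Note the mixed case in the domain and hash: feeds and logs rarely agree on case.
LOG_LINES = [
    "2024-03-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 host=Update-CDN.example.net",
    "2024-03-01T10:00:05Z proxy src=10.0.0.9 dst=93.184.216.34 host=example.com",
    f"2024-03-01T10:01:10Z edr computer=ws-12 file=C:\\Users\\a\\t.exe sha256={SAMPLE_HASH.upper()}",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(ioc_type, value):
    """Canonicalize a value before lookup so case and trailing dots do not hide a hit."""
    if ioc_type in ("domain", "sha256"):
        return value.lower().rstrip(".")
    return value


def find_ioc_hits(lines, feed):
    """Return one hit record per (line, field) whose normalized value is in the feed."""
    hits = []
    for idx, line in enumerate(lines):
        for field, raw in KV_RE.findall(line):
            ioc_type = FIELD_TYPES.get(field)
            if ioc_type is None:
                continue  # field carries no indicator type we track
            value = normalize(ioc_type, raw)
            if value in feed.get(ioc_type, ()):
                hits.append({"line": idx, "type": ioc_type, "field": field, "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(LOG_LINES, IOC_FEED):
        print(f"line {hit['line']}: {hit['type']} IOC {hit['value']} in field {hit['field']}")
```

Two practical caveats the card leaves implicit: a hit is only as meaningful as the feed is fresh (shared hosting IPs and recycled domains age quickly into false positives), and normalization is what makes the match work at all, since a feed entry and a log field that differ only in case would otherwise never line up.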
Control/countermeasure
An action/device/procedure/technique that eliminates or reduces a vulnerability
Who is attacking?
CTI helps defenders attribute attacks/malicious activities to certain groups (cyber criminals, hacktivists, government/national agencies, etc.)
CTI is NOT:
just an automated data feed, waiting for an attack, or cleaning up a breach.
CTI is:
•Timely: catching threats and pending attacks as early as possible •Informative: improving threat, attack, and threat actor identification to enable decision making •Adaptive: customizing and tuning intel for your organization, not just buying intel feeds
Where do they come from?
Correlating an adversary's country of origin with its geopolitical situation can help defenders understand their enemies.
How to mitigate them?
Information about the steps a company can take to protect itself.
CTI Lifecycle
Intelligence Strategy -> Intelligence Aggregation -> Threat Analytics -> Operational Intelligence
Key characteristics of CTI
•Adversary based •Risk focused •Process oriented •Tailored for diverse consumers
Why are they doing it?
Knowing who is behind an attack helps defenders understand their adversary's motivations, how much effort they would put into an attack (advanced persistent threat [APT] vs opportunistic attacks), and how business/industry-specific such attacks could be.
How are they proceeding?
The so-called tactics, techniques, and procedures (TTPs) give insight about the way adversaries typically proceed, the tools and infrastructures they use, and more.
Intelligence Strategy
Threat trending •Asset Identification •Indicators of Compromise •Threat Modeling •Intelligence Buy-in
What is the main goal of cybersecurity?
To protect cyber infrastructure
What do we mean by "protect?"
Confidentiality, Integrity, Availability
What are they after?
With this information defenders can prioritize their actions based on the importance of the asset or assets the attackers are targeting.
Distributed Denial of Service (DDoS)
a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
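As an added example (not from the quiz), the Python script below shows what "flooding the targeted machine with superfluous requests" looks like in a web-server log and how a defender can spot it with a sliding-window request count. It goes slightly beyond the card: it checks both per-source and total request rates, because a distributed attack spreads its requests over many sources so that no single source trips a per-source threshold. The log lines, addresses and thresholds are all constructed for the example.

```python
"""Added example: flagging request floods in constructed web-server log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_log():
    """Build sample access-log lines (constructed, not real traffic): '<ISO timestamp> <source ip> <request>'."""
    base = datetime.fromisoformat("2024-03-01T10:00:00+00:00")
    events = []
    # Benign client: three requests spread over 40 seconds.
    events += [(0, "10.0.0.1"), (20, "10.0.0.1"), (40, "10.0.0.1")]
    # Single noisy source: eight requests in eight seconds.
    events += [(30 + i, "203.0.113.50") for i in range(8)]
    # Distributed flood: six sources, two requests each, all within three seconds.
    events += [(60 + 2 * j, f"198.51.100.{i}") for i in range(1, 7) for j in range(2)]
    events.sort()
    return [f"{(base + timedelta(seconds=s)).isoformat()} {ip} GET /login" for s, ip in events]


def detect_floods(lines, window_seconds=10.0, per_source_threshold=5, total_threshold=10):
    """Return {key: peak requests in any window} for keys over their threshold.

    Keys are source IPs; the special key "*" is the total across all sources.
    Lines are assumed to be in time order, as a server writes them.
    """
    recent = defaultdict(deque)  # key -> timestamps (epoch seconds) still inside the window
    peak = defaultdict(int)
    for line in lines:
        ts_text, ip, *_ = line.split()
        ts = datetime.fromisoformat(ts_text).timestamp()
        for key in (ip, "*"):
            q = recent[key]
            q.append(ts)
            while ts - q[0] >= window_seconds:  # drop timestamps that fell out of the window
                q.popleft()
            peak[key] = max(peak[key], len(q))
    flagged = {}
    for key, count in peak.items():
        limit = total_threshold if key == "*" else per_source_threshold
        if count >= limit:
            flagged[key] = count
    return flagged


if __name__ == "__main__":
    for key, count in detect_floods(constructed_log()).items():
        label = "all sources" if key == "*" else key
        print(f"{label}: {count} requests in a 10 s window")
```

With the constructed data, the single noisy source is caught by the per-source rule, while the six distributed sources only show up in the total count; in practice both thresholds must be set from a measured baseline of normal traffic, or the detector either misses the flood or flags every busy period.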
Decryption
a process that decodes a message or file so that it can be read by the right people
Encryption
a process that encodes a message or file so that it can only be read by certain people
Advanced Persistent Threat (APT)
a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an
NIST Framework
consists of standards, guidelines and best practices to manage cybersecurity risk
Proper identity and access management
enables the right individuals to access the right resources at the right times and for the right reasons
Cyber Threat Intelligence
knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed and disseminated in ways that help security and business staff at all levels protect the critical assets of the enterprise
Ransomware
malicious software that infects a computer, encrypts its files or locks the system, and displays messages demanding a fee to be paid before the system will work again
Threat
often utilize the word _____ to refer to a risk.
Integrity
the ability of a cyber infrastructure to ensure that assets are modifiable only by authorized parties.
Availability
the ability of a cyber infrastructure to ensure that assets are usable by and accessible to all authorized parties.
Confidentiality
the ability of a cyber infrastructure to ensure that assets are viewable only by authorized parties.
NICE Framework
the blueprint to categorize, organize, and describe cybersecurity work
Phishing/spoofing
the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Social Engineering
the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Structure of CTI Lifecycle
• Focus on understanding the organization first, then collecting relevant data, analyzing, using and disseminating intelligence.
Operational Intelligence
•Actionable intelligence •Course of action •Proactive defense •Intelligence dissemination
Threat Analytics
•Cyber kill chain •Hacker profiling & tracking •Fundamental analytics •Visualization
Intelligence Aggregation
•Intelligence Sources •Internal Intelligence •Open Source Intelligence