Security+ Topic 2B: Explain threat intelligence sources; Lesson 2: Explaining threat actors and threat intelligence
What is the dark net?
A network established as an overlay on Internet infrastructure by software that anonymizes usage and prevents a third party from knowing about the existence of the network or analyzing any activity taking place over it.
What is the dark web?
Any part of the World Wide Web that is not indexed by a search engine.
You are assessing whether to join AIS. What is AIS and what protocol should your SIEM support in order to connect to AIS servers?
Automated Indicator Sharing (AIS) is a service offered by the Department of Homeland Security (DHS) for participating in threat intelligence sharing. AIS uses the Trusted Automated eXchange of Indicator Information (TAXII) protocol as a means of transmitting CTI data between servers and clients.
What does AIS stand for?
Automated Indicator Sharing
The outputs from the primary research undertaken by security solutions providers and academics can take three main forms. What are these forms?
Behavioral threat research, reputational threat intelligence, threat data
TAXII data pushed to subscribers is called what?
Channel
TAXII data requested by the client is called what?
Collection
What does CVE stand for?
Common Vulnerabilities and Exposures
Threat data is also known as what?
Cyber threat intelligence (CTI) data
You are consulting on threat intelligence solutions for a supplier of electronic voting machines. What type of threat intelligence source would produce the most relevant information at the lowest cost?
For critical infrastructure providers, threat data sharing via an Information Sharing and Analysis Center (ISAC) is likely to be the best option.
Within TTP, describe techniques
Generalized attack vectors
What does IoC stand for?
Indicator of Compromise
What does ISAC stand for?
Information Sharing and Analysis Centers
What is Common Vulnerabilities and Exposures (CVE)?
It is a list of vulnerabilities that are stored in databases
Define Trusted Automated eXchange of Indicator Information (TAXII)
It is a protocol that provides a means for transmitting CTI data between servers and clients.
What is an indicator of compromise (IoC)?
It is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked. Put another way, an IoC is evidence of a TTP.
What is automated indicator sharing (AIS)?
It is a service offered by the Department of Homeland Security for companies to participate in threat intelligence sharing.
What is a threat map?
It is an animated graphic showing the source, target, and type of attacks that have been detected by a CTI platform.
Describe the function of ISACs
They are public and private information-sharing centers, set up in many critical industries to share threat intelligence and promote best practice.
What is reputational threat intelligence?
It's a list of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.
What does OSINT stand for?
Open Source Intelligence
Your CEO wants to know if the company's threat intelligence platform makes effective use of OSINT. What is OSINT?
Open source intelligence (OSINT) is cybersecurity-relevant information harvested from public websites and data records. In terms of threat intelligence specifically, it refers to research and data feeds that are made publicly available.
Define Structured Threat Information Expression (STIX)
Provides the framework and standard terminology for IoCs and ways of indicating relationships between them. Provides the syntax for describing CTI.
Within TTP, describe procedures
Specific intrusion tools and methods
Within TTP, define tactics
Strategy and approach
What does STIX stand for?
Structured Threat Information eXpression
Threat research is a counterintelligence gathering effort in which security companies and researchers attempt to discover the TTPs of modern cyber adversaries. What is TTP?
Tactics, techniques, procedures
What does TAXII stand for?
Trusted Automated eXchange of Indicator Information