Lesson Introduction
As a new or recently practicing cybersecurity analyst, you must be able to demonstrate the importance of security intelligence and threat intelligence. As understanding of threat types and actors grows, those threat actors change their tactics and procedures to escape detection. Consequently, identifying and updating robust intelligence sources and setting up effective information sharing systems is a critical part of the role of a cybersecurity analyst. Threat intelligence feeds into the selection and configuration of distinct types of security controls. It is important that you be able to classify the function and operation of different control types.
Lesson Objectives
In this lesson you will:
- Identify security control types.
- Explain the importance of threat data and intelligence.
OBJECTIVES COVERED
Explain the importance of frameworks, policies, procedures, and controls.
In this topic you will review the responsibilities associated with the cybersecurity analyst role and explain the importance of classifying security controls by category and type.
CYBERSECURITY ROLES AND RESPONSIBILITIES
Cybersecurity refers to the protection of personal or organizational information or information resources from unauthorized access, attacks, theft, or data damage over computer or electronic systems and networks. A cybersecurity analyst is a senior position within an organization's security team with direct responsibility for protecting sensitive information and preventing unauthorized access to electronic data and the systems that process it. A cybersecurity team may contain junior and senior analyst levels, and an enterprise may develop specialized roles in different sectors of information assurance. Senior analysts are likely to report directly to the chief information security officer (CISO). Some generic analyst job functions and duties include the following:
- Implementing and configuring security controls, such as firewalls, intrusion detection systems (IDS), and other threat management appliances and software
- Working in a leading role in the computer security incident response team (CSIRT) or security operations center (SOC) to manage security incidents
- Auditing security processes and procedures, performing due diligence on third parties, and delivering employee training
- Performing risk assessments, vulnerability assessments, and penetration tests and recommending appropriate security controls or procedures
- Maintaining up-to-date threat intelligence and awareness and advising on legal, compliance, and regulatory issues
Successful analysts require technical knowledge of network and security systems and programming/software development environments, tools, and procedures. Analysts must also be good at creative thinking and problem solving and be able to describe a problem and devise and report solutions to a nontechnical audience with clarity. Attention to detail and patience are also important characteristics. Finally, incident response situations can be highly pressured, so calm decision making is another important attribute.
SECURITY CONTROL CATEGORIES
Cybersecurity exists within a general process of business risk management. To mitigate risks arising from cyber threats and attacks, organizations must select and implement effective security controls. A security control is something designed to give a particular asset or information system the properties of confidentiality, integrity, availability, and nonrepudiation.
Historically, security controls may have been deployed in haphazard fashion, as a reactive response to emerging threats. For example, when hackers started to penetrate networks in the 1980s, firewalls were created to block access, and as viruses and worms started to infect computer systems in greater numbers through the 1990s, companies started to deploy anti-virus software on their workstations and servers. As modern cyber threats have become more sophisticated, it is now recognized that security controls should be selected and deployed in a structured way, within an overall risk management framework. An important part of this is to classify controls according to their category and/or type of function. This classification process assists in selecting a diversity of complementary controls that can act together to provide layered security or defense in depth.
One means of classifying security controls in the context of an overall risk management framework is set out in the NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations (nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf). This document identifies controls as belonging to one of 18 families, such as access control (AC), audit and accountability (AU), incident response (IR), or risk assessment (RA). The family describes the basic functions of the controls. Similarly, the ISO 27001 framework identifies 14 control categories, such as information security policies, asset management, physical security, communications security, and so on.
The National Institute of Standards and Technology (NIST) Special Publications discussed are available at csrc.nist.gov/publications/sp. ISO 27001 is a proprietary standard (iso.org/standard/54534.html).
In the early versions of 800-53, each family is also assigned to a class, based on the dominant characteristics of the controls included in that family. The control categories identified in the CySA+ exam objectives are like those used by NIST:
- Technical—The control is implemented as a system (hardware, software, or firmware). For example, firewalls, anti-virus software, and OS access control models are technical controls. Technical controls may also be described as logical controls.
- Operational—The control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.
- Managerial—The control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
Later revisions of 800-53 (rev 4 and up) no longer classify families of controls in this way, but individual controls can still be identified as being of a managerial, operational, or technical character.
The NIST schema isn’t the only way of classifying security controls, however. Some schemes do not distinguish between operational and managerial control types, calling them all administrative controls. Also, be aware that security processes may involve multiple controls of diverse types. For example, a vulnerability management process is governed by overall managerial controls that give oversight of the process, operational controls that govern how technicians perform and respond to scans, and technical controls that automate scanning and reporting software.
SECURITY CONTROL FUNCTIONAL TYPES
However they are classified, as a category or family, controls can also be described according to the goal or function they perform:
- Preventative—The control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Access control lists (ACL) configured on firewalls and file system objects are preventative-type controls. Anti-malware software also acts as a preventative control, by blocking processes identified as malicious from executing. Directives and standard operating procedures (SOPs) can be thought of as administrative versions of preventative controls.
- Detective—The control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs provide one of the best examples of detective-type controls.
- Corrective—The control acts to eliminate or reduce the impact of an intrusion event. A corrective control is used after an attack. A good example is a backup system that can restore data that was damaged during an intrusion. Another example is a patch management system that acts to eliminate the vulnerability exploited during the attack.
As no single security control is likely to be invulnerable, it is helpful to think of them as delaying or hampering an attacker until the intrusion can be detected. The efficiency of a control is a measure of how long it can delay an attack.
While most controls can be classed functionally as preventative, detective, or corrective, a few other types can be used to define other cases:
- Physical—Controls such as alarms, gateways, locks, lighting, security cameras, and guards that deter and detect access to premises and hardware are often classed separately.
- Deterrent—The control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties against trespass or intrusion.
- Compensating—The control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.
Adopting a functional approach to security control selection allows you to devise a Course of Action (CoA) matrix that maps security controls to known adversary tools and tactics, matching your cybersecurity defensive capabilities to the offensive capabilities of potential cyber adversaries.
SECURITY CONTROL SELECTION BASED ON CIA REQUIREMENTS
Another way of classifying security controls is to consider how they act to enforce and support the CIA triad—confidentiality, integrity, and availability. Consider the following table in which examples of technical controls are reviewed in terms of how they do or do not uphold the CIA principles.
| Technical Control | Upholds Confidentiality? | Upholds Integrity? | Upholds Availability? |
|---|---|---|---|
| User permissions for network share | Yes, by keeping unauthorized users from accessing shared data | No | No |
| Load balancers for web servers | No | No | Yes, by routing traffic to hosts that are available and have capacity |
| Message authentication codes (MACs) and digital signatures | No | Yes, by recomputing the digest or tag over the received message and comparing it with the one that was sent; any mismatch shows the message was altered | No |
As you can see, no single technology in this list of examples addresses all three attributes. An organization has well-rounded security when it specifically upholds all three components of the CIA triad.
Ultimately, your organization must define which parameters it needs to uphold to mitigate risk—this will drive your process for selecting the right controls. For example, there are several approaches you can use to address risks to confidentiality, such as encryption and access control. In both cases, the goal is to limit the readability of data to only authorized parties. What you implement will depend on your needs as an organization; access control may be enough to keep unwanted users from accessing somewhat sensitive data, but in scenarios where data is much more sensitive, you may want to aim for encryption to achieve the strongest confidentiality assurances.
Front of Flashcard 1 of 3
Despite operating a patch management program, your company has been exposed to several attacks over the last few months. You have drafted a policy to require a lessons learned incident report be created to review the historical attacks and to make this analysis a requirement following future attacks. How can this type of control be classified?
Back of Flashcard 1 of 3
It is implemented as an administrative control as it is procedural rather than technical in nature. Additionally, it is a managerial control rather than an operational control as it seeks oversight of day-to-day processes with a view to improving them. In terms of function, you can classify it as corrective, as it occurs after an attack has taken place.
Front of Flashcard 2 of 3
A bespoke application used by your company has been the target of malware. The developers have created signatures for the application’s binaries, and these have been added to endpoint detection and response (EDR) scanning software running on each workstation. If a scan shows that a binary image no longer matches its signature, an administrative alert is generated. What type of security control is this?
Back of Flashcard 2 of 3
This is a technical control as it is implemented in software. In functional terms, it acts as a detective control because it does not stop malware from replacing the original file image (preventative control) or restore the original file automatically (corrective control).
Front of Flashcard 3 of 3
Your company is interested in implementing routine backups of all customer databases. This will help uphold availability because you will be able to quickly and easily restore the backed-up copy, and it will also help uphold integrity in case someone tampers with the database. What controls can you implement to round out your risk mitigation strategy and uphold the components of the CIA triad?
Back of Flashcard 3 of 3
You should consider the confidentiality component. The backups contain the same privileged information as the live copy and so must be protected by confidentiality controls. Access controls can be used to ensure that only authorized backup operators have access to the data. Encryption can be used as an additional layer of protection.
The Importance of Threat Data and Intelligence
OBJECTIVES COVERED
Explain the importance of threat data and intelligence.
Given a scenario, utilize threat intelligence to support organizational security.
Intelligence-driven defense is a widely accepted approach to information security assurance and critical to the tasks you will perform as a cybersecurity analyst. In this topic you will discover the life-cycle approach to intelligence gathering and usage, and identify reliable sources of threat data.
SECURITY INTELLIGENCE AND THREAT INTELLIGENCE
Security intelligence is the process through which data generated in the ongoing use of information systems is collected, processed, integrated, evaluated, analyzed, and interpreted to provide insights into the security status of those systems. While most security intelligence gathering efforts focus on information about your systems (firewall logs, intrusion detection alerts, and so on), threat intelligence, or more specifically cyber threat intelligence (CTI), provides data about the external threat landscape, such as active hacker groups, malware outbreaks, zero-day exploits, and so on. CTI is typically produced in one of two formats:
- Narrative reports—Analysis of certain adversary groups or a malware sample provided as a written document. These provide valuable information and knowledge, but in a format that must be assimilated manually by analysts. This is most useful at providing strategic intelligence to influence security control selection and configuration.
- Data feeds—Lists of known bad indicators, such as domain names or IP addresses associated with spam or distributed denial of service (DDoS) attacks, or hashes of exploit code. This provides tactical or operational intelligence that can be used within an automated system to inform real-time decisions and analysis as part of incident response or digital forensics.
The combination of security intelligence and CTI data can be processed, correlated, and analyzed to provide actionable insights that will assist you in identifying security problems. For example, security intelligence reveals that DDoS attacks were perpetrated against your web services from a range of IP addresses by collecting log and network traffic data. Threat intelligence associates those IP addresses with a hacktivist group. By linking the two sources of intelligence, you can identify goals and tactics associated with that group and use controls to mitigate further attacks.
SECURITY INTELLIGENCE CYCLE—REQUIREMENTS AND COLLECTION
Security intelligence is about more than just data collection, although collection is a big part of the process. Information regarding potential security problems is hidden within massive amounts of raw data produced as a byproduct through the ongoing use of your information systems. The security intelligence cycle involves various steps you perform to not only collect data, but also to process and analyze it so you can obtain actionable insights, which are formatted and organized to provide decision makers with relevant and useful information.
Requirements
The requirements phase sets out the goals for the intelligence gathering effort. This phase is also widely referred to as Planning and Direction. This phase should show how intelligence will support business goals, such as ensuring a trustworthy repository of company data. The analyst effort needs to be properly costed and resourced, with sufficient staffing levels and tools.
Goals can also be specified in more detail by creating use cases for each intelligence gathering and analysis activity. For example, an automobile manufacturer is highly exposed to compromises of electronics incorporated within its vehicles. Consequently, a vital use case will be implemented to investigate supply chain threats. By defining use cases, you can define specific requirements for intelligence sources and direct analyst effort to providing measurable results. There is a wide variety of potential data sources, some of which you may already capture, such as system and application logs. In other cases, you may need to enable additional logging or tracking capabilities in advance to ensure you have the data you need. Because the collection of some data requires advance planning and preparation, it is important to perform the planning step carefully and think through your intelligence requirements in advance. In a large organization, this should be conducted as a unified effort across departments and functional groups to ensure that the right data is being collected.
This phase should also consider any special factors and constraints that will determine requirements. For example, there may be regulatory or legal stipulations for types of data to gather and for how long it must be retained. There may also be technical constraints and challenges around import requirements for specific software tools.
Collection and Processing
Collection is usually implemented by software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers.
** SIEM is usually pronounced “sim,” though some prefer “see-em” or other variants (twitter.com/anton_chuvakin/status/922607118175256577?lang=en). **
As part of the collection phase, or as a separate phase, the data retrieved from different systems must be processed. Processing puts data into a consistent format so that analysis tools can operate on it effectively. For example, the source IP address might be recorded in many different positions or columns in various log sources. Processing ensures that this data point is referenced consistently, can be searched/indexed, and can be correlated across multiple sources. Some solutions may require extensive scripting or may involve extensive manual processing.
Another consideration for the collection and processing phase is to keep security data secure. Many of the logs used in security intelligence collection contain information that is not only useful to those protecting the organization’s information systems but would also be useful to an attacker.
SECURITY INTELLIGENCE CYCLE—ANALYSIS, DISSEMINATION, AND FEEDBACK
The requirements and collection/processing phases establish a normalized, searchable data set that can be analyzed to produce useful information, or actionable intelligence, for dissemination to information consumers, such as incident response staff, software development teams, and IT operations teams.
Analysis
Once the data has been captured and normalized, significant effort may be required to analyze it and identify anomalies that may point to a potential problem. A comprehensive data set is more likely to capture data that identifies problems, but with more data comes a larger task to normalize, filter, and organize the data into a useful form. Many organizations now collect such volumes of data as to make human analysis impractical. Software solutions are appearing to perform automated analysis, using artificial intelligence (AI) and machine learning (ML) techniques.
Analysis needs to be performed in the context of use cases. Pointing to a large data set and issuing an instruction to “discover evil” is unlikely to yield timely, relevant, and accurate results with a high degree of confidence. Use cases are developed from threat analysis to provide a working model of what to look for within a data set. For example, within the domain of authentication, individual use cases would be developed to detect indicators for irregular Windows and SSH log-ons. Each use case should be supported by filter or query strings to extract relevant data.
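To make the processing and use-case steps concrete, here is an added example in Python (not from the original text or from any SIEM product). It normalizes constructed log lines from a firewall, an sshd auth log, and a Windows Security log export into one schema, so that a source IP that appears as `SRC=`, as `from ...`, or as `IpAddress` becomes a single indexed field. It then runs one authentication use case (repeated failed log-ons from the same source, counted across SSH and Windows together) and joins the hits to a constructed threat-feed excerpt. Every host name, address (RFC 5737 test ranges), log line, and feed grade is an assumption made for the example.

```python
"""Normalize log lines from three sources into one schema, run a use-case
query over the result, and correlate hits with a threat feed.

Added example, not from the original text or any SIEM product. Every log
line, host name, and address below is constructed (RFC 5737 test ranges)."""
import json
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2024  # BSD syslog stamps carry no year; assumed for the constructed data

# Constructed raw data. Note the source IP sits in a different field in each.
FIREWALL_LOG = """\
Mar 10 14:02:11 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22
Mar 10 14:02:12 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP DPT=443
"""
SSHD_LOG = """\
Mar 10 14:02:15 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 14:02:18 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 14:02:21 web01 sshd[2214]: Accepted publickey for deploy from 198.51.100.5 port 40110 ssh2
"""
WINDOWS_LOG = """\
{"TimeCreated": "2024-03-10T14:02:20", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup"}
{"TimeCreated": "2024-03-10T14:02:25", "EventID": 4624, "IpAddress": "198.51.100.5", "TargetUserName": "jsmith"}
"""

SYSLOG_HEAD = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ")
FW_RE = re.compile(r"(?P<action>DROP|ACCEPT) .*SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+)")
SSH_RE = re.compile(r"(?P<action>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def normalize(line, source):
    """Map one raw line to the common schema; None if the line is not of interest."""
    if source == "windows":  # Security log export as JSON lines
        rec = json.loads(line)
        return {"ts": datetime.fromisoformat(rec["TimeCreated"]), "source": source,
                "src_ip": rec["IpAddress"], "user": rec["TargetUserName"],
                "action": "logon_fail" if rec["EventID"] == 4625 else "logon_ok"}
    head = SYSLOG_HEAD.match(line)
    if head is None:
        return None
    ts = datetime.strptime(f"{YEAR} {head.group(1)}", "%Y %b %d %H:%M:%S")
    body = line[head.end():]
    if source == "firewall":
        m = FW_RE.search(body)
        if m is None:
            return None
        return {"ts": ts, "source": source, "src_ip": m["src"], "user": None,
                "action": "fw_drop" if m["action"] == "DROP" else "fw_accept"}
    if source == "sshd":
        m = SSH_RE.search(body)
        if m is None:
            return None
        return {"ts": ts, "source": source, "src_ip": m["src"], "user": m["user"],
                "action": "logon_fail" if m["action"] == "Failed" else "logon_ok"}
    return None


def load_events():
    """Normalize all three sources and return events in time order."""
    events = []
    for raw, source in ((FIREWALL_LOG, "firewall"), (SSHD_LOG, "sshd"), (WINDOWS_LOG, "windows")):
        for line in raw.splitlines():
            ev = normalize(line, source)
            if ev is not None:
                events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def failed_logon_bursts(events, threshold=3, window_s=60):
    """Use case: one source IP fails to log on >= threshold times within window_s.
    Because the schema is shared, SSH and Windows failures count together."""
    by_ip = defaultdict(list)
    for ev in events:  # events are time-ordered, so each per-IP list is too
        if ev["action"] == "logon_fail":
            by_ip[ev["src_ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        for i in range(len(evs) - threshold + 1):
            if (evs[i + threshold - 1]["ts"] - evs[i]["ts"]).total_seconds() <= window_s:
                alerts[ip] = {"count": len(evs),
                              "sources": sorted({e["source"] for e in evs}),
                              "users": sorted({e["user"] for e in evs})}
                break
    return alerts


# Constructed threat-feed excerpt: indicator -> (source reliability, information
# credibility) on the admiralty scale, the grading MISP uses for CTI.
THREAT_FEED = {"203.0.113.7": ("b", 2), "203.0.113.99": ("d", 4)}


def correlate(alerts, feed):
    """Security intelligence (our alerts) joined to CTI (the feed) on src_ip."""
    return {ip: dict(alert, in_feed=ip in feed, grade=feed.get(ip))
            for ip, alert in alerts.items()}


if __name__ == "__main__":
    for ip, hit in correlate(failed_logon_bursts(load_events()), THREAT_FEED).items():
        print(ip, hit)
```

The query is deliberately source-agnostic: once `src_ip` and `action` are normalized, one rule catches an attacker spraying passwords across SSH and Windows, which per-product rules would report as two unrelated counts below threshold. The feed grade travels with the alert so that the consumer, not the collector, decides how much weight a "b/2" versus a "d/4" indicator deserves.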
Dissemination
The dissemination phase refers to publishing information produced by analysis to consumers who need to act on the insights developed. Dissemination can take many forms, from status alerts sent to incident responders to analyst reports circulated to C-suite executives. One of the challenges of implementing this phase is to formulate intelligence in different forms for different audiences. A report written for an audience composed of other analysts will use different language and detail from one advising executive employees. Intelligence distribution can be thought of as occurring at strategic, operational, and tactical levels.
- Strategic intelligence addresses broad themes and objectives, affecting projects and business priorities over weeks and months.
- Operational intelligence addresses the day-to-day priorities of managers and specialists.
- Tactical intelligence informs the real-time decisions made by staff as they encounter alerts and status indicators.
Feedback
The final phase of the cycle is feedback and review, utilizing the input of both intelligence producers and intelligence consumers. The goal of this phase is to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle develops. For example, feedback might address some of the following points:
- Lessons learned—What incidents occurred that threat intelligence failed to mitigate?
- Measurable success—What metrics show the success or failure of intelligence sources? One of the aims of the intelligence cycle should be to avoid collecting information for information’s sake.
- Address evolving security threats—What new features of the threat landscape or the legal/regulatory landscape affect the way security and threat intelligence is collected and used?
THREAT INTELLIGENCE SOURCES
As part of the collection phase of the intelligence cycle, it is important to assess sources as they are incorporated within the data set. This is particularly important when considering threat intelligence, as this data is likely to derive from external sources. Some factors that identify the value of threat intelligence include timeliness, relevancy, accuracy, and confidence level:
- Timeliness—Threats diminish or change and evolve. Once an adversary group has been identified in an analyst’s report, they are likely to try to disguise future activities and adopt different tactics. You must assess whether an intelligence source can research and disseminate updates in a timely manner.
- Relevancy—You must assess whether the intelligence produced by a source is relevant to the use cases developed for your analysis effort. For example, a threat intelligence source that focuses on Windows security is of limited use if your systems are primarily cloud applications accessed via Chrome OS workstations.
- Accuracy—In one sense, accuracy means showing that the information produced is validated and true. Accuracy can also refer to whether the intelligence is of a general or specific nature. Is it specific and accurate in the sense that you can use it to create rulesets in an automated software suite, or is it more strategic in nature? Threat intelligence is combined (or correlated) with security intelligence to produce insights that are directly relevant to your systems. For this to be successful, threat intelligence must be tagged with attributes that can be correlated to attributes in your log files and network traces. There are various schemas and frameworks for classifying threat information, which we will explore later in the course.
- Confidence levels—When a data point or analyst observation is published, the act of publishing lends the point a certain authority. It is usually appropriate to temper that authority by grading the data or analysis on some scale between reliable and unreliable. For example, the MISP Project (misp-project.org/best-practices-in-threat-intelligence.html) codifies the use of the admiralty scale for grading data and the use of estimative language for grading analyst opinion. The admiralty scale rates sources with letters from a (reliable) to g (purposefully deceptive) and information credibility from 1 (confirmed by multiple sources) to 6 (cannot be validated).
PROPRIETARY/CLOSED-SOURCE INTELLIGENCE SOURCES
Threat intelligence is very widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee. Some of these commercial sources primarily repackage information coming from free public registries, while others provide proprietary or closed-source data that may not be found in the free public registries. Closed-source data is derived from the provider's own research and analysis efforts, such as data from honeynets that they operate, plus information mined from their customers' systems, suitably anonymized. Most of the commercial feed providers also market their own platform for processing and disseminating threat intelligence. There are also platform providers who do not produce their own security feeds. Some examples of commercial providers include:
- IBM X-Force Exchange (exchange.xforce.ibmcloud.com)
- FireEye (fireeye.com/solutions/cyber-threat-intelligence/threat-intelligence-subscriptions.html)
- Recorded Future (https://www.recordedfuture.com/platform/threat-intelligence)
OPEN-SOURCE INTELLIGENCE SOURCES
Open-source feeds are available to use without subscription. Open-source repositories include threat feeds similar to the commercial providers, but also reputation lists and malware signature databases. Government agencies represent one source of public threat information. The United States Computer Emergency Readiness Team (US-CERT) provides feeds of current activity and alert news, plus regular bulletins and analyst reports (us-cert.gov/ncas). US-CERT also provides a bidirectional threat feed called Automated Indicator Sharing (AIS), available at us-cert.gov/ais. The UK's National Cyber Security Centre provides similar services via the Cyber Security Information Sharing Partnership (ncsc.gov.uk). Other examples of open-source providers include the following:
- AT&T Cybersecurity, previously AlienVault Open Threat Exchange (OTX) (otx.alienvault.com)
- MISP, the Malware Information Sharing Platform (misp-project.org/feeds)
- Spamhaus (spamhaus.org/organization)
- VirusTotal (virustotal.com)
While threat feeds contribute to explicit knowledge—insights that can be directly applied to a security process—you should also be aware of sources that communicate implicit knowledge. Blogs and contributions to discussion forums from experienced practitioners provide not only reporting on the latest trends in cybersecurity issues, but also invaluable insights into attitudes and instincts that contribute to success in a career as a cybersecurity professional.
** There are too many useful blog and discussion sources to include here, but the list curated by Digital Guardian (digitalguardian.com/blog/top-50-infosec-blogs-you-should-be-reading) is a good starting point. **
** While we are considering open-source or public threat intelligence feeds here, also be aware of the use of the term open-source intelligence (OSINT) to refer to a reconnaissance technique. OSINT refers to methods of obtaining information about a person or organization through public records, websites, and social media. OSINT techniques can also be a source of threat data, as researchers use them to discover more about adversary groups and malicious actors. **
INFORMATION SHARING AND ANALYSIS CENTERS (ISACS)
Since the 1990s, governments have mandated that industries where cyberattack poses risks to life or health or to national security must form public/private partnerships and industry associations to disseminate sector-specific threat intelligence. For each critical industry, Information Sharing and Analysis Centers (ISACs) have been set up. Where a generic open-source or commercial threat intelligence provider might use corporate or academic networks to gather data, ISACs produce data from their members' systems, so the data is highly industry-specific and relevant. Information shared within an ISAC is given legal protections by the Protected Critical Infrastructure Information (PCII) program operated by the Department of Homeland Security (dhs.gov/cisa/pcii-program). A list of all US-based ISACs is available at nationalisacs.org/member-isacs-3. In the UK, the Cyber Security Information Sharing Partnership (ncsc.gov.uk/section/keep-up-to-date/cisp) serves a similar purpose.
Critical Infrastructure
The DHS identifies sixteen critical infrastructure sectors (dhs.gov/cisa/critical-infrastructure-sectors), such as communications, energy, water, nuclear reactors and waste, emergency services, and so on. Each sector is supported by its own ISAC. One of the primary areas of focus for cybersecurity in industries that support critical infrastructure is with embedded systems and industrial control systems.
Government
The Multi-State ISAC (cisecurity.org/ms-isac) serves non-federal governments in the US, such as state, local, tribal and territorial governments. One of the key cybersecurity concerns for governments is interference in the electoral process and the security of electronic voting mechanisms. In fact, there is an ISAC dedicated to election infrastructure security issues (cisecurity.org/ei-isac).
Healthcare
Healthcare providers are targeted by criminals seeking blackmail and ransom opportunities by compromising patient data records or by interfering with medical devices. The Health ISAC is at h-isac.org.
Financial
The financial sector is an obvious target for fraud and extortion. Attackers can target both individual account holders and financial institutions themselves. Serious financial shocks, such as major trading platform or ATM outages, can also pose a national security risk. The Financial Services ISAC is at fsisac.com.
Aviation
As with most commercial industries, the aviation industry is targeted for fraud, but there are also substantial risks from terrorists or hostile nation-state actors seeking to disrupt services or cause casualties. Air traffic control and the safe operation of aircraft depends on many interconnected systems, some of which use aging infrastructure or technology that is susceptible to interference and spoofing, such as radar and GPS. The Aviation ISAC is at a-isac.com.
What do these steps look like from the pen tester’s/hacker’s perspective?
What do these steps look like from the security analyst’s/defender’s perspective?
Locard's Exchange Principle
The perpetrator of a crime will:
- Bring something to the crime scene
- Leave something at the crime scene
Map controls to IoCs (Indicators of Compromise)
Focus on essential resources:
- Servers (application level)
- End users (log-ons, privilege escalation)
- Endpoints
- Processes
The goal:
- Obtain information about
  - Indicators of Attack (IoA)
  - Indicators of Compromise (IoC)
- Apply logic and specific conditions
  - Context
  - Boolean
- Identify courses of action
Information Sharing Ecosystem
- Information Sharing and Analysis Center (ISAC) – the formal, established model
  - Two-way: gathers intelligence from members and disseminates it back to them
  - Organized by critical infrastructure sector
- Information Sharing and Analysis Organization (ISAO) – the less formal model
  - Not organized by sector (may form around a region, a technology, or a shared interest)
  - Less exclusive membership
  - Fewer legal restrictions
ISAC Essentials
- Organized by sector, for example:
  - Automotive
  - Aviation
  - Manufacturing
  - IT
  - Finance
  - Healthcare
  - Energy
  - Elections
ISAO Essentials
- Must conform to minimum standards (published by the ISAO Standards Organization)
- But less restrictive than an ISAC
- Both ISACs and ISAOs can exchange machine-readable indicators with CISA through Automated Indicator Sharing (AIS): https://cisa.gov/automated-indicator-sharing-ais
STIX – Structured Threat Information eXpression
- Standardized language (JSON in STIX 2.x) for describing threat information: indicators, malware, threat actors, campaigns, courses of action, and the relationships between them
- Originally developed by MITRE
- Now maintained by the OASIS Cyber Threat Intelligence (CTI) Technical Committee
- Used by ISACs, ISAOs, and CISA’s AIS program to exchange intelligence
TAXII – Trusted Automated eXchange of Intelligence Information
- Defines how cyber threat information is shared over HTTPS: the services (endpoints) and the message exchanges between client and server. TAXII carries STIX content but does not define it.
- Three sharing models (TAXII 1.x terminology)
  - Hub and spoke
  - Source / subscriber
  - Peer to peer
- TAXII 2.x organizes shared content into Collections hosted under API Roots; clients pull (GET) or push (POST) STIX objects against a collection
- Yeti – an open-source proof-of-concept TAXII server implementation
Sharing categorized threat intel via TAXII
- Clients push and pull information
  - By category (collection)
  - By threat
- Organizations then ingest that intelligence into their own tools (SIEM rules, firewall and DNS blocklists)
- Sharing with groups
  - Organizations with a TAXII client can push information to TAXII servers
  - Group members trust the source
  - Private (restricted-membership) groups can exist
- TAXII clients
  - STAXX (Anomali’s free STIX/TAXII client)
Joining a threat feed
- Using the STAXX client:
  - Download and install the STAXX client
  - Configure your data sources (the TAXII servers and collections to poll)
  - Set up your download schedule
- Using another TAXII client (e.g., Yeti, available for download):
  - Find a feed service
  - Set up the client
- Service-side requirements (for example, to connect to CISA’s AIS):
  - Purchase or otherwise obtain a PKI certificate from a commercial provider
  - Provide additional information (e.g., your client’s IP address) and sign the participation agreements
- Connect and retrieve intelligence
- Customize it for your environment and share back
https://yeti-platform.github.io/
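The STIX and TAXII notes above describe a pull that is easy to get wrong in practice: a client has to send the right media type, follow pagination, and then turn STIX indicator patterns into something a detection tool can load, dropping indicators whose validity window has closed. The following is an added example for this lesson, not code from the lesson, from OASIS, or from any TAXII product. The API root, the collection id, the indicator ids and the two envelope pages are constructed; the `/collections/{id}/objects/` path, the `application/taxii+json;version=2.1` media type and the `added_after`, `next`, `limit` and `match[type]` query parameters follow the TAXII 2.1 specification. The HTTP call is replaced by a simulated server so the example runs offline.

```python
"""Pull STIX 2.1 indicators from a TAXII 2.1 collection (offline simulation).

Added example for this lesson; not code from the lesson, OASIS, or any TAXII
product. The API root, collection id and envelope pages are constructed; the
endpoint path, media type and query parameters follow TAXII 2.1.
"""
import re
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional, Tuple

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"
SHA256_SAMPLE = "a" * 64  # constructed placeholder hash value, not a real sample


def objects_request(api_root: str, collection_id: str, added_after: Optional[str] = None,
                    next_token: Optional[str] = None, limit: int = 100
                    ) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Build the GET against a collection's objects endpoint: (url, headers, query)."""
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    headers = {"Accept": TAXII_MEDIA_TYPE}
    params = {"limit": str(limit), "match[type]": "indicator"}
    if added_after:
        params["added_after"] = added_after   # incremental pull since the last run
    if next_token:
        params["next"] = next_token           # continue a paginated response
    return url, headers, params


# Constructed TAXII envelopes, keyed by the "next" token the client sends back.
FAKE_PAGES: Dict[Optional[str], dict] = {
    None: {"more": True, "next": "p2", "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8c1c7b43-3c8a-4d2e-9a3d-1b2c3d4e5f60",
         "created": "2024-03-01T00:00:00.000Z", "modified": "2024-03-01T00:00:00.000Z",
         "name": "Beacon domain", "pattern_type": "stix", "confidence": 85,
         "pattern": "[domain-name:value = 'cdn-update.example']",
         "valid_from": "2024-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--2f0a6d81-7e54-4b0f-8d1a-6c5e4f3a2b10",
         "created": "2024-02-20T00:00:00.000Z", "modified": "2024-02-20T00:00:00.000Z",
         "name": "Scanner IPs", "pattern_type": "stix", "confidence": 60,
         "pattern": "[ipv4-addr:value = '203.0.113.7'] OR [ipv4-addr:value = '203.0.113.8']",
         "valid_from": "2024-02-20T00:00:00Z", "valid_until": "2024-03-10T00:00:00Z"},
    ]},
    "p2": {"more": False, "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--5b9e1c22-0d3f-4a7b-9e8c-7d6f5e4d3c20",
         "created": "2024-03-02T00:00:00.000Z", "modified": "2024-03-02T00:00:00.000Z",
         "name": "Dropper hash", "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{SHA256_SAMPLE}']",
         "valid_from": "2024-03-02T00:00:00Z"},
        # match[type]=indicator was requested, but a defensive client still filters.
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c40",
         "created": "2024-03-02T00:00:00.000Z", "modified": "2024-03-02T00:00:00.000Z",
         "name": "Dropper", "is_family": False},
    ]},
}


def simulated_server(url: str, headers: Dict[str, str], params: Dict[str, str]) -> dict:
    """Stand-in for the HTTP call; a real client would issue GET url with these headers/params."""
    if headers.get("Accept") != TAXII_MEDIA_TYPE:
        raise ValueError("server would answer 406 Not Acceptable")
    return FAKE_PAGES[params.get("next")]


def fetch_pages(api_root: str, collection_id: str, added_after: Optional[str] = None) -> Iterator[dict]:
    """Follow 'more'/'next' until the server reports the collection is exhausted."""
    token = None
    while True:
        page = simulated_server(*objects_request(api_root, collection_id, added_after, token))
        yield page
        if not page.get("more"):
            return
        token = page["next"]


# One STIX comparison expression: <object type>:<property path> = '<value>'
COMPARISON_RE = re.compile(r"([a-z0-9-]+):((?:[A-Za-z0-9_.\-]|'[^']*')+)\s*=\s*'([^']*)'")


def _ts(value: str) -> datetime:
    # STIX timestamps end in 'Z'; fromisoformat wants an explicit offset on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_indicators(pages: List[dict], now: datetime) -> List[dict]:
    """Flatten indicator patterns into rows a detection tool can load; drop expired or revoked ones."""
    rows = []
    for page in pages:
        for obj in page.get("objects", []):
            if obj.get("type") != "indicator" or obj.get("revoked"):
                continue
            if "valid_until" in obj and _ts(obj["valid_until"]) <= now:
                continue  # validity window closed: do not alert on stale indicators
            for obj_type, path, value in COMPARISON_RE.findall(obj["pattern"]):
                rows.append({"indicator_id": obj["id"], "object_type": obj_type,
                             "property": path.replace("'", ""), "value": value,
                             "confidence": obj.get("confidence"),
                             "valid_from": obj["valid_from"]})
    return rows


if __name__ == "__main__":
    pages = list(fetch_pages("https://taxii.example/api1", "col-1", added_after="2024-02-01T00:00:00Z"))
    for row in extract_indicators(pages, datetime.now(timezone.utc)):
        print(row)
```

Two points worth carrying into a real client: keep the `added_after` value from the previous successful run so each poll is incremental rather than a full re-download, and treat `confidence` as optional, because many feeds omit it and a missing value should not be read as high confidence.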
THREAT INTELLIGENCE SHARING
As well as identifying timely, relevant, and accurate sources of threat intelligence, you need to consider use cases for making that data actionable as it is disseminated to different intelligence consumers. Threat intelligence can be used to improve capabilities across different security functions.
Risk Management and Security Engineering
Risk management identifies, evaluates, and prioritizes threats and vulnerabilities to reduce their negative impact. Security engineering focuses on the design and architecture of hardware, software, and network platforms to reduce their attack surface. Strategic threat intelligence is important for establishing an up-to-date model of threat sources and actors, and their motivations, capabilities, and tactics. This model can be used as part of a risk management framework and security engineering to select and deploy new technical and administrative security controls, or to improve the configuration of existing controls. Threat intelligence should be shared with network and application operational security teams so that they can apply best practices to the controls that they have responsibility for. For example, threat intelligence can provide information about new vectors for attacking application code. It is important for this information to be shared with software development teams so that they can adopt suitable secure coding practices in response.
Incident Response
Where risk management and security engineering make best use of strategic insights, incident response is better served by operational and tactical insights. For example, the analysis benefit of tactical threat intelligence is to allow you to pivot from a data point, such as a suspect DNS domain in a web access log entry, to information about that domain on a reputation list, and whether it is associated with specific malware tools or adversary groups.
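The pivot described in this paragraph, and the earlier notes on mapping controls to IoCs with context and Boolean conditions, come down to the same piece of detection logic: match a data point in a log against an indicator list, apply context before deciding it is a true positive, and attach a course of action. The following is an added example, not code from the lesson or from any vendor tool. The indicator list, the allowlisted host, the course-of-action table and the five proxy-log lines are all constructed for illustration; the log format (client IP, hostname, timestamp, request line, status) is a simplified access-log layout assumed for the example.

```python
"""IoC matching with context and Boolean conditions over sample log lines.

Added example, not part of the original lesson. Indicators, allowlist, log
lines and the course-of-action table are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed indicator list, each tagged with confidence (0-100) and its source.
INDICATORS: Dict[str, Dict[str, dict]] = {
    "domain": {
        "cdn-update.example": {"confidence": 90, "source": "sector ISAC feed", "tag": "c2"},
        "static.example": {"confidence": 30, "source": "open-source list", "tag": "adware"},
    },
    "ip": {
        "203.0.113.7": {"confidence": 80, "source": "sector ISAC feed", "tag": "scanner"},
    },
}

# Context: internal hosts expected to touch low-confidence indicators (e.g. a scanner).
ALLOWLISTED_HOSTS = {"proxy-scanner.corp"}

# Course of action keyed by (indicator tag, confidence band).
COURSES_OF_ACTION = {
    ("c2", "high"): "isolate host, open incident, collect memory image",
    ("scanner", "high"): "block source IP at perimeter, review WAF logs",
    ("adware", "low"): "ticket to desktop support, no containment",
}

# Assumed log layout: client_ip hostname - [timestamp] "METHOD url PROTO" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<host>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
    r'(?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 test addresses and .example names).
SAMPLE_LOG = [
    '10.0.0.5 ws-finance-01 - [12/Mar/2024:09:01:17 +0000] "GET http://cdn-update.example/beacon HTTP/1.1" 200',
    '10.0.0.9 proxy-scanner.corp - [12/Mar/2024:09:02:03 +0000] "GET http://static.example/ad.js HTTP/1.1" 200',
    '10.0.0.12 ws-hr-04 - [12/Mar/2024:09:02:41 +0000] "GET http://static.example/ad.js HTTP/1.1" 200',
    '203.0.113.7 ext - [12/Mar/2024:09:03:00 +0000] "GET http://www.corp.example/login HTTP/1.1" 401',
    '10.0.0.7 ws-dev-02 - [12/Mar/2024:09:04:10 +0000] "GET http://intranet.corp/ HTTP/1.1" 200',
]


@dataclass
class Match:
    ioc_type: str
    value: str
    confidence: int
    source: str
    context: str
    course_of_action: str


def _band(confidence: int) -> str:
    return "high" if confidence >= 70 else "low"


def _domain_from_url(url: str) -> Optional[str]:
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else None


def evaluate_line(line: str) -> Optional[Match]:
    """Return a Match when the line hits an IoC and the context does not exclude it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, src_ip = m.group("host"), m.group("src")
    domain = _domain_from_url(m.group("url"))

    # Pivot: does any data point in the line appear on the indicator list?
    hit_type, hit_value = None, None
    if domain and domain in INDICATORS["domain"]:
        hit_type, hit_value = "domain", domain
    elif src_ip in INDICATORS["ip"]:
        hit_type, hit_value = "ip", src_ip
    if hit_type is None:
        return None

    ioc = INDICATORS[hit_type][hit_value]
    # Boolean condition: allowlisted host AND low confidence -> suppress (likely false positive).
    if host in ALLOWLISTED_HOSTS and ioc["confidence"] < 70:
        return None
    coa = COURSES_OF_ACTION.get((ioc["tag"], _band(ioc["confidence"])), "triage manually")
    return Match(hit_type, hit_value, ioc["confidence"], ioc["source"],
                 f"host={host} status={m.group('status')}", coa)


def evaluate_log(lines: List[str]) -> List[Match]:
    return [r for r in (evaluate_line(line) for line in lines) if r]


if __name__ == "__main__":
    for hit in evaluate_log(SAMPLE_LOG):
        print(hit)
```

The second and third lines hit the same low-confidence domain; only the one from an ordinary workstation is reported, which is the context-based suppression the notes describe. In a real deployment the `INDICATORS` table would be loaded from an ingested feed and the `COURSES_OF_ACTION` table from the organization's playbooks, but the evaluation logic is the same.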
Vulnerability Management
At a strategic level, threat intelligence can identify previously unrecognized sources of vulnerabilities, such as embedded systems, Internet of Things (IoT) home automation devices, deep fakes (https://www.securityweek.com/deepfakes-are-growing-threat-cybersecurity-and-society-europol), or AI-facilitated fuzzing to discover zero-day vulnerabilities (threatpost.com/using-fuzzing-to-mine-for-zero-days/139683). At an operational level, threat intelligence can identify priorities for remediation, such as a campaign targeting a vulnerability in web server software. Threat intelligence can also provide ongoing monitoring and analysis of vulnerabilities such as Meltdown and Spectre (securityintelligence.com/spectre-meltdown-and-more-what-you-need-to-know-about-hardware-vulnerabilities), which could pose lasting risks well past the impact of their initial announcement.
Detection and Monitoring
Acquiring accurate and relevant information about attacks suffered by organizations working in similar industries will improve automated detection and monitoring systems, though there will be some increased risk of false positive alerts and notifications. Adding more rules and definitions based on observed incidents to automated tools will create more chances for malicious indicators to be matched (true positives). Unfortunately, it also creates more chances for non-malicious data points to be matched as suspected indicators (false positives).
As well as improving operational capabilities, threat intelligence promotes new strategic approaches to information assurance, such as proactive threat modeling and threat hunting techniques, which will be the subject of the next lesson.
Front of Flashcard 1 of 3
Your chief information security officer (CISO) wants to develop a new collection and analysis platform that will enable the security team to extract actionable data from its assets. The CISO would like your input as far as which data sources to draw from as part of the new collection platform, worrying that collecting from too many sources, or not enough, could both impede the company’s ability to analyze information. Is this a valid concern, and how can it be addressed within an intelligence life cycle model?
Back of Flashcard 1 of 3
Yes, it is a valid concern. The requirements (or planning and direction) phase of the intelligence cycle can be used to evaluate data sources and develop goals and objectives for producing actionable intelligence to support use cases demanded by intelligence consumers. You can also mention that the feedback phase of the cycle provides the opportunity to review sources and determine whether they are delivering valuable intelligence.
Front of Flashcard 2 of 3
What are the characteristics to use to evaluate threat data and intelligence sources?
Back of Flashcard 2 of 3
Firstly, you can distinguish sources as either proprietary/closed-source, public/open-source, or community-based, such as an ISAC. Within those categories, data feeds can be assessed for timeliness, relevancy, and accuracy. It is also important for analyst opinions and threat data points to be tagged with a confidence level.
Front of Flashcard 3 of 3
What are the phases of the intelligence cycle?
Back of Flashcard 3 of 3
Requirements (planning and direction), collection (and processing), analysis, dissemination, and feedback.
Practice Questions
Question 1
A security firm hires a new cybersecurity analyst. The CIO mentions that he hired the candidate for exceptional soft skills. Which skills relevant to the position is the CIO referring to? Select all that apply.
A. Creative thinking
B. Problem solving
C. Software development
D. Information protection
** Soft skills are just as important as technical skills. Creative thinking skills allow an individual to envision and consider different approaches to an issue at hand.
Problem solving skills are useful in approaching and considering a resolution to an incident. Such skills allow for an individual to consider all possibilities, both traditional and non-traditional, and the steps required within to remedy a situation.
Software development is a technical skill required to create functional software applications.
Information protection refers to the steps and processes that enable the safekeeping and security of electronic data **
Question 2
A security firm establishes an office in a new building. In the office, security analysts monitor and manage client systems for security concerns. The office functions as which type of facility?
- ISAC
- NOC
- SOP
- SOC
** A Security Operations Center (SOC) is a location where security professionals monitor and protect critical information assets in an organization.
Information Sharing and Analysis Centers (ISAC) gather and produce data from member systems in sector-specific areas. The resulting data is highly industry-specific and relevant in researching threat intelligence.
A Network Operations Center (NOC) is a location where personnel monitor and maintain the health of server systems, including communication and connectivity.
A Standard Operating Procedure (SOP) is a set of documented steps and notes used as a guideline for a process. **
Question 3
A client asks a security analyst to construct a security plan for a small business. The resulting plan outlines several suggested controls. One such control is the placement of a security guard outside of a high-profile datacenter. Evaluate the control classes and determine which one the analyst specifies.
- Managerial
- Technical
- Operational
- Detective
** People, rather than systems, implement an operational control. For example, security guards and training programs are operational controls.
A managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation of other controls.
Systems (hardware, software, or firmware), implement a technical control. For example, firewalls, anti-virus software, and OS access control models are technical controls.
A detective control is a functional control that may not prevent or deter access. It will identify and record any attempted or successful intrusion. A system log is an example of a detective control. **
Question 4
A technology firm configures a backup system that protects several Windows servers. The backup runs a full job once over the weekend, and differential jobs, daily, during the week. In the event of an attack on a system, which security function does the backup system perform?
- Corrective
- Preventative
- Detective
- Compensating
** After an attack, a system uses a corrective control. A good example is a backup system that can restore data damaged during an intrusion.
A preventive control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. An access control list (ACL) is an example of a preventive control.
A detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Systems logs are an example of a detective control.
A compensating control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection. **
Question 5
The IT department at a medium-sized manufacturer, deals with cyber threats daily. In response to the growing level of malicious activity, the IT manager establishes guidelines based on the security intelligence lifecycle. Which phase of the lifecycle does the IT manager use to distribute information to executives?
- Feedback
- Dissemination
- Analysis
- Collection
** The dissemination phase refers to publishing information produced by analysis, to consumers who need to act on the insights developed.
The final phase of the cycle is one of feedback and review, utilizing the input of both intelligence producers and intelligence consumers. A goal of this phase is to improve the implementation of the requirements.
Once the system captures and normalizes the data, an analyst examines it in the analysis phase to identify anomalies that may point to a potential problem.
The collection phase is usually implemented by software suites such as security information and event management (SIEM) systems. **
Question 6
The CIO of a financial datacenter creates a threat assessment matrix. Which factor helps to identify threats as they relate to specific industries?
- Timeliness
- Accuracy
- Confidence
- Relevancy
** Relevancy: some threat intelligence sources focus heavily on specific industries, such as healthcare, and the insights they generate may not be as relevant to other sectors.
Timeliness: threats diminish, change, and evolve, so you should assess whether an intelligence source can research and disseminate updates in a timely manner.
Accuracy means showing that any information produced is validated and true. Accuracy can also refer to whether any intelligence is of a general or specific nature.
Confidence: publishing a data point or analyst observation lends it a certain authority, so each should be tagged with a confidence level that states how sure the producer is of it. **
Question 7
The IT security engineer at a large auto dealership implements tools to monitor and detect attempted attacks that are specific and relevant to the organization. Evaluate the varying approaches and determine which one the engineer utilizes when implementing such tools.
- Acquiring information about attacks suffered by organizations working in similar industries.
- Establishing an up-to-date model of threat sources and their motivations, capabilities, and tactics.
- Identifying previously unrecognized sources of vulnerabilities.
- Using threat intelligence to identify priorities for remediation.
** Acquiring relevant information about attacks suffered by organizations in similar industries improves automated detection and monitoring systems, although some increased risk of false positive alerts and notifications may occur.
Strategic threat intelligence is important for establishing an up-to-date model of threat sources and actors, and their motivations, capabilities, and tactics. This model is used as part of a risk management framework.
At a strategic level, threat intelligence can identify previously unrecognized sources of vulnerabilities, such as embedded systems, Internet of Things (IoT) home automation devices, deep fakes, and more.
At an operational level, threat intelligence can identify priorities for remediation, such as a campaign targeting a vulnerability in web server software. **
Question 8
Management at a large legal firm establishes a policy that warns of legal penalties for unauthorized access to any internal computer system. Considering security controls and their functions, which safeguard does management put in place?
- Detective
- Compensating
- Deterrent
- Preventative
** A deterrent control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties.
A detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Systems logs are an example of a detective control.
A compensating control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection.
A preventive control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. An access control list (ACL) is an example of a preventive control. **
Question 9
Which of the following formats are typically produced by cyber threat intelligence? Select all that apply.
- Vulnerability management
- Narrative reports
- Security engineering
- Data feeds
** Narrative reports can contain analysis of certain adversary groups, or a malware sample provided as a written document. These provide valuable information and knowledge, but only in a format assimilated manually by analysts.
Data feeds may contain lists of known bad indicators, such as domain names or IP addresses associated with spam or distributed denial of service (DDoS) attacks, or hashes of exploit code.
Vulnerability management is a use case that consumes threat intelligence (for ongoing monitoring and analysis of vulnerabilities), not a format in which intelligence is produced.
Security engineering, which focuses on the design and architecture of hardware, software, and network platforms to reduce their attack surface, is likewise a consumer of threat intelligence rather than an output format. **
Question 10
The security intelligence lifecycle includes the process of identifying anomalies that may point to a potential problem. In which phase does this activity take place?
- Feedback
- Analysis
- Dissemination
- Collection
** Once a system captures and normalizes data, an analyst examines it in the analysis phase to identify anomalies that may point to a potential problem.
The final phase of the cycle is one of feedback and review, utilizing the input of both intelligence producers and intelligence consumers. A goal of this phase is to improve the implementation of the requirements.
The dissemination phase refers to publishing information produced by analysis to consumers who need to act on the insights developed.
Software suites usually implement the collection phase in the life cycle, such as security information and event management (SIEM). **
Performance-based Questions
An insurance firm contracted you as a security expert. The firm has changed ownership many times and does not have any IT presence or systems use policies and procedures in place. Currently, the data center is accessible to any employee or visitor at any time of the day. As a result, the company’s data is vulnerable to damage and/or theft. To remedy the situation, the company hires you as part of the team to implement improvements. To organize and present your suggestions, you create a Course of Action (CoA) matrix. To be effective, you decide that the matrix should utilize a mix of control classes and functions.
Notes and Requirements
- Utilize a combination of operational, technical, and managerial security solutions.
- Identify appropriate solutions and their control function type.
- The data center is in a heavily-traveled area of the building and should be secure.
- Systems use needs hardening.
- Management requests a synchronized backup solution.
- Management requests a physical lock on the datacenter door.
- Management is open to using written policies to reinforce how the firm uses systems and data.
- Management would like access to be role-based.
- The firm’s location is a shared space that has 24-hour monitoring personnel.
ANSWERS
Issue | Technical control | Operational control | Managerial control
Datacenter security | Locking mechanism requested – BIOMETRICS | Monitoring solution suggested – SECURITY GUARD | Set company expectations – SECURITY POLICY
Systems security | Implement an auditing process – EVENT LOGS | Establish role-based permissions – STAFF RESPONSIBILITIES | Set staff expectations – ACCEPTABLE USE POLICY
Disaster recovery | Synchronized storage plan – CLOUD SERVICE | Create an incident response plan – RECOVERY PROCEDURES | Establish guidelines – INCIDENT TRAINING
REASONING
Securing the datacenter is a high priority. Since management requested a physical lock, you recommend a biometric lock. As the firm’s location is in a shared space with a 24-hour security presence, you recommend that a security guard add the datacenter to the routine rounds. You also suggest that management create a policy regarding the appropriate personnel and their use of systems in the datacenter.
In an effort to secure systems use, you recommend an audit policy that logs all (successful and failed) logins for the systems. As management requests that systems use and related permissions be role-based, it is essential to understand and outline departmental roles and rights. Lastly, you recommend that management create a specific systems use policy to govern what personnel may and may not use the systems for.
For the area of disaster recovery, you recommend a cloud sync service for data as requested. As part of operational goals for the firm, you also recommend an incident response plan. This plan will address contacts, and the order of procedures to follow, in the event there is an incident. An overall training program, approved by management, will complement the incident response plan.