Threat Intelligence Sources | CompTIA Security+ SY0-601 | 1.5c

In this video you will learn about threat intelligence sources such as: open-source intelligence, vulnerability databases, public/private information sharing centers, the dark web, indicators of compromise, automated indicator sharing, predictive analysis, threat maps, & file/code repositories.

Threat Intelligence

Threat intelligence is the practice of collecting data, information, and knowledge that keep an organization informed about potential cyber security threats.  It covers attacks that have happened in the past, are happening now, and may affect the organization in the future.  Through threat intelligence, IT organizations gain a deeper understanding of their exposure and can organize and prioritize the work needed to mitigate known threats.[1]

Open-Source Intelligence (OSINT)

Open-source intelligence is the collection and analysis of data gathered from open sources (overt and publicly available sources) to produce actionable intelligence.  OSINT is used primarily in national security, law enforcement, and business intelligence, and it is of value to analysts who use non-sensitive information to answer classified, unclassified, or proprietary intelligence requirements alongside the other intelligence disciplines.  OSINT can be divided into six categories of information:[2]

  • Media:  print newspapers, magazines, radio, & television from across and between countries.
  • Internet:  online publications, blogs, discussion groups, citizen media, YouTube, etc.  This source outpaces most others in timeliness and ease of access.
  • Public Government Data:  public government reports, budgets, hearings, telephone directories, press conferences, websites, and speeches.  Although this information comes from an official source, it is publicly accessible and may be used openly and freely.
  • Professional & Academic Publications:  information acquired from journals, conferences, symposia, academic papers, dissertations, and theses.
  • Commercial Data:  commercial imagery, financial & industrial assessments, and databases.
  • Gray Literature:  technical reports, preprints, working papers, business documents, unpublished works, & newsletters.

Vulnerability Databases

A vulnerability database is a platform for collecting, maintaining, and disseminating information about discovered computer security vulnerabilities.  Each entry customarily describes the vulnerability, assesses its potential impact on affected systems, and lists any workarounds or updates that mitigate the issue.  The database assigns every cataloged vulnerability a unique numeric or alphanumeric identifier (the CVE ID is the identifier most databases share, which is what lets you correlate an entry across vendor advisories, scanners, and feeds), and it commonly records a severity score such as a CVSS base score.  Information can be made available via web pages, exports, or APIs, and can be offered for free, for pay, or a combination thereof.  Two caveats for practitioners: a database entry usually lags public disclosure, and a generic severity score describes the flaw, not your exposure, so it should be combined with knowledge of which affected versions you actually run and whether the vulnerable component is reachable.

Public/Private Information Sharing Centers

Information Sharing and Analysis Centers (ISACs) are industry-specific organizations that gather and share information on cyber threats to critical infrastructure.  ISACs also facilitate the sharing of data between public and private sector groups.[14]  Examples include the automotive, aviation, communications, IT, and healthcare ISACs.[6]

Dark Web

The dark web is World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access.[3]  Through the dark web, private computer networks can communicate and conduct business anonymously without divulging identifying information.[4]  The dark web forms a small part of the deep web, the part of the web not indexed by search engines, although the term “deep web” is sometimes mistakenly used to refer specifically to the dark web.[5]  In some cases, security professionals go to the dark web to perform research and look for threats and exploits that could affect their organization, such as stolen credentials or data offered for sale.  This is why several companies sell “dark web monitoring” and threat intelligence services.[6]

Indicators of Compromise (IoC)

An indicator of compromise, in computer forensics, is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.[7]  Typical indicators of compromise are virus signatures, IP addresses, MD5 or SHA-256 hashes of malware files, and URLs or domain names of botnet command and control servers.  After IoCs have been identified through incident response and computer forensics, they can be used for early detection of future attack attempts by intrusion detection systems and antivirus software.  Keep in mind that such atomic indicators are cheap for an attacker to change (a recompiled binary has a new hash, and command and control infrastructure rotates), so IoC lists age quickly, need expiry dates, and work best alongside detections of attacker behaviour.
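What “using IoCs for detection” looks like in practice is a matcher run over telemetry.  The block below is an added example, not code from the page: it takes a small constructed indicator set (RFC 5737 documentation addresses, reserved example domains, and a hash computed from a constructed byte string rather than any real malware) and scans constructed key=value log lines, handling the normalization mistakes that make naive matchers miss hits: upper-case domains, trailing-dot FQDNs, subdomains of a listed domain, and upper-case hex digests.

```python
"""Match atomic indicators of compromise against sample telemetry.

Added example; not code from the page. The indicator set and log lines are
constructed for illustration: RFC 5737 documentation addresses, reserved
example domains, and a hash computed from a constructed byte string rather
than from any real malware sample.
"""
import hashlib
import ipaddress
import re

# Constructed stand-in for a malware file; a real hash comes from a feed.
SAMPLE_BYTES = b"constructed sample, not real malware\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()

IOCS = {
    "sha256": {SAMPLE_SHA256},
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"c2.example.net", "update-cdn.example.org"},
}

# Constructed log lines in a key=value format (DNS, connection, file events).
LOG_LINES = [
    "2024-03-01T10:00:01Z host=ws01 event=dns query=C2.EXAMPLE.NET",
    "2024-03-01T10:00:02Z host=ws01 event=conn dst=203.0.113.45 port=443",
    "2024-03-01T10:00:03Z host=ws02 event=dns query=mail.example.com",
    "2024-03-01T10:00:04Z host=ws02 event=conn dst=203.0.113.99 port=80",
    "2024-03-01T10:00:05Z host=ws03 event=dns query=beacon.update-cdn.example.org.",
    "2024-03-01T10:00:06Z host=ws03 event=file path=/tmp/a.bin sha256=" + SAMPLE_SHA256.upper(),
    "2024-03-01T10:00:07Z host=ws04 event=file path=/tmp/b.bin sha256=" + "0" * 64,
]

KV_RE = re.compile(r"(\w+)=(\S+)")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_line(line):
    """Extract key=value fields; the leading timestamp has no key and is ignored."""
    return dict(KV_RE.findall(line))


def domain_match(observed, indicators):
    """Case-insensitive match on the queried name or any parent domain, so a
    lookup of beacon.update-cdn.example.org. hits update-cdn.example.org."""
    labels = observed.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def match_line(line, iocs):
    """Return [(ioc_type, indicator)] hits for one log line."""
    fields = parse_line(line)
    hits = []
    for key in ("src", "dst"):
        raw = fields.get(key)
        if not raw:
            continue
        try:
            addr = str(ipaddress.ip_address(raw))   # rejects malformed addresses
        except ValueError:
            continue
        if addr in iocs["ipv4"]:
            hits.append(("ipv4", addr))
    query = fields.get("query")
    if query:
        hit = domain_match(query, iocs["domain"])
        if hit:
            hits.append(("domain", hit))
    digest = fields.get("sha256", "").lower()          # feeds and tools differ in case
    if SHA256_RE.match(digest) and digest in iocs["sha256"]:
        hits.append(("sha256", digest))
    return hits


def scan(lines, iocs=IOCS):
    """Return [(line_number, host, ioc_type, indicator)] for every hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        host = parse_line(line).get("host", "?")
        for ioc_type, indicator in match_line(line, iocs):
            findings.append((n, host, ioc_type, indicator))
    return findings


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print("line %d host=%s %s=%s" % finding)
```

Sets are used for the indicators so that lookups stay constant-time as a feed grows to hundreds of thousands of entries; the parent-domain walk is what makes a single domain indicator cover every hostname an attacker allocates under it.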

Automated Indicator Sharing (AIS)

Automated Indicator Sharing enables the real-time exchange of machine-readable cyber threat indicators and defensive measures to help protect participants of the AIS community and ultimately reduce the prevalence of cyberattacks.  The AIS community includes private sector entities; federal departments and agencies; state, local, tribal, and territorial governments; information sharing and analysis centers and information sharing and analysis organizations; and foreign partners and companies.  AIS works with the public and private sector to identify and help mitigate cyber threats through information sharing, and provides technical assistance, upon request, that helps prevent, detect, and respond to incidents.[8]  The automated-sharing standards you need to know for the CompTIA Security+ SY0-601 certification exam are:

  • Structured Threat Information eXpression (STIX):  a standardized, machine-readable language for representing information about cyber threats (indicators, malware, campaigns, threat actors, and so on) so that it can be shared, stored, and used consistently by both automated tooling and human-assisted analysis.
  • Trusted Automated eXchange of Intelligence Information (TAXII):  a collection of services and message exchanges that enable the sharing of cyber threat information across product, service, and organizational boundaries.  It is the transport vehicle for STIX content and the key enabler of widespread exchange;[9] TAXII 2.x runs over HTTPS and exposes collections that clients poll for new objects.
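Seeing the two standards side by side helps: STIX defines what an indicator looks like, and TAXII only moves the resulting bundle.  The block below is an added example, not code from the page or from any STIX/TAXII library.  It builds STIX 2.1 Indicator objects with the properties the specification requires, packages them as a bundle the way a producer would before publishing to a TAXII collection, and on the consumer side evaluates the indicator patterns against observed data.  The timestamp, the indicators, and the placeholder hash are constructed; the pattern evaluator deliberately supports only equality comparisons joined by AND or OR within one observation expression, which is what atomic AIS indicators look like, and rejects anything else rather than mis-evaluating it.

```python
"""Produce STIX 2.1 indicators, package them in a bundle, and evaluate the
patterns locally against observed data.

Added example; not code from the page or from any STIX/TAXII library. Object
layout follows the STIX 2.1 specification (required Indicator properties:
type, spec_version, id, created, modified, pattern, pattern_type, valid_from).
The timestamp, indicators and observations are constructed. The evaluator
covers only '=' comparisons joined by AND or OR inside a single observation
expression; anything else raises rather than being silently mis-evaluated.
"""
import json
import re
import uuid

CREATED = "2024-03-01T10:00:00.000Z"   # fixed for determinism; producers use now()


def make_indicator(name, pattern, indicator_types=("malicious-activity",)):
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--%s" % uuid.uuid4(),
        "created": CREATED,
        "modified": CREATED,
        "name": name,
        "indicator_types": list(indicator_types),
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": CREATED,
    }


def make_bundle(objects):
    return {"type": "bundle", "id": "bundle--%s" % uuid.uuid4(), "objects": list(objects)}


# Supported subset:  [ path = 'value' ( (AND|OR) path = 'value' )* ]
# Object paths may carry a quoted key such as file:hashes.'SHA-256'.
COMPARISON_RE = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")
BOOL_RE = re.compile(r"\s+(AND|OR)\s+")


def parse_pattern(pattern):
    """Return ([(object_path, value), ...], 'AND'|'OR') or raise ValueError."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("only a single observation expression is supported")
    parts = BOOL_RE.split(body[1:-1])       # comparison, op, comparison, op, ...
    comparisons, ops = parts[0::2], parts[1::2]
    if len(set(ops)) > 1:
        raise ValueError("mixed AND/OR without parentheses is not supported")
    parsed = []
    for comp in comparisons:
        m = COMPARISON_RE.fullmatch(comp.strip())
        if not m:
            raise ValueError("unsupported comparison: %r" % comp)
        parsed.append((m.group(1), m.group(2).replace("\\'", "'")))
    return parsed, (ops[0] if ops else "OR")


def evaluate(pattern, observation):
    """observation maps object paths (e.g. 'domain-name:value') to observed values."""
    comparisons, op = parse_pattern(pattern)
    results = [observation.get(path) == value for path, value in comparisons]
    return all(results) if op == "AND" else any(results)


def matching_indicators(bundle_json, observation):
    """Consumer side: given a bundle as received (e.g. from a TAXII collection),
    return the names of the indicators whose pattern matches the observation."""
    bundle = json.loads(bundle_json)
    names = []
    for obj in bundle.get("objects", []):
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            if evaluate(obj["pattern"], observation):
                names.append(obj.get("name", obj["id"]))
    return names


PLACEHOLDER_SHA256 = "a" * 64   # constructed placeholder, not a real file hash

# Constructed indicators a producer might share over AIS.
BUNDLE_JSON = json.dumps(make_bundle([
    make_indicator("C2 domains",
                   "[domain-name:value = 'c2.example.net' OR domain-name:value = 'update-cdn.example.org']"),
    make_indicator("Dropper file",
                   "[file:name = 'update.exe' AND file:hashes.'SHA-256' = '%s']" % PLACEHOLDER_SHA256),
]), indent=2)

if __name__ == "__main__":
    print(BUNDLE_JSON)
    print(matching_indicators(BUNDLE_JSON, {"domain-name:value": "c2.example.net"}))
```

Note the split of responsibilities: `pattern_type` is checked before a pattern is evaluated because STIX allows other pattern languages (Snort, YARA, Sigma) in the same property, and unsupported syntax raises instead of returning False, so a consumer notices indicators it cannot act on rather than quietly ignoring them.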

Predictive Analysis

Predictive analytics is an area of statistics that extracts information from data and uses it to predict trends and behavior patterns.  Predictive web analytics extends this to calculating statistical probabilities of future online events.  Its techniques include data modeling, machine learning, AI, deep learning algorithms, and data mining.[10]  Often the unknown event of interest lies in the future, but predictive analytics can be applied to any kind of unknown, whether past, present, or future: identifying suspects after a crime has been committed, for example, or detecting credit card fraud as it occurs.[11]  In security, predictive analytics applies statistical models to historical data (logs, past incidents, threat feeds) so that an organization can anticipate likely attacks and score current activity against an expected baseline in near real time; coupled with machine learning, it gives organizations tools to act on potential threats before they fully unfold.[12]  The practical limits are the quality and coverage of the historical data and the false-positive rate, both of which need to be measured before a prediction is allowed to drive an automated response.
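The simplest form of this idea, and the one most SOC tooling starts from, is forecasting what a metric should look like from its history and alerting when reality diverges.  The block below is an added example, not code from the page: it uses an exponentially weighted moving average to forecast each day's count of failed logins from the days before it and flags a day when the actual count exceeds the forecast by more than k standard deviations of the past forecast errors.  The series, alpha, k, and the warm-up length are constructed, illustrative choices rather than tuned values.

```python
"""Forecast-based anomaly detection on a constructed daily series.

Added example; not code from the page. An exponentially weighted moving
average (EWMA) forecasts each day's count of failed logins from the days
before it, and a day is flagged when the actual count exceeds the forecast
by more than k standard deviations of the past forecast errors. The series,
alpha, k and the warm-up length are illustrative choices, not tuned values.
"""
from statistics import pstdev

# Constructed history: failed logins per day for a small fleet, two quiet
# weeks followed by a credential-stuffing burst on day 15 (index 14).
FAILED_LOGINS = [42, 38, 45, 40, 39, 44, 41, 43, 37, 46, 40, 42, 39, 44, 310, 48, 41]


def detect(series, alpha=0.3, k=3.0, warmup=5):
    """One pass over the series.

    Returns (flagged, next_forecast): flagged is [(index, actual, forecast)]
    and next_forecast is the prediction for the day after the series ends.
    Flagged days are excluded from the baseline update so that one burst does
    not raise the expected level, and therefore the threshold, for the days
    that follow.
    """
    level = float(series[0])        # EWMA level; the first day predicts itself
    errors = []                     # residuals on days accepted as normal
    flagged = []
    for i, actual in enumerate(series):
        forecast = level
        residual = actual - forecast
        if i >= warmup:
            sigma = pstdev(errors) or 1.0   # a perfectly flat history would give 0
            if residual > k * sigma:
                flagged.append((i, actual, round(forecast, 1)))
                continue                    # do not learn from the anomaly
        errors.append(residual)
        level = alpha * actual + (1 - alpha) * level
    return flagged, round(level, 1)


if __name__ == "__main__":
    flagged, nxt = detect(FAILED_LOGINS)
    for i, actual, forecast in flagged:
        print("day %d: %d failed logins, expected about %.1f" % (i + 1, actual, forecast))
    print("forecast for next day: %.1f" % nxt)
```

Two details matter more than the model: the warm-up period stops the detector alerting on the first few days when it has no error history, and skipping the baseline update on flagged days stops a single large anomaly from inflating the forecast and masking a second attack the following day.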

Threat Maps

Cyber threat maps are real-time maps of the computer security attacks going on at any given moment.  They are visualizations of data aggregated from many sensors (honeypots, firewalls, and endpoint agents) around the world, usually operated by a single vendor.  Threat maps help illustrate how prevalent cyber attacks are;[6] they are useful for awareness and briefings, but they show only what that vendor's sensors see and are not a substitute for telemetry from your own environment.

File/Code Repositories

A code repository is a file archive and web hosting facility where programmers, software developers, and designers store large amounts of source code for software and web pages for safekeeping.[13]  Threat actors often release exploits and breached data to file and code repositories such as GitLab and GitHub,[6] and researchers publish proof-of-concept exploit code there, so watching these platforms for mentions of your organization, products, and domains is a routine part of threat intelligence collection.

References

  1. Threat Intelligence. Sumo Logic.
  2. Richelson, J. (2016). The US Intelligence Community.
  3. Going Dark: The Internet Behind The Internet. NPR.
  4. Ghappour, A. (2017). Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web. Stanford Law Review.
  5. Solomon, J. (2015). The Deep Web vs. The Dark Web: Do You Know The Difference?
  6. Santos, O.; Taylor, R.; Mlodziannowski, J. CompTIA Security+ SY0-601 Cert Guide.
  7. Gragido, W. (2012). Understanding Indicators of Compromise (IOC) Part 1. RSA.
  8. Automated Indicator Sharing. Cybersecurity & Infrastructure Security Agency.
  9. What is STIX and TAXII? Eclectic IQ.
  10. Predictive Analytics. Personali.
  11. Finlay, S. (2014). Predictive Analytics, Data Mining and Big Data: Myths, Misconceptions and Methods.
  12. Types of Security Analytics in a Post-Pandemic World. GWU.
  13. What is Code Repository Software? Crozdesk.
  14. Vijayan, J. (2019). What is an ISAC or ISAO? How These Cyber Threat Information Sharing Organizations Improve Security. CSO.