Intelligence Foundations - Foundations and Lifecycle

Video Activity

The first step in responding to a cyber attack is gathering evidence (intelligence) during all phases of an attack from multiple data sources. In this video we'll examine the foundations and lifecycle of intelligence gathering focusing on the following areas: IoA (Indicators of Attack) - continuous monitoring of a wide range of things from the phys...

Join over 3 million cybersecurity professionals advancing their career

Sign up with

or

Already have an account? Sign In »

Intro to Cyber Threat Intelligence

Course

Time

4 hours 8 minutes

Difficulty

Intermediate

CEU/CPE

4

Video Description

The first step in responding to a cyber attack is gathering evidence (intelligence) during all phases of an attack from multiple data sources. In this video we'll examine the foundations and lifecycle of intelligence gathering focusing on the following areas:

IoA (Indicators of Attack) - continuous monitoring of a wide range of things from the physical to server performance problems to suspicious network activity.
IoC (Indicators of Compromise) - direct evidence of a compromise such as permission changes, data exfiltration and hiding, AV disabling, and firewall rule changes.
TTPs (Tactics, Techniques, and Procedures) - operational taks indicating a problem such as a procedure that no longer works.
CRITs (Collaborative Research into Threats) - open source databases containing malware repositories such as the MITRE webpage.
Raw data vs. aggregated data - raw data from network devices of a threat feed is typically in no usable form and must be examined and filtered through other processes to be meaningful. Aggregated data is pieced together from various sources. Alone may not be suspicious, but when aggregated may tell a different story.
SIEM (Security Information and Event Management) - devices used to monitor and log events. Must be tuned to minimize false positives.
IDPS (Intrusion Detection/Prevention System) - devices to detect and prevent attacks respectively. Typically located at firewalls.

Video Transcription

00:04

hello

00:05

And this module of cyber threat intelligence. We're gonna talk about the foundations of intelligence.

00:11

What does it actually come from?

00:13

What is its life cycle look like?

00:15

And

00:16

this also includes some terminology.

00:19

And the stage is off.

00:22

Ah, yes. Cyber attack is comprised.

00:28

So started, mother terminology. We have indicators of attack

00:33

now, depending on

00:35

how your organization does its continuous monitoring or how you d'oh

00:40

how you manage things like assume divisor and ideas or I p s

00:45

indicator of attack, maybe lots of different things.

00:49

It could be physical. Security related.

00:52

Uh,

00:53

it could be that the

00:56

there's performance problems with the

00:59

public facing website.

01:02

Any of these things

01:03

could be indicators that that show that there's something going on that appears suspicious or

01:08

at the very least, should be investigated to verify that it's normal activity,

01:14

always good to be able to differentiate between

01:18

suspicious and normal activities, since they can sometimes

01:22

look very similar when you're analyzing

01:23

different sources of monitoring information

01:30

indicators of compromise, On the other hand,

01:33

our little bit more direct

01:36

because now we can think about

01:38

actual evidence that something happened.

01:41

An attack is one thing knowing that you're under attack is one thing. That

01:45

finding that files have changed or that

01:49

permissions on a directory have been modified. Maybe there's information missing

01:53

or data has been found that's been

01:57

bundled up in a some kind of an archive, and it's been hidden into

02:00

a deep file system folder.

02:04

These are all things that could indicate that compromises occur,

02:07

or maybe something else. Other examples could be disabling anti virus

02:14

or

02:15

disabling certain firewall rules that were

02:19

helpful for the attack to continue. We can think about this in the context of

02:23

perhaps a, uh advanced, persistent threat.

02:27

So these IOC's, as they're known,

02:30

will vary in their credibility. There will vary in their level of detail.

02:35

The job of the analysts, of course, is to

02:38

pulls much of this information together as possible to make an educated guess as to

02:44

what's actually happening,

02:46

and that they could decide

02:47

what else might be done.

02:51

Some of the resources that are available include,

02:54

uh,

02:55

something some websites that will look at a little bit later in some different tools as well.

03:00

Then we move on to TT piece, tactics, techniques and procedures.

03:05

Anyone who's been in the

03:07

I work for the government or for the military is probably already familiar with this term.

03:14

And this could be

03:15

simple day today, operational

03:17

tasks that are being performed

03:20

in a particular environment

03:23

that indicate that there's a problem.

03:27

Um,

03:28

it could be the identification of a new threat, the identification of a new vulnerability

03:32

or the fact that simply that a procedure no longer works.

03:38

That in itself could be considered a

03:40

a threat or vulnerability, depending on the perspective, of course,

03:44

because if a procedure no longer works, people may stop doing it

03:47

and that information about a failed procedure may take some time to actually

03:54

correct.

03:57

So TTP served their purpose in several different areas.

04:00

Some of the NIST guidance actually

04:03

uses

04:04

the TTP concept

04:06

in regards to do and risk assessments.

04:11

Because you're looking at, where is the threat information come from? It's incredible.

04:15

Uh,

04:15

what is the impact of this threat and so much

04:19

Next we have Critz collaborative research into threats.

04:25

Dan,

04:26

the minor organization actually has

04:30

a nice white page on this,

04:32

and what this is showing us is a little bit information about

04:38

the fact that they decided back in 2014

04:42

to produce this

04:44

open source database.

04:46

This way you have a depository for malware

04:49

and because mount where is so prevalent and

04:54

is constantly expanding,

04:57

the idea here was to

05:00

providing a common database, a common point of access

05:03

to store information about malware and to be able to make it available to the general public.

05:11

And there are other references to the crates idea and other solutions that have been provided by different vendors.

05:18

But the minor organization at least has something that's

05:21

available unusable by

05:26

the the security practitioner or the threat analyst.

05:31

Then we move on to the concept of raw data,

05:34

an aggregated data.

05:38

These are important concepts to understand as well.

05:40

Raw data means just what it sounds like. It's information that comes from some sort of device on the network, perhaps in monitoring device.

05:48

It could be from

05:50

some sort of other threat feed,

05:54

and the problem with raw data is that it's

05:58

might not be in a format that's actually usable right away.

06:02

Hence the name raw data.

06:04

So this information needs to be

06:08

examined and perhaps filtered by some other process in order to

06:13

make it conform or into a format which is directly usable something like the cyst lock format.

06:18

Or perhaps the four meant that a, uh,

06:21

assume device might understand. Like Ark site.

06:26

The concept of aggregated data, on the other hand,

06:30

is using the idea of aggregation in general, which means that you're getting little bits and pieces of information from various sources

06:38

by themselves. They may not

06:40

compromise.

06:42

They may not come prize

06:44

data that indicates anything too serious. You might get a little bit of information from this monitoring device that

06:51

doesn't appear to be suspicious, that maybe some information from another device that

06:57

that all by itself doesn't appear to be very suspicious. But when you start to put these pieces of the puzzle together, now you see a different picture,

07:04

and that aggregation concept could help to develop a larger

07:10

overview. Are a big picture of you

07:13

of what threat really means in your environment?

07:17

I already mentioned assume device security information and event management.

07:23

There are many choices in the marketplace for symbolizes.

07:28

Some of you may already have experience with

07:30

some of the industry leaders like Ark site

07:33

or Splunk

07:35

for Kiwi.

07:36

They have widely ranging price points and different features. Of course,

07:42

the main beauty of this kind of technology Is that

07:46

any device that's on your network

07:47

that generates log events?

07:50

Uh, this covers just about all networked devices. Whether it's a server or a workstation, I switch around, er firewall proxy,

08:01

a VPN concentrator,

08:05

even things like

08:07

operating system functions within Windows or UNIX or linen.

08:13

Any long event

08:16

should be theoretically able to send its information to a some device.

08:20

Typically, the device that sending the data needs to have some sort of agent

08:26

or configuration change made

08:28

to that device. In order for the information to go to the proper destination,

08:33

you obviously have to configure a destination I i p address and a destination port.

08:39

But the large vendors for these types of devices make

08:43

agents that run on just about all of the other

08:46

major manufacturers equipment that you would typically find in a network infrastructure.

08:52

And once the same devices is initially set up, it requires some tuning. There were similar to an I. D. S R. V I P s

08:58

because you're going to get a lot of false,

09:01

uh, positive events.

09:03

These false positive events are confusing and canned,

09:07

uh,

09:09

sometimes give leave misleading information about whether or not suspicious activity is actually occurring.

09:16

The trick is trying to look at these and more detail in to identify areas where

09:20

certain activity that might appear to be suspicious is actually considered normal and acceptable.

09:26

So there is a tuning process that can last for quite some time until the devices

09:33

is more or less ready to use reliably.

09:35

The beauty of the technology beyond this tuning

09:41

is the fact that the events can be generated for just about

09:46

crashes, say the alerts can be generated for just about any type of event.

09:50

For instance, you might generate an alert because the route passport was changed on Important server.

09:56

Another alert might be generated because the system was rebooted.

10:01

Perhaps an alert will be generated

10:03

because a

10:05

switch for it was was disabled or enabled

10:07

anything that's interesting to the

10:11

the, uh

10:11

I T security staff

10:13

or the people that manage workstations of people that manage servers.

10:18

You're networking staff.

10:20

All these things can be

10:22

configured to send alerts to your SIM device,

10:24

so it's a great way to Artemis the notification process,

10:28

which, of course, is a big part of what continuous monitoring means for most organizations

10:33

the I. D s or the I PS Intrusion Detection and Prevention

10:37

performed a similar function

10:39

in some ways.

10:41

But we normally think of intrusion detection as a passive detection method.

10:48

Soon, devices are passing as well. Some vendors

10:52

allow a scripted

10:54

action to take place when a certain event occurs.

10:58

This is, goes down a bit of a rabbit hole as far as how complex do you want your automated functions to be? But it's a nice future to have

11:05

in certain circumstances.

11:07

The I. D. S, on the other hand,

11:09

simply detects something that matches the signature or matches some behavior,

11:16

matches some other criteria

11:18

and then decides to send out. An alert

11:22

intrusion prevention system

11:24

is very similar to an ideas. It's still detects

11:26

suspicious actions or suspicious information.

11:31

But what it also offers is the capability to block

11:33

the, uh,

11:35

malicious behavior from a current.

11:39

It could do this in various ways that could turn

11:41

often interface. It could block the actions based on a source i p. Address sore sport.

11:48

A lot of devices

11:50

merge these two capabilities together, and therefore they're called I'd GPS devices,

11:56

and this is a great complimentary piece of equipment to have stationed at various points on your network, usually

12:03

anywhere. You've got a fighter. While you probably want to have an I. D. P. S

12:07

so that you can see the traffic that's coming through the firewall and then also

12:11

get information about whether it was allowed or not, whether it was suspicious or not, so on.

Up Next

Intelligence Foundations - Attacks and Defense

CTI Perceptions - Risk Fundamentals

CTI Perceptions - Analyst Roles

Tactical Threat Intelligence - Hunting Down Threats

Tactical Threat Intelligence - IOC Lifecycle and Tools

Intro to Cyber Threat Intelligence

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

Instructed By

CEO of SteppingStone Solutions