In this module of cyber threat intelligence, we're going to talk about the foundations of intelligence. What does it actually come from? What does its life cycle look like? This also includes some terminology, and the stages a cyber attack is comprised of.
So, to start with the terminology, we have indicators of attack. Depending on how your organization does its continuous monitoring, or how you manage things like a SIEM device or an IDS or IPS, an indicator of attack may be lots of different things. It could be physical security related. It could be that there are performance problems with the public-facing website. It could be indicators that show that there's something going on that appears suspicious or, at the very least, should be investigated to verify that it's normal activity. It's always good to be able to differentiate between suspicious and normal activities, since they can sometimes look very similar when you're analyzing different sources of monitoring information.
Indicators of compromise, on the other hand, are a little bit more direct, because now we can think about actual evidence that something happened. Knowing that you're under attack is one thing. Finding that files have changed, or that permissions on a directory have been modified, maybe there's information missing, or data has been found that's been bundled up in some kind of an archive and hidden in a deep file system folder: these are all things that could indicate that a compromise has occurred, or maybe something else. Other examples could be disabling antivirus, or disabling certain firewall rules that were helpful for the attack to continue. We can think about this in the context of, perhaps, an advanced persistent threat.
So these IOCs, as they're known, will vary in their credibility, and they will vary in their level of detail. The job of the analyst, of course, is to pull as much of this information together as possible to make an educated guess as to what's actually happening, so that they can decide what else might be done. Some of the resources that are available include some websites that we'll look at a little bit later, and some different tools as well.
Then we move on to TTPs: tactics, techniques and procedures. Anyone who's been in, or worked for, the government or the military is probably already familiar with this term. These are simple day-to-day operational tasks that are being performed in a particular environment that indicate that there's a problem. It could be the identification of a new threat, the identification of a new vulnerability, or simply the fact that a procedure no longer works. That in itself could be considered a threat or a vulnerability, depending on the perspective, of course, because if a procedure no longer works, people may stop doing it, and that information about a failed procedure may take some time to actually...
So TTPs serve their purpose in several different areas. Some of the NIST guidance actually touches on this in regards to doing risk assessments, because you're looking at: where does the threat information come from? Is it credible? What is the impact of this threat? And so on.
Next we have CRITs, Collaborative Research Into Threats. The MITRE organization actually has a nice white paper on this, and what this is showing us is a little bit of information about the fact that they decided, back in 2014, to create an open source database. This way you have a repository for malware, and because malware is so prevalent and is constantly expanding, the idea here was to provide a common database, a common point of access, to store information about malware and to be able to make it available to the general public. And there are other references to the CRITs idea and other solutions that have been provided by different vendors, but the MITRE organization at least has something that's available and usable by the security practitioner or the threat analyst.
Then we move on to the concept of raw data. These are important concepts to understand as well. Raw data means just what it sounds like: it's information that comes from some sort of device on the network, perhaps a monitoring device, or some sort of other threat feed. And the problem with raw data is that it might not be in a format that's actually usable right away, hence the name raw data. So this information needs to be examined and perhaps filtered by some other process in order to make it conform to a format which is directly usable, something like the syslog format, or perhaps the format that a SIEM device might understand, like ArcSight.
The concept of aggregated data, on the other hand, is using the idea of aggregation in general, which means that you're getting little bits and pieces of information from various sources. By themselves, they may not comprise data that indicates anything too serious. You might get a little bit of information from this monitoring device that doesn't appear to be suspicious, and maybe some information from another device that all by itself doesn't appear to be very suspicious. But when you start to put these pieces of the puzzle together, now you see a different picture, and that aggregation concept can help to develop a larger overview, or a big-picture view, of what threat really means in your environment.
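As an added illustration of the raw data and aggregated data ideas just described (this is example code written for this page, not part of the lecture and not from any product mentioned in it), here is a small Python script that takes raw syslog lines, normalizes them into a common event shape, and then aggregates them per host. The log lines, host names, addresses, indicator weights, the 15-minute window and the threshold are all constructed assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample raw data (not from the lecture): BSD-style syslog lines as a
# monitoring device or host would emit them. Hosts, users and addresses are made up.
RAW_LINES = [
    "Mar 10 02:14:01 web01 sshd[4412]: Failed password for invalid user admin from 203.0.113.7 port 52114 ssh2",
    "Mar 10 02:14:03 web01 sshd[4412]: Failed password for invalid user admin from 203.0.113.7 port 52116 ssh2",
    "Mar 10 02:14:09 web01 sshd[4420]: Accepted password for deploy from 203.0.113.7 port 52120 ssh2",
    "Mar 10 02:16:40 web01 audit[1]: permission change path=/var/www/.cache mode=0777 uid=1003",
    "Mar 10 02:18:12 web01 av[880]: realtime protection disabled by uid=1003",
    "Mar 10 02:20:55 fw01 kernel: DROP IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP DPT=4444",
    "Mar 10 03:01:00 db02 sshd[2201]: Accepted publickey for backup from 10.0.0.5 port 40000 ssh2",
    "this line is not syslog at all",
]

# Step 1: raw -> parsed. The syslog header gives us timestamp, host, program and message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Step 2: parsed -> normalized. Each rule names an indicator and gives it a weight.
# The weights are illustrative assumptions: any one of these events on its own is
# unremarkable; the point is what they add up to on the same host.
INDICATOR_RULES = [
    (re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"), "auth_failure", 1),
    (re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)"), "auth_success", 1),
    (re.compile(r"permission change path=(?P<path>\S+) mode=(?P<mode>\d+)"), "perm_change", 2),
    (re.compile(r"realtime protection disabled"), "av_disabled", 3),
    (re.compile(r"DROP .*SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+)"), "fw_drop", 1),
]


def parse_syslog(line, year=2024):
    """Return a dict for a BSD syslog line, or None if the raw line is not in that format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def normalize(event):
    """Tag a parsed event with an indicator type, weight and the fields the rule extracted."""
    for rx, name, weight in INDICATOR_RULES:
        m = rx.search(event["msg"])
        if m:
            return {**event, "indicator": name, "weight": weight, "fields": m.groupdict()}
    return {**event, "indicator": "other", "weight": 0, "fields": {}}


def load_events(lines):
    """Raw lines -> normalized events. Unparseable lines are dropped here; count them in practice."""
    return [normalize(ev) for ev in map(parse_syslog, lines) if ev]


def aggregate(events, window_minutes=15, threshold=5):
    """Correlate indicators per host inside a time window and report hosts whose combined
    score crosses the threshold. Distinct indicator kinds score extra, because failed logins,
    a permission change and antivirus being disabled on one host within minutes tell a
    different story than three repeats of the same event."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["indicator"] != "other":
            by_host[ev["host"]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, first in enumerate(evs):
            window = [e for e in evs[i:]
                      if (e["ts"] - first["ts"]).total_seconds() <= window_minutes * 60]
            kinds = {e["indicator"] for e in window}
            score = sum(e["weight"] for e in window) + 2 * (len(kinds) - 1)
            if best is None or score > best["score"]:
                best = {"host": host, "score": score, "indicators": sorted(kinds),
                        "start": first["ts"], "end": window[-1]["ts"]}
        if best["score"] >= threshold:
            findings[host] = best
    return findings


if __name__ == "__main__":
    for host, finding in aggregate(load_events(RAW_LINES)).items():
        print(host, finding["score"], finding["indicators"], finding["start"], finding["end"])
```

Run it and only web01 is reported: each of its five events scores between 1 and 3 on its own, below the threshold, but together they describe failed logins followed by a successful one, a world-writable directory and antivirus being switched off within a few minutes, which is the bigger picture the aggregation step is meant to reveal. The firewall drop from the same source address is left as a single low-weight event on fw01; correlating across hosts by source address would be the natural next refinement.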
I already mentioned SIEM devices: security information and event management. There are many choices in the marketplace for SIEMs. Some of you may already have experience with some of the industry leaders, like ArcSight. They have widely ranging price points and different features, of course. The main beauty of this kind of technology is that any device that's on your network that generates log events, and this covers just about all networked devices, whether it's a server or a workstation, a switch, a router, a firewall, a proxy, or operating system functions within Windows or Unix or Linux, should theoretically be able to send its information to a SIEM device. Typically, the device that's sending the data needs to have some sort of agent, or a configuration change made to that device, in order for the information to go to the proper destination. You obviously have to configure a destination IP address and a destination port. But the large vendors for these types of devices make agents that run on just about all of the other major manufacturers' equipment that you would typically find in a network infrastructure.
And once the SIEM device is initially set up, it requires some tuning, similar to an IDS or IPS, because you're going to get a lot of false positive events. These false positive events are confusing and can sometimes give misleading information about whether or not suspicious activity is actually occurring. The trick is to look at these in more detail and to identify areas where certain activity that might appear to be suspicious is actually considered normal and acceptable. So there is a tuning process that can last for quite some time until the device is more or less ready to use reliably.
The beauty of the technology, beyond this tuning, is the fact that events can be generated for just about anything, crashes, say. Alerts can be generated for just about any type of event. For instance, you might generate an alert because the root password was changed on an important server. Another alert might be generated because the system was rebooted. Perhaps an alert will be generated because a switch port was disabled or enabled. Anything that's interesting to the people that manage workstations, the people that manage servers, or your networking staff: all these things can be configured to send alerts to your SIEM device. So it's a great way to automate the notification process, which, of course, is a big part of what continuous monitoring means for most organizations.
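To make the alerting and tuning discussion concrete, here is an added Python example (written for this page; it is not lecture material and not the behaviour of ArcSight or any other product named here). It runs the three alerts just mentioned, root password changed, system rebooted, switch port up or down, over events shaped like what an agent forwards to a SIEM, and shows tuning as an explicit, auditable suppression rather than simply turning a rule off. The events, hosts, time window and rule weights are constructed assumptions.

```python
import re
from datetime import datetime, time

# Constructed events (not from the lecture), shaped like what an agent forwards to a SIEM
# after parsing the original log line. Hosts, sources and times are made up.
EVENTS = [
    {"ts": "2024-03-10T02:10:00", "host": "db01", "source": "linux-auth",
     "msg": "passwd[3121]: password changed for root"},
    {"ts": "2024-03-10T03:00:05", "host": "web01", "source": "linux-sys",
     "msg": "systemd[1]: Starting Reboot..."},
    {"ts": "2024-03-10T14:22:13", "host": "web02", "source": "linux-sys",
     "msg": "systemd[1]: Starting Reboot..."},
    {"ts": "2024-03-10T09:15:44", "host": "sw-core-1", "source": "switch",
     "msg": "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down"},
    {"ts": "2024-03-10T09:16:02", "host": "sw-core-1", "source": "switch",
     "msg": "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to up"},
    {"ts": "2024-03-10T09:20:00", "host": "ws-117", "source": "linux-auth",
     "msg": "passwd[900]: password changed for alice"},
]

# Alert rules for the three examples from the lecture. The owner field records who gets
# notified: the server people for the first two, the networking staff for the third.
RULES = [
    {"name": "root_password_changed", "severity": "high", "owner": "server-admins",
     "match": re.compile(r"password changed for root\b")},
    {"name": "system_reboot", "severity": "medium", "owner": "server-admins",
     "match": re.compile(r"Starting Reboot")},
    {"name": "switch_port_state_change", "severity": "low", "owner": "network-team",
     "match": re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>up|down)")},
]

# Tuning: suppressions added after investigating false positives. Each one is scoped to a
# rule, optionally a host pattern and a daily time window, and carries a reason so the
# exception stays auditable. The patch window below is an assumption for the example.
SUPPRESSIONS = [
    {"rule": "system_reboot", "host": re.compile(r"^web\d+$"),
     "window": (time(2, 0), time(4, 0)),
     "reason": "nightly patch window for the web tier"},
]


def suppressed_by(alert, suppressions):
    """Return the reason of the first suppression covering this alert, or None if it should fire."""
    when = datetime.fromisoformat(alert["ts"])
    for s in suppressions:
        if s["rule"] != alert["rule"]:
            continue
        if "host" in s and not s["host"].match(alert["host"]):
            continue
        if "window" in s:
            start, end = s["window"]
            if not (start <= when.time() <= end):
                continue
        return s["reason"]
    return None


def evaluate(events, rules=RULES, suppressions=SUPPRESSIONS):
    """Run every rule over every event. Returns (alerts to notify on, alerts tuned out)."""
    alerts, tuned_out = [], []
    for ev in events:
        for rule in rules:
            m = rule["match"].search(ev["msg"])
            if not m:
                continue
            alert = {"rule": rule["name"], "severity": rule["severity"], "owner": rule["owner"],
                     "host": ev["host"], "ts": ev["ts"], "fields": m.groupdict()}
            reason = suppressed_by(alert, suppressions)
            if reason:
                tuned_out.append({**alert, "suppressed_by": reason})
            else:
                alerts.append(alert)
    return alerts, tuned_out


if __name__ == "__main__":
    live, tuned = evaluate(EVENTS)
    for a in live:
        print(f"NOTIFY {a['owner']}: [{a['severity']}] {a['rule']} on {a['host']} at {a['ts']} {a['fields']}")
    for a in tuned:
        print(f"suppressed: {a['rule']} on {a['host']} ({a['suppressed_by']})")
```

The reboot of web01 at 03:00 falls inside the suppression window and is kept in a separate "tuned out" list rather than discarded, so the exception can be reviewed later; the reboot of web02 in the afternoon still fires because it is outside the window. That is the shape of the tuning process described above: the rule stays on, and each thing that looked suspicious but turned out to be normal becomes a scoped exception with a written reason.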
The IDS or the IPS, intrusion detection and prevention, perform a similar function. But we normally think of intrusion detection as a passive detection method. SIEM devices are passive as well; some vendors allow an action to take place when a certain event occurs. This goes down a bit of a rabbit hole as far as how complex you want your automated functions to be, but it's a nice feature to have in certain circumstances.
The IDS, on the other hand, simply detects something that matches a signature, or matches some behavior, or matches some other criteria, and then decides to send out an alert. An intrusion prevention system is very similar to an IDS. It still detects suspicious actions or suspicious information, but what it also offers is the capability to block malicious behavior from occurring. It could do this in various ways: it could turn off an interface, or it could block the actions based on a source IP address or source port. These two capabilities get merged together, and therefore they're called IDPS devices. This is a great complementary piece of equipment to have stationed at various points on your network. Usually, anywhere you've got a firewall, you probably want to have an IDPS, so that you can see the traffic that's coming through the firewall and then also get information about whether it was allowed or not, whether it was suspicious or not, and so on.