1.1 Explain the importance of threat data and intelligence

Intelligence sources:
Open-source intelligence: publicly available information
Proprietary/closed-source intelligence: info with restricted access (e.g. police record)
Timeliness: tim ely receipt/operationalisation (impact > intelligence cost)
Relevancy: mustaddress a threat and allow for effective action; usable delivery format
Accuracy: must save organisations more in success than errors/mistakes
Confidence levels
Indicator management:
- STIX: describes cyber threat information (motivation, abilities, capabilities, response)
- TAXII: describes how threat info (STIX) can be shared (hub-and-spoke; source/subscriber; peer-to-peer); discovery, collection management, inbox, poll
- OpenIOC: standard format for defining/recording/sharing artifacts
Threat classification:
- Known threat vs unknown threat: external/removable media, attrition, web, email, impersonation, improper usage, equipment loss/theft etc.
- Zero-day: unknown vulnerabilities that have no patches
- APT: skilled attackers supported by extremely large resources
Threat actors:
- Nation-state: geopolitically motivated groups with dedicated resources/personnel, extensive planning & coordination
- Hacktivist: ideologically motivated groups that rely on widely available tools
- Organised crime: profit-driven groups that target PII, credit cards etc.
- Insider threat:
  - Intentional: disgruntled or profit-driven employee stealing/damaging/exposing systems
  - Unintentional: personal negligence/poor security practices
Intelligence cycle:
- Requirements: determine exact customer requirements (IRs), how it should be collected
- Collection: gather data from wide array of desired/reliable/timely sources
- Analysis: raw info + other sources => intelligence; assess importance/accuracy/reliability
- Dissemination: timely conveyance of intelligence in appropriate format to customers
- Feedback: solicit feedback from customer, refine existing IRs
Commodity malware: widely available paid/free malware used by many threat actors
Information sharing and analysis communities:
- Healthcare: H-ISAC, Healthcare Ready
- Financial: FS-ISAC
- Aviation: A-ISAC
- Government: EI-ISAC (elections), DIB-ISAC (defense), NEI (nuclear)
- Critical infrastructure: E-ISAC (electricity), ONG-ISAC (oil & gas), PT-ISAC (public transit)

PreviousQuestions NextPage 1

Last updated 2 years ago

1.1 Explain the importance of threat data and intelligence

Intelligence sources:
Open-source intelligence: publicly available information
Proprietary/closed-source intelligence: info with restricted access (e.g. police record)
Timeliness: tim ely receipt/operationalisation (impact > intelligence cost)
Relevancy: mustaddress a threat and allow for effective action; usable delivery format
Accuracy: must save organisations more in success than errors/mistakes
Confidence levels
Indicator management:
- STIX: describes cyber threat information (motivation, abilities, capabilities, response)
- TAXII: describes how threat info (STIX) can be shared (hub-and-spoke; source/subscriber; peer-to-peer); discovery, collection management, inbox, poll
- OpenIOC: standard format for defining/recording/sharing artifacts
Threat classification:
- Known threat vs unknown threat: external/removable media, attrition, web, email, impersonation, improper usage, equipment loss/theft etc.
- Zero-day: unknown vulnerabilities that have no patches
- APT: skilled attackers supported by extremely large resources
Threat actors:
- Nation-state: geopolitically motivated groups with dedicated resources/personnel, extensive planning & coordination
- Hacktivist: ideologically motivated groups that rely on widely available tools
- Organised crime: profit-driven groups that target PII, credit cards etc.
- Insider threat:
  - Intentional: disgruntled or profit-driven employee stealing/damaging/exposing systems
  - Unintentional: personal negligence/poor security practices
Intelligence cycle:
- Requirements: determine exact customer requirements (IRs), how it should be collected
- Collection: gather data from wide array of desired/reliable/timely sources
- Analysis: raw info + other sources => intelligence; assess importance/accuracy/reliability
- Dissemination: timely conveyance of intelligence in appropriate format to customers
- Feedback: solicit feedback from customer, refine existing IRs
Commodity malware: widely available paid/free malware used by many threat actors
Information sharing and analysis communities:
- Healthcare: H-ISAC, Healthcare Ready
- Financial: FS-ISAC
- Aviation: A-ISAC
- Government: EI-ISAC (elections), DIB-ISAC (defense), NEI (nuclear)
- Critical infrastructure: E-ISAC (electricity), ONG-ISAC (oil & gas), PT-ISAC (public transit)

PreviousQuestions NextPage 1

Last updated 2 years ago