1.1 Explain the importance of threat data and intelligence

  • Intelligence sources:

    • Open-source intelligence: publicly available information

    • Proprietary/closed-source intelligence: info with restricted access (e.g. police record)

    • Timeliness: timely receipt/operationalisation (impact > intelligence cost)

    • Relevancy: must address a threat and allow for effective action; usable delivery format

    • Accuracy: must save organisations more when it is right than its errors/mistakes cost them

  • Confidence levels

  • Indicator management:

    • STIX: describes cyber threat information (motivation, abilities, capabilities, response)

    • TAXII: describes how threat info (STIX) can be shared (hub-and-spoke; source/subscriber; peer-to-peer); discovery, collection management, inbox, poll

    • OpenIOC: standard format for defining/recording/sharing artifacts
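
As an added illustration of what "indicator management" means in practice (this is example code written for these notes, not from the page, STIX or any TAXII server), the block below builds a STIX 2.1 bundle with the standard library only, validates the required Indicator properties and the `type--UUID` id form, and then triages a received bundle the way a consumer would before operationalising it: malformed objects are rejected, indicators under a chosen confidence threshold are dropped, and the remaining simple patterns are flattened into (object path, value, confidence) tuples. All indicator values and names are constructed samples (documentation IP range, `.example` domain); `triage_bundle`, `make_indicator` and the pattern regex are this example's own helpers, and the pattern parser only handles flat `path = 'value'` comparisons, not the full STIX patterning grammar.

```python
# Added example (not from the page): minimal STIX 2.1 indicator round-trip, stdlib only.
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifiers are "<type>--<UUID>".
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# Properties an Indicator SDO must carry in STIX 2.1.
INDICATOR_REQUIRED = ("type", "spec_version", "id", "created", "modified",
                      "pattern", "pattern_type", "valid_from")
# Matches one "object-path = 'value'" comparison inside a flat STIX pattern
# (hypothetical helper: it does not cover the full STIX patterning grammar).
COMPARISON_RE = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'")


def _stix_timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def make_indicator(pattern, name, confidence=None, created=None):
    """Build a STIX 2.1 Indicator; confidence uses the 0-100 scale the spec defines."""
    ts = created or _stix_timestamp()
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }
    if confidence is not None:
        obj["confidence"] = confidence
    return obj


def make_bundle(objects):
    """Wrap SDOs in a Bundle, the unit that TAXII collections exchange."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_indicator(obj):
    """Return a list of problems; an empty list means the object is usable."""
    problems = [f"missing {k}" for k in INDICATOR_REQUIRED if k not in obj]
    if obj.get("type") != "indicator":
        problems.append("type is not indicator")
    oid = obj.get("id", "")
    if not STIX_ID_RE.match(oid) or not oid.startswith("indicator--"):
        problems.append("malformed id")
    conf = obj.get("confidence")
    if conf is not None and not (isinstance(conf, int) and 0 <= conf <= 100):
        problems.append("confidence outside 0-100")
    return problems


def extract_comparisons(pattern):
    """Pull (object path, value) pairs out of a flat STIX pattern."""
    return COMPARISON_RE.findall(pattern)


def triage_bundle(bundle_json, min_confidence=0):
    """Split a received bundle's indicators into usable and rejected.

    Indicators that fail validation or sit below the confidence threshold are
    rejected (missing confidence counts as 0, i.e. unknown); the rest are
    flattened to (object path, value, confidence) tuples a detection tool can load.
    """
    bundle = json.loads(bundle_json)
    accepted, rejected = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # relationships, malware objects etc. are out of scope here
        problems = validate_indicator(obj)
        if problems:
            rejected.append((obj.get("id", "<no id>"), problems))
            continue
        conf = obj.get("confidence", 0)
        if conf < min_confidence:
            rejected.append((obj["id"], [f"confidence {conf} below {min_confidence}"]))
            continue
        for path, value in extract_comparisons(obj["pattern"]):
            accepted.append((path, value, conf))
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample feed: two well-formed indicators and one missing pattern_type.
_broken = make_indicator("[url:value = 'http://bad.example/x']", "broken (constructed)")
del _broken["pattern_type"]
SAMPLE_BUNDLE = json.dumps(make_bundle([
    make_indicator("[ipv4-addr:value = '198.51.100.7']", "C2 address (constructed)", confidence=90),
    make_indicator("[domain-name:value = 'bad.example' OR file:hashes.'SHA-256' = '"
                   + "a" * 64 + "']", "low-confidence report (constructed)", confidence=40),
    _broken,
]))

if __name__ == "__main__":
    print(json.dumps(triage_bundle(SAMPLE_BUNDLE, min_confidence=50), indent=2))
```

Running the block prints one accepted tuple for the 90-confidence address and two rejections: the 40-confidence report (below the threshold, the "confidence levels" point above) and the object without `pattern_type` (fails the STIX required-property check). Lowering `min_confidence` to 0 also surfaces the domain and the SHA-256 hash from the second pattern.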

  • Threat classification:

    • Known threat vs unknown threat: external/removable media, attrition, web, email, impersonation, improper usage, equipment loss/theft etc.

    • Zero-day: unknown vulnerabilities that have no patches

    • APT: skilled attackers supported by extremely large resources

  • Threat actors:

    • Nation-state: geopolitically motivated groups with dedicated resources/personnel, extensive planning & coordination

    • Hacktivist: ideologically motivated groups that rely on widely available tools

    • Organised crime: profit-driven groups that target PII, credit cards etc.

    • Insider threat:

      • Intentional: disgruntled or profit-driven employee stealing/damaging/exposing systems

      • Unintentional: personal negligence/poor security practices

  • Intelligence cycle:

    • Requirements: determine exact customer requirements (IRs), how it should be collected

    • Collection: gather data from wide array of desired/reliable/timely sources

    • Analysis: raw info + other sources => intelligence; assess importance/accuracy/reliability

    • Dissemination: timely conveyance of intelligence in appropriate format to customers

    • Feedback: solicit feedback from customer, refine existing IRs

  • Commodity malware: widely available paid/free malware used by many threat actors

  • Information sharing and analysis communities:

    • Healthcare: H-ISAC, Healthcare Ready

    • Financial: FS-ISAC

    • Aviation: A-ISAC

    • Government: EI-ISAC (elections), DIB-ISAC (defense), NEI (nuclear)

    • Critical infrastructure: E-ISAC (electricity), ONG-ISAC (oil & gas), PT-ISAC (public transit)
