Chapter 4 Signature

Question 1

Data collection methods

Answer 1

Question 2

Types of data

Answer 2

Question 3

Types of threat intelligence data collection

Answer 3

Question 4

Building a threat intelligence collection plan

Answer 4

A good threat intelligence collection plan can drive the intelligence collection teams to generate good results in reducing the organizational risks.

1. Design a threat intelligence collection strategy
   
   1. Understand the limitations of the area of operations
   2. Understand the area of interest
2. Understand different collection sources and solutions that match your needs
3. Ensure reliability of Data Collection method providing actionable data
4. Align the collected internal external data and data sources to your organisational specific intelligence analysis needs in further stages
5. Normalise the information with industry standard
6. Store the information in secure and easily accessible infrastructure
7. Share the information with other analysis team

Question 5

Threat intelligence feeds

Answer 5

Threat intelligence feeds refer to a stream of indicators or data derived from the various sources related to potential or evolving threats to an organization’s security.

• 1. External intelligence feeds: includes information that is acquired from globally available sources
     
     1. Journals groups forums and blogs
     2. Law enforcement feeds
     3. Business associations
     4. Security researchers
     5. Underground forums
     6. Hash records
     7. GEOIP statistics
  2. Internal intelligence feeds: includes information that is acquired from locally available sources and from local infrastructure or system
     
     1. Fraud analysis
     2. Security activity data
     3. Mailbox misuse information
     4. Human intelligence
     5. Vulnerability information
     6. Sandbox
  3. Proactive surveillance feeds: includes information that is required using real-time assessment of system activities and events
     
     1. Honeynets
     2. Malware forensics
     3. Brand monitoring
     4. P2p monitoring
     5. DNS monitoring
     6. Watchlist monitoring
     7. Infrastructure and application logs

Question 6

Threat intelligence sources

Answer 6

Apart from the sources mentioned above, you can also collect the threat information from the following government and law enforcement sources:

• 1. Open source intelligence (OSINT) information is collected from publicly available sources and analysed to obtain a rich use full form of Intelligence
     
     1. Media
     2. Internet
     3. Public government data
     4. Corporate/academic publishing
     5. Literature
  2. Human intelligence (HUMINT) Information is collected from interpersonal contacts
     
     1. Foreign defence personnel and Advisors
     2. Accredited diplomats
     3. NGOs
     4. Prisoners of War(POW)
     5. Refugees
     6. Traveler interview for debriefing
  3. Signals intelligence (SIGINT) Information is collected by intercepting the signals
     
     1. Communication intelligence(COMINT): Obtained from interception of communication signals
     2. Electronic intelligence(ELINT): Obtained from Electronic sensors like radar and lider
     3. Foreign instrumentation signals intelligence (FISINT): signals detected from nonhuman communication systems
  4. Technical intelligence (TECHINT) Information is collected from an adversary’s equipment or captured any material (CEM)
     
     1. Foreign equipment
     2. Foreign weapon systems
     3. Satellites
     4. Technical research papers
     5. Foreign media
     6. Human contacts
  5. GEO-spatial intelligence (GEOINT) Information is collected by exploitation and evaluation of Geo spatial information to assess the human activities on earth
     
     1. Satellite imagery
     2. Unmanned aerial vehicles(UAV) imagery
     3. Maps
     4. GPS waypoints
     5. IMINT (imagery intelligence)
     6. National Geospatial Intelligence Agency (NGA)
  6. Imagery intelligence (IMINT) Information is collected from objects that are used to reproduce the real scenario electronically by any kind of electronic media or device
     
     1. Visual photography
     2. Infrared sensors
     3. Synthetic aperture radar (SAR)
     4. MASINT (measurement and signature intelligence)
     5. LASER
     6. Electro-optics
  7. Measurement and signature intelligence (MASINT): information is collected from the sensors that are intended to record distinctive characteristics signatures of fixed or dynamic targets
     
     1. Electro-optical
     2. Acoustic sensors like Sonars
     3. Infrared
     4. Radar sensors
     5. Laser
     6. Spectroscopic sensors
  8. Covert human intelligence sources (CHIS)
     
     1. Information is collected covertly from the target person by maintaining a personal or other relationship with the target person
     2. CHIS is generally referred to a person or an agent under the regulation of investigatory Powers Act 2000 (RIPA) UK
     3. CHS sources are target persons from whom the information will be extracted
  9. Financial intelligence(FININT) information is collected from adversaries financial affairs and transaction that may involve tax evasion or money laundering etc which in turn provide information about the nature capabilities and intentions of the advisory. Sources include
     
     1. Financial intelligence unit
     2. Banks
     3. SWIFT
     4. Informal value transfer system (IVTS)
  10. Social media intelligence(SOCMINT): Information is collected from social networking sites and other types of social media sources
      
      1. Facebook
      2. LinkedIn
      3. Twitter
      4. WhatsApp
      5. Instagram
      6. Telegram
  11. Cyber counter intelligence(CCI) : Information is collected from proactively established security infrastructure or by employing various threat manipulation techniques to liya entrapped threats
      
      1. Honeypots
      2. Passive DNS monitors
      3. Online web trackers
      4. Sock puppets(fake profiling) on online forums
      5. Publishing false reports
  12. Indicators of compromise (IoCs): Information is collected from network security threats and breaches and also from the alerts generated on security interest share which will likely indicate the intrusion
      
      1. Commercial and industrial sources
      2. Free IOC specific sources
      3. Online security related sources
      4. Social media and news feeds
      5. IOC buckets
  13. Industry associations and vertical communities: Information is collected from various threat intelligence sharing communities where organisations share that intelligence information among each other vertical communities sources include the following:
      
      1. Financial services Information sharing and analysis centre(FS-ISAC)
      2. MISP (Malware Information sharing platform)
      3. MineMeld
      4. Dakreading.com
      5. kerberosonsecurity.com
  14. Commercial sources Information is collected from commercial entities and security vendors that provide the threatinformation to various organisations. Commercial sources include the following
      
      1. Kaspersky threat intelligence
      2. McAfee
      3. Avast
      4. Fortiguard
      5. Secureworks
      6. Cisco
  15. Government and law enforcement sources information is collected from Government and law enforcement sources Government sources include the following
      
      1. Us computer emergency response team (US-CERT)
      2. European Union agency for Network and information security (ENISA)
      3. FBI cyber crime
      4. Stop thinkConnect
      5. CERIAS Blog
  • International Police Organization (Interpol)
  • Central Intelligence Agency (CIA)
  • National Security Agency (NSA)
  • Homeland Security (DHS)
  • Central Bureau of Investigation (CBI)
  • National Investigation Agency (NIA)