Threat Intelligence Flashcards

1
Q

What are the different classifications of Threat Intelligence?

A
  • Strategic Intel
    • high-level intel that looks into the organisation’s threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions
  • Technical Intel
    • examines the evidence and artefacts (indicators of compromise) left by the tools and infrastructure an adversary uses
    • uses them to baseline the attack surface so that detection and defence mechanisms can be analysed and developed
  • Tactical Intel
    • assesses adversaries’ tactics, techniques, and procedures (TTPs)
  • Operational Intel
    • assesses an adversary’s specific motives and intent to perform an attack
    • use this intel to understand the critical assets available in the organisation (people, processes, and technologies) that threat actors may target
2
Q

Which intel classification is known as IOC-based Threat Intelligence?

A

Technical Intel

3
Q

How would you compare Threat Intelligence Producers and Threat Intelligence Consumers?

A
  • Producers: gather, analyse and disseminate threat intelligence data for others and themselves
  • Consumers: consume Threat Intelligence created by Producers
4
Q

What IOC types are commonly distinguished in Threat Intelligence feeds?

A
  • Domains
    • typically attributed to URLs used to host malicious files or receive C2 callbacks, or to sender domains used for spam and phishing
  • IP Addresses
    • commonly attributed to addresses known to launch attacks against external-facing assets, or to the destinations of outbound callbacks from malware
5
Q

What are some of the steps conducted in Intelligence-Driven Prevention?

A
  • IP/Domain Blocking via Firewall
  • Domain Blocking through Email Gateways
  • Domain Blocking through DNS Sinkhole
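As an added example (not part of the original flashcards), the following Python script takes a constructed IOC feed of the two types from card 4, refangs and validates the entries, deduplicates them, and emits the three enforcement artefacts named in this card: firewall drop rules, a BIND Response Policy Zone that sinkholes the domains, and a plain one-domain-per-line email-gateway blocklist. The feed contents, the sinkhole address 192.0.2.53 and the gateway's import format are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample feed for this example (not a real feed). One IOC per line:
# type,value,comment. Values are "defanged" the way many public feeds publish them.
SAMPLE_FEED = """\
domain,evil-updates[.]example,C2 callback
domain,hxxps://spam-sender[.]example/login,spam/phishing sender
ip,203[.]0[.]113[.]45,external scanner
ip,198.51.100.7,malware callback
domain,evil-updates[.]example,duplicate entry
ip,999.1.1.1,malformed entry
domain,not a domain,malformed entry
"""

# RFC 1035-style hostname check: labels of 1-63 chars, total <= 253, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
SINKHOLE_IP = "192.0.2.53"  # assumed sinkhole address (TEST-NET-1); replace with your own


def refang(value):
    """Undo common defanging so the value can be matched against live traffic."""
    v = value.strip().lower()
    for bracket in ("[.]", "(.)", "{.}", "[dot]"):
        v = v.replace(bracket, ".")
    v = re.sub(r"^(hxxps?|https?)://", "", v)
    return v.split("/")[0]  # keep only the host part of a URL


def parse_feed(text):
    """Return (domains, ips, rejected): validated, deduplicated IOCs plus the lines that were dropped."""
    domains, ips, rejected = set(), set(), []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value, *_ = line.split(",")
        value = refang(value)
        if kind == "domain" and DOMAIN_RE.match(value):
            domains.add(value)
        elif kind == "ip":
            try:
                ips.add(str(ipaddress.ip_address(value)))  # accepts IPv4 and IPv6
            except ValueError:
                rejected.append(line)  # never push an unparseable value into a control
        else:
            rejected.append(line)
    return sorted(domains), sorted(ips, key=ipaddress.ip_address), rejected


def firewall_rules(ips):
    """Block known-bad addresses in both directions: inbound attacks and outbound callbacks."""
    rules = []
    for ip in ips:
        cmd = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        rules.append(f"{cmd} -A INPUT -s {ip} -j DROP")
        rules.append(f"{cmd} -A OUTPUT -d {ip} -j DROP")
    return rules


def rpz_sinkhole_zone(domains, sinkhole_ip=SINKHOLE_IP):
    """BIND RPZ zone that answers the bad domains (and their subdomains) with the sinkhole address."""
    lines = [
        "$TTL 300",
        "@ SOA localhost. hostmaster.localhost. 1 3600 900 604800 300",
        "@ NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} A {sinkhole_ip}")
        lines.append(f"*.{d} A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


def email_gateway_blocklist(domains):
    """One sender/link domain per line; the exact import format depends on the gateway product (assumed here)."""
    return "\n".join(domains) + "\n"


if __name__ == "__main__":
    domains, ips, rejected = parse_feed(SAMPLE_FEED)
    print("\n".join(firewall_rules(ips)))
    print(rpz_sinkhole_zone(domains))
    print(email_gateway_blocklist(domains))
    print("rejected:", rejected)
```

Hits against the sinkhole address in DNS or firewall logs are themselves detections: the asset that resolved or connected is the one to investigate.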
6
Q

What acronym is commonly used for Threat Intelligence?

A

CTI (Cyber Threat Intelligence)

7
Q

What is the primary goal of CTI?

A

understand the relationship between your operational environment and your adversary and how to defend your environment against any attacks

8
Q

To be able to understand the relationship between your operational environment and your adversary and how to defend your environment against any attacks, what questions should be asked?

A
  • Who’s attacking you?
  • What are their motivations?
  • What are their capabilities?
  • What artefacts and indicators of compromise (IOCs) should you look out for?
9
Q

What are the categories of different sources from which threat intelligence is gathered?

A
  • Internal
    • corporate security events, vulnerability assessments and incident response reports
  • Community
    • open web forums & dark web communities for cybercriminals
  • External
    • threat intel feeds (Commercial & Open-source)
    • government data, publications, social media, financial and industrial assessments
10
Q

What is the CTI lifecycle?

A
  • Direction
    • every threat intel programme needs defined objectives and goals, the questions the intelligence must answer
  • Collection
    • security analysts gather the data required to address those objectives
  • Processing
    • data is extracted, sorted, organised, correlated with appropriate tags and presented visually in a usable and understandable format to the analysts
  • Analysis
    • once the information aggregation is complete, security analysts must derive insights
  • Dissemination
    • different organisational stakeholders will consume the intelligence in varying languages and formats
  • Feedback
    • analysts rely on the responses provided by stakeholders to improve the threat intelligence process and implementation of security controls
11
Q

What is the purpose of Trusted Automated eXchange of Indicator Information (TAXII)?

A
  • facilitate automated sharing of information about security threats in a standardised format (typically STIX objects carried over HTTPS), enhancing the ability of organisations and security systems to detect and respond to cyber threats
  • define protocols for securely exchanging threat intel so that detection, prevention and mitigation of threats can happen in near real time
12
Q

What are the two sharing models supported by Trusted Automated eXchange of Indicator Information (TAXII)?

A
  • Collection
    • a producer hosts the intel and consumers pull it on demand with request-response calls (HTTP GET against the collection's endpoints)
  • Channel
    • the server pushes intel to subscribed consumers through a publish-subscribe model
    • caveat: TAXII 2.1 specifies only Collections; Channels are reserved for a future version, so pull-based Collections are what you will meet in practice
13
Q

What is Structured Threat Information Expression (STIX)?

A

language developed for the “specification, capture, characterisation and communication of standardised cyber threat information”; STIX 2.x objects are serialised as JSON and are the usual payload exchanged over TAXII

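The following Python, added here and not taken from the original deck, ties cards 11 to 13 together: it builds the TAXII 2.1 request a consumer sends to pull a Collection's indicator objects (the request-response model), then parses a constructed STIX 2.1 bundle, dropping revoked indicators and those outside their valid_from/valid_until window before extracting the equality comparisons from each pattern. The bundle, its IDs, the API root URL and the collection ID are made up for the example; the request is built but not sent, so everything runs offline.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle for this example; IDs, names and values are placeholders, not real intel.
SAMPLE_BUNDLE = json.loads("""
{
  "type": "bundle",
  "id": "bundle--5d0092c5-5f74-4287-9642-33f4c354e56d",
  "objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
     "created": "2024-03-01T10:00:00Z", "modified": "2024-03-01T10:00:00Z",
     "name": "C2 infrastructure", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'evil-updates.example'] OR [ipv4-addr:value = '203.0.113.45']",
     "valid_from": "2024-03-01T10:00:00Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--d81bc6e9-2fd8-4c8b-b5c1-3e0cfd7f6c3a",
     "created": "2023-01-01T00:00:00Z", "modified": "2023-01-01T00:00:00Z",
     "name": "Retired phishing domain", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'retired-phish.example']",
     "valid_from": "2023-01-01T00:00:00Z", "valid_until": "2023-06-30T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--0f2c6a7e-3d4b-4a1e-9c1f-7b2d1e5a8f90",
     "created": "2024-02-10T00:00:00Z", "modified": "2024-02-12T00:00:00Z",
     "name": "Withdrawn hash (placeholder)", "pattern_type": "stix", "revoked": true,
     "pattern": "[file:hashes.'SHA-256' = '0000000000000000000000000000000000000000000000000000000000000000']",
     "valid_from": "2024-02-10T00:00:00Z"}
  ]
}
""")

# Extracts "object-path = 'value'" comparisons from a STIX pattern. Other operators
# (!=, LIKE, MATCHES, IN), escaped quotes and timing qualifiers are deliberately not handled.
EQUALITY = re.compile(r"([a-z0-9_-]+:[\w.'\-]+)\s*=\s*'([^']*)'")


def parse_ts(ts):
    """STIX timestamps are RFC 3339 with a trailing Z; turn them into timezone-aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_active(indicator, now):
    """Revoked indicators and those outside their validity window must not be enforced."""
    if indicator.get("revoked") or indicator.get("pattern_type", "stix") != "stix":
        return False
    if now < parse_ts(indicator["valid_from"]):  # valid_from is required on STIX 2.1 indicators
        return False
    until = indicator.get("valid_until")
    return until is None or now < parse_ts(until)


def active_iocs(bundle, now_iso=None):
    """Map each STIX object path (e.g. 'domain-name:value') to the sorted values still in force."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    iocs = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or not is_active(obj, now):
            continue
        for path, value in EQUALITY.findall(obj["pattern"]):
            iocs.setdefault(path, set()).add(value)
    return {path: sorted(values) for path, values in iocs.items()}


TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


def taxii_objects_request(api_root, collection_id, added_after=None, types=("indicator",)):
    """Build (url, headers) for pulling a TAXII 2.1 Collection's objects: the request-response model.
    Sending it (e.g. with urllib.request) is left to the caller so the example stays offline."""
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    params = ["match[type]=" + ",".join(types)]
    if added_after:  # incremental pull: only objects added to the collection after this timestamp
        params.append(f"added_after={added_after}")
    return url + "?" + "&".join(params), {"Accept": TAXII_MEDIA_TYPE}


if __name__ == "__main__":
    url, headers = taxii_objects_request("https://taxii.example/api1/",
                                         "91a7b528-80eb-42ed-a74d-c6fbd5a26116",
                                         added_after="2024-03-01T00:00:00Z")
    print("GET", url, headers)
    print(json.dumps(active_iocs(SAMPLE_BUNDLE, "2024-04-01T00:00:00Z"), indent=2))
```

Persist the latest `added_after` value between runs so each pull is incremental, and re-run the validity check at enforcement time rather than at download time, since an indicator that was current when fetched may have expired or been revoked since.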
14
Q

What is Threat Intelligence?

A

data about existing or emerging threats that has been collected, analysed and put into context so that it can drive defensive decisions

15
Q

What does Threat Intelligence include?

A

information about malicious IPs, domains, file hashes, tactics, techniques, and procedures (TTPs) of threat actors
