Cyber threat intelligence is the analysis of data, using tools and techniques, to generate meaningful information about existing or emerging threats targeting the organization. It helps organizations make faster, more informed security decisions and shift their behavior from reactive to proactive, with predictive capabilities to combat attacks.
Threat intelligence helps analysts decide what to prioritize and what to ignore. Without understanding security vulnerabilities, threat indicators, and how threats are carried out, it is impossible to combat cyber-attacks effectively.
A cyber threat intelligence analyst is a security professional who monitors and analyzes external cyber threat data to provide actionable intelligence. These experts triage security incident data collected from different threat intelligence sources and study the pattern of attacks, their methodology, motive, severity, and threat landscape. This data is then analyzed and filtered to produce threat intelligence feeds and reports that help management (the security officer) make decisions concerning organizational security. Often, these individuals are Certified Threat Intelligence Analysts who bring both the knowledge and skills needed for the job role.
You can learn the fundamentals of cybersecurity in as little as 12 weeks. However, it may take anywhere from two to four years to develop the skills, knowledge, and experience to really excel in cybersecurity, depending on your education and experience.
There are various paths to a career in cybersecurity. For those in a formal degree program, it can take two years to earn an associate’s degree in cybersecurity and four years for a bachelor’s degree. A cybersecurity degree is not mandatory, however, so alternative training, education, and certification can also be done in the same amount of time.
A cybersecurity certificate is an increasingly popular way to fast-track skills development and accelerate a career in cybersecurity. Certificates show employers that you are knowledgeable about the threat landscape and cybersecurity best practices, and have trained in specific areas.
Aim to earn a new certification every 6 months. A few popular certifications include Certified Information Systems Security Professional (CISSP), CompTIA Security+, Certified Information Security Manager (CISM) and Certified Ethical Hacker (CEH).
Cyber Threat Intelligence is mainly categorized as strategic, tactical, technical, and operational.
Strategic threat intelligence provides an overview of the organization’s threat landscape. It is less technical and mainly for executive-level security professionals to drive high-level organizational strategy based on the findings in the reports. Ideally, strategic threat intelligence provides insights like vulnerabilities and risks associated with the organization’s threat landscape with preventive actions, threat actors, their goals, and the severity of the potential attacks.
Tactical threat intelligence consists of more specific details on threat actors’ tactics, techniques and procedures (TTPs) and is mainly for the security team to understand the attack vectors. Intelligence gives them insights on how to build a defense strategy to mitigate those attacks. The report includes the vulnerabilities in the security systems that attackers could take advantage of and how to identify such attacks.
These findings are used to strengthen existing security controls and defense mechanisms and help remove vulnerabilities in the network.
Technical threat intelligence focuses on specific clues or evidence of an attack and creates a base for analyzing such attacks. Threat intelligence analysts scan for indicators of compromise (IOCs), which include reported IP addresses, the content of phishing emails, malware samples, and fraudulent URLs. Timing for sharing technical intelligence is critical because IOCs such as malicious IPs or fraudulent URLs become obsolete in a few days.
Operational threat intelligence focuses on knowledge about the attacks. It gives detailed insights on factors like nature, motive, timing, and how an attack is carried out. Typically, the information is gathered from hacker chat rooms or their online discussions through infiltration, which makes it difficult to obtain.
Raw data is not the same thing as intelligence — cyber threat intelligence is the finished product that comes out of a six-part cycle of data collection, processing, and analysis. This process is a cycle because new questions and gaps in the knowledge are identified during the course of developing intelligence, leading to new collection requirements being set. An effective intelligence program is iterative, becoming more refined over time.
The first step for producing actionable threat intelligence is to ask the right question. The questions that best drive the creation of actionable threat intelligence focus on a single fact, event, or activity — broad, open-ended questions should usually be avoided.
Prioritize your intelligence objectives based on factors like your organization’s core values, the impact of the resulting decision, and the time sensitivity of that decision.
One important guiding factor at this stage is understanding who will consume and benefit from the finished product — will the intelligence go to a team of analysts with technical expertise who need a quick report on a new exploit, or to an executive that’s looking for a broad overview of trends to inform their security investment decisions for the next quarter?
The next step is to gather raw data that fulfills the requirements set in the first stage. It’s best to collect data from a wide range of sources, from internal ones like network event logs and records of past incident responses to external ones like the open web, the dark web, and technical sources.
Threat data usually consists of lists of indicators of compromise (IOCs), such as malicious IP addresses, domains, and file hashes, but it can also include vulnerability information, such as the personally identifiable information of customers, raw code from paste sites, and text from news sources or social media.
Once all the raw data has been collected, you need to sort it, organizing it with metadata tags and filtering out redundant information, false positives, and false negatives.
Today, even small organizations collect data on the order of millions of log events and hundreds of thousands of indicators every day. It’s too much for human analysts to process efficiently — data collection and processing have to be automated to begin making any sense of it.
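The processing stage described above, as an added example that is not part of the original article: it normalizes a raw indicator feed, merges duplicates reported by several sources, drops allowlisted values (false positives) and discards indicators older than a staleness window. The feed format, the allowlist and the 7-day window are assumptions chosen for the demo.

```python
# Added example (not from the article): a minimal "processing" step for a
# raw indicator feed. Assumptions: each indicator is a dict with "type",
# "value", "source" and "first_seen" (ISO date); the allowlist and the
# 7-day staleness window are illustrative choices, not a standard.
from datetime import date, timedelta

# Constructed sample feed: a duplicate reported by two sources, mixed-case
# input, a known-good domain, and an indicator too old to still be useful.
RAW_FEED = [
    {"type": "ip", "value": "203.0.113.10", "source": "feedA", "first_seen": "2024-05-01"},
    {"type": "ip", "value": "203.0.113.10", "source": "feedB", "first_seen": "2024-05-02"},
    {"type": "domain", "value": "Login-Update.Example", "source": "feedA", "first_seen": "2024-05-02"},
    {"type": "domain", "value": "example.com", "source": "feedB", "first_seen": "2024-05-02"},
    {"type": "ip", "value": "198.51.100.7", "source": "feedA", "first_seen": "2024-04-01"},
]

# Known-good assets that would otherwise surface as false positives.
ALLOWLIST = {("domain", "example.com")}


def process_feed(raw, today, max_age_days=7, allowlist=ALLOWLIST):
    """Normalize, deduplicate, tag and age-filter raw indicators.

    `today` is an ISO date string. Returns a dict keyed by (type, value)
    holding the sources that reported the indicator, its earliest
    first_seen date and a confidence tag based on source agreement.
    """
    cutoff = date.fromisoformat(today) - timedelta(days=max_age_days)
    merged = {}
    for ioc in raw:
        key = (ioc["type"], ioc["value"].strip().lower())
        if key in allowlist:
            continue  # filter known false positives
        seen = date.fromisoformat(ioc["first_seen"])
        if seen < cutoff:
            continue  # technical IOCs go stale within days; drop old ones
        entry = merged.setdefault(key, {"sources": set(), "first_seen": seen})
        entry["sources"].add(ioc["source"])
        entry["first_seen"] = min(entry["first_seen"], seen)
    # Metadata tag: more independent sources means higher confidence.
    for entry in merged.values():
        entry["confidence"] = "high" if len(entry["sources"]) > 1 else "medium"
    return merged
```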
The next step is to make sense of the processed data. The goal of analysis is to search for potential security issues and notify the relevant teams in a format that fulfills the intelligence requirements outlined in the planning and direction stage.
Threat intelligence can take many forms depending on the initial objectives and the intended audience, but the idea is to get the data into a format that the audience will understand. This can range from simple threat lists to peer-reviewed reports.
The finished product is then distributed to its intended consumers. For threat intelligence to be actionable, it has to get to the right people at the right time.
The final step is when the intelligence cycle comes full circle, making it closely related to the initial planning and direction phase. After receiving the finished intelligence product, whoever made the initial request reviews it and determines whether their questions were answered. This drives the objectives and procedures of the next intelligence cycle, again making documentation and continuity essential.
Originally published in 2011, the Cyber Kill Chain outlines seven steps that an attacker takes during an intrusion:
It is an effective model because it authoritatively lays out the typical steps an attacker takes.
Sergio Caltagirone, Andrew Pendergrast and Christopher Betz felt that linear cybersecurity intrusion models had a few weaknesses. They wished to focus on specific hacker behaviors and create a model that allowed cybersecurity professionals to identify the relationships between attacker motivations, the victim and the technology used to wage an attack.
Like a diamond, an event has four quadrants, and each quadrant describes core features:
· Adversary: The persona of the individual or group attacking you
· Infrastructure: IP addresses, domain names or email addresses
· Capabilities: What the adversary can do (e.g., malware, exploits, manipulate infrastructure)
· Victim: Can include people, services, network assets or information
Using the Diamond Model, it is possible to string together multiple events — or diamonds — and create an activity group. This allows us to follow the steps of an attack throughout an entire hacker campaign.
One result of the Diamond Model is that it helped turn the activity of intrusion detection from an art into a science — where the activity can be taught and replicated. Also, this model allowed software developers to apply AI to the activity of intrusion detection.
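Stringing diamonds into an activity group, as an added example that is not part of the original article: events are joined when they share an infrastructure or capability feature, and the join is transitive, so two events that share nothing directly still land in the same group through an intermediate event. The sample events and the pivot rule are assumptions for the demo.

```python
# Added example (not from the article): linking Diamond Model events into
# activity groups by pivoting on shared infrastructure or capability.
# The events and the pivot rule are assumptions chosen for the demo.
from collections import defaultdict

# Constructed events: each dict is one "diamond" with its four features.
EVENTS = [
    {"id": "E1", "adversary": "unknown", "infrastructure": {"203.0.113.10"},
     "capability": {"macro-dropper"}, "victim": "finance-ws01"},
    {"id": "E2", "adversary": "unknown", "infrastructure": {"203.0.113.10", "c2.example.net"},
     "capability": {"rat-v2"}, "victim": "hr-ws07"},
    {"id": "E3", "adversary": "unknown", "infrastructure": {"198.51.100.7"},
     "capability": {"rat-v2"}, "victim": "dev-srv03"},
    {"id": "E4", "adversary": "unknown", "infrastructure": {"192.0.2.55"},
     "capability": {"credential-stuffer"}, "victim": "web-portal"},
]


def activity_groups(events, pivot_features=("infrastructure", "capability")):
    """Return sorted lists of event ids, one list per activity group.

    E1 and E2 share an IP, E2 and E3 share a capability, so all three form
    one group even though E1 and E3 share nothing directly. Implemented as
    union-find over event indices.
    """
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    # Index every pivot value to the events carrying it, then join them.
    owners = defaultdict(list)
    for idx, ev in enumerate(events):
        for feature in pivot_features:
            for value in ev[feature]:
                owners[(feature, value)].append(idx)
    for members in owners.values():
        for idx in members[1:]:
            union(members[0], idx)

    groups = defaultdict(list)
    for idx, ev in enumerate(events):
        groups[find(idx)].append(ev["id"])
    return sorted(groups.values())
```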
According to the MITRE model, hackers take the following steps:
As you can see, the MITRE ATT&CK Navigator does more than just list a few steps. It maps specific tactics and procedures to each step. With the MITRE ATT&CK Navigator, you can map specific tactics and procedures to actual threat groups, identifying common techniques and procedures that attackers might take when they target your company.
· Blocks access to key components of the network (ransomware)
· Installs malware or additional harmful software
· Covertly obtains information by transmitting data from the hard drive (spyware)
· Disrupts certain components and renders the system inoperable
Social engineering is a tactic that adversaries use to trick you into revealing sensitive information. They can solicit a monetary payment or gain access to your confidential data. Social engineering can be combined with any of the threats to make you more likely to click on links, download malware, or trust a malicious source.
A zero-day exploit hits after a network vulnerability is announced, but before a patch or solution is implemented. Attackers target the disclosed vulnerability during this window of time. Zero-day vulnerability threat detection requires constant awareness.
6. Man-in-the-Middle Attack
Man-in-the-middle (MitM) attacks, also known as eavesdropping attacks, occur when attackers insert themselves into a two-party transaction. Once the attackers interrupt the traffic, they can filter and steal data.
Two common points of entry for MitM attacks:
1. On unsecured public Wi-Fi, attackers can insert themselves between a visitor’s device and the network. Without knowing it, the visitor passes all information through the attacker.
2. Once malware has breached a device, an attacker can install software to process all of the victim’s information.
A Structured Query Language (SQL) injection occurs when an attacker inserts malicious code into a server that uses SQL and forces the server to reveal information it normally would not. An attacker could carry out a SQL injection simply by submitting malicious code into a vulnerable website search box.
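The search-box case above, as an added example that is not part of the original article: a product search backed by SQLite in the vulnerable string-building form beside the parameterized form that fixes it. The table, rows and the `published` flag are constructed for the demo.

```python
# Added example (not from the article): a product search box backed by
# SQLite, shown in its vulnerable string-building form and in the
# parameterized form that fixes it. Table and rows are constructed.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, published INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?)", [
        ("laptop", 1), ("phone", 1), ("unreleased-tablet", 0),
    ])
    return db


def search_vulnerable(db, term):
    """Concatenates user input into the SQL text, so a quote in the input
    ends the string literal and the remainder is parsed as SQL."""
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term):
    """Binds the term as a parameter: the driver sends it as data, so it
    cannot change the query's structure whatever characters it contains."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]


# The kind of search-box input the article refers to: the quote closes the
# literal, OR 1=1 widens the WHERE clause, and -- comments out the rest,
# so the vulnerable query also returns the unpublished row.
INJECTED_TERM = "x%' OR 1=1 --"
```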
DNS tunneling uses the DNS protocol to carry non-DNS traffic over port 53, sending HTTP and other protocol traffic inside DNS messages. There are various legitimate reasons to use DNS tunneling, but there are also malicious ones, such as DNS tunneling VPN services: they disguise outbound traffic as DNS, concealing data that would normally be sent over an ordinary internet connection. For malicious use, DNS requests are manipulated to exfiltrate data from a compromised system to the attacker’s infrastructure. It can also be used for command and control callbacks from the attacker’s infrastructure to a compromised system.
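Detecting the exfiltration pattern described above, as an added example that is not part of the original article: a heuristic that groups DNS queries by client and parent domain and flags groups where several queries carry a long, high-entropy leftmost label, the shape an encoded payload produces. The log format, the sample lines and the thresholds are assumptions for the demo.

```python
# Added example (not from the article): heuristic DNS tunnelling detection
# run over constructed query-log lines. The log format (time client qname
# qtype), the thresholds and the "last two labels" parent-domain rule are
# assumptions for the demo, not a vendor's format or a standard.
import math
from collections import defaultdict

# Constructed log: ordinary lookups plus a burst of long hex subdomains
# under one parent domain from a single client.
DNS_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com MX
10:00:03 10.0.0.9 6a1f9c3e2b7d4e8f0a1b2c3d4e5f6a7b.tun.example.net TXT
10:00:03 10.0.0.9 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.tun.example.net TXT
10:00:04 10.0.0.9 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.tun.example.net TXT
10:00:04 10.0.0.9 b7a6c5d4e3f2a1b0c9d8e7f6a5b4c3d2.tun.example.net TXT
10:00:05 10.0.0.5 cdn.example.com A
"""


def shannon_entropy(s):
    """Bits per character; encoded payloads score well above real words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (client, qname) from the constructed log lines."""
    for line in text.splitlines():
        _, client, qname, _ = line.split()
        yield client, qname.lower().rstrip(".")


def find_tunnel_candidates(text, min_label=24, min_entropy=3.5, min_queries=3):
    """Map (client, parent domain) -> number of suspicious queries, keeping
    only groups with at least min_queries long, high-entropy labels."""
    groups = defaultdict(list)
    for client, qname in parse_log(text):
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # no subdomain label to inspect
        parent = ".".join(labels[-2:])
        groups[(client, parent)].append(labels[0])
    flagged = {}
    for key, labels in groups.items():
        suspicious = [lab for lab in labels
                      if len(lab) >= min_label and shannon_entropy(lab) >= min_entropy]
        if len(suspicious) >= min_queries:
            flagged[key] = len(suspicious)
    return flagged
```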
Cybersecurity Analysts use a variety of tools in their jobs, which can be organized into a few categories: network security monitoring, encryption, web vulnerability, penetration testing, antivirus software, network intrusion detection, and packet sniffers.
These tools are used to analyze network data and detect network-based threats.
Encryption protects data by scrambling text so that it is unreadable to unauthorized users.
These software programs scan web applications to identify security vulnerabilities.
Penetration testing, also known as “pen test”, simulates an attack on a computer system in order to evaluate the security of that system.
This software is designed to find viruses and other malware, including ransomware, worms, spyware, adware, and Trojans.
An Intrusion Detection System (IDS) monitors network and system traffic for unusual or suspicious activity and notifies the administrator if a potential threat is detected.
A packet sniffer, also called a packet analyzer, protocol analyzer or network analyzer, is used to intercept, log, and analyze network traffic and data.