Author: sparksoul

  • Threat Intelligence Sharing Explained

    Threat Intelligence Sharing

    Sharing threat intelligence involves distributing useful data to different teams within an organization to improve overall security. This information helps teams take action, whether it’s managing risks, responding to incidents, or enhancing security measures.

    Sharing threat intelligence effectively can improve security across various functions. Here’s how it works for different areas, with examples:

    1. Risk Management and Security Engineering

    2. Incident Response

    3. Vulnerability Management

    4. Detection and Monitoring

    Risk Management and Security Engineering:

    These teams use strategic threat intelligence to understand the latest threats and develop a security model that includes new controls or improved configurations for existing ones. For example, if threat intelligence identifies new ways to attack application code, this information should be shared with software development teams to enhance secure coding practices.

    • Risk Management helps identify and prioritize threats to minimize their impact.

    • Security Engineering designs secure systems to reduce the chances of attacks.

    Example: If strategic threat intelligence reveals that a particular type of malware is targeting certain software, security engineers can strengthen defenses or adjust security settings accordingly. For instance, if there’s a new way to attack application code, this information should be shared with software developers so they can use secure coding practices to prevent such attacks.

    Incident Response:

    This team benefits from tactical threat intelligence to handle real-time threats. For example, if a suspicious domain appears in a log file, threat intelligence can provide information about its association with malware, helping the team quickly respond to potential attacks.

    • Focuses on reacting to security incidents quickly and effectively.

    Example: If a suspicious web domain is found in logs, operational threat intelligence can be used to check if that domain is linked to known malware. This helps the incident response team take swift action, like blocking the domain or investigating further.

    Vulnerability Management:

    Strategic threat intelligence helps identify new vulnerabilities, such as those in Internet of Things (IoT) devices, deep fakes (carbonblack.com/2019/07/15/what-do-high-level-deep-fakes-mean-for-cybersecurity), or AI-facilitated fuzzing to discover zero-day vulnerabilities (threatpost.com/using-fuzzing-to-mine-for-zero-days/139683). Operational intelligence can prioritize which vulnerabilities need immediate action, like known exploits targeting a specific software version.

    • Identifies and addresses security weaknesses in systems.

    Example: If threat intelligence shows that hackers are targeting a specific vulnerability in web servers, teams can prioritize fixing that issue. Additionally, ongoing monitoring can help manage long-term risks from vulnerabilities like Meltdown and Spectre, which could still pose threats after their initial discovery.

    Detection and Monitoring:

    Accurate threat intelligence helps fine-tune automated detection systems. By adding new rules based on shared threat information, detection tools can better identify real threats. However, this can also increase false positives, where non-malicious activities are mistakenly flagged as threats.

    • Involves keeping an eye on systems for signs of attack.

    Example: If companies in the same industry report a specific type of attack, using this intelligence in monitoring tools can help catch similar attacks in real time. However, adding more rules could also increase false positives, where harmless activities are flagged as threats.

    Overall, sharing threat intelligence helps different security functions work together to protect the organization more effectively.

    Sharing threat intelligence not only boosts day-to-day security but also encourages strategic approaches like proactive threat modeling and hunting for potential risks before they become issues.

  • Threat Intelligence Sources Explained

    Threat Intelligence Sources Explained

    As part of the requirements phase in the intelligence cycle, it’s important to assess where your threat intelligence comes from. Threat intelligence usually comes from outside sources, so it’s critical to evaluate these sources based on several key factors:

    1. Timeliness

    2. Relevancy

    3. Accuracy

    4. Confidence Level

    Key Factors for Evaluating Threat Intelligence Sources:

    Timeliness: Threats can change quickly as attackers adapt. After an adversary is exposed, they may change their tactics to avoid detection. It’s important to choose intelligence sources that can provide timely updates about evolving threats.

    Relevancy: The intelligence needs to be relevant to your specific needs. For example, if your systems are mainly cloud-based, threat intelligence about Windows vulnerabilities might not be very useful. You need to make sure the intelligence aligns with your organization’s environment and use cases.

    Accuracy: Accuracy means that the information is reliable and validated. It also refers to how specific intelligence is. Can it be used to create automated security rules, or is it more general and strategic? Good threat intelligence should be specific enough to be directly applied to your systems and security measures.

    Confidence Levels: Not all intelligence is equally reliable. Confidence levels help you determine how trustworthy the information is. Some sources use a grading system, like the Admiralty scale, which rates both the reliability of the source and the credibility of the information. For example, a rating of “A1” would mean the source is reliable and the information has been confirmed by multiple sources, while a lower rating means less certainty.

    For example, the MISP Project (misp-project.org/best-practices-in-threat-intelligence.html) codifies the use of the Admiralty scale for grading data and the use of estimative language for grading analyst opinion. The Admiralty scale rates sources with letters from a (reliable) to g (purposefully deceptive) and information credibility from 1 (confirmed by multiple sources) to 6 (cannot be validated).
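    The following is an added example, not code from the post or from the MISP Project: it turns an Admiralty rating into a handling decision (automate, review, or ignore) and then applies the indicators to proxy log lines, illustrating the earlier point that pushing every shared indicator straight into detection rules raises false positives. The indicators, feed names, domains and log lines are constructed.

```python
"""Grade shared indicators with the Admiralty scale, then apply only the
trustworthy ones automatically. All sample data below is constructed."""
import re
from dataclasses import dataclass

# Admiralty scale as described in the post: source reliability a (reliable)
# .. g (purposefully deceptive); information credibility 1 (confirmed by
# multiple sources) .. 6 (cannot be validated). Lower rank is better.
RELIABILITY_RANK = {letter: i for i, letter in enumerate("abcdefg")}


@dataclass(frozen=True)
class Indicator:
    value: str    # a domain name from a shared feed
    rating: str   # Admiralty rating such as "A1" or "D4"
    source: str   # feed the indicator came from (constructed)

    @property
    def reliability(self) -> str:
        return self.rating[:1].lower()

    @property
    def credibility(self) -> int:
        return int(self.rating[1:])


def decide_action(ind: Indicator) -> str:
    """Map an Admiralty rating to how the indicator may be used.

    block  : fit for automated enforcement (reliable source, confirmed info)
    review : useful for hunting and triage, too uncertain to act on alone
    ignore : deliberately deceptive source or unvalidated information
    """
    r, c = ind.reliability, ind.credibility
    if r not in RELIABILITY_RANK or not 1 <= c <= 6:
        raise ValueError(f"malformed Admiralty rating: {ind.rating!r}")
    if r == "g" or c == 6:
        return "ignore"
    if RELIABILITY_RANK[r] <= RELIABILITY_RANK["b"] and c <= 2:
        return "block"
    return "review"


# Constructed proxy log format: "<time> <client> <method> <host> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def match_logs(indicators, log_lines):
    """Return (host, client, action) for each log line whose host is an
    indicator that is not graded 'ignore'."""
    by_host = {i.value.lower(): i for i in indicators}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        _time, client, _method, host, _status = m.groups()
        ind = by_host.get(host.lower().rstrip("."))
        if ind is None:
            continue
        action = decide_action(ind)
        if action != "ignore":
            hits.append((host.lower(), client, action))
    return hits


# Constructed indicators: a confirmed C2 domain, a weakly sourced domain that
# is really a legitimate file host (a false positive if auto-blocked), and a
# domain from a feed known to be deceptive.
INDICATORS = [
    Indicator("malware-c2.example", "A1", "sector ISAC"),
    Indicator("files.example", "D4", "anonymous paste"),
    Indicator("fake.example", "G1", "known deceptive feed"),
]
LOGS = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET malware-c2.example 200",
    "2024-05-01T10:00:02Z 10.0.0.7 GET files.example 200",
    "2024-05-01T10:00:03Z 10.0.0.9 GET fake.example 200",
    "2024-05-01T10:00:04Z 10.0.0.5 GET intranet.example 200",
]

if __name__ == "__main__":
    for host, client, action in match_logs(INDICATORS, LOGS):
        print(f"{action:6} {client} -> {host}")
```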

  • Intelligence Sources

    Proprietary/Closed-Source Intelligence Sources Explained

    Proprietary or closed-source intelligence refers to threat intelligence that is offered as a paid service. Companies that provide this type of intelligence usually charge a subscription fee for access to their updates and research.

    Some of these providers gather and repackage information that is available for free from public sources, while others create their own unique data. This closed-source data comes from the provider’s own research, such as data collected from honeynets (traps set to detect attacks) or information gathered from their customers’ systems, which is anonymized to protect privacy.

    Many commercial providers also offer their own platforms for processing and sharing threat intelligence. Some platform providers don’t create their own intelligence feeds but instead focus on distributing and organizing data from other sources.

    Some examples of commercial providers include:

    • IBM X-Force Exchange (exchange.xforce.ibmcloud.com)

    • FireEye (fireeye.com/solutions/cyber-threat-intelligence/threat-intelligence-subscriptions.html)

    • Recorded Future (recordedfuture.com/solutions/threat-intelligence-feeds)

    Open-Source Intelligence Sources Explained

    Open-source intelligence refers to threat information that is freely available to the public without subscription fees. Various organizations, including government agencies and community-driven platforms, provide such intelligence to help individuals and businesses stay informed about potential security threats.

    Notable open-source intelligence sources include:

    • US-CERT: The United States Computer Emergency Readiness Team offers feeds on current cyber activities, alerts, and comprehensive reports. Their Automated Indicator Service (AIS) provides real-time threat information.

    • MISP Threat Sharing: An open-source platform that facilitates the sharing of threat intelligence, including indicators of compromise, to enhance collective security efforts.

    • Open Threat Exchange (OTX): A community-driven platform where participants share and discuss security threats, providing real-time threat feeds and collaborative analysis.

    Utilizing these open-source resources can enhance situational awareness and improve the ability to respond to emerging cyber threats.

    Other examples of open-source providers include the following:

    • AT&T Security, previously AlienVault Open Threat Exchange (OTX) (otx.alienvault.com)

    • Malware Information Sharing Project (MISP) (misp-project.org/feeds)

    • Spamhaus (spamhaus.org/organization)

    • SANS ISC Suspicious Domains (isc.sans.edu/suspicious_domains.html)

    • VirusTotal (virustotal.com)

    Implicit Knowledge in Cybersecurity

    While threat feeds provide explicit knowledge—information that can be directly used in security processes—it’s important to also pay attention to implicit knowledge sources.

    These include blogs and discussion forums where experienced cybersecurity professionals share their insights. These platforms not only report on the latest cybersecurity trends but also offer valuable lessons on the mindset, attitudes, and instincts that contribute to success in the field.

    Learning from these seasoned experts helps you understand not just what to do, but how to think like a cybersecurity professional.

  • Security Intelligence Cycle: Analysis, dissemination, and feedback

    Security Intelligence Cycle: Analysis, dissemination, and feedback

    The Security Intelligence Cycle is a systematic process used by organizations to collect, analyze, and act on information that helps identify and respond to security threats. It’s a continuous cycle that turns raw data into useful information. This information helps organizations spot potential security threats hidden in the vast amount of data created by their systems. The security intelligence cycle is a process that involves collecting, processing, and analyzing data to provide useful insights for decision-makers.

    The cycle involves multiple steps, each building on the previous one, to ensure that security information is relevant, timely, and useful for decision-making.

    1. Requirements (Planning and Direction)

    2. Collection and Processing

    3. Analysis

    4. Dissemination

    5. Feedback

    Let’s explore key steps in this cycle: analysis, dissemination, and feedback.

    After collecting and processing data (see my previous blog post for those two phases), the next steps in the Security Intelligence Cycle are analysis, dissemination, and feedback. These steps help turn raw data into useful insights that can be shared with the right people in the organization.

    3. Analysis: Making Sense of the Data

    Once the data is collected and organized, the analysis phase begins. In this step, the data is studied to find patterns or unusual activities that could indicate security problems.

    • Challenges of Data Volume: Since many organizations collect a large amount of data, it can be difficult for humans to manually analyze everything. This is where automated tools, like artificial intelligence (AI) and machine learning (ML), come in handy to process and analyze the data faster.

    • Use Cases for Analysis: To get meaningful results, organizations create use cases—specific scenarios to guide the analysis. For example, a use case could be set up to detect irregular login attempts on a company’s system. These use cases help narrow down what to look for in the data and make the analysis more focused.

    4. Dissemination: Sharing the Information

    After the data is analyzed and insights are developed, the next step is dissemination. This is the process of sharing the information with people who need to act on it, such as incident response teams, IT staff, or company executives.

    • Different Audiences: The information needs to be shared in different ways depending on the audience. For example, a detailed report might be sent to security analysts, while a high-level summary is sent to executives.

    • Types of Intelligence:

      • Strategic Intelligence: Long-term information that helps plan projects or security policies.

      • Operational Intelligence: Information that helps managers and specialists with day-to-day security tasks.

      • Tactical Intelligence: Real-time information that helps staff respond to immediate security alerts.

    5. Feedback: Improving the Process

    The final step is feedback. After the intelligence is used, feedback is collected to improve the entire process for the future.

    • What to Review: Feedback might focus on what worked well and what didn’t. It’s important to review whether intelligence helped prevent or respond to incidents effectively.

    • Continuous Improvement: This step ensures the organization is always improving how it collects, analyzes, and shares security information. It also helps adapt to new threats and changes in regulations.

    Conclusion

    The analysis, dissemination, and feedback phases ensure that raw data is turned into actionable insights and shared with the right people. By reviewing what worked and continuously improving the process, organizations can stay ahead of potential security threats and respond more effectively.

  • Security Intelligence Cycle: Requirements and Collection

    Security Intelligence Cycle: Requirements and Collection

    The Security Intelligence Cycle is a systematic process used by organizations to collect, analyze, and act on information that helps identify and respond to security threats. It’s a continuous cycle that turns raw data into useful information. This information helps organizations spot potential security threats hidden in the vast amount of data created by their systems. The security intelligence cycle is a process that involves collecting, processing, and analyzing data to provide useful insights for decision-makers.

    The cycle involves multiple steps, each building on the previous one, to ensure that security information is relevant, timely, and useful for decision-making.

    1. Requirements (Planning and Direction)

    2. Collection and Processing

    3. Analysis

    4. Dissemination

    5. Feedback

    Let’s explore two key steps in this cycle: Requirements and Collection.

    1. Requirements Phase: Setting Clear Goals

    The requirements phase is where the goals for data collection are set. This step is also called Planning and Direction.

    • Why It’s Important: This phase ensures that the data collection process helps achieve business objectives, like protecting company data or identifying security risks.

    • Defining Use Cases: To make the intelligence gathering more effective, organizations often create use cases. For example, a car manufacturer might focus on tracking threats in its supply chain, especially related to the electronics used in its vehicles. These use cases help define what specific data is needed and guide analysts in their work.

    • Identifying Data Sources: Organizations gather data from various sources, like system logs or application logs. Some data might already be available, but in other cases, extra tools or logging features may need to be added to collect the required information.

    • Legal and Technical Considerations: It’s also important to consider any legal rules about what kind of data must be collected and how long it should be stored. Technical limitations, such as the need for specific software tools, must also be considered.

    2. Collection and Processing: Gathering the Data

    Once the goals are clear, the next step is data collection. This involves gathering data from different systems in a consistent and secure way.

    • Collection Tools: Organizations typically use software like Security Information and Event Management (SIEM) tools to collect data. These tools are set up to retrieve data from various sources, such as firewalls, routers, servers, and intrusion detection systems (IDS).

    • Processing the Data: After collection, the data must be processed. This step ensures that the data is formatted consistently so that it can be easily analyzed. For example, an IP address might appear in different formats in different logs, so processing ensures it is recorded in the same way everywhere.

    • Security of Data: Keeping the collected data secure is crucial because security logs often contain sensitive information. This data, if accessed by attackers, could be harmful, so organizations must ensure that it is properly protected.
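    As an added example of the processing step described above (not code from the post or from any SIEM product), the function below pulls client addresses out of three differently formatted log lines and normalises them so that one host is recorded the same way everywhere; the log lines and their formats are constructed for illustration.

```python
"""Normalise IP addresses from heterogeneous logs to one canonical form.
The log lines and formats are constructed, not taken from a real product."""
import ipaddress
import re
from collections import Counter

# One pattern per constructed log format; each captures the client address.
FORMATS = [
    # web server access log: client address is the first field
    re.compile(r"^(?P<ip>[0-9a-fA-F:.]+) - - \["),
    # firewall key=value log: SRC=<addr>, possibly with a :port suffix
    re.compile(r"\bSRC=(?P<ip>\S+)"),
    # Windows-style event text
    re.compile(r"Source Network Address:\s*(?P<ip>\S+)"),
]


def normalize_ip(raw: str) -> str:
    """Canonicalise one address string.

    Handles bracketed IPv6 with a port ("[2001:db8::1]:4000"), IPv4 with a
    port ("10.1.2.3:443"), octets with leading zeros ("010.001.002.003"),
    IPv4-mapped IPv6 ("::ffff:10.1.2.3"), and upper-case or uncompressed IPv6.
    """
    s = raw.strip()
    if s.startswith("["):                     # [addr]:port form
        s = s[1:s.index("]")]
    if s.count(":") == 1 and "." in s:        # IPv4 with a port suffix
        s = s.split(":", 1)[0]
    if "." in s and ":" not in s:
        # ipaddress rejects leading zeros as ambiguous (octal?), so strip
        # them explicitly after checking the shape is a dotted quad.
        parts = s.split(".")
        if len(parts) != 4 or not all(p.isdigit() for p in parts):
            raise ValueError(f"not an IPv4 address: {raw!r}")
        s = ".".join(str(int(p)) for p in parts)
    addr = ipaddress.ip_address(s)            # validates and parses
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped               # ::ffff:a.b.c.d -> a.b.c.d
    return str(addr)                          # IPv6 comes out compressed, lower-case


def extract_client(line: str):
    """Return the canonical client address in a log line, or None if no
    known format matches."""
    for pattern in FORMATS:
        m = pattern.search(line)
        if m:
            return normalize_ip(m.group("ip"))
    return None


def count_by_host(lines) -> dict:
    """Count events per canonical address across all log formats."""
    counts = Counter(
        ip for ip in (extract_client(line) for line in lines) if ip is not None
    )
    return dict(counts)


# Constructed log lines: the same two hosts written five different ways.
LOGS = [
    '192.168.001.010 - - [01/May/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    "May  1 10:00:02 fw kernel: IN=eth0 SRC=192.168.1.10:51515 DST=10.0.0.5:443 PROTO=TCP",
    "An account failed to log on. Source Network Address: ::ffff:192.168.1.10",
    '2001:0DB8:0000:0000:0000:0000:0000:0001 - - [01/May/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 100',
    "May  1 10:00:05 fw kernel: IN=eth0 SRC=[2001:db8::1]:4000 DST=[2001:db8::5]:443 PROTO=TCP",
]

if __name__ == "__main__":
    for host, n in count_by_host(LOGS).items():
        print(f"{host:>16}  {n} events")
```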

    Conclusion

    The requirements and collection phases are the foundation of the security intelligence cycle. Setting clear goals and collecting the right data is essential for identifying and responding to security threats effectively. Proper planning and careful data collection ensure that the intelligence gathered is both useful and actionable for decision-makers.

    Coming Up Next: Analysis, Dissemination, and Feedback

    The next part of the blog series will explore how to analyze the collected data, share the insights with the right people, and use feedback to continuously improve your security intelligence efforts. Stay tuned!

  • Networking Tools

    What is networking?

    A network is a group of connected devices. The devices on a network can communicate with each other over network cables or wireless connections. Devices need to find each other on a network to establish communications. These devices will use unique addresses, or identifiers, to locate each other. The addresses will ensure that communication happens with the right device. These are called the IP and MAC addresses. Devices can communicate on two types of networks: a local area network, also known as a LAN, and a wide area network, also known as a WAN.

    Understanding Networks and Communication:

    A network is a collection of devices connected to each other, allowing them to communicate and share information. These connections can be established using network cables or wireless signals, depending on the type of network in place. To communicate effectively, each device needs to find and connect to other devices on the network. This is done through unique addresses known as IP (Internet Protocol) and MAC (Media Access Control) addresses.

    The IP address acts like a mailing address, helping data to reach the correct destination by identifying devices on the network. The MAC address, on the other hand, is a permanent identifier assigned to each device’s network hardware, ensuring that communication happens with the exact device intended.

    Devices on a network can communicate through two main types of networks: Local Area Networks (LANs) and Wide Area Networks (WANs). A LAN is typically used for a smaller, more localized group of devices, such as those in a home or office. These networks cover a limited geographical area and are often faster and more secure because they don’t rely on external connections.

    On the other hand, a WAN covers a much larger area and connects devices across cities, countries, or even continents. It is often made up of several interconnected LANs and uses public networks, such as the internet, to facilitate communication. While WANs allow for long-distance communication, they may be slower and more susceptible to security risks compared to LANs.

    In summary, networks enable devices to communicate using IP and MAC addresses, and they can be classified as either LANs for local connections or WANs for broader, long-distance communication.

    Networking Tools:

    • Hub

    • Switch

    • Router

    • Modem

    • Firewall

    • Client and Server

    • Wireless Access Point

    • Virtualization

    Network tools such as hubs, switches, routers, and modems are physical devices.

    Hub:

    A hub is a network device that broadcasts information to every device on the network. It repeats all information out to all ports. Hubs are more commonly used for a limited network setup like a home office. A hub is like a radio tower that broadcasts a signal to any radio tuned to the correct frequency. Hubs are not secure: because every connected device receives all traffic, they are vulnerable to intrusion.

    Switch:

    A switch makes connections between specific devices on a network by sending and receiving data between them. A switch is smarter than a hub. It only passes data to the intended destination. This makes switches more secure than hubs and enables them to control the flow of traffic and improve network performance.

    A switch is a device that helps send data between devices connected to it. When data is sent, the switch looks at the destination address and sends it to the correct device. Switches use a MAC address table, which stores the MAC addresses of devices and matches them to specific ports on the switch. This allows the switch to forward data to the right place. Switches work at the data link layer of the TCP/IP model. They improve both the speed and security of the network.
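    To make the hub-versus-switch difference concrete, here is an added example (not from the post) that models a hub and a learning switch with a MAC address table and replays a short conversation through each; device names, MAC addresses and port numbers are constructed.

```python
"""Model of a hub and a learning switch. Topology and frames are constructed."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str


class Hub:
    """Repeats every frame out of every port except the one it arrived on,
    so every attached device sees every conversation."""

    def __init__(self, ports: int):
        self.ports = ports

    def forward(self, in_port: int, frame: Frame) -> list[int]:
        return [p for p in range(self.ports) if p != in_port]


@dataclass
class LearningSwitch:
    """Learns which MAC address lives on which port from the source address
    of each frame, then forwards unicast frames only to the learned port."""
    ports: int
    mac_table: dict[str, int] = field(default_factory=dict)

    def forward(self, in_port: int, frame: Frame) -> list[int]:
        # Learn (or refresh) where the sender is attached.
        self.mac_table[frame.src_mac.lower()] = in_port
        dst = frame.dst_mac.lower()
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == in_port else [out]   # same port: nothing to forward
        # Unknown destination or broadcast: flood, exactly as a hub would.
        return [p for p in range(self.ports) if p != in_port]


def run_conversation(device, frames):
    """Replay (in_port, frame) pairs through one device; return, per frame,
    the list of ports it was sent out of."""
    return [device.forward(port, frame) for port, frame in frames]


# Constructed topology: PC-A on port 0, PC-B on port 1, PC-C on port 2.
A, B, C = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
CONVERSATION = [
    (0, Frame(A, B, "hello B")),      # B not learned yet: switch must flood
    (1, Frame(B, A, "hello A")),      # A already learned: delivered to port 0 only
    (0, Frame(A, B, "how are you")),  # both learned: delivered to port 1 only
]

if __name__ == "__main__":
    print("hub   :", run_conversation(Hub(3), CONVERSATION))
    print("switch:", run_conversation(LearningSwitch(3), CONVERSATION))
```

    On the hub, PC-C on port 2 receives all three frames; on the switch it receives only the first, flooded one, which is the behaviour behind the post's statement that switches are more secure than hubs.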

    Router:

    A router is a network device that connects multiple networks together. Routers connect different networks and help direct data based on the destination’s IP address. They allow devices on separate networks to communicate. In the TCP/IP model, routers work at the network layer. The IP address of the destination is found in the packet’s IP header. The router reads this information and forwards the packet to the next router, repeating this until it reaches the destination. Some routers also have firewalls that can block or allow traffic, preventing harmful data from reaching the private network and causing damage.

    For example, if a computer in one network wants to send information to a laptop on another network, then the information will be transferred like this: First, the information travels from the computer to the router. Then, the router reads the destination address and forwards the data to the intended network’s router. Finally, the receiving router transfers that information to the laptop.

    Modem:

    A modem is a device that connects your router to the internet and brings internet access to the LAN. Modems usually connect your home or office to the internet through an internet service provider (ISP). ISPs give you internet access using telephone lines or cables. The modem takes digital signals from the internet and changes them into analog signals that can travel through the connection from your ISP. Modems often connect to a router, which sends the internet signals to your local network. For large businesses, enterprise networks use other technologies instead of modems to manage a lot of traffic.

    For example, if a computer from one network wants to send information to a device on a network in a different geographic location, it would be transferred as follows: The computer would send information to the router, and the router would then transfer the information through the modem to the internet. The intended recipient’s modem receives the information and transfers it to the router. Finally, the recipient’s router forwards that information to the destination device.

    Firewall:

    A firewall is a security tool that watches and controls traffic going in or out of your network. It acts as your first line of defense. Firewalls can block or allow certain types of traffic based on rules set by the organization. They are usually placed between a safe internal network and the less trusted outside network, like the internet. However, firewalls are just one part of a bigger cybersecurity plan.

    Client and Server:

    Servers give information and services to devices like computers, smart home devices, and smartphones on a network. The devices that connect to the server are called clients. This setup is known as the client-server model. In this model, clients ask the server for information or services, and the server provides what the clients need. Examples include DNS servers that help find website addresses, file servers that store and retrieve files, and mail servers that manage emails for a company.

    Wireless Access Point:

    A wireless access point sends and receives signals through radio waves to create a wireless network. Devices with wireless adapters, like phones or laptops, connect to it using Wi-Fi. Wi-Fi is a set of rules that allow devices to talk to each other without wires. The wireless access point and the connected devices use Wi-Fi to send data through radio waves, which are then passed to routers and switches to reach their final destination.

    Modems connect your home to the internet through cables, converting digital signals from the internet into analog signals that can travel over telephone lines or coaxial cables. Wireless access points, by contrast, create a Wi-Fi network so devices can connect without wires: they send and receive digital signals over radio waves, enabling devices like laptops and smartphones to connect via Wi-Fi.

    Network devices keep track of information and services for users on a network. They connect using wired or wireless methods. Once connected, these devices send data packets, which contain information about where the data is coming from and where it’s going. This is how data is shared between different devices on the network.

    The network itself is the system that lets devices talk to each other. Special devices like routers and switches manage the flow of data, while other devices like computers and phones connect to the network through these network devices.

    Virtualization:

    Network tools like hubs, switches, routers, and modems are physical devices. But many of the tasks these devices do can also be handled by virtualization tools, which are software programs. Virtualization tools can do the same jobs as hubs, switches, routers, and modems, and they are provided by cloud services. Using these tools can save money and help the network grow more easily.

    A cloud network is a collection of servers or computers that stores resources and data in remote data centers that can be accessed via the internet.

  • Networking: TCP/IP

    What is TCP/IP?

    TCP/IP is a suite of protocols that is used to facilitate communication between devices on a network. It is the foundation of the internet and is used by most modern computer networks.

    TCP/IP is a layered protocol, which means that it is made up of several different protocols that work together to provide communication services. The four layers of TCP/IP are:

    • Application Layer: This layer is responsible for providing services to applications, such as HTTP, FTP, and SMTP.

    • Transport Layer: This layer is responsible for providing reliable data transfer between devices. TCP and UDP are the two main protocols used at this layer.

    • Internet Layer: This layer is responsible for routing data packets between networks. IP is the main protocol used at this layer.

    • Network Access Layer: This layer is responsible for providing physical access to the network. Ethernet is the most common protocol used at this layer.

    How does TCP/IP work?

    TCP/IP works by breaking data into packets and sending them across the network. Each packet contains a header that includes the source and destination addresses, as well as other information needed for routing.

    When a packet is sent, it is routed through the network until it reaches its destination. At the destination, the packet is reassembled and delivered to the appropriate application.

    TCP vs. UDP

    TCP and UDP are the two main protocols used at the Transport Layer. TCP is a reliable protocol that guarantees delivery of packets. UDP is an unreliable protocol that does not guarantee delivery of packets.

    TCP is used for applications that require reliable data transfer, such as file transfers and email. UDP is used for applications that do not require reliable data transfer, such as streaming audio and video.

    TCP/IP header

    The TCP/IP header contains information about the source and destination addresses, as well as other information needed for routing. The header is used by routers to determine the best path for the packet to take.

    TCP/IP data packet

    The TCP/IP data packet contains the actual data that is being sent. The data is broken into segments and encapsulated in the TCP/IP header.
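    The following is an added example (not from the post): it hand-builds one IPv4 packet carrying a TCP segment and then decodes it layer by layer, showing where the source and destination addresses, ports and application data sit and how a receiver rejects a packet whose header checksum no longer matches. Addresses, ports and payload are constructed, and Ethernet framing is left out.

```python
"""Build and decode one constructed TCP/IP packet, layer by layer."""
import struct

PROTO_TCP = 6
TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; over a valid header (checksum
    field included) the result is 0, which is how receivers verify it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Encapsulate: application data -> TCP segment -> IPv4 packet."""
    # TCP header: data offset 5 words (20 bytes), flags PSH|ACK (0x18);
    # the TCP checksum is left at 0 because this example verifies IP only.
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000,
                      (5 << 12) | 0x18, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s",
                             0x45, 0, total_len, 0x1234, 0x4000,   # v4, IHL 5, DF set
                             64, PROTO_TCP, 0,                     # TTL, protocol, csum=0
                             bytes(map(int, src.split("."))),
                             bytes(map(int, dst.split("."))))
    csum = ipv4_checksum(ip_no_csum)
    return ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:] + tcp


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header; return routing fields and the encapsulated payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:    # a router or host drops such packets
        raise ValueError("bad IPv4 header checksum")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "protocol": proto, "payload": packet[ihl:total_len]}


def parse_tcp(segment: bytes) -> dict:
    """Decode the TCP header; return ports, sequence numbers, flags and data."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("malformed TCP header")
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "window": window, "flags": flags, "payload": segment[data_off:]}


def decode(packet: bytes) -> dict:
    """Peel the layers: IPv4 header -> TCP header -> application data."""
    ip = parse_ipv4(packet)
    if ip["protocol"] != PROTO_TCP:
        raise ValueError("only TCP payloads are decoded in this example")
    tcp = parse_tcp(ip["payload"])
    return {"ip": ip, "tcp": tcp, "data": tcp["payload"]}


# Constructed sample: a private host sending an HTTP request to a LAN server.
SAMPLE = build_packet("192.168.1.10", "10.0.0.5", 51515, 80,
                      b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n")

if __name__ == "__main__":
    d = decode(SAMPLE)
    print(f'IP  {d["ip"]["src"]} -> {d["ip"]["dst"]} ttl={d["ip"]["ttl"]}')
    print(f'TCP {d["tcp"]["src_port"]} -> {d["tcp"]["dst_port"]} flags={d["tcp"]["flags"]}')
    print("data", d["data"][:16])
```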

    Conclusion

    TCP/IP is a suite of protocols that is used to facilitate communication between devices on a network. It is the foundation of the internet and is used by most modern computer networks.

    TCP/IP is a layered protocol that is made up of a number of different protocols that work together to provide communication services. The four layers of TCP/IP are:

    • Application Layer

    • Transport Layer

    • Internet Layer

    • Network Access Layer

    TCP and UDP are the two main protocols used at the Transport Layer. TCP is a reliable protocol that guarantees delivery of packets. UDP is an unreliable protocol that does not guarantee delivery of packets.