Threat Intelligence Sources
Notes from Security 601+ – Module 1.5
Threat intelligence is an essential tool for cyber security practitioners. While it’s all well and good to have a system in place to react to threats, additional work needs to be done to proactively prepare for threats BEFORE they happen.
The issue is, how can a single researcher, or even a whole department, hope to keep up with the myriad of bad actors out there, all intent on breaching their systems?
The answer, of course, is threat intelligence sources.
Threat intelligence sources allow security practitioners to build adaptive security measures which protect against threats.
According to the CompTIA Security+ syllabus the essential sources to review are Open Source Intelligence (OSINT), Closed or Proprietary Intelligence and Vulnerability Databases. I will, however, also expand on a few other options which the syllabus does not cover, as they seem valuable sources which shouldn’t be overlooked.
Open Source Intelligence (OSINT)
Open Source Intelligence (aka OSINT) is a type of intelligence which is open to all. It is publicly available information which, while useful to practitioners, is also available to malicious actors to exploit.
The three main sources of OSINT are the open internet, governmental data and open source commercial data.
CSSonline states that the open source intelligence activities an organisation should undertake are as follows:
- Discovering public-facing assets – This relates to IT discovering and managing public-facing assets to ensure that no information is exposed which can assist bad actors.
- Discovering relevant information from outside the organisation – Keeping tabs on data sources such as social media, forum posts and the like to ensure there isn’t anything in the public domain that can provide a way in.
- Collating discovered information into an actionable form – This usually uses OSINT tools to format the data in a way which is easily actionable.
There is a vast variety of OSINT tools which can help greatly. Many of them specialise in specific areas and, when combined, add up to a formidable package.
With regards to point two above, this is the obvious definition which comes to mind when performing threat intelligence research. The common places reviewed for information are:
- Vendor Websites
- Vulnerability Feeds (definition page to add)
- Conferences
- Academic Journals
- Requests for Comment (RFC) (definition page to add)
- Local Industry Groups
- Social Media
- Threat Feeds
Closed & proprietary Intelligence
While OSINT is free for all if you know where to look, closed and proprietary data is data collected by private organisations and provided for a fee. While this may seem like a downside, it has its own upsides and downsides compared to OSINT.
The upsides of this intelligence type are:
- It’s convenient. Organisations don’t have to expend resources on maintaining and updating their own gathering methods to stay up to date with current intelligence.
- It’s constantly updated. The companies providing this information have the teams, the resources and the tools to keep the data constantly up to date and available.
- Many companies provide methods for their data to be integrated into automated solutions.
The downside, as expected, is that these upsides come at a cost premium for the organisation.
Vulnerability Database
Vulnerability databases are resources, often government provided, which offer massive amounts of data on threats, vulnerabilities and current intelligence. They are often maintained by security professionals and are a valuable resource for any organisation.
Some of the most well known vulnerability databases are:
- CVE (Common Vulnerabilities and Exposures)
- The US National Vulnerability Database
Sharing Vulnerabilities
Say you discover a vulnerability and no previous reference to it can be found anywhere. What should you do?
Convention states that it should be submitted for addition to the vulnerability databases to make others aware of the issue. This may be a vulnerability in your own software or one found in a piece of software you’re using.
Most people will share these vulnerabilities in either a Public Threat Database, a Private Threat Database or the Cyber Threat Alliance (CTA). The accepted format for sharing these vulnerabilities is AIS (Automated Indicator Sharing), which includes descriptions, motivations, abilities, capabilities and response management.
Finally, AIS data is shared using the Trusted Automated Exchange of Indicator Information (TAXII).
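As an added example (not from the original notes): a small Python script that builds an indicator bundle in STIX 2.1, the content format that AIS carries over TAXII, and parses a received bundle back into indicators a detection pipeline could load. It uses only the standard library; the domain and hash values are constructed placeholders, not real indicators.

```python
# Added example (not from the notes): build and parse a minimal STIX 2.1 indicator
# bundle, the content format AIS carries over TAXII. Sample values are constructed.
import json, re, uuid
from datetime import datetime, timezone

# STIX 2.1 pattern per IoC type (one comparison each) and required Indicator properties.
PATTERNS = {"domain": "[domain-name:value = '{}']", "ipv4": "[ipv4-addr:value = '{}']",
            "sha256": "[file:hashes.'SHA-256' = '{}']"}
REQUIRED = {"type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from"}

def make_indicator(ioc_type, value, name):
    """Return one STIX 2.1 Indicator object (SDO) describing a single IoC value."""
    if ioc_type not in PATTERNS:
        raise ValueError(f"unsupported IoC type: {ioc_type}")
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "name": name, "pattern_type": "stix",
        "pattern": PATTERNS[ioc_type].format(value),
    }

def make_bundle(objects):
    """Wrap SDOs in a STIX Bundle, the unit a TAXII collection hands to a consumer."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def extract_iocs(bundle_json):
    """Validate each indicator in a received bundle and return (observable type, value) pairs."""
    found = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, relationship and other object types are skipped here
        missing = REQUIRED - set(obj)
        if missing:
            raise ValueError(f"{obj.get('id')} missing {sorted(missing)}")
        m = re.fullmatch(r"\[([\w-]+):[\w.'-]+ = '([^']+)'\]", obj["pattern"])
        if m:  # only single-comparison patterns are handled by this parser
            found.append((m.group(1), m.group(2)))
    return found

# Constructed sample of what a consumer would pull from a TAXII collection.
SAMPLE = json.dumps(make_bundle([
    make_indicator("domain", "login-example-invalid.test", "phishing domain"),
    make_indicator("sha256", "a" * 64, "dropper hash"),
]))
```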
So what other areas can information be gathered from?
Now that we’ve covered the main methods, it’s time to briefly review the other places threat information can be gathered.
- The Dark Web – Technically part of OSINT, the dark web adds a layer of complexity to information gathering due to its anonymous nature. It is, however, useful for finding out whether there has been a breach or for finding evidence of successful attacks.
- File / Code Repositories – GitHub is a haven in that a large chunk of open source code is published there. Researchers have found they can often monitor it and so pre-empt upcoming hacks while they are still being created by attackers.
- Local Industry Groups – This is a collection of researchers from the same industry who gather to discuss and share information on threats, which can then be actioned at each respective company.