Troy McMillan - CompTIA Cybersecurity Analyst (CySA+) CS0-002 Cert Guide, 2ed Edition

  • Book:
    CompTIA Cybersecurity Analyst (CySA+) CS0-002 Cert Guide, 2ed Edition
  • Publisher:
    Pearson
  • Year:
    2020
CompTIA Cybersecurity Analyst (CySA+) CS0-002 Cert Guide

Troy McMillan

Contents
Chapter 1. The Importance of Threat Data and Intelligence

This chapter covers the following topics related to Objective 1.1 (Explain the importance of threat data and intelligence) of the CompTIA Cybersecurity Analyst (CySA+) CS0-002 certification exam:

: Examines open-source intelligence, proprietary/closed-source intelligence, timeliness, relevancy, and accuracy

: Covers the importance of identifying levels of confidence in data

: Introduces Structured Threat Information eXpression (STIX), Trusted Automated eXchange of Indicator Information (TAXII), and OpenIOC

: Investigates known threats vs. unknown threats, zero-day threats, and advanced persistent threats

: Identifies actors such as nation-state, hacktivist, organized crime, and intentional and unintentional insider threats

: Explains the requirements, collection, analysis, dissemination, and feedback stages

: Describes the types of malware that commonly infect networks

: Discusses data sharing among members of healthcare, financial, aviation, government, and critical infrastructure communities

When a war is fought, the gathering and processing of intelligence information is critical to the success of a campaign. Likewise, when conducting the daily war that comprises the defense of an enterprise's security, threat intelligence can be the difference between success and failure. This opening chapter discusses the types of threat intelligence, the sources and characteristics of such data, and common threat classification systems. This chapter also discusses the threat cycle, common malware, and systems of information sharing among enterprises.

Do I Know This Already? Quiz

The "Do I Know This Already?" quiz enables you to assess whether you should read the entire chapter. If you miss no more than one of these seven self-assessment questions, you might want to skip ahead to the "Exam Preparation Tasks" section. Table 1-1 lists the major headings in this chapter and the "Do I Know This Already?" quiz questions covering the material in those headings so that you can assess your knowledge of these specific areas. The answers to the "Do I Know This Already?" quiz appear in Appendix A.

Table 1-1 Do I Know This Already? Foundation Topics Section-to-Question Mapping

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


Which of the following is an example of closed-source intelligence?

a. Internet blogs and discussion groups

b. Print and online media

c. Unclassified government data

d. Platforms maintained by private organizations

Which of the following is an application protocol for exchanging cyber threat information over HTTPS?

a. TAXII

b. STIX

c. OpenIOC

d. OSINT

Which of the following are threats discovered in live environments that have no current fix or patch?

a. Known threats

b. Zero-day threats

c. Unknown threats

d. Advanced persistent threats

Which of the following threat actors uses attacks as a means to get their message out and affect the businesses that they feel are detrimental to their cause?

a. Organized crime

b. Terrorist group

c. Hacktivist

d. Insider threat

In which stage of the intelligence cycle does most of the hard work occur?

a. Requirements

b. Collection

c. Dissemination

d. Analysis

Malware that is widely available either for purchase or by free download is called what?

a. Advanced

b. Commodity

c. Bulk

d. Proprietary

Which of the following information sharing and analysis communities is driven by the requirements of HIPAA?

a. H-ISAC

b. Financial Services Information Sharing and Analysis Center

c. Aviation Government Coordinating Council

d. ENISA

Foundation Topics
Intelligence Sources

Threat intelligence comes in many forms and can be obtained from a number of different sources. When gathering this critical data, the security professional should always classify the information with respect to its timeliness and relevancy. Let's look at some types of threat intelligence and the process of attaching a confidence level to the data.

Open-Source Intelligence

Open-source intelligence (OSINT) consists of information that is publicly available to everyone, though not everyone knows that it is available. OSINT comes from public search engines, social media sites, newspapers, magazine articles, or any source that does not limit access to that information. Examples of these sources include the following:

Print and online media

Internet blogs and discussion groups

Unclassified government data

Academic and professional publications

Industry group data

Papers and reports that are unpublished (gray data)

Proprietary/Closed-Source Intelligence

Proprietary/closed-source intelligence sources are those that are not publicly available and usually require a fee to access. Examples of these sources are platforms maintained by private organizations that supply constantly updating intelligence information. In many cases this data is developed from all of the provider's customers and other sources.

An example of such a platform is offered by CYFIRMA, a market leader in predictive cyber threat visibility and intelligence. CYFIRMA announced the launch of cloud-based Cyber Intelligence Analytics Platform (CAP) v2.0. In 2019, using its proprietary artificial intelligence and machine learning algorithms, CYFIRMA was helping organizations unravel cyber risks and threats and enable proactive cyber posture management.

Timeliness

One of the considerations when analyzing intelligence data (of any kind, not just cyber data) is the timeliness of such data. Obviously, if an organization receives threat data that is two weeks old, quite likely it is too late to avoid that threat. One of the attractions of closed-source intelligence is that these platforms typically provide near real-time alerts concerning such threats.
