Cyber Threat Intelligence (CTI) Part 4 — CTI Lifecycle — Collection

Fellow Human
6 min read · Apr 15, 2023


For a quick recap of the introduction to Cyber Threat Intelligence (CTI), the skill set a CTI analyst should have, and the first stage of the CTI Lifecycle (Planning & Direction), please check out the first three parts of this series:

Cyber Threat Intelligence Part 1 — Quick Introduction to Cyber Threat Intelligence

Cyber Threat Intelligence Part 2 — What are the skill set requirements for a Cyber Threat Analyst?

Cyber Threat Intelligence (CTI) Part 3 — CTI Lifecycle

In this part I'll introduce the Collection stage, the second stage of the CTI lifecycle. Once the Intelligence Requirements have been clearly defined in the first phase, we move on to "Collection". This phase ensures that attention is paid to both the quality and the quantity of raw data fed into the intelligence management tool. The goal during collection is to gather as much data as possible about potential threats, vulnerabilities and any other public information that could aid a threat actor, while keeping the quality of that data high so that noise is reduced.

Organisations tend to use a Collection Management Framework (CMF). A CMF identifies the various sources of data and the type of data collected from each source. It also tells analysts what data is available from each source and for how long it remains available for use, which helps an analyst make better-informed decisions.

Data is usually collected from two kinds of sources:

Internal Sources:

During the collection phase, some of the important data can be sourced internally from an organisation. These include:

a. Vulnerability reports

A vulnerability report is a document that outlines the security weaknesses found in software applications, systems, or networks. It is typically the result of a security researcher's assessment of an organisation, or of a vulnerability assessment run with a vulnerability scanner against a target system. The report includes information about the vulnerabilities found, their severity, and recommendations on how to fix or mitigate them.

The report can be used by the organisation that owns the system to prioritise and address the vulnerabilities and improve the security posture of its systems. Vulnerability reports are an essential tool for identifying and addressing security issues proactively, before they can be exploited by attackers.

b. Network logs and events

Network logs are records of events that occur on a computer network. These logs are created by various network devices, such as routers, switches, and firewalls, and they contain information about the traffic that passes through the network.

Network logs can include information about network connections, such as the source and destination IP addresses, ports, and protocols. They can also include information about network activity, such as the type of traffic (e.g., web browsing, email, file transfer), the amount of data transferred, and the time and duration of the connection.

Network logs are an important tool because they can be used both to monitor network performance and to detect security threats. By analysing network logs, we can identify patterns of activity that may indicate a security breach or other abnormal behaviour.

c. Endpoint logs and events

Endpoint logs are records of events that occur on endpoint devices, such as desktops, laptops, servers, and mobile devices. These logs are generated on the devices themselves and contain information about the activities and changes that occur on them.

Endpoint logs can include information about user logins, software installations, system updates, and other changes made to the device. They can also include information about security events, such as malware infections, attempts to access sensitive files, and other security-related events.

Endpoint logs can be used to monitor endpoint activity, detect security threats, and investigate security incidents. By analysing endpoint logs, we can identify patterns of activity that may indicate a security breach or other abnormal behaviour.

External Sources:

The bulk of the data can be sourced by organisations from external sources. These include:

a. CERT

CERT stands for "Computer Emergency Response Team" or "Computer Emergency Readiness Team". A CERT is a group of individuals responsible for responding to and managing cybersecurity incidents, such as computer system hacks or network breaches. CERT is often used interchangeably with similar terms like "Computer Incident Response Team" (CIRT) or "Cyber Security Incident Response Team" (CSIRT). The activities of a CERT include resolving incidents such as data breaches and denial-of-service attacks, providing alerts and incident handling guidelines, assessing, managing, and preventing cybersecurity-related emergencies, and coordinating incident response efforts.

Examples of CERT are:

US-CERT

US-CERT coordinates defence against and responses to cyber-attacks across the US.

FIRST

FIRST brings together a variety of computer security incident response teams from government, commercial, and educational organisations.

b. OSINT

OSINT stands for “Open Source Intelligence”, which refers to the collection, analysis, and dissemination of information that is publicly available. This information can be collected from various sources, such as social media platforms, news outlets, public records, and other publicly accessible information.

OSINT can provide valuable insights into the activities of individuals or organizations and can be used to identify potential security threats, track the spread of misinformation, and monitor social and political trends.

OSINT is used by a wide range of organisations, and its importance is only expected to grow as the use of social media becomes ever more widespread. OSINT provides threat indicators: data that associate observed artefacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware.

Examples of OSINT are:

Shodan

Shodan is a search engine for Internet-connected devices. It gathers information about devices that are directly connected to the Internet: if a device is directly reachable on the Internet, Shodan queries it for the publicly available information it exposes.

Maltego

Maltego is software used for open-source intelligence and data forensics. Maltego focuses on providing a library of transforms for the discovery of data from open sources and visualizing that information in a graph format, suitable for link analysis and data mining.

c. Commercial Feeds

Commercial threat intelligence feeds combine raw data from open-source intelligence (OSINT) sources, curation, other commercial feeds, proprietary detections, and data enrichment to provide greater visibility into potential and current security threats. They offer rich contextual data that can be used to gain a better understanding of the targets, tactics, techniques and procedures (TTPs), attacks, and motives of the attackers.

Threat intelligence feeds provide streams of threat information that an organisation can ingest into its security tools and platforms to block threats or derive helpful insights. The feed data includes information on threat actors, suspicious domains and IP addresses, malware hashes, and more.
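What "ingesting a feed into security tools" amounts to in practice is matching: the artefact-to-activity pairs described under OSINT above are checked against the internal network and endpoint logs described earlier. The following is an added example, not code from the original post; the indicator feed, the key=value log layout and every value in it are constructed for illustration.

```python
import ipaddress
import re

# Constructed indicator feed (every value is made up): each entry ties an observed
# artefact (IP, domain or file hash) to known threat activity, as the text describes.
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "activity": "botnet C2", "source": "commercial feed"},
    {"type": "domain", "value": "login-update.example", "activity": "phishing", "source": "OSINT"},
    {"type": "sha256", "value": "a" * 64, "activity": "malware dropper", "source": "OSINT"},  # placeholder hash
]
# Constructed network and endpoint log lines in a generic key=value layout, not a real product's format.
LOGS = [
    "2023-04-15T10:01:02Z type=netflow src=10.0.0.5 dst=203.0.113.45 dport=443 proto=tcp bytes=5120",
    "2023-04-15T10:01:05Z type=dns src=10.0.0.5 query=LOGIN-UPDATE.example rcode=NOERROR",
    "2023-04-15T10:02:11Z type=endpoint host=ws01 event=process_create sha256=" + "A" * 64,
    "2023-04-15T10:02:30Z type=netflow src=10.0.0.7 dst=198.51.100.9 dport=80 proto=tcp bytes=900",
]
KV = re.compile(r"(\w+)=(\S+)")
SHA256 = re.compile(r"^[0-9a-f]{64}$")
DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")
# Our own address space is never a feed indicator; skipping it avoids needless lookups and noise.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def classify(value):
    """Return (indicator_type, normalised_value) for one log field, or None if it is not an artefact."""
    v = value.lower()  # hashes and domains are case-insensitive, so normalise before lookup
    if SHA256.match(v):
        return "sha256", v
    if DOMAIN.match(v):
        return "domain", v
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        return None  # ports, byte counts, hostnames without a dot, and so on
    if isinstance(ip, ipaddress.IPv4Address) and not any(ip in net for net in INTERNAL):
        return "ipv4", v
    return None

def match_logs(logs, feed):
    """Return one hit per (log line, matching indicator), carrying the feed's context with it."""
    index = {(i["type"], i["value"].lower()): i for i in feed}  # one dict lookup per log field
    hits = []
    for line in logs:
        for _, raw in KV.findall(line):
            ind = index.get(classify(raw))
            if ind:
                hits.append({"line": line, "indicator": ind["value"], "activity": ind["activity"], "source": ind["source"]})
    return hits
```

`match_logs(LOGS, FEED)` returns three hits (the C2 address, the phishing domain despite its upper-case spelling in the DNS log, and the dropper hash); the fourth line, to an address absent from the feed, and the internal 10.0.0.x addresses produce none.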

Examples of Commercial feeds are:

Intel471

Mandiant

d. ISAC

An Information Sharing and Analysis Centre (ISAC) is an industry-specific organisation that gathers and shares information on cyber threats. ISACs are communities that help the organisations in a sector work together to recognise and build resilience against their shared, systemic threats.

Organisations tend to use the same or similar applications, infrastructure, and security tooling as their sector peers. Consequently, vulnerabilities and risk profiles are often comparable within a sector.

Many ISACs are well-resourced, come with membership fees and have the infrastructure and full-fledged security operations centres for monitoring threats on a local and global scale.

Examples of ISACs are:

IT-ISAC

IT-ISAC was established to minimize threats, manage risk, and respond to cyber incidents impacting the IT sector.

FS-ISAC

FS-ISAC was established to minimise threats, manage risk, and respond to cyber incidents impacting the Financial Services sector.

e. Dark Web and Hacker Forums

To increase situational awareness, commercial vendors and threat analysts also pay significant attention to the Dark Web and hacker forums, where large quantities of malicious hacking tools are hosted.

The Dark Web includes online markets and social media platforms where hackers around the world trade and sell hacking tools, content, knowledge, and other cyber assets such as exploits, via hacker forums, DarkNet Marketplaces (DNMs) and Internet Relay Chat (IRC). It also hosts information on, and marketplaces for, other illicit goods.

The cybercriminal knowledge and tooling available on the Dark Web and hacker forums has enabled hackers to execute large-scale cyber-attacks. Analysts monitor these forums to develop awareness of cybercriminal activity.

In the next part, I will talk about the third stage of the CTI Lifecycle — Processing.

Thanks for reading and as always, all feedback is welcome.

Lastly, if you enjoy any of my blogs, it would be great if you could please follow me as a reward for the algorithm :)


Fellow Human

I'm Fellow Human, this is my YouTube channel: Brain Stew that covers Cyber, Technology, Science and Life. Check it out here: https://www.youtube.com/@brain-stew