Chapter 2 Exploring Cybersecurity Threats

Site: ApexMoodle
Course: Audit
Book: Chapter 2 Exploring Cybersecurity Threats
Printed by: Guest user
Date: Saturday, 10 January 2026, 12:14 AM

1. Exploring Cyber Security Threats

Audio

Transcript

Today we're going to start looking at Chapter 2.

So let's jump into Chapter 2, Section 1, which is Exploring Cybersecurity Threats.

1.1. Classifying Cybersecurity Threats

Audio

Transcript

So let's look at classifying cybersecurity threats.

So the first thing is understanding our adversary. You have to kind of know who you're going up against: what they're trying to do, where they're coming from. You need to understand them a little bit in order to put up a defense against them. Think of it as if you were going to play a baseball game, but everybody else was playing football. You wouldn't stand too much of a chance of doing well.

But if you know what kind of attacker you have, and you know a little bit about what their objectives are, then you have a better chance of defeating them.

So let's talk about the first one, which is internal versus external.

It's pretty simple, it's just as it says. Internal means they're on your team. They're an insider threat. They either work there, or they're in the building constantly. They have permission to be there. They're not trespassing. It's somebody, and maybe it's a subcontractor, maybe it's an employee that feels they've been slighted in some way, shape or form. They're disgruntled. They're looking to get back at you, something like that. That's an internal threat. So those are really dangerous, because you think they're on your side and they're not. They're on the bad guys' side.

So then the other one is an external threat, so that's a threat from outside the company, from outside your four walls, from outside your network. They're coming at you from outside, trying to attack your network, either physically or through the web.

So those require different defenses. For an external threat, you're putting up security guards, things like that, access keypads, retina scanners, fingerprint scanners, and then protections on your network for people trying to come in when they shouldn't be: firewalls, intrusion protection, intrusion detection systems, things like that. And then for an internal threat it's hard to put a defense up. You're putting up things like data loss prevention, where you're looking for files that are going out. I know companies where you cannot hook a USB drive up to their system without it sending out an alert, and that's to keep from having data copied. There are alerts where, if it's so large of a file, or if it's a file being renamed, it will alert so that you know something's happening. It may be after the fact. It may be seconds after the fact.

But it alerts, and at least you know who your target is then if something's going awry. So that's the difference between internal and external: one is in your building, in your network, and they have permission to be there, and the other is external.

So let's talk about levels of sophistication and capability. So threat actors vary greatly in their levels of cybersecurity sophistication and capability, and that depends on who your attacker is. Is it Joe Bob down the street, who's just doing it for fun, or maybe has a grudge against your company? They didn't like something that happened, and they're going to DDoS attack you and try to shut down your website. Or are you big enough that a nation state is coming after you?

Why is this different? Why is this level of sophistication and capability different? Simply money. Joe Bob down the street probably can't afford the same thing that Russia can. They can't afford to have teams of hackers going all day long trying to penetrate your system.

Teams that do ransomware, you know, these are large groups, and they have more resources, more people, and they can afford to do more things. They can spend more time. Whereas if John down the street, who is mad at your company or who you fired last week, is trying to do something through your network, if they work, they only have so many hours in the day that they can spend trying to do something to you, whereas some of these more sophisticated and more capable teams could spend 24 hours a day hitting your system.

And then we start looking at resources and funding. Same thing, you know: a nation-state actor, a nation-state threat, or large gang threats or large group threats. These people have more money, they have more resources. They have more computers, more computing power, things like that, so they can do more to you. And then the last thing is intent and motivation. Why are they motivated to attack you, your network, your system? What is their intent?

Again, is it Billy Bob down the street who's mad at you, who you fired? You know, his intent is to get back at you. So maybe he tries once or twice and goes away. Or is it China, and you've got the latest, greatest patent for a chip, and they're trying to steal that technology? You know, that's a different motivation.

They're not going to quit just because you stopped them the first 100 times. They're going to keep coming and coming. And so you always have to be on your guard and be ready for them.
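The insider-threat controls the lecture describes (an alert when a large file goes out, or when a file is renamed on the way out) are easy to sketch as detection rules. The block below is an added example from the editor, not part of the lecture or its slides: it runs three DLP-style rules over constructed file-activity events (the event format, thresholds, and ten-minute window are all assumptions for the example) and also aggregates per-user volume over a sliding window, which catches a user who stays under the per-file limit by copying many smaller files.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed file-activity events (not real telemetry), one per line:
# timestamp user=... op=copy|rename src=... dst=... bytes=... removable=yes|no
SAMPLE_EVENTS = """\
2026-01-09T16:58:02Z user=jsmith op=copy src=/share/finance/q4_forecast.xlsx dst=E:/q4_forecast.xlsx bytes=18432000 removable=yes
2026-01-09T16:58:40Z user=jsmith op=copy src=/share/finance/customers.csv dst=E:/customers.csv bytes=96200000 removable=yes
2026-01-09T16:59:15Z user=jsmith op=rename src=E:/customers.csv dst=E:/holiday_photo.jpg bytes=96200000 removable=yes
2026-01-09T11:10:00Z user=mlee op=copy src=/share/hr/handbook.pdf dst=/home/mlee/handbook.pdf bytes=2400000 removable=no
2026-01-09T11:12:00Z user=mlee op=copy src=/share/hr/policy.docx dst=E:/policy.docx bytes=410000 removable=yes
"""

# Thresholds are assumptions for this example; a real DLP policy tunes them per data class.
MAX_BYTES_PER_FILE = 50_000_000               # one copy to removable media above this alerts
MAX_REMOVABLE_BYTES_PER_WINDOW = 100_000_000  # per-user total to removable media inside WINDOW
WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with typed fields."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["bytes"] = int(ev["bytes"])
    ev["removable"] = ev["removable"] == "yes"
    return ev


def extension_changed(src, dst):
    """True when a rename swaps the file extension (e.g. .csv -> .jpg), a common
    trick to make copied data look like harmless personal files."""
    return os.path.splitext(src)[1].lower() != os.path.splitext(dst)[1].lower()


def detect(events_text):
    """Return (line_no, user, rule) alerts in the order they are raised."""
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (ts, bytes) copies to removable media
    for n, line in enumerate(events_text.splitlines(), 1):
        ev = parse_event(line)
        user = ev["user"]
        if ev["op"] == "copy" and ev["removable"]:
            if ev["bytes"] > MAX_BYTES_PER_FILE:
                alerts.append((n, user, "large_file_to_removable"))
            q = recent[user]
            q.append((ev["ts"], ev["bytes"]))
            while q and ev["ts"] - q[0][0] > WINDOW:  # slide the window forward
                q.popleft()
            if sum(b for _, b in q) > MAX_REMOVABLE_BYTES_PER_WINDOW:
                alerts.append((n, user, "removable_volume_exceeded"))
        elif ev["op"] == "rename" and ev["removable"] and extension_changed(ev["src"], ev["dst"]):
            alerts.append((n, user, "extension_changed_on_removable"))
    return alerts


if __name__ == "__main__":
    for line_no, user, rule in detect(SAMPLE_EVENTS):
        print(f"line {line_no}: {user} triggered {rule}")
```

On the constructed events, jsmith trips the per-file limit and the ten-minute volume limit on the second copy, then the rename rule on the third event, while mlee's small copies stay quiet. As the lecture notes, every one of these alerts fires after the copy has already happened; the value is knowing who to look at, not stopping the copy.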

1.2. The Hats Hackers Wear

Audio

Transcript

So let's talk about the hats hackers wear. We talked about this a couple of sections ago: white hat, black hat, gray hat. So white hat is authorized. So like a pen tester, or someone on your team whose job it is to do these things internally, vulnerability management, things like that. That's white hat. They are allowed. They're authorized. Nothing they're doing is illegal.

Gray hat is listed as semi-authorized, so go with that definition on the exam: semi-authorized, but not always. Sometimes they're not authorized at all, but they don't have intent to do harm. They are trying to find the vulnerability and point it out to you so you can make your system better.

I know of a guy who hacked a city in another country through their red light camera. So this city had red light cameras up, and he hacked their government network through that and was able to make himself an administrator, and then once he did, he erased all of his footprints. I believe he sent them a letter telling them what had happened and how he did it, and that type of stuff, so they could then go back and harden their network and make it stronger. And then black hat, these are the bad guys.

They're unauthorized. Their intent is bad, some worse than others. But you know, their intent is to do bad things to your system, to hack you for whatever reason, and by whatever method. But they're the bad guys.

1.3. Threat Actors

Audio

Transcript

OK, let's talk a little bit more about threat actors themselves.

So the first one that we want to talk about is unskilled attackers, or something called script kiddies. So these are basically people that have no real skills other than they know how to search the web. You can find scripts on the web to hack things, and that's what they do. They download scripts and then they run them against companies until they either have some modicum of success or do something. You know, these aren't real attackers. These are bored kids in mom's basement who don't have anything better to do, but they're commonly called script kiddies because they don't even have the ability to write their own scripts. They download them and use somebody else's work as their own and use that to try to do something. So you know, their intent is not necessarily to destroy your system or steal your data. It's mainly to be a pain in the **** to be honest, but that's their motivation: they're bored and looking for something to do. They want to feel like they're accomplished in the security world, and so they run these scripts. But realistically, you know, they don't have the ability to write it themselves. They download it.

Then the next group is called hacktivists. So these are activists that are hackers, and they're hacking into a system for whatever their cause is. You know, we see in today's news where people are gluing themselves to the roads and, you know, going into car dealerships and gluing themselves to floors and blocking roadways for whatever their cause is. Well, you know, hacktivists are those type of activists, but they're hacking into your computer, your network, for whatever their cause is. Maybe they're against oil and they're trying to hack into oil companies or their subsidiaries, or even the companies that make parts for oil companies, or, you know, parts companies that make parts for cars that use oil and gasoline, those type of things. So that's what a hacktivist would do. So they break in, for whatever their cause is, to try to further their cause along.

And then organized crime. So organized crime, because if there's money to be made in it, then they are going to be involved. So that is why it's listed as organized crime, and that doesn't necessarily mean what we would think of back in the day as the mob. It just means they're an organized group. It could be, you know, scammers in Nigeria. It could be, you know, gangs in Russia. It could be organized crime from Russia, but it could also be, you know, a nation state. So you know, those are all different types of organized crime. Don't think of it as just the mob. But you know, they're organized.

So you know, some of these are cyber-dependent crimes, so they can only happen on a network, and that includes ransomware, data compromise, and distributed denial of service, which is also called a DDoS attack. That's when they attack your system and they flood it with so much information that it shuts it down, and there's different ways of doing that. We won't get into them now. But you know, a DDoS attack is just, you know, a way to shut down your website or your system. Normally it's a website. Then website defacement, and then attacks against crucial infrastructure. So if you attack a power plant and take it offline, well, that's crucial infrastructure, and maybe lights go out in the state or states, things like that. So then there's CSAM, which is child sexual abuse material, including child *********** abuse and solicitation.

Unfortunately, that is part of the world, and you know, those groups make money in one of two ways: selling that, and then, you know, looking for that and blackmailing people that have that material. So that is part of the thing online.

Fraud, which includes credit card fraud and business email compromise. So we all understand what credit card fraud is, that type of activity, and then you can compromise a business's email to steal their data, to, you know, get financial information and possibly steal that. Dark web activity, including the sale of illegal goods and services. And that is just a whole array of things, from counterfeit products to stolen products to selling of people. That's all dark web. Selling of information, Social Security numbers, things like that. That's all dark web activity.

And then cross-cutting crime factors include social engineering, money mules, and the criminal abuse of cryptocurrencies. So you know, crypto has just come up in the last couple of years, and if there's a way to make money, there's a way to try to defraud people that make that money. So those are called cross-cutting crime factors, and they go into multiple phases. So if you're doing social engineering, that may be, you know, getting into the network, it may be, you know, a physical thing of doing something to a person. So social engineering takes many forms. When I was taking my ethical hacking classes, we had to learn social engineering skills, and one of the tasks that we had was each of us had to pick the name of a classmate, and then we had to go on the Internet and find out as much information about that person as we could, and then come back to the room. And when you have information on somebody, you can then use that information. So you know, those are different things to think about when you talk about threat actors.

1.4. Threat Actors p2

Audio

Transcript

So threat actors part 2. So we're going to talk a little bit more about threat actors in this slide. So the first is nation-state attackers. They present advanced persistent threats, APTs, and zero-day attacks. So let's talk about that.

First, when we say nation-state actor, it just means they're sponsored by a country. So they may be sponsored by Russia, China, North Korea, any country that doesn't like us or doesn't like whatever country you're in could sponsor an attack. So that means they're funding it. They're paying the hackers, they're providing the computing power, whatever's needed. That's the nation-state attacker. So you know, just keep that in mind. So then what is an advanced persistent threat? That means they're sophisticated, the threats are advanced.

It's not a script kiddie. These are people that actually know what they're doing and can get into your system if you screw up, and the threats are persistent, which means they're not going to stop after they fail the first time. They're not going to stop after they fail the first 100 times. They're going to keep coming.

They may go, retool, and then come back, but they're definitely not going away as long as they have a mission.

So a nation-state actor, you know, they're being paid by a government, so they're getting paid. They are not going anywhere. They are going to keep coming and coming and coming. And you've got to find a way to keep stopping them and stopping them and stopping them.

So then zero-day attacks. So a zero-day attack is the attack where that flaw, or that way they got in, has never occurred before. And so it's new. It's a new attack. No one has a way to defeat it yet. Microsoft hasn't put out a security patch, or Apple hasn't put out a security patch, that will stop the zero-day attack.

Basically, these exploits or these vulnerabilities are unknown, so that's, you know, it's the first day, it's day zero, ground zero. So they're called zero-day attacks. And then another thing is insider threats. So we talked about insider attacks occurring when an employee, contractor, vendor or other person that's authorized to be there, that has authorized access to information, decides to do something to hurt you for one reason or another. Whether they're disgruntled, whether there's a person that's doing the same job as them making more money, they didn't get time off that they wanted. Whatever the reason is, they are an insider threat. They're inside. And then there's the threat of shadow IT, as dedicated employees often seek to achieve their goals and objectives through whatever means allows them to do so. Sometimes this involves purchasing technology services that aren't approved by the organization.

So shadow IT means that I've purchased either software or hardware that is not approved by my network admin or whoever needs to approve those purchases, and it could be harmful to the network. It could have vulnerabilities. It could be as simple as it collects information and resells it. It could be an access point. You know, it just is IT equipment or IT software that's not approved, not allowed on the system, and therefore it's what's called shadow IT.

And then the last thing is competitors. So we talked about this, I believe, back in chapter one, where, you know, if you're Ford or Chevy, GM, and you've just come out with the way to make an electric vehicle be able to travel across the whole country on one charge, I can guarantee you every other company wants to get that. And so competitors may try to hack you to steal that knowledge, and not necessarily, you know, if it's GM, I'm not necessarily talking about Ford. But you know, China might do that. North Korea might do that, because when they have it, then they can sell it. And you know, China can use it to strengthen their own economy and strengthen their own, you know, standing in the world. So competitors: competitors is anybody that can use the technology that you have for whatever they're doing, and if you have the latest and greatest technology and they don't, they may want to try to steal that from you. So there was just a big thing at the end of last year where Apple, if you had an Apple Watch, it could tell you your blood oxygen level. Well, Apple lost the lawsuit where they were being sued by the company that makes that for medical equipment, because they didn't have authorization to use that. And Apple lost the lawsuit and had to take all of their watches, with the exception of some older ones, off the market, and that feature had to be removed. So you know, for a while there, I think you can now, the Apple 9 watches are back up, or Apple 8s, but for a while there all you could buy was the Apple SE or the Apple 2.

And it's because they stole a competitor's technology and used it and almost got away with it, but they lost the lawsuit. So, you know, it's not always nefarious. You know, you would think, oh, that's cool, a watch can do that. But that was somebody else's, you know, technology, intellectual property, and they stole it.

1.5. Attacker Motivations

Audio

Transcript

So let's talk a little bit about attacker motivations. So we talked a few slides ago about knowing your adversary, and if you know what their motivation is, that will help you. So the first one we want to talk about is data exfiltration attacks. They're motivated by the desire to obtain sensitive or proprietary information, such as customer data or intellectual property. So we talked about that with Apple. Somebody actually traded that technology to Apple. At the end of the day, that's what happened. But it could be as simple as, hey, in a month I'm leaving to go work for a competitor, or I'm leaving next week, so I'm going to steal a customer list and all their information and how much they buy and how much they pay, et cetera. You know, it could be that from an internal actor. So, data exfiltration.

And then espionage attacks are motivated by an organization seeking to steal secret information from other organizations. This may come in the form of nation states attacking each other, or corporate espionage. So whether it's Apple against the company that had the original O2 sensor, or it's China versus the US, you know, either one. So it happens in business all the time. You know, that doesn't make Apple a horrible company. It doesn't make, you know, the other companies that do that horrible. It happens in business all the time, where company A has a product and we want to use it, and we're going to ask for forgiveness instead of permission. So espionage happens.

So then service disruption. Those attacks seek to take down or interrupt critical systems or networks, such as banking systems or healthcare networks. So you know, not just those, but you know, it could be an attack that wants to, say, take down Amazon so you can't shop there. You know how much money would Amazon lose if they were down for 24 hours and nobody could buy something? Yeah. So those are those type of things.

So if I disrupt your server with ransomware, I blackmail you to get money, or I get, you know, data from that disruption and blackmail you to be able to get back up, or to have me not do it again. Things like that.

Financial gain. Most of the reasons for taking out another company are financial gain, other than that you have an axe to grind against that company for some other reason, but financial gain attacks are motivated by the desire to make money through theft or fraud. Organized crime is generally involved and motivated by financial gain, as are other types of attackers. Philosophical or political belief attacks are motivated by ideological or political reasoning. So as you know, hacktivists would fall into that.

Ethical attacks, or white hat hacking, are motivated by a desire to expose vulnerabilities and improve security. These attacks are often carried out by security researchers or ethical hackers with the permission of the organization. So that's key for it to be called white hat: they have to have authorization.

Revenge attacks are motivated by a desire to get even with an individual or organization by embarrassing them or exacting some other form of revenge.

Disruption or chaos attacks are motivated by the desire to cause chaos or disrupt normal operations of the company.

And lastly, war. War may also be a motivation for cyber attacks. Military units and civilian groups may use hacking in an attempt to disrupt military operations and change the outcome of an armed conflict, or even just a battle of it. You know, if you can hack into America's warships and make them not go, you know, and you're the enemy trying to smuggle oil or gas or weapons or drugs from somewhere, you know, how much easier does it make your life if you know that you can shut down the ships that are near you?

1.6. Threat Vectors and Attack Surfaces

Audio

Transcript

OK, so let's talk about threat vectors and attack surfaces. So a bad guy wants to figure out a way into your organization. They have to gain access through some means. Generally it's going to be a system or software service that's running. They're looking to discover an attack surface. That's what that's called. So that's either through an application or through some service that is running.

Then they must obtain access by exploiting one of those vulnerabilities, using what's called a threat vector. Threat vectors are the means that threat actors use to obtain access. One of the goals of security professionals is to reduce the size and complexity of an attack surface through effective security measures and risk mitigation strategies. So we talked a little bit about shadow IT, where people download software and hardware that's not approved, and this is why network admins don't want you to do that, because it makes them vulnerable to having software that could allow the bad guys in. So that is something to keep in mind. So let's talk about message-based threat vectors.

So email is one of the most commonly exploited threat vectors. You think of phishing messages, spam messages, other email-borne attacks, or simple ways to gain access to an organization's network. These attacks are easy to execute and can be launched against many users simultaneously. The benefit for the attacker is that the attacker generally needs to succeed only once to launch a broader attack. So you know, maybe I beat them 99 times, but they get through that 100th time to somebody, and you know, they're in. So message-based, email, is a big one, phishing and things like that.

So then wired networks. Attackers may seek to gain direct access to an organization's wired network by physically entering the organization's facility. So we talked about the need for security. You have people that will walk into a facility and start walking around looking for server closets or unmanned computers, or, you know, come in at lunchtime. You know, maybe they pretend to be housekeeping later in the evening or something like that, but they're looking for an unmanned system or some way to get into your server, and they're coming right in through the wired network.

So wireless networks, they offer an even easier path to an organization's network. Attackers don't need to gain physical access to the network or your facilities if they are able to sit in a parking lot and access your network. So you know, if you have guest Wi-Fi, that's an easy way in. So I talked earlier about having multiple routers in my house, because Xfinity puts out basically a guest Wi-Fi. We talked about geofencing, where you can't access stuff unless you're in the building or in a certain location. You know, that's a good way to stop that.

Unless you're in hospitality, if you're a regular business, you really don't have a need for guest Wi-Fi. You know, they'll live for the hour that they're in the meeting doing stuff with you. Hopefully, if not, you find a way, you know, maybe a hotspot or something, but if you're giving them guest Wi-Fi, you're getting them into your network. Hopefully you have it set up properly, but if you don't, if it's misconfigured, they could get in. So that's something to keep in mind.

So individual systems may also serve as a threat vector, depending on how they are configured and the software installed on them. The operating system configuration may expose open service ports that are not necessary to meet business needs, or that allow the use of well-known default credentials that were never changed. So there was a company that does security software, and they had default passwords on some of their stuff, and they got hacked. This was a couple of years ago, and it was a big uproar in the security community. But you know, even with that, a lot of companies, you know, don't go change the default password, which may be admin and 123. A lot of people, when they get home routers, don't think to change the default passwords to something that somebody can't guess. If you have a router in your house, you can go online and Google that specific router, and it will tell you what the default password is. That's how easy it is. I could be sitting outside with my laptop and run a Wi-Fi explorer, and it tells me what networks it finds, and a lot of times they'll tell you what router it is, or what kind of router. And then you can Google it and, oh, it's this, and oh, here's the default passwords. And you know, it gives you the website to go to, and you try to link into that and change the password, and then you have access. So that's one of the things there, you know, talking about systems being misconfigured. There are whole companies where that's all they do for companies: go in and fix their misconfigurations. That's how big that is in the industry, that there are entire companies where that is all they do, fix misconfigurations for a company.

So then files and images. Individual files, including images, may also be threat vectors. An attacker may create a file that contains embedded malicious code and then trick a user into opening that file, activating malware, especially pictures. So when I was in ethical hacking, we were shown a picture, and it was a white screen, and in the middle of the screen, it was a website with an image, and in the middle of the screen was a black dot. So you know, that should send up red flags. Why would it be just a black dot in the middle of the picture? And it was malware. And so there's all kinds of things that can be hidden in pictures, you know, code. And it's not exclusive to images. Nowadays it can be PDFs, it can be Word, it can be all kinds of things. So that's files and images.

Then removable devices. So attackers also commonly use removable media such as USB drives. We talked about that. There are companies where, on the network, you just can't plug in a USB drive. You can't plug in removable media. There are no DVD-writable drives on their computers. It's just a way of protecting themselves. So removable devices: if I have a removable device, I throw it onto my computer, I can copy anything on the network to that. It may send off an alert, but am I out the door and gone before you figured out who it was? So that's important.

Then cloud. Cloud services can also be used as an attack vector. Attackers routinely scan popular cloud services for files with improper access controls, systems that have security flaws, or accidentally published API keys and passwords. So just because it's in the cloud doesn't mean it's special. All that means is it's stored off site. You know, there are no magical computers in the cloud. All that means is that somewhere there's a computer in a building that's hosting all this information and data, and if you can find it, or you can find access to it, it can be hacked.

So then the last thing is supply chain. Sophisticated attackers may attempt to interfere with an organization's IT supply chain, including hardware providers, software providers and service providers, attacking the organization's vendors. So if you think about it, if I as a company order 100 Dells every six months, or 100 IBMs, through ABC vendor, and a hacker can get in there and place something on the chip or place something into the machine itself before it goes out the door, how much trouble am I in? So supply chain, that is the way to get to, you know, you without you ever knowing it.

Also, attackers that infiltrate MSPs may be able to use their access to the MSP network to leverage access. So let's talk about what an MSP is. A managed service provider, that is someone that manages a service for you. They provide that service. That used to be just cybersecurity. So Nova Coach, my parent company, is an MSP. We provide cybersecurity to 90 or 100 or something like that businesses, you know, some number like that. But there are companies that provide other services. So if you can get into that third-party vendor, maybe your network can get hit. I can attack your network through them instead of having to come straight to you.
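The cloud threat vector the lecture mentions, attackers scanning for accidentally published API keys and passwords, is something you can run against your own repositories and bucket contents before anyone else does. The block below is an added example from the editor, not code from the lecture or its slides: a small secret scanner that applies a handful of patterns (the AWS access key ID layout is documented by AWS; the other patterns, the placeholder list and the sample files are assumptions constructed for this example) to in-memory file contents and reports redacted findings. It goes slightly beyond the lecture by also skipping documentation placeholders so the scan does not drown in false positives.

```python
import re
from dataclasses import dataclass

# Patterns for common secret shapes. The AWS access key ID layout (AKIA followed
# by 16 upper-case letters or digits) is documented by AWS; the rest are
# generic heuristics chosen for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{4,})"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|secret[_-]?(?:access[_-]?)?key|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}

# Values that look like secrets but are documentation placeholders, not leaks.
PLACEHOLDERS = {"changeme", "password", "example", "your_api_key_here", "<redacted>"}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str  # redacted, so the report itself does not leak the secret


def redact(value):
    """Keep just enough of the value to locate it, never the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path, text):
    """Return a Finding for every line of `text` that matches a secret pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if value.lower() in PLACEHOLDERS:
                continue
            findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_files(files):
    """files: {path: text}. In practice you would walk a repo checkout or a bucket listing."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample files. The AWS key ID and secret key are the placeholder
# values AWS uses in its own documentation, not live credentials.
SAMPLE_FILES = {
    "config/settings.py": 'DEBUG = False\nDATABASE_PASSWORD = "Tr0ub4dor&3"\nAPI_KEY = "changeme"\n',
    "deploy/creds.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Set API_KEY=your_api_key_here before running.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.snippet}")
```

On the sample files the scanner flags the hardcoded database password, both AWS credentials and the private key, and stays silent on the README placeholder and the `changeme` value. The same patterns are what an attacker's scanner is running against public buckets and repositories, which is the point of running it on your side first.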

2. Threat Data and Intelligence

Audio

Transcript

So let's get into Section 2 of Chapter 2, and that is threat data and intelligence.

2.1. Threat Intelligence

Audio

Transcript

OK, so let's talk a little bit about threat intelligence. So if you get into cybersecurity, threat intelligence will become a lot of what you interact with to determine if something really happened. So threat intelligence, let's talk about what's called open source intelligence.

Or OSINT. OSINT. That is O S I N T.

So basically that is websites that you can go to that they're open to the public and you can research whether it be a blacklisted IP address, whether a file is known to have a virus, a website is known to have a virus, just different things like that. But these are all open source.

Which means they're free to be used. The information is free. There's lots of them. So it's basically publicly available sources.

That provide the information so that you know something is bad or not so.

We I used when I was an analyst, I used open source intelligence both when I worked for an in House cyber security team and working as a managed services team where we provided security to lots of people, both used open source intelligence.

It's.

So let's talk about vulnerability database.

So those are databases. There are essential part of threat intelligence. There are reports of vulnerabilities that.

Will help direct an organization with its defense. So though we talked about a zero day attack.

When somebody attacks you with something brand new, so that's a vulnerability that's never been seen, never been heard of boom, while vulnerability database keeps track of all the known ones. And not only that, but also tells you.

You know the best way to defeat them? What software they came in, what weakness they are, et cetera, et cetera.

And then indicators of compromise, IOCs. These are telltale signs of an attack that's taking place and may include file signatures, log patterns, and other evidence left behind by the attackers. IOCs may also be found in file or code repositories that offer the intelligence information.

So IOCs are basically a pattern that the bad guys have used before, and when you see it, you know it. So, like, if somebody has gone to a particular website in the past and it's been bad, it'll tell you why. And then if it's malware coming from that site, when the malware is used on yours, you'll see indications of that. You might see that IP address, so you might run that IP address through a database and find out it's bad.

But you can look for indicators of compromise like with internal actors. A common one is if somebody works 9:00 to 5:00 and all of a sudden they're back in at 10:00, 11:00 at night doing some, quote unquote, work. That may be an indicator of compromise as well. But you're looking for patterns.

In that instance, there are file and code repositories that are online that you can check code against. So there's one called VirusTotal where you can upload a file and it will check it for you. Some companies will have a sandbox that you can run a program in to look for bad code, bad files, things like that. You know, all different sources of intelligence.
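The IOC matching described above, as an added example that is not part of the course material: it pulls IP addresses, domains and SHA-256 hashes out of constructed log lines, looks them up in a constructed indicator set, and flags the 9-to-5 versus late-night login pattern from the transcript. The feed values, the log lines and the business-hours window are assumptions made for the example, not real indicators from any published feed.

```python
"""Added example (not from the course material): check constructed log lines
against a small IOC set and flag the off-hours login pattern from the lecture."""
import re
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed IOC feed: the address, domain and hash below are made up for
# this example and are not real indicators from any published feed.
IOC_FEED: Dict[str, Dict[str, str]] = {
    "ip": {"203.0.113.77": "contacted by known malware (constructed feed A)"},
    "domain": {"update-cdn.example": "malware download site (constructed feed B)"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855":
               "dropper sample (constructed feed A)"},
}

# Constructed log lines: a normal daytime login, then the same user back at
# night pulling a file from a listed domain and talking to a listed address.
SAMPLE_LOG: List[str] = [
    "2025-03-04T10:12:44 auth login ok user=jdoe src=10.0.0.5",
    "2025-03-04T22:41:09 auth login ok user=jdoe src=10.0.0.5",
    "2025-03-04T22:43:17 proxy GET http://update-cdn.example/u.bin user=jdoe",
    "2025-03-04T22:44:02 fw outbound 10.0.0.5 -> 203.0.113.77:443 allowed",
    "2025-03-04T22:45:30 av scan file=u.bin "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 verdict=unknown",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")
USER_RE = re.compile(r"user=(\S+)")

# Each indicator type is extracted with its own pattern, then looked up.
EXTRACTORS = [("ip", IP_RE), ("domain", DOMAIN_RE), ("sha256", SHA256_RE)]


def match_iocs(lines: List[str]) -> List[dict]:
    """One hit per (line, indicator): pull every IP, domain and SHA-256 out of
    each line and look it up in the feed. Lookups are case-insensitive."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, rx in EXTRACTORS:
            for value in rx.findall(line):
                key = value.lower()
                if key in IOC_FEED[kind]:
                    hits.append({"line": n, "type": kind, "value": key,
                                 "why": IOC_FEED[kind][key]})
    return hits


# The 9-to-5 window from the lecture; an assumption for the example.
BUSINESS_HOURS = (time(9, 0), time(17, 0))


def off_hours_logins(lines: List[str]) -> List[Tuple[str, str]]:
    """(user, timestamp) for every successful login outside business hours."""
    start, end = BUSINESS_HOURS
    flagged = []
    for line in lines:
        if "login ok" not in line:
            continue
        ts_m, user_m = TS_RE.match(line), USER_RE.search(line)
        if not (ts_m and user_m):
            continue  # unparseable line: skip rather than guess
        when = datetime.fromisoformat(ts_m.group(1))
        if not (start <= when.time() < end):
            flagged.append((user_m.group(1), ts_m.group(1)))
    return flagged


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['type']} {hit['value']} -> {hit['why']}")
    for user, when in off_hours_logins(SAMPLE_LOG):
        print(f"off-hours login: {user} at {when}")
```

Run on the sample log it reports the listed domain on line 3, the listed address on line 4 and the listed hash on line 5, plus the 22:41 login. Note that the address hit alone would only tell you the host talked to something on a list; it is the combination with the off-hours login and the download that makes it worth an analyst's time, which is the "patterns" point made above.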

2.2. Open-Source Intelligence

Transcript

So I'm going to read through some of the open source threat intelligence. That's what's on this slide. The first is senki.org.

The Open Threat Exchange, which is hosted by AT&T.

The MISP threat sharing project.

threatfeeds.io, and then there's some government sites: one is CISA, one is called DC3, and the other is CISA's Automated Indicator Sharing.

So those are some open source intelligence sites. Senki has a toolkit that you can use.

The Open Threat Exchange, as I said, is hosted by AT&T, and it's part of a global community of security professionals and threat researchers who add to it. So it's not just information from AT&T; they get it from other people who share.

The MISP threat sharing project provides standardized threat feeds from many sources with community-driven collection, again a collaborative effort.

threatfeeds.io hosts a list of open source threat intelligence, so you can go there and find OSINT tools and details of when those were added. So then the government websites are always, you know, packed full of information: cisa.gov, DC3 is a military .mil site, and then another cisa.gov, which is the AIS.

So, all open source intelligence, and the best thing about that for companies is that it's free.

2.3. Open-Source Intelligence p2

Transcript

So this slide lists some more open source intelligence. Some of the vendor websites are the Microsoft Threat Intelligence blog and then the Cisco security advisory site. So both of those are major corporations, Microsoft and Cisco, both hardware, a lot of hardware. Microsoft obviously is software as well. But you know, Cisco makes a lot of the well-used, well-known routers and switches. So both of those sites, then some public sources: one called SANS Internet Storm Center, one called VirusShare, and VirusTotal, which I mentioned earlier, the Spamhaus Project, and then of course there is the dark web.

So Spamhaus, let's talk about those. The SANS Institute is isc.sans.org. VirusShare contains details about malware uploaded to VirusTotal. So if I upload to VirusTotal, it can get shared through VirusShare.

The Spamhaus Project focuses on blacklists, including spam via the Spamhaus Block List. So you can go online to Spamhaus and it'll tell you if an IP address has been labeled blacklisted or if it's spam. It'll tell you when, give you all kinds of fun information to use.

And then obviously the dark web is out there, and you know, if you choose to explore it, I wouldn't do it on your company network, you know. But you could, you could, and I'm sure there are threat intelligence teams that do explore the dark web, and they're looking to see if their information is out there. But if you're a SOC one analyst, I wouldn't recommend that. Let the threat team or a different team do that.

2.4. Proprietary and Closed-Source Intelligence

Transcript

So let's talk about proprietary and closed source intelligence. That means that it's not open to the public, and you're generally going to have to pay to get it, either as a subscription to the service or you have some other package with them and it's part of the deal. So closed source intelligence basically means it's not open to the public.

So they own the information. They do their own gathering and research. They use custom tools, analysis models, and other proprietary methods. And one reason companies might use that is that they don't want to share their data. So if I go to VirusTotal and upload a file and that goes to VirusShare, well, it will show who uploaded the file to check it, the name of the company, et cetera. And maybe I don't want people to know that information, so that's one reason people may use closed source intelligence. Another reason is there's so much open source stuff, it can be overwhelming. You know, which site do you believe, which site is the most accurate, et cetera, et cetera. So having a single source that is closed, that is proprietary, may be a little less overwhelming.

Commercial closed source intelligence is often part of the service offering, which can be a compelling resource for security professionals. And then what do you do when a threat feed fails? The authors of the textbook learned a lesson about up-to-date threat feeds a number of years ago after working with IDS and IPS vendors, which are detection and prevention systems. The vendor promised up-to-date feeds and signatures were current, but they tended to run behind other vendors in the marketplace.

So you know, if you're not getting an up-to-date feed, or if your feeds aren't accurate, then you could, you know, be running behind and have issues with getting hacked because you don't have the right patch or you are unaware of a vulnerability that came out two days ago. So depending on who you are, you know, it could be that fast that you're attacked. So then threat maps.

Threat maps are basically maps that show you where attacks are coming from and where they're going to. I've worked at a previous employer who used software called CrowdStrike, which is a premier proprietary software, and they have an amazing threat map. And when something kicked off around the world, that map would blow up and you would know to be ready. You would know what was coming. The textbook lists Check Point, which is another proprietary company which has one. So basically it tells you, you know, where attacks are coming from and what part of the country or world they're going to. So you know, if I live in Michigan, so if you're in Michigan and nothing's coming to your state, then you can rest a little easy. But when that map blows up, you know to hold on and get ready. So threat maps are cool because you can see what's going on in the world, not just limited to what's going on in your system.

2.5. Assessing Threat Intelligence

Transcript

So let's talk about assessing threat intelligence. So the first thing is, is it timely? That's important. Is it something that's going on now, or is it something that happened a year ago? So you know, timely is important. You want to know first about all the stuff that's going on right this minute.

If it's running behind, a delay can be costly. If it's giving you old information, that just bogs down and can overwhelm your analysts. So what you need is timely information that you know is occurring now, not something that occurred last year. And you can't afford for it to be even hours behind in today's world. So, is the information accurate? Can you rely on what it says, and how likely is it that the assessment is valid? Does it rely on a single source or multiple sources? How often are those sources correct? So I've looked at blacklists that have a website blacklisted, and it was blacklisted five years ago, while they've done nothing to update that, to see if that website is still bad. You know, just because a bad guy was running on a certain IP address five years ago doesn't mean that somebody else doesn't have that IP address now. Same thing; just because an IP address was good last week doesn't mean it's good now. So hackers will look for IP addresses that recently went dormant. So maybe a company that went out of business, they didn't renew their website, things like that, and they want to grab those fresh, clean, not blacklisted websites and use those.

Accurate and timely information is important, and then, is the information relevant? If it describes the wrong platform, software, or reason for the organization to be targeted, it's not, you know, that's bad. If it tells you it's something in Microsoft and it's something in some other software, you know, that doesn't do you any good. If it's an attack that's targeted at hospitals and you're not one, and it leads you to believe that you may be targeted, that's not good. So the information has to be relevant. It has to tell you the exact vulnerability, what software or service it's involved with. Is it industry specific or is it organization specific? What makes it relevant to you as an organization?
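The three questions above (timely, accurate, relevant), as an added example that is not from the course material: a small triage filter over a constructed feed that drops stale indicators, indicators with only one source behind them, and indicators for platforms the organization does not run. The per-type expiry windows, the "today" date, the platform list and the feed records are all assumptions made for the example; the shorter window for addresses and domains is a design choice that reflects the point about IP addresses changing hands.

```python
"""Added example (not from the course material): triage a constructed threat
feed on the three questions above: timely, accurate (corroborated), relevant."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str             # "ip", "domain" or "sha256"
    last_seen: date       # most recent observation by any source
    sources: frozenset    # independent feeds reporting it
    platforms: frozenset  # targeted software; empty means "any"


# Design choice for this example, not a rule from the course: network
# indicators expire quickly because addresses and domains change hands (the
# dormant-IP point above); a file hash pins one exact file and barely ages.
MAX_AGE_DAYS: Dict[str, int] = {"ip": 30, "domain": 90, "sha256": 3650}

TODAY = date(2025, 3, 4)                      # fixed so the example is repeatable
OUR_PLATFORMS = frozenset({"linux", "macos"})  # assumed estate for the example

# Constructed feed records; none of these values are real indicators.
FEED: List[Indicator] = [
    # the five-year-old blacklist entry from the lecture
    Indicator("198.51.100.9", "ip", date(2020, 2, 1), frozenset({"feedA"}), frozenset()),
    # fresh, seen by two independent feeds, not tied to one platform
    Indicator("203.0.113.77", "ip", date(2025, 3, 2), frozenset({"feedA", "feedB"}), frozenset()),
    # fresh but only one list vouches for it
    Indicator("update-cdn.example", "domain", date(2025, 2, 20), frozenset({"joebobs-list"}), frozenset()),
    # well corroborated, but it is a Windows-only sample
    Indicator("e3b0c442" * 8, "sha256", date(2023, 6, 1), frozenset({"feedA", "feedB"}), frozenset({"windows"})),
    # corroborated and aimed at something we actually run
    Indicator("ab" * 32, "sha256", date(2024, 12, 1), frozenset({"feedA", "feedC"}), frozenset({"linux"})),
]


def triage(feed: List[Indicator], today: date, our_platforms: frozenset,
           min_sources: int = 2) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a feed into indicators worth alerting on and ones dropped with a reason.
    Checks run in the order timely, accurate, relevant; the first failure wins."""
    keep: List[str] = []
    dropped: List[Tuple[str, str]] = []
    for ioc in feed:
        age = (today - ioc.last_seen).days
        if age > MAX_AGE_DAYS[ioc.kind]:
            dropped.append((ioc.value, f"stale: last seen {age} days ago"))
        elif len(ioc.sources) < min_sources:
            dropped.append((ioc.value, f"uncorroborated: {len(ioc.sources)} source(s)"))
        elif ioc.platforms and not (ioc.platforms & our_platforms):
            dropped.append((ioc.value, "irrelevant: targets " + ", ".join(sorted(ioc.platforms))))
        else:
            keep.append(ioc.value)
    return keep, dropped


if __name__ == "__main__":
    kept, rejected = triage(FEED, TODAY, OUR_PLATFORMS)
    print("alert on:", kept)
    for value, reason in rejected:
        print(f"drop {value}: {reason}")
```

On the constructed feed this keeps the fresh, corroborated address and the Linux sample, and drops the other three with a stated reason. Keeping the reason alongside each rejection matters: an analyst who later finds the stale address in a log can still see why it was filtered out instead of wondering whether the feed ever had it.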

2.6. Assessing the Confidence Level of Your Intelligence

Transcript

So let's look at assessing the confidence level of your intelligence.

The first thing you want to look at is, is it confirmed? So is it a confirmed attack or a confirmed vulnerability? Does it use independent sources? So if it's just Joe Bob's bad list, are they the only source, or do they list multiple sources? Is it direct analysis that proves the threat is real? So if it's confirmed, your confidence would be 90 to 100%.

If it's probable, it relies on logical inference but does not directly confirm the threat. So they're saying, based on things that happened in the past, it's logical, or logically, this attack could happen and could happen to you. That's kind of a 70 to 90% confidence. It's like, OK, there's a chance that this attack could happen. You know, let's put it in terms of sports. If a guy is a .300 hitter, that means every 10 at-bats he's going to get three hits. Well, if he's on his 7th at-bat and he's only had two hits, it's getting probable that he's going to get another hit soon. So you can't guarantee it's going to be the 8th, 9th, or 10th, but based on the logic of his average, it's probable.

So then possible, a 50 to 70% reliance, is used when some information agrees with the analysis, but the assessment is not confirmed. So nobody has confirmed that it's really going on, but there's some analysis that the information agrees with.

Then there's doubtful, which is 30 to 50%. It's assigned when the assessment is possible but not the most likely option, or the assessment cannot be proven or disproven by the information. Say they know there's a vulnerability that nation states are taking advantage of, and you're a little mom and pop hardware store or pizza shop. You know, maybe you've got a couple of locations. You know, is it really possible that a nation state is going to attack you? You know, yeah, it may be that the vulnerability is real, but the chances of you being attacked, you know, are doubtful.

Then improbable, 2 to 29%, means that the assessment is possible but not the most logical option, or is refuted by other information that is available. So basically it's improbable. It could happen; there's a one in ten chance, you know, one in a hundred chance that it could happen, but most likely it's not going to, and there's no information out there to say that it's not. So I'll use my weather for today. We were calling for 80° and rain, and it was beautiful with sunshine all day long. And all you had to do was look out the window and there was information to refute the possibility of rain, because there were no rain clouds and there was bright sunshine. So that would make it improbable that it was going to rain. Now that's a little bit of a stretch of an analogy from security, but basically you get the gist there. It's just most likely not happening, you know, to your network, to your company.

And then the last is discredited. There's a 1% chance, 1% confidence. I'm sorry, 1% confidence is used when the assessment has been confirmed to be inaccurate or incorrect. So there's an assessment, but people have already proved that it's not accurate and it's not happening.

2.7. Information Sharing Organizations

Transcript

So let's talk about information sharing organizations. There's two that we're going to cover. One is the Information Sharing and Analysis Centers, so that is what's called ISACs, and there's multiple ones of them. So I'll go over a little bit about the ISACs.

Information Sharing and Analysis Centers, ISACs, help infrastructure owners and operators share threat information and provide tools and assistance to their members. So it's proprietary; it's not open to the public.

The ISAC concept was introduced in 1998 as part of the presidential decision, which asked critical infrastructure sectors to establish organizations to share information about threats and vulnerabilities.

ISACs operate on a trust model, allowing in-depth sharing of threat information for both physical and cyber threats. Most ISACs operate 24/7, providing ISAC members within their sector with incident response and threat analysis.

In addition to the ISACs, there are specific US agencies or department partners for each critical infrastructure. So what that means is that there's these information sharing organizations, ISACs, and they are set up by infrastructure. So like there will be an ISAC for medical, there'll be an ISAC for financial, there'll be an ISAC for industrial, there'll be an ISAC for airlines, there's an ISAC for NASA. So there's these different ISACs, and what happens is 24/7 they're running, and if something pops, you will get an alert which will tell you, hey, you know, this vulnerability is out there or this attack is happening. Here's tools that can be used, and it shares the information inside that structure to its members.

One of the things is, if you're a member, you agree not to share that outside of the membership. So it's proprietary. So that is one of the things. And then outside, let's talk about the other one, which is the National Protective Security Authority, NPSA. That's in the United Kingdom.

Outside the United States, government bodies and agencies with similar responsibilities exist in many countries. The one in the UK is the NPSA, which I said was the National Protective Security Authority. It's tasked with providing threat information, resources, and guidance to industry and academia as well as other parts of the UK government and law enforcement. I like ours better because it's more regulated to a specific industry. So if you're in medical, you're only getting the medical alerts; you're not getting the others. And the fact that it runs 24/7. I was at a previous organization that was in the financial field, and we got those, and I worked a 12-hour shift, 13-hour shift. I went in at 7:00 at night and got off at 8:00 in the morning, and we'd get them at 2:00 AM. Hey, this happened, and we would have to investigate to see if any of that was in our system. So you know, that information is, you know, very relevant, very timely. You know, that's something that you would have high confidence in coming from them.

2.8. Conducting Your Own Research

Transcript

So this next slide is going to talk about conducting your own research, and that's important if you're going to be a good analyst, whether you're SOC level one, level two, level three, whatever you happen to be. So that's basically your job: to determine, through all the information that you have at your fingertips, if something is real or not.

So the first is vendor security information websites. So if you get an alert that comes in and it's a Microsoft code, well, you're going to go to their website and put in that code to see what you get and see what it is.

Vulnerability and threat feeds: we've talked a lot about those. So you want to take that information and then, you know, look at other, maybe OSINT sources.

Academic journals and technical publications, Internet Requests for Comments, RFC documents. So those are all, you know, especially technical publications. If you're having issues with, you know, you think somebody's hacking your hardware or your software, you know, you could go to a technical publication by either the company that put out the software or third-party companies that are troubleshooters, you know, bug catchers, that would put out that type of information.

Professional conferences and local industry groups. Those are all real big, you know, gives you a chance to meet individuals that are in the same industry but also talk about what's going on, talk about what they're seeing versus what you're seeing, how they dealt with it. Social media accounts of prominent security professionals, and I know we used to use, back in the day, Twitter before it became X, and those were really great for following Twitter feeds of security companies and being able to get really up-to-date stuff.

And then learning adversaries' tactics, techniques, and procedures. We talked about knowing your adversary, so learn what's called their TTPs, their tactics, their techniques, and their procedures. How are they doing things? If you know how they're doing things, it's a lot easier to stop them. So if you're a network admin and you know that bad guys are always coming in through port 123 of your network, then, you know, why do you have that open? Go close that port. So different things like that; learn how they're doing things. That will help keep your network safe.