Thursday, April 16, 2020

Operationalizing Threat Intelligence for the Small Business -- Collection

In an earlier post, I highlighted the different phases of Threat Intelligence. It all sounds well and good on paper, and for companies that have dedicated cyber security resources. In a follow-up post, I dove into some tips for the Planning phase. This post is all about Collection.


Collection

This phase is where you gather all of the raw data that supports the entire program. I believe that, next to the planning phase, collection is the most critical portion of the Threat Intelligence Program. Wrong decisions made here can have adverse impacts on the rest of the threat intelligence lifecycle. An attempt to collect too much information will overwhelm the rest of the lifecycle, making it impossible to achieve your goals. Collecting the wrong information will impede analysis and cause you to come to the wrong conclusions.

But don't fret about making the wrong decisions; that's why the process is cyclical. You can make mistakes, get feedback from later phases, and then course correct. Each iteration is a chance to learn, evolve, and improve. So mistakes are good: use them to make your program better.

When making your collection decisions, I believe it is important to do so with specific goals in mind. Many will argue...convincingly...that you should collect as much as you can, so that if you need to go back and filter through the data later you have that option. The drawback to this approach is that there is a cost associated with all this collection, in both time and resources. I believe the greatest cost is the expense of getting caught in the muck and mire of too much data. Analysis paralysis. Instead, if you are looking for specific types of threats and their potential attack vectors, you can make targeted decisions about what you are collecting.

So the obvious question now is: "What attacks should I be looking for? How will I know what data is associated with it?"

A common source that can point you in the right direction is the Cyber Kill Chain.


The Cyber Kill Chain is a framework created by Lockheed Martin. It is meant to describe the methodologies used by attackers to compromise a company, persist in its environment, and exfiltrate its data. As a defender, the earlier in the chain you are able to detect an attack, the greater your chance of success. By taking a look at attackers' methods and common ways of execution, you will begin to understand the artifacts that are left behind as they execute the attack.

An example: an attacker is attempting to use commonly used passwords to log into your website. The attacker has done recon and discovered that your website is not using multi-factor authentication. They have weaponized a tool to try many different commonly used passwords to see if they can gain privileged access. A collection source could be the application log data that tracks all failed logon attempts. Perhaps it also logs the IP address the attempts are coming from, as well as the date and time. You have now identified a source of data that can be further analyzed and that will provide you with a lot of intelligence you can operationalize to take specific actions.
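The following is an added example of what "further analysis" of that collection source can look like; it is not code from the original post. It assumes a constructed application log format (`<ISO timestamp> LOGIN_FAILED user=<name> src=<ip>`), constructed sample lines, and illustrative thresholds. It flags a source IP that produces many failed logons against many different accounts within a short window, which is the pattern the scenario above describes, while leaving a single user's occasional typos alone.

```python
"""Flag password-guessing activity in application logon logs.

Added example, not from the original post. The log format, the sample
lines and the thresholds below are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (documentation-range IPs, not real data).
SAMPLE_LOG = """\
2020-04-16T09:00:01 LOGIN_FAILED user=alice src=203.0.113.5
2020-04-16T09:00:02 LOGIN_FAILED user=bob src=203.0.113.5
2020-04-16T09:00:03 LOGIN_FAILED user=carol src=203.0.113.5
2020-04-16T09:00:04 LOGIN_FAILED user=dave src=203.0.113.5
2020-04-16T09:00:05 LOGIN_FAILED user=erin src=203.0.113.5
2020-04-16T09:00:06 LOGIN_FAILED user=frank src=203.0.113.5
2020-04-16T09:05:00 LOGIN_FAILED user=alice src=198.51.100.7
2020-04-16T09:30:00 LOGIN_FAILED user=alice src=198.51.100.7
2020-04-16T09:30:10 LOGIN_OK user=alice src=198.51.100.7
this line is malformed and should be skipped
"""

# Assumed log format: "<ISO timestamp> <event> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Yield (timestamp, event, user, src_ip) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts = datetime.fromisoformat(match.group(1))
        yield ts, match.group(2), match.group(3), match.group(4)


def find_suspicious_sources(text, window=timedelta(minutes=10),
                            max_failures=5, min_users=3):
    """Return {src_ip: summary} for IPs whose failed logons inside any
    `window` reach `max_failures` attempts spread over `min_users` accounts.

    Thresholds are illustrative assumptions; tune them to your own baseline.
    """
    failures = defaultdict(list)
    for ts, event, user, src in parse_log(text):
        if event == "LOGIN_FAILED":
            failures[src].append((ts, user))

    findings = {}
    for src, events in failures.items():
        events.sort()
        # Sliding window: find the densest run of failures for this source.
        best, start = [], 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len(span) > len(best):
                best = span
        users = {user for _, user in best}
        if len(best) >= max_failures and len(users) >= min_users:
            findings[src] = {
                "failures": len(best),
                "distinct_users": len(users),
                "first_seen": best[0][0].isoformat(),
                "last_seen": best[-1][0].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for src, summary in find_suspicious_sources(SAMPLE_LOG).items():
        print(src, summary)
```

The distinct-user requirement is what separates a guessing campaign from one person mistyping a password, and the sliding window keeps the check cheap enough to run on a schedule against a small business's own logs rather than a paid feed.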

Both the Cyber Kill Chain and the MITRE ATT&CK framework are good sources to use for a threat-based program.

The previous scenario is an example of an internal source that can be used for threat intelligence. A common misconception is that Threat Intelligence needs to be a feed from external sources that aggregates data you can use in the protection of your networks. These feeds can be very expensive and vary greatly in their usefulness. Threat Intelligence data collection does not need to carry great cost. There are many internal sources of valuable data that are already specific to your environment. There are also open source and affordable options that can be incorporated into your Threat Intelligence program. Here is a small sample of data sources that could support the collection phase of your program:

Internal
  • An Asset discovery tool (Zabbix, AssetTiger, Snipe-IT)
  • GRC Tools (Eramba)
  • Application Logs
  • Netflow data
External
  • Shodan
  • Open Threat Exchange (OTX)
  • CVE Details
  • RiskIQ Community Edition

Whatever you decide for your collection sources, it is important to track them and the types of data collected from them. This helps analysis further along in the cycle by making the enablers and constraints understood. It will also allow you to track your capabilities relative to your requirements. If you are collecting data that is redundant, you can remove it to improve processing.
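As an added illustration of tracking sources against requirements (not from the original post), the block below models a small source inventory. The source names are taken from the list above; the data-type labels and the intelligence requirements are constructed for the example. It reports which requirements have no supporting source and which sources only provide required data that another source already provides.

```python
"""Track collection sources against intelligence requirements.

Added example, not from the original post. The data-type labels and the
requirements are constructed; the source names come from the post's list.
"""

# Constructed: the kinds of data each collection source yields.
SOURCES = {
    "Application Logs": {"failed_logons", "source_ip"},
    "Netflow data": {"source_ip", "dest_port", "bytes_transferred"},
    "Snipe-IT": {"asset_inventory"},
    "Shodan": {"exposed_services"},
    "CVE Details": {"vulnerability_info"},
    "Open Threat Exchange (OTX)": {"source_ip", "malicious_indicators"},
}

# Constructed: intelligence requirements and the data types that satisfy them.
REQUIREMENTS = {
    "detect password guessing against the web app": {"failed_logons", "source_ip"},
    "know which assets are exposed to the internet": {"asset_inventory", "exposed_services"},
    "prioritise patching": {"asset_inventory", "vulnerability_info"},
    "spot phishing e-mail campaigns": {"email_headers"},
}


def coverage(sources=SOURCES, requirements=REQUIREMENTS):
    """For each requirement: which sources contribute to it, and which of its
    data types no source provides at all (a collection gap)."""
    available = {dt for dts in sources.values() for dt in dts}
    report = {}
    for req, needed in requirements.items():
        supporting = sorted(name for name, dts in sources.items() if dts & needed)
        report[req] = {"sources": supporting, "missing": sorted(needed - available)}
    return report


def redundant_sources(sources=SOURCES, requirements=REQUIREMENTS):
    """Sources that feed no requirement, or whose required data types are all
    also provided by other sources (candidates to drop to improve processing)."""
    needed_all = {dt for dts in requirements.values() for dt in dts}
    result = {}
    for name, dts in sources.items():
        useful = dts & needed_all
        others = {dt for other, d in sources.items() if other != name for dt in d}
        if not useful:
            result[name] = "feeds no current requirement"
        elif useful <= others:
            result[name] = "every required data type is also provided elsewhere"
    return result


if __name__ == "__main__":
    for req, info in coverage().items():
        print(req, "->", info)
    print("redundant:", redundant_sources())
```

With these constructed inputs the phishing requirement shows up as a gap with no source behind it, and both Netflow and OTX are flagged because the only required data type they supply (the source IP) is already in the application logs; whether to actually drop them is a judgement call, since a flagged source may still be worth keeping for a requirement you have not written down yet.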

The goal of this post is to highlight that many collection sources already exist within your environment. Much of the data you need is at your fingertips. By understanding the attacker methodologies outlined by various frameworks, you can get tips about which techniques are relevant to you and which tools already at your disposal will best thwart attacks.
