
Section 3.2 Threat Intelligence

As you study this section, answer the following questions:

  • What is threat intelligence?
  • What are the benefits of threat intelligence sharing?
  • What potential threats exist for critical infrastructures such as government, healthcare, financial, and aviation?

In this section, you will learn to:

  • Perform reconnaissance with theHarvester
  • Perform reconnaissance with Nmap
  • Perform threat intelligence

The key terms for this section include:

Key Terms and Definitions

Publicly available information: An attacker can harvest information from public repositories and web searches. Available information includes categories such as the IP addresses of an organization's DNS servers, the range of addresses assigned to the organization, names, email addresses, phone numbers of contacts, and the organization's physical address.
Social media: Attackers can use social media sites like Facebook and LinkedIn to find an organization's information. Depending on how much an organization or an organization's employees choose to share publicly, an attacker may find posts or user profiles that give away sensitive information or simply act as another vector or target for the attacker to take advantage of.
HTML code: The HTML code of an organization's web page can provide information, such as IP addresses and names of web servers, operating system versions, file paths, and names of developers or administrators. The layout and organization of the code can reveal development practices, capabilities, and level of security awareness.
Metadata: Attackers can run metadata scans on publicly available documents using a tool like Fingerprinting Organizations with Collected Archives (FOCA). For example, Microsoft Office documents posted on the internet may not directly divulge sensitive information about an organization. However, an attacker could extract useful information from its metadata, including the names of authors or anyone who made a change to the document.
CERT: The goal of a CERT is to mitigate cybercrime and minimize damage by responding to incidents quickly. They work with local law enforcement, federal agencies, and other organizations to help prevent cyberattacks.
CSIRT: A computer security incident response team (CSIRT) is a group responsible for responding to security incidents involving computer systems.
Deep/dark web: The dark web serves as an operating platform for many cybercrimes. Threat actors utilize the dark web to organize their efforts and sell products such as credit card numbers, drugs, weapons, and malware.

This section helps you prepare for the following certification exam objectives:

Exam Objective
CompTIA CySA+ CS0-003

1.2 Given a scenario, analyze indicators of potentially malicious activity

  • Network-related
    • Scans/sweep

1.4 Compare and contrast threat-intelligence and threat-hunting concepts.

  • Confidence levels
    • Timeliness
    • Relevancy
    • Accuracy
  • Collection methods and sources
    • Open source
    • Blogs/forums
    • Government bulletins
    • Computer emergency response team (CERT)
    • Cybersecurity incident response team (CSIRT)
    • Deep/dark web
    • Closed source
    • Paid feeds
    • Information sharing organizations
    • Internal sources
  • Threat intelligence sharing
    • Vulnerability management
    • Risk management
    • Security engineering
    • Detection and monitoring

2.1 Given a scenario, implement vulnerability scanning methods and concepts

  • Passive vs. active
  • Critical infrastructure
TestOut CyberDefense Pro

2.2 Detect threats using analytics and intelligence

  • Use an Intrusion Detection System (IDS)

3.2.1 Open-Source Intelligence (OSINT)

This lesson covers the following topics:

  • Open-source intelligence (OSINT)
  • OSINT sources
  • Defensive OSINT

Open-Source Intelligence (OSINT)

Reconnaissance is often the precursor to more direct attacks. Understanding reconnaissance techniques and applying them to your own company and networks will reveal how much useful information is unintentionally provided to threat groups. You can also use reconnaissance as a counterintelligence tool to build up profiles of potential or actual adversaries.

Most companies and their employees publish vast information about themselves online via blogs and social media sites. Some of this information is published intentionally; much is released unintentionally and exploited in unexpected ways. Attackers often "cyber stalk" their victims to discover information about them via Google™ Search or other tools. Open-source intelligence (OSINT) refers to publicly available information and associated tools for aggregating and searching it.

OSINT can allow an attacker to develop any number of strategies for compromising a target. Locating an employee on a dating site might expose opportunities for blackmail or entrapment. Finding an employee looking for a secondhand laptop or mobile device on an auction site might allow an attacker to get a compromised device into the employee's home or workplace. Knowing the target's routine or present location might facilitate break-ins or theft or create an opportunity for social engineering.

OSINT Sources

Some sources of OSINT include the following:

Publicly available information: An attacker can harvest information from public repositories and web searches. Available information includes categories such as the IP addresses of an organization's DNS servers; the range of addresses assigned to the organization; names, email addresses, and phone numbers of contacts within the organization; and the organization's physical address. This data is publicly available through Whois records, Securities and Exchange Commission (SEC) filings, telephone directories, and more.
Social media: Attackers can use social media sites like Facebook and LinkedIn to find an organization's information. Depending on how much an organization or an organization's employees choose to share publicly, an attacker may find posts or user profiles that give away sensitive information or simply act as another vector or target for the attacker to take advantage of.
HTML code: The HTML code of an organization's web page can provide information, such as IP addresses and names of web servers, operating system versions, file paths, and names of developers or administrators. The layout and organization of the code can reveal development practices, capabilities, and level of security awareness.
Metadata: Attackers can run metadata scans on publicly available documents using a tool like Fingerprinting Organizations with Collected Archives (FOCA). For example, Microsoft Office documents posted on the internet may not directly divulge sensitive information about an organization. However, an attacker could extract useful information from its metadata, including the names of authors or anyone who made a change to the document. By using search engines, FOCA (https://github.com/ElevenPaths/FOCA/) can cross-reference files with other domains to find and extract metadata.

Defensive OSINT

Defensive OSINT is a type of intelligence gathering that focuses on identifying threats before they occur. It also helps create a strategy to minimize the impact of an attack before it occurs. The most critical component of defensive cybersecurity OSINT is identifying potential attackers and their attack methods beforehand.

Some sources for Defensive OSINT include the following:

Government bulletins: The government is responsible for protecting the country's constituents and the national infrastructure, and for publishing a wide variety of information and advice regarding observed threats. For example, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency publish several types of cybersecurity guidance, including basic informational content and binding operational directives that federal agencies must implement.
CERT: The goal of a CERT is to mitigate cybercrime and minimize damage by responding to incidents quickly. They work with local law enforcement, federal agencies, and other organizations to help prevent cyberattacks. CERTs coordinate responses to major events like natural disasters or terrorist attacks. Because of this, CERTs can provide knowledge and information regarding trending and observed attacks.
CSIRT: A computer security incident response team (CSIRT) is a group responsible for responding to security incidents involving computer systems. The team typically consists of information security professionals, network administrators, system administrators, legal representatives, and other stakeholders. The team's goal is to respond to security incidents quickly and effectively while minimizing the impact on the organization.
Deep/dark web: The dark web serves as an operating platform for many cybercrimes. Threat actors utilize the dark web to organize their efforts and sell products such as credit card numbers, drugs, weapons, and malware. Observing this activity can provide insight into threat actor activities, future attacks, information regarding current tactics, and evidence of previously undiscovered breaches.
Internal sources: It is important to consider that evidence regarding active threats, reconnaissance activities, and suspicious behavior exists within the environment being protected. Activity logs are a goldmine of information and operational insight and must be continuously collected and analyzed.

3.2.2 Reconnaissance with TheHarvester


Perform Reconnaissance with theHarvester 00:00-00:38 Reconnaissance is important for understanding an organization's technological footprint. This means gathering emails, domains, subdomains, hosts, employee names, open ports, and banners from public sources like search engines, PGP key servers, and the SHODAN computer database. One tool that does part of this process is theHarvester. It's a good idea to check your own website to see what's out there because you want to know what an attacker can see about your organization. The program is pre-installed on Kali Linux, and you can read more about theHarvester at the kali.org website. Now let's see how theHarvester works and what we can find.

theHarvester Program and Usage Options 00:38-01:59 We're on our Kali Linux system. I have a terminal open. The first thing I'm going to do is type in 'theharvester' and press Enter.

I'll scroll up, and you can see we have theHarvester, and we're using version 3. We see the person who coded it, so thank you to him and anyone that helped him with the project.

We're looking for the usage options, which are right here.

The first one that I want to look at is the -d option. This specifies the domain or company name. That's pretty self-explanatory.

The next one is the -b option. This is specifying the data source. So, if we want to search any of these sources, we just type -b followed by one of these.

Now I want to jump down to -l. This will limit the number of results to work with. This can help our searches go faster if we want to limit things a bit.

-h will use the SHODAN database to query hosts. Remember, SHODAN is a search engine for the Internet of Things.

Next let's come down here and look at these examples. This first one starts with theHarvester and -d for domain, and that domain is microsoft.com. -l 500 means limit the results to 500. They're using -b google to specify Google as the source. The example ends with -h, which is the SHODAN database query. It ends with myresults.html, which writes the results to an html file.

So, what happens when you run it?

Search with theHarvester 01:59-03:45 I'm going to highlight this search query, copy it down here, and press Enter. It takes a second to run, and then we get some results. I'll scroll up a bit. I only see one email address, but we found 10 domains. Down a bit, you can see the Shodan database search results.

Let's try another search. I'll clear the screen. I'll use my up arrow to get back to our last search, and I'm going to modify it a little. This time, let's search google.com with bing as the source. That might be interesting. I'll press Enter and wait for it to finish. Here are our results. We found no emails and four domains.

Now let's swap those searches around. This time, I'll put bing.com here and then use Google as the search source. I'll press Enter and wait for my search to complete again. We found one email and eight domains and subdomains.

So far, we're having limited success. Let's make our search a little more aggressive. I'll use my up arrow key to bring up our last search, and I'll modify it a bit.

This time, I'm going to search illinois.gov. I'm bumping this number up to 1000, and I'm going to use the -b all argument to use all the data sources available while gathering information on a target. This one takes several minutes to complete. I'll press Enter. While this is running, I'll pause the recording.

Okay, the scan is done. I'll scroll up. It only found a couple of emails, but it looks like it found over 1,000 domains and subdomains. I'll scroll back down to the bottom and look at something. During an analysis, you might find some domains that were set up for testing at one time and then forgotten about. Over here, there's some domains that say beta in them. I would guess those were set up to test various web applications at one time.

I'll clear the screen and use my up arrow to bring up the previous search.

Search Social Media 03:45-04:29 Before we end this demo, I want to talk about searching social media. theHarvester can search both Twitter and LinkedIn. For example, on LinkedIn, users voluntarily and publicly submit information about themselves, such as their personal data, professional work history, education, contact information, interests, hobbies, and so on. All of this information is searchable with theHarvester.

Twitter is another point of potential security failure. Social media can be used to gain additional information about employees, such as phone numbers, email addresses, photos, and locations. Using theHarvester, we can also gather specific Twitter usernames.

I'm not going to run those searches to avoid bringing up personal information about others, but social media exploitation is an important risk that you should account for.

Summary 04:29-04:51 That's it for this demo. In this demo, we used theHarvester to perform reconnaissance. We explained some of the different parameters that are available and how to use them. We explained how theHarvester can use different data sources such as Google, Bing, LinkedIn, and Twitter. And we did a few searches that had varied results.

3.2.3 Reconnaissance with Nmap


Perform Reconnaissance with Nmap 00:00-00:35 Gathering information might be one of the first things you do as a cybersecurity analyst. There are a lot of tools that can help you. Most cybersecurity analysts start with some very basic command line tools. In this demo, we're going to perform some reconnaissance using some of these basic tools. You might be analyzing a company domain, but in this demo we will be using a domain set up by the Nmap Security Scanner Project and insecure.org. They've set up scanme.nmap.org to help people learn about Nmap and other tools. They authorize students to do scans as long as they're done within reason. Let's close the web browser.

Perform Basic Reconnaissance 00:35-01:47 To get started, we're going to go through some reconnaissance steps. First, I just want to make sure that the site is live, so let's ping it. I'll just type, 'ping scanme.nmap.org', press Enter, and I get a response. I'll hit Ctrl+C to stop the ping, and I can confirm that the site is live.

Now let's find the path to our target by performing a traceroute. On Windows, you do that by typing tracert. But we're on our Kali Linux system, so we need to type in 'traceroute scanme.nmap.org' and then Enter. I get over a dozen hops between me and the target. These, down here, aren't responding to the request, but my traceroute still continues. This is normal behavior. Let's clear our screen.

Now, I'm interested in finding the name server information for our target. I'm going to type in 'nslookup scanme.nmap.org' and press Enter. I get the IP addresses for both IP version 4 and version 6 along with the server names.

You can perform a whois search from the command line in Linux. To do that, I'll type in 'whois nmap.org' and press Enter. I'll scroll up, and here, I can see all the information about nmap that's available from whois. I'll clear the screen again.

More Reconnaissance Tools 01:47-02:40 Next, let's see what happens if we try to make a connection with the remote system. I know that port 80 is open because we were just at the website. Let's use Netcat to see if we can make a connection to the site on port 80. For that, I'll type in 'nc -v scanme.nmap.org 80' and press Enter. I get a response back, and it looks like I'm connected. Typically, if you want to make sure you're connected, you can type 'help', and you'll get a response. I do get a response. Not only that, I get some information about what sort of server they're running and even the version.

Let's try another. I'll use my up arrow to get back to our last command. I'll change the 80 to a 22 and press Enter. I get a connection again and see that they're running SSH, and I get the version number along with some other information. All right, let's move on. I have to press Ctrl+C to get out of this, and I'll also clear the screen.

Perform Basic Reconnaissance with Network Mapper 02:40-03:51 You'll get a lot of use out of Nmap as a cybersecurity analyst. We were just using Netcat to make connections to ports. But with 65,535 possible ports, that would take all day. We can use Nmap to do a scan to see what ports are open. To do a port scan, I'll type, 'nmap -sS scanme.nmap.org' and press Enter. The -sS parameter scans the 1,000 most common ports. I get some results back. I know what ports are open. I know the state of the port and what service is running. Now, if I want to continue working with Netcat, I have a list of ports I know are open.

Earlier, we did a ping to see if the remote system was alive. Let's repeat that now to get the IP address. I'll type 'ping scanme.nmap.org' and press Enter. I'll press Ctrl+C to stop the ping. Now, I want to do a ping sweep to see what other IPs might be associated with scanme.nmap.org. To do a ping sweep, I'll type in 'nmap -sn 45.33.32.1-255' and press Enter. Now I can go through this list and see which other IPs might be associated with scanme.nmap.org.

Summary 03:51-04:15 That's it for this demo. In this demo, we did some basic reconnaissance. First, we used some command line tools to find information about the remote system. Then we used Netcat to connect to open ports. Finally, we used Nmap to perform a basic port scan and a ping sweep.

3.2.4 Threat Intelligence Types


Threat Intelligence 00:00-00:22 In this video, we're going to discuss threat intelligence. Threat intelligence refers to the information and insights that organizations use to identify potential security threats and vulnerabilities. It involves gathering, analyzing, and interpreting data from various sources to identify emerging risks and inform security strategies.

Open-Source Intelligence 00:22-01:03 Open-source intelligence is obtained from sources available to the public, free of charge. Because of the overwhelming number of threats, most organizations openly share threat-specific intelligence. This open-source approach helps organizations to use information gathered from industry professionals to build extensive indexes of active threats. Government organizations like the FBI and Department of Homeland Security and private companies like Microsoft and Cisco provide open-source web-based platforms for industry professionals to share up-to-date intelligence. By analyzing data and incidents recorded by other organizations, cybersecurity analysts can make informed decisions to improve their overall security posture.

Closed-Source Intelligence 01:03-01:34 Closed-source intelligence is obtained from private organizations. Unlike open-source intelligence, which collaborates with the general public, one organization researches and documents closed-source intelligence. This data is typically kept confidential because it's sold or licensed by security companies or contains proprietary information. By limiting access to this confidential intelligence, organizations can reduce their risk of data breaches and other security incidents that could compromise their operations or reputation.

Intelligence Considerations 01:34-02:51 The volume of information that you can gather in these feeds can be quite high. When reviewing threat feeds, you may notice a confidence rating. The threats are usually ranked from high to low, with the higher numbers being threats with a higher-threat potential. Low numbers typically indicate threats that may be annoying but not malicious. It's also important to consider the context of all information. Your intelligence should be evaluated based on timeliness, relevancy, and accuracy.

Timeliness refers to the urgency associated with the particular threat information. It indicates how quickly an organization needs to respond to a threat to prevent or mitigate its impact on the business. Relevancy refers to the degree of applicability of a particular threat information to an organization's specific IT environment, assets, and business processes. It indicates how closely the threat information aligns with an organization's unique security requirements and helps determine the priority of action that needs to be taken to mitigate the threat. Accuracy refers to the degree of correctness and reliability of a particular piece of threat information. It indicates how well the threat information reflects the current and actual state of the threat landscape, enabling organizations to make informed decisions regarding their security posture.

Summary 02:51-03:02 That's it for this lesson. In this lesson, we discussed threat data and intelligence. We discussed open-source and closed-source intelligence and intelligence considerations.

3.2.5 Threat Intelligence Types Facts

This lesson covers the following topics:

  • Open-source intelligence sources
  • Closed-source intelligence sources
  • Indicator management
  • Intelligence considerations

Threat intelligence data refers to information collected, analyzed, and contextualized to identify and assess potential security threats. Data can come from various sources, including open-source, human, and technical intelligence. Threat intelligence data is categorized into two broad types: strategic and operational. Strategic threat intelligence provides a high-level view of the threat landscape, including emerging trends, tactics, and techniques threat actors use. On the other hand, operational threat intelligence provides more granular details about specific threats, such as indicators of compromise, malware analysis, and network forensics. Threat intelligence data aims to provide actionable insights and recommendations that organizations can use to better protect themselves against potential security threats.

Open-Source Intelligence Sources

Open-source intelligence is obtained from sources that are available to the public. Because of the overwhelming number of threats, most organizations openly share threat-specific intelligence. This open-source approach helps organizations to build extensive indexes of active threats. The following table lists a few of the many websites that provide open-source threat data resources.

Cybersecurity and Infrastructure Security Agency (CISA.gov): This US Department of Homeland Security site includes extensive information on recent attacks, threats, and security updates. Self-reporting links are provided for reporting known incidents, phishing, malware, vulnerabilities, and indicators.
Cyber Crime Center's Vulnerability Disclosure Program (www.dc3.mil): This Department of Defense site provides a repository for ethical hackers across the globe to share knowledge to help organizations improve network security.
AT&T Alien Labs Open Threat Exchange (cybersecurity.att.com): Alien Labs, now known as AT&T Cybersecurity, provides an open-source threat exchange. The site encourages that threats be recorded with actionable defenses to provide a collaborative environment for security professionals.
InfraGard (infragard.org): InfraGard provides a site for security collaboration between the FBI and industry professionals.

Closed-Source Intelligence Sources

Closed-source intelligence (sometimes referred to as proprietary intelligence) is obtained from private organizations. Unlike open-source intelligence, which collaborates with the general public, closed-source intelligence is researched and documented solely by one organization. This data is typically kept private because it is sold or licensed by security companies or contains proprietary information.

Threat intelligence is widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee. Some of these commercial sources primarily repackage information coming from free public registries. In contrast, others provide proprietary or closed-source data that may not be found in the free public registries. Closed-source data is derived from the provider's own research and analysis efforts, such as data from honeynets that they operate, plus information mined from their customers' systems, suitably anonymized. Most commercial feed (sometimes called paid feed) providers also market their own platform for processing and disseminating threat intelligence. There are also platform providers who do not produce their own security feeds. Some examples of commercial providers include the following:

  • CrowdStrike Falcon Threat Intelligence ( https://www.crowdstrike.com/products/threat-intelligence/ )
  • IBM X-Force Exchange ( https://exchange.xforce.ibmcloud.com/ )
  • Mandiant (previously FireEye) Threat Intelligence ( https://www.mandiant.com/advantage/threat-intelligence/ )
  • Recorded Future ( https://www.recordedfuture.com/research/intelligence-reports/ )

Indicator Management

Managing threat information on a large scale can get messy without a standardized information-sharing method. The following table describes open-source standards used to share threat indicators.

Structured Threat Information eXpression (STIX): STIX is built on the XML framework. It was initially provided by the Department of Homeland Security. STIX defines malware, threat actors, tools, and attack patterns. The objects are related to field names such as type, name, description, and primary motivation. This simple format allows users to read the data manually or to use the data in automated systems.
Trusted Automated eXchange of Indicator Information (TAXII): TAXII is used with STIX and provides a method for the threat information to be shared at the application level using HTTPS.
OpenIoC: OpenIoC is also built on the XML framework. Like STIX, it uses metadata such as author, name, and description to provide information about known threats.

Intelligence Considerations

The volume of information that you can gather in these feeds can be pretty high. When reviewing these feeds, you will want to consider the following:

  • Confidence level: When reviewing threat feeds, you may notice a confidence rating. The threats are usually ranked from high to low, with the higher numbers indicating threats with a higher threat potential. Low numbers typically indicate threats that are more annoying than malicious.
  • Context: Any intelligence you gather should be evaluated based on timeliness, relevance, and accuracy.

Threat intelligence data depends on three crucial attributes: timeliness, relevancy, and accuracy, which are described in the following table:

  • Timeliness: The speed at which threat data is collected and disseminated to ensure it is up-to-date and relevant.
  • Relevancy: The usefulness of the data in the context of a specific threat and the actionable insights and meaningful context it provides.
  • Accuracy: The reliability and correctness of the threat data. For example, ensuring it is free from errors, bias, or false information.
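As an added example (not part of the TestOut lesson), the following Python script ties the STIX indicator format described under Indicator Management to the confidence and timeliness considerations above. It parses a constructed STIX 2.1 bundle (STIX 2.x objects are JSON; the XML form described above is STIX 1.x), keeps only indicators whose confidence meets a threshold and whose validity window covers the current time, and extracts the indicator values from their patterns. The bundle contents, IDs, and addresses are sample data.

```python
import json
import re
from datetime import datetime

# Constructed STIX 2.1 bundle: sample objects only, not from any real feed.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000010",
         "name": "C2 beacon host", "description": "Seen in honeynet traffic",
         "pattern": "[ipv4-addr:value = '203.0.113.5']", "pattern_type": "stix",
         "confidence": 85, "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000011",
         "name": "Sinkholed phishing domain",
         "pattern": "[domain-name:value = 'login-example.invalid']", "pattern_type": "stix",
         "confidence": 60, "valid_from": "2023-01-01T00:00:00Z",
         "valid_until": "2023-06-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000012",
         "name": "Noisy scanner", "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "pattern_type": "stix", "confidence": 20, "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000020",
         "name": "Sample Group", "primary_motivation": "organizational-gain"},
    ],
})

# Matches a single equality comparison in a STIX pattern, e.g. [ipv4-addr:value = '203.0.113.5']
_PATTERN_RE = re.compile(r"\[(?P<obj>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<val>[^']*)'\]")

def _parse_ts(value):
    # STIX timestamps are RFC 3339 UTC strings with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage_indicators(bundle_json, min_confidence, now_ts):
    """Return (object type, value, confidence) for indicators that meet the
    confidence threshold and are valid at now_ts (a STIX-style timestamp)."""
    now = _parse_ts(now_ts)
    kept = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue                  # threat-actor etc. give context, not IOCs
        if obj.get("confidence", 0) < min_confidence:
            continue                  # low confidence: treat as noise
        if now < _parse_ts(obj["valid_from"]):
            continue                  # not yet valid
        if "valid_until" in obj and now >= _parse_ts(obj["valid_until"]):
            continue                  # timeliness: indicator has expired
        m = _PATTERN_RE.fullmatch(obj["pattern"])
        if m:
            kept.append((m.group("obj"), m.group("val"), obj["confidence"]))
    return kept
```

Indicators with no confidence property are treated as confidence 0 and dropped by any positive threshold, which is the conservative choice when a feed omits the field.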

3.2.6 Information Sharing and Analysis Centers (ISACs)

This lesson covers the following topics:

  • Information Sharing and Analysis Centers (ISACs)
  • Critical infrastructure

Information Sharing and Analysis Centers (ISACs)

Since the 1990s, governments have mandated that industries where a cyberattack poses risks to life, health, or national security must form public/private partnerships and industry associations to disseminate sector-specific threat intelligence. For each critical industry, Information Sharing and Analysis Centers (ISACs) have been set up. Where a generic open-source or commercial threat intelligence provider might use corporate or academic networks to gather data, ISACs produce data from their members' systems. Hence, the data is highly industry-specific and relevant. Information shared within an ISAC is given legal protections by the PCII program operated by the Department of Homeland Security (DHS) ( dhs.gov/cisa/pcii-program ). A list of all US-based ISACs is available at nationalisacs.org/member-isacs-3 . In the UK, the Cyber Security Information Sharing Partnership ( ncsc.gov.uk/section/keep-up-to-date/cisp ) serves a similar purpose.

Critical Infrastructure

The DHS identifies 16 critical infrastructure sectors ( cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors ), such as communications, energy, water, nuclear reactors and waste, emergency services, etc. Each sector is supported by its own ISAC. One of the primary areas of focus for cybersecurity in industries that support critical infrastructure is embedded systems and industrial control systems.

Figure: CISA website listing critical infrastructure sectors, showing the Chemical, Commercial Facilities, Communications, and Critical Manufacturing sectors. (Image contents created by the Department of Homeland Security and released to the public domain.)

  • Government: The Multi-State ISAC ( cisecurity.org/ms-isac ) serves nonfederal governments in the US, such as state, local, tribal, and territorial governments. One of the key cybersecurity concerns for governments is interference in the electoral process and the security of electronic voting mechanisms. In fact, there is an ISAC dedicated to election infrastructure security issues ( cisecurity.org/ei-isac ).
  • Healthcare: Healthcare providers are targeted by criminals seeking blackmail and ransom opportunities by compromising patient data records or by interfering with medical devices. For more information on the Health ISAC, visit h-isac.org .
  • Financial: The financial sector is an obvious target for fraud and extortion. Attackers can target both individual account holders and financial institutions themselves. Serious financial shocks, such as major trading platform or ATM outages, can also pose a national security risk. For more information on the Financial Services ISAC, visit fsisac.com .
  • Aviation: As with most commercial industries, the aviation industry is targeted for fraud, but there are also substantial risks from terrorists or hostile nation-state actors seeking to disrupt services or cause casualties. Air traffic control and the safe operation of aircraft depend on many interconnected systems, some of which use aging infrastructure or technology susceptible to interference and spoofing, such as radar and GPS. For more information on the Aviation ISAC, visit a-isac.com .

3.2.7 Threat Intelligence Sharing

This lesson covers the following topics:

  • Threat intelligence sharing
  • Confidence levels
  • Threat intelligence sharing benefits

Threat Intelligence Sharing

Threat information sharing is crucial for cyber defense teams and cybersecurity organizations. Cyber threat intelligence sharing focuses on finding indicators of compromise, tracking threat actor groups, documenting findings, discussing strategies, and distributing this knowledge.

Many leading cybersecurity vendors openly share threat information via the Cyber Threat Alliance (CTA). One of the most critical tactics to help bolster defensive team capabilities and effectiveness is participating in an industry group that actively shares information on threats and attacks.

Figure: The Cyber Threat Alliance website, listing many of the participating organizations. (Screenshot courtesy of Cyber Threat Alliance.)

One of the best ways to decrease the time spent detecting threats is to share information on an industry-wide scale. When peers proactively share information, it helps to strengthen collective resiliency and responsiveness to known, emerging, and potential threats. The Automated Indicator Sharing (AIS) ecosystem enables the exchange of machine-readable cyber threat indicators and defensive measures. AIS is managed and maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). AIS enables participants to share indicators and defensive measures against cyber threats, such as information on observed adversarial activities, actions, and compromises (when discovered). This helps other AIS organizations fortify their defenses and ultimately limit an adversary's use of a particular method of attack.

With in-depth, contextualized threat information, organizations can better predict and recognize malicious activities and leverage the knowledge to accelerate the detection and prevention of attacks. Automating threat intelligence derived from internal and external data sources via a cybersecurity ecosystem of tools and open-source intelligence (OSINT) data feeds supports the production and delivery of timely threat information. Given the likelihood of threat actors operating similarly, it is increasingly vital for organizations to share threat intelligence and leverage community expertise to enhance their security posture.

An effective threat information platform enables the analysis and distribution of IOCs, tactics, techniques, and procedures (TTPs), threat actors, courses of action, incidents, and other similar types of information. These details are shared in real time using machine-readable formats such as the Trusted Automated eXchange of Indicator Information (TAXII) message exchange and Structured Threat Information eXpression (STIX) formats. This type of information sharing helps support incident response teams, risk managers, security engineers, and security and vulnerability analysts by providing context and descriptions of the attacks they should prepare for and seek to identify. Focusing detection and monitoring activities in this way can help reduce detection times and vastly improve monitoring effectiveness by helping teams focus on high-probability issues.

Confidence Levels

Strategic intelligence of this kind provides deep insight into broad-based or longer-term trends. It provides early warning about threats to help leaders understand the risks that cyber threats pose to their organizations. Additionally, threat feed information helps craft alerts and search for relevant security incidents using rule templates based on imported threat intelligence.

Threat intelligence analysts use threat information to develop confidence levels that help reduce noise and prioritize highly relevant and targeted activities. Platforms like MISP implement taxonomies called Admiralty-Scale or Estimative-Language to help analysts develop and describe confidence levels for different types of threat information.

More information about the MISP Threat Sharing platform can be obtained from https://www.misp-project.org/ .

Threat Intelligence Sharing Benefits

Threat intelligence sharing helps improve several aspects of cybersecurity, including incident response, vulnerability management, risk management, and security engineering.

  • Incident response: Threat intelligence sharing can help organizations respond to security incidents more effectively by providing information about threat actors' tactics, techniques, and procedures (TTPs). By sharing information with other organizations, incident responders can better understand the threat landscape and develop more effective incident response plans.
  • Vulnerability management: Threat intelligence sharing can help organizations identify and prioritize vulnerabilities more effectively. Organizations can quickly identify and mitigate potential risks by sharing information about emerging threats and vulnerabilities before attackers exploit them.
  • Risk management: Threat intelligence sharing can help organizations manage risk more effectively by providing insight into emerging threats and attack trends. By leveraging threat intelligence, organizations can make more informed decisions about where to allocate resources and which security controls to implement to reduce risk.
  • Security engineering: Threat intelligence sharing can also help inform security engineering efforts. By understanding the TTPs threat actors use, security engineers can design and implement more effective security controls to prevent and detect attacks.