Putting my notes on a page for a couple of reasons. Present me is looking out for future me. Future me is going to lose these handwritten notes somehow. Thank me later. I am also going to need to reference this quickly when I am trying to study. Sometimes I can't read my own writing and trying to figure out what I wrote or what I meant is frustrating and time consuming. This is much more legible. Again, thank me later...
OSINT is available in the following formats.
Proprietary Information is generally not available to the public and usually will requir a fee or subscription to access
Timeliness is one of the main reasons people would opt for a Closed Source Information source. These platforms provide near real time alerts concerning threats.
Relevancy is another reason why closed source informations would be attractive. A typical feature of a Closed Information Source is the ability to search and organize data to enhance relevancy.
Accuracy and Confidence Levels may be the most compelling reasons to choose a Closed Information Source. Security Analyst rely on the data they recieve to make security assesments and decisions. Acquired data must be accurate if it is to be relied upon. Security Analyst muste be able to implicitly trust incoming data without assesing if the data was intended to mislead or deceive. This extra analysis takes away time from the overall resolution of an incident. Many network attacks use false information to misdirect network defenses.
Indicator Management Systems manage the collection and analysis of IoCs.
STIX Structured Threat Information eXpression- Is an XML based programming language that can be used to communicate cybersecurity information among subcribers of the language.
STIX was created to identify problems that could indicate cyber threats, facilitate cyber threat response activities, including prevention, detection, and response. STIX also is used to share Cyber threat informatoin with organizations , outside partners and communities that benefit from the information.
While originally sponsored by the CS&C (The Office of Cyber Security and Communications) within the DHS (Department of Homeland Security), it is now under the management of OASIS (Organization for the Advancement of Structured Information Standards).
Trusted Automated eXchange of Indicator Information- An application protocol for exchanging CTI over HTTPS. It defines two primary services; Collection and Channels.
A Collection is an interface to a logical repository of CTI objects provided by a TAXII server that allows a producer to host a set of CTI data that can be requested by consumers.
A Channel allows producers to push data to many customers and allows consumers to receive data from many producers.
TAXII clients exchange information with other TAXII clients in a publish subscribe model. TAXII services can support a variety of sharing models including
Terms you will want to remember...
An open framework designed for sharing thrat intelligence in a machine readable format written in XML
Threats that are common knowledge and easily indenitified through signatures by antivirus and intrusion detectoin system engines or throught domain reputation blacklist.
Lurking threats that have been indentified but for which no signature is available.
Vulnerabilities discovered in live environments and have no current fix or patch.
A hacking process that targets a specific entity and is carried out over a long period of time.
Work that involves web searches, interviews, indentifying sources, and monitoring data.
The correlation of data to identify pieces of information that have th following characteristics
Solutions that must be communicatd to the proper personnel for deployment.
Malware that is widely available for purchase or free download. It is not customized or tailored to a specific attack. It usually does not require complete understanding of its processes, and is used by a wide range of threat actors with a range of skill levels.
Give at least 2 examples of open source intelligence data: 1. Unclassified Government Data 2. Print and online media
Open IoC is an open framework that is designed for sharing threat intelligence in a machine readable format
STIX is an XML based programming language that can be used to communiate cybersecurity data amang those using this language.
Cyberintelligence Analytics Platform (CAP) v2.0 uses its proprietary artificial intelligence and machine learning algorithms to help organizations unravel cyber risks and threats, as well as, enabling proactive cyber posture management.
Which threat actor has already prformed network penetration? Nation State
List the commn sharing models used in TAXII. Hub and spoke, Peer to peer, Source and Subscriber
Hacktivist are hacking for a cause such as animal rights. They use hacking as a means to get their message out and affect the businesses that they feel are detrimental to their cause.
Describe the characteristics of a Zero Day threat. A threat appearing in live environments with no known solution.
Describe some differences between a Terrorist and an Advance Persistent Threat (APT). APT attacks are carried out over a long period of time, sometimes sponsored by a Nation State. A Terrorist does not hack specifically for money, but rather to destroy or deface.
APT attacks are typically sourced and carried out by by which group of threat actors? Nation State.
What intelligence gathering step is necessary because of the amount of potential information may be so vast? Analysis.
The Aviation Government Coordinating council is Chartered by which organization? Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA)