Threat Intelligence & Threat research Sources
1. Friendly Tip: Please take notes to better remember the concepts.
In this video we will learn about Threat Intelligence and Threat Research Sources.
Core Cyber Security Concepts
2. What is Threat Intelligence?
Threat Intelligence is evidence-based information about cyber attacks that cyber security experts organize and analyze. This information may include:
Mechanisms of an attack
How to identify that an attack is happening
How different types of attacks might affect the business
Action-oriented advice about how to defend against attacks
3. Simply put, threat intelligence refers to the actions taken in order to gain intelligence, or information, about a threat, and to the information that results.
Examples of organizations that generate threat intelligence reports:
4. Threat Intelligence Providers
Threat intelligence providers are the organizations or independent researchers that generate threat intelligence reports so that organizations can prepare against known threats.
There are different types of threat intelligence providers.
5. Public Information Sharing Centers
These are organizations that publish their threat intelligence reports openly, so the reports are publicly available to anyone.
Closed/Proprietary Threat Intelligence Providers
Such threat intelligence providers share their intelligence only commercially: the reports go only to organizations that pay the provider, typically in the form of a paid subscription.
6. Websites of Vendors
Suppose you want to look up the reputation of a certain IP address; you can do so on vendor websites such as ipvoid, which report whether the address has been flagged by blocklists. Keep in mind that such a lookup reflects only what has already been reported: a clean result means the address has not been listed, not that it is benign.
Open-Source Intelligence (OSINT)
Open-Source Intelligence (OSINT) is intelligence produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement. OSINT draws from a wide variety of information and sources.
7. What is Threat Research?
The information required to produce threat intelligence is acquired by conducting threat research.
In the process of threat research, information regarding threats (past and present) is collected and thoroughly studied in order to come up with accurate conclusions.
The organizations that collect, study and distribute threat information reports are known as threat research sources. These include reputable universities, cyber security research agencies, and monitoring of dark web forums and marketplaces where attackers trade tools and stolen data.
8. Threat Research Types
The data that threat intelligence researchers study can be classified into three threat research categories:
Behavioral threat research
Reputational threat research
Information acquired via the client's network and logs
9. Behavioral threat research
In this research, the researchers try to understand the actions a piece of malware takes and what it is trying to achieve, in order to learn its goals and behavioral patterns. This information can be used to develop a countermeasure or fix.
As part of behavioral threat research, the date on which a malware family was first detected is recorded, and that earliest version is compared against its present form in order to understand how the malware has evolved.
10. Reputational threat research
This keeps track of the reputation of sites, domains and IP addresses linked to malicious activity. If a site poses as offering a useful service but instead prompts unsuspecting visitors to download malware, threat research organizations study such sites with a bad reputation and include them in the threat intelligence report.
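Automating the reputation lookup from slide 6 and the reputational research described here, as an added example that is not part of the original slides: a small Python script loads a constructed threat-intelligence feed (exact IPs, CIDR ranges and domains, each with a confidence score and a source) and checks observables pulled from constructed proxy/DNS log lines against it. The feed format, the log line format, the addresses, the domain names and the source labels are all hypothetical; a real deployment would pull the feed from a public sharing center, a commercial subscription or a vendor site.

```python
"""Added example (not from the original slides): match observables from
constructed proxy/DNS log lines against a constructed threat-intel feed.
Feed entries, log lines, addresses and source names are all hypothetical."""
from __future__ import annotations

import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical feed export: indicator,type,confidence,source
FEED_CSV = """\
indicator,type,confidence,source
203.0.113.7,ip,90,public-sharing-center
198.51.100.0/24,cidr,60,commercial-subscription
evil-updates.example,domain,85,vendor-website
"""

# Constructed log lines: "<ts> <src> -> <dst>:<port> ..." or "<ts> <src> DNS <name>"
LOG_LINES = [
    "2024-05-01T02:13:07Z 10.0.0.12 -> 203.0.113.7:443 GET /update.bin",
    "2024-05-01T02:13:09Z 10.0.0.12 DNS cdn.evil-updates.example",
    "2024-05-01T09:00:01Z 10.0.0.31 -> 93.184.216.34:443 GET /",
    "2024-05-01T09:05:44Z 10.0.0.31 -> 198.51.100.77:8080 POST /beacon",
    "2024-05-01T09:06:00Z 10.0.0.31 DNS www.example.org",
]

DST_RE = re.compile(r"-> (\d{1,3}(?:\.\d{1,3}){3}):\d+")
DNS_RE = re.compile(r"DNS (\S+)")


@dataclass(frozen=True)
class Match:
    observable: str   # what was seen in the log
    indicator: str    # the feed entry it matched (IP, CIDR or domain)
    kind: str
    confidence: int
    source: str


class Feed:
    """Indexed feed: exact IPs and domains in dicts, CIDRs in a list."""
    def __init__(self) -> None:
        self.ips: dict[str, tuple[int, str]] = {}
        self.cidrs: list[tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, int, str]] = []
        self.domains: dict[str, tuple[int, str]] = {}


def load_feed(csv_text: str) -> Feed:
    feed = Feed()
    for row in csv.DictReader(io.StringIO(csv_text)):
        conf, src = int(row["confidence"]), row["source"]
        if row["type"] == "ip":
            feed.ips[row["indicator"]] = (conf, src)
        elif row["type"] == "cidr":
            feed.cidrs.append((ipaddress.ip_network(row["indicator"], strict=False), conf, src))
        elif row["type"] == "domain":
            feed.domains[row["indicator"].lower().rstrip(".")] = (conf, src)
        else:
            raise ValueError(f"unknown indicator type: {row['type']}")
    return feed


def lookup(feed: Feed, observable: str) -> Optional[Match]:
    """Return the feed entry an IP or hostname matches, or None if unlisted."""
    try:
        addr = ipaddress.ip_address(observable)
    except ValueError:
        addr = None
    if addr is not None:
        if observable in feed.ips:
            conf, src = feed.ips[observable]
            return Match(observable, observable, "ip", conf, src)
        for net, conf, src in feed.cidrs:   # ranges catch IPs an exact list misses
            if addr in net:
                return Match(observable, str(net), "cidr", conf, src)
        return None
    # Hostnames: a subdomain of a listed domain counts as a match; bare TLDs never do.
    labels = observable.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed.domains:
            conf, src = feed.domains[candidate]
            return Match(observable, candidate, "domain", conf, src)
    return None


def extract_observable(line: str) -> Optional[str]:
    m = DST_RE.search(line) or DNS_RE.search(line)
    return m.group(1) if m else None


def scan_logs(feed: Feed, lines: list[str]) -> list[Match]:
    hits = []
    for line in lines:
        obs = extract_observable(line)
        if obs is not None:
            m = lookup(feed, obs)
            if m is not None:
                hits.append(m)
    return hits


if __name__ == "__main__":
    for hit in scan_logs(load_feed(FEED_CSV), LOG_LINES):
        print(f"{hit.observable} matched {hit.kind} {hit.indicator} "
              f"(confidence {hit.confidence}, source {hit.source})")
```

Three of the five constructed lines match: the exact IP, the subdomain of a listed domain, and an address inside a listed CIDR range. Confidence and source travel with each hit so an analyst can treat a low-confidence commercial entry differently from a high-confidence one, and a miss means only that the feed has no entry, not that the address is clean.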
11. Information acquired via the client's network and logs
In this type of research, information from the client's own network, its devices, their traffic and the network logs, is thoroughly studied in order to better understand and detect suspicious activity.
This helps in early detection and prevention of cyber attacks.
13. "Indicators of compromise (IOCs) refer to data that indicates a system may have been infiltrated by a cyber threat. They provide cybersecurity teams with crucial knowledge after a data breach or another breach in security."
IOCs share evidence of intrusion and alert the information security department to a potential security breach. IOCs do not warn you of an incoming attack; they tell you that an intrusion has already happened.
14. We'll learn more about IOCs by comparing them with Indicators of Attack (IOAs).
IOAs focus on identifying the activity linked with an attack while the attack is happening, whereas IOCs help the organization determine whether it has been attacked or whether a security breach has occurred.
15. Common Indicators of Compromise
Unusual Outbound Network Traffic
Outbound traffic during off-peak hours, or traffic communicating with a suspicious IP, could indicate a compromise.
Anomalies in Privileged User Account Activity
A high-privilege user account accessing sensitive data during off-peak hours, or accessing files that are rarely touched, could indicate that its credentials were phished or stolen.
16. Activity from strange geographic regions:
Most organizations see traffic predominantly from the regions in which they operate. Activity from countries outside the organization's geographic footprint, including state-sponsored activity, could indicate compromise.
High authentication failures
Attackers use automation to try phished or stolen credentials at scale. A high rate of failed authentication attempts could indicate that an attacker holds stolen credentials and is trying to find an account that gives access to the network.
17. Large Numbers of Requests for the Same File
Attackers often request the files they are trying to steal again and again. If the same file is being requested many times, this may indicate an attacker is testing several different ways of requesting it, hoping to find one that works.
Mismatched Port-application Traffic
Attackers may use obscure ports, or run a protocol on a port normally reserved for a different application, as they execute an attack. If an unusual port is being used, or the traffic on a port does not match the application expected there, this can indicate an attacker attempting to penetrate the network through the application or to affect the application itself.
18. Suspicious configuration changes:
Changing configurations on files, servers and devices could give an attacker a second backdoor into the network. Changes could also add vulnerabilities for malware to exploit.
Flooded traffic to a specific site or location:
Compromised devices could be turned into a botnet. The attacker sends a signal to the compromised devices to flood traffic at a specific target. High traffic volume from multiple internal devices to a single IP could mean those devices are taking part in a DDoS attack.
19. Key Takeaways
Threat intelligence refers to the actions taken in order to gain intelligence or information about a threat.
Threat intelligence providers are the organizations or independent researchers that generate threat intelligence reports so that organizations can prepare against known threats.
The organizations that collect, study and distribute threat information reports are known as threat research sources.
IOCs share evidence of intrusion and alert the information security department to a potential security breach.