
CYBER THREAT

INTELLIGENCE
Syllabus
 Welcome
 Instructor’s bio
 Objectives of Threat Intelligence
 What's in a name?
 How do Organisations Use CTI
 The role of a CTI analyst
 Introduction to threat actors
 Grey, White and Black Hat Hackers
 CIA Triad
 Threat vectors
 The attack surface
 SolarWinds Hack
 The intelligence cycle
 Core of CTI
 Introduction to law and ethics
 Responsible Disclosures
 Conclusion
 End of Course Assessment
WELCOME

 Welcome to the SGS Cyber Threat Intelligence course.

The purpose of this course is to provide a short introduction to some of the key
concepts you will likely come across whilst operating in the role of a cyber threat
intelligence analyst.
Instructor’s Bio
Objectives of Threat Intelligence

 What is Cyber Threat Intelligence?


Cyber Threat Intelligence (CTI) refers to the process of collecting, analyzing, and
disseminating information about current and potential cyber threats that pose risks
to an organization’s security. This intelligence helps organizations understand the
threats they face, their potential impact, and how to effectively mitigate them.
What’s in a name?
Cyber

“Widespread interconnected digital network”


-not just the internet!
The word "cyber" signifies the intersection of technology, digital communication,
and virtual environments. It emphasizes the importance of control, security, and
interaction within the realm of computers and the internet. As digital technology
continues to advance and integrate into daily life, the relevance and use of the term
"cyber" will likely expand further.
WHAT DOES 'CYBER' MEAN?

 The word 'cyber' denotes a relationship with information


technology (IT), i.e., computers. (It can relate to all aspects of
computing, including storing data, protecting data, accessing
data, processing data, transmitting data, and linking data.)

The word 'cyber' carries the following connotations:


 A relationship with modern computing (i.e., the digital age). (For
example, early computers and home PCs from the 80s and 90s
do not attract the term 'cyber.')
 A relationship with the cutting edge of modern technology. (For
example, IT security sounds more routine than cyber security,
which implies a guard against the latest attack types.)
Basic Concept of Web Layers
Using the iceberg analogy to explain the layers of the internet is a
helpful way to visualize the different levels of content and
accessibility. The internet can be divided into three main layers: the
Surface Web, the Deep Web, and the Dark Web. Here’s how each
layer corresponds to the parts of an iceberg:
1. Surface Web (Tip of the Iceberg)
 Visibility: This is the smallest and most visible part of the
iceberg, analogous to the portion that is above the water.
 Accessibility: Easily accessible through standard search engines
like Google, Bing, and Yahoo.
 Content: Includes websites, blogs, news articles, social media
platforms, and other web pages that are indexed by search
engines.
 Examples: Wikipedia, YouTube, public websites, and social media
profiles.
2. Deep Web (Submerged Iceberg)

 Visibility: This part of the iceberg is below the water surface,


representing the majority of the iceberg that is hidden from plain
sight.
 Accessibility: Not indexed by standard search engines. Much of it sits behind
logins, paywalls or database queries, so reaching it requires specific credentials,
permissions or a direct link rather than a search.
 Content: Contains private databases, academic journals,
subscription sites, company intranets, medical records, legal
documents, and other secure data.
 Examples: Online banking, academic databases like JSTOR,
government databases, and private organizational websites.
3. Dark Web (Deepest Part of the Iceberg)

 Visibility: The deepest and most concealed part of the iceberg,


representing content that is intentionally hidden and accessible
only through special means.
 Accessibility: Requires specific software, configurations, or
authorization to access. The most common tool used to access
the dark web is the Tor browser.
 Content: Often associated with illegal activities, but not
exclusively. It includes black markets, illicit drug sales, illegal
arms sales, stolen data, as well as private communications and
activism in oppressive regimes.
 Examples: Silk Road (a now-defunct online black market),
various Tor-hidden services, and anonymous communication
forums.
Conclusion:
The iceberg analogy illustrates that what we see and interact with on the surface web
is only a small fraction of the total internet content. The deep web makes up the bulk
of it, holding vast amounts of data that is not indexed or openly accessible to the
general public, while the dark web is a comparatively small subset of that hidden
content that is deliberately concealed and reachable only through tools such as Tor.
What’s in a name?

Threat

“A person or thing with the ability to inflict damage onto a victim”


WHAT DOES 'THREAT' MEAN?

 A threat is a statement indicating the will to cause harm to or create some other
kind of negative consequences for someone.

Many threats involve a promise to physically harm someone in retaliation for


what they have done or might do. Some threats are simply meant to intimidate,
and don’t involve pressuring someone to do something. Not all threats involve
violence.

A security threat is someone or something that might make a situation unsafe.

Threat can also mean a warning or sign that harm or trouble is coming.
What’s in a name?
Intelligence

“Insight an organisation uses to understand the threats they face”


The insight is used to mitigate the harm an adversary might inflict.
WHAT DOES 'INTELLIGENCE' MEAN?

 There is no agreed definition or model of intelligence. By the Collins English


Dictionary, intelligence is ‘the ability to think, reason, and understand instead of
doing things automatically or by instinct’. By the Macmillan Dictionary, it is ‘the
ability to understand and think about things, and to gain and use knowledge’.

Intelligence - within the context of cyber security - describes the practice of


collecting, standardising and analysing data that is generated by networks,
applications, and other IT infrastructure in real-time, and the use of that
information to assess and improve an organisation's security posture.
 RE-ORDER QUIZ

Have a go at the following question and let's see if you were paying
attention to the lecture.
Question: In the lecture, we introduced you to the basic concept of web layers. Can
you place these layers in the correct order?
DARK
SURFACE
DEEP
How do Organisations Use CTI?

 Cyber Threat Intelligence (CTI) plays a crucial role in modern cybersecurity


strategies. By providing actionable insights into the threat landscape, CTI enables
organizations to proactively defend against emerging threats, enhance their
incident response capabilities, and make informed decisions about risk
management and resource allocation. Integrating CTI into security operations,
training programs, and compliance efforts helps organizations build a resilient
defense posture, stay ahead of potential threats, and reduce the impact of
cyberattacks. Through collaboration and information sharing, organizations can
further strengthen their collective security efforts, contributing to a safer digital
environment.
Levels of Intelligence From an
Organisational Perspective
Strategic, tactical, and operational intelligence each play essential roles in
organizational decision-making and management:
 Strategic Intelligence guides long-term planning and strategic initiatives based on
comprehensive analysis and predictive insights.
 Tactical Intelligence translates strategic goals into actionable plans and initiatives,
focusing on short to medium-term objectives and resource allocation.
 Operational Intelligence supports day-to-day operations by providing real-time
insights and decision support to ensure efficient and effective execution of tasks
and processes.
By leveraging these levels of intelligence effectively, organizations can enhance their
competitive advantage, manage risks proactively, and achieve sustainable growth
and success in their respective industries.
To round off this recap we want to highlight some of the key reasons
that organisations use cyber threat intelligence:

Identify and assess potential threats to their networks and systems.


 Enhance their overall security posture by proactively taking
measures to prevent attacks.
 Improve incident response efforts by having up-to-date information
about known threats.
 Prioritise resources for the mitigation of high-risk vulnerabilities.
 Monitor external sources for signs of a potential breach or attack.
 Stay informed about the tactics, techniques, and procedures used
by malicious actors.
In this section we introduced the levels of intelligence from an organisational
perspective. It is very useful to understand these levels and how they differ to
ensure you provide the right kind of intelligence to the right person within an
organisation.
Question: Can you put these intelligence levels in the correct order according to
CREST?
 Operational
 Tactical
 Strategic
The role of a CTI analyst
Cyber threat intelligence analysts gather data to track, evaluate, and report on
threats that could have an impact on an organisation. They do this by combining
contextual knowledge of the whole threat landscape with analytical abilities.
 Analysts combine a variety of sources, including private data collections and open
source intelligence (OSINT) evaluation, to produce a complete picture of an
organisation's risk posture that informs the steps the business takes to mitigate
these risks.

They create short-term and long-term evaluations to help security teams better
understand the threats they face and what they can do to prevent attacks and
breaches in the future.

As mentioned in this short video, we consider the goal of an analyst to be the


creation of insight through the combination of the art, craft and the science of
CTI.
The roles and responsibilities of a
CTI Analyst typically include:
 Identifying organisational intelligence requirements
 Collecting relevant data and conducting all-source analysis to
inform decision making process
 Identifying, monitoring, and assessing potential threats or
weaknesses
 Validating that security qualifications and requirements are met
 Creating reports that highlight key findings for security teams
and other members of the organization
 Presenting findings to other teams and proposing counteractions
to mitigate threats
Introduction to threat actors:
 Threat actors, also known as cyberthreat actors or malicious
actors, are individuals or groups that intentionally cause harm to
digital devices or systems. Threat actors exploit vulnerabilities in
computer systems, networks and software to perpetuate various
cyberattacks, including phishing, ransomware and malware
attacks.
 In this module we will be taking a look at the word 'hacker' and
the negative connotations often associated with it. We will then
break that down into three distinct groups before focusing on,
and introducing you to, cyber threat actors.
Grey, White and Black Hat Hackers:

 A hacker is an individual who uses computer, networking or other


skills to overcome a technical problem. The word has been used
over the years to refer to anyone who uses their abilities to gain
unauthorised access to systems or networks in order to commit
crimes. A hacker may, for example, steal information to hurt
people via identity theft or bring down a system and, often, hold
it hostage in order to collect a ransom.
 Black hat hackers are criminals who break into computer networks with
malicious intent. They may also release malware that destroys files, holds
computers hostage, or steals passwords, credit card numbers, and other personal
information. Black hats are motivated by self-serving reasons, such as financial
gain, revenge, or simply to spread havoc. Sometimes their motivation might be
ideological, by targeting people they strongly disagree with.
 White hat hackers – sometimes also called “ethical hackers” or “good hackers” –
are the antithesis of black hats. With the owner's permission, they probe computer
systems or networks to identify security flaws so they can make recommendations
for improvement.
 Grey hat hackers sit somewhere between white and black hats, enacting a blend of
both kinds of activity. Grey hat hackers often look for vulnerabilities in a system
without the owner's permission or knowledge. If issues are found, they report them
to the owner, sometimes requesting a small fee to fix the problem.
NATION STATE ACTORS
 Nation State Actors work for governments to disrupt or
compromise other target governments, organisations or
individuals to gain access to intelligence or valuable data. They
have been known to create significant international incidents.

Generally speaking, they can operate without fear of legal
retribution in their home country, and are often part of 'hackers
for hire' companies aligned to the aims of a government or
dictatorship.
CYBER CRIMINALS
 Cyber Criminals are individuals or teams of people who commit
malicious activities on networks and digital systems, with the
intention of stealing sensitive organisation data or personal data,
and generating profit.

It's important to note that the distinction between cyber criminals


and nation state actors is becoming increasingly blurred.
HACKTIVISTS
 Hacktivists generally operate within the social or political sphere, breaking into
and causing damage to computer systems and networks. Targets of hacktivists
can vary dramatically from things like the Church of Scientology, to
pharmaceutical companies and drug dealers.

Hacktivism is a combination of the words 'Hacking' and 'Activism'. One of the


most (in)famous hacktivist groups of recent times would have to be Anonymous,
and they are well worth doing some reading on.
CIA Triad
 'CIA triad' stands for Confidentiality, Integrity, and Availability. It is a common
model that forms the basis for the development of secure systems.

 Confidentiality - Confidentiality is to do with keeping an organisation’s data
private. Only authorised users and processes should be able to read or otherwise
access the data.
 Integrity - Integrity means that the data can be trusted: it is maintained in a
correct state, protected from unauthorised or accidental modification, and is
accurate and reliable.
 Availability - It's all well and good maintaining confidentiality and integrity, but
the data must be available to use. This means keeping systems, networks and
devices up and running.
 Being aware of these three concepts and how they overlap is important; some
organisations lean more towards Confidentiality whilst others focus more on
Availability, depending on what their system or platform is being designed to do.
Questions

Which of the following...


Question: Conducts hacking activities without owner consent and with malicious
intent
 Black Hat
 White Hat
 Grey Hat
Which of the following..

Question: Conducts hacking activities without owner consent but usually stops short
of malicious activities.

 Black Hat
 White Hat
 Grey Hat
Which of the following...

Question: Conducts activities with consent of the technology owner.

 Black Hat
 White Hat
 Grey Hat
Have a look at the following question and see if you have been paying attention.
Question: Which of the following statements could be considered true when talking
about Cyber Criminals? There are two correct answers.
 They are often concerned with political affairs
 They are motivated by financial gain
 They can operate with impunity within their country of origin
 They are known to attack critical and national infrastructure
 They are likely to create and disseminate malware
ADDITIONAL RESEARCH
If you are interested in learning more about black, grey and white hat hackers, here
are a few names for which a simple search will return a lot of information:

Tim Berners-Lee - Famous for inventing the World Wide Web and a member of the
white hat hacking camp.

Gary McKinnon - Gained unauthorised access to 97 US military and NASA computers
between 2001 and 2002 and left the message "your security is crap" on one of them.
He says he was looking for evidence of a UFO cover-up.

Michael Calce (AKA MafiaBoy) - As a 15-year-old in 2000 he launched a series of
highly publicised DDoS attacks against large organisations including Yahoo, Amazon
and CNN.
There are many names and many stories out there for you to read about... a big part
of being a CTI Analyst is curiosity after all!
Threat Vectors

What is a threat vector?


Cybersecurity threat vectors, or attack vectors, are methods or mechanisms
cybercriminals use to gain illegal, unauthorized access to computer systems
and networks. The motivations for using cybersecurity threat vectors vary by
the type of attacker.
Cybercriminals that effectively leverage cybersecurity threat vectors include:
 individual hackers
 disgruntled former employees
 politically motivated groups
 hacktivists
 cybercrime syndicates
 state-sponsored groups
Following a successful infiltration with a threat vector, cybercriminals may use additional
vectors to perform additional misdeeds, such as:
 Stealing valuable information (e.g., login credentials, personally identifiable information
(PII), protected health information (PHI), trade secrets, financial data)
 Launching ransomware for extortion
 Damaging systems
 Causing system failures
 Taking control of systems
There are many examples of cybersecurity threat vectors. Most can be categorized as active
or passive.
Examples of passive cybersecurity threat vectors include those that use methods to gain
access without affecting system resources, such as phishing, pretexting, baiting,
piggybacking, tailgating, and other social engineering vectors.
Conversely, examples of cybersecurity threat vectors that are active share a disruptive
characteristic; they seek to alter a system or affect its operation. Examples include malware,
ransomware, exploiting unpatched vulnerabilities, email spoofing, man-in-the-middle
attacks, and denial-of-service (DoS) attacks.
WHAT IS THE ATTACK SURFACE?

 When we talk about the attack surface within the context of cyber threat
intelligence, what we mean is the sum total of all the ways a malicious actor or
hacker could potentially gain unauthorised access to a target system or
network. This includes everything from the visible interfaces like websites or
apps, to the underlying protocols and technologies that enable communication
and data exchange.

Think of it like a house - the attack surface would be all the doors, windows,
vents, and any other potential points of entry that someone could use to break
in. In the same way, the attack surface in cyber security refers to all the entry
points a hacker could use to gain access to a target's sensitive information.

So, the goal of understanding the attack surface is to identify the potential
weaknesses in a system and prioritise the most pressing threats. This
information is then used to inform and guide the development of mitigation
strategies that can help prevent successful attacks and keep the target system
and its data secure.
THE SOLARWINDS HACK

 Arguably one of the largest and most complex attacks in recent


times, the SolarWinds hack took the world by storm towards the
end of 2020.

It wasn't just one organisation that suffered at the hands of this


hack though. SolarWinds develops software for businesses to
help manage their networks globally. The hack triggered an
incident that affected thousands of organisations and even
included the United States government.
A Comprehensive Overview
 The SolarWinds hack, disclosed by FireEye in December 2020, was a major cyber
espionage campaign delivered through a software supply chain attack. The attackers
gained access to SolarWinds' build environment and inserted the SUNBURST backdoor
into legitimate, digitally signed updates of the Orion network management platform;
SolarWinds estimated that up to 18,000 customers, including US government agencies
and Fortune 500 companies, installed a trojanised update. SUNBURST lay dormant for
roughly two weeks after installation and disguised its command-and-control traffic
as Orion telemetry, which helped it remain undetected for months. Note that the
backdoor was introduced during the build process rather than by exploiting a
published flaw: the CVEs later associated with SolarWinds products, such as
CVE-2020-10148 (an Orion API authentication bypass used to deploy the separate
SUPERNOVA web shell) and CVE-2021-35211 (a 2021 remote code execution flaw in
SolarWinds Serv-U), are distinct from the SUNBURST supply chain compromise. The US
government attributed the campaign to APT29, also known as Cozy Bear, a unit of the
Russian Foreign Intelligence Service (SVR). The incident prompted an extensive
response effort and highlighted the need for stronger supply chain security and
closer collaboration between cybersecurity firms and government agencies.
Threat Intelligence Cycle
THE CORE OF CYBER THREAT
INTELLIGENCE
The intelligence cycle is at the core of cyber threat intelligence because it provides a
structured framework for collecting, processing, analysing and disseminating
information about potential cyber threats. The cycle and its steps are described in
different ways depending on who you speak with, but the key elements that everyone
can agree on are listed below:
 Direction: defining what information is needed to support decision-making and
security operations.
 Collection: gathering data from various sources, such as open source intelligence
(OSINT), proprietary databases and sensor networks.
 Processing: converting raw data into usable information by verifying, validating and
fusing it into a coherent picture.
 Analysis: assessing the significance of the information and identifying patterns,
trends and potential threats.
 Dissemination: sharing the results of the analysis with the stakeholders who need it
to make informed decisions and take appropriate actions.
 Feedback: using the results of the analysis to inform future collection and analysis
efforts, and to validate the accuracy and reliability of the information.
By following this structured process, organisations can maintain a complete and
up-to-date understanding of the cyber threat landscape and take effective steps to
protect themselves from potential threats.
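The stages above, run end to end on constructed data as an added example (this is not part of the original course material): two overlapping indicator feeds are parsed and fused (processing), matched against proxy log lines (analysis), grouped per host for the SOC (dissemination), and the indicators that never matched are flagged for the next collection round (feedback). The feed formats, indicator values, host names and log lines are all constructed for illustration, and the default confidence of 70 given to the STIX-style feed is an assumption.

```python
"""Added example, not part of the original course material: an IOC matching
pipeline arranged as the intelligence cycle stages. All feeds, hosts and log
lines are constructed; the STIX-style feed's confidence of 70 is assumed."""
import re
from dataclasses import dataclass, field

# Direction: the requirement decides which indicator types we bother with.
REQUIREMENT = "Which internal hosts contacted infrastructure reported in this week's feeds?"
WANTED_TYPES = {"domain", "ipv4", "sha256"}

# Collection: two constructed feeds that overlap and differ in format and case.
# (The hash is the SHA-256 of the empty string, used purely as a stand-in.)
FEED_CSV = """\
# type,value,source,confidence
domain,Update-Check.Example.NET,vendor-a,80
ipv4,203.0.113.45,vendor-a,60
ipv4,198.51.100.7,vendor-a,55
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,vendor-a,90
domain,update-check.example.net.,community-list,50
url,http://cdn-static.example.org/x,community-list,40
"""
FEED_STIX = """\
[domain-name:value = 'cdn-static.example.org']
[ipv4-addr:value = '203.0.113.45']
[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']
"""
# Constructed proxy log: timestamp, client host, destination, status, file hash or '-'.
PROXY_LOG = """\
2024-05-01T10:02:11Z ws-17 update-check.example.net 200 -
2024-05-01T10:02:12Z ws-17 203.0.113.45 200 -
2024-05-01T10:05:40Z ws-03 intranet.example.com 200 -
2024-05-01T10:09:02Z srv-db1 cdn-static.example.org 200 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

STIX_RE = re.compile(r"\[(?P<obj>[\w-]+):(?P<prop>[^=\s]+)\s*=\s*'(?P<val>[^']+)'\]")
STIX_TYPES = {"domain-name": "domain", "ipv4-addr": "ipv4", "file": "sha256"}


@dataclass
class Indicator:
    ioc_type: str
    value: str
    sources: set = field(default_factory=set)
    confidence: int = 0


def normalise(value: str) -> str:
    """Canonical form: lower-case, no surrounding space, no trailing DNS dot."""
    return value.strip().lower().rstrip(".")


def process(feed_csv: str, feed_stix: str) -> dict:
    """Processing: parse both feeds, drop types outside the requirement,
    de-duplicate on the normalised value and fuse sources/confidence."""
    fused = {}

    def add(ioc_type, raw, source, confidence):
        if ioc_type not in WANTED_TYPES:          # validation against the requirement
            return
        key = (ioc_type, normalise(raw))
        ind = fused.setdefault(key, Indicator(*key))
        ind.sources.add(source)
        ind.confidence = max(ind.confidence, confidence)

    for line in feed_csv.splitlines():
        if line and not line.startswith("#"):
            ioc_type, raw, source, conf = (p.strip() for p in line.split(","))
            add(ioc_type, raw, source, int(conf))
    for m in STIX_RE.finditer(feed_stix):
        add(STIX_TYPES.get(m["obj"], m["obj"]), m["val"], "stix-feed", 70)  # assumed default
    return fused


def analyse(indicators: dict, log: str) -> list:
    """Analysis: match each log line's destination and file hash against the fused set."""
    hits = []
    for line in log.splitlines():
        ts, host, dest, _status, sha = line.split()
        for ioc_type, observed in (("domain", dest), ("ipv4", dest), ("sha256", sha)):
            ind = indicators.get((ioc_type, normalise(observed)))
            if ind:
                hits.append({"time": ts, "host": host, "type": ioc_type, "value": ind.value,
                             "confidence": ind.confidence, "sources": sorted(ind.sources)})
    return hits


def disseminate(hits: list) -> dict:
    """Dissemination: group per host, highest confidence first, for SOC triage."""
    per_host = {}
    for h in hits:
        per_host.setdefault(h["host"], []).append(h)
    for hs in per_host.values():
        hs.sort(key=lambda h: -h["confidence"])
    return per_host


def feedback(indicators: dict, hits: list) -> list:
    """Feedback: single-source indicators that never matched go back for review or expiry."""
    seen = {(h["type"], h["value"]) for h in hits}
    return sorted(ind.value for key, ind in indicators.items()
                  if key not in seen and len(ind.sources) == 1)


if __name__ == "__main__":
    inds = process(FEED_CSV, FEED_STIX)
    hits = analyse(inds, PROXY_LOG)
    for host, hs in disseminate(hits).items():
        print(host, [(h["type"], h["value"], h["confidence"]) for h in hs])
    print("review next cycle:", feedback(inds, hits))
```

Running the file prints one line per affected host with its highest-confidence indicator first. The normalisation step is the part most often skipped in practice: without it the two spellings of the same domain in the CSV feed would be counted as two indicators, and a log entry with different case or a trailing dot would be missed entirely.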
As we explained, the intelligence cycle is incredibly important and useful to cyber
threat intelligence analysts.
Question: Can you put the intelligence cycle in the correct order?

Analysis
Dissemination
Direction
Collection
Introduction to Law and Ethics

LAW VS ETHICS - WHAT'S THE DIFFERENCE?


Put simply, laws are structured rules that are used to govern society. Ethics are
generally considered as moral values that an individual may establish as their own
personal rules to live by.

Organisations may also produce their own internal ethics and guidelines that they
expect employees to adhere to. Though there may be no legal consequences for
choosing not to follow them, ignoring them could result in the loss of employment.
Specific legal articles that you should be aware of include:
 Data Protection Act 1998 (since superseded by the Data Protection Act 2018 and UK GDPR)
 Computer Misuse Act 1990
 Police and Justice Act 2006
 Bribery Act 2010
 Regulation of Investigatory Powers Act 2000
 Proceeds of Crime Act 2002
 Official Secrets Act 1989
 Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
 Human Rights Act 1998
RESPONSIBLE DISCLOSURES - AND WHY
HONESTY IS THE BEST POLICY
In 2018, Zoetop, the holding company behind Shein and Romwe, suffered
a data breach in which the names, email addresses and hashed passwords of a
combined customer base of around 46 million people were stolen. You would
think that was bad enough!
 Zoetop did not adequately inform its affected customers and tried to keep the
impact of the data breach quiet, which resulted in a $1.9 million fine from the
New York Attorney General in 2022.

How would you feel if your personal information was stolen? Now... how would
you feel if the company that allowed your personal information to be stolen lied
about it too?

Honesty is always the best policy when it comes to these sorts of things. The
sooner a data breach is disclosed to the relevant customers and authorities, the
sooner a business can begin fixing their issues and repairing reputational
damage. According to a Kaspersky report 'How businesses can minimize the cost
of a data breach’, small and medium sized business that voluntarily disclose
breaches to their stakeholders and the public, are likely to lose 40% less
financially than their peers that saw the incident leaked to the media. A similar
trend has been found among enterprise cases too.
Conclusion
 In conclusion, this Cyber Threat Intelligence (CTI) course has provided a
comprehensive understanding of the critical role CTI plays in enhancing
organizational security. Through this course, participants have gained insights into
the fundamentals of CTI, including the collection, analysis, and dissemination of
actionable intelligence.
 Key takeaways include the importance of timely and relevant intelligence in
mitigating threats, the integration of CTI into security operations for proactive
defense, and the strategic value CTI brings to informed decision-making and long-
term planning. By leveraging CTI, organizations can not only respond effectively to
current threats but also anticipate and prepare for future challenges, thereby
significantly improving their overall cybersecurity posture.
 We hope that the knowledge and skills acquired through this course will empower
you to implement robust CTI practices within your organizations, contributing to a
more secure and resilient digital environment. Thank you for your participation and
commitment to advancing your understanding of cyber threat intelligence.
End of Course Assessment
Q1. The paper considers that the Stuxnet worm may have been transferred to computers at the
reactor site via?
 A drop box account
 A successful email phishing attempt
 CDs and flash memory sticks

Q2. What was the name of the project that took place to simulate computer-based attacks on a
power generator's control system?
 Bushehr
 Smart Grid
 Aurora

Q3. How many IP addresses does the paper suggest were infected by Stuxnet?
 50,000
 30,000
 40,000
Q4. Cyber threat intelligence has only one definition.
 True
 False

Q5. Which team or specialty would an organisation request help from in the event of a
breach occurring?
 The board
 Threat intelligence
 Incident response
 Penetration testing

Q6. What does SOC stand for?
 Security Operations Cell
 Security of Cyber
 Security Operation Centre

Q7. What statement best describes Cyber Threat Intelligence?
 CTI is the framework from which businesses build security measures
 CTI is the study of organizational vulnerabilities
 CTI is the basis for all cyber security
 CTI is at its core, a structured analysis of the threat

Q8. Cyber security is fundamentally about...
 Good vs Bad
 Attackers vs Defenders
 Criminals vs Law Enforcement
 Computer Systems
Q9. What does IOC stand for?
 Intelligence on Compromise
 Information of Compromise
 Indicator of compromise
 Insight on Compromise

Q10. Threat Intelligence is typically considered at three levels within an organisation,


what are they?
 Data, Information, Intelligence
 Strategic, Operational, Tactical
 Standard, Protected, Secret
 Simple, Organised, Detailed
Q11. The board and senior decision makers would be addressed in CTI reports at
which communication level?
 Tactical
 Operational
 Strategic

Q12. Consent not given would be applied to which hacker description?


 Red Hat
 Grey Hat
 White Hat
 Black Hat
Q13. Which hacker will typically stop short of committing illegal activities?
 Red Hat
 Grey Hat
 White Hat
 Black Hat

Q14. The CIA Triad stands for what?


 Confidentiality, International, Availability
 Considerate, Interest, Accepted
 Collection, Intelligence, Access
 Confidentiality, Integrity, Availability
Q15. What year was the word 'hack' supposedly introduced?
 1955
 1965
 1945
 1995

Q16. Which of these is a well-known hacktivist group?


 Anonymous
 Lazarus Group
 Carbanak Group
 Sneaking Panda
Q17. Who invented the world wide web?
 Alistair Calce
 Tim Berners-Lee
 Stewart k Bertram
 Tom Rogers

Q18. Which Threat Actor group would typically be considered as having the most
resources at their disposal?
 Insider Threats
 Nation State
 Hacktivists
 Cyber Criminals
Q19. What would be considered a typical motivation for a Cyber Criminal?
 Money
 Political Affairs
 Activism
 Lulz

Q20. What was the name of the malware used to insert a backdoor into software
builds of the SolarWinds Orion IT management product?
 Sunset
 Sunspot
 Sunburst
 Sunshine
Q21. Which of the following is a Common Vulnerability and Exposure (CVE) related
to the SolarWinds attack?
 CVE-2020-1139
 CVE-2020-10148
 CVE-2020-13095
 CVE-2020-1192

Q22. Who was considered to be the perpetrator of the SolarWinds hack?


 China
 Russia
 USA
 Iran
