Skip to main content

Mastering the Intelligence Lifecycle - Cybrary

Advanced Cyber Threat Intelligence

1. Introduction to the Intelligence Lifecycle

The course begins by outlining the intelligence lifecycle, a structured approach comprising:

  • Collection: Gathering raw data from various sources.
  • Processing: Organizing and structuring the collected data.
  • Analysis: Interpreting processed data to generate actionable intelligence.
  • Dissemination: Sharing intelligence with relevant stakeholders.

This framework ensures a systematic method for developing and leveraging threat intelligence programs.

2. Data Collection Sources

Effective threat intelligence begins with robust data collection from both internal and external sources:

Internal Sources:

  • Endpoint Logs: Data from devices within the organization.
  • Network Traffic: Information from firewalls, routers, and switches.
  • Security Tools: Outputs from SIEMs, IDS/IPS, and antivirus solutions.

External Sources:

  • Private Feeds: Subscription-based services like Recorded Future or Anomali.
  • Community Sharing: Information from ISACs and ISAOs.
  • Public Data: Open-source intelligence (OSINT) from platforms like VirusTotal or Shodan.
Example: An organization might use internal firewall logs to detect unusual outbound traffic and correlate this with external threat feeds to identify potential command-and-control (C2) communications.
Example: A security team may gather IOCs (Indicators of Compromise) from their SIEM (internal) and compare them with OSINT sources like Abuse.ch (external) for validation.

3. Processing and Data Management

Raw data must be processed to extract meaningful insights:

  • Standardization: Utilizing formats like STIX and TAXII to ensure consistency.
  • Scoring Systems: Applying CVSS (Common Vulnerability Scoring System) to assess the severity of vulnerabilities.
Example: By converting diverse threat data into STIX format, analysts can more easily share and interpret information across different platforms and organizations.

4. Analysis Techniques

This is the core of the course and emphasizes the importance of deep, structured analysis.

Structured Analytic Techniques:

  • ACH (Analysis of Competing Hypotheses): Evaluating multiple hypotheses to determine the most probable explanation.
  • Cyber Kill Chain: Understanding attack stages to disrupt adversaries (e.g., Reconnaissance → Delivery → Exploitation).
  • Diamond Model: Maps adversary, victim, infrastructure, and capability relationships.

Campaign Analysis:

  • MITRE ATT&CK Framework: Mapping adversary tactics and techniques to understand behavior patterns.
  • Heatmaps and Visualizations: Identifying trends and anomalies in attack data.

Visual Analysis

Visual Analysis is a technique used by cyber threat analysts to detect patterns, anomalies, and relationships in large datasets by representing the data visually. Instead of reviewing long logs or tables, visual tools allow analysts to quickly interpret complex attack data and identify potential threats more efficiently.

Real-World Example:

Imagine a SOC team investigating a series of login attempts. Instead of combing through thousands of log entries, they use a heatmap that highlights login activity by time and location. This immediately reveals that most logins are from internal IPs, but there’s a suspicious spike from a foreign country at 3 AM, which could indicate a brute-force or credential stuffing attempt.

Tools Often Used:

  • Maltego – for mapping relationships between actors and infrastructure.
  • ELK Stack (Elasticsearch, Logstash, Kibana) – for visualizing logs and timelines.
  • MITRE ATT&CK Navigator – to track adversary techniques across campaigns.

Course of Action (CoA)

In the Course of Action step, analysts and defenders recommend specific defensive or responsive actions based on the findings from threat intelligence. These actions are tied closely to where the adversary is in the Cyber Kill Chain and the nature of their tactics.

Real-World Example:

If an organization detects a phishing campaign that leads to credential theft (Delivery → Exploitation in the Kill Chain), a recommended course of action might include:

  • Blocking the phishing domain.
  • Resetting affected user passwords.
  • Deploying Multi-Factor Authentication (MFA).
  • Educating employees on phishing recognition.

The Diamond Model can also assist by analyzing the adversary, their infrastructure, capabilities, and the victim profile to suggest targeted responses.

Example: A campaign using phishing and credential dumping techniques can be tracked using ATT&CK to predict the next steps.
Example: During the analysis of a phishing campaign, ACH can help determine whether the observed activities align more closely with financially motivated cybercriminals or state-sponsored actors.

5. Attribution and Bias Management

Attributing cyberattacks to specific actors involves careful consideration:

  • Attribution Challenges: Similar tools and techniques can be used by different threat actors.
  • Cognitive Biases: Awareness of biases like confirmation bias is crucial.
  • Logical Fallacies: Avoiding flawed reasoning that leads to false conclusions.

Nation-State Attribution

Nation-State Attribution is the process of linking a cyberattack to a state-sponsored actor. This is particularly complex and sensitive because it involves geopolitical implications and requires strong, corroborated evidence. Analysts typically use a combination of malware signatures, TTPs (Tactics, Techniques, and Procedures), infrastructure, and historical context.

Real-World Example:

A ransomware variant is discovered in a bank’s network. The malware uses custom encryption routines and communicates with C2 servers linked to known infrastructure used by a group like APT28 (Fancy Bear). These are linked through:

  • Malware code similarity.
  • Infrastructure re-use (same domains or IPs).
  • Timezone-based activity patterns.

The analysis might suggest Russia-based nation-state involvement, but analysts must avoid jumping to conclusions due to false flag tactics — where attackers mimic other groups to mislead attribution.

Example: Jumping to conclusions based on previous incidents without verifying data can lead to false positives.
Example: The presence of a particular malware strain should not automatically result in attributing an attack to a known group without supporting evidence.

6. Dissemination and Feedback

The final stage of the lifecycle involves sharing intelligence and gathering feedback.

Intelligence Types:

  • Tactical Intelligence: Short-term, technical details like IPs and malware hashes.
  • Operational Intelligence: Information about ongoing campaigns or TTPs.
  • Strategic Intelligence: High-level analysis for decision-makers.

Sharing Intelligence:

  • Collaboration with other organizations enhances defense.
  • Feedback improves future data collection and analysis.
Example: Sharing IOC data with a sector-specific ISAC can help identify industry-wide threats.
Example: A strategic report highlighting emerging ransomware trends can inform executive decisions on investing in backup and recovery solutions.

Reference: Screenshots and course summary content taken from Advanced Cyber Threat Intelligence - LinkedIn Learning.

Labels:

Comments

Post a Comment

Please do not enter any spam link here.

Popular posts from this blog

Do you know, by blindly following trends and using hashtags you can be the victim of cyber crime? : #couplechallenge

Awareness is necessity "Nohashtag challenges" Nowadays, #couplechallenge, #smilechallenge, #chirichchallenge trending on social media platforms. But do you know the history of hashtags? Lets see, how hashtag was invented. Chris Messina a product designer who has been working in Silicon Valley created the idea of hashtag. He and his small group of colleagues were thinking that twitter needs some kind of frame work. He got the idea of hashtag from internet chat room that had pound symbol in front of them. His main idea to create hashtag was for the internet and wanted that anybody writing text on internet be able to participate in global conversation. In 2007, he asked one of his friends to use #sandiego for his tweets and this way the use of hashtag started. In 2009, Twitter added the option of hashtag to its search bar. And this way hashtag became a trend. This trend then being followed by other apps like tumbler, Facebook, instag...
Post a Comment
Read more

પ્રાઇઝ સ્કેમ: જો તમારે ઇનામ મેળવવા માટે ચૂકવણી કરવી પડતી હોય તો તે ઇનામ નથી

Awareness is necessity શું તમને ક્યારેય કોઈ કોલ્સ આવ્યા છે કે જેમાં તમે કોઈ પણ ઓનલાઇન શોપિંગ વેબસાઇટમાંથી ઇનામ અથવા લોટરી જીતી લીધી હોય તેવું કહે છે? શક્યતા છે કે આ કોલ્સ ફ્રોડ છે. સાયબર સ્વયંસેવક તરીકે, મેં આ પ્રકારની છેતરપિંડીઓના કેટલાક કેસ નું અધ્યયન કર્યું છે. ચાલો સમજીએ કે આ પ્રકારની છેતરપિંડી કેવી રીતે થાય છે? !! છેતરપિંડી કરનાર તમને કોઈપણ વિશ્વસનીય ઓનલાઇન શોપિંગ સાઇટમાંથી કર્મચારી હોવાનુ કહે છે.તેઓ તમને સાઇટ પરથી તમારી છેલ્લી ખરીદી વિશેની વિગતો, ઉત્પાદન અને ઓર્ડર ની વિગતો સાથે તમને મનાવવાનો પ્રયાસ કરે છે. જ્યારે કોઈ વ્યક્તિ માને છે કે છેતરપિંડી કરનાર ઓનલાઇન સાઇટનો કર્મચારી છે, ત્યારે તેઓ તમને વિવિધ ઇનામો જેવા કે લેપટોપ, ટીવી, મોબાઇલ ફોન વિશે આકર્ષક યોજનાઓ આપે છે અને તમારી પાસેથી એક ઇનામ પસંદ કરવાનો વિકલ્પ આપે છે.જ્યારે તમે થોડી રુચિ બતાવો અને ઇનામ પસંદ કરો ત્યારે ઉલ્લેખિત ઇનામમાંથી, તેઓ તમને SMS તરીકે એક લિંક મોકલે છે.મોકલેલી લિંક એ છેતરપિંડીની લિંક છે જે તમારી વિગતો જેવી કે બેંક વિગતો તેમજ વ્યક્તિગત માહિતી માટે પૂછે છે.નોંધણી કરતી વખતે, તે તમને તમારા સ્થા...
Post a Comment
Read more

e-SIM fraud : All you need to know about e-SIM and SIM swapping fraud

Awareness is necessity Ever heard about the place, Jamtara? Many of you must have seen the famous series "Jamtara: Sab ka number ayega" on Netflix. It is located near Jharkhand's capital Ranchi. This place has become a hub for phishing and bank fraud. Recently, Jamtara has come in the limelight because this place's fraudsters have started a new type of crime/ fraud, i.e. e-SIM fraud. Do you know what eSIM is? e-SIM stands for the "Embedded Subscriber Identity Module." You don't need to buy a telecom operator's SIM card separately and insert it into your mobile. e-SIM is a part of your smartphone's hardware. This e-SIM chip comes pre-installed on your smartphone. Its working is the same as our standard SIM, which saves information like IMSI number, some contact details etc. e-SIM is re-writable means previous telecom operator related details can be erased and new information can be written again by a new telecom operator. This type o...
1 comment
Read more

OLX fraud : Beware of this new fraud/scam of 'Army men'

Awareness is necessity Nowadays, OLX related frauds are increasing, such as share OLX password/OTP, QR code scams, Paytm link scam etc. The most occurring cases are related to Army personnel. Instead of writing all the things, it will be better to watch the video by a YouTuber, Mr. Rohit R Gaba and lets see How fraudster makes fools to people as Army personnel. Here, in the video, the fraudster talked about QR code. Let's understand what a QR code is and how fraud can be occurred by QR code. QR code ( Quick Response code ), We can store so much information within it in text form. I made one QR code that stores information such as a person's name, aadhar card number, etc. We can store any data with the QR code. Same fraudster store bank details and malicious code so that when you scan that QR code, the money will be debit from the account directly. How to protect ourselves from online OLX frauds? Always prefer face to face meetings with buyers or sellers and ...
Post a Comment
Read more

શું તમે જાણો છો કે હેશટેગ્સ #couplechallenge નો ઉપયોગ કરીને, તમે સાયબર ક્રાઇમનો ભોગ બની શકો છો?

Awareness is necessity "Nohashtag challenges" આજકાલ, સોશિયલ મીડિયા પ્લેટફોર્મ પર #couplechallenge, #smilechalenlenge, #chirichchallenge ટ્રેંડિંગ છે. પરંતુ શું તમે હેશટેગ્સનો ઇતિહાસ જાણો છો? ચાલો પહેલા જોઈએ કે #hashtag ની શોધ કેવી રીતે થઈ. સિલિકોન વેલીમાં કામ કરતા પ્રોડકટ ડિઝાઇનર ક્રિસ મેસિના એ હેશટેગનો આઈડિયા બનાવ્યો હતો.તે અને તેના કર્મચારીઓ મિત્રો વિચારી રહ્યા હતા કે ટ્વિટરને કેટલાક માળખાની જરૂર છે.તેને સામે પાઉન્ડ સિમ્બોલ હતું તેમાંથી હેશટેગ કન્સેપ્ટ મળ્યો.હેશટેગ બનાવવાનો તેમનો મુખ્ય વિચાર ઇન્ટરનેટનો હતો, અને ઈચ્છતા હતા કે વૈશ્વિક વાર્તાલાપમાં ભાગ લેવા ઇન્ટરનેટ પર કોઈપણ લખાણ લખે. 2007 માં, તેણે તેના એક મિત્રને તેના tweet માટે #sandiego નો ઉપયોગ કરવા કહ્યું અને આ રીતે, હેશટેગનો ઉપયોગ શરૂ થયો. 2009 માં, ટ્વિટરે તેના સર્ચ બારમાં હેશટેગનો વિકલ્પ ઉમેર્યો. અને આ રીતે, હેશટેગ એક વલણ બની હતી. આ વલણ પછી અન્ય એપ્લિકેશન્સ જેવી કે ટમ્બલર, ફેસબુક, ઇન્સ્ટાગ્રામ અને અન્ય social media પ્લેટફોર્મ સુધી વિસ્તરિત થયો હતો. શરૂઆતમાં, હેશટેગ...
Post a Comment
Read more

Customer Care number frauds : Be careful regarding your google search

Awareness is necessity ALERT !! "Careful during searching on google for customer care number regarding online shopping, bank loan or online job search." The number you find on Google need not be real all the time. It can be a fake number. When you are looking for a customer care number, go to that particular site and search for their help centre section or contact us section. Don't search for such help centre numbers on other sites, as it can be fake. Here, I am sharing the latest case study of September 2020 regarding customer care fraud !! A person from Gujarat wanted to buy a mobile and he searched on an online website. Now he wanted to buy a mobile on the EMI installment, but he didn't know what was the procedure for EMI installment. He randomly searched on google for the customer care number of that online website and found a mobile number from some random website. He called that number, and the person on the other s...
Post a Comment
Read more