Threat Research – SY0-601 CompTIA Security+ : 1.5

Researching and understanding potential threats is an ongoing part of any security professional’s job. In this video, you’ll learn about vendor websites, vulnerability feeds, academic journals, RFCs, and more.



To be able to stop a threat, you have to know the threat exists. As an IT professional, you will be doing a lot of research around these threats. The threats are changing all the time, and the scope of the threats is different every time. Although you may understand how an attacker gets into one network, they may use a completely different method on a different network. You’ll also find yourself collecting research information from many different resources. Every resource has a different emphasis and a different amount of information it can provide, and you’re going to have to bring all of that information together to really understand these threats.

If you’re interested in knowing the threats associated with an operating system or an application, you should start with the companies that wrote the operating system or the application. Those vendors know their products better than anyone else, and they’re also often the first to know about vulnerabilities. There’s usually a page on a vendor’s website where they keep track of all of the known vulnerabilities, and usually there’s some type of notification process so they can inform you immediately when a new vulnerability is discovered.

The National Institute of Standards and Technology maintains a comprehensive database of vulnerabilities. This is the National Vulnerability Database (NVD), and within that database it keeps a list of CVEs, or Common Vulnerabilities and Exposures. It’s common to supplement this database with third-party feeds from other organizations. You might roll up all of those vulnerability feeds into one central vulnerability management system. This allows you to keep track of all the latest vulnerabilities, identify vulnerabilities that may be specific to your environment, and have some method of being informed immediately when a vulnerability is disclosed.
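As an added illustration (not code from the video or from NIST), here is the core of what a central vulnerability management script does with a rolled-up CVE feed: match each record’s affected-product (CPE) criteria against an inventory of what is actually installed in your environment and rank the hits by CVSS score. The feed records and the inventory are constructed, the CVE ids are placeholders, and the record shape is a simplified version of the NVD JSON layout.

```python
# Constructed sample records in the shape of an NVD-style CVE feed (simplified;
# the real NVD JSON carries many more fields). The CVE ids are placeholders.
SAMPLE_FEED = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:examplecorp:exampleweb:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.4.1"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:examplecorp:exampledb:5.1:*:*:*:*:*:*:*"}]}]}]}},
]}
# Constructed asset inventory: (vendor, product, installed version).
INVENTORY = [("examplecorp", "exampleweb", "2.3.0"),
             ("examplecorp", "exampleweb", "2.4.1"),
             ("examplecorp", "exampledb", "5.1")]

def version_key(v):  # numeric tuple so '2.10' sorts after '2.9'; non-numeric parts count as 0
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def cpe_matches(match, vendor, product, version):
    """Does one cpeMatch entry cover this installed product and version?"""
    parts = match["criteria"].split(":")  # cpe:2.3:<part>:<vendor>:<product>:<version>:...
    if not match.get("vulnerable", True) or (parts[3], parts[4]) != (vendor, product):
        return False
    if parts[5] != "*":                   # the CPE pins one exact version
        return parts[5] == version
    v = version_key(version)              # otherwise apply the version range fields
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    return ((lo_inc is None or v >= version_key(lo_inc)) and
            (lo_exc is None or v > version_key(lo_exc)) and
            (hi_inc is None or v <= version_key(hi_inc)) and
            (hi_exc is None or v < version_key(hi_exc)))

def relevant_cves(feed, inventory):
    """Feed entries that affect something in the inventory, highest CVSS score first."""
    hits = []
    for entry in feed["vulnerabilities"]:
        cve = entry["cve"]
        matches = [m for cfg in cve.get("configurations", [])
                   for node in cfg["nodes"] for m in node["cpeMatch"]]
        affected = sorted({f"{prod}:{ver}" for vnd, prod, ver in inventory
                           for m in matches if cpe_matches(m, vnd, prod, ver)})
        if affected:
            cvss = cve["metrics"]["cvssMetricV31"][0]["cvssData"]
            hits.append({"id": cve["id"], "score": cvss["baseScore"],
                         "severity": cvss["baseSeverity"], "affected": affected})
    return sorted(hits, key=lambda h: h["score"], reverse=True)
```

With the constructed data, the patched ExampleWeb 2.4.1 host is correctly excluded from the first record while the 2.3.0 host is flagged, and the critical finding is listed ahead of the medium one.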

Another good source of information comes from conferences. This is a place you can go to learn about the latest vulnerabilities and threats that could be affecting you. There are usually researchers presenting at these conferences who can explain new things they’ve found, trends that may be occurring in the industry, or information about the latest hacks. This is also a good place to learn from people who’ve gone through these attacks. Very often there are lessons that can be taken away, and their stories can give you ideas of how to protect your network even better. And since this is a grouping of people who have similar goals, it’s a great opportunity to forge some professional relationships and have people you can talk to after the conference is over.

If you want detailed information about attack types and how people have had to deal with them, then you want to reference some academic journals. These are usually periodicals or online resources written by industry experts. They usually provide information about existing security technologies and evaluate which types of security technologies may be better than others. These are also great resources for learning detailed information about the technology. It’s common to find a deep dive into a type of malware where it has been broken apart and decompiled, so that you understand exactly how the malware operates.

These journals are also great places to learn more about very specific aspects of the technologies you may be using today. If you want to learn more about the details behind the scenes, these academic journals will provide them.

If you’ve done any type of work in information technology, then you’ve probably heard the term RFC used to refer to a standard or a method of doing a particular task. RFCs are a way to track and formalize a set of standards that anyone on the internet can use. And although many of these RFCs are standards documents, you’ll also find other types of documents, such as Experimental, Best Current Practice, Standards Track, and Historic documents.

Some of these RFCs also provide a detailed analysis of certain types of threats. For example, RFC 3833 is the threat analysis of the Domain Name System. By reading through these RFCs, you can not only understand how these standards are supposed to operate, but also understand some of the vulnerabilities that may exist within the standards themselves.

In my monthly study group meetings, you’ll often hear me encourage people to visit their local user group meetings. That’s because there is a wealth of information you can gather, not only from the people presenting at the user group but from the members of the user group as well. These are often local chapters where you can visit monthly or quarterly meetings to stay up to date on the latest news.

You may also find valuable information at user groups that are not specific to IT security but are still very much technology organizations, such as a Cisco user group, a Microsoft user group, or others. Not only are you learning valuable technical information at these user groups, you’re meeting the local people in your area that you can call on whenever you might need some type of resource.

There is a wealth of security information on social media. For example, the large hacker groups will often post information on Twitter describing recent vulnerabilities they’ve discovered or recent attacks they’ve completed. There are also a number of resources on Twitter that can give you details about new vulnerabilities that are discovered or new attacks that may be occurring. For example, there are some honeypot accounts on Twitter that will tell you when new exploits are being attempted against those honeypots.

The search feature on Twitter can also be a valuable information-gathering tool. You can search for a particular CVE, or look for the terms bugbounty or 0-day, to see what other people may be announcing or what they may be seeing on their network. This is also a good place to see other professionals having conversations about these threats and to learn more about ways to block these threats should they appear on your network. And it’s not too unusual to see social media used as a method of command and control. You may be able to monitor how certain malware is operating based on the posts that are being made to Twitter.

And although it’s useful to do these ad hoc social media searches, it’s also important to be informed immediately when a threat is emerging. That’s why you should have some type of automated threat feed that’s going to give you information about the most important threats you need to know about. There are many different resources for these threat feeds: for example, the US Department of Homeland Security, the FBI, the SANS Internet Storm Center, VirusTotal Intelligence, and other feeds as well.

The information you’re often looking for is a TTP. This stands for tactics, techniques, and procedures: understanding the methods the attackers are using to get into your network and the process they go through once they have access. The more you understand the attacker’s TTPs, the better you’re going to be at recognizing these tactics if they happen to appear on your network. And of course, one of the challenges with this is that the TTPs will change depending on the situation. For example, an attacker might use a different tactic against a finance company than against a manufacturing company. It’s also good to know where an attacker likes to spend their time.

If you know they spend a lot of effort trying to find vulnerabilities in DNS or in IP addressing, then you can focus your defense in those areas. Or you may find that a particular type of malware has become very popular, and you’re able to put the proper mitigations in place to prevent that malware from operating on your network.