To identify threats, we first must know the threats exist. In this video, you’ll learn about threat intelligence gathering techniques such as OSINT, third-party intelligence services, information sharing, the dark web, and more.
As an IT security professional, you’ll be expected to always keep up to date with the latest threats that could be affecting your organization. You not only need to know about the threats, you also need to know about the threat actors, which might tell you where a threat would originate. Fortunately, there is a lot of information on the internet that can inform you about the different hacker groups and help you understand the different tools that they might use to attack a network.
You can then make your security decisions based on this intelligence. If you need additional security tools, or training on particular security techniques, the intelligence tells you which tools and skills to prioritize. Many different parts of the organization can take advantage of it: researchers in your organization might use it to better understand the risk associated with these threats, and there may be parts of the IT department focused specifically on understanding threats and how to protect against them.
One source of information is OSINT, or Open-Source Intelligence. This is information that is available to anyone; you just have to know where to look. On the internet you can follow individual discussion groups, especially those hosted by hacking groups, along with social media posts and the research that other people put online.
You can also gather a great deal of information from government. Much of what government agencies produce is public record, so you can go through transcripts of public hearings, published reports, and agency websites for details on the subject you’re researching. There is also commercial data that’s publicly available. For example, a company may release financial reports or databases that describe its projects and the risks it faces.
There are also companies built around this kind of intelligence: they compile the information for you and provide it for a fee. The main advantage these proprietary or third-party sources bring is breadth. They see many different organizations at once, so if they spot a threat or an attack trend in one sector, they can alert everyone else before it arrives in your organization. These vendors constantly monitor the threat landscape for new threats, and they can give you ideas on how to protect against the latest ones. Keep in mind that a vendor’s view is shaped by its own customer base, so a feed can be thorough about one industry and thin about yours.
Some organizations compile this threat intelligence and make the data available to their customers. Sometimes the data comes from public sources; other times it comes from government information that has been declassified and released. Private companies tend to collect specific types of intelligence, and they often have additional resources to build out more detail about each threat than you could gather on your own.
Information sharing lets organizations work together: each member looks for information about threats on its own network and shares it with everyone else in the group. An example of this is the Cyber Threat Alliance, or CTA. This is a group of organizations that gather details about threats, put them into a standard format, and distribute that information to everyone else in the alliance.
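Here is an added example, written for this page and not code from the video or from the CTA, of what consuming such a shared feed looks like in Python. It assumes the standard format is STIX 2.1 (the video does not name one), reads indicator patterns from a constructed bundle, matches them against a few constructed proxy and EDR log lines, and uses the confidence score carried on each indicator to decide whether a hit is blocked, alerted on, or just logged. The bundle, the log lines, the thresholds and the block/alert/log mapping are all assumptions.

```python
"""Consume a shared indicator bundle and check it against local logs.

Added example for this page, not code from the video or any sharing alliance.
The bundle, log lines and thresholds are constructed; using STIX 2.1 as the
"standard format" is an assumption, since the video does not name one.
"""
import json
import re
from dataclasses import dataclass

# Constructed STIX 2.1 bundle: dummy UUIDs, documentation IP ranges
# (203.0.113.0/24, 198.51.100.0/24) and an arbitrary SHA-256.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
         "created": "2024-01-10T12:00:00Z", "modified": "2024-01-10T12:00:00Z",
         "valid_from": "2024-01-10T12:00:00Z", "confidence": 85,
         "name": "Beacon infrastructure reported by several members",
         "pattern": "[ipv4-addr:value = '203.0.113.10' OR domain-name:value = 'update-cdn.example']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
         "created": "2024-01-12T09:30:00Z", "modified": "2024-01-12T09:30:00Z",
         "valid_from": "2024-01-12T09:30:00Z", "confidence": 35,
         "name": "Dropper hash from a single unconfirmed report",
         "pattern": "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
         "created": "2024-01-15T00:00:00Z", "modified": "2024-01-15T00:00:00Z",
         "valid_from": "2024-01-15T00:00:00Z", "confidence": 60,
         "name": "Two-stage sequence a simple matcher must not half-evaluate",
         "pattern": "[ipv4-addr:value = '203.0.113.77'] FOLLOWEDBY "
                    "[domain-name:value = 'stage2.example'] WITHIN 300 SECONDS"},
    ],
})

# Constructed proxy and EDR log lines. 203.0.113.100 is present on purpose:
# a plain substring search for 203.0.113.10 would false-positive on it.
SAMPLE_LOGS = [
    "2024-02-01T08:15:22Z proxy src=10.0.0.5 dst=203.0.113.100 host=cdn.example action=allow",
    "2024-02-01T08:15:40Z proxy src=10.0.0.5 dst=203.0.113.10 host=update-cdn.example action=allow",
    "2024-02-01T08:16:03Z edr host=ws-017 file=x.exe sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2024-02-01T08:17:11Z proxy src=10.0.0.9 dst=198.51.100.4 host=stage2.example action=allow",
]

# One "object-path = 'value'" comparison inside a STIX pattern.
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")
# Operators and qualifiers this evaluator deliberately refuses to handle.
UNSUPPORTED = re.compile(r"\b(AND|NOT|FOLLOWEDBY|WITHIN|REPEATS|START|STOP)\b")


@dataclass(frozen=True)
class Match:
    indicator_id: str
    path: str
    value: str
    confidence: int
    action: str
    log_line: str


def parse_pattern(pattern):
    """Return (object_path, value) pairs from an OR-only equality pattern, or
    None for anything else: treating the halves of an AND or a FOLLOWEDBY
    sequence as independent indicators would alert on traffic the submitter
    never flagged."""
    if UNSUPPORTED.search(re.sub(r"'[^']*'", "''", pattern)):
        return None
    pairs = [(path.replace("'", ""), value) for path, value in COMPARISON.findall(pattern)]
    return pairs or None


def action_for(confidence, block_at=70, alert_at=40):
    """Turn the feed's confidence score into a local decision (thresholds are an assumption)."""
    return "block" if confidence >= block_at else "alert" if confidence >= alert_at else "log"


def value_regex(path, value):
    """Anchor the IOC so 203.0.113.10 cannot hit inside 203.0.113.100 and a
    domain cannot hit inside a longer name. Domains and hashes compare
    case-insensitively; IPs do not. Subdomains of a bad domain are not covered."""
    flags = 0 if path == "ipv4-addr:value" else re.IGNORECASE
    return re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", flags)


def match_logs(bundle_json, log_lines, block_at=70, alert_at=40):
    """Return (matches, skipped_indicator_ids) for a bundle run over log lines."""
    matches, skipped = [], []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue  # relationships, malware objects, withdrawn indicators
        pairs = parse_pattern(obj["pattern"]) if obj.get("pattern_type", "stix") == "stix" else None
        if pairs is None:
            skipped.append(obj["id"])  # needs a real pattern engine; do not guess
            continue
        confidence = int(obj.get("confidence", 0))
        action = action_for(confidence, block_at, alert_at)
        for path, value in pairs:
            rx = value_regex(path, value)
            matches.extend(Match(obj["id"], path, value, confidence, action, line)
                           for line in log_lines if rx.search(line))
    return matches, skipped
```

Two caveats worth carrying into real use: a feed's severity score is the sharing group's opinion about the submission, so map it to actions you can live with locally rather than blocking on every entry; and STIX patterns can express conjunctions and sequences, so a consumer that only understands simple OR lists must skip what it cannot evaluate instead of matching the pieces independently, which is what `parse_pattern` does with the third indicator above.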
The alliance validates each submission, and then scores it to set a severity level for that threat. Everyone in the alliance can then view that threat intelligence and decide how they want to use it on their own network.

One way to get detailed threat intelligence is to go to the source, and one of the best sources is the dark web. The dark web is an overlay network that uses the internet for transport, but all of its content is only accessible with specialized software, such as a Tor client.
On the dark web you’ll find a number of different hacking groups. You can see what they’re up to and what tools and techniques they’re using to attack different organizations, and you might even run across one of the stores where they sell information they’ve acquired. For example, credit card data taken in these attacks is sold on the dark web. Most of this lives in forums and posts that you can read, and it’s a good idea to monitor them continuously for your organization’s name, domains, and email addresses. Do it from an isolated system that you don’t mind exposing, and treat these markets as something to observe rather than transact with, since buying stolen data is itself a crime in most places. If that’s more than your team can take on, many of the commercial intelligence services mentioned earlier include dark web monitoring in what they sell.
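As an added example, not from the video, here is a small Python scanner that looks for an organization’s name, domains and email addresses in forum posts you have already captured. The posts, the organization (Acme, acme.example) and the defanging rules are constructed; collecting the posts from a hidden service is outside what this code does.

```python
"""Scan captured forum posts for mentions of your organization.

Added example for this page, not code from the video. The posts are
constructed, and "Acme" / acme.example stand in for your organization.
Collecting the posts (Tor client, forum accounts) is out of scope here;
this takes already-captured text.
"""
import re
from dataclasses import dataclass

# Constructed posts. Sellers routinely defang domains (acme[.]example,
# hxxp://) and vary capitalization, so an exact-string search misses them.
SAMPLE_POSTS = [
    {"id": "p1", "forum": "market-a", "text": "Selling fullz from ACME corp dump, 40k rows, fresh"},
    {"id": "p2", "forum": "forum-b", "text": "anyone got access to acme[.]example vpn? paying well"},
    {"id": "p3", "forum": "forum-b", "text": "combo sample: j.doe@acme.example:Winter2023! m.lee@ACME.EXAMPLE:hunter2"},
    {"id": "p4", "forum": "market-a", "text": "hxxp://portal.acme(.)example/login still takes default creds"},
    {"id": "p5", "forum": "forum-c", "text": "acmeinc.test is a different company, not them"},
    {"id": "p6", "forum": "forum-c", "text": "looking for macmeister tools, anyone?"},
]


@dataclass(frozen=True)
class Hit:
    post_id: str
    forum: str
    kind: str      # "name", "domain" or "credential"
    evidence: str  # the normalized text that matched


def normalize(text):
    """Undo common defanging and lowercase, so the watchlist sees clean text."""
    t = text.lower()
    t = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", t)
    t = re.sub(r"\[@\]|\(at\)", "@", t)
    return re.sub(r"hxxp(s?)://", r"http\1://", t)


def build_watchlist(org_names, org_domains):
    """Compile (kind, regex) rules. Word boundaries keep 'acme' from firing on
    'macmeister' or 'acmeinc'; the domain rule also catches subdomains."""
    rules = []
    for n in org_names:
        rules.append(("name", re.compile(r"\b" + re.escape(n.lower()) + r"\b")))
    for d in org_domains:
        d = re.escape(d.lower())
        rules.append(("domain", re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + d + r"(?![\w-])")))
        rules.append(("credential", re.compile(r"[\w.+-]+@" + d + r"(?![\w-])")))
    return rules


def scan_posts(posts, org_names, org_domains):
    """Return one Hit per distinct (post, kind, evidence) combination."""
    rules = build_watchlist(org_names, org_domains)
    hits = []
    for post in posts:
        norm = normalize(post["text"])
        for kind, rx in rules:
            for evidence in sorted({m.group(0) for m in rx.finditer(norm)}):
                hits.append(Hit(post["id"], post["forum"], kind, evidence))
    return hits
```

The normalization step matters more than it looks: sellers write acme[.]example or hxxp:// so that links don’t auto-resolve, and an exact search for your domain walks straight past them. The word boundaries on the name are there for the opposite reason, so a short company name does not fire on every word that happens to contain it.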