Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA CySA+ Cybersecurity Analyst Certification: The Basics of Threat and Vulnerability Management 1
Source: https://www.fatskills.com/comptia-cysa-cybersecurity-analyst-certification/chapter/comptia-cysa-cybersecurity-analyst-certification-the-basics-of-threat-and-vulnerability-management

CompTIA CySA+ Cybersecurity Analyst Certification: The Basics of Threat and Vulnerability Management 1

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~31 min read

Domain Objectives
1.1  Explain the importance of threat data and intelligence.
1.2  Given a scenario, utilize threat intelligence to support organizational security.
1.3  Given a scenario, perform vulnerability management activities.
1.4  Given a scenario, analyze the output from common vulnerability assessment tools.
1.5  Explain the threats and vulnerabilities associated with specialized technology.
1.6  Explain the threats and vulnerabilities associated with operating in the cloud.
1.7  Given a scenario, implement controls to mitigate attacks and software vulnerabilities.

Objective 1.1  Explain the importance of threat data and intelligence
It is an unfortunate reality that cybercriminals have some advantages over their targets, chiefly with time and information. Like the white pieces in chess, attackers get to make the first move. In other words, the attackers choose the targets; targets don’t choose the attackers. The hacker’s first-move advantage gives them considerable time to research their target’s security and people long before an attack takes place.
Meanwhile, unprepared organizations have no idea what’s coming. Their security defenses will exist in a generalized state rather than aligning more strategically with potential and imminent threats. Compounding this cybersecurity imbalance is the fact that today’s cybercriminals are considerably more numerous, intelligent, well-equipped, well-funded, and ambitious than ever before. Advantage bad guys.

Note: Cybersecurity experts estimate that 75 percent of a hacker’s overall attack effort is spent gathering target information. You can count on them knowing a great deal about your organization before striking. One of the oldest truisms of war remains as pertinent as ever—know your enemy.
Despite the challenges, organizations aren’t helpless. Having recognized the rise in cybercriminal attacks, businesses are hiring cybersecurity analysts to reduce the time and information advantages afforded to attackers. Among other things, cybersecurity analysts spend a lot of time collecting and analyzing threat intelligence to identify threats that have, will, or are currently targeting their organization. While scouting out threats in the wild, these analysts are equally engaged in the continuous monitoring of their organization’s in-house operations to identify any attacks in progress. Using this inside-out approach, organizations are deriving enough threat intelligence to better align their security defenses with probable threat tactics.

Ultimately, cybersecurity analysts share the same goal as other cybersecurity roles: help prevent, detect, and mitigate cybersecurity incidents. In doing so, organizations can focus on what’s most important, and that is organizational objectives.

Note: The modern era of targeted attacks must be met with targeted defenses. Although we can’t expect to know all attacker specifics before an attack, we can narrow down the possibilities, which permits us to better align our defenses.
Having said that, you need to key in on the concept of threat intelligence, which we discuss in the upcoming sections.

This includes several key concepts:
- Explain how we collect and analyze information from various intelligence sources.
- Explain how we assign confidence levels to intelligence findings.
- Explain how we use indicator management to share intelligence information with others in cybersecurity.
- Explain the different threat classifications and threat actors.
- Explain how intelligence cycles work.
- Explain how commodity malware works.
- Explain information sharing and analysis communities.

Key Terms: Cyber threat intelligence is the collection and analysis of threat trends to identify potential or actual threats to the organization. As a result, organizations will be better prepared to create preventative and detective cybersecurity measures.

We’ll briefly highlight how hackers collect information about their victims. Unlike the two-hour hacking wizardry you see in movies, attackers prefer to take their time to perform some reconnaissance on their targets before the attack. This simultaneously maximizes their chances of success while minimizing the odds of being detected. The initial reconnaissance effort by the attackers is often called footprinting. Through footprinting, attackers attempt to collect as much information about targets as possible.

Exam tip: Passive footprinting collects information about the target without directly interacting with it. This typically involves combing through the target’s website, job sites, forums, among other sites. Active footprinting collects information about the target through direct interaction, such as e-mailing, calling, and visiting the target’s physical location.

Through various footprinting and network-scanning activities, attackers are likely to acquire several types of information:
- Organizational details (employee details, telephone numbers, location, organizational background, and so on)
- Network details (domains, subdomains, IP address ranges, WHOIS records, DNS records, and so on)
- Open ports
- Installed operating systems, services, and applications
- Hardware and software vulnerabilities
- Network map
- Usernames


Intelligence Sources
To stay abreast of the latest security threats, threat actors, and vulnerabilities, cybersecurity analysts are tethered to accurate and up-to-date intelligence sources. They use a variety of security tools and web browsers to harvest this threat data via multiple open-source and closed-source intelligence feeds. Keep in mind, however, that the goal isn’t simply to collect as much threat data as possible; instead, they must focus on acquiring data that is relevant, accurate, timely, and presented to the organization in a useful way.
Although terms like threat data and threat intelligence are often used interchangeably, they’re not identical. Threat data is merely raw information about known malicious domains, URLs, IP addresses, and hash values. No context is provided. Think of them as individual puzzle pieces—important yet generic on their own. In contrast, threat intelligence is the enhanced version of threat data that has been analyzed, refined, and, by extension, creates the crucial context that organizations need to understand the threat landscape. Threat intelligence is the outcome of puzzle pieces connected to form a partial or complete picture of the puzzle.
This section goes through multiple intelligence sources, so you’ll have a better idea of how cybersecurity analysts gather information about threats.

Open-Source Intelligence
If attackers are using open-source intelligence (OSINT) to learn about us, we’d be wise to follow suit. OSINT involves the collection of any information available on public sources. For example, you can learn a lot about CompTIA via its website and social media channels. Although cybersecurity analysts and hackers utilize OSINT, the information desired by both camps will be quite different.

For instance, hackers collect information about their organizational targets from the following sources:
- Google hacking: Advanced Google searches to find target data
- Internet registries: ARIN, AFRINIC, APNIC, LACNIC, RIPE NCC
- Job sites: Monster, LinkedIn, Indeed, CareerBuilder
- Social media: LinkedIn, Facebook, Twitter, YouTube
- WHOIS: IP address range, company contact, company address, phone number, e-mail address

Except for social media channels, cybersecurity analysts won’t learn much, if anything, about potential attackers via these sources. Instead, they’ll need to utilize various “good guy” OSINT sources listed below.

OSINT Sources
Images

Not surprisingly, cybersecurity analysts will concentrate on threat feeds found throughout the Internet. Threat feeds are real-time data streams that publish large volumes of potential and actual threats. These feeds are typically hosted on security vendor websites and also shared by a global community of independent threat researchers and security professionals. Unlike closed-source intelligence feeds, OSINT feeds contain free-to-use information.

Shown next are just a few good examples of organizations with public threat feeds:
- AT&T Cybersecurity (formerly AlienVault)
- Department of Homeland Security: Automated Indicator Sharing
- FBI: InfraGard
- MITRE Corporation ATT&CK
- SANS: Internet Storm Center
- The U.S. Computer Emergency Readiness Team (US-CERT), which was recently absorbed into the U.S. Cybersecurity and Infrastructure Security Agency (CISA): VirusShare and VirusTotal


CAUTION: Cybersecurity analysts often drown in threat data. If your security tools are collecting threat data from multiple OSINT sources, super repositories may be created. If you’re unable to isolate useful threat data and generate intelligence from it, you’re more likely to miss true threats (known as false negatives) and to label benign traffic as a threat (a false positive).

The types of data to keep an eye out for in OSINT sources are shown below.

Threat Data Types
Images

Proprietary and Closed-Source Intelligence

Often superior to its OSINT counterpart, closed-source intelligence involves the collection of information from restricted, covert, or fee-based sources. In other words, the information found in these sources is not available to the general public. These closed sources can range from “underground” dark web sites to classified government systems, which are only accessible to individuals with security clearances.

Note: A good example of a fee-based closed source comes from FireEye, a leading cybersecurity and threat intelligence organization. FireEye provides various subscription-based threat intelligence services.
Although not always the case, OSINT threat feeds tend to share threat data as opposed to threat intelligence. Closed-source intelligence groups will generally review the accuracy and authenticity of threat data, plus enhance it wherever possible, before posting it online.

The following are some closed-source intelligence sources:
- Threat intelligence platforms
- Classified government systems
- Dark web materials only available to “black market” customers
- Private intelligence sharing communities

Whereas closed-source intelligence focuses on data not being available to the general public, proprietary data refers to the more secretive or confidential nature of business data that, if unlawfully disclosed, could severely damage an organization’s competitive edge. For example, research and development departments often have proprietary data in the form of technical and performance specifications, product plans, code names, and technical reports.

Timeliness
In the context of threat intelligence, timeliness is described as a relationship between the time that threat data is collected, organized, and finally reported. Since most threat data loses value over time, data must be quickly received and acted upon to make a difference. Yet, data collected too early or too late will either tell the wrong story or tell an old one. In either case, the lack of timeliness of data will likely result in ineffective decision making and, by extension, threat mitigations. Given the importance of timeliness, here are a few questions to keep in mind regarding the determination of timeliness requirements?
- How is the threat data delivered to ensure efficient use?
- How much time passes between threat detection and customer notification?
- Is threat data delivered immediately for expediency or eventually for completeness? Some customers may prefer one over the other.

Exam tip: Organizations should develop a well-defined schedule for data collection and reporting frequencies, in addition to prioritizing urgent data types that have time sensitivities.

Relevancy
Not every organization is at risk for the same kinds of threats. For example, if your organization doesn’t use Mozilla Firefox, don’t collect threat data about it. With organizations already full to bursting with data, be sure to exercise data frugality. We should concentrate on only collecting data that enlightens us into the probabilities and impacts of threats against actual technologies used at our companies.
Efforts to collect threat data will be hampered if businesses lack understanding about their hardware and software. Updating inventories would certainly help, but it’s also important for cybersecurity teams to conduct comprehensive risk assessments on those inventoried assets to ensure appropriate technologies are incorporated into threat intelligence efforts.

Exam tip: Threat data is best obtained from intelligence sources that align with your sector, industry, and organization. Yet, priority should be granted to internally sourced threat data since it will represent former, actual, and potential indicators of compromise (IOCs) coming from within the organization itself.

Accuracy
In some cases, inaccurate threat data can be worse than no threat data. Inaccuracy usually takes the form of threat data corruption, spoofing, or improper analysis, and one should not ignore the role played by false positives. False positives are inevitable, but too many indicate an ineffective threat intelligence program. Being flooded with false positives will prevent you from keying in on important threat data—and may even help create data inaccuracies by starving a system of its resources.

Exam tip: Being able to corroborate threat data via multiple intelligence sources will go a long way in determining its accuracy.

Confidence Levels
Organizations often subscribe to multiple threat intelligence sources to enhance their threat knowledge, and, by extension, implement the cybersecurity prevention, detection, and mitigation capabilities that were recommended. Yet, collecting more data means organizations will have more false positives to weed through, which may increase the difficulty of distinguishing real threat indicators from normal data.
Once threat indicators have been analyzed, analysts will often assign them threat and confidence ratings to determine the threat’s level of nastiness and the company’s confidence in that determination.

Key Terms: Threat rating is a ranking of a threat’s potential danger level. This is often measured on a scale of 0 to 5, with 5 representing the most critical type of threat.
Confidence rating (level) is a ranking of how confident we are that a threat rating is accurate. This is often measured on a scale of 0 to 100, with 100 representing the highest level of confidence. Note that confidence levels only apply to our trust in the source of threat information, not the likelihood that a threat will materialize.

Table below provides a generalized version of threat ratings that organizations may use.

Threat Ratings
Images

In addition to the ratings, other threat characteristics may be described, including the threat’s capabilities, whether it’s an opportunistic or targeted threat, and the phase or phases of the kill chain the threat currently occupies. Most threats are opportunistic in that the attacker came upon a target by chance and was motivated simply by the target’s weak security state alone. However, threats by themselves may not be enough to motivate decision-makers into spending time, resources, and dollars on countermeasures. We have to convince decision-makers that our confidence in potential and actual threats is well-founded.

Table below shows a generalized version of confidence ratings that organizations may use.

Confidence Ratings
Images

Our ability to classify threats into confidence levels is largely dependent on three things:
- Our ability to directly observe the threat
- The threat’s feasibility
- Whether or not the threat can be corroborated with legitimate sources.
A higher confidence rating in a threat grants us reasonable assurance that our cybersecurity response to the threat will not be in vain.

Indicator Management
Organizations can’t acquire sufficient threat data and intelligence in a vacuum. Maximizing cyber threat readiness requires our businesses, intelligence sharing communities, and security researchers to voluntarily share their threat intel with the global community.

However, information sharing on a global scale will naturally raise some standardization concerns:
- What should the shared threat data look like?
- What’s the best way to share threat data?
- What formatting should the threat data use to ensure efficient processing by recipients?

Fortunately, some cyber threat sharing protocols already exist to address these concerns. The three in particular we’re going to look at are Structured Threat Information eXpression (STIX), Trusted Automated eXchange of Indicator Information (TAXII), and OpenIOC.

Structured Threat Information eXpression (STIX)
You need a universal way to describe threat intel, so what language should you use? Enter STIX. STIX is a standardized language for describing the “what” of threat data. Like TAXII, it was developed by MITRE and is now maintained by the OASIS Cyber Threat Intelligence (CTI) Technical Committee. STIX is maintained in an ad-hoc fashion by various intelligence-sharing communities and organizations across the globe. Due to STIX’s structure, intelligence sharers are able to convey multiple characteristics about each threat:
- Threat motivations
- Threat capabilities
- Threat response

The figure below shows the various components of the updated STIX 2.0 architecture in terms of all the threat information that can be conveyed to others.

STIX Architecture
Images

So, if STIX describes the “what” of threat data, what do you suppose describes how to transfer that threat data to others? That is where TAXII comes in, which we’re going to look at next.

Trusted Automated eXchange of Indicator Intelligence (TAXII)
TAXII is a free cyber threat standard that describes how threat data can be shared. Designed to work directly with STIX, it uses a flexible communications API to make it compatible with the following multiple cyber threat sharing models:
- Hub-and-spoke A two-way sharing model where a central organization (hub) manages threat data synchronization between itself and partner organizations (spokes). The hub and spokes can synchronize threat data in either direction only if the hub approves.

This model is shown below
Images

FIGURE: Hub-and-spoke sharing model

- Source/subscriber A one-way sharing model where a central organization serves as the single source of threat data for other organizations. This is illustrated below.
Images

FIGURE: Source/subscriber sharing model

- Peer-to-peer A two-way sharing model where all participating organizations can send/receive threat data with each other without centralized approval requirements.

Take a look at the figure below:
Images

FIGURE: Peer-to-peer sharing model

Exam tip: Previous cyber threat sharing models were less efficient at sharing data. Since STIX and TAXII are machine-readable, they’re easily automated and more efficient at sharing.

OpenIOC
Although not as well-known as the aforementioned frameworks, OpenIOC is an open cyber threat sharing framework designed for exchanging threat data with other parties in a machine-readable format. It was developed by the American cybersecurity company Mandiant in November 2011 (later acquired by FireEye in 2013). OpenIOC is written in XML and is adaptable enough to permit incident responders easy translation of threat knowledge into a standard format. Businesses use OpenIOC to share IOCs with other businesses that serve the threat intelligence communities worldwide.

Threat Classification
Threats can be classified in many ways, depending on the methodology and the organizations that produce it. One of the most widely accepted classifications of threats comes from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 (revision 1), “Guide for Conducting Risk Assessments.” In addition to providing an excellent methodology for conducting risk assessments, SP 800-30 provides a solid taxonomy of classifying threats and vulnerabilities and determining risk in general.

Appendix D to this publication states that there are four different types of threat sources (also known as threat agents) that can cause or generate a threat event:
- Adversarial: Includes malicious persons, groups, organizations, and nation-states
- Accidental: Users or administrators
- Structural: Equipment or software failure
- Environmental: Natural or man-made disasters and outages
Appendix E describes a plethora of potential threat events caused by these sources and categorizes them based on adversarial or non-adversarial threat events, as well as presents their confidence levels.

Exam tip: The definitions of threat, threat source, and threat event aren’t a CySA+ exam objective, although it is assumed that you are familiar with these terms.
Threats can be categorized in multiple different ways, depending on several factors. This can include the obvious, such as whether it’s environmental or man-made, adversarial or non-adversarial, but we can also classify threats according to the type of attack they represent, through which avenue of attack (called a threat vector), and whether they are known or unknown.

Known Threats vs. Unknown Threats
Now let’s turn our attention to known threats and unknown threats. The idea of a threat being “known” is subject to interpretation, as you can see below.

Known vs. Unknown Threats
Images

Predictably, “known knowns” are the most common threats we deal with. An example would be antimalware software detecting and eradicating a virus based on that virus’s known signature. Most of the malware that we acquire will be detected and remediated in this manner.


KEY TERM   Signature-based detection involves the detection of attacks by looking for specific known types of information unique to a threat, such as network traffic characteristics or malware code, and comparing its “signature” with a well-known database of malicious signatures.
Just as predictably, our antimalware tools won’t have advance knowledge about all malware. For example, if a known polymorphic virus (one that can mutate) changes into an unknown variety, the new malware form will become unknown for some time. Since signature-based detection engines won’t yet be able to detect this malware, another method will be needed.
What if we use a technique that focuses on what a threat is doing as opposed to what the threat looks like? Heuristic-based detection can detect previously unknown malware by identifying unusual or suspicious properties within the code. As malware continues to automatically mutate, heuristic-based detection is becoming increasingly important. You may need to “tune” the heuristic engine’s detection level to a comfortable middle point. If the engine is too aggressive, more false positives will result. Predictably, if the engine is too passive, more false negatives will result.

Exam tip: Heuristic analysis can work statically, where suspected code is decompiled into source code for analysis, or dynamically, where the suspected code is isolated into a virtual environment where it can run in real time and be analyzed with less risk.

Zero-Day Threats
Microsoft has been warning us for years that after January 14, 2020, the Windows 7 “Extended Support” period will finally come to an end. To minimize any looming security exploitations, they’ve spent the past few years warning businesses and residential customers to upgrade to Windows 10 ASAP. Why? Zero-day threats. Zero-day threats are attacks against vulnerabilities that the hardware/software vendors don’t know about or haven’t created a security update for. A zero-day vulnerability refers to the time between when the existence of a vulnerability is known (to an attacker or even the vendor) and an exploit is produced for the vulnerability. In bad cases, this is zero days, meaning that when a vulnerability is discovered, an exploit for it is also discovered or known immediately as well.
However, when a vendor stops supporting a product—as in Microsoft’s case with Windows 7—any vulnerabilities discovered thereafter will remain indefinitely. That’s a major problem because a lot of businesses don’t want to, or cannot, move on from Windows 7 for the foreseeable future.

Note: Organizations that elect to pay Microsoft for “Extended Security Updates” will be able to get patches—although the costs will be prohibitive, and will steadily rise, as an incentive for businesses to upgrade to newer Microsoft products.

Advanced Persistent Threats
Advanced persistent threats (APTs) are essentially today’s digital spies. APTs are covert threat actors, typically at a military or government-sponsored level, who gain unauthorized access to systems with the goal of long-term data extraction and invisibility.
Here is the lifecycle for APTs:
1.: Define target.
2.: Find and organize accomplices.
3.: Build or acquire tools.
4.: Research target infrastructure/employees.
5.: Test for detection.
6.: Deployment.
7.: Initial intrusion.
8.: Outbound connection initiated.
9.: Expand access and obtain credentials.
10.: Strengthen foothold.
11.: Exfiltrate data.
12.: Cover tracks and remain undetected.

Threat Actors
Although the general public typically generalizes them as just “hackers,” threat actors are any entity that causes a threat to materialize. Although many people immediately think of threat actors as malicious, they are not always so. Of course, there are malicious threat actors, but there are accidental threat actors and environmental threat actors. Earlier in the module, we discussed how NIST SP 800-30 defines threat sources (synonymous with actors or agents) as adversarial, accidental, structural, and environmental. Also, as mentioned before, threats, along with the threat actors, can be classified in different ways. Some of these include nation-state threats, hacktivists, organized crime, and malicious insiders.

Nation-States
Nation-states conduct all types of electronic warfare, intelligence, counterintelligence, and even cyber attacks on enemies, and even sometimes allies, to gain tactical or strategic advantages. Nation-states typically have entire divisions of cybersecurity professionals who are acting as state-sponsored hackers. Earlier we mentioned the advanced persistent threat, which is almost always a nation-state–sponsored threat. The goal of nation-states is typically to get any information that can give them an advantage over another country, whether it is militarily or economically. Examples would be any information regarding national defense, trade secrets or proprietary data, economic data, and even data used to blackmail individuals in other countries.

Hacktivists
Creativity notwithstanding, if you put the words “hacker” and “activist” together, you’ll arrive at the term “hacktivist.” Hacktivists are individuals who use hacking as a vehicle to bring about political or social change. The causes they typically fight for include human rights, free speech, information, and societal change. Regardless of the means that hacktivists choose to achieve their goals, they tend to view themselves as the “good guys.”
History has seen many notable hacktivist individuals and groups, but perhaps two of the more “mainstream” variety deserve some mention:
- Edward Snowden: Formerly a CIA employee, Snowden became notorious for leaking highly classified NSA information due to his allegation that the NSA performed abusive surveillance practices domestically and abroad.
- WikiLeaks: This whistleblowing organization, created by Julian Assange, maintains a website that publishes secret or classified materials in an effort to “fight societal corruption.”


CAUTION   Although not an exam topic, if you’re a U.S. person possessing a U.S. federal government security clearance, including both federal workers and contractors, be advised that you might be banned by the U.S. government from viewing WikiLeaks due to it potentially possessing classified materials. This rule does not apply to any U.S. citizen who does not possess a security clearance.

Organized Crime
The stereotypical, lone-wolf, hacker-in-a-hoodie guy isn’t the norm anymore. Hoodies are being replaced with suits, and lone wolves are increasingly working for cybercriminal organizations. With historic sums of money to be made today, huge global crime rings, hacker corporations, and state-sponsored groups have been built around this new cybercriminal business model. Cybercrime is definitely the next generation of organized crime.
With organized crime organizations spear-heading much of the hacking, we must prepare our defenses for such organizations. Groups like Anonymous, Syrian Electronic Army, Lizard Squad, and many others have the intelligence, capital resources, business plans, and operational efficiencies similar to large enterprises. It puts a whole new spin on cybersecurity to realize that we’re not guarding our organization against mere hackers, but against organized crime hacker organizations!
Many of these hacker groups have large social media followings, and they’re not above threatening or announcing their plans on social media as a way to taunt their targets. Do your homework as you would with any other threat vector.

Note: Organized crime groups are known for conducting widespread ransomware operations, cryptojacking, bribery, and blackmail, and they have a particular affinity for hustling millions of dollars out of duped CEOs. Collect whatever organized crime intel you can find and start raising awareness within your organization before it’s too late.

Insider Threats
There’s a reason why physical security is still the most important kind—because insider threats are still, on average, the most dangerous adversary to an organization. Insider threats are typically people who work for an organization and have privileged access and knowledge about that organization’s operation and assets. Skilled or unskilled, malicious or not, the fact that insiders have keys, ID badges, and user accounts makes it easy for them to cause harm. However, not all insider threats are created equal, as we’ll explore in the next section.

Intentional
Many insider threats fully intend on causing harm to the organization. Such staff are typically disgruntled and perhaps are about to resign or get fired. Malicious insiders are known for either sabotaging company assets or stealing confidential data.
In other cases, professional insiders were installed by, perhaps, a state-sponsor, competitor, or organized crime group for espionage purposes. They’re looking to collect sensitive information to sell it to competitors or the black market for financial gain.
Although not the most common, compromised insiders are compelled against their will by an external threat actor. These individuals are manipulated by the external threat into performing various theft and sabotage exercises on their behalf.

Unintentional
Although research shows that most security incidents occur from insiders, what often surprises people is that the majority of those insider threats are unintentional. A significant risk to organizational data is accidents, which are caused by a negligent or complacent employee. Their lack of education on cybersecurity best practices and negligence on following company policies are the most common root causes of unintentional insider threats. Unfortunately, many organizations suffer both data and financial losses caused by the “innocent” mistakes of their staff.
Negligent employees bear watching and can be characterized by their poor password management habits, oversharing on social media sites, storing confidential materials on network drives or flash drives, and sending such data through conventional e-mail and IM messaging channels.

Intelligence Cycle
We’ve discussed various topics throughout this module, but let’s recall that this exam objective focuses on the importance of threat data and intelligence. Getting such data, making it useful, and then basing cybersecurity decisions from it is what cybersecurity analysis is all about. To that end, let’s talk about the methodical way cybersecurity teams make this happen through what we call the intelligence cycle.
The intelligence cycle is the never-ending process of collecting raw information, generating actionable intelligence from it, and sending it to stakeholders to make decisions that help the organization meet particular cybersecurity objectives. These stakeholders can range from security operations center (SOC) analysts to senior-level management. Through successful intelligence cycles, organizations stand to gain several advantages:
- Quick detection and remediation of threats
- Better regulatory compliance
- Reduction of confidentiality, integrity, and availability breaches
- Increased efficiencies of cybersecurity implementations
Although you’ll see many variations of the intelligence cycle out there, we can safely anchor them to five essential phases, which we’ll cover next.

Requirements
All cycles have beginnings, and, in the case of intelligence cycles, it starts with requirements. Defining requirements simply means that we’re getting all our ducks in a row to conduct an efficient and sustainable intelligence cycle. It starts with the company stakeholders determining the cybersecurity goals of the intelligence cycle—chiefly the identification of cybersecurity issues and proposed resolutions. The following requirements will need to be defined to achieve the goals:
- Team roles and responsibilities
- Resources allocated to team members
- Timelines for meeting objectives
- Prioritization of assets, risks, and threats
- Sources for threat intelligence
- Determination of threat intelligence types
- Tools/techniques needed to collect, analyze, and report cybersecurity intelligence

Collection
Guided by aforementioned requirements, we start collecting raw data from a variety of open- and closed-source locations to help identify the current and most likely threats facing the organization. We’ll use a range of tools to collect threat data, including the following:
- Security information event management (SIEM)
- Threat intelligence platforms
- Threat intelligence providers
- User behavior analytics (UBA)
- Network traffic analysis tool
- Cybersecurity communities
Once all relevant raw data has been collected, it’ll need to be normalized and formatted into contextually useful information for analysis in the next phase.

Analysis
With threat data now in an intelligible format, analysis will help us turn that data into threat intelligence—which is when the data becomes contextually useful—and we can truly understand what it says. Analysis helps us to determine the significance and implications of the data, such as the following:
- Does the data show indicators of compromise?
- Does the data show that we’re being targeted?
- What threat predictions can we draw from the data?
- What threat solutions should we consider implementing to quell the threats?
The last thing you should do in this phase is to make a report of all your analyzed findings. Stakeholders have no patience for data that is unwieldy, incomplete, inconsistent, or unreadable.

Dissemination
With the data carefully analyzed, we must disseminate that information to the stakeholders. This will come in the form of a concise and actionable report that someone can use to make effective and expedient decisions based on its contents.
Recall earlier that anyone, from cybersecurity personnel to senior management, can be a stakeholder. Make sure you know who they are and that you give careful consideration to how you disseminate intelligence to them. Take a look at the following for some guidance:
- Ensure the right stakeholder is given the data most relevant to their needs.
- Ensure data is formatted in the most understandable and useful manner.
- Ensure stakeholders are given updated information as it becomes available.

Feedback
The final phase of the intelligence cycle is feedback. As you can imagine, the producers of the intelligence (us) and the consumers of the intelligence (stakeholders) should discuss how well the intelligence efforts have met stakeholder requirements. Whether the requirements are sufficiently met or not, you can make some changes for subsequent threat collection and mitigation cycles. New requirements may arise, threat data collected may change, and new analysis and dissemination techniques may be needed to ensure requirements are better met going forward.

Commodity Malware
Recall from earlier in the text that attackers often handpick a specific organization, research its security defenses and people, and then carefully exploit its vulnerabilities, whether through phishing e-mails or malware. In these targeted instances, attackers are known for using malware specifically crafted for that organization. Although more likely to succeed in such targeted attacks, the malware’s custom design, scarcity, and high cost don’t make it a desirable fit for more generalized and opportunistic types of attacks.
Most malware encountered by organizations will be of the more prevalent sort—nowadays called commodity malware. Commodity malware is widely available—either for free or purchase on the dark web—for use in opportunistic and common attacks. Think of it as “off-the-shelf” malware akin to buying general-purpose products from the local store. Granted, it has a relative lack of precision, but that is mostly nullified by organizations softened up by poor patch management as well as antimalware and antiphishing countermeasures. Since most organizations fall under that banner, commodity malware is more common than advanced malware.

Exam tip: Ransomware like WannaCry is a good example of commodity malware due to its use all over the world across all major sectors and industries.

Information Sharing and Analysis Communities
The final section of this guide covers formal information sharing communities that serve federal and local governments. This is in contrast to the threat intelligence sources discussed earlier, which are more likely consumed by enterprises. As its more commonly known, an Information Sharing and Analysis Center (ISAC) is a non-profit organization that collects, analyzes, and distributes threat intelligence to public and private sector organizations with critical infrastructures. Its goal is to help these organizations protect themselves from all security threats, including cyber and physical threats.
Organizations with critical infrastructures are those that have systems, networks, or assets that are crucial to federal and local governments, plus society in general. These organizations may include the following:
- Chemical and nuclear
- Energy
- Financial
- Food and agriculture
- Health
- Public and legal order and safety
- Space and research
- Transport
- Water

ISACs serve a vital role for their respective industries, which is evident by having 24/7 threat warning and incident notification capabilities and may even set threat levels for their respective industries. And many ISACs have a track record of responding to incidents and sharing pertinent threat information more quickly than government partners. In the next several sections, we’ll go over ISACs that are specific to certain sectors or industries.

Healthcare
You probably wouldn’t think it, but healthcare data is one of the most sought-after information categories by cybercriminals and other threat sources worldwide. When money talks, data walks. Healthcare information fetches a great deal more black-market dollars than credit cards and Social Security numbers. Malware attacks, particularly ransomware and bots, are very common in this industry. There has also been a significant increase in socially engineered attacks in recent years, since healthcare users are an easy target for confidentiality breaches. 

Healthcare Key Terms:


Images

Health Information Sharing and Analysis Center (H-ISAC)
With so many cyber attacks against healthcare organizations today, proactivity is key. Healthcare organizations would be well-served to make frequent use of the Health Information Sharing and Analysis Center (H-ISAC) to obtain updated health-related threat intelligence. According to H-ISAC’s official website, it is a “global, non-profit, member-driven organization offering healthcare stakeholders a trusted community and forum for coordinating, collaborating and sharing vital physical and cyber threat intelligence and best practices with each other.”
H-ISAC’s community is focused on sharing timely and useful threat intelligence, including incidents, vulnerabilities, tactics, techniques, mitigations, and cybersecurity best practices.

Financial
The financial industry is also one of the more targeted industries due to the tremendous value of informational and monetary assets up for grabs. These organizations have been seeing a lot of DDoS, phishing, man-in-the-middle, and credential-stuffing attacks (an attack where credentials stolen from one organization are used to compromise accounts in a second organization).

Exam tip: The Gramm–Leach–Bliley Act (GLBA) of 1999 plays an important role in the financial industry. It requires financial organizations to disclose how they share and protect their customers’ private information.

Financial Services Information Sharing and Analysis Center (FS-ISAC)
Like it’s H-ISAC counterpart, the FS-ISAC is the global financial industry’s go-to resource for all physical and cyber threat intelligence sharing. In the past 20 years, it has expanded its influence to include several industry initiatives to increase protection and services for the global financial services industry.

Aviation
For a very different reason, cyber attacks against the aviation industry should concern us all. As airplanes become more computerized, and Internet and Wi-Fi capable, hackers will be looking to disrupt airline systems to create flight delays, cancellations, and security alerts. Worse, airplanes can get hacked, which could prevent takeoff or landing, or the plane might be remotely controlled by attackers. An attacker may ask for millions of dollars in ransom, or worse, to halt an attack on an airborne craft and spare the lives of its passengers and crew, not to mention potentially thousands of innocent victims on the ground.

Aviation Information Sharing and Analysis Center (A-ISAC)
Aviation cybersecurity concerns are significant enough that multiple ISACs have sprouted around the globe. Of particular note is the A-ISAC, which, like most other ISACs, seeks to exchange threats, vulnerabilities, incidents, and best practices with its worldwide constituents. Europe has its own aviation-focused ISAC as well, called the European Centre for Cyber Security in Aviation (ECCSA). However, there is some concern that having multiple aviation ISACs might cause standardization challenges.

Government
By most accounts, governments are both the most cyber-targeted “industry” and, arguably, the least prepared to deal with it. Various reports reveal that U.S. government infrastructure often contains unpatched systems, outdated Windows XP and Windows Server 2003 systems, and even several-decades-old COBOL-based systems for which very few experts remain today. This is a big problem considering people’s reliance on government for obtaining passports, student loans, Social Security numbers, and drivers’ licenses.

National Defense Information Sharing and Analysis Center (ND-ISAC)
Although government ISACs are more plentiful and may have specific focuses, the ND-ISAC is the U.S. national defense sector’s ISAC to enhance our national cybersecurity. Like other ISACs, the ND-ISAC provides national defense sector groups, such as the Defense Industrial Base (DIB) ISAC, for example, with a community for sharing cyber and physical security threat intelligence, best practices, and mitigations.

Critical Infrastructure
The healthcare, financial, aviation, government, and many more industries all contain critical infrastructure. However, the CySA+ exam also considers critical infrastructure in terms of utility and public organizations such as electricity, nuclear, oil and gas, public transit, and water. Shown here are the ISACs for those respective industries:
- Electricity ISAC (E-ISAC)
- Nuclear ISAC (NEI)
- Oil and gas (ONG-ISAC)
- Public transit (PT-ISAC)
- Water ISAC (Water-ISAC)

Note: The National Council of ISACs (NCI) was formed in 2003 and is the ISAC “hub” for a few dozen different ISACs globally.



ADVERTISEMENT