Study Guide: CompTIA CySA+ Cybersecurity Analyst Certification: Threat and Vulnerability Management - Threat Data And Intelligence
Source: https://www.fatskills.com/comptia-cysa-cybersecurity-analyst-certification/chapter/comptia-cysa-cybersecurity-analyst-certification-threat-and-vulnerability-management-threat-data-and-intelligence

CompTIA CySA+ Cybersecurity Analyst Certification: Threat and Vulnerability Management - Threat Data And Intelligence

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Objective 1.1: Explain the importance of threat data and intelligence

Intelligence sources are where much of our external threat data and, ultimately, threat intelligence originates. Threat data must be acquired in a timely manner, relevant to the organization’s needs, and accurate to bring value to the collecting organization.
Once the threat data is analyzed, threat ratings are assigned to it to determine its potential danger level, with confidence ratings assigned afterward to indicate the organization’s assurance that the threat rating is accurate.
Indicator management involves organizations packaging and distributing threat data in a manner acceptable to other collecting parties. The STIX language describes the “what” of threat data, and TAXII describes “how” to transfer that data. OpenIOC is a lesser-known but open framework for exchanging threat data with other parties in a machine-readable format.
Threat classification identifies different threat types, including known threats versus unknown threats, zero-day attacks, and advanced persistent threats.
Threat actors include the attackers that attempt to compromise our systems, applications, and data. They come in many forms, including nation-state hackers, hacktivists, organized crime, plus intentional and unintentional insider threats.
An intelligence cycle is a continual process of collecting information, refining it, and reporting it to stakeholders for making key cybersecurity decisions. An intelligence cycle includes five stages: requirements, collection, analysis, dissemination, and feedback on reported intelligence. If this process is done properly, organizations will continue to improve their ability not only to collect threat data but also to strengthen their cybersecurity defenses against cybercriminals.
Commodity malware was discussed as an “off-the-shelf” and generalized form of malware used to attack systems with well-known vulnerabilities. This is in contrast to the more advanced forms of malware that are crafted specifically for handpicked targets.
Information Sharing and Analysis Communities, better known as Information Sharing and Analysis Centers (ISACs), are non-profit organizations that collect, analyze, and distribute threat intelligence to public and private sector organizations with critical infrastructures. They exist all over the world and serve many industries and sectors with cybersecurity intelligence sharing, including healthcare, financial, aviation, government, and critical infrastructure.

 

Threat and Vulnerability Management

Attack Frameworks

It’s often said that to beat a hacker, you need to think like one. Helping us to do just that are attack frameworks. Frameworks are industry-proven methodologies and overarching processes, and attack frameworks specifically detail how adversaries behave before, during, and after cybersecurity breaches based on various circumstances.

They help cybersecurity professionals acquire as much knowledge as possible regarding a specific adversary’s tactics, techniques, and procedures (TTPs), which are defined as follows:
- Tactics: The highest-level description of an adversary’s behavior. For example, an attacker’s tactic may be the persistence of a connection to a target or privilege escalation.
- Techniques: Describe in more detail the behaviors used in a tactic. For example, creating a new service is a technique that will help achieve the tactic of persistence.
- Procedures: Describe in detail the tools and steps taken to create the new service to achieve persistence.
The CySA+ CS0-002 exam expects you to be familiar with three attack frameworks in particular—MITRE ATT&CK, the Diamond Model of Analysis, and the Cyber Kill Chain. Without further ado, let’s dig in.

MITRE ATT&CK
The MITRE Corporation is a nonprofit organization funded by the U.S. government for multiple national research initiatives, including cybersecurity. Best known for developing and maintaining the Common Vulnerabilities and Exposures (CVE) database, it also created the MITRE ATT&CK framework in 2013. ATT&CK is a public knowledge base of threat tactics and techniques based on real-world observations of cyber attacks. It describes the many ways threat actors penetrate networks, move laterally across the network, escalate privileges, and evade target defenses.

Once a breach has been detected, organizations can use the framework to help determine certain specific information about the breach:
- How did threat actors penetrate the network?
- How are they moving around?
- What are they doing?

This framework also aids organizations in the development of their own threat models. If an organization wants to build a threat model for advanced persistent threats (APTs), it can easily reference the tactic and technique information found in ATT&CK.

Note: The ATT&CK “tactics” describe the why of an adversary’s attack, and the “techniques” describe the how for achieving the tactic’s goal. For example, the adversary’s tactic might be Execution, and the technique could be PowerShell.

For more examples of tactics and techniques, see the partial view of the MITRE ATT&CK framework shown in the figure referenced below.

FIGURE: MITRE ATT&CK framework

Scenario: Exfiltration
To follow this scenario correctly, have the MITRE ATT&CK framework handy to reference the tactics and techniques. Let’s say an adversary wants to steal classified or sensitive files from a CEO. The adversary performs the Initial Access tactic to acquire the credentials of the CEO’s secretary using a spear-phishing link delivered in an e-mail. Once they have the secretary’s credentials, the adversary will look for a remote system in the Discovery tactic.
- Tactics: Initial Access and Discovery
- Techniques: Spearphishing Link and Remote System Discovery
Although various details are left out for brevity, analyzing attack scenarios using ATT&CK would help us to flag the various attacker and system behaviors as suspicious, and, ultimately, enable us to remediate the attempted breach.

The Diamond Model of Intrusion Analysis
Finalized in 2013, the Diamond Model of Intrusion Analysis serves as a practical analytical methodology for cybersecurity analysts to utilize before, during, and after cybersecurity intrusions. Aimed at strengthening our intrusion analysis, it’s the first model of its kind that scientifically incorporates both the fundamentals of threat actors/activities (offense) and the analytical techniques needed to discover, understand, and counteract these threat actors/activities (defense).
The Diamond Model underscores the relationships and characteristics of an attack’s four main components:
- Adversary
- Capabilities
- Infrastructure
- Victim

The figure below shows a basic depiction of the Diamond Model mapping out an attacking adversary moving toward an intended goal by exercising a capability over infrastructure against a victim.

FIGURE: The Diamond Model of Intrusion Analysis

Although the finer aspects of the Diamond Model are beyond the scope of the exam, cybersecurity analysts can use it to create a repeatable way to do the following:
- Characterize organized threats
- Consistently track events as they progress
- Identify and prioritize one threat relative to another
- Identify and implement the most effective preventive, detective, and corrective countermeasures against such adversaries

Cyber Kill Chain
Militaries originally used the term “kill chain” to describe the stages of their attacks against enemies. It began with finding the enemy’s general location, fixing a more precise enemy location, tracking enemy movements, targeting the enemy with a weapon, engaging the enemy with the weapon, and assessing the weapon’s effect on the enemy.
Adapted into a cybersecurity context by the Lockheed Martin security and aerospace organization, the Cyber Kill Chain framework identifies the various stages of a cyberattack.

FIGURE: The Cyber Kill Chain

That’s a little disconcerting, so perhaps a list of countermeasures would do nicely. Have a look at the “opposite” series of steps recommended to counter the phases of the Cyber Kill Chain:
- Detect: Identify indicators of compromise.
- Deny: Prevent or halt imminent data breach.
- Disrupt: Minimize or redirect an attack away from key assets.
- Degrade: Counter-attack threat actor’s C2 server.
- Deceive: Confuse C2 server with misleading traffic.
- Contain: Isolate threat actor or threat to separate segment.

Note: The Cyber Kill Chain is sometimes criticized for emphasizing perimeter security countermeasures at the expense of internal security. Accordingly, a stronger Unified Kill Chain—which is an extended hybrid of the Cyber Kill Chain and MITRE’s ATT&CK framework—was created to enhance and balance the perimeter/internal security zones.

Threat Research
The early-20th-century pioneering criminologist Dr. Edmond Locard famously stated that every contact leaves a trace. A century later, cybercriminals are inundating the world with countless millions of threat traces each year. Awash in threat data, organizations face the unending challenge of researching the latest threats to continuously figure out what security solutions are needed, how they should be used, and how to respond to threats.
Regardless of the type of threat intelligence you acquire through research, you can categorize the information in three general ways:
- Strategic: Intelligence that identifies the long-term and “big picture” viewpoint about adversaries and threat trends, likely targets, plus adversarial motivations.
- Operational: Intelligence that identifies threat methodologies, attacker tools of the trade, and tactics, techniques, and procedures.
- Tactical: Intelligence that leads to the identification of current or imminent IOCs, including malicious domain names, URLs, e-mail addresses, IP addresses, and hash values.
Threat research is an important topic, so let’s dig into how it makes threat data visible and knowable to us. We’ll explore threat reputations, behavioral characteristics of threats, IOCs, and the hugely helpful Common Vulnerability Scoring System (CVSS).

Reputational
One of the many things proffered through threat intelligence sources is threat reputation. Like people, threats acquire reputations through direct observations or interactions shared by other parties. These threat intelligence sources—which may include researchers, security vendors, and governments—are painstakingly sharing reputation data regarding the malicious activities of threats and their origins. Using a combination of direct threat assessments and information acquired through other intelligence sources, experts are determining which of these Internet objects have good, bad, or unknown reputations.

Exam tip: Reputation data tends to describe suspicious DNS names, e-mail addresses, file hashes, IP addresses, URLs, and websites. To make it easier to tell “friend” from “foe,” these objects are formally assigned reputational scores. Higher scores indicate generally positive reputations, whereas lower scores indicate generally negative reputations. This information can then be distributed globally, automatically or manually, as part of threat intelligence sharing platforms.
Greatly aiding us in the distribution of threat reputation scores are services often provided by cybersecurity vendors called Threat Reputation Services (TRS). A TRS can automate the aggregation of threat data from other threat intelligence platforms, contextualize and score the data based on observed behaviors and shared intelligence, and notify subscribed members and devices immediately.

Behavioral
According to MITRE, an adversary dwells on an organization’s network for an average of 146 days before being detected. This is partly due to organizations relying too much on tools and techniques that specialize in detecting known threats. Discovering unknown threats is where behavioral methods come in. Despite being unknown, threats are still exhibiting observable behaviors in the environment. Behavioral threat detection involves first understanding how our environment normally behaves over a period of time and then identifying patterns of behavior that deviate from the norm. Although behavioral differences can be a false positive, they may also signify a threat indicator. Such threat behaviors may include the following:
- DDOS/C2 traffic
- Phishing
- Unknown or unapproved devices
- MAC/IP spoofing
- MITM/hijacking
- Malware
- Autostart apps
- Sandbox evasion
In a module about threat intelligence—which focuses on what we, or someone else, knows—you may be wondering how the detection of unknown threat behaviors is related. User behavior analytics (UBA), sometimes known as user and entity behavior analytics (UEBA), bridges the gap. UBA focuses on user behaviors, and how such behaviors may correlate with unusual behavior events in the environment in order to discover an insider threat. Unfortunately, UBA isn’t great at assigning context to the discovered behaviors. So, what entity is needed to provide context to threats? Threat intelligence. A threat intelligence platform could generate an alert that a suspicious user’s IP address has been previously flagged as malicious or of poor repute.
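The baseline-then-deviation approach described above, and the point that threat intelligence supplies the context UBA lacks, can be made concrete. The Python below is an added example written for this guide (it is not from the original text or from any UBA product): it learns each user’s normal hours, source addresses, and transfer volume from a constructed baseline log, flags new events that deviate on any of those, and then enriches each alert from a constructed reputation feed, so the analyst sees not just “unusual” but “unusual, and from an address already flagged.” All users, times, and addresses are invented; the addresses come from the documentation ranges.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed access records, one per line: "<ISO timestamp> <user> <source IP> <MB out>".
# Users, times and addresses are invented; the addresses come from documentation ranges.
BASELINE_LOG = """\
2020-02-03T08:55:00 alice 192.0.2.10 12
2020-02-03T13:10:00 alice 192.0.2.10 9
2020-02-04T09:02:00 alice 192.0.2.10 14
2020-02-04T16:40:00 alice 192.0.2.11 10
2020-02-05T10:15:00 alice 192.0.2.10 11
2020-02-05T17:05:00 alice 192.0.2.11 13
2020-02-03T07:30:00 bob 192.0.2.20 40
2020-02-04T07:45:00 bob 192.0.2.20 38
2020-02-05T07:35:00 bob 192.0.2.20 44"""

OBSERVED_LOG = """\
2020-02-06T03:12:00 alice 198.51.100.23 950
2020-02-06T09:30:00 alice 192.0.2.10 12
2020-02-06T07:40:00 bob 192.0.2.20 41"""

# Constructed threat-intelligence reputation feed: the context UBA alone lacks.
REPUTATION = {"198.51.100.23": "previously flagged as malicious (constructed TI entry)"}


def parse(lines):
    """Yield one event dict per log line."""
    for line in lines.splitlines():
        ts, user, ip, mb = line.split()
        yield {"time": datetime.fromisoformat(ts), "user": user, "ip": ip, "mb": float(mb)}


def build_baseline(lines):
    """Learn, per user, the hours and source addresses seen and the volume statistics."""
    hours, ips, volumes = defaultdict(set), defaultdict(set), defaultdict(list)
    for ev in parse(lines):
        hours[ev["user"]].add(ev["time"].hour)
        ips[ev["user"]].add(ev["ip"])
        volumes[ev["user"]].append(ev["mb"])
    return {user: {"hours": hours[user], "ips": ips[user],
                   "mean": mean(volumes[user]), "sd": pstdev(volumes[user])}
            for user in hours}


def score_event(ev, baseline, reputation, z_threshold=3.0):
    """List how an event deviates from its user's own norm and attach TI context."""
    norm = baseline.get(ev["user"])
    deviations = []
    if norm is None:
        deviations.append("no baseline for user")  # unknown account: "normal" is undefined
    else:
        if ev["time"].hour not in norm["hours"]:
            deviations.append("off-hours activity")
        if ev["ip"] not in norm["ips"]:
            deviations.append("new source address")
        spread = norm["sd"] or 1.0  # a perfectly flat baseline would otherwise divide by zero
        if (ev["mb"] - norm["mean"]) / spread > z_threshold:
            deviations.append("volume anomaly")
    return {"user": ev["user"], "ip": ev["ip"], "time": ev["time"].isoformat(),
            "deviations": deviations, "context": reputation.get(ev["ip"])}


def detect(baseline_lines, observed_lines, reputation):
    """Score every observed event; keep only those that deviate in at least one way."""
    baseline = build_baseline(baseline_lines)
    scored = (score_event(ev, baseline, reputation) for ev in parse(observed_lines))
    return [alert for alert in scored if alert["deviations"]]


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, OBSERVED_LOG, REPUTATION):
        print(alert)
```

Run as written, the only alert is alice’s 03:12 event: off-hours, from an address never seen for her, moving roughly eighty times her normal volume, and the reputation lookup adds that the address was already flagged. The same deviations without a reputation hit would still be worth a look, but the TI context is what lets an analyst rank it above every other “odd” event of the day.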

Indicators of Compromise (IOCs)
As the name implies, IOCs refer to events or data that identify potential or actual malicious activities on a network or system.

FIGURE: IOC examples
As IOCs become known to your organization or others, they can be centrally shared with intelligence communities or shared peer-to-peer with organizations to enhance our global threat intelligence capabilities.
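The objective summary describes STIX as the “what” of shared threat data and TAXII as the “how,” and this section describes IOCs being shared centrally or peer-to-peer. As an added example that is not part of the original study guide, the following Python consumes a STIX 2.1 bundle of the kind a TAXII server would deliver, keeps only indicator objects that are still valid and written in the STIX pattern language, pulls the observable values out of the patterns, and applies the producer’s confidence property (the confidence rating the summary mentions) before anything is allowed onto a blocklist. The bundle, its identifiers, hash, domain, and addresses are all constructed for illustration; the addresses come from the documentation ranges.

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle standing in for a TAXII collection response.
# Every id, hash, domain and address below is invented for illustration;
# the addresses are taken from the documentation ranges.
FAKE_SHA256 = "00112233" * 8
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--7d5c1f4e-2b1a-4c3d-9e8f-0123456789ab",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1b2c3d4e-5f60-4718-8a9b-0c1d2e3f4a5b",
         "created": "2020-02-25T12:00:00Z", "modified": "2020-02-25T12:00:00Z",
         "name": "Constructed dropper sample", "confidence": 85,
         "pattern_type": "stix", "valid_from": "2020-02-25T12:00:00Z",
         "pattern": f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--2c3d4e5f-6071-4829-9bac-1d2e3f4a5b6c",
         "created": "2020-02-25T12:00:00Z", "modified": "2020-02-25T12:00:00Z",
         "name": "Constructed C2 infrastructure", "confidence": 60,
         "pattern_type": "stix", "valid_from": "2020-02-25T12:00:00Z",
         "pattern": "[domain-name:value = 'malicious.example'] OR "
                    "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--3d4e5f60-7182-493a-acbd-2e3f4a5b6c7d",
         "created": "2019-11-01T00:00:00Z", "modified": "2019-11-01T00:00:00Z",
         "name": "Constructed scanner, since sinkholed", "confidence": 95,
         "pattern_type": "stix", "valid_from": "2019-11-01T00:00:00Z",
         "valid_until": "2020-03-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.5']"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--4e5f6071-8293-4a4b-bdce-3f4a5b6c7d8e",
         "created": "2020-02-25T12:00:00Z", "modified": "2020-02-25T12:00:00Z",
         "name": "Constructed malware family", "is_family": True},
    ],
}
# Serialised the way it would arrive over TAXII, so the parser works on text.
SAMPLE_BUNDLE_TEXT = json.dumps(SAMPLE_BUNDLE)

# One equality comparison inside a STIX pattern, e.g. [domain-name:value = 'x'].
STIX_COMPARISON = re.compile(
    r"\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']*)'\]")


def parse_stix_time(value):
    """STIX timestamps are RFC 3339 strings in UTC that end in Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_iocs(bundle_text, now):
    """Flatten a STIX 2.1 bundle into tactical IOCs.

    Non-indicator objects, revoked indicators, indicators written in another
    pattern language, and indicators whose valid_until has passed are
    skipped; every remaining equality comparison yields one IOC."""
    bundle = json.loads(bundle_text)
    iocs = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # YARA, Snort or Sigma patterns need their own engines
        valid_until = obj.get("valid_until")
        if valid_until and parse_stix_time(valid_until) <= now:
            continue  # stale indicator: blocking it would only cause false positives
        for match in STIX_COMPARISON.finditer(obj["pattern"]):
            iocs.append({
                "type": f"{match['obj']}:{match['prop']}",
                "value": match["val"],
                "confidence": obj.get("confidence"),  # optional STIX 2.1 property, 0-100
                "source": obj["id"],
            })
    return iocs


def build_blocklist(iocs, min_confidence=50):
    """Values the producer is confident enough about to feed an automated control.
    A missing confidence property counts as 0, so unscored indicators never auto-block."""
    return sorted({ioc["value"] for ioc in iocs
                   if (ioc["confidence"] or 0) >= min_confidence})


# Constructed reference times: after and before the sinkholed indicator expires.
REFERENCE_TIME = datetime(2020, 6, 1, tzinfo=timezone.utc)
EARLY_REFERENCE_TIME = datetime(2020, 2, 26, tzinfo=timezone.utc)

if __name__ == "__main__":
    current = extract_iocs(SAMPLE_BUNDLE_TEXT, REFERENCE_TIME)
    for ioc in current:
        print(ioc)
    print("blocklist:", build_blocklist(current))
```

Two design points matter here. First, `valid_until` is honoured: an indicator for an address that was sinkholed months ago is exactly the kind of stale data that floods a SOC with false positives, so it is dropped once the window closes. Second, the confidence threshold separates what is safe to push to a firewall automatically from what should only raise an analyst alert, which is the practical difference between a threat rating and the confidence rating attached to it.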

Common Vulnerability Scoring System (CVSS)
We know that threats are given reputation scores, but that can also apply to vulnerabilities. Enter the Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS), which are discussed next.
Operated by MITRE, the CVE is a dictionary of publicly known cybersecurity vulnerabilities that afflict widely used software. Each vulnerability is given its own CVE entry, which includes a CVE ID, a brief vulnerability description, and references.

Scenario: CVE-2019-1136
On July 9, 2019, a Microsoft Exchange Server vulnerability was assigned a CVE ID of CVE-2019-1136. The CVE ID structure is simple: CVE is a constant, 2019 is the year of release, and 1136 is an ID number assigned uniquely to the vulnerability in question.

Note: The CVE ID is widely used by cybersecurity experts, vendors, and researchers as a standard method for identifying vulnerabilities, even across their own security tools, databases, and services.
For more information about the vulnerabilities documented in CVEs, take a look at the National Vulnerability Database (NVD), which is separately maintained by the National Institute of Standards and Technology (NIST).

The NVD stores a copy of all CVEs while adding analytical details:
- Vulnerability’s severity scores
- Impact ratings
- Fix/patch information
In addition to CVEs, we also have the CVSS at our disposal. Since 2005, CVSS has been owned and managed by the Forum of Incident Response and Security Teams (FIRST). The CVSS is an open framework for scoring the severity of vulnerabilities. Unlike the distributed nature of threat reputation scoring, the CVSS scoring framework is centrally managed and standardized so that organizations worldwide have a single reference for assessing the risk presented by a vulnerability and, ultimately, determining the best course of action to address that risk.

Although more severity details exist, CVSS simplifies the scoring process of a CVE by assigning it a single Base Score. This score can range from None (0.0) to Critical (10.0).

TABLE: CVSS Version 3.x severity ratings and score ranges (CVSS 3.0 and 3.1)
Scenario: CVSS Base Score
Returning to the CVE-2019-1136 scenario above: it has a CVSS Base Score of 8.1 out of a possible 10, which is considered “High” severity.

See below for a fuller look at CVE-2019-1136 as it appears in the NVD.

FIGURE: CVSS for CVE-2019-1136

Threat Modeling Methodologies
Threat modeling is something people do every day: generals preparing against military foes, and cybersecurity analysts designing “attack trees” to identify threats and mitigations against cybercriminals. From an organizational context, threat modeling is most often applied whenever businesses are developing or acquiring new products, markets, and technologies, as well as the systems to support them, such as the introduction of new software, systems, networks, distributed systems, and even business processes. These are all qualifying conditions for threat modeling.
In its most common usage, threat modeling is the practice of identifying, prioritizing, and mitigating threats across all phases of a system’s lifecycle. Unlike more reactive security practices, threat modeling seeks to address potential threat events early in the process before they become realized.
Viewed from the “attacker’s point of view,” threat modeling aids us in developing a deeper understanding of our organizational attack surface because we’re simulating all possible threat causes and effects before actual attacks take place.

When designing a new system or application, we might consider asking and answering the following questions:
- What are the most likely threats to attack us?
- How will the threats attack us?
- Where are we most vulnerable to attacks?
- What assets are more likely to be targeted?
- Why would a threat attack us?
- What should we do to improve our security against the threats?

Common Threat Modeling Methodologies
Although there are several threat modeling methodologies out there, we’ll focus on the most common ones here:
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): A threat model methodology that focuses on organizational risk, particularly operational risk, security practices, and technology.
- Trike: An open-source threat modeling methodology that focuses on the security auditing process of risk management.
- STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege): A threat model methodology created by Microsoft to ensure Microsoft Windows developers incorporate security into the design phase of application development.
- VAST (Visual, Agile, and Simple Threat Modeling): A threat model methodology designed for scaling across both the organizational infrastructure and the entire Software Development Lifecycle (SDLC). It’s designed for integration with Agile projects and provides actionable outputs for various stakeholders, including developers, cybersecurity pros, and senior leadership. VAST also utilizes an application and infrastructure visualization scheme to encourage participation from non-SMEs (subject matter experts).
- PASTA (Process for Attack Simulation and Threat Analysis): A threat model methodology designed to merge technical requirements with business objectives. It uses an attacker’s perspective on potential threats and produces an asset-centric output.

Adversary Capability
Organizations implement threat models in large part to understand threats and how they might harm the organization. Our adversaries’ capabilities are characterized in terms of their resources, methods, and attack vectors.
- Resources: How much expertise do they have? How well funded are they? What technical resources can they employ? Adversarial resources can range from severely limited to national-level sophistication and strength.
- Methods: Are their methods simplistic or very sophisticated? Will our adversaries use someone else’s tools and malware, or will they develop their own specifically designed to attack us?
- Attack vectors: Will they use cyber-based attacks, human-based attacks, or both? Will they attack us directly or go after our supply chain, which can include our vendors, suppliers, partners, ISP, and customers? Will they exploit our physical security? Wi-Fi? E-mail?

Total Attack Surface
Threat modeling provides an opportunity for us to analyze our attack surface from the threat actor’s perspective. What is the total number of unlocked “doors” and “windows” in our business through which the bad guys could gain unauthorized entry? The total attack surface is the sum of all areas of our network, systems, or software that contain vulnerabilities accessible to threat actors for exploitation. With cloud computing, mobile, and IoT permeating our business and personal spaces, our attack surfaces have increased tremendously. The more surface area exposed to attackers, the greater the likelihood that we’ll experience a disastrous cyber attack.

Attack Vector
If total attack surfaces are the sum, attack vectors make up its parts. Attack vectors are individual pathways or methods by which threat actors can gain unauthorized access to systems. The threat intelligence collected from threat modeling will yield multiple cyber-based and human-based entrance points into our organization, a few of which you’ll find summarized here:
- Brute force: A trial-and-error process of guessing usernames, passwords, encryption keys, session ID numbers, and so on, in order to gain unauthorized access to a system.
- Buffer overflow: Occurs when more data is written to a memory buffer than it was designed to hold. This can lead to a cascading overflow effect that crashes a program or permits privilege escalation attacks against it.
- Cross-site scripting (XSS): Involves the injection of malicious scripts into a vulnerable website, which are then run by a victim who visits the website.
- Distributed denial of service (DDoS): Malicious attempt to disrupt or disable an application or hardware system from being able to provide its services. Typically achieved by overwhelming the target with traffic from hundreds or thousands of senders.
- Malicious insiders: Individuals inside an organization who may be current or former employees, contractors, vendors, or suppliers that intentionally breach organizational systems and data.
- Malware: Making up the majority of attack vectors used, malware is any kind of malicious software designed to compromise systems or data.
- Man in the middle: Attacks where adversaries secretly intercept and possibly alter the communications between two endpoints that believe they are directly communicating with each other.
- Misconfiguration: Poor hardware or software configurations that make it susceptible to compromise.
- Phishing: Malicious practice of sending legitimate-looking e-mails to individuals in order to solicit confidential info.
- Poor or missing encryption: Lack of cryptography or continuing to use an older cryptographic algorithm like DES, Blowfish, or MD5 increases the success rates of brute force attacks against data at rest, in use, and in transit.
- Ransomware: A malicious program that either restricts victims from accessing data, systems, or networks or threatens to publish confidential information unless the attacker is paid a “ransom.”
- Session hijacking: Practice of taking control of another user’s session to gain unauthorized access to the user’s account and data.
- SQL injection: A code injection attack in which the attacker inputs SQL code into a website form input box to gain access to unauthorized resources or make changes to sensitive data.
- Supply chain attack: A breach against any of your organization’s producers, vendors, warehouses, transportation companies, distribution centers, or retailers that leads to the compromise of your organization’s data.
- Vulnerabilities: Weaknesses in hardware, software, people, or processes that can be exploited by a threat actor.
- Weak credentials: A username, password, PIN, or other value used for identification that is easy to detect both by humans and computers.

Impact
With potential threats and attack vectors identified, threat modeling shifts toward the potential impacts such threat events can bring to the company. Impact describes the degree of damage or costs to the organization resulting from breaches. Organizations must carefully evaluate the degree of impact brought by threats in order to align security controls in the most urgent directions first. Here are some examples of organizational impacts:
- Breaches of legal, regulatory, or contractual requirements
- Classification level of impacted information (Confidential, Secret, Top Secret)
- Confidentiality, integrity, and availability requirements of breached assets
- Damage of organizational reputation
- Disruption of organizational plans and deadlines
- Loss of business and financial value

The table below originates from Federal Information Processing Standards (FIPS) Publication 199. It shows how these threat impacts are typically categorized as High, Moderate, or Low in terms of their effect on security objectives such as confidentiality, integrity, and availability.

TABLE: Potential Impact Definitions for Security Objectives (FIPS 199)
Likelihood
Potential impacts must be balanced against the likelihood of their occurring in the first place. Although an asteroid careening into our building would generate severe impact, that’s very unlikely to happen. Malicious port scanning is highly likely to occur, yet its immediate impact is minor or negligible. Impact or likelihood by themselves don’t mean much, but, taken together, they help clarify the degree of risk we should ascribe to threats.

Cross-Reference
Impact and likelihood are the two key components used when determining risk to an organization, a system, or even a business process. These two components, as well as risk, are covered much more in depth in Objective 5.2.
To better understand the likelihood of human threat actors, we must also determine their motivation. Malicious hackers always have one or more motivations for conducting their nefarious acts. These things don’t happen in a vacuum; therefore, you should consider the following motivations:
- Financial gain through information theft
- Espionage (competitor/nation-states)
- Egotistical or fun (challenge)
- Ideological (religious/political)
- Grudge (former employee/customer/partner)
Threat sources that are also important to plan for include natural disasters such as tornadoes, hurricanes, earthquakes, volcanoes, floods, tsunamis, blizzards, and wildfires. An organization’s region, proximity to a threat source, emergency procedures, awareness training, and facility structure, as well as the time of year, will play key roles in exposures caused by natural disasters.

Threat Intelligence Sharing with Supported Functions
Threat intelligence sharing involves organizations sharing their threat data with other businesses and groups in the global cybersecurity community. The latest threat data empowers businesses to make better decisions regarding defensive requirements, threat detection techniques, and remediation strategies. Plus, through the correlation and analysis of threat data from multiple sources, organizations can enhance existing threat information and make it more actionable.

Note: Organizations that receive threat data, use it to mitigate a threat, and share that data with others are helping to prevent the spread of that threat. Locally, it may not seem like much, but this process will allow organizations to better detect campaigns that target specific industry sectors, industries, or organizations.
For various reasons, including lack of awareness, resources, and know-how, most organizations shy away from threat intelligence sharing. Fortunately, the government and other non-profit groups are helping to create a more receptive threat intelligence sharing ecosystem through laws and alliances, as detailed here:
- Cybersecurity Information Sharing Act of 2015 (CISA): A federal law that seeks to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” It authorizes businesses to monitor and implement security defenses on their systems to counter cyber threats and provides certain protections to encourage companies to share IOCs and mitigations with the federal government, state and local governments, and other companies.
- Cyber Threat Alliance (CTA): A non-profit organization working to improve the cybersecurity of our global digital ecosystem by enabling near-real-time, high-quality cyber threat information sharing among companies and organizations in the cybersecurity field.
Threat intelligence sharing is accessible to all organizations, big and small, and generally occurs in two different ways:
- Unidirectional: Instance where intelligence sharing occurs in one direction only. For example, open-source and closed-source sharing groups generate and share intelligence, while other groups and individuals merely consume it. Many entities elect not to share any intelligence due to lack of resources, privacy and liability concerns, lack of expertise, belief of having nothing valuable to share, or not wanting to disclose or give the impression that they’ve been compromised.
- Bidirectional: Instance where intelligence sharing occurs in two directions. The best examples of this are the Information Sharing and Analysis Centers (ISACs) and other Information Sharing and Analysis Organizations (ISAOs). These industry and government-based sharing organizations both share intelligence and receive it from other partner organizations.

Incident Response
Incident response focuses on detecting and responding to cybersecurity incidents. Its reliance on cutting-edge threat data makes it a perfect candidate for the information received through threat intelligence sharing mechanisms. As updated threat data is fed into an organization’s security information and event management (SIEM) tool, such as Splunk Enterprise or LogRhythm, the organization can accelerate its incident response and recovery actions much earlier in an adversary’s attack cycle.

Vulnerability Management
Vulnerability management is the ongoing process of identifying, classifying, prioritizing, and remediating software vulnerabilities. Threat intelligence sharing is crucial to this effort through the acquisition of timely information on real-time threats, which helps improve detection and mitigation response times. The correlation of vulnerabilities found on your systems with real-time threats, known exploits, malware, and available software patches can save your organization considerable time with vulnerability remediation.

Scenario: Google Chrome Vulnerabilities
The Multi-State Information Sharing & Analysis Center (MS-ISAC) shared threat intelligence on February 25, 2020, about multiple vulnerabilities in Google Chrome that could allow for arbitrary code execution. It reported that CVE-2020-6418 (a Google Chrome vulnerability) was being exploited in the wild. The risks to government, businesses, and home users are outlined below.

TABLE: Risks to Government, Business, and Home Users
Recommended remediations are as follows (source: https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2020-025/):
- Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to reduce the effects of a successful attack.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Educate users regarding the threats posed by hypertext links contained in e-mails or attachments, especially from untrusted sources.
- Apply the principle of least privilege to all systems and services.
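The correlation the Vulnerability Management section describes, of scanner findings with exploitation intelligence, patch availability and NVD severity, as an added example that is not from the study guide or MS-ISAC. CVE-2020-6418 is the CVE the scenario cites; the `CVE-0000-*` ids, the CVSS values, the intel flags and the scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    host: str
    cvss: float  # NVD base score; the sample values below are constructed

# Constructed intel view. CVE-2020-6418 is the Chrome CVE from the scenario; the
# CVE-0000-* ids are placeholders standing in for other scanner findings.
INTEL = {
    "CVE-2020-6418": {"exploited_in_wild": True, "malware": True, "patch_available": True},
    "CVE-0000-0001": {"exploited_in_wild": False, "malware": False, "patch_available": True},
    "CVE-0000-0002": {"exploited_in_wild": True, "malware": False, "patch_available": False},
}

SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "web-01", 9.8),
    Finding("CVE-2020-6418", "ws-17", 8.8),
    Finding("CVE-0000-0002", "db-02", 7.5),
]

def nvd_severity(score):
    """CVSS v3 qualitative rating bands as published by NVD."""
    for limit, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return label
    return "Critical"

def priority_score(f, intel=INTEL):
    """CVSS plus intel boosts; the weights are an assumption to tune to your risk appetite."""
    info = intel.get(f.cve, {})
    score = f.cvss
    if info.get("exploited_in_wild"):
        score += 3.0  # active exploitation outranks theoretical severity
    if info.get("malware"):
        score += 1.0  # already weaponised, so exposure is broad
    if info.get("patch_available"):
        score += 0.5  # cheap to close, so pull it forward
    return round(score, 1)

def remediation(f, intel=INTEL):
    """'patch' when a fix exists, else 'mitigate' (least privilege, isolation, monitoring)."""
    return "patch" if intel.get(f.cve, {}).get("patch_available") else "mitigate"

def prioritize(findings, intel=INTEL):
    """Return (finding, score, severity, action) rows, most urgent first."""
    rows = [(f, priority_score(f, intel), nvd_severity(f.cvss), remediation(f, intel))
            for f in findings]
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Note how the exploited-in-the-wild CVE with a High base score outranks the Critical one with no known exploitation, which is the reordering threat intelligence buys over a CVSS-only queue.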

Risk Management
Threat intelligence plays an important role in an organization’s overall risk management strategy. The information gleaned from threat intelligence sharing can help inform the security controls selected by an organization during its risk management processes.
According to NIST SP 800-37 Rev. 2, risk management is the management of security and privacy risks to organizational operations, assets, individuals, and other affiliated organizations. It focuses on information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. In other words, risk management seeks to reduce all security risks to the organization to an “acceptable level.” Risk management processes can be broken down into seven unique phases:
- Prepare: Get the organization ready for risk management by identifying risk management roles and a risk management strategy, conducting a risk assessment, establishing baselines, identifying security controls, prioritizing organizational systems, and developing a continuous monitoring strategy.
- Categorize: Key organizational systems are identified and described, plus the organization’s security and privacy requirements are defined.
- Select: Security controls are selected, adapted, and documented for the protection of organizational systems.
- Implement: Selected security controls are implemented.
- Assess: Determine whether the selected security controls are implemented correctly and provide the desired security.
- Authorize: Executive leadership determines if the organization’s current security posture, resulting from the applied security controls, is acceptable and formally authorizes systems to operate if it is.
- Monitor: Continuously monitor the organization’s security posture and risk to determine whether changes have occurred or are needed, so that residual risk remains at the accepted level.

Security Engineering
Whereas cybersecurity analysis focuses more on the “offensive” side of security—identifying security issues, threat hunting, performing vulnerability assessments, and penetration tests—security engineering emphasizes the “defensive” aspects by constructing security solutions. Informed through the exchange of real-time threat information, organizations will respond by either enriching their existing security controls or implementing more “targeted defenses,” which include the following:
- Harden platforms or systems targeted by the latest threats by strengthening their configurations or installing patches.
- Install new security tools designed to counteract the attacks detailed in the latest threat reports.

Detection and Monitoring
Threat intelligence sharing enhances an organization’s detection and monitoring capabilities by allowing an organization to anticipate potential or real threats before they strike. Using shared threat information from reliable sources of threat intelligence, organizations can perform the following tasks proactively:
- Create custom IDS and firewall rules linked to real-time threat data
- Install more sensor equipment
- Utilize file integrity monitoring (FIM)
- Implement honeypots and honeynets
- Monitor access to specific files/URLs
- Implement log management technology/SIEMs
- Implement vulnerability scanners


Objective 1.2: Given a scenario, utilize threat intelligence to support organizational security

Attack frameworks are an important form of threat intelligence because they are well-known methodologies created by the cybersecurity industry to help us understand adversarial behaviors before, during, and after cybersecurity breaches. The MITRE ATT&CK, Diamond Model of Intrusion Analysis, and Cyber Kill Chain are some of the most popular attack frameworks that help cybersecurity professionals around the world analyze the tactics, techniques, and procedures of adversaries based on specific attack scenarios.
For more up-to-date information about potential and real threats, organizations conduct threat research to determine the reputations of threats, their behavioral characteristics, and known IOCs in order to strategize an effective cybersecurity response. Also, cybersecurity professionals research the vulnerabilities targeted by such threats by first determining the CVE ID number of the vulnerability and then determining the severity scores of the vulnerability through the NIST NVD.
Threat modeling allows you to examine your organization’s security from the hacker’s perspective. Various threat modeling methodologies exist, including OCTAVE, VAST, STRIDE, Trike, and PASTA. By employing these methodologies, you can better identify an adversary’s capabilities, your total attack surface, the attack vectors adversaries use, the impact that breaches could have on your organization, and the likelihood that a breach will occur in the first place.
Threat intelligence sharing, whether unidirectional or bidirectional, permits an organization to either share its threat knowledge with others or acquire others’ knowledge for itself. The information obtained from the collaborative efforts of threat intelligence sharing will help enhance your incident response procedures, vulnerability management, risk management, security engineering, and detection and monitoring capabilities.