killchain-compendium/Miscellaneous/Threat Intelligence/Isac.md

48 lines
2.6 KiB
Markdown
Raw Normal View History

2022-11-13 16:00:22 +01:00
# Threat Intelligence
Data must be analyzed to be considered threat intelligence. Once analyzed and actionable, then it becomes threat intelligence. The data needs context around to become intel.
__Cyber Thread Intelligence (CTI)__ is a precautionary measure that companies use or contribute to so that other corporations do not get hit with the same attacks. Of course, adversaries change their TTPs all the time so the TI landscape is constantly changing.
Vendors and corporations will sometimes share their collected CTI in what are called __ISACs__ or __Information Sharing and Analysis Centers__. __ISACs__ collect various indicators of an adversary that other corporations can use as a precaution against adversaries.
Threat Intelligence is also broken up into three different types.
* Strategic
* Assist senior management make informed decisions specifically about the security budget and strategies.
* Tactical
* Interacts with the TTPs and attack models to identify adversary attack patterns.
* Operational
* Interact with IOCs and how the adversaries operationalize.
## Advance Persistent Threats (APTs)
* https://www.fireeye.com/current-threats/apt-groups.html
## TTP
TTP is an acronym for Tactics, Techniques, and Procedures, but what does each of these terms mean?
* The __Tactic__ is the adversary's goal or objective.
* The __Technique__ is how the adversary achieves the goal or objective.
* The __Procedure__ is how the technique is executed.
TI is an acronym for Threat Intelligence. Threat Intelligence is an overarching term for all collected information on adversaries and TTPs. You will also commonly hear CTI or Cyber Threat Intelligence which is just another way of saying Threat Intelligence.
## Indicator of Compromise
* __IOCs__ is an acronym for __Indicators of Compromise__, the indicators for malware and adversary groups. Indicators can include file hashes, IPs, names, etc.
## Information Sharing and Analysis Centers (ISACs)
According to the National Council of __ISACs__, "Information Sharing and Analysis Centers (ISACs) are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators". ISACs can be community-centered or vendor-specific. ISACs include CTI from threat actors as well as mitigation information in the form of IOCs, YARA rules, etc. ISACs maintain situational awareness by sharing and collaborating to maintain CTI, through a National Council of ISACs.
* ISACs
* [US-CERT](https://us-cert.cisa.gov/)
* [AlienVault OTX](https://otx.alienvault.com/)
* [ThreatConnect](https://threatconnect.com/)
* [MISP](https://www.misp-project.org/)