
2 ) Threat Intelligence
8 questions • 9 months ago
  • The R.S.S.H Delivery Company

Question list

  • 1

Define and Categorize “Security and Threat Intelligence”:

- Define “Security Intelligence”:
      - The process where data is generated and is then collected, processed, analyzed, and disseminated to provide insights into the security status of information systems.
    - Define “Cyber Threat Intelligence”:
      - Investigation, collection, analysis, and dissemination of information about emerging threats and threat sources to provide data about the external threat landscape.
      - There are 2 forms of cyber threat intelligence:
        - Narrative Reports
        - Data Feeds
      - You don’t use narrative reports or data feeds… you use both!
      - Most security companies like McAfee, FireEye, Red Canary, and numerous others produce threat intelligence reports.

  • 2

Define and Categorize the “Intelligence Cycle”:

- Security intelligence is a process. This process includes:
      - Requirements (Planning & Direction):
        - This sets out the goals for the intelligence gathering effort.
        - What do we want to measure and collect?
      - Collection (& Processing):
        - This is implemented by software tools to gather data, which is then processed for later analysis.
        - The processing part is where we convert all the data into a standard format.
      - Analysis:
        - This is performed against the given use cases from the planning phase and may utilize automated analysis, A.I., and machine learning.
        - Results are sorted into three categories:
          - Known good
          - Known bad
          - Not sure
      - Dissemination:
        - Publishes information produced by analysts to consumers who need to act on the insights developed. This includes:
          - Strategic
          - Operational
          - Tactical
      - Feedback:
        - This aims to clarify requirements and improve the collection, analysis, and dissemination of information by reviewing current inputs and outputs. This includes:
          - Lessons learned
          - Measurable success
          - Evolving threat issues

  • 3

Define and Categorize “Intelligence Sources”:

- Factors used to evaluate sources:
      - Timeliness:
        - This ensures an intelligence source is up-to-date.
      - Relevancy:
        - This ensures an intelligence source matches its intended use case.
      - Accuracy:
        - This ensures an intelligence source produces effective results.
      - Confidence Level:
        - This ensures an intelligence source produces qualified statements about reliability.
        - Example of a scale: the MISP Project codifies the use of the admiralty scale for grading data and estimative language.
        - Looks at the reliability of the data and the quality of the information content.
    - There are three general sources of information:
      - Proprietary:
        - Threat intelligence is very widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee.
      - Closed-Source:
        - Data derived from the provider's own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers' systems, suitably anonymized.
      - Open-Source:
        - Data that’s available without subscription, which may include threat feeds, reputation lists, and malware signature databases.
        - Different sources of open-source intelligence:
          - US-CERT
          - UK’s NCSC
          - AT&T Security (OTX)
          - MISP
          - VirusTotal
          - Spamhaus
          - SANS ISC Suspicious Domains
    - Define a “Threat feed”:
      - This is a form of explicit knowledge, but implicit knowledge from experienced practitioners is also useful.
    - Define “Open-Source Intelligence (OSINT)”:
      - A method of obtaining information about a person or organization through public records, websites, and social media.

  • 4

Define and Categorize “Information Sharing and Analysis Centers (ISACs)”:

- This is a not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members.
    - Define the Cyber Security Information Sharing Partnership (C.I.S.P.):
      - This is similar to an ISAC, but set up within the UK.
    - ISACs exist in many areas, including:
      - Define Critical Infrastructure:
        - This is any physical or virtual infrastructure that is considered so vital to the United States that its incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these.
        - I.C.S., SCADA, and embedded system threats are a main focus within critical infrastructure.
      - Define Government:
        - Serves non-federal governments in the US, such as state, local, tribal and territorial governments.
      - Define Healthcare:
        - This serves healthcare providers that are targets of criminals seeking blackmail and ransom opportunities by compromising patient data records or interfering with medical devices.
      - Define Financial:
        - This serves the financial sector to prevent fraud and extortion of both the consumer and financial institutions.
      - Define Aviation:
        - This serves the aviation industry to prevent fraud, terrorism, service disruptions, and unsafe operations of air traffic control systems.

  • 5

Define and Categorize “Threat Intelligence Sharing”:

- Define “Risk Management”:
      - This identifies, evaluates, and prioritizes threats and vulnerabilities to reduce their negative impact.
    - Define “Incident Response”:
      - This is an organized approach to addressing and managing the aftermath of a security breach or cyberattack.
    - Define “Vulnerability Management”:
      - This is the practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.
    - Define “Detection and Monitoring”:
      - The practice of observing activity to identify anomalous patterns for further analysis.

  • 6

    PT 1 | What are the controls in I.S.O 27001:2022 that cover Threat Intelligence?

- 5.7: Threat intelligence (Organizational control)
      - This control requires organizations to collect and analyze information relating to information security threats to produce threat intelligence.
      - However, it's important to understand that threat intelligence isn't just about this single control.
      - Its effective implementation often involves and supports other controls within the standard. Here's how:
    - Clause 6.1: Risk Assessment
      - Threat intelligence directly feeds into the risk assessment process. By understanding current and emerging threats, organizations can better identify, analyze, and evaluate their information security risks.
      - The insights gained from threat intelligence help in determining the likelihood and impact of potential threats, leading to a more informed risk treatment plan.

  • 7

    PT 2 | What are the controls in I.S.O 27001:2022 that cover Threat Intelligence?

- 5.1: Information Security Policies
      - The organization's overarching information security policies should acknowledge the importance of threat intelligence and may outline the approach to collecting, analyzing, and disseminating threat-related information.
    - 6.3: Information Security Awareness, Education and Training
      - Threat intelligence can inform the content of security awareness programs, making them more relevant and timely by highlighting current threats and attack methods.
    - 5.24: Planning for Information Security Incident Management
      - Understanding potential threats through threat intelligence allows organizations to better anticipate the types of incidents that might occur and to develop more effective incident response plans.
    - 8.16: Monitoring Activities (Technological control)
      - Threat intelligence can inform what to monitor for in the organization's systems and networks, helping to detect malicious activities based on known threat patterns and indicators of compromise.
    - 8.9: Configuration Management (Technological control)
      - Insights from threat intelligence can help in making informed decisions about system configurations to mitigate known vulnerabilities and attack vectors.
    - 8.12: Data Leakage Prevention (Technological control)
      - Understanding the tactics and techniques used by threat actors to exfiltrate data can help in deploying more effective data leakage prevention measures.
    - Control 5.7: Threat intelligence
      - Mandates the establishment of a threat intelligence capability; the information derived from this capability should be used to inform and enhance various other security controls and processes within the ISMS.

  • 8

    PT 3 | What are the controls in I.S.O 27001:2022 that cover Threat Intelligence?

- ISO 27002:2022 provides further guidance on implementing Control 5.7 (Threat intelligence). It suggests that organizations should:
      - Establish objectives for the production of threat intelligence.
      - Select relevant sources for collecting threat information.
      - Analyze collected information in the context of the organization.
      - Integrate the results into the information security risk management process.
      - Identify actions to prevent and reduce the impact of threats.
      - Use threat analysis results to configure prevention and detection systems.
      - Communicate relevant threat information and risk reduction actions to stakeholders.
      - Consider exchanging threat intelligence with other organizations.
    - Control 5.7 (Threat intelligence):
      - Is the central control addressing threat intelligence; its effective implementation has implications and connections across numerous other controls within I.S.O. 27001:2022.
