Module 05 Enhanced Incident Detection With Threat Intelligence - Ocred

The document discusses the importance of Cyber Threat Intelligence (CTI) in enhancing incident detection and response for organizations. It outlines how CTI helps identify and mitigate various cyber threats, improve risk management, and automate security operations. Additionally, it categorizes threat intelligence into strategic, tactical, and operational types, each serving different organizational needs and decision-making processes.

Certified SOC Analyst

Module 05
Enhanced Incident Detection with Threat Intelligence
Certified SOC Analyst EXAM 312-39

MODULE OBJECTIVE
To let you understand the importance and use cases of threat intelligence for SOC analysts ... the burden of analyzing false positives from the exhaustive volume of ..., thus helping SOC analysts to ...

- Fundamental core concepts of Threat Intelligence
- Different Threat Intelligence sources from which intelligence can be obtained

Module 05 Page 573 Certified SOC Analyst Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Threat Intelligence is Critical for Achieving a Strong Security Posture

Threat Intelligence is required to enhance incident detection and response


Understanding Cyber Threat Intelligence


Cyber Threat Intelligence (CTI)

- Cyber Threat Intelligence (CTI) is defined as the collection and analysis of information about threats and adversaries and drawing patterns that provide an ability to make knowledgeable decisions for the preparedness, prevention, and response actions against various cyber-attacks
- It involves collecting, researching, and analyzing trends and technical developments in the area of cyber threats (i.e., cyber crime, hacktivism, espionage, etc.)
- Cyber threat intelligence helps the organization to identify and mitigate various business risks by converting unknown threats into known threats and helps in implementing various advanced and proactive defense strategies
- CTI, often presented in the form of Indicators of Compromise (IoCs) or threat feeds, provides evidence-based knowledge regarding an organization's unique threat landscape
- In Cyber Threat Intelligence (CTI), analysis is performed based on the intent, capability, and opportunity triad
- With the study of this triad, experts can evaluate and make informed, forward-leaning strategic, operational, and tactical decisions on existing or emerging threats to the organization

Cyber Threat Intelligence (CTI)

Threat intelligence, usually known as CTI, is defined as the collection and analysis of
information about threats and adversaries and drawing patterns that provide an ability to make
knowledgeable decisions for the preparedness, prevention, and response actions against various
cyber-attacks. It is the process of recognizing or discovering any "unknown threats" that an
organization can face so that necessary defense mechanisms can be applied to avoid such
occurrences. It involves collecting, researching, and analyzing trends and technical developments
in the field of cyber threats (i.e., cybercrime, hacktivism, espionage, etc.). Any knowledge about
threats that results in planning and decision-making in an organization to handle them is threat
intelligence. The main aim of CTI is to make the organization aware of existing or emerging
threats and prepare it to develop a proactive cybersecurity posture in advance, before these
threats could exploit it. This process, in which unknown threats are converted into possibly known
ones, helps in anticipating an attack before it happens and ultimately results in a better and
more secure system in the organization. Thus, threat intelligence is useful in achieving secure
data sharing and transactions among organizations globally.

The threat intelligence process can be used to identify the risk factors that are responsible for
malware attacks, SQL injections, web application attacks, data leaks, phishing, and denial-of-
service (DoS) attacks. Such risks, after being filtered out, can be put on a checklist and handled
appropriately. Threat intelligence is beneficial for an organization to handle cyber threats with
effective planning and execution along with thorough analysis of the threat; it also strengthens
the organization's defense system, creates awareness about impending risks, and aids in
responding to such risks.

Objectives of Threat Intelligence

- Enhanced and automated incident prevention
- Automation of security operations and remediation activities
- Guidance to cyber security activities
- Improved risk management
- Improved incident detection

Objectives of Threat Intelligence

Many organizations are using threat intelligence to enhance areas such as network security,
incident response, and risk management. Threat intelligence helps the SOC enhance, implement,
and manage various security controls to protect IT assets from emerging threats. The inclusion
of threat intelligence in cybersecurity programs can assist and improve the threat assessment
process and provide more accurate information on which security controls need to be
incorporated to thwart emerging threats in an enterprise environment.

Discussed below are the organizational objectives for threat intelligence:

- Enhanced and Automated Incident Prevention

Many organizations use threat intelligence to improve and automate their incident
prevention mechanisms. Organizations consume and analyze external threat intelligence
to improve internal security controls to thwart evolving threats.

- Automation of Security Operations and Remediation Activities

Organizations use threat intelligence to automate and enhance their security operations
and remediation activities. Threat intelligence guides organizations in the decision-
making process of cybersecurity investigations by focusing more on people and process
aspects.

- Guidance to Cybersecurity Activities

Many organizations establish a threat intelligence center or service to provide guidance
and monitor various cybersecurity activities of smaller sections within the organization.

- Improved Risk Management

Many organizations consume threat intelligence to improve the efficiency of the risk
management process. Threat intelligence is used to enhance risk management metrics and
mitigation strategies.

- Improved Incident Detection

In many organizations, the SOC utilizes threat intelligence to enhance incident detection
mechanisms in the organization's various security systems. Many malware detection
systems use threat intelligence to detect malicious files entering the organization's
network. SOC professionals use threat intelligence to identify internal threats by
extracting information such as IoCs, threat actors, and TTPs.

How Can Threat Intelligence Help Organizations

- With the innovative TTPs used by threat actors, cyber threats are becoming major risks to any business sector
- To thwart these threats, it is important for organizations to incorporate and leverage actionable threat intelligence to strengthen their current security posture

How Can Threat Intelligence Help Organizations

With the innovative TTPs, cyber threats are becoming major risks to any business sector. To
thwart these threats, it is important for organizations to incorporate and leverage actionable
threat intelligence to strengthen their current security posture.

Threat intelligence can be effectively leveraged to enhance the following areas of cybersecurity:

- Identify and Protect

o The monitoring of internal and external threats reveals unknown threats and
vulnerabilities that pose risks to the organization.
o Threat intelligence aids in adapting the current security strategy to the attacker's TTPs
to thwart evolving threats.
o A preparedness assessment helps organizations evaluate their capability to leverage
and operationalize threat intelligence.

- Detect

o Real-time threat monitoring and intelligence help organizations detect attacks
more rapidly and efficiently.
o Threat intelligence helps analysts discover and focus on attacks at an early stage
and reduces irrelevant and false-positive alerts.


o Reliable intelligence feeds provide indicators of threats that help organizations
uncover ongoing hidden intrusions.

- Respond

o Threat intelligence provides contextual information about attacks, including IoCs,
TTPs, etc., which helps organizations prevent propagation of the attacks, reduce the
impact caused, reduce the duration of the attack, and provide appropriate mitigations.
o Threat intelligence supports the decision-making process with relevant details, which
lead to enhanced incident response activities.

- Recover

o Threat intelligence helps detect and remove persistence mechanisms of threat actors, such
as malicious files installed on systems, leading to rapid and efficient recovery from
attacks.
o Incorporating threat intelligence helps organizations meet compliance
requirements.
o Threat intelligence, by prioritizing security investments, helps in enhancing the
existing security mechanisms.
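As an added illustration of the "Detect" points above and of the "Improved Incident Detection" objective earlier in this module (this is example code written for this edit, not material from the EC-Council course), the Python below indexes a small threat-intelligence feed of IoCs and matches the IP addresses, domains and file hashes found in log lines against it, carrying the actor and TTP context from the feed into each hit. The feed entries, actor names and log lines are all constructed placeholders; the technique labels are only the kind of context a feed ships and attribute nothing to any real campaign.

```python
"""Match a threat-intelligence IoC feed against log lines (added example).

Constructed for illustration only: the feed entries, actor names and log
lines below are placeholders, not real indicators or attributions.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed IoC feed with the context a real feed usually ships per
# indicator: its type, the actor it is attributed to and the technique.
IOC_FEED = [
    {"type": "domain", "value": "update-cdn.example.net",
     "actor": "EXAMPLE-ACTOR-1", "ttp": "T1568 Dynamic Resolution"},
    {"type": "ipv4", "value": "203.0.113.45",
     "actor": "EXAMPLE-ACTOR-1", "ttp": "T1071.001 Web Protocols (C2)"},
    {"type": "sha256", "value": "0123456789abcdef" * 4,
     "actor": "EXAMPLE-ACTOR-2", "ttp": "T1204.002 Malicious File"},
]

# Constructed log lines from three sources: web proxy, firewall and EDR.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z proxy src=10.0.0.12 host=update-cdn.example.net path=/a.php status=200",
    "2024-05-01T10:02:15Z fw action=allow src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2024-05-01T10:03:40Z edr host=WS-0012 event=file_create sha256=" + "0123456789ABCDEF" * 4,
    "2024-05-01T10:04:02Z proxy src=10.0.0.7 host=www.example.com path=/ status=200",
]

# Token extractors, one per indicator type carried by the feed.
_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Match:
    line: str
    ioc_type: str
    value: str
    actor: str
    ttp: str


def build_index(feed: List[dict]) -> Dict[str, Dict[str, dict]]:
    """Index the feed as {type: {lower-cased value: entry}} for O(1) lookups."""
    index: Dict[str, Dict[str, dict]] = defaultdict(dict)
    for entry in feed:
        index[entry["type"]][entry["value"].lower()] = entry
    return index


def extract_candidates(line: str) -> Dict[str, Set[str]]:
    """Pull every token that looks like an indicator out of one log line."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for ioc_type, pattern in _PATTERNS.items():
        for token in pattern.findall(line):
            if ioc_type == "ipv4":
                try:
                    ipaddress.IPv4Address(token)  # rejects e.g. 999.1.1.1
                except ValueError:
                    continue
            found[ioc_type].add(token.lower())  # normalise case (hashes, domains)
    return found


def match_line(line: str, index: Dict[str, Dict[str, dict]]) -> List[Match]:
    """Return one Match per feed indicator present in the line."""
    matches = []
    for ioc_type, tokens in extract_candidates(line).items():
        for token in sorted(tokens):
            entry = index.get(ioc_type, {}).get(token)
            if entry is not None:
                matches.append(Match(line, ioc_type, token, entry["actor"], entry["ttp"]))
    return matches


def scan_logs(lines: List[str], feed: List[dict]) -> List[Match]:
    """Enrich every line with the feed context of any IoC it contains."""
    index = build_index(feed)
    matches: List[Match] = []
    for line in lines:
        matches.extend(match_line(line, index))
    return matches


def hits_per_actor(matches: List[Match]) -> Dict[str, int]:
    """Several independent indicators attributed to one actor are stronger
    evidence than a single hit, so count hits per actor for triage."""
    counts: Dict[str, int] = defaultdict(int)
    for m in matches:
        counts[m.actor] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS, IOC_FEED)
    for m in hits:
        print(f"[{m.ioc_type}] {m.value} -> {m.actor} / {m.ttp}")
        print(f"    {m.line}")
    print("hits per actor:", hits_per_actor(hits))
```

Two design points matter for a SOC pipeline: indicators are normalised (lower-cased, IP addresses validated) before lookup so that a hash logged in upper case or a malformed address does not silently miss, and hits are counted per attributed actor, because two independent indicators from the same feed entry set converging on one host are far better grounds for escalation than a single match. A production version would additionally expire stale indicators and suppress matches on internal address ranges to keep the false-positive rate low.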

Types of Threat Intelligence - Strategic Threat Intelligence

- Strategic Threat Intelligence provides high-level information regarding cyber security posture, threats, and their impact on business
- It is consumed by high-level executives and management of the organization
- It is collected from sources such as OSINT, CTI vendors, ISAOs/ISACs, etc.
- It is generally in the form of a report that mainly focuses on high-level business strategies
- It is used by the management to take strategic business decisions and to analyze the effect of such decisions

Types of Threat Intelligence - Tactical Threat Intelligence

- Tactical threat intelligence provides information related to the threat actor's (attacker's) Tactics, Techniques, and Procedures (TTPs) used to perform attacks
- It is consumed by cyber security professionals such as IT service managers, security operations managers, administrators, architects, etc.
- The collection sources for tactical threat intelligence include campaign reports, malware, incident reports, attack group reports, human intelligence, etc.
- It is generated in the form of a report that includes highly technical information such as malware, campaigns, techniques, tools, etc.
- It helps cyber security professionals understand how the adversaries are expected to perform the attack on the organization, and the technical capabilities and goals of the adversaries along with their attack vectors

Types of Threat Intelligence - Operational Threat Intelligence

- It provides information about specific threats against the organization
- It is generally used by security managers or heads of incident response, network defenders, security forensics, and fraud detection teams
- It is collected from sources such as humans, social media, chat rooms, etc.
- It is generally in the form of a report that contains identified malicious activities, recommended courses of action, and warnings of emerging attacks
- It helps organizations understand the possible threat actors along with their intention, capability, and opportunity to attack, vulnerable IT assets, and the impact of the attack if it is successful
- It helps IR and forensics teams in deploying security assets with the aim of identifying and stopping upcoming attacks, improving the capability of detecting attacks at an early stage, and reducing the damage to IT assets

Types of Threat Intelligence - Strategic Threat Intelligence, Tactical Threat
Intelligence and Operational Threat Intelligence

Threat intelligence is contextual information that describes threats and guides organizations in
taking various business decisions. It is extracted from a huge collection of sources and
information. It provides operational insight by looking outside the organization and issuing alerts
on evolving threats to the organization. For better management of the information that is
collected from different sources, it is important to subdivide threat intelligence into different
types. This subdivision is performed based on the consumers and goals of the intelligence. Based
on the consumption of threat intelligence, it is divided into three types, namely strategic,
tactical, and operational threat intelligence. These three types differ in terms of data collection,
data analysis, and intelligence consumption.

- Strategic Threat Intelligence

Strategic threat intelligence provides high-level information regarding cybersecurity
posture, threats, details about the financial impact of various cyber activities, attack
trends, and the impact of high-level business decisions. This information is consumed by
high-level executives and management of the organization such as IT management and the
chief information security officer (CISO). It helps the management in identifying current
cyber risks, unknown future risks, threat groups, and attribution of breaches. The
intelligence obtained provides a risk-based view that mainly focuses on high-level
concepts of risks and their probability. It mainly focuses on long-term issues and provides
real-time alerts of threats on the organization's critical assets such as IT infrastructure,
employees, customers, and applications. This intelligence is used by the management to
take strategic business decisions and to analyze the effect of such decisions. Based on the
analysis, the management can allocate sufficient budget and staff to protect critical IT
assets and business processes.

Strategic threat intelligence is generally in the form of a report that mainly focuses
on high-level business strategies. Since the characteristic of strategic threat intelligence
is preeminent, the data collection also relates to high-level sources and requires highly
skilled professionals to extract the intelligence. This intelligence is collected from sources
such as open-source intelligence (OSINT), CTI vendors, and Information Sharing and
Analysis Organizations (ISAOs) / Information Sharing and Analysis Centers (ISACs).

Strategic threat intelligence helps organizations to identify similar incidents that
might have happened in the past, their intentions, or attribution to know the adversaries
of an attack, why the organization is within the scope of an attack, major attack trends,
and how to reduce the risk level.

Generally, strategic threat intelligence includes the following information:

o The financial impact of the cyber activity
o Attribution for intrusions and data breaches
o Threat actors and attack trends
o Threat landscape for various industry sectors
o Statistical information on data breaches, data theft, and malware
o Geopolitical conflicts behind various cyber-attacks
o Information on how adversary TTPs are changing over time
o Industry sectors that might be impacted by high-level business decisions

- Tactical Threat Intelligence

Tactical threat intelligence plays a major role in protecting the resources of the
organization. It provides information related to the TTPs used by threat actors (attackers) to
perform attacks. Tactical threat intelligence is consumed by cybersecurity professionals
such as IT service managers, security operations managers, network operations center
staff, administrators, and architects. It helps cybersecurity professionals understand
how the adversaries are expected to perform the attack on the organization, identify
information leakage from the organization, and the technical capabilities and goals of the
attackers along with the attack vectors. Using tactical threat intelligence, security
personnel develop detection and mitigation strategies beforehand by updating security
products with identified indicators, patching vulnerable systems, etc.

The collection sources for tactical threat intelligence include campaign reports, malware,
incident reports, attack group reports, human intelligence, etc. This intelligence is
generally obtained by reading white/technical papers, communicating with other
organizations, or purchasing intelligence from third parties. It includes highly technical
information such as malware, campaigns, techniques, and tools in the form of forensic
reports.

Tactical threat intelligence provides day-to-day operational support by helping analysts
assess various security incidents related to events, investigations, and other activities. It
also guides high-level executives of the organizations in arriving at strategic business
decisions.

- Operational Threat Intelligence

Operational threat intelligence provides information about specific threats against the
organization. It provides contextual information about security events and incidents that
helps defenders disclose potential risks, provides greater insight into attacker
methodologies, identifies past malicious activities, and supports investigations of malicious
activity in a more efficient way. It is consumed by security managers or heads of incident
response, network defenders, security forensics, and fraud detection teams. It helps
organizations understand the possible threat actors and their intention, capability, and
opportunity to attack; vulnerable IT assets; and the impact of the attack if it is successful.
In many cases, only government organizations can collect this type of intelligence, which
also helps IR and forensic teams in deploying security assets with the aim of identifying
and stopping upcoming attacks, improving the capability of detecting attacks at an early
stage, and reducing the damage to IT assets.

Operational threat intelligence is generally collected from sources such as humans, social
media, and chat rooms, and also from real-world activities and events that result in cyber-
attacks. Operational threat intelligence is obtained by analyzing human behavior, threat
groups, etc. This information helps in predicting future attacks and thus enhancing
incident response plans and mitigation strategies as required. Operational threat
intelligence is generally in the form of a report that contains identified malicious activities,
recommended courses of action, and warnings of emerging attacks.

Threat Intelligence Strategy

- Organizations develop the intelligence strategy based on their business requirement and risk level
- The components considered while developing an intelligence strategy are:
o Threat intelligence requirement analysis
o Intelligence and collection planning
o Asset identification
o Threat reports
o Threat trending
o Intelligence buy-in

Threat Intelligence Strategy (Cont'd)

Threat Intelligence Requirements Analysis
- The requirement analysis plays an important role in obtaining good quality information suitable for the organization
- Requirement analysis is performed to obtain relevant and most critical information before proceeding further
- It avoids the chance of getting irrelevant information and hence saves the time wasted on finding irrelevant information

Intelligence and Collection Planning
- The information collection planning is a systematic process carried out to meet intelligence requirements
- This process uses all the available collection capabilities so that it can meet the priority requirements of the decision maker

Threat Intelligence Strategy (Cont'd)

Asset Identification
- An organization has to plan for classifying the assets based on the identification of the critical assets
- The identification of the assets should be performed based on the risk level and the sensitivity of the assets

Threat Reports
- Threat reports are the statistics and research related to the cyber-attacks that have occurred around the world
- They are proof that supports the intelligence strategy

Threat Trending
- Threat trends are used to estimate and plan the future

Intelligence Buy-In
- Getting approval and gaining buy-in from the higher management to implement the strategy

Threat Intelligence Strategy

An intelligence strategy is developed to implement threat intelligence in organizations to
counter threats and reduce the damage. For developing any threat intelligence strategy,
there are three components: effective data sources, effective data analysis, and effective
policies and procedures.

Organizations need to develop the intelligence strategy based on their business requirement
and risk level. The intelligence strategy should contain information about which components
need to be protected and what the different plans to protect them are.

The following components are considered while developing an intelligence strategy for the
organization:

- Threat Intelligence Requirement Analysis

The requirement analysis is the primary task in the process of threat intelligence strategy
development. The requirement analysis plays a major role in obtaining good-quality
information that is suitable for the organization. As there are many sources that
provide intelligence to us, there is a chance that we could get irrelevant
information. In some cases, even if we get relevant information, some of it
might not be that important or might be beyond the analytical capacity of the
organization. To avoid such a scenario, requirement analysis and prioritization should be
performed to obtain the relevant and most critical information before proceeding further.


The threat intelligence requirements can be categorized into the following types:

o High-Level Requirements

These are the critical requirements, for example, obtaining threat intelligence
information from the countries with which we do business, from the sectors that are
doing the same business as we do, and from the critical business assets. These also
include crucial information about attackers who try to attack organizations and the
consumers who requested these intelligence details.

o Functional Requirements

Many factors come under this type of threat intelligence requirement analysis, such as
information about the external devices, internal devices, and attacks that become
more critical to the organization. The external devices could be servers and other
network infrastructure, and the critical attacks could be buffer overflow, DoS attacks,
and intellectual property exfiltration.

o Capability Requirements

In general, the intelligence that is obtained from organizations provides us more scope
and useful intelligence information to develop the requirements efficiently.
Information such as email logs, network logs, and centralized storage logs is useful in
developing the requirements.

In this way, the intelligence requirement analysis process is categorized and used for the
development of the threat intelligence strategy.

- Intelligence and Collection Planning

In English, there is a saying: "Failing to plan is planning to fail." This tells the
importance of planning to succeed in whatever task we do. This is applicable in the
case of CTI development as well; not having a well-planned approach could yield terrible
results.

The intelligence collection planning has five phases:

o Requirements

The resources that we collect for the intelligence should meet our demands. So, to
save time and avoid wastage of money, we need to identify the requirements for
the intelligence strategy. These identified requirements should meet the
purpose of the project and satisfy the decision-makers.

o Resources

The resources for the intelligence collection are identified, and the quality of these
resources is determined for the project by decomposing the resources into categories.
While collecting the resources, we have to proceed smoothly even if we face any
obstacles in the process.


o Prioritization

After identifying the requirements and determining the resources, we further have to
prioritize the collection that we have. The most critical and valuable resources should
be given more priority compared to the others.

o Tasking

The prioritized resources are assigned to the members for collecting the resources,
and it is the duty of the members to obtain the resources based on the priority.

o Evaluation

While the members are collecting the intelligence from the prioritized resources, the
higher authorities should observe the progress of the intelligence collection. They
should also ensure that the process is going on at a pace that meets the required
deadline. The members should support their higher authorities in tracking the
progress by mentioning the status of their collection and recording the status as one
of the following: completed, pending, canceled, on hold, or reassigned.

- Asset Identification

An organization has to plan for classifying the assets based on the identification of the
critical assets. This plan supports the process of implementing the threat intelligence-
based strategy in such organizations. The determination of the assets should be
performed based on the risk level and the sensitivity of the assets. Through this
classification of the critical assets, we protect them through a strategic approach.

Asset identification is broadly classified into the following types:

o Physical Assets

These are visible and can be touched; they are susceptible and
expensive assets. The physical assets of an organization could be computer systems,
storage devices, technical devices, networked devices, communication devices, etc.

o Nonphysical Assets

These are the assets that we cannot touch and feel. The nonphysical assets are
database information, archived information, applications, system software, etc.

Based on the above categorization, the critical assets have to be identified for an
organization.

- Threat Reports

These are the statistics and research related to the cyber-attacks that have happened
around the world. These statistics should be provided as proof to support the strategy
that we designed for an organization. The higher authorities may or may not approve the
strategic design and may not provide funding. These threat reports help the
nontechnical management understand the realities of what has been happening and
are ultimately useful for getting approval for the intelligence strategy with funding.


- Threat Trending

Cybersecurity attacks and their trends could be helpful for the development of the
strategy. The cybersecurity trends that happen around the world every year have to be
observed to develop the strategic plan. Along with this information, one's own experience and
the experiences of colleagues could also be utilized for developing the strategic plan.
After performing all these activities, it is always a good practice to validate the strategic
plan with experts in cybersecurity trends for further improvement.

- Intelligence Buy-In

The stage of getting approval for the threat intelligence strategy from the higher
management is not an easy task. We need to convince them regarding the efforts we put
into creating the strategy. Explain to them the journey we have gone through from intelligence
gathering to strategic plan validation, the phases involved in the strategic plan, the budget
expenses for implementing the plan, and the revenue gained through implementing the
threat intelligence plan. Also, explain the previous cyber-attacks or threats faced
by the organization, the significance of using this plan to face further attacks, and the
security controls that we implemented in this plan to overcome the high-risk transactions.

These best practices could help a lot in getting the budget for the strategy that we
have developed approved and in moving the management toward the intelligence buy-in.


Threat Intelligence Sources

The type of source selected should be relevant to the intelligence strategy.

Typical sources of intelligence are:

■ Open Source Intelligence (OSINT)
■ Human Intelligence
■ Counter Intelligence
■ Internal Intelligence

Threat Intelligence Sources

Intelligence can be obtained from a number of sources, but an efficient intelligence strategy
should rely on a minimal set of relevant sources. While choosing the sources, two points have
to be considered:

■ The intelligence from a particular source should help us in developing a long-term
intelligence strategy.

■ The intelligence from a particular source should be relevant to our plan.

Sources that do not satisfy the points mentioned above are better avoided. Intelligence can
be obtained from a wide variety of sources such as vendors, the government sector, and the
public sector. Typical sources of intelligence are:

■ Open Source Intelligence (OSINT)

■ Human intelligence

■ Counter intelligence

■ Internal intelligence


Open Source Intelligence (OSINT)

■ This is the intelligence collected from external open sources
■ The following are the sources of information that are defined as OSINT:
  o Daily newspapers        o Radio
  o Magazines               o Photos
  o Television              o Internet, etc.

Some of the techniques for Open Source Intelligence (OSINT):

■ Collecting Registration Records
■ Collecting Whois Records
■ Performing Domain Name Server (DNS) Lookup
■ Tracing route using Traceroute
■ Email Tracking
■ Web Enumeration
■ Document Metadata
■ Web Data Extraction
■ Dump Site Scraping
■ Performing Competitive Intelligence
■ Information collection using Search Engines
■ Information collection using Google Hacking Database (GHDB)
■ Information collection using People search, yellow pages
■ Information collection using Social Networking sites (SNS)
■ Information collection using Websites/Portals

Open Source Intelligence (OSINT)

Open source or passive information gathering is the easiest way to collect information about a
threat vector or a target organization. It refers to the process of gathering information from
open sources, that is, publicly available sources. Open sources may include newspapers,
television, social networking sites (SNSs), blogs, etc. Information is available from different
sources in a variety of ways; it is available through our day-to-day activities such as speaking
with people, reading newspapers, watching television, surfing the Internet, etc. This kind of
information gathering is also a part of intelligence development, and it is regarded as OSINT.
This type of intelligence gathering provides in-depth understanding at a low price.

The following are the sources of information that are defined as OSINT:

■ Daily newspapers, magazines, television, radio, etc.

■ Search engines, blogs, forums, social networks, etc.

Advantages of OSINT

The following are the advantages of OSINT:

■ It is available free of cost.
■ It is shareable with other firms.
■ It helps in providing awareness about critical information.


■ It could be used for legal proceedings.


Techniques for Open Source Intelligence

1. WHOIS Records

WHOIS is a query and response protocol used for querying databases that store the
registered users or assignees of an Internet resource, such as a domain name, an Internet
Protocol (IP) address block, or an autonomous system. The protocol listens for requests
on port 43 (TCP). Regional Internet Registries (RIRs) maintain WHOIS databases, which
contain the personal information of domain owners. For each resource, the WHOIS
database provides text records with information about the resource itself and the
relevant details of assignees, registrants, and administrative information (creation and
expiration dates).

Two types of data models exist to store and look up WHOIS information:

o Thick WHOIS—Stores the complete WHOIS information from all the registrars for the
particular set of data.
o Thin WHOIS—Stores only the name of the WHOIS server of the registrar of a domain,
which in turn holds complete details on the data being looked up.

An attacker queries a WHOIS database server to obtain information about the target
domain name, contact details of its owner, expiry date, creation date, etc., and the WHOIS
server responds to the query with the requested information. Using this information, an
attacker can create a map of the organization's network, trick domain owners with social
engineering, and then obtain internal details of the network.
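As an added example (not part of the courseware), the following Python parses WHOIS text records of the kind described above and turns the creation date into a domain-age signal, the check a SOC analyst typically applies to a domain first seen in mail or proxy logs. The response text, the field-name aliases and the 30-day threshold are constructed for the example; real registrars vary their layouts, and the Registrar WHOIS Server line illustrates the thin-WHOIS referral that points at the registrar holding the full record.

```python
"""Parse WHOIS text records and derive a domain-age signal.

Added example, not the courseware's own code. The WHOIS reply below is a
constructed sample in the common "Key: Value" layout; the parser accepts a
few field-name spellings per attribute because registrars differ.
"""
from datetime import datetime, timezone

# Constructed sample of a *thin* WHOIS reply: the registry only knows which
# registrar WHOIS server holds the full record (the "Thin WHOIS" model).
THIN_RESPONSE = """\
   Domain Name: EXAMPLE-CORP.TEST
   Registry Domain ID: 0000000000_DOMAIN_TEST-VRSN
   Registrar WHOIS Server: whois.registrar.example
   Registrar URL: http://www.registrar.example
   Updated Date: 2024-03-01T10:00:00Z
   Creation Date: 2024-02-27T09:12:45Z
   Registry Expiry Date: 2025-02-27T09:12:45Z
   Registrar: Example Registrar, Inc.
   Name Server: NS1.EXAMPLE-CORP.TEST
   Name Server: NS2.EXAMPLE-CORP.TEST
>>> Last update of whois database: 2024-03-02T00:00:00Z <<<
"""

# Constructed "current time" so the age computation is reproducible.
SAMPLE_NOW = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

# Assumed aliases; extend as needed for the registrars you actually query.
FIELD_ALIASES = {
    "referral": ("Registrar WHOIS Server", "Whois Server", "ReferralServer"),
    "created": ("Creation Date", "Created", "Registered On"),
    "expires": ("Registry Expiry Date", "Expiration Date", "Expiry Date"),
    "registrar": ("Registrar",),
}


def parse_whois(text):
    """Return {field_name_lower: [values...]} from a WHOIS text record."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines and registry banners/comments.
        if not line or line.startswith((">>>", "%", "#")):
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def get_field(fields, name):
    """First value found under any of the known aliases, or None."""
    for alias in FIELD_ALIASES[name]:
        values = fields.get(alias.lower())
        if values:
            return values[0]
    return None


def parse_date(value):
    """Accept the ISO-8601 forms registrars commonly emit."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            dt = datetime.strptime(value, fmt)
            return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def domain_age_days(fields, now):
    created = parse_date(get_field(fields, "created") or "")
    return None if created is None else (now - created).days


def summarize(text, now=None):
    """Reduce a WHOIS record to the attributes an analyst triages on."""
    fields = parse_whois(text)
    now = now or datetime.now(timezone.utc)
    age = domain_age_days(fields, now)
    return {
        "registrar": get_field(fields, "registrar"),
        "referral_server": get_field(fields, "referral"),  # thin-WHOIS pointer
        "expires": get_field(fields, "expires"),
        "name_servers": fields.get("name server", []),
        "age_days": age,
        # Constructed threshold: very recently registered domains are a
        # common indicator for phishing and C2 infrastructure.
        "newly_registered": age is not None and age < 30,
    }


if __name__ == "__main__":
    print(summarize(THIN_RESPONSE, now=SAMPLE_NOW))
```

For a thin record, the value under `referral_server` is the registrar server that must be queried next to obtain the registrant and contact fields; the age signal is already available from the registry reply.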

2. Regional Internet Registries (RIRs)

The RIRs include:

o AFRINIC (African Network Information Center)
Source: https://www.afrinic.net

AFRINIC is the RIR for Africa, responsible for the distribution and management of
Internet number resources such as IP addresses and autonomous system numbers
(ASNs) for the African region.

o ARIN (American Registry for Internet Numbers)
Source: https://www.arin.net

ARIN provides services related to the technical coordination and management of
Internet number resources. ARIN offers its services in three areas:
● Registration: Pertains to the technical coordination and management of Internet
number resources.
● Organization: Pertains to the interaction between ARIN members and
stakeholders and ARIN.


● Policy development: Facilitates the development of policy for the technical
coordination and management of Internet number resources in the ARIN region.
● ARIN also develops technical services to support the evolving needs of the Internet
community.

o APNIC (Asia Pacific Network Information Center)
Source: https://www.apnic.net

APNIC is one of five RIRs charged with ensuring the fair distribution and responsible
management of IP addresses and related resources that are required for the stable
and reliable operation of the global Internet.

o RIPE (Réseaux IP Européens Network Coordination Centre)
Source: https://www.ripe.net

RIPE NCC provides Internet resource allocations, registration services, and
coordination activities that support the operation of the Internet globally.

o LACNIC (Latin American and Caribbean Network Information Center)
Source: https://www.lacnic.net

LACNIC is an international nongovernmental organization responsible for assigning and
administering Internet numbering resources (IPv4, IPv6), ASNs, reverse resolution,
and other resources for the region of Latin America and the Caribbean.

3. Domain Name Server Lookup

DNS lookup reveals information about DNS zone data. DNS zone data include DNS domain
names, computer names, IP addresses, and much more about a particular network. An
attacker uses DNS information to determine key hosts in the network and then performs
social engineering attacks to gather even more information.

DNS interrogation tools such as DNSstuff.com enable users to perform DNS information
gathering. DNSstuff extracts DNS information about IP addresses, mail server extensions,
DNS lookups, WHOIS lookups, etc. It can extract a range of IP addresses utilizing an IP
routing lookup. If the target network allows unknown, unauthorized users to transfer DNS
zone data, then it is easy for an attacker to obtain the DNS information with the help of
a DNS interrogation tool.

When the attacker queries the DNS server using a DNS interrogation tool, the server
responds with a record structure that contains information about the target DNS. DNS
records provide important information about the location and type of servers.

4. Traceroute

Finding the route to the target host on the network is necessary to test against man-in-
the-middle attacks and other related attacks. Most operating systems come with a
traceroute utility to perform this task. It traces the path or route through which packets
travel to the target host in the network.


Traceroute uses the ICMP protocol and the TTL (Time to Live) field of the IP header to
find the path to the target host in the network.

The traceroute utility can detail the path IP packets travel between two systems. It can
trace the number of routers the packets travel through, the round-trip time in transiting
between two routers, and, if the routers have DNS entries, the names of the routers and
their network affiliation, as well as the geographic location. It works by exploiting a
feature of IP called TTL. The TTL field indicates the maximum number of routers a packet
may transit. Each router that handles a packet decrements the TTL field in the IP header
by one. When the count reaches zero, the router discards the packet and transmits an
error message to the originator of the packet.

The utility records the IP address and DNS name of that router and sends out another
packet with a TTL value of two. This packet makes it through the first router, then times
out at the next router in the path. This second router also sends an error message back
to the originating host. Traceroute continues to do this and records the IP address and
name of each router until a packet finally reaches the target host or until it decides that
the host is unreachable. In the process, it records the time it took for each packet to travel
round trip to each router. Finally, when the packet reaches the destination, the normal
ICMP ping response is sent back to the sender. Thus, this utility helps to reveal the IP
addresses of the intermediate hops in the route from the source to the target host.
How to Use the tracert Command

Go to the command prompt and type the tracert command along with the destination
IP address or domain name as follows:

C:\>tracert 216.239.36.10

Tracing route to ns3.google.com [216.239.36.10] over a maximum of 30 hops:

  1  1262 ms   186 ms   124 ms  195.229.252.10
  2  2796 ms  3061 ms  3436 ms  195.229.252.130
  3   155 ms   217 ms   155 ms  195.229.252.114
  4  2171 ms  1405 ms  1530 ms  194.170.2.57
  5  2685 ms  1280 ms   655 ms  dxb-emix-ra.ge6303.emix.ae [195.229.31.99]
  6   202 ms   530 ms   999 ms  drb-emix-rb.sol100.emix.ae [195.229.0.230]
  7   609 ms  1124 ms  1748 ms  iar1-so-3-2-0.Thamesside.cw.net [166.63.214.65]
  8  1622 ms  2377 ms  2061 ms  eqixva-google-gige.google.com [206.223.115.21]
  9  2498 ms   968 ms   593 ms  216.239.48.193
 10  3546 ms  3686 ms  3030 ms  216.239.48.89
 11  1806 ms  1529 ms   812 ms  216.33.98.154
 12  1108 ms  1683 ms  2062 ms  ns3.google.com [216.239.36.10]

Trace complete.
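The TTL mechanism described above, as an added example that is not the courseware's own code: a small Python model in which each simulated router decrements the TTL, the router that brings it to zero discards the probe and answers with ICMP Time Exceeded, and the destination answers the surviving probe with an Echo Reply. That sequence of replies is exactly what traceroute assembles into a hop list. The path, the addresses and the "silent" (filtered) hop are constructed for the example; the hop that answers nothing is the case traceroute prints as an asterisk.

```python
"""Model how traceroute discovers a path with the IP TTL field.

Added example, not the courseware's own code. The topology is constructed:
an ordered list of router addresses between the source and the destination,
plus an optional set of routers that drop expired probes without replying.
"""

TIME_EXCEEDED = "ICMP Time Exceeded"
ECHO_REPLY = "ICMP Echo Reply"

# Constructed path: the routers a probe crosses, in order, then the target.
PATH = ["10.0.0.1", "192.0.2.1", "198.51.100.7", "203.0.113.9"]
DEST = "203.0.113.42"


def forward(probe_ttl, path, dest, silent=frozenset()):
    """Model the network's handling of one probe sent with the given TTL.

    Every router decrements TTL by one. The router at which it reaches zero
    discards the probe and answers with ICMP Time Exceeded (unless it is in
    `silent`, in which case nothing comes back). A probe that survives every
    router reaches `dest`, which answers with an Echo Reply.
    Returns (reply_kind, responder_address) or None for no reply.
    """
    ttl = probe_ttl
    for router in path:
        ttl -= 1
        if ttl == 0:
            return None if router in silent else (TIME_EXCEEDED, router)
    return (ECHO_REPLY, dest)


def traceroute(path, dest, max_hops=30, silent=frozenset()):
    """Send probes with TTL 1, 2, 3, ... and record who answered each one."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward(ttl, path, dest, silent)
        if reply is None:
            hops.append((ttl, "*"))  # filtered hop: no error message returned
            continue
        kind, addr = reply
        hops.append((ttl, addr))
        if kind == ECHO_REPLY:
            break  # the destination itself answered; the path is complete
    return hops


def format_trace(hops):
    """Render hops as 'hop-number  address' lines, like the listing above."""
    return "\n".join(f"{ttl:3d}  {addr}" for ttl, addr in hops)


if __name__ == "__main__":
    print(format_trace(traceroute(PATH, DEST)))
    print("--- with a filtered hop ---")
    print(format_trace(traceroute(PATH, DEST, silent=frozenset({"192.0.2.1"}))))
```

The `max_hops` limit is what stops the loop when the destination never answers; a real traceroute additionally times each probe, which this model leaves out.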

5. Email Tracking

Email tracking monitors and tracks the emails of a particular user. This kind of tracking is
possible through digitally time-stamped records that reveal the date and time when the
target receives and opens a specific email. Using email tracking tools, an attacker can
collect information such as the IP addresses, mail servers, and service provider involved in
sending the mail. Attackers can use this information to build a hacking strategy. Examples
of email tracking tools include eMailTrackerPro, Paraben E-mail Examiner, etc.

Information gathered about the victim using email tracking tools:

o Recipient's system IP address: Allows the recipient's IP address to be tracked.

o Geolocation: Estimates and displays the location of the recipient on a map and may
even calculate the distance from the attacker's location.

o Email received and read: Notifies when the email is received and read by the
recipient.

o Read duration: The amount of time the recipient spent reading the mail sent by the
sender.

o Proxy detection: Provides information about the type of server used by the recipient.

o Links: Checks whether or not the links sent to the recipient through email have been
followed.

o Operating system and browser information: Reveals the operating system and
browser used by the recipient. The attacker can use this information to find
loopholes in that version of the operating system and browser in order to launch
further attacks.

o Forward email: Determines whether or not the email sent to the user is forwarded to
another person.
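Email tracking of the kind listed above works because the recipient's mail client fetches a remote image when the message is opened. The following added example (not from the courseware) shows how a mail gateway or an analyst can flag such tracking images in an HTML message before it reaches the user. The message, the hostnames and the parameter names are constructed, and the heuristics (tiny or CSS-hidden remote images, per-recipient tokens in the image URL, tracking-style hostnames) are assumptions that a real filter would tune to its own traffic.

```python
"""Flag email-tracking images in an HTML message body.

Added example, not the courseware's own code. The message below is
constructed; the heuristics are the ones commonly applied by mail gateways:
remote images that are tiny or hidden, and image URLs carrying a recipient
token so that the sender can tell who opened the mail.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed HTML email: one legitimate logo and two tracking images.
SAMPLE_EMAIL = """\
<html><body>
<p>Your invoice is attached.</p>
<img src="https://cdn.example-newsletter.test/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example-newsletter.test/open?u=7f3a9c&amp;c=42" width="1" height="1">
<img src="https://track.example-newsletter.test/px.gif" style="display:none;width:0">
<a href="https://www.example-newsletter.test/unsubscribe">Unsubscribe</a>
</body></html>
"""

# Assumed query-parameter names that typically identify a recipient.
TOKEN_PARAMS = {"u", "uid", "id", "rid", "cid", "c", "token", "email", "e"}
# Assumed hostname labels that advertise a tracking endpoint.
TRACKING_LABELS = {"track", "open", "pixel", "beacon"}


class ImageCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height attributes of 1px or less."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def classify_image(attrs):
    """Return the list of tracking indicators that apply to one <img>."""
    reasons = []
    if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
        reasons.append("1x1 image")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "width:0" in style or "height:0" in style:
        reasons.append("hidden via CSS")
    parsed = urlparse(attrs.get("src", ""))
    if parsed.scheme in ("http", "https"):
        if TOKEN_PARAMS & set(parse_qs(parsed.query)):
            reasons.append("per-recipient token in URL")
        host_label = (parsed.hostname or "").split(".")[0]
        if host_label in TRACKING_LABELS:
            reasons.append("tracking-style hostname")
    return reasons


def find_tracking_images(html):
    """Return [(src, reasons), ...] for every image that looks like a tracker."""
    collector = ImageCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        reasons = classify_image(img)
        if reasons:
            findings.append((img.get("src", ""), reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_tracking_images(SAMPLE_EMAIL):
        print(src, "->", ", ".join(reasons))
```

Blocking remote image loading by default, which most mail clients can enforce centrally, defeats all of these trackers at once; the classifier is useful for deciding which senders are doing it and for enriching phishing triage.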

6. Web Enumeration

Enumeration is an important process for obtaining the intelligence information mentioned
above. The Hypertext Transfer Protocol (HTTP) is used by the World Wide Web to display
and distribute information. A client usually sends a request, and the server duly responds.
Access to specific information over HTTP is typically by means of user-supplied uniform
resource locators (URLs). DNS then looks up the host in the URL and translates it to the
corresponding IP address, and the message is sent to the server. HTTP uses TCP port 80
and HTTPS uses TCP port 443 as their communication channels. An AS-number browser
extension displays the Internet Service Provider of every website visited along with some
additional information. All the data are updated daily, and the prefix-to-AS-number
mapping is taken from a real DFZ BGP feed.


7. Document Metadata

A Word document can yield further information: for example, when the "Track Changes"
feature is used, we can recover data such as removed comments, deleted text, etc. As this
information can be sensitive, the metadata has to be secured from illegal access by
others. For this purpose, there is a concept called document sanitization, which protects
the information from unauthorized access.

In MS Office Word documents, the metadata can be found in the File | Properties section
of the file. It provides different information about the file, such as when and where it
was created, when it was last modified, etc. In the case of a PDF, the metadata can be
found in the File | Document Properties section of the PDF file.

The type of information obtained through metadata is useful for developing intelligence
gathering. Information such as when the document was created or modified indicates the
time at which an incident/event happened. In some cases, we can even identify the type of
device that was used and which OS was running on that device when the document was
created.
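As an added example (not the courseware's own code), the following Python shows where the metadata named above actually lives in a Word document and what document sanitization does to it. Office Open XML files (.docx, .xlsx, .pptx) are ZIP containers whose author and timestamp properties sit in docProps/core.xml; the container built here is a minimal constructed one, not a real document, and the property values in it are invented.

```python
"""Inspect and sanitize Office document metadata (docProps/core.xml).

Added example, not the courseware's own code. OOXML documents are ZIP
containers; the creator, last-modified-by and timestamp fields the text
refers to live in docProps/core.xml. A minimal container is constructed in
memory so the example runs without a real file.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Properties to report and to clear; the keys are this example's own names.
FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}

# Constructed core.xml in the layout Word writes (values are invented).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>j.doe</dc:creator>
  <cp:lastModifiedBy>DESKTOP-FIN01\\j.doe</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2024-01-15T08:30:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2024-01-16T17:05:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)


def build_sample_docx():
    """Return bytes of a minimal constructed .docx-style ZIP container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", "<w:document/>")  # body placeholder
    return buf.getvalue()


def read_metadata(docx_bytes):
    """Return {field: value-or-None} from docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    meta = {}
    for name, path in FIELDS.items():
        el = root.find(path, NS)
        meta[name] = el.text if el is not None else None
    return meta


def sanitize(docx_bytes):
    """Return a copy of the container with the author/timestamp fields cleared.

    Every other part is copied through unchanged, so the document body is
    not affected; only core.xml is rewritten.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for path in FIELDS.values():
                    el = root.find(path, NS)
                    if el is not None:
                        el.text = ""  # keep the element, drop its value
                data = ET.tostring(root, encoding="UTF-8")
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", read_metadata(original))
    print("after: ", read_metadata(sanitize(original)))
```

The same inspection works on a real .docx by reading the file's bytes; a complete sanitizer would also clear docProps/app.xml (application and company fields) and accept or reject tracked changes and comments in the document body.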
8. Dump Site Scraping

Web scraping is the process of extracting the content of web pages to obtain information.
The contents of the web pages can further be exported into Excel sheets. Useful
information such as URLs, usernames, and phone numbers can be obtained and utilized
for intelligence gathering.

To prevent scraping, some sites restrict scraping bots from extracting their content.
There are various ways of scraping a web page, as discussed below:

o Manual process: This is an efficient process for scraping a web page, as the user
decides what type of information is required and simply copies and pastes it into
the system. It is the best option when websites restrict web scrapers from
extracting content. However, it is a very slow process and requires patience to
examine all the web pages on a website.

o Text pattern matching: Here, we provide a sample text of a certain length and match
it against the content of the web page; any content on the page that matches the
string we provide is extracted from the page. This extraction is performed with
purpose-built tools.

o HTTP programming: HTTP requests for particular information from the web pages are
made to the web server using socket programming. The result contains static as well
as dynamic web pages from the web server.

o Vertical harvesting: Many organizations have developed vertical harvesting bots to
monitor web applications for specific verticals without requiring human interaction.
These vertical bots retrieve the right amount of information and extract it from
hundreds of websites.


o Semantic annotation recognizing: The web pages being scraped carry metadata
about the pages, which is used for identifying a particular type of data.

o Computer vision-based analysis: Computer vision combined with machine learning
is used to extract the contents of web pages through the page's visual rendering, as
a human does.
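The text pattern matching method from the list above, as an added Python example that is not part of the courseware: regular expressions pull email addresses, URLs and phone numbers out of a page's visible text, and the scrape is first gated on the site's robots.txt, which is the mechanism sites use to restrict scraping bots. The page, the robots.txt and the patterns are constructed for the example; an organization can run the same extraction against its own public pages to see which contact details it exposes to scrapers.

```python
"""Text-pattern scraping of a web page, gated by the site's robots.txt.

Added example, not the courseware's own code. Both the robots.txt and the
page are constructed inline. The patterns are deliberately simple; a
production scraper would use a tolerant HTML parser and stricter patterns.
"""
import re
from urllib.robotparser import RobotFileParser

# Constructed robots.txt: the site lets bots read everything except two paths.
ROBOTS_TXT = """\
User-agent: *
Disallow: /staff/
Disallow: /internal/
Allow: /
"""

PAGE_URL = "https://www.example-corp.test/contact"

# Constructed page (invented organization and contact details).
PAGE_HTML = """\
<html><body>
<h1>Contact us</h1>
<p>Sales: <a href="mailto:sales@example-corp.test">sales@example-corp.test</a></p>
<p>Support hotline: +1 555-0134 (Mon-Fri)</p>
<p>Our blog: https://blog.example-corp.test/posts/2024-roadmap</p>
<p>Jane Doe, IT administrator: jane.doe@example-corp.test, ext. 555-0199</p>
</body></html>
"""

# The "sample text" patterns that the text pattern matching method matches
# against page content; each is an assumption tuned to the sample above.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "phone": re.compile(r"(?:\+\d{1,3}[ -])?\d{3}-\d{4}\b"),
}


def scraping_allowed(robots_txt, url, user_agent="*"):
    """Apply the site's robots.txt rules to the URL we intend to fetch."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(user_agent, url)


def strip_tags(html):
    """Reduce markup to visible text (tags become whitespace)."""
    return re.sub(r"<[^>]+>", " ", html)


def extract_patterns(html):
    """Return {kind: sorted unique matches} from the page's visible text."""
    text = strip_tags(html)
    return {kind: sorted(set(p.findall(text))) for kind, p in PATTERNS.items()}


def scrape(robots_txt, url, html):
    """Extract patterns only if robots.txt permits fetching the URL."""
    if not scraping_allowed(robots_txt, url):
        return None
    return extract_patterns(html)


if __name__ == "__main__":
    print(scrape(ROBOTS_TXT, PAGE_URL, PAGE_HTML))
    print(scrape(ROBOTS_TXT, "https://www.example-corp.test/staff/directory", PAGE_HTML))
```

Running this against your own site is a quick exposure check: anything the extractor returns from a public page is available to every scraper, and the robots.txt gate only deters well-behaved bots, so sensitive staff directories need authentication rather than a Disallow line.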
9. Search Engines

A search engine searches for information on the World Wide Web and returns search
engine results pages (SERPs). Many search engines can surface target organization
information such as technology platforms, employee details, login pages, intranet portals,
etc. Using this information, an attacker may build a hacking strategy to break into the
target organization's network and may carry out other types of advanced system attacks.
A Google search could reveal submissions to forums by security personnel that reveal the
brands of firewalls or antivirus software in use at the target. Attackers sometimes even
discover network diagrams, which enable them to launch an attack.

10. Google Hacking Database

The Google search engine is used for retrieving the information we need. But we should
be aware that the Google search engine can be used for hacking attacks as well. There
are cases where attackers compromised resources using only the Google search data
they obtained. Google dorks are used to filter the results from the Google search engine
and discover vulnerabilities and sensitive information.

Because of the capability of Google dorks, Google hacking came to be treated as an
OSINT tool for gathering intelligence. But searching with Google dorks is not as easy as
using other OSINT resources; it takes a lot of effort to search the Internet and narrow the
results by eliminating irrelevant ones. The information that can be obtained through
Google dorks includes administrator login credentials, usernames and their passwords,
flaws in websites, bank details, sensitive information, etc.

Advanced Google Hacking refers to the art of creating complex search engine queries.
Proper queries can retrieve valuable data about a target company from the Google search
results. Through Google Hacking, an attacker tries to find websites that are vulnerable to
numerous exploits and vulnerabilities. Attackers can use the Google Hacking Database, a
database of queries, to identify sensitive data. Google operators help in finding required
text and avoiding irrelevant data. Using advanced Google operators, attackers locate
specific strings of text, such as specific versions of vulnerable web applications. When a
query without advanced search operators is specified, Google looks for the search terms
in any part of the webpage, including the title, text, URL, etc. To confine a search, Google
offers advanced search operators. Advanced search operators help to narrow down the
search query and get the most relevant and accurate output.

The syntax to use an advanced search operator is: operator:search term
Note: Do not enter any spaces between the operator and the query.


Some of the popular Google advanced search operators include:

o site: This operator restricts search results to the specified site or domain.
For example, the [games site:www.example.com] query gives information on games
from the example site.

o allinurl: This operator restricts results to only those pages containing all the query
terms specified in the URL.
For example, the [allinurl: google career] query returns only those pages containing
the words "google" and "career" in the URL.

o inurl: This operator restricts the results to only those pages containing the word
specified in the URL.
For example, the [inurl:copy site:www.google.com] query returns only those pages
on the Google site in which the URL has the word "copy."

o allintitle: This operator restricts results to only those pages containing all the query
terms specified in the title.
For example, the [allintitle: detect malware] query returns only those pages
containing the words "detect" and "malware" in the title.

o intitle: This operator restricts results to only those pages containing the specified term
in the title.
For example, the [malware detection intitle:help] query returns only those pages that
have the term "help" in the title and the terms "malware" and "detection" anywhere
within the page.

o inanchor: This operator restricts results to only those pages containing the query
terms specified in the anchor text on links to the page.
For example, the [Anti-virus inanchor:Norton] query returns only those pages with
anchor text on links to the pages containing the word "Norton" and the page
containing the word "Anti-virus."

o allinanchor: This operator restricts results to only those pages containing all query
terms specified in the anchor text on links to the page.
For example, the [allinanchor: best cloud service provider] query returns only those
pages in which the anchor text on links to the pages contains the words "best,"
"cloud," "service," and "provider."

o cache: This operator displays Google's cached version of a web page instead of the
current version of the web page.
For example, [cache:www.eff.org] will show Google's cached version of the Electronic
Frontier Foundation home page.

o link: This operator searches for websites or pages that contain links to the specified
website or page.


For example, [link:www.googleguide.com] finds pages that point to Google Guide's
home page.

Note: According to Google's documentation, "you cannot combine a link: search with
a regular keyword search."

Also note that when you combine link: with another advanced operator, Google may
not return all the pages that match.

o related: This operator displays websites that are similar or related to the URL
specified.
For example, [related:www.microsoft.com] provides the Google SERP with websites
similar to microsoft.com.

o info: This operator finds information for the specified web page.
For example, [info:gothotel.com] provides information about the national hotel
directory GotHotel.com home page.
11. People Search, Yellow Pages

People-search sites and the yellow pages have become a good source for intelligence
gathering. They mainly provide details about people and sometimes even their sensitive
information. These websites are useful for finding email addresses, phone numbers, home
addresses, and more. Many online people-search services are available that help to find
people. Examples of such people-search services include pipl, AnyWho, etc.

Many individuals use online people-search services to obtain people's names, addresses,
and contact details. Some online people-search services may also reveal the type of work
an individual does, businesses owned by a person, contact numbers, company email
addresses, cellphone numbers, fax numbers, dates of birth, personal email addresses, etc.
This information proves to be highly beneficial for attackers in launching attacks.

12. Social Networking Sites

Searching for people on SNSs is easy. Social networking services are online services,
platforms, or sites that focus on facilitating the building of social networks or social
relations among people. These websites contain the information that users provide in their
profiles. They help to directly or indirectly relate people to each other through various
fields such as common interests, work location, educational communities, etc.

SNSs allow people to share information quickly and efficiently, as they can update these
sites in real time. The sites allow users to post facts about upcoming or current events,
recent announcements and invitations, etc. SNSs are a great platform for searching for
people and their related information. By searching for people on social networking
services, we can gather critical information.


Following are examples of SNSs:

o LinkedIn

LinkedIn is an SNS for professionals. It allows a user to find people by name, keyword,
company, school, etc. Searching for people on LinkedIn returns information such as
name, position, organization name, current location, and educational qualifications.

o Facebook

Facebook is an SNS where users can connect with their friends, colleagues, people
living around them, and others with whom they are affiliated. A user can also find
professional information such as the company or business they work for, current
location, phone number, email ID, photos, videos, etc. It allows searches by username
or email address.

o Twitter

Twitter is a social networking service that allows people to send and read text
messages (tweets). People increasingly use Twitter to share advice, news, concerns,
opinions, rumors, facts, etc. Posted tweets are public and are available for mining.

13. Websites/Portals, Web Data Extraction

Valuable information about the operating system, software versions, the company's
infrastructure details, and the database schema of an organization can be obtained by
performing footprinting on various job sites using different techniques. Many
organizations' websites provide recruiting information on a job posting page that, in turn,
reveals hardware, network-related information, and technologies used by the company
(e.g., firewall, internal server type, OS used, network appliances, etc.). Also, the website
may have a key employee list with email addresses. All this information may prove to be
a beneficial resource. For example, if an organization advertises a network administrator
job, it posts the requirements related to that position.

Desired topics that need to be searched are shown below:

o Job requirements
o Employee's profile
o Hardware information
o Software information

Examples of job portal sites that provide the information are shown below:

o http://www.linkedin.com
o http://www.monster.com
o http://www.careerbuilder.com
o http://www.dice.com
o http://www.simplyhired.com

o http://www.indeed.com
o http://www.usajobs.gov

Many Internet users take advantage of blogs, groups, and forums for knowledge-sharing
purposes. Therefore, we focus on groups, forums, and blogs to find information.
Organizations do not monitor the information that employees reveal to other users in
forums, blogs, and group discussions. Employee information that an attacker can gather
from groups, forums, and blogs might include:

o Full name of the employee
o Place of work and residence
o Home telephone, cell number, or office number
o Personal and organizational email address
o Pictures of the employee's residence or work location that include identifiable
information
o Pictures of employee awards and rewards or upcoming goals

14. Competitive Intelligence

Competitive intelligence gathering is the process of identifying, gathering, analyzing,
verifying, and using information about your competitors from resources such as the
Internet. Competitive intelligence means understanding and learning about other
businesses in order to become as competitive as possible. It is non-interfering and subtle
in nature compared to the direct intellectual property theft carried out through hacking
or industrial espionage. It concentrates on the external business environment. In this
method, professionals gather information ethically and legally instead of gathering it
secretly. Competitive intelligence helps in determining:

o What the competitors are doing
o How competitors are positioning their products and services

Companies carry out competitive intelligence either by employing people to search for
the information or by utilizing a commercial database service, which can be lower in cost.


Human Intelligence

■ Human intelligence is also known as HUMINT. It is the process of gathering information from different
human sources through human contact

■ Information can be collected through many resources such as by having conversations, social engineering,
or obtaining sensitive information through secret detection and spying

Human Intelligence
Human intelligence (HUMINT) can be obtained through many resources, such as by having
conversations, obtaining sensitive information through secret detection, and spying.
Collecting information from human beings depends upon their nature, such as their emotions
and attitude. The nature of people is not the same for all, and it even changes over time; so
to get effective HUMINT, we should understand them first and approach them accordingly.

Some people provide information without any effort, but some hesitate to reveal it, and it
takes more time to gather the information. Ultimately, however, successful HUMINT can produce
a large amount of quality information. HUMINT is one of the crucial sources in developing
threat intelligence strategies.
Social Engineering
Social engineering is the art of convincing people to reveal sensitive information in order to
perform some malicious action. Despite having security policies in place, attackers can
compromise an organization's sensitive information by means of social engineering, as it
targets the weakness of people.

Most often, employees are not even aware of a security lapse on their part and reveal the
organization's critical information inadvertently. Some examples include unwittingly answering
the questions of strangers and replying to spam email.

To succeed with the attack, attackers take special interest in developing social engineering skills
and can be so proficient that the victims might not even notice the scam. Attackers always look
for new ways to access information. They will ensure that they know the organization's perimeter
and the people on the perimeter, for example, security guards, receptionists, and help-desk
workers, in order to exploit human oversight. People have conditioned themselves not to be overly
suspicious; they associate certain behavior and appearances with known entities. For instance, a
man dressed in a uniform and carrying a stack of packages for delivery might lead anyone to
assume that he is a delivery person.

With the help of social engineering tricks, attackers can obtain confidential information,
authorization details, and access details of people by deceiving and manipulating them.

Social engineering is regarded as the most popular intelligence gathering technique. There are
various techniques available for intelligence gathering, such as dumpster diving, eavesdropping,
shoulder surfing, etc.

Counter Intelligence

▪ Counter intelligence is usually designed to mislead the attacker to the wrong path to protect the system, and it can also be used to find out more information about the attacker

▪ A honeypot is an example of counter intelligence

▪ There are three different categories of counter intelligence:

o Collective counter intelligence

o Offensive counter intelligence

o Defensive counter intelligence

Counter Intelligence
Counter intelligence is the process of intelligence gathering to protect ourselves from espionage
and other intelligence attacks. It is usually designed to mislead the attacker to the wrong path to
protect the system, and it can also be used to find out more information about the attacker.
Counter intelligence can be used for both offensive and defensive purposes. Offensive
counter intelligence refers to attacking the attacker once we learn through intelligence
that he/she is trying to compromise our infrastructure, whereas defensive counter
intelligence refers to using the intelligence solely to protect ourselves from the attacker. The
process of collecting information from adversaries through counter intelligence is
known as collective counter intelligence.

Internal Intelligence

▪ Internal intelligence involves gathering intelligence from the internal employees who are well aware of cyber threats

▪ The employees can be a good source of gathering intelligence

▪ The event monitoring solutions, like SIEM tools, can also help in internal intelligence

▪ Some of the ways of internal intelligence are as follows:

o Employee monitoring

o Behavior monitoring

o Background verification

Internal Intelligence
Internal intelligence is the intelligence gathered from internal employees who are well aware
of cyber threats. Whenever an unexpected incident or anonymous phishing attack occurs,
the employees have to identify it and, instead of replying to the email or facing the security
incident, report it to the security team. In this regard, organizations have to provide
proper awareness about security concepts to both technical and nontechnical employees.
This helps organizations handle and respond to security incidents efficiently. The
employees are a good source of intelligence about internal threats and incidents.

Apart from the employees, event monitoring solutions like SIEM tools also provide huge
volumes of intelligence information about our organization. IoCs and honeypots are also
good sources for gathering internal intelligence.

▪ Employee Monitoring

Employee monitoring is a common process in organizations and is performed for various
reasons, including the probability that some employees may try to sell trade secrets
to competitors or that some employees are not performing well in their work. In both
situations, organizations monitor the activities of employees who are found to be
suspect. There are various ways an employee can be monitored; a few of
them are discussed below:

o Phone tapping: Organizations tap the phone conversations of suspected
employees; the numbers they have dialed/received, the duration of the calls, etc. are
monitored.

o Video surveillance: Video surveillance is a good practice for monitoring the activities
of employees.

o Internet usage: It is found that most employees spend more time surfing the
Internet for online shopping, social networking, etc. than on their actual work. An
organization's first choice of monitoring is therefore the Internet usage of its employees.

o Email: Most organizations monitor the email transactions of their employees,
as these provide crucial information about the employees.

Advantages of Employee Monitoring

o As there is surveillance in the office, employees do not waste their office time on
other activities.

o Employees will always be alert and try to reduce the errors that they
usually make.

o Because employees are monitored, they do not misbehave toward their
colleagues, especially toward women employees (in the case of male employees).

o The work environment becomes more transparent than it was before.

o The security of the office is increased.

Disadvantages of Employee Monitoring

o It reduces the good relationship between employees and management, as
employees feel that management does not trust them.

o This kind of monitoring may put an extra load of pressure on employees.

o The feeling of insecurity and the pressure felt by employees may affect retention.
▪ Behavior Monitoring

There is a popular business adage that says "People are hired for their talents and fired
for their behavior!" Apart from activity monitoring, it is critical to monitor the behavior of
employees. Organizations use employee behavior monitoring tools to perform
this task. Behavior monitoring provides a good understanding of internal threats.

▪ Background Verification

A background check is a review of a person's commercial, criminal, and (occasionally)
financial records. Background checks are quite common; in fact, some surveys show that
up to 70% of employers require employees to undergo background checks before hiring.

Organizations perform background verification for the employees they hire.
The reason for this verification is to make sure that the employees have no
criminal background and are not involved in any crime-related activities. These
background verifications are common and used to know the nature of the employees,
especially in the financial and commercial sectors.

It is found that nearly half of the resumes submitted by candidates during the hiring
process contain fake information. So, organizations want to make sure that they are
hiring a desired and skilled candidate for their vacant position. The types of information
verified by organizations are educational, family, financial, previous work experience,
criminal background, conduct, performance, etc.

Threat Intelligence Lifecycle

▪ Planning and Direction

o Define intelligence requirements

o Make a collection plan

o Form an intelligence team

o Send requests for data collection

o Plan and set requirements for other phases

▪ Collection

o Collect required data that satisfies intelligence goals

o Collection sources include OSINT, HUMINT, IMINT, MASINT, etc.

▪ Processing and Exploitation

o Process raw data for exploitation

o Convert processed data into a usable format for data analysis

▪ Analysis and Production

o Combine information from phase 3 into a single entity

o Include facts, findings, and forecasts

o Analysis should be objective, timely, accurate, and actionable

o Perform confidence-based analysis

▪ Dissemination and Integration

o Deliver the intelligence to the intended consumers at different levels: strategic (high-level business strategies), tactical (TTPs), operational (specific threats), and technical (IoCs)
Threat Intelligence Lifecycle


The threat intelligence lifecycle is a continuous process of developing intelligence from raw data
that supports organizations in developing defensive mechanisms to thwart emerging risks and
threats. The higher level executives of the organization provide continuous support to the
intelligence team by evaluating and giving feedback at every stage. The threat intelligence
lifecycle consists of five phases: planning and direction, collection, processing and exploitation,
analysis and production, and dissemination and integration.
Figure 5.1: Threat Intelligence Lifecycle (diagram of the five phases in a continuous loop: planning and direction, collection, processing and exploitation, analysis and production, and dissemination and integration)

▪ Planning and Direction

In this phase, a proper plan is developed based on the strategic intelligence requirements,
for example, what the requirements for developing the threat intelligence are, which
intelligence information should be given priority, etc. This phase defines the entire
intelligence program from data collection to delivery of the final intelligence product and acts
as a basis for the complete intelligence process. It also includes identifying the
requirements for data, the methods to be used to collect data, and establishing a collection
plan. The requirements are set in such a way that effective and genuine intelligence data
can be gathered using a constant number of resources from various OSINT sources. Along with
the requirements, requests are sent to collect data from various internal and external
sources. During this phase, an intelligence team is formed, and their key roles and
responsibilities are also formulated. Also, the planning and requirements are set for the
later stages of the cycle to provide proper support for its functioning.

▪ Collection

In this phase, the focus is on collecting the desired intelligence that is defined in phase
one. The data can be collected in different ways through either technical or human
means. The collection of the information can be performed openly or covertly based on
the confidentiality of the information. The intelligence is collected through sources like
HUMINT, imagery intelligence (IMINT), measurement and signature intelligence
(MASINT), signals intelligence (SIGINT), OSINT, IoCs, and other third parties. This
includes collecting data from critical applications, network infrastructure, security
infrastructure, etc. Once the collection process is done, the data are transferred for
processing in the next stage.

▪ Processing and Exploitation

Until this phase, the data are not in a proper format; they are still raw data. The
data obtained from previous phases are processed for exploitation and transformed into
useful information that can be understood by the consumers. This interpreted data are
converted into a usable format that can be directly used in the data analysis phase. For the
processing to be effective, it requires a proper understanding of the data collection plan,
the requirements of the consumer, the analytical strategy, and the types of data being
processed. Many automated tools are used to apply data processing functions such as
structuring, decryption, language translation, parsing, data reduction, filtering, data
correlation, and data aggregation.

▪ Analysis and Production

After processing the intelligence into a proper format, the intelligence is analyzed in this
phase to obtain refined information. The analysis includes facts,
findings, and forecasts, which enable the estimation and anticipation of attacks and
results. The analysis should be objective, timely, accurate, and actionable. To extract
timely and accurate information, analysts need to apply four types of reasoning
techniques, which include deduction, induction, abduction, and the scientific method, based
on confidence. As the information is obtained from different sources, analysts try to
combine these various sources into a single entity in this phase.

The raw data are converted into information by applying various data analysis techniques
such as qualitative and quantitative analysis, machine-based techniques, and statistical
methods. When the analyzed information provides sufficient context for identifying a
threat, it is elevated to intelligence. This phase identifies potential threats to the
organization and further helps in developing appropriate countermeasures to respond to
the identified threats.

▪ Dissemination and Integration

The analyzed information is then ready for integration and distribution to the
intended consumers, which is done either by automated means or by manual methods.
Major threat information types that are generally used for dissemination include threat
indicators, adversary TTPs, security alerts, threat intelligence reports, and tool
configuration information for using tools to automate all the phases of threat intelligence.
Different intelligence reports are generated to meet the requirements of the
management and higher level executives at strategic, operational, tactical, and technical
levels.

Strategic threat intelligence is consumed by high-level executives and management
and focuses on high-level business strategies. Operational threat intelligence is
consumed by cybersecurity professionals such as security managers and network
defenders and mainly focuses on specific threats to the organization. Tactical threat
intelligence is consumed by cybersecurity professionals such as IT service and SOC
managers, administrators, and architects and focuses on the adversary's TTPs. Technical
threat intelligence is consumed by SOC staff and IR teams and includes information
related to the identified IoCs. The disseminated intelligence helps organizations in
building defensive and mitigation strategies for the identified threats. Sharing threat
intelligence internally and externally helps organizations gain situational awareness
and also enhance their current security posture and risk management processes.

This phase also provides feedback, giving more input to the information requirements,
thereby repeating the threat intelligence lifecycle. The feedback is an assessment that
describes whether the extracted intelligence meets the requirements of the intelligence
consumer. This feedback helps in producing more accurate intelligence through relevant
and timely assessments.
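To make the "usable format" and the consumer-level split concrete, here is an added Python example (it is not part of the CSA courseware) that packages the output of the analysis phase two ways: a STIX 2.1 indicator bundle for technical consumers (SIEM or TIP ingestion) and a one-line summary for strategic consumers that carries no raw indicators. The indicator values, the campaign name, and the rule that scales the number of corroborating sources into a STIX confidence score are constructed assumptions for the demonstration.

```python
"""Added example: disseminating analyzed indicators to different consumers.

Technical consumers get a machine-readable STIX 2.1 bundle; strategic
consumers get a short textual summary. All indicator values below are
constructed placeholders, not real threat data.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed output of the analysis phase: normalized indicators with the
# number of corroborating sources used as a confidence score (assumption).
ANALYZED = [
    {"type": "domain", "value": "bad-domain.example", "confidence": 2,
     "campaign": "Constructed-Phish-01"},
    {"type": "ipv4", "value": "198.51.100.9", "confidence": 1,
     "campaign": "Constructed-Phish-01"},
]

# STIX pattern syntax for the two indicator types this example handles.
STIX_PATTERNS = {
    "domain": "[domain-name:value = '{}']",
    "ipv4": "[ipv4-addr:value = '{}']",
}


def stix_timestamp():
    """Current UTC time in the millisecond 'Z' form STIX 2.1 expects."""
    now = datetime.now(timezone.utc)
    return now.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def to_stix_indicator(ioc, now):
    """Map one analyzed indicator to a STIX 2.1 Indicator object."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"{ioc['campaign']} {ioc['type']}",
        "pattern": STIX_PATTERNS[ioc["type"]].format(ioc["value"]),
        "pattern_type": "stix",
        "valid_from": now,
        # STIX confidence is 0-100; two independent sources map to 100 here
        # (a constructed scaling rule, not a standard).
        "confidence": min(100, 50 * ioc["confidence"]),
    }


def technical_bundle(analyzed, now=None):
    """Bundle for technical consumers (SIEM, IDS/IPS, TIP ingestion)."""
    now = now or stix_timestamp()
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [to_stix_indicator(i, now) for i in analyzed],
    }


def strategic_summary(analyzed):
    """One-line summary for management: scope and confidence, no raw IoCs."""
    campaigns = sorted({i["campaign"] for i in analyzed})
    high = sum(1 for i in analyzed if i["confidence"] >= 2)
    return (f"{len(analyzed)} indicators across {len(campaigns)} campaign(s) "
            f"({', '.join(campaigns)}); {high} rated high confidence.")


def patterns(bundle):
    """The detection patterns carried by a bundle, in order."""
    return [o["pattern"] for o in bundle["objects"] if o["type"] == "indicator"]


if __name__ == "__main__":
    bundle = technical_bundle(ANALYZED)
    print(json.dumps(bundle, indent=2))
    print(strategic_summary(ANALYZED))
```

The bundle can be handed to any TAXII server or SIEM connector that accepts STIX 2.1 JSON, while the summary line is what a strategic report would carry; keeping the two outputs separate is the point of producing intelligence at different levels.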

Threat Analyst Roles in Threat Intelligence Lifecycle

▪ Collection

o Threat Feeds

o Internal and External Sources

o IoCs, Incident, and Malware Reports

▪ Processing and Exploitation

o Indexing Raw Data

o Sorting and Filtering Raw Data

o Formatting and Structuring Raw Data

▪ Analysis and Production

o Integrating and Evaluating Data

o Analyzing Data

o Assessing and Defining Courses of Action

▪ Dissemination and Integration

o Strategic Consumers

o Tactical Consumers

o Operational Consumers

o Technical Consumers

Threat Analyst Roles in Threat Intelligence Lifecycle


The main goal of CTI analysts is to extract relevant, timely, accurate, and actionable intelligence
on various emerging cyber threats that are specifically related to hacktivism, insider threats,
script kiddies, espionage, malicious software, cybercrime, social engineering, etc. The analysts
need to concentrate more on the who, what, when, where, and why aspects of cyber threats to the
business, which further helps in reducing overall business risks.

The CTI analyst plays a major role in the threat intelligence lifecycle. In the collection phase of the lifecycle,
the analyst is responsible for collecting relevant data from various sources such as threat feeds,
internal and external sources, IoCs, and incident and malware reports to meet the requirements
and goals of threat intelligence.

In the processing and exploitation phase, the analyst needs to process the raw data to bring it
into a usable format so that it can be directly consumed in the data analysis phase. In this phase, the
analyst needs to perform indexing, sorting, filtering, structuring, and formatting of raw data. The
processed data are then fed into the data analysis phase.

In the analysis and production phase, the analyst needs to integrate and evaluate the processed
data and perform analysis and assessment to identify and define various courses of action. The
output of data analysis is elevated to threat intelligence, which is disseminated to strategic,
tactical, operational, and technical consumers.

In the dissemination and integration phase, the analyst is responsible for generating reports that
meet the requirements of consumers at different levels.

Cyber Threat Analyst Responsibilities

▪ Collect up-to-date and accurate data from the dark web, intelligence feeds, intelligence sources, etc.

▪ Analyze the collected data and understand the technical aspect of security

▪ Identify business risks and refine the information into intelligence that is disseminated to higher level business executives

▪ Identify, monitor, assess, and defend against various attacks performed by both internal and external threat actors

▪ Stay ahead of an adversary by understanding the latest attack TTPs

▪ Extract threat intelligence that includes contextual information, IoCs, TTPs, consequences, and actionable intelligence about evolving threats

▪ Understand the motivation of the adversaries by analyzing the characteristics and habits of threat actors

▪ Guide organizations in building effective defense and mitigation strategies

▪ Collaborate with IT, incident handling, and SOC teams by generating timely threat reports

Cyber Threat Analyst Responsibilities


A CTI analyst plays a major role in the CISO structure of the organization and supports the
functions of the SOC like a backbone. The analyst is responsible for identifying, preventing, and
protecting the organization from threats emerging from various sources. The analyst collects data
from several intelligence feeds, analyzes it to identify events that may affect the security of
the organization, and develops mitigation and defense strategies beforehand.

Listed below are the major responsibilities of CTI analysts:

▪ Collect up-to-date and accurate data from the dark web, intelligence feeds, intelligence
sources, etc.

▪ Analyze the collected data and understand the technical aspect of security

▪ Identify business risks and refine the information into intelligence that is disseminated to
higher level business executives

▪ Identify, monitor, assess, and defend against various attacks performed by both internal
and external threat actors

▪ Stay ahead of the adversary by understanding the latest attack TTPs

▪ Provide organizations with threat intelligence that includes contextual information, IoCs,
TTPs, consequences, and actionable intelligence about evolving threats

▪ Understand the motive of the adversaries by analyzing the characteristics and habits of
threat actors

▪ Guide organizations in building effective defense and mitigation strategies

▪ Collaborate with IT, incident handling, and SOC teams by generating timely threat reports

The traditional approach of aggregating, correlating, and analyzing threat data from multiple sources is becoming cumbersome due to the increased number of threats and events.

Threat Intelligence Platform (TIP)

▪ With large volumes of data, the exponential increase in complexity of threat vectors, and a lack of threat intelligence analysts, organizations are choosing to implement TIPs to facilitate the management of cyber threat intelligence

▪ TIP is becoming a critical security tool for organizations as it helps them to automate the process of aggregating, correlating, and analyzing threat data from multiple sources in real time

▪ Capabilities of TIP include:

o Collection: The TIP should collect and aggregate data in multiple data formats from multiple sources

o Integration: The TIP should disseminate and integrate cleaned data to other existing security systems/tools/products used by an organization such as SIEM

Threat Intelligence Platform (TIP)


Nowadays, the cybersecurity environment is facing common problems like large amounts of data,
a shortage of skilled security analysts, and growing adversarial attacks. To handle these problems,
existing security systems use various tools. These tools can manage the problems but are
incapable of storing information in a centralized format. Thus, it becomes a tedious task for the
system to manage with limited resources and time.

With large volumes of data, the exponential increase in complexity of threat vectors, and a lack of threat
intelligence analysts, organizations are choosing to implement TIPs to facilitate the management of cyber
threat intelligence. A TIP can be installed as SaaS or on premises to gather and manage
information about evolving threats and their associated entities like threat actors, IoCs, bulletins,
and TTPs. It is becoming a critical security tool for organizations as it helps them to automate
the process of aggregating, correlating, and analyzing threat data from multiple sources in real
time.

Its basic capabilities include data collection, data correlation, data enrichment and
contextualization, data analysis, and data integration:

▪ Data Collection

The TIP facilitates data collection by collecting and aggregating information in multiple data
formats from multiple sources in a central location. Open source, government, and trusted
sharing communities (ISACs) are examples of sources, whereas JSON, XML,
STIX/TAXII, PDF, .txt, etc. are examples of formats.

▪ Data Normalization and Correlation

After collecting data from multiple sources, it is necessary to process the data effectively to
identify the large number of indicators. Processing is performed through multiple steps, but its three
main aspects are data normalization, data de-duplication, and data improvement. Data
normalization means determining connected data across multiple inputs and sources.
Data de-duplication means deleting duplicate data, and data improvement means
eliminating false positives, fake indicators, etc. Once the data are normalized, they are
correlated and pivoted to identify actionable intelligence.

▪ Data Enrichment and Contextualization

After correlating data, the TIP should build enriched context around the threats. This can be
performed automatically or using third-party analysis applications that provide as much
information as possible related to the threat actor, his capabilities, and infrastructure.

▪ Data Analysis

The TIP should analyze the content of threat indicators. Through analysis, it can investigate
threats and suggest an investigation workflow. Besides this, it can also determine
the implications of threats for the organization.

▪ Data Integration

The TIP should disseminate and integrate cleaned data to other existing security
systems/tools/products used by an organization such as SIEM, firewalls, intrusion
detection and prevention systems, ticketing systems, etc.
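The processing functions listed under Processing and Exploitation in the lifecycle (parsing, filtering, correlation, aggregation) and the TIP capabilities just described (collection in several formats, normalization, de-duplication, false-positive removal, and integration with SIEM data) are what a small ingestion pipeline looks like in code. The following is an added Python example, not code from the courseware or from any TIP vendor. The JSON and CSV feed layouts, the allowlist used for the "data improvement" step, the proxy and firewall log format, and every indicator value are constructed for the demonstration, and the number of independent feeds that report an indicator stands in for a confidence score.

```python
"""Added example: normalize, de-duplicate and correlate threat data.

Two constructed feeds (JSON and CSV) are merged into one indicator set,
allowlisted values are dropped, and the result is matched against
SIEM-style log lines. No value here is a real indicator.
"""
import csv
import io
import json
import re
from collections import defaultdict

# Constructed sample feeds; the domains and addresses are placeholders.
FEED_JSON = json.dumps({
    "indicators": [
        {"type": "domain", "value": "Bad-Domain[.]example", "source": "osint-feed"},
        {"type": "ipv4", "value": "203.0.113.7", "source": "osint-feed"},
        {"type": "domain", "value": "update.microsoft.com", "source": "osint-feed"},
    ]
})
FEED_CSV = """type,value,source
domain,bad-domain.example,isac-share
ipv4,203.0.113.7,isac-share
ipv4,198.51.100.9,isac-share
"""

# Stand-in for the "data improvement" step: known-good values that a noisy
# feed may mislabel (false positives / fake indicators). Constructed.
ALLOWLIST = {"update.microsoft.com"}


def normalize(ioc_type, value):
    """Bring indicators from different feeds into one canonical form."""
    value = value.strip().lower().replace("[.]", ".")  # undo defanging
    if ioc_type == "domain":
        return ("domain", value.rstrip("."))
    if ioc_type == "ipv4":
        return ("ipv4", value)
    return None  # unsupported type: dropped by aggregate()


def parse_json_feed(text):
    for item in json.loads(text)["indicators"]:
        yield normalize(item["type"], item["value"]), item["source"]


def parse_csv_feed(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield normalize(row["type"], row["value"]), row["source"]


def aggregate(feeds):
    """Merge feeds, de-duplicate, and drop allowlisted values.

    Returns {(type, value): set(sources)}; the number of independent
    sources is used later as a crude confidence score.
    """
    merged = defaultdict(set)
    for feed in feeds:
        for ioc, source in feed:
            if ioc is None or ioc[1] in ALLOWLIST:
                continue
            merged[ioc].add(source)
    return dict(merged)


# Constructed log format: key=value pairs with a dst= field.
LOG_RE = re.compile(r"dst=(?P<dst>\S+)")


def correlate(iocs, log_lines):
    """Match normalized indicators against SIEM-style log lines.

    Returns (line_number, indicator, confidence) for each hit, where
    confidence is the count of feeds that independently reported the IoC.
    """
    lookup = {value: len(sources) for (_kind, value), sources in iocs.items()}
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        dst = m.group("dst").lower()
        if dst in lookup:
            hits.append((n, dst, lookup[dst]))
    return hits


# Constructed log lines for a self-contained run.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z proxy src=10.0.0.5 dst=bad-domain.example action=allow",
    "2024-01-01T10:00:05Z proxy src=10.0.0.5 dst=update.microsoft.com action=allow",
    "2024-01-01T10:00:09Z fw src=10.0.0.9 dst=198.51.100.9 action=deny",
]


def run_pipeline():
    """Collection -> processing -> correlation on the constructed inputs."""
    iocs = aggregate([parse_json_feed(FEED_JSON), parse_csv_feed(FEED_CSV)])
    return iocs, correlate(iocs, SAMPLE_LOGS)


if __name__ == "__main__":
    iocs, hits = run_pipeline()
    for (kind, value), sources in sorted(iocs.items()):
        print(f"{kind:6} {value:22} sources={sorted(sources)}")
    for n, value, confidence in hits:
        print(f"log line {n}: matched {value} (confidence {confidence})")
```

Running it shows the three steps the text separates: the defanged and mixed-case domain from the JSON feed and the plain one from the CSV feed collapse into a single entry with two sources, the allowlisted hostname never reaches the correlation stage, and only the log lines whose destination is a remaining indicator produce a hit, each tagged with how many feeds agree on it.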

Threat Intelligence Platform: TC Complete™

TC Complete™ (Security Operations and Analytics Platform) is built on the ThreatConnect Platform, providing not only the ability to orchestrate your security functions but also the confidence that you are basing your tasks and decisions on vetted, relevant threat intelligence
Threat Intelligence Platform: TC Complete™

Source: https://www.threatconnect.com

TC Complete™ (security operations and analytics platform) is built on the ThreatConnect
Platform, providing not only the ability to orchestrate your security functions but also the
confidence that you are basing your tasks and decisions on vetted, relevant threat intelligence.
It includes all the features of ThreatConnect® such as indicator analytics, threat intelligence
analysis, orchestration, tasking, and more, allowing for informed decision-making based on the
power of the target organization's threat intelligence. Using this platform, you can orchestrate
your security processes, analyze your data, and proactively hunt threats in one central place.

With TC Complete™, you can perform the following:

▪ Analyzing, hunting, creating, and taking action on your threat intelligence

▪ Studying what worked (and what didn't) so that you can continue to improve your
defense mechanisms

▪ Configuring your ThreatConnect® instance with custom apps, playbooks, indicators,
attributes, and import rules

Benefits of TC Complete™

▪ Gains visibility: It explores who is attacking your organization and how, by:

o Aggregating and normalizing threat data from any source

o Viewing how often indicators are observed and how relevant they are

o Easily identifying platform ratings, team votes, and false-positive counts per indicator
or incident

▪ Maximizes efficiency: TC Complete™ helps analysts to do the following:

o Creating automated, configurable playbooks in a single click without coding

o Automating nearly any security operation or task such as sending alerts, enriching
data, or assigning tasks to teams

▪ Takes control: It configures the platform based on organizational needs:

o Proactively hunting threats in your network

o Creating custom dashboards to view the data that are most critical and useful for your
team

o Customizing indicators, attributes, import rules, etc.

o Creating private communities for secure, role-based collaboration

Figure 5.2: Screenshot of TC Complete (the My Dashboard view, with panels for Observations and False Positives over the last 30 days, Top Sources by Observations, Latest Intel, Observed Indicators, Groups, and Top Sources by False Positives)


Additional Threat Intelligence Platforms

Slide overview: IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com), Pulsedive (https://pulsedive.com), FireEye iSIGHT Threat Intelligence (https://www.fireeye.com), IntelMQ (https://www.enisa.europa.eu), RSA NetWitness Platform (https://www.rsa.com), DeepSight Intelligence (https://www.symantec.com), AlienVault USM Anywhere (https://www.alienvault.com), LogRhythm TLM Platform (https://logrhythm.com), Splunk Enterprise Security (http://dev.splunk.com), Argos Threat Intelligence Platform (https://www.cyberint.com), Malstrom (https://github.com), threat_note (https://github.com), RiskIQ (https://www.riskiq.com), AutoFocus (https://www.paloaltonetworks.com), AbuseHelper (https://github.com)

Additional Threat Intelligence Platforms

Listed below are some of the additional TIPs:
" IBM X-Force Exchange

Source: httos//www.ibm.com
IBM X-Force Exchange is a cloud-based TIP that allows you to consume, share, and act on
threat intelligence. It enables you to rapidly research the latest global security threats,
aggregate actionable intelligence, consult with experts, and collaborate with peers. IBM
X-Force Exchange, supported by human- and machine-generated intelligence, leverages
the scale of IBM X-Force to help users stay ahead of emerging threats.

Key Features of IBM X-Force Exchange


o Accesstoa wealth of threat intelligence data
o Collaborative platform for sharing threat intelligence
o (Integrated solution to help duickly stop threats

o Easy-to-use interface for organizing and annotating findings


o Monitor applicable indicators with watch lists
o Add third-party threat intelligence licenses to the platform

o Getthe latest actionable threat research


" IntelMO

Source: https//www.enisa.europa.eu
IntelMO is a solution for IT security teams (CERTS, CSIRTs, abuse departments, etc.) for
collecting and processing security feeds using a message gueue protocol. Its a
community-driven initiative called Incident Handling Automation Project which was
conceptually designed by European CERTs/CSIRTS during several InfoSec events. Its main
goal is to give to incident responders an easy way to collect and process threat
intelligence, thus improving the incident handling processes of CERTS.
IntelMO's design was influenced by AbuseHelper; however, it was rewritten from scratch
and aims at:

o Reducing the complexity of system administration


o Reducing the complexity of writing new bots for new data feeds
o Reducing the probability of events lost in all process with persistence functionality
(even system crash)
o Use and improve the existing data harmonization ontology
o Use SON format for all messages
o |Integration of the existing tools (AbuseHelper, CIF)
o Provide easy way to store data into log collectors like ElasticSearch, Splunk, and
databases (such as PostgreSOL)
o Provide easy way to create your own blacklists
o Provide easy communication with other systems via HTTP RESTFUL API
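The bot pipeline and JSON message flow the list above describes, shown as an added illustration that is not IntelMQ's own code or API: a collector wraps raw feed lines into report messages, a parser turns them into harmonized events, an expert enriches them, and an output bot writes them to a store and a blocklist, with queues between the stages. The two feeds, the field names ("source.ip", "classification.type", "time.observation", "feed.name") and the category-to-classification table are constructed for the example and only loosely follow IntelMQ's harmonization ontology. Lines the parser cannot handle go to a dead-letter queue instead of being dropped, which is the persistence point the list makes.

```python
import ipaddress
import json
import queue
from datetime import datetime, timezone

# Constructed sample feeds in two different formats (not real feed data).
FEED_A_CSV = """# feed A: ip,category,first_seen
203.0.113.7,c2,2024-01-15T10:00:00Z
198.51.100.23,scanner,2024-01-15T11:30:00Z
not-an-ip,c2,2024-01-15T12:00:00Z
"""
FEED_B_TXT = """# feed B: <ip> <malware family>
203.0.113.7 emotet
192.0.2.44 qakbot
"""

# Assumed mapping from feed vocabulary to a harmonized classification; the field
# names used below only loosely follow IntelMQ's harmonization ontology.
CLASSIFICATION = {"c2": "c2-server", "scanner": "scanner", "malware": "infected-system"}


def collector_bot(raw_text, feed_name, out_q):
    """Collector: wraps every non-comment feed line into a JSON 'report' message."""
    for line in raw_text.splitlines():
        if line.strip() and not line.startswith("#"):
            out_q.put(json.dumps({"feed.name": feed_name, "raw": line}))


def parser_bot(in_q, out_q, dead_q):
    """Parser: converts one report into one harmonized event. Unparsable lines go to
    a dead-letter queue instead of being silently dropped."""
    while not in_q.empty():
        report = json.loads(in_q.get())
        try:
            if report["feed.name"] == "feed-a":
                ip, category, first_seen = report["raw"].split(",")
                event = {"source.ip": ip, "time.source": first_seen,
                         "classification.type": CLASSIFICATION[category]}
            else:
                ip, family = report["raw"].split()
                event = {"source.ip": ip, "malware.name": family,
                         "classification.type": CLASSIFICATION["malware"]}
            ipaddress.ip_address(event["source.ip"])  # ValueError on a malformed address
        except (ValueError, KeyError) as exc:
            dead_q.put(json.dumps({**report, "error": str(exc)}))
            continue
        event["feed.name"] = report["feed.name"]
        out_q.put(json.dumps(event))


def expert_bot(in_q, out_q):
    """Expert: enriches each event with an observation time and a stable event id."""
    while not in_q.empty():
        event = json.loads(in_q.get())
        event["time.observation"] = datetime.now(timezone.utc).isoformat()
        event["event.id"] = f"{event['feed.name']}:{event['source.ip']}"
        out_q.put(json.dumps(event))


def output_bot(in_q, store):
    """Output: appends events to a store (stand-in for Elasticsearch, Splunk or a
    database) and maintains a deduplicated blocklist of source addresses."""
    while not in_q.empty():
        event = json.loads(in_q.get())
        store["events"].append(event)
        store["blocklist"].add(event["source.ip"])


def run_pipeline():
    """Runs collector -> parser -> expert -> output over the constructed feeds and
    returns the store plus whatever landed in the dead-letter queue."""
    reports, events, enriched, dead = (queue.Queue() for _ in range(4))
    store = {"events": [], "blocklist": set()}
    collector_bot(FEED_A_CSV, "feed-a", reports)
    collector_bot(FEED_B_TXT, "feed-b", reports)
    parser_bot(reports, events, dead)
    expert_bot(events, enriched)
    output_bot(enriched, store)
    store["dead_letters"] = [json.loads(dead.get()) for _ in range(dead.qsize())]
    return store


if __name__ == "__main__":
    result = run_pipeline()
    for event in result["events"]:
        print(json.dumps(event))
    print("blocklist:", sorted(result["blocklist"]))
    print("dead letters:", result["dead_letters"])
```

Running it yields four harmonized events, a three-address blocklist (the address that appears in both feeds is stored once), and one dead letter carrying the malformed feed line and the reason it was rejected, so nothing a feed delivered is lost without a trace.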
" AlienVaulte USM* Anywhere
Source: https//www.alienvault.com
AlienVaulte USM Anywhere'“ provides centralized security monitoring for your cloud, on-
premises, and hybrid IT environments, including your endpoints and cloud apps like Office
365 and G Suite. With multiple essential security capabilities in one unified platform, USM
Anywhere simplifies and accelerates threat detection, incident response, and compliance
management for today's resource-constrained IT security teams. It deploys rapidly and
enables you to start detecting threats within minutes. Because there's no hardware
appliance to install or maintain in your data center, you save significant time, resources,
and money for an overall low total cost of ownership.
USM Anywhere uses virtual sensors that run on VMware and Microsoft Hyper-V to
monitor your on-premises physical and virtual IT infrastructure. In the cloud, lightweight
cloud sensors natively monitor Amazon Web Services and Microsoft Azure Cloud. In
addition, you can deploy AlienVault Agents on your Windows and Linux endpoints.
Security analysis and log storage are centralized in the AlienVault Secure Cloud and
provide you with centralized security visibility of your critical infrastructure.


USM Anywhere also receives a continuous stream of threat intelligence updates from the
AlienVault Labs Security Research Team so that you always have the latest security
intelligence at your fingertips. AlienVault Labs leverages data from the Open Threat
Exchange (OTX), the world's largest open threat community, to gain expansive
intelligence on threats as they appear in the wild.

▪ Argos Threat Intelligence Platform

Source: https://www.cyberint.com
As cyber criminals and hacktivists grow more sophisticated, perimeter-based security
technologies are essentially fighting a losing battle. Even the most robust traditional
security cannot adequately protect an organization from today's targeted cyber threats.
Only new thinking that redefines your cybersecurity strategy can outsmart the threat
actors in the cyber war. Argos pools both human and technological resources to gather
targeted and actionable intelligence. It generates real-time incidents of targeted attacks,
data leakage, and stolen credentials compromising your organization. It also identifies
threat actors targeting you in real time and provides contextual data about them. Besides
this, it can access hundreds of sources (feeds, IRC, dark web, blogs, social media, forums,
and paste sites) to collect targeted data and automate a proven intelligence process. It
analyzes results with actionable recommendations and utilizes a 10,000-strong entity
database of threat actors and tools for attribution and to maximize context.

" RisklO

Source: https //www.riskig.com

RisklO provides the most comprehensive discovery, intelligence, and mitigation of threats
associated with an organization's digital presence. It enables security organizations to
match and scale digital threat management capabilities to their needs and augment their
security teams with the most advanced Internet-scale security data available.
" Pulsedive

Source: https//pulsedive.com
Pulsedive is a TIP that leverages open-source threat intelligence (OSINT) feeds and user
submissions to deliver actionable intelligence. It allows users to submit, search, correlate,
and update IOCs; lists "risk factors" for why IOCs are higher risk; and provides a high level
view of threats and threat activity.

" RSA NetWitness Platform

Source: https//www.rsa.com
The RSA NetWitness Platform applies the most advanced technology to enable security
teams to work more efficiently and effectively. It uses behavioral analysis, data science
technigues, and threat intelligence to help analysts detect and resolve both known and
unknown attacks before they disrupt your business. And it uses machine learning to
automate and orchestrate the entire incident response lifecycle. Because the RSA
NetWitness Platform does all of this—and more—on a single platform, it allows security

Module 05 Page 622 Certified SOC Analyst Copyright @ by EG-Couneil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified SOC Analyst EXAM 312-39
Enhanced Incident Detection with Threat Intelligence

teams to collapse disparate security tools and the data they generate into a single,
powerful, and blazingly fast user interface.
▪ LogRhythm TLM Platform
Source: https://logrhythm.com
The LogRhythm NextGen SIEM Platform aligns your team, technology, and processes. It
helps you see broadly across your IT environment, identify threats, and quickly mitigate
and recover from security incidents. Its end-to-end solution helps you uncover threats
and minimize your risk through threat lifecycle management (TLM), a detection and
response framework for SOCs. TLM enables you to sift through the noise, investigate
concerning incidents, and increase your organization's security maturity.

▪ Malstrom

Source: https://github.com
Malstrom not only aims to be a repository for threat tracking and forensic artifacts but
also stores YARA rules and notes for investigation.

▪ AutoFocus

Source: https://www.paloaltonetworks.com
AutoFocus is a threat intelligence service that provides an interactive, graphical
interface for analyzing threats in your network. With AutoFocus, you can compare threats
in your network to threat information collected from other networks in your industry or
across the globe, within specific time frames. AutoFocus statistics are updated to include
the most recent threat samples analyzed by Palo Alto Networks. Access to this
information allows you to keep up with threat trends and to take a preventive approach
to securing your network.

▪ FireEye iSIGHT Threat Intelligence

Source: https://www.fireeye.com
FireEye iSIGHT Threat Intelligence is a proactive, forward-looking means of qualifying
threats poised to disrupt your business based on the intents, tools, and tactics of the
attacker. Its high-fidelity, comprehensive intelligence delivers visibility beyond the
typical attack lifecycle, adding context and priority to global threats before, during, and
after an attack. It helps mitigate risk, bolster incident response, and enhance your overall
security ecosystem. It also enables you to predict attacks and refocus your attention on
what matters most to your business.

▪ DeepSight Intelligence
Source: https://www.symantec.com
DeepSight Intelligence is a cloud-hosted CTI platform that provides access to technical
and adversary intelligence collected by Symantec through its endpoints and other security
products and aggregated through its big data warehouse. The data are enriched, verified,
and analyzed to provide attribution and to connect seemingly disparate indicators into
campaigns with known actors and the motivations behind them. It is powered by two newly
released CTI services: Managed Adversary and Threat Intelligence and Directed Threat
Research.

▪ Splunk Enterprise Security
Source: https://splunkbase.splunk.com
Splunk Enterprise Security gives security teams the insight to quickly detect and respond
to internal and external attacks and simplify threat management, minimizing risk. ES helps
teams gain organization-wide visibility and security intelligence for continuous
monitoring, IR, and SOC operations, and provides executives a window into business risk.

Benefits of Splunk Enterprise Security

o Continuously monitor: It clearly visualizes security posture with dashboards, key
security indicators, static and dynamic thresholds, and trending.
o Prioritize and act: It optimizes, centralizes, and automates IR workflows with alerts,
centralized logs, and predefined reports and correlations.
o Conduct rapid investigations: It uses ad-hoc search and correlations to detect
malicious activities.
o Handle multistep investigations: It traces activities associated with compromised
systems and applies the kill-chain methodology to see the attack lifecycle.

▪ threat_note

Source: https://github.com
threat_note is a web application built by Defense Point Security to give security
researchers the ability to add and retrieve indicators related to their research. It includes
the ability to add IP addresses, domains, and threat actors, with more types being added
in the future. This app fills the gap between various solutions currently available by being
lightweight, easy to install, and by minimizing fluff and extraneous information that
sometimes gets in the way of adding information. To create a new indicator, you only
really need to supply the object itself.

Other applications built for storing indicators and research have some shortcomings that
threat_note hopes to fix. Some common complaints with other apps are:
o Hard to install/configure/maintain
o Need to pay for added features (enterprise licenses)
o Too much information

▪ AbuseHelper
Source: https://github.com
AbuseHelper is an open-source framework for receiving and redistributing abuse feeds
and threat intel.


Why Threat Intelligence-Driven SOC?


Key Challenges in Traditional (Non-Intelligence-Driven) SOC

▪ No strategic view of the existing threat landscape, or awareness of attacks on the organization or on organizations working in a
similar domain
▪ Inability to communicate the business risk associated with security breaches to non-technical board-level executives

Key Challenges in Traditional (Non-Intelligence-Driven) SOC

The following are the key challenges of a traditional SOC:
▪ Fails to identify sophisticated and advanced attacks, as it is restricted to rule- and
signature-based detection techniques
▪ Unable to respond immediately to sophisticated threats and to implement continuous
monitoring and continuous threat protection processes
▪ Threat intelligence is utilized as a one-way product instead of a process, resulting in a
poor security approach
▪ There is no strategic view of the existing threat landscape, or awareness of attacks on the
organization or on organizations working in a similar domain
▪ Poor prioritization of incidents: real incidents get neglected among thousands
of insignificant security alerts
▪ Without a proper understanding of the attacker's TTPs, remediation of incidents caused by
advanced attacks gets overlooked
▪ Rise of false negatives due to unavailability of threat data
▪ Inability to communicate the business risk associated with security breaches to
non-technical board-level executives


Threat Intelligence-Driven SOC

▪ It provides an effective and structured approach to detect, handle, respond to, remediate, and
mitigate the risk earlier than in the traditional SOC
▪ A threat intelligence-driven SOC can help the organization become aware of the current threat
scenario, including its strengths, risks, and vulnerabilities

Threat Intelligence-Driven SOC

The growth of polymorphic attacks and the availability of hacking tools have affected
the security status of organizations. To detect and prevent such attacks, an organization
needs to switch from its traditional SOC to a threat intelligence-driven SOC, which helps the
organization become aware of the current threat scenario, including its strengths, risks, and
vulnerabilities. It provides an effective and structured approach to detect, handle, respond to,
remediate, and mitigate the risk earlier than in the traditional SOC. It works beyond preventive
methodologies and event-based monitoring and uses intelligence techniques to monitor and
analyze all aspects of security operations. It includes an adaptive, dynamic architecture and
context-aware components that overcome the challenges of the new "detection and response"
paradigm.
In addition to SIEM, a threat intelligence-driven SOC is capable of performing threat intelligence
and threat hunting. Threat intelligence improves the visibility and ability to detect
sophisticated threats. It also supports the SOC in implementing continuous monitoring and
continuous threat protection processes. Furthermore, it minimizes false positives by
integrating with available security tools. Threat hunting is the process of detecting and hunting
suspicious activities in past data or logs by utilizing the capabilities of big data and analytics to
the maximum. It can be either hypothesis- or IoC-driven, wherein the security analyst builds
possible threat scenarios with the respective threat actors and vectors. It is helpful in detecting
patterns of low-and-slow attacks that are not detected through SIEM.


How Threat Intelligence Helps SOC

▪ Collects data from multiple sources such as open-source and commercial data feeds, internal and external sources, etc.
▪ Creates customized and prioritized alerts based on the IT infrastructure of the organization
▪ Helps in identifying initial Indicators of Compromise (IoCs) and gradually pivots to identify related indicators and
artifacts to assess the possibility of an attack
▪ Provides the ability to implement new protection strategies to prevent upcoming attacks
▪ Provides an understanding of active campaigns that includes the who, what, when, where, why, and how of emerging
security threats
▪ Provides insight into the probability of risks and their impact on business
▪ Recommends various remediation and risk mitigation solutions

How Threat Intelligence Helps SOC

SOCs are implementing threat intelligence processes to gather valuable insights into situational and
contextual risks. Threat intelligence provides information to correlate data efficiently from multiple sources to
determine expected attacks before they occur. It also enables the SOC team to address the most
common issues, such as minimizing response time, collecting data from different feeds to get the
exact picture of a security incident, and prioritizing and reacting to security incidents.
Threat intelligence can help the SOC in:
▪ Collecting data from multiple sources such as open-source and commercial data feeds,
and internal and external sources
▪ Creating customized and prioritized alerts based on the IT infrastructure of the
organization
▪ Identifying initial IoCs and gradually pivoting to identify related indicators and
artifacts to assess the possibility of an attack
▪ Providing an opportunity to implement new protection strategies to prevent upcoming
attacks
▪ Understanding active campaigns that include the who, what, when, where, why, and how of
emerging security threats
▪ Providing insight into the probability of risks and their impact on business
▪ Recommending various remediation and risk mitigation solutions
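The pivoting step in the list above (start from an initial IoC, expand to related indicators and artifacts, then check what the organization has actually observed) as an added worked example that is not part of the original module: a breadth-first pivot over a relationship table, pruned by link confidence and hop depth, followed by a match of every pivoted indicator against sensor telemetry. The relationship table, the telemetry lines, the host names, addresses, domains and the digest are all constructed for the example, and the confidence threshold and depth limit are illustrative choices, not values from any product.

```python
from collections import deque

FAKE_HASH = "ab" * 32  # constructed placeholder digest, not a real sample hash

# Constructed enrichment result, as a TIP might return it for the seed indicator:
# (indicator, relation, related indicator, confidence 0..1). Values carry a type
# prefix ("domain:", "ip:", "sha256:") so different indicator kinds do not collide.
RELATIONS = [
    ("domain:evil-updates.example", "resolves_to", "ip:203.0.113.7", 0.95),
    ("domain:evil-updates.example", "delivers", "sha256:" + FAKE_HASH, 0.90),
    ("sha256:" + FAKE_HASH, "beacons_to", "ip:198.51.100.23", 0.85),
    ("ip:198.51.100.23", "hosts", "domain:c2-panel.example", 0.80),
    ("ip:203.0.113.7", "hosts", "domain:static-assets.example", 0.40),  # shared hosting: weak link
]

# Constructed telemetry from DNS, proxy, EDR and firewall sensors (key=value fields).
TELEMETRY = [
    "2024-01-15T10:02:11Z dns host=ws-17 query=evil-updates.example answer=203.0.113.7",
    "2024-01-15T10:02:40Z proxy host=ws-17 dst=203.0.113.7:443 bytes=18223",
    "2024-01-15T10:05:03Z edr host=ws-17 sha256=" + FAKE_HASH + " path=update.exe",
    "2024-01-15T10:07:55Z fw host=ws-17 dst=198.51.100.23:8443 action=allow",
    "2024-01-15T10:09:00Z dns host=ws-22 query=static-assets.example answer=203.0.113.7",
    "2024-01-15T10:11:30Z dns host=ws-31 query=intranet.example answer=10.0.0.5",
]


def pivot(seed, relations, max_depth=2, min_confidence=0.6):
    """Breadth-first pivot from the seed IoC over the relationship table.
    Returns {indicator: (depth, path)}. Links below min_confidence are not
    followed, and expansion stops max_depth hops away from the seed."""
    adjacency = {}
    for ind, rel, related, conf in relations:
        adjacency.setdefault(ind, []).append((related, rel, conf))
        adjacency.setdefault(related, []).append((ind, rel, conf))  # navigable both ways
    found = {seed: (0, seed)}
    pending = deque([seed])
    while pending:
        node = pending.popleft()
        depth, path = found[node]
        if depth >= max_depth:
            continue
        for nbr, rel, conf in adjacency.get(node, []):
            if conf < min_confidence or nbr in found:
                continue
            found[nbr] = (depth + 1, f"{path} -{rel}-> {nbr}")
            pending.append(nbr)
    return found


def assess(seed, relations=RELATIONS, telemetry=TELEMETRY):
    """Matches every pivoted indicator against the telemetry and returns
    {host: {indicator: depth}}, so the analyst can see which hosts touched the
    seed itself and which only touched something related to it."""
    found = pivot(seed, relations)
    hits = {}
    for line in telemetry:
        fields = dict(token.split("=", 1) for token in line.split()[2:])
        for indicator, (depth, _path) in found.items():
            value = indicator.split(":", 1)[1]
            # compare field values, not the raw line, so "203.0.113.7:443" still matches
            if any(v == value or v.startswith(value + ":") for v in fields.values()):
                hits.setdefault(fields["host"], {})[indicator] = depth
    return hits


if __name__ == "__main__":
    for indicator, (depth, path) in pivot("domain:evil-updates.example", RELATIONS).items():
        print(f"depth {depth}: {path}")
    for host, observed in assess("domain:evil-updates.example").items():
        print(host, "observed", len(observed), "related indicator(s):", observed)
```

The output separates ws-17, which touched the seed domain, the delivered file and the second-hop beacon address, from ws-22, which only resolved an unrelated site to the shared address. The low-confidence shared-hosting link is pruned, so its domain never enters the pivot set, and depth plus hit count, not a single match, is what the assessment is built on.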


Benefits of CTI to SOC Team

Properly applied cyber threat intelligence can help the SOC team in:
▪ Providing greater insight into cyber threats
▪ Preventing data loss by identifying the causes of data leakage
▪ Guiding incident response
▪ Conducting data analysis to identify exploitable data
▪ Providing actionable strategic and tactical choices
▪ Conducting threat analysis for detecting advanced threats
▪ Sharing threat information to spread awareness
▪ Identifying Indicators of Compromise (IoCs)
▪ Discovering Tactics, Techniques, and Procedures (TTPs) for possible attacks

Benefits of CTI to SOC Team

In the current scenario, threat intelligence has become a necessity for the SOC. SOC teams use threat
intelligence to prevent and protect their IT infrastructure from various internal and external
threats. It also helps in identifying various cyber risks that affect the business. Identifying these
risks in advance helps SOC teams take defensive measures to mitigate the risks.

A properly applied CTI program helps the SOC team in the following manner:
▪ Providing greater insight into cyber threats
▪ Preventing data loss by identifying the causes of data leakage
▪ Guiding incident response
▪ Conducting data analysis to identify the exploitable data
▪ Providing actionable strategies and tactics that can be implemented to yield desirable
results
▪ Conducting threat analysis for detecting advanced threats
▪ Sharing threat information to spread awareness
▪ Identifying IoCs
▪ Discovering TTPs for possible attacks
▪ Detecting breaches at an early or initial stage


▪ Leveraging the threat modeling process
▪ Utilizing indicators for building a more proactive perimeter defense
▪ Focusing mainly on the most exploitable vulnerabilities and threats
▪ Prioritizing IoCs for faster detection and escalation of potential events
▪ Providing situational awareness through contextual data that helps security teams shift
their investigation from specific indicators to the attacker's TTPs
▪ Enhancing internal security systems by configuring security controls with threat
intelligence to automatically block significant threat indicators
▪ Reducing incident response time by providing context to various security incidents using
threat intelligence
▪ Implementing an intelligence-driven patch management process to identify and prioritize
critical vulnerabilities
▪ Providing high-level situational awareness to management and executives to understand
significant threats and allocate necessary resources to protect critical assets and business
processes
▪ Improving communication with internal and external stakeholders about various
business risks, possible future actions of threat actors, and return on
investment (ROI) in security
▪ Automating SIEM solutions with threat intelligence to correlate events with attacks more
quickly and reliably
▪ Enabling incident response and forensic teams to quickly recover from the damage
caused by attacks and prevent evolving attacks
▪ Providing greater insight to management to allocate sufficient budget to mitigate
business risks


Benefit of Threat Intelligence to SOC Analyst

▪ Tactical Threat Intelligence: It helps the SOC analyst detect emerging risks and share this information with others to improve security
▪ Strategic Threat Intelligence: It helps the SOC analyst understand adversary intent and make informed decisions to ensure appropriate security in
alignment with risk
▪ Operational Threat Intelligence: SOC analysts become aware of the latest threats to an organization's infrastructure based on automated updates
with the help of SIEM or other SOC tools

Benefit of Each Type of Threat Intelligence to SOC Analyst

The SOC team aggregates and analyzes threat data and produces tactical, operational, and strategic
threat intelligence to determine and mitigate threats.
▪ Tactical Threat Intelligence
Tactical threat intelligence helps the SOC analyst detect emerging risks and share this
information with others to improve security. It mainly focuses on IoCs, artifacts, rules and
signatures, and other evidence that clues the security teams in to existing and
evolving threats on the network. Different tactical events, such as exfiltration of data, port
scanning, etc., are integrated together to protect the target from being attacked.
▪ Strategic Threat Intelligence
Strategic threat intelligence helps the SOC analyst understand adversary intent and make
informed decisions to ensure appropriate security in alignment with risk. It mainly focuses
on monitoring, analyzing, and remediating existing risks and vulnerabilities in the security
system. It also provides information about the capability of threat actors and their potential
impacts on the systems. It is most beneficial to senior decision-makers like the CISO, security
manager, etc.
▪ Operational Threat Intelligence
SOC analysts become aware of the latest threats to the organization's infrastructure based
on automated updates with the help of SIEM or other SOC tools. This enables the SOC


analysts to develop logical system rules to identify specific indicators of suspicious and
malicious activities. It helps in designing relevant detection, IR, and threat-hunting
programs.


Threat Intelligence Use Cases for SOC Analyst

▪ Machine-Based Prioritization: Helps the SOC analyst automate the process of incident prioritization
▪ Incident Alert and Event Triage: Supplies the SOC analyst with context and situational awareness, which helps them
make a quick decision on which alerts need to be investigated first
▪ Analysis and Validation: The threat data provided to the SOC analyst can help them identify which alerts
can pose a serious threat to the organization

Threat Intelligence Use Cases for SOC Analyst

The following are the typical threat intelligence use cases for a SOC analyst:
▪ Machine-Based Prioritization
The machine-based prioritization use case helps the SOC analyst automate the process of
incident prioritization using SIEM, log management, and security analytics tools. It helps
SOC analysts detect real attack indicators among the thousands of alarms, alerts, and
events and neglect those that are false positives or won't affect the system. For example,
SOC teams can build SIEM rules to find threat indicators on the network with threat
intelligence. When such matches are identified, the SIEM will automatically change the
priority of the alert or event based on its criticality to the organization.
▪ Incident Alert and Event Triage
Although machine-based prioritization can perform much of the heavy lifting in finding
the real threats, SOC analysts still have to perform the challenging task of identifying
critical alerts and events. CTI can accelerate this process by supplying the SOC analyst
with summary threat data that offers context and situational awareness. This helps them
quickly decide which alerts and events to investigate first. For example, if malware is
correlated with an alarm, then threat intelligence will immediately inform the SOC analyst
about the malicious activity associated with that malware.


" Analysis and Validation


Threat intelligence facilitates SOC analyst to analyze and validate security events and
threats. This provides SOC analyst a threat data which help them to determine which
alerts and events are related to critical threats and need to be escalated to the incident
response team for further evaluation.


How Threat Intelligence Can Help SOC Analyst

▪ Narrows down the problem of analyzing and prioritizing a large number of security alerts
▪ Lowers the burden of sorting out false positives and low-priority alerts from a large volume of alerts
▪ Quickly identifies alerts associated with threats to the organization
▪ Quickly assembles and assesses the evidence of an attack and helps make a better decision on incident escalation

How Threat Intelligence Can Help SOC Analyst

Threat intelligence can help the SOC analyst in the following manner:
▪ It helps SOC analysts stay updated on all vulnerabilities and threats so that they
can prevent them instead of responding to them.
▪ It collects data from different feeds and provides both machine-generated, tactical
intelligence, like malicious URLs, IPs, etc., and human-generated, strategic intelligence,
like threat actors, TTPs, etc.
▪ It enables the SOC analyst to streamline investigations and threat research.
▪ It supports public and private collaboration to organize workflows and structure
response.
▪ It proactively informs the SOC analyst about future cybersecurity threats.
▪ It enables SOC analysts to focus their hunt missions on those areas that are unreachable
to security service providers.
▪ It narrows down the problem of analyzing and prioritizing a huge volume of security alerts
and events.
▪ It eliminates the burden of sorting out a huge volume of invalid and low-priority alerts.
▪ It quickly identifies alerts associated with threats to the organization.
▪ It quickly assembles and assesses the evidence of an attack and helps make a better decision
on incident escalation.


Threat Intelligence Use Cases in SOC ( $ A


wane | sot Aaalyst

Alarms, Events,
'N Threat Intelligence allows the analysts to prioritize the level of threats that are reported for reviews
and Alerts
by the security teams
Prioritization

Incident 'N Threat intelligence solutions help Incident Response (IR) teams, forensics teams, and threat detection
Response groups to analyze complex threats easily and more guickly

Assists in
Threat intelligence solutions help IR teams or security teams to uncover the possible effects of
Investigation and
related threats and help to prevent the network from the damage
Mitigation

Fusion 'N Threat intelligence fusion analysis is performed to create a more complete picture of threats and
Maalisi€ | risks posed by an attack to the organization, where intelligence is gathered from different sources
YSi
and source types to create a single threat report

All Ri€hts Reserved. Reproductionis Strictly Prohibited.

Threat Intelligence Use Cases in SOC


Threat intelligence solutions can be used in a variety of ways by a SOC to enhance the security
infrastructure, thereby protecting the network from various outside threats. Hence, it is
important to effectively leverage threat intelligence based on the maturity of the organization.
The following are some of the important use cases for threat intelligence in SOC:
- Alarms, Events, and Alerts Prioritization

Threat intelligence allows analysts to prioritize the level of the threats that are reported
for review by the security teams. Prioritization saves analysts from the labor-intensive
task of sorting through received alarms, events, and alerts that are false positives and have
no impact on the organization. It can be done by generating SIEM rules that match the threat
indicators observed on the organization's network against threat intelligence. Threat
intelligence further connects these indicators to the threat actors known to target the
organization's industry. When a SIEM rule is evaluated and an indicator matches such a
threat actor, the SIEM automatically increases the priority rating, ensuring that the
security teams focus their attention on the high-risk issues rather than on every alarm raised.
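The prioritization rule described above, as an added example in Python that is not part of the courseware: indicators in each alert are looked up in a threat-intelligence table, and the priority is raised when the indicator is attributed to an actor that targets the organization's industry. The indicator table, actor profiles, alerts and the ORG_INDUSTRY value are constructed assumptions.

```python
"""Added example (not the courseware's code): a SIEM-style correlation rule that
matches indicators extracted from alerts against a threat-intelligence table and
raises the priority when the indicator belongs to a threat actor known to target
the organization's industry. Feeds, actors and alerts are constructed samples."""
from dataclasses import dataclass, field

# Constructed threat-intelligence table (documentation-range IPs, invented names).
THREAT_INTEL = {
    "198.51.100.23": {"type": "ipv4", "actor": "ACTOR-A", "confidence": 90},
    "203.0.113.77": {"type": "ipv4", "actor": "ACTOR-B", "confidence": 60},
    "bad-updates.example": {"type": "domain", "actor": "ACTOR-A", "confidence": 85},
    "ab" * 16: {"type": "md5", "actor": None, "confidence": 40},  # unattributed hash
}

# Constructed actor profiles: industries each actor is known to target.
ACTOR_PROFILES = {
    "ACTOR-A": {"targets": {"finance", "energy"}},
    "ACTOR-B": {"targets": {"retail"}},
}

ORG_INDUSTRY = "finance"  # assumption: the organization's own sector


@dataclass
class Alert:
    alert_id: str
    rule: str
    indicators: list[str]
    priority: int = 1  # 1 = informational ... 5 = critical
    matches: list[dict] = field(default_factory=list)


def enrich_and_prioritize(alert: Alert) -> Alert:
    """Rule logic: a TI match raises priority by one step; an attributed actor that
    targets ORG_INDUSTRY adds two more; confidence >= 80 adds one more (cap 5)."""
    for ind in alert.indicators:
        hit = THREAT_INTEL.get(ind.lower())
        if hit is None:
            continue  # not in intelligence: leave priority as the detection set it
        actor = hit["actor"]
        targets_us = bool(actor) and ORG_INDUSTRY in ACTOR_PROFILES.get(actor, {}).get("targets", set())
        bump = 1 + (2 if targets_us else 0) + (1 if hit["confidence"] >= 80 else 0)
        alert.priority = min(5, alert.priority + bump)
        alert.matches.append({"indicator": ind, "actor": actor, "targets_us": targets_us})
    return alert


def triage(alerts: list[Alert]) -> list[Alert]:
    """Enrich every alert and return them highest priority first."""
    return sorted((enrich_and_prioritize(a) for a in alerts),
                  key=lambda a: a.priority, reverse=True)


if __name__ == "__main__":
    sample = [
        Alert("A-1", "outbound-conn", ["192.0.2.10"]),       # no TI match -> stays 1
        Alert("A-2", "dns-query", ["bad-updates.example"]),   # ACTOR-A targets finance -> 5
        Alert("A-3", "outbound-conn", ["203.0.113.77"]),      # ACTOR-B, not our sector -> 2
    ]
    for a in triage(sample):
        print(a.alert_id, a.priority, a.matches)
```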
- Incident Response

Threat intelligence solutions help incident response teams, forensic teams, and threat
detection groups to analyze complex threats easily and more quickly so that they can
respond to attacks in a specific way to protect the network. Incident response is
accelerated by the content on the initial indicators of a threat provided by the CTI
knowledge base. This content consists of the effects of the initial indicators on the
network, their technical characteristics, and information about where they were recently
observed.

- Investigation and Mitigation

Threat intelligence solutions help IR teams or security teams to uncover the possible
effects of related threats and to prevent the network from any potential damage.
Information about the tools and techniques used in launching the attack can help the
security teams determine the number of systems that were compromised during an attack and
the amount of damage caused to the network. This type of insight helps the security teams
to easily locate and remove the attacker's footprint and to incorporate defense policies in
the network to protect against the same or similar techniques in the future.

- Fusion Analysis

To create a complete picture of the threats and risks posed by an attack to the organization,
threat intelligence fusion is performed, where intelligence is gathered from different
sources and source types to create a single threat report. Clustering, querying, and
pivoting are essential steps in fusing multiple intelligence sources. Security teams perform
fusion analysis to further refine their knowledge of relevant threats, including their
capabilities and effects. The information gathered from the fusion analysis can be used by
an organization's TIP to find the connections among threats, threat actors, indicators,
incidents, and other components. Furthermore, this information can be used by the security
teams to enhance the security policies of the organization's network.
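An added example (not the courseware's code) of the clustering, querying, and pivoting steps of fusion analysis: three constructed feeds are merged, records sharing an indicator or a campaign are clustered, and each cluster becomes one entry in a single report. The feed names, actors, campaigns and indicator values are invented.

```python
"""Added example (not the courseware's code): fusion analysis over several
constructed threat feeds. Records are clustered when they share an indicator or
a campaign name (union-find), then each cluster is pivoted into one report entry
listing its indicators, sources, actors and corroboration. Feed names, actors,
campaigns and indicator values are invented (documentation-range IPs)."""
from collections import defaultdict

# Constructed feeds of different source types: (indicator, actor, campaign, confidence)
FEEDS = {
    "commercial_feed": [("198.51.100.23", "ACTOR-A", "CAMP-1", 80),
                        ("bad-updates.example", "ACTOR-A", "CAMP-1", 75)],
    "isac_sharing": [("bad-updates.example", None, "CAMP-1", 60),
                     ("ab" * 16, None, "CAMP-1", 50)],
    "internal_incident": [("ab" * 16, None, None, 95),
                          ("203.0.113.77", "ACTOR-B", None, 70)],
}


def _find(parent: dict, x: str) -> str:
    while parent[x] != x:
        parent[x] = parent[parent[x]]  # path halving
        x = parent[x]
    return x


def _union(parent: dict, a: str, b: str) -> None:
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def fuse(feeds: dict) -> list[dict]:
    """Cluster records that share an indicator value or a campaign, then pivot
    each cluster into a single report entry (most corroborated clusters first)."""
    parent, records = {}, []
    for source, items in feeds.items():
        for indicator, actor, campaign, confidence in items:
            rec = {"indicator": indicator, "actor": actor, "campaign": campaign,
                   "confidence": confidence, "source": source}
            records.append(rec)
            keys = ["ind:" + indicator]          # same indicator => same node
            if campaign:
                keys.append("camp:" + campaign)  # campaign links different indicators
            for k in keys:
                parent.setdefault(k, k)
            for k in keys[1:]:
                _union(parent, keys[0], k)
    clusters = defaultdict(list)
    for rec in records:
        clusters[_find(parent, "ind:" + rec["indicator"])].append(rec)
    report = []
    for recs in clusters.values():
        sources = {r["source"] for r in recs}
        report.append({
            "indicators": sorted({r["indicator"] for r in recs}),
            "sources": sorted(sources),
            "actors": sorted({r["actor"] for r in recs if r["actor"]}),
            "campaigns": sorted({r["campaign"] for r in recs if r["campaign"]}),
            "max_confidence": max(r["confidence"] for r in recs),
            "corroborating_sources": len(sources),
        })
    report.sort(key=lambda c: (-c["corroborating_sources"], c["indicators"]))
    return report


def pivot(report: list[dict], indicator: str):
    """Query the fused report for the cluster that contains an indicator."""
    return next((c for c in report if indicator in c["indicators"]), None)


if __name__ == "__main__":
    for entry in fuse(FEEDS):
        print(entry)
```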


Integration of Threat Intelligence into SIEM

SIEM protects an organization's IT assets from data breaches caused by internal and external
threats. Organizations integrate threat intelligence into SIEM to take control of the chaos,
gain in-depth knowledge of threats, eliminate false positives, and implement a proactive,
intelligence-driven defense.
Listed below are the benefits of integrating cyber threat intelligence (CTI) into SIEM:

- Integration of CTI into SIEM helps organizations quickly thwart evolving threats that
  have a high impact on their IT assets.
- CTI provides real-time support to SOC analysts to identify threats and take appropriate
  actions upon indications of compromise.
- Threat data feeds integrated with SIEM enhance the effectiveness of the threat detection
  mechanism, reducing false-positive alarm rates.
- CTI provides SIEM with the capability to raise real-time alerts of upcoming threats
  along with a complete understanding of the threat and its TTPs.
- High-quality threat intelligence feeds provide contextual information that speeds up
  the triage of alerts and the incident investigation process.
- CTI enhances the threat-tracking process by combining internal monitoring logs with
  external and internal threat intelligence.
- CTI provides SIEM with the capability to verify historical data against the current
  threat intelligence data to uncover previously unknown threats.
- CTI integrated with SIEM helps organizations use contextual information such as IoCs to
  prioritize incidents, retain historical threat data along with related indicators and
  past incidents, and generate threat profiles.
- CTI is used to find the scope of an incident by relating local observations to the
  threat data feeds to identify all the compromised IT resources and traces of an attack.
- CTI helps analysts mitigate advanced threats by collaborating on response and protection
  mechanisms without analyzing huge volumes of log data.
- CTI allows proactive analysis by pivoting outward from the threat information and known
  IoCs to add context and intelligence to evolving threats.
- CTI integrated with SIEM adds context and relationships to the identified indicators,
  enabling organizations to understand the nature of threats and the level of risk they
  pose to their IT assets and to provide an effective response.


Figure: Threat feeds pass through information processing and sensor/filter enrichment in
the Threat Intelligence Platform (TIP), which delivers strategic, operational, and tactical
intelligence to security analytics and the Security Information and Event Management (SIEM)
system, with exposure identification and risk assessment at the strategic level, impact
assessment at the operational level, and current investigations and TTP analysis at the
tactical level.

Integration of Threat Intelligence into SIEM (Cont'd)

Threat intelligence signifies the combination of information detailing potential threats
with proper knowledge and understanding of the organization's network structure, operations,
and activities. Threat intelligence is generally represented by IoCs or threat feeds, which
provide evidence-based knowledge regarding an organization's unique threat landscape. To
obtain the evidence-based knowledge used by network defenders, the threat feeds that contain
information on techniques and indicators need to be contextualized by verifying them against
baseline knowledge of network activity.
The collection and structuring of threat feeds is the generation of threat intelligence,
which is used in security analytics to improve the efficiency of threat detection. In a
network defense setting, security analytics exists in one of two forms:

- A TIP that consumes data collected from the network to discover trends
- SIEM infrastructure that detects anomalous activity on the network

Both forms are independent of each other and do not need threat intelligence to function.
However, all the acquired information is then fed to the strategic, tactical, operational,
and technical levels.
Strategic threat intelligence helps organizations in the development and testing of their
future cybersecurity posture by performing the following:
- Identifying and understanding evolving threats and their possible mitigation strategies
- Generating test scenarios of the identified threats
- Developing network security controls to counter vulnerabilities that support various
  business cases
- Guiding device enrichment for network defense policy

The above factors help SOC analysts to understand the possibility of compromise, to increase
the capability to detect various threats, and to undertake a rapid recovery process. It also
helps in understanding operational-level activities such as the following:
- Identifying emerging capabilities of an adversary by performing trend analysis
- Understanding the indicators that reveal existing attack vectors that are being exploited
- Tracing the changes in the capability of attacks
- Learning the operational cycle of attacks
- Identifying the possibilities of exploiting potential vulnerabilities
- Elucidating a clear picture of the threat environment

Tactical threat intelligence helps SOC analysts to employ real-time threat monitoring
activities such as the following:
- Uncovering an ongoing attack on the infrastructure and its methodology
- Identifying current and emerging threats and risks
- Comparing and analyzing detected activities against the TTPs and IoCs
- Discovering the consequences of compromise and actionable advice
- Suggesting defensive and mitigation strategies for the current and emerging threats

Technical-level threat intelligence helps network defenders to focus on specific IoCs and
improve defensive mechanisms. Activities at the technical level of threat intelligence
include the following:
- Extracting IoCs from active campaigns
- Identifying specific IoCs such as malware, IP addresses, and domains
- Updating and enhancing detection mechanisms based on the identified indicators

Based on the accuracy and reliability of the threat data feeds, the extracted threat
intelligence covers three temporal aspects: past, present, and future.
- Threat intelligence uncovers unknown vulnerabilities by exploiting the threat details of
  past incidents.
- It prioritizes ongoing investigations based on alerts of active threats.
- It monitors the IT infrastructure to identify and prevent repeated attacks.



Threat Intelligence Use Cases for Enhanced Incident Response

Threat intelligence also plays an important role in the incident response process.
Intelligence can be integrated into the incident response process, which helps IR teams
with the required resources to act against security incidents quickly. It helps in
identifying who or what might be performing an attack, how it operates, which campaigns it
is part of, and where else to search on the network.

Given below are the phases of escalation involved in incident response management:
- Phase 1: Preplanning
IR teams use practice tests and scenarios to test the security plan. Strategic- and
operational-level threat intelligence can be integrated into this aspect of incident
response in various ways. With the use of CTI, security analysts can find answers to the
following questions:

  o Which threat actor groups would target the organization, and what is the reason
    behind it?
  o Which are the different assets they are targeting?
  o What are the various capabilities that adversaries possess?
  o What are the possible attack scenarios?

Preplanning can be divided into two categories:

  o Incident Response
    Operational threat intelligence can be used in IR to develop threat scenarios. Threat
    intelligence can be used to identify the TTPs used by an adversary to perform an attack,
    which can then be translated into incident responder workflows. Therefore, if the
    network experiences the same type of attack, the defenders would have the required
    tools, workflow, and procedure to protect the network.
  o Breach Response
    Breach response is similar to incident response with one difference: it manages the
    risks associated with the business. A plan to address business risks is developed by a
    panel involving the CIO, CISO, risk management, PR/crisis management, counsel, and other
    stakeholders. They also take decisions regarding what the communication to regulators,
    clients, consumers, and the general public will be. Operational and strategic threat
    intelligence can be integrated into the breach response process by answering the
    following internal and external justification questions:

    Internal justification:
      - What organizational risk does this effort diminish, or does it give the
        organization more detailed information on the risk?
      - What manual tasks does this effort help to automate?
      - What cost does this effort reduce?
      - What level of resources (labor and material) does it take to perform an activity
        successfully?
    External justification:
      - What new tasks will the security team have after implementing a solution, and what
        tasks are already on the team's to-do list?
      - What new information can the team use to work beyond what it already possesses?
      - What is the cost of this new information?
      - What problem is this information capable of solving?
- Phase 2: Event

Operational and tactical threat intelligence helps in providing context to the alerts
generated by an organization's security mechanisms such as SIEM, SOC, or other security
tools. The type of information included in this intelligence is IoCs, such as IP addresses,
malware, compromised devices, domains, URLs, traffic patterns, TTPs used by adversaries,
and phishing messages or emails. This information can be used to determine whether an event
can escalate into a security incident.

- Phase 3: Incident

Once an adversary establishes a foothold in the victim's network, an event is known to have
escalated into an incident. After an incident has taken place in the network, operational
threat intelligence can be used by the security analysts to gain more insight into the
techniques, operations, the actor's objectives, and past incidents. Thus, operational
threat intelligence helps obtain knowledge about the threat using the threat triangle,
which covers the threat actor's capability, intent, and opportunity.

- Phase 4: Breach

It becomes essential for an organization to report an incident when it escalates into a
breach. This type of scenario usually takes place after data exfiltration has occurred, so
the organization must report it to stakeholders, clients, customers, and employees.
Therefore, incident response defines how the organization responds internally, whereas
breach response defines how the organization responds externally.
Strategic and operational threat intelligence play an important role in the analysis of a
breach. This information helps in providing answers to the following questions:

  o What happened?
  o How did the breach occur, and what was the reason behind it?
  o What are the essential steps that need to be taken to avoid such a breach in the
    future?



Enhancing Incident Response by Establishing SOPs for Threat Intelligence

Threat intelligence usually consists of indicators of threats such as IP addresses, URLs,
domain names, malware hashes, and filenames. Standard operating procedures (SOPs) play an
important role in improving incident response. Therefore, to establish SOPs, it is
necessary to obtain answers to the following questions about each indicator:
- IP Addresses

  o Which network devices are more critical than others?
  o Is there a specified way to determine if those critical devices are sending or
    receiving traffic to/from a suspicious IP address?
  o Is there any documented process that can assist in performing this kind of research?
  o Does the organization have an in-depth understanding of the security technologies
    needed to carry out research under pressure?

- Domain Names

  o Does the security analyst have the capability to view and monitor domain traffic and
    also to view the WHOIS database for those domains for information regarding
    registration?
  o Is there any documented process that can assist in performing this kind of research?
  o Does the organization have an in-depth understanding of the security technologies
    needed to carry out research under pressure?

- URLs

  o Is it possible for the security analysts to view suspicious URLs and the end users who
    visited them?
  o Is there any documented process that can assist in performing this kind of research?
  o Does the organization have an in-depth understanding of the security technologies
    needed to carry out research under pressure?

- Malware Hashes and Filenames

  o Can the security analyst view an endpoint to determine if a specific filename or
    malware hash exists on any of the endpoints?

Obtaining answers to these questions helps identify the presence of malicious indicators in
the organization's network. The information can also help in developing defensive policies
to enhance the security of network devices and endpoints. Using this information, network
devices and endpoints can be configured so that alerts are generated if any malicious
activity has occurred. These alerts assist security analysts in investigating and mitigating
threats to protect the organization's digital assets.
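An added example (not from the courseware) that runs the SOP checks above over constructed logs, one check per indicator type; it also serves the earlier SIEM integration point about verifying historical data against current intelligence, since the same functions can be run over archived logs. Log formats, host names, users, the CRITICAL_DEVICES list and indicator values are assumptions.

```python
"""Added example (not the courseware's code): the per-indicator SOP checks from
the section above, run over constructed sample logs and an endpoint file
inventory. Each check answers the SOP question for its indicator type: which
(critical) devices exchanged traffic with a suspicious IP, which hosts resolved a
suspicious domain, which end users visited a suspicious URL, and which endpoints
hold a flagged file hash. Log formats, hostnames, users and indicator values are
invented; IPs come from documentation ranges."""
import re

# Constructed indicators received from threat intelligence, grouped by type.
INDICATORS = {
    "ip": {"198.51.100.23"},
    "domain": {"bad-updates.example"},
    "url": {"http://bad-updates.example/setup.exe"},
    "sha256": {"ab" * 32},
}
CRITICAL_DEVICES = {"db-01", "dc-01"}  # assumption: the SOP's list of critical devices

# Constructed key=value logs (firewall, DNS, web proxy).
FIREWALL_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.5 host=ws-17 dst=198.51.100.23 dport=443 action=allow
2024-05-01T10:00:07Z src=10.0.0.9 host=db-01 dst=198.51.100.23 dport=443 action=allow
2024-05-01T10:00:09Z src=10.0.0.9 host=db-01 dst=192.0.2.50 dport=53 action=allow
"""
DNS_LOG = """\
2024-05-01T09:59:58Z client=10.0.0.5 host=ws-17 query=bad-updates.example type=A
2024-05-01T09:59:59Z client=10.0.0.7 host=ws-22 query=updates.example type=A
"""
PROXY_LOG = """\
2024-05-01T10:00:02Z user=alice host=ws-17 url=http://bad-updates.example/setup.exe status=200
2024-05-01T10:00:03Z user=bob host=ws-22 url=https://intranet.example/ status=200
"""
# Constructed endpoint inventory: (host, path, sha256)
ENDPOINT_FILES = [
    ("ws-17", r"C:\Users\alice\Downloads\setup.exe", "ab" * 32),
    ("ws-22", r"C:\Windows\System32\notepad.exe", "cd" * 32),
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(log: str) -> list[dict]:
    """Turn each non-empty key=value line into a dict (the timestamp is ignored)."""
    return [dict(KV.findall(line)) for line in log.splitlines() if line.strip()]


def check_ips(fw_log: str) -> list[dict]:
    """Which devices talked to a suspicious IP, and are they on the critical list?"""
    hits = []
    for e in parse(fw_log):
        peer = next((ip for ip in (e.get("src"), e.get("dst")) if ip in INDICATORS["ip"]), None)
        if peer:
            hits.append({"host": e["host"], "ip": peer, "critical": e["host"] in CRITICAL_DEVICES})
    return hits


def check_domains(dns_log: str) -> list[dict]:
    """Which hosts resolved a suspicious domain?"""
    return [{"host": e["host"], "domain": e["query"]}
            for e in parse(dns_log) if e.get("query") in INDICATORS["domain"]]


def check_urls(proxy_log: str) -> list[dict]:
    """Which end users (and from which hosts) visited a suspicious URL?"""
    return [{"user": e["user"], "host": e["host"], "url": e["url"]}
            for e in parse(proxy_log) if e.get("url") in INDICATORS["url"]]


def check_hashes(files: list[tuple]) -> list[dict]:
    """Which endpoints hold a file whose hash is a known indicator?"""
    return [{"host": h, "path": p} for h, p, digest in files if digest in INDICATORS["sha256"]]


def run_sop() -> dict:
    """Run every SOP check; pointing the same functions at archived logs verifies
    historical data against newly received intelligence."""
    return {"ip": check_ips(FIREWALL_LOG), "domain": check_domains(DNS_LOG),
            "url": check_urls(PROXY_LOG), "sha256": check_hashes(ENDPOINT_FILES)}
```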


Module Summary

- Cyber threat intelligence helps the organization to identify and mitigate various business
  risks by converting unknown threats into known threats, and helps in implementing various
  advanced and proactive defense strategies.
- CTI, often presented in the form of Indicators of Compromise (IoCs) or threat feeds,
  provides evidence-based knowledge regarding an organization's unique threat landscape.
- An intelligence-driven security approach is required to improve incident detection and
  response.
- An intelligence-driven SOC provides an effective and structured approach to detect, handle,
  respond to, remediate, and mitigate risk earlier than a traditional SOC.
- With large volumes of data, the exponential increase in the complexity of threat vectors,
  and the lack of threat intelligence analysts, organizations are choosing to implement TIPs
  to facilitate the management of cyber threat intelligence.
- Integrating threat intelligence into SIEM helps narrow down the problem of analyzing and
  prioritizing the huge number of security alerts and events.

In this module, we have discussed CTI and its objectives, along with its types and benefits
to the SOC. This module has also provided an overview of threat intelligence sources and the
various phases of the threat intelligence lifecycle. We have also discussed the TIP and its
capabilities to aggregate, correlate, and analyze threat data from multiple sources. This
module ends with a discussion of the need for a threat intelligence-driven SOC, threat
intelligence use cases for the SOC and SOC analyst, how threat intelligence is integrated
into SIEM, and the role of SOPs in improving IR.
