Threat Intelligence Cycle

Planning and Requirements
1. What’s our goal
2. Business-aligned
3. Regulations
4. Most likely threats
Collection & Processing
1. Organized
2. Consistent
3. Automated
4. Choose sources of intelligence
5. Processing & Normalizing
Analysis
1. More Data but not too much data
2. Scripts (Bash, Python, PowerShell)
3. SIEM tool/devices (security information Event Manager)
Dissemination
1. Internal communication
2. Choose audience
Types:
- Strategic Intelligence - addresses long term objectives and priorities
- Operational Intelligence - day to day priorities to IT and managers
- Tactical Intelligence - real time threat intel - incident response procedures
c. Outside communication - communicate findings to other companies / consum
Feedback
1. New findings, new information
2. Lessons learned from previous attack
3. New threats
4. Need for change

Intelligence Sources

How secure are we
How threatening is the outside world

Sources

Narrative sources
Threat feeds - data feed of continuous flow of threats to monitor
Historical / Trend analysis
Reconnaissance
1. What could an attacker find out about us
2. where would they look
  1. Open-source(OSINT)
  2. The web
  3. Dedicated tools
  4. Feeds
3. closed source
Whois & DNS
1. whois
2. nslookup
3. dig(mac)
4. host
5. zone transfers - used to replicate DNS database between servers. Sometimes this can be exposed to outside traffic
OSINT Dedicated tools
1. OSINT Framework, checkusernames, haveIbeenPwned, BeenVerified, Censys, BuiltWith, Google Dorks, Maltego, Recon-Ng, theHarvester, Shodan, Jigsaw, SpiderFoot, creepy, Nmap, WebShag, OpenVAS, Fierce, Unicornscan, Foca, ZoomEye, Spyse, IVRE, Metagoofil, Exiftool 1.
  
  <aside> 💡
  - OSINT Framework: A collection of OSINT tools categorized for ease of use.
  - CheckUserNames: Allows you to check the availability of usernames across multiple platforms.
  - Have I Been Pwned: A service that lets you check if your email or domain has been compromised in a data breach.
  - BeenVerified: Provides background checks and public records information.
  - Censys: A search engine that enables researchers to ask questions about the devices and networks that compose the internet.
  - BuiltWith: Identifies the technologies used by websites.
  - Google Dorks: Advanced search techniques to find specific information using Google.
  - Maltego: An interactive data mining tool that renders directed graphs for link analysis.
  - Recon-Ng: A full-featured web reconnaissance framework written in Python.Medium
  - theHarvester: A tool for gathering emails, subdomains, hosts, employee names, open ports, and banners from different public sources.Medium
  - Shodan: The world's first search engine for internet-connected devices.Medium
  - SpiderFoot: An open-source intelligence automation tool with a web-based interface and extensive reporting capabilities.Medium
  - Creepy: A geolocation OSINT tool.Medium
  - Nmap: A free and open-source network scanner used to discover hosts and services on a computer network.
  - WebShag: A multi-threaded, multi-platform web server audit tool.
  - OpenVAS: An open-source vulnerability scanner and vulnerability management solution.
  - Fierce: A DNS reconnaissance tool for locating non-contiguous IP space.
  - Unicornscan: A user-land distributed TCP/IP stack for information gathering and correlation.
  - FOCA: A tool for finding metadata and hidden information in the documents it scans.
  - ZoomEye: A cyberspace search engine for finding specific network components.Medium
  - Spyse: A search engine for internet assets.
  - IVRE: A network recon framework.
  - Metagoofil: A tool for extracting metadata of public documents.
  - ExifTool: A platform-independent Perl library plus a command-line application for reading, writing, and editing meta information in a wide variety of files. </aside>
  <aside> 💡
  - OSINT Framework: https://osintframework.com
  - CheckUserNames: https://checkusernames.com
  - Have I Been Pwned: https://haveibeenpwned.com
  - BeenVerified: https://www.beenverified.com
  - Censys: https://censys.io
  - BuiltWith: https://builtwith.com
  - Google Dorks: https://www.exploit-db.com/google-hacking-database
  - Maltego: https://www.maltego.com
  - Recon-Ng: https://github.com/lanmaster53/recon-ng
  - theHarvester: https://github.com/laramies/theHarvester
  - Shodan: https://www.shodan.io
  - Jigsaw: https://jigsaw.google.com
  - SpiderFoot: https://www.spiderfoot.net
  - Creepy: https://www.geocreepy.com
  - Nmap: https://nmap.org
  - WebShag: https://www.scrt.ch/en/attack/downloads/webshag
  - OpenVAS: https://www.openvas.org
  - Fierce: https://github.com/davidpepper/fierce-domain-scanner
  - Unicornscan: https://github.com/jaminh/unicornscan
  - FOCA: https://www.elevenpaths.com/labstools/foca/index.html
  - ZoomEye: https://www.zoomeye.org
  - Spyse: https://spyse.com
  - IVRE: https://ivre.rocks
  - Metagoofil: https://github.com/laramies/metagoofil
  - ExifTool: https://exiftool.org </aside>
2. FOCA - fingerprinting organizations with collected archives - https://github.com/ElevenPaths/FOCA
3. TheHarvester - https://github.com/laramies/theHarvester
4. SHODAN - Used to identify unsecured devices
5. Maltego used to determine relationships between companies and even people
6. ReconNG - python tool - web recon
7. Census - device information gathering tool
8. Website Ripper - clones website files to local machine
9. Google dork/Google Hacking DB - https://www.exploit-db.com/google-hacking-database
Confidence Levels - Threat levels
Relevancy - does it apply to you
Accuracy - trust the source - can you build your defense off what is being reported
Fake news / click bait
Admiralty system - FM 2-22.3 - Human Intelligence Collector Operations - https://irp.fas.org/doddir/army/fm2-22-3.pdf

Security Intelligence Sharing

Information Sharing Communities
ISAC’s - information sharing and analysis centers
This fits into the Dissemintion part of the Threat Intel Cycle -

Threat Classification and Threat Actors