Chapter 83 · Flashcards

Threat Intelligence — Flashcards

10 cards covering threat intelligence purpose, OSINT sources and limitations, proprietary intelligence advantages, the CTA model, dark web access requirements, dark web content types, monitoring targets, TTPs, IOCs, and the OSINT validation requirement.

0 / 10 flipped
Concept
What is threat intelligence, and which roles in an organization use it?
Answer
Threat intelligence is the collection, analysis, and operationalization of information about current and potential cyber threats — including threat actors, their tools and techniques, and active campaigns. Its purpose is proactive defense: understanding adversaries before they act.

Who uses it:
SOC analysts — alert enrichment and prioritization
Incident responders — containment, attribution, TTP identification
Threat hunters — hypothesis-driven hunt development
Vulnerability management — actively exploited CVE prioritization
Executives — risk-informed investment decisions
Term
OSINT — three source categories and the critical limitation
Definition
Open-Source Intelligence — intelligence from publicly available sources, no payment or authorization required.

Three categories:
Internet — discussion forums, social media, security blogs, public repos, vulnerability databases
Government — national cybersecurity advisories, public hearings, regulatory reports, threat assessments
Commercial data — financial reports, mapping data, industry databases

Critical limitation: Information quality varies significantly. Data may be outdated, inaccurate, or deliberately misleading. OSINT must be validated and correlated before operational use. Acting on unverified OSINT can cause operational disruption.
Concept
What is the defining capability of proprietary/commercial threat intelligence that OSINT cannot provide?
Answer
Cross-organization correlation at scale.

A commercial vendor monitoring thousands of client environments simultaneously can detect an emerging attack campaign at one client and distribute protective indicators to all others — often before the attacker reuses the same techniques elsewhere.

No individual organization monitoring only its own environment can achieve this. OSINT cannot achieve it in real time.

Additional capabilities: Curated threat analytics, malware analysis, IOC distribution, attack infrastructure mapping, vulnerability exploitation intelligence.

Tradeoffs: Subscription cost, vendor dependency, data-sharing requirements.
Term
Cyber Threat Alliance (CTA) — four-step process
Definition
An industry collaboration for sharing validated threat intelligence among member organizations.

Process:
1. Submit — member uploads threat intelligence in CTA's standardized format
2. Validate — CTA verifies accuracy; cross-references with other submissions for corroboration
3. Score — CTA assigns credibility and severity score to each validated submission
4. Distribute — all members receive validated, scored intelligence to integrate into their defenses

Why standardization matters: Machine-readable format = immediately actionable for all recipients, not requiring manual analysis.
Why scoring matters: Enables prioritization; Critical/high-confidence = immediate response.
Concept
Why is information sharing especially valuable during zero-day attacks and active ransomware campaigns?
Answer
During zero-day attacks, no patch exists, no vendor advisory has been published, and OSINT has not yet caught up. The only organizations with firsthand, actionable intelligence are the ones currently being attacked.

Without sharing: that intelligence stays inside one incident report, never helping anyone else.

With sharing (CTA, ISAC): the intelligence derived from one organization being attacked becomes a distributed defense for all peers within hours — before the attacker can reuse the same technique at another target.

The earlier sharing occurs in a campaign, the fewer organizations are affected by it. Time is the variable; information sharing compresses it.
Term
Dark Web — what it is, how it is accessed, and why it matters for threat intelligence
Definition
What it is: Overlay networks using the internet as transport; not accessible through standard browsers or indexed by search engines.

How it is accessed: Requires specialized software and specific configurations — most commonly the Tor browser, which routes traffic through encrypted relays to conceal identity and location.

Why it matters for threat intelligence: The dark web is where threat actors communicate, sell stolen data, buy malware, and advertise services — including listing access to compromised networks, discussing planned targets, and posting proof-of-compromise content. It is the source closest to the adversary.
Concept
What four types of content are found on dark web criminal platforms, and what is the intelligence value of each?
Answer
Stolen data markets — credit cards, credentials, corporate data. Intelligence value: detect if organization data is for sale; invalidate credentials before use.

Malware markets — exploit kits, ransomware-as-a-service, RATs, zero-days. Intelligence value: develop detection signatures for tools before they are deployed against the organization.

Hacking services — DDoS-for-hire, initial access brokering, phishing services. Intelligence value: detect if network access is listed for sale; identify planned campaigns.

Forums and communications — technique discussions, target mentions, proof-of-compromise posts. Intelligence value: earliest possible warning before an attack begins or is publicized.
Term
Tactics, Techniques, and Procedures (TTPs) — three levels with examples, and why TTPs are more durable than IOCs
Definition
Tactics — high-level attacker goals: initial access, privilege escalation, lateral movement, data exfiltration.

Techniques — specific methods: spearphishing with attachment, pass-the-hash, living-off-the-land with built-in OS tools.

Procedures — actor-specific implementations: group X's known phishing template, their specific malware, their preferred C2 domain patterns.

Why TTPs > IOCs for durability: Attackers change infrastructure (IPs, domains, hashes) easily with minimal cost. Changing TTPs requires significant retooling. A detection built on TTP-level behavior remains effective even after the attacker cycles all infrastructure.
Concept
What specific items should an organization monitor for on the dark web?
Answer
Monitor for:

Organization name and domain — appearing in forum discussions, attack planning posts, or breach listings
Executive names and email addresses — targeted spearphishing preparation, credential dumps
Stolen credentials — employee accounts in credential dump marketplaces; enable proactive password resets
Data listings — organization's data appearing in extortion posts or breach marketplaces
Network access listings — initial access brokers selling access to the organization's network

The monitoring goal: detect evidence of past compromise or planned attacks early enough to act before the attacker does.
Concept
What are the three challenges of dark web intelligence operations?
Answer
1. Information reliability: Threat actors fabricate breaches, exaggerate capabilities, and post disinformation. A breach claim requires corroborating evidence before being treated as confirmed. Acting on a fabricated breach listing wastes response resources and may expose defensive capabilities to the adversary.

2. Legal and operational security: Accessing dark web criminal content requires careful operational security to avoid detection; legal frameworks around accessing criminal content vary by jurisdiction and require compliance review.

3. Data volume and structure: Dark web content is vast, unstructured, and constantly changing. Identifying relevant content requires specialized tools and trained analysts. Organizations without this capability should use commercial monitoring services rather than attempting it independently.