Threat Intelligence: The Big Picture

This course provides a solid baseline for cyber threat intelligence. You will learn how to leverage intelligence to understand adversary behavior and make use of indicators of compromise to detect and stop malware.
Course info
Rating
(12)
Level
Beginner
Updated
Aug 3, 2017
Duration
1h 43m
Description

Security incidents have become harder to detect, mostly because of the increase in malware complexity and variety. In this course, Threat Intelligence: The Big Picture, you'll learn the foundational knowledge of Cyber Threat Intelligence. First, you'll explore how to classify indicators of compromise using industry standard methodologies. Next, you'll discover how to search for and consume existing intelligence about the threats that you're dealing with. Finally, you'll cover how to maintain the quality of malware detections with a solid set of best practices. When you're finished with this course, you'll have the skills and the knowledge of threat intelligence to implement it into your current incident handling process.

About the author

Cristian is an Information Security Professional with experience in the supply chain, manufacturing, gaming, and entertainment sectors for Fortune 500 companies. He has provided expertise in incident response cases by performing forensic investigations, malware analysis, and elaborating mitigation plans against complex cyber attacks.

Section Introduction Transcripts

Course Overview
Hello everyone. My name is Cristian Pascariu, and welcome to my course, Threat Intelligence: The Big Picture. I'm an information security professional, and my main goal is for you to start leveraging threat intel to improve threat detection, and gain insight into adversary techniques, tactics, and procedures. This course is built upon the concept of identifying malicious activity by focusing on the common patterns between the events in your environment and events associated with malicious behavior of cyber threats. Some of the major topics that we will cover include threat intelligence methodologies, searching for indicators of compromise, reconstructing the infection chain, sharing standards, and legal requirements. By the end of this course, you'll know the basics of threat intelligence, and how to get the most out of it. Before beginning this course, you should be familiar with basic information security concepts. I hope you'll join me on this journey to learn more about threat intelligence with the Threat Intelligence: The Big Picture course at Pluralsight.

Threat Intelligence Methodologies
As with any new strategy, implementing threat intelligence can be prone to errors, and in this module, we'll go through some of the existing methodologies towards leveraging it in an efficient way. This module will basically go over the how-to for threat intelligence. We will look at the common and most-used methodologies for dealing with malware outbreaks. We will go into deeper detail with the cyber security kill chain methodology. The scope of this is to make better sense of security incidents, how to approach them in terms of detection, how to deal with them in terms of analysis, and how to close them in terms of recovery. Next, let's first take a look at some of the common challenges that might come up.

Sharing and Ingesting Intelligence
Sharing intelligence is a very important topic when building up and implementing a threat intel strategy, and there are a few particularities that we need to highlight, as this will influence the overall success of the program. We will start by looking at the fundamental aspects of sharing threat intelligence. After this, we'll look at how to best leverage open-source intelligence, and we will focus on dedicated online platforms, as well as incident reports. Similar to threat intel methodologies, there are some requirements that we need to take into consideration when planning to share intelligence around security incidents and breaches. There are also dedicated procedures that can help streamline the process and have meaningful results. There are two different aspects towards sharing threat intelligence. The first aspect, and one that you might have used already, is called consuming or ingesting threat intelligence. In a few words, this means that during an investigation, intelligence is used to enrich the quality of the indicators and gain more background context into threats. On the other side, we have generating threat intelligence. This means that through analysis, more insights into malware threats are discovered, and these are stored to be later used for consumption. There is also a catch to generating threat intelligence: it relies on the security maturity of the team and organization, meaning that it will require a skilled analyst and a lot of resources to generate high fidelity intelligence. Now let's look into the details around consuming threat intelligence.

Searching for Indicators of Compromise
As we dive deeper into threat intelligence, we have arrived at the point where we will learn how to search for indicators of compromise, to help detect malicious activity and establish the root cause of the infection. The biggest challenge is with large data sets. Searching for indicators can consume a lot of time and a lot of system resources. We will go over some of the more important threat hunting techniques like baselining, blacklisting, whitelisting, and also some of the more advanced concepts like frequency of occurrence. First, let's take a look at some of the challenges of analyzing large quantities of data. This will be much easier to explain by example. So I'll be presenting some data gathered from my own analysis VM and my workstation. To have a good metric, we will take into consideration the number of files on a system. The analysis VM, which has just an operating system and a few programs installed, has a total amount of 2700 files. On the other hand, the workstation has more than 18 thousand files. So if we were to scan all the files for malicious signatures, on the analysis VM it would take roughly 10 minutes, for example. That means that on the workstation it would take more than an hour. So now that we have acknowledged the problem, let's take a look at ways to mitigate it.
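As an added illustration of the baselining, whitelisting, blacklisting and frequency-of-occurrence techniques this module names (example code, not from the course), the script below takes constructed file inventories from several hosts, treats the clean analysis VM as the baseline, drops whatever matches it, flags hashes from an intel blacklist, and ranks the rest by how rarely they occur across hosts. All paths, host names and hashes are made-up placeholders.

```python
# Constructed sample inventories (path -> file hash). Hashes are placeholders,
# not real indicators; the analysis VM inventory serves as the clean baseline.
BASELINE = {
    r"C:\Windows\explorer.exe": "h-explorer",
    r"C:\Windows\System32\svchost.exe": "h-svchost",
    r"C:\Program Files\Editor\editor.exe": "h-editor",
}
BLACKLIST = {"h-bad-update"}  # hashes taken from an intel feed (constructed)
HOSTS = {
    "ws01": {r"C:\Windows\explorer.exe": "h-explorer",
             r"C:\Windows\System32\svchost.exe": "h-svchost",
             r"C:\Users\a\AppData\Roaming\chat.exe": "h-chat",
             r"C:\Users\a\AppData\Roaming\update.exe": "h-bad-update"},
    "ws02": {r"C:\Windows\explorer.exe": "h-explorer",
             r"C:\Windows\System32\svchost.exe": "h-svchost",
             r"C:\Program Files\Editor\editor.exe": "h-editor",
             r"C:\Users\b\AppData\Roaming\chat.exe": "h-chat"},
    "ws03": {r"C:\Windows\explorer.exe": "h-explorer",
             r"C:\Windows\System32\svchost.exe": "h-svchost",
             r"C:\Users\c\AppData\Roaming\chat.exe": "h-chat",
             r"C:\Users\c\AppData\Local\Temp\svchost.exe": "h-unknown"},
    "ws04": {r"C:\Windows\explorer.exe": "h-explorer",
             r"C:\Windows\System32\svchost.exe": "h-svchost",
             r"C:\Program Files\Editor\editor.exe": "h-editor"},
}

def hunt(hosts, baseline, blacklist, rare_threshold=0.25):
    """Rank files for review: blacklisted hashes first, then hashes present on
    at most rare_threshold of hosts. Baseline hashes are whitelisted and dropped,
    which is what shrinks the set that still needs a full signature scan."""
    whitelist = set(baseline.values())
    seen_on = {}       # hash -> set of hosts carrying it (frequency of occurrence)
    locations = {}     # hash -> [(host, path)] for the analyst
    for host, files in hosts.items():
        for path, h in files.items():
            seen_on.setdefault(h, set()).add(host)
            locations.setdefault(h, []).append((host, path))
    findings = []
    for h, hs in seen_on.items():
        if h in blacklist:
            reason = "blacklisted"
        elif h in whitelist or len(hs) / len(hosts) > rare_threshold:
            continue   # known good, or too widespread to be an outlier
        else:
            reason = "rare"
        findings.append({"hash": h, "reason": reason, "hosts": len(hs),
                         "locations": locations[h]})
    findings.sort(key=lambda f: (f["reason"] != "blacklisted", f["hosts"]))
    return findings
```

Note that the chat client present on three of four hosts is neither in the baseline nor rare, so it is left for a later pass rather than flagged; the same hash check also works on the real inventory sizes quoted above, since only files outside the baseline need the expensive scan.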