Chapter 4: Threat Intelligence

While higher levels of detail can be useful, it isn't a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.

The lack of complexity and nuance most likely indicates that she has discovered an attack by an unskilled attacker, sometimes called a “script kiddie”.

Threat intelligence dissemination or sharing typically follows threat data analysis. The goal is to get the threat data into the hands of the organizations and individuals who need it.

Understanding what your organization needs is important for the requirements gathering phase of the intelligence cycle. Reviewing recent breaches and compromises can help to define what threats you are currently facing. Current vulnerability scans can identify where you may be vulnerable but are less useful for threat identification. Data handling standards do not provide threat information, and intelligence feed reviews list new threats, but those are useful only if you know what type of threats you're likely to face so that you can determine which ones you should target.

The U.S. government created the information sharing and analysis centers (ISACs). ISACs help infrastructure owners and operators share threat information, as well as provide tools and assistance to their members.

Nation-state actors are government sponsored and typically have the greatest access to resources, including tools, money, and talent.

Hacktivists execute attacks for political reasons, including those against governments and businesses. The key element in this question is the political reasons behind the attack.

Attack vectors, or the means by which an attacker can gain access to their target, can include things like USB key drops. You may be tempted to answer this question with adversary capability, but remember the definition: the resources, intent, or ability of the likely threat actor. Capability here doesn't mean what they can do but their ability to do so. The attack surface might include the organization's parking lot in this example, but this is not an example of an attack surface, and there was no probability assessment included in this problem.

Behavioral assessments are very useful when you are attempting to identify insider threats. Since insider threats are often hard to distinguish from normal behavior context of the actions performed, such as after-hours logins, misuse of credentials, and logins from abnormal locations or in abnormal patterns, other behavioral indicators are often used.

Threat actors like criminal organizations frequently operate via the dark web. Forums operate as clearinghouses for information, resources, and access via TOR-hosted sites. While social media, blogs, or government bulletins may provide information about a criminal organization, more likely to publish information themselves on the dark web.