1
00:00:00,320 --> 00:00:02,450
Intelligence sources.

2
00:00:02,450 --> 00:00:04,330
This is important because we have to consider

3
00:00:04,330 --> 00:00:06,580
the sources of our intelligence.

4
00:00:06,580 --> 00:00:08,960
Now there are lots of different sources of intelligence

5
00:00:08,960 --> 00:00:11,930
that we can get out there, but not all are created equal.

6
00:00:11,930 --> 00:00:14,610
And so we have to be able to identify some factors

7
00:00:14,610 --> 00:00:17,860
to weigh the value of the intelligence that we're getting.

8
00:00:17,860 --> 00:00:20,190
Now, there are several factors that we can use.

9
00:00:20,190 --> 00:00:23,620
There is timeliness, relevancy, accuracy,

10
00:00:23,620 --> 00:00:25,200
and confidence level.

11
00:00:25,200 --> 00:00:26,800
When we talk about timeliness,

12
00:00:26,800 --> 00:00:29,050
this is the property of an intelligence source

13
00:00:29,050 --> 00:00:30,890
that ensures that it is up-to-date

14
00:00:30,890 --> 00:00:32,150
because over time,

15
00:00:32,150 --> 00:00:34,750
the information is not nearly as valuable.

16
00:00:34,750 --> 00:00:35,780
If I know that somebody

17
00:00:35,780 --> 00:00:37,550
has been attacking your network today,

18
00:00:37,550 --> 00:00:39,750
and I don't tell you about it for three years,

19
00:00:39,750 --> 00:00:41,089
it's not going to be very useful to you.

20
00:00:41,089 --> 00:00:44,000
It'd be a lot more useful if I told you today.

21
00:00:44,000 --> 00:00:46,090
And so that's the idea with timeliness,

22
00:00:46,090 --> 00:00:48,070
because once an adversary understands

23
00:00:48,070 --> 00:00:50,650
they've been identified, they're going to change tactics

24
00:00:50,650 --> 00:00:52,430
and they're going to change the way they do things.

25
00:00:52,430 --> 00:00:54,900
And that means your report that you wrote today

26
00:00:54,900 --> 00:00:58,570
may not be valid in a week, three weeks, three months,

27
00:00:58,570 --> 00:01:01,120
or three years from now because things change,

28
00:01:01,120 --> 00:01:03,070
and so timeliness is important.

29
00:01:03,070 --> 00:01:05,300
Our second factor is relevancy.

30
00:01:05,300 --> 00:01:07,450
Now this is the property of an intelligence source

31
00:01:07,450 --> 00:01:10,750
that ensures it matches the use case it was intended for.

32
00:01:10,750 --> 00:01:11,920
Let's go back to my example

33
00:01:11,920 --> 00:01:14,250
of working for a large auto manufacturer.

34
00:01:14,250 --> 00:01:16,440
If I start seeing that there's a lot of attacks

35
00:01:16,440 --> 00:01:19,150
going against the Mac OS X operating system,

36
00:01:19,150 --> 00:01:20,740
does that really apply to me

37
00:01:20,740 --> 00:01:23,420
as somebody who is running a car company

38
00:01:23,420 --> 00:01:25,260
and is using Windows machines,

39
00:01:25,260 --> 00:01:28,490
or is using Linux in my embedded systems?

40
00:01:28,490 --> 00:01:29,360
Probably not.

41
00:01:29,360 --> 00:01:31,170
And so it's not nearly as relevant to me

42
00:01:31,170 --> 00:01:32,400
for the use case I have.

43
00:01:32,400 --> 00:01:33,340
And so you need to consider that

44
00:01:33,340 --> 00:01:35,170
as you're looking at all the different information out there,

45
00:01:35,170 --> 00:01:36,760
because it can be overwhelming,

46
00:01:36,760 --> 00:01:40,360
and you have to think what affects me and my organization

47
00:01:40,360 --> 00:01:42,070
so I can defend against it.

48
00:01:42,070 --> 00:01:44,140
The third area is accuracy.

49
00:01:44,140 --> 00:01:46,690
Now accuracy is the property of an intelligence source

50
00:01:46,690 --> 00:01:49,510
that ensures that it produces effective results.

51
00:01:49,510 --> 00:01:51,440
Now this means that the information

52
00:01:51,440 --> 00:01:53,220
needs to be valid and true.

53
00:01:53,220 --> 00:01:54,850
If you tell me that I've been attacked

54
00:01:54,850 --> 00:01:56,660
and I look, and I can't find anything,

55
00:01:56,660 --> 00:02:00,190
well, was I really attacked, or was your information bad?

56
00:02:00,190 --> 00:02:01,270
We really don't know.

57
00:02:01,270 --> 00:02:02,320
And so it's really important

58
00:02:02,320 --> 00:02:04,930
to make sure the information we're getting is accurate.

59
00:02:04,930 --> 00:02:06,300
This means we want to try to eliminate

60
00:02:06,300 --> 00:02:08,260
as many false positives as possible,

61
00:02:08,260 --> 00:02:10,300
especially when using automated software,

62
00:02:10,300 --> 00:02:12,660
and machine learning, and artificial intelligence,

63
00:02:12,660 --> 00:02:14,741
and make sure that we're getting the right information

64
00:02:14,741 --> 00:02:17,970
so that we can do our analysis properly on good information

65
00:02:17,970 --> 00:02:19,770
and create good decisions.

66
00:02:19,770 --> 00:02:21,740
The fourth and final factor we have to consider

67
00:02:21,740 --> 00:02:23,210
is confidence levels.

68
00:02:23,210 --> 00:02:25,440
Now, this is the property of an intelligence source

69
00:02:25,440 --> 00:02:27,510
that ensures it produces qualified statements

70
00:02:27,510 --> 00:02:29,280
about reliability.

71
00:02:29,280 --> 00:02:30,890
When an analyst publishes a report,

72
00:02:30,890 --> 00:02:32,393
they don't have 100% of the facts;

73
00:02:32,393 --> 00:02:34,400
it's just the way this works.

74
00:02:34,400 --> 00:02:36,530
We are trying to guess our way through this,

75
00:02:36,530 --> 00:02:38,870
and we're getting lots of different pieces of information

76
00:02:38,870 --> 00:02:40,280
and lots of different indicators,

77
00:02:40,280 --> 00:02:43,470
and we try to put together the best report we can.

78
00:02:43,470 --> 00:02:44,700
Well, when we deal with this

79
00:02:44,700 --> 00:02:46,400
and we start taking all these sources,

80
00:02:46,400 --> 00:02:47,710
we have to look at these sources

81
00:02:47,710 --> 00:02:51,370
and figure out, are they reliable, are they accurate,

82
00:02:51,370 --> 00:02:53,000
are they relevant, and are they timely?

83
00:02:53,000 --> 00:02:54,920
And when we start talking about confidence level,

84
00:02:54,920 --> 00:02:57,030
we are going to actually put a grade on it

85
00:02:57,030 --> 00:02:59,760
of how good we think that information is.

86
00:02:59,760 --> 00:03:02,410
For example, the MISP Project codifies the use

87
00:03:02,410 --> 00:03:04,350
of the Admiralty scale for grading data

88
00:03:04,350 --> 00:03:06,040
and estimative language.

89
00:03:06,040 --> 00:03:07,920
Now you can choose any scale you want,

90
00:03:07,920 --> 00:03:10,790
but the Admiralty scale is one of the more common ones.

91
00:03:10,790 --> 00:03:13,940
The way this works is that it breaks it down into two areas.

92
00:03:13,940 --> 00:03:16,210
It evaluates you based on source reliability

93
00:03:16,210 --> 00:03:17,840
and information content.

94
00:03:17,840 --> 00:03:19,770
If I look at the source reliability,

95
00:03:19,770 --> 00:03:22,740
this is going to get a letter grade from A through F.

96
00:03:22,740 --> 00:03:24,120
It tells you if it's reliable

97
00:03:24,120 --> 00:03:26,960
all the way down to I can't judge the reliability.

98
00:03:26,960 --> 00:03:28,900
For example, if I got this piece of data

99
00:03:28,900 --> 00:03:31,180
from my own sensors and I trust them,

100
00:03:31,180 --> 00:03:32,930
then there's no doubt, this is reliable;

101
00:03:32,930 --> 00:03:34,660
give it a grade of A.

102
00:03:34,660 --> 00:03:37,030
Next we have the information content,

103
00:03:37,030 --> 00:03:40,470
and when we grade this, we do it on a scale of 1 to 6.

104
00:03:40,470 --> 00:03:41,970
Now, when we grade this from 1 to 6,

105
00:03:41,970 --> 00:03:43,940
we're going to say that this could be confirmed

106
00:03:43,940 --> 00:03:45,710
or it cannot be judged.

107
00:03:45,710 --> 00:03:46,543
When I confirm it,

108
00:03:46,543 --> 00:03:49,130
this means that I had multiple independent sources

109
00:03:49,130 --> 00:03:50,750
that told me this information;

110
00:03:50,750 --> 00:03:52,641
it's not just hearsay from one person.

111
00:03:52,641 --> 00:03:56,820
Now, as I go down the scale, I get less and less stringent

112
00:03:56,820 --> 00:03:58,680
on how well I can confirm that information,

113
00:03:58,680 --> 00:04:00,720
all the way down to cannot be judged,

114
00:04:00,720 --> 00:04:03,350
which means it's basically just a best guess.

115
00:04:03,350 --> 00:04:04,300
Now this is useful,

116
00:04:04,300 --> 00:04:06,700
especially when reporting up to higher authorities

117
00:04:06,700 --> 00:04:07,900
or up to your bosses,

118
00:04:07,900 --> 00:04:10,450
because you can say, "Hey, I have this information,

119
00:04:10,450 --> 00:04:11,700
I heard there's this threat,

120
00:04:11,700 --> 00:04:13,610
but I'm not real confident about it;

121
00:04:13,610 --> 00:04:15,860
it only has a grade letter of C."

122
00:04:15,860 --> 00:04:17,730
And you can take fewer actions against that maybe

123
00:04:17,730 --> 00:04:19,720
than something that has a strength of A,

124
00:04:19,720 --> 00:04:21,340
because A is much more certain.

125
00:04:21,340 --> 00:04:23,700
And this is the idea when you deal with the Admiralty scale.

126
00:04:23,700 --> 00:04:25,360
For the exam, you do not need to know

127
00:04:25,360 --> 00:04:26,860
the Admiralty scale in depth,

128
00:04:26,860 --> 00:04:28,740
but it is something I wanted to make you aware of

129
00:04:28,740 --> 00:04:30,990
because you may see it out in the workplace.

130
00:04:30,990 --> 00:04:32,300
Now, the next thing we need to talk about

131
00:04:32,300 --> 00:04:34,540
is the three places you can get information from.

132
00:04:34,540 --> 00:04:36,350
You can find information that's proprietary,

133
00:04:36,350 --> 00:04:38,930
closed-source, or open-source.

134
00:04:38,930 --> 00:04:41,567
The first source we have is what's known as proprietary.

135
00:04:41,567 --> 00:04:43,790
Proprietary is threat intelligence

136
00:04:43,790 --> 00:04:46,240
that comes as a commercial service offering,

137
00:04:46,240 --> 00:04:47,670
where you're going to pay for access

138
00:04:47,670 --> 00:04:50,830
to these updates and research based on a subscription fee.

139
00:04:50,830 --> 00:04:52,194
Now, some of these commercial services

140
00:04:52,194 --> 00:04:55,060
are really just repackaging information that's available

141
00:04:55,060 --> 00:04:56,470
in free public registries,

142
00:04:56,470 --> 00:04:59,120
without providing any of their own data inside of it.

143
00:04:59,120 --> 00:05:01,040
And these aren't nearly as useful.

144
00:05:01,040 --> 00:05:02,430
This brings us to the second type,

145
00:05:02,430 --> 00:05:04,210
which is closed-source data.

146
00:05:04,210 --> 00:05:06,840
Now closed-source data is data that's derived

147
00:05:06,840 --> 00:05:09,410
from the provider's own research and analysis efforts,

148
00:05:09,410 --> 00:05:11,840
such as data from honeynets as they operate,

149
00:05:11,840 --> 00:05:13,240
plus information that's mined

150
00:05:13,240 --> 00:05:16,450
from their other customer systems and suitably anonymized.

151
00:05:16,450 --> 00:05:19,580
So for example, if you and 100,000 other people

152
00:05:19,580 --> 00:05:21,400
all subscribed to a certain service,

153
00:05:21,400 --> 00:05:23,170
and they're monitoring your networks,

154
00:05:23,170 --> 00:05:25,980
they can collect all that data from the 100,000 users

155
00:05:25,980 --> 00:05:28,470
and then be able to make analysis and reports

156
00:05:28,470 --> 00:05:30,900
based off of that in an anonymized fashion

157
00:05:30,900 --> 00:05:32,540
back to those 100,000 users

158
00:05:32,540 --> 00:05:34,780
so you all can share the information.

159
00:05:34,780 --> 00:05:36,553
Now, a good example of this is FireEye.

160
00:05:36,553 --> 00:05:39,360
FireEye is a proprietary information source

161
00:05:39,360 --> 00:05:40,630
that is closed-source.

162
00:05:40,630 --> 00:05:43,160
They provide their own data, and you can subscribe

163
00:05:43,160 --> 00:05:45,320
using their threat intelligence subscription service

164
00:05:45,320 --> 00:05:47,203
to get data and updates from them.

165
00:05:48,050 --> 00:05:50,909
Now, the third type we have is what's known as open-source.

166
00:05:50,909 --> 00:05:53,320
Open-source is data that's available for use

167
00:05:53,320 --> 00:05:55,990
without a subscription, and this may include threat feeds

168
00:05:55,990 --> 00:05:57,490
similar to commercial providers,

169
00:05:57,490 --> 00:05:59,490
and it can contain reputation lists

170
00:05:59,490 --> 00:06:01,740
and malware signature databases too.

171
00:06:01,740 --> 00:06:03,210
There are a lot of great sources

172
00:06:03,210 --> 00:06:04,960
of open-source intelligence out there.

173
00:06:04,960 --> 00:06:07,130
And so if your organization is a little wary

174
00:06:07,130 --> 00:06:08,590
about spending a lot of money

175
00:06:08,590 --> 00:06:10,530
on commercially sourced information,

176
00:06:10,530 --> 00:06:12,490
they can start out with open-source information

177
00:06:12,490 --> 00:06:14,670
and then upgrade from there later on.

178
00:06:14,670 --> 00:06:16,550
Now, when you talk about open-source intelligence,

179
00:06:16,550 --> 00:06:18,560
there are lots of different sources.

180
00:06:18,560 --> 00:06:20,070
First, we have the US-CERT,

181
00:06:20,070 --> 00:06:21,130
which is the United States

182
00:06:21,130 --> 00:06:23,320
Computer Emergency Readiness Team.

183
00:06:23,320 --> 00:06:25,150
This provides you with feeds of current activity

184
00:06:25,150 --> 00:06:27,945
and alert news, plus regular bulletins and analysis reports.

185
00:06:27,945 --> 00:06:30,450
They also have a bi-directional threat feed

186
00:06:30,450 --> 00:06:33,015
called the automated indicator service that you can use.

187
00:06:33,015 --> 00:06:34,240
The next one we have

188
00:06:34,240 --> 00:06:37,040
is the UK's National Cyber Security Centre,

189
00:06:37,040 --> 00:06:40,530
which provides similar services to the US-CERT.

190
00:06:40,530 --> 00:06:42,170
There are some other ones out there as well, though.

191
00:06:42,170 --> 00:06:45,280
We have AT&T Security, which was actually AlienVault

192
00:06:45,280 --> 00:06:47,160
Open Threat Exchange previously,

193
00:06:47,160 --> 00:06:49,260
but it was bought out by AT&T.

194
00:06:49,260 --> 00:06:51,920
After that we have MISP, which we talked about before.

195
00:06:51,920 --> 00:06:54,230
This is the Malware Information Sharing Project.

196
00:06:54,230 --> 00:06:56,370
And again, it's an open-source intelligence feed

197
00:06:56,370 --> 00:06:57,690
that you can use.

198
00:06:57,690 --> 00:07:00,120
We also have VirusTotal, which is a great place

199
00:07:00,120 --> 00:07:02,250
to upload any file you're not sure of.

200
00:07:02,250 --> 00:07:03,360
If you upload this file,

201
00:07:03,360 --> 00:07:06,420
it will check across 40 to 50 different antivirus products

202
00:07:06,420 --> 00:07:08,770
to see if any of them know if it's a virus or not,

203
00:07:08,770 --> 00:07:11,680
and it's a public repository for malware.

204
00:07:11,680 --> 00:07:13,360
Another one we have is Spamhaus,

205
00:07:13,360 --> 00:07:15,740
which is very focused on spam and email.

206
00:07:15,740 --> 00:07:19,030
And finally, we have SANS ISC Suspicious Domains,

207
00:07:19,030 --> 00:07:20,550
which, as the name implies,

208
00:07:20,550 --> 00:07:23,180
is focused on providing a feed of suspicious domains

209
00:07:23,180 --> 00:07:25,260
that they think might be malicious.

210
00:07:25,260 --> 00:07:27,500
Now all of these feeds are really great,

211
00:07:27,500 --> 00:07:28,860
and they provide you with what's known

212
00:07:28,860 --> 00:07:30,400
as explicit knowledge,

213
00:07:30,400 --> 00:07:34,130
which is knowledge you can write down, see, feel, and touch.

214
00:07:34,130 --> 00:07:36,620
But there's another great source of knowledge out there too,

215
00:07:36,620 --> 00:07:38,820
and it's known as implicit knowledge.

216
00:07:38,820 --> 00:07:40,860
Implicit knowledge is really useful,

217
00:07:40,860 --> 00:07:42,030
but you can only get it

218
00:07:42,030 --> 00:07:44,300
from experienced practitioners in the field.

219
00:07:44,300 --> 00:07:46,480
This is kind of that sense that they have

220
00:07:46,480 --> 00:07:48,840
that they just go, "Ah, I know something is wrong here

221
00:07:48,840 --> 00:07:51,050
because of my 20 years of experience."

222
00:07:51,050 --> 00:07:52,060
Now they may not always have

223
00:07:52,060 --> 00:07:53,840
the latest trends in cybersecurity,

224
00:07:53,840 --> 00:07:55,620
although most of the time they do,

225
00:07:55,620 --> 00:07:57,140
but they also have the ability

226
00:07:57,140 --> 00:07:59,100
to give you that attitude and instinct

227
00:07:59,100 --> 00:08:01,820
because of their career as a cybersecurity professional.

228
00:08:01,820 --> 00:08:03,670
Over time, you're going to develop this

229
00:08:03,670 --> 00:08:05,740
as you become a senior cybersecurity analyst,

230
00:08:05,740 --> 00:08:07,780
where you just know this is wrong

231
00:08:07,780 --> 00:08:09,830
because you've seen it 100 times before,

232
00:08:09,830 --> 00:08:11,180
and you start getting this feeling

233
00:08:11,180 --> 00:08:14,010
of what is going to come next based on your experience.

234
00:08:14,010 --> 00:08:16,130
And that is something that we call implicit knowledge,

235
00:08:16,130 --> 00:08:17,230
because you can't write it down,

236
00:08:17,230 --> 00:08:19,290
you can't codify it in a procedure;

237
00:08:19,290 --> 00:08:20,570
it's just something you know

238
00:08:20,570 --> 00:08:22,720
based on your years of experience.

239
00:08:22,720 --> 00:08:24,210
Now, the last thing I want to mention here

240
00:08:24,210 --> 00:08:25,810
is what's known as OSINT.

241
00:08:25,810 --> 00:08:27,930
Now open-source intelligence, or OSINT,

242
00:08:27,930 --> 00:08:30,040
is a very popular thing these days.

243
00:08:30,040 --> 00:08:31,930
This is a method of obtaining information

244
00:08:31,930 --> 00:08:33,470
about a person or organization

245
00:08:33,470 --> 00:08:36,190
through public records, websites, and social media.

246
00:08:36,190 --> 00:08:38,470
As you go out and you look at your organization

247
00:08:38,470 --> 00:08:40,240
from the outside looking in,

248
00:08:40,240 --> 00:08:42,010
anything people can find out about you

249
00:08:42,010 --> 00:08:45,332
on Google, on Facebook, by doing enumeration scans,

250
00:08:45,332 --> 00:08:47,580
that is all considered OSINT.

251
00:08:47,580 --> 00:08:49,410
It's ways for you to get information

252
00:08:49,410 --> 00:08:51,943
from public records, websites, and social media.