Monday 29 August 2022

Cyber Security Intelligence Cycle

The intelligence cycle is a core process used by most government and business intelligence and security teams to process raw signals into finished intelligence for use in decision-making. The intelligence cycle is the never-ending process of collecting raw information, generating actionable intelligence from it, and sending it to stakeholders to make decisions that help the organization meet particular cybersecurity objectives.

The following picture shows the steps of the cyber security intelligence cycle:





If an organization implements the intelligence cycle successfully, it gains the following advantages:
  • Quick detection and remediation of threats
  • Increased efficiency of cybersecurity implementations
  • Better reports for decision makers and higher management
  • Better regulatory compliance

Requirements (Planning & Direction)

The security intelligence cycle starts with requirements. The requirements phase sets out the goals for the intelligence gathering effort. The following requirements need to be defined to achieve those goals:

  • Team roles and responsibilities
  • Resources allocated to team members
  • Timelines for meeting objectives
  • Prioritization of assets, risks, and threats
  • Tools/techniques needed to collect, analyze, and report cybersecurity intelligence

Collection (& Processing)

The collection phase gathers raw data from a variety of open and closed sources to help identify the current and most likely threats facing the organization. Collection is implemented by software tools, such as SIEMs, and the collected data is then processed for later analysis. A range of tools can collect threat data, including the following:

  • Security information and event management (SIEM)
  • Threat intelligence platforms
  • Threat intelligence providers
  • User behavior analytics (UBA)
  • Network traffic analysis tools

Analysis

Analysis is the act of making sense of what you observe. With threat data now in an intelligible format, analysis turns that data into threat intelligence, the point at which the data becomes contextually useful and we can truly understand what it says. The analysis is performed against the use cases defined in the planning phase and may utilize automated analysis, artificial intelligence, and machine learning. The output of analysis is a report of all the analyzed findings.

Dissemination

Distributing the requested intelligence to the customer occurs in the dissemination phase. Dissemination refers to publishing the information produced by analysis to the consumers who need to act on the insights developed, whether strategic, operational, or tactical.

Make sure you know who those consumers are, and give careful consideration to how you disseminate intelligence to them. The following offers some guidance:
  • Make sure each stakeholder is given the data most relevant to their needs.
  • Make sure the data is formatted in the most understandable and useful manner.

Feedback

The final phase of the intelligence cycle is feedback. This phase aims to clarify requirements and improve the collection, analysis, and dissemination of information by reviewing the current inputs and outputs.


Saturday 27 August 2022

Threat Actors

Before I discuss threat actors, you should first know what a threat is. A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. I explain threats and threat classification in another blog post.

The term “threat actor” is commonly used in cybersecurity. A threat actor is anyone who has the potential to impact your security: an entity that is partially or wholly responsible for an incident that impacts, or has the potential to impact, a country's or organization's security.

A threat actor can be a single person carrying out a security incident, or a group, an organization, or even a country involved in carrying out a cyberattack.

Threat actors and threat actor groups may span across multiple classifications, usually depending on the targets and motives of the activity we’re considering.




Nation-state Actor:-A type of threat actor that is supported by the resources of its host country's military and security services. Like many government-supported operations, nation-state threat actor activities are often conducted to achieve political, economic, or strategic military goals. Identifying and tracking these actors can be difficult, since many of the individuals involved use common techniques across teams, operate behind robust infrastructure, and use methods to actively obfuscate their behavior. Alternatively, they may use toolsets that are rarely seen, or impossible to detect at the time of the security event, such as a zero-day exploit.

Organized Crime:-A type of threat actor that uses hacking and computer fraud for commercial gain. Whether targeting the theft of intellectual property or of personal user data, these criminals’ primary objective is to make money by selling the stolen data.

Terrorists/Extremists:-Terrorists’ use of the internet and other telecommunications devices is growing, both in terms of reliance on them for supporting organizational activities and for gaining the expertise to achieve operational goals. Terrorists seek objectives and computer vulnerabilities that might lead to an attempted cyberattack against a country's critical infrastructure.

Hacker/Hacktivist:- A type of threat actor that is motivated by a social issue or political cause. They often rely on readily available tools and mass participation to achieve their desired effects against a target. Hacktivists are also known to use social media and defacement tactics to affect the reputation of their targets, hoping to erode public trust and confidence in their targets.

Trusted Insider:-A type of threat actor who has been assigned privileges on the system and causes an intentional or unintentional incident. Ex-employees can be classified as internal threats or treated as external threats with insider knowledge.
Insider threats can be either intentional or unintentional:
  • Intentional: A threat actor who conducts an attack with a specific purpose.
  • Unintentional: A threat actor who causes a vulnerability or exposes an attack vector without malicious intent. Shadow IT is a form of unintentional insider threat.

Thrill Seekers:-A thrill seeker is a person who attacks computer systems merely to prove themselves, to learn, or to experiment. While thrill seekers are not interested in damaging systems, they are interested in figuring out how things work and may cause surprising problems for systems and products.

Friday 26 August 2022

Impersonation Social Engineering Attacks

At Social-Engineer, we define impersonation as the “practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.” Impersonation is a social engineering tactic that continues to threaten enterprises.



There are many ways to obtain information about a person. Some of them are the following:

Phishing

Phishing is an attack technique used through e-mail to trick the user into performing various actions, which may include clicking harmful links or even replying to an e-mail with a user’s personal information, such as a password, credit card information, and so on. Phishing is a form of social engineering that is simply executed through e-mail.
  • A phishing e-mail is typically designed to look exactly like a legitimate e-mail from a person or entity the user trusts. It may even contain embedded pictures or stationery that resembles a trusted organization, such as a bank or Google, and it asks the user to click a hyperlink.
  • The hyperlink leads to a malicious website, and when the user enters his or her credentials there, the attacker steals them.
  • Spear phishing attacks are similar to phishing attacks but more targeted: the attacker's e-mail appears to come from a more trusted source (e.g. management or a trusted coworker).
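As an added example (not code from the original post), here is a small Python checker for the two phishing traits described above: a sender that only imitates a trusted organization, and a hyperlink whose visible text points somewhere other than its real destination. The trusted-domain list, the sample message and the lookalike rule are constructed here for illustration and are not part of the original post.

```python
"""Inspect an e-mail for common phishing traits: lookalike sender domains and
links whose visible text and real href disagree. Added example; the trusted
domains, the sample message and the lookalike heuristic are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains the organization actually trusts (assumption).
TRUSTED_DOMAINS = {"example-bank.com", "google.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lowercase host of a URL, or of bare text such as 'www.bank.com/x'."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text itself reads like a URL or hostname."""
    return bool(re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text.strip(), re.I))


def registered_domain(host):
    """Last two labels of a host (assumption: no multi-label public suffixes)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_lookalike(host, trusted=TRUSTED_DOMAINS):
    """Crude lookalike test: untrusted domain that embeds a trusted brand name
    after removing hyphens and common digit-for-letter substitutions."""
    if registered_domain(host) in trusted:
        return False
    norm = host.replace("-", "").replace("1", "l").replace("0", "o")
    return any(t.split(".")[0].replace("-", "") in norm for t in trusted)


def analyze_message(raw):
    """Return a list of (finding, detail) tuples for a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain and is_lookalike(sender_domain):
        findings.append(("lookalike-sender", sender_domain))
    body = ""
    for part in msg.walk():                      # works for single and multipart
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        real_host = host_of(href)
        if looks_like_url(text) and host_of(text) != real_host:
            findings.append(("link-text-mismatch", f"{text} -> {real_host}"))
        elif real_host and is_lookalike(real_host):
            findings.append(("lookalike-link", real_host))
    return findings


# Constructed sample: the sender and first link imitate example-bank.com.
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@examp1e-bank-login.com>
To: victim@corp.example
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is locked. Please sign in at
<a href="http://examp1e-bank-login.com/verify">https://www.example-bank.com/login</a></p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help center</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding, detail in analyze_message(SAMPLE_EMAIL):
        print(f"{finding}: {detail}")
```

The second link in the sample is a genuine example-bank.com URL and produces no finding, which is why the lookalike test compares the registrable domain rather than the full host; a mail gateway rule built on this idea would need a proper public-suffix list and a maintained brand list rather than the constructed ones above.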

Pharming Attack

In pharming, attackers misuse the DNS system as their key weapon. While phishing relies on legitimate-looking websites that are actually spoofed, pharming happens at the DNS server level.
  • The attacker uses DNS poisoning to redirect traffic from legitimate sites to a different or malicious site.

Vishing Attack

In a vishing attack, the attacker uses the telephone to perform a phishing attack.
  • The attacker impersonates, or attempts to impersonate, a trusted source.
  • The attack may also begin with an SMS asking the person to call a number to resolve an issue.

Whaling Attack

A whaling attack is also a form of phishing attack, one that targets high-profile, well-known, and wealthy individuals.
  • The attacker uses business e-mail to instruct others to transfer funds or perform other actions according to the attacker's instructions.

Smishing Attack

In a smishing attack, the attacker sends an SMS urging the victim to perform an action or click a specific link. The attacker lures the victim with an offer, such as having won a prize.
  • Attackers purchase spoofed phone numbers and blast out messages containing malicious links.

Baiting Attack

Baiting is also a type of social engineering attack. The attacker lures victims into providing sensitive information by promising them something valuable in return.
  • Attackers create pop-up ads that offer free games, music, or movie downloads. If you click on the link, your device is infected with malware that steals your data.

Tailgating Attack

In a tailgating attack, a user gives unauthorized people (such as a coworker or child) access to company devices. They may put the device at risk and spread malicious code throughout the rest of the company.

Building Own SIEM Environment using Opensource Tools (Part 4)

  Building Own SIEM Environment using Opensource Tools (Part 4) Wazuh Server As per last blog, we are going to install Wazuh server and Wazu...