Insights on Intelligence Sources in Cyber Security

CompTIA CySA+ Full Course Part 05: Intelligence Sources

Estimated read time: 1:20


Summary

In this session, Part 05 of the CompTIA CySA+ course, the focus is on intelligence sources in cybersecurity. The video begins by defining security intelligence as the process of collecting and analyzing information from various sources to assess organizational security. It highlights the importance of distinguishing between security intelligence and cyber threat intelligence, which covers external threats such as active hacker groups and zero-day exploits. The discussion covers different intelligence sources, both open and closed: open-source intelligence (OSINT) available through public platforms, and subscription-based intelligence from security vendors. The session also emphasizes the necessity of evaluating the reliability and relevancy of intelligence sources.

Highlights

• Gathering security intelligence requires analyzing data from all parts of your company. 🏢
• Cyber threat intelligence (CTI) helps in understanding what's happening on the broader internet. 🌍
• Threat feeds and data feeds automate the information gathering process, saving time and effort. ⏱️
• Open-source intelligence relies on publicly accessible information, aiding in reconnaissance. 📚
• Tools like Shodan, Maltego, and theHarvester are crucial for exploring internet-connected devices. 🕵️
• Understanding the trustworthiness of information sources is key in cybersecurity. ✅

Key Takeaways

• Security intelligence is the art of collecting and interpreting data to safeguard systems. 🔍
• Cyber threat intelligence focuses on external threats like hacker groups. 🚨
• Open-source intelligence (OSINT) is information publicly available and accessible by anyone. 🌐
• Subscription-based intelligence from security vendors provides more curated data. 💼
• Tools like Google and LinkedIn can be invaluable in gathering intelligence. 🔧

Overview

Cybersecurity intelligence, in its essence, is about collecting, analyzing, and interpreting data from various streams within and outside your organization to bolster protection against cyber threats. The process provides insights into security postures and potential vulnerabilities, making it crucial for any cybersecurity framework.

The distinction between security intelligence and cyber threat intelligence (CTI) is significant: the former pertains to internal security assessment and the latter to understanding external cyber threats. Recognizing zero-day exploits, active hackers, and threat feeds from the internet helps organizations stay ahead of potential security breaches.

Open-source intelligence (OSINT) and paid intelligence sources form the backbone of cybersecurity intelligence gathering. OSINT is available through publicly accessible data like media, blogs, and community-driven feeds. In contrast, paid intelligence is curated content from security vendors. Both sources require scrutiny regarding their relevance and reliability to ensure effective threat management strategies.

Chapters

• 00:00 - 01:00: Introduction to Security Intelligence The introduction opens with a joke about intelligence: if you're watching this, you likely have a certain level of intelligence, stemming from your genes or your education. Security intelligence, however, is portrayed as a separate realm that demands significant effort to master. The introduction teases a deeper exploration of what security intelligence actually entails.
• 01:00 - 02:00: Cyber Threat Intelligence (CTI) This chapter explores the concept of Cyber Threat Intelligence (CTI). It discusses the process of collecting and analyzing information from various sources within a company in order to draw conclusions. If these conclusions relate to the security of the organization or its systems, it is referred to as security intelligence. When this intelligence specifically concerns computer systems or electronic data, it falls under the realm of CTI.
• 02:00 - 03:00: Sources of Intelligence The chapter titled 'Sources of Intelligence' discusses cyber threat intelligence (CTI). It aims to provide an understanding of the external threats in the cyber world, focusing on current global vulnerabilities and attacks. The discussion covers the state of the internet, identifying potential threats and hacker activities, especially those targeting similar companies, and zero-day exploits.
• 03:00 - 04:00: Data Feeds and Threat Feeds In the chapter titled 'Data Feeds and Threat Feeds,' the discussion revolves around understanding zero-day exploits, active hacker groups, and other current cybersecurity threats. The narrative explains the importance of security intelligence and cyber threat intelligence, underscoring their role in identifying potential adversaries, understanding their methods, and taking preventative measures. The chapter also poses the question of how to obtain this intelligence, beginning with the suggestion of staying informed about different attack types.
• 04:00 - 05:00: Historical and Trend Analysis The chapter titled "Historical and Trend Analysis" discusses the importance of understanding past attack methods and common vulnerability types. This knowledge is crucial when purchasing security equipment, choosing vendors, and deciding on specific features. It also aids in reconfiguring network security, especially when extending the network or adding new branches or applications to a company. The process, however, requires significant manual effort and the involvement of skilled personnel, emphasizing the complexity and cost associated with effective security management.
• 05:00 - 06:00: Reconnaissance and Open Source Intelligence (OSINT) The chapter 'Reconnaissance and Open Source Intelligence (OSINT)' discusses the use of data feeds or threat feeds as an alternative to manual intelligence gathering. These feeds are online sources designed to be queried automatically by applications, security, and networking devices. They provide a continuous stream of information about potentially harmful elements such as blacklisted domains, URLs hosting malware, IP addresses with poor reputations, attack signatures, spam sources, and even antivirus database updates. This automated flow of data supports more efficient monitoring and preemptive security measures.
• 06:00 - 07:00: Reconnaissance Tools and Techniques This chapter discusses reconnaissance tools and techniques, focusing on threat feeds and their automation. It highlights the benefits of automated threat feed updates, such as reducing manual intervention and providing real-time attack information. However, it also points out the common trade-off between automation, reliability, and cost, suggesting that a high-quality threat feed may require financial investment.
• 07:00 - 08:00: Closed Source Intelligence In the 'Closed Source Intelligence' chapter, the focus is on the significance of historical data and trend information as a crucial source of intelligence. The chapter suggests that the largest amount of information is often found in existing data records like logs, alerts, and historical trends, which have been generated over time. These sources are emphasized as valuable for extracting insights and information.
• 08:00 - 10:00: Basic Tools for Intelligence Gathering The chapter titled 'Basic Tools for Intelligence Gathering' discusses the importance of recognizing patterns in information. It draws a parallel to the movie 'The Matrix,' suggesting that understanding patterns is crucial in fields like cybersecurity. The chapter emphasizes that patterns can help in identifying mistakes and potential threats, sometimes even before they fully materialize. It highlights the importance of perspective when analyzing information: a seemingly trivial action, such as an employee logging in twice in 10 minutes, can be the signal for a deeper investigation.
• 10:00 - 12:00: Secondary Tools and Google Hacking In this chapter, the discussion revolves around identifying and mitigating potential cyber security threats. The conversation begins by highlighting how certain connection patterns, such as an initial connection from the US followed by a connection from China, can be indicative of emerging security issues. The chapter's focus is on understanding these threats and exploring the foundational steps one can take to defend against potential cyber attacks. It emphasizes starting with reliable intelligence sources to recognize and respond to these threats effectively.
• 12:00 - 14:00: Trustworthiness and Evaluation of Sources The chapter on 'Trustworthiness and Evaluation of Sources' discusses the concept of reconnaissance in the context of cybersecurity. Reconnaissance involves gathering information about a target that can be used in an attack. In the context of cybersecurity defense, however, understanding the attacker's mindset is crucial for adequately protecting against potential threats. The chapter highlights the importance of identifying what a potential attacker could discover, emphasizing the role of open source intelligence (OSINT) as the first category of information gathering.
• 14:00 - 15:00: Conclusion and Exam Preparation In the concluding chapter on exam preparation, the focus shifts to the accessibility of public data. This data, equally available to both the general public and malicious hackers, is sourced from media, the internet, government records, financial information, and digital publications. A significant portion of this information can be collected without any direct interaction with the company or individual, highlighting the potential security risks of publicly available data. Websites additionally serve as information-rich resources, particularly those that list detailed information about staff members, underscoring the need for careful online presence management. A holistic understanding and strategic planning are crucial in using these insights for effective exam preparation and real-world application.
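The pattern the chapters describe (one account logging in twice within 10 minutes, first from the US and then from China) and the threat-feed lookup against IP addresses with a bad reputation can both be expressed as a small correlation over an authentication log. The following is an added example written for this page, not the course's own material; the log line format, the prefix-to-country table standing in for a GeoIP lookup, and the bad-reputation feed are all constructed assumptions.

```python
"""Correlate login events: flag a user who logs in twice within a window from
different countries, and flag source IPs that appear on a reputation feed.
Sample data, log format, country table and feed are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log lines: "<ISO timestamp> <user> <source IP> <status>"
SAMPLE_LOG = """\
2024-03-04T08:00:12Z alice 203.0.113.10 success
2024-03-04T08:07:41Z alice 198.51.100.7 success
2024-03-04T08:30:00Z bob 203.0.113.22 success
2024-03-04T08:32:15Z bob 203.0.113.23 success
2024-03-04T09:15:00Z carol 192.0.2.9 failure
2024-03-04T09:16:00Z carol 198.51.100.40 success
"""

# Constructed prefix-to-country table; a real deployment would use a GeoIP database.
GEO_PREFIXES = {"203.0.113.": "US", "198.51.100.": "CN", "192.0.2.": "US"}

# Constructed bad-reputation list of the kind a data feed would deliver.
BAD_REPUTATION_IPS = {"198.51.100.40"}


def country_for(ip):
    """Map a source IP to a country code using the constructed prefix table."""
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_line(line):
    """Parse one constructed log line into a dict with a real datetime."""
    ts, user, ip, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "status": status, "cc": country_for(ip)}


def find_suspicious_logins(log_text, window=timedelta(minutes=10)):
    """Return (user, first_country, second_country, minutes_apart) for every pair of
    successful logins by the same user that fall within `window` but come from
    different countries. Two logins from the same country are not flagged."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if ev["status"] == "success":
                by_user[ev["user"]].append(ev)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            for second in events[i + 1:]:
                gap = second["ts"] - first["ts"]
                if gap > window:
                    break  # events are sorted, so later ones are further away
                if second["cc"] != first["cc"]:
                    findings.append((user, first["cc"], second["cc"],
                                     int(gap.total_seconds() // 60)))
    return findings


def feed_hits(log_text, bad_ips=BAD_REPUTATION_IPS):
    """Return (user, ip) for every login attempt whose source IP is on the feed,
    regardless of whether the attempt succeeded."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if ev["ip"] in bad_ips:
                hits.append((ev["user"], ev["ip"]))
    return hits


if __name__ == "__main__":
    print(find_suspicious_logins(SAMPLE_LOG))
    print(feed_hits(SAMPLE_LOG))
```

In the constructed data only alice trips the travel rule (US then CN, about seven minutes apart), bob's two US logins do not, and carol's successful login comes from an address on the feed.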

CompTIA CySA+ Full Course Part 05: Intelligence Sources Transcription

• 00:00 - 00:30 If you're an intelligent person, and I know you are because you're watching this, well, that intelligence probably comes from your parents, either genes or education. But when it comes to security intelligence, well, that's a completely different story, and it takes some real effort before you can brag about it. [Music] So what is security intelligence? It's an
• 00:30 - 01:00 entire process where information that comes from, well, pretty much everything that can generate information in your company is collected, is analyzed, and then we draw some conclusions based on it. Well, if those conclusions refer in any way to how secure is our organization or our systems, then that is security intelligence. And as you can probably guess, if this intelligence is about computer systems or electronic data,
• 01:00 - 01:30 we're going to call it cyber security intelligence. Now CTI, keyword threat, is about that information or intelligence of the world outside this time: how bad is the neighborhood that we live in, how bad is the internet, what attacks are currently happening in the world, are there companies similar to ours that are being targeted, zero day exploits, active hacker groups,
• 01:30 - 02:00 anything bad that is currently happening out there. So security intelligence and cyber threat intelligence together help you know exactly who is out there to get you, how are they doing it, and what you need to do about it. Now that sounds like intelligence, right? But how exactly do you get this information? Where should we look for this intelligence? Well, first, you can just read about them: what types of attacks are out there or
• 02:00 - 02:30 have been detected in the past, what attack methods or vulnerability types are more common. This is very useful information when you need to buy some security equipment and you have to decide on a vendor and a specific feature set, and also when you need to reconfigure some stuff in your network, for example when you're extending your network or your company: how do you secure that new branch, or when you add a new application in your company. Now I don't need to tell you that this requires a lot of manual effort and expensive people if you want a job well
• 02:30 - 03:00 done. So an alternative to the manual effort is the data feed or the threat feed. That is an online source of data designed to be queried automatically by applications, security and networking devices. The data feed provides a continuous flow of information about specific things to look out for, like bad domains or URLs that host malware, IP addresses with bad reputation, attack signatures, spam sources; even your antivirus database and
• 03:00 - 03:30 the updates that it receives can be considered a threat feed. The purpose is to minimize manual intervention. Data feed updates can be automated, and ideally they would also be always up to date, and sometimes they can even provide real-time information about attacks or threats that are currently happening right now in the world. Of course, if you want it to be automated, reliable and cheap, I can only choose two. So a good threat feed will cost you some money for the
• 03:30 - 04:00 subscription. Another very important source of information is looking into the historical or trend information. We'll get back to this later, but just to keep things short: where do you think is the largest amount of information located? Well, obviously, if it's already out there, then it must have been generated sometime in the past, so it should be in your logs, in your alerts, in your historical trends that you've generated over time. That is where you can look and
• 04:00 - 04:30 where you can start seeing patterns, like in The Matrix. I hope you're not studying IT or cyber security without having seen the movie The Matrix. So patterns is where you can learn from mistakes and know when something goes off pattern, and it might signal a threat even before you know what the threat is. And of course it depends on how you look at this information. One might be some mundane information, like an employee logging in twice in 10 minutes,
• 04:30 - 05:00 but correlated with some other factors, like the first connection came from the US and the second one came from China, it might indicate some problems. So we are talking about computer threats, cyber security threats, and later on we'll see how to mitigate them or avoid them completely. But until we reach that point, let's start with the basics. Say you want to defend yourself against potential attackers. Where do you start? A good starting point are those intelligence sources that we've
• 05:00 - 05:30 mentioned, which are also a source for reconnaissance. And reconnaissance basically means finding out more stuff about your target that you can leverage when you're about to attack that target. But we're the good guys, right? We don't usually attack, but we need to know the mindset of the attacker in order to properly defend ourselves, and this starts with the question: what could a potential attacker find out about us? Well, the first category is open source intelligence, or OSINT.
• 05:30 - 06:00 That's data available in public sources which are just as easily accessible for you as they are for the hackers. These sources give a lot of information without actually being involved or interacting with a company or a person, so it's information that you can find in the media, on the internet, in public government data, including financials, or online publications. Your website is another very important source of information, for example if you're listing all your staff members in
• 06:00 - 06:30 there. LinkedIn can also provide a lot of information about your company, and be very careful with job descriptions that you're posting. You might be giving up valuable information about your IT systems: if you're looking for a firewall engineer, or of a specific brand or model, there you go, everybody knows that you own those firewalls now. In general, be aware that you're probably giving out more information than you think to the outside world. Go ahead, search your name, or a work colleague, or the company you
• 06:30 - 07:00 work for on Google and see what you can find. By the way, open source means overt or publicly accessible; it's not related to open source software in any way. Of course, dedicated tools for reconnaissance can make your life just a bit easier by automating your reconnaissance efforts, like correlating information from multiple search engines. We'll have a look over some of these tools in a moment. And you also have open source feeds. Well,
• 07:00 - 07:30 they give you access to reputation databases and malware signatures without any subscription. Government agencies are one such open source; for example, in the US you have the NCAS, no, not NCIS, which is the National Cyber Awareness System. The AlienVault guys are nice enough to provide some free threat intelligence as well. The MISP project is another standardized
• 07:30 - 08:00 collection of open source feeds. And you might not think about it, and you probably know about VirusTotal, that it can be used to analyze malware files, but it can also provide some insight into the reputation of specific URLs. And don't forget about blogs or convention websites. A lot of smart people are constantly contributing to the security blogs and publications. At least have a look over this list of top 50 security blogs and try to figure out
• 08:00 - 08:30 which one of these apply to you and your company. Finally, closed source intelligence is collected and organized by security vendors. They're usually subscription based, which means that you'll have to make some payments from time to time, but they should be better maintained than the open source ones. Just be careful: some smaller vendors out there just repackage open source content and ask you money for those. Some examples here would be IBM's X-Force
• 08:30 - 09:00 Exchange, from, surprise, IBM. FireEye, another very well known security vendor. Fortinet is another very popular security vendor, and they have their own subscription service called FortiGuard. And of course we should mention Cisco with their Talos cloud service, which not only provides you with security intelligence but also learns from current Cisco customers, and
• 09:00 - 09:30 given just how widespread Cisco is within the enterprise environment, Talos has become a very powerful tool. Before digging into more advanced tools, don't forget about the most basic tools either, like whois. This is a free public database about who is responsible for pretty much every internet resource: websites, IP addresses. Also, this database can be accessed on a
• 09:30 - 10:00 number of websites; google a couple of them, just pick one and go. DNS can also be queried for a lot of interesting information, especially when looking for alternate domains, subdomains, mail servers, web servers, and sometimes you can even find out some information about internal servers of some company if the DNS server is not configured properly. On Linux and macOS you can also use mostly out-of-the-box tools like dig and host,
• 10:00 - 10:30 or you can use a web service instead, like the Dig utility from Google Toolbox. Finally, zone transfers can sometimes be attempted on badly configured DNS servers. Normally a zone transfer is an internal operation used by admins to replicate a DNS database between multiple servers, but sometimes it just happens, mostly because somebody was not careful, that this functionality is exposed to the internet as well. When this happens, you
• 10:30 - 11:00 can simply request the entire DNS information on the server and it will be handed to your client, no questions asked. The number of tools at your disposal for gathering open source intelligence is huge. I'm mentioning just a few of them here that might help you on the exam, but for the exam purposes you really only need to recognize them and be aware of how they work in general. FOCA, or Fingerprinting Organizations with
• 11:00 - 11:30 Collected Archives: if it sounds weird, it might be because it seems to be translated from Spanish. Anyway, it's a tool for scanning document metadata, so anything that can be extracted from Office files, PDF files, EXIF information and images; it uses a couple of search engines to find out more information about that extracted data. theHarvester, sounds like a wrestler's name, determines the company's external threat landscape on the internet, so it answers
• 11:30 - 12:00 the question: how exposed are we? It searches for names, email, subdomains, valid IP addresses and URLs using multiple public sources on the internet. By the way, this is not illegal; everything is just public information, you're not hacking anything or anyone. Shodan: it's a search engine for anything connecting to the internet, widely used to identify unsecured servers, IoT devices, home routers and webcams.
• 12:00 - 12:30 Maltego uses open source intelligence information and can determine relationships between companies, even between people. Recon-ng: it's a Python tool that performs web reconnaissance and can also be used in pen testing scenarios sometimes. Censys: it's another device search engine; it searches among any devices connected to the internet and provides you with as much information as can be gathered from
• 12:30 - 13:00 the outside. Website rippers are another category; they simply clone an entire website's files on your machine. Of course, you will not be able to copy, perhaps, the PHP or the ASP scripts in the backend, and neither will you be able to copy the database, but web page code might reveal some forgotten information, might expose some vulnerabilities, might include some email addresses in there, not to mention that you could find
• 13:00 - 13:30 out that you have access to specific website regions that are normally hidden from normal user navigation. A very special mention has to be made for Google. Google in itself indexes a large portion of the public internet, which means that there is a lot of useful information in its index; you just have to be able to look for it. Some examples here: you can use quotes to search for specific phrases, you can add a minus sign in front of a word or a quoted phrase to exclude it from results, you can return pages that include both
• 13:30 - 14:00 search terms, because by default Google assumes an OR operator between all your search words. You can search for specific file types, titles or URL components. Most of them can be accessed from the advanced search page on Google as well. The Google Hacking Database includes some very smart examples that extensively use these operators. Finally, the last step in your
• 14:00 - 14:30 intelligence gathering quest will be answering the question: is this source trustworthy, and is this specific piece of information true? Also, I might tell you that I trust this source and I believe this information. Is this enough for you to trust the same source and believe the same information? So the criteria that we should be looking for would be timeliness: information should not be old. That's especially important in cyber security
• 14:30 - 15:00 because simply discovering a threat, talking about it, showing up in the media, this tells the attacker that their attack has become public knowledge, so that makes the threat evolve. So is the intel source up to date or not? Relevancy: does it apply to you? You might have an intel source about a specific threat that attacks systems or protocols or processes that are completely absent in your environment. It has to be relevant to you.
• 15:00 - 15:30 Accuracy: is the source so specific that it'll allow you to immediately build some sort of defense and control against it, or is it just something generic, some threat out there to think about, that we don't really know how it looks, how it behaves, and we have just a general idea about how to protect ourselves against it? And of course, now more than ever, be aware of fake news and fake information; sometimes a clickbait is just that. Nowadays
• 15:30 - 16:00 everybody has a voice on the internet, so it's up to you which ones you listen to. And since all this sounds terribly subjective to interpretation, well, for the exam we need to know something called the Admiralty system or the NATO system, which is a method for evaluating the reliability of a source and the credibility of the information. Now of course government organizations would be more in touch with this rather than the private sector, but unfortunately, so is your dear exam.
• 16:00 - 16:30 Now for the exam, make sure you understand the different intelligence sources that we've discussed and you can provide some examples of them, and you can also recognize some of those threat information sources. Remember that even simple tools like Google or LinkedIn, or utilities like ping, whois or simple DNS lookups, can provide you with a lot of valuable information about a person or a company. And keep in mind
• 16:30 - 17:00 that you need to always be on top of this information, because hackers have access to it too. Thank you for your time, don't forget to subscribe to Certify Breakfast, good luck and see you on the next video.
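The closing segments of the transcript name three criteria for judging an intel item (timeliness, relevancy, accuracy) and point to the Admiralty/NATO system for rating a source's reliability and the information's credibility. The following added example, written for this page and not part of the course, applies those criteria as a triage filter over constructed intel items. The Admiralty letter grades A to F and credibility numbers 1 to 6 are the standard scale; the item fields, the asset inventory and the cut-off values are constructed assumptions, not any vendor's schema.

```python
"""Triage constructed threat-intel items by timeliness, relevancy, accuracy and
Admiralty rating. Item schema, inventory and thresholds are assumptions."""
from datetime import date

# Standard Admiralty scale: source reliability A (best) to F, credibility 1 (best) to 6.
RELIABILITY = {"A": "completely reliable", "B": "usually reliable", "C": "fairly reliable",
               "D": "not usually reliable", "E": "unreliable", "F": "cannot be judged"}
CREDIBILITY = {1: "confirmed by other sources", 2: "probably true", 3: "possibly true",
               4: "doubtful", 5: "improbable", 6: "cannot be judged"}


def is_valid_rating(code):
    """True for a two-character Admiralty code such as 'B2'."""
    return (len(code) == 2 and code[0] in RELIABILITY
            and code[1].isdigit() and int(code[1]) in CREDIBILITY)


def parse_rating(code):
    """Split an Admiralty code into (reliability letter, credibility number)."""
    if not is_valid_rating(code):
        raise ValueError(f"invalid Admiralty code: {code!r}")
    return code[0], int(code[1])


# Constructed inventory: what actually runs in this environment (relevancy check).
INVENTORY = {"windows-server", "openssh", "cisco-asa"}

# Constructed intel items. 'published' drives timeliness, 'affects' drives
# relevancy, and 'indicators' (something concrete to block or detect) drives accuracy.
INTEL_ITEMS = [
    {"id": "I-1", "rating": "B2", "published": date(2024, 2, 28),
     "affects": {"openssh"}, "indicators": ["203.0.113.77"]},
    {"id": "I-2", "rating": "A1", "published": date(2023, 6, 1),
     "affects": {"openssh"}, "indicators": ["evil.example"]},
    {"id": "I-3", "rating": "B2", "published": date(2024, 3, 1),
     "affects": {"solaris"}, "indicators": ["bad.example"]},
    {"id": "I-4", "rating": "C3", "published": date(2024, 3, 2),
     "affects": {"windows-server"}, "indicators": []},
    {"id": "I-5", "rating": "F6", "published": date(2024, 3, 3),
     "affects": {"cisco-asa"}, "indicators": ["198.51.100.9"]},
]


def triage(items, inventory, today, max_age_days=90,
           worst_reliability="C", worst_credibility=3):
    """Return (accepted, rejected): accepted items sorted best rating first,
    rejected as a dict of item id -> the first criterion the item failed."""
    accepted, rejected = [], {}
    for item in items:
        rel, cred = parse_rating(item["rating"])
        age = (today - item["published"]).days
        if age > max_age_days:                       # timeliness
            rejected[item["id"]] = f"stale: {age} days old"
        elif not (item["affects"] & inventory):      # relevancy
            rejected[item["id"]] = "not relevant: affects nothing in inventory"
        elif not item["indicators"]:                 # accuracy / actionability
            rejected[item["id"]] = "not actionable: no concrete indicators"
        elif rel > worst_reliability or cred > worst_credibility:
            rejected[item["id"]] = f"rating {item['rating']} below threshold"
        else:
            accepted.append(item)
    accepted.sort(key=lambda i: (i["rating"][0], int(i["rating"][1])))
    return accepted, rejected


def run_example(today=date(2024, 3, 4)):
    """Run the triage over the constructed items for a fixed 'today'."""
    return triage(INTEL_ITEMS, INVENTORY, today)


if __name__ == "__main__":
    accepted, rejected = run_example()
    print("accepted:", [i["id"] for i in accepted])
    for item_id, reason in rejected.items():
        print("rejected:", item_id, reason)
```

Only I-1 survives in the constructed set: I-2 is nine months old, I-3 affects a platform not in the inventory, I-4 carries nothing concrete to act on, and I-5 comes from a source whose reliability cannot be judged.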