Cyber threat intelligence: Difference between revisions
From ACT Wiki
Jump to navigationJump to search
(Create page - source - NCSC - https://www.ncsc.gov.uk/collection/building-a-security-operations-centre/threat-intelligence) |
(Add link.) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 15: | Line 15: | ||
:(1) Indicator of Compromise (IoC) | :(1) Indicator of Compromise (IoC): | ||
:At the lowest level, there are open source TI feeds that will provide indicators of compromise. | |||
:This will include things like known bad IP addresses, domains, hashes and strings, all of which can compared with your logs. | :This will include things like known bad IP addresses, domains, hashes and strings, all of which can compared with your logs. | ||
| Line 24: | Line 26: | ||
:(2) Tactics Techniques and Procedures (TTPs) | :(2) Tactics Techniques and Procedures (TTPs): | ||
:Slightly more abstract than IoCs, Qualitative TI will often refer to attacker TTPs, which can be invaluable in creating behavioural analytics. | |||
:For example, a certain threat actor that is relevant to your organisation has been taking advantage of a couple of specific system tools to perform privilege escalation. | :For example, a certain threat actor that is relevant to your organisation has been taking advantage of a couple of specific system tools to perform privilege escalation. | ||
| Line 31: | Line 35: | ||
:(3) Situational | :(3) Situational: | ||
:Far more abstract information that might be useful in directing research and development, or the refinement of SOC strategies. | |||
:This would typically include information on trends and geopolitical situations." | :This would typically include information on trends and geopolitical situations." | ||
| Line 53: | Line 59: | ||
*[[Due diligence]] | *[[Due diligence]] | ||
*[[Information Commissioner's Office]] (ICO) | *[[Information Commissioner's Office]] (ICO) | ||
*[[Information technology]] | |||
*[[National Cyber Security Centre]] (NCSC) | *[[National Cyber Security Centre]] (NCSC) | ||
*[[Open source]] | *[[Open source]] | ||
| Line 58: | Line 65: | ||
*[[Public domain]] | *[[Public domain]] | ||
*[[Risk management]] | *[[Risk management]] | ||
*[[Treasury]] | |||
*[[Treasury risk]] | |||
| Line 63: | Line 72: | ||
*[https://www.ncsc.gov.uk/collection/building-a-security-operations-centre/threat-intelligence Building a Security Operations Centre - threat intelligence - UK National Cyber Security Centre] | *[https://www.ncsc.gov.uk/collection/building-a-security-operations-centre/threat-intelligence Building a Security Operations Centre - threat intelligence - UK National Cyber Security Centre] | ||
*[https://www.treasurers.org/hub/technical/cyber-security-guide-2024 Cyber security in corporate finance - ICAEW - 2024] | *[https://www.treasurers.org/hub/technical/cyber-security-guide-2024 Cyber security in corporate finance - ICAEW - 2024] | ||
[[Category:Accounting,_tax_and_regulation]] | [[Category:Accounting,_tax_and_regulation]] | ||
Latest revision as of 10:21, 30 July 2024
Treasury risk - information technology - cyber security - cyber threat.
Cyber threat intelligence is the assessment, validation and reporting of information on current and potential cyber threats.
Cyber threat intelligence is undertaken to maintain and improve an organisation’s cyber security awareness and cyber risk management responses.
- Three categories of cyber threat intelligence
- "Threat intelligence (TI) comes in multiple formats but you can group it into three broad categories.
- The actual extent of its use depends on available tools and resources in the Security Operations Centre (SOC).
- In an ideal situation, a SOC will make use of all types of TI.
- (1) Indicator of Compromise (IoC):
- At the lowest level, there are open source TI feeds that will provide indicators of compromise.
- This will include things like known bad IP addresses, domains, hashes and strings, all of which can compared with your logs.
- A match would indicate the system is interacting with a known bad IoC.
- There are many IoC feeds that can be used and ingested into monitoring solutions.
- (2) Tactics Techniques and Procedures (TTPs):
- Slightly more abstract than IoCs, Qualitative TI will often refer to attacker TTPs, which can be invaluable in creating behavioural analytics.
- For example, a certain threat actor that is relevant to your organisation has been taking advantage of a couple of specific system tools to perform privilege escalation.
- This kind of information, when used correctly, can be turned into detection use-cases.
- (3) Situational:
- Far more abstract information that might be useful in directing research and development, or the refinement of SOC strategies.
- This would typically include information on trends and geopolitical situations."
- Building a Security Operations Centre - threat intelligence - UK National Cyber Security Centre.
See also
- Compromise
- Corporate finance
- Credential stuffing
- Cyber attack
- Cyber breach
- Cyber risk
- Cyber security
- Cyber security: protecting your business and your clients
- Cyber threat
- Dark web
- Domain
- Domain name spoofing
- Due diligence
- Information Commissioner's Office (ICO)
- Information technology
- National Cyber Security Centre (NCSC)
- Open source
- Outside-in cyber review
- Public domain
- Risk management
- Treasury
- Treasury risk
