WEBVTT

00:07.310 --> 00:12.590
In this episode, we're going to talk about different collection methods that you can utilize as a CySA+

00:12.590 --> 00:13.250
analyst.

00:13.250 --> 00:18.470
What you need to understand when it comes to collection methodology is that it's not just about collecting

00:18.470 --> 00:20.150
information inside your network.

00:20.150 --> 00:26.210
If all we did as analysts was grab as much of the information coming into our network as humanly possible,

00:26.210 --> 00:30.260
we really wouldn't have a good idea of what else is going on out there in the interweb.

00:30.260 --> 00:31.490
We wouldn't understand that.

00:31.490 --> 00:37.880
Hey, this organization that closely aligns to my own has this type of attack that is constantly occurring,

00:37.880 --> 00:44.030
or that this threat over here is impacting other networks that could eventually impact my own.

00:44.030 --> 00:47.060
Collection methodology really refers to the art of understanding.

00:47.090 --> 00:52.220
Hey, I need to collect different information from different sources, so I have a bigger picture of

00:52.220 --> 00:57.740
the world around me, so I'm better prepared to defend my network against different types of attacks.

00:57.740 --> 01:02.300
We don't want this closed loop of information where all we're gathering is information that's coming

01:02.300 --> 01:03.600
from our own network.

01:03.600 --> 01:08.340
We need information from a lot of different sources so that we can better protect ourselves and our

01:08.340 --> 01:13.590
networks against different threat actors and the different threat vectors that may challenge our specific

01:13.590 --> 01:14.970
network infrastructure.

01:15.570 --> 01:19.680
The first type of collection methodology I want to talk about is open source.

01:19.710 --> 01:23.940
Open source methodologies are all those things that you've probably utilized throughout your entire

01:23.940 --> 01:24.510
career.

01:24.540 --> 01:26.640
We're talking about the social media out there.

01:26.640 --> 01:29.730
Maybe it's Twitter or X, Facebook.

01:29.760 --> 01:31.740
It can be even Etsy.

01:31.770 --> 01:37.080
Believe it or not, different open source and social media information comes from various sources to

01:37.110 --> 01:38.820
include different blogs.

01:39.090 --> 01:42.000
It's not uncommon for people to get open source information.

01:42.030 --> 01:44.760
Here's the problem with open source information, though.

01:44.760 --> 01:47.640
Everybody knows about it, including the threat actor.

01:47.640 --> 01:53.010
So once we publish something that says, hey, my network was attacked by this and be aware of it,

01:53.010 --> 01:59.310
they could change what they're doing, even a slight minutia that would change the entire attack vector.

01:59.310 --> 02:04.140
This poses problems to us as cybersecurity analysts, because once the threat actor knows that we're

02:04.170 --> 02:10.300
onto their game, they're going to change their game a little bit to get around our protective

02:10.300 --> 02:10.960
measures.

02:10.960 --> 02:16.960
So open source collection methodology, while it's very valuable, can also pose some problems with

02:16.960 --> 02:20.560
the actual defense against that specific methodology as well.

02:20.590 --> 02:23.200
There's also blogs where people write about it.

02:23.200 --> 02:29.920
These are usually experts that write about a specific attack vector or a different threat actor

02:29.920 --> 02:36.700
and then how their network, or a network that they gained privileged access to, is associated with a specific

02:36.700 --> 02:37.240
attack.

02:37.270 --> 02:41.830
The problem with blogs is they're usually written about 3 or 4 days after the attack occurs.

02:41.830 --> 02:47.770
So the information at best is 3 or 4 days old, at worst it's 2 or 3 months old, and this could cause

02:47.770 --> 02:49.420
problems in understanding what's going on.

02:49.450 --> 02:57.400
There's often also government bulletins, government bulletins from, say, the FBI's InfraGard system.

02:57.400 --> 03:02.860
They provide those bulletins to us on a weekly basis or a monthly basis that tell us what's going on.

03:02.860 --> 03:07.410
And if you're an InfraGard member, then you get access to those specific bulletins.

03:07.420 --> 03:09.550
It's not just the FBI's InfraGard, though.

03:09.550 --> 03:15.010
There's CISA, there's other government bulletins that come out, and while they try their best to associate

03:15.010 --> 03:20.140
those bulletins specifically to an organization, some of them are very open source, meaning, again,

03:20.140 --> 03:21.790
threat actors have access to them.

03:21.790 --> 03:23.710
And finally, there's the dark web.

03:23.710 --> 03:25.840
The dark web is easy to access.

03:25.840 --> 03:31.690
Most people have it, and even those people that are on the dark web are constantly monitoring the different

03:31.690 --> 03:37.540
forums, the different aspects of those same blogs or social media posts, but they're just not provided

03:37.540 --> 03:38.890
on Facebook or Twitter.

03:38.890 --> 03:41.680
They're on their own version of the dark web sphere.

03:41.710 --> 03:46.180
Now, this could be a specific website that constantly changes, or it could be an older website that

03:46.180 --> 03:47.620
people are still active on.

03:47.620 --> 03:52.060
It doesn't really matter, but that open source information on the dark web has the same problem:

03:52.090 --> 03:56.410
the information is usually old, or the attacker has access to it anyway.

03:56.410 --> 04:01.930
So dark web information, however, does provide us a key look into what's going on sometimes before

04:01.930 --> 04:07.600
the threat actor actually does the attack, which is obviously quite good for us because it gives us

04:07.600 --> 04:09.580
a different outlook into what's going on.

04:10.810 --> 04:13.540
Then we have what's called closed source information.

04:13.540 --> 04:19.990
These are usually paid feeds that are put out by a specific security organization, whether it's Cloudflare

04:20.020 --> 04:25.300
or another organization that does its own security vulnerability testing or research.

04:25.300 --> 04:28.600
The fees paid usually fund that research.

04:28.630 --> 04:33.730
Now, the great thing about closed feeds is most threat actors aren't subscribing to those types of

04:33.730 --> 04:39.640
feeds, and most closed source feeds have a specific requirement that you have to have equipment or be

04:39.640 --> 04:46.540
on a network that is reliable and has actually been validated before they provide those feeds to you.

04:46.570 --> 04:49.180
Do those feeds sometimes end up in the general public?

04:49.210 --> 04:49.930
Absolutely.

04:49.960 --> 04:52.540
Do they try their best not to make that happen again?

04:52.570 --> 04:53.170
Yes.

04:53.200 --> 04:59.080
Paid feeds provide us a pathway into a specific research company that is providing the research towards

04:59.080 --> 05:04.660
a vulnerability or a known exploit, and giving us the most up to date information as it comes to bear.

05:04.690 --> 05:09.160
They could have warnings where they come out and say, hey, we're seeing this new vulnerability

05:09.160 --> 05:10.000
that's being exploited.

05:10.000 --> 05:12.890
We don't have new information about it, but be aware of it.

05:12.890 --> 05:16.730
That provides us a closed feed of information of an ongoing attack.

05:16.760 --> 05:21.530
They like to do information sharing, which provides us the most up to date information as it's coming

05:21.530 --> 05:22.010
by.

05:22.040 --> 05:28.130
However, this also poses the problem of not being readily accessible or very thought through.

05:28.160 --> 05:33.110
Meaning that while the information is up to date, it's only the information they have access to, which

05:33.110 --> 05:34.550
means sometimes it's a little off.

05:34.550 --> 05:39.770
It could be attacking, say, port 443, but on the back end we didn't realize there was malware going

05:39.800 --> 05:43.190
into effect that caused that port to be vulnerable to attack.

05:43.190 --> 05:46.550
All we may know is that, hey, something's happening on port 443.

05:46.580 --> 05:49.280
We know that it's happening, but that's all the information we have.

05:49.310 --> 05:52.940
However, some information is usually better than no information.

05:52.970 --> 05:55.430
It also usually comes from internal sources.

05:55.430 --> 06:00.050
For instance, if I have a firewall and I'm part of that vendor, then that vendor may have their own

06:00.050 --> 06:00.980
security research.

06:00.980 --> 06:05.810
And they're sending out to everybody that owns their firewall the latest paid information that comes

06:05.810 --> 06:06.890
with that firewall.

06:06.890 --> 06:11.390
This is great for us if you own the firewall, but if you don't, sometimes you don't have access to

06:11.420 --> 06:11.630
it.

06:11.630 --> 06:13.970
This would be closed source information.

06:14.010 --> 06:19.050
Now I'm going to show you an open source of information that you have readily accessible to you, as

06:19.050 --> 06:20.280
long as you sign up.

06:20.280 --> 06:21.150
Let's take a look at that.

06:21.150 --> 06:29.010
Now, this is AlienVault OTX, open source threat identification, meaning it's a threat feed that is

06:29.010 --> 06:30.750
open source to anybody that signs up for it.

06:30.780 --> 06:31.680
It didn't take much.

06:31.680 --> 06:35.940
I signed up, it literally took two minutes and it gave me access to this information.

06:35.940 --> 06:42.390
You can see here, right here, we have CoinMiner 7181, meaning that's the number of counts that they've

06:42.390 --> 06:44.400
seen and that we have feature of one.

06:44.400 --> 06:48.060
We can see related pulses associated with it on different websites.

06:48.060 --> 06:55.290
For instance, Seaborg provides us one month ago, and it was modified 26 minutes ago by this person.

06:55.290 --> 06:57.450
And it tells us exactly what's going on.

06:57.450 --> 07:02.370
If I right click on this and open a new tab, it brings me up to a new feature.

07:02.370 --> 07:09.120
This feature goes on to tell me that, hey, it's in reference to CVE-2024, meaning it's recent today,

07:09.120 --> 07:12.510
and it's the 32,000th version of that feed.

07:12.510 --> 07:16.200
I can copy that, but I can also go down to a more relevant one.

07:16.200 --> 07:17.580
If we scroll down...

07:17.610 --> 07:23.610
Historically, we can see all the way down to 2022, and you get the point.

07:23.610 --> 07:24.870
It really goes down all the way.

07:24.870 --> 07:30.870
So this has been around, related to the CVE, since as early as 20, probably 2021.

07:30.870 --> 07:34.320
If I kept on scrolling, I can go all the way back here, actually.

07:34.320 --> 07:36.600
And you can see again 2021.

07:36.630 --> 07:36.930
Right.

07:36.960 --> 07:42.660
So the most up to date information is going to be right here on the CVE-2024 32,000.

07:42.690 --> 07:44.910
I can see the indicators of compromise.

07:44.910 --> 07:47.370
And it tells me that the CVE is 15,000.

07:47.400 --> 07:51.780
It tells me the other URLs associated with it and then the domain as well.

07:51.780 --> 07:53.790
And it's only showing the last ten entries.

07:53.790 --> 07:59.160
If I scroll down, I can see other information like the file hash associated with the specific one.

07:59.160 --> 08:05.850
So if I see this on my network, I can actually rule it out and go through and identify anything associated

08:05.850 --> 08:07.440
with that specific hash.

08:07.470 --> 08:13.830
Again, I can go down to the more recent information of 32,003, and you can see the related

08:13.830 --> 08:18.940
pulses. If I go here, I can look at the different comments that somebody that's already associated with

08:18.940 --> 08:21.880
this specific feed has identified as part of this.

08:21.910 --> 08:26.740
Now, comments are like anything else, you have to take that with a grain of salt, but sometimes it

08:26.740 --> 08:28.660
provides us some good information.

08:28.780 --> 08:34.450
By dropdown we can see the link for Common Windows Services Update, and it provides me some link and

08:34.450 --> 08:35.860
some valuable information.

08:35.860 --> 08:41.140
This is just an example of one threat feed that maybe you should subscribe to, but there's various

08:41.140 --> 08:41.860
ones out there.

08:41.860 --> 08:46.630
There's ones on Cloudflare, there's other ones associated with STIX or TAXII.

08:46.630 --> 08:48.010
Those are more well known.

08:48.010 --> 08:50.680
But for this one, AlienVault does a pretty good job.

08:50.680 --> 08:55.450
In this episode, we talked about open and closed source threat feeds and what you should be aware of

08:55.480 --> 08:56.650
as a threat analyst.

08:56.650 --> 09:02.170
In your CySA+ exam, you're going to be asked specific questions about whether a feed is open source

09:02.170 --> 09:05.200
or closed source, but it should be fairly high level.

09:05.200 --> 09:11.560
You shouldn't see any direct questions about paid feeds versus information sharing or internal sources,

09:11.560 --> 09:15.220
or even the different feeds that are associated with open source versus closed source.

09:15.220 --> 09:19.630
Most of your questions are going to be very rudimentary when it comes to threat intelligence feeds,

09:19.630 --> 09:21.580
and maybe why they're important.

09:21.580 --> 09:23.590
Usually the answers are common sense.

09:23.590 --> 09:28.330
To give you some relation to the types of questions that you might see, I would really understand that

09:28.330 --> 09:29.920
a closed source is a paid feed.

09:29.920 --> 09:35.440
It provides information sourcing and it's usually from internal sources, usually from a vendor.

09:35.440 --> 09:36.490
With open source feeds,

09:36.490 --> 09:40.900
we're really talking about information that's available freely on the internet, and it's shared across

09:40.900 --> 09:44.350
the different aspects of that specific threat feed.

09:44.380 --> 09:49.090
You really need to understand the big difference between a closed source and an open source feed,

09:49.090 --> 09:54.070
and how they provide reliability versus subjectivity when it comes to those types of feeds.

09:54.070 --> 09:59.170
You might see scenario-based questions asking you specifically if a feed is closed source.

09:59.170 --> 10:03.760
Maybe it'll ask something like you paid for a feed and this feed provides you X, Y, and Z.

10:03.790 --> 10:07.840
Is this a closed source, an open source, or just a regular source?

10:07.840 --> 10:09.250
You kind of get the picture.

10:09.250 --> 10:15.010
I wouldn't expect to see any truly in-depth questions when it comes to CySA+ about open source versus

10:15.010 --> 10:20.380
closed source, but I would expect to see some rudimentary high level questions and why they may be

10:20.380 --> 10:22.930
important for you as a cybersecurity analyst.
