🟦
LSWSec-Defensive
  • LSWSec - Defensive Security Notes
  • General
    • Tool List
  • Threat Intelligence
    • Introduction
    • Threat Actors and APTs
    • Operational Threat Intelligence
    • Tactical Threat Intelligence
    • Strategic Threat Intelligence
    • Malware and Global Campaigns
  • Phishing
    • Introduction
    • Investigating a Phishing Email
    • Analysing
    • Defensive Action
    • Reactive Measures
    • Report Writing
  • Digital Forensics
    • Introduction
    • Digital Evidence and Handling
    • Memory, Pagefile and Hibernation file
    • Digital Evidence Collection
    • Windows Investigation
    • Linux Investigations
    • Volatility
    • Autopsy
    • Windows Commands
      • Network Discovery
      • DHCP
      • DNS
  • SIEM
    • Introduction
    • Logging
    • Correlation
  • Incident Response
    • Introduction
    • Preperation
    • Detection & Analysis
    • Containment, Eradication and Recovery
    • reporting
    • MITRE Att&ck
  • Event Viewer
    • event Summary
    • Event ID: 4648
    • Event ID: 4776
    • Event ID: 4673
    • Event ID: 4625
Powered by GitBook
On this page
  • Intelligence Sharing
  • IOC/TTP Gathering and Distribution
  • OSINT vs Paid-for Sources
  • Traffic Light Protocol (TLP)
  1. Threat Intelligence

Strategic Threat Intelligence

Intelligence Sharing

Companies can come together to form ISAC’s. These are groups to share intelligence.

These are often companies which do the same type of jobs like manufacturing.

IOC/TTP Gathering and Distribution

The security analyst has the job of gathering and distributing IOC’s to different people. This is since they will be doing a similar job anyway so it makes sense.

OSINT vs Paid-for Sources

OSINT

There is a lot of free information that can be collected. However there is a greater chance that this information could be fake. This means alot of this information will need to be confirmed.

  • TweetIOC

  • Spamhaus

  • URLhaus

  • AlienVault Open Threat Exchange

  • Virus Share

  • List of Free Threat Feeds

  • Anomali Weekly Threat Briefing

  • US Cybersecurity and Infrastructure Security Agency – Automated Indicator Sharing

  • SANS Internet Storm Center

  • Talos Intelligence – Free Version

Paid-source

Paid sources are very expensive and not viable to small or medium organisations, however these generally have better, more reliable information.

  • FireEye

  • Recorded Future

  • CrowdStrike

  • Flashpoint

  • Intel471

Traffic Light Protocol (TLP)

This is a system to work out which information can be shared with other organisations.

This entire protocol relies on trust so it is incredibly important to not breach the intended level of distribution.

White

This information is publicly shared. However, copyright results still apply.

Green

This information is shared within communities like information sharing and analysis centres (ISACs). This should not be shared outside of intended communities

Amber

This information can only be shared internally within the organisation, on a need to know basis.

Red

This information is extremely sensitive and could have severe consequences. Information cannot be shared with anyone who is not personally named. It cannot be shared under any circumstance without the author's permission.

PreviousTactical Threat IntelligenceNextMalware and Global Campaigns

Last updated 1 year ago