
CySA+ (CS0-003)

Lesson 2
Exploring Threat Intelligence and Threat Hunting Concepts

Copyright © 2023 CompTIA, Inc. All Rights Reserved. | CompTIA.org
Objectives
• Understand threat actor concepts.
• Explore advanced persistent threats.
• Review tactics, techniques, and procedures (TTP) concepts.
• Understand the importance of identifying active threats.
• Review open-source intelligence and information-sharing concepts.
• Review different types of threat-hunting activities.
• Understand the importance of Indicators of Compromise (IoC).
• Review decoy methods.
Lesson 2

Topic 2A
Exploring Threat Actor Concepts
Threat Actor Types
• Nation-State
• Organized Crime
• Hacktivist
• Insider Threat
• Script Kiddie
• Supply Chain Access

Advanced Persistent Threat (APT)

| Threat Actors   | Targets             |
|-----------------|---------------------|
| Nation State    | Large organizations |
| Organized Crime | Government          |

• Tools
  • Command and Control
  • Rootkits
  • Custom Crafted Tools
Tactics, Techniques, and Procedures
• TTPs: the study of threat actor behavior
  • Identify threat actors
  • Understand methods attackers use
• MITRE ATT&CK
MITRE ATT&CK Matrix

[Figure: screenshot of the MITRE ATT&CK matrix] (Screenshot courtesy of MITRE ATT&CK)


Review Activity: Threat Actor Concepts
1. This threat actor group is generally associated with advanced
persistent threats.
2. After gaining unauthorized access, an attacker takes time to
remove evidence of the actions they performed. These actions are
commonly known as ______-____________.
3. This framework provides very detailed documentation regarding
threat actor tactics, techniques, and procedures.

Lab Activity
• Assisted Lab: Reviewing IoC and Threat Intelligence Sources

Lesson 2

Topic 2B
Identifying Active Threats
Open-Source Intelligence (OSINT)
• Publicly available information
• Public repositories and web searches
  • IP addresses of DNS servers
  • Range of addresses assigned
  • Names, email addresses, and phone numbers of employees and staff
  • Physical address
Open-Source Intelligence (OSINT) cont.
• Social media
  • Facebook, LinkedIn, etc.
  • Posts or user profiles that give away sensitive information
Open-Source Intelligence (OSINT) cont.
• HTML code
  • HTML on a web page provides:
    • IP addresses
    • Names of web servers
    • Operating system versions
    • File paths
    • Names/emails of developers and administrators
  • The layout and organization of the code reveals:
    • development practices, capabilities
    • level of security awareness
Open-Source Intelligence (OSINT) cont.
• Documents may not directly divulge sensitive information
• Metadata
  • Metadata scans on publicly available documents
  • Fingerprinting Organizations with Collected Archives (FOCA)
    • Finds and extracts metadata
      • File author names
      • Names of users that made changes to a document
      • Software name and version info (Adobe Acrobat, Office 2019, etc.)
      • File paths and hostnames
      • Usernames
Defensive OSINT
• Intelligence gathering that focuses on identifying threats
  • Government bulletins
  • CERT
  • CSIRT
  • Deep/Dark web
  • Internal sources
Proprietary/Closed-Source Intelligence Sources
• Paid data feeds
• Special Interest and "member only" groups
• Threat intelligence data depends on three important attributes
  • Timeliness
  • Relevancy
  • Accuracy
Information Sharing and Analysis Centers (ISACs)
• Provide cybersecurity information and services for critical infrastructure teams
  • All US-based ISACs: https://www.nationalisacs.org/member-isacs-3
  • All UK-based ISACs: https://ncsc.gov.uk/section/keep-up-to-date/cisp
• Critical Infrastructure
  • The DHS identifies 16 critical infrastructure sectors
  • https://www.dhs.gov/cisa/critical-infrastructure-sectors
Threat Intelligence Sharing
• Crucial for cyber defense teams
• Threat intelligence sharing goals
  • Identifying indicators of compromise
  • Tracking threat actor groups
  • Documenting findings
  • Discussing strategies
  • Distributing knowledge
Review Activity: Active Threats
1. True or False. Open-Source intelligence describes the use of Linux
to identify potential attackers.
2. What type of threat intelligence is only available via subscription
or by purchasing specialty vendor-supported equipment?
3. What metric helps rank or score threat intelligence to help isolate
highly applicable or highly likely threat intelligence?
Lesson 2

Topic 2C
Exploring Threat-Hunting Concepts
Understand Threat Hunting Concepts
• "Assume breach" mentality
• Analyze routine activities and network traffic
• Use skills and experience to identify potential threats
  • Indicators of Compromise (past)
  • Indicators of Attack (present)
• Search for threat actors based on established TTPs
Explain Indicators of Compromise (IoC)
• Suggest that a security incident may have occurred
• Sources of IoC
  • System and application logs
  • Network monitoring software
  • Endpoint protection tools
  • Security Information and Event Management (SIEM) platforms
Explain Indicators of Compromise (IoC) cont.
• Provide a summary of malicious actions
• Identify the potential source of incident
• Inform a response plan
  • Identify the systems and services to isolate or monitor
  • Identify which users and accounts to lock
• Describe security issues accurately and efficiently
• Protect organizations from future threats
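The two IoC slides above describe matching shared indicators against log sources and turning the hits into a response plan (hosts to isolate, accounts to lock). The following added example (not from the CompTIA deck) does exactly that over a constructed indicator set and constructed key=value log lines; the log layout, the field names and the indicator values are all assumptions, and the IP, domain and hash are documentation-range placeholders, not real indicators:

```python
import re

# Constructed indicator set, as it might arrive from an ISAC or a paid feed.
# 198.51.100.0/24 and .invalid are reserved documentation values.
IOCS = {
    "ip": {"198.51.100.23"},
    "domain": {"update.example.invalid"},
    "sha256": {"b" * 64},  # placeholder hash, not a real sample
}

# Constructed proxy/endpoint log lines in a simple key=value layout (assumed format)
SAMPLE_LOGS = [
    "ts=2023-05-01T10:01:02Z host=ws-017 user=alice dst_ip=203.0.113.5 domain=intranet.example.invalid",
    "ts=2023-05-01T10:02:17Z host=ws-042 user=bob dst_ip=198.51.100.23 domain=update.example.invalid",
    "ts=2023-05-01T10:03:40Z host=srv-db-01 user=svc_backup sha256=" + "b" * 64,
    "ts=2023-05-01T10:04:01Z host=ws-017 user=alice dst_ip=203.0.113.9",
]

KV = re.compile(r"(\w+)=(\S+)")

# Which log fields are compared against which indicator type
FIELD_TO_IOC = {"dst_ip": "ip", "src_ip": "ip", "domain": "domain", "sha256": "sha256"}


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict (assumed log format)."""
    return dict(KV.findall(line))


def match_iocs(lines, iocs) -> dict:
    """Return every indicator hit plus the hosts and accounts a responder
    would isolate or lock, derived from the hits' host= and user= fields."""
    hits, hosts, users = [], set(), set()
    for line in lines:
        ev = parse_line(line)
        for field, kind in FIELD_TO_IOC.items():
            value = ev.get(field)
            if value and value in iocs.get(kind, ()):
                hits.append({"ts": ev.get("ts"), "host": ev.get("host"),
                             "user": ev.get("user"), "kind": kind, "value": value})
                if ev.get("host"):
                    hosts.add(ev["host"])
                if ev.get("user"):
                    users.add(ev["user"])
    return {"hits": hits, "isolate_hosts": sorted(hosts), "lock_users": sorted(users)}
```

Running `match_iocs(SAMPLE_LOGS, IOCS)` yields three hits on two hosts, which is the summary of malicious actions and the isolate/lock lists the slide calls for.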
Digital Forensics
• Applying threat-hunting techniques often requires using data provided by information-sharing platforms and "field notes" created by professional incident responders.
Decoy Methods and Concepts
• Active Defense
• Honeypots
  • Redirect malicious traffic away (decoys)
  • Provide an early warning for ongoing attacks
  • Collect intelligence on the attackers

[Figure: image reproduced with permission of GitHub, Inc. COPYRIGHT © 2023 All Rights Reserved.]
Review Activity: Threat-Hunting Concepts
1. What activity is best defined by the "assume breach" mindset?
2. What term describes when an attacker has successfully moved to
another system within the environment after gaining initial
access?
3. True or False. Indicators of attack (IoA) depend upon forensic
evidence to identify that unauthorized access has occurred.

Lab Activity
• Assisted Lab: Performing Threat Hunting

CySA+ (CS0-003)

Lesson 2
Summary