---
title: CTIA-2
tags: tutorials
disqus: hackmd
---

:::info
[TOC]
:::

[CTIA-3](/f_h7dYHcSJe-3tEIFDEOtA)

# CH3

## Organization

- Identify critical threats
  1. Assets, data, incidents
  2. Identify & prioritize threats
  3. Prioritized list
- Identify
  - Asset identification and classification
  - The likelihood that a threat exploits a vulnerability to produce an ==impact== on an ==asset==
    - Vulnerability
    - Risk
    - Threat
      - Unintentional
      - Intentional

:::danger
- Security pressure posture
- Attractiveness (to attackers)
- Map out the ideal target state
- Requirements
  - Production requirements
:::

:::warning
- MoSCoW requirements prioritization
  - MUST have (compulsory)
  - SHOULD have (high priority)
  - COULD have (preferred but not essential)
  - WON'T have (can be postponed, or suggested for a future project)
:::

- Non-disclosure agreement
  - Pay particular attention to this in the workplace
- Avoid common pitfalls
  - Unreliable intelligence sources
    - Verify before relying on them
  - Inadequate communication
  - Data without context
    - Everything that happens leaves a trace
    - Information always comes with a context; keep it attached
  - Detection outcomes (confusion matrix):

    |                         | Correct (True) | Incorrect (False) |
    |-------------------------|----------------|-------------------|
    | Positive (detected)     | TP             | <font color="#F00">FP (false alarm), type I error</font> |
    | Negative (not detected) | TN             | <font color="#F00">FN (miss), type II error</font> |

  - Lack of standardization
    - Automate
  - Lack of technology capabilities

## Threat intelligence planning

- Prepare
  - People
    - Good people matter most
  - Processes
    - SOPs
  - Technology
- Plan

:::info
- Identify data sources
  - Phishing messages
  - Indicators of malware
  - Compromised devices
  - IP reputation
  - Malicious infrastructure
    - <font color="#F00">C2</font>
:::

- Schedule

:::info
- The goal is broken down into tasks/objectives, which become the numbered items of the WBS:

```
goal ---------- task / objective 1 \             1.
                objective 2         ===> WBS     2.
                objective 3        /             3.
                ...
```
:::

- Review the project charter
- Build the work breakdown structure (WBS)
  - Identify all deliverables
  - Define all activities
  - Identify the sequence of activities
  - Identify and estimate resources for all activities
  - Identify task dependencies
  - Estimate the duration of each activity
  - Develop the final schedule
- Aggregate
  - Platform
  - Portal
  - Integration
- Intelligence use
  - Brand protection
  - Identification of attacker networks
  - Identification of third-party risks
- Track metrics
  - Time taken to detect incidents
  - Encounter rate
  - False positives / false negatives (see the table above)
- Related resources
  - OTX
  - IBM X-Force Exchange platform

## Management support

- Establish
  - Drivers

## Build the team

- Organization
  - Find threats
  - Different seeds
  - TTPs
  - Intelligence sharing
  - Threat analysis and incident response support
  - Threat analysis
  - Intelligence
  - Malware
- Intelligence roles and responsibilities
  - IR: get the incident handled
  - E-discovery & forensic examiner: find the evidence
  - DFIR
  - Security operator
  - .....
- :fire: Define the talent acquisition strategy
  - Internal transfer
  - External hire (recruiting)
  - Outsourcing (MSSP)

## Intelligence sharing

- Considerations
  - Data handling classification
  - Information security
  - Intelligence convergence
  - Traffic Light Protocol (TLP)
  - OFFICIAL
  - ISACs
  - Commercial vendors
  - Trading partners
  - Informal contacts
- Threat providers
  - Threat indicators
  - Threat data feeds
  - Comprehensive cyber threat information
- Intelligence security
  - Authentication
  - Authorization
  - Data protection
  - Logging activity

## Intelligence program review

- Review
  - Openness
  - Objectiveness
  - Document successes
  - Look back with hindsight

# CH4

## Data collection

- Data collection
  - Notes
    - Choose sources carefully
    - Use multiple sources
  - Methods
    - Passive
      - Packets
      - Logs...
    - Active
      - <font color="#F00">Observation of the adversary's systems without any legal or privacy breach</font>
    - Hybrid data collection
      - Shared network
      - Honeypot
  - Data types
    - Raw data
    - Exploited (data)
      - Processed data
    - Production (intelligence)
      - Analyzed result
      - Contains subjective judgement

### Operation

- Security
  - Operational security (OPSEC)
  - Use secure tunneling protocols
    - SSH
    - HTTPS
    - VM
    - MSDN
    - ...
    - VPN
- Reliable
- Relevant
- Credible
- Collection criteria
  - Establish new protection mechanisms
  - Mitigate evolving threats
  - Estimate frequency
  - Plan

### Feeds & sources

- Feeds
  - External
  - Internal
- Proactive
  - Honeypot
- Intelligence disciplines
  - OSINT (open sources)
    - Internet
  - HUMINT (people)
  - SIGINT (signals)
  - TECHINT (technical)
  - GEOINT (geospatial)
  - FININT (financial)
  - MASINT (measurement)
  - CHIS (personal/other relationships)
  - SOCMINT (social media)
  - CCI (cyber counterintelligence)
  - IoCs

### OSINT

- Collection
  - Search engines (e.g. Google)
  - Web
    - Deep web: hidden/unindexed
    - Dark net: navigated anonymously
    - Surface web: a plain browser
  - WHOIS lookup
  - :fire: Fast-Flux DNS
    - DNS-based proxy redirection
    - Hides the C2
  - DDNS :fire:
    - Custom domain names
    - Duck DNS, ngrok...
  - DNS zone transfer
  - Maltego
  - OSTrICa
  - ....
- Related resources
  - GHDB
  - Spamhaus
  - Alexa
  - Internet Archive
  - DomainTools
  - Duck DNS

### HUMINT

- Collection
  - Social engineering
  - Interviewing & interrogation
  - Honeypot
  - Passive DNS monitoring
    - PassiveTotal
  - Malware sinkholes
  - YARA rules
  - Online virus lookup sites

## IoCs

- Collection
  - External
    - Commercial & industry
    - Free
      - MISP
  - Internal
    - Splunk
    - Graylog
    - Redline (memory analysis)
    - PEStudio (static)
    - ANY.RUN (dynamic)
- Related resources
  - Sysmon
  - Graylog
  - FakeNet
  - IBM X-Force Exchange

## Bulk data

- Definition
  - Volume :star:
  - Velocity :star:
  - Variety :star:
  - Variability
  - Complexity
- Distributed processing
  - Distributed
- Forms
  - Structured
  - Unstructured
  - Semi-structured (files that sit between the two)
    - Header
    - Content
- Tools

## Data processing

- Data processing
  - Data normalization > bring things with the same meaning together
    - Structure/form
    - Meaning
    - Filtering, tagging, queuing
  - Formats
    - OpenIOC (older)
    - STIX (1.x, 2.x)
    - CybOX (description language; merged into STIX 2.x)
    - TAXII

    |          | CTI   | WWW  |
    |----------|-------|------|
    | Language | STIX  | HTML |
    | Protocol | TAXII | HTTP |

  - Data sampling (the sample should be representative of the population)
    - Probability sampling
      - Uniform/random
    - Non-representative sampling
    - Purposive: a specific group
    - Convenience: whatever resources are at hand
  - Storage
    - Cloud
    - Local
  - Visualizing
    - Graphical/pictorial representation

---
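The confusion-matrix table in CH3 (under "avoid common pitfalls") and the "track metrics" bullets, worked through in code. This is an added example and not part of the original notes: the `Event` records and the ten-event review sample are constructed, and `minutes_to_detect` is an assumed field standing in for "time taken to detect incidents". The point of running the numbers is that FP and FN trade against each other, so a program should report both rates, not a single accuracy figure.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    event_id: str
    malicious: bool                           # ground truth from the post-incident review
    alerted: bool                             # whether the detection fired
    minutes_to_detect: Optional[int] = None   # assumed field: alert time minus true start (TPs only)


# Constructed review sample (not real telemetry): ten events with their outcome.
SAMPLE_EVENTS = [
    Event("e01", True, True, 5),     # TP
    Event("e02", True, True, 30),    # TP
    Event("e03", True, False),       # FN: a miss (type II error)
    Event("e04", False, True),       # FP: a false alarm (type I error)
    Event("e05", False, False),      # TN
    Event("e06", False, False),      # TN
    Event("e07", False, False),      # TN
    Event("e08", True, True, 10),    # TP
    Event("e09", False, True),       # FP
    Event("e10", False, False),      # TN
]


def confusion_matrix(events):
    """Count each event into exactly one of the four cells of the table."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for ev in events:
        if ev.alerted:
            counts["TP" if ev.malicious else "FP"] += 1
        else:
            counts["FN" if ev.malicious else "TN"] += 1
    return counts


def _ratio(num, den):
    # Empty denominators (no alerts, no incidents) yield 0.0 instead of crashing.
    return num / den if den else 0.0


def detection_metrics(events):
    """Derive the rates a CTI program tracks from the four counts."""
    c = confusion_matrix(events)
    ttd = [ev.minutes_to_detect for ev in events
           if ev.alerted and ev.malicious and ev.minutes_to_detect is not None]
    return {
        **c,
        "precision": _ratio(c["TP"], c["TP"] + c["FP"]),            # share of alerts that were real
        "recall": _ratio(c["TP"], c["TP"] + c["FN"]),               # share of real incidents caught
        "false_positive_rate": _ratio(c["FP"], c["FP"] + c["TN"]),  # type I error rate
        "false_negative_rate": _ratio(c["FN"], c["FN"] + c["TP"]),  # type II error rate
        "mean_minutes_to_detect": _ratio(sum(ttd), len(ttd)),
    }


if __name__ == "__main__":
    for key, value in detection_metrics(SAMPLE_EVENTS).items():
        print(f"{key:>24}: {value:.3f}" if isinstance(value, float) else f"{key:>24}: {value}")
```

On the sample this gives TP=3, FP=2, FN=1, TN=4, so precision 0.6 and recall 0.75: tightening the detector to remove the two false alarms would be worth little if it also turned one of the three true positives into a miss.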
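The Fast-Flux DNS bullet under OSINT describes DNS-based proxy redirection used to hide a C2. As an added example (not from the original notes), the following checks passive-DNS observations for the traits such a setup leaves behind: many distinct addresses for one name, spread across networks, with short TTLs. The `PdnsRecord` shape, the RFC 5737 documentation addresses, the /16 prefix as a stand-in for ASN diversity, and the thresholds are all assumptions for illustration; a CDN-like name is included to show why address count alone is not enough.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class PdnsRecord:
    ts: int        # unix time the resolution was observed
    name: str
    rrtype: str
    rdata: str
    ttl: int


def _rec(minute, name, ip, ttl):
    return PdnsRecord(1700000000 + 60 * minute, name, "A", ip, ttl)


# Constructed passive-DNS observations; all addresses are RFC 5737 documentation ranges.
SAMPLE_PDNS = (
    # stable host: one address, long TTL
    [_rec(0, "update.example.net", "198.51.100.7", 3600),
     _rec(240, "update.example.net", "198.51.100.7", 3600)]
    # CDN-like host: many addresses and a short TTL, but all in one network
    + [_rec(i * 10, "cdn.example.com", f"203.0.113.{20 + i}", 60) for i in range(6)]
    # flux-like host: short TTLs and addresses scattered across networks
    + [_rec(0, "flux.example.org", "192.0.2.11", 60),
       _rec(10, "flux.example.org", "198.51.100.23", 60),
       _rec(20, "flux.example.org", "203.0.113.9", 120),
       _rec(30, "flux.example.org", "192.0.2.57", 60),
       _rec(40, "flux.example.org", "198.51.100.200", 300),
       _rec(50, "flux.example.org", "203.0.113.140", 60)]
)


def summarize(records):
    """Per-name features: how many addresses, how spread out, how short-lived."""
    by_name = defaultdict(list)
    for r in records:
        if r.rrtype == "A":
            by_name[r.name].append(r)
    features = {}
    for name, rs in by_name.items():
        ips = {r.rdata for r in rs}
        # /16 prefix as a cheap stand-in for ASN diversity (assumption: no ASN data offline)
        prefixes = {ip_address(ip).packed[:2] for ip in ips}
        span_hours = max(1.0, (max(r.ts for r in rs) - min(r.ts for r in rs)) / 3600)
        features[name] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(r.ttl for r in rs),
            "ips_per_hour": len(ips) / span_hours,
        }
    return features


def fast_flux_candidates(records, min_ips=5, min_prefixes=3, max_ttl=300):
    """Names that look like fast-flux: many short-lived addresses across networks.
    The thresholds are illustrative assumptions; tune them against your own pDNS."""
    return sorted(
        name for name, f in summarize(records).items()
        if f["distinct_ips"] >= min_ips
        and f["distinct_prefixes"] >= min_prefixes
        and f["min_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    for name, f in summarize(SAMPLE_PDNS).items():
        print(name, f)
    print("candidates:", fast_flux_candidates(SAMPLE_PDNS))
```

Only `flux.example.org` is flagged: `cdn.example.com` has just as many addresses and the same 60-second TTL, but they all sit in one network, which is what a load-balanced CDN looks like. Lowering `min_prefixes` to 1 flags the CDN as well, which is the false-positive trade-off to keep in mind before alerting on this signal alone.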
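The data normalization bullets in the Data processing section (filtering, tagging, queuing; STIX as the language of CTI, TAXII as its protocol), as an added example that is not from the original notes: three constructed feeds with different shapes are parsed, filtered against an allowlist, deduplicated on the normalized value, tagged with every source that reported them, and emitted as a hand-built STIX 2.1 indicator bundle (no `stix2` library, so only the core required fields are set). The feed contents, `ALLOWLIST`, the `source:` label scheme and the deterministic UUIDv5 ids are assumptions of this example.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed feeds (none of these indicators are real).
FEED_A = """value,type,source
203.0.113.9,ip,feed-a
evil-updates.example.org,domain,feed-a
203.0.113.9,ip,feed-a
"""
FEED_B = ["198.51.100.23", "c2.example.net", "cdn.example.com",
          "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"]
FEED_C = '[{"indicator": "EVIL-UPDATES.example.org.", "kind": "hostname"}]'

# Filtering step: known-benign infrastructure to drop before it becomes an indicator (assumed).
ALLOWLIST = {"cdn.example.com"}

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def classify(value):
    """Normalize the raw string and decide which STIX observable it maps to."""
    v = value.strip().lower()
    if _IPV4.match(v):
        return "ipv4-addr", v
    if _SHA256.match(v):
        return "sha256", v
    return "domain-name", v.rstrip(".")   # drop the trailing dot of DNS-style output


def to_pattern(kind, value):
    """STIX 2.1 pattern for the three observable types handled here."""
    if kind == "ipv4-addr":
        return f"[ipv4-addr:value = '{value}']"
    if kind == "sha256":
        return f"[file:hashes.'SHA-256' = '{value}']"
    return f"[domain-name:value = '{value}']"


def parse_feeds():
    """Read each feed in its own shape into (value, source) pairs."""
    raw = []
    for line in FEED_A.splitlines()[1:]:          # skip the header row
        if line.strip():
            value, _kind, source = line.split(",")
            raw.append((value, source))
    raw += [(v, "feed-b") for v in FEED_B]
    raw += [(o["indicator"], "feed-c") for o in json.loads(FEED_C)]
    return raw


def normalize(raw, now=None):
    """Filter, deduplicate on the normalized value, tag with every source, emit STIX 2.1."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    merged = {}
    for value, source in raw:
        kind, norm = classify(value)
        if norm in ALLOWLIST:
            continue
        merged.setdefault((kind, norm), set()).add(source)
    objects = []
    for (kind, norm), sources in sorted(merged.items()):
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            # Deterministic UUIDv5 so a re-run yields the same id (a design choice, not a STIX rule)
            "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, norm)}",
            "created": ts,
            "modified": ts,
            "indicator_types": ["malicious-activity"],
            "pattern": to_pattern(kind, norm),
            "pattern_type": "stix",
            "valid_from": ts,
            "labels": sorted(f"source:{s}" for s in sources),
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def build_bundle():
    return normalize(parse_feeds())


if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```

Nine raw entries collapse into five indicators: the repeated line in feed A and the upper-cased, trailing-dot form in feed C are the same domain, so they become one object whose labels record both sources, and the allowlisted CDN name never reaches the bundle. The resulting JSON is what a TAXII collection or a MISP import would accept.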