WEBVTT

1
00:00:00.270 --> 00:00:01.530
<v Instructor>In this lesson,</v>

2
00:00:01.530 --> 00:00:05.340
we will learn about external intelligence sources.

3
00:00:05.340 --> 00:00:10.050
External intelligence sources include data and insights

4
00:00:10.050 --> 00:00:13.020
gathered from outside an organization

5
00:00:13.020 --> 00:00:17.850
used to help identify potential threats or vulnerabilities.

6
00:00:17.850 --> 00:00:19.800
External intelligence sources

7
00:00:19.800 --> 00:00:23.400
include open source intelligence, or OSINT,

8
00:00:23.400 --> 00:00:27.450
information sharing and analysis centers, or ISACs,

9
00:00:27.450 --> 00:00:31.410
reliability factors, and dark web monitoring.

10
00:00:31.410 --> 00:00:35.760
OSINT includes collecting publicly available information

11
00:00:35.760 --> 00:00:40.020
from websites or forums to spot emerging threats.

12
00:00:40.020 --> 00:00:42.480
ISACs provide threat intelligence

13
00:00:42.480 --> 00:00:45.570
and collaboration among industries.

14
00:00:45.570 --> 00:00:50.130
Next, reliability factors assess the trustworthiness

15
00:00:50.130 --> 00:00:52.110
of external sources,

16
00:00:52.110 --> 00:00:55.530
ensuring that the gathered intelligence is credible.

17
00:00:55.530 --> 00:00:59.490
Finally, dark web monitoring tracks criminal activities

18
00:00:59.490 --> 00:01:01.290
and potential data leaks

19
00:01:01.290 --> 00:01:03.600
that could signal a targeted attack.

20
00:01:03.600 --> 00:01:07.680
Let's learn more about open source intelligence, or OSINT,

21
00:01:07.680 --> 00:01:11.430
information sharing and analysis centers, or ISACs,

22
00:01:11.430 --> 00:01:15.030
reliability factors, and dark web monitoring.

23
00:01:15.030 --> 00:01:18.150
First, we have open source intelligence.

24
00:01:18.150 --> 00:01:22.920
Organizations use open source intelligence, or OSINT, tools

25
00:01:22.920 --> 00:01:26.190
to gain insight into what data attackers

26
00:01:26.190 --> 00:01:29.460
could easily gather about their business.

27
00:01:29.460 --> 00:01:31.740
OSINT refers to the collection

28
00:01:31.740 --> 00:01:34.170
of publicly available information

29
00:01:34.170 --> 00:01:38.220
from sources like websites, social media, and forums.

30
00:01:38.220 --> 00:01:39.990
It helps security teams

31
00:01:39.990 --> 00:01:44.220
to understand their organization's external exposure

32
00:01:44.220 --> 00:01:47.490
and how attackers might exploit this information.

33
00:01:47.490 --> 00:01:51.000
For instance, tools like Maltego or Shodan

34
00:01:51.000 --> 00:01:53.190
allow security teams to see

35
00:01:53.190 --> 00:01:56.820
what publicly facing systems or vulnerabilities

36
00:01:56.820 --> 00:01:59.370
could be visible to attackers.

37
00:01:59.370 --> 00:02:02.220
So OSINT can help organizations

38
00:02:02.220 --> 00:02:05.010
stay one step ahead of adversaries

39
00:02:05.010 --> 00:02:08.640
by showing them the same surface-level information

40
00:02:08.640 --> 00:02:11.040
that attackers are able to access.

41
00:02:11.040 --> 00:02:14.430
Additionally, OSINT can be leveraged by defenders

42
00:02:14.430 --> 00:02:17.640
to gain insights into attackers' tactics,

43
00:02:17.640 --> 00:02:20.850
techniques, and procedures, or TTPs.

44
00:02:20.850 --> 00:02:22.920
By studying the digital footprints

45
00:02:22.920 --> 00:02:25.440
and communications of threat actors,

46
00:02:25.440 --> 00:02:28.590
security teams can gather intelligence

47
00:02:28.590 --> 00:02:33.060
on how attackers are planning and executing their campaigns.

48
00:02:33.060 --> 00:02:37.080
This might involve monitoring threat actor forums,

49
00:02:37.080 --> 00:02:38.940
dark net marketplaces,

50
00:02:38.940 --> 00:02:42.060
or even public exploit databases

51
00:02:42.060 --> 00:02:45.210
where attackers share or sell information

52
00:02:45.210 --> 00:02:49.020
about new vulnerabilities and attack methods.

53
00:02:49.020 --> 00:02:52.290
So OSINT serves as a powerful tool

54
00:02:52.290 --> 00:02:53.880
for both understanding

55
00:02:53.880 --> 00:02:57.060
an organization's external vulnerabilities

56
00:02:57.060 --> 00:03:01.170
and gaining valuable insights into attackers' methods.

57
00:03:01.170 --> 00:03:04.290
By utilizing publicly available data,

58
00:03:04.290 --> 00:03:07.860
organizations can view their own digital footprint

59
00:03:07.860 --> 00:03:10.230
through the eyes of potential attackers

60
00:03:10.230 --> 00:03:13.710
and take proactive measures to mitigate risks.

61
00:03:13.710 --> 00:03:18.570
Furthermore, by studying the OSINT TTPs of threat actors,

62
00:03:18.570 --> 00:03:21.600
defenders can stay ahead of emerging threats

63
00:03:21.600 --> 00:03:24.990
and tailor their security strategies accordingly.

64
00:03:24.990 --> 00:03:29.460
Second, we have information sharing and analysis centers,

65
00:03:29.460 --> 00:03:30.750
or ISACs.

66
00:03:30.750 --> 00:03:34.770
ISACs are organizations that facilitate collaboration

67
00:03:34.770 --> 00:03:38.220
among companies within specific industries

68
00:03:38.220 --> 00:03:42.180
to share cybersecurity information and intelligence.

69
00:03:42.180 --> 00:03:45.570
ISACs help businesses collectively understand

70
00:03:45.570 --> 00:03:48.000
and respond to cyber threats

71
00:03:48.000 --> 00:03:50.760
by pooling resources and knowledge.

72
00:03:50.760 --> 00:03:54.360
For example, the Financial Services-ISAC

73
00:03:54.360 --> 00:03:55.860
is a well-known group

74
00:03:55.860 --> 00:03:59.280
that enables banks and other financial institutions

75
00:03:59.280 --> 00:04:00.690
to share information

76
00:04:00.690 --> 00:04:03.600
about emerging threats and vulnerabilities,

77
00:04:03.600 --> 00:04:07.140
helping to protect the entire financial sector

78
00:04:07.140 --> 00:04:09.090
from coordinated attacks.

79
00:04:09.090 --> 00:04:12.630
Similarly, other industries have their own ISACs,

80
00:04:12.630 --> 00:04:15.750
such as the Health-ISAC for healthcare,

81
00:04:15.750 --> 00:04:18.870
the Energy-ISAC for the energy sector,

82
00:04:18.870 --> 00:04:22.320
and the Aviation-ISAC for aviation,

83
00:04:22.320 --> 00:04:25.740
each providing sector-specific intelligence

84
00:04:25.740 --> 00:04:28.890
to enhance cybersecurity resilience.

85
00:04:28.890 --> 00:04:31.050
A more complete list of ISACs

86
00:04:31.050 --> 00:04:36.050
can be found at https://www.nationalisacs.org/members.

87
00:04:43.950 --> 00:04:47.460
ISACs often provide regular threat reports,

88
00:04:47.460 --> 00:04:50.070
alerts, and best practices

89
00:04:50.070 --> 00:04:52.380
that organizations can integrate

90
00:04:52.380 --> 00:04:54.900
into their security measures.

91
00:04:54.900 --> 00:04:58.470
Some ISACs offer paid membership tiers,

92
00:04:58.470 --> 00:05:00.750
granting access to more detailed

93
00:05:00.750 --> 00:05:03.030
and real-time intelligence,

94
00:05:03.030 --> 00:05:06.960
while others provide basic services at no cost,

95
00:05:06.960 --> 00:05:10.200
such as alerts and community discussions.

96
00:05:10.200 --> 00:05:12.210
So for enterprises,

97
00:05:12.210 --> 00:05:16.230
investing in a paid membership can provide deeper insights,

98
00:05:16.230 --> 00:05:19.830
enabling quicker responses to emerging threats.

99
00:05:19.830 --> 00:05:21.000
This is important,

100
00:05:21.000 --> 00:05:23.130
because by sharing information

101
00:05:23.130 --> 00:05:25.890
about threats seen by one organization,

102
00:05:25.890 --> 00:05:30.090
others can act more quickly to mitigate similar risks.

103
00:05:30.090 --> 00:05:33.480
For instance, if a member of a healthcare ISAC

104
00:05:33.480 --> 00:05:36.540
detects a specific ransomware strain

105
00:05:36.540 --> 00:05:39.030
targeting electronic health records,

106
00:05:39.030 --> 00:05:42.480
they can share that intelligence with other hospitals,

107
00:05:42.480 --> 00:05:46.020
reducing the chances of widespread damage.

108
00:05:46.020 --> 00:05:48.990
This collaborative approach allows companies

109
00:05:48.990 --> 00:05:51.990
to enhance their threat detection capabilities

110
00:05:51.990 --> 00:05:56.550
while improving overall industry resilience against attack.

111
00:05:56.550 --> 00:05:59.910
Third, we have reliability factors.

112
00:05:59.910 --> 00:06:03.870
Reliability factors refer to the evaluation

113
00:06:03.870 --> 00:06:06.810
of the credibility and trustworthiness

114
00:06:06.810 --> 00:06:09.720
of external intelligence sources.

115
00:06:09.720 --> 00:06:12.870
In cybersecurity, this means ensuring

116
00:06:12.870 --> 00:06:14.760
that the information gathered

117
00:06:14.760 --> 00:06:17.250
from a third-party intelligence feed

118
00:06:17.250 --> 00:06:19.380
is accurate and timely.

119
00:06:19.380 --> 00:06:21.990
Various products like Recorded Future

120
00:06:21.990 --> 00:06:24.180
or Mandiant Threat Intelligence

121
00:06:24.180 --> 00:06:27.930
provide external data that organizations use

122
00:06:27.930 --> 00:06:30.630
to enhance their security postures.

123
00:06:30.630 --> 00:06:33.750
But it's important to assess the reliability

124
00:06:33.750 --> 00:06:35.340
of these sources.

125
00:06:35.340 --> 00:06:39.180
This is where the Admiralty Scale comes into play.

126
00:06:39.180 --> 00:06:42.480
The Admiralty Scale is a system commonly used

127
00:06:42.480 --> 00:06:45.600
to evaluate both the source of intelligence

128
00:06:45.600 --> 00:06:48.000
and the information provided.

129
00:06:48.000 --> 00:06:50.970
The Admiralty Scale assigns two ratings,

130
00:06:50.970 --> 00:06:54.240
one for the reliability of the source,

131
00:06:54.240 --> 00:06:56.910
ranging as a grade from A to F,

132
00:06:56.910 --> 00:07:00.180
and another for the accuracy of the information

133
00:07:00.180 --> 00:07:02.910
ranging on a scale from 1 to 6,

134
00:07:02.910 --> 00:07:05.220
where 1 is the most reliable.

135
00:07:05.220 --> 00:07:07.950
This scale helps security teams

136
00:07:07.950 --> 00:07:09.840
gauge whether the intelligence

137
00:07:09.840 --> 00:07:12.330
is coming from a trusted source

138
00:07:12.330 --> 00:07:15.990
and how likely it is that the information is accurate.

139
00:07:15.990 --> 00:07:18.690
For example, an A1 rating

140
00:07:18.690 --> 00:07:21.660
would indicate a highly reliable source

141
00:07:21.660 --> 00:07:24.330
with confirmed credible information,

142
00:07:24.330 --> 00:07:28.350
while an F6 rating would suggest an unreliable source

143
00:07:28.350 --> 00:07:30.570
with unverified information.

144
00:07:30.570 --> 00:07:33.720
So the use of the Admiralty Scale

145
00:07:33.720 --> 00:07:35.970
prevents inaccurate intelligence

146
00:07:35.970 --> 00:07:40.590
from wasting resources or even increasing vulnerabilities.

147
00:07:40.590 --> 00:07:42.930
For instance, if a threat feed

148
00:07:42.930 --> 00:07:46.890
falsely identifies a benign website as malicious,

149
00:07:46.890 --> 00:07:50.490
it could lead to unnecessary remediation efforts

150
00:07:50.490 --> 00:07:52.350
or business disruptions.

151
00:07:52.350 --> 00:07:55.920
Similarly, if a company mistakenly overreacts

152
00:07:55.920 --> 00:07:59.010
to false intelligence about a phishing campaign,

153
00:07:59.010 --> 00:08:01.020
it might divert resources

154
00:08:01.020 --> 00:08:04.320
from addressing actual, more critical threats.

155
00:08:04.320 --> 00:08:08.160
So for enterprises, ensuring the reliability

156
00:08:08.160 --> 00:08:10.860
of external intelligence is critical,

157
00:08:10.860 --> 00:08:14.490
because inaccurate or unverified information

158
00:08:14.490 --> 00:08:17.250
can lead to misinformed decisions

159
00:08:17.250 --> 00:08:22.110
which may result in financial losses or wasted resources.

160
00:08:22.110 --> 00:08:23.910
To avoid such issues,

161
00:08:23.910 --> 00:08:27.900
organizations often use multiple sources of intelligence

162
00:08:27.900 --> 00:08:31.020
and employ cross-verification techniques,

163
00:08:31.020 --> 00:08:33.870
ensuring that the intelligence they act upon

164
00:08:33.870 --> 00:08:38.520
is not only timely but also trustworthy and accurate.

165
00:08:38.520 --> 00:08:40.740
Additionally, the Admiralty Scale

166
00:08:40.740 --> 00:08:42.990
adds an additional layer of rigor

167
00:08:42.990 --> 00:08:45.300
in evaluating this intelligence,

168
00:08:45.300 --> 00:08:47.670
helping to prioritize responses

169
00:08:47.670 --> 00:08:52.320
based on the reliability and credibility of the information.

170
00:08:52.320 --> 00:08:56.340
Fourth and last, we have dark web monitoring.

171
00:08:56.340 --> 00:09:00.930
Dark web monitoring involves tracking and analyzing activity

172
00:09:00.930 --> 00:09:03.180
on hidden parts of the internet,

173
00:09:03.180 --> 00:09:07.020
often used by cyber criminals for illegal activities

174
00:09:07.020 --> 00:09:08.940
like selling stolen data,

175
00:09:08.940 --> 00:09:10.770
offering hacking services,

176
00:09:10.770 --> 00:09:12.930
or sharing vulnerabilities.

177
00:09:12.930 --> 00:09:16.320
Enterprises can use dark web monitoring tools,

178
00:09:16.320 --> 00:09:20.970
such as DarkOwl, to keep an eye on criminal marketplaces

179
00:09:20.970 --> 00:09:24.210
for signs that their data has been compromised,

180
00:09:24.210 --> 00:09:26.910
or that they are being specifically targeted

181
00:09:26.910 --> 00:09:28.440
by threat actors.

182
00:09:28.440 --> 00:09:32.340
For instance, if an organization's user credentials

183
00:09:32.340 --> 00:09:34.560
appear for sale on the dark web,

184
00:09:34.560 --> 00:09:36.720
it likely indicates a breach,

185
00:09:36.720 --> 00:09:40.980
prompting the organization to immediately reset passwords

186
00:09:40.980 --> 00:09:43.770
and investigate the source of the leak.

187
00:09:43.770 --> 00:09:47.670
Dark web monitoring is important in enterprise security

188
00:09:47.670 --> 00:09:50.400
because it provides early indicators

189
00:09:50.400 --> 00:09:53.850
of potential data breaches or planned attacks.

190
00:09:53.850 --> 00:09:56.250
By actively watching the dark web,

191
00:09:56.250 --> 00:09:57.780
companies can detect

192
00:09:57.780 --> 00:10:01.020
whether their sensitive data is being sold

193
00:10:01.020 --> 00:10:03.540
or when hackers are discussing attacks

194
00:10:03.540 --> 00:10:05.520
on their organization.

195
00:10:05.520 --> 00:10:10.140
This early detection can give an enterprise valuable time

196
00:10:10.140 --> 00:10:13.650
to respond to breaches before they escalate.

197
00:10:13.650 --> 00:10:17.460
So remember, external intelligence sources

198
00:10:17.460 --> 00:10:19.950
help organizations to identify

199
00:10:19.950 --> 00:10:22.620
potential threats and vulnerabilities

200
00:10:22.620 --> 00:10:25.170
from outside their own network.

201
00:10:25.170 --> 00:10:30.170
These sources include open source intelligence, or OSINT,

202
00:10:30.270 --> 00:10:34.260
information sharing and analysis centers, or ISACs,

203
00:10:34.260 --> 00:10:38.070
reliability factors, and dark web monitoring.

204
00:10:38.070 --> 00:10:41.130
OSINT collects publicly available information

205
00:10:41.130 --> 00:10:43.230
to spot potential threats.

206
00:10:43.230 --> 00:10:47.490
Next, ISACs enable industry-specific collaboration

207
00:10:47.490 --> 00:10:49.920
on cybersecurity intelligence.

208
00:10:49.920 --> 00:10:54.060
Then reliability factors, like the Admiralty Scale,

209
00:10:54.060 --> 00:10:56.910
are used to evaluate the trustworthiness

210
00:10:56.910 --> 00:10:58.740
of intelligence sources

211
00:10:58.740 --> 00:11:02.910
to ensure informed decisions are based on credible data.

212
00:11:02.910 --> 00:11:05.430
And finally, dark web monitoring

213
00:11:05.430 --> 00:11:09.600
helps track criminal activities and detect data leaks,

214
00:11:09.600 --> 00:11:13.230
providing early warning signs of potential breaches.

215
00:11:13.230 --> 00:11:16.710
Together, these external intelligence sources

216
00:11:16.710 --> 00:11:18.930
provide a comprehensive approach

217
00:11:18.930 --> 00:11:22.923
to identifying and mitigating cyber threats.

