Cyber threat reconnaissance

From HandWiki
Revision as of 14:45, 16 November 2021 by imported>Wikisleeper (update)
Short description: Preparation for cyberwarfare

Cyber Threat Reconnaissance is the active and continual observation of threat actors and their malicious infrastructure, together with third-party networks, for signals of compromise. The goal is to passively gain intelligence on threats external to the organization in as much detail as possible and in the least disruptive manner. Unlike Cyber Reconnaissance, which describes how bad actors obtain information about potential victims in order to find exploitable weaknesses, Cyber Threat Reconnaissance is the inverse model: it describes how a potential victim proactively seeks out and observes threats instead of waiting to become a victim.

Methodologies

Cyber Threat Reconnaissance requires access to internet telemetry: greater volumes of data give superior visibility, and higher data quality enables more efficient analysis and better results. The people who carry out this activity are called Threat Hunters; their role is to translate data into actionable intelligence reports, typically used for defensive purposes. Threat Hunters are often supported by technology to scale their capabilities, and machine learning is regularly leveraged.

Related: other forms of Open Source Intelligence (OSINT), see https://en.wikipedia.org/wiki/Open-source_intelligence

Goals and objectives

When seeking out active threats beyond network borders, there are many use cases and objectives that Governments and private Enterprises attempt to achieve. These include, but are not limited to:

Proactively seeking threats that have the potential to cause harm or impact:

  • Attacker discovery and monitoring – gaining visibility of attacker infrastructure to predict where attacks originate
  • Observing outbound Command & Control (C2) communications from either owned or third-party networks
  • Compromised third parties – discovering connections between threat-actor infrastructure and trusted partners/suppliers/third parties
  • Compromised victims – discovering connections between threat-actor infrastructure and unknown or untrusted third-party organizations or individuals
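The last three objectives above share one piece of detection logic: take flow telemetry from owned and third-party networks, match destinations against infrastructure already attributed to a threat actor, and classify the source address as owned, trusted partner, or unknown so the analyst knows whether the finding is an internal compromise, a compromised supplier, or an unrelated victim. The script below is an added example, not code from the HandWiki article or from any product it mentions; the indicator set, the address-space map and the flow log are constructed (documentation and private ranges) and the log format is a hypothetical one-record-per-line layout. It also counts repeat contacts per source/destination pair, since repeated connections to the same C2 address are a stronger signal than a single flow.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed indicator set (hypothetical): destination addresses already
# attributed to threat-actor infrastructure, taken from RFC 5737 ranges.
THREAT_INFRA = {
    "198.51.100.23": "actor-X C2 (hypothetical)",
    "203.0.113.77": "actor-Y C2 (hypothetical)",
}

# Constructed address-space map: the organization's own networks and the
# networks of trusted third parties it monitors on their behalf.
OWNED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PARTNER_NETS = {
    "example-supplier": ipaddress.ip_network("192.0.2.0/24"),
}

# Constructed flow log in a hypothetical format, one record per line:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
SAMPLE_FLOW_LOG = """\
2021-11-16T14:45:00Z 10.1.2.3 198.51.100.23 443 512
2021-11-16T14:46:00Z 10.1.2.3 198.51.100.23 443 498
2021-11-16T14:47:00Z 10.1.2.3 198.51.100.23 443 505
2021-11-16T14:47:30Z 10.1.2.9 203.0.113.5 443 2048
2021-11-16T14:50:00Z 192.0.2.45 203.0.113.77 8443 300
2021-11-16T14:52:00Z 172.16.5.5 198.51.100.23 443 410
malformed line that should be skipped by the parser
"""


def classify_source(ip_text):
    """Label a source address as 'owned', 'partner:<name>' or 'unknown'."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in OWNED_NETS):
        return "owned"
    for name, net in PARTNER_NETS.items():
        if ip in net:
            return f"partner:{name}"
    return "unknown"


def parse_flows(log_text):
    """Parse the constructed flow format; lines that do not fit are skipped."""
    flows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            flows.append({"ts": ts, "src": src, "dst": dst,
                          "port": int(port), "bytes": int(nbytes)})
        except ValueError:
            continue  # not a valid address or number: skip the record
    return flows


def find_c2_contacts(flows):
    """Keep only flows whose destination is attributed threat infrastructure,
    tagging each with the source classification."""
    contacts = []
    for f in flows:
        if f["dst"] in THREAT_INFRA:
            contacts.append({**f, "infra": THREAT_INFRA[f["dst"]],
                             "source_class": classify_source(f["src"])})
    return contacts


def summarize_contacts(contacts):
    """Group contacts by who the source belongs to and count the flows per
    (src, dst) pair so repeated contact stands out from a single connection."""
    counts = Counter((c["source_class"], c["src"], c["dst"]) for c in contacts)
    summary = defaultdict(list)
    for (cls, src, dst), n in sorted(counts.items()):
        summary[cls].append({"src": src, "dst": dst,
                             "infra": THREAT_INFRA[dst], "flows": n})
    return dict(summary)


def report(log_text):
    """Full pipeline: parse, match against indicators, summarize by source."""
    return summarize_contacts(find_c2_contacts(parse_flows(log_text)))


if __name__ == "__main__":
    for source_class, entries in report(SAMPLE_FLOW_LOG).items():
        print(source_class)
        for e in entries:
            print(f"  {e['src']} -> {e['dst']} ({e['infra']}), {e['flows']} flow(s)")
```

On the constructed log this yields three findings: an owned host with three repeated contacts to actor-X infrastructure (an internal compromise to triage), one flow from the supplier's range to actor-Y infrastructure (a compromised third party to notify), and one flow from an address outside both maps (an unknown victim). The benign flow to 203.0.113.5 and the malformed line produce nothing.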

Sources/Further reading

  • Cyber Reconnaissance, Surveillance and Defense, by Robert Shimonski [1]
  • Conceptualizing Cyber Intelligence, Surveillance, and Reconnaissance, by Col Matthew M. Hurley, USAF [2]