In the context of CompTIA CySA+, threat intelligence collection constitutes the vital second phase of the intelligence cycle, focusing on gathering raw data to assess potential security risks. Effective Security Operations rely on a diversified approach involving Open Source Intelligence (OSINT), closed-source feeds, and internal telemetry.
OSINT involves aggregating data from publicly available sources such as social media, security forums, government reports (like CISA), and public blocklists. While accessible, OSINT often requires significant filtering to determine relevance and accuracy. Conversely, closed-source or proprietary intelligence includes paid vendor feeds and data shared within Information Sharing and Analysis Centers (ISACs). These sources often utilize the STIX/TAXII standards for automated sharing and generally offer higher fidelity and curated context regarding specific adversarial TTPs (Tactics, Techniques, and Procedures).
Internal collection is equally critical, utilizing data from the organization's own SIEM, firewall logs, and Endpoint Detection and Response (EDR) systems to identify indicators of compromise (IoCs) present within the network. Additionally, active collection methods involve deploying honeypots or honeynets—decoy assets designed to lure attackers—allowing analysts to observe distinct behaviors and signatures safely.
Analysts must assess all collected data for timeliness, relevancy, and accuracy, assigning confidence levels to ensure that the intelligence feeds into the analysis phase effectively. By combining these distinct collection streams, security teams can move from reactive postures to proactive threat hunting.
Threat Intelligence Collection Methods
What is Threat Intelligence Collection?
In the context of the CompTIA CySA+ and the Intelligence Cycle, Collection is the phase where raw data is gathered to satisfy the intelligence requirements set during the Planning and Direction phase. Before data can be analyzed and turned into actionable intelligence, it must first be sourced from reliable places. This data serves as the fuel for the rest of the detection and remediation process.
Why is it Important?
Without effective collection methods, a security team is operating blindly. Collection is vital because:
1. Contextualization: It helps analysts understand whether an internal alert is a false positive or part of a known global campaign.
2. Proactive Defense: By collecting data on TTPs (Tactics, Techniques, and Procedures), organizations can patch vulnerabilities before they are exploited.
3. Resource Allocation: It helps security leaders decide where to spend budget (e.g., if collection shows a rise in phishing against the company's sector, they invest in email security).
How Key Collection Methods Work
For the CySA+ exam, you must distinguish between the specific sources and methods of collection:
1. Open Source Intelligence (OSINT)
This is the collection of data from publicly available sources. It is legal and usually free, but it often requires significant filtering to reduce noise.
Examples: Social media, news reports, government publications, public blocklists, and DNS registrars.
2. Closed Source (Proprietary) Intelligence
This involves data collected by commercial vendors who sell access to their findings. This data is usually curated, vetted for accuracy, and delivered via feeds.
Examples: Subscription feeds from companies like Mandiant or Recorded Future, or antivirus vendor threat reports.
3. Information Sharing and Analysis Centers (ISACs)
These are non-profit organizations that provide a central resource for gathering information on cyber threats between organizations within the same sector. Collection here relies on trust and on specific data formats.
Examples: Financial Services ISAC (FS-ISAC) or Healthcare ISAC (H-ISAC).
4. Internal Intelligence
Often overlooked, this is intelligence collected from your own network.
Examples: SIEM logs, firewall logs, NetFlow data, and forensics from previous incidents.
How to Answer Questions on Collection Methods
When facing exam scenarios, the question will usually present a problem (e.g., "An analyst needs to proactively monitor for credentials leaked from a recent breach"). To answer correctly:
1. Identify the Goal: Is the goal low cost? High fidelity? Industry specific?
2. Match the Source:
- If the question mentions "publicly available" or "social media," the answer is OSINT.
- If it mentions "industry partners" or "sector-specific," the answer is an ISAC.
- If it mentions "guaranteed accuracy" or "service level agreements," look for Proprietary/Commercial sources.
- If it involves "standardized automation," look for TAXII (the transport method) or STIX (the language).
Exam Tips: Answering Questions on Threat Intelligence Collection Methods
Tip 1: Know STIX vs. TAXII
Remember that STIX (Structured Threat Information eXpression) is the format (the XML/JSON description of the threat), while TAXII (Trusted Automated eXchange of Indicator Information) is the transport mechanism (how the STIX data is sent via HTTPS).
Tip 2: Commodity vs. Custom Malware
Collection methods help differentiate threats. Remember that relying solely on static file hashes (collected indicators) is often insufficient for modern threats because attackers easily change hashes. The exam prefers answers that focus on collecting TTPs (behavioral patterns) over simple indicators of compromise (IOCs) like IP addresses.
Tip 3: Confidence Scores
In exam scenarios involving automated collection, look for answers that mention Confidence Levels. You should not automate blocking based on data with a low confidence score, as doing so can lead to business interruption.
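To tie Tip 1 and Tip 3 together, here is an added example (not from the original study guide or from any real feed) that parses a constructed STIX 2.1 bundle of the kind a TAXII server would deliver and applies the timeliness and confidence checks before anything reaches a firewall: expired indicators are discarded, high-confidence ones are eligible for automated blocking, and low-confidence ones are routed to an analyst. The indicator values, confidence threshold (70) and helper names are assumptions for the demonstration.

```python
import json
import re
from datetime import datetime, timezone

def make_indicator(n, ip, confidence, valid_until=None):
    # Builds a minimal STIX 2.1 Indicator SDO for the constructed sample below.
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-00000000000{n}",
           "created": "2024-01-10T00:00:00.000Z", "modified": "2024-01-10T00:00:00.000Z",
           "pattern_type": "stix", "pattern": f"[ipv4-addr:value = '{ip}']",
           "valid_from": "2024-01-10T00:00:00.000Z", "confidence": confidence}
    if valid_until:
        obj["valid_until"] = valid_until
    return obj

# Constructed sample bundle (not from any real TAXII feed): one high-confidence,
# one low-confidence, and one expired indicator, as a feed might deliver them.
SAMPLE_BUNDLE = json.dumps({"type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [make_indicator(2, "203.0.113.10", 85),
                make_indicator(3, "198.51.100.7", 30),
                make_indicator(4, "192.0.2.44", 95, "2024-02-01T00:00:00.000Z")]})

IPV4 = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")

def parse_stix_timestamp(s):
    # STIX timestamps are UTC with a trailing Z; the sample uses millisecond precision.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def triage_indicators(bundle_json, min_confidence=70, now=None):
    # Splits IPv4 indicators into auto-block, analyst-review and expired buckets,
    # applying timeliness (valid_until) and accuracy (confidence) before automation.
    now = now or datetime.now(timezone.utc)
    auto_block, review, expired = [], [], []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # relevancy: only STIX-pattern indicators are handled here
        m = IPV4.fullmatch(obj["pattern"])
        if not m:
            continue  # relevancy: only simple IPv4 patterns can feed a firewall rule
        ip = m.group(1)
        if "valid_until" in obj and parse_stix_timestamp(obj["valid_until"]) < now:
            expired.append(ip)  # timeliness: stale indicator, never block on it
        elif obj.get("confidence", 0) >= min_confidence:
            auto_block.append(ip)  # accuracy: high confidence may be automated
        else:
            review.append(ip)  # low confidence goes to an analyst, not the firewall
    return {"auto_block": auto_block, "review": review, "expired": expired}
```

Running `triage_indicators(SAMPLE_BUNDLE, now=parse_stix_timestamp("2024-06-01T00:00:00.000Z"))` leaves only 203.0.113.10 eligible for automated blocking; the 30-confidence entry is queued for review and the expired entry is dropped.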