This topic introduces the job roles, industry applications, legislative requirements, terminology and definitions relevant to 'threat hunting': gathering data from various sources, then analysing and interpreting that information to find threats, inconsistencies and discrepancies.
In this topic, you will learn about:
- job roles and application
- industry terms and definitions
- legislative requirements
- organisational policies and procedures.
Let us begin.
Types of Job Roles
This module covers the skills and knowledge needed by individuals responsible for detecting and preventing cyber threats to data, in any business function and any industry context.
The skills gained from completing this module will enable you to:
- work in information technology security (network and security specialists)
- gather logs from devices
- identify abnormalities in those logs and respond accordingly.
Day in the Life: Cyber Threat Intelligence Analyst
The following video will give a glimpse of the role of a cyber threat intelligence analyst.
Analyst Skills and Responsibilities
The following video discusses what is involved in the role of a cybersecurity analyst. While watching the video, make note of the key responsibilities of this role.
Explore
- Explore threat-hunting jobs currently available in Australia at seek.com.au
- Explore the current job market for cybersecurity analysts at seek.com.au, and read its career advice to find out the key skills and experience employers are looking for.
Cyber Security Trends
Australian Legislative Framework
Several laws and regulations in Australia pertain to data collection, privacy, and cybersecurity, which can indirectly impact how organisations and government agencies gather, analyse, and interpret threat data.
However, as the regulatory and legal landscape can change, it is essential to consult the latest legislation and regulations for the most up-to-date information when dealing with threat data in Australia, especially given the evolving nature of cybersecurity threats.
The following video discusses Australia’s data security and privacy legal framework.
Privacy Act 1988
The primary legislative framework governing data security and privacy in Australia is the Privacy Act 1988. This Act mainly addresses the protection of personal information, including its collection and handling, which is highly relevant when dealing with threat data containing personal details.
As collecting and analysing data related to threats may involve personal information, organisations must consider the obligations set out in this Act for handling personal data, including when and how personal information can be used or disclosed.
The Australian Privacy Principles (APPs)
The Australian Privacy Principles (APPs) are set out in Schedule 1 of the Privacy Act 1988 and are the baseline obligations for handling personal information. The Office of the Australian Information Commissioner (OAIC) publishes the Guide to Data Analytics and the Australian Privacy Principles, which explains how those obligations apply when large datasets are collected and analysed, including datasets such as security logs that may contain personal information.
The following video provides an overview of the Australian Privacy Principles from the Privacy Act 1988.
Other laws and regulations
Additionally, various sector-specific laws and regulations impact the handling of threat data within their respective domains.
Organisations must be aware of the legislative requirements for collecting and using data as it applies to various states and territories in Australia as well as within different industry sectors.
Some examples of these specific laws and regulations include:
- My Health Records Act 2012
- Telecommunications Act 1997
- Online Safety Act 2021
- Data Availability and Transparency Act 2022
- Cybercrime Act 2001
- Telecommunications (Interception and Access) Act 1979
- Intelligence Services Act 2001
Knowledge Check
Complete the following seven (7) activities to check your knowledge and understanding of the key legislative requirements. You may repeat this activity as often as you like. Use the arrows to move between the different activities.
Data, Information and Intelligence
- Data – distinct facts and figures acquired as the raw material for subsequent analysis.
- Information – data pieces organised and combined to answer a specific question.
- Intelligence – the product of analysing data and information to discover patterns and narratives that can support a decision.
In a threat-hunting context, raw firewall log lines are data, a count of denied connections per source address is information, and the assessed conclusion that a particular address is probing the network ahead of an attack is intelligence.
Defining Threats and Threat Intelligence
What is a Threat?
A 'threat' is an action or event that has the potential to adversely impact an organisation's operations, assets, or individuals through an information system. The threat can result in unauthorised access, destruction, disclosure, modification of information and denial of services. A threat mainly has three components: intent, opportunity and capability.
What is Threat Intelligence?
'Threat intelligence' is all about analysing information related to adversaries with the intent, opportunity and capability to harm businesses and individuals.
Threat intelligence is data that has been collected, processed and analysed to understand a threat actor's motives, targets and attack behaviours. It enables faster, more informed, data-backed security decisions and shifts a security team's posture from reactive to proactive in the fight against threat actors.
Threat Hunting Terminology
The following video explains the importance of conducting threat-hunting processes to find threats before a cybersecurity breach. It will introduce some key terminology, synonyms and definitions frequently used in the cybersecurity industry. While watching the video, make note of any new industry jargon you encounter.
Reading
Refer to the Cyber Security Terminology glossary on the Australian Signals Directorate (ASD) | Australian Cyber Security Centre (ACSC) official website for the definitions and meaning of the terms used in this topic.
Refer to the article by IBM on What is threat hunting.
Security Equipment
Security equipment safeguards network infrastructure by monitoring, filtering and controlling incoming and outgoing traffic, and safeguards the premises that house that infrastructure. It plays a crucial role in preventing unauthorised access, detecting threats and ensuring overall network security.
Security equipment includes the hardware and software tools that protect computer networks and systems from cyber threats, as well as the physical controls around them. Some examples include:
- Firewalls - to monitor and control incoming/outgoing traffic
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) - an IDS monitors traffic and alerts on malicious activity; an IPS sits inline and can also block it
- Virtual Private Network (VPN) gateways – to secure data in transit
- Antivirus/Anti-malware tools - for endpoint protection
- Proxy servers – to regulate web traffic
- Surveillance Cameras and Closed-Circuit Television (CCTV) - for monitoring and recording activities in and around a specific area.
- Building Access Control Systems – to manage and restrict access to physical locations, such as buildings, server rooms, and facilities that contain network security equipment. This includes card readers, biometric scanners, keypads, and electronic locks.
These are just a few examples of security equipment; the specific types and combinations used by an organisation or individual depend on their security needs, risk assessment and budget. The use of security equipment is a fundamental aspect of maintaining safety and security in various settings, including businesses, government facilities and critical infrastructure.
Threat Data Sources: An Overview
Threat data sources are the various channels and repositories from which organisations and cybersecurity professionals collect information and intelligence about potential cybersecurity threats and vulnerabilities. These sources provide valuable data that can help identify, assess and mitigate risks and respond to cyber incidents effectively. The following are some examples of threat data sources.
- Firewalls are critical threat data sources as they monitor and filter network traffic. They generate logs containing information on allowed and denied connections, intrusion attempts, and potential threats. Analysing firewall data provides insights into unauthorised access attempts, helping organisations effectively identify and respond to security risks.
- Network device logs such as router or switch logs, are essential threat data sources. They capture information about network activities, user access, and potential security events. Analysing these logs helps identify anomalies, unauthorised access, or malicious activities, providing crucial insights for effective threat detection and response in cybersecurity.
- Intrusion Detection Systems (IDS) act as a vital threat data source by monitoring network or system activities for suspicious behaviour or known attack patterns. IDS generate alerts upon detecting potential threats, providing valuable data for analysing and responding to security incidents, thus enhancing overall cybersecurity measures.
- Network Access Control (NAC) systems serve as valuable data sources as they manage and enforce security policies for devices seeking network access, typically authenticating users and devices against a directory service. They provide insights into device health, user authentication and compliance status. Integrating NAC data into security analytics improves visibility and control over who and what is connecting to the network.
- Security Information and Event Management (SIEM) platforms collect and aggregate log data from various sources, including network devices, servers and applications, normalise it into a common format and correlate events across sources. They provide a centralised location for monitoring and detecting potential security incidents. A SIEM can only detect what it is fed, so the inventory of sources forwarding logs to it matters as much as the detection rules.
Collecting and aggregating data from these threat sources is essential for developing a comprehensive understanding of the threat landscape, enhancing security measures, and responding to cybersecurity incidents effectively. Organisations typically establish threat intelligence programs and utilise automated tools to streamline the collection and analysis of this data.
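The following is an added example written for this page, not code from the course or from any SIEM product. It ties the data, information and intelligence definitions above to the threat data sources just listed: constructed firewall log lines and IDS alert lines (data) are normalised into one event schema (information), and two hunting rules are run over the events to produce findings (intelligence). The log formats, device names and IP addresses are invented for the example and do not match any particular vendor.

```python
# Added example (not part of the original course page): a miniature SIEM-style
# pipeline over constructed firewall and IDS log lines. Formats, device names
# and addresses are invented for the example and match no specific vendor.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed firewall log lines: key=value fields after a timestamp and device.
FIREWALL_LOGS = """\
2024-03-01T09:00:01Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=21 proto=tcp
2024-03-01T09:00:01Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2024-03-01T09:00:02Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=23 proto=tcp
2024-03-01T09:00:02Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=25 proto=tcp
2024-03-01T09:00:03Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=8080 proto=tcp
2024-03-01T09:00:04Z fw01 action=ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443 proto=tcp
2024-03-01T09:01:10Z fw01 action=ALLOW src=198.51.100.23 dst=10.0.0.8 dport=443 proto=tcp
2024-03-01T09:02:00Z fw01 action=DENY src=192.0.2.50 dst=10.0.0.5 dport=22 proto=tcp
2024-03-01T09:02:05Z fw01 action=DENY src=192.0.2.50 dst=10.0.0.5 dport=22 proto=tcp
2024-03-01T09:02:09Z fw01 action=DENY src=192.0.2.50 dst=10.0.0.5 dport=22 proto=tcp
"""

# Constructed IDS alert lines: rule id, signature name, protocol, src:port -> dst:port.
IDS_LOGS = """\
2024-03-01T09:00:05Z ids01 [1:100001:1] WEB-ATTACK SQL injection attempt {TCP} 203.0.113.7:51234 -> 10.0.0.5:443
2024-03-01T09:01:12Z ids01 [1:100002:1] POLICY Large outbound HTTPS transfer {TCP} 10.0.0.8:443 -> 198.51.100.23:44321
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
IDS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) \[(?P<sid>[\d:]+)\] (?P<sig>.+?) \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalised into before analysis (the 'information' layer)."""
    ts: str
    device: str
    kind: str                 # "firewall" or "ids"
    src: str
    dst: str
    dport: int
    action: str               # ALLOW / DENY for firewall, ALERT for IDS
    signature: Optional[str] = None


def parse_firewall(text: str) -> list:
    """Normalise firewall lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["device"], "firewall", m["src"],
                                m["dst"], int(m["dport"]), m["action"]))
    return events


def parse_ids(text: str) -> list:
    """Normalise IDS alerts into the same Event schema."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["device"], "ids", m["src"],
                                m["dst"], int(m["dport"]), "ALERT", m["sig"]))
    return events


def hunt(events: list, scan_threshold: int = 5) -> list:
    """Two hunting rules over normalised events (the 'intelligence' layer).

    port_scan: a source DENIED to at least scan_threshold distinct ports. Repeated
      denies to a single port (192.0.2.50 above) do not trigger it; that pattern
      needs its own rule.
    alert_on_allowed_flow: an IDS alert whose src/dst/port the firewall ALLOWED,
      so the traffic actually reached the target; records whether the same source
      was scanning first. Direction matters: the outbound alert above does not match.
    """
    denied_ports = defaultdict(set)
    allowed = set()
    alerts = []
    for e in events:
        if e.kind == "firewall" and e.action == "DENY":
            denied_ports[e.src].add(e.dport)
        elif e.kind == "firewall" and e.action == "ALLOW":
            allowed.add((e.src, e.dst, e.dport))
        elif e.kind == "ids":
            alerts.append(e)

    scanners = {s for s, ports in denied_ports.items() if len(ports) >= scan_threshold}
    findings = [{"type": "port_scan", "src": s, "distinct_ports": len(denied_ports[s])}
                for s in sorted(scanners)]
    for a in alerts:
        if (a.src, a.dst, a.dport) in allowed:
            findings.append({"type": "alert_on_allowed_flow", "src": a.src, "dst": a.dst,
                             "dport": a.dport, "signature": a.signature,
                             "prior_scan": a.src in scanners})
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_firewall(FIREWALL_LOGS) + parse_ids(IDS_LOGS)):
        print(finding)
```

Run as-is, the script reports two findings: 203.0.113.7 scanning five distinct ports, then an IDS alert on a connection from the same address that the firewall allowed, with prior_scan set. Neither source alone tells that story; the firewall sees the probing but not the payload, and the IDS sees the payload but not that the connection was permitted or preceded by a scan. The scan_threshold and the choice of a distinct-port count are assumptions of the example; a production rule would also bound the time window.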
Knowledge Check
Complete the following three (3) activities to check your ability to identify security equipment and data sources. You may repeat this activity as often as you like. Use the arrows to move between the different activities.
Best Practice Resources and Frameworks
ISO/IEC 27001: Information security management
The following video explains how the ISO/IEC 27001 standard helps organisations protect their sensitive information. It requires organisations to implement comprehensive policies, procedures and controls to manage information security risks and establish an information security management system.
NIST Guidelines
The National Institute of Standards and Technology (NIST) publishes guidance on cybersecurity policies and procedures, including gathering, analysing and interpreting threat data. While NIST provides a framework, best practices, guidelines and templates for various security policies, it does not prescribe policies for every aspect of threat data analysis.1
SANS Institute
The SANS Institute provides a comprehensive list of security policy templates compiled in collaboration with subject matter experts and leaders in information security.2
Protective Security Policy Framework (PSPF)
The Protective Security Policy Framework (PSPF) provides security policy guidelines to support Australian Government entities across security governance, information security, personnel security and physical security.3
Policies, Processes and Procedures
When working with data, it is important to understand the distinctions between business policies, processes, and procedures of data management and data governance.
Definitions
- Policy - A high-level statement or guideline that outlines the organisation's goals, objectives and the principles that govern data-related activities. It sets the overarching framework for managing data within the organisation.
- Processes - A series of structured activities and tasks designed to achieve a specific business goal or outcome. A business process defines how data is collected, processed, stored and used to support the organisation's operations.
- Procedures - A step-by-step set of instructions that specifies how a particular task or operation should be performed. Procedures are highly detailed and provide specific guidance for carrying out activities.
Application of Policies, Processes and Procedures When Handling Data
Policies provide the strategic direction, business processes define how data is handled in a broader context, and procedures offer detailed, step-by-step instructions for specific data-related tasks. All three elements are interrelated and play a vital role in any data-related activity, ensuring data is managed efficiently and securely and complies with organisational policies and external regulations.
The following video discusses how NIST's Privacy Framework is used as a guideline to ensure that data processing policies, processes and procedures comply with legislative requirements such as data privacy.
Organisational policies and procedures applicable to gathering, analysing and interpreting threat data can be identified within the following broad categories.
Security Documentation
These policies define the requirements for documenting the results of security assessments, including vulnerability scans, penetration tests, and threat intelligence analyses.
Documentation of established requirements
These policies specifically outline the requirements for gathering and analysing threat data. They define the scope, objectives and compliance standards for the process.
For example, some of these types of policies, standards and guidelines are commonly known as:
- Information security policies
- Wireless communication standards
- Anti-virus guidelines
Go to the SANS Institute's official website and refer to the Information Security Policy Templates for more examples of documents that set out established requirements.
Documentation of findings and recommendations
These policies specifically outline the process for documenting findings and making recommendations based on threat data analysis.
They include procedures for documenting and reporting findings, vulnerabilities, and potential threats and define how recommendations for mitigating risks should be recorded and communicated to relevant stakeholders.
For example, some of these types of documentation are commonly known as:
- Incident/Security response plan policies
- Disaster recovery policies
- Incident response form checklists/playbooks
Establishing Security Equipment and Data Sources
It is important to understand an enterprise's security equipment and data sources: internet-facing equipment such as firewalls and VPN gateways is frequently the entry point for malicious actors, and its logs are often where an intrusion is first visible. A device that is missing from the inventory will not be patched, monitored or have its logs collected.
These policies outline the process for maintaining an inventory of all security-related equipment and data sources, such as firewalls, intrusion detection systems and threat intelligence feeds, and include procedures for regularly updating and monitoring these assets.
Organisations may also have policies and procedures that outline what security equipment and data sources need to be protected and how to access and use them. Some of these policies and procedures may include:
- Acceptable use policies
- Access control policies
- Remote access policies
- Email and communication policies
- Device encryption policies
- Equipment disposal policies
- Device security policies
Go to the SANS Institute's official website and refer to the Information Security Policy Templates to find example policies that document established security equipment and data sources.
Information Collection Processes
These policies address the classification of data based on sensitivity and the procedures for collecting, storing and transmitting threat data. They may include guidelines for using reputable threat intelligence feeds and for establishing data-sharing relationships with external organisations.
For example, these types of policies are commonly known as:
- Security/information logging standard
- Threat response policies
- Incident communication logs
- Email retention policy
- Access review policies
- Information classification standard
Processes in Obtaining and Analysing Results
These policies define the procedures for obtaining threat data and incident-related information, such as logs, alerts and reports. They also outline the process for analysing these results, including incident categorisation, prioritisation and escalation.
For example, some of these types of policies are commonly known as:
- Risk/threat assessment policies
- Security Incident management
- Business Continuity Plan
How Did You Go?
Congratulations on completing the topic Industry insights.
In this topic, you learnt about the following related to gathering, analysing and interpreting threat data:
- job roles and responsibilities
- legislative requirements
- industry terms and definitions
- organisational policies and procedures.
Practice
Refer to the SANS Institute's 'Security Policy Templates' and the Protective Security Policy Framework's 'Policies' to identify the types of policies that relate to the following:
- Documentation of established requirements, findings and recommendations
- Establishing security equipment and data sources
- Information collection processes
- Processes in obtaining and analysing results