Saturday, 29 December 2018

Thank You for Another Exciting Year

The (ISC)² team would like to extend our gratitude to you for being an (ISC)² member. Thank you for all you do each day to help us achieve our vision of inspiring a safe and secure cyber world.


We are excited by the progress and development made in 2018 as the global (ISC)² team continues its commitment to delivering value to you. I’m happy to share some of the team’s accomplishments with you, including:

Multi-Factor Authentication Now Available

I’m thrilled to share that we have added Multi-Factor Authentication as an additional layer of security to your online (ISC)² member account. MFA is just one feature of the new and improved Member Dashboard that was introduced this week. I encourage you to activate this feature in your account, as well as update other communication preferences.

Digital End-To-End Transformation

Speaking of technology enhancements, our team is dedicated to delivering value to you at every encounter. That is why we have invested in a digital end-to-end transformation that took place largely in 2018. (ISC)² revamped much of our online presence, and we are continuing to improve the various platforms and technologies that you use to engage with us and that (ISC)² employees use for our day-to-day business operations.

Sold-Out (ISC)² Security Congress

I am excited to share that this was the second year in a row with a sold-out Security Congress. We are looking forward to 2019’s event in Orlando, Florida at the Walt Disney World Swan and Dolphin Resort October 28-30. The new venue will provide us with increased capacity to grow the conference and welcome colleagues from all over the globe. Due to its large and international travel-friendly airport, Orlando will be the home of Security Congress for years to follow, at the Hyatt Regency Orlando. Registration is open now, so make plans to join us in Florida next year!

New Advocates and Growth in Asia-Pacific

Tony Vizza, CISSP, joined our team as Director of Cybersecurity Advocacy, Asia-Pacific. With more than 25 years of experience, Tony will focus on educating the public and private sectors about the need for stronger cybersecurity training, policies and recruitment. He will give a voice to the growing number of members in this incredibly dynamic region. Membership in Asia-Pacific exceeded 17,500 during the year, with China reaching the milestone of 2,000 members. Mary Jo de Leeuw joined (ISC)² just this month as our Director of Cybersecurity Advocacy, EMEA. She was recently ranked as one of the U.K.’s 50 most influential women in cybersecurity and we are thrilled to have her as part of our team.

Keeping Families Safe Online

Your Center for Cyber Safety and Education continues to expand all its Safe and Secure Online educational and scholarship programs around the world. The award-winning Garfield cyber safety education program for children has been proven to increase cyber safety knowledge by 28%. The materials for parents and seniors are currently available in eight languages and the Center’s goal is to have it in 30 languages this next year. This opportunity for our profession to give back to the community in so many ways is something we as members should be very proud of and I encourage all of you to learn more about this effort to make it a safer cyber world.

Workforce Gap and Additional Industry Research

Awareness of the cybersecurity skills shortage continues to grow each day. Our latest Cybersecurity Workforce Study found the gap to be 2.93 million worldwide. But our research is focused on more than the gap: we examine the challenges facing the profession to find solutions not just for the profession, but for the professional. Other 2018 research reports include Building a Resilient Cybersecurity Culture and Hiring and Retaining Top Cybersecurity Talent.

Think Tank Webinar Channel Awarded

The (ISC)² Think Tank webinar channel, which features 60-minute roundtable discussions with industry experts, was honored by the BrightTALK platform as the Highest Growth Channel in the IT category. If you’re not already taking advantage of these free webinars, I highly encourage you to do so. Not only is the material useful to your day-to-day work, but the on-demand, weekly webinars are an easily accessible way to keep up with your CPE requirements.

Professional Development Opportunities

A key focus for (ISC)² next year is to provide more professional development for you, as well as ensure that all of our material is deeply enriching to your career, no matter where you are in your journey. We debuted two courses this year that are free for (ISC)² members: GDPR for Security Professionals: A Framework for Success and DevSecOps: Integrating Security into DevOps. We look forward to bringing you even more courses in the new year.

Finally, next year marks our thirtieth anniversary and as we approach 150,000 members worldwide, we look forward to even more growth and development for (ISC)², and more importantly, for you. Thank you for another exciting year.

Best wishes to all for a safe and secure holiday season!

Friday, 28 December 2018

Beware of scams this holiday season

Over the past few weeks, I have noticed a marked increase in the number of phishing attempts, both using cyber based methods as well as traditional methods such as phone calls, text messages and even postal service scams.

Scammers rely on psychological trigger points to succeed. December, in particular, is a stressful time for many people: boozy Christmas parties, buying presents for your family (and finding something your partner will like), planning the holiday getaway with the kids and, of course, wrapping up the end of quarter and end of year. The result is a hazy mix of peace on earth, goodwill to all, exhaustion, apathy and lowered defences.

Scams to be mindful of at this time of year are as follows:

Email-Based Scams

Many of the email-based phishing attempts manage to bypass multiple layers of very strong technical security controls due to their targeted nature. They rely on a number of psychological triggers to elicit action - for example, the email I received about employee satisfaction at the time of year that traditionally sees Christmas bonuses handed out (example below).


Fraudulent emails should be marked as "Junk" within your email client or browser and reported to internal information security personnel.

Text-Based Scams

A method that has featured prominently is the SMS (text message) based phishing attempt. At this time of year, when people are spending more than they usually would, they are more sensitive to financial concerns, so a text message purporting to come from a financial institution and warning of suspended access or fraudulent transactions gains more attention than it would at other times. Here is an example I received this morning, purportedly from a banking institution I have no affiliation with:


The recommendation here is to report the scam to local law enforcement or official scam reporting services and delete the text message.

Phone-Based Scams

A method that has become far more prevalent than ever involves automated (robocall) phone calls that deliver a dire warning to the person answering and solicit some form of action to deal with the supposed issue.

A popular variant at the moment suggests that there is a pending arrest warrant out on you due to a tax debt. These phone-based scams rely on fear and many fall victim to these scams. The link below provides an example of such a phone call: Sample Robot Phone call

It should also be noted that some phone-based scams rely on emotional elation rather than fear to dupe a target. For example, a call suggesting you have won a sum of money or a prize, followed by a request for your personal details so that instructions on how to collect the "prize" can be sent to you. Again, these scams rely on trickery and emotional manipulation.

The recommendation here is to hang up on these phone calls and report the scam to local law enforcement or official scam reporting services.

Paper-Based Scams

Another way that scammers can defraud is through theft of postal mail from your letter box to determine personal details that allow them to create fraudulent bank accounts. I recently assisted a family member in such a situation, where they were (legitimately) notified by a bank of a new bank account created in their name - even though they had no association with the bank or any third party associated with the bank. Subsequent investigation revealed that the account had been created fraudulently.

Again, the recommendation here is to report the scam to local law enforcement or official scam reporting services and work with the institution to rectify the situation.

In addition, another prudent course of action is to set up credit alerts on your credit file. Credit monitoring and reporting agencies and bureaus can provide assistance with this.

Finally, never underestimate the value of locking your mailbox with a key, or perhaps investing in a Post Office box and listing the Post Office box details on all postal material. It's a simple but effective way to help prevent mail-based fraud.

Other Methods

The methods that can be employed by scammers are endless and scammers are always looking for ways to succeed. Scamming attempts include:

◈ Fake charities and accosting those walking by with requests for donations. It is relatively simple for someone to create a convincing "ID" badge and walk around the streets seeking cash from those who want to do good, particularly around Christmas time.
◈ Door-knockers purporting to be from a utility provider, telecommunications provider or other legitimate provider seeking personal details.
◈ Dating scams, of which there are numerous ones to list.

In every case, the recommendation is the same: report the scam to local law enforcement or official scam reporting services.

The old adage that "if it sounds too good to be true, it probably is" is more relevant than ever.

Wednesday, 19 December 2018

CASP+ vs. CISSP: 4 Advantages of CompTIA’s Advanced Cybersecurity Certification

Employers need IT professionals who have advanced, hands-on skills for cybersecurity jobs including security architect, application security engineer, technical lead analyst and security engineer. These in-demand IT job roles are expected to grow over the next 10 years, according to the U.S. Bureau of Labor Statistics.


CompTIA Advanced Security Practitioner (CASP+), most recently updated in April 2018, is an advanced-level cybersecurity certification that includes both performance-based and multiple-choice questions. CASP+ assesses the hands-on skills of IT professionals who conceptualize, engineer, integrate and implement secure solutions across complex environments to support a resilient enterprise. Download the exam objectives to learn more.

CASP+ is often compared to (ISC)2 Certified Information Systems Security Professional (CISSP), and many IT pros ask themselves, “which certification is right for me?” Both exams assess advanced-level cybersecurity skills and are vendor neutral, but the similarities stop there.

4 Advantages of CASP+ Over CISSP

1. CASP+ is a performance exam.

Employers require hands-on cybersecurity skills, and CASP+ makes sure IT pros can “walk the walk” in addition to “talk the talk.” For example, two job roles shared by CASP+ and CISSP are security engineer and security architect, which require hands-on skills to build cybersecurity systems and programs. But only CASP+ includes simulations to test these skills on a network and various systems.

Passing the CASP+ exam and getting certified shows you have the proper skills right here, right now. Employer documentation of experience is not required, because you have proven you have the hands-on skills to perform the job.

Why take an exam that includes only multiple-choice questions when employers need to know you have the performance skills certified by CompTIA Advanced Security Practitioner?

CompTIA performance certifications validate the skills associated with a particular job or responsibility. To earn the certification, candidates must demonstrate their ability to perform related tasks through simulations and performance-based questions, proving they not only know what a job entails, but how to do it.

2. CASP+ provides cybersecurity managers with technical mastery.

In many cases, it becomes challenging to manage a cybersecurity team or program if you don’t understand how a given technology works. For example, if the board of directors asks you to ensure compliance with a specific government standard, the request may involve rolling out complex cybersecurity technologies and infrastructure requirements.

CASP+-certified professionals understand the standard in question and how to comply with it. They also have the advanced skills needed to lead, design and implement the technical solution.

CASP+ covers the hands-on skills needed by cybersecurity architects. According to Cyberseek, cybersecurity architects earn a median salary of $133,000 per year, and there are more than 5,000 job openings in the United States alone. CASP+ can show employers that you have the skills they are looking for.

3. CASP+ fills an industry skills gap for advanced, hands-on cybersecurity jobs.

CASP+ was born out of an industry need for a hands-on, advanced-level cybersecurity assessment. Many cybersecurity pros with more than five years of experience want to remain at the keyboard and work directly with cybersecurity technologies and tools. They may not want to be managers, or they may simply enjoy the day-to-day challenge of solving complex architecture-level security problems. CASP+ is the answer for them.

For example, for years the U.S. Navy used CISSP to certify advanced cybersecurity pros, regardless of their job role. But they had no good way of assessing advanced hands-on cybersecurity skills for personnel who were not in management positions. That is why they mandated CASP+.

Corporate cybersecurity workforces around the world are experiencing the same skills gap. That is why ManTech, Northrop Grumman, SMS Data Products Group and Booz Allen Hamilton all request CASP+ in their job ads.

CASP+ is accredited under the ANSI/ISO/IEC 17024 standard and is approved by the U.S. Department of Defense to fulfill Directive 8570.01-M requirements. It complies with government regulations under the Federal Information Security Management Act (FISMA). Regulators and government rely on ANSI/ISO/IEC accreditation because it provides confidence and trust in the outputs of an accredited program. More than 1.3 million CompTIA ANSI/ISO/IEC-accredited exams have been delivered since January 1, 2011.

4. CASP+ costs less than CISSP.

CompTIA CASP+ costs USD $439 retail and includes both performance-based simulations and multiple-choice questions. CISSP costs USD $699 retail and only includes multiple-choice questions.

Why pay USD $699 for ​a multiple-choice exam when you can also assess your hands-on performance at USD $439 with CompTIA Advanced Security Practitioner?

Cybersecurity Certifications to Meet Employer Demand

Advanced cybersecurity jobs are in demand, and employers need IT professionals with the skills that match their open jobs. Show employers you have the knowledge, skills and abilities they need with CASP+.

Sunday, 16 December 2018

What’s the Difference Between the CISSP and the CISM Certifications?


Both the CISSP and CISM certifications are designed to improve the information security of businesses. Both require passing an exam, completing at least 5 years of work experience, agreeing to a code of ethics, and completing a requisite number of continuing education hours upon receiving certification. Both are also valuable certifications in the information security sector that can advance your career in one way or another. That being said, there are some key differences to consider when deciding which certification is right for you.

The CISSP Certification

CISSP, which stands for “Certified Information Systems Security Professional,” is a certification offered by (ISC)2 that indicates an individual’s ability to deal with the tactical side of information security in a business. This means that they’re able to design, implement and maintain an information security system. The domains covered by the CISSP certification are as follows:

Domain 1: Security and Risk Management
Domain 2: Asset Security
Domain 3: Security Architecture and Engineering
Domain 4: Communication and Network Security
Domain 5: Identity and Access Management
Domain 6: Security Assessment and Testing
Domain 7: Security Operations
Domain 8: Software Development Security

These domains are more technical than managerial, and as such this certification is for people interested in a technically-focused job trajectory.

The CISM Certification

CISM, which stands for “Certified Information Security Manager,” is a certification offered by ISACA that shows an individual’s ability to build and run an information security program within a business in order to accomplish the business’ overall goals. If your career trajectory is headed in a managerial direction rather than a tactical one, the CISM may be the right certification for you. It covers the technical aspects of information security only at a basic level, as the focus of the certification is management. The domains covered by the CISM certification are as follows:

◉ Domain 1: Information Security Governance
◉ Domain 2: Information Risk Management
◉ Domain 3: Information Security Program Development and Management
◉ Domain 4: Information Security Incident Management

Getting Both CISSP and CISM Certifications

It’s not uncommon for an information security professional to decide to pursue both the CISSP and CISM certifications. If you choose to pursue both, it’s often a good idea to get CISSP-certified first in order to learn the technical skills behind information security programs. Then, if it still interests you and you have a desire to advance to more managerial positions within the information security sector, you can use the CISM certification to build upon your prior knowledge. Instead of viewing the CISSP and CISM as separate certifications with different goals, try to see the two as complementary certifications that provide people with the tools necessary to support businesses and their information security programs from multiple viewpoints. While the CISSP may be more technically focused and the CISM more managerially focused, the skills learned through both certifications are helpful in ensuring the success of a company’s information security system.

Friday, 14 December 2018

CCSP or CISSP – Which is better?


Choosing between CCSP (Certified Cloud Security Professional) and CISSP (Certified Information Systems Security Professional) can be a bit tricky, as both certifications overlap heavily and are developed by (ISC)2. However, the choice becomes clearer once you decide what you want to accomplish. CISSP is a certification that allows you to advance your career by moving into management, while CCSP helps you stay technical, with a focus on cloud. Also, holding a CISSP credential can be substituted for the entire experience requirement of the CCSP.

Both certifications are described below for a clearer and better understanding.

Certified Cloud Security Professional (CCSP)

CCSP is a premier cloud security certification and is widely regarded as the highest-level vendor-neutral credential for cloud security. Earning a CCSP certification validates your skills and hands-on experience in cloud security architecture, design, operations and service orchestration.

The prerequisites for this certification include a minimum of five years of cumulative paid work experience in IT, of which three years must be in information security and at least one year in one or more of the six domains of the CCSP Common Body of Knowledge (CBK).

The target audience for this certification includes:

◈ Enterprise Architect
◈ Security Administrator
◈ Systems Engineer
◈ Security Architect
◈ Security Consultant
◈ Security Engineer
◈ Security Manager
◈ Systems Architect

A CCSP certification gives you instant credibility and recognition, as it is the leading credential for cloud security expertise. It helps you stay ahead of others by keeping you current on the latest technologies, threats and mitigation strategies. The certification prepares you to work across different cloud platforms and to protect sensitive data in a global environment. CCSP also opens up a range of opportunities and helps you move into the roles most appropriate for you.

Certified Information Systems Security Professional (CISSP)

CISSP helps advance your career in cyber security. Earning a CISSP credential demonstrates your expertise in designing, implementing and managing a highly reliable cyber security program.

The prerequisites to becoming a CISSP include a minimum of five years of cumulative paid work experience in two or more of the eight domains of the CISSP CBK (Common Body of Knowledge).

The target audience for this certification includes:

◈ Chief Information Security Officer
◈ Chief Information Officer
◈ Director of Security
◈ IT Director/Manager
◈ Security Systems Engineer
◈ Security Analyst
◈ Security Manager
◈ Security Auditor
◈ Security Architect
◈ Security Consultant
◈ Network Architect


The benefits of earning a CISSP certification include the immediate recognition that one receives, as it is highly respected by large organizations. According to the (ISC)2 Global Information Security Workforce Study, the average salary earned by CISSP holders is 25% higher than the average salary earned by their non-certified colleagues. Also, the rate at which CISSP holders receive salary increases exceeds that of many other domains in the IT industry.

Salary Comparison

If we compare the pay commanded after earning these certifications, a CCSP earns an annual average salary of $100,800 (averaging salary reports from the US overall, Philadelphia, PA, Washington, DC, Dallas-Fort Worth, TX and Shreveport, LA) according to Glassdoor, while the annual average salaries earned by CISSP holders range from $80,540 for an Information Security Analyst to $110,451 for a Security Architect, according to PayScale.

Wednesday, 12 December 2018

CISSP and (ISC)² Membership Recognized by the NCSC

The National Cyber Security Centre (NCSC) has outlined new rules of the road for earning its Certified Cyber Professional (CCP) specialist certification. The new pilot program for the certification commences in 2019 and focuses on assessing two main areas of specialism: risk management and security architecture.


Why is this of interest to you? The NCSC has outlined three ways in which candidates can demonstrate foundational cybersecurity knowledge in order to qualify for the scheme. One of those ways is to hold a CISSP certification and a full (ISC)2 membership. This is yet another signpost that highlights the industry recognition of our noted certification. As the NCSC blog post states:

“As you’d expect, we’ve spent a lot of time reviewing professional certifications and currently the only one we think meets our criteria is the International Information System Security Certification Consortium’s (ISC)2 Certified Information Systems Security Professional (CISSP). Consequently, we’ll recognise CISSP plus an (ISC)2 endorsement of being in good standing as evidence of foundational knowledge.”


It’s still early days and this pilot has not yet launched. Nonetheless, it’s important to recognize the influence and stature that our CISSP holds within the community. For a government organization like the NCSC to recognize it, in combination with full (ISC)2 membership, as one of the key indicators for foundational, experience-based knowledge of the cybersecurity profession says a lot about its value. We’ll continue to do as much as we can to support the U.K. government’s efforts to further professionalize our industry.

As data is gathered about the pilot’s results, we’ll be sure to keep you updated. Watch this space for more updates in 2019.

Friday, 7 December 2018

What is the difference between big data and cloud computing?


Big data and cloud computing are trending terms in the information technology (IT) world. The terms have also grown popular among business owners who want to take advantage of technology to expand their businesses. However, big data and cloud computing are also two of the most frequently confused terms in IT.

Big Data

Big data is not only a term for a large volume of data; it also refers to a new way of gathering, storing, organising and analysing many types of data.

Big data can be described as very large data sets that are analysed by computers to identify trends, patterns and similarities. The term covers large quantities of data (structured, semi-structured and unstructured) that can be processed to extract valuable information.

Big data is defined by a combination of key characteristics.

Characteristics of Big Data

Big data is identified by three important characteristics: the volume, variety and velocity of the data.

To qualify as big data, the data in question must be of great volume, typically in the range of terabytes, petabytes or even exabytes over a given period. It should also come from a variety of sources, including sales records, experimental findings and data gathered from the internet.

Moreover, data cannot be called big data unless it comes in a wide variety. Big data commonly spans different types, such as structured data, streaming data and unstructured data.

Finally, big data is usually generated and analysed at great speed (velocity). Velocity is an important characteristic because big data analysis is applied continuously in fields such as artificial intelligence (AI) and machine learning.

Cloud Computing

Cloud computing is the practice of using shared, provider-operated computing resources instead of owning the hardware or running in-house services for your programs. The term describes storing and accessing data and applications over the internet.

The "cloud" in "cloud computing" stands for the internet. The internet, rather than a local hard drive, serves as the platform for running applications and saving files.

Cloud Computing Categories

Software as a Service (SaaS)

SaaS involves the use of internet-hosted applications to complete tasks. SaaS applications are also known as web services, and users access them through compatible devices and an internet connection. Microsoft Office 365 is an example of SaaS.

Infrastructure as a Service (IaaS)

IaaS provides the underlying computing resources (virtual machines, storage and networking) on demand, so that users can provision, configure and scale their own servers and storage without owning the hardware. Amazon EC2, Microsoft Azure Virtual Machines and Google Compute Engine are examples of IaaS; consumer file-storage services such as Microsoft OneDrive and Google Drive are end-user applications and therefore fall under SaaS rather than IaaS.

Platform as a Service (PaaS)

PaaS is an aspect of cloud computing that lets users develop, run and manage software applications using hosted development tools and runtimes provided by the PaaS provider, without managing the underlying servers. Some of these providers are Google App Engine, AWS

Wednesday, 5 December 2018

Report: Cyberattacks Pose Big Business Risks Around the Globe


Cyberattacks rank as the number one risk of doing business in North America, Europe and the East Asia-Pacific region, according to a World Economic Forum report, Regional Risks of Doing Business. While business leaders in other areas of the globe are more concerned about unemployment, unstable governments and oil prices, cyber risks rank as the fifth highest worldwide.

The concern about cyberattacks shows just how critical cybersecurity has become, ranking even higher than terrorism in the global top 10. Not surprisingly, cyber risks are a bigger concern among the most industrialized areas of the globe such as North America, where cyberattacks have become an all-too-common occurrence.

“In Canada, 87% of businesses reported being the victim of a successful breach in 2017,” the report says. “In early 2018, the U.S. Director of National Intelligence cited cyber vulnerability as a top risk for government and businesses alike in a hearing before the Senate Select Committee on Intelligence.”

Around the globe, cyberattacks rose to number five in 2018 from eight the previous year. The report attributes this to massive cyber events such as the WannaCry and NotPetya ransomware infections in spring 2017, which jumped countries and continents to cause disruption and inflict damage.

“The WannaCry ransomware attack affected 300,000 machines across 150 countries, while the NotPetya malware attack caused huge corporate losses. For example, Merck, FedEx and Maersk each reported losses of around $300 million in the third quarter of 2017 alone,” the report says, adding: “2017 was the year the world began to take seriously the potential extent of our vulnerability to cyberattack disruptions.”

Regional Differences

The WEF’s report was based on 12,548 responses to a question about business risks in the organization’s Executive Opinion Survey, conducted between January and June 2018. Despite regional differences in the perception of business risks, the survey found that cyberattacks also rank high in some places outside North America, Europe and the East Asia and Pacific region.

For instance, cyberattacks are among the top three biggest risks in Bangladesh, Botswana, Ethiopia, Hong Kong, India, Indonesia, Israel, Japan, Kenya, Korea, Malaysia, Qatar, Saudi Arabia, Singapore, Tanzania and the United Arab Emirates. A related risk, “data fraud or theft,” ranked in the top three in Bulgaria, China, Denmark, The Gambia, Germany, Indonesia, Jamaica, Luxembourg, Malaysia, Netherlands, Norway, Senegal, Singapore and the United States.

The report acknowledges that cyberattacks are a bigger concern in more advanced economies, where business leaders typically don’t have to worry as much about government instability, unemployment or economic crisis.

“Of the 19 countries that ranked it number one, 14 were from Europe and North America (the others were India, Indonesia, Japan, Singapore and the United Arab Emirates). By contrast, of the 34 countries that ranked “unemployment or underemployment” first, 22 were from sub-Saharan Africa,” the report said.

Heightened Awareness

The rise of cyberattacks in the global top 10 business risks highlights just how serious the problem has become. But perhaps more importantly, it means business leaders are paying more attention to cyber risks. Hopefully, it will compel them to adopt comprehensive cybersecurity policies and practices.

Sunday, 2 December 2018

Threat Hunting: Data Collection And Analysis


Threat hunting means proactively looking within the network for anomalies that might indicate a breach. The vast amount of data that must be collected and analyzed makes it a painstaking and time-consuming process, and that slowness can hamper its effectiveness. Proper data collection and analysis methods can greatly improve it. In this article, we’ll discuss the data collection and analysis methods that threat hunters and analysts can use during a hunt.

What Kind of Data Are We Collecting?

As a threat hunter, you require adequate data in order to perform your hunt. Without the right data, you cannot hunt. Let’s take a look at what qualifies as the right data used for hunting.


It’s also important to note that what counts as the right data depends on what you will be looking for during your hunt. Generally, data can be classified into three categories:

1. Endpoint Data

Endpoint data comes from endpoint devices within the network. These devices can, for instance, be end-user devices such as mobile phones, laptops and desktop PCs, but may also cover hardware such as servers (like in a data center). Definitions of what an endpoint actually is will significantly vary, but for the most part, it is what we have described above.

You will be interested in collecting the following data from within endpoints:

◈ Process execution metadata: This data will contain information on the different processes running on hosts (endpoints). The most sought-after metadata will include command-line commands and arguments, and process file names and IDs.
◈ Registry access data: This data will be related to registry objects, including key and value metadata, on Windows-based endpoints.
◈ File data: This data will, for example, be dates when files on the host were created or modified, as well as their size, type and location where they are stored within the disk.
◈ Network data: This data identifies which process opened each network connection (the parent process of the connection).
◈ File prevalence: This data shows how common a file is across the hosts in the environment.

2. Network Data

This data comes from network devices such as firewalls, switches and routers, and from DNS and proxy servers. You will mostly be interested in collecting the following data from network devices:

◈ Network session data: Of interest here is connection information between hosts on the network. This includes source and destination IP addresses, connection duration (including start and end times), and flow records from NetFlow, IPFIX and similar data sources.
◈ Monitoring tool logs: Network monitoring tools will collect connection-based flow data and application metadata. This logged data is what you want to be collecting here. Application metadata on HTTP, DNS and SMTP will also be of interest.
◈ Proxy logs: Here you will be collecting HTTP data containing information on outgoing Web requests such as internet resources that are being accessed within the internal network.
◈ DNS logs: The logs you will get here will contain data related to domain name server resolution. These will include domain-to-IP address mappings and identification of internal clients that are making resolution requests.
◈ Firewall logs: This data is one of the most important data that you will be collecting. It will contain information on network traffic at the border of a network.
◈ Switch and router logs: This data shows what is going on inside your network, behind the perimeter.

3. Security Data

This data comes from security devices and solutions such as SIEM, IPS and IDS products. You want to be collecting the following data from security solutions:

◈ Threat intelligence: This data includes indicators and the tactics, techniques and procedures (TTPs) of malicious entities, as well as the operations they are executing on the network.
◈ Alerts: Data here includes notifications from solutions such as IDS and SIEMs, indicating that a rule was violated or some other incident has occurred.
◈ Friendly intelligence: This data will for instance include critical assets, accepted organization assets, employee information and business processes. The importance of this data is to help the hunter and analyst to understand the environment in which they operate.

What Are the Four Threat-Hunting Techniques for Data Collection?

One of the most important parts of a threat-hunting process is having experienced personnel employ effective data collection and analysis methods. There are four main methods (techniques) that hunters use for data collection:

Clustering

This technique is used when you have a large data set and you establish specific data points on groups (called clusters) within it. It is advisable to use this method when the data points you are working on do not share obvious behavioral characteristics. Using this method, you will be able to find precise cumulative behaviors. You can, for example, find an unusual number of instances of a common occurrence using applications such as outlier detection.

Grouping

This technique is best used when you are hunting for artifacts that are unique yet similar. It takes these unique artifacts and groups them using specific criteria. The criteria used to group the data can be, for instance, events occurring within a certain time window. Specific items of interest are also taken and used as input.
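As an added illustration (not code from the original article), here is a Python sketch of the grouping technique: constructed network session records are grouped per source host by a time window, and a criterion is then applied to each group. The SESSIONS data, the 60-second window and the minimum-destination threshold are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed network session records (hypothetical, not captured flow data):
# start time, source IP, destination IP, destination port.
SESSIONS = [
    ("2018-12-01T10:00:00", "10.0.0.5", "10.0.0.20", 445),
    ("2018-12-01T10:00:10", "10.0.0.5", "10.0.0.21", 445),
    ("2018-12-01T10:00:25", "10.0.0.5", "10.0.0.22", 445),
    ("2018-12-01T10:09:00", "10.0.0.5", "10.0.0.30", 443),
    ("2018-12-01T10:00:05", "10.0.0.7", "10.0.0.30", 443),
    ("2018-12-01T10:00:06", "10.0.0.7", "10.0.0.30", 443),
]


def group_by_window(sessions, window=timedelta(seconds=60)):
    """Grouping: split each source host's sessions into groups whose start
    times fall within `window` of the group's first session.
    Returns {source_ip: [[session, ...], ...]} with sessions in time order."""
    parsed = sorted(
        (datetime.fromisoformat(start), src, dst, port)
        for start, src, dst, port in sessions
    )
    groups = {}
    for rec in parsed:
        src_groups = groups.setdefault(rec[1], [])
        # Open a new group when this host has none yet or the window has elapsed.
        if not src_groups or rec[0] - src_groups[-1][0][0] > window:
            src_groups.append([])
        src_groups[-1].append(rec)
    return groups


def distinct_destinations(group):
    """Criterion applied to a group: the distinct (dst, port) pairs it touched."""
    return {(dst, port) for _, _, dst, port in group}


def groups_of_interest(sessions, window=timedelta(seconds=60), min_dests=3):
    """Return (src, group) pairs that reached at least min_dests distinct
    destinations inside one window; these are the items a hunter reviews."""
    return [
        (src, group)
        for src, src_groups in group_by_window(sessions, window).items()
        for group in src_groups
        if len(distinct_destinations(group)) >= min_dests
    ]
```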

Searching

This is a technique in which hunters query the data for specific artifacts, and it is supported by most tools. On its own, however, it is ineffective, because hunters only get the results they searched for, which makes it difficult to surface outliers. The hunter is forced to make specific searches, since general searches would return an overload of results; at the same time, care is needed, because an overly narrow search can also yield ineffective results.

Stack Counting (Stacking)

This technique is used when investigating a hypothesis. The hunter counts the number of occurrences of specific value types and then examines the outliers in the results. The technique is most effective when the hunter has thoughtfully filtered the input; hunters who properly understand the input can predict the volume of output.

One thing to note: when using stacking, count the number of executions of each command artifact.
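As an added example (not code from the original article), here is stack counting in Python over constructed endpoint process-execution metadata of the kind described earlier in this post: tally each distinct value of a field after the hunter's filter, compute file prevalence across hosts, and list the rare values for review. The PROCESS_EVENTS records and the rarity threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed endpoint process-execution records (hypothetical, not real
# telemetry): the host, the process image, and the command line observed.
PROCESS_EVENTS = [
    {"host": "ws01", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws02", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws03", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws04", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws04", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws01", "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws02", "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws03", "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws04", "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws02", "image": "updater.exe", "cmdline": "updater.exe /silent"},
]


def stack(events, field, where=lambda e: True):
    """Stack counting: tally the distinct values of `field` over the events
    that pass the hunter's filter. Returns a Counter of value -> occurrences."""
    return Counter(e[field] for e in events if where(e))


def prevalence(events, field="image"):
    """File prevalence: the number of distinct hosts on which each value of
    `field` was seen, regardless of how often it ran on each host."""
    seen = defaultdict(set)
    for e in events:
        seen[e[field]].add(e["host"])
    return {value: len(hosts) for value, hosts in seen.items()}


def rare(counts, threshold=1):
    """The outliers a hunter examines: values whose count is at or below
    `threshold`, rarest first. Rare means unusual here, not malicious."""
    return sorted((count, value) for value, count in counts.items() if count <= threshold)


if __name__ == "__main__":
    # Example hunt: stack command lines across all hosts and review the long tail.
    for count, cmdline in rare(stack(PROCESS_EVENTS, "cmdline")):
        print(f"{count:>3}  {cmdline}  (hosts: {prevalence(PROCESS_EVENTS, 'cmdline')[cmdline]})")
```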

Although the standard data collection methods described above are manual, threat hunters can also employ machine learning (data science-powered techniques), which involves building frameworks of feedback for automated classification systems. Simply put, the hunter needs to ensure that training data is used properly to tune the algorithms so that they can accurately label unclassified data. Employing machine learning is not a strict requirement, but knowing that the technique exists may help when you need it.