Presentation on 'Understanding and Utilising Threat Intelligence in Cybersecurity' by Warren Finch for Cyberdefcon

APNIC
17 Feb 2023

  1. 1 v1.3
  2. Understanding and Utilising Threat Intelligence in Cybersecurity
     "Threat intelligence is about understanding the who, what, when, where, why, and how of the threats facing your organization." - Lance Spitzner, Director of SANS Institute's Security Awareness
  3. Agenda
     • Definition of Threat Intelligence
     • Importance of Threat Intelligence
     • Types of Threat Intelligence
     • Sources of Threat Intelligence
     • Gathering and Analysing Threat Intelligence
     • Using Threat Intelligence
     • Challenges in Implementing
  4. Definition of Threat Intelligence (TI)
     • Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. CrowdStrike (2022) Retrieved from https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/
     • Threat intelligence looks at the bigger picture – by interrogating the data and the broader context to construct a narrative that can inform decision-making. Kaspersky. (n.d.). Threat Intelligence. Retrieved from https://www.kaspersky.com/resource-center/definitions/threat-intelligence
     • Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes. NIST (n.d) Retrieved from https://csrc.nist.gov/glossary/term/threat_intelligence
  5. Importance of Threat Intelligence (TI)
     https://medium.com/@scardot/the-evolution-of-cyber-security-be9fedc8f4c5
  6. Importance of Threat Intelligence (TI)
     https://www.cyber.gov.au/sites/default/files/2019-03/Mitigation_Strategies_2017.pdf
  7. What is this animal?
     • Likes to swim? What do you think it is?
       – Fish
       – Seal
       – Otter
     • Has a bill?
       – Duck
       – Goose
       – Swan
     • Has fur?
  8. Importance of Threat Intelligence (TI)
     https://blog.apnic.net/2019/07/09/how-to-analysing-packet-captures-with-security-onion/
  9. Importance of Threat Intelligence (TI)
     https://blog.apnic.net/2019/07/09/how-to-analysing-packet-captures-with-security-onion/
  10. Importance of Threat Intelligence (TI)
      https://blog.apnic.net/2019/07/09/how-to-analysing-packet-captures-with-security-onion/
  11. Importance of Threat Intelligence (TI)
      https://blog.apnic.net/2019/07/09/how-to-analysing-packet-captures-with-security-onion/
  12. Importance of Threat Intelligence (TI)
      • Gathers, analyses & shares information on cyber threats to an organisation.
      • Helps to anticipate and prepare for potential threats before they occur.
      • Allows for efficient and effective use of security resources.
      • Improves incident response capabilities.
      • Helps to maintain a good reputation and trust of clients and stakeholders.
  13. Types of Threat Intelligence (TI)
      • Strategic: Bigger picture of threat landscape
      • Operational: Current specific threats
      • Technical: Vulnerabilities, attack methods, malware
      • Tactical: Actionable information for detection and response to specific threats.
      https://doi.org/10.1007/978-3-030-60425-7_3
  14. Types of Threat Intelligence (TI)
      • Reputation: Tracking malicious actors
      • Risk-based: Prioritizing threats
      • Industry-specific: Industry-specific threats & vulnerabilities
      https://doi.org/10.1007/978-3-030-60425-7_3
  15. Sources of Threat Intelligence (TI)
      https://ltu.diva-portal.org/smash/get/diva2:1629834/FULLTEXT01.pdf#page=57
      https://www.mindmeister.com/1202902455/threat-intelligence
  16. Sources of Threat Intelligence (TI)
      https://www.threatblockr.com/wp-content/uploads/ThreatIntelIntegrationsInfographicMay2021.pdf
  17. Open Source projects
      • MISP (Malware Information Sharing Platform): https://www.misp-project.org/
      • TheHive: https://thehive-project.org/
      • OpenCTI: https://opencti.io/
      • OSINT-SPY: https://github.com/SharadKumar97/OSINT-SPY
      • OTX AlienVault: https://otx.alienvault.com/
      • STIX/TAXII:
        – https://stixproject.github.io/
        – https://taxiiproject.github.io/
      • CIF (Collective Intelligence Framework): https://github.com/csirtgadgets/massive-octo-spice
      • Mitre ATT&CK - https://attack.mitre.org
      • Awesome Threat Intelligence - https://github.com/hslatman/awesome-threat-intelligence
  18. Sources of Threat Intelligence (TI)
      • Structured Threat Intelligence eXpression (STIX)
        – Schema for threat intelligence
        – Cyber Observables
          • Schema for lower level observations
      • Trusted Automated eXchange of Indicator Information (TAXII)
        – HTTPS Application layer transport protocol
        – Exchange STIX content between systems
      [Diagram labels: Interoperability; STIX Domain Objects & relationships; Cyber Observables; Patterning Language; TAXII]
      https://www.oasis-open.org/committees/tc_home.php
  19. Gathering and Analysing Threat Intelligence
      https://doi.org/10.3390/app12031205
  20. Gathering and Analysing Threat Intelligence
      https://doi.org/10.3390/app12031205
  21. Gathering and Analysing Threat Intelligence
      • Unknown-Unknowns: Threats that an organisation is not aware of and has no information about.
      • Unknown-Knowns: Threats that an organisation is not aware of but should be aware of.
      • Known-Unknowns: Threats that an organisation is aware of but does not have detailed information about.
      • Known-Knowns: Threats that an organisation is aware of and has detailed information about.
  22. Using Threat Intelligence
      • Improving security posture
      • Detecting and defending against threats
      • Responding to incidents
      https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/
  23. Using Threat Intelligence
      https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fmitigations%2FM1019%2FM1019-enterprise-layer.json
  24. Using Threat Intelligence
      https://attack.mitre.org/mitigations/M1019/
  25. Using Threat Intelligence
      https://assets.sentinelone.com/wt-reports/watchtower_2022_eoy#page=6
  26. Using Threat Intelligence
      • Do your systems detect these malicious activities:
        – CLI or PowerShell attacks
        – C2 server communications
        – Ransomware
        – Trojans
        – Malicious scripts or executables
        – Man in the Middle attacks
        – Disabling Security Tools (T1089)
        – … and many more
      • Can you prove it?
      https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
  27. Challenges in implementing Threat Intelligence
      • Difficulty in obtaining high-quality intelligence
      • Limited resources for analysis and dissemination
      • Ensuring the accuracy and reliability of the intelligence
      • Financial Implications
      • Use of Artificial Intelligence (AI)
      https://www.pinterest.com.au/pin/552605816791388928/
  28. Financial implications
  29. Using Artificial Intelligence (AI)
      • Automate the process of collecting, analyzing, and disseminating
      • Identify patterns and anomalies in large amounts of data that might be difficult for humans to detect.
      • Produce biased results if the data used to train them is biased or if the algorithm used is not fair. Can lead to inaccurate results.
      • Require high computational power and big data storage, which may be costly and difficult to implement.
      • AI systems are only as good as the data they are fed, and if the data is not accurate or incomplete, the system might produce inaccurate results.
      • Can also be used by malicious actors to improve their capabilities.
  30. Using Artificial Intelligence (AI)
      • Artificial intelligence (AI) tools like ChatGPT3 can be useful for helping to plan and implement threat intelligence projects.
      • How to use:
        – Create an account
        – Think of a topic
        – Create a list of questions to ask
        – Refine or re-phrase the questions
        – Do more research if required
  31. Request for Comments (RFC)
      • RFC 7452 Intelligence-Based Security: A Request for Comments
        – This RFC discusses the concept of intelligence-based security and how intelligence can be used to inform security decisions and actions.
      • RFC 7708 Threat Intelligence on the Internet
        – This RFC discusses the use of threat intelligence on the Internet and how it can be used to improve security.
      • RFC 7970 A Framework for Threat Intelligence
        – This RFC provides a framework for understanding threat intelligence and how it can be used to improve security.
      • RFC 7979 Threat Intelligence Feeds and Sharing
        – This RFC discusses the use of threat intelligence feeds and the importance of sharing threat intelligence among organizations.
      • RFC 8049 Threat Intelligence Sharing for Internet Service Providers
        – This RFC discusses the use of threat intelligence by Internet Service Providers (ISPs) and how it can be used to improve security.
  32. International Telecommunication Union (ITU)
      • ITU-T Recommendation X.1055: Use of threat intelligence for cybersecurity
        – This recommendation provides guidance on the use of threat intelligence for cybersecurity, including how to collect, analyse, and use threat intelligence to improve security.
      • ITU-T Recommendation X.1530: Framework for threat intelligence sharing
        – This recommendation provides a framework for sharing threat intelligence among organisations, including guidelines for the format, structure, and content of threat intelligence reports.
      • ITU-T Recommendation X.1540: Guidelines for the use of threat intelligence in incident response
        – This recommendation provides guidelines for the use of threat intelligence in incident response, including how to collect, analyse, and use threat intelligence to improve the effectiveness of incident response efforts.
      • ITU-T Recommendation X.1550: Best practices for the use of threat intelligence in cybersecurity
        – This recommendation provides best practices for the use of threat intelligence in cybersecurity, including how to collect, analyze, and use threat intelligence to improve security.
  33. Future of Threat Intelligence (TI)
      • Increased use of Artificial Intelligence (AI) and Machine Learning (ML).
      • Greater focus on proactive defenses.
      • More emphasis on sharing and collaboration.
      • Greater focus on privacy and security.
      • More emphasis on multi-vector and multi-stage attack vectors.
  34. Summary
      • Definition of threat intelligence and its importance in cybersecurity
      • Different types of threat intelligence.
      • Different sources of threat intelligence and how to gather and analyse it
      • How threat intelligence can be used in cybersecurity
      • The challenges in implementing threat intelligence, such as:
        – difficulty in obtaining high-quality intelligence,
        – limited resources for analysis and dissemination and
        – ensuring the accuracy and reliability of the intelligence
  35. Summary
      • Importance of threat intelligence to inform security decisions and actions, and the goal of moving as much information as possible from the unknown-unknown and unknown-known categories to the known-unknown and known-known categories.
  36. References
      • https://chat.openai.com
      • https://www.th3protocol.com/2022/ChatGPT-LeakSite-Analysis
      • https://ltu.diva-portal.org/smash/get/diva2:1629834/FULLTEXT01.pdf
      • https://github.com/topics/cyber-threat-intelligence
      • https://www.enisa.europa.eu/publications/cyberthreat-intelligence-overview/at_download/fullReport
      • https://gbhackers.com/cyber-threat-intelligence-tools/amp/
      • https://attack.mitre.org
      • https://www.mindmeister.com/1202902455/threat-intelligence
  37. References
      • https://www.auditscripts.com/free-resources/open-threat-taxonomy
  38. International Telecommunication Union (ITU)
      • ITU-T Recommendation X.1217: Guidelines for applying threat intelligence in telecommunication network operation
        – This recommendation provides guidance for using threat intelligence to secure telecommunication networks.
  39. Thank You!
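
Slide 18 describes STIX as the schema for threat intelligence objects, their relationships and a patterning language. The sketch below is an added example, not part of the original deck: it reads a constructed STIX 2.1 bundle, evaluates indicators against constructed observations while honouring their validity windows, and follows `indicates` relationships. It assumes only the single-comparison pattern form `[type:value = 'literal']`; the names `load_indicators` and `match_observations` are hypothetical.

```python
import json
import re
from datetime import datetime

# Constructed STIX 2.1 bundle. Ids, names and addresses are sample values;
# required properties such as created/modified are left out for brevity.
BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
 "objects": [
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
   "name": "C2 address", "pattern_type": "stix",
   "pattern": "[ipv4-addr:value = '198.51.100.7']",
   "valid_from": "2023-01-10T00:00:00Z", "valid_until": "2023-03-01T00:00:00Z"},
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
   "name": "Old staging domain", "pattern_type": "stix",
   "pattern": "[domain-name:value = 'old.example']",
   "valid_from": "2022-01-01T00:00:00Z", "valid_until": "2022-06-01T00:00:00Z"},
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
   "name": "Two-step sequence", "pattern_type": "stix",
   "pattern": "[ipv4-addr:value = '203.0.113.5'] FOLLOWEDBY [domain-name:value = 'next.example']",
   "valid_from": "2023-01-10T00:00:00Z"},
  {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
   "name": "ExampleLoader", "is_family": false},
  {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000006",
   "relationship_type": "indicates",
   "source_ref": "indicator--00000000-0000-4000-8000-000000000002",
   "target_ref": "malware--00000000-0000-4000-8000-000000000005"}
 ]}
""")

# Constructed observations, e.g. normalised from proxy or flow logs.
OBSERVATIONS = [
    {"time": "2023-02-01T09:15:00Z", "type": "ipv4-addr", "value": "198.51.100.7"},
    {"time": "2023-02-01T09:16:00Z", "type": "domain-name", "value": "old.example"},
    {"time": "2023-02-01T09:17:00Z", "type": "ipv4-addr", "value": "203.0.113.9"},
    {"time": "2023-04-02T00:00:00Z", "type": "ipv4-addr", "value": "198.51.100.7"},
]

# Only the single-comparison form [type:value = 'literal'] is handled here.
SIMPLE = re.compile(r"^\[\s*([a-z0-9-]+):value\s*=\s*'([^'\\]*)'\s*\]$")


def parse_ts(text):
    """Parse a STIX UTC timestamp into a timezone-aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def load_indicators(bundle):
    """Return (usable indicators, ids of indicators this matcher cannot evaluate)."""
    by_id = {obj["id"]: obj for obj in bundle["objects"]}
    indicates = {}
    for obj in bundle["objects"]:
        if obj["type"] == "relationship" and obj["relationship_type"] == "indicates":
            target = by_id.get(obj["target_ref"], {})
            indicates.setdefault(obj["source_ref"], []).append(
                target.get("name", obj["target_ref"]))
    usable, skipped = [], []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        m = SIMPLE.match(obj["pattern"]) if obj.get("pattern_type") == "stix" else None
        if m is None:
            skipped.append(obj["id"])  # report unsupported patterns, never drop silently
            continue
        until = obj.get("valid_until")
        usable.append({
            "name": obj.get("name", obj["id"]),
            "type": m.group(1), "value": m.group(2),
            "valid_from": parse_ts(obj["valid_from"]),
            "valid_until": parse_ts(until) if until else None,
            "indicates": indicates.get(obj["id"], []),
        })
    return usable, skipped


def match_observations(indicators, observations):
    """Return hits where type and value match inside the indicator's validity window."""
    hits = []
    for obs in observations:
        seen = parse_ts(obs["time"])
        for ind in indicators:
            if (ind["type"], ind["value"]) != (obs["type"], obs["value"]):
                continue
            if seen < ind["valid_from"]:
                continue
            if ind["valid_until"] is not None and seen >= ind["valid_until"]:
                continue  # stale intelligence: indicator expired before the sighting
            hits.append({"time": obs["time"], "value": obs["value"],
                         "indicator": ind["name"], "indicates": ind["indicates"]})
    return hits


if __name__ == "__main__":
    usable, skipped = load_indicators(BUNDLE)
    for hit in match_observations(usable, OBSERVATIONS):
        print(hit)
    print("not evaluated:", skipped)
```

The skipped list matters operationally: an indicator the matcher cannot evaluate is a detection gap that should be visible to the analyst rather than silently ignored.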

Editor's notes

  1. Welcome to this course on Linux Basics by APNIC.
  2. So, what is Linux?
  3. Imagine that a city is under constant threat of attacks from criminals and bandits. The city's leaders have invested heavily in a strong police force, surveillance cameras and other security tools to protect the city's citizens and their properties. However, despite these efforts, the city is still experiencing regular attacks. One day, the city's leaders decide to establish a specialized intelligence unit, tasked with gathering information about the criminals, their methods and their plans. This unit starts to gather information from various sources, such as police reports, eyewitness accounts and even undercover agents. They also started to track the activities of known criminal groups and individuals. With this new intelligence, the city's leaders were able to take proactive measures to protect the city and its citizens. They were able to identify and block specific attacks, increase patrols in high-risk areas and develop new security measures to protect against emerging threats. As a result, the number of attacks in the city dropped dramatically and the citizens felt much safer. The city's reputation as a safe place to live also improved, and more people decided to move there. This analogy illustrates how threat intelligence can be used to stay ahead of attackers and protect an organization or a city from security breaches. It highlights the importance of gathering and analyzing threat intelligence, and how this information can be used to improve an organization's security posture.
  4. The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help technical cyber security professionals in all organisations mitigate cyber security incidents https://www.cyber.gov.au/publications/strategies-to-mitigate-cyber-security-incidents
  5. You have a packet capture of network activity; how would you know if there is any suspicious activity? https://academy.apnic.net/virtual-labs?labId=126072 https://blog.apnic.net/2019/07/09/how-to-analysing-packet-captures-with-security-onion/
  6. You have a packet capture of network activity; how would you know if there is any suspicious activity? https://academy.apnic.net/virtual-labs?labId=126072 https://blog.apnic.net/2019/07/09/how-to-analysing-packet-captures-with-security-onion/
  7. You have a packet capture of network activity; how would you know if there is any suspicious activity? https://academy.apnic.net/virtual-labs?labId=126072 https://blog.apnic.net/2019/07/09/how-to-analysing-packet-captures-with-security-onion/
  8. You have a packet capture of network activity; how would you know if there is any suspicious activity? https://academy.apnic.net/virtual-labs?labId=126072 https://blog.apnic.net/2019/07/09/how-to-analysing-packet-captures-with-security-onion/
  10. Image from: Montasari, R., Carroll, F., Macdonald, S., Jahankhani, H., Hosseinian-Far, A., & Daneshkhah, A. (2020). Application of Artificial Intelligence and Machine Learning in Producing Actionable Cyber Threat Intelligence. In Digital Forensic Investigation of Internet of Things (IoT) Devices (pp. 47–64). Springer International Publishing. https://doi.org/10.1007/978-3-030-60425-7_3
  11. Image from: Montasari, R., Carroll, F., Macdonald, S., Jahankhani, H., Hosseinian-Far, A., & Daneshkhah, A. (2020). Application of Artificial Intelligence and Machine Learning in Producing Actionable Cyber Threat Intelligence. In Digital Forensic Investigation of Internet of Things (IoT) Devices (pp. 47–64). Springer International Publishing. https://doi.org/10.1007/978-3-030-60425-7_3
  12. https://www.mindmeister.com/1202902455/threat-intelligence https://ltu.diva-portal.org/smash/get/diva2:1629834/FULLTEXT01.pdf#page=57 Erik Lopez (2021) Master’s Thesis for Luleå University of Technology called “A Framework to Establish a Threat Intelligence Program”
  13. https://youtu.be/qAb7hL0HQ2M?t=127 https://www.oasis-open.org/committees/tc_home.php
  14. Image is from page 3 of this research paper Amaro, L. J. B., Azevedo, B. W. P., de Mendonca, F. L. L., Giozza, W. F., Albuquerque, R. de O., & Villalba, L. J. G. (2022). Methodological Framework to Collect, Process, Analyze and Visualize Cyber Threat Intelligence Data. Applied Sciences, 12(3), 1205–. https://doi.org/10.3390/app12031205 Also available at https://www.mdpi.com/2076-3417/12/3/1205 Data can be from things like: Alerts, logs, feeds, configuration, dark web or forensics
  15. Image is from page 7 and 8 of this research paper: Amaro, L. J. B., Azevedo, B. W. P., de Mendonca, F. L. L., Giozza, W. F., Albuquerque, R. de O., & Villalba, L. J. G. (2022). Methodological Framework to Collect, Process, Analyze and Visualize Cyber Threat Intelligence Data. Applied Sciences, 12(3), 1205–. https://doi.org/10.3390/app12031205 Also available at https://www.mdpi.com/2076-3417/12/3/1205
      • Gathering and analysing threat intelligence
        o Identifying key information sources
        o Developing a process for collecting and organising information
        o Analysing and interpreting the data
        o Disseminating the intelligence to relevant parties
  16. One way of classifying threat intelligence is based on the degree of certainty and familiarity that an organization has with the threat. One popular framework for this classification is the "known-unknown-unknown-known" framework, which separates threats into four categories:
      • Known-Knowns: These are threats that an organization is aware of and has detailed information about. This type of threat intelligence is typically the easiest to deal with, as the organization has a clear understanding of the threat and can take appropriate actions to mitigate it.
      • Known-Unknowns: These are threats that an organization is aware of, but does not have detailed information about. For example, an organization may know that a certain type of malware exists, but may not have specific information about how it works or how to detect it. This type of threat intelligence can be more challenging to deal with, as the organization will need to conduct further research and analysis to better understand the threat.
      • Unknown-Knowns: These are threats that an organization is not aware of, but should be aware of. For example, an organization may not be aware of a new vulnerability in a piece of software that it uses, even though a patch for the vulnerability has been released. This type of threat intelligence can be particularly challenging to deal with, as the organization may not even realize that it is at risk.
      • Unknown-Unknowns: These are threats that an organization is not aware of and has no information about. This type of threat intelligence is the most difficult to deal with, as the organization has no information to work with and must rely on other means, such as threat hunting, to discover and assess it.
  17. Threat report for 2022, accessed on 20 Jan 2023
  18. Threat report for 2022, accessed on 20 Jan 2023
  19. • Difficulty in obtaining high-quality intelligence: One of the main challenges in implementing threat intelligence is obtaining high-quality intelligence that is relevant and actionable. This can be difficult because there is a lot of low-quality or irrelevant information available, and it can be time-consuming and resource-intensive to collect and filter through all of this information to find the valuable intelligence.
      • Limited resources for analysis and dissemination: Another challenge is having the resources to analyze and disseminate the intelligence once it has been collected. This includes having the personnel and technology to process large amounts of data, as well as the ability to communicate the intelligence to the right people within an organization in a timely and effective manner.
      • Ensuring the accuracy and reliability of the intelligence: Ensuring that the intelligence that is collected is accurate and reliable is crucial, as bad intelligence can lead to poor decision-making and wasted resources. This can be a challenge because it can be difficult to verify the accuracy of the information, and there is a risk that false or misleading information may be included in the intelligence.
      • Financial Implications: Implementing threat intelligence can be costly, both in terms of the initial investment and ongoing expenses. This includes the cost of buying or developing the technology and tools to collect and analyze the intelligence, as well as the cost of hiring and training personnel.
      • Using Artificial Intelligence (AI): AI can be used to improve the efficiency and effectiveness of threat intelligence,
  20. https://www.innovationaus.com/cyber-threat-platform-costing-govt-59k-a-day/ https://aws.amazon.com/marketplace/pp/prodview-vffbkdmopipia
  21. In this example I asked the ChatGPT3 AI tool about resources for Threat intelligence and it responded with the following results for standards
  22. In this example I asked the ChatGPT3 AI tool about resources for Threat intelligence and it responded with the following results for standards

      What is ChatGPT?

      ChatGPT is a natural language processing (NLP) model developed by OpenAI that is designed to generate human-like text in real-time. It is based on the GPT-3 (Generative Pre-training Transformer v3) language model, which is a transformer-based neural network trained on a large dataset of text. ChatGPT is trained specifically on a dataset of human conversation, which enables it to generate text that is more natural and human-like than models trained on other types of text.

      GPT-3 is a large-scale language model that was trained on a dataset of billions of words, including books, articles, and websites. It is able to generate a wide range of text, from short phrases to full-length articles, and is capable of completing tasks such as translation, summarization, and question answering. GPT-3 has received a lot of attention in the media and the tech industry due to its impressive language generation capabilities and its potential to be used in a variety of applications.

      One of the key features of ChatGPT is its ability to continue a conversation based on a prompt or previous conversation history. For example, you can provide ChatGPT with a prompt such as "Hello, how are you?" and it will generate a response such as "I'm doing well, thanks for asking. How are you?" You can then provide a follow-up prompt, and ChatGPT will continue the conversation based on its understanding of the previous exchanges.

      To generate text, ChatGPT uses a process called "transformer-based language modeling." This involves using machine learning algorithms to analyze the patterns and relationships in the training data (in this case, human conversation), and using this analysis to predict what words or phrases are likely to come next in a conversation. ChatGPT is able to generate text that is difficult to distinguish from human-written text because it has learned to mimic the patterns and structures of human conversation. Here's an example of how this might work in practice:

      Imagine you are playing a game of chess, and you have a computer program that is trying to predict which move you will make next. The computer might start by analyzing the positions of all the pieces on the board, and then creating a list of all the possible moves that you could make. It could then use that list to build a model of what kind of moves you are likely to make based on the current state of the game.

      So, in this case, the computer is "looking at" the positions of the pieces on the board (similar to how GPT-3 looks at the previous words in a sequence), and using that information to try to predict what move you will make next (similar to how GPT-3 tries to predict the next word in a sequence).
  23. All of these are incorrect and provided by chatGPT3
  24. All of these are incorrect and provided by chatGPT3
  25. • Increased use of Artificial Intelligence (AI) and Machine Learning (ML): As the volume of data and the complexity of threats continue to increase, organizations will likely turn to AI and ML to help them analyze and make sense of this information. This could include using AI and ML to automatically identify patterns and anomalies in large amounts of data, as well as to automate the collection, analysis, and dissemination of threat intelligence.
      • Greater focus on proactive defense: In the past, organizations have primarily focused on reactive defense, meaning they only acted after a threat had been identified. However, the future of threat intelligence is likely to involve a greater focus on proactive defense, where organizations use threat intelligence to identify potential threats before they can cause harm. This could include using threat intelligence to identify vulnerabilities in systems and networks, as well as to identify the tactics, techniques, and procedures (TTPs) used by attackers.
      • More emphasis on sharing and collaboration: As the threat landscape continues to evolve, organizations will need to share information and collaborate more effectively to stay ahead of threats. This could include the development of industry-wide threat intelligence sharing platforms, as well as the formation of information-sharing and analysis centers (ISACs) and government-industry partnerships.
      • Greater focus on privacy and security: The use of threat intelligence will increasingly raise concerns about privacy and security, particularly as organizations begin to collect and analyze more sensitive information. As a result, organizations will need to ensure that they are complying with data protection laws and regulations, as well as implementing robust security controls to protect the information they collect and share.
      • More emphasis on multi-vector and multi-stage attack vectors: The future of threat intelligence will also include more focus on understanding and defending against multi-vector and multi-stage attack vectors. This could include understanding how different types of threat actors work together, and how different types of attacks are orchestrated, in order to develop more effective defense strategies.
  26. But in reality this is a valid ITU-T recommendation
  27. Haven't tested but would assume like previous slides all of these are incorrect and provided by chatGPT3
  28. In this example I asked the ChatGPT3 AI tool about resources for Threat intelligence and it responded with the following results for standards