From the course: Advanced Cyber Threat Intelligence

Introduction to data collection

- [Alyssa Berriche] Hello, this is Alyssa Berriche. Welcome again to the Advanced Cyber Threat Intelligence course. This is the first module, data collection, first lesson: what is data collection? In this video, we'll deep dive into data collection. We'll start by defining what data collection is, and then we will detail the different types of data collection sources.

Now let's start with the definition of collection. Collection is the process of gathering data and information to address intelligence requirements and objectives that were defined during the planning and direction phase of the intelligence lifecycle. The data collected can be finished intelligence, like intelligence reports from vendors or reports from cybersecurity blogs, or raw data from different sources of logs, like firewalls, endpoints, IPS, et cetera, or dumps, for example from a paste website.

I have three recommendations about data collection. The first one is that in order to get a full picture of threats, collecting data from one source is not sufficient. So basically, the more data you collect, the more evidence you'll get in order to make an assessment. But hold on, data needs to be relevant. Otherwise, it can slow down your investigations and cause knowledge gaps. So quality matters as much as quantity. Data collection is also a time-consuming task, so my recommendation here is automation. Automate as much as you can of the collection phase so you can save a lot of time for threat analysis.

Now let's move to the types of collection sources. I can divide the collection sources into two big categories, internal data sources and external ones. Let's start with internal sources. We can find different types of internal sources. We can find logs, or as they are more commonly known, raw data. Also, vulnerability scan results. We can also find network capture tools or internal databases. We can also find internal threat reports from previous investigations, or indicators of compromise, or IOCs, saved into a SIEM or threat intelligence platform, or even flat databases, and stored from previous investigations or previous cases. For the external sources, there are a lot of types. We can say there are threat data feeds, social media, cybersecurity blogs, threat reports shared by security experts or security vendors, threat actor forums, and the dark web.

Let's summarize this video. This is the first lesson in the first module, data collection. We started by defining the data collection phase, then the different categories of collection sources, and then we gave some recommendations about data collection: collecting data from one source is not sufficient, quality matters as much as quantity, and automation can save a lot of time for the analysis phase. This is it for this video. In the next video, we'll dig more into the internal data sources. See you there.
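The three recommendations in this lesson (collect from more than one source, keep only relevant data, automate the collection) can be shown working together in a small script. The following Python example is added here as an illustration and is not part of the course or the instructor's material. It pulls indicators from one internal source (a SIEM export of IOCs from earlier cases) and two external sources (a vendor threat data feed and a security blog post with defanged IOCs), normalizes them into one form, drops noise that is not relevant (our own address space and domain names), and ranks each indicator by how many independent sources corroborate it. All three inputs are constructed samples; the source labels, case IDs, internal ranges and the `corp.example` allowlist are assumptions made for the example.

```python
"""Added example (not from the course): automate collection from several
sources, normalize the indicators, and count how many sources corroborate
each. All inputs are constructed samples; source labels and the allowlist
are assumptions made for the example."""
import csv
import io
import ipaddress
import json
import re
from dataclasses import dataclass, field
from itertools import chain
from typing import Set

# Internal source: IOCs exported from the SIEM after earlier cases (constructed).
INTERNAL_SIEM_CSV = """indicator,type,case
198.51.100.23,ipv4,CASE-2023-014
evil-updates.example,domain,CASE-2023-014
d41d8cd98f00b204e9800998ecf8427e,md5,CASE-2023-009
10.0.0.5,ipv4,CASE-2023-009
vpn.corp.example,domain,CASE-2023-009
"""
# External source: a vendor threat data feed (constructed).
EXTERNAL_FEED_JSON = json.dumps({"indicators": [
    {"value": "198.51.100.23", "type": "ipv4-addr", "confidence": 80},
    {"value": "EVIL-UPDATES.example.", "type": "domain-name", "confidence": 60},
    {"value": "203.0.113.9", "type": "ipv4-addr", "confidence": 20},
]})
# External source: free text from a security blog with defanged IOCs (constructed).
EXTERNAL_BLOG_TEXT = """During the campaign the actor used evil-updates[.]example
for C2 and staged payloads on hxxp://203.0.113.9/update.bin. The dropper hash
was d41d8cd98f00b204e9800998ecf8427e."""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
# Dotted labels ending in an alphabetic TLD, not preceded by '/' (skips URL paths).
DOMAIN_RE = re.compile(r"(?<![\w./-])(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Relevance filters (assumed): our own address space and domains appear in logs
# but are not threat indicators, so collecting them only adds noise.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
OWN_DOMAINS = ("corp.example",)


@dataclass
class Indicator:
    value: str
    ioc_type: str
    sources: Set[str] = field(default_factory=set)

    @property
    def corroboration(self) -> int:
        """Number of independent sources that reported this indicator."""
        return len(self.sources)


def refang(text: str) -> str:
    return text.replace("[.]", ".").replace("hxxp", "http")


def normalize(value: str, ioc_type: str) -> str:
    value = refang(value.strip())
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    return value.lower() if ioc_type == "md5" else value


def is_relevant(value: str, ioc_type: str) -> bool:
    if ioc_type == "ipv4":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return not any(addr in net for net in INTERNAL_RANGES)
    if ioc_type == "domain":
        return not any(value == d or value.endswith("." + d) for d in OWN_DOMAINS)
    return True


def collect_siem(csv_text: str, source: str = "internal:siem"):
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield row["indicator"], row["type"], source


def collect_feed(json_text: str, source: str = "external:vendor-feed"):
    type_map = {"ipv4-addr": "ipv4", "domain-name": "domain"}
    for item in json.loads(json_text)["indicators"]:
        yield item["value"], type_map.get(item["type"], item["type"]), source


def collect_blog(text: str, source: str = "external:blog"):
    text = refang(text)  # undo defanging before the regexes run
    for pattern, ioc_type in ((IPV4_RE, "ipv4"), (MD5_RE, "md5"), (DOMAIN_RE, "domain")):
        for match in pattern.finditer(text):
            yield match.group(), ioc_type, source


def aggregate(sightings) -> list:
    table = {}
    for raw, ioc_type, source in sightings:
        value = normalize(raw, ioc_type)
        if not is_relevant(value, ioc_type):
            continue
        table.setdefault((ioc_type, value), Indicator(value, ioc_type)).sources.add(source)
    # Most-corroborated first: an indicator seen by several sources is stronger evidence.
    return sorted(table.values(), key=lambda i: (-i.corroboration, i.ioc_type, i.value))


def run_collection() -> list:
    return aggregate(chain(collect_siem(INTERNAL_SIEM_CSV),
                           collect_feed(EXTERNAL_FEED_JSON),
                           collect_blog(EXTERNAL_BLOG_TEXT)))


if __name__ == "__main__":
    for ind in run_collection():
        print(f"{ind.corroboration} {ind.ioc_type:6} {ind.value:34} {sorted(ind.sources)}")
```

Running the script lists `evil-updates.example` first, because all three sources report it, while the internal host `10.0.0.5` and `vpn.corp.example` never reach the table. In a real pipeline each `collect_*` function would be replaced by a fetcher for the actual SIEM, feed or site, and the source label on each sighting is what lets you trace an indicator back to where it came from during analysis.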
