Questions and Answers
Which of the following organizations provides network intelligence?
What is the name of the weekly digest of news articles about computer security published by SANS?
NewsBites
What does CVE stand for?
Common Vulnerabilities and Exposures
What is the name of the open-source platform for sharing indicators of compromise for newly discovered threats?
The Cisco Talos Threat Intelligence Group is a commercial threat intelligence team.
FireEye uses a three-pronged approach, combining security intelligence, security expertise, and technology, to help enterprises secure their networks.
What are some of the ways to stay up-to-date on the latest cybersecurity threats?
Automated indicator sharing (AIS) is a free service offered by the U.S. Department of Homeland Security (DHS).
Threat intelligence platforms are designed to aggregate data from numerous sources and present the data in a comprehensible format.
Honeypots are designed to attract attackers, and the attack-related information gathered from honeypots can be shared with threat intelligence platform subscribers.
Study Notes
Module 3: Threat Intelligence
- This module evaluates threat intelligence sources.
- Topics include information sources and threat intelligence services.
3.1 Information Sources
- SANS Institute: Offers resources, including the Internet Storm Center, NewsBites, @RISK, Flash security alerts, and the Reading Room.
- Mitre: Maintains the list of CVEs (Common Vulnerabilities and Exposures).
- FIRST: A security organization that brings together incident response teams from different sectors.
- SecurityNews: A portal aggregating breaking security news.
- (ISC)²: Provides vendor-neutral education and career services.
- CIS: A focal point for cyber threat prevention for governments, offering 24/7 threat warnings.
- Staying Updated: Network security professionals must stay abreast of the newest threats via real-time feeds, security blogs, podcasts, and websites. Continuous professional development, via training, workshops, and conferences, is required.
- Cisco Cybersecurity Reports: Annual and Mid-Year reports that analyze security preparedness, vulnerabilities, and the explosion of malware-driven attacks.
- Security Blogs and Podcasts: Provide advice, research, and mitigation techniques for threats and exploits.
- Labs: Key learning objectives are researching cybersecurity intelligence reports, industry-based cybersecurity intelligence, and real-time cybersecurity threats.
3.2 Threat Intelligence Services
- Cisco Talos: Exchanges threat information such as vulnerabilities, indicators of compromise (IOCs), and mitigation techniques. This information is shared with personnel and security systems; firewall rules and IOCs are distributed to subscribed devices.
- FireEye: A security company that combines security intelligence, security expertise, and technology in a three-pronged approach. Uses behavioral analysis and advanced threat detection with the Helix Security Platform and the FireEye Mandiant worldwide threat intelligence network. Blocks attacks across web and email threat vectors, as well as latent malware. Addresses all stages of the attack lifecycle with a signature-less engine that uses stateful attack analysis to detect zero-day threats.
Automated Indicator Sharing
- DHS (US Department of Homeland Security): Offers Automated Indicator Sharing (AIS), a real-time exchange of cyber threat indicators (malicious IPs, phishing emails) between the US Federal Government and the private sector. Recognized threats are immediately shared with the community to help protect networks.
Common Vulnerabilities and Exposures (CVE) Database
- MITRE Corporation: Created and maintains a catalog of known security threats (CVE), which acts as a dictionary of common names (CVE identifiers) for known cybersecurity vulnerabilities and facilitates data sharing.
Threat Intelligence Communication Standards
- Standards: Network organizations and professionals need to share information to increase knowledge about threat actors and the assets they want to access; several standardized communication formats evolved to enable this.
- STIX (Structured Threat Information Expression): A specification for exchanging cyber threat information between organizations; it incorporates the CybOX standard.
- TAXII (Trusted Automated Exchange of Indicator Information): An application-layer protocol specification for communicating cyber threat intelligence (CTI) over HTTPS; it is designed to transport STIX content.
- CybOX: Standardized schemas used to specify, capture, characterize, and communicate events of network operation.
- MISP (Malware Information Sharing Platform): An open-source platform for sharing indicators of compromise (IOCs) for newly discovered threats. Supported by the European Union, used by over 6,000 organizations globally.
Threat Intelligence Platforms
- Sources and Formats: There are many sources of threat intelligence, each with its own format, and consulting multiple sources can be time-consuming.
- Threat Intelligence Platform (TIP): Centralizes the collection of threat data from numerous sources, aggregating it in a comprehensible and usable format.
- Data Types: Three major types of threat intelligence data: indicators of compromise (IOCs); tools, techniques, and procedures (TTPs); and reputation data for internet destinations and domains.
- Honeypots: Simulated networks used to attract attackers and collect attack-related data for sharing. Cloud-hosted honeypots are isolated from production networks.
Lab - Identify Relevant Threat Intelligence
- Objectives: Research MITRE CVEs, access the MITRE ATT&CK Knowledge Base, and investigate potential malware.
3.3 Threat Intelligence Summary
- Organizations: Several organizations provide threat intelligence (SANS, Mitre, FIRST, SecurityNewsWire, (ISC)2, CIS).
- Stay Updated: Staying abreast of threats and upgrading skills are critical.
- Resources: Cisco reports (Annual, Mid-Year), blogs, and podcasts are helpful.
- Intelligence Services: Threat intelligence services facilitate exchanging threat information, which enables creating and distributing firewall rules and IOCs.
- Specific Services: Cisco Talos and FireEye are examples of providers of these services.
Description
This quiz covers the various sources of threat intelligence, essential for understanding the cybersecurity landscape. Topics include notable organizations like SANS Institute, Mitre, FIRST, and the importance of staying updated on threats through continuous professional development.