Chapter 8 - 02 - Discuss Various Threat Intelligence Feeds and Sources - 02_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools Layers of Threat Intelligence Q Anintelligence provider can be an op...

Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools Layers of Threat Intelligence Q Anintelligence provider can be an open-source community or movement or a private or commercial body that provides threat intelligence as sources, threat intelligence feeds (Tl feeds), platforms, and professional services Providers aources Copyright © by Layers of Threat Intelligence An intelligence provider can be an open-source community, a movement, a private body, or a commercial body that provides threat intelligence as sources, feeds, platforms, and professional services. Threat intelligence providers are categorized based on the way they deliver or organize threat-related content. A threat intelligence provider is a body that provides a few or all four layers of threat intelligence. Threat intelligence is provided by commercial providers, government institutes, and independent research bodies. Providers Professional Plattorms Nervices Figure 8.4: Layers of threat intelligence Module 08 Page 1030 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools Threat Intelligence Feeds Threat intelligence feeds (Tl feeds) are continuous streams of packaged data related to potential or current threats to the organization Different sources of TI feeds QO These feeds are easily available on the Internet (open QO An organization must purchase these feeds source, social listing, OSINT, etc.) (government, commercial vendors, etc.) O Examples of websites providing freely available TI feeds: O Examples of commercial Tl feed vendors: » SHODAN » Microsoft Cyber Trust Blog » Threat Connect » Kaspersky » Virus Total » IBM X-Force Exchange » AlienVaults Open Threat Exchange (OTX) » FireEye » Zeus Tracker » Thedark web » Recorded Future Threat Intelligence Feeds Threat intelligence feeds (Tl feeds) are continuous streams of packaged data related to potential or current threats to the organization. Threat intelligence feeds (Tl feeds) feature a packaged collection of data taken from different sources related to potential or current threats in an organization. Most feeds concentrate on domains, malicious IP addresses, or botnet activity. These comprise actionable information and are implemented along with technical controls to prevent cyber-attacks. Tl feeds are used by network defenders for the following purposes: = Coupling of TI feeds to security tools (e.g., blocking bad IP addresses after accepting feeds by some firewalls) = Use of Tl feeds to generate alerts (e.g., SIEM and user and entity behavior analytics (UEBA) correlate Tl feed data with internal security events to generate alerts) = Manual review to investigate threats if they seem relevant to the security posture It is recommended that organizations know their feed requirements before obtaining Tl feeds. To know their requirements, they should assess themselves based on the following factors. = Network infrastructure: how does the network infrastructure look like? = Current security posture: What are the unique risks to the organization? = Finance: What are the budget and resources available for implementing threat intelligence? = The ability of threat intelligence management. = |s the above information sufficient for building a strong strategy for the organization? Module 08 Page 1031 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools Sources of Tl Feeds Important Tl feeds are obtained from the following sources. = Publicly available feeds These feeds are easily available on the Internet (open source, social listing, OSINT, etc.). Freely available Tl feeds include the following: o SHODAN o Threat Connect o Virus Total o AlienVaults Open Threat Exchange (OTX) o Zeus Tracker o The dark web = Commercial providers An organization (e.g., government and commercial vendors) needs to purchase these feeds. The following are some Tl commercial feed providers: o Microsoft Cyber Trust Blog o SecureWorks Blog o Kaspersky Blog o IBM X-Force Exchange o FireEye o Recorded Future Module 08 Page 1032 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools Example: Free and Open-source TI Feed Providers o threatfeeds CatEeAS. ea. threatfeeds.io is a free and open-source threat intelligence !Hi o IPSpamist IPSpamList h,,,S,“,’:w,p,,a,,,,,,,_m oee * threatfeeds.io 5 G mzpslaw':w.ipspamfiumm io. B provider of popular free and open-source Tl feeds and sources A| 4 - : o Darklist H http://dorklist.de #ft threatfeedsio : SSLBL - B i O https://ssiblabuse.ch https://ssibl.abuse.ch B - - - e e Botvrij.eu - ips Botvrij.eu - ips |== =] https://www.botvrij.eu o Monitor Malicious.. Executable Urls H https://www.urlvir.com & https://thr 5.i0 Is.i0 Example: Free and Open-source TI Feed Providers = threatfeeds.io Source: https://threatfeeds.io threatfeeds.io is a free and open-source threat intelligence provider of popular free and open-source Tl feeds and sources. It also lists links for direct downloads and live summaries. «“ CC @@ threatfeedsio threatfeedsio aax « @ @ ¥ threatfeeds.io threat intelligence feeds. Q fosres Pasees tout rame rama o o Malware URLs ‘ o — = [===] =N % s. - Alienvault Alienvault 1P1P Reputation Reputation — |ooeut =1 | s- threatfeeds.ioo Figure 8.5: Screenshot of threatfeeds.i Module 08 Page 1033 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Certified Cybersecurity Technician Technician Exam 212-82 Exam 212-82 Network Security Assessment Techniques and Tools Network Security Assessment Techniques and Tools Some additional free and open-source Tl feed providers are listed below: = |PSpamlList |PSpamlist (http://www.ipspamlist.com) (http.//www.ipspamlist.com) = Darklist (http://darklist.de) = (https://sslbl.abuse.ch) SSL BL (https://sslIbl.abuse.ch) = (https.//www.botvrij.eu) Botvrij.eu - ips (https://www.botvrij.eu) = Monitor Monitor Malicious Executable Urls (https.//www.urlvir.com) Module 08 Page 1034 Certified Cybersecurity Technician Copyright © by EC-Council EG-Gouneil All Rights Reserved. Reproduction is Strictly Prohibited.

Use Quizgecko on...
Browser
Browser