Chapter 8 - 02 - Discuss Various Threat Intelligence Feeds and Sources - 02_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Layers of Threat Intelligence Q Anintelligence provider can be an open-source community or movement or a private or commercial body that provides threat intelligence as sources, threat intelligence feeds (Tl feeds), platforms, and professional services Providers aources Copyright © by Layers of Threat Intelligence An intelligence provider can be an open-source community, a movement, a private body, or a commercial body that provides threat intelligence as sources, feeds, platforms, and professional services. Threat intelligence providers are categorized based on the way they deliver or organize threat-related content. A threat intelligence provider is a body that provides a few or all four layers of threat intelligence. Threat intelligence is provided by commercial providers, government institutes, and independent research bodies. Providers Plattorms Figure 8.4: Layers of threat intelligence Module 08 Page 1030 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Threat Intelligence Feeds Threat intelligence feeds (Tl feeds) are continuous streams of packaged data related to potential or current threats to the organization Different sources of TI feeds QO These feeds are easily available on the Internet (open QO An organization must purchase these feeds O O source, social listing, OSINT, etc.) Examples of websites providing freely available TI feeds: (government, commercial vendors, etc.) Examples of commercial Tl feed vendors: » SHODAN » Threat Connect » Virus Total » AlienVaults Open Threat Exchange (OTX) » Zeus Tracker » Thedark web » Microsoft Cyber Trust Blog » Kaspersky » IBM X-Force Exchange » FireEye » Recorded Future Threat Intelligence Feeds Threat intelligence feeds (Tl feeds) are continuous streams of packaged data related to potential or current threats to the organization. Threat intelligence feeds (Tl feeds) feature a packaged collection of data taken from different sources related to potential or current threats in an organization. Most feeds concentrate on domains, malicious IP addresses, or botnet activity. These comprise actionable information and are implemented along with technical controls to prevent cyber-attacks. Tl feeds are used by network defenders for the following purposes: = Coupling of TI feeds to security tools (e.g., blocking bad IP addresses after accepting feeds by some firewalls) = Use of Tl feeds to generate alerts (e.g., SIEM and user and entity behavior analytics (UEBA) correlate Tl feed data with internal security events to generate alerts) = Manual review to investigate threats if they seem relevant to the security posture It is recommended that organizations know their feed requirements before obtaining Tl feeds. To know their requirements, they should assess themselves based on the following factors. = Network infrastructure: how does the network infrastructure look like? = Current security posture: What are the unique risks to the organization? = Finance: What are the budget and resources available for implementing threat intelligence? = The ability of threat intelligence management. = |s the above information sufficient for building a strong strategy for the organization? Module 08 Page 1031 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Sources of Tl Feeds Important Tl feeds are obtained from the following sources. = Publicly available feeds These feeds are easily available on the Internet (open source, social listing, OSINT, etc.). Freely available Tl feeds include the following: = o SHODAN o Threat Connect o Virus Total o AlienVaults Open Threat Exchange (OTX) o Zeus Tracker o The dark web Commercial providers An organization (e.g., government and commercial vendors) needs to purchase these feeds. The following are some Tl commercial feed providers: o Microsoft Cyber Trust Blog o SecureWorks Blog o Kaspersky Blog o IBM X-Force Exchange o FireEye o Recorded Module 08 Page 1032 Future Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82 Example: Free and Open-source TI Feed Providers o threatfeeds CatEeAS. io | 4 threatfeeds.io is a free and open-source threat intelligence. provider of popular free and open-source Tl feeds and sources - Hi o : o H ft threatfeedsio : - O e - - ==. o IPSpamist h,,,S,“,’:w,p,,a,,,,,,,_m Darklist http://dorklist.de SSLBL https://ssiblabuse.ch Botvrij.eu - ips https://www.botvrij.eu Monitor Malicious H Executable Urls https://www.urlvir.com & https://thr Is.i0 Example: Free and Open-source TI Feed Providers = threatfeeds.io Source: https://threatfeeds.io threatfeeds.io is a free and open-source threat intelligence provider of popular free and open-source summaries. « C @ Tl feeds and sources. It also lists links for direct threatfeedsio downloads and a « live @ ¥ threatfeeds.io threat intelligence feeds. Q Pasees tout rame o o Malware URLs o — % Alienvault 1P Reputation |ooeut | s Figure 8.5: Screenshot of threatfeeds.io Module 08 Page 1033 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools Some additional free and open-source Tl feed providers are listed below: = |PSpamlist (http.//www.ipspamlist.com) = Darklist (http://darklist.de) = SSL BL (https://sslbl.abuse.ch) = Botvrij.eu - ips (https://www.botvrij.eu) = Monitor Malicious Executable Urls (https.//www.urlvir.com) Module 08 Page 1034 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.