Chapter 8 - 02 - Discuss Various Threat Intelligence Feeds and Sources - 06_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Network Security Assessment Techniques and Tools...

Slide: Threat Intelligence Frameworks. MISP—Open Source Threat Intelligence Platform (https://www.misp-project.org) is used for sharing, storing and correlating Indicators of Compromise (IoCs) of targeted attacks, threat intelligence, financial fraud information, vulnerability information, etc. [Screenshot of a MISP event: "OSINT - Cisco IOS CVE-2018-0171 attack".] Other frameworks shown on the slide: TC Identify (https://threatconnect.com), Yeti (https://yeti-platform.github.io), ThreatStream (https://www.anomali.com), IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com), IntelMQ (https://www.enisa.europa.eu). Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Threat Intelligence Frameworks

▪ MISP—Open Source Threat Intelligence Platform

Source: https://www.misp-project.org

MISP is an open-source threat intelligence platform for sharing, storing, and correlating IoCs of targeted attacks, threat intelligence, financial fraud information, vulnerability information, or even counter-terrorism information. MISP is used today in multiple organizations not only to store, share, and collaborate on cyber security indicators and malware analysis but also to use the IoCs and information to detect and prevent attacks or threats against ICT infrastructures, organizations, or people.

Module 08 Page 1051 EC-Council Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

[Screenshot of a MISP event view: Info "OSINT - Cisco IOS CVE-2018-0171 attack", Event ID 10683, Org CIRCL, Owner org CIRCL, Date 2018-04-07, Threat Level Medium, Analysis Completed, Distribution All communities, Published Yes, 14 attributes, last change 2018/04/17 05:16:30, extended by Event 10701 "Constituency affected with CVE-2018-0171", tags including circl:osint-feed and estimative-language likelihood/confidence labels.]
Figure 8.9: Screenshot of MISP—open source threat intelligence platform

Listed below are some of the additional threat intelligence frameworks:

▪ TC Identify (https://threatconnect.com)
▪ Yeti (https://yeti-platform.github.io)
▪ ThreatStream (https://www.anomali.com)
▪ IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com)
▪ IntelMQ (https://www.enisa.europa.eu)

Standards and Formats for Sharing Threat Intelligence

Slide: Cyber Observable eXpression (CybOX™) is a standardized language for encoding and communicating high-fidelity information about cyber observables. Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange CTI. Trusted Automated Exchange of Intelligence Information (TAXII™) is an application-layer protocol for the communication of CTI in a simple and scalable manner.

The use of common standards and formats is necessary for an effective exchange of intelligence. Using standard data formats for the exchange of threat indicators enhances interoperability and supports timely dissemination of intelligence. Unstructured formats such as text documents and email messages are mainly suitable for representing high-level threat intelligence reports intended for executives and cyber security professionals rather than machines. Also, using standard data formats for the automatic configuration of security controls such as firewalls and IDS/IPS reduces the need for human assistance.
It is also important that organizations participate in the development of standards for threat information sharing. Discussed below are some of the important standards and formats used in sharing threat intelligence:

▪ CybOX

Source: https://cyboxproject.github.io

CybOX allows organizations to share indicators and detections for incoming computer network attacks in a standard format. The Cyber Observable eXpression (CybOX™) is a standardized language for encoding and communicating high-fidelity information about cyber observables. It is not targeted at a single cyber security use case but is intended to be flexible enough to offer a common solution for all cyber security use cases requiring the ability to deal with cyber observables. It is also intended to be flexible enough to allow both the high-fidelity description of instances of cyber observables that have been measured in an operational context, as well as more abstract patterns for potential observables that may be targets for observation and analysis a priori. CybOX is targeted to support a wide range of relevant cyber security domains including:

o Threat intelligence
o Malware characterization
o Security operations
o SIEM/Logging
o Incident response
o Indicator sharing
o Digital forensics

▪ STIX

Source: http://stixproject.github.io

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). It enables organizations to share CTI with one another in a consistent and machine-readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively.
STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.

Figure 8.10: STIX relationship example

▪ TAXII

Source: https://taxiiproject.github.io

Trusted Automated Exchange of Intelligence Information (TAXII™) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. TAXII is a protocol used to exchange cyber threat intelligence (CTI) over HTTPS. It enables organizations to share CTI by defining an API that aligns with common sharing models. TAXII is specifically designed to support the exchange of CTI represented in STIX. TAXII defines two primary services to support a variety of common sharing models:

o Collection: A Collection is an interface to a logical repository of CTI objects provided by a TAXII Server that allows a producer to host a set of CTI data that can be requested by consumers. TAXII Clients and Servers exchange information in a request-response model.

o Channel: Maintained by a TAXII Server, a channel allows producers to push data to many consumers and consumers to receive data from many producers. TAXII Clients exchange information with other TAXII Clients in a publish-subscribe model.

Figure 8.11: TAXII (Collections: Producer and Consumer TAXII Clients send requests to and receive responses from the TAXII Server; Channels: a Producer TAXII Client publishes and Consumer TAXII Clients subscribe through the TAXII Server)
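As an added example (not part of the EC-Council material), the following Python uses only the standard library to turn IoCs into STIX 2.1 Indicator objects and to page through a TAXII 2.1 Collection's objects endpoint in the request-response model described above. The TAXII Server is a constructed in-memory stand-in, and the api-root URL and collection id are assumptions.

```python
"""Added example (not EC-Council's material): IoCs -> STIX 2.1 Indicators, then
pulled from a TAXII 2.1 Collection in the request-response model."""
import json
import uuid
from datetime import datetime, timezone

# STIX pattern templates for the observable types handled here.
PATTERNS = {"ipv4": "[ipv4-addr:value = '{v}']",
            "domain": "[domain-name:value = '{v}']",
            "sha256": "[file:hashes.'SHA-256' = '{v}']"}
TAXII_MEDIA = "application/taxii+json;version=2.1"   # TAXII 2.1 content type

def make_indicator(ioc_type, value, name, when=None):
    """Build a minimal STIX 2.1 Indicator SDO (required fields only)."""
    if ioc_type not in PATTERNS or "'" in value:   # a quote would break the pattern
        raise ValueError("unsupported type or unsafe value: %r" % value)
    ts = (when or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + str(uuid.uuid4()), "created": ts, "modified": ts,
            "name": name, "indicator_types": ["malicious-activity"],
            "pattern": PATTERNS[ioc_type].format(v=value), "pattern_type": "stix",
            "valid_from": ts}

def fetch_collection(get, api_root, collection_id, page_size=1):
    """Consumer side: GET {api_root}/collections/{id}/objects/ and follow the
    'next' cursor while the envelope says more=true. get(url, headers) performs
    the HTTP request (over HTTPS in practice) and returns the JSON body text."""
    url = "%s/collections/%s/objects/?limit=%d" % (api_root, collection_id, page_size)
    objects = []
    while url:
        env = json.loads(get(url, {"Accept": TAXII_MEDIA}))   # TAXII 2.1 envelope
        objects.extend(env.get("objects", []))
        url = url.split("&next=")[0] + "&next=" + env["next"] if env.get("more") else None
    return objects

# Producer side, constructed: the Collection hosted by a stand-in TAXII Server.
COLLECTION = [make_indicator("ipv4", "198.51.100.23", "beacon (constructed)"),
              make_indicator("domain", "bad.example", "phish (constructed)")]

def fake_get(url, headers):
    """Stand-in server: one object per page, rejects the wrong Accept header."""
    if headers.get("Accept") != TAXII_MEDIA:
        raise ValueError("406 Not Acceptable")
    page = int(url.split("next=")[1]) if "next=" in url else 0
    return json.dumps({"more": page + 1 < len(COLLECTION), "next": str(page + 1),
                       "objects": COLLECTION[page:page + 1]})

def pull_patterns(api_root="https://taxii.example/api1", collection_id="col-1"):
    """Patterns a consumer could load into detection tooling (assumed URLs)."""
    return [o["pattern"] for o in fetch_collection(fake_get, api_root, collection_id)]
```

The producer hosts the Collection, the consumer requests it page by page, and the returned STIX patterns are what a firewall or IDS/IPS integration would consume without human assistance.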
