Chapter 8 - 02 - Discuss Various Threat Intelligence Feeds and Sources - 06_ocred.pdf
EC-Council
Certified Cybersecurity Technician Network Security Assessment Techniques and Tools Exam 212-82

Threat Intelligence Frameworks

MISP—Open Source Threat Intelligence Platform

MISP is used for sharing, storing and correlating Indicators of Compromise (IoCs) of targeted attacks, threat intelligence, financial fraud information, vulnerability information, etc.

[Slide figure: screenshot of the MISP event view "OSINT - Cisco IOS CVE-2018-0171 attack", beside a list of other threat intelligence frameworks: TC Identify (https://threatconnect.com), ThreatStream (https://www.anomali.com), IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com), Yeti (https://yeti-platform.github.io), IntelMQ (https://www.enisa.europa.eu)]

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Threat Intelligence Frameworks

MISP—Open Source Threat Intelligence Platform

Source: https://www.misp-project.org

MISP is an open-source threat intelligence platform for sharing, storing, and correlating IoCs of targeted attacks, threat intelligence, financial fraud information, vulnerability information, or even counter-terrorism information. MISP is used today in multiple organizations not only to store, share, and collaborate on cyber security indicators and malware analysis, but also to use the IoCs and information to detect and prevent attacks or threats against ICT infrastructures, organizations, or people.
Module 08 Page 1051 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Figure 8.9: Screenshot of MISP—open source threat intelligence platform (MISP event view "OSINT - Cisco IOS CVE-2018-0171 attack": Event ID 10683, Org and Owner org CIRCL, tagged circl:osint-feed and estimative-language likelihood/confidence tags, Date 2018-04-07, Threat Level Medium, Analysis Completed, Distribution All communities, Published Yes, 14 attributes, last change 2018/04/17 05:16:30, extended by Event 10701 "Constituency affected with CVE-2018-0171")

Listed below are some of the additional threat intelligence frameworks:

- TC Identify™ (https://threatconnect.com)
- Yeti (https://yeti-platform.github.io)
- ThreatStream (https://www.anomali.com)
- IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com)
- IntelMQ (https://www.enisa.europa.eu)
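The text above describes MISP as a platform that stores, shares and correlates IoCs and then uses them for detection. The following added example (not code from the EC-Council text or from the MISP project) shows those three operations on MISP-style event JSON: it summarizes an event the way the event view does (threat level, tags, attribute count), correlates attribute values that appear in more than one event, and turns only the attributes flagged to_ids into a detection set that is matched against a log line. The field names (Event, Attribute, Tag, threat_level_id, to_ids) follow MISP's JSON export; the two events, their UUIDs, the 198.51.100.23 address, the domain and the hash are constructed placeholders.

```python
"""Read MISP-style event JSON, correlate attributes across events, and build
a detection set from attributes flagged to_ids. Added example; the events
below are constructed and carry no real indicators."""
import re
from collections import defaultdict

# MISP threat_level_id values (1-4) and the labels the event view shows.
THREAT_LEVELS = {1: "High", 2: "Medium", 3: "Low", 4: "Undefined"}

# Constructed sample events. 198.51.100.23 is a documentation address and
# the .invalid domain and all-zero hash are placeholders.
SAMPLE_EVENTS = [
    {"Event": {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "info": "Constructed event A (OSINT feed)",
        "date": "2018-04-07", "threat_level_id": "2", "analysis": "2",
        "distribution": "3", "published": True,
        "Tag": [{"name": "tlp:white"}],
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity",
             "value": "198.51.100.23", "to_ids": True},
            {"type": "domain", "category": "Network activity",
             "value": "c2.example.invalid", "to_ids": True},
            {"type": "comment", "category": "Other",
             "value": "analyst note, never a detection", "to_ids": False},
        ]}},
    {"Event": {
        "uuid": "22222222-2222-4222-8222-222222222222",
        "info": "Constructed event B (internal incident)",
        "date": "2018-04-17", "threat_level_id": "1", "analysis": "1",
        "distribution": "0", "published": False,
        "Tag": [{"name": "tlp:amber"}],
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity",
             "value": "198.51.100.23", "to_ids": True},
            {"type": "sha256", "category": "Payload delivery",
             "value": "0" * 64, "to_ids": True},
        ]}},
]


def summarize_event(event):
    """The header fields a MISP event page shows, from the JSON form."""
    e = event["Event"]
    return {"uuid": e["uuid"], "info": e["info"], "date": e["date"],
            "threat_level": THREAT_LEVELS.get(int(e["threat_level_id"]), "Undefined"),
            "published": bool(e.get("published")),
            "attributes": len(e.get("Attribute", [])),
            "tags": [t["name"] for t in e.get("Tag", [])]}


def correlate(events):
    """Map (type, value) pairs seen in more than one event to the event UUIDs.
    The same indicator surfacing in independent events is the core of MISP's
    correlation view and a strong reason to prioritize it."""
    seen = defaultdict(list)
    for ev in events:
        e = ev["Event"]
        for a in e.get("Attribute", []):
            seen[(a["type"], a["value"])].append(e["uuid"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def detection_set(events, published_only=False):
    """Only to_ids attributes feed detection; comments and context stay out."""
    dets = defaultdict(set)
    for ev in events:
        e = ev["Event"]
        if published_only and not e.get("published"):
            continue
        for a in e.get("Attribute", []):
            if a.get("to_ids"):
                dets[a["type"]].add(a["value"])
    return dict(dets)


def match_log_line(line, dets):
    """Return the (type, value) pairs from the detection set found in a log line."""
    tokens = set(re.split(r"[\s,;=\"'()\[\]]+", line))
    return sorted((t, v) for t, vals in dets.items() for v in vals if v in tokens)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(summarize_event(ev))
    print("correlations:", correlate(SAMPLE_EVENTS))
    dets = detection_set(SAMPLE_EVENTS)
    # Constructed firewall log line.
    print(match_log_line("2018-04-17T05:16:30Z fw deny src=10.0.0.5 dst=198.51.100.23 dport=443", dets))
```

The published_only switch matters in practice: an unpublished event is still being worked on, so pushing its attributes into firewall or IDS configuration ahead of review is exactly the kind of human-assistance gap that standard formats are meant to close only once the data is ready.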
Standards and Formats for Sharing Threat Intelligence

Cyber Observable eXpression (CybOX™) is a standardized language for encoding and communicating high-fidelity information about cyber observables

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange CTI

Trusted Automated Exchange of Intelligence Information (TAXII™) is an application-layer protocol for the communication of CTI in a simple and scalable manner

Standards and Formats for Sharing Threat Intelligence

The use of common standards and formats is necessary for an effective exchange of intelligence. Using standard data formats for the exchange of threat indicators enhances interoperability and supports timely dissemination of intelligence. Unstructured formats such as text documents and email messages are mainly suitable for representing high-level threat intelligence reports intended for executives and cyber security professionals rather than machines. Also, using standard data formats for the automatic configuration of various security controls such as firewalls and IDS/IPS reduces the need for human assistance. It is also important that organizations participate in the development of standards for threat information sharing. Discussed below are some of the important standards and formats used in sharing threat intelligence:

- CybOX

Source: https://cyboxproject.github.io

CybOX allows organizations to share indicators and detections for incoming computer network attacks in a standard format. The Cyber Observable eXpression (CybOX™) is a standardized language for encoding and communicating high-fidelity information about cyber observables.
It is not targeted at a single cyber security use case but is intended to be flexible enough to offer a common solution for all cyber security use cases requiring the ability to deal with cyber observables. It is also intended to be flexible enough to allow both the high-fidelity description of instances of cyber observables that have been measured in an operational context, as well as more abstract patterns for potential observables that may be targets for observation and analysis a priori. CybOX is targeted to support a wide range of relevant cyber security domains including:

  o Threat intelligence
  o Malware characterization
  o Security operations
  o SIEM/Logging
  o Incident response
  o Indicator sharing
  o Digital forensics

- STIX

Source: http://stixproject.github.io

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). It enables organizations to share CTI with one another in a consistent and machine-readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.

Figure 8.10: STIX relationship example

- TAXII

Source: https://taxiiproject.github.io

Trusted Automated Exchange of Intelligence Information (TAXII™) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. TAXII is a protocol used to exchange cyber threat intelligence (CTI) over HTTPS.
It enables organizations to share CTI by defining an API that aligns with common sharing models. TAXII is specifically designed to support the exchange of CTI represented in STIX. TAXII defines two primary services to support a variety of common sharing models:

  o Collection
    A Collection is an interface to a logical repository of CTI objects provided by a TAXII Server that allows a producer to host a set of CTI data that can be requested by consumers: TAXII Clients and Servers exchange information in a request-response model.

  o Channel
    Maintained by a TAXII Server, a channel allows producers to push data to many consumers and consumers to receive data from many producers: TAXII Clients exchange information with other TAXII Clients in a publish-subscribe model.

Figure 8.11: TAXII (Collections: Consumer and Producer TAXII Clients exchange Request/Response with the TAXII Server; Channels: a Producer TAXII Client publishes and Consumer TAXII Clients subscribe)
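The STIX and TAXII sections above describe, respectively, the machine-readable format and the API that moves it. The following added example (not code from the EC-Council text, the STIX project or the TAXII project) ties both together: it builds a small STIX 2.1 bundle in which an indicator "indicates" a malware object (the shape of the relationship in Figure 8.10), validates that every object id is well formed and that the relationship's source_ref and target_ref resolve inside the bundle, and then pushes the objects through a simplified in-process model of TAXII's two sharing models: a Collection that consumers poll in a request-response style, and a Channel that fans published objects out to subscribers. The added_after and match[type] filters and the "more" field of the response envelope follow TAXII 2.1; everything else about the Collection and Channel classes (names, in-memory storage, the absence of HTTPS, media types and API roots) is an assumption made to keep the example self-contained, and the 198.51.100.23 address in the pattern is a documentation address, not an indicator.

```python
"""Build and validate a STIX 2.1 bundle, then share it through an in-process
model of a TAXII Collection (request-response) and Channel (publish-subscribe).
Added example; the wire protocol is deliberately left out."""
import re
import uuid
from datetime import datetime, timezone

# STIX identifier: <type>--<UUID>, where the prefix must equal the object's type.
STIX_ID = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def now_ts():
    # STIX timestamps are RFC 3339 in UTC with a trailing Z.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def stix_object(obj_type, **props):
    """Common properties every STIX 2.1 object carries, plus type-specific ones."""
    ts = now_ts()
    obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
           "created": ts, "modified": ts}
    obj.update(props)
    return obj


def build_bundle():
    # Constructed sample: an indicator pattern pointing at a documentation address.
    malware = stix_object("malware", name="ExampleBot (constructed)", is_family=False)
    indicator = stix_object("indicator", name="C2 address (constructed)",
                            pattern="[ipv4-addr:value = '198.51.100.23']",
                            pattern_type="stix", valid_from=now_ts())
    rel = stix_object("relationship", relationship_type="indicates",
                      source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator, malware, rel]}


def validate_bundle(bundle):
    """Return a list of problems; an empty list means the bundle passed."""
    problems = []
    ids = {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        m = STIX_ID.match(o.get("id", ""))
        if not m or m.group(1) != o.get("type"):
            problems.append(f"bad id for {o.get('type')}: {o.get('id')}")
        if o.get("type") == "indicator" and not o.get("pattern"):
            problems.append(f"{o['id']} lacks pattern")
        if o.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    problems.append(f"{o['id']} {ref} does not resolve: {o.get(ref)}")
    return problems


class Collection:
    """Request-response: consumers pull what producers have added (assumed model)."""
    def __init__(self, title):
        self.title, self._store = title, []  # (added timestamp, object) pairs

    def add_objects(self, objects, added):
        self._store.extend((added, o) for o in objects)

    def get_objects(self, added_after=None, match_type=None, limit=None):
        hits = [o for added, o in self._store
                if (added_after is None or added > added_after)
                and (match_type is None or o["type"] == match_type)]
        page = hits if limit is None else hits[:limit]
        # TAXII 2.1 envelope shape: "more" tells the client another page exists.
        return {"more": len(page) < len(hits), "objects": page}


class Channel:
    """Publish-subscribe: each published object fans out to all subscribers (assumed model)."""
    def __init__(self):
        self._subscribers = []

    def subscribe(self, callback):
        self._subscribers.append(callback)

    def publish(self, obj):
        for cb in self._subscribers:
            cb(obj)
        return len(self._subscribers)


def demo():
    bundle = build_bundle()
    coll = Collection("constructed-feed")
    coll.add_objects(bundle["objects"][:2], added="2018-04-07T00:00:00.000Z")
    coll.add_objects(bundle["objects"][2:], added="2018-04-17T05:16:30.000Z")
    delta = coll.get_objects(added_after="2018-04-10T00:00:00.000Z")  # only the later batch
    received = []
    chan = Channel()
    chan.subscribe(received.append)
    chan.subscribe(lambda o: received.append(o))
    chan.publish(bundle["objects"][0])
    return {"problems": validate_bundle(bundle),
            "delta_types": [o["type"] for o in delta["objects"]],
            "fanout": len(received)}


if __name__ == "__main__":
    print(demo())
```

The added_after poll is what makes the Collection model scale: a consumer records the timestamp of its last successful request and asks only for what arrived since, instead of re-downloading the whole repository. The Channel path has no such bookkeeping because the server pushes each object as it is published, which is why the text pairs it with the many-producers-to-many-consumers case.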