Cyber Threat Management - Module 03 PDF
Document Details
Uploaded by BetterPlatinum
2020
Summary
This Cisco training module provides information on threat intelligence, including various sources like reports, blogs, and podcasts. It also discusses threat intelligence platforms and communication standards. This module is designed for cybersecurity professionals.
Full Transcript
Module 3: Threat Intelligence
Cyber Threat Management (CyberTM)

Module Objectives
Module Title: Threat Intelligence
Module Objective: Evaluate threat intelligence sources.

Topic Title / Topic Objective
Information Sources: Evaluate information sources used to communicate emerging network security threats.
Threat Intelligence Services: Describe various threat intelligence services.

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

3.1 Information Sources

Information Sources: Network Intelligence Communities

Organization / Description

SANS: SANS Institute resources are largely free upon request and include:
- The Internet Storm Center, the popular internet early warning system
- NewsBites, the weekly digest of news articles about computer security
- @RISK, the weekly digest of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked
- Flash security alerts
- Reading Room, more than 1,200 award-winning, original research papers
SANS also develops security courses.

Mitre: Maintains the list of Common Vulnerabilities and Exposures (CVE) used by prominent security organizations.

FIRST: A security organization that brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in information sharing, incident prevention, and rapid reaction.

SecurityNewsWire: A security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities.

(ISC)2: Provides vendor-neutral education products and career services to more than 75,000 industry professionals in more than 135 countries.
CIS: A focal point for cyber threat prevention, protection, response, and recovery for state, local, tribal, and territorial (SLTT) governments through the MS-ISAC, which offers 24x7 cyber threat warnings and advisories, vulnerability identification and mitigation, and incident response.

Information Sources: Network Intelligence Communities (Cont.)

To remain effective, a network security professional must:
- Keep abreast of the latest threats. This includes subscribing to real-time feeds regarding threats, routinely perusing security-related websites, following security blogs and podcasts, and more.
- Continue to upgrade skills. This includes attending security-related training, workshops, and conferences.

Note: Network security has a very steep learning curve and requires a commitment to continuous professional development.

Information Sources: Cisco Cybersecurity Reports

Two resources that help security professionals stay abreast of the latest threats are the Cisco Annual Cybersecurity Report and the Mid-Year Cybersecurity Report. These reports provide an update on the state of security preparedness, expert analysis of top vulnerabilities, and the factors behind the explosion of attacks using adware, spam, and more. Cybersecurity analysts should subscribe to and read these reports to learn how threat actors are targeting their networks and what can be done to mitigate these attacks.

Information Sources: Security Blogs and Podcasts

Another way to keep up to date on the latest threats is to read blogs and listen to podcasts. Blogs and podcasts also provide advice, research, and recommended mitigation techniques. There are several security blogs and podcasts that a cybersecurity analyst should follow to learn about the latest threats, vulnerabilities, and exploits.
Cisco provides blogs on security-related topics from several industry experts and from the Cisco Talos Group. Search for Cisco security blogs to locate them. You can also subscribe to receive notifications of new blogs by email. Cisco Talos also offers a series of over eighty podcasts that can be played from the internet or downloaded to your device of choice.

Information Sources: Lab - Evaluate Cybersecurity Reports

In this lab, you will meet the following objectives:
Part 1: Research Cyber Security Intelligence Reports
Part 2: Research Cyber Security Intelligence Based on Industry
Part 3: Research Cyber Security Threat Intelligence in Real Time

3.2 Threat Intelligence Services

Threat Intelligence Services: Cisco Talos

Threat intelligence services allow the exchange of threat information such as vulnerabilities, indicators of compromise (IOCs), and mitigation techniques. This information is shared not only with personnel but also with security systems. As threats emerge, threat intelligence services create and distribute firewall rules and IOCs to the devices that have subscribed to the service. One such service is the Cisco Talos Threat Intelligence Group.

Threat Intelligence Services: Cisco Talos (Cont.)

Talos is one of the largest commercial threat intelligence teams in the world and is composed of world-class researchers, analysts, and engineers. Its goal is to help protect enterprise users, data, and infrastructure from active adversaries. The team collects information about active, existing, and emerging threats and then provides comprehensive protection against these attacks and malware to its subscribers.
Cisco Security products can use Talos intelligence in real time to provide fast and effective security solutions. Talos also provides free software, services, resources, and data, and it maintains the detection rule sets for the Snort.org, ClamAV, and SpamCop network security tools.

Threat Intelligence Services: FireEye

FireEye is another security company that offers services to help enterprises secure their networks, using a three-pronged approach combining security intelligence, security expertise, and technology. It offers SIEM and SOAR capabilities in the Helix Security Platform, which uses behavioral analysis and advanced threat detection and is supported by the FireEye Mandiant worldwide threat intelligence network. Helix is a cloud-hosted security operations platform that combines diverse security tools and threat intelligence into a single platform. The FireEye Security System blocks attacks across web and email threat vectors, as well as latent malware that resides on file shares. It is designed to block advanced malware that bypasses traditional signature-based defenses, addressing all stages of the attack lifecycle with a signature-less engine that uses stateful attack analysis to detect zero-day threats.

Threat Intelligence Services: Automated Indicator Sharing

The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS). It enables the real-time exchange of cyber threat indicators (e.g., malicious IP addresses or the sender address of a phishing email) between the U.S. Federal Government and the private sector. It creates an ecosystem where, as soon as a threat is recognized, it is immediately shared with the community to help participants protect their networks from that threat.
Threat Intelligence Services: Common Vulnerabilities and Exposures (CVE) Database

The United States government sponsored the MITRE Corporation to create and maintain a catalog of publicly known vulnerabilities called Common Vulnerabilities and Exposures (CVE). CVE serves as a dictionary of common names (CVE Identifiers) for known cybersecurity vulnerabilities. The MITRE Corporation assigns a unique CVE Identifier to each known information-security vulnerability so that data about it can be shared unambiguously.

Threat Intelligence Services: Threat Intelligence Communication Standards

Network organizations and professionals must share information to increase knowledge about threat actors and the assets they want to access. Several open standards for intelligence sharing have evolved to enable communication across multiple networking platforms. These standards enable the exchange of cyber threat intelligence (CTI) in an automated, consistent, and machine-readable format. Three common threat intelligence sharing standards are:
- Structured Threat Information Expression (STIX): A set of specifications for exchanging cyber threat information between organizations. The CybOX standard has been incorporated into STIX.
- Trusted Automated Exchange of Indicator Information (TAXII): The specification for an application-layer protocol that allows the communication of CTI over HTTPS. TAXII is designed to support STIX.
- CybOX: A set of standardized schemas for specifying, capturing, characterizing, and communicating events and properties of network operations that supports many cybersecurity functions.

Threat Intelligence Services: Threat Intelligence Communication Standards (Cont.)

These open standards provide the specifications that aid in the automated exchange of cyber threat intelligence in a standardized format.
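What "machine-readable" buys a consumer is easiest to see with a concrete STIX document. The example below is added here and is not code from the Cisco module, from Cisco Talos, or from the OASIS STIX/TAXII specifications. It builds a STIX 2.1 bundle in the shape a TAXII 2.0 objects request returns (TAXII 2.1 wraps the same objects in an envelope instead), ingests only the indicators that are currently valid and whose pattern is a single equality comparison, and screens a few constructed firewall and proxy log lines against them. The bundle contents, the indicator and bundle IDs, the log lines, and the helper names (`extract_iocs`, `match_logs`) are all constructed for this example; a real client would fetch the bundle over authenticated HTTPS from a TAXII collection and would need a full STIX pattern evaluator for anything beyond this simple form.

```python
"""Consume a STIX 2.1 bundle and use its indicators to screen log lines.

Added example, not code from the Cisco module. The bundle, indicator IDs
and log lines below are constructed; no TAXII server is contacted.
"""
import json
import re
from datetime import datetime, timezone


def _indicator(suffix, pattern, valid_from, valid_until=None):
    """Build a minimal but valid STIX 2.1 Indicator object (constructed IDs)."""
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{suffix}-1111-4a2b-8c3d-0123456789ab",
        "created": valid_from,
        "modified": valid_from,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": valid_from,
    }
    if valid_until:
        obj["valid_until"] = valid_until
    return obj


# What one TAXII 2.0 objects request would return: a STIX bundle (constructed).
STIX_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--9f1c2b3a-1111-4a2b-8c3d-0123456789ab",
    "objects": [
        _indicator("aaaaaaaa", "[ipv4-addr:value = '198.51.100.7']",
                   "2020-05-01T10:00:00Z", "2020-12-31T00:00:00Z"),
        _indicator("bbbbbbbb", "[domain-name:value = 'login-example.invalid']",
                   "2020-05-02T10:00:00Z"),
        # Expired indicator: a consumer must not keep acting on it.
        _indicator("cccccccc", "[ipv4-addr:value = '203.0.113.9']",
                   "2019-01-01T00:00:00Z", "2019-06-01T00:00:00Z"),
    ],
})

# Only the simplest STIX pattern is handled: one equality comparison in one
# observation expression. Anything richer is skipped, not guessed at.
_SIMPLE_PATTERN = re.compile(
    r"^\[\s*(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']+)'\s*\]$"
)

# Fixed "current time" so the validity window check is reproducible.
EXAMPLE_NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    """STIX timestamps are RFC 3339 UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_iocs(bundle_json, now):
    """Map (observable type, value) -> indicator id for indicators that are
    STIX-patterned, valid at `now`, and simple enough to parse."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    iocs = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if _parse_ts(obj["valid_from"]) > now:
            continue
        until = obj.get("valid_until")
        if until and _parse_ts(until) <= now:
            continue
        m = _SIMPLE_PATTERN.match(obj["pattern"])
        if m:
            iocs[(m.group(1), m.group(2).lower())] = obj["id"]
    return iocs


# Constructed firewall/proxy log lines in a key=value style.
LOG_LINES = [
    "2020-06-01T12:00:01Z src=10.0.0.5 dst=198.51.100.7 dport=443 action=allow",
    "2020-06-01T12:00:02Z src=10.0.0.6 dst=192.0.2.10 dport=443 action=allow",
    "2020-06-01T12:00:03Z src=10.0.0.7 host=Login-Example.invalid method=GET",
    "2020-06-01T12:00:04Z src=10.0.0.8 dst=203.0.113.9 dport=80 action=allow",
]
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def match_logs(log_lines, iocs):
    """Return (indicator id, matched value, line) for every IOC hit."""
    hits = []
    for line in log_lines:
        for ip in _IPV4.findall(line):
            if ("ipv4-addr", ip) in iocs:
                hits.append((iocs[("ipv4-addr", ip)], ip, line))
        for host in _HOST.findall(line):
            key = ("domain-name", host.lower())
            if key in iocs:
                hits.append((iocs[key], host.lower(), line))
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(STIX_BUNDLE_JSON, EXAMPLE_NOW)
    for ind_id, value, line in match_logs(LOG_LINES, iocs):
        print(f"{ind_id} matched {value!r} in: {line}")
```

Two details matter more than the matching itself. The `valid_from`/`valid_until` check is what keeps a feed from generating alerts on an indicator the producer has already retired (the third indicator above matches a log line but is correctly ignored), and refusing to parse patterns the code does not understand is safer than partially evaluating them, since a half-parsed pattern silently turns a compound condition into a much broader one. Carrying the indicator `id` through to the hit is what lets the analyst trace a detection back to the source object, which is the practical reason STIX IDs are globally unique.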
The Malware Information Sharing Platform (MISP) is an open-source platform for sharing indicators of compromise for newly discovered threats. MISP is supported by the European Union and is used by over 6,000 organizations globally. MISP enables automated sharing of IOCs between people and machines by using STIX and other export formats.

Threat Intelligence Services: Threat Intelligence Platforms

There are many sources of threat intelligence information, each of which may have its own data format. Accessing and using multiple threat intelligence sources can be very time-consuming. To help cybersecurity personnel make the best use of threat intelligence, threat intelligence platforms (TIPs) have evolved. A TIP centralizes the collection of threat data from numerous data sources and formats. There are three major types of threat intelligence data: indicators of compromise (IOCs); tactics, techniques, and procedures (TTPs); and reputation information about internet destinations or domains. The volume of threat intelligence data can be overwhelming, so the TIP is designed to aggregate the data in one place and, most importantly, present it in a comprehensible and usable format.

Threat Intelligence Services: Threat Intelligence Platforms (Cont.)

Organizations can contribute to threat intelligence by sharing their intrusion data over the internet, typically through automation. Many threat intelligence services use subscriber data to enhance their products and to keep current with the constantly changing, emerging threat landscape. Honeypots are simulated networks or servers that are designed to attract attackers. The attack-related information gathered from honeypots can then be shared with threat intelligence platform subscribers, but hosting honeypots can itself be a risk.
Basing a honeypot in the cloud isolates it from production networks, which makes this approach an attractive alternative for gathering threat intelligence.

Threat Intelligence Services: Lab - Identify Relevant Threat Intelligence

In this lab, you will meet the following objectives:
Part 1: Research MITRE CVEs
Part 2: Access the MITRE ATT&CK Knowledge Base
Part 3: Investigate Potential Malware

3.3 Threat Intelligence Summary

Threat Intelligence Summary: What Did I Learn in this Module?

There are many organizations that provide network intelligence, such as SANS, Mitre, FIRST, SecurityNewsWire, (ISC)2, and CIS. You must keep abreast of the latest threats and continue to upgrade your skills. The Cisco Annual Cybersecurity Report and the Mid-Year Cybersecurity Report are great resources to use. It is also useful to read blogs and listen to podcasts. Threat intelligence services allow the exchange of threat information such as vulnerabilities, IOCs, and mitigation techniques, not only with personnel but also with security systems. As threats emerge, threat intelligence services create and distribute firewall rules and IOCs to the devices that have subscribed to the service. One such service is the Cisco Talos Threat Intelligence Group. FireEye is another security company that offers services to help enterprises secure their networks. FireEye uses a three-pronged approach combining security intelligence, security expertise, and technology.

Threat Intelligence Summary: What Did I Learn in this Module? (Cont.)

The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS).
AIS enables the real-time exchange of cyber threat indicators between the U.S. Federal Government and the private sector. The United States government sponsored the MITRE Corporation to create and maintain a catalog of known vulnerabilities called Common Vulnerabilities and Exposures (CVE). Three common threat intelligence sharing standards are Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), and CybOX. These open standards provide the specifications that aid in the automated exchange of cyber threat intelligence in a standard format.