Threat Intelligence - a modern approach to ensuring information security
Imagine that you come to work, turn on the computer and see that your company's website is down, and the cargo is stuck at customs and cannot reach the warehouse. On top of that, some stranger has put a funny picture on your screen saver. An accountant comes to you and reports that all the funds have been withdrawn from the accounts, and your personal data is now gracing the entire Internet. You take a cup of coffee and go to the window, and across the road a neighboring company is already producing your once-unique products. And your beautiful wife has flown off with a more successful competitor. At this moment the realization comes: you have been hacked.
But you were warned - you needed to deploy TI. Before that, though, let's see how it works and what it protects against.
Threat Intelligence is cyber intelligence whose task is to obtain and analyze data on current threats in order to predict possible attacks and prevent them.
Threat Intelligence consists of the following stages: collecting and accumulating threat data from various sources in a single system, enriching it, analyzing it, and applying the knowledge gained.
Data collection and accumulation
Threats are collected using the following systems:
- Search robots - systems for collecting information about existing sites on the Internet;
- Sandbox - an isolated environment for safely executing suspicious code in order to detect and analyze malware;
- Botnet monitoring - tracking networks of computers under the control of an attacker's command server;
- Honeypot - a network segment set up as bait for the intruder, separated from the organization's main secure network;
- Sensors - agent programs that collect useful information from various devices.
In addition, the database is replenished with leak databases - sensitive information that has reached open sources in an illegitimate way: credentials for systems and services, email addresses, credit card details, passwords.
From open sources (OSINT) come feeds (structured, analyzed data): IP addresses and domains from which malicious files are distributed, samples of those files and their hashes; lists of phishing sites and the e-mail addresses of senders of phishing messages; active C&C (Command & Control) servers; addresses from which networks are scanned to inventory hosts and detect system versions, service banners and vulnerabilities; IP addresses from which brute-force attacks are conducted; Yara signatures for malware detection.
Useful information can also be found on the sites of analytical centers, CERTs and blogs of independent researchers: discovered vulnerabilities, rules for detecting them, descriptions of investigations.
In the course of investigating targeted attacks, analysts obtain samples of malicious files and their hashes, and lists of IP addresses, domains and URLs hosting illegitimate content.
The system also receives data on detected software vulnerabilities and on attacks from partners, vendors and customers.
Information is collected from information security tools (SZI): antiviruses, IDS/IPS, firewalls, web application firewalls, traffic analysis tools, event loggers, systems protecting against unauthorized access, etc.
All collected data is accumulated in a single platform that allows you to enrich, analyze and disseminate information about threats.
Enriching the received data
The collected information on specific threats is supplemented with contextual information: the name of the threat, the time of detection, geolocation, the source of the threat, the circumstances, and the goals and motives of the attacker.
Also at this stage, enrichment takes place - obtaining additional technical attributes for already known attacks:
- URLs
- IP addresses
- Domains
- Whois data
- Passive DNS
- GeoIP - geographical information about an IP address
- Samples of malicious files and their hashes
- Statistical and behavioral information - the tactics, techniques and procedures of the attack
At the analysis stage, events and attributes related to one attack are combined according to criteria such as territorial location, time period, economic sector, criminal group, etc.
Connections between different events are identified - this is correlation.
When working with feeds, the source of a feed is selected depending on the industry specifics, the types of attacks relevant to the particular company, and the presence of attributes and IOCs that cover risks not covered by the rules of the protection systems. The value of each feed is then determined and the feeds are prioritized based on the following parameters:
- Feed data sources - the source may turn out to be an aggregator of data from OSINT sources that provides no in-house analytics of its own.
- Relevance - timeliness and "freshness" of the data provided. Two parameters must be taken into account: the time from the moment an attack is detected to the distribution of a feed with information about the threat should be minimal, and the source must supply feeds at a frequency that keeps the threat information up to date.
- Uniqueness - the amount of data not found in other feeds, i.e. the amount of the provider's own analytics that the feed carries.
- Occurrence in other sources - at first glance it may seem that if an attribute or IOC (Indicator of Compromise) is found in feeds from several sources, its level of trust can be raised. In fact, several feed sources may draw their data from the same upstream source, whose information may be unverified.
- Completeness of the context provided - how well the information is classified, and whether the objectives of the attack, the sector of the economy, the criminal group, the tools used, the duration of the attack, etc. are indicated.
- Quality (proportion of false positives) of the detection rules for security tools written from the feed's data.
- Data usefulness - the applicability of the feed's data in incident investigation.
- Data format - how convenient it is to process the data and automate loading it into the platform. Does the chosen Threat Intelligence platform support the required formats, and is any data lost?
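As an added illustration (not code from the original article), the script below turns several of the parameters above into numbers: freshness (relevance), uniqueness, completeness of context, and whether the provider has its own analytics. It also shows the "occurrence in other sources" caveat: corroboration is counted per independent upstream source, so two feeds that republish the same public aggregator count as one. The feed names, IOC values, timestamps and the weights in the score are constructed sample data and assumptions of this example.

```python
"""Score and rank threat-intelligence feeds by the selection criteria above.

Added example, not code from the original article: feed names, IOC values,
timestamps and the weights below are constructed sample data, and the scoring
formula is only one illustration of how the criteria can be quantified.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Indicator:
    value: str                  # IP address, domain or file hash
    first_seen: datetime        # when the provider published it
    context: dict = field(default_factory=dict)   # target sector, actor, tool, TTP


@dataclass
class Feed:
    name: str
    upstream: str               # "own" for in-house analytics, else the aggregator it republishes
    indicators: list


# Context attributes that make an IOC actionable for correlation and response
CONTEXT_KEYS = ("target_sector", "actor", "tool", "ttp")
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)   # constructed "today"


def freshness(feed: Feed, now: datetime = NOW, max_age_days: int = 30) -> float:
    """Share of the feed's indicators published within max_age_days (relevance)."""
    cutoff = now - timedelta(days=max_age_days)
    fresh = sum(1 for i in feed.indicators if i.first_seen >= cutoff)
    return fresh / len(feed.indicators)


def uniqueness(feed: Feed, feeds: list) -> float:
    """Share of the feed's indicators that no other feed carries (uniqueness)."""
    others = {i.value for f in feeds if f is not feed for i in f.indicators}
    unique = sum(1 for i in feed.indicators if i.value not in others)
    return unique / len(feed.indicators)


def context_completeness(feed: Feed) -> float:
    """Average share of CONTEXT_KEYS filled in per indicator (completeness of context)."""
    per_ioc = [sum(1 for k in CONTEXT_KEYS if i.context.get(k)) / len(CONTEXT_KEYS)
               for i in feed.indicators]
    return sum(per_ioc) / len(per_ioc)


def independent_sources(value: str, feeds: list) -> int:
    """Number of distinct upstream sources that carry an IOC.

    Counting feeds would overstate trust: feeds that republish the same
    aggregator are one source, so corroboration is counted per upstream.
    """
    return len({f.upstream for f in feeds if any(i.value == value for i in f.indicators)})


def score_feeds(feeds: list, now: datetime = NOW) -> dict:
    """Weighted score per feed name; the weights are an assumption of this example."""
    scores = {}
    for f in feeds:
        in_house = 1.0 if f.upstream == "own" else 0.0
        scores[f.name] = round(0.3 * freshness(f, now)
                               + 0.25 * uniqueness(f, feeds)
                               + 0.25 * context_completeness(f)
                               + 0.2 * in_house, 3)
    return scores


def ts(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed feeds: one vendor with its own analytics, two mirrors of the same public aggregator
FEEDS = [
    Feed("vendor-a", "own", [
        Indicator("198.51.100.7", ts(2024, 1, 29),
                  {"target_sector": "finance", "actor": "GROUP-X", "tool": "loader", "ttp": "T1566"}),
        Indicator("bad.example", ts(2024, 1, 30),
                  {"target_sector": "finance", "actor": "GROUP-X", "tool": "loader", "ttp": "T1566"}),
        Indicator("203.0.113.9", ts(2023, 12, 15), {"target_sector": "finance", "actor": "GROUP-X"}),
    ]),
    Feed("osint-mirror-1", "public-aggregator-x", [
        Indicator("203.0.113.9", ts(2023, 12, 15)),
        Indicator("192.0.2.44", ts(2023, 12, 20)),
        Indicator("evil.example", ts(2024, 1, 20)),
    ]),
    Feed("osint-mirror-2", "public-aggregator-x", [
        Indicator("203.0.113.9", ts(2023, 12, 15)),
        Indicator("192.0.2.44", ts(2023, 12, 20)),
        Indicator("evil.example", ts(2024, 1, 20)),
    ]),
]

if __name__ == "__main__":
    for name, s in sorted(score_feeds(FEEDS).items(), key=lambda kv: -kv[1]):
        print(f"{name:16} score={s}")
    for ioc in ("203.0.113.9", "192.0.2.44"):
        print(ioc, "independent sources:", independent_sources(ioc, FEEDS))
```

With this data the vendor feed scores 0.775 and each mirror 0.1; "203.0.113.9" appears in three feeds but has only two independent sources, and "192.0.2.44" appears in two feeds but has one. The weights are deliberately simple; in practice the false-positive rate of the detection rules built from each feed would be measured on your own security tools and fed back into the score.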
The following tools are used to classify data from feeds:
- Taxonomies - sets of libraries classified according to the processes of conducting attacks, spreading threats, exchanging data, etc. For example, ENISA, CSSA, VERIS, the Diamond Model, the Kill Chain, CIRCL and MISP have their own taxonomies.
- Clustering - sets of libraries classified by static characteristics of threats and attacks, for example: sectors of the economy; tools and exploits used; TTPs (Tactics, Techniques & Procedures), i.e. the stages and methods of penetration, exploitation and persistence in the system, based on the ATT&CK matrix.
Analysts identify the tactics, techniques and procedures of the attackers, map data and events onto the model of the intrusion into the system and build chains of attack implementation. It is important to form an overall view of the attack, taking into account the complex architecture of the protected system and the connections between its components, including the possibility of a multi-stage attack that affects several hosts and vulnerabilities.
On the basis of this work, forecasting is carried out: probable attack directions are identified and systematized taking into account industry specifics, geolocation, time frame, possible tools and the severity of the destructive consequences. Identified threats are prioritized by the potential damage of their realization.
Threat Intelligence information makes it possible to detect leaks of an organization's sensitive data that have ended up on the Internet and to control brand risks: discussion of attack plans on darknet forums, illegitimate use of the brand in phishing campaigns, disclosure of trade secrets and their use by competitors.
The assembled knowledge base is used to write attack detection rules for security tools, to respond promptly to threats within the SOC, and to investigate incidents.
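An added example (not code from the original article) of how a knowledge base becomes detection logic and then an attack chain: IOCs with their context (actor, TTP, stage) are matched against log lines, and the hits for one actor are grouped into a time-ordered chain, which is the correlation and attack-chain construction the text describes. The IOC records, log lines, actor name, TTP labels and the fake hash are constructed sample data; the 24-hour grouping window is an assumption of this example.

```python
"""Apply a threat-intelligence knowledge base to logs and correlate the hits.

Added example, not code from the original article: the IOC records, the log
lines and the actor/TTP labels are constructed sample data, and grouping hits
per actor into a time-ordered chain is one simple form of correlation.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAKE_HASH = "0123456789abcdef" * 4   # constructed, not a real sample hash

# IOC -> context from the TI platform (constructed)
KNOWLEDGE_BASE = {
    "bad.example": {"actor": "GROUP-X", "ttp": "T1566 Phishing", "stage": "delivery"},
    FAKE_HASH: {"actor": "GROUP-X", "ttp": "T1204 User execution", "stage": "execution"},
    "198.51.100.7": {"actor": "GROUP-X", "ttp": "T1071 Web C2", "stage": "command-and-control"},
}

# Constructed log lines from mail, EDR and proxy; 203.0.113.200 stands in for a benign destination
LOGS = [
    "2024-01-30T08:01:12Z mail from=hr@bad.example to=alice@corp.example attach=invoice.zip",
    "2024-01-30T08:05:40Z edr host=WS-017 user=alice file=invoice.exe sha256=" + FAKE_HASH,
    "2024-01-30T08:06:02Z proxy host=WS-017 dst=198.51.100.7:443 action=allow",
    "2024-01-30T09:15:00Z proxy host=WS-042 dst=203.0.113.200:443 action=allow",
]

# Atoms worth looking up: IPv4 addresses, SHA-256 hashes, domain-like names
ATOM_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b"          # IPv4
    r"|\b[0-9a-f]{64}\b"                    # SHA-256
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b"     # domain-like token
)


def extract_atoms(line: str) -> set:
    """All lookup candidates in one log line, lower-cased to match the knowledge base."""
    return set(ATOM_RE.findall(line.lower()))


def match_iocs(lines: list, kb: dict = KNOWLEDGE_BASE) -> list:
    """One hit per (log line, known IOC), carrying the IOC's context, sorted by time."""
    hits = []
    for line in lines:
        when = datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ")
        for atom in extract_atoms(line) & set(kb):
            hits.append({"time": when, "ioc": atom, "line": line, **kb[atom]})
    return sorted(hits, key=lambda h: h["time"])


def build_attack_chains(hits: list, window: timedelta = timedelta(hours=24)) -> dict:
    """Group time-sorted hits per actor; a gap larger than window starts a new chain."""
    chains = defaultdict(list)
    for hit in hits:
        actor_chains = chains[hit["actor"]]
        if actor_chains and hit["time"] - actor_chains[-1][-1]["time"] <= window:
            actor_chains[-1].append(hit)
        else:
            actor_chains.append([hit])
    return dict(chains)


def stages(chain: list) -> list:
    """Stage names of a chain in time order, e.g. delivery -> execution -> C2."""
    return [h["stage"] for h in chain]


if __name__ == "__main__":
    for actor, actor_chains in build_attack_chains(match_iocs(LOGS)).items():
        for n, chain in enumerate(actor_chains, 1):
            print(f"{actor} chain {n}: {' -> '.join(stages(chain))}")
            for h in chain:
                print(f"  {h['time']:%H:%M:%S} {h['ttp']:24} ioc={h['ioc'][:16]}")
```

On the constructed logs this yields one GROUP-X chain with the stages delivery, execution and command-and-control; the benign proxy line produces no hit. The useful part for a SOC is that every alert already carries the actor and TTP from the knowledge base, so the responder sees the intrusion stage rather than an isolated IOC match.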
Experts update the threat model and reassess risks in light of the changed conditions.
Such an integrated approach makes it possible to prevent attacks at the stage of attempts to penetrate the information system.
A platform for collecting and analyzing information about security threats is included in the FSTEC requirements (paragraph 24) for the provision of SOC services. Moreover, Threat Intelligence can help in exchanging threat information within the framework of GosSOPKA (the Russian state system for detecting, preventing and eliminating the consequences of computer attacks).
Using the experience of cyber intelligence professionals in collecting, analyzing and applying threat data allows information security departments to bring their company's information protection up to a proper modern level.