CyberOps Associate: Module 20 – Threat Intelligence

20.0 Introduction

20.0.1 Why Should I Take this Module?

It is important for you to keep up with the latest information when it comes to cybersecurity. How do you do that? Read this module to learn about information sources and threat intelligence services.

20.0.2 What Will I Learn in this Module?

Module Title: Threat Intelligence

Module Objective: Use various intelligence sources to locate current security threats.

Topic Title                   Topic Objective
Information Sources           Describe information sources used to communicate emerging network security threats.
Threat Intelligence Services  Describe various threat intelligence services.

20.1 Information Sources

20.1.1 Network Intelligence Communities

To effectively protect a network, security professionals must stay informed about threats and vulnerabilities as they evolve. There are many security organizations which provide network intelligence. They provide resources, workshops, and conferences to help security professionals. These organizations often have the latest information on threats and vulnerabilities.

The table lists a few important network security organizations.

Organization: Description

SANS: The SysAdmin, Audit, Network, Security (SANS) Institute's resources are largely free upon request and include:

  • The Internet Storm Center – the popular internet early warning system
  • NewsBites – the weekly digest of news articles about computer security
  • @RISK – the weekly digest of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked
  • Flash security alerts
  • Reading Room – more than 1,200 award-winning, original research papers
  • SANS also develops security courses.

Mitre: The Mitre Corporation maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations.

FIRST: The Forum of Incident Response and Security Teams (FIRST) is a security organization that brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in information sharing, incident prevention, and rapid reaction.

SecurityNewsWire: A security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities.

(ISC)2: The International Information Systems Security Certification Consortium ((ISC)2) provides vendor-neutral education products and career services to more than 75,000 industry professionals in more than 135 countries.

CIS: The Center for Internet Security (CIS) is a focal point for cyber threat prevention, protection, response, and recovery for state, local, tribal, and territorial (SLTT) governments through the Multi-State Information Sharing and Analysis Center (MS-ISAC). The MS-ISAC offers 24×7 cyber threat warnings and advisories, vulnerability identification, and mitigation and incident response.

To remain effective, a network security professional must:

  • Keep abreast of the latest threats – This includes subscribing to real-time feeds regarding threats, routinely perusing security-related websites, following security blogs and podcasts, and more.
  • Continue to upgrade skills – This includes attending security-related training, workshops, and conferences.

Note: Network security has a very steep learning curve and requires a commitment to continuous professional development.

20.1.2 Cisco Cybersecurity Reports

Resources to help security professionals stay abreast of the latest threats are the Cisco Annual Cybersecurity Report and the Mid-Year Cybersecurity Report. These reports provide an update on the state of security preparedness, expert analysis of top vulnerabilities, factors behind the explosion of attacks using adware, spam, and more.

Cybersecurity analysts should subscribe to and read these reports to learn how threat actors are targeting their networks, and what can be done to mitigate these attacks.

Search the internet to locate and download Cisco Cybersecurity Reports from the Cisco website.

20.1.3 Security Blogs and Podcasts

Another method for keeping up-to-date on the latest threats is to read blogs and listen to podcasts. Blogs and podcasts also provide advice, research, and recommended mitigation techniques.

There are several security blogs and podcasts available that a cybersecurity analyst should follow to learn about the latest threats, vulnerabilities, and exploits.

Cisco provides blogs on security-related topics from a number of industry experts and from the Cisco Talos Group. Search for Cisco security blogs to locate them. You can also subscribe to receive notifications of new blogs by email. Cisco Talos also offers a series of over 80 podcasts that can be played from the internet or downloaded to your device of choice.

20.2 Threat Intelligence Services

20.2.1 Cisco Talos

Threat intelligence services allow the exchange of threat information such as vulnerabilities, indicators of compromise (IOC), and mitigation techniques. This information is not only shared with personnel, but also with security systems. As threats emerge, threat intelligence services create and distribute firewall rules and IOCs to the devices that have subscribed to the service.


One such service is the Cisco Talos Threat Intelligence Group, shown in the figure. Talos is one of the largest commercial threat intelligence teams in the world and is made up of world-class researchers, analysts, and engineers. The goal of Talos is to help protect enterprise users, data, and infrastructure from active adversaries. The Talos team collects information about active, existing, and emerging threats. Talos then provides comprehensive protection against these attacks and malware to its subscribers.

Cisco Security products can use Talos threat intelligence in real time to provide fast and effective security solutions. Cisco Talos also provides free software, services, resources, and data. Talos maintains the security incident detection rule sets for the Snort.org, ClamAV, and SpamCop network security tools.

20.2.2 FireEye

FireEye is another security company that offers services to help enterprises secure their networks. FireEye uses a three-pronged approach combining security intelligence, security expertise, and technology.

FireEye offers SIEM and SOAR with the Helix Security Platform, which uses behavioral analysis and advanced threat detection and is supported by the FireEye Mandiant worldwide threat intelligence network. Helix is a cloud-hosted security operations platform that combines diverse security tools and threat intelligence into a single platform.

The FireEye Security System blocks attacks across web and email threat vectors, and latent malware that resides on file shares. It can block advanced malware that easily bypasses traditional signature-based defenses and compromises the majority of enterprise networks. It addresses all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis to detect zero-day threats.

Search for FireEye on the internet and view the security intelligence resources it offers.

20.2.3 Automated Indicator Sharing

The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS). AIS enables the real-time exchange of cyber threat indicators (e.g., malicious IP addresses, the sender address of a phishing email, etc.) between the U.S. Federal Government and the private sector.

AIS creates an ecosystem where, as soon as a threat is recognized, it is immediately shared with the community to help them protect their networks from that particular threat.

Search the internet for “DHS AIS” service to learn more.

20.2.4 Common Vulnerabilities and Exposures (CVE) Database

The United States government sponsored the MITRE Corporation to create and maintain a catalog of known security threats called Common Vulnerabilities and Exposures (CVE). The CVE serves as a dictionary of common names (i.e., CVE Identifiers) for publicly known cybersecurity vulnerabilities.

The MITRE Corporation defines unique CVE Identifiers for publicly known information-security vulnerabilities to make it easier to share data.

Search the internet for “Mitre Corporation” and view information about CVE.

20.2.5 Threat Intelligence Communication Standards


Network organizations and professionals must share information to increase knowledge about threat actors and the assets they want to access. Several open intelligence-sharing standards have evolved to enable communication across multiple networking platforms. These standards enable the exchange of cyber threat intelligence (CTI) in an automated, consistent, and machine-readable format.

Three common threat intelligence sharing standards include the following:

  • Structured Threat Information Expression (STIX) – This is a set of specifications for exchanging cyber threat information between organizations. The Cyber Observable Expression (CybOX) standard has been incorporated into STIX.
  • Trusted Automated Exchange of Indicator Information (TAXII) – This is the specification for an application layer protocol that allows the communication of CTI over HTTPS. TAXII is designed to support STIX.
  • CybOX – This is a set of standardized schema for specifying, capturing, characterizing, and communicating events and properties of network operations that supports many cybersecurity functions.

These open standards provide the specifications that aid in the automated exchange of cyber threat intelligence information in a standardized format. Search the internet to learn more about STIX, TAXII, and CybOX.
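As an added illustration that is not part of the course module, the following Python builds a minimal STIX 2.1 Indicator and Bundle by hand (the JSON a TAXII collection would deliver) and checks sensor observables against the simple equality patterns it contains. The indicator values and the observed data are constructed for the example, and compound patterns are deliberately skipped because they need a full STIX pattern engine.

```python
import json
import re
import uuid
from datetime import datetime, timezone

def make_indicator(pattern: str, name: str) -> dict:
    """Build a minimal STIX 2.1 Indicator object (required fields plus a name)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "valid_from": now,
        "name": name, "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix",
    }

def make_bundle(objects: list) -> str:
    """Wrap STIX objects in a Bundle, the unit a TAXII collection hands to clients."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                       "objects": objects}, indent=2)

# One simple comparison expression, e.g. [ipv4-addr:value = '203.0.113.5']
_SIMPLE = re.compile(r"^\[(?P<otype>[\w-]+):(?P<prop>\w+)\s*=\s*'(?P<val>[^']*)'\]$")

def match_bundle(bundle_json: str, observed: list) -> list:
    """Names of indicators whose pattern matches one of the observed SCO dicts,
    e.g. {"type": "ipv4-addr", "value": "203.0.113.5"} taken from a sensor."""
    hits = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _SIMPLE.match(obj["pattern"])
        if m is None:
            continue  # AND/OR/FOLLOWEDBY patterns need a full STIX pattern engine
        if any(o.get("type") == m["otype"] and o.get(m["prop"]) == m["val"]
               for o in observed):
            hits.append(obj["name"])
    return hits

# Constructed sample: three indicators and a few observables "seen" on the network
SAMPLE_BUNDLE = make_bundle([
    make_indicator("[ipv4-addr:value = '203.0.113.5']", "C2 address (constructed)"),
    make_indicator("[email-addr:value = 'billing@example.test']", "Phishing sender (constructed)"),
    make_indicator("[domain-name:value = 'bad.example' AND ipv4-addr:value = '203.0.113.9']",
                   "Compound pattern (not evaluated here)"),
])
SAMPLE_OBSERVED = [{"type": "ipv4-addr", "value": "203.0.113.5"},
                   {"type": "email-addr", "value": "helpdesk@example.test"},
                   {"type": "domain-name", "value": "bad.example"}]
```

Calling `match_bundle(SAMPLE_BUNDLE, SAMPLE_OBSERVED)` reports only the C2 address indicator, since the phishing sender differs and the compound pattern is not evaluated.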

The Malware Information Sharing Platform (MISP) is an open source platform for sharing indicators of compromise for newly discovered threats. MISP is supported by the European Union and is used by over 6,000 organizations globally. MISP enables automated sharing of IOCs between people and machines by using STIX and other export formats.

20.2.6 Threat Intelligence Platforms

As we have seen, there are many sources of threat intelligence information, each of which may have its own data format. Accessing and using multiple threat intelligence sources can be very time-consuming. To help cybersecurity personnel make the best use of threat intelligence, threat intelligence platforms (TIP) have evolved.

A threat intelligence platform centralizes the collection of threat data from numerous data sources and formats. There are three major types of threat intelligence data. The first is indicators of compromise (IOC). The second is tools, techniques, and procedures (TTP). The third is reputation information about internet destinations or domains. The volume of threat intelligence data can be overwhelming, so the threat intelligence platform is designed to aggregate the data in one place and, most importantly, present the data in a comprehensible and usable format.
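Added example, not from the course: a small Python aggregator of the kind a threat intelligence platform runs internally. It takes two constructed feeds in different formats (a CSV export and a MISP-style JSON attribute list), maps them onto one internal vocabulary so duplicates collapse, and reports which indicators more than one source corroborates. The feed contents and the type mapping are assumptions made for the example.

```python
import csv
import io
import json
from collections import defaultdict
# Constructed feed 1: a "type,value" CSV export, as many commercial feeds provide
CSV_FEED = """type,value
ipv4-addr,203.0.113.5
domain,BAD.example.
md5,0123456789abcdef0123456789abcdef
"""
# Constructed feed 2: a MISP-style JSON attribute list (only the fields used here)
MISP_FEED = json.dumps({"Attribute": [
    {"type": "ip-dst", "value": "203.0.113.5"},
    {"type": "domain", "value": "bad.example"},
    {"type": "url", "value": "http://bad.example/login"},
]})
# Each feed's vocabulary is mapped onto one internal type so duplicates collapse (assumed mapping)
TYPE_MAP = {"ipv4-addr": "ip", "ip-dst": "ip", "domain": "domain", "md5": "md5", "url": "url"}

def normalize(itype: str, value: str):
    """Canonical (type, value) pair, or None when the platform does not know the type."""
    ntype = TYPE_MAP.get(itype.lower())
    if ntype is None:
        return None
    v = value.strip()
    if ntype in ("domain", "md5"):
        v = v.lower().rstrip(".")  # case and a trailing dot do not make a new indicator
    return (ntype, v)

def ingest_csv(text: str, source: str):
    for row in csv.DictReader(io.StringIO(text)):
        yield normalize(row["type"], row["value"]), source

def ingest_misp(text: str, source: str):
    for attr in json.loads(text)["Attribute"]:
        yield normalize(attr["type"], attr["value"]), source

def aggregate(*feeds) -> dict:
    """Merge feeds into {(type, value): [sources]}; more sources means more corroboration."""
    seen = defaultdict(set)
    for feed in feeds:
        for ioc, source in feed:
            if ioc is not None:
                seen[ioc].add(source)
    return {ioc: sorted(srcs) for ioc, srcs in seen.items()}

def corroborated(table: dict, min_sources: int = 2) -> list:
    """Indicators reported by at least min_sources feeds, a sane input for a blocklist."""
    return sorted(ioc for ioc, srcs in table.items() if len(srcs) >= min_sources)
```

With the two constructed feeds, `corroborated(aggregate(ingest_csv(CSV_FEED, "csv"), ingest_misp(MISP_FEED, "misp")))` yields the IP address and the domain, which both sources reported despite the differing type names and letter case.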

Organizations can contribute to threat intelligence by sharing their intrusion data over the internet, typically through automation. Many threat intelligence services use subscriber data to enhance their products and to keep current with the constantly changing threat landscape.

Honeypots are simulated networks or servers that are designed to attract attackers. The attack-related information gathered from honeypots can then be shared with threat intelligence platform subscribers. However, hosting honeypots can itself be a risk. Basing a honeypot in the cloud isolates the honeypot from production networks. This approach is an attractive alternative for gathering threat intelligence.

20.3 Threat Intelligence Summary

20.3.1 What Did I Learn in this Module?

Network Intelligence Communities

There are many organizations which provide network intelligence. Network security organizations include SANS, Mitre, FIRST, SecurityNewsWire, (ISC)2, and CIS. You must keep abreast of the latest threats and continue to upgrade your skills. The Cisco Annual Cybersecurity Report and the Mid-Year Cybersecurity Report are great resources to use. It is also useful to read blogs and listen to podcasts.

Threat Intelligence Services

Threat intelligence services allow the exchange of threat information such as vulnerabilities, indicators of compromise (IOC), and mitigation techniques. This information is not only shared with personnel, but also with security systems. As threats emerge, threat intelligence services create and distribute firewall rules and IOCs to the devices that have subscribed to the service. One such service is the Cisco Talos Threat Intelligence Group.

FireEye is another security company that offers services to help enterprises secure their networks. FireEye uses a three-pronged approach combining security intelligence, security expertise, and technology. FireEye offers SIEM and SOAR with the Helix Security Platform, which uses behavioral analysis and advanced threat detection and is supported by the FireEye Mandiant worldwide threat intelligence network.

The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS). AIS enables the real-time exchange of cyber threat indicators between the U.S. Federal Government and the private sector. The United States government sponsored the MITRE Corporation to create and maintain a catalog of known security threats called Common Vulnerabilities and Exposures (CVE).

Three common threat intelligence sharing standards include Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), and CybOX. These open standards provide the specifications that aid in the automated exchange of cyber threat intelligence information in a standard format.
