Cyber Threat Intelligence
Seyed Alireza Kamrani
Kashef Secure Electronic Management Company
Source: conf.mbri.ac.ir/ebps8/assets/Download/کامرانی.pdf
Disclaimer and legal notice
This presentation has been prepared solely for the purpose of raising awareness. Foreign companies or organizations are named only to illustrate global approaches; this is neither an endorsement nor a rejection of their use within the scope of this presentation.
Main topics
• Introduction
• Types of threat intelligence
• Life cycle and maturity model of cyber threat intelligence
• Standards for sharing threat information
• A brief introduction to the STIX/TAXII standard
• Cyber threat intelligence services, products and platforms
• The place of cyber threat intelligence in the SOC and CSIRT
• Threat intelligence in the banking industry
The main trends in the 2017 cyber threat landscape
• Increasing attack volume and complexity
• Threat agents of all types have advanced in obfuscation, that is, hiding their trails
• Malicious infrastructures continue their transformation
• Cyber-war is entering dynamically into cyberspace
ENISA Threat Landscape Report 2017: 15 Top Cyber-Threats and Trends, January 2018
Deloitte & Touche Middle East, Financial services threat landscape report, July 2018
* Statistics provided by IBM 2015 Cyber Security Intelligence Index Report & Ponemon Institute, 2015 Cost of Data Breach Study: Global Analysis
• 151% increase in attack indications
• 135% increase in bank data offered for sale on the black market
• 91% increase in corporate email addresses found on phishing target lists
• 40% increase in corporate credential leakage (employee or customer)
• 149% increase in stolen credit card information
• 49% rise in fake social media (profiles, apps, accounts)
Survey scope: 50 banks and financial services organizations in the US and Europe
Risk management process
• Identify
• Assess
• Mitigate
• Review
Definition 1: Cyber Threat Intelligence
CTI: Cyber Threat Intelligence
It's an important part of managing risk
• Threat intelligence is a critical tool for enabling the threat-centric side of a security equation and, at least in part, taking the fight to the adversary by identifying, exposing and sometimes prosecuting the threat actors.
Definition 2: Cyber Threat Intelligence
CTI: Cyber Threat Intelligence
It is evidence-based knowledge about threats, including context, indicators, evidence, mechanisms, consequences and actionable advice about the existence or emergence of a hazard or threat related to assets, on the basis of which an appropriate decision and action can be taken in response to the threat.
– Gartner
Types of Threat Intelligence
• Informal / Formal
• Strategic / Operational
• Strategic / Tactical
• Strategic / Operational / Tactical / Technical
Real World Example: Email Found on DarkWeb
• Date & time?
• Where and who had this on the DarkWeb?
• Captured for spam?
• Stolen credentials?
• Targeted campaign?
• Without any context what will you do?
• http://haveibeenpwned.com/
Real World Example: Phishing URL
http://www.shaparaksaman.ga/payment.php
• Collected from Telegram?
• Date & time?
• Related to what threat vector or threat?
• Mobile app?
• Propagation methods
• ….
Real World Example: DDoS attack
• Campaign? Motivation?
• Internal or external?
• Botnet quality
• Related to what threat vector or threat?
• If you're not looking, how can you protect with assurance?
• ….
"lists of bad IP addresses without context isn't CTI"
• No ability to determine the precise nature of their badness
• No information about an actual threat and threat actors, and no sources for the conclusions
• No timing information about when the IP address was actually associated with malicious
• Single usage ("block this IP") rather than a faceted range of uses that enriches your understanding of the threat
• Black and white in nature (good/bad), while intelligence is never black and white
CTI must be
• Actionable
• Timely
• Relevant and accurate
• In a structured and linked format
• Durable
Acquire Threat Intelligence
• Commercial: various services
• OSINT: social media, web sites, public resources, dark web, deep web, …
• Community-driven or industry-led: FS-ISAC, ISAOs, CSIRTs, …
Use cases for commercial providers (1)
Phishing Detection
• PhishMe
• DomainTools
Vulnerability Prioritization
• Kenna Security
• Core Security
Social Media Monitoring
• ZeroFOX
• Recorded Future
Surface, Deep and Dark Web Monitoring
• Flashpoint
• IntSights
Brand Monitoring
• Digital Shadows, BrandProtect
Threat Indicator Investigations and Response
• Verisign
• Group IB
Use cases for commercial providers (3)
Threat Intelligence Analyst Augmentation
• FireEye (iSIGHT)
• Digital Shadows
Threat Intelligence Sharing
• EclecticIQ
• ThreatConnect
Threat Actor Tracking
• Intel 471
• SenseCy
Rogue or Fake Mobile App Detection
• RiskIQ, PhishLabs, BrandProtect
Sample: Kaspersky Threat Intelligence Service
• Threat Data Feeds – enhance your SIEM solution and improve forensics capabilities using Cyber Threat Data from Kaspersky Lab.
• APT Intelligence Reporting – gain exclusive, proactive access to descriptions of high-profile cyber-espionage campaigns, including indicators of compromise (IOC).
• Customer-specific Threat Intelligence Reporting – identify externally available critical components of your network (employee social network profiles, personal email accounts and other information) that are potential targets for attack.
OSINT
Samples of community-driven / industry-led sources
• ISACs: Information Sharing and Analysis Centers
collect, analyze and disseminate private-sector threat information to industry and government and provide members with tools to mitigate risks and enhance resiliency
• ISAOs: Information Sharing and Analysis Organizations
• CSIRTs
FS-ISAC
• Enable trusted sharing between members globally
• Track 500,000+ industry-specific threat indicators
• Add thousands of industry threat indicators monthly
• Process 10,000+ threat repository requests/day
• Handle 420 significant threat advisories/month
• Periodic threat calls in Europe and Asia Pacific
February 4, 2019, FS-ISAC Confidential. © 2016 FS-ISAC
Analysis
• Full-time ISAC Analysis Team (IAT)
  o Additional analyst locations under development
• Two Security Operations Centers (SOCs), 24x7 operations (Virginia, Poland)
• Senior staff embedded at US National Cybersecurity and Communications Integration Center (NCCIC)
  o Any information shared by FS-ISAC with government organizations is anonymous and only with the permission of the originator (submitter). The FS-ISAC community is based on trust and the originator (submitter) controls where the information goes.
• Real-time monitoring & sharing of threats, vulnerabilities and incidents as attacks unfold
"For threat intelligence, the FSISAC is…one of the best and most valuable resources of information I've ever experienced in my career." – A Member
TLP Green
Local sources for threat hunting
• Malware analysis and reverse engineering
• Incident investigation and forensics
• Honeypots or deception solutions
• SIEM/IDS/NGFW/WAF/EP/etc. solutions
• Spam (and phishing email) traps
• Botnet connections
• …..
Modern SOCs
Threat intelligence fusion
• Link: check that the suspect IP is not a duplicate and link it to pre-existing data.
• Enrich: whois, check in blacklists, …
• Relate: correlation such as IP to campaign, …
• Validate and contextualize: compare with logs, other reports, …
• Rank: trust and usage
• Reformat: malware IPs into NIDS signatures
Indicator type and the controls that consume it:
• IP: firewall, flow data, IPS, …
• URL: IPS/IDS, email gateway, web proxy, …
• Domain: DNS, IPS/IDS, web proxy, …
• File hash: NGFW, email gateway, endpoint management, …
• Email address: email gateway, IPS/IDS, …
Share it!
Pick a sharing mechanism
• Web server
• File sharing site
• Threat intelligence platform (TIP)
• …
Tell people how to get it
• Internal customers
• a friend
• External Trust communities
Recent trends of CTI sharing
• MRTI (machine-readable threat intelligence)
• TIP (threat intelligence platform)
• Open standards
Increasing Cyber Risks
• Malicious actors have become much more sophisticated & money driven.
• Losses to US companies now in the tens of millions; worldwide, hundreds of millions.
• Cyber risks are now ranked the #3 overall corporate risk on Lloyd's 2013 Risk Index.
Manually Sharing Ineffective
• Expensive because it is a slow manual process between people.
• Not all cyber intelligence is processed; probably less than 2% overall = high risk.
• No way to enforce cyber intelligence sharing policy = non-compliance.
Solving the Problem
• Security standards recently matured.
• Cyber Intelligence Sharing Platform revolutionizing sharing and utilization of threat intelligence.
Yesterday's Security: Network Awareness. Protect the perimeter and patch the holes to keep out threats; share knowledge internally.
Today's Problem: Intelligence Sharing. Identify and track threats, incorporate knowledge and share what you know manually with trusted others, which is extremely time consuming and ineffective in raising the costs to the attackers.
Tomorrow's Solution: Situational Awareness. Automate sharing; develop a clearer picture from all observers' input and pro-actively mitigate.
Sharing Solution (diagram: Org A submits to an Intelligence Repository that distributes to Many Trusted Orgs, numbered steps 1 to 5)
CTI standards
• IODEF 2007 Incident Object Description and Exchange Format
• CIF 2009 Educause Collective Intelligence Framework
• VERIS 2010 Verizon Vocabulary for Event Recording and Incident Sharing
• OpenIOC 2011 Mandiant
• MILE 2011 Managed Incident Lightweight Exchange
• OTX 2012 AlienVault Open Threat Exchange
• TLP
MITRE
Traffic Light Protocol (TLP)
• RED: restricted to a defined group (e.g., only those present in a meeting). Information labeled RED should not be shared with anyone outside of the group.
• AMBER: information may be shared with FS-ISAC members.
• GREEN: information may be shared with FS-ISAC members and partners (e.g., vendors, MSSPs, customers). Information in this category is not to be shared in public forums.
• WHITE: information may be shared freely and is subject to standard copyright rules.
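The fusion steps (link, relate, validate, rank, reformat), the indicator-to-control table, the "bad IP list without context isn't CTI" point and the TLP table above, worked through as an added example that is not part of the original deck: a constructed STIX 2.1 bundle (every id, name, address and the feed itself are made up) is parsed, triaged, ranked, mapped to the control that consumes it and released per TLP audience. The score formula, the 90-day staleness limit and the Suricata-style rule output are the example's own choices, not something the deck specifies.

```python
"""Constructed STIX 2.1 feed run through the fusion steps, the control table and TLP release."""
import json
import re
from datetime import datetime, timezone
SRC = "identity--bbbb0000-0000-4000-8000-000000000001"
GREEN = "marking-definition--aaaa0000-0000-4000-8000-000000000001"
AMBER = "marking-definition--aaaa0000-0000-4000-8000-000000000002"
CAMPAIGN = "campaign--cccc0000-0000-4000-8000-000000000001"
DECK_DATE = datetime(2019, 2, 4, tzinfo=timezone.utc)  # "now" for the timeliness check

def _ind(n, pattern, valid_from, confidence, marking=None, sourced=True):
    o = {"type": "indicator", "id": f"indicator--dddd0000-0000-4000-8000-00000000000{n}", "pattern": pattern,
         "pattern_type": "stix", "valid_from": valid_from, "confidence": confidence}
    if sourced:
        o["created_by_ref"] = SRC
    if marking:
        o["object_marking_refs"] = [marking]
    return o

# All ids and values are constructed; the bundle carries its own TLP marking-definition objects.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "marking-definition", "id": GREEN, "definition_type": "tlp", "definition": {"tlp": "green"}},
    {"type": "marking-definition", "id": AMBER, "definition_type": "tlp", "definition": {"tlp": "amber"}},
    {"type": "identity", "id": SRC, "name": "Example ISAC"},
    {"type": "campaign", "id": CAMPAIGN, "name": "Constructed banking phishing wave"},
    _ind(1, "[ipv4-addr:value = '198.51.100.7']", "2019-01-20T00:00:00Z", 80, GREEN),
    _ind(2, "[ipv4-addr:value = '198.51.100.7']", "2019-01-22T00:00:00Z", 50, GREEN),  # duplicate observable
    _ind(3, "[url:value = 'http://pay.example/login.php']", "2019-01-25T00:00:00Z", 90, AMBER),
    _ind(4, "[domain-name:value = 'stale.example']", "2017-01-01T00:00:00Z", 70, GREEN),  # too old
    _ind(5, "[email-addr:value = 'actor@mail.example']", "2019-02-01T00:00:00Z", 60),  # bare "bad list" entry
    {"type": "relationship", "id": "relationship--eeee0000-0000-4000-8000-000000000001", "relationship_type": "indicates",
     "source_ref": "indicator--dddd0000-0000-4000-8000-000000000003", "target_ref": CAMPAIGN},
]})

PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']*)'\]$")  # single-equality patterns only
CONTROLS = {"ipv4-addr": "firewall, flow data, IPS", "url": "IPS/IDS, email gateway, web proxy",  # slide table
            "domain-name": "DNS, IPS/IDS, web proxy", "file": "NGFW, email gateway, endpoint management",
            "email-addr": "email gateway, IPS/IDS"}
TLP_LEVEL = {"white": 0, "green": 1, "amber": 2, "red": 3}
AUDIENCE_MAX = {"public": 0, "partners": 1, "members": 2, "internal": 3}  # ceiling per the TLP slide

def parse_bundle(bundle_json):
    """Flatten indicators, resolving source identity, TLP marking and related campaign."""
    objs = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objs}
    campaign_of = {r["source_ref"]: by_id[r["target_ref"]]["name"] for r in objs
                   if r["type"] == "relationship" and r.get("relationship_type") == "indicates"}
    out = []
    for o in objs:
        m = PATTERN_RE.match(o.get("pattern", "")) if o["type"] == "indicator" else None
        if not m:
            continue  # non-indicators, and patterns this small parser cannot read
        tlp = [by_id[ref]["definition"]["tlp"] for ref in o.get("object_marking_refs", [])
               if by_id.get(ref, {}).get("definition_type") == "tlp"]
        out.append({"id": o["id"], "obj_type": m.group(1), "value": m.group(3),
                    "valid_from": datetime.fromisoformat(o["valid_from"].replace("Z", "+00:00")),
                    "confidence": o.get("confidence", 0), "tlp": tlp[0] if tlp else None,
                    "source": by_id.get(o.get("created_by_ref", ""), {}).get("name"),
                    "campaign": campaign_of.get(o["id"])})
    return out

def triage(indicators, observed_values, now, max_age_days=90):
    """Link/dedupe, reject context-free or stale entries, validate against local log hits, score, attach control."""
    accepted, rejected, seen = {}, [], {}
    for ind in sorted(indicators, key=lambda i: -i["confidence"]):
        key, age = (ind["obj_type"], ind["value"]), (now - ind["valid_from"]).days
        if key in seen:  # Link: observable already vetted, keep the higher-confidence record
            rejected.append((ind["id"], "duplicate of " + seen[key]))
        elif ind["source"] is None or ind["tlp"] is None:  # no provenance, no handling rule: not CTI
            rejected.append((ind["id"], "missing source or TLP marking"))
        elif age > max_age_days:  # Timely: old indicators mostly yield false positives
            rejected.append((ind["id"], f"stale ({age} days old)"))
        else:
            seen[key] = ind["id"]
            sighted = ind["value"] in observed_values  # Validate: did our own logs see it?
            accepted[ind["id"]] = dict(ind, sighted=sighted, control=CONTROLS.get(ind["obj_type"], "manual review"),
                                       score=ind["confidence"] + (20 if sighted else 0) - age // 7)
    return accepted, rejected

def ranked(accepted):  # Rank: highest score first
    return sorted(accepted.values(), key=lambda i: -i["score"])

def releasable(accepted, audience):  # Share: only what the audience's TLP ceiling allows
    return [i for i in ranked(accepted) if TLP_LEVEL[i["tlp"]] <= AUDIENCE_MAX[audience]]

def to_nids_rule(ind, sid):  # Reformat: a malware address becomes a Suricata/Snort-style rule
    assert ind["obj_type"] == "ipv4-addr", "only address indicators become network rules here"
    ctx = ind["campaign"] or ind["source"]
    return f'alert ip $HOME_NET any -> {ind["value"]} any (msg:"CTI {ctx} conf={ind["confidence"]}"; sid:{sid}; rev:1;)'

if __name__ == "__main__":
    acc, rej = triage(parse_bundle(SAMPLE_BUNDLE), {"198.51.100.7"}, DECK_DATE)  # the set = constructed log hits
    print([(i["score"], i["value"], i["control"]) for i in ranked(acc)], rej, to_nids_rule(ranked(acc)[0], 9000001), sep="\n")
```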
You Host the Connection
Indicators are pulled from the DHS TAXII server via your own TAXII capability where they can be used in multiple ways.
(Diagram: AIS Indicators; DHS TAXII Server; TAXII client (Soltra Edge, etc.); Analysts; Security devices; Database (Splunk, etc.))
STIX v1.0
• What activity are we seeing?
• What threats should I be looking for and why?
• Where has this threat been seen?
• What does it do?
• What weaknesses does this threat exploit?
• Why does it do this?
• Who is responsible for this threat?
• What can I do?
What you are looking for
• Why were they doing it?
• Who was doing it?
• What were they looking to exploit?
• What should you do about it?
• Where was it seen?
• What exactly were they doing?
• Why should you care about it?
Key Features of Sample TIP
ThreatConnect, EclecticIQ, LookingGlass, MISP, TruSTAR, CRITS, Threstelligence
Standards and Guidelines for information sharing
Challenges (reasons for not sharing)
• Quality issues
• Untrusted participants
• The natural instinct of organizations not to share
• Believing that there is little chance of a successful prosecution
• The victimized organization's unawareness of a cyber incident
• Sharing faster is not sufficient
Sample process (diagram elements): Threat Intelligence Sources; Validation; Vetted Intel; SIEM Use Cases; Security Operations Center; False Positives; Cyber Investigators; Business Partners; STIX/TAXII; Event Remediation; Cyber Intelligence Incident Response Team
SWIFT ISAC – Cyber security information sharing
Next-Gen Threat Intelligence providers
TruSTAR was selected for its unique "Connective Defense" approach to cybersecurity, which fuses threat intelligence, fraud, and physical security data into the platform for increased data correlation and collaboration across teams
Q&A