Cyber Threat Intelligence
Seyed Alireza Kamrani
Kashef Secure Electronic Management Company
Disclaimer and legal notice
This presentation has been prepared solely for awareness purposes; foreign companies or organizations are named only to illustrate global approaches. It is therefore noted that endorsing or rejecting their use is outside the scope of this presentation.
Key topics
• Introduction
• Types of threat intelligence
• Lifecycle and maturity model of cyber threat intelligence
• Standards for sharing threat information
• A brief introduction to the STIX/TAXII standard
• Cyber threat intelligence services, products and platforms
• The place of cyber threat intelligence in the SOC and CSIRT
• Threat intelligence in the banking industry
The main trends in the 2017 cyber threat landscape
• Increasing attack volume and complexity
• Threat agents of all types have advanced in obfuscation, that is, hiding their trails
• Malicious infrastructures continue their transformation
• Cyber-war is entering dynamically into cyberspace
ENISA Threat Landscape Report 2017: 15 Top Cyber-Threats and Trends, January 2018
Deloitte & Touche Middle East, Financial services threat landscape report, July 2018
* Statistics provided by IBM 2015 Cyber Security Intelligence Index Report & Ponemon Institute, 2015 Cost of Data Breach Study: Global Analysis
• 151% increase in attack indications
• 135% increase in bank data offered for sale on the black market
• 91% increase in corporate email addresses found on phishing target lists
• 40% increase in corporate credential leakage (employee or customer)
• 149% increase in stolen credit card information
• 49% rise in fake social media (profiles, apps, accounts)
Survey scope: 50 banks and financial services organizations in the US and Europe
Risk management process
• Identify
• Assess
• Mitigate
• Review
Cyber Threat Intelligence: Definition 1
CTI: Cyber Threat Intelligence
It’s an important part of managing risk
• Threat intelligence is a critical tool for enabling the threat-centric side of a security equation and, at least in part, taking the fight to the adversary by identifying, exposing and sometimes prosecuting the threat actors.
Cyber Threat Intelligence: Definition 2
CTI: Cyber Threat Intelligence
Evidence-based knowledge about a threat, including its context, indicators, evidence, mechanisms, implications and actionable advice regarding an existing or emerging hazard or threat to assets, on the basis of which an appropriate decision and action can be taken in response to the threat.
- Gartner
Types of Threat Intelligence
• Informal
• Formal
• Strategic
• Operational
• Strategic
• Tactical
• Strategic
• Operational
• Tactical
• Technical
Real World Example: Email Found on the Dark Web
• Date & time?
• Where and who had this on the dark web?
• Captured for spam?
• Stolen credentials?
• Targeted campaign?
• Without any context, what will you do?
• http://haveibeenpwned.com/
Real World Example: Phishing URL
http://www.shaparaksaman.ga/payment.php
• Collected from Telegram?
• Date & time?
• Related to what threat vector or threat?
• Mobile app?
• Propagation methods
• …
Real World Example: DDoS attack
• Campaign? Motivation?
• Internal or external?
• Botnet quality
• Related to what threat vector or threat?
• If you’re not looking, how can you protect with assurance?
• …
“Lists of bad IP addresses without context isn’t CTI”
• No ability to determine the precise nature of their badness
• No information about an actual threat and threat actors, and no sources for the conclusions
• No timing information about when the IP address was actually associated with malicious activity
• Single usage (“block this IP”) rather than a faceted range of uses that enriches your understanding of the threat
• Black and white in nature (good/bad), while intelligence is never black and white
CTI must be
• Actionable
• Timely
• Relevant and accurate
• In a structured and linked format
• Durable
Acquire Threat Intelligence
• Commercial: various services
• OSINT: social media, web sites, public resources; dark web, deep web, …
• Community-driven or industry-led: FS-ISAC, ISAOs, CSIRTs, …
Use cases by commercial provider (1)
Phishing Detection
• PhishMe
• DomainTools
Vulnerability Prioritization
• Kenna Security
• Core Security
Social Media Monitoring
• ZeroFOX
• Recorded Future
Surface, Deep and Dark Web Monitoring
• Flashpoint
• IntSights
Brand Monitoring
• Digital Shadows, BrandProtect
Threat Indicator Investigations and Response
• Verisign
• Group IB
Use cases by commercial provider (3)
Threat Intelligence Analyst Augmentation
• FireEye (iSIGHT)
• Digital Shadows
Threat Intelligence Sharing
• EclecticIQ
• ThreatConnect
Threat Actor Tracking
• Intel 471
• SenseCy
Rogue or Fake Mobile App Detection
• RiskIQ, PhishLabs, BrandProtect
Sample: Kaspersky Threat Intelligence Service
• Threat Data Feeds – enhance your SIEM solution and improve forensics capabilities using Cyber Threat Data from Kaspersky Lab.
• APT Intelligence Reporting – gain exclusive, proactive access to descriptions of high-profile cyber-espionage campaigns, including indicators of compromise (IOC).
• Customer-specific Threat Intelligence Reporting – identify externally available critical components of your network - employee social network profiles, personal email accounts and other information - that are potential targets for attack.
OSINT
Samples of community-driven / industry-led sources
• ISACs: Information Sharing and Analysis Centers collect, analyze and disseminate private-sector threat information to industry and government and provide members with tools to mitigate risks and enhance resiliency
• ISAOs: Information Sharing and Analysis Organizations
• CSIRTs
FS-ISAC
• Enable trusted sharing between members globally
• Track 500,000+ industry-specific threat indicators
• Add thousands of industry threat indicators monthly
• Process 10,000+ threat repository requests/day
• Handle 420 significant threat advisories/month
• Periodic threat calls in Europe and Asia Pacific
February 4, 2019 — FS-ISAC Confidential. © 2016 FS-ISAC
Analysis
• Full-time ISAC Analysis Team (IAT)
  o Additional analyst locations under development
• Two Security Operations Centers (SOCs), 24x7 operations (Virginia, Poland)
• Senior staff embedded at the US National Cybersecurity and Communications Integration Center (NCCIC)
  o Any information shared by FS-ISAC with government organizations is anonymous and only with the permission of the originator (submitter). The FS-ISAC community is based on trust and the originator (submitter) controls where the information goes.
• Real-time monitoring & sharing of threats, vulnerabilities and incidents as attacks unfold
“For threat intelligence, the FS-ISAC is…one of the best and most valuable resources of information I’ve ever experienced in my career.” – A Member
TLP Green
Local sources for threat hunting
• Malware analysis and reverse engineering
• Incident investigation and forensics
• Honeypots or deception solutions
• SIEM/IDS/NGFW/WAF/EP/etc. solutions
• Spam (and phishing email) traps
• Botnet connections
• …
Modern SOCs
Threat intelligence fusion
• Link: the suspect IP is not a duplicate and is linked to pre-existing data.
• Enrich: WHOIS, check against blacklists, …
• Relate: correlation, such as IP to campaign, …
• Validate and contextualize: compare with logs, other reports, …
• Rank: trust and usage
• Reformat: malware IPs into NIDS signatures
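The fusion steps above, together with the earlier point that a bare list of bad IPs without context is not CTI, carried through in code. This is an added example, not part of the slides: the feed, WHOIS table, blacklists, campaign map and firewall log lines are all constructed (RFC 5737 documentation addresses), and the scoring weights are an illustrative choice, not a standard.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample inputs (RFC 5737 documentation addresses, not real indicators).
RAW_FEED = [  # the bare "bad IP list" that the deck says is not yet CTI
    {"ip": "192.0.2.10", "source": "feed-A", "seen": "2019-01-30T10:00:00Z"},
    {"ip": "192.0.2.10", "source": "feed-B", "seen": "2019-02-01T08:00:00Z"},
    {"ip": "198.51.100.7", "source": "feed-A", "seen": "2018-06-01T00:00:00Z"},
    {"ip": "203.0.113.5", "source": "feed-C", "seen": "2019-02-02T12:00:00Z"},
]
WHOIS = {"192.0.2.10": ("AS64500", "ZZ"), "203.0.113.5": ("AS64501", "ZZ")}
BLACKLISTS = {"bl-1": {"192.0.2.10", "203.0.113.5"}, "bl-2": {"192.0.2.10"}}
CAMPAIGNS = {"192.0.2.10": "campaign-X"}  # constructed IP -> campaign link
FIREWALL_LOG = [  # constructed local firewall lines used for validation
    "2019-02-03T09:12:01Z DENY src=10.0.0.5 dst=192.0.2.10 dport=443",
    "2019-02-03T09:15:44Z DENY src=10.0.0.9 dst=192.0.2.10 dport=443",
    "2019-02-03T11:02:10Z ALLOW src=10.0.0.7 dst=198.51.100.200 dport=80",
]
MAX_AGE_DAYS = 90  # durability: an indicator not seen for this long is aged out

@dataclass
class Indicator:
    """One fused indicator: the bare IP plus the context the deck demands."""
    ip: str
    sources: list = field(default_factory=list)
    first_seen: datetime = None
    last_seen: datetime = None
    asn: str = None
    country: str = None
    blacklist_hits: int = 0
    campaign: str = None
    log_hits: int = 0
    confidence: int = 0

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def link(feed):
    """Link: de-duplicate by IP and merge every sighting into one record."""
    out = {}
    for row in feed:
        ind = out.setdefault(row["ip"], Indicator(ip=row["ip"]))
        ind.sources.append(row["source"])
        t = _ts(row["seen"])
        ind.first_seen = t if ind.first_seen is None else min(ind.first_seen, t)
        ind.last_seen = t if ind.last_seen is None else max(ind.last_seen, t)
    return out

def enrich(inds):
    """Enrich: WHOIS-style attributes and how many blacklists list the IP."""
    for ind in inds.values():
        ind.asn, ind.country = WHOIS.get(ind.ip, (None, None))
        ind.blacklist_hits = sum(ind.ip in bl for bl in BLACKLISTS.values())
    return inds

def relate(inds):
    """Relate: correlate the IP with a known campaign, if any."""
    for ind in inds.values():
        ind.campaign = CAMPAIGNS.get(ind.ip)
    return inds

def validate(inds, log_lines):
    """Validate and contextualize: count local log lines whose dst is the IP."""
    for ind in inds.values():
        ind.log_hits = 0
        for line in log_lines:
            fields = dict(kv.split("=", 1) for kv in line.split()[2:])
            if fields.get("dst") == ind.ip:
                ind.log_hits += 1
    return inds

def rank(inds, now):
    """Rank: trust score from sources, blacklists, campaign link and local sightings."""
    for ind in inds.values():
        if now - ind.last_seen > timedelta(days=MAX_AGE_DAYS):
            ind.confidence = 0  # stale: keep the record, but do not act on it
            continue
        ind.confidence = min(100, 20 * len(set(ind.sources)) + 15 * ind.blacklist_hits
                             + (25 if ind.campaign else 0) + 10 * ind.log_hits)
    return inds

def reformat(inds, threshold=50, base_sid=1000001):
    """Reformat: emit Suricata/Snort-style rules for indicators above the threshold."""
    rules = []
    for ind in sorted(inds.values(), key=lambda i: -i.confidence):
        if ind.confidence < threshold:
            continue
        msg = (f"CTI {ind.campaign or 'unattributed'} conf={ind.confidence} "
               f"src={','.join(sorted(set(ind.sources)))}")
        rules.append(f'alert ip $HOME_NET any -> {ind.ip} any '
                     f'(msg:"{msg}"; sid:{base_sid + len(rules)}; rev:1;)')
    return rules

def fuse(feed, log_lines, now):
    inds = rank(validate(relate(enrich(link(feed))), log_lines), now)
    return inds, reformat(inds)

def run_sample():
    """Run the pipeline over the constructed inputs as of 2019-02-04."""
    return fuse(RAW_FEED, FIREWALL_LOG, _ts("2019-02-04T00:00:00Z"))
```

Of the three IPs, only the one with two sources, two blacklist hits, a campaign link and local sightings clears the threshold; the stale one is kept but scored zero rather than blindly blocked.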
Where each indicator type is consumed:
• IP: firewall, flow data, IPS, …
• URL: IPS/IDS, email gateway, web proxy, …
• Domain: DNS, IPS/IDS, web proxy, …
• File hash: NGFW, email gateway, endpoint management, …
• Email address: email gateway, IPS/IDS, …
Share it!
Pick a sharing mechanism
• Web server
• File sharing site
• Threat intelligence platform (TIP)
• …
Tell people how to get it
• Internal customers
• A friend
• External Trust communities
Recent trends of CTI Sharing
• MRTI (machine-readable threat intelligence)
• TIP (threat intelligence platform)
• Open standards
Today’s Problem
Increasing Cyber Risks
• Malicious actors have become much more sophisticated & money driven.
• Losses to US companies now in the tens of millions; WW hundreds of millions.
• Cyber risks are now ranked #3 overall corporate risk on Lloyd’s 2013 Risk Index.
Manually Sharing Ineffective
• Expensive because it is a slow manual process between people.
• Not all cyber intelligence is processed; probably less than 2% overall = high risk.
• No way to enforce cyber intelligence sharing policy = non-compliance.
Tomorrow’s Solution
Solving the Problem
• Security standards recently matured.
• Cyber intelligence sharing platforms are revolutionizing sharing and utilization of threat intelligence.
Yesterday’s Security: Network Awareness. Protect the perimeter and patch the holes to keep out threats; share knowledge internally.
Today’s Problem: Intelligence Sharing. Identify and track threats, incorporate knowledge and share what you know manually with trusted others, which is extremely time consuming and ineffective in raising the costs to the attackers.
Tomorrow’s Solution: Situational Awareness. Automate sharing; develop a clearer picture from all observers’ input and proactively mitigate.
Sharing Solution (diagram): Org A, Intelligence Repository, Many Trusted Orgs; steps 1 to 5.
CTI standards
• IODEF (2007): Incident Object Description and Exchange Format
• CIF (2009): Educause Collective Intelligence Framework
• VERIS (2010): Verizon Vocabulary for Event Recording and Incident Sharing
• OpenIOC (2011): Mandiant
• MILE (2011): Managed Incident Lightweight Exchange
• OTX (2012): AlienVault Open Threat Exchange
• TLP: Traffic Light Protocol
MITRE
Traffic Light Protocol (TLP)
• RED: restricted to a defined group (e.g., only those present in a meeting). Information labeled RED should not be shared with anyone outside of the group.
• AMBER: information may be shared with FS-ISAC members.
• GREEN: information may be shared with FS-ISAC members and partners (e.g., vendors, MSSPs, customers). Information in this category is not to be shared in public forums.
• WHITE: information may be shared freely and is subject to standard copyright rules.
You Host the Connection
Indicators are pulled from the DHS TAXII server via your own TAXII capability, where they can be used in multiple ways.
Diagram: AIS indicators on the DHS TAXII server are pulled by your TAXII client (Soltra Edge, etc.) and fed to analysts, security devices and a database (Splunk, etc.).
STIX v1.0
The questions each STIX v1.0 construct answers:
• What activity are we seeing? (Observable)
• What threats should I be looking for and why? (Indicator)
• Where has this threat been seen? (Incident)
• What does it do? (TTP)
• What weaknesses does this threat exploit? (Exploit Target)
• Why does it do this? (Campaign)
• Who is responsible for this threat? (Threat Actor)
• What can I do? (Course of Action)
What you are looking for
• Why were they doing it?
• Who was doing it?
• What were they looking to exploit?
• What should you do about it?
• Where was it seen?
• What exactly were they doing?
• Why should you care about it?
Key Features of Sample TIP
ThreatConnect, EclecticIQ, LookingGlass, MISP, TruSTAR, CRITS, Threstelligence
Standards and Guidelines for information sharing
Challenges and reasons for not sharing
• Quality issues
• Untrusted participants
• The natural instinct for organizations not to share
• Believing that there is little chance of a successful prosecution
• The victimized organization’s unawareness of a cyber incident
• Sharing faster is not sufficient
Sample process (diagram labels): Threat Intelligence Sources, Validation, Vetted Intel, SIEM Use Cases, Security Operations Center, False Positives, Cyber Investigators, Business Partners (STIX/TAXII), Event Remediation, Cyber Intelligence Incident Response Team.
SWIFT ISAC – Cyber security information sharing
Next-Gen Threat Intelligence providers
TruSTAR was selected for its unique “Connective Defense” approach to cybersecurity, which fuses threat intelligence, fraud, and physical security data into the platform for increased data correlation and collaboration across teams.
Q&A