# Module 24: Threat Intelligence
:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards.
:::
### 24.1 Information Sources
---
#### 24.1.1 Network Intelligence Communities
To remain effective, network security professionals must:
- **Stay updated on the latest threats**:
  - Subscribe to real-time threat feeds.
  - Follow security-related websites, blogs, and podcasts.
  - Monitor ongoing security reports and updates.
- **Upgrade skills**:
  - Attend security workshops, training, and conferences.
> **Note**: Network security requires a strong commitment to continuous professional development due to its steep learning curve.
**Network Intelligence Communities Table**
| **Organization** | **Description** |
|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
| **SANS** | SysAdmin, Audit, Network, Security (SANS) Institute resources include:<br> - The Internet Storm Center<br> - Weekly digests (NewsBites, @RISK)<br> - Flash security alerts<br> - Reading Room with 1,200+ research papers<br> - Security courses. |
| **Mitre** | Maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations. |
| **FIRST** | Forum of Incident Response and Security Teams brings together response teams from government, commercial, and educational organizations for cooperation and information sharing. |
| **SecurityNewsWire** | A security news portal aggregating the latest breaking news on alerts, exploits, and vulnerabilities. |
| **(ISC)<sup>2</sup>** | Provides vendor-neutral education products and career services for 75,000+ professionals across 135+ countries. |
| **CIS** | The Center for Internet Security (CIS) supports SLTT governments with threat prevention, protection, response, and recovery via MS-ISAC, offering 24x7 cyber threat warnings. |
---
#### 24.1.2 Cisco Cybersecurity Reports
- **Reports**: Cisco provides two key cybersecurity reports:
  1. **Annual Cybersecurity Report**
  2. **Mid-Year Cybersecurity Report**
- **Purpose**:
  - Analyze top vulnerabilities and threats.
  - Report on the explosion of attacks using adware, spam, and similar methods.
  - Provide mitigation techniques to address current and emerging threats.
> **Action**: Cybersecurity analysts should download and study these reports to understand threat actor behaviors and improve network defenses.
> **Tip**: Search for "Cisco Cybersecurity Reports" on the Cisco website to access these valuable resources.
>[!Warning]Recap
>There are many organizations which provide network intelligence. Network security organizations include SANS, Mitre, FIRST, SecurityNewsWire, (ISC)$^2$, and CIS. You must keep abreast of the latest threats and continue to upgrade your skills. The Cisco Annual Cybersecurity Report and the Mid-Year Cybersecurity Report are great resources to use. It is also useful to read blogs and listen to podcasts.
---
#### 24.1.3 Security Blogs and Podcasts
- **Purpose**:
  - Stay informed about the latest threats, exploits, and vulnerabilities.
  - Learn about mitigation techniques and emerging security trends.
- **Cisco Resources**:
  - **Cisco Security Blogs**:
    - Written by industry experts, including insights from the Cisco Talos Group.
    - Notifications for new blog posts can be subscribed to via email.
  - **Cisco Talos Podcasts**:
    - Over 80 episodes covering security research and threat analysis.
    - Podcasts can be streamed online or downloaded.
> **Action**: Regularly follow these blogs and podcasts to ensure you stay ahead of evolving cybersecurity challenges.
### 24.2 Threat Intelligence Services
---
#### 24.2.1 Cisco Talos
- **Purpose**: Cisco Talos Threat Intelligence Group protects enterprise users, data, and infrastructure from adversaries.
- **Features**:
  - World-class researchers collect and analyze information about active, existing, and emerging threats.
  - Provides real-time protection to Cisco security products using threat intelligence.
  - Maintains **Snort.org**, **ClamAV**, and **SpamCop** security tools for incident detection.
- **Benefit**: Talos distributes firewall rules and Indicators of Compromise (IOCs) to its subscribers.
---
#### 24.2.2 FireEye
- **Approach**: Combines **security intelligence**, **security expertise**, and **technology**.
- **Key Tools**:
  - **Helix Security Platform**: Combines SIEM and SOAR, advanced behavioral threat detection, and FireEye Mandiant threat intelligence.
  - **FireEye Security System**:
    - Blocks web and email threat vectors.
    - Detects latent malware on file shares.
    - Uses signature-less stateful attack analysis to block zero-day threats.
- **Focus**: Protects enterprises from advanced malware that bypasses traditional defenses.
---
#### 24.2.3 Automated Indicator Sharing (AIS)
- **Provider**: U.S. Department of Homeland Security (DHS).
- **Function**: Enables real-time sharing of **cyber threat indicators** like:
  - Malicious IP addresses.
  - Phishing sender addresses.
- **Goal**: Share emerging threats immediately with the community to enhance protection.
---
#### 24.2.4 Common Vulnerabilities and Exposures (CVE) Database
- **Created By**: MITRE Corporation, sponsored by the U.S. government.
- **Purpose**: Catalogs publicly known **cybersecurity vulnerabilities** with unique **CVE Identifiers**.
- **Benefit**: Simplifies data sharing about vulnerabilities.
---
#### 24.2.5 Threat Intelligence Communication Standards
To share cyber threat intelligence (CTI) consistently, the following **open standards** have been developed:
1. **Structured Threat Information Expression (STIX)**:
   - Standardizes the exchange of threat information between organizations.
   - Incorporates **Cyber Observable Expression (CybOX)**.
2. **Trusted Automated Exchange of Indicator Information (TAXII)**:
   - An application layer protocol for sharing CTI over **HTTPS**.
   - Designed to support **STIX**.
3. **Cyber Observable Expression (CybOX)**:
   - Provides schemas to capture and communicate network events, aiding in many cybersecurity functions.
4. **Malware Information Sharing Platform (MISP)**:
   - An open-source platform for sharing **Indicators of Compromise (IOCs)**.
   - Supported by the **European Union** and used globally by 6,000+ organizations.
   - Integrates with STIX and other export formats for automated sharing.
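As an added example (not from the course or from any of the projects above), the snippet below builds a minimal STIX 2.1 bundle of the kind exchanged over TAXII, with an Indicator whose pattern carries an IP-address IOC, then extracts that IOC and checks it against constructed firewall log lines. The IP, timestamp, malware name and log lines are all made up; only the Python standard library is used.

```python
"""Added example: build a minimal STIX 2.1 bundle and use its Indicator to
check constructed firewall log lines. Stdlib only; all values are made up."""
import re
import uuid

# Fixed timestamp and a TEST-NET-3 documentation address: constructed, not real IOCs.
NOW = "2024-01-15T12:00:00.000Z"
BAD_IP = "203.0.113.45"

def stix_id(obj_type: str) -> str:
    """STIX 2.1 identifiers have the form '<type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"

def build_bundle(ip: str, malware_name: str = "hypothetical-loader") -> dict:
    """Indicator (STIX pattern) --indicates--> Malware, wrapped in a Bundle."""
    common = {"spec_version": "2.1", "created": NOW, "modified": NOW}
    indicator = {**common, "type": "indicator", "id": stix_id("indicator"),
                 "name": f"C2 address for {malware_name}",
                 "indicator_types": ["malicious-activity"],
                 "pattern": f"[ipv4-addr:value = '{ip}']",
                 "pattern_type": "stix", "valid_from": NOW}
    malware = {**common, "type": "malware", "id": stix_id("malware"),
               "name": malware_name, "is_family": False}
    rel = {**common, "type": "relationship", "id": stix_id("relationship"),
           "relationship_type": "indicates",
           "source_ref": indicator["id"], "target_ref": malware["id"]}
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [indicator, malware, rel]}

# Only the simplest pattern form is handled: one "[type:prop = 'value']" comparison.
SIMPLE_PATTERN = re.compile(r"\[([\w-]+):([\w.]+)\s*=\s*'([^']*)'\]")

def extract_iocs(bundle: dict) -> list[tuple[str, str, str]]:
    """Return (object type, property, value) for each simple Indicator pattern."""
    out = []
    for obj in bundle["objects"]:
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            m = SIMPLE_PATTERN.fullmatch(obj["pattern"])
            if m:
                out.append(m.groups())
    return out

def match_logs(bundle: dict, lines: list[str]) -> list[str]:
    """Flag lines where a whole field equals an IPv4 IOC, so 203.0.113.4 never matches .45."""
    ips = {v for t, p, v in extract_iocs(bundle) if (t, p) == ("ipv4-addr", "value")}
    return [ln for ln in lines if ips & set(re.split(r"[\s=,]+", ln))]

# Constructed firewall log lines; the second is a near-miss that must not match.
LOGS = ["2024-01-15T12:01:02Z fw1 DENY src=10.0.0.7 dst=203.0.113.45 dport=443",
        "2024-01-15T12:01:03Z fw1 ALLOW src=10.0.0.8 dst=203.0.113.4 dport=443"]
```

Calling `match_logs(build_bundle(BAD_IP), LOGS)` returns only the first log line; a real TIP would serialize the bundle with `json.dumps` and publish it through a TAXII collection, and would need a full STIX pattern parser rather than the single-comparison regex used here.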
---
#### 24.2.6 Threat Intelligence Platforms (TIP)
- **Definition**: Centralizes threat data from various sources into one platform for better usability.
- **Three Major Types of Threat Intelligence Data**:
  1. **Indicators of Compromise (IOC)**: Signs of intrusion.
  2. **Tools, Techniques, and Procedures (TTP)**: Methods used by threat actors.
  3. **Reputation Information**: Data on internet domains or destinations.
- **Purpose**:
  - Aggregates overwhelming threat intelligence data.
  - Presents actionable insights for cybersecurity professionals.
- **Contribution**:
  - Organizations share their intrusion data via automation.
  - Subscriber data enhances products and stays up-to-date with emerging threats.
- **Honeypots**:
  - Simulated servers/networks to attract attackers and gather threat-related information.
  - Hosting honeypots in the cloud isolates them from production systems, mitigating risks.
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](nswers.net/20-2-7-check-your-understanding-identify-the-threat-intelligence-information-source-answers.html).
:::
>[!Warning]Recap
>Threat intelligence services allow the exchange of threat information such as vulnerabilities, indicators of compromise (IOC), and mitigation techniques. This information is not only shared with personnel, but also with security systems. As threats emerge, threat intelligence services create and distribute firewall rules and IOCs to the devices that have subscribed to the service. One such service is the Cisco Talos Threat Intelligence Group. FireEye is another security company that offers services to help enterprises secure their networks. FireEye uses a three-pronged approach combining security intelligence, security expertise, and technology. FireEye offers SIEM and SOAR with the Helix Security Platform, which uses behavioral analysis and advanced threat detection and is supported by the FireEye Mandiant worldwide threat intelligence network. The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS). AIS enables the real-time exchange of cyber threat indicators between the U.S. Federal Government and the private sector. The United States government sponsored the MITRE Corporation to create and maintain a catalog of known security threats called Common Vulnerabilities and Exposures (CVE). Three common threat intelligence sharing standards include Structured Threat Information Expression (STIX), Trusted Automated Exchange of Indicator Information (TAXII), and CybOX. These open standards provide the specifications that aid in the automated exchange of cyber threat intelligence information in a standard format.