
Where did the need for Threat Intelligence come from?

Statistics show that the number of threats is growing rapidly every day. For example, according to analytics conducted by the Pandalabs anti-virus laboratory at Panda Security for the first quarter of 2017, the number of new types of threats is increasing daily by 350,000.

Attacks and compromises can occur in minutes, while the Attack → Compromise → Data Leakage → Incident Detection → Response and Resolution cycle takes days, weeks, and even months. Most often, detection happens only after the attacker has already compromised data. At the same time, according to Cisco's annual information security report, security specialists are able to process only 56% of incoming threat reports during their working day, and of those alerts only every second one is recognized as legitimate (i.e., 28%). Thus, 44% of incidents are ignored!



At the same time, the market is critically short not only of resources to handle all incidents, but also of a common system that would make it possible to react in the early stages of cyber attacks, ideally before exploitation, and also to accumulate distributed knowledge about threats, share the received data, investigate the causes of threats and respond to them instantly. To accumulate information about possible threats faster, you should strive to share useful data from a wide range of sources. At the same time, it is important that this information be standardized, that is, that the standards and protocols for transmitting and providing data are agreed in advance.



Threat tracking is one of the most important functions for effective business protection. TI is a system that lets you learn about threats and attacks before they can harm you. If an incident does occur, TI allows it to be responded to, analyzed and investigated, while expanding the knowledge base with context, mechanisms, indicators of compromise and analytics about existing or potential threats.



Threat Intelligence Tasks






Figure 1. Threat Intelligence Tasks



Exploration and data collection on vulnerabilities and threats

TI should be integrated into the security system and should provide the ability to centrally collect information from open and closed sources about vulnerabilities and threats.



Analytics

TI should analyze the collected data and accumulate a knowledge base for detecting and disclosing threats and for developing and issuing recommendations on responding to them.



Data exchange

TI should also provide real-time data sharing. Analytical information should be instantly disseminated in a standardized format to both internal and external security tools.



Prompt alert

TI should promptly notify about attacks and threats at any endpoint, using a single standardized database with classified data.



Types of Threat Intelligence



TI involves working with three types of data: tactical, operational, and strategic.



Tactical

Attack data: the tools, tactics, techniques and procedures (TTP) that attackers use, and indicator of compromise (IoC) data, i.e. discrete data for detecting signs of malicious activity in the infrastructure.



Operational

Data on current and predicted attacks, obtained by tracking new threat vectors, the kill chain, ways of compromising information processes, etc.



Strategic

Analytical data on global threat trends, used to develop a strategy for the further development of the information security system.



What is needed to build a Threat Intelligence process



To build processes for detecting threats and responding to them, using measures based on information received from all available external and internal sources, it is necessary to:



• identify data sources (feeds), i.e. where to get the source data for indicators of compromise (both internal and external);



• conduct internal analytics: within the organization there may be many specialists and experts in related departments who can identify and consolidate useful information in this area;



• introduce open standards and protocols for transmitting and providing data, for effective communication between different data sources. At this stage, it is important that all threats be described, grouped into compromise classes and transferred successfully;



• implement a platform for processing and analyzing data. It is necessary to decide whether this will be an in-house solution or a ready-made open-source one, which may already include feeds, APIs, support for standards and protocols, integrations with various systems, etc.



Data sources



Internal data sources

First of all, analytics can be conducted within the company, gathering information with, for example, a SIEM or log management (LM) system together with the internal security tools. This yields useful data such as:



• anomalies in network traffic (Netflow / jFlow / sFlow);



• activity from unusual IP addresses;



• DNS queries;



• URL and URI;



• SMTP headers;



• email addresses;



• samples of malicious code;



• user activity;



• failed login attempts;



• administrative access;



• operations with the DBMS;



• connections at atypical ports;



• the emergence of atypical protocols;



• inconsistency of packet sizes for service protocols with standards;



• addresses of anonymizers;



• User Agent in HTTP;



• malicious IP;



• reputation of users, sites and files, etc.



External data sources

To extend the capabilities of the security tools, external resources that can be queried for IoCs and other threat data must be defined. Depending on the company's needs, the following key factors should be taken into account when choosing feed sources:



• source type;



• support for various data formats (JSON, XML, CybOX, STIX, CSV, etc.);



• frequency of information provided;



• amount of data provided;



• trust in the source that provides the data;



• compliance with the company's infrastructure;



• price.



Most popular external feed sources





Figure 2. Most popular external feed sources



Internal Analytics



In addition to internal and external feeds, independent analytics can be conducted within the company, given:



• incident investigators;



• malware analyst experts;



• specialists who track “hot” news in the field of information security, for example:



o compromised and infected sites;

o phishing resources;

o hashes of malicious files;

o processes in which malicious code was detected;

o registry keys, etc.



• information that is revealed in real time.



All information found at this stage should be checked and tested by the relevant experts and only then recorded in a single source. Besides verification and testing, it is also important at this stage to formulate recommendations for mitigating the possible risks.



TI Standards



All identified threats should be described in a standardized way, and it must be possible to transmit information about them. Currently, there are many open standards and protocols that solve these data representation and transfer tasks. The most popular are considered below.



STIX (Structured Threat Information eXpression) is a standard for representing cyber threat information (CTI) in a unified way. It allows descriptions of various threats and their related parameters to be shared across different domains. STIX provides unified incident information, including:



o observables (for example, the creation of a registry key, network traffic to certain IP addresses, sending email from a specific address, etc.);

o indicators;

o incidents;

o tactics, techniques and procedures of the attacker (attack patterns, malware, exploits, etc.);

o exploitation targets (for example, vulnerabilities, security weaknesses or misconfigurations);

o courses of action (incident response or fixes for security vulnerabilities);

o campaigns (sets of incidents, TTP);

o threat actors (identification and characteristics of the adversary).



The STIX architecture is shown below:





Figure 3. STIX Architecture



CybOX (Cyber Observable eXpression) is a standard that provides a common framework for describing and representing indicators of observed security events. To date, over 70 different observable object types have been defined: file, network connection, HTTP session, network traffic, X.509 certificate, etc.



TLP (Traffic Light Protocol) is a protocol that lets you "paint" information in one of four colors, which determine who the received threat information may be passed on to:

- RED: information is not for further distribution;

- AMBER: available only within the organization;

- GREEN: available only within the sector or community;

- WHITE: available to all.
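As an added illustration (not code from the article or from any platform it names) of how the STIX objects and TLP markings described above fit together in practice: a constructed STIX 2.1 bundle is parsed for IoCs, the IoCs are matched as whole tokens against constructed proxy and DNS log lines of the kind listed under internal data sources, and each hit carries its TLP color so the sharing rule can be applied. All ids, addresses and log lines are made up, and only the single-comparison STIX pattern form is handled.

```python
import re
# Constructed STIX 2.1 bundle (sample data, not from a real feed; ids made up).
# TLP marking-definitions carry the colour; indicators reference them by id.
AMBER = "marking-definition--00000000-0000-4000-8000-00000000aaaa"
GREEN = "marking-definition--00000000-0000-4000-8000-00000000bbbb"
BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "marking-definition", "spec_version": "2.1", "id": AMBER,
     "definition_type": "tlp", "definition": {"tlp": "amber"}},
    {"type": "marking-definition", "spec_version": "2.1", "id": GREEN,
     "definition_type": "tlp", "definition": {"tlp": "green"}},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "name": "C2 address (constructed)", "object_marking_refs": [AMBER],
     "pattern": "[ipv4-addr:value = '203.0.113.45']"},
    {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
     "id": "indicator--00000000-0000-4000-8000-000000000003",
     "name": "Phishing domain (constructed)", "object_marking_refs": [GREEN],
     "pattern": "[domain-name:value = 'login.example.net']"},
]}

# Handles only the single-comparison pattern form "[type:property = 'value']".
PATTERN_RE = re.compile(r"\[\s*([\w-]+):([\w.]+)\s*=\s*'([^']*)'\s*\]")
TLP_ORDER = ["red", "amber", "green", "white"]  # TLP v1, most to least restrictive

def extract_iocs(bundle):
    """Return (object_type, value, tlp) for each simple STIX indicator in the bundle."""
    tlp_by_id = {o["id"]: o["definition"]["tlp"] for o in bundle["objects"]
                 if o["type"] == "marking-definition" and o.get("definition_type") == "tlp"}
    iocs = []
    for o in bundle["objects"]:
        m = o["type"] == "indicator" and PATTERN_RE.fullmatch(o.get("pattern", ""))
        if not m:
            continue
        refs = [tlp_by_id[r] for r in o.get("object_marking_refs", []) if r in tlp_by_id]
        # An indicator without a recognised TLP marking is treated as TLP:RED.
        iocs.append((m.group(1), m.group(3), refs[0] if refs else "red"))
    return iocs

def match_logs(iocs, logs):
    """Return (log_line, ioc_type, value, tlp) for every IoC present as a whole token."""
    return [(line, t, v, tlp) for line in logs
            for t, v, tlp in iocs if v in set(re.split(r"[^\w.-]+", line))]

def may_share(item_tlp, channel_tlp):
    """True if an item marked item_tlp may go to a channel whose reach is channel_tlp."""
    return TLP_ORDER.index(channel_tlp) <= TLP_ORDER.index(item_tlp)

# Constructed proxy and DNS log lines, the kind of internal data the article lists.
LOGS = [
    "2017-05-02T10:14:03Z proxy src=10.0.0.7 dst=203.0.113.45 url=http://203.0.113.45/upd",
    "2017-05-02T10:14:09Z dns client=10.0.0.12 query=login.example.net",
    "2017-05-02T10:15:00Z dns client=10.0.0.12 query=intranet.corp.example",
]
```

Running `match_logs(extract_iocs(BUNDLE), LOGS)` yields two hits: the AMBER-marked C2 address, which `may_share` allows only inside the organization, and the GREEN-marked phishing domain, which may be passed on to the community.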



IODEF (Incident Object Description Exchange Format, RFC 5070) is a standard that defines over 30 classes and subclasses of incident data in XML format, including information on contacts, financial damage, time, affected operating systems and applications, etc. IODEF is a fairly mature standard and is already widely used. IODEF-SCI (IODEF for Structured Cyber Security Information) is an extension that allows additional data to be attached to IODEF: attack patterns, platform information, vulnerabilities, mitigation instructions, severity level, etc.



OpenIOC (Open Indicators of Compromise) is an open standard for describing indicators of compromise. It is built on XML and contains over 500 different indicators, mainly host-based: file, driver, disk, process, registry, system, hash, etc.



MISP is an open, JSON-based format for the structured description of indicators and of information about threats, threat actors, financial fraud, etc.



VERIS (Vocabulary for Event Recording and Incident Sharing) is a standard for describing threats and incidents. The VERIS schema consists of five parts:

- Incident Tracking;

- Victim Demographics;

- Incident Description;

- Discovery & Response;

- Impact Assessment.



TAXII (Trusted Automated Exchange of Intelligence Information) is a standard that unifies the exchange of cyber threat information (CTI) expressed in STIX, carried over HTTPS.



There are several ways to exchange data:

- Hub and Spoke. One organization acts as a clearing house, the hub, for all other participants in the exchange, the spokes. A spoke shares information with the hub, which re-shares it with the rest of the spokes.

- Source / Subscriber. One organization acts as the source of information for all other companies.

- Peer to Peer. Each organization can act as both a producer and a consumer of information.







TAXII may include the following services, which can be used together or separately:

- Inbox: a service for receiving content pushed by another party.

- Poll: a service for requesting content.

- Collection Management: a service for working with data collections.

- Discovery: a service providing information about the services supported.



VEDEF (Vulnerability and Exploit Description and Exchange Format) is a standard for exchanging information about vulnerabilities and exploits.





Figure 4. Vulnerability and Exploit Description and Exchange Format





Figure 5. Vulnerability and Exploit Description and Exchange Format



CAIF (Common Announcement Interchange Format) is an XML-based standard for storing and exchanging security announcements. It provides a basic set of elements for describing the main security-related issues, and importantly, that set of elements can be extended. It allows information to be grouped for more than one target audience and supports multilingual text descriptions in a single document.



MMDEF (The Malware Metadata Exchange Format) is a standard for exchanging malware metadata.



RID (Real-time Inter-network Defense) is a protocol, built on HTTP / HTTPS, that allows different security systems to interact.



Vulnerability Management Standards



MITRE (a government-sponsored organization that operates FFRDCs) maintains the following:



CVE (Common Vulnerabilities and Exposures) is a standard that defines a single naming scheme for vulnerabilities.



OVAL (Open Vulnerability and Assessment Language) is an open language describing vulnerabilities in scanners and security analysis systems.



CCE (Common Configuration Enumeration) - a standard for describing configurations that can be further tested in scanners and security analysis systems.



CEE (Common Event Expression) is a standard for describing, storing and exchanging alerts between heterogeneous security tools.



CME (Common Malware Enumeration) - a standard similar to CVE, but focused on malware.



CWE (Common Weakness Enumeration) - a standardized set of weak points in software.



CPE (Common Platform Enumeration) - standard for describing and naming elements of the IT infrastructure.



CAPEC (Common Attack Pattern Enumeration and Classification) - standard classification of attack patterns.



CRF (Common Result Format) - a standard for describing test results or assessing security.



SCAP (Security Content Automation Protocol) is an automation protocol for managing security data. It is a set of open standards defining technical specifications for the representation and exchange of security data.



CVSS (Common Vulnerability Scoring System) - the standard for prioritizing vulnerabilities.



Platform for processing and analyzing data



TI platforms are designed primarily to collect indicators of compromise from various sources. They must also classify the indicators and trigger appropriate follow-up actions.



The choice of platform should depend directly on the scale of the planned TI system. For a powerful TI system, you can consider platforms such as MITRE CRITs, Maltego, ThreatConnect, IBM i2, etc.; for a simpler implementation, you can use open-source solutions, in which case price is prioritized over scale, functionality and support. The most popular platforms are considered below.



Anomali ThreatStream



• A wide variety of feeds.





Figure 6. A wide variety of feeds



• Integration with many IS products and SIEM systems.





Figure 7. Integration with many IS products and SIEM systems



• Providing detailed information on the investigation of threats.



• API availability.



MANTIS (Model-based Analysis of Threat Intelligence Sources)

A threat management platform that can import threat information in the OpenIOC, IODEF, CybOX, STIX and TAXII standards. An example of imported STIX data:





Figure 8. Sample imported STIX data





Figure 9. Sample imported STIX data



CIF (Collective Intelligence Framework)



• The ability to collect and combine threat information from various sources supporting CIF.



• Use the information received to identify incidents.



• Detection and neutralization of threats by generating rules for Snort, iptables and other means of protection.



• Predominantly works with IP addresses, domain names and URLs associated with malicious activity.



• It uses IODEF as its storage format.



• Open-source platform.



• Availability of feeds and APIs.





Figure 10. Collective Intelligence Framework



IBM X-Force Exchange



• Threat analysis with a minute-by-minute dynamic update.



• Track threats from more than 25 billion web pages and images.



• Supported by a database containing information on more than 96,000 threats.



• Analysis of more than 8 million attacks using spam and phishing.



• Tracking reputation data of 820,000 malicious IP addresses.



• Integration between IBM Security products and X-Force Exchange analysis data.



• The ability to link threats with protection products has been implemented.



• Ability to integrate with other security solutions based on the STIX and TAXII standards via a RESTful API.



• Ability for subscribers to integrate threat analysis data from the X-Force Exchange into their own operations, including a corporate security center (SOC) or development environment (DevOps).



MISP



• Open-source platform for creating, processing, exchanging and collaborating on threat information.



• Flexible automation via an API.



• Supports its native format as well as imports of STIX, OpenIOC, text and CSV data.



• Support for automatic secure exchange of information about threats between different participants.



• Automatic generation of rules for IDS, SIEM, Bro, Snort, Suricata, etc.



Conclusion



Cybercriminals have long used the experience of others to launch new, more sophisticated attacks. For a long time the security industry developed as a closed one: no one shared useful knowledge and experience on detecting threats and preventing attacks.



TI is a large knowledge base about threats and attackers, which accumulates information about the methods attackers use to cause damage and how to counter them. TI works with dynamic information about threat sources and signs of compromise.



Of course, TI will not prevent every threat, but it is a powerful modern tool against cybercrime that helps to quickly identify the direction from which attacks are coming and to defend against them.



Author: Oksana Kotereva, Solution Manager

Informzaschita Company, o.kotereva@infosec.ru

Source: https://habr.com/ru/post/336676/


