Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


How to Make an Enterprise Threat Intelligence Plan

Posted by fleschner at 2020-02-28

0x00 Preface

Last week I spent a week with friends from abroad, and this week I finished five days' work in four. Now I am waiting for my plane at the airport. While waiting, I suddenly remembered a discussion in a large group chat last week; its core question was how to operate threat intelligence, and that is where today's article comes from. To be clear up front: today's article is written entirely from the standpoint of Party A (the enterprise that buys and runs security), and it may not apply to threat intelligence roles on the Party B (vendor) side. This article will mainly discuss the following issues:

Please read on; if you don't like it, don't flame.

0x01 Operability vs. High Precision of Threat Intelligence

For Party A, strictly speaking, the source of threat information does not have to be external; most of it comes from analysis of internal data. Internal data boils down to three things: logs, traffic and alerts. Most threat intelligence products on the market rely on full-traffic analysis plus log ingestion, and then go to the cloud to match IOCs (generally IP addresses, MD5 hashes and the like). There is a fatal problem here: the vast majority of environments where a so-called TIP or "threat intelligence perception" product is deployed cannot connect to the Internet, so every time the vendor has to send someone to upload the signature library to the platform by hand, the so-called "pseudo cloud". But in fact the IOC content we need from threat intelligence is not that list of indicators. What we need is "knowledge that can be used to mitigate or eliminate the loss caused by a threat"; that is the real requirement.

In line with the principle that security data must be operable, we must do our best to ensure that the intelligence we output is true, effective, highly reliable and actionable. To quote an article by my boss:

With that in mind, we can set a rough evaluation standard for our own fintel (finished intelligence) deliverables:

In this way we can make sure that our fintel output forms an operational closed loop and does not cause security operators to ignore threat intelligence because there are too many alerts. Intelligence that is ignored is equivalent to no output at all (remember, Party A pays for output, and will not pay you more because your technique looks impressive).

At this point many people will ask how to choose threat intelligence that is both high-precision and operable. If you have Party B security experience, your mentor will certainly have told you to hand the customer a report. From chatting with friends, I found that many companies have only two ways of doing threat intelligence. The first is the easiest to implement: write a crawler and an API data-acquisition tool to pull data from threat intelligence websites or a commercial threat intelligence interface, then build an impressive "map gun" (an animated attack map) and put it on the big screen. The second is slightly more technical: on top of the first, deploy a Suricata IDS or a Bro IDS, feed all the traffic into them, run them with Snort and Emerging Threats rules, and then build an impressive attack map for the big screen. We will not discuss the advantages or disadvantages of the two approaches here. First ask yourself: can you guarantee the quality of the source data, and has your local traffic data been cleaned? Third-party source data is hard to control; used this way, it is no different from using garbage data to produce garbage data.

In fact, the point of Party A's threat intelligence is to close the intelligence loop and really let threat intelligence play its role: finding threats in time and guiding security planning. When doing threat intelligence, finding potential threats by constantly adjusting the intelligence baseline is what Party A's threat intelligence is for.

0x02 Content of Threat Intelligence

The above describes how to measure the operability and accuracy of threat intelligence. Next, in order to close the intelligence loop, we must explain the content delivered as fintel.

For fintel, the complete life cycle of a threat intelligence item has three phases: computation, transmission and destruction. In a word, fintel is generated by a series of algorithms, delivered to the consumer, and destroyed once it expires. So the related indicators are: the content, the consumer (or operator), the expiry signal, and the destruction operation. Let's elaborate:

Of course, the above content comes from the U.S. military's intelligence indicators and from my own experience operating an intelligence system. The specific content needs to be added to or cut down in combination with the corresponding intelligence types and intelligence needs.

The above content summed up in one sentence: reduce the response time as much as possible, and make it as simple as possible for security operations personnel to handle the threat that a threat intelligence notification describes and complete the closed loop.
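To make the two points above concrete, here is an added example (not code from the original post, and not a vendor product): a minimal fintel record carrying the four indicators listed above (content, consumer, expiry signal, destruction), a delivery gate that rejects items that do not meet the reliability bar, and a matcher that runs live items against internal log lines of the kind mentioned in 0x01 (firewall and endpoint logs, matched on IP and MD5 IOCs). All field names, the IOC values and the log lines are constructed for the example; the threshold and TTL values are assumptions, and the "expired item never fires" behaviour is the failure mode the lifecycle is meant to prevent.

```python
"""Finished-intelligence (fintel) item with a lifecycle, matched against
internal logs.  Added example: every indicator, log line and field name
below is constructed for illustration; none comes from the original post."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


@dataclass(frozen=True)
class Fintel:
    """One fintel item: content plus consumer, expiry signal and confidence."""
    ioc_type: str        # "ip" or "md5" (the only types this example matches)
    value: str           # the indicator itself
    threat: str          # what a match means
    action: str          # the operable part: what the operator should do
    consumer: str        # demand side / operator who receives the item
    confidence: float    # 0.0-1.0 reliability of the source
    created: datetime
    ttl: timedelta       # expiry signal fires at created + ttl

    def is_expired(self, now: datetime) -> bool:
        return now >= self.created + self.ttl


class FintelStore:
    """Holds delivered fintel and runs it against internal data (logs)."""

    def __init__(self, min_confidence: float = 0.8):
        self.min_confidence = min_confidence  # assumed reliability bar
        self._items: dict[tuple[str, str], Fintel] = {}

    def deliver(self, item: Fintel) -> bool:
        """Transmission step: accept only items that are reliable enough and
        carry an action; anything else would just add alerts to be ignored."""
        if item.confidence < self.min_confidence or not item.action:
            return False
        self._items[(item.ioc_type, item.value.lower())] = item
        return True

    def match(self, log_line: str, now: datetime) -> list[Fintel]:
        """Return live items whose IOC appears in one log line.  Expired
        items never match, even if destruction has not run yet."""
        keys = [("ip", m) for m in IPV4_RE.findall(log_line)]
        keys += [("md5", m.lower()) for m in MD5_RE.findall(log_line)]
        hits = []
        for key in keys:
            item = self._items.get(key)
            if item is not None and not item.is_expired(now):
                hits.append(item)
        return hits

    def destroy_expired(self, now: datetime) -> int:
        """Destruction step: drop items whose expiry signal has fired."""
        dead = [k for k, v in self._items.items() if v.is_expired(now)]
        for k in dead:
            del self._items[k]
        return len(dead)


T0 = datetime(2020, 2, 28, 9, 0, tzinfo=timezone.utc)

# Constructed fintel items (documentation-range IPs, made-up hash).
SAMPLE_FINTEL = [
    Fintel("ip", "203.0.113.7", "C2 of a commodity loader",
           "block at egress, isolate source host", "soc-l1", 0.9, T0,
           timedelta(days=7)),
    Fintel("md5", "0123456789abcdef0123456789abcdef", "loader dropper",
           "quarantine file, pull EDR timeline", "soc-l2", 0.85, T0,
           timedelta(days=30)),
    # Low confidence: should be rejected at delivery, not shown to operators.
    Fintel("ip", "198.51.100.23", "mass scanner", "none", "soc-l1", 0.4, T0,
           timedelta(days=1)),
    # Reliable but stale: created 30 days ago with a 14-day TTL.
    Fintel("ip", "192.0.2.55", "old phishing host", "block", "soc-l1", 0.95,
           T0 - timedelta(days=30), timedelta(days=14)),
]

# Constructed internal log lines: firewall and EDR style.
SAMPLE_LOGS = [
    "2020-02-28T09:05:00Z fw deny src=10.0.0.12 dst=203.0.113.7 dport=443",
    "2020-02-28T09:06:00Z fw allow src=10.0.0.12 dst=192.0.2.55 dport=80",
    "2020-02-28T09:07:00Z edr exec host=ws-17 "
    "md5=0123456789ABCDEF0123456789abcdef path=C:\\Users\\a\\update.exe",
    "2020-02-28T09:08:00Z fw allow src=10.0.0.9 dst=198.51.100.23 dport=22",
]


def run_example(now: datetime = T0 + timedelta(minutes=10)):
    """Deliver, match, then destroy; returns what each step decided."""
    store = FintelStore(min_confidence=0.8)
    accepted = [store.deliver(f) for f in SAMPLE_FINTEL]
    alerts = [(hit.consumer, hit.value, hit.action)
              for line in SAMPLE_LOGS for hit in store.match(line, now)]
    destroyed = store.destroy_expired(now)
    return accepted, alerts, destroyed


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

Only two of the four constructed items produce alerts: the low-confidence scanner IP never reaches the store, and the stale phishing host is rejected by the matcher and then removed by the destruction step, so operators see one actionable line per real hit rather than a stream of noise.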

0x03 "Threat Intelligence" or threat intelligence

The discussion here may make some people uncomfortable. In Party A's view, threat intelligence should not simply be the purchase of a service, the purchase of a data collection API, or the purchase of a so-called TIP platform in an iron box with chips in it that nobody can actually use. As I mentioned in a previous article, threat intelligence work is a complete ecosystem including operations, data, people, system platforms and a life cycle. The technology of threat intelligence centres on data, analysis, operations and people. So if you really need threat intelligence, you have to understand whether what you need is "Threat Intelligence" as a product, or threat intelligence in the sense of intelligence about the threats you actually face.

Threat intelligence in that second sense requires you to obtain targeted intelligence on the basis of understanding the threats in your own environment. In other words, your systems may face multiple threats. For example, at the level of your system infrastructure there is a large amount of middleware and development technology. Once a vulnerability in one of them breaks out, a PoC that hits it precisely, an exploit combined with an attack payload, or a sophisticated network weapon built on it will pose a threat to your system. You need to collect who is attacking others with this kind of thing, who is building this kind of thing, who is hitting your peers with it (what hits your peers may also hit you), and so on. These are your concerns. Let's draw a picture to show it:

The picture above may not be very precise. The points I want to express are the following:

In this way you may be able to make a usable threat intelligence plan. As for how to do the correlation and the related algorithms, I will write about them later (actually, I want to submit them to a conference).

0x04 Summary

This article was only updated now because of my slow hands and uncooperative machines; please forgive me. If any partner is willing to study threat intelligence operations and analysis with me, please send your resume. Of course, we also welcome other data-related security experts. If you feel you are very good at data security analysis, please send your resume to elknot # or Zha Oyan17 Chen; according to the boss, if you are really awesome, we will happily customize a JD for you.