{"id":1415,"date":"2021-04-01T06:00:42","date_gmt":"2021-04-01T06:00:42","guid":{"rendered":"https:\/\/people.utm.my\/azhari\/?p=1415"},"modified":"2021-04-01T06:01:01","modified_gmt":"2021-04-01T06:01:01","slug":"threat-intelligence","status":"publish","type":"post","link":"https:\/\/people.utm.my\/azhari\/2021\/04\/01\/threat-intelligence\/","title":{"rendered":"Threat Intelligence"},"content":{"rendered":"\n<figure class=\"wp-block-image is-style-rounded\"><img decoding=\"async\" src=\"https:\/\/anomali.cdn.rackfoundry.net\/files\/svg\/TIP_Diagram_Overview-v2.svg\" alt=\"Threat intelligence platform\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">TIP Defined<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\">Threat<\/h4>\n\n\n\n<p>The potential for an unauthorized party to access, or interfere with, the normal intended operation of an information system or network. Common threats today include:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Advanced persistent threats (APT)<\/li><li><a href=\"https:\/\/www.anomali.com\/blog\/teach-a-man-to-phish\">Phishing<\/a><\/li><li><a href=\"https:\/\/www.anomali.com\/blog\/the-truth-about-the-dangers-of-malware\">Malware<\/a><\/li><li>Botnets<\/li><li>DDoS<\/li><li>Ransomware<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Intelligence<\/h4>\n\n\n\n<p>Knowledge of a threat, whether produced by human analysts or derived from events observed within the system. 
Intelligence is a broad term, but a TIP presents analysts with specific kinds of intelligence whose handling can be automated, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Technical knowledge of attacks, including indicators of compromise such as IP addresses, domains, URLs and file hashes<\/li><li>Finished intelligence &#8211; the output of analysts who review the available information and reach conclusions about situational awareness, predict potential outcomes or future attacks, or estimate adversary capabilities<\/li><li>Human intelligence &#8211; intelligence gathered directly by people, such as monitoring underground forums for suspicious activity<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Platform<\/h4>\n\n\n\n<p>A packaged product that integrates with existing tools and products, providing a threat intelligence management system that automates and simplifies much of the work analysts have traditionally done by hand.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Who Uses a TIP?<\/h2>\n\n\n\n<p>A Threat Intelligence Platform is useful to many parties within an organization.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Security Operations Center (SOC) Teams<\/h3>\n\n\n\n<p>These teams focus on day-to-day operational tasks and on responding to threats as they occur. A TIP automates routine activities such as integrations, enrichment, and scoring.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Threat Intelligence Teams<\/h3>\n\n\n\n<p>These teams make predictions from the associations and context that link actors, campaigns, malware and infrastructure. A TIP provides them with a \u201clibrary\u201d of information that simplifies and streamlines this process.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Management and Executive Teams<\/h3>\n\n\n\n<p>A TIP provides management with a single platform through which to view reports at both a technical and an executive level. 
This enables them to share and analyze data effectively as incidents occur.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Data Aggregation<\/h2>\n\n\n\n<p>A Threat Intelligence Platform automatically collects and reconciles data from many sources and formats. Ingesting information from a variety of sources is a critical component of a strong security infrastructure. Supported sources and formats include:<\/p>\n\n\n\n<p><strong>Sources:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Open-source feeds<\/li><li>Third-party paid (commercial) feeds<\/li><li>Government<\/li><li><a href=\"https:\/\/www.anomali.com\/isacs-sharing\">Trusted Sharing Communities (ISACs)<\/a><\/li><li>Internal (the organization\u2019s own incidents and telemetry)<\/li><\/ul>\n\n\n\n<p><strong>Formats:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.anomali.com\/resources\/what-are-stix-taxii\" target=\"_blank\" rel=\"noreferrer noopener\">STIX\/TAXII<\/a> (STIX is the content format; TAXII is the transport protocol used to exchange it)<\/li><li>JSON and XML<\/li><li>Email<\/li><li>CSV, plain text, PDF, and Word documents<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image is-style-rounded\"><img decoding=\"async\" src=\"https:\/\/anomali.cdn.rackfoundry.net\/files\/svg\/TIP_Diagram_Step1.svg\" alt=\"Threat intelligence platform: Manage\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image is-style-rounded\"><img decoding=\"async\" src=\"https:\/\/anomali.cdn.rackfoundry.net\/files\/svg\/TIP_Diagram_Step2.svg\" alt=\"Threat intelligence platform: Collect\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Normalization and Enrichment of Data<\/h2>\n\n\n\n<p>Collecting data across a wide variety of feeds produces millions of indicators to sort through per day, so the data must be processed efficiently. Processing involves several steps, but it comprises three main elements: normalization, de-duplication, and enrichment.<\/p>\n\n\n\n<p>These steps are expensive in compute, analyst time, and money. 
A Threat Intelligence Platform automates these processes, freeing analysts to analyze rather than manage collected data.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Normalization<\/strong>&nbsp;&#8211; Converting data from different sources and formats into one common schema, for example lower-casing domains, undoing defanging such as hxxp and [.], and validating IP addresses<\/li><li><strong>De-Duplication<\/strong>&nbsp;&#8211; Merging indicators that are already known, so an IP reported by five feeds is stored once with all five sources recorded<\/li><li><strong>Enrichment<\/strong>&nbsp;&#8211; Removing false positives, scoring indicators, and adding context such as source, first and last seen, and associated actors or campaigns<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Integrations<\/h2>\n\n\n\n<p>Data that has been normalized, vetted, and enriched must then be delivered to systems that can use it for automated enforcement and monitoring. The purpose is to provide these technologies with what is essentially a \u201ccyber no-fly list\u201d, much like the kind of no-fly list you\u2019d encounter at an airport. Based on background knowledge, certain IPs, domains, and other indicators should not be accessed or allowed within the network. Only indicators that have been vetted and scored should be pushed for blocking: a raw feed still contains false positives, and enforcing it blindly blocks legitimate traffic.<\/p>\n\n\n\n<p>A Threat Intelligence Platform works with SIEM and log-management vendors behind the scenes, pulling down indicators and pushing them to the security controls in the customer\u2019s network. The burden of building and maintaining these integrations is therefore lifted from the analysts and shifted to the SIEM and TIP vendors.<\/p>\n\n\n\n<p>Possible security product integrations include:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>SIEM<\/li><li>Endpoint<\/li><li>Firewall<\/li><li>IPS<\/li><li>Custom tooling via API<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image is-style-rounded\"><img decoding=\"async\" src=\"https:\/\/anomali.cdn.rackfoundry.net\/files\/svg\/TIP_Diagram_Step3.svg\" alt=\"Threat intelligence platform: Integrate\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Analysis &amp; Response<\/h2>\n\n\n\n<p>A Threat Intelligence Platform provides features that aid the analysis of potential threats and their mitigation. 
More specifically, these features help analysts to:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Explore threats<\/li><li>Follow investigation workflows<\/li><li>Understand the broader context and implications of threats<\/li><li>Share information<\/li><\/ul>\n\n\n\n<p>A TIP takes all the available data, enrichments, and other context and presents it in ways that provide value, such as dashboards, rules, alerts, and notes.<\/p>\n\n\n\n<p>A Threat Intelligence Platform also aids analysts by automating the research and collection processes, significantly reducing response time. Specific analysis functions of a&nbsp;<a href=\"https:\/\/www.anomali.com\/products\">Threat Intelligence Platform<\/a>&nbsp;include:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Support for indicator expansion and research<\/li><li>Incident escalation and response processes<\/li><li>Analyst workflow processes<\/li><li>Producing intelligence products and sharing them with stakeholders<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>TIP Defined Threat The potential for any other party to access or interfere with the normal planned operations of an information network. Common threats today include: APT Phishing Malware Botnets DDOS Ransomware Intelligence Knowledge of a threat gained by human analysts or identified by events within the system. 
Intelligence is a broad term, but a [&hellip;]<\/p>\n","protected":false},"author":14428,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[10,3],"tags":[],"class_list":["post-1415","post","type-post","status-publish","format-standard","hentry","category-gallery","category-news"],"_links":{"self":[{"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/posts\/1415","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/users\/14428"}],"replies":[{"embeddable":true,"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/comments?post=1415"}],"version-history":[{"count":1,"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/posts\/1415\/revisions"}],"predecessor-version":[{"id":1416,"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/posts\/1415\/revisions\/1416"}],"wp:attachment":[{"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/media?parent=1415"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/categories?post=1415"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/people.utm.my\/azhari\/wp-json\/wp\/v2\/tags?post=1415"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
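The post's "Data Aggregation", "Normalization and Enrichment of Data" and "Integrations" sections describe a pipeline in words: ingest feeds in several formats, normalize them into one schema, de-duplicate, enrich and score, then hand only the vetted result to enforcement as a "cyber no-fly list". The following is an added worked example of that pipeline, written for this page; it is not code from the original post or from any TIP vendor. Both feeds (a CSV feed and a STIX 2.1 bundle) are constructed for the demo, the allowlist, the private-network list, the scoring formula (confidence plus a 5-point bonus per corroborating source) and the block threshold of 75 are assumed policy, and only the simple single-comparison STIX pattern form is parsed. The documentation-range IP 198.51.100.23 is used so that the sample never names a real host.

```python
"""Toy TIP ingestion pipeline: aggregate, normalize, de-duplicate, enrich, export.

Added example, not the original page's or any vendor's code. Both feeds are
constructed for the demo; the STIX 2.1 pattern grammar is real, but only the
single-comparison form "[object:property = 'value']" is handled here.
"""
import csv
import io
import ipaddress
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed CSV feed: defanged and mixed-case values, one private IP, and one
# indicator pointing at the organisation's own domain (a false positive).
CSV_FEED = """indicator,type,confidence
hxxp://evil[.]example/payload.exe,url,60
EVIL[.]EXAMPLE,domain,70
198.51.100.23,ip,90
10.0.0.5,ip,60
portal.corp.example,domain,90
"""

# Constructed STIX 2.1 bundle that overlaps with the CSV feed.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--demo", "objects": [
    {"type": "indicator", "id": "indicator--1", "pattern_type": "stix", "confidence": 85,
     "pattern": "[domain-name:value = 'evil.example']"},
    {"type": "indicator", "id": "indicator--2", "pattern_type": "stix", "confidence": 50,
     "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"type": "indicator", "id": "indicator--3", "pattern_type": "stix", "confidence": 95,
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
]})

ALLOWLIST_DOMAINS = {"corp.example"}  # assumed: the organisation's own domains
BLOCK_THRESHOLD = 75                  # assumed policy: push only score >= 75
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (  # RFC 1918, loopback, link-local
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
STIX_TYPE_MAP = {"ipv4-addr": "ip", "ipv6-addr": "ip", "domain-name": "domain",
                 "url": "url", "file": "sha256"}
_STIX_SIMPLE = re.compile(r"\[(?P<obj>[\w-]+):[\w.'-]+\s*=\s*'(?P<val>[^']+)'\]")


def refang(value):
    """Undo the usual defanging: hxxp -> http, [.] and (.) -> ., [:] -> :."""
    v = re.sub(r"^hxxp", "http", value.strip(), flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def normalize(itype, raw):
    """Return (type, canonical value), or None when the value is malformed."""
    v = refang(raw)
    if itype == "ip":
        try:
            return "ip", str(ipaddress.ip_address(v))
        except ValueError:
            return None
    if itype == "domain":
        v = v.lower().rstrip(".")
        return ("domain", v) if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v) else None
    if itype == "url":
        p = urlsplit(v)
        if p.scheme not in ("http", "https") or not p.hostname:
            return None
        # Lower-case scheme and host only: a URL path is case-sensitive.
        return "url", urlunsplit((p.scheme, p.netloc.lower(), p.path, p.query, p.fragment))
    if itype == "sha256":
        v = v.lower()
        return ("sha256", v) if re.fullmatch(r"[0-9a-f]{64}", v) else None
    return None


def parse_csv(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["type"], row["indicator"], int(row["confidence"]), source


def parse_stix(text, source):
    for obj in json.loads(text)["objects"]:
        m = _STIX_SIMPLE.match(obj.get("pattern", ""))
        if obj.get("type") != "indicator" or not m or m["obj"] not in STIX_TYPE_MAP:
            continue  # compound patterns (AND/OR, several observables) are skipped
        yield STIX_TYPE_MAP[m["obj"]], m["val"], obj.get("confidence", 50), source


def dedupe(records):
    """Merge records with the same (type, value): keep every source, max confidence."""
    merged = {}
    for itype, raw, conf, source in records:
        key = normalize(itype, raw)
        if key is None:
            continue
        e = merged.setdefault(key, {"type": key[0], "value": key[1],
                                    "sources": set(), "confidence": 0})
        e["sources"].add(source)
        e["confidence"] = max(e["confidence"], conf)
    return list(merged.values())


def enrich(entries):
    """Drop obvious false positives, then score: confidence plus a corroboration bonus."""
    out = []
    for e in entries:
        if e["type"] == "ip" and any(ipaddress.ip_address(e["value"]) in n for n in PRIVATE_NETS):
            continue  # private/loopback space is meaningless on a perimeter blocklist
        host = e["value"] if e["type"] == "domain" else None
        if e["type"] == "url":
            host = urlsplit(e["value"]).hostname
        if host and any(host == d or host.endswith("." + d) for d in ALLOWLIST_DOMAINS):
            continue  # our own infrastructure turning up in a feed
        e["score"] = min(100, e["confidence"] + 5 * (len(e["sources"]) - 1))
        out.append(e)
    return out


def blocklist(entries, threshold=BLOCK_THRESHOLD):
    """The 'no-fly list' handed to firewalls/SIEM: only vetted, high-scoring indicators."""
    return sorted((e["type"], e["value"]) for e in entries if e["score"] >= threshold)


def run_pipeline():
    records = list(parse_csv(CSV_FEED, "csv-feed")) + list(parse_stix(STIX_BUNDLE, "stix-feed"))
    enriched = enrich(dedupe(records))
    return enriched, blocklist(enriched)


if __name__ == "__main__":
    enriched, to_block = run_pipeline()
    for e in enriched:
        print(e["type"], e["value"], sorted(e["sources"]), e["score"])
    print("blocklist:", to_block)
```

Two things the prose does not show fall out of running it: the same domain arriving defanged from the CSV feed and clean from the STIX bundle collapses into one record with both sources, which is what lifts its score above the block threshold, while the URL (single source, confidence 60) survives enrichment for analysts to see but is kept off the enforcement list, and the private IP and the organisation's own portal never reach it at all.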