Cyber threat intelligence involves collecting, analyzing, and sharing information about threats to help organizations assess risks and defend themselves. It follows principles like being centralized, objective, and continuous. The Structured Threat Information Expression (STIX) language lets organizations share threat data consistently in a common, machine-readable form. Intrusion detection systems monitor networks and hosts for malicious activity, using either signature-based methods to detect known threats or anomaly-based methods to find unknown behaviors.
What is a Threat?
A threat is what we are trying to protect against: an actor, event or condition with the potential to harm our assets.
What is Intelligence?
Intelligence is information that is received or collected to answer specific
questions: who, what, where, when, how and why?
Cyber Threat Intelligence:
Cyber threat intelligence is evidence-based knowledge, including context,
mechanisms, indicators, implications and actionable advice, about an existing
or emerging threat that can be used to inform decisions regarding the subject's
response to that menace or hazard.
It is intelligence about the threat that enables organisations to prepare for it
and defend themselves. When an organisation can answer the key questions
about the threats it faces (who is likely to target which assets, where, when,
how and why) it stands a much better chance of defending itself.
If organisations have a good understanding of the threats they face, then they
are able to combine this understanding with an assessment of the maturity of
their defences to understand the likelihood of an incident occurring. This
likelihood can be combined with an assessment of the impact of such an
incident to understand the risk. This allows organisations to deploy their
usually limited security resources against the highest priority risks.
The principles of intelligence:
Intelligence should be:
1. Centralized
2. Responsive
3. Objective
4. Systematic
5. Sharing
6. Continuous Review
7. Accessible
8. Timely
Phases of Threat Intelligence:
1. Direction
2. Collection
3. Processing
4. Analysis
5. Dissemination
6. Feedback
Tools and People:
Threat intelligence platforms collect, process and analyse all types of threat
data from internal, technical and human sources.
They feed, and are fed by, existing security tooling: SIEMs and security
analytics tools, which collect and correlate security events and log data;
sharing standards such as STIX (which describes the intelligence) and TAXII
(the transport protocol used to exchange it); and Intrusion Detection Systems (IDS).
Structured Threat Information Expression (STIX)
What is STIX?
STIX stands for Structured Threat Information Expression. STIX is a language
and serialization format used to exchange cyber threat intelligence (CTI).
What STIX does:
STIX enables organizations to share CTI with one another in a consistent and
machine readable manner, allowing security communities to better understand
what computer-based attacks they are most likely to see and to anticipate
and/or respond to those attacks faster and more effectively.
Who STIX is for:
STIX is for anyone involved in defending networks or systems against cyber
threats, including cyber defenders, cyber threat analysts, malware analysts,
security tool vendors, security researchers, threat sharing communities, and
more. STIX provides a common language for describing cyber threat
information so it can be shared, stored, and otherwise used in a consistent
manner that facilitates automation.
Architecture of STIX:
At a high level the STIX 1.x language consists of eight key constructs and the
relationships between them. (STIX 2.x, the current OASIS version, reorganises
these into JSON-serialised STIX Domain Objects and Relationship Objects, but
the same concepts carry over.)
1. Observable : conveys specific instances of cyber observation (either static
or dynamic) or patterns of what could potentially be observed.
2. Indicator : conveys specific Observable patterns combined with contextual
information intended to represent artifacts and/or behaviours of interest.
3. Incident : conveys details of specific security events affecting an
organization, along with information discovered or decided during the
incident response investigation.
4. Tactics, Techniques & Procedures (TTPs) : convey details of adversary
behaviour: attack patterns, malware, infrastructure used and victim targeting
(the what and how of an attack).
5. Exploit Target : conveys vulnerabilities or weaknesses in software,
systems or configurations that may be targeted.
6. Campaign : conveys perceived instances of Threat Actors pursuing an intent,
as observed through sets of Incidents and/or TTPs.
7. Threat Actor : conveys characterizations of malicious actors (or
adversaries) representing a cyber attack threat.
8. Course of Action : conveys specific actions to address a threat, whether
preventative (addressing Exploit Targets) or responsive (countering or
mitigating the potential impact of Incidents).
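The constructs above are the STIX 1.x (XML) vocabulary. The following Python is an added example, not from the original slides, showing what the same idea looks like on the wire in STIX 2.1 JSON: a producer builds a bundle linking a Threat Actor, Campaign, Indicator and Course of Action through Relationship objects, and a consumer validates the bundle, extracts the indicator's observable values and walks the relationships back to the actor. It uses only the standard library (not the stix2 package) so it runs offline; the actor, campaign, names, addresses and the fixed timestamp are constructed for the example.

```python
"""Added example: produce and consume a STIX 2.1 bundle with the standard
library only (no stix2 package). All names and addresses are constructed."""
import json
import re
import uuid

# Fixed timestamp so the example is deterministic; a real producer uses now().
NOW = "2024-01-15T12:00:00.000Z"

# STIX identifiers are '<type>--<UUID>'.
ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# One comparison inside a STIX pattern, e.g. ipv4-addr:value = '198.51.100.7'
COMPARISON_RE = re.compile(r"([a-z0-9-]+:[a-z0-9_.]+)\s*=\s*'([^']*)'")


def make_object(obj_type, **props):
    """Common properties every STIX 2.1 object carries, plus type-specific ones."""
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}", "created": NOW, "modified": NOW}
    obj.update(props)
    return obj


def build_bundle():
    """Constructed sample: an actor runs a campaign, an indicator points at the
    campaign, and a course of action mitigates the indicator."""
    actor = make_object("threat-actor", name="Example Actor",
                        threat_actor_types=["crime-syndicate"])
    campaign = make_object("campaign", name="Example Phishing Wave")
    indicator = make_object(
        "indicator", name="Phishing C2 address",
        indicator_types=["malicious-activity"], pattern_type="stix",
        valid_from=NOW,
        pattern="[ipv4-addr:value = '198.51.100.7' OR "
                "domain-name:value = 'login-example.invalid']")
    coa = make_object("course-of-action", name="Block C2 at egress firewall")
    rels = [
        make_object("relationship", relationship_type="attributed-to",
                    source_ref=campaign["id"], target_ref=actor["id"]),
        make_object("relationship", relationship_type="indicates",
                    source_ref=indicator["id"], target_ref=campaign["id"]),
        make_object("relationship", relationship_type="mitigates",
                    source_ref=coa["id"], target_ref=indicator["id"]),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [actor, campaign, indicator, coa, *rels]}


def validate(bundle):
    """Consumer-side checks before trusting shared data: bundle type, id
    syntax matching the object type, and no dangling relationship refs."""
    errors = []
    if bundle.get("type") != "bundle":
        errors.append("not a STIX bundle")
    ids = set()
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "")
        if not ID_RE.match(oid) or not oid.startswith(obj.get("type", "") + "--"):
            errors.append(f"malformed id {oid!r}")
        ids.add(oid)
    for obj in bundle.get("objects", []):
        for key in ("source_ref", "target_ref"):
            if key in obj and obj[key] not in ids:
                errors.append(f"dangling {key} {obj[key]} in {obj['id']}")
    return errors


def load_bundle(raw):
    """Parse serialized JSON (what a TAXII server would hand us) and validate it."""
    bundle = json.loads(raw)
    errors = validate(bundle)
    if errors:
        raise ValueError("; ".join(errors))
    return bundle


def roundtrip(bundle):
    """Serialize and re-load, as a sharing exchange would."""
    return load_bundle(json.dumps(bundle))


def extract_iocs(bundle):
    """Pull literal values out of every indicator's STIX pattern, keyed by
    observable property, e.g. {'ipv4-addr:value': ['198.51.100.7']}."""
    iocs = {}
    for obj in bundle["objects"]:
        if obj["type"] == "indicator" and obj.get("pattern_type") == "stix":
            for prop, value in COMPARISON_RE.findall(obj["pattern"]):
                iocs.setdefault(prop, []).append(value)
    return iocs


def who_is_behind(bundle, indicator_id):
    """Walk indicator -indicates-> campaign -attributed-to-> threat-actor."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]

    def targets(src, rtype):
        return [r["target_ref"] for r in rels
                if r["source_ref"] == src and r["relationship_type"] == rtype]

    return [by_id[a]["name"] for c in targets(indicator_id, "indicates")
            for a in targets(c, "attributed-to")]


if __name__ == "__main__":
    shared = roundtrip(build_bundle())
    print(extract_iocs(shared))
```

The point of `validate` is that shared intelligence is untrusted input: a feed can carry malformed ids or relationships pointing at objects that were never sent, and a consumer that blindly resolves `target_ref` will crash or attribute activity to the wrong object. Real deployments extend the same shape with the `stix2` library's pattern parser instead of the regex used here.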
Intrusion Detection System
An Intrusion Detection System (IDS) monitors network traffic or host activity
for signs of malicious or suspicious behaviour and raises alerts. Most deployed
IDS look for attack signatures, which are specific patterns that usually
indicate malicious or suspicious intent; the anomaly-based approach described
below is the alternative.
Types of IDS:
IDS can be classified into two categories:
1. Network based IDS
2. Host based IDS
Network Based IDS:
A network-based IDS (NIDS) captures and analyses the traffic on a network
segment and matches it against a library of known attacks, detecting malicious
content in the packets moving across the network.
Host Based IDS:
A host-based IDS (HIDS) runs on the system itself. It monitors activity on
that host (processes, file changes, logs, and the packets sent to and from the
host) and alerts the system administrator.
Methodologies of IDS:
1. Signature Based Intrusion Detection
2. Anomaly/Behavior Based Intrusion Detection
Signature Based Intrusion Detection
Signature-based IDS look for "known patterns" of detrimental activity.
Pros:
1. Low false-alarm rate: it only has to look up the list of known attack
signatures and report a match.
2. Signature-based NIDS are very accurate for the attacks they know about.
3. The systems are fast, since they only compare what they see against a
predetermined rule.
Cons:
1. They are unable to detect novel attacks, including variants of known attacks
that change the pattern (a different encoding or different constants).
2. A new signature has to be written and deployed for every new pattern to be
detected.
Anomaly/Behavior Based Intrusion Detection:
Anomaly-based IDS build a baseline of normal behaviour and alert on any
deviation from it, rather than matching known attack patterns.
Pros:
1. Can catch novel attacks, reducing the signature approach's limitation to
known patterns.
2. Screens everything against the baseline rather than against a fixed list.
Cons:
1. False positives: because behaviour-based NIDS judge a system by its
behaviour patterns, legitimate but unusual activity (a new batch job, a traffic
spike) is flagged too.
2. In a hybrid system, a detected anomaly (even a mistaken one) may be promoted
to a "signature", so an error in the baseline propagates.
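The following Python is an added example, not from the original slides, that runs both methodologies over a constructed web-server log so the trade-offs above can be seen on real input. The log format, the three signature rules, the mean-plus-three-standard-deviations threshold and all addresses are assumptions for illustration. The signature detector catches the known attacks (including a URL-encoded path traversal, because it decodes before matching) but misses a tautology with different constants; the anomaly detector catches the attacker's burst of probing but also flags a legitimate batch job, which is the false-positive cost.

```python
"""Added example: a toy signature-based and anomaly-based detector run over
constructed web-server log lines. Log format (constructed):
"<minute> <client-ip> <method> <path> <status>"."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Signature rules: literal "known bad" patterns matched against the decoded path.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "sqli-union": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

# Ten minutes of normal traffic: hosts .1/.2/.3 make 2/3/4 requests a minute.
TRAINING_LOG = [f"{m:02d} 10.0.0.{h} GET /index.html 200"
                for m in range(10) for h in (1, 2, 3) for _ in range(h + 1)]

# Minutes 11 and 12 are the traffic to analyse.
TEST_LOG = [
    "11 10.0.0.1 GET /index.html 200",
    "11 10.0.0.1 GET /about.html 200",
    "11 10.0.0.2 GET /search?q=shoes 200",
    # Known attacks: plain and URL-encoded traversal (caught because we decode
    # first), a tautology SQLi and a UNION-based SQLi.
    "11 203.0.113.9 GET /download?file=../../etc/passwd 404",
    "11 203.0.113.9 GET /download?file=%2e%2e/%2e%2e/etc/shadow 404",
    "11 203.0.113.9 GET /login?user=admin'%20OR%201%3D1-- 200",
    "11 203.0.113.9 GET /items?id=1%20UNION%20SELECT%20password%20FROM%20users 500",
    # Novel variant: same tautology attack, different constants -> no signature.
    "11 203.0.113.9 GET /login?user=admin'%20OR%202%3D2-- 200",
    # Legitimate batch job from a known host: 12 requests in one minute.
    *[f"12 10.0.0.3 GET /api/items?page={i} 200" for i in range(12)],
    # The attacker also probes 30 paths in the same minute.
    *[f"11 203.0.113.9 GET /probe{i} 404" for i in range(30)],
]


def parse(line):
    """Split a log line; URL-decode the path so encoded evasions normalise."""
    minute, ip, method, path, status = line.split()
    return minute, ip, method, unquote(path), status


def signature_detect(lines):
    """Return (ip, rule, decoded_path) for every line matching a known signature."""
    hits = []
    for line in lines:
        _, ip, _, path, _ = parse(line)
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                hits.append((ip, name, path))
                break  # first matching rule wins
    return hits


def requests_per_minute(lines):
    """Count requests per (minute, client) pair."""
    counts = Counter()
    for line in lines:
        minute, ip, *_ = parse(line)
        counts[(minute, ip)] += 1
    return counts


def learn_baseline(lines, k=3.0):
    """Anomaly threshold: mean + k standard deviations of the per-client,
    per-minute request counts seen in known-good traffic."""
    counts = list(requests_per_minute(lines).values())
    return statistics.mean(counts) + k * statistics.pstdev(counts)


def anomaly_detect(lines, threshold):
    """Return (minute, ip, count) for clients whose rate exceeds the baseline."""
    return sorted((m, ip, n) for (m, ip), n in requests_per_minute(lines).items()
                  if n > threshold)


if __name__ == "__main__":
    for hit in signature_detect(TEST_LOG):
        print("SIGNATURE", hit)
    threshold = learn_baseline(TRAINING_LOG)
    for anomaly in anomaly_detect(TEST_LOG, threshold):
        print(f"ANOMALY (threshold {threshold:.1f})", anomaly)
```

Running it prints four signature hits and two anomalies. The `2=2` request is the cost of the signature approach (a new rule is needed for every variant), and the `10.0.0.3` batch job is the cost of the anomaly approach (an analyst has to triage it, and if it were blindly turned into a signature, normal traffic would be blocked). Production engines do far more normalisation than a single `unquote`, and use per-client baselines rather than one global threshold, but the trade-off is the same.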