Hacking Book | Free Online Hacking Learning


"magic" of threat intelligence

Posted by bassolino at 2020-04-15


Analysis of current situation of information security attack and defense

Intelligence is the clue. Threat intelligence is the set of clues needed to reconstruct attacks that have already happened and to anticipate those that have not. Put simply, threat intelligence is the knowledge that helps us find threats and deal with them. Threat intelligence work moves us from knowing ourselves to also knowing the adversary; in network attack and defense, only by knowing both can one fight a hundred battles without peril.

Among current breaches, 97% cause damage within a day or less; 60% leak data within a few hours; 85% take "weeks" or longer to be discovered; and 90% take "days" to remediate.


Traditional information security protection systems face difficulties

Traditional information security protection typically collects log data and correlates security events from several kinds of security devices (intrusion detection systems, web application firewalls and so on) to guide security staff in handling risk. Such systems, however, have the following disadvantages:

• it is difficult to find real attacks among the huge volume of security events;

• security events identified at one point cannot be shared promptly and effectively across the organization, which hampers internal cooperation;

• vulnerability and threat information is not interoperable between security devices of different types and from different vendors, which complicates the maintenance and management of large networks;

• the attack techniques revealed by the Snowden incident are hard to identify and detect with current means, so the existing security system urgently needs upgrading.


Advantages of information security protection based on Threat Intelligence

Gartner, the world's first and most authoritative information consulting and research firm, first published its "Threat Intelligence Market Guide" in 2014, listing nearly 50 companies. In that report Gartner gave its first forecast for the threat intelligence market:

    "By 2020, 15% of large enterprises will use commercial threat intelligence (TI) services to inform their security strategies, which is an increase from today's less than 1%."

An adoption rate of nearly one in five means there will be enough suppliers and practitioners to form the backbone of a market.

Perfect security is neither possible nor practical. The ultimate goal is not to avoid incidents altogether but to improve our ability to avoid business loss through rapid detection of, and recovery from, network attacks. Accurate and comprehensive threat intelligence greatly widens the boundaries of threat defense in both space and time, and is the key to putting an active defense strategy into practice. It also answers the need to change the roles in attack and defense. Network attackers and security teams are two sides of one contest, and as the technology on both sides improves, the advantage often passes from one to the other. After an attacker launches an attack, the defense system can be in one of three situations:

By using threat intelligence, defenders can move from situation "a" to situation "c", changing their role from passive to active and from having no data to having data.


Construction and application of security system based on Threat Intelligence


The technical system of Threat Intelligence

At the technical level, a Threat Intelligence Center is structured in layers: intelligence collection, intelligence analysis and storage, and intelligence output.

Raw collection of threat intelligence

• public threat intelligence centers, accessed free of charge or by subscription;

• Internet intelligence gathered through a honeynet system;

• acquisition through purchase, information exchange, manual collection, etc.

Processing and storage of heterogeneous threat information

To turn multi-source, heterogeneous threat intelligence into standard-format intelligence for later use, a data conversion program automatically transforms the intelligence data produced by different tools and languages into a unified storage format (based on the STIX standard), reducing the ambiguity and conflict among the individual source feeds. Conversion errors are then caught by running the data through static mapping code.
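As an added example (not code from the original post), the following Python converts two constructed feeds of different shapes into STIX 2.1-style indicator objects and records where the sources disagree instead of letting one overwrite the other; the feed layouts, field names and the x_sources custom property are assumptions.

```python
import json
import uuid

# Constructed sample feeds (not real data) with different field names, verdict encodings and scales.
FEED_A_CSV = """ip,verdict,confidence
192.0.2.10,malicious,80
198.51.100.7,benign,60
"""
FEED_B_JSON = json.dumps([
    {"indicator": "192.0.2.10", "kind": "ipv4", "malicious": True, "score": 0.9},
    {"indicator": "198.51.100.7", "kind": "ipv4", "malicious": True, "score": 0.7},
    {"indicator": "evil.example", "kind": "domain", "malicious": True, "score": 0.5},
])

def parse_feed_a(text):  # feed A rows -> unified intermediate records
    rows = [line.split(",") for line in text.strip().splitlines()[1:]]
    return [{"type": "ipv4-addr", "value": ip, "malicious": v == "malicious",
             "confidence": int(c), "source": "feed_a"} for ip, v, c in rows]
def parse_feed_b(text):  # feed B objects -> same records (score 0-1 becomes 0-100)
    kinds = {"ipv4": "ipv4-addr", "domain": "domain-name"}
    return [{"type": kinds[r["kind"]], "value": r["indicator"], "malicious": r["malicious"],
             "confidence": int(r["score"] * 100), "source": "feed_b"} for r in json.loads(text)]
def to_stix_indicator(rec):
    """Static mapping onto a STIX 2.1-style indicator; the id is deterministic per observable."""
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, rec["type"] + ":" + rec["value"])),
        "pattern_type": "stix", "pattern": f"[{rec['type']}:value = '{rec['value']}']",
        "indicator_types": ["malicious-activity" if rec["malicious"] else "benign"],
        "confidence": rec["confidence"], "x_sources": [rec["source"]],
    }
def merge(records):
    """Merge by (type, value); conflicting verdicts are recorded, never silently overwritten."""
    merged, conflicts = {}, []
    for rec in records:
        key = (rec["type"], rec["value"])
        if key not in merged:
            merged[key] = to_stix_indicator(rec)
            continue
        ind = merged[key]
        ind["x_sources"].append(rec["source"])
        ind["confidence"] = max(ind["confidence"], rec["confidence"])
        verdict = "malicious-activity" if rec["malicious"] else "benign"
        if verdict not in ind["indicator_types"]:
            ind["indicator_types"].append(verdict)
            conflicts.append(key)
    return list(merged.values()), conflicts
def normalize_all():  # returns (indicators, keys whose sources disagree)
    return merge(parse_feed_a(FEED_A_CSV) + parse_feed_b(FEED_B_JSON))
```

The returned conflict list is what an analyst reviews by hand; the merged objects are what gets stored.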

Threat intelligence output

• portal interface

Users can query different types of threat information according to chosen conditions;

• API interface

Machine-readable intelligence data is delivered to security platforms through the API interface for intelligence consumption.

Extraction of network security information elements based on Threat Intelligence

The collected threat intelligence should cover the following points:

Figure 1 Threat Intelligence points

With threat intelligence data, the severity of current security threats can be assessed and presented visually.

Analysis and presentation of network security information elements based on Threat Intelligence

As shown in the figure below, the situational awareness platform aggregates security events along a chosen dimension (time, IP address, event type, etc.). A threat intelligence query by IP address is then run against the aggregated events, after which specific models are applied and the results are presented.
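As an added example (not code from the original post), the following Python aggregates constructed security events by source IP and fixed time window, enriches each aggregate with an IP lookup against a constructed intel table, and ranks the rows for presentation; the event format, the intel table and the scoring weights are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed events (timestamp, source IP, event type) as a situational awareness
# platform might export them; constructed intel table: IP -> (verdict, confidence 0-100).
EVENTS = [
    ("2020-04-15T10:00:05", "192.0.2.10", "scan"),
    ("2020-04-15T10:03:40", "192.0.2.10", "exploit_attempt"),
    ("2020-04-15T10:04:02", "192.0.2.10", "exploit_attempt"),
    ("2020-04-15T10:20:11", "203.0.113.5", "scan"),
    ("2020-04-15T11:30:00", "192.0.2.10", "scan"),
]
INTEL = {"192.0.2.10": ("malicious-activity", 90), "203.0.113.5": ("unknown", 20)}
TYPE_WEIGHT = {"scan": 1, "exploit_attempt": 5}  # assumed per-event-type weights

def aggregate(events, window=timedelta(minutes=15)):
    """Group events by (source IP, fixed time window) so one row summarises a burst."""
    buckets = defaultdict(list)
    for ts, ip, kind in events:
        t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        slot = int(t.timestamp() // window.total_seconds())
        buckets[(ip, slot)].append(kind)
    return buckets

def enrich(buckets, intel):
    """Look each aggregate up in the intel table and score it for presentation.
    Severity = sum of event weights, scaled up by intel confidence for known-malicious IPs."""
    rows = []
    for (ip, slot), kinds in buckets.items():
        verdict, conf = intel.get(ip, ("unknown", 0))
        base = sum(TYPE_WEIGHT.get(k, 1) for k in kinds)
        factor = 1 + conf / 100 if verdict == "malicious-activity" else 1
        rows.append({"ip": ip, "window": slot, "events": len(kinds),
                     "verdict": verdict, "severity": round(base * factor, 1)})
    return sorted(rows, key=lambda r: r["severity"], reverse=True)

def top_findings():
    """Aggregate the constructed events, enrich them and return the ranked rows."""
    return enrich(aggregate(EVENTS), INTEL)
```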

Figure 2 information element query and presentation


Future outlook

Although current applications of threat intelligence use only a small part of what it can do, there is no doubt that the insight gained from "threat intelligence" opens the door to a new mode of application. If the technical elements of threat intelligence can be used effectively and comprehensively, they give security practitioners a new security perspective and a broader security vision. As every industry depends more and more on information technology, information risk becomes more prominent, and the demand to protect personal, business and competitive information keeps rising. In this new situation, we can build a comprehensive threat intelligence analysis model that fits our own characteristics and objectively and truly reflects existing security problems and trends, which will revolutionize our working methods and tools.
