Threat Intelligence Platforms
Threat Intelligence Platforms (TIPs) are an emerging technology discipline that helps organizations aggregate, correlate and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources (such as system logs and threat intelligence feeds) and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform. TIPs can also use APIs to gather data to generate configuration analysis, WHOIS information, reverse IP lookup, website content analysis, name servers and SSL certificates.
The traditional approach to enterprise security involves security teams using a variety of processes and tools to conduct incident response, network defense and threat analysis. Integration between these teams and the sharing of threat data is often a manual process that relies on email, spreadsheets or a portal ticketing system. This approach does not scale as the team and enterprise grows and the number of threats and events increases. With attack sources changing by the minute, hour and day, scalability and efficiency is difficult. The tools used by large Security Operations Centers (SOCs), for example, produce hundreds of millions of events per day, from endpoint and network alerts to log events, making it difficult to filter down to a manageable number of suspicious events for triage.
Threat intelligence platforms make it possible for organizations to gain an advantage over the adversary by detecting the presence of threat actors, blocking and tackling their attacks or degrading their infrastructure. Using threat intelligence, businesses and government agencies can also identify the threat sources and data that are the most useful and relevant to their own environment, potentially reducing the costs associated with unnecessary commercial threat feeds.
Tactical use cases for threat intelligence include security planning, monitoring and detection, incident response, threat discovery and threat assessment. A TIP also drives smarter practices back into SIEMs, intrusion detection and other security tools because of the finely curated, relevant and widely sourced threat intelligence that a TIP produces.
An advantage held by TIPs is the ability to share threat intelligence with other stakeholders and communities. Adversaries typically coordinate their efforts across forums and platforms. A TIP provides a common habitat, which makes it possible for security teams to share threat information among their own trusted circles, interface with security and intelligence experts and receive guidance on implementing coordinated counter-measures. Full-featured TIPs enable security analysts to simultaneously coordinate these tactical and strategic activities with incident response, security operations, and risk management teams while aggregating data from trusted communities.
Compare of products in the category Threat Intelligence Platforms
Own feed providers / feed prep analytics centers |
Normalization, feed deduplication |
Number of feed suppliers out of the box |
CSV files |
JSON files |
HTTP-feed |
|
STIX / TAXII Standards Support |
Unstructured text data |
The ability to enrich data from external sources (for example, WHOis, PassiveDNS, VirusTotal, etc.) |
Connecting additional feed providers |
Search for matches in SIEM events |
Direct incident response through integration with third-party information security systems |
Responding to incidents using complex algorithms (playbooks) |
REST API Integration Capability |
Manual adjustment of “weight” parameters for feed’s |
Ability to build a graph of links between feed’s objects and internal artifacts |
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
100+
|
20-100
|
100+
|
100+
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
|||||||||||||
|
|
|
|
Suppliers Threat Intelligence Platforms
Vendors Threat Intelligence Platforms
F.A.Q. about Threat Intelligence Platforms
What is a threat?
A threat is the ability of an entity to gain access to or interfere with the usual planned activities of an information network.
What is an APT?
An advanced persistent threat (APT) is a stealthy computer network threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state sponsored groups conducting large-scale targeted intrusions for specific goals.
What is phishing?
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.
Phishing is an example of social engineering techniques being used to deceive users. Users are often lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, online payment processors or IT administrators.
What is malware?
Malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to a computer, server, client or computer network (in contrast, software that causes unintentional harm due to some deficiency is typically described as a software bug). A wide variety of malware types exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software and scareware.
Programs are also considered malware if they secretly act against the interests of the computer user. For example, at one point, Sony music compact discs silently installed a rootkit on purchasers' computers with the intention of preventing illicit copying, but which also reported on users' listening habits, and unintentionally created extra security vulnerabilities.
A range of antivirus software, firewalls and other strategies are used to help protect against the introduction of malware, to help detect it if it is already present and to recover from malware-associated malicious activity and attacks.
What is a botnet?
A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam and allows the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.
What is a DDoS-attack?
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic. A botnet is a network of zombie computers programmed to receive commands without the owners' knowledge. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This, ultimately, will end up completely crashing a website for periods of time.
What is ransomware?
Ransomware is a type of malware from cryptovirology that threatens to publish the victim's data, or perpetually block access to it, unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as Ukash or Bitcoin and other cryptocurrency are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry worm", travelled automatically between computers without user interaction.
Denial-of-service attack
Wikipedia
https://en.wikipedia.org/wiki/Denial-of-service_attack#DDoS_extortion