搜索
安全威胁情报体系的建设与应用什么是安全威胁情报3当前信息安全防护体系面临困境难以从海量的安全事件发现真正的攻击行为,IDS、SOC等传统安全产品使用效率低下某一点确认的安全事件不能及时在组织内及时有效地进行共享,组织内部难以有效协同不同类型、不同厂商的安全设备之间的漏洞、威胁信息不通用,不利于大型网络的维护管理斯诺登等事件揭示的NSA对我国的攻击手段,目前的手段难以有效识别发现,亟需对现有安全体系进行升级应用安全威胁情报技术建设安全威胁情报平台4攻防速度之争!5速度!速度!还是速度!AttackBeginsSystemIntrusionAttackerSurveillanceCover-upCompleteAccessProbeLeapFrogAttacksCompleteTargetAnalysisTIMEAttackSet-upDiscovery/PersistenceMaintainfootholdCover-upStartsAttackForecastPhysicalSecurityContainment&EradicationSystemReactionDamageIdentificationRecoveryDefenderDiscoveryMonitoring&ControlsImpactAnalysisResponseThreatAnalysisAttackIdentifiedIncidentReportingNeedtocollapsefreetimeATTACKERFREETIMETIMESource:NERCHILFReport,June2010()6安全威胁情报是?一些“热”词:SecurityIntelligence安全,安全情报ThreatIntelligence威胁情报SecurityThreatIntelligence安全威胁情报CyberThreatInformationSharing网络威胁信息共享IntelligenceAware情报感知IntelligenceDriven情报驱动Intelligence-AwareSecurityControl基于情报感知的安全控制ContextAware情境感知信誉库7•OSINT•DellSecureWorks•RSANetWitnessLive/VerisigniDefense•SymantecDeepsight•McAfeeThreatIntelligence•SANS•CVEs,CWEs,OSVDB(Vulns)•iSightPartners•ThreatStream•OpenDNS•MAPP企业外部的安全威胁情报源(含开源及商业)•IBMQRadar•PaloAltoWildfire•Crowdstrike•AlienVaultOTX•RecordedFuture•TeamCymru•ISACs/US-CERT•FireEye/Mandiant•Vorstack•CyberUnited•NorseIPViking/Darklist8企业内部的安全威胁情报源(提供安全情境)•Directoryuserinformation(personale-mail,access,userprivilege,start/enddate)•Proxyinformation(content)•DLP&businessunitrisk(tradesecrets/IPsensitivedocs)•ITCasehistory/tickettracking•Malwaredetection/AValerts•Sensitivebusinessroles•Applicationusage&consumptionevents(in-house)•Databaseusage/accessmonitoring(privileged)•Entitlements/accessoutliers(in-house)•Userbehaviorassociationbasedongeography,frequency,uniqueness,andprivilege9情报平台Threatintelligenceplatforms(TIPS)•预计至2018,50%的一线组织和MSSPs将会使用以MRTI为基础的TIP平台(目前不到5%)10安全威胁情报应用示例之RSANetWitnessLiveLivegathersthebestadvancedthreatintelligenceandcontentintheglobalsecuritycommunityLiveManagerprovidesconfigurablemanagerwithadashboardAggregates&consolidatesonlythemostpertinentinformationTransparentintegrationwithcustomer’sliveandrecordednetworktraffic11安全威胁情报应用示例之RSANetWitnessLive•RSAFraudactionDomains•RSAFraudactionIP•NWAPTAttachments•NWAPTIP•NWAPTDomains•NWSuspiciousIPIntel•NWCriminalVPNEntryDomains•NWCriminalVPNEntryIP•NWCriminalVPNExitIP•NWCriminalVPNExitDomains•NWCriminalSOCKSnodes•NWCriminalSOCKSUserIP’s•NWInsiderThreatDomains•NWInsiderThreatIP•APTFilenames•PalevoTrackerIP•PalevoTrackerDomains•QakBotC2Domains•CriticalIntelligenceDomains-SCADA•CriticalIntelligenceIP’s-SCADA•DynamicDNSDomains•TORExitNodes•TORNodes•eFaxsites(dataleakage)•iDefenseThreatIndicators•ISECExposureBlacklistDomains12安全威胁情报应用示例之RSANetWitnessLive13安全威胁情报应用示例之IBMQradarSIP•Bridgessilos•Highlyscalable•Flexible&adaptable•Easydeployment•Rapidtimetovalue•Operationalefficiency•Proactivethreatmanagement•Identifiescriticalanomalies•Rapid,extensiveimpactanalysis14安全威胁情报应用示例之IBMQRadarSIPContextandCorrelationDriveDeepestInsightExtensiveDataSourcesDeepIntelligenceExceptionallyAccurateandActionableInsight+=SuspectedIncidentsEventCorrelationActivityBaselining&AnomalyDetection•Logs•Flows•IPReputation•GeoLocation•UserActivity•DatabaseActivity•ApplicationActivity•NetworkActivityOffenseIdentification•Credibility•Severity•RelevanceDatabaseActivityServers&MainframesUsers&IdentitiesVulnerabilityInfoConfigurationInfoSecurityDevicesNetwork&VirtualActivityApplicationActivity15安全威胁情报应用示例之IBMQRadarSIP•Turnkeylogmanagement•SMEtoEnterprise•UpgradeabletoenterpriseSIEM•Integratedlog,threat,risk&compliancemgmt.•Sophisticatedeventanalytics•Assetprofilingandflowanalytics•Offensemanagementandworkflow•Predictivethreatmodeling&simulation•Scalableconfigurationmonitoringandaudit•AdvancedthreatvisualizationandimpactanalysisSIEMLogManagementRisk&ConfigurationManagementNetworkActivity&AnomalyDetectionNetworkandApplicationVisibility•Networkanalytics•Behavioralanomalydetection•FullyintegratedwithSIEM•Layer7applicationmonitoring•Contentcapturefordeepinsight•PhysicalandvirtualenvironmentsFullyIntegratedSecurityIntelligence16安全威胁情报应用示例之McAfeeThreatIntelligence安全威胁情报体系的建设18•STIX-StructuredThreatInformationeXpression•TAXII-TrustedAutomatedeXchangeofIndicatorInformation•CybOX-CyberObservableeXpression•MAEC-MalwareAttributeEnumerationandCharacterization•OpenIOC-OpensourcedschemafromMandiant•IODEF-IncidentObjectDescriptionExchangeFormat•CIF-CollectiveIntelligenceFramework•IDXWG-IncidentDataeXchangeWorkingGroup标准是最好的建设参考19主要协议和标准比较20STIX标准要点浅析21STIX标准要点浅析22TAXII标准要点浅析23TAXII标准要点浅析24TAXII标准要点浅析25美国联邦政府标准NIST800-150Draft要点浅析26美国联邦政府标准NIST800-150Draft浅析27美国联邦政府标准NIST800-150Draft浅析28美国联邦政府标准NIST800-150Draft浅析•IPaddressesanddomainnames•URLsinvolvedwithattacks•SimpleMailTransportProtocol(SMTP)headers,emailaddresses,subjectlines,andcontentsofemailsusedinphishingattacks•Malwaresamplesandartifacts•AdversaryTactics,Techniques,andProcedures(andeffectiveness)•Responseandmitigationstrategies•Exploitcode•Intrusionsignaturesorpatterns•Packetcaptureso