Chapter 20 Notes


FireEye

FireEye is another security company that offers services to help enterprises secure their networks. FireEye uses a three-pronged approach that combines security intelligence, security expertise, and technology. FireEye offers SIEM and SOAR through the Helix Security Platform, which uses behavioral analysis and advanced threat detection and is supported by the FireEye Mandiant worldwide threat intelligence network. Helix is a cloud-hosted security operations platform that combines diverse security tools and threat intelligence into a single console. The FireEye Security System blocks attacks across the web and email threat vectors, as well as latent malware that resides on file shares. It can block advanced malware that bypasses traditional signature-based defenses, and it addresses all stages of the attack lifecycle with a signature-less engine that uses stateful attack analysis to detect zero-day threats.

Automated Indicator Sharing

The U.S. Department of Homeland Security (DHS) offers a free service called Automated Indicator Sharing (AIS). AIS enables the real-time exchange of cyber threat indicators (for example, a malicious IP address or the sender address of a phishing email) between the U.S. Federal Government and the private sector. AIS creates an ecosystem in which, as soon as a participant recognizes a threat, the indicator is shared with the community so that other members can protect their networks from that particular threat.

Common Vulnerabilities and Exposures (CVE) Database

The United States government sponsored the MITRE Corporation to create and maintain a catalog of publicly known security vulnerabilities called Common Vulnerabilities and Exposures (CVE). CVE serves as a dictionary of common names (CVE Identifiers, of the form CVE-YYYY-NNNNN, where the sequence number has four or more digits) for publicly known cybersecurity vulnerabilities. MITRE assigns a unique CVE Identifier to each publicly known information-security vulnerability so that tools, advisories, and analysts can refer to the same issue by one name, which makes it easier to share data.

Cisco Talos

The goal of Talos is to help protect enterprise users, data, and infrastructure from active adversaries. The Talos team collects information about active, existing, and emerging threats. Talos then provides comprehensive protection against these attacks and malware to its subscribers. Talos maintains the security incident detection rule sets for the Snort.org, ClamAV, and SpamCop network security tools.

Threat Intelligence Communication Standards

These standards enable the exchange of cyber threat intelligence (CTI) in an automated, consistent, and machine-readable format. Three common threat intelligence sharing standards include the following:
- Structured Threat Information Expression (STIX) - This is a set of specifications for exchanging cyber threat information between organizations. The Cyber Observable Expression (CybOX) standard has been incorporated into STIX.
- Trusted Automated Exchange of Indicator Information (TAXII) - This is the specification for an application layer protocol that allows the communication of CTI over HTTPS. TAXII is designed to support STIX.
- Cyber Observable Expression (CybOX) - This is a set of standardized schema for specifying, capturing, characterizing, and communicating events and properties of network operations that supports many cybersecurity functions.

Threat Intelligence Platforms

A threat intelligence platform centralizes the collection of threat data from numerous data sources and formats. There are three major types of threat intelligence data:
- The first is indicators of compromise (IOC).
- The second is tactics, techniques, and procedures (TTP).
- The third is reputation information about internet destinations or domains.
The attack-related information gathered from honeypots can then be shared with threat intelligence platform subscribers.

International Information Systems Security Certification Consortium (ISC2)

is a network security organization that provides vendor neutral education products and career services.

Structured Threat Information Expression (STIX)

is a set of specifications for exchanging cyberthreat information between organizations.

Cyber Observable Expression (CybOX)

is a set of standardized schema that specifies, captures, characterizes, and communicates events and properties of network operations and that supports many cybersecurity functions.

Trusted Automated Exchange of Indicator Information (TAXII)

is a specification for an application layer protocol that allows the communication of CTI over HTTPS and is designed to support STIX.

The Malware Information Sharing Platform (MISP)

is an open source platform for sharing indicators of compromise for newly discovered threats. MISP is supported by the European Union and is used by over 6,000 organizations globally. MISP enables automated sharing of IOCs between people and machines by using STIX and other export formats.
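The standards described under Threat Intelligence Communication Standards (STIX, TAXII, CybOX) and the IOC sharing that MISP and AIS perform are easier to reason about with a concrete object in hand. The following is an added example, not code from the original notes, from MISP, or from OASIS: it builds a minimal STIX 2.1 Indicator bundle using only the Python standard library (in practice the OASIS stix2 library would generate these objects), then matches the indicators' values against a few constructed log lines. The helper names, the fixed ids, the timestamp, and the sample logs are assumptions made for the example, and the pattern parser handles only the single-comparison form of the STIX patterning language.

```python
"""Added example (not from the original notes or any vendor): build a
minimal STIX 2.1 Indicator bundle for three IOCs and match the patterns
against constructed log lines. Standard library only; STIX pattern support
is limited to single 'object-type:property = value' comparisons."""
import json
import re
import uuid

STIX_VERSION = "2.1"
# Constructed timestamp so the demo bundle is deterministic.
DEMO_TIME = "2024-01-01T00:00:00.000Z"

def make_indicator(pattern, name, created=DEMO_TIME, ind_id=None):
    """Return a STIX 2.1 Indicator SDO as a dict (hypothetical helper, not the
    stix2 library). A fresh UUIDv4-based id is generated unless one is given."""
    return {
        "type": "indicator",
        "spec_version": STIX_VERSION,
        "id": ind_id or f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": created,
    }

def make_bundle(objects):
    """Wrap SDOs in a STIX Bundle, the envelope a TAXII collection serves."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def bundle_to_json(bundle):
    """Serialize the bundle the way it would travel over TAXII (JSON)."""
    return json.dumps(bundle, indent=2)

# Only the simplest STIX pattern form: [object-type:property = 'value']
SIMPLE_PATTERN = re.compile(
    r"^\[\s*([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'\s*\]$")

def parse_simple_pattern(pattern):
    """Return (object_type, property, value) for a single-comparison pattern.
    Anything else (AND/OR, FOLLOWEDBY, MATCHES, LIKE, ranges) raises
    ValueError so unsupported indicators are reported, never silently skipped."""
    m = SIMPLE_PATTERN.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported STIX pattern: {pattern!r}")
    return m.group(1), m.group(2), m.group(3)

# Token boundary: a hit must not be a substring of a longer address or name,
# so '203.0.113.7' does not fire on '203.0.113.70' and 'evil.example' does
# not fire on 'notevil.example' or on the mailbox 'user@evil.example'.
BOUNDARY = r"[\w.@-]"

def match_indicators(bundle, log_lines):
    """Map each indicator name to the indices of log lines its value appears in."""
    hits = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        _, _, value = parse_simple_pattern(obj["pattern"])
        rx = re.compile(f"(?<!{BOUNDARY}){re.escape(value)}(?!{BOUNDARY})")
        hits[obj["name"]] = [i for i, line in enumerate(log_lines) if rx.search(line)]
    return hits

# Constructed sample logs (firewall, mail gateway, proxy); not real traffic.
SAMPLE_LOGS = [
    "2024-01-01T00:00:01Z fw src=203.0.113.7 dst=10.0.0.5 action=allow",
    "2024-01-01T00:00:02Z fw src=203.0.113.70 dst=10.0.0.5 action=allow",
    "2024-01-01T00:00:03Z mail from=billing@evil.example to=ceo@corp.example",
    "2024-01-01T00:00:04Z proxy GET http://evil.example/update.bin 200",
]

def build_demo_bundle():
    """Three constructed IOCs with fixed ids so the output is reproducible."""
    return make_bundle([
        make_indicator("[ipv4-addr:value = '203.0.113.7']", "C2 address",
                       ind_id="indicator--11111111-1111-4111-8111-111111111111"),
        make_indicator("[email-addr:value = 'billing@evil.example']", "Phishing sender",
                       ind_id="indicator--22222222-2222-4222-8222-222222222222"),
        make_indicator("[domain-name:value = 'evil.example']", "Phishing domain",
                       ind_id="indicator--33333333-3333-4333-8333-333333333333"),
    ])

def run_demo():
    """Match the demo bundle against the sample logs."""
    return match_indicators(build_demo_bundle(), SAMPLE_LOGS)

if __name__ == "__main__":
    print(bundle_to_json(build_demo_bundle()))
    for name, lines in run_demo().items():
        print(f"{name}: lines {lines}")
```

The bundle printed here is the kind of document a TAXII 2.1 server returns from a collection's objects endpoint, and what MISP produces with its STIX export. The boundary check in match_indicators is the part practitioners most often get wrong: a naive substring match would flag 203.0.113.70 for the 203.0.113.7 indicator, and a malformed or compound pattern should be surfaced as an error rather than quietly matching nothing.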

One of the primary functions of the SysAdmin, Audit, Network, Security (SANS) Institute

is the maintenance of the Internet Storm Center early warning system.
