WEBVTT

1
00:00:00.060 --> 00:00:01.320
In this lesson,

2
00:00:01.320 --> 00:00:04.710
we will learn about Threat Intelligence Sources.

3
00:00:04.710 --> 00:00:07.350
Threat intelligence sources are external

4
00:00:07.350 --> 00:00:10.020
or internal information streams

5
00:00:10.020 --> 00:00:13.170
that provide insights into emerging threats,

6
00:00:13.170 --> 00:00:15.870
vulnerabilities and attacker tactics.

7
00:00:15.870 --> 00:00:18.930
Threat intelligence source concepts include

8
00:00:18.930 --> 00:00:22.320
threat intelligence feeds, common vulnerabilities

9
00:00:22.320 --> 00:00:27.030
and exposures, or CVE details, bounty programs,

10
00:00:27.030 --> 00:00:30.720
as well as third-party reports and logs.

11
00:00:30.720 --> 00:00:34.500
Threat intelligence feeds deliver real-time data

12
00:00:34.500 --> 00:00:37.230
on potential security risks.

13
00:00:37.230 --> 00:00:41.160
Next, a CVE is a standardized identifier

14
00:00:41.160 --> 00:00:45.780
for a publicly known vulnerability in software or hardware.

15
00:00:45.780 --> 00:00:50.250
Next, bug bounty programs encourage security researchers

16
00:00:50.250 --> 00:00:53.160
to identify and report vulnerabilities

17
00:00:53.160 --> 00:00:55.290
to application owners.

18
00:00:55.290 --> 00:00:58.260
And finally, third-party reports and logs

19
00:00:58.260 --> 00:01:00.990
offer additional context and data

20
00:01:00.990 --> 00:01:03.900
on specific threats or incidents.

21
00:01:03.900 --> 00:01:07.050
Let's learn more about threat intelligence feeds,

22
00:01:07.050 --> 00:01:09.390
common vulnerabilities and exposures,

23
00:01:09.390 --> 00:01:12.930
or CVE details, bounty programs,

24
00:01:12.930 --> 00:01:16.560
as well as third-party reports and logs.

25
00:01:16.560 --> 00:01:20.070
First, we have threat intelligence feeds.

26
00:01:20.070 --> 00:01:23.970
Threat intelligence feeds are real-time streams of data

27
00:01:23.970 --> 00:01:25.620
that provide organizations

28
00:01:25.620 --> 00:01:28.680
with insights into emerging threats.

29
00:01:28.680 --> 00:01:32.490
These feeds often include indicators of compromise,

30
00:01:32.490 --> 00:01:37.410
such as malicious IP addresses, URLs, file hashes,

31
00:01:37.410 --> 00:01:40.290
and domains used by attackers.

32
00:01:40.290 --> 00:01:42.270
Public threat intelligence feeds

33
00:01:42.270 --> 00:01:45.780
like the ones provided by open source platforms

34
00:01:45.780 --> 00:01:49.860
like AlienVault's Open Threat Exchange, or OTX,

35
00:01:49.860 --> 00:01:54.090
are freely available and are widely used by security teams

36
00:01:54.090 --> 00:01:57.270
to stay up-to-date on the latest threats.

37
00:01:57.270 --> 00:02:00.390
Private threat intelligence feeds, on the other hand,

38
00:02:00.390 --> 00:02:02.700
often available through paid services

39
00:02:02.700 --> 00:02:06.300
from cybersecurity firms, offer more targeted

40
00:02:06.300 --> 00:02:08.010
and in-depth data.

41
00:02:08.010 --> 00:02:11.970
These private feeds typically include tailored intelligence

42
00:02:11.970 --> 00:02:15.510
about specific industries or geographies.

43
00:02:15.510 --> 00:02:18.120
An example of private threat intelligence

44
00:02:18.120 --> 00:02:21.660
is information sharing within information sharing

45
00:02:21.660 --> 00:02:24.540
and analysis centers, or ISACs,

46
00:02:24.540 --> 00:02:27.630
which generally require a membership fee.

47
00:02:27.630 --> 00:02:30.720
ISACs, like the financial services ISAC

48
00:02:30.720 --> 00:02:32.940
or the Healthcare ISAC,

49
00:02:32.940 --> 00:02:36.360
allow organizations within specific sectors

50
00:02:36.360 --> 00:02:40.260
to share threat data specific to their industry,

51
00:02:40.260 --> 00:02:43.680
enabling faster and more coordinated responses

52
00:02:43.680 --> 00:02:45.570
to emerging threats.

53
00:02:45.570 --> 00:02:47.910
Using threat intelligence feeds,

54
00:02:47.910 --> 00:02:50.850
organizations can enhance their defenses

55
00:02:50.850 --> 00:02:53.400
by incorporating up-to-date threat data

56
00:02:53.400 --> 00:02:55.980
into their security operations.

57
00:02:55.980 --> 00:03:00.300
For example, security teams can configure their firewalls,

58
00:03:00.300 --> 00:03:04.200
intrusion detection systems, and security information

59
00:03:04.200 --> 00:03:08.730
and event management, or SIEM, tools to automatically block

60
00:03:08.730 --> 00:03:11.040
or alert on any traffic

61
00:03:11.040 --> 00:03:14.370
associated with malicious indicators.

62
00:03:14.370 --> 00:03:17.130
Threat intelligence can even be ingested

63
00:03:17.130 --> 00:03:19.590
into these security devices

64
00:03:19.590 --> 00:03:22.260
through automated feeds, using formats

65
00:03:22.260 --> 00:03:25.080
like the Structured Threat Information eXpression,

66
00:03:25.080 --> 00:03:27.240
or STIX, and over

67
00:03:27.240 --> 00:03:31.230
the Trusted Automated eXchange of Indicator Information

68
00:03:31.230 --> 00:03:33.300
or TAXII protocol.

69
00:03:33.300 --> 00:03:36.540
For example, if a threat feed identifies

70
00:03:36.540 --> 00:03:40.470
specific IP addresses linked to ransomware command

71
00:03:40.470 --> 00:03:42.150
and control servers,

72
00:03:42.150 --> 00:03:45.390
organizations can configure their firewalls

73
00:03:45.390 --> 00:03:49.440
to block traffic to and from those IP addresses.

74
00:03:49.440 --> 00:03:52.350
So these feeds help security teams

75
00:03:52.350 --> 00:03:56.100
respond to emerging threats in real-time,

76
00:03:56.100 --> 00:04:00.960
providing a proactive layer of defense against cyberattacks.

77
00:04:00.960 --> 00:04:03.720
Second, we have common vulnerabilities

78
00:04:03.720 --> 00:04:06.373
and exposures or CVEs.

79
00:04:06.373 --> 00:04:09.660
A CVE is a standardized identifier

80
00:04:09.660 --> 00:04:13.230
used to catalog publicly known vulnerabilities.

81
00:04:13.230 --> 00:04:17.880
Each CVE entry contains details about the vulnerability

82
00:04:17.880 --> 00:04:21.600
such as its identifier, which is CVE,

83
00:04:21.600 --> 00:04:23.730
followed by the year it was discovered,

84
00:04:23.730 --> 00:04:27.510
followed by a serial number, a brief description,

85
00:04:27.510 --> 00:04:29.820
the affected systems or software,

86
00:04:29.820 --> 00:04:33.960
and links to further technical details or patches.

87
00:04:33.960 --> 00:04:37.440
CVEs are maintained by the MITRE Corporation

88
00:04:37.440 --> 00:04:41.100
and are widely used by organizations to prioritize

89
00:04:41.100 --> 00:04:44.460
and address known security weaknesses.

90
00:04:44.460 --> 00:04:46.890
The format of a CVE entry

91
00:04:46.890 --> 00:04:51.000
includes the year it was identified, and a serial number,

92
00:04:51.000 --> 00:04:54.480
which helps in tracking vulnerabilities in databases

93
00:04:54.480 --> 00:04:58.432
like the National Vulnerability Database or NVD,

94
00:04:58.432 --> 00:05:03.423
for example, CVE-2021-34527,

95
00:05:04.373 --> 00:05:06.960
also known as PrintNightmare,

96
00:05:06.960 --> 00:05:10.560
is a vulnerability in the Windows Print Spooler Service,

97
00:05:10.560 --> 00:05:13.050
which allowed remote code execution

98
00:05:13.050 --> 00:05:16.800
and required immediate patching by organizations.

99
00:05:16.800 --> 00:05:21.300
CVE details are extremely valuable for security teams

100
00:05:21.300 --> 00:05:25.890
as they also provide severity scores for vulnerabilities.

101
00:05:25.890 --> 00:05:27.720
This enables organizations

102
00:05:27.720 --> 00:05:31.020
to prioritize their patch management efforts.

103
00:05:31.020 --> 00:05:33.570
Severity scores, such as those

104
00:05:33.570 --> 00:05:36.810
provided by the Common Vulnerability Scoring System

105
00:05:36.810 --> 00:05:40.926
or CVSS, range from 0.0,

106
00:05:40.926 --> 00:05:42.870
representing no risk

107
00:05:42.870 --> 00:05:47.010
to 10.0, representing critical risk.

108
00:05:47.010 --> 00:05:48.750
By consulting CVEs

109
00:05:48.750 --> 00:05:51.660
and associated CVSS scores,

110
00:05:51.660 --> 00:05:55.590
security teams can quickly assess which vulnerabilities

111
00:05:55.590 --> 00:05:58.320
pose the highest risk to their environment,

112
00:05:58.320 --> 00:06:00.630
and should be addressed first.

113
00:06:00.630 --> 00:06:03.810
Third, we have bug bounty programs.

114
00:06:03.810 --> 00:06:05.850
Bug bounty programs encourage

115
00:06:05.850 --> 00:06:10.020
independent security researchers to identify and report

116
00:06:10.020 --> 00:06:14.640
vulnerabilities in software or systems to the vendor.

117
00:06:14.640 --> 00:06:18.600
Companies or organizations running bug bounty programs

118
00:06:18.600 --> 00:06:21.570
offer financial rewards to researchers

119
00:06:21.570 --> 00:06:24.720
who responsibly disclose security flaws

120
00:06:24.720 --> 00:06:27.720
rather than exploit them maliciously.

121
00:06:27.720 --> 00:06:30.750
This process of responsible disclosure

122
00:06:30.750 --> 00:06:32.820
involves reporting the vulnerability

123
00:06:32.820 --> 00:06:37.590
directly to the organization, allowing them to fix the issue

124
00:06:37.590 --> 00:06:40.440
before the details are made public.

125
00:06:40.440 --> 00:06:43.560
Platforms like HackerOne and Bugcrowd

126
00:06:43.560 --> 00:06:46.980
facilitate these programs, providing researchers

127
00:06:46.980 --> 00:06:49.890
with opportunities to submit vulnerabilities

128
00:06:49.890 --> 00:06:52.740
in exchange for monetary reward.

129
00:06:52.740 --> 00:06:55.140
The amount of money that can be earned

130
00:06:55.140 --> 00:06:58.260
in a bug bounty program varies widely

131
00:06:58.260 --> 00:07:01.020
depending on the severity of the bug

132
00:07:01.020 --> 00:07:04.080
and the organization running the program.

133
00:07:04.080 --> 00:07:07.440
For example, some companies offer rewards

134
00:07:07.440 --> 00:07:11.580
ranging from $500 for low severity bugs

135
00:07:11.580 --> 00:07:16.200
to over $100,000 for critical vulnerabilities.

136
00:07:16.200 --> 00:07:20.910
In 2019, Apple expanded its bug bounty program

137
00:07:20.910 --> 00:07:25.350
and began offering rewards of up to $1 million

138
00:07:25.350 --> 00:07:29.400
for discovering critical vulnerabilities in iOS,

139
00:07:29.400 --> 00:07:31.650
particularly those that could lead

140
00:07:31.650 --> 00:07:34.740
to a zero-click remote code execution

141
00:07:34.740 --> 00:07:37.470
without any user interaction.

142
00:07:37.470 --> 00:07:39.480
Rewards like this are offered

143
00:07:39.480 --> 00:07:44.190
because bug bounty programs benefit the vendor organization

144
00:07:44.190 --> 00:07:48.930
by giving them access to a global pool of security talent,

145
00:07:48.930 --> 00:07:51.690
helping them uncover security issues

146
00:07:51.690 --> 00:07:54.690
that internal teams may overlook.

147
00:07:54.690 --> 00:07:59.670
Fourth and last, we have third-party reports and logs.

148
00:07:59.670 --> 00:08:01.590
Third-party reports and logs

149
00:08:01.590 --> 00:08:04.620
are additional sources of threat intelligence

150
00:08:04.620 --> 00:08:07.200
that provide context and analysis

151
00:08:07.200 --> 00:08:11.910
on specific cybersecurity incidents or vulnerabilities.

152
00:08:11.910 --> 00:08:16.560
These reports are often generated by cybersecurity firms,

153
00:08:16.560 --> 00:08:20.250
government agencies, or research organizations,

154
00:08:20.250 --> 00:08:23.910
and offer deep insights into ongoing threats

155
00:08:23.910 --> 00:08:26.340
or new attack techniques.

156
00:08:26.340 --> 00:08:28.680
For example, annual reports

157
00:08:28.680 --> 00:08:32.370
like the Verizon Data Breach Investigations Report

158
00:08:32.370 --> 00:08:34.560
provide comprehensive analysis

159
00:08:34.560 --> 00:08:37.050
on the state of cyber threats,

160
00:08:37.050 --> 00:08:40.560
helping organizations understand the latest trends

161
00:08:40.560 --> 00:08:43.320
in attacks and vulnerabilities.

162
00:08:43.320 --> 00:08:47.340
These reports aggregate data from thousands of incidents,

163
00:08:47.340 --> 00:08:51.360
providing valuable insights that organizations can use

164
00:08:51.360 --> 00:08:53.820
to refine their defenses.

165
00:08:53.820 --> 00:08:56.700
Next, third-party logs such as those

166
00:08:56.700 --> 00:08:59.910
provided by managed security service providers

167
00:08:59.910 --> 00:09:03.630
or cloud services offer valuable information

168
00:09:03.630 --> 00:09:07.410
about security events within an organization.

169
00:09:07.410 --> 00:09:09.900
These logs can even be integrated

170
00:09:09.900 --> 00:09:13.950
into an organization's SIEM for continuous monitoring

171
00:09:13.950 --> 00:09:15.750
and threat detection.

172
00:09:15.750 --> 00:09:19.860
For example, cloud providers like Amazon Web Services

173
00:09:19.860 --> 00:09:23.700
or AWS, provide detailed access logs

174
00:09:23.700 --> 00:09:26.040
that allow organizations to monitor

175
00:09:26.040 --> 00:09:30.090
who accessed specific resources and when.

176
00:09:30.090 --> 00:09:32.130
By combining internal logs

177
00:09:32.130 --> 00:09:34.500
with third-party logs and reports,

178
00:09:34.500 --> 00:09:38.160
organizations can gain a more comprehensive view

179
00:09:38.160 --> 00:09:40.560
of their security posture,

180
00:09:40.560 --> 00:09:44.520
allowing them to respond more effectively to threats.

181
00:09:44.520 --> 00:09:47.310
Before we wrap up, let's do a demonstration

182
00:09:47.310 --> 00:09:51.000
highlighting how to integrate a threat intelligence feed

183
00:09:51.000 --> 00:09:53.910
into a SIEM such as Splunk.

184
00:09:53.910 --> 00:09:58.380
On this Kali Linux machine, I have Splunk installed

185
00:09:58.380 --> 00:10:03.380
and I have created separately an OTX account and API key

186
00:10:04.080 --> 00:10:08.190
so that I can pull the OTX threat intelligence feed.

187
00:10:08.190 --> 00:10:10.440
Let's take a look at what I've created.

188
00:10:10.440 --> 00:10:14.490
I am logged into otx.alienvault.com,

189
00:10:14.490 --> 00:10:18.540
and in my settings, I can see that there's an OTX key,

190
00:10:18.540 --> 00:10:23.100
which will be used for the API from Splunk to OTX.

191
00:10:23.100 --> 00:10:25.920
Next, here in my Splunk dashboard,

192
00:10:25.920 --> 00:10:29.640
I need to create an add-on for threat intelligence.

193
00:10:29.640 --> 00:10:33.060
To do that, I'm going to go to Find more apps

194
00:10:33.060 --> 00:10:34.620
on the left-hand side.

195
00:10:34.620 --> 00:10:37.050
Here in the Find more apps,

196
00:10:37.050 --> 00:10:40.500
I'm going to search for open threat.

197
00:10:40.500 --> 00:10:43.890
There are two applications that are already installed.

198
00:10:43.890 --> 00:10:46.650
Those are the ones that I would want to download.

199
00:10:46.650 --> 00:10:48.870
Add-on for Open Threat Exchange

200
00:10:48.870 --> 00:10:52.290
and supporting add-on for Open Threat Exchange.

201
00:10:52.290 --> 00:10:55.020
As I mentioned, I've already installed these.

202
00:10:55.020 --> 00:10:57.780
I just disabled them for this demonstration,

203
00:10:57.780 --> 00:11:01.410
so my next step is to go to those applications

204
00:11:01.410 --> 00:11:03.030
and re-enable them.

205
00:11:03.030 --> 00:11:05.400
If this was being done for the first time,

206
00:11:05.400 --> 00:11:07.440
you would just install them here.

207
00:11:07.440 --> 00:11:11.160
I'm going to go to Apps, Manage apps,

208
00:11:11.160 --> 00:11:15.870
and I'm going to enable those two applications,

209
00:11:15.870 --> 00:11:18.780
the supporting add-on for Open Threat Exchange

210
00:11:18.780 --> 00:11:21.840
and the add-on for Open Threat Exchange.

211
00:11:21.840 --> 00:11:25.500
Now, with both of those enabled, I'm going to go back

212
00:11:25.500 --> 00:11:29.610
to my home page on Splunk and refresh it.

213
00:11:29.610 --> 00:11:31.800
You'll see that I now have an add-on

214
00:11:31.800 --> 00:11:33.810
for Open Threat Exchange.

215
00:11:33.810 --> 00:11:35.250
Let's open it up.

216
00:11:35.250 --> 00:11:38.310
Here is where I will create my new input

217
00:11:38.310 --> 00:11:42.210
with my OTX API key, but before doing that,

218
00:11:42.210 --> 00:11:46.110
I need to create an index so I can manage and query

219
00:11:46.110 --> 00:11:49.560
threat intelligence from the OTX feed.

220
00:11:49.560 --> 00:11:53.190
So I'm going to go to Settings, under Data,

221
00:11:53.190 --> 00:11:55.500
I'll select Indexes.

222
00:11:55.500 --> 00:11:59.100
Here I want to create a new index.

223
00:11:59.100 --> 00:12:04.100
I'm going to call my index threat_intel.

224
00:12:04.620 --> 00:12:07.320
All these default configurations are okay,

225
00:12:07.320 --> 00:12:12.320
and now I've created an index called threat_intel.

226
00:12:13.170 --> 00:12:17.460
Now back to my new application add-on

227
00:12:17.460 --> 00:12:19.860
for Open Threat Exchange.

228
00:12:19.860 --> 00:12:24.030
Now I'm going to be able to create that new input.

229
00:12:24.030 --> 00:12:25.020
I'll give it a name,

230
00:12:25.020 --> 00:12:30.020
and the name I'm going to give it is OTX Threat Feed.

231
00:12:30.150 --> 00:12:31.620
I'm going to have it refresh

232
00:12:31.620 --> 00:12:36.570
or look for new updates every 6,000 seconds or 10 minutes,

233
00:12:36.570 --> 00:12:38.760
and I want to assign it an index

234
00:12:38.760 --> 00:12:43.710
that I just created, threat_intel.

235
00:12:43.710 --> 00:12:47.700
Now I need to give it that API key that I created earlier.

236
00:12:47.700 --> 00:12:50.880
I'll copy it and paste it in.

237
00:12:50.880 --> 00:12:53.250
Once my API key is in place,

238
00:12:53.250 --> 00:12:56.010
I'll go ahead and add this new input.

239
00:12:56.010 --> 00:12:56.850
There we go.

240
00:12:56.850 --> 00:13:00.300
I've created my OTX threat feed.

241
00:13:00.300 --> 00:13:04.320
Now we're receiving threat intelligence into Splunk.

242
00:13:04.320 --> 00:13:07.740
At this point, we could create dashboards to alert us

243
00:13:07.740 --> 00:13:12.000
to top malicious IP addresses from the OTX feed,

244
00:13:12.000 --> 00:13:15.510
or maybe blocked or flagged traffic from Splunk

245
00:13:15.510 --> 00:13:17.850
using the threat feed data.

246
00:13:17.850 --> 00:13:19.980
During the SecurityX exam,

247
00:13:19.980 --> 00:13:23.100
I do not expect you to have to configure a SIEM

248
00:13:23.100 --> 00:13:25.260
to ingest threat intelligence.

249
00:13:25.260 --> 00:13:27.810
So don't memorize these steps,

250
00:13:27.810 --> 00:13:32.010
but it is valuable to understand that it can be done

251
00:13:32.010 --> 00:13:34.260
and what the benefits are.

252
00:13:34.260 --> 00:13:37.500
This is the end of our demonstration.

253
00:13:37.500 --> 00:13:39.660
So remember,

254
00:13:39.660 --> 00:13:43.110
threat intelligence sources provide crucial insights

255
00:13:43.110 --> 00:13:47.370
into emerging cybersecurity threats, vulnerabilities,

256
00:13:47.370 --> 00:13:49.380
and attacker tactics.

257
00:13:49.380 --> 00:13:52.920
These sources include threat intelligence feeds,

258
00:13:52.920 --> 00:13:55.110
common vulnerabilities and exposures,

259
00:13:55.110 --> 00:13:58.980
or CVE details, bug bounty programs,

260
00:13:58.980 --> 00:14:01.770
and third-party reports and logs.

261
00:14:01.770 --> 00:14:05.250
Threat intelligence feeds deliver real-time data

262
00:14:05.250 --> 00:14:10.250
on potential security risks, while CVEs help organizations

263
00:14:10.560 --> 00:14:12.690
track down vulnerabilities

264
00:14:12.690 --> 00:14:15.720
by assigning standardized identifiers.

265
00:14:15.720 --> 00:14:19.380
Next, bug bounty programs provide incentive

266
00:14:19.380 --> 00:14:22.710
for security researchers to discover and report

267
00:14:22.710 --> 00:14:27.330
vulnerabilities to vendors, often for financial reward.

268
00:14:27.330 --> 00:14:32.100
Last, third-party reports and logs offer detailed analysis

269
00:14:32.100 --> 00:14:35.460
and additional data on specific incidents,

270
00:14:35.460 --> 00:14:37.740
helping organizations improve

271
00:14:37.740 --> 00:14:40.503
their overall security posture.

