WEBVTT

1
00:00:00.000 --> 00:00:01.200
<v Narrator>In this lesson,</v>

2
00:00:01.200 --> 00:00:03.930
we will learn about indicator of compromise

3
00:00:03.930 --> 00:00:05.790
or IoC sharing.

4
00:00:05.790 --> 00:00:08.700
IoC sharing is the exchange of data

5
00:00:08.700 --> 00:00:11.760
related to potential security threats.

6
00:00:11.760 --> 00:00:14.280
This includes malicious IP addresses

7
00:00:14.280 --> 00:00:17.820
or file hashes shared between organizations

8
00:00:17.820 --> 00:00:22.260
to improve individual detection and response efforts.

9
00:00:22.260 --> 00:00:25.110
Indicator of compromise sharing concepts

10
00:00:25.110 --> 00:00:29.580
include Structured Threat Information Expression or STIX,

11
00:00:29.580 --> 00:00:31.530
Trusted Automated Exchange

12
00:00:31.530 --> 00:00:34.380
of Intelligence Information or TAXII

13
00:00:34.380 --> 00:00:38.490
and Automated Indicator Sharing, or AIS.

14
00:00:38.490 --> 00:00:41.340
STIX is a standardized language used

15
00:00:41.340 --> 00:00:43.800
to represent threat information.

16
00:00:43.800 --> 00:00:46.050
TAXII provides the protocol

17
00:00:46.050 --> 00:00:50.130
for sharing threat information securely and efficiently.

18
00:00:50.130 --> 00:00:53.580
And AIS, a US government initiative,

19
00:00:53.580 --> 00:00:57.630
enables the real-time sharing of cyber threat indicators

20
00:00:57.630 --> 00:01:00.360
between public and private sectors.

21
00:01:00.360 --> 00:01:01.620
Let's learn more about

22
00:01:01.620 --> 00:01:04.920
Structured Threat Information Expression or STIX,

23
00:01:04.920 --> 00:01:08.610
Trusted Automated Exchange of Intelligence Information

24
00:01:08.610 --> 00:01:13.290
or TAXII and Automated Indicator Sharing or AIS.

25
00:01:13.290 --> 00:01:14.370
First, we have

26
00:01:14.370 --> 00:01:18.090
Structured Threat Information Expression or STIX.

27
00:01:18.090 --> 00:01:21.960
STIX is a standardized language used to represent

28
00:01:21.960 --> 00:01:25.740
and communicate cyber threat information in a consistent

29
00:01:25.740 --> 00:01:27.360
and structured format.

30
00:01:27.360 --> 00:01:31.230
It was developed by the cybersecurity community to ensure

31
00:01:31.230 --> 00:01:35.010
that threat data, such as indicators of compromise,

32
00:01:35.010 --> 00:01:39.540
vulnerabilities, and attacker tactics could easily be shared

33
00:01:39.540 --> 00:01:44.160
and understood between different organizations and systems.

34
00:01:44.160 --> 00:01:46.710
For enterprises, STIX is important

35
00:01:46.710 --> 00:01:51.510
because it is a common language to describe complex threats,

36
00:01:51.510 --> 00:01:54.870
reducing confusion and improving the efficiency

37
00:01:54.870 --> 00:01:56.850
of security operations.

38
00:01:56.850 --> 00:01:58.500
When integrated into

39
00:01:58.500 --> 00:02:01.320
an organization's security infrastructure,

40
00:02:01.320 --> 00:02:03.491
STIX helps improve collaboration

41
00:02:03.491 --> 00:02:06.660
between teams and external partners,

42
00:02:06.660 --> 00:02:07.740
making it easier

43
00:02:07.740 --> 00:02:11.010
to stay updated on the latest threat intelligence

44
00:02:11.010 --> 00:02:14.820
and to defend against attacks more effectively.

45
00:02:14.820 --> 00:02:17.730
In practice, STIX is often integrated

46
00:02:17.730 --> 00:02:21.810
with other security tools such as security information

47
00:02:21.810 --> 00:02:24.840
and event management or SIEM systems

48
00:02:24.840 --> 00:02:28.470
or threat intelligence platforms or TIPs.

49
00:02:28.470 --> 00:02:31.680
These tools can automatically generate, read,

50
00:02:31.680 --> 00:02:35.520
and process STIX-formatted data to identify

51
00:02:35.520 --> 00:02:38.160
and respond to security incidents.

52
00:02:38.160 --> 00:02:41.670
For example, a SIEM can take STIX data

53
00:02:41.670 --> 00:02:45.810
from external sources and correlate it with internal logs

54
00:02:45.810 --> 00:02:48.510
to identify suspicious behavior.

55
00:02:48.510 --> 00:02:51.300
So in a financial services company,

56
00:02:51.300 --> 00:02:55.650
cyber threat data about phishing campaigns can be formatted

57
00:02:55.650 --> 00:02:58.950
using STIX and shared between banks.

58
00:02:58.950 --> 00:03:03.750
This shared information using the standardized STIX format

59
00:03:03.750 --> 00:03:07.320
allows each bank to quickly understand the threat

60
00:03:07.320 --> 00:03:09.660
and implement preventative measures.

61
00:03:09.660 --> 00:03:13.140
Second, we have the Trusted Automated Exchange

62
00:03:13.140 --> 00:03:16.290
of Intelligence Information or TAXII.

63
00:03:16.290 --> 00:03:20.100
TAXII is a protocol that facilitates the secure exchange

64
00:03:20.100 --> 00:03:23.520
of cyber threat intelligence over the internet.

65
00:03:23.520 --> 00:03:24.810
TAXII was designed

66
00:03:24.810 --> 00:03:27.840
to standardize the way threat data is shared,

67
00:03:27.840 --> 00:03:31.337
ensuring that sensitive information is exchanged efficiently

68
00:03:31.337 --> 00:03:34.710
and securely between organizations.

69
00:03:34.710 --> 00:03:38.160
For enterprise, TAXII enables the automated sharing

70
00:03:38.160 --> 00:03:42.390
of threat information without requiring manual effort,

71
00:03:42.390 --> 00:03:45.060
which can greatly speed up the detection

72
00:03:45.060 --> 00:03:47.310
and mitigation of threats.

73
00:03:47.310 --> 00:03:48.720
By using TAXII,

74
00:03:48.720 --> 00:03:51.420
companies can receive real-time updates

75
00:03:51.420 --> 00:03:55.470
about emerging threats, allowing them to respond faster

76
00:03:55.470 --> 00:03:58.890
and protect their networks more effectively.

77
00:03:58.890 --> 00:04:02.280
TAXII can be integrated into an organization's

78
00:04:02.280 --> 00:04:06.360
threat intelligence infrastructure through security tools

79
00:04:06.360 --> 00:04:09.030
such as threat intelligence platforms

80
00:04:09.030 --> 00:04:12.330
or SIEM systems that are TAXII-compliant.

81
00:04:12.330 --> 00:04:14.910
These tools can automate the retrieval

82
00:04:14.910 --> 00:04:19.380
of threat intelligence from external sources using TAXII

83
00:04:19.380 --> 00:04:24.380
to pull in new IoCs or other relevant threat data.

84
00:04:24.450 --> 00:04:29.370
For example, in healthcare, an organization might use TAXII

85
00:04:29.370 --> 00:04:33.090
to share information about new ransomware strains

86
00:04:33.090 --> 00:04:36.960
targeting hospitals with other institutions in the sector.

87
00:04:36.960 --> 00:04:38.520
This timely exchange

88
00:04:38.520 --> 00:04:41.610
of threat intelligence allows each organization

89
00:04:41.610 --> 00:04:43.470
to update their defenses

90
00:04:43.470 --> 00:04:46.500
and reduce the risk of being compromised.

91
00:04:46.500 --> 00:04:50.670
Third and last, we have Automated Indicator Sharing.

92
00:04:50.670 --> 00:04:55.110
AIS is a program initiated by the US Department

93
00:04:55.110 --> 00:04:59.341
of Homeland Security that facilitates the real-time exchange

94
00:04:59.341 --> 00:05:02.670
of cyber threat indicators between public

95
00:05:02.670 --> 00:05:05.303
and private sector organizations.

96
00:05:05.303 --> 00:05:09.870
AIS is designed to improve national cybersecurity

97
00:05:09.870 --> 00:05:13.440
by allowing organizations to share IoCs

98
00:05:13.440 --> 00:05:16.920
such as malicious IP addresses, file hashes,

99
00:05:16.920 --> 00:05:20.310
or domain names at machine speed.

100
00:05:20.310 --> 00:05:24.690
For enterprise, participating in AIS is important

101
00:05:24.690 --> 00:05:26.490
because it provides access

102
00:05:26.490 --> 00:05:28.770
to up-to-date threat information

103
00:05:28.770 --> 00:05:30.678
from a wide range of sources,

104
00:05:30.678 --> 00:05:35.280
including government agencies and other private companies.

105
00:05:35.280 --> 00:05:37.170
This allows organizations

106
00:05:37.170 --> 00:05:40.890
to proactively defend against the latest threats

107
00:05:40.890 --> 00:05:43.170
and helps to create a more unified

108
00:05:43.170 --> 00:05:46.148
and resilient cybersecurity ecosystem.

109
00:05:46.148 --> 00:05:49.980
AIS can be integrated into an organization's

110
00:05:49.980 --> 00:05:51.930
threat intelligence workflow

111
00:05:51.930 --> 00:05:53.970
through security automation tools

112
00:05:53.970 --> 00:05:57.570
and platforms that support AIS feeds.

113
00:05:57.570 --> 00:06:01.260
For example, a SIEM or threat intelligence platform

114
00:06:01.260 --> 00:06:04.680
might be configured to receive AIS data

115
00:06:04.680 --> 00:06:06.930
and automatically cross-reference it

116
00:06:06.930 --> 00:06:11.670
with internal security logs to identify potential threats.

117
00:06:11.670 --> 00:06:15.450
So let's consider a critical infrastructure company

118
00:06:15.450 --> 00:06:19.980
such as an energy provider using Automated Indicator Sharing

119
00:06:19.980 --> 00:06:23.580
to receive real-time updates about cyber threats

120
00:06:23.580 --> 00:06:25.590
targeting the energy sector.

121
00:06:25.590 --> 00:06:28.950
By swiftly identifying relevant threat indicators

122
00:06:28.950 --> 00:06:30.750
shared through AIS,

123
00:06:30.750 --> 00:06:33.060
the company can enhance its defenses

124
00:06:33.060 --> 00:06:37.110
and prevent potential disruption to essential services.

125
00:06:37.110 --> 00:06:39.510
Now let's do a demo showcasing

126
00:06:39.510 --> 00:06:42.630
how to retrieve threat intelligence data

127
00:06:42.630 --> 00:06:44.880
from AlienVault OTX

128
00:06:44.880 --> 00:06:47.850
in a structured format that can be easily read

129
00:06:47.850 --> 00:06:51.390
and integrated into security workflows.

130
00:06:51.390 --> 00:06:55.890
While we pull threat intelligence data from AlienVault OTX,

131
00:06:55.890 --> 00:06:59.250
we will focus on retrieving the data in a structured

132
00:06:59.250 --> 00:07:00.960
and a readable format.

133
00:07:00.960 --> 00:07:03.540
Instead of using the TAXII protocol,

134
00:07:03.540 --> 00:07:06.660
which AlienVault OTX does not support

135
00:07:06.660 --> 00:07:09.900
in the standard 2.0 configuration,

136
00:07:09.900 --> 00:07:12.180
we will access the threat intelligence

137
00:07:12.180 --> 00:07:14.970
through AlienVault's REST API.

138
00:07:14.970 --> 00:07:18.570
This will allow us to interact directly with OTX

139
00:07:18.570 --> 00:07:23.040
and pull indicators of compromise such as IP addresses,

140
00:07:23.040 --> 00:07:26.250
URLs, domains, and file hashes,

141
00:07:26.250 --> 00:07:29.970
which are used for detecting and mitigating threats.

142
00:07:29.970 --> 00:07:32.100
By using REST API calls

143
00:07:32.100 --> 00:07:36.270
and specific headers for authentication, we will be able

144
00:07:36.270 --> 00:07:39.180
to securely retrieve data that will be ready

145
00:07:39.180 --> 00:07:43.890
for integration into security analysis workflows.

146
00:07:43.890 --> 00:07:46.260
Let's start here in the command line

147
00:07:46.260 --> 00:07:48.693
by creating a REST environment.

148
00:07:57.120 --> 00:07:59.703
Now let's activate that environment.

149
00:08:02.507 --> 00:08:04.020
Within our environment

150
00:08:04.020 --> 00:08:06.270
and the script that we're going to write,

151
00:08:06.270 --> 00:08:10.260
we're going to want the requests module, so let's go ahead

152
00:08:10.260 --> 00:08:12.453
and install it in this environment.

153
00:08:14.850 --> 00:08:18.030
To make our output more user-friendly,

154
00:08:18.030 --> 00:08:21.390
we will employ several formatting techniques.

155
00:08:21.390 --> 00:08:24.870
Here, we will use JSON Pretty Printing,

156
00:08:24.870 --> 00:08:28.920
a method that organizes data in a hierarchical structure

157
00:08:28.920 --> 00:08:33.000
with indentation making it much easier to read.

158
00:08:33.000 --> 00:08:35.370
This is particularly helpful when dealing

159
00:08:35.370 --> 00:08:40.050
with large data sets as it enables analysts to quickly scan

160
00:08:40.050 --> 00:08:42.947
for relevant information without getting overwhelmed

161
00:08:42.947 --> 00:08:46.230
by raw unformatted text.

162
00:08:46.230 --> 00:08:50.130
For ease and ongoing analysis, we'll save our output

163
00:08:50.130 --> 00:08:52.080
to a file for storage.

164
00:08:52.080 --> 00:08:55.470
Saving the data as a JSON formatted file

165
00:08:55.470 --> 00:08:57.600
also provides a structured format

166
00:08:57.600 --> 00:09:00.060
that can be accessed by other tools

167
00:09:00.060 --> 00:09:02.310
or imported into visualization

168
00:09:02.310 --> 00:09:07.310
and analysis platforms, adding flexibility to our workflow.

169
00:09:07.317 --> 00:09:10.170
Now let's create a script that will pull data

170
00:09:10.170 --> 00:09:13.800
and format it in a JSON format.

171
00:09:13.800 --> 00:09:18.783
We'll call our script Discover_Rest.py.

172
00:09:23.970 --> 00:09:25.650
I've got the script over here

173
00:09:25.650 --> 00:09:27.390
on the right side of the screen.

174
00:09:27.390 --> 00:09:31.440
I'll just highlight it and put it into our file.

175
00:09:31.440 --> 00:09:35.580
You can see that we are going to need an API key

176
00:09:35.580 --> 00:09:39.840
for AlienVault OTX, which I do have created

177
00:09:39.840 --> 00:09:42.150
and I'm logged into right now.

178
00:09:42.150 --> 00:09:47.150
I'll grab the key and we'll put it straight into the script.

179
00:09:50.730 --> 00:09:53.373
Now let's save the script.

180
00:09:56.730 --> 00:10:00.540
Okay, next, all we need to do is run it

181
00:10:00.540 --> 00:10:04.877
and we'll run it with the python3 discover_rest.py command.

182
00:10:10.890 --> 00:10:13.593
All right, it's running in the background right now.

183
00:10:16.320 --> 00:10:17.430
It ran the script,

184
00:10:17.430 --> 00:10:20.730
pulled the data from the AlienVault OTX

185
00:10:20.730 --> 00:10:25.317
and saved the data in the OTX_indicators.JSON file.

186
00:10:28.134 --> 00:10:28.967
Let's take a look at it.

187
00:10:32.730 --> 00:10:33.750
There we go.

188
00:10:33.750 --> 00:10:36.750
As you can see, it's in JSON format

189
00:10:36.750 --> 00:10:41.750
and we can see things like malicious MD5 file hashes.

190
00:10:41.910 --> 00:10:45.310
If we scroll up, we'll see some domain names

191
00:10:46.800 --> 00:10:49.500
and if we scroll up a little bit farther,

192
00:10:49.500 --> 00:10:51.993
we'll probably see some IP addresses.

193
00:10:57.750 --> 00:10:58.740
There we go.

194
00:10:58.740 --> 00:11:01.500
There's some malicious IP addresses.

195
00:11:01.500 --> 00:11:06.500
So while AlienVault OTX does not directly output data

196
00:11:06.870 --> 00:11:10.710
in STIX format via its API, tools and scripts

197
00:11:10.710 --> 00:11:15.030
can be adapted to reformat the data if STIX is required

198
00:11:15.030 --> 00:11:19.200
for integration into security operations and platforms

199
00:11:19.200 --> 00:11:21.180
that would depend on this structure.

200
00:11:21.180 --> 00:11:24.420
So all we would need to do to convert the data

201
00:11:24.420 --> 00:11:27.750
to a STIX format is write another script.

202
00:11:27.750 --> 00:11:31.710
This demonstration illustrated how to pull, format,

203
00:11:31.710 --> 00:11:34.500
and prepare threat intelligence data

204
00:11:34.500 --> 00:11:38.910
from a widely used source, providing a practical solution

205
00:11:38.910 --> 00:11:41.610
for integrating indicators of compromise

206
00:11:41.610 --> 00:11:44.340
into cybersecurity workflows.

207
00:11:44.340 --> 00:11:48.360
This approach can be further adapted to suit the needs

208
00:11:48.360 --> 00:11:51.120
of specific security infrastructures,

209
00:11:51.120 --> 00:11:53.610
making it a versatile solution

210
00:11:53.610 --> 00:11:56.280
for gathering actionable intelligence.

211
00:11:56.280 --> 00:12:00.390
So remember, indicator of compromise sharing

212
00:12:00.390 --> 00:12:02.850
is the exchange of data related to

213
00:12:02.850 --> 00:12:07.260
potential cybersecurity threats between organizations.

214
00:12:07.260 --> 00:12:11.340
This data can include things like malicious IP addresses,

215
00:12:11.340 --> 00:12:15.960
file hashes, or domain names, which help improve detection

216
00:12:15.960 --> 00:12:17.730
and response efforts.

217
00:12:17.730 --> 00:12:22.200
Key concepts in indicator of compromise sharing are STIX,

218
00:12:22.200 --> 00:12:24.450
TAXII and AIS.

219
00:12:24.450 --> 00:12:26.880
STIX is a standardized language

220
00:12:26.880 --> 00:12:30.810
used to represent threat information while TAXII

221
00:12:30.810 --> 00:12:34.740
provides a protocol for securely sharing the information.

222
00:12:34.740 --> 00:12:38.160
Finally, AIS, a government initiative,

223
00:12:38.160 --> 00:12:41.910
enables real-time sharing of cyber threat indicators

224
00:12:41.910 --> 00:12:44.370
between public and private sectors,

225
00:12:44.370 --> 00:12:48.033
enhancing overall cybersecurity defenses.

