Shared knowledge about cyber threats for better IT security

Cybercriminals often share information about potential vulnerabilities with each other. Companies and organizations, by contrast, usually fight alone when it comes to detecting cyber threats in time. But companies and organizations can also share IT security knowledge and thus gain an advantage. Get ahead of the attacker quickly. A good network helps detect cyber attacks at an early stage.

What is cyber threat intelligence?

Cyber Threat Intelligence (CTI) is the collection of information about potential cyber threats. The main focus is on the early detection of specific threats that are either too new to be identified by existing security tools (such as zero-day attacks) or specifically targeted at a particular company or industry (such as state-sponsored or industrial APTs). For this purpose, data from many different sources that provide information about current attacks is usually collected. The resulting Indicators of Compromise (IOCs) are then stored in databases and evaluated by analysts.

Source: ConSecur

Detecting threats using the MISP and IOC database

The IOC database was developed by ConSecur GmbH on the basis of the open source tool MISP; the latest indicators from a large number of different feeds are loaded into it daily using various self-developed scripts. The accumulated knowledge allows critical threats to be understood and categorized so that they can be responded to at an early stage.

On the one hand, ConSecur uses the knowledge collected in the database to improve its services. On the other hand, the collected and processed information is made available to our analysts. This improves our analysis overall, because a larger body of information is available and analysts can look up information relevant to the case under analysis more effectively. In this way, a malicious domain detected by the SIEM can quickly be resolved to its IP address, to additional known malware files associated with the domain and, in suspicious cases, even to a known attacker group that can be linked to the malware campaign. As a result, not only can the customer be informed of the threat more accurately, but further measures can also be developed to protect the company specifically against the attacks of the now-identified actor.

Data from the MISP threat intelligence solution can be forwarded daily and directly to customer SIEM systems via internal programming interfaces (APIs). This improves threat detection and thus protects the company. In emergency situations, threat indicators for attacks currently occurring at the customer can also be loaded interactively to ensure very specific protection.
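The two steps described above, pivoting from a SIEM-detected domain to related IPs, malware hashes and attacker groups, and selecting which indicators to forward to a SIEM, can be shown on MISP's own JSON event layout. The following is an added example written for this page; it is not ConSecur's code and does not use MISP's Python API (PyMISP), but works offline over a constructed export in the shape MISP returns for event searches (a `response` list of `Event` objects with `Attribute` and `Tag` entries). The event, domain, addresses, hash and actor name are invented placeholders (TEST-NET addresses, a `.invalid` domain), not real indicators.

```python
import json
from collections import defaultdict

# Constructed sample in MISP's event JSON layout. All values are placeholders.
SAMPLE_MISP_EXPORT = json.dumps({
    "response": [
        {"Event": {
            "id": "1001",
            "info": "Example phishing campaign (constructed)",
            # MISP galaxy tag linking the event to a (fictitious) threat actor
            "Tag": [{"name": 'misp-galaxy:threat-actor="EXAMPLE-ACTOR"'}],
            "Attribute": [
                {"type": "domain", "category": "Network activity",
                 "value": "update-check.example.invalid", "to_ids": True},
                {"type": "ip-dst", "category": "Network activity",
                 "value": "203.0.113.42", "to_ids": True},
                {"type": "sha256", "category": "Payload delivery",
                 "value": "a" * 64, "to_ids": True},
                # Analyst note: not an indicator, must never reach the SIEM
                {"type": "comment", "category": "Other",
                 "value": "analyst note, not an indicator", "to_ids": False},
            ]}},
        {"Event": {
            "id": "1002",
            "info": "Unrelated scanner noise (constructed)",
            "Tag": [],
            "Attribute": [
                {"type": "ip-src", "category": "Network activity",
                 "value": "198.51.100.7", "to_ids": False},
            ]}},
    ]
})

# Attribute types that make sense as SIEM match lists.
INDICATOR_TYPES = {"domain", "hostname", "ip-src", "ip-dst",
                   "md5", "sha1", "sha256", "url"}


def load_events(export_json):
    """Unwrap the {"response": [{"Event": ...}, ...]} search result."""
    return [item["Event"] for item in json.loads(export_json)["response"]]


def build_index(events):
    """Map each attribute value (case-folded) to the events containing it."""
    index = defaultdict(list)
    for ev in events:
        for attr in ev.get("Attribute", []):
            index[attr["value"].lower()].append(ev)
    return index


def threat_actors(event):
    """Extract actor names from misp-galaxy threat-actor tags on an event."""
    prefix = "misp-galaxy:threat-actor="
    return [tag["name"][len(prefix):].strip('"')
            for tag in event.get("Tag", []) if tag.get("name", "").startswith(prefix)]


def pivot(index, observed_value):
    """Given a value from a SIEM alert, collect related IOCs and actors.

    Returns the events the value appears in plus the other network and
    file indicators and the attacker groups recorded on those events.
    """
    key = observed_value.lower()
    related = {"events": [], "ip": set(), "hash": set(), "domain": set(), "actor": set()}
    for ev in index.get(key, []):
        related["events"].append(ev["info"])
        related["actor"].update(threat_actors(ev))
        for attr in ev.get("Attribute", []):
            if attr["value"].lower() == key:
                continue  # skip the pivot value itself
            t = attr["type"]
            if t in ("ip-src", "ip-dst"):
                related["ip"].add(attr["value"])
            elif t in ("md5", "sha1", "sha256"):
                related["hash"].add(attr["value"])
            elif t in ("domain", "hostname"):
                related["domain"].add(attr["value"])
    return related


def siem_export(events):
    """Select attributes flagged to_ids (MISP's 'usable for detection' flag).

    Returns (type, value, event id) rows suitable for a SIEM lookup table;
    comments and non-detection attributes are dropped.
    """
    return [(attr["type"], attr["value"], ev["id"])
            for ev in events for attr in ev.get("Attribute", [])
            if attr.get("to_ids") and attr["type"] in INDICATOR_TYPES]


if __name__ == "__main__":
    evs = load_events(SAMPLE_MISP_EXPORT)
    print(pivot(build_index(evs), "UPDATE-CHECK.example.invalid"))
    for row in siem_export(evs):
        print(*row, sep="\t")
```

The `to_ids` filter matters in practice: MISP events routinely carry comments, analyst text and low-confidence observations, and forwarding those verbatim to a SIEM produces false positives, so a daily export should only ship attributes an analyst has marked as suitable for detection.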

Why the MISP as a threat intelligence platform?

MISP is an IOC collection, sharing and enrichment platform that has become the de facto standard in the threat intelligence industry. It was developed in close cooperation with NATO and various emergency response teams. Particular mention should be made of the Luxembourg Computer Incident Response Center (CIRCL), which provides many of the standard IOC feeds in the MISP suite. MISP offers wide extension options and can be easily modified and adapted to our needs, not least thanks to its easy-to-use Python API.

Do you know your cyber threats? We show you how to gain a lot of knowledge about threats.

Find out more at www.consecur.de
