Huawei Security Salon: Building and Applying a Security Threat Intelligence System (for HW.ppt)

Slide: The NG of NG? Situational/intelligence awareness? A network security intelligence centre built around the SECaaS (security-as-a-service) model.

Slide: Directions for security threat intelligence
From human-readable to machine-readable.
From simple to rich.
From non-real-time to real-time.
From isolated to shared.

Slide: Recommendations for enterprise practice
Apply structured indicators of compromise (IOCs): define a security threat intelligence metamodel with reference to STIX and standardise the key indicators.
Make IOCs shareable both internally and externally.
Keep the intelligence data as diverse as possible; it should not be just a reputation database.
Use threat intelligence for situational analysis: give analytical platforms such as the SOC priority, then progressively push protection devices to support it.
Automate sharing, analysis and response.
Discussion!

Handwritten notes by NUKE; you can also follow the site at /author/nuke

Speaker notes:

99% of breaches led to compromise within "days" or less, with 85% leading to data exfiltration in the same time; 85% of breaches took "weeks" or more to discover; 84% of data records were stolen as a result of stolen login credentials.

OSINT: open-source intelligence (the CIA's open-source intelligence programme).

CybOX describes events in terms of managed and monitored attributes, such as a registry key being created, a file being deleted, or a particular port being accessed. MAEC is a language for describing malicious code in terms of attack and behaviour patterns.

Structured Threat Information eXpression (STIX) is an effort driven by MITRE. STIX is primarily intended as a concrete strawman for ongoing collaborative development of a structured threat information expression language among a community of relevant experts (source: STIX FAQ v0.3). In other words, its goal is to enable people and organizations to share threat information in order to detect these threats and then build defenses collaboratively (see the Cyber Observable eXpression web page for details).

Trusted Automated eXchange of Indicator Information (TAXII), also by MITRE, seeks to create a set of protocols and representations that enable the representation and automation-supported sharing of behavioral cyber threat indicators (source: STIX whitepaper). It is a companion effort to STIX.

OpenIOC is a vendor-developed standard for sharing the data that is useful for discovering threats already present on an organization's network, known as indicators of compromise (IOCs). It is an extensible XML schema for describing the technical characteristics that identify a known threat, an attacker's methodology, or other evidence of compromise (see the OpenIOC website for details).

Incident Object Description Exchange Format (IODEF) is an older effort that has been revived and extended to support structured cybersecuri
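The "structured, machine-readable IOC" recommendation and the OpenIOC note above, as an added worked example in Python that is not part of the original slides: it parses a constructed OpenIOC-1.0-style indicator (AND/OR nesting of IndicatorItem elements) and evaluates it against constructed host observations, returning both the verdict and the ids of the items that matched. The element names and search paths (FileItem/Md5sum, RegistryItem/Path, PortItem/remoteIP) follow the OpenIOC convention; the ids, hash, registry path and IP address are made up, and the observation dicts are an assumed stand-in for what an endpoint agent or forensic collector would report.

```python
"""Evaluate a structured, machine-readable IOC against host observations.

Added example, not from the original slides. The indicator below is a
constructed, simplified OpenIOC-1.0-style document: the element names and
AND/OR operator nesting follow the published OpenIOC schema, but every id,
hash, path and address is invented. Host observations are constructed dicts
keyed by the same "search" paths the IOC uses (an assumed stand-in for an
endpoint agent's output).
"""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed IOC. Top level is OR: either a known-bad file hash, OR the
# combination (AND) of a Run-key persistence entry and a connection to a
# staging address. The AND branch is what a flat reputation list cannot express.
SAMPLE_IOC = r"""
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001" last-modified="2014-01-01T00:00:00">
  <short_description>Constructed example indicator</short_description>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="i1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="combo">
        <IndicatorItem id="i2" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">CurrentVersion\Run\updater</Content>
        </IndicatorItem>
        <IndicatorItem id="i3" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">198.51.100.23</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host observations (what an endpoint agent would report).
SAMPLE_HOST = [
    {"document": "FileItem",
     "FileItem/FullPath": r"C:\Users\Public\updater.exe",
     "FileItem/Md5sum": "ffffffffffffffffffffffffffffffff"},
    {"document": "RegistryItem",
     "RegistryItem/Path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"document": "PortItem",
     "PortItem/remoteIP": "198.51.100.23", "PortItem/remotePort": "443"},
]


def _local(tag):
    """Strip the XML namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _item_matches(item, observations):
    """Test one IndicatorItem against every observation (case-insensitive)."""
    search = item.find("ioc:Context", NS).get("search")
    wanted = (item.find("ioc:Content", NS).text or "").strip().lower()
    condition = item.get("condition", "is")
    for obs in observations:
        seen = obs.get(search)
        if seen is None:
            continue
        seen = seen.lower()
        if condition == "is" and seen == wanted:
            return True
        if condition == "contains" and wanted in seen:
            return True
    return False


def _evaluate(node, observations, hits):
    """Recursively evaluate an Indicator (AND/OR) or IndicatorItem node.

    Every child is evaluated (no short-circuit) so `hits` records all
    matching IndicatorItem ids, which is what an analyst wants to see.
    """
    if _local(node.tag) == "IndicatorItem":
        ok = _item_matches(node, observations)
        if ok:
            hits.append(node.get("id"))
        return ok
    results = [_evaluate(child, observations, hits)
               for child in node
               if _local(child.tag) in ("Indicator", "IndicatorItem")]
    if node.get("operator", "AND").upper() == "OR":
        return any(results)
    return all(results)


def match_ioc(ioc_xml, observations):
    """Return (verdict, matched_item_ids) for one IOC against one host."""
    root = ET.fromstring(ioc_xml.strip())
    top = root.find("ioc:definition/ioc:Indicator", NS)
    hits = []
    return _evaluate(top, observations, hits), hits


if __name__ == "__main__":
    verdict, hits = match_ioc(SAMPLE_IOC, SAMPLE_HOST)
    print("full host:", verdict, hits)        # True ['i2', 'i3']
    verdict, hits = match_ioc(SAMPLE_IOC, SAMPLE_HOST[1:2])
    print("Run key only:", verdict, hits)     # False ['i2']
```

The second call shows why structured indicators are more than a reputation list: the Run-key entry alone matches item i2 but does not satisfy the AND branch, so the host is not flagged until the staging-address connection is also seen. In a deployment, the IOC documents would arrive through a feed such as TAXII and the verdicts would be raised into the SOC for triage, with the matched item ids giving the analyst the evidence behind the alert.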
