- [Instructor] A threat intelligence platform centralizes the collection of threat data from numerous data sources and formats. The volume of threat intelligence data can be overwhelming, so the threat intelligence platform is designed to aggregate the data in one place and, most importantly, present the data in a comprehensive and usable format.

The threat intelligence platform, or TIP, is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions.

TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources, such as system logs and threat intelligence feeds, and help security teams to identify the threats that are relevant to their organization.

By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization's existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation.

A true threat intelligence platform differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular users of the platform.

TIPs can also use APIs to gather data to generate configuration analysis, WHOIS information, reverse IP lookup, website content analysis, name servers, and SSL certificates.

Many different threat intelligence platforms and services are available in the market nowadays. Cyber threat intelligence focuses on providing actionable information on adversaries, including IOCs. Threat intelligence feeds help you prioritize signals from internal systems against unknown threats.

Cyber threat intelligence allows you to bring more focus to cybersecurity investigation, because instead of blindly looking for new and abnormal events, you can search for specific indicators of compromise, such as IP addresses, URLs, or exploit patterns.

A number of standards are being developed for disseminating threat intelligence information. Here are a few examples.

First, Structured Threat Information eXpression, or STIX, which is an expression language designed for sharing of cyber attack information. STIX details can contain data such as the IP addresses or domain names of command and control servers, often referred to as C2 or C&C, as well as malware hashes and so on. STIX was originally developed by MITRE and is now maintained by OASIS.

The Trusted Automated eXchange of Indicator Information, or TAXII, is an open transport mechanism that standardizes the automated exchange of cyber threat information. TAXII was also originally developed by MITRE and is now maintained by OASIS.

Cyber Observable eXpression, or CybOX, is a free standardized schema for the specification, capture, characterization, and communication of events or stateful properties that are observable in the operational domain. CybOX was originally developed by MITRE and is now also maintained by OASIS.

Open Indicators of Compromise, or OpenIOC, is an open framework for sharing threat intelligence in a machine-digestible format.

And Open Command and Control, or OpenC2, is a language for the command and control of cyber defense technologies. The OpenC2 forum was a community of cybersecurity stakeholders that was facilitated by the US National Security Agency. OpenC2 is now an OASIS technical committee and specification.