CSI6202 – Report on Contemporary Network Security Issues-Edith Cowan University
Threat intelligence is a structured technique for collecting and analysing information that helps an organization understand the threats it faces, the attacks that are possible, and the mitigation strategies that prevent those attacks. It supports important security decisions through deep analysis of the collected data. It describes the attacker of a system, the attacker's motivation and capabilities, and the indicators that show the system has been compromised. It is evidence-based knowledge extracted by analysing the security of the system (Dalziel 2014).
Threat intelligence makes use of machine learning to collect and process data automatically. The gathered data is analysed together with existing data to derive knowledge, and that knowledge feeds the decision-making process.
Threat intelligence analyses the threats to an organization and turns them, together with observed malicious activity, into actionable insights. It enables an organization to identify, detect and prevent attacks; it is knowledge used to prevent and mitigate attacks.
Importance of threat intelligence
Ever-increasing techniques and technologies also increase the vulnerabilities that attackers can use for malicious activity. Cyber criminals find loopholes at any level of the latest techniques and technologies. The constant growth in cyber threats poses challenges for the cyber security industry.
Some organizations capture threat data for analysis. The large amount of data, and the lack of tools to process it, increase the burden on analysts.
Threat intelligence is an excellent solution for addressing the challenges of cyber threats. It uses machine learning techniques to automate cyber security activities.
Life cycle of threat intelligence
(Recorded Future, 2020)
- Planning & direction
This phase defines the objectives of the intelligence program. It is based on an understanding of:
- Business processes and information assets that need to be protected
- Impact of a cyber threat on those information assets and business processes
- Types of intelligence to be applied to protect the resources
- Priorities among the resources that need to be protected
The objectives capture the high-level requirements of the organization.
- Collection
This phase gathers the information needed to achieve the objectives of the intelligence program. Information is gathered through various methods, such as:
- Collecting metadata and logs from security devices and internal networks
- Subscribing to threat data feeds for constantly updated information on threats
- Scanning open source blogs and news
The gathered data is either in finished form or raw.
- Processing
This phase transforms the gathered information into a format the organization can use.
- Analysis
This phase includes a human process that turns the processed information into intelligence for use in decision making. The intelligence can be delivered in a variety of formats in an understandable manner.
- Dissemination
This phase delivers the finished intelligence output to the required destination.
- Feedback
This phase regularly collects requirements from each group and makes changes as priorities and requirements change.
A threat intelligence platform collects real-time threat data from multiple sources. It aggregates, processes and analyses that data using AI techniques. The extracted knowledge can be used by the organization's security devices to detect vulnerabilities and malicious threats to the organization.
A SIEM is an important part of the data security ecosystem. The system aggregates data from multiple sources and analyses it to extract abnormal behaviour and attacks (Sauerwein et al. 2017). It is a central place for collecting alerts and events. The system is expensive, and issues are difficult to resolve.
Working of SIEM
SIEM (Security Information and Event Management) collects data from various sources in an organization, such as servers, network devices and domain controllers. It stores, normalizes and aggregates the data and applies analytical tools to derive trends and threats, enabling the organization to investigate alerts.
It offers the following to the security team:
- Forensics and reporting on security incidents
- Alerts issued on the basis of a security rule set
The main features of a SIEM are threat detection, investigation and fast response time. It also provides monitoring, advanced threat detection, forensics, log collection, normalization, alerting, security incident detection and a threat response workflow.
SIEM Vs threat intelligence
A SIEM gathers security logs from multiple sources such as DNS, firewalls, Active Directory and servers. The security data is aggregated and processed. A security analyst examines the processed data to monitor for threats according to security rules.
Cyber threat intelligence is any data relating to cyber threats and to the attackers behind malicious activities. It can take various forms depending on the threat type under consideration, such as:
- Domain names that spread malicious files
- IP addresses that are part of a botnet or used by attackers
- Malware that exploits vulnerabilities in a network
- Emails used for phishing
- Indicators of Compromise (IOC) for active threats
SIEM:
- Correlates a huge amount of security data (terabytes or petabytes) with a limited number of IOCs
- Gives alerts about threats
- Replaces manual log correlation with automatic tools; it collects huge volumes of log data from sensor grids such as the IT infrastructure, the organization's internal security solutions and mission-critical applications
- Lacks the data storage required to show patterns of threats over time
- Imports only those logs that are budget friendly
- Lacks the bidirectional data flows that would maximize the efficiency of the sensor grid
Threat intelligence:
- Collects security data from various sources and aggregates and structures it so that threat intelligence is better utilized; it can handle millions of IOCs and conducts both cyber and non-cyber analysis
- Gives more accurate insights into the threats to an organization
- Uses machine learning techniques to collect and analyse data from various sources automatically, with a larger number of IOCs; this helps decision makers make efficient security decisions
- Streamlines analyst work with tools
- Allows more SIEM rules to be included, reducing commodity issues
- Automatically updates the sensor grid with threat intelligence, enabling faster detection and blocking
- Faces scalability and performance issues
- Can be integrated with an existing SIEM to add value; it enhances the SIEM's security performance with increased accuracy and performance
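An added example (not from this report or from any vendor's product) of the correlation described above: constructed log lines from four sensor types are normalized and matched against a constructed IOC feed covering the indicator types listed earlier (IP address, domain, phishing sender, malware hash). The sensor names, log layouts and every indicator value are assumptions; the feed can be replaced without touching the matching rule, which is the sense in which threat intelligence enriches a SIEM.

```python
import re

# Constructed IOC feed in the shape a threat intelligence platform would push
# to a SIEM. All values are placeholders (RFC 5737 / .example / empty-file MD5).
IOC_FEED = {
    "ip":     {"203.0.113.45": "botnet C2 (feed A)"},
    "domain": {"malicious.example": "malware distribution (feed B)"},
    "hash":   {"d41d8cd98f00b204e9800998ecf8427e": "known dropper (feed C)"},
    "sender": {"billing@phish.example": "phishing campaign (feed B)"},
}

# Normalisation: each sensor writes its own layout, so map every line to the
# (indicator type, value) pair that can be compared with the feed.
PARSERS = {
    "firewall": (re.compile(r"\bdst=(\S+)"), "ip"),
    "dns":      (re.compile(r"\bquery=(\S+)"), "domain"),
    "mail":     (re.compile(r"\bfrom=(\S+)"), "sender"),
    "edr":      (re.compile(r"\bmd5=(\S+)"), "hash"),
}

def normalize(line):
    """Return (source, kind, value) for a known sensor line, else None."""
    src, _, body = line.partition(" ")
    if src not in PARSERS:
        return None
    pattern, kind = PARSERS[src]
    m = pattern.search(body)
    return (src, kind, m.group(1).lower()) if m else None

def correlate(lines, feed=IOC_FEED):
    """One alert per event whose indicator is in the feed; the rule itself
    never changes, only the feed does, which is how TI keeps a SIEM current."""
    alerts = []
    for line in lines:
        ev = normalize(line)
        if ev and ev[2] in feed.get(ev[1], {}):
            alerts.append((*ev, feed[ev[1]][ev[2]]))
    return alerts

# Constructed sample logs from four sensor types in one hypothetical network.
SAMPLE_LOGS = [
    "firewall action=allow src=10.0.0.8 dst=203.0.113.45 dport=443",
    "firewall action=allow src=10.0.0.9 dst=198.51.100.7 dport=80",
    "dns client=10.0.0.8 query=MALICIOUS.example type=A",
    "mail to=student@uni.example from=billing@phish.example subject=Invoice",
    "edr host=lab-pc-3 md5=d41d8cd98f00b204e9800998ecf8427e path=/tmp/a.bin",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Running the block prints four alerts, one for each sensor line whose indicator appears in the feed; the second firewall line produces none.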
Importance of threat intelligence for University
Description of university
The main campus of the university is situated in Melbourne. It has three campuses in total: the main campus plus Sydney and Perth. The university has more than 2000 students, 500 faculty members, 250 full-time research staff and 100 part-time research staff. It provides both wired and wireless connectivity on all campuses. Students can access university resources such as online learning portals from remote locations through a VPN. The university maintains students' and faculty members' personal information as well as research-related data.
The organizations most frequently targeted by cyber attackers are government, finance, corporate and so on. Nowadays attackers are also targeting educational institutions, with financial motivation and espionage as the main aims.
Universities perform research activities and connect with valuable partners to innovate. Universities with a well-known research background are targets for many cyber attackers.
In 2018 the U.S. Department of Justice indicted Iranian state-sponsored hackers for cyber attacks on more than 300 universities across 22 countries, including the US, for the purpose of espionage.
Universities are centralized places for storing the personal information of students and faculty. This draws cyber attackers to those institutions. They perform exfiltration and ransomware attacks to damage resources, and they sell the stolen data on dark web marketplaces.
Educational institutions are harder to protect from cyber attacks.
Security challenges for Educational institution
According to Verizon's data breach investigation report, DoS and phishing are further common attacks on educational institutions (Li Qiang et al. 2017). A DoS attack makes the institution's resources unavailable to users. A phishing attack steals personal and confidential data from users. More malicious emails target the educational community (students and faculty) than any other industry.
Threat intelligence on university
Universities that mainly participate in research activities should be protected from security breaches. Cyber attackers with financial motivation target such universities and carry out attacks. University security teams carry the burden of protecting the university from security risks. Threat intelligence makes efficient use of human and financial resources to protect those resources from security breaches.
It offers the following benefits for universities:
- Quick identification of cyber incidents
Threat intelligence provides a larger number of IOCs and other security features, which helps to identify possible security breaches quickly, improve response time and reduce the damage caused by successful attacks.
- Strengthening the existing security system
Existing security solutions such as firewalls, IDS and email filters work properly only when they have updated security rules and updated IOCs. Threat intelligence supplies large numbers of IOCs and updated rules and keeps the organization's security systems updated with those parameters.
- Maximizing the utilization of security resources
It enables an organization's security team to assess security risk accurately. The organization can then make decisions on security technologies based on the assessed risk.
Protecting personal information and research data
The main objective of security breaches in the education sector is the personal data of large groups of people and expensive research data. A university is a complex network that includes many devices, routers, switches, remote users and so on. It is difficult to protect universities with traditional security systems alone.
Threat intelligence protects a university from security breaches with a large number of IOCs and by suggesting appropriate technologies on the basis of an acute analysis of the security risks.
Local news agency
The local news agency operates with 100 employees, 75 of whom work in the office and 25 of whom are news reporters. Information gathered at remote locations is forwarded to the main office. The reporters connect to the main office through wireless technology. The office is fully equipped with security systems. The reporters also use portable devices such as mobile phones, tablets and laptops to connect to office resources. Mobile devices are more vulnerable to security threats, so the organization needs a powerful security solution such as threat intelligence.
The powerful security features of threat intelligence quickly reveal vulnerabilities, reduce security breaches and suggest efficient security techniques and technologies.
Commercial/open source software for threat intelligence (advantages & disadvantages)
IBM X-Force Exchange
It is a collaborative threat intelligence platform that supports security analysts in researching security threat indicators so that mitigation actions can be taken more quickly. It is scalable without limit (IBM X-Force 2020). It offers intelligence analysis on URL reputation, IP addresses, malware, web applications, spam and vulnerabilities. It dynamically adds internet threat data into IBM QRadar to improve the analytical capabilities of the intelligence platform. It takes threat intelligence to the next level as a worldwide platform. It allows internet threat data to be accessed through simple interfaces. The SOC analyst component keeps track of the most recent and most dangerous threats. The platform follows ISO compliance in its design and development. The platform is user-friendly, and collaboration with peers is much easier.
It has some issues that need improvement. The artificial intelligence capabilities of the platform need to be more precise and contextualized to give proper feedback to the IT department.
Splunk Enterprise Security
The threat intelligence framework collects internet threat feeds, manages threats in an organization and alerts the organization. The framework uses modular inputs to collect data from various sources, performs lookup searches, correlates the data, sends alerts and stores the threat data for future reference. It includes audit dashboards for introspection into threat intelligence retrieval, persistence, normalization and analysis (Splunk, 2020).
The threat intelligence framework is one of five frameworks in Splunk Enterprise Security. It is strong at ingesting random logs and making sense of them. It is flexible in creating custom rules for system logs. The query language is easy. Custom user interfaces can be created to visualize output, and the interface makes it simple to share rules with others. The online help community is a further advantage of this platform.
The platform has query builders, which are difficult for non-technical users. The error messages for queries are highly specific. It requires a large installation. Splunk's search language is costly in effort when the user does not know it. The product is expensive and the architecture is complex.
- Dalziel H (2014). How to Define and Build an Effective Cyber Threat Intelligence Capability. Elsevier Science & Technology Books.
- Sauerwein C, Sillaber C, Mussmann A, Breu R (2017). Threat Intelligence Sharing Platforms: An Exploratory Study of Software Vendors and Research Perspectives. 837–51.
- Li Qiang, Yang Zeming, Liu Baoxu, Jiang Zhengwei (2017). Framework of Cyber Attack Attribution Based on Threat Intelligence. ICST Inst Comput Sci Soc Informatics Telecommun Eng. 190:92–103.
- IBM X-Force Exchange (2020). www.ibm.com
- Splunk (2020). https://www.splunk.com/