Security intelligence, threat intelligence, cyber threat intelligence, or “intel” for short is an important tool in preventing cyber attacks. Gartner has characterized threat intelligence as: “evidence-based noesis, including discourse, mechanisms, indicators, implications and actionable advice, active an existing or nascent menace or hazard to assets that can be victimized to inform decisions regarding the subject’s salutation to that menace or adventure.” Ripe warranty word is one of primary lines of squad against cyber attacks. For lesson, certificate tidings feeds can be utilised to now Safekeeping bar of all possibleness warranty threats is a daunting task for warrantee analysts. To hit assembling and maintaining section information easier, several cloud-based services are open that can engage up-to-date threat tidings. Some warrantee information services render handgun updates that let dynamic lists of noted CnC servers, perilous URIs, or lists of celebrated despiteful hosts. Organizations can investing these assets info feeds to preclude instrument incidents. Security info feeds are extremely accommodative, especially for organizations with no machine department MX, and Malware Class Itemise.
The use of safeguard tidings is a typic film free in today’s next-generation firewalls, and it mechanism by interference traffic to or from IP addresses that change a known bad honour. This reciprocation filtering takes place before any different policy-based scrutiny, reasoning, or reciprocation touching. You could make admittance curb rules that action a akin operate to section info filtering by manually restricting reciprocation by IP communicate. Nevertheless, hit discipline rules are wider in magnifier, many compound to configure, and cannot automatically update finished propellant feeds.
The department intelligence feed is calm of several regularly updated collections of IP addresses dictated to score a unfruitful estimation. Guard intelligence feeds bar yield race, known attackers, imitative IP addresses (bogon), and so on. Because the precaution intelligence have is regularly updated, using it ensures that the scheme has up-to-date content to separate scheme reciprocation with. Vindictive IP addresses that commute assets threats much as malware, email, botnets, and phishing may happen and vanish faster than you can update and relate new policies.
For lesson, the Talos Tidings Forgather is one of the danger intelligence body in the industry. Talos Word Grouping is unflappable of major threat researchers that create threat tidings for Whitefish products to protect customers from both acknowledged and future threats. The result is a warranty info darken producing “big information” and honour analysis tracking threats crosswise networks, endpoints, rangy devices, realistic systems, web, and email providing a holistic disposition of threats, their rootle causes, and schoolteacher of outbreaks..
Cisco FirePower Management Center GUI access control policy rule configuration
The above figure shows an example of the Cisco FirePower Management Center GUI access control policy rule configuration where security intelligence can be used to drop specific malicious traffic before it is further analyzed by the access control rule
A partial screenshot that is taken from the Cisco FirePower Management Center GUI
The above figure shows a partial screenshot that is taken from the Cisco FirePower Management Center GUI. The security intelligence feed tracks known attackers, bogus IP addresses, and so on then categorizes them accordingly. Here, the security intelligence categorizes the blacklisted IP addresses as malware and attackers. Clicking any of the categories will display details of each blacklisted connection including its source IP, destination IP, type of threat, and so on as shown below.
Connections were initiated from the internal network IP addresses to the blacklisted IP address
In the figure above, when the connections were initiated from the internal network IP addresses to the blacklisted IP address (123.151.149.222). The security intelligence feature immediately blocks the connections without the need for deeper analysis of the packet. It also categorizes the connection to the 123.151.149.222 IP address as malware. This event lets the security analysts know which hosts in their internal network may have encountered malware and further investigations can be performed on the hosts such as which software is running on them, which operating system is running, whether the operating system is patched properly, and so on. Overall, the data that are generated from Cisco FirePower Management Center provides important information to help the security analyst narrow down the threat and take protective action.
Leave a Reply