Getting the Most Out of Cyber Threat Intelligence

How security practitioners can apply structured analysis and move from putting out fires to fighting the arsonists.

Today’s security environment is complex, ever changing, and sometimes even political. Many organizations struggle to keep current about the cyber threats they face. This is due to a number of issues, ranging from the failure to adapt security recommendations to the specific needs of an organization, to an over-focus on malware instead of the human adversary.
Adding to the struggle is the fact that every organization is different. For example, inside an industry vertical, you may find political or regional differences beyond just technical ones. There may be differences in how one division within an organization approaches security in comparison to other divisions within the company. These division-based differences can be the result of varying organizational missions or business units. Each disparity impacts the organization’s overarching threat model, and its understanding of its threat landscape.
Over the years defenders have taken a tool-centric approach. But technology alone won’t stop a well-focused and funded human adversary. While technology is great at synthesizing data, limiting the attack space, and making human analysts more efficient, at the end of the day, it is a human adversary vs. human defender contest – and it must be treated as such.

Even organizations that appreciate the value of threat intelligence can be misled in their application of it. For example, insight into threats can be limited by a vendor-centric approach to how threat intelligence is consumed. And while processing reports created by external parties and leveraging threat data are a valuable way to gather information on adversaries, capabilities and infrastructure, the information gathered should complement a larger internal effort by the security team, not replace it. Put another way, when security practitioners use information obtained through technology and threat intelligence feeds incorrectly, the result is reactive, Whack-a-Mole security, not a deeper understanding of adversary tradecraft.
The Power of Analysis

To truly be successful in threat intelligence, organizations must empower and train their human defenders in analytical approaches so they become good analysts. This means understanding complex scenarios and thinking about them more critically. Simply put, good analysts should look at the world a little differently.
While there is significant value in learning how to use a tool in certain environments (and some great vendor-neutral courses to show you how), the real value is in structured analysis training. Becoming a good analyst requires much more than knowing which tool to use and when. When faced with complex scenarios, it is vital that the security community think critically and evaluate various options. This requires practitioners to develop skills that extend into complicated topics such as adversary intrusion, campaign analysis, adversary tradecraft, and moving from relying on indicators to leveraging behavioral analytics.
Security practitioners must also tie together individual intrusions and look at them as long-term campaigns being run against organizations, as opposed to one-off attacks. There are a lot of security efforts where every intrusion is treated as a separate entity, when realistically we might be dealing with an entire campaign from an adversary.
This is not a new concept in and of itself. Richard Bejtlich was advocating for this approach in the early 2000s. Today, amazing strides in defense are being made in organizations that are attempting to tie intrusions together successfully in order to reduce risk. Sharing knowledge and analysis of an adversary campaign between tactical and strategic level players is essential to getting, and staying, ahead of adversaries.
While technical training and labs are important, truly understanding the human threat requires that practitioners hone their analysis skills and change their perspective. By that I mean responders and security operations teams must develop intelligent analysis skills across data sets in a way that gives them a deeper understanding of security from tactical, operational, and strategic approaches. Analysis-based cyber threat intelligence will allow security practitioners to move from putting out fires to fighting the arsonists.
The ideal training should also help develop an operational view into how a threat program can mature. From a strategic level, it should arm practitioners with insight into adversaries at a level that C-suite and boards of directors can appreciate and leverage to protect the overall organization.
Bottom line: When organizations understand their own environments, can confidently and accurately identify what constitutes a threat to them, and can think critically about the information they receive, only then will threat intelligence become an extremely useful addition to security.
Related Content:

- Best and Worst Security Functions to Outsource
- Unstructured Data: The Threat You Cannot See
- Security Analytics: Making the Leap from Data Lake to Meaningful Insight