Threat Intelligence

Threats to every industry are growing, and a threat intelligence platform can be a powerful tool for becoming more proactive.

Rapid7 Threat Command

What is threat intelligence?

Threat intelligence (TI), or cyber threat intelligence, is information that a security organization gathers about potential and looming threats to its operations. Ideally this is a constant feed of information that informs automated prioritization of those threats and the remediation efforts that follow.

TI practitioners should treat their responsibilities as an effort to ensure that every part of the security organization effectively leverages threat data as part of its day-to-day mission of detection, response, and overall risk management. On TI, Forrester recently noted how, in the face of an increasingly complex threat landscape, security teams must adopt internal processes to manage threat intelligence and protect the business.

As threats loom larger across industries worldwide, a threat intelligence platform can be a powerful tool for becoming more proactive. Defense matters, of course. But threat intelligence also points to trends that are not necessarily low-hanging attacks at the doorstep of a security operations center (SOC). In those cases the SOC can proactively hunt along those trend lines and harden its defenses before an attack arrives.

Why is threat intelligence important?

Threat intelligence platforms are important because a security organization needs to learn of potential threats as far in advance as possible, so that it can fend them off and close any vulnerabilities that threat actors may be attempting to exploit. TI also matters because it can be a significant bottom-line saver: the more threats you stop, the more money you save the business. Let's look at some advantages that highlight the importance of a solid TI program:

  • Upfront audit: This can seem like a slow, complex process, but the advantage of knowing exactly what your security organization needs from a TI program can't be overstated. Creating Prioritized Intelligence Requirements (PIRs) helps lead to an overall desired outcome.
  • Extended access: Many TI vendors are now building in extended access, helping to democratize TI and make it easier for security practitioners to access and act on. Actionable insights are now more seamlessly integrated into security devices and TI platforms.
  • Automated remediation: Democratization does not only mean more access for human practitioners; it also means the devices that receive actionable data can automatically shut down an impending attack. Any worthwhile TI program or solution should make this process a hallmark.

Actionable threat intelligence has made leaps and bounds in recent years in transitioning from a manual methodology to automating much of the process, so that security organizations can actually use it instead of sitting on mountains of unanalyzed data and waiting for an attack.

Who benefits from threat intelligence?

Simply put, everyone benefits from TI. It can make life easier for the SOC, save the business as a whole money, and increase customer confidence in the company and its products. Because this page is aimed at security professionals, the primary beneficiaries discussed here are analysts and personnel within the security organization, since TI directly speeds up threat detection and response. What are those benefits?

  • Time savings: Time spent manually searching for potential threats has become a serious challenge for SOCs that lack a competent TI framework. With automation, a well-organized TI solution can do most of that work and return the time to the SOC.
  • Reduced attack impact: As attack surfaces expand worldwide, security organizations are overloaded in their efforts to defend themselves and their customers from the sheer volume of threats. When a TI solution can separate real threats from the surrounding noise, overall security posture has room to improve.
  • Prioritization: Less noise around real threats means prioritization can actually happen. Leveraging increasingly relevant technologies such as artificial intelligence (AI) and machine learning (ML), SOCs can surface alerts that are valid and ready for immediate action.
  • Response efficiency: Prioritization brings more time to focus on other security business initiatives, if leveraged correctly. Being able to ignore noise, respond to valid alerts, and eliminate threats faster means significant time savings. To that end, stakeholders must stay in contact with practitioners to identify other security areas that need attention.

The threat intelligence lifecycle

Turning TI into actionable information is no easy task. A framework is needed to take raw data and turn it into real intelligence. But what kind of framework can keep pace with a constantly changing threat landscape? Let's define a TI lifecycle that can adapt to the present and the future.

Set direction

PIRs can help guide the approach to setting direction. The process typically begins with outlining a specific PIR and then defining a desired outcome.

Prioritize the data to collect

What intelligence will best serve the direction your team has defined? Depending on the use case, intelligence can come from multiple sources on the network and from endpoints, third-party vendors, the dark web, application security processes and platforms, and more. Collect data from all relevant sources to get the most pertinent insights.

Develop an analysis approach

At this stage, leveraging as much automated analysis as possible is key to improving security. A SOC could take a manual approach to analysis, and it can't be overstated that human review can yield even more insights, but that comes at a cost in time. If threats are classified automatically, it is more likely that they can be remediated automatically.

Disseminate the analysis

The ultimate goal of this lifecycle should be to come away with useful intelligence that, after being thoroughly analyzed according to your framework, can be disseminated to security devices to automatically prevent an impending attack or threat.

It is therefore critical to build a solution that pulls intelligence from the right sources, automatically generates alerts with contextual information, and remediates threats automatically.
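The four lifecycle steps above, carried through end to end as an added example (this is illustrative code, not Rapid7's or Threat Command's). The PIR, the three source schemas, every indicator record and the scoring weights are constructed for the example; the point is that a PIR only becomes useful once it is expressed as criteria a pipeline can check, that raw feeds must be normalized and merged before they can be scored, and that dissemination should produce both a machine-consumable artifact (here a block list) and alerts that carry the context an analyst needs.

```python
"""Threat-intelligence lifecycle in miniature: direction -> collection -> analysis -> dissemination.

Added illustration, not Rapid7 code. All feed records are constructed, and the three source
schemas are invented to show why a normalization step is needed before anything can be scored.
"""
from datetime import date

TODAY = date(2024, 6, 1)  # fixed clock so the run is deterministic

# 1. Set direction: one Prioritized Intelligence Requirement (PIR) as machine-checkable criteria.
PIR = {
    "name": "Remote-access abuse against our VPN and mail gateways",
    "relevant_tags": {"vpn", "credential-stuffing", "phishing"},
    "min_confidence": 60,   # source-reported confidence, 0-100 (assumed scale)
    "max_age_days": 30,     # indicators last seen longer ago than this are stale
}

# 2. Prioritize data to collect: three sources, each with its own (constructed) record format.
RAW_FEEDS = {
    "endpoint": [
        {"observable": "203.0.113.10", "kind": "ip", "tags": ["vpn", "bruteforce"], "conf": 85, "seen": "2024-05-28"},
        {"observable": "203.0.113.10", "kind": "ip", "tags": ["vpn"], "conf": 70, "seen": "2024-05-30"},
    ],
    "vendor": [
        {"ioc": "203.0.113.10", "type": "ipv4", "labels": "vpn", "confidence": 65, "last_seen": "2024-05-25"},
        {"ioc": "198.51.100.7", "type": "ipv4", "labels": "credential-stuffing,proxy", "confidence": 90, "last_seen": "2024-05-20"},
        {"ioc": "198.51.100.8", "type": "ipv4", "labels": "scanner", "confidence": 95, "last_seen": "2024-05-29"},
        {"ioc": "192.0.2.44", "type": "ipv4", "labels": "phishing", "confidence": 40, "last_seen": "2024-05-30"},
    ],
    "darkweb": [
        {"value": "login-vpn-example.test", "type": "domain", "context": ["phishing", "vpn"], "score": 75, "date": "2024-03-01"},
    ],
}

NORMALIZERS = {  # map each source schema onto one common record shape
    "endpoint": lambda r: {"value": r["observable"], "type": r["kind"], "tags": set(r["tags"]),
                           "confidence": r["conf"], "last_seen": date.fromisoformat(r["seen"])},
    "vendor": lambda r: {"value": r["ioc"], "type": "ip" if r["type"] == "ipv4" else r["type"],
                         "tags": set(r["labels"].split(",")), "confidence": r["confidence"],
                         "last_seen": date.fromisoformat(r["last_seen"])},
    "darkweb": lambda r: {"value": r["value"], "type": r["type"], "tags": set(r["context"]),
                          "confidence": r["score"], "last_seen": date.fromisoformat(r["date"])},
}


def collect(raw_feeds):
    """Normalize every source and merge duplicates by (type, value): union tags and sources,
    keep the highest confidence and the most recent sighting."""
    merged = {}
    for source, records in raw_feeds.items():
        for raw in records:
            rec = NORMALIZERS[source](raw)
            key = (rec["type"], rec["value"])
            if key not in merged:
                rec["sources"] = {source}
                merged[key] = rec
                continue
            cur = merged[key]
            cur["tags"] |= rec["tags"]
            cur["confidence"] = max(cur["confidence"], rec["confidence"])
            cur["last_seen"] = max(cur["last_seen"], rec["last_seen"])
            cur["sources"].add(source)
    return list(merged.values())


def analyze(indicators, pir, today):
    """3. Automated analysis: drop off-topic, low-confidence or stale indicators, score the rest.
    Weights (+10 per matching PIR tag, +10 for multi-source corroboration) are assumed."""
    scored = []
    for ind in indicators:
        age = (today - ind["last_seen"]).days
        overlap = ind["tags"] & pir["relevant_tags"]
        if not overlap or ind["confidence"] < pir["min_confidence"] or age > pir["max_age_days"]:
            continue
        score = ind["confidence"] + 10 * len(overlap) + (10 if len(ind["sources"]) > 1 else 0)
        why = f"matches PIR tags {sorted(overlap)} via {sorted(ind['sources'])}"
        scored.append({**ind, "score": score, "age_days": age, "why": why})
    return sorted(scored, key=lambda r: (-r["score"], r["value"]))


def disseminate(scored):
    """4. Dissemination: a block list a firewall can consume, plus contextualized alerts."""
    blocklist = [r["value"] for r in scored if r["type"] == "ip"]
    alerts = [f"[{r['score']}] {r['type']} {r['value']}: {r['why']} (last seen {r['age_days']}d ago)"
              for r in scored]
    return blocklist, alerts


def run_lifecycle(raw_feeds=RAW_FEEDS, pir=PIR, today=TODAY):
    return disseminate(analyze(collect(raw_feeds), pir, today))


if __name__ == "__main__":
    blocklist, alerts = run_lifecycle()
    print("block list:", blocklist)
    print("\n".join(alerts))
```

Run it and note what the filters do: the scanner IP has high confidence but matches no PIR tag, the phishing IP matches a tag but falls below the confidence floor, and the dark-web domain matches two tags but was last seen three months ago. None of them reach the block list, which is exactly the noise reduction the lifecycle exists to deliver; the alert text keeps the reasoning so an analyst can overrule it.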

What are the types of threat intelligence?

Cybersecurity threat intelligence directly affects the business. Will a potential threat be taken down quickly, or will the intelligence be wasted for lack of a properly defined lifecycle?

Forrester defines business intelligence as the methodologies and processes that "transform raw data into meaningful and useful information used to enable more effective strategic, tactical, and operational insights and decision-making that contribute to improving overall enterprise performance." As it happens, those three areas of insight are the same for TI; let's dive deeper into each.

Strategic TI

Strategic intelligence focuses on long-term threats and their impact. Strategic TI also aids in evaluating attackers, focusing on their tactics and motivations rather than their geographical location, to determine the potential organizational impact of those threats. High-level decision makers are typically briefed on this type of intelligence, so it is important to keep reports as clear as possible.

Operational TI

Operational intelligence focuses on short-term threats that may require immediate mitigation, and thus a quick reprioritization of other initiatives. Operational intelligence also helps assess who is actually being targeted and how. This helps stakeholders determine any immediate threat-response actions.

Tactical TI

Tactical intelligence focuses on the specific behavior of attackers. Are they using particular methods or tools to gain access or to move laterally? Tactical threat intelligence tools are used by personnel engaged in active monitoring and reporting, who also need to spot the less obvious red flags.

It's best to remember that what is best for security is best for the business.

Threat intelligence use cases

Use cases are varied and numerous. Security intelligence tools are useful for being proactive about any type of threat to the security and integrity of a business's operations and cyber strength.

  • Credential leakage: TI can aid in identifying usernames and passwords that may have been exposed to, or could be vulnerable to, exploitation by unauthorized parties.
  • Threat mapping: TI can aid in building a dynamic asset-mapping framework to track an evolving digital footprint. It can identify potential attack vectors and show where exposure may occur. Automatically correlating threat-actor intelligence with an organization's unique digital footprint is central to threat mapping.
  • Brand and fraud protection: TI can help mitigate reputational damage (learn about digital risk protection) by monitoring for domain spoofing and IP-address spoofing by cybercriminals who could be using your brand. TI can also monitor for valuable data being sold on the dark web, helping to defend against phishing scams while protecting IT systems and reputation.
  • Attack surface monitoring: TI can aid in identifying external-facing assets associated with known IP ranges or domain names (learn about Project Sonar). Scanning should ensure full discovery, interact with exposed endpoint services, and collect additional metadata such as SSL certificates, HTML links in HTTP responses, service banners, and more.
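As an added example of the domain-spoofing monitoring mentioned under brand and fraud protection (illustrative code, not Rapid7's or Threat Command's), the block below generates the common ASCII lookalike variants of a brand label and classifies a feed of newly observed domains against them. The brand name `example`, the feed, and the small homoglyph table are all constructed for the example; a real monitor would draw the feed from certificate transparency logs or newly registered domain lists and would also handle internationalized (punycode) domains, which this example deliberately leaves out.

```python
"""Brand-spoofing check: generate lookalike domains for a brand and match them against a feed
of newly observed domains. Added illustration, not Rapid7 code; feed and brand are constructed."""

# Small, assumed homoglyph table: characters attackers commonly substitute in ASCII typosquats.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}


def lookalikes(label):
    """Return the set of single-edit typosquat variants of a brand label (no TLD):
    omission, adjacent transposition, repetition, hyphen insertion and homoglyph substitution."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                          # omission:      exmple
        out.add(label[:i] + ch + label[i:])                          # repetition:    exxample
        if i < len(label) - 1:
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])   # transposition: exmaple
            out.add(label[:i + 1] + "-" + label[i + 1:])             # hyphenation:   ex-ample
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])      # homoglyph:     examp1e
    out.discard(label)
    return out


def classify(domain, brand_label, brand_tlds):
    """Return a reason string if `domain` looks like it impersonates the brand, else None.
    The registrable label is taken as the second-to-last DNS label (public-suffix handling omitted)."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    label, tld = parts[-2], parts[-1]
    if brand_label in parts[:-2]:          # brand used as a subdomain of an unrelated domain
        return "brand-as-subdomain"
    if label == brand_label:               # exact brand label on a TLD the brand does not own
        return None if tld in brand_tlds else "tld-swap"
    if label in lookalikes(brand_label):   # one-edit typosquat of the brand label
        return "typosquat"
    if brand_label in label:               # brand embedded in a longer label, e.g. example-login
        return "brand-in-label"
    return None


def scan_feed(feed, brand_label, brand_tlds):
    """Map every suspicious domain in the feed to the reason it was flagged."""
    hits = {}
    for domain in feed:
        reason = classify(domain, brand_label, brand_tlds)
        if reason:
            hits[domain] = reason
    return hits


# Constructed "newly observed domains" feed; only the first and last entries are benign.
NEW_DOMAINS = [
    "example.com",
    "examp1e.com",
    "exmaple.net",
    "example.co",
    "example-login.net",
    "secure.example.com.attacker.test",
    "samples.com",
]

if __name__ == "__main__":
    for domain, reason in scan_feed(NEW_DOMAINS, "example", {"com"}).items():
        print(f"{reason:20} {domain}")
```

The `brand-in-label` rule is intentionally broad and will also catch legitimate names that merely contain the brand string, so in practice those hits are queued for analyst review rather than acted on automatically, while `typosquat` and `tld-swap` hits are precise enough to feed straight into a takedown or mail-gateway block workflow.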

Read more about threat intelligence

Learn more about Rapid7's threat intelligence products

4 Simple Steps to an Effective Threat Intelligence Program

The Evolution of Cyber Threat Intelligence (CTI)

Threat intelligence news: the latest Rapid7 blog posts