SANS: 2018 Cyber Threat Intelligence Survey Report (51CTO Blog)


2019-01-03 10:40:30 | Author: 青寒 | Tags: cyber, threat, intelligence


  • “We will monitor threat feeds and escalate [a] certain vulnerability remediation priority based on active exploitation campaigns in the wild. These feeds include vendor threat feeds or just security news.”

  • “We utilize several intelligence feeds to augment our perimeter firewall capabilities.”

  • “Pulled info on threat actors, source IPs, domains and [fed] them into EDR [endpoint detection and response] for [blacklists] and traffic reports from them.”

  • “We have alerting set up in our SIEM that correlates event searches against our subscribed threat intelligence feeds. From there we conduct our investigations and take whatever actions [are] deemed an appropriate response. The response is typically blocking malicious activities and hunting for further indicators of compromise across the enterprise environment.”

  • “As CTI raw data, we gathered ransomware IPs, domain names, file hashes from CTI providers as a service and integrated those valuable data [points into] our SIEM, malware analysis appliance, firewall and IPS. Then, when traffic occurs from our [network] to those blacklisted IPs or when an email is received with a file attached with a hash of Wcry files, alarms are sent to related security teams. If the system is in blocking mode, we block that traffic.”

  • 8) What is CTI integrated with? As noted earlier, integration with a SIEM remains the most common choice.
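The respondents above describe the same basic workflow: pull indicators (IPs, domains, file hashes) from a feed, match them against events flowing through the SIEM, firewall or mail gateway, and alert or block on a hit. The following is an added example, not code from the SANS report, the blog, or any vendor: a small indicator matcher that parses constructed firewall, proxy and mail-gateway log lines into fields and checks each field against a constructed feed. All feed values (RFC 5737 test addresses, `example` domains, placeholder hashes), log lines and field names are invented for illustration.

```python
import re
from dataclasses import dataclass

# Constructed threat-intelligence feed (illustrative values, not real IoCs).
# A real feed also carries confidence, first/last seen, source and sharing
# restrictions, which drive whether a match alerts or blocks.
THREAT_FEED = {
    "ip": {"203.0.113.45", "198.51.100.7"},          # RFC 5737 test ranges
    "domain": {"bad.example.net", "ransom.example.org"},
    "sha256": {"a" * 64, "b" * 64},                  # placeholder hashes
}

# Constructed log lines in three ad-hoc key=value formats a SIEM might ingest.
SAMPLE_LOGS = [
    "2018-06-01T10:00:01Z fw src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow",
    "2018-06-01T10:00:02Z fw src=10.0.0.13 dst=192.0.2.10 dport=80 action=allow",
    "2018-06-01T10:00:05Z proxy user=alice host=Bad.Example.NET path=/update.exe status=200",
    "2018-06-01T10:00:06Z proxy user=bob host=www.example.com path=/ status=200",
    "2018-06-01T10:00:09Z mail from=x@example.com attach=invoice.docm sha256=" + "b" * 64,
    "2018-06-01T10:00:10Z mail from=y@example.com attach=report.pdf sha256=" + "c" * 64,
]


@dataclass(frozen=True)
class Alert:
    ioc_type: str
    value: str
    log_line: str


# Which parsed fields may hold each indicator type. Matching on fields rather
# than on the raw line avoids noise such as an IP string inside a URL path.
FIELDS_FOR_TYPE = {
    "ip": ("src", "dst"),
    "domain": ("host",),
    "sha256": ("sha256",),
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_fields(line: str) -> dict:
    """Extract key=value pairs; text before the first pair (timestamp, source) is ignored."""
    return {k: v for k, v in KV_RE.findall(line)}


def match_line(line: str, feed: dict = THREAT_FEED) -> list:
    """Return one Alert per indicator found in the relevant fields of this line."""
    fields = parse_fields(line)
    alerts = []
    for ioc_type, names in FIELDS_FOR_TYPE.items():
        for name in names:
            value = fields.get(name)
            if value is None:
                continue
            # Normalise case: hostnames are case-insensitive and hashes are hex.
            value = value.lower()
            if value in feed.get(ioc_type, set()):
                alerts.append(Alert(ioc_type, value, line))
    return alerts


def scan_logs(lines, feed: dict = THREAT_FEED) -> list:
    """Run match_line over a batch of log lines and collect every alert."""
    alerts = []
    for line in lines:
        alerts.extend(match_line(line, feed))
    return alerts


if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"ALERT {a.ioc_type}={a.value} :: {a.log_line}")
```

On the sample input this raises three alerts: the outbound connection to the listed address, the proxy request for the listed domain (matched despite mixed case), and the mail attachment whose hash is on the feed. The design point worth noting is that the match is made on parsed fields, so the feed's hash set never gets compared against a hostname and a listed IP appearing inside a URL path does not fire; in a real SIEM the equivalent is a lookup or enrichment rule keyed on the normalised field, with the feed's confidence and age deciding whether the hit only alerts or also blocks.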

According to John Pescatore, SANS’ director of emerging technologies, increasing automation and adding more staff are not the approaches organizations should take. He says, “The real successes in cyber security have been where skills are continually upgraded, staff growth is moderate and next-generation cyber security tools are used to act as ‘force multipliers’ that enable limited staff to keep up with the speed of both threats and business demands.”