How to use threat intelligence

Posted by millikan at 2020-03-30

Threat intelligence has been a popular topic in China for several years, but there has been little discussion of how to actually use it and in which specific scenarios. Here I want to cover that aspect from my own knowledge; please correct anything that is incomplete or inaccurate.

Intelligence and threat intelligence are easily equated, but they are not the same thing. Threat intelligence (about attackers), vulnerability intelligence (about weak points) and asset intelligence (about an organization's internal IT assets, business systems and people) all fall under the category of intelligence, but their functions and the ways they are produced and maintained differ, so they need to be clearly distinguished. All of them are information required for security analysis. Assets and vulnerabilities have been valued for many years; security construction has even been regarded as revolving around assets and vulnerabilities. As the real-world contest between attack and defense keeps evolving, we have to enter the stage of active security construction (the adaptive security architecture, ASA). We need to pay more attention to threats, let threat intelligence lead security construction, further improve the capabilities of detection, analysis, prediction and prevention, find the deficiencies in our defenses and fix them in a targeted way. This dynamic, balanced concept of security has become a widely accepted guiding principle of security construction.

To get back to the point, let's talk about the types of threat intelligence. Based on the overall application scenario, threat intelligence can be divided into three categories: tactical intelligence, used for automated detection and analysis; operational intelligence, used for security response and analysis; and strategic intelligence, used to guide the overall security investment strategy.

Tactical intelligence

The function of tactical intelligence is to discover threat events and to confirm or prioritize alerts. The common compromise-detection intelligence (C&C intelligence) and IP intelligence belong to this category. Both are machine-readable intelligence that security devices can consume directly to carry out the above security work automatically.

Compromise-detection intelligence is intelligence about the remote command-and-control servers that attackers use to control victim hosts. Its IOCs usually take the form of domain names, IPs and URLs (sometimes also SSL certificates, hashes and other forms). These IOCs can be pushed to different security devices, such as NGFW, IPS and SIEM, for detection and even real-time blocking. This kind of intelligence generally also provides richer context, such as severity, attack group and malware family, which helps determine event priority and guide subsequent response activities. Using this kind of intelligence is the simplest, most timely and most effective way to discover APT groups, Trojans and worms that have already penetrated the organization.

IP intelligence is a collection of information about the attributes of IP hosts that access Internet-facing servers. Many of these attributes help the server side defend against attacks, confirm alerts and sort priorities. For example, information about hosts that continuously scan the Internet can be used to keep enterprise asset information from being mapped out by hackers (much of the time hackers know better than the enterprise's own network administrators which hosts have SMB ports open and which of them may have the Struts 2 vulnerability); information about IPs used for automated attacks on the Internet can be used to prioritize web attack alerts; information about whether an IP belongs to an IDC host or an end-user host can be used for attack confirmation, suspicious-behavior detection or spam blocking; and gateway IPs, proxy IPs and so on each have their own uses. There are many related scenarios, which I will not enumerate one by one.
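The following added example (my own illustration, not code from the original post) shows how the two kinds of tactical intelligence described above are consumed by a machine: a compromise-detection (C&C) feed is matched exactly against DNS, connection and file events, and IP attribute intelligence is used to raise or lower the priority of web alerts by source. The IOC feed, the IP attribute table, the log format (`timestamp kind key=value ...`) and all addresses, domains and hashes are constructed for the example and carry no real-world meaning.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed C&C feed in the usual shape: indicator -> context. TEST-NET
# addresses, .test domains and a dummy hash; none of these are real IOCs.
IOC_FEED = {
    "domain": {
        "update-check.example-bad.test": {"severity": "high", "group": "GroupX", "family": "TrojanY"},
    },
    "ip": {
        "203.0.113.45": {"severity": "medium", "group": "GroupX", "family": "TrojanY"},
    },
    "sha256": {
        "a" * 64: {"severity": "high", "group": "unknown", "family": "WormZ"},
    },
}

# Constructed IP attribute intelligence: what role an external IP is known to play.
IP_ATTRIBUTES = {
    "198.51.100.7": {"internet_scanner"},
    "198.51.100.9": {"automated_attacker"},
    "192.0.2.10": {"idc"},
    "192.0.2.20": {"end_user", "proxy"},
}

# Severity from the feed context maps to an alert score used for triage ordering.
SEVERITY_SCORE = {"high": 90, "medium": 60, "low": 30}


@dataclass
class Alert:
    ts: str
    kind: str
    indicator: str
    score: int
    reason: str
    context: dict = field(default_factory=dict)


def parse_line(line: str) -> dict:
    """Parse 'ts kind key=value ...' into a dict; returns {} for malformed lines."""
    parts = line.strip().split()
    if len(parts) < 2:
        return {}
    event = {"ts": parts[0], "kind": parts[1]}
    for kv in parts[2:]:
        if "=" not in kv:
            return {}
        key, value = kv.split("=", 1)
        event[key] = value
    return event


def match_iocs(event: dict) -> List[Alert]:
    """Compromise detection: exact match of event fields against feed indicators."""
    alerts = []
    checks = (("domain", "qname"), ("ip", "dst"), ("sha256", "sha256"))
    for ioc_type, field_name in checks:
        value = event.get(field_name)
        ctx = IOC_FEED[ioc_type].get(value) if value else None
        if ctx:
            alerts.append(Alert(event["ts"], event["kind"], value,
                                SEVERITY_SCORE[ctx["severity"]], f"C&C {ioc_type} match", ctx))
    return alerts


def score_source_ip(event: dict) -> Optional[Alert]:
    """IP intelligence: weight a web event by what its source IP is known to do."""
    roles = IP_ATTRIBUTES.get(event.get("src", ""))
    if not roles or event.get("kind") != "web":
        return None
    if "automated_attacker" in roles:
        return Alert(event["ts"], "web", event["src"], 70, "known automated attack source")
    if "internet_scanner" in roles:
        return Alert(event["ts"], "web", event["src"], 40, "internet-wide scanner probing an exposed asset")
    if "proxy" in roles or "idc" in roles:
        return Alert(event["ts"], "web", event["src"], 20, "non-end-user origin, review for suspicious behavior")
    return None


def triage(lines: List[str]) -> List[Alert]:
    """Run both checks over raw log lines and return alerts, highest score first."""
    alerts: List[Alert] = []
    for line in lines:
        event = parse_line(line)
        if not event:
            continue
        alerts.extend(match_iocs(event))
        ip_alert = score_source_ip(event)
        if ip_alert:
            alerts.append(ip_alert)
    return sorted(alerts, key=lambda a: a.score, reverse=True)


# Constructed log lines covering a DNS hit, a connection hit, three web sources
# with different roles, an unknown source, a file-hash hit and a malformed line.
SAMPLE_LOGS = [
    "2020-03-30T10:00:01Z dns src=10.0.0.5 qname=update-check.example-bad.test",
    "2020-03-30T10:00:02Z conn src=10.0.0.6 dst=203.0.113.45 dport=443",
    "2020-03-30T10:00:03Z web src=198.51.100.9 path=/index.action status=500",
    "2020-03-30T10:00:04Z web src=198.51.100.7 path=/ status=404",
    "2020-03-30T10:00:05Z web src=192.0.2.20 path=/login status=200",
    "2020-03-30T10:00:06Z web src=192.0.2.99 path=/ status=200",
    "2020-03-30T10:00:07Z file src=10.0.0.7 sha256=" + "a" * 64,
    "garbage line",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(alert.score, alert.kind, alert.indicator, alert.reason, alert.context.get("family", ""))
```

The scoring values are arbitrary; what matters is the pattern: indicator matches inherit their priority from the feed's context (severity, family), while IP attributes adjust priority without claiming a compromise on their own.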

Operational intelligence

Operational intelligence is used by security analysts or incident responders to analyze known important security events (confirming alerts, the scope of the attack's impact, the attack chain, the attacker's purpose, techniques and tactics, and so on), or to use known attackers' techniques and tactics to actively search for traces of attacks. The first type of activity is part of incident response; the second has the grander name of "threat hunting".

Security analysis during incident response requires local logs, traffic and endpoint information, the enterprise's own asset intelligence, and operational threat intelligence. Here the intelligence usually takes the form of a threat intelligence platform, an application tool for analysts. Starting from a domain name or IP related to an attack event, the platform makes it possible to find more attack events and details tied to the attacker, and to better understand the attacker's purpose, techniques and tactics. From one sample, one can find more related samples, together with their types, prevalence and behavior characteristics on the host. The same platform can be used to continuously track changes in the network infrastructure used by the relevant attackers, to find out whether the organization's own assets have been used by attackers, and so on.
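To make the pivoting described above concrete, here is an added example (my own, not code from the original post or from any particular platform) of the core operation behind a threat intelligence platform: a relationship graph built from passive-DNS style records and sample network behavior, a breadth-first pivot from one indicator to related infrastructure and samples, an infrastructure timeline for a domain, and a check for the organization's own assets among what the pivot reaches. The records, hashes, domains, TEST-NET IPs and the "own assets" list are all constructed for the example.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed passive DNS: domain -> [(ip, first_seen, last_seen)]. Made-up data.
PASSIVE_DNS = {
    "update-check.example-bad.test": [
        ("203.0.113.45", "2020-01-10", "2020-03-01"),
        ("203.0.113.46", "2020-03-02", "2020-03-29"),
    ],
    "cdn-sync.example-bad.test": [("203.0.113.46", "2020-02-15", "2020-03-29")],
    # A constructed subdomain of the organization that resolved to the same IP,
    # the kind of finding that warrants checking whether it was hijacked.
    "mail.victim-corp.test": [("203.0.113.46", "2020-03-20", "2020-03-29")],
}

# Constructed sample behavior: sha256 -> family and the network targets it contacted.
SAMPLE_BEHAVIOR = {
    "b" * 64: {"family": "TrojanY", "contacts": ["update-check.example-bad.test"]},
    "c" * 64: {"family": "TrojanY", "contacts": ["cdn-sync.example-bad.test", "203.0.113.47"]},
}

# Constructed list of the organization's own assets (domains or IPs).
OWN_ASSETS = {"mail.victim-corp.test", "192.0.2.10"}

Graph = Dict[str, Set[Tuple[str, str]]]  # node -> {(relation, neighbor)}


def _node(value: str) -> str:
    """Prefix a bare value with its type so domains, IPs and hashes never collide."""
    if len(value) == 64 and all(ch in "0123456789abcdef" for ch in value):
        return "sample:" + value
    if value.replace(".", "").isdigit():
        return "ip:" + value
    return "domain:" + value


def build_graph() -> Graph:
    """Turn both datasets into one undirected graph with labelled edges."""
    graph: Graph = {}

    def add(a: str, relation: str, b: str) -> None:
        graph.setdefault(a, set()).add((relation, b))
        graph.setdefault(b, set()).add(("inverse:" + relation, a))

    for domain, records in PASSIVE_DNS.items():
        for ip, _first, _last in records:
            add(_node(domain), "resolves_to", _node(ip))
    for sha256, info in SAMPLE_BEHAVIOR.items():
        for target in info["contacts"]:
            add(_node(sha256), "contacts", _node(target))
    return graph


def pivot(graph: Graph, start: str, max_depth: int = 2) -> Dict[str, Tuple[int, List[str]]]:
    """BFS from a starting node; returns {node: (depth, path with edge labels)}."""
    seen = {start: (0, [start])}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        depth, path = seen[node]
        if depth >= max_depth:
            continue
        for relation, neighbor in sorted(graph.get(node, ())):
            if neighbor not in seen:
                seen[neighbor] = (depth + 1, path + ["-" + relation + "->", neighbor])
                queue.append(neighbor)
    return seen


def related_samples(graph: Graph, start: str, max_depth: int = 2) -> List[str]:
    """Samples reachable from an indicator within max_depth hops."""
    return sorted(n for n in pivot(graph, start, max_depth) if n.startswith("sample:"))


def own_assets_in_reach(graph: Graph, start: str, own: Set[str], max_depth: int = 2) -> List[str]:
    """Own assets that share infrastructure with the pivot result (review these first)."""
    return sorted(n for n in pivot(graph, start, max_depth) if n.split(":", 1)[1] in own)


def infrastructure_timeline(domain: str) -> List[Tuple[str, str, str]]:
    """Resolution history ordered by first_seen, to follow infrastructure changes."""
    return sorted(PASSIVE_DNS.get(domain, []), key=lambda rec: rec[1])


if __name__ == "__main__":
    graph = build_graph()
    start = _node("update-check.example-bad.test")
    for node, (depth, path) in pivot(graph, start, 3).items():
        print(depth, " ".join(path))
    print("samples:", related_samples(graph, start, 3))
    print("own assets to review:", own_assets_in_reach(graph, start, OWN_ASSETS))
    print("timeline:", infrastructure_timeline("update-check.example-bad.test"))
```

The depth limit is the analyst's control against the graph exploding through shared hosting or sinkhole IPs; in practice each hop is also filtered by time window and by how many domains an IP hosts, which this example leaves out.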

Threat hunting is the process of discovering unknown threat events based on known techniques and tactics (TTPs: tactics, techniques and procedures) and obtaining further information about the attacker's techniques and tactics. Hunting requires specific internal logs, traffic or endpoint data, corresponding analysis tools, and security analysts with rich knowledge of techniques and tactics. This kind of intelligence is usually obtained from analysis reports on security incidents or from databases of specific techniques and tactics. Internationally there has been more progress in this area, including various open-source or limited-distribution sources that provide such information, while domestic security incident reports are relatively few. Because of this, some of the most valuable TTP-level analysis content cannot be published publicly.
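As an added example (mine, not from the original post) of hunting from TTPs rather than from indicators, the block below encodes two technique-level hypotheses of the kind found in incident reports and technique databases, an office application spawning a command interpreter and PowerShell started with an encoded command, as predicates over endpoint process-creation events, applies them to a constructed event set, suppresses a documented exception, and ranks hosts by how many distinct techniques fired on them. The event schema, hostnames, user names, command lines and the allowlist entry are all constructed; the base64 argument is a dummy value.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Set, Tuple


class ProcEvent(NamedTuple):
    ts: str
    host: str
    user: str
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str


class HuntRule(NamedTuple):
    name: str
    hypothesis: str
    predicate: Callable[[ProcEvent], object]  # truthy when the event matches


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -e / -enc / -EncodedCommand followed by an argument; "-ExecutionPolicy" must not match.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|enc|encodedcommand)\s+\S+")

RULES = [
    HuntRule("office_spawns_interpreter",
             "document-borne execution: an office application launching a shell or script host",
             lambda e: e.parent in OFFICE_APPS and e.image in INTERPRETERS),
    HuntRule("encoded_powershell",
             "obfuscated execution: PowerShell started with an encoded command",
             lambda e: e.image == "powershell.exe" and ENCODED_RE.search(e.cmdline)),
]

# Constructed exception: a documented deployment job on one server that legitimately
# uses encoded commands. Keyed by (host, user, rule) so it stays narrow.
ALLOWLIST: Set[Tuple[str, str, str]] = {("srv-01", "svc-deploy", "encoded_powershell")}

# Constructed endpoint events: a two-step chain on wks-101, benign admin usage on
# wks-102, the allowlisted job on srv-01, and single-step hits on wks-103/wks-104.
EVENTS = [
    ProcEvent("2020-03-30T09:01:00Z", "wks-101", "alice", "winword.exe", "cmd.exe",
              "cmd.exe /c powershell -nop -w hidden -enc QUFBQQ=="),
    ProcEvent("2020-03-30T09:01:05Z", "wks-101", "alice", "cmd.exe", "powershell.exe",
              "powershell -nop -w hidden -enc QUFBQQ=="),
    ProcEvent("2020-03-30T09:05:00Z", "wks-102", "bob", "explorer.exe", "powershell.exe",
              "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ProcEvent("2020-03-30T09:07:00Z", "srv-01", "svc-deploy", "services.exe", "powershell.exe",
              "powershell -NonInteractive -EncodedCommand QUFBQQ=="),
    ProcEvent("2020-03-30T09:10:00Z", "wks-103", "carol", "excel.exe", "mshta.exe",
              "mshta C:\\Users\\carol\\AppData\\Local\\Temp\\x.hta"),
    ProcEvent("2020-03-30T09:12:00Z", "wks-104", "dave", "outlook.exe", "powershell.exe",
              "powershell -EncodedCommand QUFBQQ=="),
]


def hunt(events: List[ProcEvent], rules: List[HuntRule],
         allowlist: Set[Tuple[str, str, str]]) -> Dict[str, List[dict]]:
    """Apply every rule to every event; return hits grouped by host, in event order."""
    hits: Dict[str, List[dict]] = {}
    for event in events:
        for rule in rules:
            if not rule.predicate(event):
                continue
            if (event.host, event.user, rule.name) in allowlist:
                continue
            hits.setdefault(event.host, []).append(
                {"ts": event.ts, "rule": rule.name, "parent": event.parent,
                 "image": event.image, "user": event.user})
    return hits


def prioritize_hosts(hits: Dict[str, List[dict]]) -> List[str]:
    """Hosts where more distinct techniques fired come first; ties broken by name."""
    return sorted(hits, key=lambda host: (-len({h["rule"] for h in hits[host]}), host))


if __name__ == "__main__":
    found = hunt(EVENTS, RULES, ALLOWLIST)
    for host in prioritize_hosts(found):
        print(host)
        for hit in found[host]:
            print("  ", hit["ts"], hit["rule"], hit["parent"], "->", hit["image"])
```

Two design points carry over to real hunts: the hypothesis is written down next to the predicate so a hit can be judged against what it was meant to find, and exceptions are scoped to host, user and rule rather than to a process name, so suppressing one known job does not blind the hunt to the same technique elsewhere.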

Strategic intelligence

Strategic-level threat intelligence is used by an organization's security managers, such as the CSO. How much an organization invests in security, and in which direction, usually needs to be agreed at the highest level. But this raises a problem: how can business managers who do not understand the specifics of attack and defense technology get enough information to decide on security investment strategy? Here strategic intelligence becomes a powerful weapon for the CSO. It covers what kinds of organizations will attack, what harm an attack may cause, the attackers' tactical capabilities and the resources they control, and of course also specific attack examples. With such information, decisions on security investment are no longer blind but match the organization's business situation and the real threats it faces.


The three types of threat intelligence support security operations staff, security analysts and security managers respectively. A short article cannot cover all the use scenarios, and this is also a field still being explored; more application scenarios and methods will keep emerging. I hope to hear more voices about what you have encountered and what you think.
