threat intelligence and threat

Posted by fierce at 2020-02-27

The previous piece, the 2017 review of threat intelligence and threat data, received some feedback. Many friends came to me to talk over the details of the article, but complained that I had held half of it back.

In fact there is really nothing held back. A lot of data was put out, and anyone willing to dig will not find it hard to see and understand a few facts. Here, following that article, I set down some personal conclusions from the perspective of the end user. How useful they are, different people will judge differently.

Build a global open-source intelligence collection and response capability, and in particular make good use of the time-zone difference. For example, the earliest overseas WannaCry report that carried IOCs (a hash) appeared at 8:40 a.m. on May 12 (local time), which was Friday night in China. An enterprise that makes good use of that gap can already decide its own fate;
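The "time difference" point above is only useful if the IOC actually reaches your matching logic in time. The following is an added example, not code from the original post: it ingests a constructed JSON IOC feed (placeholder digests, not real WannaCry samples), validates each entry as a hex digest of the right length, matches the sha256 entries against constructed local file-hash telemetry in an assumed `<UTC time> <host> <sha256>` line format, and reports the lead time between feed publication and the first local sighting, rendered in China Standard Time so the "Friday night" argument can be read straight off the output.

```python
"""Ingest an open-source IOC feed, validate it, match it against local file-hash
telemetry, and report the lead time in China Standard Time."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed UTC+8 for China Standard Time (no DST), so no tz database is needed.
CST = timezone(timedelta(hours=8))
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}  # hex digest length per hash type

# Constructed IOC feed; digests are placeholders, not real WannaCry indicators.
FEED_JSON = """[
  {"type": "sha256", "published": "2017-05-12T06:05:00Z", "source": "overseas blog (constructed)",
   "value": "0123456789ABCDEF0123456789abcdef0123456789abcdef0123456789abcdef"},
  {"type": "md5", "published": "2017-05-12T07:10:00Z", "source": "overseas blog (constructed)",
   "value": "deadbeefdeadbeefdeadbeefdeadbeef"},
  {"type": "sha256", "published": "2017-05-12T07:10:00Z", "source": "bad row (constructed)",
   "value": "not-a-hash"}
]"""

# Constructed local EDR telemetry, one "<UTC time> <host> <sha256>" per line (assumed format).
LOCAL_EVENTS = """\
2017-05-12T05:15:00Z fin-ws-07 1111111111111111111111111111111111111111111111111111111111111111
2017-05-12T12:05:00Z fin-ws-12 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2017-05-12T13:30:00Z hr-ws-03  0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2017-05-12T14:00:00Z fin-ws-12 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""


@dataclass(frozen=True)
class Ioc:
    kind: str
    value: str
    published: datetime
    source: str


@dataclass(frozen=True)
class Event:
    when: datetime
    host: str
    sha256: str


def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_feed(text):
    """Normalise digests to lowercase hex and drop rows that are not a valid digest."""
    iocs = []
    for row in json.loads(text):
        kind, value = row["type"].lower(), row["value"].strip().lower()
        if kind not in HASH_LEN or not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[kind], value):
            continue  # wrong type or malformed digest: never let garbage into the match set
        iocs.append(Ioc(kind, value, parse_utc(row["published"]), row["source"]))
    return iocs


def parse_events(text):
    return [Event(parse_utc(t), h, d.lower())
            for t, h, d in (line.split() for line in text.splitlines() if line.strip())]


def match_iocs(iocs, events):
    """Map each sha256 IOC seen locally to (first_seen, sorted hosts, lead_hours).
    lead_hours is first local sighting minus feed publication: positive means the
    feed gave you warning, negative means you were hit before anyone reported it."""
    by_hash = {i.value: i for i in iocs if i.kind == "sha256"}
    hits = {}
    for ev in sorted(events, key=lambda e: e.when):
        if ev.sha256 not in by_hash:
            continue
        first_seen, hosts = hits.get(ev.sha256, (ev.when, set()))
        hosts.add(ev.host)
        hits[ev.sha256] = (first_seen, hosts)
    return {d: (first, sorted(hosts), (first - by_hash[d].published).total_seconds() / 3600)
            for d, (first, hosts) in hits.items()}


def in_cst(dt):
    """Render a UTC datetime as China wall-clock time, with the weekday."""
    return dt.astimezone(CST).strftime("%Y-%m-%d %H:%M %a CST")


if __name__ == "__main__":
    iocs = parse_feed(FEED_JSON)
    for digest, (first, hosts, lead) in match_iocs(iocs, parse_events(LOCAL_EVENTS)).items():
        ioc = next(i for i in iocs if i.value == digest)
        print(f"{digest[:16]}... published {in_cst(ioc.published)} ({ioc.source})")
        print(f"  first seen locally {in_cst(first)} on {hosts}; lead time {lead:+.1f} h")
```

With the constructed data the IOC is published at 14:05 Friday CST and first seen locally six hours later; a negative lead time is the case worth alerting on separately, because it means the feed is confirming an intrusion rather than warning of one.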

Since open-source intelligence is this valuable, how should it be used? What ET Pro does in its analysis, from routine through to sources, is the proper approach and the best practice;

What is hottest in the industry is not necessarily what gives end users the best price-performance ratio. For example, DGA has been a hot topic for a while, but seen against a wider body of threat data the share of DGA domains is not as large as expected. We all know that solving DGA without reversing the algorithm takes a lot of effort. Is that input-output ratio worth it? Alternatively, the hidden problem behind DGA can be addressed in a different way: the cost may be lower and the return need not be smaller. Of course, building the ability to continuously capture samples and reverse the algorithms is a heavy burden for an ordinary user, so if a security vendor already does this as part of its pipeline, buying it directly may well be the better value;

Counted by family, the number of newly disclosed ransomware families is slowing down, but judged by the damage done, or at least by the frequency of reporting, it is significantly higher than in 2016. This most likely means ransomware has entered a stage of intensive cultivation: no longer casting a wide net, but gradually moving to targeted, directional operations. I wrote a popular-science article about ransomware before; I think ransomware will gradually become APT-like (there are already similar cases).

Botnets are still rampant, but DDoS no longer seems to be the main outlet for botnet capacity (see the 2017 H1 DDoS report from NSFOCUS (Green Alliance): total DDoS traffic neither rose nor fell in 2017 H1). Judging from the analysis of the various Mirai variants in 2017, the cost of acquiring a single IP resource is still very low. So where does the traffic generated by botnets go? Crawling is one destination I know of and see at present (unfortunately I have no clear data to support this).

The suffix distribution of malicious domain names is worth some guessing. .com takes first place with a share of more than 50%, and .net takes second. The third and later suffixes I did not write out but did plot, and they are worth pondering: the third ., the fourth .org, the fifth .ru, the sixth .info, the seventh .com.au. What is there to think about here? Well, as an end user, flipping through your own DNS resolution logs may bring some new ideas.
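Two of the points above, the cheaper way around DGA and reading your own DNS logs, can be demonstrated on the same data. The block below is an added example, not code from the original post or from any vendor it mentions. It parses a constructed resolver log in an assumed `<ts> <client> <qname> <rcode>` line format, flags clients that generate many NXDOMAIN answers across many distinct registrable domains (the symptom a DGA leaves behind, which costs nothing to reverse), and computes the public-suffix distribution over the unique registrable domains seen, so that `.com.au` counts as a suffix in its own right rather than as `.au`. The two-label suffix set is a small hand-written stand-in for the Public Suffix List, and the "random-looking" names are generated from a hash for illustration only.

```python
"""Cheap DNS-log checks: NXDOMAIN bursts per client (a DGA symptom that needs no
reversing) and the public-suffix distribution of the names your resolver sees."""
import hashlib
from collections import Counter, defaultdict

# Two-label public suffixes handled here; a simplified stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.au", "co.uk", "com.cn", "net.au", "co.jp"}


def registrable_parts(qname):
    """Split 'a.b.example.com.au' into ('example', 'com.au'), 'www.example.com' into ('example', 'com')."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return (labels[0], "")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return (labels[-3], ".".join(labels[-2:]))
    return (labels[-2], labels[-1])


def parse_dns_log(text):
    """Assumed line format '<ts> <client> <qname> <rcode>'; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "rcode": rcode.upper()})
    return records


def suffix_distribution(records):
    """Share of each public suffix over UNIQUE registrable domains, most common first.
    Counting per query would let one busy CDN name dominate the picture."""
    domains = {registrable_parts(r["qname"]) for r in records}
    counts = Counter(suffix for _, suffix in domains)
    total = sum(counts.values())
    return {suffix: n / total for suffix, n in counts.most_common()}


def nxdomain_stats(records):
    """Per client: total queries, NXDOMAIN answers, and distinct registrable domains that failed."""
    per = defaultdict(lambda: {"queries": 0, "nx": 0, "nx_domains": set()})
    for r in records:
        c = per[r["client"]]
        c["queries"] += 1
        if r["rcode"] == "NXDOMAIN":
            c["nx"] += 1
            c["nx_domains"].add(registrable_parts(r["qname"]))
    return per


def dga_suspects(records, min_queries=10, min_ratio=0.5, min_unique_nx=8):
    """Clients whose NXDOMAIN share AND number of distinct failed domains both exceed thresholds.
    The distinct-domain floor is what separates a DGA from a host hammering one typo'd name."""
    flagged = []
    for client, s in nxdomain_stats(records).items():
        ratio = s["nx"] / s["queries"]
        if s["queries"] >= min_queries and ratio >= min_ratio and len(s["nx_domains"]) >= min_unique_nx:
            flagged.append((client, round(ratio, 2), len(s["nx_domains"])))
    return sorted(flagged)


def _fake_dga_name(i):
    # Constructed pseudo-random label standing in for an algorithmically generated name.
    return hashlib.sha1(f"constructed-{i}".encode()).hexdigest()[:12] + ".com"


def build_sample_log():
    """Constructed log: a quiet client, a DGA-like client, and a client repeating one typo'd name."""
    lines = []
    normal = ["www.example.com", "mail.example.net", "cdn.example.org", "news.example.com.au",
              "api.example.ru", "www.example.info", "example.com.au"]
    for i in range(14):
        lines.append(f"2017-05-12T10:{i:02d}:00Z 10.0.0.5 {normal[i % len(normal)]} NOERROR")
    for i in range(20):
        lines.append(f"2017-05-12T10:{i:02d}:30Z 10.0.0.9 {_fake_dga_name(i)} NXDOMAIN")
    for i in range(4):
        lines.append(f"2017-05-12T10:{i:02d}:45Z 10.0.0.9 www.example.com NOERROR")
    for i in range(12):  # many NXDOMAINs but a single domain: a typo, not a DGA
        lines.append(f"2017-05-12T10:{i:02d}:50Z 10.0.0.7 intranet.exampel.com NXDOMAIN")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_dns_log(build_sample_log())
    print("DGA suspects (client, nx share, distinct failed domains):", dga_suspects(recs))
    for suffix, share in suffix_distribution(recs).items():
        print(f"  .{suffix:<7} {share:6.1%}")
```

On the constructed log only `10.0.0.9` is flagged: `10.0.0.7` has a 100% NXDOMAIN rate but against a single domain, which is exactly the false positive a ratio-only rule produces. The suffix table is dominated by `.com` here because the generated names all sit under it; on real logs the interesting part is how far your own distribution departs from the malicious-domain distribution the post describes.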

Two more sentences: what is the use of summing up these ideas and data sources?

In fact, when I first started summarizing, I did not think much about how other people would use it. I used it purely to supplement my own routine, and the combination of my method and practice is roughly as follows. I am not going to go into it in detail.

Here is one of the analysis cases that followed this routine (sorry for all the shameless mosaic blurring).

In fact, once you look closely at the details you will find that the formula I summarized is not a high-level technical one, because I prefer the integration and reuse of information. Intelligence work rewards specialization, and no intelligence team can be superior in every respect (please tell me which boss has given you the headcount to do it all). On the premise of keeping the capability you are fastest at, make good use of the other resources that are faster than you, and then integrate them into your own scene; that is the greatest value.

OK, that's all. I think this makes enough for an article to publish.

I wanted to add the ransomware data mentioned last time, but I haven't been sleeping enough recently, so I'm turning in early.

(Finally, I can't ask for tips any more. Since the iOS tipping feature was blocked, one article can't even earn enough for a pancake.)