threat intelligence: essay

Posted by fierce at 2020-03-20

It has not been updated for a long time. Last week I sheepishly updated an article; today I forgot to push it.


1. New breath of Threat Intelligence

Like APT, threat intelligence is not one specific technology or one specific means, but a collection of actions, methods and even frameworks.

Things of this kind therefore always bring people a breath of fresh air: as long as the routines or methods are updated, something bright and new appears in front of them.

Over time, from rapid heating-up to gradual cooling, threat intelligence has presented three facts to people with security needs:

No longer clinging to the ultimate defense ability

Traditional defense, whether it finds problems through external means, patches the weakest link after self-assessment of the target, or even the layered defense and defense in depth that everyone later tried to explore, always pursued the ultimate in defensive capability, and in many schemes even tended toward an [absolutely correct defense capability]. For example... ah, forget it, feel it for yourself.

Threat intelligence, however, is an acknowledgement of the fact that "attack precedes defense", and an attempt to shorten the time window between attack and defense by means of intelligence.

The desire for rapid circulation of rules

Intelligence is not the same as rules, but as far as current protection frameworks go, the only thing that can finally be deployed is rules.

Most rules are feasible and universal, but environments also produce differences between rules, so intelligence needs standard formats for various postures to cover those differences.

Building on the first point, the ability to circulate such "rules" rapidly is one of the fundamental values of intelligence.
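As an added illustration of "intelligence lands as rules, in more than one format" (this is example code written for this page, not the author's own tooling): one vendor-neutral intelligence record is validated and then rendered both as a Suricata rule for a network sensor and as a Sigma-style detection for the log side. The record type, the indicator values, the reference id and the confidence threshold that decides between blocking and alerting are all constructed assumptions.

```python
"""
Added example (not from the original post): one intelligence record rendered
into rules for two different enforcement points. The record structure, the
indicator values and the 80% confidence threshold are constructed here.
"""
from dataclasses import dataclass
import ipaddress
import re


@dataclass
class IntelRecord:
    """Minimal vendor-neutral indicator: what it is, why it matters, how sure we are."""
    ioc_type: str      # "ipv4", "domain" or "sha256"
    value: str
    threat: str        # human label for the campaign or tool
    confidence: int    # 0-100; drives whether a rule blocks or only alerts
    ref_id: str = "placeholder-intel-0001"  # assumed id scheme, not a real feed id


def validate(rec: IntelRecord) -> None:
    """Reject malformed indicators before they turn into rules: a bad IOC becomes a bad rule fast."""
    if rec.ioc_type == "ipv4":
        ipaddress.IPv4Address(rec.value)  # raises ValueError on garbage
    elif rec.ioc_type == "domain":
        if not re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", rec.value.lower()):
            raise ValueError(f"bad domain: {rec.value}")
    elif rec.ioc_type == "sha256":
        if not re.fullmatch(r"[0-9a-f]{64}", rec.value.lower()):
            raise ValueError(f"bad sha256: {rec.value}")
    else:
        raise ValueError(f"unsupported ioc_type: {rec.ioc_type}")
    if not 0 <= rec.confidence <= 100:
        raise ValueError("confidence out of range")


def to_suricata(rec: IntelRecord, sid: int) -> str:
    """Network sensor rendering: only IP and domain indicators make sense here."""
    validate(rec)
    action = "drop" if rec.confidence >= 80 else "alert"
    msg = f'msg:"INTEL {rec.threat} ({rec.ref_id})"'
    if rec.ioc_type == "ipv4":
        return f'{action} ip $HOME_NET any -> {rec.value} any ({msg}; sid:{sid}; rev:1;)'
    if rec.ioc_type == "domain":
        return (f'{action} dns $HOME_NET any -> any any ({msg}; dns.query; '
                f'content:"{rec.value}"; nocase; sid:{sid}; rev:1;)')
    raise ValueError(f"{rec.ioc_type} has no network rendering")


def to_sigma(rec: IntelRecord) -> dict:
    """Log-side rendering: a Sigma-style detection dict; hashes, domains and IPs all fit here."""
    validate(rec)
    if rec.ioc_type == "sha256":
        logsource = {"category": "process_creation", "product": "windows"}
        selection = {"Hashes|contains": f"SHA256={rec.value.lower()}"}
    elif rec.ioc_type == "domain":
        logsource = {"category": "dns_query", "product": "windows"}
        selection = {"QueryName": rec.value.lower()}
    else:  # ipv4 (validate() already rejected anything else)
        logsource = {"category": "network_connection", "product": "windows"}
        selection = {"DestinationIp": rec.value}
    return {
        "title": f"Intel match: {rec.threat}",
        "id": rec.ref_id,
        "level": "high" if rec.confidence >= 80 else "medium",
        "logsource": logsource,
        "detection": {"selection": selection, "condition": "selection"},
    }


if __name__ == "__main__":
    # Constructed sample indicator (TEST-NET address, not a real IOC).
    sample = IntelRecord("ipv4", "203.0.113.5", "constructed-campaign", 90)
    print(to_suricata(sample, 9000001))
    print(to_sigma(sample))
```

The same record produces a "drop" on the sensor and a "high" level detection in the log pipeline because both read the one confidence field; lowering that field in the feed changes every downstream rule at once, which is the "rapid flow" the section is about. The validation step is the part most often skipped in practice, and it is what keeps a typo in a feed from silently becoming a rule that never matches or, worse, matches everything.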

Dependence on and redefinition of human capabilities

The original pursuit of extreme or even absolute defense created many "solution-first people": they directly apply a lot of high-standard, complex security frameworks without considering the attacker's perspective or the protection scenario, which eventually led a lot of solution-first people into the industry (this is the after-effect of the third stage I mentioned in [Four stages of domestic security industry talent]).

Once we recognize the problems of "attack before defense" and "rules need to flow", the demand for talent changes.

2. The routine

As a great tactical guide, Sun Tzu's The Art of War tells us that "foreknowledge cannot be obtained from ghosts and spirits, nor by analogy with past events, nor by calculation; it must be obtained from people."

Although we have always emphasized "human confrontation", the positioning of the attack-defense relationship brought by threat intelligence has begun to move security closer and closer to human confrontation. The reasons are inseparable from (and mutually corroborated by) the three points above.

Human confrontation cannot be separated from "understanding the enemy and analyzing ourselves"; Sun Tzu also said that if you know yourself and know the enemy, you will win every battle. So the routine starts with knowing oneself and knowing the other.

From the two dimensions of knowing oneself and knowing the other, many technical points that can be used for observation can be derived and simply listed:

If you look carefully at the technical points in the third layer, you will soon notice a problem: knowing oneself and knowing the other actually interact.

For example, the distribution (channel) side of knowing the other may be related to the characteristics of the target, though only weakly, while the means side of knowing the other must be strongly related to the business (or assets, or exposure) of knowing oneself.

The judgment of these correlations mainly comes from two sources: imagination (historical experience) and continuous accumulation (ongoing lessons).

For example, historical experience tells me that in the past year many exploits for operating systems or applications have been published on several exploit databases or on GitHub, and a recent lesson tells me that if you are willing to hand out some red packets in certain groups, you can also get some first-hand information about specific scenarios.

3. Put the routine together

By using imagination and accumulation, the mind map above can be continuously split, refined and cross-related.

(scribbled; see what it means)

Looking at it here, new questions arise: whom we know, what we use, how we hit what we have, and even what we achieve. But that is all the picture can show.

So I found that I had chosen the wrong tool. Next, I'll draw it line by line in Excel.

4. How to know oneself and the other

In short, it merely looks as if we know ourselves and the enemy; in fact, we have ignored the process of "knowing".

That is, it only shows the results and does not explain how "knowing" is achieved.

This is a very crude illustration, but it explains the problem. That is: if every link in the opponent's flow is recorded, and for each link (or at its end) we note which of our own assets it reaches and sort out the damage clearly (ordered by threat), then we can infer what means to use for monitoring. Yes, although it is a horizontal table, it contains a logic: the enemy's actions, what they map to on my side, and what to do about it.

And the difficulty in this process is not the monitoring itself; those monitoring methods are already quite mature. The difficulty lies in recognition, and recognition is not limited to recognizing features but, more importantly, recognizing the captured information: which information is valuable and which can be converted into intelligence. In fact, when a vulnerability appears, you can judge its value, whether it needs to be converted and how, just by quietly watching the arguments in your Moments feed for an hour or two. These things are not achieved by automated monitoring but by more detailed scenario requirements and a relatively rich imagination.

In the final table, it is not hard to notice that I wrote "enemy" in front and "me" behind, and the front part is a scenario constructed from the "enemy's" perspective, which in effect settles who the protagonist is.

Today, network-wide monitoring capability is so mature that if we can build such a flow for each kind of threat, we can work out every monitoring point that flow needs. The more finely a threat category is broken down, the more precisely the monitoring points can be matched and the more finely the final scenario can be broken down. In this way, the recognition and suppression ability of "me" is more in place.
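The "enemy's actions, what they map to on my side, how to watch for it" table from the two sections above, as an added worked example (not the author's spreadsheet): each threat is a flow of adversary steps, each step carries the impact it has on my side and the monitoring points that could observe it, and three small functions derive from that table what the text says it should give us: which monitoring points matter most, which steps a given deployment cannot see (worst first), and how early in a flow the adversary would first become visible. The threat names, steps, impact scores and monitor names are all constructed for illustration.

```python
"""
Added example (not from the original post): the enemy -> me -> monitoring
table as data, with the monitoring points each threat flow needs derived
from it. Threats, steps, impact scores and monitor names are constructed.
"""
from collections import defaultdict
from typing import Optional

# One row per adversary action, in the order the adversary would take them.
# "impact" is what that step costs me if it succeeds (higher is worse);
# "monitors" are the monitoring points that could observe that step.
FLOWS = {
    "leaked credential reuse": [
        {"step": "credential dump appears on paste site", "impact": 2,
         "monitors": ["paste-site crawler"]},
        {"step": "login attempts with dumped credentials", "impact": 6,
         "monitors": ["auth log: failed/success ratio", "impossible-travel check"]},
        {"step": "mailbox access from new device", "impact": 8,
         "monitors": ["mail audit log"]},
    ],
    "public exploit for internet-facing app": [
        {"step": "PoC published", "impact": 2,
         "monitors": ["github/exploit-feed crawler"]},
        {"step": "mass scanning for the vulnerable path", "impact": 4,
         "monitors": ["honeypot", "WAF path hits"]},
        {"step": "exploitation attempt against our instance", "impact": 9,
         "monitors": ["WAF path hits", "app error log"]},
    ],
}


def monitor_value(flows: dict) -> list:
    """Rank monitoring points by the total impact of the adversary steps they can observe."""
    totals = defaultdict(int)
    for steps in flows.values():
        for s in steps:
            for m in s["monitors"]:
                totals[m] += s["impact"]
    # Highest total first; name as tie-breaker so the order is deterministic.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def coverage_gaps(flows: dict, deployed: set) -> dict:
    """Per threat: the steps no deployed monitor can see, worst impact first."""
    gaps = {}
    for threat, steps in flows.items():
        unseen = [s for s in steps if not (set(s["monitors"]) & deployed)]
        gaps[threat] = [s["step"] for s in sorted(unseen, key=lambda s: -s["impact"])]
    return gaps


def first_observable_step(flows: dict, threat: str, deployed: set) -> Optional[int]:
    """Index of the earliest step in the flow that a deployed monitor sees, or None if blind."""
    for i, s in enumerate(flows[threat]):
        if set(s["monitors"]) & deployed:
            return i
    return None


if __name__ == "__main__":
    deployed = {"honeypot", "mail audit log"}  # constructed current deployment
    print("monitor value:", monitor_value(FLOWS))
    print("gaps:", coverage_gaps(FLOWS, deployed))
    for t in FLOWS:
        print(t, "first seen at step", first_observable_step(FLOWS, t, deployed))
```

Reading the output the way the text reads the table: `monitor_value` answers "which monitoring point to build next" (the WAF path log covers the most impact in this toy table), `coverage_gaps` is the sorted-by-threat damage column restricted to what we cannot yet see, and `first_observable_step` is the time-window point from section 1 made concrete: a deployment that only sees the last step of a flow has no window left to act in.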

5. Closing

After all that talk, it turns out to be just a table.

But look at it: with today's unimaginably rich monitoring means, when we get the results from these crawlers, bots, honeypots and other monitoring tools, a question arises: how do we use this data?

In fact, the essence is not that you don't know how to use the data, but that you never figured out at the start why you were collecting it.
