Part 1 Sharing Operational Threat Intelligence


Time: 3 hours 1 minute
Difficulty: Advanced
CEU/CPE: 3
Video Transcription
00:04
Hello and welcome to Module 3 of the Advanced Cyber Threat Intelligence course. In this module, we're going to talk about how information
00:12
can be shared within your CTI program,
00:16
and as part of that discussion we'll be looking at
00:20
several different tools and some websites.
00:24
And this will give the analyst a little bit of a better overview
00:29
of some of the different ways and different methodologies that are
00:32
popular these days for doing cyber threat analysis. One of the big challenges for any kind of
00:40
delivery of this type of information is trying to make sure that you understand your audience.
00:46
There are producers of CTI, and there are consumers of CTI,
00:51
and as a producer, you want to make sure that what you're creating is in an acceptable format
00:57
and is consistent in its look and feel so that the people doing the consumption of the intelligence have an easier go of it.
01:06
It's
01:07
also critical to make sure that any kind of standard or templates that are already in use within the organization are utilized.
01:15
You don't want to have
01:18
reporting or other kinds of information sharing that is in a different format from what is expected. It's always a good idea to, you know, do that little bit of research ahead of time to make sure that you're going to be consistent with what's already been done previously. So as we'll see, we've got several tools coming up that will
01:38
give the analyst a little bit of a better overview.
01:41
what's out there in the marketplace. Also, we'll spend a little bit of time looking into what YARA rules are and what STIX does, as well as CybOX and TAXII.
01:52
These are all complementary technologies which can help by being able to be integrated into use with other tools.
02:00
And as we'll see there are, uh,
02:04
lots of different ways to use these various technologies to help the analyst with their goals, and lastly, we'll spend some time
02:12
touching on different reporting methods
02:15
and some different aspects of using this mechanism to get the right information in front of someone who's making a risk-based decision. So one of the big challenges these days is trying to decide whether or not the solution
02:29
for CTI should be hosted on premises
02:31
or using a cloud-based solution. There are certainly benefits to both.
02:38
For instance, the cloud-based solution is certainly more flexible
02:42
because the analyst and others who need
02:44
this information can get to it from anywhere there's an Internet connection. The vendor that provides the solution is obviously taking care of all of the infrastructure on their end,
02:53
and that relieves that burden from the organization. The downside, of course, might be some concerns about accessing the environment securely
03:02
and whether or not there are
03:06
vulnerabilities in your browser that might be exploited and so on. There are certainly some cyber security concerns that would
03:13
need to be addressed
03:15
in order for a typical high-security organization to feel comfortable with the cloud-based solution here. On the other hand,
03:22
hosting the
03:23
tools on premises
03:25
gives more complete control over all security aspects because you're
03:30
using it within your security perimeter. Overall, this is also another reason why you might have,
03:38
you know, higher performance and more usability. If everything is hosted locally, since you're not going over the Internet, there could be some small performance factors to consider there. Another advantage of on-premises hosting is that
03:51
the people who are maintaining the infrastructure
03:54
are
03:55
doing it in a holistic fashion. The assets that are being studied and analyzed by the CTI tools are right there in the same data center as the
04:06
as the tools themselves. The downside, of course, would be having to maintain the infrastructure, which adds
04:13
some expense to the organization's bottom line, since you have to deal with staffing,
04:16
support contracts, buying hardware and software, and so on. So there's a little bit of extra expense associated with on premises. But
04:26
the upside is that you get full control over it.
04:29
All right, So first, let's have a look at
04:31
CrowdStrike.
04:33
They have their Falcon platform that is pretty popular
04:39
and provides an
04:43
easy to use
04:45
tool that can be integrated into your environment.
04:48
Cloud-based solution, as we see here,
04:53
and it can be integrated with your SIEM device and so on.
04:58
They have an agent that goes on your systems,
05:01
and you get antivirus,
05:05
managed threat hunting, threat intelligence, and some other capabilities.
05:10
If you do request a demo from CrowdStrike, they will contact you, and you have to set that up with them.
05:15
You can also
05:21
see a demo that's hosted twice a week.
05:25
There's a self guided product tour,
05:29
so you can join the weekly demo
05:30
or look at the product tour
05:33
and just kind of scroll through all the interfaces and settings.
05:38
It tells you basically what the product does,
05:42
using machine learning to do some of its actions.
05:46
It can detect and block the malware and then, of course,
05:50
doing other things like blocking exploits and
05:55
trying to maintain containment,
06:00
search capabilities and reporting capabilities. You get the basic idea here,
06:04
so there's definitely some things to look into
06:09
for CrowdStrike. And if you get yourself a demo,
06:13
you know, you have 30 days or so to play with that
06:15
and find out if it's a good fit for your organization.
06:19
Then we have AlienVault.
06:21
They have their
06:25
USM Anywhere and USM Appliance.
06:29
USM Anywhere is intended
06:31
to be
06:35
their cloud-based solution,
06:39
and then the Appliance
06:42
is the locally hosted version of their tools.
06:46
So Unified Security Management, that's what USM stands for.
06:50
And you can also see an online demo, which is kind of interesting, so we'll have a look at that here in a moment.
07:00
But much like
07:02
CrowdStrike, they have some
07:04
reasonably interactive information on their website to show you what the interface looks like and show you some of the different capabilities that they have,
07:15
like integration with your SIEM device.
07:21
Let's go ahead and look at the demo.
07:24
When you register for the demo, you automatically get logged in,
07:28
and they also give you the credentials if you want to return to look at it a little bit later.
07:33
Now this is the USM Anywhere demo. You could also demo the
07:39
on-premises appliance,
07:42
and they're both pretty useful. They look kind of similar, and you get the typical kinds of dashboards and events that you'd expect to see.
07:50
Looking at my different data sources, my different assets,
07:55
different numbers of vulnerabilities that have been discovered.
07:59
I can drill down and look at some of these things in more detail
08:07
There is also a guided tour
08:09
available
08:11
that you can select if you want to dig in a little bit in a more directed way.
08:16
Otherwise,
08:18
using the online demos is a great way to see what
08:22
the product can do and what kinds of information it can
08:26
provide your organization.
08:28
I can look at all of my different events,
08:33
seeing what kind of activities are going on in my organization,
08:37
and we get some pretty typical type of listings here.
08:43
Clicking on an item gives me more detail about it, of course,
08:46
so this is really useful.
08:48
And since the demo is free, you can poke around to your heart's content.
08:56
Looking at my listing of assets
09:03
we can see there are ways to do some filtering
09:07
and searching
09:13
and several different
09:15
ways of generating reports. I believe the interface is restricted for the
09:20
demo because normally there'd be more reports here
09:26
available to the analyst.
09:28
Anyway, so that's a quick overview of CrowdStrike and AlienVault. I hope that that's at least piqued your interest a little bit into perhaps trying a demo of these products on your own and, uh, seeing what you can do with them.
Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.
