Cyber Threat Intelligence (CTI) in a Nutshell — 2

A. Threat Modelling

Threat modeling is a procedure by which potential threats, such as structural vulnerabilities, can be identified, enumerated, and prioritized, all from a hypothetical attacker’s perspective. The purpose of threat modeling is to give defenders a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets at stake.

Threat modeling is an iterative procedure that begins in the early phases of design and continues throughout the application lifecycle. There are two reasons for this. Applications are usually dynamic and need to be enhanced and adapted, so as the application evolves the threat modeling process should be repeated. The other reason is that it is almost impossible to describe all cyber threats in a one-time process. Figure 4 shows threat modeling as a six-stage process.

Even though many threat modeling methodologies are available for implementation, only the most well-known ones are mentioned in this article.

STRIDE: The STRIDE approach to threat modeling was introduced at Microsoft in 1999. The STRIDE acronym is formed from the first letter of each of the following six categories:

● spoofing identity

● tampering with data

● repudiation

● information disclosure

● denial of service

● elevation of privilege

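
To make the STRIDE list concrete, here is an added Python example (not code from the original article) that applies STRIDE per element to a small data-flow diagram. The element-type-to-category mapping follows the STRIDE-per-element chart from Shostack's work as I recall it and is an assumption; the DFD, its element names and the trust-boundary flag are constructed. It also shows the iterative point made above: re-running the model after the design changes yields only the newly introduced threats.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added example, not code from the original article. The element-to-category
mapping follows the STRIDE-per-element chart (Shostack) as I recall it and is
an assumption; the DFD below is a constructed sample.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# The six STRIDE categories, keyed by their initial letter.
STRIDE = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element chart: the categories that apply to each DFD element type.
# Assumption: external entities get S and R, processes get all six, data flows
# get T, I and D, and data stores get T, R (when they hold logs), I and D.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # one of the APPLICABLE keys
    crosses_trust_boundary: bool = False


def enumerate_threats(elements: List[Element]) -> Dict[str, List[str]]:
    """Map each element name to the STRIDE threats that apply to it."""
    threats: Dict[str, List[str]] = {}
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element kind: {e.kind!r}")
        threats[e.name] = [f"{STRIDE[c]} against {e.kind} {e.name!r}"
                           for c in APPLICABLE[e.kind]]
    return threats


def prioritize(elements: List[Element]) -> List[str]:
    """Order elements for review: trust-boundary crossings first, then by how
    many STRIDE categories apply. A review-ordering heuristic, not a risk score."""
    ranked = sorted(elements,
                    key=lambda e: (not e.crosses_trust_boundary,
                                   -len(APPLICABLE[e.kind])))
    return [e.name for e in ranked]


def new_threats(previous: List[Element], current: List[Element]) -> Set[str]:
    """Threat modeling is iterative: given the DFD from the last iteration and
    the current one, return only the threats that did not exist before."""
    old = {t for ts in enumerate_threats(previous).values() for t in ts}
    new = {t for ts in enumerate_threats(current).values() for t in ts}
    return new - old


# Constructed sample DFD: a browser talking to a web app backed by a session store.
SAMPLE_DFD = [
    Element("browser user", "external_entity"),
    Element("web app", "process"),
    Element("HTTPS request", "data_flow", crosses_trust_boundary=True),
    Element("session DB", "data_store"),
]

if __name__ == "__main__":
    for name, items in enumerate_threats(SAMPLE_DFD).items():
        print(f"{name}: {len(items)} threats")
    print("review order:", prioritize(SAMPLE_DFD))
    # Next iteration adds a payment service; only its threats are new.
    evolved = SAMPLE_DFD + [Element("payment API", "process")]
    print("new this iteration:", len(new_threats(SAMPLE_DFD, evolved)))
```

The per-element chart is only the starting point of a STRIDE session; each generated line is a prompt for the team to decide whether the threat is real for that component and which mitigation applies.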
PASTA: The Process for Attack Simulation and Threat Analysis (PASTA) is a threat modeling methodology with 7 stages that build up to the impact of a threat.

TRIKE: Trike is an open-source threat modeling methodology that was developed for enhancing the efficiency and effectiveness of existing threat modeling methodologies.

VAST: VAST stands for Visual, Agile, and Simple Threat modeling. It is a threat modeling methodology that overcomes many of the deficiencies, especially adaptability, inherent in earlier methodologies.

AS/NZS 4360:2004, CVSS, and OCTAVE are some other alternative threat models.

B. Intrusion Analysis

When an intrusion happens, it is essential that a thorough and efficient analysis of the attack is conducted to determine the nature of the threat and the extent of data lost, stolen, or damaged during the attack. The first step of the analysis is to take the event records generated by the sources, which could be network packet traces, OS audit trails, and event logs. Intrusion analysis can be performed with different techniques; these approaches are either anomaly-based or signature-based.

Misuse detection effectively counters known attacks, including potential insider threats to vulnerable data. In this method, all behavior is treated as normal except the behavior explicitly described as abnormal. The approach uses a pattern matcher that compares attack signatures with observed data and produces a warning when there is a match.

Anomaly detection is the identification of items, events, or observations that do not conform to the normal patterns or to other items in a dataset. Anomaly detection techniques can be divided into 3 categories: unsupervised, supervised, and semi-supervised anomaly detection.
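
As an added example (not from the original article), the following Python code runs both approaches over constructed sshd-style log lines: two signatures for misuse detection, and a semi-supervised anomaly detector that learns a per-minute failure-rate baseline from a window of attack-free logs. The log lines, signatures, addresses and baseline window are all constructed samples.

```python
"""Misuse (signature-based) and anomaly-based detection over constructed
sshd-style auth log lines. Added example, not from the article; the log lines,
signatures and the baseline window are constructed samples."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Syslog-style prefix: "Jan 10 10:01:12 host ..." -> minute key "Jan 10 10:01".
TIMESTAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d):\d\d ")
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")

# Misuse detection: each signature describes one known-bad pattern; everything
# that matches no signature is treated as normal.
SIGNATURES = {
    "ssh_root_login_failure": re.compile(r"Failed password for root from (\S+)"),
    "ssh_invalid_user": re.compile(r"Invalid user \S+ from (\S+)"),
}


def misuse_detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (signature name, source address) for every line matching a signature."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                hits.append((name, m.group(1)))
    return hits


def failures_per_minute(lines: List[str]) -> Counter:
    """Count password failures per minute: the feature the anomaly detector uses."""
    counts: Counter = Counter()
    for line in lines:
        ts = TIMESTAMP.match(line)
        if ts and FAILED.search(line):
            counts[ts.group(1)] += 1
    return counts


def build_baseline(normal_lines: List[str]) -> int:
    """Semi-supervised anomaly detection: learn the worst failure rate seen in
    a window of logs known to be attack-free."""
    return max(failures_per_minute(normal_lines).values(), default=0)


def anomaly_detect(lines: List[str], baseline_max: int) -> List[Tuple[str, int]]:
    """Flag minutes whose failure count exceeds anything seen in the baseline."""
    return sorted((minute, n) for minute, n in failures_per_minute(lines).items()
                  if n > baseline_max)


# Constructed attack-free window used to learn the baseline.
BASELINE_LOGS = [
    "Jan 10 09:00:05 host sshd[1001]: Failed password for bob from 192.0.2.10 port 4001 ssh2",
    "Jan 10 09:00:40 host sshd[1002]: Failed password for bob from 192.0.2.10 port 4002 ssh2",
    "Jan 10 09:00:55 host sshd[1003]: Accepted password for bob from 192.0.2.10 port 4003 ssh2",
    "Jan 10 09:05:12 host sshd[1004]: Failed password for carol from 192.0.2.11 port 4004 ssh2",
]

# Constructed window under analysis: one root failure, one invalid user, and a
# burst of failures for a valid user that no signature describes.
EVENT_LOGS = [
    "Jan 10 10:01:12 host sshd[1234]: Failed password for root from 203.0.113.5 port 5000 ssh2",
    "Jan 10 10:01:30 host sshd[1235]: Accepted password for alice from 192.0.2.20 port 5001 ssh2",
    "Jan 10 10:02:01 host sshd[1236]: Invalid user admin from 203.0.113.9 port 5002",
] + [
    f"Jan 10 10:07:{s:02d} host sshd[{1300 + s}]: Failed password for alice from 198.51.100.7 port {6000 + s} ssh2"
    for s in range(1, 7)
]


def analyze(lines: List[str], normal_lines: List[str]) -> Dict[str, list]:
    """Run both approaches: signatures catch the known patterns, the anomaly
    detector catches the burst that none of the signatures describe."""
    return {
        "misuse": misuse_detect(lines),
        "anomaly": anomaly_detect(lines, build_baseline(normal_lines)),
    }


if __name__ == "__main__":
    for kind, alerts in analyze(EVENT_LOGS, BASELINE_LOGS).items():
        print(kind, alerts)
```

The two detectors are complementary: the signatures name exactly what they found but miss the burst of failures for a valid account, while the anomaly detector flags that burst without saying what it is, which is why an analyst still has to examine the flagged minute.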

CTI Tools and Standards

A. Traffic Light Protocol (TLP)

TLP is an information-sharing model created by the UK Government’s National Infrastructure Security Coordination Centre (NISCC, now the Centre for the Protection of National Infrastructure, CPNI) in the early 2000s for labeling and handling shared sensitive information. TLP has 4 categories named after traffic-light colors, red, amber, green and white, each with a different meaning:

RED (TLP:RED): Not for disclosure; restricted to the representatives present at the meeting only. Sources may use TLP:RED when the information cannot be effectively acted upon by additional parties and could lead to impacts on a party’s privacy, reputation, or operations if misused.

AMBER (TLP:AMBER): Limited disclosure; restricted to the members of the community who need to know in order to take action. Sources may use TLP:AMBER when the information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.

GREEN (TLP:GREEN): Community-wide. Information in this category can be circulated widely within a particular community and the organizations that take part in it. However, the information may not be published or posted publicly on the Internet, nor released outside of the community of participating organizations. Sources may use TLP:GREEN when the information is useful for the awareness of all participating organizations as well as peers within the broader community or sector.

WHITE (TLP:WHITE): Unlimited; public information. Subject to standard copyright rules, WHITE information may be distributed freely, without restriction. Sources may use TLP:WHITE when the information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.

B. Managed Incident Lightweight Exchange (MILE)

The Managed Incident Lightweight Exchange (MILE) Working Group develops standards for exchanging incident data. The group has described a set of standards including the Incident Object Description and Exchange Format (IODEF), IODEF for Structured Cyber Security Information (IODEF-SCI), and Real-time Inter-network Defense (RID).

1) Incident Object Description and Exchange Format (IODEF): IODEF defines an information model for representing computer and network security incidents. To do this, IODEF has over 30 classes and subclasses, including Contact, Monetary Impact, Time, Operating System, and Application.
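
The following added Python example (not code from the article or from the MILE working group) parses a minimal IODEF v1 document with the standard library and rejects incidents that lack the classes I treat as mandatory. The document is a constructed sample in the RFC 5070 namespace using documentation address ranges; the set of mandatory classes (IncidentID, ReportTime, Assessment, Contact) is what I recall from the IODEF v1 schema and is an assumption.

```python
"""Parse a minimal IODEF v1 (RFC 5070) incident report with the standard library.

Added example, not code from the article or the MILE working group. The
document below is a constructed sample; the set of classes treated as
mandatory (IncidentID, ReportTime, Assessment, Contact) is what I recall from
the IODEF v1 schema and is an assumption."""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}
REQUIRED = ["IncidentID", "ReportTime", "Assessment", "Contact"]

# Constructed sample: a DoS report with one source and one target.
SAMPLE_IODEF = """<IODEF-Document version="1.00" lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">908711</IncidentID>
    <ReportTime>2020-01-10T12:00:00+00:00</ReportTime>
    <Assessment>
      <Impact type="dos" completion="succeeded"/>
    </Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
      <Email>csirt@example.com</Email>
    </Contact>
    <EventData>
      <Flow>
        <System category="source">
          <Node><Address category="ipv4-addr">203.0.113.5</Address></Node>
        </System>
        <System category="target">
          <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
          <Service ip_protocol="6"><Port>80</Port></Service>
        </System>
      </Flow>
    </EventData>
  </Incident>
</IODEF-Document>
"""


def _addresses(incident: ET.Element, category: str) -> List[str]:
    """All Node/Address values of Systems with the given category (source/target)."""
    path = (f"iodef:EventData/iodef:Flow/iodef:System[@category='{category}']"
            "/iodef:Node/iodef:Address")
    return [a.text.strip() for a in incident.findall(path, NS) if a.text]


def summarize_iodef(xml_text: str) -> List[Dict[str, object]]:
    """Return one summary dict per Incident, rejecting incidents that lack a
    mandatory class so a malformed report is not silently half-processed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['iodef']}}}IODEF-Document":
        raise ValueError(f"not an IODEF document: {root.tag}")
    summaries = []
    for inc in root.findall("iodef:Incident", NS):
        missing = [c for c in REQUIRED if inc.find(f"iodef:{c}", NS) is None]
        if missing:
            raise ValueError(f"incident is missing mandatory classes: {missing}")
        iid = inc.find("iodef:IncidentID", NS)
        impact = inc.find("iodef:Assessment/iodef:Impact", NS)
        creator = inc.find("iodef:Contact[@role='creator']/iodef:ContactName", NS)
        summaries.append({
            "incident_id": iid.text.strip(),
            "id_authority": iid.get("name"),       # the CSIRT that assigned the id
            "purpose": inc.get("purpose"),
            "report_time": inc.findtext("iodef:ReportTime", default="", namespaces=NS).strip(),
            "impact": impact.get("type") if impact is not None else None,
            "creator": creator.text.strip() if creator is not None and creator.text else None,
            "sources": _addresses(inc, "source"),
            "targets": _addresses(inc, "target"),
        })
    return summaries


if __name__ == "__main__":
    for summary in summarize_iodef(SAMPLE_IODEF):
        print(summary)
```

Rejecting an incident that lacks its mandatory classes up front matters in an exchange pipeline: an incident with no Contact cannot be followed up, and one with no Assessment cannot be triaged, so it is better to fail loudly than to store a partial record.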

2) IODEF for Structured Cybersecurity Information (IODEF-SCI): IODEF-SCI is an extended version of IODEF. The following standards are proposed for incorporation into IODEF-SCI: Common Attack Pattern Enumeration and Classification (CAPEC), Common Event Expression (CEE), Common Platform Enumeration (CPE), Common Vulnerabilities and Exposures (CVE), Common Vulnerability Reporting Format (CVRF), Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE), Common Weakness Scoring System (CWSS), Open Checklist Interactive Language (OCIL), Open Vulnerability and Assessment Language (OVAL), Extensible Configuration Checklist Description Format (XCCDF), Distributed Audit Service (XDAS), and ISO/IEC 19770.

3) Real-time Inter-network Defense (RID): RID defines a protocol to facilitate the sharing of computer and network security incidents and is a standard for communicating cyber threat intelligence. RID uses five message types: Request, Acknowledgement, Result, Report, and Query. The Policy class in RID allows different sharing policies to be expressed.

C. Open Indicators of Compromise (OpenIOC) Framework

OpenIOC provides a standard format and vocabulary for describing the artifacts encountered during an investigation. It was introduced by Mandiant in 2011. OpenIOC contains definitions for specific technical details, including over 500 indicator terms, and it is easy to add new items. A specific malware sample or family can be described using Boolean logic over these terms.
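
To show that Boolean logic in practice, here is an added Python example (not Mandiant's code or the OpenIOC reference tooling) that evaluates an OpenIOC 1.0 definition against observed file artifacts. The IOC document, its ids and the hash are constructed placeholders, and the case-insensitive semantics used for the "is" and "contains" conditions are an assumption.

```python
"""Evaluate an OpenIOC 1.0 indicator definition against observed artifacts.

Added example, not Mandiant's code or the OpenIOC reference tooling. The IOC
document is a constructed sample (ids and hash are placeholders), and the
comparison semantics implemented for "is" and "contains" (case-insensitive
string comparison) are an assumption."""
import xml.etree.ElementTree as ET
from typing import Dict

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample IOC: match a placeholder hash, OR a file named like
# svchost that lives in a user-writable directory.
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-0000-0000-000000000001" last-modified="2020-01-10T00:00:00">
  <short_description>Constructed example: masquerading svchost</short_description>
  <definition>
    <Indicator operator="OR" id="00000000-0000-0000-0000-000000000002">
      <IndicatorItem id="00000000-0000-0000-0000-000000000003" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="00000000-0000-0000-0000-000000000004">
        <IndicatorItem id="00000000-0000-0000-0000-000000000005" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchost</Content>
        </IndicatorItem>
        <IndicatorItem id="00000000-0000-0000-0000-000000000006" condition="contains">
          <Context document="FileItem" search="FileItem/FilePath" type="mir"/>
          <Content type="string">C:\Users\Public</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def _item_matches(item: ET.Element, artifact: Dict[str, str]) -> bool:
    """Compare one IndicatorItem with the artifact field its Context points at."""
    context = item.find("ioc:Context", NS)
    content = item.find("ioc:Content", NS)
    if context is None or content is None or content.text is None:
        raise ValueError("IndicatorItem without Context/Content")
    observed = artifact.get(context.get("search", ""))
    if observed is None:
        return False                  # field was not collected: cannot match
    expected, observed = content.text.strip().lower(), observed.lower()
    condition = item.get("condition", "is")
    if condition == "is":
        return observed == expected
    if condition == "contains":
        return expected in observed
    raise ValueError(f"unsupported condition: {condition}")


def _indicator_matches(indicator: ET.Element, artifact: Dict[str, str]) -> bool:
    """Combine child results with the Indicator's Boolean operator (AND/OR)."""
    results = []
    for child in indicator:
        if child.tag == f"{{{NS['ioc']}}}IndicatorItem":
            results.append(_item_matches(child, artifact))
        elif child.tag == f"{{{NS['ioc']}}}Indicator":
            results.append(_indicator_matches(child, artifact))
    op = indicator.get("operator", "AND").upper()
    if op == "AND":
        return bool(results) and all(results)
    if op == "OR":
        return any(results)
    raise ValueError(f"unsupported operator: {op}")


def ioc_matches(ioc_xml: str, artifact: Dict[str, str]) -> bool:
    """True when the artifact satisfies the IOC's top-level Indicator."""
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    if top is None:
        raise ValueError("IOC has no definition/Indicator")
    return _indicator_matches(top, artifact)


# Constructed artifacts, keyed by OpenIOC search term.
KNOWN_HASH = {"FileItem/FileName": "update.exe", "FileItem/FilePath": r"C:\Temp",
              "FileItem/Md5sum": "0123456789ABCDEF0123456789ABCDEF"}
MASQUERADE = {"FileItem/FileName": "svchost.exe",
              "FileItem/FilePath": r"C:\Users\Public\svchost.exe"}
LEGIT = {"FileItem/FileName": "svchost.exe",
         "FileItem/FilePath": r"C:\Windows\System32\svchost.exe"}

if __name__ == "__main__":
    for label, art in [("known hash", KNOWN_HASH), ("masquerade", MASQUERADE), ("legit", LEGIT)]:
        print(label, ioc_matches(SAMPLE_IOC, art))
```

A field that the collector did not gather evaluates to no match rather than raising, so a partially collected host does not produce false positives; an unknown condition or operator does raise, because silently treating it as false would hide a malformed IOC.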

D. Vocabulary for Event Recording and Incident Sharing (VERIS)

VERIS is a framework for defining and sharing incidents, proposed by Verizon in 2010. Its purpose is to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is used to collect, classify, analyze, compare, and share information security incident data. The VERIS schema has five sections: Incident tracking, Victim demographics, Incident description, Discovery & response, and Impact assessment. Each section contains multiple elements, each with a specific data type and variable name.

E. Open Threat Exchange (OTX)

OTX was created by AlienVault in 2012 for sharing threat data and is open to the global community. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data. To collect cyber threat intelligence, OTX uses a centralized system. OTX Threat.

F. Collective Intelligence Framework (CIF)

CIF, a client/server system for sharing threat intelligence data, was introduced by the Research and Education Network Information Sharing and Analysis Center (REN-ISAC) in 2009. It uses the shared information for identification (incident response), detection (IDS), and mitigation (null routing). CIF data contains information on the type of threat, the severity of an attack, and the confidence of the data. It also offers data labeling and access control features.

G. MITRE Standards

MITRE has developed some standards for different needs of cyber threat intelligence management systems.

1) Cyber Observable eXpression (CybOX): CybOX is a standardized schema for the specification, capture, characterization, and communication of events or stateful properties that are observable in system and network operations. It provides over 70 defined objects that can be used to describe measurable events or stateful properties. CybOX supports a wide range of relevant cybersecurity domains, including threat assessment and characterization (detailed attack patterns), malware characterization, operational event management, logging, cyber situational awareness, incident response, indicator sharing, and digital forensics.

2) Structured Threat Information eXpression (STIX): STIX, first presented in 2012, is another standard for defining threat information, including threat details together with the context of the threat. Its use cases include Analyzing Cyber Threats, Specifying Indicator Patterns for Cyber Threats, Managing Cyber Threat Prevention and Response Activities, and Sharing Cyber Threat Information. STIX provides a unifying architecture (shown in Figure 5) tying together a diverse set of cyber threat information, including:

● Cyber Observables (e.g., a registry key is created, network traffic occurs to specific IP addresses, email from a specific address is observed, etc.).

● Indicators (potential observables with attached meaning and context).

● Incidents (instances of specific adversary actions).

● Adversary Tactics, Techniques, and Procedures (including attack patterns, malware, exploits, kill chains, tools, infrastructure, victim targeting, etc.).

● Exploit Targets (e.g., vulnerabilities, weaknesses, or configurations).

● Courses of Action (e.g., incident response or vulnerability/ weakness remedies).

● Cyber Attack Campaigns (sets of Incidents and/or TTP with a shared intent).

● Cyber Threat Actors (identification and/or characterization of the adversary).

Figure 5 — STIX Architecture

3) Trusted Automated eXchange of Indicator Information (TAXII): TAXII is a set of services and message exchanges for exchanging cyber threat information. It utilizes a standardized cyber threat information representation and defines a supporting exchange framework. TAXII supports multiple sharing models, such as hub and spoke, peer to peer, and source/subscriber. Four core services support these models: discovery, feed management, inbox, and poll. TAXII uses XML and HTTP to transport messages and their context. TAXII has also been adopted as part of the Microsoft Active Protections Program (MAPP).

Even though CybOX, STIX, and TAXII are the best-known standards from The MITRE Corporation, there are others, such as Common Attack Pattern Enumeration and Classification (CAPEC) and MAEC (Malware Attribute Enumeration and Classification).

Photo by Thomas Jensen on Unsplash

Open Source Intelligence (OSINT)

Open Source Intelligence, better known as OSINT, refers to the use of publicly available and open sources of information (as opposed to covert or secret sources) in connection with intelligence. OSINT is information that comes from public and open sources. A large amount of actionable and predictive intelligence is obtained from public and non-classified sources. This means that the information collected is available not only to the public but also to the entire intelligence community.

Open-source information is available to the public in the form of resources and websites that can be located via online search engines, which greatly facilitates its collection. Open source is considered more accessible than traditional methods of gathering information, as it does not require specific techniques, tools, or skills to access the information.

OSINT and Tactical Coordination

Data protection laws such as the GDPR have only strengthened the use of appropriate OSINT systems. All information collected during the search is available openly and without a search warrant or subpoena.

Although similar intelligence technologies have existed for hundreds of years, OSINT has gained momentum in recent years due to the rise of the Internet and the proliferation of open sources.

Gathering intelligence from publicly available information carries risks compared to the use of human sources on the ground, particularly in hostile countries, or the use of spy satellites. OSINT can be used in a wide range of situations, such as cyber attacks, cyber espionage, and cyber operations.

OSINT collection is generally cheaper than other intelligence sources. There are a number of open-source tools in use in the intelligence community; one of them is simply the search engine, Google, as most people call it. Conducting social engineering attacks on targets is also seen as a form of active information gathering.

One of the biggest problems security experts face is that users accidentally disclose sensitive assets and information on the Internet. This is why it is so important to use open source intelligence for security purposes, as it gives you the ability to find, fix, and remove sensitive information using the same tools and techniques that threat actors use to exploit it.

Whether you are looking for information about a terrorist attack, drug trafficking, or a criminal investigation, it is important to understand what open-source intelligence really is and how it works, including how it is collected and used, as well as the tools and techniques that can be used to capture and analyze it.

Collecting relevant information for cybersecurity investigations is a difficult task, especially when operating with limited information about adversaries. OSINT is non-sensitive intelligence used by analysts to answer classified, non-classified, and proprietary intelligence requirements in previous intelligence disciplines.

OSINT tools play an important role in the search for information; it is helpful for users not only to know the importance of using these tools but also to understand what is available on the market. Keeping an eye on open source information offers a compelling perspective for an analyst or researcher.

Some of the most used OSINT tools are listed below. Check them out!

● https://www.zoomeye.org/

● https://censys.io/

● https://mailshunt.com/

● http://www.skymem.info/

● https://mailtester.com/

● https://www.threatcrowd.org/

● https://findsubdomains.com/

● https://hackertarget.com

● https://spyonweb.com/

Cited Sources

● L. Kohnfelder, P. Garg, “Threats to Our Products”, Microsoft, 2016.

● A. Shostack, “STRIDE Chart”, Microsoft, 2007.

● T. UcedaVelez, M. Morana, “Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis”, Wiley, 2015.

● M. Eddington, B. Larcom, E. Saitta, “Trike v1 Methodology Document”, 2005.

● A. Agarwal et al., “VAST Methodology: Visual, Agile, and Simple Threat Modeling”, Prescott Valley, 2016.

● P. A. Diaz-Gomez, D. F. Hougen, “Misuse Detection: An Iterative Process vs. A Genetic Algorithm Approach”.

● J. Fichera, “Network Intrusion Analysis”, Elsevier, 2006.

● V. Chandola, A. Banerjee, V. Kumar, “Anomaly detection: A survey”, ACM Computing Surveys, 2009.

● E. Luiijf, A. Kernkamp, “Sharing Cyber Security Information”, GCCS, 2015.

● D. Stikvoort, “ISTLP — Information Sharing Traffic Light Protocol”, NISCC (UK), 2009.

● “Traffic Light Protocol (TLP) Definitions and Usage”, US-CERT. Retrieved from: https://www.us-cert.gov/tlp

● “Tools and Standards for Cyber Threat Intelligence Projects”, SANS Institute, 2013.

● “Managed Incident Lightweight Exchange (mile)”, IETF. Retrieved from: https://datatracker.ietf.org/wg/mile/about/

● W. Gibb, D. Kerr, “OpenIOC: Back to the Basics”, FireEye, 2013. Retrieved from: https://www.fireeye.com/blog/threat-research/2013/10/openioc-basics.html

● “The Vocabulary for Event Recording and Incident Sharing”. Retrieved from: http://veriscommunity.net/

● “AlienVault Open Threat Exchange”, AlienVault. Retrieved from: https://www.alienvault.com/open-threat-exchange

● “Collective Intelligence Framework”, CSIRT Gadgets. Retrieved from: http://csirtgadgets.org/

● “Information Sharing Specifications for Cybersecurity”, US-CERT. Retrieved from: https://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity

● “Cyber Observable eXpression — CybOX: A Structured Language for Cyber Observables”, The MITRE Corporation.

● “Structured Threat Information eXpression — STIX: A Structured Language for Cyber Threat Intelligence Information”, The MITRE Corporation.

● J. Connolly, M. Davidson, M. Richard, C. Skorupka, “The Trusted Automated eXchange of Indicator Information (TAXII™)”, The MITRE Corporation, 2012.

● “About STIX”. Retrieved from: http://stixproject.github.io/about/

Translated from: https://medium.com/swlh/cyber-threat-intelligence-cti-in-a-nutshell-2-9230e8e59f66
