Many of the threat-scoring systems one comes across are tied to a particular organization and may not match what you are looking for. Seth Bromberger, manager of information security at PG&E, has a more generic threat-scoring system that any organization can use.
The system divides threats into broad categories such as insiders, script kiddies, nation-states, terrorist groups and forces of nature, among others.
Each threat category is scored on a scale from 0 (no capability) to 5 (most capable threat).
Capability is judged on four dimensions: the attacker's institutional knowledge, technical proficiency, group size and funding, and level of access.
Read more at: http://searchsecurity.techtarget.com/magazineContent/Researcher-Puts-Quantitative-Measurement-on-Information-Security-Threats
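To make the four dimensions concrete, here is an added example (my code, not Bromberger's or PG&E's) that scores a few of the categories above on the 0 to 5 scale and ranks them. The post only names the dimensions and the scale; how they are combined into a single figure (a weighted mean here), the weights, and the sample ratings are this example's assumptions.

```python
from dataclasses import dataclass, fields
from typing import Dict, List, Optional, Tuple

SCALE_MIN, SCALE_MAX = 0, 5  # the post's 0 (no capability) .. 5 (most capable) scale

# Equal weights by default. Combining the four dimensions by weighted mean is
# this example's assumption; the post only names the dimensions and the scale.
EQUAL_WEIGHTS: Dict[str, float] = {
    "institutional_knowledge": 1.0,
    "technical_proficiency": 1.0,
    "size_and_funding": 1.0,
    "access": 1.0,
}


@dataclass(frozen=True)
class Capability:
    """One threat category rated on the four dimensions named in the post."""
    institutional_knowledge: int
    technical_proficiency: int
    size_and_funding: int
    access: int

    def __post_init__(self) -> None:
        # Reject anything outside 0..5 (or non-integer) up front, so a typo such
        # as 50 cannot silently dominate the ranking.
        for f in fields(self):
            value = getattr(self, f.name)
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{f.name}={value!r} must be an integer in {SCALE_MIN}..{SCALE_MAX}")

    def score(self, weights: Optional[Dict[str, float]] = None) -> float:
        """Weighted mean of the four dimensions, still on the 0..5 scale."""
        weights = weights or EQUAL_WEIGHTS
        total = sum(weights.values())
        return round(sum(getattr(self, k) * w for k, w in weights.items()) / total, 2)


def rank_threats(threats: Dict[str, Capability],
                 weights: Optional[Dict[str, float]] = None) -> List[Tuple[str, float]]:
    """Return (category, score) pairs, most capable first; ties broken by name."""
    scored = [(name, cap.score(weights)) for name, cap in threats.items()]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample ratings for three of the categories the post lists.
# The numbers are illustrative, not PG&E's.
SAMPLE_THREATS: Dict[str, Capability] = {
    "insider": Capability(institutional_knowledge=5, technical_proficiency=3, size_and_funding=1, access=5),
    "script kiddie": Capability(institutional_knowledge=0, technical_proficiency=2, size_and_funding=1, access=1),
    "nation-state": Capability(institutional_knowledge=3, technical_proficiency=5, size_and_funding=5, access=2),
}

# Weighting access three times as heavily, as an operator worried about
# insiders might: this reorders insiders above nation-states.
ACCESS_HEAVY_WEIGHTS: Dict[str, float] = {**EQUAL_WEIGHTS, "access": 3.0}

if __name__ == "__main__":
    for name, s in rank_threats(SAMPLE_THREATS):
        print(f"{name:>14}: {s}")
    for name, s in rank_threats(SAMPLE_THREATS, ACCESS_HEAVY_WEIGHTS):
        print(f"{name:>14}: {s}  (access-weighted)")
```

The point of the second ranking is that the aggregation rule is a decision in its own right: the same ratings put nation-states first under equal weights and insiders first once access is weighted heavily, so the weights should be agreed and written down alongside the ratings.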
Computer Security
Sunday, April 24, 2016
Sunday, April 17, 2016
Choosing the Right Data Sharing Architecture
Most organizations want to share data but have a hard time choosing the right sharing architecture. Here are four steps that help them decide on one:
1. Survey the Architecture Landscape: educate the customer about the possible architectures: centralized, distributed, or hybrid. Each offers different functionality, such as federated query or decision support.
2. Refine the Requirements: when requirements are vague, ask the customer to narrow them down. One way to do this is to build use cases and show, for each candidate architecture, what result the customer's requirements would produce; the use-case results help the customer understand what each architecture will give them.
3. Analyze the Dependencies: once the requirements and expected outcomes are derived, work out the dependencies between the systems involved. Analyzing the structure and components of each candidate gives the customer an understanding of its complexity, and increased complexity means an increased cost of choosing that architecture.
4. Recommend an Architecture: based on the customer's requirements and budget, list at least three candidate architectures and specify what each one offers.
By following these four steps an organization can choose the architecture that best suits its enterprise instead of investing in one that costs more and does not deliver the desired results.
Read more: https://gcn.com/articles/2012/07/17/4-steps-architecture-analysis.aspx
Sunday, April 10, 2016
Different types of NIDS
NIDS: a Network Intrusion Detection System is threat-detection software installed on a sensor or server at the gateway between your internal network and the Internet, where it inspects traffic against a set of rules. This rule-based detection is a crucial line of defense in telling legitimate traffic from malicious traffic. Here are some of the NIDS products on the market:
SNORT: the oldest of the three, with nearly 40,000 users. It runs on Windows and many Linux distributions. However, the Snort engine is single-threaded by default, so it does not take advantage of multi-core machines without special configuration.
SURICATA: a younger NIDS, developed by the Open Information Security Foundation (OISF) with initial government funding, that can consume Snort rule sets. It is known for its efficiency and works well with the Emerging Threats rule set. Because it is multi-threaded, it performs best on multi-core systems.
SAGAN: an open-source engine that runs on Unix-like systems (Linux, OpenBSD, FreeBSD). Strictly speaking it analyzes logs and events rather than packets, and it is written in C, which gives it high-performance log and event analysis. Sagan's structure and rule syntax are modeled on Snort's, so it can correlate its findings with events from Snort IDS/IPS systems and write them into Snort-compatible databases; it is therefore compatible with all Snort consoles. Sagan also offers automatic firewall blocking via SnortSam, GeoIP detection and alerting, and more.
Read more: https://github.com/Snorby/snorby/wiki/Snort-vs-Suricata-vs-Sagan
Sunday, April 3, 2016
YARA oh YARA!
YARA is a robust tool for finding and classifying suspicious files (and running processes) by pattern, and it supports Perl-style regular expressions.
A YARA rule has two main sections: strings and condition (an optional meta section can hold descriptive fields).
There are three different types of strings:
- Hexadecimal strings: the pattern is written as raw bytes in hex. Hex strings can also use the wildcard operator (?) for unknown nibbles or bytes, and jumps ([n-m]) where part of the pattern is unknown but its length, or a range of lengths, is known.
- Text strings: ASCII text strings that make up the matching criteria.
- Regular expressions: YARA uses its own regular expression engine with PCRE-like syntax.
Condition: a Boolean expression over the strings defined in the strings section (and other values, such as file size) that decides whether the rule matches.
YARA can be integrated with:
- PEiD signatures, to check which packer was used to build a malicious executable.
- PE (Portable Executable) files, for example to look for a certain string in an HTTP request or response.
- WMI-based tooling, which lets YARA scan more than one process at a time.
Read more: http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/
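The hex wildcard and jump syntax is easiest to understand by watching it get matched, so here is an added example (written for this page; it is not YARA's own engine or code from the linked article) that translates a YARA-style hex string into a byte regex, finds each string's offsets, and evaluates a condition over them the way a YARA condition refers to $names. The rule format, the demo rule, and the two byte samples are constructed for illustration; nibble wildcards such as 4? are deliberately left out.

```python
import re
from typing import Callable, Dict, List

# Rule representation used by this example (a YARA-like subset, not YARA syntax):
#   strings:   name -> (kind, value), kind in {"hex", "text", "regex"}
#   condition: a function from {name: [match offsets]} to bool
Strings = Dict[str, tuple]
Condition = Callable[[Dict[str, List[int]]], bool]


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate a YARA-style hex string such as '{ 4D 5A ?? ?? [2-6] 50 45 }'
    into a compiled bytes regex: fixed bytes match literally, '??' matches any
    one byte, and '[n-m]' is a jump of n to m arbitrary bytes."""
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    tokens = re.findall(r"\[\d+-\d+\]|\?\?|[0-9A-Fa-f]{2}", body)
    # Every non-space character must have been consumed by a token; otherwise
    # the pattern uses syntax this converter does not understand.
    if "".join(tokens) != re.sub(r"\s+", "", body):
        raise ValueError(f"unsupported hex pattern: {pattern!r}")
    parts: List[bytes] = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            low, high = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(low), int(high)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, strings: Strings, condition: Condition) -> dict:
    """Find every occurrence of each string, then evaluate the condition over
    the resulting match table."""
    offsets: Dict[str, List[int]] = {}
    for name, (kind, value) in strings.items():
        if kind == "hex":
            rx = hex_pattern_to_regex(value)
        elif kind == "text":
            rx = re.compile(re.escape(value.encode()))
        elif kind == "regex":
            rx = re.compile(value, re.DOTALL)
        else:
            raise ValueError(f"unknown string kind {kind!r}")
        offsets[name] = [m.start() for m in rx.finditer(data)]
    return {"match": bool(condition(offsets)), "offsets": offsets}


# Demo rule: MZ bytes followed within a short jump by "PE", plus either the
# DOS-stub text or a URL-looking string.
DEMO_STRINGS: Strings = {
    "$mz": ("hex", "{ 4D 5A ?? ?? [2-6] 50 45 }"),
    "$dos": ("text", "This program cannot be run in DOS mode"),
    "$url": ("regex", rb"https?://[a-z0-9.-]+/[a-z0-9]+"),
}


def demo_condition(m: Dict[str, List[int]]) -> bool:
    # Equivalent to the YARA condition:  $mz and ($dos or $url)
    return bool(m["$mz"] and (m["$dos"] or m["$url"]))


# Constructed samples (not real binaries): a fake PE-like blob, and a near miss
# whose gap between the MZ bytes and "PE" is longer than the [2-6] jump allows.
SAMPLE_PE = (b"MZ\x90\x00" + b"\x03\x00\x00\x00\x04\x00" + b"PE\x00\x00"
             + b"This program cannot be run in DOS mode.\r\n"
             + b"config: http://example.test/beacon\x00")
SAMPLE_NOT_PE = b"MZ\x90\x00" + b"\x00" * 12 + b"PE\x00\x00" + b"just data"

if __name__ == "__main__":
    for label, blob in (("SAMPLE_PE", SAMPLE_PE), ("SAMPLE_NOT_PE", SAMPLE_NOT_PE)):
        print(label, scan(blob, DEMO_STRINGS, demo_condition))
```

The second sample is the edge case worth noticing: the MZ bytes and "PE" are both present, but the jump bounds the distance between them, so the hex string does not match and the whole rule stays quiet. Loose jumps like [0-1000] are how rules drift into matching benign files.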
Sunday, March 27, 2016
What is FAIR?
FAIR (Factor Analysis of Information Risk) is a risk analysis methodology that builds a threat model from past experience, current trends and the value of current assets. It identifies risk using penetration tests and security exercises that are on a par with today's threats and delivers a well-grounded risk analysis.
Here are some other features of FAIR as described on the linked page:
- Intelligence Gathering: from human and non-human sources
- Business Process Mapping: identify the critical business processes to be covered by threat modeling and planning
- Asset Mapping: the value of each current asset and the cost to replace it
- Vulnerability and Exposure Analysis: compile the list of vulnerabilities from various vantage points and identify the countermeasures
- Threat Modeling: identify each threat and its likelihood of successfully attacking the asset
- Data Flow Protection Analysis: analysis of all communication (data, voice, image and physical) to find any incorrect data flow
- Risk Modeling: based on the loss magnitude (liability) and loss event frequency, assign a quantitative value to each risk
- What-If Modeling: analyze the organization's future landscape (for example a merger) to aid decision making
Read More: http://www.optimalrisk.com/Cyber-Security/FAIR-Methodology
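The risk-modeling step is where FAIR's quantitative value comes from: annualized loss is driven by Loss Event Frequency and Loss Magnitude, each estimated as a calibrated range rather than a point value. The simulation below is an added example of that step (my code, not the linked page's or the FAIR Institute's): it draws a frequency, draws that many loss events, sums a magnitude per event, and reports the distribution. Triangular sampling, Knuth's Poisson method, and the account-takeover scenario ranges are this example's assumptions.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean, median
from typing import Dict, List


@dataclass(frozen=True)
class Estimate:
    """A calibrated range (minimum, most likely, maximum) for one FAIR factor.
    Sampling from a triangular distribution is this example's choice; FAIR
    tooling commonly uses PERT-style distributions over the same three points."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


def poisson(lam: float, rng: random.Random) -> int:
    """Number of loss events in one year given the sampled annual rate
    (Knuth's method; adequate for the small per-scenario rates used here)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef: Estimate, lm: Estimate,
                         years: int = 10_000, seed: int = 1) -> Dict[str, float]:
    """Monte Carlo over `years` simulated years: each year draws a Loss Event
    Frequency, draws that many loss events, and sums one Loss Magnitude draw
    per event. Returns summary statistics of the annualized loss."""
    rng = random.Random(seed)
    losses: List[float] = []
    for _ in range(years):
        events = poisson(lef.sample(rng), rng)
        losses.append(sum(lm.sample(rng) for _ in range(events)))
    losses.sort()
    return {
        "mean": mean(losses),
        "median": median(losses),
        "p90": losses[int(0.9 * (years - 1))],
        "max": losses[-1],
    }


# Constructed scenario: phishing-driven account takeover at a mid-sized company.
# The ranges are illustrative inputs, not figures from the linked page.
ATO_LEF = Estimate(low=0.5, mode=2.0, high=6.0)          # loss events per year
ATO_LM = Estimate(low=5_000, mode=40_000, high=250_000)  # loss per event, currency units

if __name__ == "__main__":
    for k, v in simulate_annual_loss(ATO_LEF, ATO_LM).items():
        print(f"{k:>6}: {v:,.0f}")
```

Reporting the 90th percentile and maximum next to the mean is the practical payoff: a control that mostly trims the tail (for example, transaction limits that cap loss per event) can leave the mean almost unchanged while cutting p90 sharply, and that is the comparison a budget decision should rest on.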
Sunday, March 20, 2016
Becoming a Cyber Intelligence Analyst
What is the role of a Cyber Intelligence Analyst? What skills are needed? What should the analyst deliver?
An analyst has to dig through a lot of information and noise to extract intelligence. Once the intelligence is obtained they need to deliver a report. A commonly used format is Bottom Line Up Front (BLUF), which lets readers grasp what the report is about in roughly 10 seconds. The report should also contain the important details gathered from the intelligence sources and, lastly, the analyst's own assessment.
Skills Needed:
- Technical Writing: this skill is developed over time
- Analysis Skill: this skill is sharpened by understanding human psychology and being able to think like an attacker, asking questions such as: How will the attacker attack? What is the process? What is the goal? What are the tools?
Traits of a Good Analyst:
Being a technical expert in your field and able to tell good intel from bad.
Having knowledge of your customers and organization.
Being able to pull information from other resources such as blogs, books, and threat feeds.
An analyst can use any source of information, such as firewall logs, intrusion detection system logs, digital forensic analysis, reverse engineering of malware, open-source Internet searches, honeypots, and more.
Being able to process large amounts of data and think critically.
Source: http://www.tripwire.com/state-of-security/security-data-protection/developing-cyber-intelligence-analyst-skills/
Sunday, March 13, 2016
Recorded Future: Helping Organizations in the Cyber World
The web is complex and is divided into three layers:
- World Wide Web: Surface layer, public, easily accessible
- Deep Web: Not searchable, dynamic, private, ephemeral
- Dark Web: Custom protocols, legal issues
A company first needs to decide which situations warrant a threat intelligence review, so that immediate issues are not missed. Triggers to look at include:
- Direct risk (targeted or named; institutional vulnerabilities)
- Indirect risk (vendor, service, or technology dependencies)
- Actors, campaigns, tools, or tactics that targeted your company or sector
- Internal inquiry (leadership, corporate communications, or technical areas)
- Affecting multiple companies in your sector
- Affecting a large company or leader in your sector
- Affecting a direct peer (by market size, holdings, or geography)
- Mass campaign (widespread, significant volume, or high level of success)
- Has, or is expected to have, significant media attention (inquiries expected)
- New or significant actors, campaigns, tools, or tactics
With those triggers in place, the goals of the threat intelligence program are to:
- turn intelligence objectives into intelligent decisions
- apply Open Source Intelligence (OSINT) to prioritize threats
- save time and money by using threat intelligence capabilities
Read more:
https://www.recordedfuture.com/finance-threat-intelligence-goals/