Leveraging third-party intelligence to protect your organization

Having a sound traditional security architecture is important, but it is just as important to bring in third-party threat intelligence to strengthen your organization's security.
Gone are the days when purely reactive incident handling could protect an organization. Being proactive is now essential.

Below are a few ways to start a threat intelligence function for your organization.
The aim is to verify your organization's exposure to critical, active threats as early as you become aware of them.

Requirements: third-party intelligence is needed to learn about the following threats

1) Spam campaigns distributing malware
2) Phishing campaigns
3) Active and critical threats
4) Zero-day threats

===============================================================
http://spamalysis.wordpress.com/ – Posts the spam threat emails seen each day.
Fulfils requirements (1) and (2)
Frequency: 0-4 posts / day
Strategy:
Subscribe the team's intake email address to this blog
Create a case for each blog post and follow the spam handling process

http://blog.dynamoo.com/ – Posts the spam threat emails seen each day.
Fulfils requirements (1) and (2)
Frequency: 1-4 posts / day
Strategy:
Subscribe the team's intake email address to this blog
Create a case for each blog post and follow the spam handling process

http://blog.fireeye.com/research/ – FireEye actively researches Internet threats; the blog carries summaries of that research.
Fulfils requirements (3) and (4)
Frequency: 1-4 posts / month
Strategy:
Subscribe the team's intake email address to this blog
Review every blog post received through the feed;
if any IOC can be obtained from the post, create a case and work it. Otherwise ignore it.

http://contagiodump.blogspot.com/ – Analysis of malware samples that are actively being distributed
Fulfils requirements (1) and (3)
Frequency: 2-6 posts / month
Strategy:
Subscribe the team's intake email address to this blog
Create a case for each malware analysis post, extract the IOCs from the analysis and use them to identify infected machines

http://isc.sans.org/ – SANS Internet Storm Center, written by its incident handlers (a must-read)
Fulfils requirements (3) and (4)
Frequency: 0-2 posts / day
Strategy:
Put this blog on one of your monitoring screens, or at least have a threat intelligence team member review it daily.
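The strategy for every blog above is the same: subscribe, read each post, pull out any indicators, and open a case only when there is something to act on. The script below is an added example written for this post, not code from any of the blogs listed. It parses a constructed RSS sample, refangs the usual hxxp / [.] notation, extracts URLs, domains, IPv4 addresses and hashes, and opens one case per post that yields an IOC while ignoring posts that do not. The feed content and the regexes are assumptions made for the example.

```python
"""Turn blog-feed posts into IOC case stubs.

Added example for this post; not code from any of the blogs listed above.
The feed below is constructed for illustration and the IOC patterns are a
starting point, not a complete set.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed RSS sample standing in for a subscribed blog (not a real post).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>example spam blog</title>
<item><title>Fake invoice spam run</title>
<link>http://blog.example/2013/fake-invoice</link>
<description>Mails carry invoice_2013.zip (md5 d41d8cd98f00b204e9800998ecf8427e)
which fetches hxxp://malware-host[.]example/dl/update.exe from 203[.]0[.]113[.]45.
Sender domain: billing-notice[.]example</description></item>
<item><title>Site maintenance</title>
<link>http://blog.example/2013/maintenance</link>
<description>No threat content, just housekeeping.</description></item>
</channel></rss>"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RES = {
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
}
# File names the domain regex would otherwise accept as domains.
FILE_EXTENSIONS = {"zip", "exe", "dll", "doc", "docx", "xls", "pdf", "scr", "js", "txt"}


@dataclass
class Case:
    title: str
    source: str
    iocs: dict


def refang(text: str) -> str:
    """Undo the defanging used in public write-ups (hxxp, [.], (.), {.})."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return re.sub(r"[\[\(\{]\.[\]\)\}]", ".", text)


def _add_host(iocs: dict, host: str) -> None:
    """File a hostname under ipv4 or domain depending on what it is."""
    try:
        ipaddress.ip_address(host)
        iocs["ipv4"].add(host)
    except ValueError:
        if host.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
            iocs["domain"].add(host.lower())


def extract_iocs(text: str) -> dict:
    """Return IOCs keyed by type (url, domain, ipv4, md5, sha1, sha256).

    Only non-empty types are returned, so an empty dict means 'nothing to
    act on' and the post can be ignored.
    """
    text = refang(text)
    iocs = {"url": set(), "domain": set(), "ipv4": set()}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")
        iocs["url"].add(url)
        host = urlparse(url).hostname
        if host:
            _add_host(iocs, host)
    # Strip URLs first so a path like /dl/update.exe is not read as a domain.
    rest = URL_RE.sub(" ", text)
    for ip in IPV4_RE.findall(rest):
        try:
            ipaddress.ip_address(ip)  # rejects octets above 255
        except ValueError:
            continue
        iocs["ipv4"].add(ip)
    for dom in DOMAIN_RE.findall(rest):
        _add_host(iocs, dom)
    for name, pattern in HASH_RES.items():
        found = {h.lower() for h in pattern.findall(rest)}
        if found:
            iocs[name] = found
    return {k: v for k, v in iocs.items() if v}


def feed_to_cases(feed_xml: str) -> list:
    """One case per feed item that yields at least one IOC; others are ignored."""
    cases = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title", default="")
        link = item.findtext("link", default="")
        body = item.findtext("description", default="")
        iocs = extract_iocs(f"{title}\n{body}")
        if iocs:
            cases.append(Case(title=title, source=link, iocs=iocs))
    return cases


if __name__ == "__main__":
    for case in feed_to_cases(SAMPLE_FEED):
        print(case.title, case.source)
        for kind, values in sorted(case.iocs.items()):
            print(f"  {kind}: {', '.join(sorted(values))}")
```

Whatever opens your cases (a ticketing API, a CSV drop, an email) takes the place of the final print loop; the point is that the decision "IOC present, create a case; otherwise ignore" is made by code before a human ever reads the post.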

http://www.shadowserver.org – Threat research intelligence (botnets and malware)
Third-party reports of compromised devices on your own network
Frequency:
Compromised Host Report – Daily
C&C Report – Weekly
More reports to review if required – http://www.shadowserver.org/wiki/pmwiki.php/Services/Reports
Strategy:
Get a subscription
More info: http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
To request a free subscription to The Shadowserver Foundation’s ASN/netblock reporting service, send an email from your organization’s email account to admin ** shadowserver.org
Please provide the following information:
• Full Name (and we need to have a real person, not just an organizational contact)
• Organization
• Networks of responsibility by ASN or CIDR (ASN is always better) – Do not list your ISP’s AS or networks; list only the networks you directly control
• Email address(es) of the report recipients
• Phone number of contact
• Contact information for verification – Examples of this would be alternative contact information, other responsible groups in your organization, network validation links, etc.
C&C Report
o Run it against GP weekly to identify infected hosts.
o Feed Informer (I believe this can be done)

Note: If we could get in touch with a member of the shadowserver.org research group and receive a feed of their communications, it would be highly helpful, as it would fulfil requirement (4), zero-day threats.
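The compromised-host report names the public IP Shadowserver saw talking to a sinkhole or C&C; behind NAT that is not the infected machine, so the weekly run against your own logs has to resolve it. The script below is an added example written for this post, not Shadowserver's tooling: it joins a constructed report sample with a constructed NAT translation log on public IP, translated port, C&C destination and a time window, and separates rows it cannot resolve so they get manual follow-up. The report column names, the NAT log layout and the UTC assumption are all assumptions made for the sample; check the field list of the real report before reusing them.

```python
"""Correlate a Shadowserver-style compromised-host report with NAT logs.

Added example for this post, not Shadowserver's own tooling. The report
columns and the NAT log format are assumptions made for the sample.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed report rows (column names assumed). Timestamps taken as UTC.
SAMPLE_REPORT = """timestamp,ip,port,asn,geo,infection,cc,cc_port
2013-05-14 03:12:44,198.51.100.7,51234,64500,US,zeus,192.0.2.10,8080
2013-05-14 09:47:02,198.51.100.7,49822,64500,US,zeroaccess,192.0.2.55,16464
2013-05-14 11:00:00,198.51.100.7,40000,64500,US,conficker,192.0.2.99,80
"""

# Constructed NAT translation log (format assumed), one session per line:
# time src_internal src_port nat_public nat_port dst dst_port
SAMPLE_NAT_LOG = """2013-05-14T03:12:41Z 10.20.30.44 51234 198.51.100.7 51234 192.0.2.10 8080
2013-05-14T03:12:50Z 10.20.30.71 40010 198.51.100.7 40010 93.184.216.34 443
2013-05-14T09:46:59Z 10.20.30.102 49822 198.51.100.7 49822 192.0.2.55 16464
2013-05-14T10:20:00Z 10.20.30.9 40000 198.51.100.7 40000 192.0.2.99 80
"""


def parse_report(text: str) -> list:
    """Read the CSV report and attach a timezone-aware datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(
            row["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def parse_nat_log(text: str) -> list:
    """Parse the whitespace-separated NAT session lines into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, pub, pport, dst, dport = line.split()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "sport": int(sport),
            "pub": pub, "pport": int(pport),
            "dst": dst, "dport": int(dport),
        })
    return entries


def find_infected_hosts(report_text: str, nat_text: str,
                        window: timedelta = timedelta(seconds=120)):
    """Resolve each report row to the internal host behind the NAT.

    A match needs the same public IP and translated port, the same C&C
    destination and port, and a NAT timestamp within `window` of the
    report time. Returns (matched, unmatched) as lists of
    (host_or_public_ip, infection, report_timestamp); unmatched rows are
    the ones the analyst has to chase by hand.
    """
    nat = parse_nat_log(nat_text)
    matched, unmatched = [], []
    for row in parse_report(report_text):
        hits = [e for e in nat
                if e["pub"] == row["ip"] and e["pport"] == int(row["port"])
                and e["dst"] == row["cc"] and e["dport"] == int(row["cc_port"])
                and abs(e["ts"] - row["ts"]) <= window]
        if hits:
            for e in hits:
                matched.append((e["src"], row["infection"], row["timestamp"]))
        else:
            unmatched.append((row["ip"], row["infection"], row["timestamp"]))
    return matched, unmatched


if __name__ == "__main__":
    found, missing = find_infected_hosts(SAMPLE_REPORT, SAMPLE_NAT_LOG)
    for host, infection, when in found:
        print(f"{when}  {host}  {infection}")
    for ip, infection, when in missing:
        print(f"{when}  UNRESOLVED {ip}  {infection}  (widen window / check other logs)")
```

If your NAT device does not log the translated port, drop that condition and lean on the destination and a tighter time window; a match on public IP alone will name every host behind the gateway. Report timestamps that sit outside your log retention, or sessions that went out through a different egress, end up in the unmatched list rather than silently disappearing.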

Be Aware and stay protected. 🙂

About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.
This entry was posted in Articles, security, Security Management, Uncategorized.
