WEBVTT

0:00:03.460000 --> 0:00:05.840000
 Hello everyone and welcome.

0:00:05.840000 --> 0:00:09.480000
 In this video we're going to be taking
 a look at threat intelligence feeds

0:00:09.480000 --> 0:00:17.100000
 and platforms, you know, part of the
 larger SOC tools or core SOC tools

0:00:17.100000 --> 0:00:19.240000
 that you typically find.

0:00:19.240000 --> 0:00:22.380000
 But, you know, I'm also going to cover
 or explain threat intelligence

0:00:22.380000 --> 0:00:26.080000
 feed because they're quite important
 in addition to platforms.

0:00:26.080000 --> 0:00:31.240000
 So, you know, sort of given you up
 to this point of giving you a brief

0:00:31.240000 --> 0:00:35.200000
 description of, you know, cyber threat
 intelligence or threat intelligence.

0:00:35.200000 --> 0:00:38.720000
 But let's go through it again just
 to contextualize everything.

0:00:38.720000 --> 0:00:44.020000
 So, threat intelligence are also known
 as cyber threat intelligence in

0:00:44.020000 --> 0:00:47.800000
 a SOC or in security operations.

0:00:47.800000 --> 0:00:51.280000
 You know, cyber threat intelligence
 is, you know, frequently, I would

0:00:51.280000 --> 0:00:57.560000
 say more also than it's for, you know,
 than the actual name of this particular

0:00:57.560000 --> 0:01:03.840000
 term or process is, you know, known through
 or in the form of its abbreviation,

0:01:03.840000 --> 0:01:09.720000
 which is CTI, involves the collection, analysis
 and dissemination of information

0:01:09.720000 --> 0:01:14.900000
 regarding potential or current threats
 targeting an organization.

0:01:14.900000 --> 0:01:19.300000
 This intelligence encompasses details
 about threat actors, their tactics,

0:01:19.300000 --> 0:01:24.500000
 techniques and procedures abbreviated
 as TTPs and indicators of compromise

0:01:24.500000 --> 0:01:31.540000
 abbreviated as IOCs, therefore, or consequently,
 enabling organizations

0:01:31.540000 --> 0:01:35.300000
 to proactively defend
 against cyber threats.

0:01:35.300000 --> 0:01:39.780000
 So, threat intelligence is essentially,
 you know, going on the offense.

0:01:39.780000 --> 0:01:45.140000
 It's a more proactive SOC service in that
 you're actively trying to identify

0:01:45.140000 --> 0:01:50.660000
 who your, who the potential threat
 actor is, who is most likely going

0:01:50.660000 --> 0:01:54.420000
 to, you know, be targeting your organization
 based on various factors,

0:01:54.420000 --> 0:01:59.920000
 like the, your geographical location
 or the geographical location of the

0:01:59.920000 --> 0:02:05.400000
 organization, the industry or sector
 that, you know, your company or the

0:02:05.400000 --> 0:02:08.240000
 company that you work
 for, operates in, etc.

0:02:08.240000 --> 0:02:12.340000
 So, what are some of the key components
 of threat intelligence?

0:02:12.340000 --> 0:02:15.620000
 Well, I've just mentioned a couple of
 them, but firstly, we have indicators

0:02:15.620000 --> 0:02:19.460000
 of compromise, arguably the most important,
 you know, for baseline threat

0:02:19.460000 --> 0:02:24.860000
 intelligence. So, what are indicators of,
 you know, what are these indicators

0:02:24.860000 --> 0:02:27.740000
 of compromise or IOCs, as they're known?

0:02:27.740000 --> 0:02:32.380000
 Well, these are artifacts such as malicious
 IP addresses, domain names,

0:02:32.380000 --> 0:02:36.540000
 file hashes or email headers that
 signal potential breaches.

0:02:36.540000 --> 0:02:40.120000
 Then we have TTPs, you know, tactics,
 techniques and procedures.

0:02:40.120000 --> 0:02:43.380000
 This is generally speaking
 referred to as trade craft.

0:02:43.380000 --> 0:02:47.880000
 These provide an insight into the methodology
 employed by threat actors

0:02:47.880000 --> 0:02:51.520000
 aiding in the anticipation and
 mitigation of future attacks.

0:02:51.520000 --> 0:02:55.180000
 So, TTPs essentially tell you if you're
 familiar with the, the MITRE ATT&CK

0:02:55.180000 --> 0:02:58.520000
 framework, don't worry if you aren't,
 we have a whole course on threat

0:02:58.520000 --> 0:03:02.780000
 intelligence and threat hunting, we will
 go over this, but they essentially

0:03:02.780000 --> 0:03:08.840000
 outline what a particular threat actor
 does, the actions that they take

0:03:08.840000 --> 0:03:13.080000
 in a particular phase of the attack
 and what type of procedures or what

0:03:13.080000 --> 0:03:18.280000
 tools and techniques they sort of
 employ to achieve their objective.

0:03:18.280000 --> 0:03:23.740000
 And understanding the particular TTPs
 of a threat actor that you've profiled

0:03:23.740000 --> 0:03:27.500000
 as, you know, being quite likely to
 target an organization like the one

0:03:27.500000 --> 0:03:31.100000
 you work for, knowing that information
 allows you, as the description

0:03:31.100000 --> 0:03:36.020000
 points out here, sort of aids you in
 anticipation and mitigation of future

0:03:36.020000 --> 0:03:39.580000
 attacks. So, if you know what to expect,
 you're able to implement those

0:03:39.580000 --> 0:03:44.720000
 mitigations and defenses beforehand in
 anticipation of a potential attack.

0:03:44.720000 --> 0:03:47.760000
 You then have threat actor profiles.

0:03:47.760000 --> 0:03:52.160000
 I should also point out that this is
 also done generally speaking without,

0:03:52.160000 --> 0:03:58.220000
 you know, being specific to the TTPs
 or the IOCs of a threat actor, you're

0:03:58.220000 --> 0:04:02.320000
 really just finding out threat intelligence
 is finding out the latest

0:04:02.320000 --> 0:04:06.960000
 information you can about, you know, the
 latest attacks, the latest techniques,

0:04:06.960000 --> 0:04:15.480000
 but then when you sort of specialize,
 you're now likely to target the

0:04:15.480000 --> 0:04:18.780000
 organization that you're working for
 based on the criteria that I outlined

0:04:18.780000 --> 0:04:23.480000
 earlier. Another component is the threat
 actor profiles or profiling,

0:04:23.480000 --> 0:04:28.020000
 which I just mentioned, but I wanted
 to sort of segue into that, you know,

0:04:28.020000 --> 0:04:32.660000
 gradually. This is information about
 adversaries, including their motives,

0:04:32.660000 --> 0:04:36.340000
 capabilities, and of course,
 historical activities.

0:04:36.340000 --> 0:04:40.200000
 So that brings us to the threat intelligence
 feeds and platforms.

0:04:40.200000 --> 0:04:46.140000
 So, the bottom line is that in order to
 effectively harness threat intelligence,

0:04:46.140000 --> 0:04:50.480000
 organizations utilize threat intelligence
 feeds and threat intelligence

0:04:50.480000 --> 0:04:55.720000
 platforms. Threat intelligence platforms
 are commonly referred to by the

0:04:55.720000 --> 0:05:00.600000
 abbreviated name, which is TIPs or a TIP.


0:05:00.600000 --> 0:05:05.060000
 But before we get into the threat intelligence
 platforms, let's take a

0:05:05.060000 --> 0:05:08.360000
 closer look at threat intelligence
 feeds and, you know, what they mean

0:05:08.360000 --> 0:05:10.960000
 and how they're typically
 used within a SOC.

0:05:10.960000 --> 0:05:15.280000
 So threat intelligence feeds are continuous
 streams of data providing

0:05:15.280000 --> 0:05:18.740000
 real-time information about
 emerging threats.

0:05:18.740000 --> 0:05:21.040000
 And they can be sourced
 from commercial vendors.

0:05:21.040000 --> 0:05:24.220000
 They typically are, you know, sourced
 from commercial vendors.

0:05:24.220000 --> 0:05:28.100000
 There's also some open source communities
 or industry-specific sharing

0:05:28.100000 --> 0:05:34.060000
 groups. So this is where, you know,
 from the perspective of a consumer,

0:05:34.060000 --> 0:05:39.080000
 one of these feeds, you know, you know,
 if it's commercial or open source,

0:05:39.080000 --> 0:05:42.440000
 you're pretty much tuned into this.

0:05:42.440000 --> 0:05:48.140000
 Let's just call it a group or a location
 where the latest info on emerging

0:05:48.140000 --> 0:05:54.460000
 threats is shared, you know, either
 in the form of Ahir, the IOCs, or

0:05:54.460000 --> 0:05:59.660000
 a particular threat actor or a new threat
 actor has been identified, so

0:05:59.660000 --> 0:06:00.560000
 on and so forth.

0:06:00.560000 --> 0:06:04.260000
 And the bottom line is that integrating
 these feeds into security systems

0:06:04.260000 --> 0:06:08.940000
 enhances an organization's ability
 to detect and respond to threats

0:06:08.940000 --> 0:06:13.840000
 promptly. That brings us to threat
 intelligence platforms or TIPs.

0:06:13.840000 --> 0:06:18.280000
 TIPs are specialized solutions designed
 to aggregate, analyze and manage

0:06:18.280000 --> 0:06:21.720000
 threat intelligence data
 from multiple sources.

0:06:21.720000 --> 0:06:23.480000
 That's sort of the key here.

0:06:23.480000 --> 0:06:28.280000
 And they enable organizations to contextualize
 threat information, automate

0:06:28.280000 --> 0:06:30.820000
 responses, and facilitate collaboration.

0:06:30.820000 --> 0:06:34.440000
 That's, you know, quite, I should say,
 not quite significantly useful,

0:06:34.440000 --> 0:06:39.020000
 the collaboration features, but they've,
 you know, helped facilitate collaboration

0:06:39.020000 --> 0:06:40.660000
 among security teams.

0:06:40.660000 --> 0:06:44.780000
 So what are some of these, you know,
 what are some of the common or some

0:06:44.780000 --> 0:06:48.100000
 of the best, at least in my opinion,
 threat intelligence platforms?

0:06:48.100000 --> 0:06:51.660000
 Well, I've sort of listed them out
 in this slide, as well as the next

0:06:51.660000 --> 0:06:56.840000
 slide. They're not sorted in order of,
 you know, importance or how I rank

0:06:56.840000 --> 0:07:00.600000
 them. I've just added the ones that I
 think are the best or the ones I've

0:07:00.600000 --> 0:07:03.660000
 seen most widely deployed.

0:07:03.660000 --> 0:07:08.320000
 And, you know, ones that, you know,
 actually have benefited the teams

0:07:08.320000 --> 0:07:10.580000
 in which they've been deployed.

0:07:10.580000 --> 0:07:15.880000
 So a, we have Recorded Future, Recorded
 Future utilizes machine learning

0:07:15.880000 --> 0:07:19.400000
 and natural language processing to collect
 and organize data from various

0:07:19.400000 --> 0:07:23.980000
 sources, including the open
 web and the dark web.

0:07:23.980000 --> 0:07:28.360000
 The platform offers real-time threat
 intelligence aiding organizations

0:07:28.360000 --> 0:07:31.240000
 in providing defense measures.

0:07:31.240000 --> 0:07:33.400000
 And then we have Anomali
 ThreatStream.

0:07:33.400000 --> 0:07:38.060000
 Anomali ThreatStream aggregates
 threat data from various sources,

0:07:38.060000 --> 0:07:42.080000
 utilizing machine learning to rank
 threats based on severity.

0:07:42.080000 --> 0:07:46.080000
 And it integrates with multiple security
 systems, including SIEMs and

0:07:46.080000 --> 0:07:49.460000
 firewalls to automate threat
 detection and response.

0:07:49.460000 --> 0:07:52.580000
 So you know, you can start to see the
 power of the threat intelligence

0:07:52.580000 --> 0:07:56.280000
 platform. We then have some of the more
 common ones that you may be familiar

0:07:56.280000 --> 0:08:00.220000
 with starting off with
 Mandiant Advantage.

0:08:00.220000 --> 0:08:05.360000
 So Mandiant Advantage offers a free
 version providing dashboards, threat

0:08:05.360000 --> 0:08:09.300000
 actor and vulnerability data and OSINT
 indicators and it's suitable for

0:08:09.300000 --> 0:08:13.940000
 organizations seeking basic threat intelligence
 capabilities without significant

0:08:13.940000 --> 0:08:18.300000
 investment. You then have, you know,
 two open source options, which are,

0:08:18.300000 --> 0:08:21.060000
 you know, really amazing.

0:08:21.060000 --> 0:08:25.720000
 That is the infamous MISP
 or MISP threat sharing.

0:08:25.720000 --> 0:08:29.900000
 MISP is an open source platform for collecting,
 storing and sharing cybersecurity

0:08:29.900000 --> 0:08:33.700000
 indicators and, you know,
 for malware analysis.

0:08:33.700000 --> 0:08:37.860000
 It supports multiple data formats and
 facilitates collaboration among

0:08:37.860000 --> 0:08:42.620000
 organizations to enhance threat
 detection and response.

0:08:42.620000 --> 0:08:48.540000
 We then have sort of this OpenCTI.

0:08:48.540000 --> 0:08:52.780000
 OpenCTI, as its name suggests,
 is an open source platform

0:08:52.780000 --> 0:08:57.940000
 that structures, stores and visualizes
 technical and non-technical information

0:08:57.940000 --> 0:08:59.820000
 about cyber threats.

0:08:59.820000 --> 0:09:05.560000
 It integrates with other tools like MISP
 and TheHive to provide a comprehensive

0:09:05.560000 --> 0:09:08.180000
 threat intelligence solution.

0:09:08.180000 --> 0:09:12.540000
 All right, so that was threat intelligence
 feeds and threat intelligence

0:09:12.540000 --> 0:09:16.780000
 platforms. It's really not much to add
 at this point in time, as I said,

0:09:16.780000 --> 0:09:23.720000
 a lot of the specialization specific
 aspects of incident response.

0:09:23.720000 --> 0:09:27.060000
 In any case, that's going to be it
 for this video and I will be seeing

0:09:27.060000 --> 0:09:28.660000
 you in the next video.

