Please enable JavaScript.

Coggle requires JavaScript to display documents.

Threat Intelligence and Sharing Platform - Coggle Diagram

- - - - IDS can be network-based (NIDS), monitoring traffic across a network, or host-based (HIDS), focusing on activities on individual devices.
        
        Host-based IPS (HIPS) is software installed directly on individual devices such as servers or workstations.
        It monitors all traffic originating from or destined for that specific host, including system logs, file integrity, user login activities, running processes, and application behavior.
        HIPS can detect attacks that originate from within the network, such as insider threats or local exploits, and can determine whether an attack was successful by analyzing system call paths.
        It is particularly useful for protecting critical assets and can operate independently of the underlying operating system, although its functionality may vary depending on the OS.
        However, HIPS can introduce performance overhead on the host system and requires individual deployment and management on each device, which can be costly and complex in large environments. Can see traffic after decryption on the host
        File system monitors:
        Logfile analysis:
        Connection analysis:
        Kernel based detection:
        Examples - Cisco Security Agent (CSA), OSSEC, Fail2Ban
        Detects insider threats, zero-day exploits via behavior, full context of local activity to protect File integrity, registry changes, local exploits
        
        Network-based IPS (NIPS) is deployed at strategic points within the network, such as at the perimeter behind a firewall or at key internal segments, to monitor all raw network packets traffic flowing through those points
        It inspects individual packets in real time for known attack patterns or anomalies, enabling it to detect and block threats across the entire network. Deployed inline at network boundaries (e.g., behind firewalls)
        NIPS offers high detection efficiency and can protect multiple hosts simultaneously, reducing the need for per-device software.
        It is effective at identifying external attacks and can be configured to handle encrypted traffic if decryption is enabled. Limited visibility if traffic is encrypted.
        However, it cannot detect local, host-specific activities, such as an attacker physically accessing a machine, and its effectiveness can be limited by network topology, especially in large or segmented networks where traffic may bypass a single sensor.
        Examples - Fidelis Network IPS, Hillstone Networks, Palo Alto Networks IPS to protect Network-level attacks like DDoS, port scans, worm propagation
    - - Import Info level Logs from Files, Apps, DBs, Security Products, N/W Devices and Other sources like Bluecoat-webproxy-raw, juniper-junos-pulse-firewall-regex, regex-cisco_wsa, NXGF-Regex-Palo Alto (Firewall)
        
        Log Source Filtering for noise to ensure correlating proper data (not useless noise) - saves licensing and log injestion costs
        
        Optimize Alarm Triggers - security context of logs - based on scenarios and use cases are turned on and triggering correctly - increases confidence level
        
        Post tuning, Create specific alarms, violations and alerts with pattern and activity to address high priority issues
        
        Alarm to a Security Orchestration, Automation, and Response (SOAR) platform (to remediate say compromised accounts in seconds for phishing etc.)- automate cybersecurity operations by integrating, coordinating, and executing responses across various security tools and systems.
        
        Alarm and Correlation is set, enable Playbooks (say compromised M365 account) for automated remediation
        
        Benefits:
        
        Reduce Dwell Time
        
        Reduce Human Resources
        
        Reduce Mundane Tasks
        
        Increase Higher value operations
        
        Analyze Data
        
        Consider migrating SIEM in cloud (e.g. Securonix) - faster time-to-value
- - - - Collection - A Collection is an interface to a logical repository of CTI objects provided by a TAXII Server that allows a producer to host a set of CTI data that can be requested by consumers: TAXII Clients and Servers exchange information in a request-response model.
        TAXII Server <-Request / Response-> TAXII Client
      - Channel - Maintained by a TAXII Server, a Channel allows producers to push data to many consumers and consumers to receive data from many producers:
        TAXII Clients exchange information with other TAXII Clients in a publish-subscribe model.
        Note: The TAXII 2.1 specification reserves the keywords required for Channels but does not specify Channel services. Channels and their services will be defined in a later version of TAXII.
        Producer -> Publish to Taxi Server -> Subscribed by Multiple Consumers