A Cyber-Threat Intelligence Program – How to develop one and why it matters

Trevor Cunningham 2015

Master (120 credits)

Master of Science in Information Security

Luleå University of Technology

Department of Computer science, Electrical and Space engineering


Abstract

Purpose

The purpose of this project was the research, design and building of a Cyber-Threat Intelligence Program. This Cyber-Threat Intelligence Program would be used as an early notification vehicle and catalyst to security harden systems.

Reporting on threats, vulnerabilities, risks and mitigation strategies, the Cyber-Threat Intelligence Program would look to move away from a reactive and towards a pro-active security posture.

In addition, the project aims to utilise only open and free information sources.

Background

Cyber-attacks including data breaches are an increasing challenge for nations and organisations. They are not only increasing in frequency but also in complexity.

All of these cyber-attacks bring associated costs, not limited to compensation to customers, loss of revenue and stock price, public relations damage and can severely restrict the working operations of the organisation.

Results

The main results of this project were in the research, design and building of a Cyber-Threat Intelligence Program.

27 sources were found and ranked, along with the building of a Threat Score-Card.


Abbreviations

ADR – Action Design Research

BI – Business Intelligence

CTI – Cyber-Threat Intelligence

DSR – Design Science Research

PCI – Payment Card Industry

SME – Small to Medium Sized Enterprises


Table of Contents

1.0 INTRODUCTION...1

1.1. Problem Description ...1

1.2 Relevance of Research ...2

1.3 Methodology ...3

1.4 Organisation Interaction ...3

2.0 LITERATURE REVIEW ...3

2.1 Defining Cyber-Threats and Cyber-Attacks ...3

2.2 What is Cyber Threat Intelligence (CTI) ...4

2.3 Types of Attacks and Attackers...5

2.4 Current Trends ...6

2.4.1 Aims of Attackers ...6

2.4.2 Attacks and Costs Increasing ...6

2.4.3 Increased Sophistication of Attacks ...8

2.5 Is Cyber-Threat Intelligence Relevant? ...9

2.6 Literature Review Conclusion ... 11

3.0 METHODOLOGY ... 13

3.1 Stage 1 – Problem Formulation ... 14

3.2 Stage 2 – Building, Intervention and Evaluation ... 15

3.3 Stage 3 - Reflection and Learning... 18

3.4 Stage 4 – Formalization of Learning ... 18

3.5 Methodology Conclusion ... 19

4.0 ROLES AND RESPONSIBILITIES ... 21

5.0 RESULTS ... 23

5.1 ADR Stage 1 – Problem Formulation ... 23

5.1.1 Theoretical Basis ... 25

5.2 ADR Stage 2 - Building, Intervention & Evaluation (BIE)... 26

5.2.1 Identifying Sources... 26

5.2.2 What is RSS? ... 28

5.2.3 Scoring for Sources... 29

5.2.4 Initial Source List ... 29

5.2.5 Choosing RSS Feed Reader... 30

5.2.6 Source Findings ... 30


5.2.7 Rating of Feed Information ... 41

5.2.8 Round Two – Updates to the Artefact... 42

5.2.9 Round Three – Updates to the Artefact ... 44

5.3 ADR Stage 3 – Reflections & Learning ... 46

5.4 ADR Stage 4 – Formalization of Learning ... 48

6.0 CONCLUSION ... 51

6.1 Research Question Conclusion – In Practice ... 52

6.2 Limitation of Project and Future Research ... 53

7.0 References... 54

8.0 Appendix A – Threat Scoring Document

9.0 Appendix B – Credibility Weighting Criteria


1.0 INTRODUCTION

1.1. Problem Description

Today, a high percentage of organisations rely on some type of IS system to operate successfully. From large multi-nationals to small/medium sized enterprises (SMEs), IS systems play pivotal roles and offer many advantages: from hosting websites to provide information and interaction with customers, taking and processing online orders and/or payments, and storing customer details in large data warehouses, to automating previously manual tasks and much more.

These IS systems offer organisations the opportunity and ability to function efficiently, reducing costs, increasing profit and improving customer satisfaction.

However, all these opportunities do come with associated risks and some of these risks, if realised, can be devastating to the organisations involved. From the loss of Payment Card Information (PCI), payment/ transaction systems being compromised or taken offline, health and safety issues occurring etc. (Fiat Chrysler recently recalled over 8,000 jeeps due to a security flaw that could be carried out remotely), many organisations have found to their cost the importance of securing these IT systems.

Organisations therefore have to balance the potential advantages of employing these IS systems with the associated risks. The current trend shows, however, that organisations will not only be continuing their use of these IS systems but will have to increase this use, developing and testing new methods to win customers and stay competitive.

This increasing use of IS systems, coupled with an increasing number of cyber-attacks, and specifically data breaches occurring year on year (CERT-UK 2014 states the number of attacks has reached an unprecedented level), has led to one of the key challenges facing security practitioners today: the need to develop a comprehensive security program that not only deploys the more traditional reactive security measures (SIEMs, Patch Management Programs and Disaster Recovery Plans etc.) but, in addition, deploys proactive security measures (i.e. a Cyber Threat Intelligence Program).

Traditionally, IS security practitioners have concentrated on developing a Patch Management Program to use as the primary tool to secure IS systems. While an efficient Patch Management Program still plays an important part in securing IS systems, IS Security Experts are in agreement that it alone is not enough and a mix of reactive and pro-active security measures need to be deployed to secure IS systems.

One of the main reasons Patch Management Programs alone are failing to secure IS systems is the sheer number of threats and vulnerabilities being uncovered, combined with the increased sophistication of the attacks taking place. (Please see 2.4.2 and 2.4.3 for further information.)

As reported in Secunia’s ‘Annual Vulnerability Review’ [26], a total of 15,435 vulnerabilities were identified in 2014 in 3,870 applications from 500 vendors. This represents an 18 percent increase compared to the previous year, and a 55 percent increase over five years.


With so many threats and vulnerabilities being uncovered, vendors along with end-users are finding it difficult to patch in time. Vendors need to create increasing numbers of patches, and end-users in turn have to deploy this increased number of patches. The workload involved in the process of creating and deploying these patches should not be underestimated, as it includes repetitive rounds of research, testing and deployment.

With this in mind, it is not surprising we are seeing an increased number of ‘zero-day’ vulnerabilities. A zero-day is a vulnerability in software that the vendor does not currently know about. Attackers then start to exploit this vulnerability, and when this becomes known to the vendor, the vendor then rushes to fix (patch) the vulnerability. This means the vendor has ‘zero days’ to fix the vulnerability (as it is already publicly known about and is being exploited in the wild).

Therefore, what is needed is the development of more proactive security measures that close the gap between when a threat or vulnerability has been discovered, to when mitigation has occurred i.e. a patch has been installed, or a work-around deployed i.e. disabling the affected product, or uninstalling the related software add-in etc.

As described in the following paper, one of the most talked about proactive security measures is the development of a Cyber-Threat Intelligence Program. Security Experts believe that developing a Cyber-Threat Intelligence Program can help organisations stay secure, by staying ahead of the curve with regard to threats and vulnerabilities to their systems.

If organisations know what threats and vulnerabilities exist, and receive this information in a timely manner, adequate mitigation steps can be taken to stay secure, reducing the reliance on a vendor creating and releasing a security patch.

So what is stopping organisations developing a Cyber Threat Intelligence Program? The answer to that is discussed in the following Literature Review, but research suggests that cost plays a primary factor.

Most large vendors do offer ‘Threat Intelligence’ on a paid-for subscription basis, however, the cost of these would be outside the limits of most Small to Medium Enterprises.

So with this in mind, the principal aim of this project is the research, design and building of a Cyber-Threat Intelligence Program which relies on free open source data. This will allow organisations with smaller budgets to utilise such intelligence to stay secure.

During my initial research I found that most of the discussions by Security Experts on Cyber Threat Intelligence Programs stated the benefits of deploying such a program, but none described in detail how to develop the program itself. With this in mind, it helped me define my research question: how would one build a Cyber-Threat Intelligence Program?

It is this question that the following paper seeks to address.

1.2 Relevance of Research

There are several large IT firms offering products which they say offer organisations access to Cyber-Threat Intelligence. These products are out-of-scope for this research project, as this project aims to research and utilise sources of CTI which are free and open source.


This will be a primary distinction between this project and others in similar areas.

With this in mind, it was initially thought that the CTI Program developed by this research will be more suitable to SMEs and smaller enterprises, who lack the necessary budget to purchase access to these 3rd party vendor CTI programs. However, large enterprises can also utilise the CTI Program being developed if they wish.

1.3 Methodology

Action Design Research (ADR) will be used during this research project. After discussions with my project supervisor Maung Sein, it was felt that ADR was most suitable for this project.

ADR provides the necessary flexibility needed to complete such a project, in that the actual artefact gets built during the project stages. This building of the artefact allows the implementation in a real-world context to be studied, and for the artefact to be modified where needed to achieve the desired outcome.

This continuous loop of building, intervention and evaluation allows new design principles to emerge.

The recording of the project's outcomes in ADR also allows results and outcomes to be re-used in future research projects.

1.4 Organisation Interaction

This project was carried out in conjunction with an insurance company. This company offers insurance products, such as life, home and automobile insurance, to customers. This organisation wants to try and develop its own CTI Program utilising free and open source information where possible, before considering if it is necessary to purchase access to CTI information from one of the large IT vendors.

2.0 LITERATURE REVIEW

2.1 Defining Cyber-Threats and Cyber-Attacks

Today there seems no consensus on defining ‘cyber-threats’ or ‘cyber-attacks’, with many people using these terms interchangeably. [18] After President Obama’s 2013 State of the Union address, in which he announced wide-ranging Cyber-Security measures, the US government tried to clarify its definition of Cyber-Threats with this broader definition:

‘Cyber-threats cover a wide range of malicious activities that can occur through cyberspace. Such threats include web site defacement, espionage, theft of intellectual property, denial of service attacks, and destructive malware.’ – [1]


Oxford dictionaries offer subtle differences in their definition of Cyber-Threats and Cyber-Attacks:

‘Cyber Threats – The possibility of malicious attempts to damage or disrupt a computer network or system.’ [19]

‘Cyber Attacks – An attempt by hackers to damage or destroy a computer network or system.’ [19]

These definitions suggest that a Cyber-Threat is the possibility of some type of malicious cyber-activity taking place, whereas a Cyber-Attack is when such an activity becomes realised. These ‘Cyber-Threats’ and subsequent ‘Cyber-Attacks’ are currently one of the most talked about phenomena in the IT industry and also in the general media (news). [2]

On what seems a weekly occurrence, more cyber-attacks are being reported which affect all parts of society. [3]

Some examples include:

1. Nation States' critical infrastructure being attacked, such as telecommunications networks, transport networks, power stations and water treatment plants etc.

2. Large organisations being attacked, with the loss of company and customer data.

3. SMEs (Small and Medium sized enterprises) being attacked, and also such attacks being used as stepping stones to launch further attacks against much larger organisations. [4, 7]

2.2 What is Cyber Threat Intelligence (CTI)

During my research I found defining ‘Cyber Threat Intelligence’ to be a challenge, and it led to some ambiguity. [5] The main debate seemed to be on what constituted ‘Intelligence’.

For example, some authors suggested that much of today’s ‘Intelligence’ was in fact just (raw) information. The table below shows what some believe to be the difference between information and intelligence:

Table 1. Information versus Intelligence [5]

INFORMATION | INTELLIGENCE

Raw, unfiltered data | Processed, sorted, and distilled information

Unevaluated when delivered | Evaluated and interpreted by trained expert analysts

Aggregated from virtually every source | Aggregated from reliable sources and cross-correlated for accuracy

May be true, false, misleading, incomplete, relevant, or irrelevant | Accurate, timely, complete (as possible), assessed for relevancy

As you can see, information is suggested as data in raw form whereas intelligence is data that has been processed in some way.

What has become apparent is that what many organisations today are offering seems to be Cyber Threat Information and not Cyber Threat Intelligence. [2]
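As an added illustration of the Table 1 distinction (this is example code, not code from the thesis or from any of the sources it ranks): a small Python script that takes raw feed items as a feed reader would deliver them and applies the three transformations the table names, cross-correlating items across sources, weighting them by source credibility, and assessing them for relevance and timeliness. The feed names, credibility weights, age and corroboration thresholds, technology-owner mapping and the feed items themselves are all constructed assumptions; the thesis derives its own source ranking and credibility criteria later, and those are not reproduced here.

```python
from collections import defaultdict
from datetime import date

# Assumed credibility weights per feed (constructed; the thesis derives its own
# weighting criteria in Appendix B, which are not reproduced here).
SOURCE_WEIGHT = {
    "vendor-advisory-feed": 1.0,
    "national-cert-feed": 0.9,
    "security-blog-feed": 0.5,
    "forum-rumour-feed": 0.2,
}

# Assumed mapping from product keyword to the technology owner who would
# receive the alert (the thesis names Cisco, Oracle and Microsoft owners).
TECH_OWNERS = {
    "cisco": "Network team",
    "oracle": "Database team",
    "microsoft": "Windows team",
}

# Constructed raw feed items, as a feed reader would hand them over:
# unfiltered, unevaluated, duplicated across sources and sometimes irrelevant.
RAW_ITEMS = [
    {"source": "vendor-advisory-feed", "published": "2015-03-02", "ref": "ADV-0001",
     "title": "Security update for a Cisco product", "products": ["cisco"]},
    {"source": "national-cert-feed", "published": "2015-03-03", "ref": "ADV-0001",
     "title": "Alert: Cisco flaw reported as exploited", "products": ["cisco"]},
    {"source": "security-blog-feed", "published": "2015-03-03", "ref": "ADV-0001",
     "title": "Analysis of this week's Cisco advisory", "products": ["cisco"]},
    {"source": "forum-rumour-feed", "published": "2015-03-04", "ref": "RUMOUR-7",
     "title": "Unconfirmed Oracle database bug", "products": ["oracle"]},
    {"source": "vendor-advisory-feed", "published": "2015-03-01", "ref": "ADV-0002",
     "title": "Patch for an industrial controller", "products": ["scada-vendor"]},
    {"source": "national-cert-feed", "published": "2014-11-20", "ref": "ADV-0003",
     "title": "Older Microsoft Office advisory", "products": ["microsoft"]},
    {"source": "vendor-advisory-feed", "published": "2015-02-20", "ref": "ADV-0004",
     "title": "Monthly Microsoft security update", "products": ["microsoft"]},
]


def correlate(items):
    """Group raw items by reference, so one event reported by several feeds
    becomes a single candidate record ("cross-correlated" in Table 1)."""
    groups = defaultdict(list)
    for item in items:
        groups[item["ref"]].append(item)
    return groups


def evaluate(items, today, max_age_days=30, min_sources=2):
    """Turn raw information into evaluated intelligence.

    A candidate is kept only if it maps to a known technology owner
    (relevance), is no older than max_age_days (timeliness) and is either
    reported by at least min_sources distinct feeds or by a feed with full
    credibility (corroboration). Thresholds are constructed assumptions.
    Returns (kept_records, {ref: reason_dropped}).
    """
    kept, dropped = [], {}
    for ref, group in correlate(items).items():
        sources = {g["source"] for g in group}
        products = {p for g in group for p in g["products"]}
        owners = sorted({TECH_OWNERS[p] for p in products if p in TECH_OWNERS})
        newest = max(date.fromisoformat(g["published"]) for g in group)
        age_days = (today - newest).days
        weights = [SOURCE_WEIGHT.get(s, 0.0) for s in sources]
        corroborated = len(sources) >= min_sources or max(weights) >= 1.0
        if not owners:
            dropped[ref] = "irrelevant: no technology owner for " + ", ".join(sorted(products))
        elif age_days > max_age_days:
            dropped[ref] = f"stale: {age_days} days old"
        elif not corroborated:
            dropped[ref] = "uncorroborated: single low-credibility source"
        else:
            kept.append({
                "ref": ref,
                "title": group[0]["title"],
                "owners": owners,
                "sources": sorted(sources),
                "credibility": round(sum(weights), 2),
                "age_days": age_days,
            })
    # Most credible first, then freshest: the order an analyst would work through.
    kept.sort(key=lambda r: (-r["credibility"], r["age_days"]))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = evaluate(RAW_ITEMS, today=date(2015, 3, 5))
    for record in kept:
        print(f"{record['ref']}: {record['title']} -> {', '.join(record['owners'])} "
              f"(credibility {record['credibility']}, {record['age_days']} days old)")
    for ref, reason in dropped.items():
        print(f"dropped {ref}: {reason}")
```

Run as-is, the script keeps the corroborated Cisco advisory and the vendor's own Microsoft update, and explains why each of the other items was dropped (no owner, too old, or a single low-credibility source). The point is that the same raw items come out the other end with a reason attached, which is what distinguishes the "evaluated" column of Table 1 from the "unevaluated" one.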

2.3 Types of Attacks and Attackers

There are many different types of cyber-attacks, with most falling into two categories:

1. Untargeted attacks, such as Phishing emails, watering-hole attacks, ransomware and scanning. [20]

2. Targeted attacks, such as Spear-Phishing or Distributed Denial of Service attacks. [20]

Security experts have stated that you can place cyber hackers into one of the following main categories:

1. Cyber-Criminals

These cyber criminals are mainly focused on monetary gain. Such attackers leverage tools such as ransomware and phishing/spear-phishing emails etc. to steal/obtain user and payment card information etc. [9]

2. Industrial Competitors and Foreign Intelligence Services

These attackers wish to gain economic advantages for their companies or countries. [9]

3. Hacker Activists or Hacktivists

These attackers can be politically or cause motivated. Their aims can be to embarrass larger organisations and governments with whom they disagree. The most well-known activist group would be Anonymous. [9]

4. Hackers

These attackers see it as fun or a hobby to try and break, disrupt or steal data etc. [9]

5. Insiders or Employees

These attackers can, deliberately or accidentally, steal or leak information and data on their employer. [9]

6. Nation-States

States such as China and North Korea have been accused of using cyber-attacks for espionage, the aim being to steal sensitive information on governments and policies and defense weapons, and also the infiltration of critical infrastructure such as telecommunications, transport and power networks etc. Other countries, such as the US and Israel, have also been accused of such actions, particularly in the case of the Stuxnet Attack. [8]

2.4 Current Trends

I analysed the current trends with regard to the primary aims of attackers, the number of attacks taking place, the rising costs of attacks and the increased sophistication of attacks.

2.4.1 Aims of Attackers

The current trend with regard to the primary aims of attackers suggests that they fall under three categories.

Figure 1, below, shows that in the US in 2012, 70% of targeted attacks were aimed at realising some type of financial fraud.

46% of attacks were trying to disrupt the operations of the targeted organization, and 55% of targeted attacks were aimed at stealing customer data.

FIGURE 1 – Goal of Targeted Attacks 2012, www.statista.com

2.4.2 Attacks and Costs Increasing

Cyber-attacks, and specifically data breaches, are increasing year on year with record associated costs. [9]

Number of reported incidents of malicious cyber activity targeting US Department of Defense systems from 2000 to 2009.

Calendar year | Number of reported incidents of malicious cyber activity | Percent increase from previous year

2000 | 1,415 | N/A

2001 | 3,651 | 158.02%

2002 | 4,352 | 19.2%

2003 | 9,919 | 127.92%

2004 | 16,110 | 62.42%

2005 | 23,031 | 42.96%

2006 | 30,215 | 31.19%

2007 | 43,880 | 45.23%

2008 | 54,640 | 24.52%

2009 | 71,661 | 31.15%

Figure 2 – Malicious Attacks Increasing.

The number of data breach occurrences also reached a record high in 2014. [9] This has led to increased concern and focus on information security. Senior management, including Board Level, now feel pressured to ensure their organisations keep data secure.

Figure 2 – Data Breaches Increasing (chart showing the latest data breaches by company and number of records stolen).

In a recent report by CERT-UK, 81% of large organisations reported that they had suffered some type of security breach in 2014.

The average cost of security breaches in 2014 in the UK, in British Sterling, was between £600,000 and £1.5 million. However, it is not just large organisations that are feeling the effect of cyber-attacks. Small to medium organisations who suffered a security breach found the cost to be between £65k and £115k. [11]

The cost of data breaches has also increased. In the ‘2014 Cost of Data Breach Study: Global Analysis’ survey, the average cost of a data breach was found to be $3.5 million, 15% more than in 2013. [12]

These are not the only costs associated with cyber-attacks and data breaches. There is also the cost of investing in security to be taken into account. On average, large organisations are spending 11%, and smaller organisations 15%, of their entire budgets on implementing security measures. [11]

This is adding to the increased pressure on budgets which are still trying to recover from the economic downturn of the past few years.

All of this pressure, in turn, has led to more emphasis being placed on developing proactive security measures, rather than relying solely on traditional reactive security measures.

Proactive security measures rely on having actionable and timely threat intelligence information available that allows organisations to put security measures in place to:

1. Prevent attacks taking place in the first instance, and also

2. Help to search for any signs of undetected attacks already in progress. [10]

In addition to the associated security preventive costs, successful cyber-attacks and data breaches also bring different and sometimes intangible costs to bear on organisations. Organisations can suffer damage to reputation, loss of customer confidence, public relations, stock price decrease and increased legal costs in fines and compensation. [9]

2.4.3 Increased Sophistication of Attacks

‘Fundamentally, cybercriminals, nation-states and hacker activists waging these attacks are growing increasingly sophisticated and more effective in their efforts to steal and sabotage.’ – [13]

Figure 3 – Showing Increased Damage by Increasingly Sophisticated Attacks

As the quotation and Figure 3 suggest, attacks are becoming increasingly sophisticated. In a 2012 report by Gartner, it was suggested that these advanced attacks are by-passing traditional security controls and are also going undetected for longer periods than previous attacks. [13]

2.5 Is Cyber-Threat Intelligence Relevant?

‘The Internet has become so integral to economic and national life that government, business, and individual users are targets for ever-more frequent and threatening attacks.’ – [8]

As the quotation above suggests, Cyber (Internet) Security is now critical to our way of life. Nearly everything and anything is connected to, interacts with or relies on the Internet or some type of computer network, from our national defence and critical infrastructure (power, transport, energy, health services etc.), to our daily employment, to our TVs and fridges etc.

The more we rely on the Internet or computer networks, the greater we feel the damage if we suffer cyber-attacks. This is one of the main reasons we need cyber security, and in turn, cyber threat intelligence. [8]

Security experts now firmly believe that intelligence and information sharing is one of five critical activities that you need to undertake if you are going to be relatively secure in a cyber context – the others being governance (leadership from the top and commitment to doing this properly), tools and techniques, standards and policies, and staff training. [14]

In 2012, Holland of Forrester Research stated that organisations and governments must utilize Threat Intelligence with regard to Information Security to protect against the changing threatscape. [15]

Holland went on to suggest that without intelligence, we cannot proactively protect against cyber attacks because we do not understand:

1) the motivations and the methods of our attackers;

2) the existing weaknesses and vulnerabilities of our extended IT networks; or

3) how long the enemy has been inside our defences. [3]

In his report, he suggests intelligence gathering and processing is a continuous cycle:

Figure 4 – The Continuous Threat Cycle

Holland also suggests that it is possible to build a comprehensive Cyber Threat Intelligence Program using both free and subscription-based intelligence feeds. [3]

In another academic report in 2013, on understanding and overcoming cyber security anti-patterns, four main themes were developed. One concerned cyber threat intelligence and suggested that organisations that dynamically build and apply cyber threat intelligence are the exception, and that those who do not find that advanced threats are detected too late or not at all. [15]

2.6 Literature Review Conclusion

There is broad agreement within the IT/IS industry that:

1) Cyber attacks (including data breaches) are becoming more frequent

2) Cyber attackers in general are now using more advanced techniques

3) Cyber threat intelligence is increasingly vital to defend against such attacks [14]

In a recent survey, 69% of respondents said they plan to invest in threat intelligence in the coming year. [9]

These are the reasons I believe my research to be worthwhile. I intend to analyse and utilize the free open source threat intelligence feeds to create a comprehensive Threat Intelligence Program.

There are several subscription-based feeds which are offered by large IT organisations, being Symantec, McAfee, Trend Micro, FireEye, Sophos, Kaspersky, IBM, Cisco and QinetiQ. These organisations gather intelligence on attacks and the hacking community etc., and sell their findings on (often as real-time feeds). [14] However, due to the cost, small and medium organisations which do not have the budget to subscribe to such feeds are left to find another solution.

The solution seems to lie in the ‘open source’ and ‘free’ intelligence that is available.


3.0 METHODOLOGY

The method of research I propose to use in this thesis study is that of Action Design Research (ADR). ADR is a research method that was built to address short-comings in Design Science Research (DSR). [20]

DSR is a common research technique that takes a technological view of the IT artefact, but it pays little attention to the effect the organisational setting can have on said artefact. [20] In DSR, the design of the IT artefact is the central component.

One downside is that the actual artefact is rarely built and tested in real life (i.e. in an organisation), leaving just a descriptive paper of how the artefact could be built and omitting any experience of the real-world effects on such an artefact if it were built. [3]

ADR was proposed to bridge this short-coming by actually building the artefact during the research.

ADR is therefore a complete research technique, maintaining the technological view of the artefact as per DSR but also addressing the effects of the organisational context in terms of the design, building and use of the IT artefact.

In addition, the actual building of the artefact allows:

1. The chance for an organisation to solve a real-life problem.

2. The artefact to be re-used in similar organisations to address their needs.

3. The evaluation of results that can be used in future research. [20]

Figure 1 is an illustration of the stages and principles that make up the ADR method.

Figure 1 – ADR Principles and Stages

3.1 Stage 1 – Problem Formulation

In the initial stage of my methodology, I will identify the problem that this thesis paper will address.

As stated in my previous Literature Review, the aim of this thesis is to show how to develop a Cyber Threat Intelligence Program, and in turn, show why they matter.

As figure 1 shows, the Problem Formulation stage relies on the following two principles:

1. Practice Inspired Research

My research should look to address the class of problems where the problem that has been identified in this research would reside. [20] For example, ADR looks to use ‘field problems’ to create knowledge, rather than the traditional method of solving theoretical puzzles when creating such knowledge. [20]

By addressing the problem at the area where technological and organisational domains meet, in this thesis I would therefore look to create knowledge that not only solves the issues encountered by my employer, but also issues that other similar organisations encounter with similar problems, i.e. I will show how to create a Cyber Threat Intelligence Program that can be used by any Small / Medium sized Enterprise (SME).

2. Theory Ingrained Artefact

When creating my artefact in this thesis project, it should carry traces of a theory i.e. the theory should help structure the problem, help with the solution and help guide the design of the artefact. [20]

3.2 Stage 2 – Building, Intervention and Evaluation

The three stages of Building, Intervention and Evaluation (BIE) are interwoven in this stage. As I build the artefact, I will evaluate how it operates within the organisation, intervene (i.e. change and modify its implementation), and re-evaluate. This will be a continual cycle until I have an artefact that addresses the identified problems.

By constantly building, testing, evaluating and re-designing, innovations can be discovered in this stage, either IT innovations or those found through the interaction with my employer. [20]

In Stage 2, there are two design principles that can be followed:

1/ IT Dominant BIE

This design principle, as the name suggests, is driven by the IT artefact. This principle emphasizes creating an IT innovation artefact at the outset. [20]

The artefact is built in interaction with the practitioners that will use it, so in this project, it will be the Vulnerability Management Team. This initial BIE phase will see the artefact measured with regard to its interaction with the practitioners (Vulnerability Management Team) and also the organisation (current employer).

After several cycles of the BIE are completed, and no more are needed, this mature artefact is then introduced to the wider organisational unit to see how it performs.

Figure 2, below, shows the process involved in the IT Dominant BIE.

FIGURE 2 (IT Dominant BIE)

2/ Organisation Dominant BIE

This phase is the opposite of IT Dominant BIE. Organisation Dominant BIE, as the name suggests, is where interaction with the organisation creates the innovation. [20] For example, the artefact is implemented into the organisation early in the BIE process and the ‘end-users’ (in this thesis, the technology owners, i.e. Cisco, Oracle and Microsoft, who receive the Threat and Vulnerability alerts) are encouraged to assess the artefact and its precise aim.

This feedback is used to re-assess the design principles, then rebuilding and further assessments are carried out. This cycle is again repeated until no further re-designs are needed.

Figure 3, below, shows the process involved in the Organisation Dominant BIE.

FIGURE 3 (Organisation Dominant BIE)

I will use the IT dominant BIE in this thesis. I believe that this will also allow my proposal to be re-used in other organisations as it is not specifically ‘tied’ in to my current employer.

Figure 1, above, shows that there are three principles on which Stage 2 is built: reciprocal shaping, mutually influential roles, and authentic and concurrent evaluation.

Reciprocal Shaping:

This principle shows how the interaction between the researcher (me) and the artefact in question will influence the design of the artefact. The interaction will take place within an organisational setting (my employer) which will also influence the design of the artefact.

Mutually Influential Roles:

This principle shows how the researcher (me), practitioners (Vulnerability Management Team) and End-Users (Technology Owners and Management) communicate and interact with each other to drive the design and implementation of the artefact.

Authentic and Concurrent Evaluation:

This is a key principle of ADR, in that evaluation is not sought only after the building process, but there is continued evaluation carried out throughout the BIE phases. [20]

For example, traditional research can involve carrying out evaluation after building the artefact.

However, in ADR, evaluation is formal and informal and carried out whenever it is necessary during the design, building, re-design and re-building phases. [20]

It is common that early evaluation during the design and building phases helps shape the actual artefact re-design and re-building (alpha), whereas later evaluation tends to focus on the outcomes of the final versions/implementations of the artefact (beta.) [20]


3.3 Stage 3 - Reflection and Learning

ADR focuses on continued reflection and learning of the design, building, re-design and re-building phases. As this cycle repeats, results are also measured against the actual goals of the overall project.

There is only one principle, Guided Emergence, which is covered in Stage 3. Guided Emergence refers to how the overall process is followed to produce the end artefact. For example, an initial design is created to address the stated goal of the thesis and stated problem.

The artefact is then re-designed, and this re-design is driven by the evaluation of its performance in the organisation. This design, building, re-design and re-building cycle is also driven by the evaluation from the researcher's, practitioners' and end-users' interaction with the artefact. [20]

3.4 Stage 4 – Formalization of Learning

In Stage 4, I will outline the thesis project achievements focusing on what artefact has been developed and what has been achieved.

The outcomes of the project can be thought of as ‘design principles’. [20]

One principle, Generalized Outcomes, is followed in Stage 4. Generalized Outcomes refers to generalizing the problem, generalizing the solution(s), and stating what design principles were derived from the design solution. [20]

What this thesis project aims to achieve is the building of a modern-day Cyber-Threat Intelligence Program which encourages pro-active security measures.


3.5 Methodology Conclusion

I think that ADR is the ideal methodology for this thesis project to follow. The process allows me to design and build, evaluate and then re-design and re-build.

This is accommodating to my research as it is a step into the unknown. There are many different open-source feeds for Cyber-Threat Intelligence, none being the industry standard.

Using ADR will allow me to try each one and to evaluate its outputs. Then I can look at merging their outputs to provide a comprehensive Cyber Threat Intelligence Output.

I feel using ADR for this project gives me the flexibility that I need, as I have not used these feeds and blogs and exchanges before so it can be trial and error.

Having my thesis supervisor and leading ADR academic, Maung Sein, to give advice and guidance should help me complete this project successfully.


4.0 ROLES AND RESPONSIBILITIES

Role: Project Sponsor
Responsibility: To sign off on the different sections and phases of the project. Without sign off, the next section / phase of the project could not proceed.
Title: Security Governance Manager

Role: Researcher
Responsibility: To research design options, source options and options on how to rate our CTI feeds etc.
Title: IT Vulnerability Engineer / Security Governance Team Member x 1

Role: Practitioners
Responsibility: To test the options put forward, and to give feedback and support where necessary.
Title: Security Governance Team Member x 3

Role: End Users
Responsibility: To understand the technology areas, the types of threats and how they relate to our security posture in their area.
Title: Subject Matter Experts x 5


5.0 RESULTS

5.1 ADR Stage 1 – Problem Formulation

The initial stage of our project was spent defining the problem that we hoped to address. Whilst the aim of the project was to develop a Cyber-Threat Intelligence Program, I wanted to record the specific problems that our team was encountering on a daily basis.

The key issues and problems that were highlighted during this first meeting were:

P.1 Information is a company’s most valuable asset, and therefore protecting a company’s information should be the primary focus of Information Security.

P.2 In general, there is an increasing number of Cyber-Attacks taking place. As already covered in the literature review, these attacks are growing in sophistication and also in associated costs.

P.3 There is increased pressure from management to stay ahead of the curve, i.e. to be proactive rather than reactive. How do we do this? It means not only having a Vulnerability and Patch Management Process in place, but also having an ‘early response vehicle’ that helps identify risks and vulnerabilities.

P.4 We currently rely on vendor websites for updates to software. At times we also receive news bulletins from such vendors; however, these are sporadic.

P.5 We do not have a budget, so we do not have the ability to sign up to Cyber-Threat companies which charge for their information/alerts. Therefore, we need to utilise as many open-source and free resources as possible. Which sources should we use? How do we know which ones are ‘best’?

The initial meeting helped me to define the issues and problems which a Cyber-Threat Program would aim to alleviate.

During our second meeting, we again had a ‘brain-storming’ session to try to identify any further issues or problems which we had perhaps overlooked in our previous meeting.

From this second meeting, the following three problems were noted:


P.6 There needs to be a formal way of rating Cyber-Threat Intelligence. How will we do this, and what criteria will be used in the ratings?

P.7 How will we share such ratings and Cyber-Threat Intelligence information with stakeholders? Do we build a website, use an email distribution list or some other method?

P.8 There is continued alarm over Google’s Project Zero. In July 2014, Google announced it was setting up a new team of security experts who would be tasked with finding vulnerabilities in systems and software (not just Google software or systems, but any software and systems).

When this team finds such vulnerabilities, it notifies the owner/producer of the software or system. The idea being that the owner/producer of the software or system creates a patch or some other mitigation step.

Once this has taken place, Google will announce details of the vulnerability and patch/mitigation.

However, if 90 days pass without a patch or mitigation being released, Google has decided to release the details of the vulnerability.

This will increase the number of zero-days that we encounter. The critical aspect we have found when dealing with zero-day exploits is that information and the situation can change rapidly.

Vulnerabilities can quickly become exploitable, and this in turn increases the pressure to find a suitable mitigation step. Monitoring of zero day information is critical, and should be part of the Cyber-Threat Intelligence Program.

During our third meeting, it was decided that there were clearly two main goals arising from the issues and problems listed above:

G.1 Identification and rating of open source and free Cyber-Threat Intelligence.

G.2 Creating a formal and consistent way to rate Cyber-Threat Intelligence from the feeds.


5.1.1 Theoretical Basis

The theoretical basis of this project is that although there are several papers and blogs which have looked at building Cyber-Threat Intelligence programs, they are centred on deploying honeypots and analysing the results, and on sharing log file information, firewall rules etc. as a way of sharing Cyber-Threat Intelligence.

They have also focused on which standards and methods to use to share such data, i.e. OpenIOC (Open Indicators of Compromise framework), VERIS (Vocabulary for Event Recording and Incident Sharing), CybOX (Cyber Observable eXpression), TAXII (Trusted Automated eXchange of Indicator Information) and STIX (Structured Threat Information eXpression).

As already stated in the literature review, although these methods are relevant, this project is different in that it aims to build a Cyber-Threat Intelligence Program without the need for such technical knowledge. It also aims to utilise solely open source and free sources.

This project is aimed at small to medium sized enterprises, which perhaps do not have SOCs (Security Operation Centres) and most probably have limited IT personnel. These SMEs will not have the expertise to share such information to these standards, or do not deploy Intrusion Detection Systems etc., but still wish to monitor Cyber-Threat Intelligence which can help them put simple mitigation steps in place.

These SMEs may, however, wish to pass relevant Cyber-Threat Intelligence information on to their third-party IT support. It is these third-party IT support experts who will deploy the more advanced mitigation steps.


5.2 ADR Stage 2 - Building, Intervention & Evaluation (BIE)

5.2.1 Identifying Sources

Following on from stage one, we felt that one of the most time consuming parts of the project would be Goal One:

G.1 Identification and rating of open source and free Cyber-Threat Intelligence.

We had another brain-storming meeting and looked at how we could possibly measure each source we identified.

The criteria that we decided to use were:

C.1 Timeliness

As stated in the literature review, timeliness is critical to the overall quality of Cyber-Threat Intelligence.

The longer it takes for us to be notified of a threat or attack, the less value such alerts have.

During such delays, the window of opportunity for our systems to be attacked increases. This is not what we want.

C.2 Relevance

Relevance is another key component to Cyber-Threat Intelligence. If we find that alerts are consistently irrelevant, we are just wasting valuable time which could be spent elsewhere.

We see relevance with regard to:

Is the alert truly Cyber-Intelligence? i.e. is it InfoSec related and therefore does it help us defend our systems?

Is the information accurate, in that it can be cross-referenced against other trusted resources?

For both criteria, we decided to rank each source as either High, Medium, Low or Not Applicable:

TIMELINESS

HIGH: Alerts are received within 2 days (48 hours) of the disclosure of a vulnerability or attack etc. The ideal scenario would be to receive alerts in real-time; however, this is perhaps too much to ask of free services. If we ever move to a subscription-based alerting service, we would like to drive down the 48 hour period.

MEDIUM: Alerts are received within 4 days (96 hours) of the disclosure of a vulnerability or attack etc. Alerts in this timeframe can be helpful, especially if attacks in the wild have not yet taken place.

LOW: Alerts are received within 7 days (168 hours) of the disclosure of a vulnerability or attack etc. Alerts in this timeframe are less useful. However, they can still be of

NOT APPLICABLE: Alerts received after 7 days are not within a timeframe we would wish for; however, they can be used for informational purposes.


RELEVANCE

HIGH: Alerts received are of high relevance with regard to Information Security. Alerts are excellently presented, and any resources/references come from trusted sources. Further research may not be needed to clarify the alert details.

MEDIUM: Alerts received are of medium relevance with regard to Information Security. Alerts are satisfactorily presented, and any resources/references come from a variety of sources (trusted, i.e. vendor security bulletins, and of questionable trust, i.e. anonymous message board posts etc.). Further research may or may not be needed to clarify alert details.

LOW: Alerts received are of low relevance with regard to Information Security. They may relate to broader genres such as ‘IT’ or news on the latest technologies etc. Alerts are not professionally presented, and will also require additional confirmation of the details in the alert. Further research on the alert details will be needed.

NOT APPLICABLE: Alerts are not relevant and may be discarded.

We felt that we were now able to address goal G.1, the ‘Identification and rating of open source and free Cyber-Threat Intelligence.’

However, when discussing the way forward in our weekly meeting, we felt that before we undertook this task we would need to decide on how we wished to receive alerts and information. By deciding on how we wished to receive these alerts and information, we could then identify and rate open and free Cyber-Threat Intelligence sources in a consistent manner. For example, we felt that we would wish to receive these alerts and information by either RSS feeds or by email.

5.2.2 What is RSS?

‘RSS (Rich Site Summary) is a format for delivering regularly changing web content. Many news-related sites, weblogs and other online publishers syndicate their content as an RSS Feed to whoever wants it.

Why RSS? Benefits and Reasons for using RSS

RSS solves a problem for people who regularly use the web. It allows you to easily stay informed by retrieving the latest content from the sites you are interested in. You save time by not needing to visit each site individually. You ensure your privacy, by not needing to join each site's email newsletter.’ [23]

Our primary preference, however, was to receive alerts and information by RSS feeds. The collective reason given for this preference was that we felt that we already receive enough emails throughout our working day. There was agreement that, if possible, we did not wish to add to this, as sifting through our currently received emails is already time consuming.


However, if we discovered a Cyber-Threat Intelligence source which did not have the option of RSS feeds or email alerts, we would not discount this source.

5.2.3 Scoring for Sources

It was also felt that a numeric value should be assigned to the above high, medium, low and not applicable categories. Such scoring could help distinguish between the sources which were helping to harden our security posture to those which did not.

The following scoring mechanism was created, for both Timeliness and Relevance:

HIGH: 6 points
MEDIUM: 4 points
LOW: 2 points
NOT APPLICABLE: 0 points

This gives each source a combined score out of 12.

Over a one week period, the team was tasked to record any sources of information/alerts which they used in their daily jobs. These sources were passed to me, and I created a list which I saved on our SharePoint site.
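The Timeliness and Relevance criteria and the 6/4/2/0 point scheme above, applied to an RSS feed of the kind described in 5.2.2, as an added example that is not part of the thesis or its artefact. It classifies the delay between a public disclosure and the feed's pubDate into the Timeliness bands (48, 96 and 168 hours), adds the Relevance points, and ranks sources by the resulting score out of 12. The feed XML, the disclosure dates and the median rule for a feed-level Timeliness rating are my own assumptions; the three re-scored sources at the end use the ratings the thesis gives them.

```python
"""Rating an open CTI source by the thesis's two criteria.

Added example, not code from the thesis. It implements the Timeliness bands
(48 h / 96 h / 168 h after disclosure), the Relevance bands, the 6/4/2/0 point
scheme and the resulting score out of 12, and shows how the Timeliness delay
can be measured from an RSS feed's pubDate. The feed and the disclosure dates
are constructed sample data, not a real source.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from statistics import median
import xml.etree.ElementTree as ET

# Points for each band, identical for Timeliness and Relevance (thesis 5.2.3).
POINTS = {"High": 6, "Medium": 4, "Low": 2, "Not Applicable": 0}


def timeliness_rating(delay_hours):
    """Map hours between public disclosure and our alert to a Timeliness band."""
    if delay_hours < 0:
        raise ValueError("alert cannot precede disclosure")
    if delay_hours <= 48:
        return "High"
    if delay_hours <= 96:
        return "Medium"
    if delay_hours <= 168:
        return "Low"
    return "Not Applicable"


def source_score(timeliness, relevance):
    """Score out of 12: Timeliness points plus Relevance points."""
    return POINTS[timeliness] + POINTS[relevance]


def parse_rss(xml_text):
    """Return (title, link, published datetime) for each <item> in an RSS 2.0 feed."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append((item.findtext("title", ""),
                      item.findtext("link", ""),
                      parsedate_to_datetime(item.findtext("pubDate"))))
    return items


def rate_feed(xml_text, disclosures, relevance):
    """Rate one feed: per-item delays, a feed-level Timeliness band taken from the
    median delay (assumption: one slow item should not sink the feed), and the total.
    disclosures maps an item link to the datetime the issue became public."""
    delays = []
    for title, link, published in parse_rss(xml_text):
        disclosed = disclosures.get(link)
        if disclosed is None:          # nothing to compare against; skip the item
            continue
        delays.append((title, (published - disclosed).total_seconds() / 3600))
    if not delays:
        timeliness = "Not Applicable"
    else:
        timeliness = timeliness_rating(median(d for _, d in delays))
    return {"delays": delays, "timeliness": timeliness,
            "relevance": relevance, "score": source_score(timeliness, relevance)}


def rank_sources(ratings):
    """Order sources by score, best first; ratings maps name -> (timeliness, relevance)."""
    scored = [(name, source_score(t, r)) for name, (t, r) in ratings.items()]
    return sorted(scored, key=lambda x: (-x[1], x[0]))


# Constructed sample feed and disclosure times (not a real source).
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example CTI feed</title>
<item><title>Vendor patches remote code execution bug</title>
<link>https://example.invalid/advisory-1</link>
<pubDate>Mon, 02 Mar 2015 10:00:00 +0000</pubDate></item>
<item><title>Phishing campaign targets online banking users</title>
<link>https://example.invalid/news-2</link>
<pubDate>Thu, 05 Mar 2015 15:30:00 +0000</pubDate></item>
</channel></rss>"""

SAMPLE_DISCLOSURES = {
    "https://example.invalid/advisory-1": datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc),
    "https://example.invalid/news-2": datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    result = rate_feed(SAMPLE_RSS, SAMPLE_DISCLOSURES, relevance="High")
    for title, hours in result["delays"]:
        print(f"{hours:6.1f} h  {timeliness_rating(hours):<14} {title}")
    print("feed timeliness:", result["timeliness"], "score:", result["score"], "/ 12")
    # Three of the thesis's own ratings, re-scored and ranked.
    print(rank_sources({"FireEye": ("High", "High"),
                        "AlienVault": ("Medium", "Medium"),
                        "Arbor Atlas": ("Low", "Medium")}))
```

Only the standard library is used. Against a real feed you would fetch the XML and record the time each item was first seen by your reader, since pubDate is set by the publisher and says nothing about when the alert actually reached you.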

5.2.4 Initial Source List

Over the following week, the team was tasked to uncover new sources of information/alerts if possible.

The following 22 sources were identified:

AlienVault
Arbor Atlas
BankInfoSecurity
Composite Blocking List
DataBreachToday
DNS-BH Malware
DSHIELD
Emerging Threats
FireEye
Forensic Artefacts
GoogleSecurityBlog
GovInfoSecurity
HackSurfer
iSight Partners
MalwareDomainList
Microsoft
NakedSecurity
Secunia
Spamhaus
TechRepublic
TrendLabs
ZeusTracker

After visiting each website and signing up to the applicable RSS feeds and email alerts, a review of each source was undertaken after four weeks. It was felt that a four-week period would allow a true reflection on, and review of, each source.


5.2.5 Choosing RSS Feed Reader

Before analysis of the potential sources could take place, we had to choose an RSS reader to use. We felt that once this project was completed, we would allow users to select which ever RSS reader they felt most comfortable with.

During this project, I tested two RSS readers: RSS Feed Reader, which integrates with Chrome (http://feeder.co/), and Feedly (https://feedly.com).

My personal preference was Feedly, as it was easy to navigate and I could log in to it from any PC / laptop. This flexibility was great as I often use different devices for my employment.

I would suggest users select an RSS reader that they are personally comfortable with.

5.2.6 Source Findings

The following tables include the findings on the 22 sources identified above:

Name: AlienVault - www.alienvault.com

Source Number: 1

RSS Feed: http://feeds.feedblitz.com/alienvault-security-essentials

Description: A developer of security related products, focusing mainly on network security.

Timeliness: Medium

Relevance: Medium

Score: 8 / 12

Additional Comments:

AlienVault seems focused on selling its products, rather than providing open and free data.

It does have a product called OSSIM (Open Source Security Information Management), which is aimed at network admins who are trying to detect and prevent intrusions to their networks.

This product does receive good reviews, however, it is more of an Intrusion Detection System and not primarily a Cyber-Threat Intelligence feed.

It is perhaps more suitable for a SME with an experienced technical support team.


Name: Arbor Atlas - www.arbornetworks.com

Source Number: 2

RSS Feed: http://www.arbornetworks.com/asert/feed/

Description: A network security and network monitoring vendor based in the USA. It claims to be used by 90% of ISPs and has strategic partnerships with Cisco, IBM and Juniper Networks.

Timeliness: Low

Relevance: Medium

Score: 6 / 12

Additional Comments:

Seems more relevant for large organisations which will pay for its subscription service, and its free alert service does not rate well against peers.

Name: BankInfoSecurity - www.bankinfosecurity.com

Source Number: 3

RSS Feed: http://www.bankinfosecurity.com/rssFeeds.php?type=main

Description: BankInfoSecurity is owned by the Information Security Media Group Corp. (ISMG), which is a company specializing in coverage of information security, risk management, privacy and fraud.

Timeliness: High

Relevance: Medium

Score: 10 / 12

Additional Comments:

BankInfoSecurity was highly rated by our team. It is professionally presented, and not only provides Cyber-Threat Intelligence, but also news and alerts on the latest vulnerabilities, news on latest technologies and news on education in InfoSec.

It seems to be updated daily, but only scored Medium with regard to relevance as it focuses on general InfoSec news, whereas other sources outperformed it with regard to focused Cyber-Threat Intelligence and specific vulnerability information.


Name: Composite Blocking List - http://cbl.abuseat.org/

Source Number: 4

RSS Feed: N/A

Description: Focuses on DNS-based blackhole lists and those suspected of e-mail spamming.

Timeliness: Does Not Apply

Relevance: Does Not Apply

Score: 0 / 12

Additional Comments:

Out of date and irrelevant. Last entry was 2014, 6 months ago.

Name: DataBreachToday - www.databreachtoday.com

Source Number: 5

RSS Feed: http://www.databreachtoday.com/rssFeeds.php?type=main

Description: DataBreachToday is owned by the Information Security Media Group Corp. (ISMG), which is a company specializing in coverage of information security, risk management, privacy and fraud.

Timeliness: High

Relevance: High

Score: 12 / 12

Additional Comments:

This website has the same owner as BankInfoSecurity.com, but has more focused articles on Cyber-Threat Intelligence.

A great source to use.

Name: DNS-BH Malware - http://www.malwaredomains.com/

Source Number: 6

RSS Feed: http://www.malwaredomains.com/feeds


Description: This website maintains a list of domains and URLs that are used to distribute malware, Trojans, viruses and spyware etc.

Timeliness: High

Relevance: Medium

Score: 10 / 12

Additional Comments:

This is a great website for those who have the ability to block domains and URLs etc. It is perhaps more suitable for SMEs with a proxy server etc.

It is updated on a near daily basis. It scored Medium for relevance because, if you do not have the ability to block domains and URLs, it can be an irrelevant source.

Name: DSHIELD - www.dshield.org

Source Number: 7

RSS Feed: E-mail only - https://www.dshield.org/register.html

Description: DSHIELD is an open source, community-based system that focuses on the sharing of firewall log data. On receiving these log files, the community then tries to identify attack trends etc.

Timeliness: Medium

Relevance: Low

Score: 6 / 12

Additional Comments:

Although this source scored low in itself, mainly due to it focusing solely on firewall log data, it is used as the data collection engine behind the SANS Internet Storm Center (ISC).

We recommend using the SANS Internet Storm Center directly.

Name: Emerging Threats - www.emergingthreats.net

Source Number: 8

RSS Feed: http://www.emergingthreats.net/about-us/blog/rss.xml


Description: Emerging Threats was acquired by ProofPoint, and describes itself as a provider of commercial and open-source threat intelligence.

Timeliness: Low

Relevance: Low

Score: 4 / 12

Additional Comments:

This source focuses primarily on datasets which can be used with Intrusion Detection Systems such as SNORT. It provides new malware and vulnerability rules each day, however, it publishes very little (if any) Cyber-Threat Intelligence information.

Name: FireEye - www.fireeye.com

Source Number: 9

RSS Feed: Email Only - https://www.fireeye.com/company/fireeye-cyber-attack-alert-subscription.html

Description: FireEye is a large publicly listed USA based organisation. It provides products and services to over 2,500 companies world-wide.

Timeliness: High

Relevance: High

Score: 12 / 12

Additional Comments:

FireEye does provide RSS feeds, but we found there were several to subscribe to and that it was more efficient to sign up to their email newsletter.

FireEye is often the first organisation to report Cyber-Threat Intelligence information such as attacks taking place, or uncovered vulnerabilities etc.

It scored a maximum 12 points due to it being timely, very professional, from a trusted and respected source, and we found their newsletters to be often first to report on breaking Cyber-Threat Intelligence news/feeds.

Name: Forensic Artefacts – www.forensicartefacts.com

Source Number: 10

RSS Feed: Not Applicable


Description: ForensicArtefacts is a repository for useful information that forensic examiners may need to use during their investigations.

Timeliness: Not Applicable

Relevance: Not Applicable

Score: 0 / 12

Additional Comments:

This source is very specifically aimed at Forensic Examiners and that is too narrow a field to be considered a useful resource.

Name: GoogleSecurityBlog -

Source Number: 11

RSS Feed: http://feeds.feedburner.com/GoogleOnlineSecurityBlog

Description: This is a Google security blog which gives the latest information on InfoSec, general IS Security news and how to stay safe online etc.

Timeliness: Medium

Relevance: Medium

Score: 8 / 12

Additional Comments:

This seems more of a ‘general’ blog from Google. Although some articles and feeds are related to Cyber-Threat Intelligence and the latest vulnerability exploits etc., many are on how to stay safe online such as safe browsing habits etc.

Name: GovInfoSecurity - http://www.govinfosecurity.com

Source Number: 12

RSS Feed: http://www.govinfosecurity.com/rssFeeds.php

Description:

GovInfoSecurity is owned by the Information Security Media Group Corp. (ISMG), which is a company specializing in coverage of information security, risk management, privacy and fraud.

Timeliness: High

Relevance: Medium

Score: 10 / 12

Additional Comments:

This website has the same owner as BankInfoSecurity.com and DataBreachToday.

All these websites are similar, and we would suggest subscribing to DataBreachToday only.

Name: HackSurfer - http://www.hacksurfer.com/

Source Number: 13

RSS Feed: http://feeds.feedburner.com/Hacksurfer

Description:

HackSurfer is owned by SurfWatch Labs, which is a commercial company offering ‘Security Risk Intelligence’ to enterprises and SMEs alike.

We recommend signing up to hacksurfer.com’s RSS feed, as this is the free and community based source.

Timeliness: High

Relevance: High

Score: 12 / 12

Additional Comments:

This is a great source of information. We were in agreement that this is the one source you definitely did not want to miss out on.

It is updated daily, is community based, professionally presented, gives the latest information/data on Cyber-Security Intelligence and also vulnerabilities.

Name: iSight Partners - http://www.isightpartners.com

Source Number: 14

RSS Feed: http://www.isightpartners.com/blog/

Description: Describing itself as a ‘global network of security professionals’, iSight Partners offers consultancy and products with regard to Cyber-Threat Intelligence.

Timeliness: Low

Relevance: High

Score: 8 / 12

Additional Comments:

Although we found their data relevant, and their white papers an excellent source of information, we were disappointed as items were often posted many days after events such as vulnerabilities being exploited by cyber-attacks.

Name: MalwareDomainList - http://www.malwaredomainlist.com/

Source Number: 15

RSS Feed: http://www.malwaredomainlist.com/hostslist/mdl.xml

Description: MalwareDomainList

Timeliness: Medium

Relevance: Low

Score: 6 / 12

Additional Comments:

As its name suggests, it provides information on domain names and URLs linked with Trojans, viruses and spamming etc.

It is very specific and too narrowly focused to be broadly relevant.

Name: Microsoft Security Notifications - https://technet.microsoft.com/

Source Number: 16

RSS Feed: https://technet.microsoft.com/en-us/security/rss/bulletin

Description:

Microsoft provides monthly information on Patch Tuesday and also information on bulletin updates and revisions etc.

Due to most SME’s having Microsoft products, subscription is recommended.

Timeliness: Medium

Relevance: Medium

Score: 8 / 12

Additional Comments:

Not fully Cyber-Threat Intelligence, but worth subscribing to. Anyone involved in rating patches etc. should subscribe.


Name: NakedSecurity - https://nakedsecurity.sophos.com/

Source Number: 17

RSS Feed: https://nakedsecurity.sophos.com/feed/

Description:

This blog, by Sophos, is excellent.

Sophos itself is a vendor of security related products, but its NakedSecurityBlog is free and highly recommended to subscribe to.

Timeliness: High

Relevance: High

Score: 12 / 12

Additional Comments:

Alerts were timely, often a matter of hours after an attack taking place etc.

It is also professionally presented, from a reputable security company, and does not push or sell its other related products.

Name: Secunia - http://secunia.com/

Source Number: 18

RSS Feed: http://secunia.com/blog_rss/blog.rss

Description:

Secunia is based in Copenhagen, Denmark and is a leader in Vulnerability Management.

They serve many Fortune 500 companies and are a trusted, reputable organisation.

Timeliness: Medium

Relevance: Medium

Score: 8 / 12

Additional Comments:

Although a leading InfoSec company, their blog and RSS feed were slightly disappointing.

It is still worthwhile signing up to, as their research is often cited, but it seems more geared to serving larger organisations than SMEs.

Their products seem to rival Qualys.

Name: Spamhaus Project - http://www.spamhaus.org/

Source Number: 19

RSS Feed: http://www.spamhaus.org/news/rss/

Description:

Based in Switzerland, Spamhaus describes itself as ‘an international nonprofit organization whose mission is to track the Internet's spam operations and sources, to provide dependable realtime anti-spam protection for Internet networks, to work with Law Enforcement Agencies to identify and pursue spam and malware gangs worldwide, and to lobby governments for effective anti-spam legislation.’

Timeliness: Low

Relevance: Low

Score: 4 / 12

Additional Comments:

Again, this is another source that focuses on a narrow field in InfoSec and does not send alerts on Cyber-Intelligence feeds etc.

I would recommend this source for those organisations that have IT support with Intrusion Detection Systems deployed.

As a source of purely Cyber-Threat Intelligence, it rated Low.

Name: TechRepublic - http://techrepublic.com

Source Number: 20

RSS Feed: http://techrepublic.com.feedsportal.com/c/35463/f/670841/index.rss

Description: TechRepublic, based in the USA, is a trade publication. It aims to give advice on tools and best practice documents for IT management.

Timeliness: High

Relevance: High

Score: 12 / 12

Additional Comments:

Although not specifically aimed at the Cyber-Threat Intelligence community, we found this an excellent source of information.


It was timely (usually updated daily) and although there were many entries on tools that IT professionals could utilize etc., there was also a wealth of information on Cyber-Attacks, on-going Cyber-Attacks taking place and vulnerabilities which were recently uncovered in a multitude of systems.

Overall an excellent source.

Name: TrendLabs - http://blog.trendmicro.com/trendlabs-security-intelligence/

Source Number: 21

RSS Feed: http://feeds.trendmicro.com/Anti-MalwareBlog/

Description:

TrendLabs is part of TrendMicro, the global IT security company.

It is a leader in security for cloud and virtualization technologies, and customers include VMware, Amazon and Microsoft.

Timeliness: High

Relevance: High

Score: 12 / 12

Additional Comments:

Obviously their paid-for products are targeted at large organisations; however, their free feed is excellent.

Its layout is clear and concise, it is timely (usually updated daily) and their feeds are very focused on the current Cyber-Attacks taking place, vulnerabilities discovered and contain many details on available patches and mitigation steps.

A great source.

Name: Zeus Tracker - https://zeustracker.abuse.ch

Source Number: 22

RSS Feed: https://zeustracker.abuse.ch/rss.php

Description: This website looks to track the well-known Trojan, Zeus, which is widely used by Eastern European criminal gangs to steal online banking information among other things.

Timeliness: High

Relevance: High

Score: 12 / 12

Additional Comments:

Although this source focuses on a single Trojan, I believe it is a very relevant Cyber-Security feed.

It alerts on malicious domains and URLs that IT administrators should be logging and be aware of.

Some of our users have received Phishing attempts which correlate with the information supplied in the Zeus feed.

5.2.7 Rating of Feed Information

The second goal of this project was:

G.2 Creating a formal and consistent way to rate Cyber-Threat Intelligence from the feeds.

It is one thing to receive alerts and feeds on Cyber-Attacks/Attackers and vulnerabilities etc., but how would we filter and distil this information before sending it to the relevant parties?

We decided that we needed to create a standard ‘Threat Scoring Document’. This Threat Scoring Document could be attached to alerts which we send to our technology partners and Subject Matter Experts, clearly outlining how we rate the attached threat.

We had a meeting in which we discussed how we could achieve such a rating document.

It was decided that the Threat Intelligence should be evaluated on the basis of three categories: Risk, Vulnerability and Impact. Each factor is weighted from 1 to 10, and combined they provide the Threat Score for the incident in question.

Appendix A shows the full Threat Scoring Document. As can be seen from Appendix A, adding the scores from each of the three categories (Risk, Vulnerability and Impact) gives the total threat score, which is used to determine the severity/threat rating according to the table below:

Score    Severity    Threat Rating    Action
3-6      5           Negligible       Monitor
7-12     4           Low              Monitor
13-17    3           Medium           Review controls for effectiveness / prep for possible escalation or patch deployment
18-25    2           High             Initiate vulnerability management countermeasures
26-30    1           Extreme          Activate Incident Response Team
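The Threat Scoring Document's arithmetic carried through in code, as an added example that is not part of the thesis or Appendix A. Each of Risk, Vulnerability and Impact is validated as a whole number from 1 to 10, the three are added, and the sum is mapped to the severity table above; a self-check confirms that the bands cover every possible sum from 3 to 30 exactly once, and a triage function orders a batch of scored alerts for dispatch. The alert titles and factor values are constructed samples, and the dict field names are my own choice.

```python
"""Threat Scoring Document: Risk + Vulnerability + Impact -> severity, rating, action.

Added example, not code from the thesis. Each factor is an integer from 1 to 10
(thesis 5.2.7); the sum, from 3 to 30, is mapped to the severity table. The
alerts at the bottom are constructed samples, not real events.
"""

# (lowest score, highest score, severity, threat rating, action), from the thesis table.
SEVERITY_BANDS = [
    (3, 6, 5, "Negligible", "Monitor"),
    (7, 12, 4, "Low", "Monitor"),
    (13, 17, 3, "Medium",
     "Review controls for effectiveness / prep for possible escalation or patch deployment"),
    (18, 25, 2, "High", "Initiate vulnerability management countermeasures"),
    (26, 30, 1, "Extreme", "Activate Incident Response Team"),
]

FACTORS = ("risk", "vulnerability", "impact")


def valid_factor(value):
    """A factor is a whole number from 1 to 10 (bool is rejected even though it is an int)."""
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 10


def threat_score(risk, vulnerability, impact):
    """Total threat score: the three factors added together, after range checks."""
    for name, value in zip(FACTORS, (risk, vulnerability, impact)):
        if not valid_factor(value):
            raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")
    return risk + vulnerability + impact


def classify(score):
    """Look the score up in the severity bands; boundaries are inclusive on both ends."""
    for low, high, severity, rating, action in SEVERITY_BANDS:
        if low <= score <= high:
            return {"score": score, "severity": severity, "rating": rating, "action": action}
    raise ValueError(f"score {score} is outside the 3..30 range the table covers")


def bands_are_complete():
    """Check the table itself: every possible sum must fall into exactly one band."""
    return all(sum(1 for low, high, *_ in SEVERITY_BANDS if low <= s <= high) == 1
               for s in range(3, 31))


def score_alert(alert):
    """Return a copy of the alert with the Threat Scoring Document fields attached."""
    result = classify(threat_score(alert["risk"], alert["vulnerability"], alert["impact"]))
    return {**alert, **result}


def triage(alerts):
    """Score a batch and order it most severe first (severity 1 = Extreme), then by score."""
    return sorted((score_alert(a) for a in alerts),
                  key=lambda a: (a["severity"], -a["score"]))


# Constructed sample alerts (not real incidents).
SAMPLE_ALERTS = [
    {"title": "Patch released for internal reporting tool",
     "risk": 4, "vulnerability": 5, "impact": 4},
    {"title": "Zero-day in internet-facing web server, exploited in the wild",
     "risk": 9, "vulnerability": 9, "impact": 9},
    {"title": "Spam campaign already blocked by mail filter",
     "risk": 2, "vulnerability": 1, "impact": 2},
]

if __name__ == "__main__":
    assert bands_are_complete()
    for a in triage(SAMPLE_ALERTS):
        print(f"{a['score']:>2}  {a['rating']:<10} {a['title']}  ->  {a['action']}")
```

Because the bands are inclusive at both ends, a score of 12 is Low and 13 is Medium; the completeness check is worth keeping in any re-tuning of the table, since a gap or overlap between bands would silently leave some alerts unclassified or doubly classified.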

5.2.8 Round Two – Updates to the Artefact

After a further two weeks of using the RSS feeds, emails and alerts, some new sources of information were uncovered. We believe this will continue and that, as the Cyber-Threat Intelligence Program matures, we will uncover further sources of information and feeds etc.

The sources in question were:

Name: Bugtraq - http://www.securityfocus.com/archive/1

Source Number: 23

RSS Feed: http://www.securityfocus.com/rss/news.xml

Description: A long-standing electronic mailing list dedicated to Computer Security.

Timeliness: High

Relevance: Medium

Score: 8 / 12

Additional Comments:

Being community driven and free, it meets our criteria. The only downside is that it can contain a lot of irrelevant information, e.g. on vulnerabilities and exploits of systems which you may not have, as there is no filter.

Name: Full Disclosure

Source Number: 24

RSS Feed: http://seclists.org/rss/fulldisclosure.rss

Description:

Described as ‘a public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community.’

Timeliness: High

Relevance: High

Score: 12 / 12

Additional Comments:

This is an excellent mailing list. Professionally presented, timely and full of information that can be used to harden security posture.

A great source.

Name: Symantec - http://www.symantec.com/

Source Number: 25

RSS Feed: Both: http://www.symantec.com/xml/rss/listings.jsp?lid=latestthreats30days and http://www.symantec.com/xml/rss/listings.jsp?lid=advisories

Description:

Symantec is the well known global security company.

It is a Fortune 500 company specializing in security and information management.

Timeliness: High Relevance: High

Score: 12 / 12

Additional Comments:

Symantec offers two feeds, one based on threats and one based on vulnerabilities.

Excellently presented, timely and all-round great source of information.

Name: ThreatPost - https://threatpost.com

Source Number: 26

RSS Feed: https://threatpost.com/feed

Description: Threatpost is the ‘Kaspersky Labs’ security news service. It is a leading source of information about IT and data security.

Timeliness: High Relevance: High

Score: 12 / 12

Additional Comments:

This site is excellent.

It has recently undergone a redesign, and is now much easier to navigate.
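All of the round-two sources are consumed as RSS feeds, and the Bugtraq comment above notes the main cost of an unfiltered list: most items concern systems the organisation does not run. The following is an added example, not the thesis's code, of the filtering step a program like this needs: it parses an RSS 2.0 feed with the Python standard library and keeps only items that mention a product on the organisation's asset watchlist, routing each to an owner. The feed content, product names and team names are constructed placeholders.

```python
"""Watchlist filter for a security mailing-list RSS feed (added example).

Keeps only feed items that mention a product the organisation runs, so an
unfiltered source such as a general vulnerability list produces less noise.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample feed; the products, advisories and URLs are fictitious.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example security list (constructed)</title>
    <item>
      <title>Advisory: input validation flaw in ExampleCMS 4.2</title>
      <link>https://list.example.invalid/2015/0001</link>
      <description>Vendor patch available for ExampleCMS 4.2 and earlier.</description>
      <pubDate>Mon, 02 Mar 2015 09:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Re: AcmeMail server crash on malformed header</title>
      <link>https://list.example.invalid/2015/0002</link>
      <description>Follow-up discussion; fix expected in the next AcmeMail release.</description>
      <pubDate>Mon, 02 Mar 2015 11:30:00 GMT</pubDate>
    </item>
    <item>
      <title>Tool release: WidgetScan 0.9</title>
      <link>https://list.example.invalid/2015/0003</link>
      <description>New version of a port scanner, unrelated to any product we run.</description>
      <pubDate>Tue, 03 Mar 2015 08:15:00 GMT</pubDate>
    </item>
  </channel>
</rss>
"""

# Constructed asset watchlist: product name -> internal owner to notify.
WATCHLIST = {
    "ExampleCMS": "web-team",
    "AcmeMail": "messaging-team",
}


def parse_feed(xml_text):
    """Return one dict (title, link, description, published) per <item>."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "description": (item.findtext("description") or "").strip(),
            "published": (item.findtext("pubDate") or "").strip(),
        })
    return items


def matched_products(item, watchlist=WATCHLIST):
    """Watchlist products mentioned in the item's title or description.
    Whole-word, case-insensitive match, so 'AcmeMailer' does not match 'AcmeMail'."""
    text = f"{item['title']} {item['description']}"
    return [p for p in watchlist
            if re.search(rf"\b{re.escape(p)}\b", text, re.IGNORECASE)]


def filter_feed(xml_text, watchlist=WATCHLIST):
    """Keep only items that mention a watchlist product; attach the owners to notify."""
    relevant = []
    for item in parse_feed(xml_text):
        hits = matched_products(item, watchlist)
        if hits:
            relevant.append({**item, "products": hits,
                             "notify": sorted({watchlist[p] for p in hits})})
    return relevant


if __name__ == "__main__":
    for entry in filter_feed(SAMPLE_RSS):
        print(f"{entry['published']}  {entry['title']}  -> {', '.join(entry['notify'])}")
```

In practice the feed text would come from the source's RSS URL and the watchlist from the asset inventory; keeping the match whole-word and case-insensitive avoids both missed items (different capitalisation) and false hits on similarly named products.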
