Collaborative Cyber Threat Intelligence: Detecting and Responding to Advanced Cyber Attacks at the National Level by Florian Skopik

Author:Florian Skopik
Language: eng
Format: azw3, pdf
Publisher: CRC Press
Published: 2017-10-16T04:00:00+00:00

Figure 5.7 Simple schematic of NDN architecture.

Concerning the latter, both target groups have similar (browser-based) web access to their respective MISP environments. Specialists in the respective partner organizations can use this channel to log on to the appropriate MISP instantiation and review the threat information that is in store. On top of this, NDN encompasses specific technical interfaces that facilitate automation. Here the following applies:

The platform for private partners is equipped with an API32 through which native security solutions can be integrated with the NDN’s threat information feed. Partners can for instance use this to automatically feed detection signatures into their SIEM solutions, similar to the setup seen in the telco community (see previous section). The extent to which such integration is indeed established is currently left at the discretion of each partner.

The MISP instance maintained for government bodies can interface directly with IDS sensors in governmental ICT networks. These sensors are offered by the NCSC but installed and maintained by the government agencies themselves. They interact with the NCSC’s MISP environment (see Figure 5.7) on a bidirectional basis. Specifically, IDS sensors are automatically fed with detection signatures (deduced from threat information), and the IDS reports so called “sightings” (i.e., actual “hits” on a particular threat indicator) back to the centralized CTI platform. Such “sightings” alert the NCSC of potential incidents and strengthen its overall situational awareness.

This differentiated setup stems from the fact that the NCSC is itself part of the national government, and as such is considered the same legal entity as other government bodies.33 Having said this, the NCSC would like to extend the NDN with threat information (voluntarily) supplied by private partners. The aforementioned API was in fact already prepared for such collection. At present, however, the interaction with private partners is largely one-way. This will be addressed further in the “lessons learned” section.

Participation in NDN is strictly voluntary, for both private organizations and the government. In its daily practice, NDN is operated by a dedicated team of analysts. For governance purposes, the community established a formal steering committee comprised of the NCSC itself and a selection of public and private partners. This steering committee serves to govern the NDN road map (e.g., platform functionality, member expansion) and resolve any operational or organizational issues.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.