SANS2017情报调查报告.pdf
Interested in learning more about security?
SANS Institute InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

Cyber Threat Intelligence Uses, Successes and Failures: The SANS 2017 CTI Survey
Respondents' biggest challenges to effective implementation of cyber threat intelligence (CTI) are lack of
trained staff, funding, time to implement new processes, and technical capability to integrate CTI, as well as
limited management support. Those challenges indicate a need for more training and easier, more intuitive
tools and processes to support the use of CTI in today's networks. These and other trends and best practices
are covered in this report.
Copyright SANS Institute
Author Retains Full Rights
©2017 SANS™ Institute
A SANS Survey
Written by Dave Shackleford
Advisor: Robert M. Lee
March 2017
Sponsored by
Anomali, Arbor Networks, DomainTools, LookingGlass Cyber Solutions,
Rapid7, and ThreatConnect
Cyber Threat Intelligence Uses, Successes and Failures: The SANS 2017 CTI Survey

Executive Summary

Over the past year, Yahoo revealed the largest data breaches in history,[1] and nation-state hacking activity was suspected in tampering with the U.S. presidential election.[2] More vulnerabilities are being found (and exploited) in mobile and Internet of Things (IoT) platforms, and the first true IoT botnet (Mirai) became a threat that was operationalized to take down Deutsche Telekom, KCOM and Irish telco Eir in December 2016. The attacks continue to spread through different types of IoT devices and target more businesses, types of routers, and other devices they can use to wreak havoc on the businesses they target.[3] Malware is more sophisticated in avoiding detection, and ransomware has become the top threat affecting organizations,[4] according to the SANS 2016 Threat Landscape Survey. IT security teams are struggling just to keep up, as they have throughout Internet history, let alone get ahead of the attackers.
Cyber threat intelligence (CTI) shows promise in making these types of threats
easier to detect and respond to, according to our recently conducted survey on
cyber threat intelligence. In this, our third survey on CTI, 60% of organizations
overall are using CTI, while another 25% plan to. As we might expect, small
organizations with fewer than 2,000 employees are less likely to plan to use CTI.
Of those using CTI, 78% felt that it had improved their security and response
capabilities, up from 64% in our 2016 CTI survey.
CTI adopters are also facing challenges. In this survey, their biggest challenges to the effective implementation of CTI are a lack of trained staff, lack of funding, lack of time to implement new processes, and lack of technical capability to integrate CTI, as well as limited management support. Those challenges indicate a need for more training, as well as easier, more intuitive tools and processes to support the ever-growing use of CTI in today’s networks. These and other trends and best practices are covered in this report.
SANS ANALYST PROGRAM

[1] www.nytimes.com/2016/12/14/technology/yahoo-hack.html?_r=0
[2] www.bbc.com/news/world-us-canada-38538002
[3] www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis
[4] “Exploits at the Endpoint: SANS 2016 Threat Landscape Survey,” www.sans.org/reading-room/whitepapers/firewalls/exploits-endpoint-2016-threat-landscape-survey-37157
[5] www.sans.org/course/cyber-threat-intelligence
CTI Defined

The SANS CTI Forensics course defines CTI as the “collection, classification, and exploitation of knowledge about adversaries.”[5] This includes, in particular, information about adversaries’ tactics in order to detect and block them. As one of the course’s primary authors describes it, “CTI is analyzed information about the intent, opportunity and capability of cyber threats.”
CTI Teams and Skills

60% actively use CTI, with another 25% planning to
47% utilize in-house staff combined with service providers to conduct CTI
47% rate awareness of attack patterns and indicators of compromise (IoCs) as their most in-demand skills for leveraging CTI in detection and response
65% have a dedicated team that focuses on CTI
44%—the vast majority—operate from the cyber security teams
“Exploits on removable media forced us to implement controls banning their use in our info system. Without credible CTI and use cases, we would not have known to implement the control in our organization.”
—2017 CTI survey respondent
Who’s Using CTI

Of the 600 respondents to take this survey, 60% utilize CTI for detection and response, while another 25% plan to in the future. The remaining 15% have no plans to adopt CTI practices.
Who Took This Survey
Respondents represented a broad range of industries. The top verticals included government, banking and finance, technology, and cyber security, with a mix of others that include education, healthcare, manufacturing and telecommunications. Thirty-eight percent of respondents worked in organizations with 2,000–50,000 employees, and 19% were in organizations larger than 50,000. Forty-three percent of organizations represented have 2,000 employees or fewer. See Figure 1.
The majority of organizations have operations in the United States (over 75%), with 40%
operating in Europe and 34% in Asia. A mix of organizations has operations in Canada,
Australia/New Zealand, the Middle East, South America and Africa, too. The U.S. housed
the headquarters of 67%, with 13% based in Europe and 7% headquartered in Asia.
The roles of respondents also varied widely. Security administrators or analysts made up 25% of the sample (far fewer than last year), with another 13% in security management and executive roles (CSO and CISO). Over 16% were in IT operations or IT management, and many other roles were listed, including security architects, security researchers, CTI analysts and more. This year, 6% of respondents carry the title of “cyber threat intelligence analyst” or a similar title, compared to 1% who held such a role in 2016.[6]
Figure 1. Workforce Size (bar chart, 0%–20%). Survey question: “What is the size of the workforce at your organization, including employees, contractors and consultants?” Categories: Fewer than 100; 101–1,000; 1,001–2,000; 2,001–5,000; 5,001–10,000; 10,001–15,000; 15,001–50,000; 50,001–100,000; More than 100,000.
[6] “The SANS State of Cyber Threat Intelligence Survey: CTI Important and Maturing,” www.sans.org/reading-room/whitepapers/analyst/state-cyber-threat-intelligence-survey-cti-important-maturing-37177
Using Threat Intelligence
As security teams become more comfortable with leveraging CTI, many are constantly seeking new and varied sources of threat data. This year’s survey reveals a significant shift toward developing internal threat intelligence, as well. Currently, 8% of teams are producing raw threat intelligence, with another 7% producing finished reports on their own.

The majority are still consuming data from elsewhere, though, with roughly 40% consuming raw data and 47% consuming finished intelligence reports from vendors and other sources. Many are also producing and consuming both, as shown in Figure 2.

Raw CTI data creation and consumption are critical for organizations to cultivate, as these data are the most usable in correlation and analysis. This can be incredibly time-consuming, however. Consuming “finished” threat intelligence reports from outside sources is most definitely the easiest way to obtain this threat data and potentially put it to use.
Raw Threat Intelligence: Indicators of compromise and other potential identifiers of malicious behavior that can be used to look for threats or apply preventive, detective or responsive actions.

Finished Intelligence Report: Threat intelligence data that has been analyzed in context with other information and applied specifically to the organization and its use cases.
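The report's point that raw indicators are the most usable form of CTI for correlation is easiest to see with a small ingest-and-match pipeline. The following is an added example, not code from the SANS report or any of its sponsors; the CSV feed layout, the defanging conventions (`[.]`, `hxxp`), and the proxy log format are constructed for illustration, as are the indicator values and log lines themselves. It parses a raw feed, normalizes the defanged values, filters by the feed's stated confidence, and correlates the indicators against log events by type, which is the detective use the sidebar describes.

```python
"""Correlate a raw CTI indicator feed against proxy log lines.

Added example (not from the SANS report). Feed format, defanging style,
log format and all values below are constructed for illustration.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed raw feed. Many sharing communities publish indicators
# "defanged" (dots bracketed, hxxp scheme) so they cannot be clicked.
RAW_FEED = """type,value,confidence,source
domain,evil-updates[.]example,high,isac-feed
ipv4,203[.]0[.]113[.]45,medium,vendor-a
url,hxxp://cdn-static[.]example/payload.bin,high,vendor-a
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,high,internal-ir
"""

# Constructed proxy log lines: timestamp client destination method url sha256-of-download ("-" if none).
LOG_LINES = [
    "2017-03-01T10:00:01Z 10.0.0.5 evil-updates.example GET http://evil-updates.example/check -",
    "2017-03-01T10:00:07Z 10.0.0.9 www.example.org GET http://www.example.org/index.html -",
    "2017-03-01T10:01:13Z 10.0.0.5 203.0.113.45 GET http://203.0.113.45/a -",
    "2017-03-01T10:02:44Z 10.0.0.7 cdn-static.example GET http://cdn-static.example/payload.bin "
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
]


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    confidence: str
    source: str


def refang(value: str) -> str:
    """Undo common defanging so feed values compare equal to real log values."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.strip().lower()


def parse_feed(text: str) -> list[Indicator]:
    """Parse the constructed CSV feed into normalized Indicator records."""
    reader = csv.DictReader(io.StringIO(text))
    return [Indicator(r["type"], refang(r["value"]), r["confidence"], r["source"]) for r in reader]


def parse_log(line: str) -> dict:
    """Split one constructed proxy log line into named, lower-cased fields."""
    ts, client, dest, method, url, digest = line.split()
    return {"ts": ts, "client": client, "dest": dest.lower(),
            "method": method, "url": url.lower(), "sha256": digest.lower()}


def correlate(indicators, lines, accepted_confidence=("medium", "high")):
    """Return (timestamp, client, ioc_type, indicator, source) for every log event
    whose relevant field matches an indicator of the same type and sufficient confidence."""
    by_type: dict[str, dict[str, Indicator]] = {}
    for ind in indicators:
        if ind.confidence in accepted_confidence:
            by_type.setdefault(ind.ioc_type, {})[ind.value] = ind

    hits = []
    for line in lines:
        ev = parse_log(line)
        # Which log field each indicator type is compared against.
        candidates = {"domain": ev["dest"], "ipv4": ev["dest"],
                      "url": ev["url"], "sha256": ev["sha256"]}
        for ioc_type, field in candidates.items():
            ind = by_type.get(ioc_type, {}).get(field)
            if ind is not None:
                hits.append((ev["ts"], ev["client"], ioc_type, ind.value, ind.source))
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_feed(RAW_FEED), LOG_LINES):
        print("HIT", *hit)
```

The confidence filter is where the "time-consuming" part of raw CTI shows up in practice: the medium-confidence address only produces a hit when the analyst chooses to accept that tier, and every accepted tier adds triage load, which is the trade-off the report draws against consuming finished reports.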
Figure 2. CTI Production/Consumption (bar chart, 0%–100%). Survey question: “Indicate whether your organization produces or consumes cyber threat intelligence (CTI) in terms of raw data and/or finished threat intelligence reports.” Series: Raw threat data; Finished threat intelligence reports. Categories: Produce; Consume; Both.