HCINT supports a variety of incident detection and response use cases and empowers organizations to make fast, confident decisions when defending against new and emerging cyber threats.
· A large database of IOCs, attack signatures, malware signatures, security events and threat information is stored and maintained.
· Collects intelligence and threat data in real time, with timely updates on mining trends and cyberattacks worldwide.
· Correlates the properties of malicious code and network attack campaigns.
· Allows threat information sharing between agencies and organizations that operate a Threat Intelligence system.
· Allows threat information to be shared with different security products such as SIEM, anti-virus and IDS/IPS...
· Provides the ability to search and look up information about threats that can affect the system, including security vulnerabilities, attack groups, cyberattack campaigns, advanced malware, IP addresses, domains, URLs, files, hashes...
· Maintains intelligence and aggregated data from hacking forums, the dark web, black-market trading and similar underground sources, which contain a great deal of sensitive information.
· Data is stored in a structured way, allowing simple searching, and can be customized in some cases.
· Allows data to be exported in many formats, such as OpenIOC, CSV, XML, JSON, STIX and IDS..., for inclusion in other defense systems.
· Information can be exchanged via API. Two types of API are available: a basic API covering IOC information, attack campaigns and event interaction, and an advanced API that retrieves additional IOC information from other Threat Intelligence sources.
· Events and IOCs are clearly classified, support tagging, and integrate with MITRE ATT&CK.
· Maintains a database of information about leaked data being bought and sold and sensitive information exposed on different channels.
· Automates threat hunting as new or recurring critical data sources become available.
Benefits gained from HCINT
HCINT not only continuously monitors Threat Intelligence data sources, but also integrates OSINT sources to provide clear information that supports monitoring, processing and investigation, delivering more accurate attack signature detection results.
· Integrates with defense solutions, providing knowledge that enhances early alerting and prevention capabilities.
· Shares knowledge with other organizations to enhance security for the country and the world.
· Significantly reduces the time needed for information security incident investigation and response thanks to in-depth information.
· Periodic threat hunting is performed effectively through automated workflows or manual searching.
· Alerts promptly when there is a risk of data leakage or brand damage.
· Alerts when an organization's sensitive keywords appear on different security channels and platforms.
· Reduces the false positive rate when implementing information security assurance.
· Periodically reports on the latest trends, threats and vulnerabilities relevant to the organization.
HCINT extensive threat sources
The core strength of a Threat Intelligence system is its ability to efficiently aggregate extensive information and data and to share it. HCINT's persistent data sources include:
· Threat Intelligence data shared by security organizations, NCSC centers, reputable individuals in the security field, and private data sources.
· IOC sources (IP addresses, domains, hashes, URLs, files...) from nearly a hundred sources around the world, feeding other security solutions to enhance their ability to identify attacks against the system.
· Knowledge gained during incident response and monitoring for various HPT systems.
· Knowledge gained through research and analysis of incidents, new campaigns and complex attack chains occurring worldwide, such as new advanced malware, new exploitation techniques and 0-day vulnerabilities…
· Information and knowledge shared via social networks such as Twitter, Facebook and Telegram...
· Black-market data sources such as the dark web, onion sites and hacking forums...
· Support for APIs and standard data formats for sharing, such as STIX/TAXII, JSON and plain text...
· Continuous monitoring of sources of CVEs, new vulnerabilities, MITRE ATT&CK, APT groups, the latest security news, and emerging attack groups and campaigns.
Implementation model