Title: AWS re:Inforce 2024 - Cyber threat intelligence sharing on AWS (TDR305)
Insights:
- Definition and Importance of Cyber Threat Intelligence (CTI): CTI involves collecting and evaluating threat information to inform cyber defense. It includes actor attribution, tactics, techniques, procedures, motives, and targets. The primary benefit is staying ahead of potential threats by sharing information about known vulnerabilities and attacks, allowing for proactive measures.
- Trust Communities: These are essential for building a common threat picture. They are typically formed around sectors with similar assets and vulnerabilities, such as the financial services sector. Trust communities enable sector-specific and context-specific sharing of CTI, which helps prioritize and action defensive measures in near real-time.
- CTI Lifecycle: The lifecycle includes terrain planning (understanding assets), collection and situational awareness (visibility based on assets and threats), processing and analysis (turning data into intelligence), sharing (internal and external), and action (making intelligence actionable).
- Regulatory Context: Various global regulations encourage or mandate CTI sharing. Examples include the EU's DORA and NIS2, Australia's SOCI, and the US's CISA. These regulations aim to foster collaboration and collective defense.
- Australian Case Study: The Australian Cyber Security Centre's CTIS program is a platform for industry and government to share CTI at machine speed, improving the resilience of Australia's digital economy. It uses industry-standard formats and protocols like MISP, STIX, and TAXII for interoperability.
- AWS's Role in CTI: AWS uses its large network footprint to gather threat intelligence through tools like Madpot and Sonaris. These tools help capture and study attacker methods, which inform AWS security services like GuardDuty, Shield, and Inspector.
- Implementing CTI on AWS: Deploying a threat intelligence platform like OpenCTI on AWS involves integrating with trust communities, automating firewall rules, and using services like AWS Network Firewall, Route 53 Resolver DNS Firewall, and GuardDuty for detection and prevention.
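An added example of the firewall-automation step described above; it is not AWS's or OpenCTI's code. It reads a constructed STIX 2.1 bundle of the shape a TAXII pull from a platform like OpenCTI returns, keeps only indicators that are still valid, not revoked, well-formed and outside local address space, and renders them into the payloads that the AWS Network Firewall UpdateRuleGroup and Route 53 Resolver DNS Firewall UpdateFirewallDomains APIs take. Every indicator, STIX id, ARN and domain-list id is a constructed placeholder; the Suricata rule syntax and the $HOME_NET variable are assumptions about how the stateful rule group is configured, and the live call in apply_to_aws is only reached when you supply credentials and real resource ids.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone


def _ind(n, pattern, valid_until="2030-01-01T00:00:00.000Z", **extra):
    # Helper to build constructed STIX 2.1 indicator objects for the sample bundle.
    return {"type": "indicator", "id": f"indicator--{n}", "pattern_type": "stix",
            "pattern": pattern, "valid_until": valid_until, **extra}


# Constructed bundle shaped like a TAXII poll result; every value is made up.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0001", "objects": [
    _ind("0001", "[ipv4-addr:value = '198.51.100.23']"),
    _ind("0002", "[domain-name:value = 'Update-Check.example.']"),   # needs normalising
    _ind("0003", "[ipv4-addr:value = '203.0.113.0/24'] OR [domain-name:value = 'cdn-assets.example']"),
    _ind("0004", "[ipv4-addr:value = '192.0.2.77']", valid_until="2020-01-01T00:00:00.000Z"),  # expired
    _ind("0005", "[ipv4-addr:value = '10.0.0.5']"),                   # RFC 1918: a feed error
    _ind("0006", "[domain-name:value = 'revoked.example']", revoked=True),
    {"type": "malware", "id": "malware--0001", "name": "constructed loader"},
]})

_COMPARISON = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']*)'\]")
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# A shared indicator inside these ranges is a data error; blocking it would cut local traffic.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def _valid_ipv4(value):
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return net.version == 4 and not any(net.overlaps(local) for local in _LOCAL_NETS)


def extract_indicators(bundle_json, now=None):
    """Pull usable ipv4-addr and domain-name comparisons out of STIX indicator
    patterns, dropping revoked, expired, malformed and duplicate entries."""
    now = now or datetime.now(timezone.utc)
    found = {"ipv4": [], "domain": [], "rejected": []}
    seen = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if obj.get("revoked"):
            found["rejected"].append((obj["id"], "revoked"))
            continue
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
            found["rejected"].append((obj["id"], "expired"))
            continue
        for kind, raw in _COMPARISON.findall(obj.get("pattern", "")):
            value = raw.strip().lower().rstrip(".")
            ok = _valid_ipv4(value) if kind == "ipv4-addr" else bool(_DOMAIN_RE.match(value))
            bucket = "ipv4" if kind == "ipv4-addr" else "domain"
            if not ok:
                found["rejected"].append((obj["id"], f"malformed {kind} {value!r}"))
            elif (bucket, value) not in seen:
                seen.add((bucket, value))
                found[bucket].append((value, obj["id"]))
    return found


def build_network_firewall_rules(ipv4_indicators, sid_base=1000001):
    """One Suricata-compatible drop rule per indicator; a Network Firewall
    stateful rule group takes this text as RulesSource.RulesString."""
    lines = []
    for offset, (value, stix_id) in enumerate(ipv4_indicators):
        tag = re.sub(r"[^A-Za-z0-9-]", "", stix_id)   # keep quotes/semicolons out of msg
        lines.append(f'drop ip $HOME_NET any -> {value} any '
                     f'(msg:"CTI block {tag}"; sid:{sid_base + offset}; rev:1;)')
    return "\n".join(lines)


def firewall_update_payloads(found, rule_group_arn, domain_list_id):
    """Assemble both API payloads without touching AWS (ids are placeholders)."""
    return {
        "network_firewall": {"RuleGroupArn": rule_group_arn, "RuleGroup": {
            "RulesSource": {"RulesString": build_network_firewall_rules(found["ipv4"])}}},
        "dns_firewall": {"FirewallDomainListId": domain_list_id, "Operation": "ADD",
                         "Domains": [value for value, _ in found["domain"]]},
    }


def apply_to_aws(payloads):
    """Live path: needs credentials and real resource ids. UpdateRuleGroup
    replaces the whole rule set, so the UpdateToken guards against clobbering
    a concurrent edit; the DNS Firewall ADD is incremental."""
    import boto3  # imported here so the offline path has no AWS dependency
    nfw = boto3.client("network-firewall")
    token = nfw.describe_rule_group(
        RuleGroupArn=payloads["network_firewall"]["RuleGroupArn"])["UpdateToken"]
    nfw.update_rule_group(UpdateToken=token, **payloads["network_firewall"])
    boto3.client("route53resolver").update_firewall_domains(**payloads["dns_firewall"])


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_BUNDLE)
    print(json.dumps(firewall_update_payloads(
        found, "arn:aws:network-firewall:REGION:ACCOUNT:stateful-rulegroup/PLACEHOLDER",
        "rslvr-fdl-PLACEHOLDER"), indent=2))
    for stix_id, reason in found["rejected"]:
        print("skipped", stix_id, reason)
```

Running the file prints the two payloads and the skipped indicators with the reason for each. Because UpdateRuleGroup replaces the whole RulesString, regenerate it from the full current indicator set on every poll rather than appending; that is also what lets expired indicators age out of the firewall instead of accumulating.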
- Centralizing Logs with Security Lake: Amazon Security Lake centralizes, organizes, and normalizes security data from various sources, making it easier to analyze and act upon. It stores data in the Open Cybersecurity Schema Framework (OCSF) for better integration with other tools.
- Advanced Analytics and Automation: Using tools like Amazon SageMaker Notebooks for threat hunting and machine learning can enhance detection and response capabilities. Continuous improvement through red and blue team exercises helps refine detection analytics and improve defenses.
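An added example covering the two points above (OCSF-normalized data in Security Lake, and notebook-style hunting refined through red/blue exercises); it is not AWS's notebook code and not from the talk. It runs the kind of indicator match a SageMaker notebook would perform over Security Lake data, here against a handful of constructed OCSF-shaped records (class_uid 4001 Network Activity and 4003 DNS Activity) held as Python dicts rather than fetched through Athena. The indicator set and every address and hostname are made up; the field paths dst_endpoint.ip, src_endpoint.ip and query.hostname follow the OCSF schema, and the suffix match on domains (a sub-domain of a shared indicator also fires) is an assumption about how broadly you want to match. The last function supports the exercise loop: given the events a red team planted, it lists which ones the hunt missed.

```python
import ipaddress
from collections import defaultdict

# Constructed indicator set as a trust community would share it; not real IoCs.
INDICATORS = {"ipv4": {"198.51.100.23", "203.0.113.0/24"},
              "domain": {"update-check.example"}}

# Constructed records shaped like OCSF events in Security Lake: class_uid 4001
# (Network Activity, e.g. VPC flow logs) and 4003 (DNS Activity, e.g. Route 53
# resolver query logs). Field paths follow OCSF; time is epoch milliseconds.
SAMPLE_EVENTS = [
    {"class_uid": 4001, "time": 1717232400000, "src_endpoint": {"ip": "172.31.5.10"},
     "dst_endpoint": {"ip": "198.51.100.23", "port": 443}},
    {"class_uid": 4001, "time": 1717232460000, "src_endpoint": {"ip": "172.31.5.10"},
     "dst_endpoint": {"ip": "203.0.113.40", "port": 8443}},
    {"class_uid": 4001, "time": 1717232520000, "src_endpoint": {"ip": "172.31.9.2"},
     "dst_endpoint": {"ip": "192.0.2.9", "port": 443}},
    {"class_uid": 4003, "time": 1717232580000, "src_endpoint": {"ip": "172.31.9.2"},
     "query": {"hostname": "cdn.update-check.example."}},
    {"class_uid": 4003, "time": 1717232640000, "src_endpoint": {"ip": "172.31.9.2"},
     "query": {"hostname": "wiki.internal.example"}},
]


class IndicatorIndex:
    """Indicators pre-parsed for matching: CIDR-aware for addresses, suffix-aware
    for domains (a sub-domain of a shared indicator also matches)."""

    def __init__(self, indicators):
        self.networks = [ipaddress.ip_network(v, strict=False) for v in indicators["ipv4"]]
        self.domains = {d.lower().rstrip(".") for d in indicators["domain"]}

    def match_ip(self, value):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        return next((str(n) for n in self.networks if addr in n), None)

    def match_domain(self, hostname):
        labels = hostname.lower().rstrip(".").split(".")
        # walk from the full name up to, but excluding, the bare TLD
        return next((".".join(labels[i:]) for i in range(len(labels) - 1)
                     if ".".join(labels[i:]) in self.domains), None)


def hunt(events, index):
    """Return one hit per event whose destination address or queried name
    matches a community indicator."""
    hits = []
    for ev in events:
        if ev.get("class_uid") == 4001:
            observed = ev.get("dst_endpoint", {}).get("ip", "")
            ioc, kind = index.match_ip(observed), "ipv4"
        elif ev.get("class_uid") == 4003:
            observed = ev.get("query", {}).get("hostname", "")
            ioc, kind = index.match_domain(observed), "domain"
        else:
            continue
        if ioc:
            hits.append({"time": ev.get("time"), "src_ip": ev.get("src_endpoint", {}).get("ip"),
                         "class_uid": ev["class_uid"], "observed": observed,
                         "indicator": ioc, "kind": kind})
    return hits


def rank_sources(hits):
    """Triage order: a host that touched several distinct indicators is a stronger
    lead than many hits on one. Returns (src_ip, distinct_count, indicators)."""
    per_src = defaultdict(set)
    for h in hits:
        per_src[h["src_ip"]].add(h["indicator"])
    return sorted(((src, len(s), sorted(s)) for src, s in per_src.items()),
                  key=lambda r: (-r[1], r[0]))


def detection_gaps(planted, hits):
    """After a red/blue exercise: which planted (src_ip, observed value) pairs did
    the hunt miss? Each miss is an indicator, normalisation step or field path
    to add before the next round."""
    seen = {(h["src_ip"], h["observed"]) for h in hits}
    return [pair for pair in planted if pair not in seen]


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS, IndicatorIndex(INDICATORS))
    for h in found:
        print(h)
    print(rank_sources(found))
```

In a real notebook the events come from an Athena query over the Security Lake tables, but the matching logic is the same because OCSF gives VPC flow logs, Route 53 query logs and third-party sources one set of field names; that is the practical payoff of the normalization the section describes.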
Quotes:
- "Cyber threat intelligence is threat information that has been collected and evaluated. So it's evidence-based data that you can use to inform your cyber defense."
- "One of the main benefits of cyber threat intelligence is that it allows you to stay ahead of potential threats."
- "Security is everyone's responsibility and security is job zero. It really is a team sport."
- "No single organization can mitigate these threats on their own."
- "The ultimate goal of cyber threat intelligence is when a new attack happens, it is analyzed, it is profiled, it is turned into wisdom, it is turned into cyber threat intelligence."
- "Our scale gives us some pretty unparalleled visibility into certain activities on the internet in real time."
- "Security is a team sport and threat-informed collective defense is the goal."
- "The more you can automate the better and it's gonna move you from a reactive state to a proactive state and help foster that collaborative defense."