Anatomy of Upstream Intelligence
(Article 2 of 3)
by Tyson Macaulay
Introduction

This article reviews the anatomy of Upstream Intelligence (UI) and security. It provides a description of the major elements and activities within a carrier or service-provider network that generate UI. UI is not something that is discovered intact. It is often seeded from disjointed threat intelligence fragments that evolve and grow in clarity through the combination and correlation of quantitative indicators (a more detailed discussion of this process will be available in article 4 of this series). UI may be seeded from open source information, closed-source information, or developed “from scratch.” The scratch approach requires more effort and resources and is usually a by-product of an investigation into active, but unrecognized, attacks and zero-day exploits.

This article begins with a discussion of the usual seed sources of UI, as well as the application of the network elements that husband and nurture the seed base into usable UI.

Open-Source

Open-source threat intelligence information is freely available on the Internet through groups with open memberships or simply posted to websites. Lists of suspected “bad” Internet protocol (IP) addresses (such as spammers, distributed denial-of-service [DDoS] attackers, nefarious domain name system [DNS] servers, or web-hosting sites) are published by various security vendors, as well as by unaffiliated/not-for-profit sites dedicated to security, such as the Spam and Open Relay Blocking System (SORBS) or SpamHaus. [1, 2] Open source intelligence also includes the signatures and profiles of known malware, available from a source like the US Computer Emergency Readiness Team (US-CERT). [3] The quality of open source security information is as diverse as the available suppliers. In the end, a lot of excellent information is available on an open source basis, but one thing can also be generally counted on: the best and most up-to-date security and threat information reaches open sources last. In a world where threats can change minute to minute, and security posture changes at the same rate, open source information ranging in age from hours to days or weeks only begins to address the enterprise needs for cyber threat intelligence.

Closed-Source

Closed-source information is not publicly available and is associated with information security operations, intelligence gathering, “softer” business, and professional relationships, particularly among carriers and service providers, of which there are approximately 1600 worldwide. [4] These carriers and service providers share intelligence about compromised devices and networks on a practical and symbiotic basis at the engineering level, even while they may be harsh competitors at the management level. Customer complaints are another form of closed-source information; persons or businesses attempting to cope with degraded network service will usually contact a carrier or service provider because they figure (wrongly) that the degradation they are experiencing is related to a network problem. Such support calls frequently reveal severely compromised machines, much to the surprise of their owners
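The combination and correlation of fragments described above, as an added example that is not from the article: a small Python routine merges constructed indicator fragments from hypothetical open and closed channels, decays each observation by its age (the article's point that open-source data reaches the enterprise late), and scores an indicator higher when independent sources corroborate it. The source names, addresses, trust weights and the 48-hour half-life are all assumptions, not values from the article.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Fragment:
    indicator: str    # e.g. an IP address seen in a list or a report
    source: str       # name of the feed or channel that supplied it
    kind: str         # "open" (public list) or "closed" (carrier peer, support ticket)
    age_hours: float  # how old the observation is when we ingest it
    weight: float     # base trust placed in this channel, 0..1 (assumed values)


# Constructed sample fragments: hypothetical sources and documentation-range addresses.
FRAGMENTS = [
    Fragment("192.0.2.10", "open-blocklist-A", "open", 72.0, 0.4),
    Fragment("192.0.2.10", "carrier-peer-X", "closed", 2.0, 0.8),
    Fragment("192.0.2.10", "support-ticket-4711", "closed", 6.0, 0.6),
    Fragment("198.51.100.7", "open-blocklist-A", "open", 240.0, 0.4),
    Fragment("203.0.113.5", "carrier-peer-X", "closed", 1.0, 0.8),
]


def freshness(age_hours, half_life_hours=48.0):
    """Exponential decay: an observation loses half its value every half_life_hours."""
    return 0.5 ** (age_hours / half_life_hours)


def correlate(fragments, half_life_hours=48.0):
    """Merge fragments per indicator. Each distinct source gets one vote (its freshest
    observation); votes are treated as independent, so
    confidence = 1 - product(1 - weight * freshness) over the sources."""
    by_ind = defaultdict(dict)
    for f in fragments:
        prev = by_ind[f.indicator].get(f.source)
        if prev is None or f.age_hours < prev.age_hours:
            by_ind[f.indicator][f.source] = f
    results = {}
    for ind, per_source in by_ind.items():
        miss = 1.0
        for f in per_source.values():
            miss *= 1.0 - f.weight * freshness(f.age_hours, half_life_hours)
        results[ind] = {
            "confidence": round(1.0 - miss, 3),
            "sources": sorted(per_source),
            "closed_corroborated": any(f.kind == "closed" for f in per_source.values()),
        }
    return results


def ranked(fragments):
    """Indicators ordered from most to least corroborated, for analyst triage."""
    res = correlate(fragments)
    return sorted(res, key=lambda i: res[i]["confidence"], reverse=True)


if __name__ == "__main__":
    for ind, r in correlate(FRAGMENTS).items():
        print(ind, r)
```

A stale open-list entry with no corroboration scores near zero, while one address seen by a peer carrier, a support ticket and an open list within the same few days rises to the top of the triage queue.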