
OpenIoC

Source: github.com/mandiant/OpenIOC_1.1


OpenIOC uses XML-formatted documents. Each entry comprises meta-information such as author, category information, confidence level, and usage license, plus a description and a definition. The definition is built from logical statements defining detection rules, such as DNS host name or a string pattern for a filename.
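To show how the meta-information and the logical definition fit together, here is an added example (written for this page, not code from the OpenIOC project): it builds a constructed OpenIOC 1.1 document and evaluates its nested AND/OR criteria against artefacts observed on a host. The namespace, element names and attributes follow the OpenIOC 1.1 schema; the file name, host name, size threshold and IDs are placeholders, and the `observation` dictionary keyed by each Context `search` path is an assumption of this example rather than anything the page or the schema prescribes.

```python
"""Added example (not the OpenIOC project's code): parse a constructed
OpenIOC 1.1 document and evaluate its AND/OR criteria against observed
host artefacts. Every indicator value below is a placeholder."""
import re
import xml.etree.ElementTree as ET

NS = {"ioc": "http://openioc.org/schemas/OpenIOC_1.1"}

# Constructed sample IOC: a metadata block plus a nested criteria tree.
SAMPLE_IOC = """<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1"
  id="00000000-0000-4000-8000-000000000001" last-modified="2024-01-01T00:00:00">
  <metadata>
    <short_description>Constructed sample IOC</short_description>
    <authored_by>example-analyst</authored_by>
    <authored_date>2024-01-01T00:00:00</authored_date>
  </metadata>
  <criteria>
    <Indicator id="00000000-0000-4000-8000-000000000002" operator="OR">
      <Indicator id="00000000-0000-4000-8000-000000000003" operator="AND">
        <IndicatorItem id="00000000-0000-4000-8000-000000000004" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">dropper-placeholder.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="00000000-0000-4000-8000-000000000005" condition="greater-than">
          <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
          <Content type="int">4096</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem id="00000000-0000-4000-8000-000000000006" condition="ends-with">
        <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
        <Content type="string">.c2-placeholder.invalid</Content>
      </IndicatorItem>
    </Indicator>
  </criteria>
  <parameters/>
</OpenIOC>"""


def load_ioc(xml_text):
    """Return the meta-information and the top-level Indicator of an IOC."""
    root = ET.fromstring(xml_text)
    meta = root.find("ioc:metadata", NS)
    return {
        "id": root.get("id"),
        "short_description": meta.findtext("ioc:short_description", "", NS),
        "author": meta.findtext("ioc:authored_by", "", NS),
        "indicator": root.find("ioc:criteria/ioc:Indicator", NS),
    }


def item_matches(item, observation):
    """Evaluate one IndicatorItem; an artefact that was not observed never satisfies it."""
    key = item.find("ioc:Context", NS).get("search")
    if key not in observation:
        return False
    observed = str(observation[key])
    expected = item.find("ioc:Content", NS).text or ""
    if item.get("preserve-case", "false") != "true":   # OpenIOC compares case-insensitively by default
        observed, expected = observed.lower(), expected.lower()
    cond = item.get("condition", "is")
    if cond == "is":
        hit = observed == expected
    elif cond == "contains":
        hit = expected in observed
    elif cond == "starts-with":
        hit = observed.startswith(expected)
    elif cond == "ends-with":
        hit = observed.endswith(expected)
    elif cond == "matches":
        hit = re.search(expected, observed) is not None
    elif cond in ("greater-than", "less-than"):
        lhs, rhs = int(observed), int(expected)
        hit = lhs > rhs if cond == "greater-than" else lhs < rhs
    else:
        raise ValueError(f"unsupported condition: {cond}")
    return not hit if item.get("negate", "false") == "true" else hit


def evaluate(indicator, observation):
    """Recursively combine child results with the Indicator's AND/OR operator."""
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]          # strip the namespace prefix
        if tag == "Indicator":
            results.append(evaluate(child, observation))
        elif tag == "IndicatorItem":
            results.append(item_matches(child, observation))
    if not results:
        return False
    op = indicator.get("operator", "AND").upper()
    return all(results) if op == "AND" else any(results)


def ioc_matches(xml_text, observation):
    """True when the observed artefacts satisfy the IOC's criteria."""
    return evaluate(load_ioc(xml_text)["indicator"], observation)


if __name__ == "__main__":
    # Constructed observations, keyed by the Context search path.
    hosts = {
        "host_a": {"FileItem/FileName": "Dropper-Placeholder.EXE", "FileItem/SizeInBytes": 8192},
        "host_b": {"DnsEntryItem/Host": "cdn.c2-placeholder.invalid"},
        "host_c": {"FileItem/FileName": "dropper-placeholder.exe", "FileItem/SizeInBytes": 100},
    }
    for name, obs in hosts.items():
        print(name, "matches" if ioc_matches(SAMPLE_IOC, obs) else "clean")
```

Note that host_c is reported clean even though the file name matches: the AND branch also requires the size condition, and no DNS artefact was observed, so neither side of the OR is satisfied. That is the point of the logical definition: a single weak indicator on its own does not trigger the rule.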

Malware Information Sharing Project (MISP) provides a server platform for CTI sharing as well as a file format. MISP servers can import and export STIX CDOs over TAXII, and MISP also supports OpenIOC definitions.

A number of sites maintain extensive lists of open-source threat information sources:

  • Senki.org provides a list: www.senki.org/operators-security-toolkit/open-source-threat-intelligence-feeds/

  • The Open Threat Exchange operated by AlienVault is part of a global community of security professionals and threat researchers: www.alienvault.com/open-threat-exchange

  • The MISP Threat Sharing project (https://www.misp-project.org/) provides standardized threat feeds from many sources, with community-driven collections: www.misp-project.org/feeds/

  • Threatfeeds.io hosts a list of open-source threat intelligence feeds with details of when they were added and modified, who maintains them, and other useful information: threatfeeds.io

Government sites:

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) site: www.us-cert.gov

  • The U.S. Department of Defense Cyber Crime Center site: www.dc3.mil

  • CISA's Automated Indicator Sharing (AIS) program: www.dhs.gov/cisa/automated-indicator-sharing-ais

  • The Information Sharing and Analysis Organizations (ISAO) program: www.dhs.gov/cisa/information-sharing-and-analysis-organizations-isaos

Vendor websites:

  • Microsoft's threat intelligence blog: www.microsoft.com/security/blog/tag/threat-intelligence/

  • Cisco's threat security site: tools.cisco.com/security/center/home.x

  • Cisco Talos reputation lookup tool: talosintelligence.com

Public sources:

  • The SANS Internet Storm Center: isc.sans.org

  • VirusShare contains details about malware uploaded to VirusTotal: virusshare.com

  • Spamhaus focuses on block lists, including spam via the Spamhaus Block List (SBL): www.spamhaus.org