Threat Intelligence overview

Threat Intelligence™ (TI) is an add-on feature which enriches assets with additional information to improve detection of malware and anomalies

Threat Intelligence (TI) constantly monitors operational technology (OT) / Internet of Things (IoT) threat and vulnerability intelligence. This improves malware anomaly detection. This includes managing packet rules, Yara rules, Structured Threat Information Expression (STIX) indicators and vulnerabilities.

Threat Intelligence permits new content to be:

Added
Edited
Deleted

It also lets existing content to be enabled, or disabled.

In order to identify malicious events, TI continuously analyzes network traffic and asset configuration details, and compares them with:

Industry-standard packet rules
YARA rules
Indicators of compromise
Vulnerability assessments
Mapping content (Common Platform Enumeration (CPE))

TI packages can be controlled at a modular level to:

Disable or enable individual rules
Manually add rules to investigate and deliver customer alerts

TI is a subscription service that is curated and proprietary. You can use it with Nozomi Networks products, or with 3rd party software. This subscription lets you receive an automatic, and continuous flow of updated threat intelligence information into Guardian sensors to detect the most up-to-date methods of attack. You can manage TI content from:

Vantage
A Guardian sensor
A Central Management Console (CMC) sensor

This makes it easy to propagate TI contents to an unlimited number of Nozomi Networks sensors.

You can set TI contents to update automatically, or you can upload a local file to manually update the Nozomi Networks sensors. This lets you operate the system in a fully air-gapped environment.

Management

To provide detailed threat information, the TI screen lets you manage:

Packet rules
YARA rules
STIX indicators
Vulnerabilities

Packet rules

Packet rules are executed on every packet. If a match is detected, they raise an alert of type SIGN:PACKET-RULE.

For more details on how to format packet rules, see the Packet Rules Reference.

YARA rules

Protocols like hypertext transfer protocol (HTTP) or server message block (SMB) execute YARA rules on every file transferred over the network. When a match is detected, an alert of type SIGN:MALWARE-DETECTED is raised. YARA rules conform to the specifications found at YARA Rules.

STIX indicators

The information that STIX indicators contain:

Malicious internet protocol (IP) addresses
uniform resource locator (URL)s
Malware signatures, or
Malicious domain name server (DNS) domains.

This information enriches existing alerts, and raises new ones.

Vulnerabilities

Vulnerabilities are assigned to each node, depending on the installed hardware and operating system, and the software identified in the traffic. The Nozomi Networks solution leverages Common Vulnerabilities and Exposures (CVE), a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures.