Threat Intelligence overview
Threat Intelligence™ (TI) is an add-on feature which enriches assets with additional information to improve detection of malware and anomalies
Threat Intelligence (TI) constantly monitors operational technology (OT) / Internet of Things (IoT) threat and vulnerability intelligence. This improves malware anomaly detection. This includes managing packet rules, Yara rules, Structured Threat Information Expression (STIX) indicators and vulnerabilities.
- Added
- Edited
- Deleted
- Industry-standard packet rules
- YARA rules
- Indicators of compromise
- Vulnerability assessments
- Mapping content (Common Platform Enumeration (CPE))
TI packages can be controlled at a modular level to:
- Disable or enable individual rules
- Manually add rules to investigate and deliver customer alerts
- Vantage
- A Guardian sensor
- A Central Management Console (CMC) sensor
This makes it easy to propagate TI contents to an unlimited number of Nozomi Networks sensors.
You can set TI contents to update automatically, or you can upload a local file to manually update the Nozomi Networks sensors. This lets you operate the system in a fully air-gapped environment.
Management
Packet rules
Packet rules are executed on every packet. If a match is detected, they raise an alert of type SIGN:PACKET-RULE.
For more details on how to format packet rules, see the Packet Rules Reference.
For more details on how to format packet rules, see the Packet Rules Reference.
YARA rules
Protocols like hypertext transfer protocol (HTTP) or server message block (SMB) execute YARA rules on every file transferred over the network. When a match is detected, an alert of type SIGN:MALWARE-DETECTED is raised. YARA rules conform to the specifications found at YARA Rules.
STIX indicators
- Malicious internet protocol (IP) addresses
- uniform resource locator (URL)s
- Malware signatures, or
- Malicious domain name server (DNS) domains.
This information enriches existing alerts, and raises new ones.
Vulnerabilities
Vulnerabilities are assigned to each node, depending on the installed hardware and operating system, and the software identified in the traffic. The Nozomi Networks solution leverages Common Vulnerabilities and Exposures (CVE), a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures.