To successfully counteract and prevent attacks, it helps to know when you’re being targeted in the first place.
cognitix Threat Defender enhances its IPS capabilities with Indicators of Compromise (IoC) feeds to identify a range of possible attacks. This threat intelligence is used in conjunction with behavior-based rules and inline real-time correlation to prevent these attacks. Threat Defender introduces a paradigm shift by applying IoCs in real time to the security policies.
An IoC consists of one or several artifacts (e.g. IP addresses, domain names) that provide a reliable indication that certain security incidents have occurred. To achieve this reliability, an IoC places observables (measurable events and stateful properties) in their relevant context (e.g. a time range).
IoCs are powerful tools to determine whether a network has been subjected to a security incident. They help to identify and implement suitable countermeasures.
As IoCs can be shared within the community, resources are pooled to document and publicize threats. This increases the effectiveness of IoCs in detecting and mitigating zero-day attacks.
cognitix Threat Defender integrates IoC feeds in its set of IPS categories. The IoC feeds are included in firewall rules and in correlation scenarios. These scan the network traffic for the indicators in real time. If an IoC is discovered, the affected devices are isolated immediately using dynamic network objects. Threat Defender reacts to threats while they are still in progress, disrupting the kill chain before it is too late.
Rules and correlation scenarios can also be defined in advance using the IoC information. This supports a proactive posture to prevent attacks before they actually take place.
Context is essential to provide meaningful cyber threat intelligence. For example, you need to know which user or service triggered the IoC, and you also need to collect timestamps, geolocation data and other metadata. Without this data, it is impossible to identify and eliminate false positives or to investigate suspected attacks in detail.
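To make the mechanism described above concrete (indicators with a validity window, real-time matching of traffic, and a dynamic quarantine object), here is an added illustration in Python. It is not cognitix code and does not use Threat Defender's API; the feed entries, flow records, field names and the `correlate` function are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed IoC feed; values are documentation ranges/names, not real indicators.
# Each indicator keeps its context: artifact type, validity window and a label.
@dataclass(frozen=True)
class Ioc:
    kind: str            # "ip" (address or CIDR) or "domain"
    value: str
    valid_from: datetime
    valid_to: datetime
    label: str

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

FEED = [
    Ioc("ip", "203.0.113.0/24", _ts("2024-01-01T00:00:00"), _ts("2024-12-31T23:59:59"), "c2 range"),
    Ioc("domain", "bad.example", _ts("2024-03-01T00:00:00"), _ts("2024-03-31T23:59:59"), "phishing"),
]

# Constructed flow records as an inline sensor would observe them (hypothetical hosts/users).
FLOWS = [
    {"ts": "2024-03-10T12:00:00", "src": "10.0.0.5", "dst": "203.0.113.7", "domain": None, "user": "alice"},
    {"ts": "2024-03-10T12:01:00", "src": "10.0.0.6", "dst": "198.51.100.2", "domain": "bad.example", "user": "bob"},
    {"ts": "2024-05-01T09:00:00", "src": "10.0.0.7", "dst": "198.51.100.3", "domain": "bad.example", "user": "carol"},
    {"ts": "2024-03-10T12:02:00", "src": "10.0.0.8", "dst": "192.0.2.9", "domain": "ok.example", "user": "dave"},
]

def _matches(ioc: Ioc, flow: dict) -> bool:
    if ioc.kind == "ip":
        return ip_address(flow["dst"]) in ip_network(ioc.value)
    if ioc.kind == "domain":
        d = flow["domain"]
        return d is not None and (d == ioc.value or d.endswith("." + ioc.value))
    return False

def correlate(feed, flows):
    # hits keep the investigation context (who, when, which indicator);
    # isolated is the dynamic network object of internal hosts to quarantine.
    hits, isolated = [], set()
    for flow in flows:
        ts = _ts(flow["ts"])
        for ioc in feed:
            if not ioc.valid_from <= ts <= ioc.valid_to:
                continue  # indicator outside its time-range context: not a hit
            if _matches(ioc, flow):
                hits.append({"ts": flow["ts"], "host": flow["src"], "user": flow["user"],
                             "indicator": ioc.value, "label": ioc.label})
                isolated.add(flow["src"])
    return hits, isolated
```

The third flow contacts an indicator whose validity window has expired, so it produces no hit; that is the time-range context doing its job against false positives.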
When the logging function is activated, detailed syslog information is exported to external services to facilitate the documentation and sharing of IoC information.