On December 3, 2021, the Security Research Institute of the China Academy of Information and Communications Technology (CAICT) and Beijing Weibu Online Technology Co., Ltd. (ThreatBook) jointly published the "2020 Cybersecurity Threat Intelligence Research Report (2021)". The report is divided into four parts: research on the threat intelligence industry, research on the 2020 threat landscape, research on industry implementation, and a discussion of industry development. It combines macro and micro perspectives and looks at both the present and the future, making it a detailed study of the threat intelligence industry. As co-author of the report, Weibu Online hopes that readers will not only find the information they need in it, but also come away with a comprehensive, in-depth understanding of China's threat intelligence industry. To that end, Weibu Online has extracted seven key points from the report to help readers grasp its main conclusions quickly and to guide subsequent in-depth reading.

Knowledge point 1: What is "threat intelligence"?

The English term for cybersecurity threat information is Threat Intelligence (TI), and that term is used throughout this summary. Its object of study is the "threat": known cyber threats as well as unknown threats that are about to emerge. After surveying relevant research at home and abroad, CAICT and Weibu Online compared a number of definitions and concluded that the core meaning of cybersecurity threat intelligence is as follows. First, threat intelligence is derived from the study, summary and analysis of past cyber threats, and it is applied to known threats or to unknown threats that have yet to appear. Second, its value lies in providing machine-readable or human-readable tactical and strategic information to the enterprises or assets affected by a given threat and in supporting their decisions; it therefore has to include the context, mechanisms, indicators and other content needed for decision-making. In short, cybersecurity threat intelligence is information and data extracted from the study of cyber threats and used to discover, understand and track them.

Knowledge point 2: What does threat intelligence add to cybersecurity defence?

Based on the PPDR security protection model, CAICT and Weibu Online see the benefits of threat intelligence for network defence mainly in the following aspects:
(1) Detection: Threat intelligence helps users identify affected assets, risks and attack surfaces, giving them a quick picture of the attacks currently facing their network.
(2) Defence: It supports proactive, targeted countermeasures. Indicators of compromise (IOCs) supplied by threat intelligence, such as malicious IP addresses, domain names and URLs, and malware hashes, can be loaded directly into security systems and devices as blocking and detection rules.
(3) Response: Threat intelligence supports a more complete security incident response plan.
(4) Prediction: It underpins an early-warning mechanism that continuously collects information on new threats and, combined with knowledge of the weak points of the current environment, forecasts the threats likely to arrive, helping enterprises deal with the unknown.
In summary, using threat intelligence improves alert accuracy and reduces the number of false and irrelevant alerts, which cuts the workload of security operators, lets them focus on real threats and raises their efficiency. This is of considerable significance for the cybersecurity construction and operations of government departments, enterprises, institutions, social organizations and other user organizations.

Knowledge point 3: Where is the value of threat intelligence reflected?

After extensive research, CAICT and Weibu Online find that cybersecurity threat intelligence is currently used mainly in enterprise security defence, public security and national security. Its value is correspondingly reflected in three areas: strengthening enterprises' active defence capabilities, helping to combat cybercrime, and protecting the country's cyberspace. First, threat intelligence improves an enterprise's ability to perceive cyber threats and shifts its security posture from passive to active. Second, threat intelligence supports the investigation, analysis and evidence retention of cybercrime, as well as information sharing, prevention and early warning, which makes it possible to combat cybercrime effectively, improve the online environment and help maintain public security in cyberspace. Finally, threat intelligence assists and guides the cybersecurity work of related industries, helping to secure critical infrastructure, core data and core business continuity across sectors, and thereby protecting national security.

Knowledge point 4: What was the domestic and international threat situation in 2020?

After a year of observation, CAICT and Weibu Online find that the cybersecurity situation at home and abroad in 2020 was more severe than ever before. Ransomware, long active on PCs, surged throughout 2020 and caused serious damage; operators began using dark-web-hosted infrastructure to leak stolen data in bulk, pressuring the extorted organization to pay as quickly as possible. With rising infection rates among mobile devices worldwide, the likelihood of IoT devices being infected also grew sharply. Attackers' interest in common attack surfaces such as supply chains, VPNs and vulnerabilities continued, and malware disguised as clients of collaboration tools such as Zoom and Slack began to appear. Hackers and underground ("black industry") groups continued to operate on the dark web, where they were observed buying and selling leaked data and cloud infrastructure. Hundreds of APT campaigns were exposed in 2020, and more than 40 countries and regions suffered APT attacks to varying degrees. The COVID-19 pandemic also affected the network environment, especially the attack landscape: pandemic-related attacks increased significantly, attack methods became more diverse, the healthcare industry was hit hard, and remote-work infrastructure and remote communication tools were the hardest-hit areas. Pandemic- and coronavirus-themed topics became attackers' preferred bait.

Knowledge point 5: Which directions does the report highlight for applying threat intelligence?

Based on China's specific conditions and cybersecurity needs, the following directions can serve as reference for applying threat intelligence in China. First, combine it with detection technology: during security product development, integrate threat intelligence with traffic analysis and endpoint detection to build intelligence-driven detection and response products, and deploy them in the user organization's network environment. Second, establish a sharing mechanism: for user organizations with many branches, set up a local threat intelligence management platform, build a threat intelligence database and a sharing mechanism, and improve the organization's ability to mine, develop and apply threat intelligence. Third, link security devices: connect other security equipment, such as IDS, firewalls and big-data log platforms, together with the existing remediation knowledge base and ticketing system, to form a closed-loop handling process and improve the organization's overall detection and response capability.

Knowledge point 6: Which key industries does the report address?

Threat intelligence is applied across a wide range of industries, including finance, the Internet, smart manufacturing, government, real estate, healthcare and education. For the industries and needs addressed by this report, Weibu Online contributed application cases from leading enterprises in the industrial and information sectors, from which CAICT selected four typical cases: an electronics manufacturer, a basic telecommunications operator, an online video platform and a cloud computing service provider. In these cases threat intelligence is linked with the enterprise's existing security systems and devices, such as firewalls, big-data platforms and ELK log systems, or used to empower threat-sensing devices, in order to discover internal threats, detect external threats and identify asset risks. The cases demonstrate how threat intelligence activates enterprise security operations and raises the overall security level of the enterprises concerned. For the full list of cases, see the full report.

Knowledge point 7: How should government and enterprise organizations advance the implementation and development of threat intelligence?

The successive introduction of the Cybersecurity Law, the Data Security Law and the Regulations on the Security Protection of Critical Information Infrastructure has further clarified the importance of cybersecurity to national security and demonstrated China's determination to protect cyberspace. With the Multi-Level Protection Scheme 2.0 (MLPS 2.0, "Classified Protection 2.0") setting specific and clear requirements for the threat intelligence capabilities of information systems, building threat intelligence capabilities has become imperative. CAICT holds that government departments, enterprises, institutions, social organizations and other end users of threat intelligence should strengthen their sense of primary responsibility for security, improve their security self-assessment systems and improve their internal defence systems, along the following lines.

First, be driven by both policy and the market. User organizations should define their cybersecurity construction goals, key content and safeguard measures according to their actual business needs and the main threats they face, with reference to national policies, regulations and standards, and should evaluate products comprehensively on factors such as the coverage, accuracy, availability, scalability and professionalism of the threat intelligence they provide. Driven by both policy compliance and market demand, they should then plan and design a feasible cybersecurity defence system.

Second, apply strict selection criteria to threat intelligence. When selecting sources, give equal weight to quantity and quality: the intelligence should be rich and comprehensive, but a large volume of low-confidence indicators must not be allowed to drown out serious security incidents. When selecting multiple sources, make use of the differences between them, integrate them through a threat intelligence management system, and optimize the resulting accuracy and coverage.

Third, integrate it into the security system and accelerate deployment. Organizations should speed up the deployment of threat intelligence systems, make full use of existing security capabilities, link existing security systems and devices, combine incident response, automated orchestration and threat intelligence, and fold threat intelligence capabilities into the existing security architecture. They should build threat intelligence detection systems, threat intelligence databases, local management platforms, online query platforms and related systems, make full use of threat intelligence to improve security operations, and build a solid cybersecurity defence system.
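Two of the practical points above, loading IOCs such as malicious IPs, domains and file hashes directly into detection (Knowledge point 2) and merging intelligence from several sources without letting low-confidence indicators drown out real incidents (Knowledge point 7), can be shown concretely. The following Python example is added here and is not code from the report, CAICT or Weibu Online. Its feed records, confidence scores, log line formats and field names (src, dst, query, sha256) are constructed for illustration, and the noisy-OR confidence combination is one common choice rather than a method the report prescribes.

```python
"""Merge indicators of compromise (IOCs) from several feeds, combine their
confidence scores, and match the result against sample log lines.
Added example: all feeds, scores and logs below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Ioc:
    """One indicator as delivered by a single feed."""
    kind: str          # "ip", "domain" or "sha256"
    value: str
    confidence: float  # 0.0 - 1.0 as reported by the feed
    source: str


@dataclass
class MergedIoc:
    """One indicator after merging across feeds."""
    kind: str
    value: str
    confidence: float = 0.0
    sources: set[str] = field(default_factory=set)


# Constructed sample feeds (not from the report). Addresses come from the
# RFC 5737 documentation ranges and domains use the reserved .example TLD.
FEED_RECORDS = [
    Ioc("ip", "203.0.113.10", 0.90, "vendor_feed"),
    Ioc("ip", "203.0.113.10", 0.60, "open_source_feed"),    # corroborates vendor_feed
    Ioc("domain", "update-zoom-client.example", 0.85, "vendor_feed"),
    Ioc("domain", "cdn.example", 0.20, "open_source_feed"),  # lone low-confidence entry
    Ioc("sha256", "a" * 64, 0.95, "internal_sandbox"),
    Ioc("ip", "198.51.100.7", 0.30, "open_source_feed"),     # weak on its own ...
    Ioc("ip", "198.51.100.7", 0.30, "community_feed"),       # ... but reported twice
]

# Constructed sample log lines in the shape a firewall, a DNS resolver and an
# EDR agent might emit; the field names are assumptions for this example.
SAMPLE_LOGS = [
    "fw: ACCEPT src=10.0.0.5 dst=203.0.113.10 dport=443",
    "dns: client=10.0.0.5 query=update-zoom-client.example type=A",
    "dns: client=10.0.0.9 query=cdn.example type=A",
    "fw: ACCEPT src=10.0.0.7 dst=198.51.100.7 dport=80",
    "edr: host=ws-12 process=zoom_update.exe sha256=" + "a" * 64,
    "fw: ACCEPT src=10.0.0.7 dst=192.0.2.44 dport=22",
]


def merge_iocs(records: list[Ioc]) -> dict[tuple[str, str], MergedIoc]:
    """Collapse duplicate indicators across feeds.

    Confidence is combined with a noisy-OR, 1 - prod(1 - c_i), over distinct
    sources: independent corroboration raises the score, a single weak feed
    entry stays weak, and one feed repeating itself adds no evidence.
    """
    merged: dict[tuple[str, str], MergedIoc] = {}
    for r in records:
        key = (r.kind, r.value.lower())
        m = merged.setdefault(key, MergedIoc(r.kind, r.value.lower()))
        if r.source in m.sources:
            continue
        m.sources.add(r.source)
        m.confidence = 1.0 - (1.0 - m.confidence) * (1.0 - r.confidence)
    for m in merged.values():
        m.confidence = round(m.confidence, 4)
    return merged


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_FIELD = re.compile(r"\b(?:query|host|sni)=([A-Za-z0-9.-]+)")


def extract_candidates(line: str) -> set[tuple[str, str]]:
    """Pull every (kind, value) that could be an indicator out of one log line."""
    cands = {("ip", ip) for ip in IPV4.findall(line)}
    cands |= {("sha256", h.lower()) for h in SHA256.findall(line)}
    cands |= {("domain", d.lower()) for d in DOMAIN_FIELD.findall(line)}
    return cands


def match_logs(lines, merged, min_confidence: float = 0.5):
    """Return (line_no, kind, value, confidence, sources) for each indicator seen
    in the logs whose merged confidence clears the threshold. Dropping the weak
    ones here, instead of alerting on every feed entry, is what keeps low-quality
    intelligence from burying real incidents."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, value in sorted(extract_candidates(line)):
            m = merged.get((kind, value))
            if m is None or m.confidence < min_confidence:
                continue
            hits.append((n, kind, value, m.confidence, sorted(m.sources)))
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, merge_iocs(FEED_RECORDS)):
        print(hit)
```

Run as a script it prints four hits: the corroborated IP on line 1 (0.96), the lookalike Zoom domain on line 2, the IP on line 4 and the hash on line 5. The lone cdn.example entry at 0.2 never surfaces, while 198.51.100.7 clears the 0.5 threshold only because two independent feeds reported it; raising min_confidence to 0.9 leaves just lines 1 and 5. In a real deployment the merged table would be fed from the threat intelligence management platform and the matching would run inside the log platform or IDS rather than in a script, but the quality gate is the same.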