US-20260129069-A1 - LARGE-SCALE EXCHANGE OF CYBER THREAT INTELLIGENCE VIA ROUTING PROTOCOLS
Abstract
The techniques described herein provide a transport mechanism for large-scale exchange of cyber threat intelligence between entities and/or within an entity. Cyber threats evolve rapidly, and entities face challenges in efficiently sharing threat intelligence at “network speed” and applying mitigations across their networks. Existing techniques lack scalability, real-time updates, and coordination among organizations. Moreover, there is no existing technique for large-scale exchange of cyber threat intelligence. Additionally, identifying threat data is often performed manually and is subjective. The techniques described herein provide mechanisms that leverage BGP or other routing protocols to facilitate large-scale threat intelligence exchange and mitigation across entities in real-time. The techniques described herein enable entities, including cloud providers, internet service providers, and others, to collaboratively mitigate cyber threats by disseminating real-time confirmed and actionable threat intelligence across their networks.
Inventors
- Omar Santos
Assignees
- CISCO TECHNOLOGY, INC.
Dates
- Publication Date
- 20260507
- Application Date
- 20241105
Claims (20)
- 1. A method of large-scale exchange of cyber threat intelligence, comprising: receiving, from one or more sources, threat intelligence information; determining, based on the threat intelligence information, threat data indicating a cyber threat or a security risk; generating a message using a routing protocol that includes the threat data as an extension of the routing protocol; and sending the message to one or more routers to enable the one or more routers to perform an action based on the threat data.
- 2. The method of claim 1, wherein determining the threat data is performed automatically and comprises: identifying, using a model, a portion of the threat intelligence information associated with an environment; generating, based on the portion of the threat intelligence information, a score indicating a risk or a threat associated with the portion of the threat intelligence information to the environment; and based on determining the score is above a threshold, generating the message.
- 3. The method of claim 1, wherein the method is performed by one of a firewall or a controller of an entity.
- 4. The method of claim 3, wherein the entity includes at least one of a service provider, an internet service provider, a vendor, or a government entity.
- 5. The method of claim 1, further comprising: defining respective categories for each respective indicator of compromise; assigning, based on the routing protocol, unique values to each of the respective categories; associating the unique values with one or more updates associated with the routing protocol; and storing the associations in a memory, wherein generating the message is based at least in part on accessing one or more of the unique values associated with the threat data.
- 6. The method of claim 1, wherein the method is implemented by a controller of a service provider and the threat data is generated by the controller or a service offered by the service provider.
- 7. The method of claim 1, wherein the one or more sources include at least one of: a third-party entity; an open-source entity; or an internal service of an entity.
- 8. The method of claim 1, wherein the message is sent from a first entity and the one or more routers are associated with at least one of: an environment of the first entity; one or more second entities associated with the first entity; or one or more users associated with the first entity or the one or more second entities.
- 9. A system comprising: one or more processors; and one or more computer-readable media storing instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving, from one or more sources, threat intelligence information; determining, based on the threat intelligence information, threat data indicating a cyber threat or a security risk; generating a message using a routing protocol that includes the threat data as an extension of the routing protocol; and sending the message to one or more routers to enable the one or more routers to perform an action based on the threat data.
- 10. The system of claim 9, wherein determining the threat data is performed automatically and comprises: identifying, using a model, a portion of the threat intelligence information associated with an environment; generating, based on the portion of the threat intelligence information, a score indicating a risk or a threat associated with the portion of the threat intelligence information to the environment; and based on determining the score is above a threshold, generating the message.
- 11. The system of claim 9, wherein the system is performed by a firewall or a controller of an entity.
- 12. The system of claim 11, wherein the entity includes at least one of a service provider, an internet service provider, a vendor, or a government entity.
- 13. The system of claim 9, the operations further comprising: defining respective categories for each respective indicator of compromise; assigning, based on the routing protocol, unique values to each of the respective categories; associating the unique values with one or more updates associated with the routing protocol; and storing the associations in a memory, wherein generating the message is based at least in part on accessing one or more of the unique values associated with the threat data.
- 14. The system of claim 9, wherein the system is performed by a controller of a service provider and the threat data is generated by the controller or a service offered by the service provider.
- 15. The system of claim 9, wherein the one or more sources include at least one of: a third-party entity; an open-source entity; or an internal service of an entity.
- 16. The system of claim 9, wherein the message is sent from a first entity and the one or more routers are associated with at least one of: a service network of the first entity; one or more second entities associated with the first entity; or one or more users associated with the first entity or the one or more second entities.
- 17. One or more non-transitory computer-readable media maintaining instructions that, when executed by one or more processors of a network device or a controller, program the one or more processors to perform operations comprising: receiving, from one or more sources, threat intelligence information; determining, based on the threat intelligence information, threat data indicating a cyber threat or a security risk; generating a message using a routing protocol that includes the threat data as an extension of the routing protocol; and sending the message to one or more routers to enable the one or more routers to perform an action based on the threat data.
- 18. The one or more non-transitory computer-readable media of claim 17, the operations further comprising: defining respective categories for each respective indicator of compromise; assigning, based on the routing protocol, unique values to each of the respective categories; associating the unique values with one or more updates associated with the routing protocol; and storing the associations in a memory.
- 19. The one or more non-transitory computer-readable media of claim 17, wherein the one or more sources include at least one of: a third-party entity; an open-source entity; or an internal service of an entity.
- 20. The one or more non-transitory computer-readable media of claim 17, wherein determining the threat data is performed automatically and comprises: identifying, using a model, a portion of the threat intelligence information associated with an environment; generating, based on the portion of the threat intelligence information, a score indicating a risk or a threat associated with the portion of the threat intelligence information to the environment; and based on determining the score is above a threshold, generating the message.
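The following is an added example, not code from the patent or from the assignee, that walks through the method of claims 1, 2 and 5 (and the Overview below) using standard BGP: each IoC category is assigned a unique value carried as a BGP community, threat data is only sent when its score clears a threshold, and a receiving router parses the UPDATE message and maps the community to an action. Standard communities (RFC 1997) stand in for the protocol extension the patent describes; the ASN 65000, the category values, the next-hop address, the threshold and the router's block policy are all assumptions.

```python
import struct
from enum import IntEnum
# Constructed example: each IoC category gets a unique BGP community "ASN:value".
# ASN 65000 (private range) and the per-category values are assumptions for this demo.
THREAT_ASN = 65000
class IocCategory(IntEnum):
    C2_SERVER = 100  # confirmed command-and-control host
    SCANNER = 200    # mass-scanning source
    PHISHING = 300   # phishing infrastructure
BLOCK_CATEGORIES = {IocCategory.C2_SERVER, IocCategory.PHISHING}  # receiving-router policy (assumed)

def community(cat: IocCategory) -> int:
    """Encode a category as a 32-bit standard BGP community (RFC 1997)."""
    return (THREAT_ASN << 16) | int(cat)

def _attr(flags: int, code: int, value: bytes) -> bytes:  # flags, type code, 1-byte length, value
    return struct.pack("!BBB", flags, code, len(value)) + value

def build_update(prefix: str, plen: int, cat: IocCategory, score: float, threshold: float = 0.8):
    """BGP UPDATE (RFC 4271) for the IoC prefix, tagged with its category; None if score < threshold."""
    if score < threshold:
        return None  # claim 2 gate: below-threshold intelligence is not disseminated
    attrs = (_attr(0x40, 1, b"\x00")                                    # ORIGIN = IGP
             + _attr(0x40, 2, struct.pack("!BBH", 2, 1, THREAT_ASN))    # AS_PATH: AS_SEQUENCE [65000]
             + _attr(0x40, 3, bytes(map(int, "192.0.2.1".split("."))))  # NEXT_HOP (assumed value)
             + _attr(0xC0, 8, struct.pack("!I", community(cat))))       # COMMUNITIES, optional+transitive
    nlri = bytes([plen]) + bytes(map(int, prefix.split(".")))[:(plen + 7) // 8]
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri  # no withdrawn routes
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body  # marker, length, type=UPDATE

def router_action(update: bytes):
    """Parse an UPDATE as a receiving router would and map the community to an action."""
    if update[:16] != b"\xff" * 16 or update[18] != 2:
        raise ValueError("not a BGP UPDATE")
    pos = 21 + struct.unpack_from("!H", update, 19)[0]  # skip withdrawn routes
    end = pos + 2 + struct.unpack_from("!H", update, pos)[0]
    pos, cat = pos + 2, None
    while pos < end:
        flags, code, ln = struct.unpack_from("!BBB", update, pos)
        pos += 3
        if flags & 0x10:  # extended-length attribute carries a 2-byte length
            ln, pos = (ln << 8) | update[pos], pos + 1
        if code == 8:  # COMMUNITIES
            for (c,) in struct.iter_unpack("!I", update[pos:pos + ln]):
                if c >> 16 == THREAT_ASN and (c & 0xFFFF) in [m.value for m in IocCategory]:
                    cat = IocCategory(c & 0xFFFF)
        pos += ln
    plen, prefix = update[end], ".".join(str(b) for b in (update[end + 1:] + bytes(4))[:4])
    action = "drop" if cat in BLOCK_CATEGORIES else "alert" if cat else "ignore"
    return action, f"{prefix}/{plen}", cat
```

In a deployment the community-to-action mapping lives in the router's inbound route policy, and a withdrawn route (non-empty withdrawn-routes field) would retract the mitigation; the parser above skips that field rather than acting on it.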
Description
TECHNICAL FIELD
The present disclosure relates generally to the field of computer networking, and more particularly to utilizing a routing protocol as a transport mechanism for large-scale exchange of cyber threat information in real-time and across entities.
BACKGROUND
Networks such as service networks, enterprise networks, cloud providers, etc. often face cyber threats and may utilize threat intelligence feeds to identify threat data, such as indicators of behavior (e.g., indicators of compromise (IoCs), indicators of attack, etc.) indicating a security threat. Current distribution mechanisms for indicators of behavior generally utilize a transport protocol (e.g., trusted automated exchange of intelligence information (TAXII)) to distribute a PDF that points to a potential threat source and are limited to small-scale distributions. However, cyber threats continue to evolve rapidly, and service providers and other entities face challenges in efficiently sharing threat intelligence at “network speed” and applying mitigating action across their networks. Thus, when a large-scale cyber threat (e.g., a global security incident) occurs, existing distribution mechanisms for threat intelligence information lack scalability, real-time updates, and coordination among entities, resulting in increased time and duration of the cyber threat before mitigation can occur at a large scale. Accordingly, there is a need for an authoritative and centralized way to provide large-scale exchange of threat intelligence in real-time within and across entities.
BRIEF DESCRIPTION OF THE DRAWINGS
The detailed description is set forth below with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items. The systems depicted in the accompanying figures are not to scale and components within the figures may be depicted not to scale with each other.
FIG. 1 illustrates a system-architecture diagram of an environment in which a system can provide a large-scale exchange of cyber threat intelligence in real-time.
FIG. 2 illustrates a component diagram of an example network controller described in FIG. 1.
FIGS. 3A and 3B illustrate example embodiments of disseminating threat data according to the system described in FIGS. 1 and 2.
FIG. 4 illustrates an example embodiment of disseminating threat data according to the system described in FIGS. 1-3.
FIG. 5 illustrates a flow diagram for distributing threat intelligence via a routing protocol, according to the techniques described in FIGS. 1-4.
FIG. 6 illustrates a flow diagram for performing categorization associated with a routing protocol according to the techniques described in FIGS. 1-5.
FIG. 7 is a computer architecture diagram showing an illustrative computer hardware architecture for implementing a device that can be utilized to implement aspects of the various technologies presented herein.
DESCRIPTION OF EXAMPLE EMBODIMENTS
Overview
The present disclosure relates generally to the field of computer networking, and more particularly to providing a transport mechanism to enable large-scale exchange of cyber threat intelligence within and across entities in real-time. A method to perform the techniques described herein may include receiving, from one or more sources, threat intelligence information. Additionally, the method may include determining, based on the threat intelligence information, threat data indicating a cyber threat or a security risk. The method may include generating a message using a routing protocol that includes the threat data as an extension of the routing protocol. Further, the method may include sending the message to one or more routers to enable the one or more routers to perform an action based on the threat data. Additionally, any techniques described herein may be performed by a system and/or device having non-transitory computer-readable media storing computer-executable instructions that, when executed by one or more processors, perform the method(s) described above and/or one or more non-transitory computer-readable media storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform the method(s) described herein.
Example Embodiments
Computer networks are generally a group of computers or other devices that are communicatively connected and use one or more communication protocols to exchange data, such as by using packet switching. For instance, computer networking can refer to connected computing devices (such as laptops, desktops, servers, smartphones, and tablets) as well as an ever-expanding array of Internet-of-Things (IoT) devices (such as cameras, door locks, doorbells, refrigerators, audio/visual systems, thermostats, and various sensors) that communicat