War Stories on Powering Incident Response with Intelligence

Transcription

1 War Stories on Powering Incident Response with Intelligence

2 Indicators What are They Good For? It depends Atomic Indicators must be high confidence to be useful 2

3 Herd Immunity Patient zero dies so others can live Source: 3

4 Indicator Assessment Not all indicators are equal 4

5 Indicator Enrichment Enrichment builds context 5 Source:

6 Detection in depth 1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command and Control 7. Actions on Objective Source: 6

7 War Stories static RC4 key 7 Sources:

8 Threat Intelligence

9 Threat Intelligence Combination of: Behavior tracking / TTPs Analytics Malware detonation Deception Machine Learning 9

10 Behavior Tracking / TTPs Source: 10

11 Behavior Analytics Require: Transposability platform independent Composability simple and modular Sharability environment independent Compositions: Scale Reuse 11

12 Malware Detonation Many options to choose from: Integrated Third party 12

13 Deception Infrastructure 13

14 Deception Use Case Active Directory * Human attackers lured to decoys by unstructured data (files, , docs) Decoys with desired interaction services and applications to engage attack. * Phish/ Drive-by Attack Social Engineer Open Exploit Attacks rarely land on desired asset, lateral movement is next step. Malware lured to decoys with structured data (apps, browsers) Automation discovers, creates, deploys and maintains realistic deception layers. Active response with automated workflow and investigation. * - breadcrumb 14

15 End Goals for Deception Research Security Intelligence Zero-Day Capture Malware & Tools Attribution/Mitigation Increase Attack Surface Detect & Defend Post-Breach Visibility Few False Positives Automation/Scale Enterprise-Wide Use Low Risk/Friction Highly Skilled Security Researchers Cyber Stakeout Tier-1 Security Analysts Accurate Alarm System 15

16 War Stories tools directory 16

17 Machine Learning Source: 17

18 Detection in Depth Applied 18

19 Detection in Depth Applied 19

20 Detection in Depth Applied 20

21 TI Platforms 21

22 Hive / Cortex Source: 22

23 Normalize Data Stix CIF

24 Enrich Data 24 Source:

25 Enrich Data 25 Source:

26 Enrich Data 26 Source:

27 War Stories php injects 27

28 Threat Intelligence New indicators from enrichments TI Automation Indicators prioritized based on confidence score Indicators enriched using analyzers 28

29 Applied Threat Intelligence Allows correlating indicators into useful patterns to enable analysts to make faster decisions during IR and avoid false positives. 29

30 Conclusions Context is key Analytics scale Detect in depth Normalize data 30

31 Thank You!

32 References Threat Intelligence at Microsoft A look Inside 32