ThreatConnect Learning Exercises


The following exercises will teach you some of the important features within the ThreatConnect platform. You will learn various ways of adding intelligence data into ThreatConnect, as well as ways of collaborating to enrich Indicators.

This training exercise is broken up into two modules:

1. Module 1, Operation KallySky, will teach you how to import highly structured intelligence derived from the ThreatConnect Intelligence Research Team (TC-IRT) as part of the Adversary Intelligence: Behind the Keyboard blog post.
2. Module 2, Phishing Attempts, will require you to submit a suspicious spam email into ThreatConnect for automated processing.

September 2015 V 1.0

Module 1: Operation KallySky

Overview

In May of 2015, ThreatConnect published a blog post entitled Adversary Intelligence: Behind the Keyboard that detailed the operations of a cyber-actor known as KallySky. ThreatConnect posted the intelligence contained within that blog entry to the Common Community for widespread distribution. Module 1 will walk you through importing, associating, and enriching that intelligence as the original ThreatConnect authors modeled it.

Objectives

Module 1 explains the following tasks in order to recreate the data associated with the KallySky Adversary:
- Importing structured intelligence containing Indicators related to KallySky
- Viewing all Indicators associated with KallySky via pivots
- Enriching relevant Indicators from the KallySky post

Lesson 1: Importing Structured Intelligence

ThreatConnect allows for a number of ways to aggregate structured and unstructured data, both manually and automatically. This objective will teach you to use the Structured Import feature to upload a ThreatConnect-formatted comma-separated values (CSV) file containing KallySky Indicators and some of their context.

Lesson 1 assumes the following:
- You are logged into ThreatConnect with an account that has appropriate permissions in a designated Organization or Community.
- Your instructor has already created the KallySky Adversary in your Organization or Community, and it has no Indicators associated with it.
- You have been given the sample of KallySky-structured CSV data, or a subset of it, as appropriate.
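The VALIDATE and CONFIRM steps of this lesson check each row's Indicator, Threat Rating and Confidence and report collisions with Indicators already present in the Owner. The Python below is an added illustration of that kind of check, not ThreatConnect's own code and not its actual CSV layout: it validates a small constructed CSV in an assumed column order (Indicator, Type, Rating, Confidence, Source, Description) and splits the rows into valid, invalid, and already-existing, the way the VALIDATE and CONFIRM tabs present them. The column names, Indicator type names and all sample values are assumptions.

```python
import csv
import io
import ipaddress
import re

# Assumed column layout; the platform's real structured-import format may differ.
COLUMNS = ["Indicator", "Type", "Rating", "Confidence", "Source", "Description"]

# Syntax checks per assumed Indicator type; file hashes are MD5/SHA-1/SHA-256 hex.
TYPE_CHECKS = {
    "Host": re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I),
    "EmailAddress": re.compile(r"^[^@\s]+@([a-z0-9-]+\.)+[a-z]{2,63}$", re.I),
    "File": re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I),
}


def _valid_address(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_row(row):
    """Return a list of problems for one CSV row; an empty list means the row is valid."""
    problems = []
    itype = row.get("Type", "")
    value = row.get("Indicator", "").strip()
    if itype == "Address":
        if not _valid_address(value):
            problems.append("not an IP address")
    elif itype in TYPE_CHECKS:
        if not TYPE_CHECKS[itype].match(value):
            problems.append("malformed %s" % itype)
    else:
        problems.append("unknown Type %r" % itype)
    # Threat Rating is 0-5 skulls and Confidence is 0-100 points, as the lesson states.
    try:
        if not 0 <= int(row["Rating"]) <= 5:
            problems.append("Rating out of range 0-5")
    except (KeyError, ValueError):
        problems.append("Rating missing or not an integer")
    try:
        if not 0 <= int(row["Confidence"]) <= 100:
            problems.append("Confidence out of range 0-100")
    except (KeyError, ValueError):
        problems.append("Confidence missing or not an integer")
    return problems


def structured_import(csv_text, existing):
    """Split rows into (valid, invalid, collisions).

    `existing` is the set of lower-cased Indicator values already in the Owner,
    which is what the CONFIRM step compares against before saving.
    """
    valid, invalid, collisions = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = validate_row(row)
        value = row["Indicator"].strip()
        if problems:
            invalid.append((value, problems))
        elif value.lower() in existing:
            collisions.append(value)
        else:
            valid.append(value)
    return valid, invalid, collisions


# Constructed sample file: placeholder values, not real KallySky intelligence.
SAMPLE_CSV = """Indicator,Type,Rating,Confidence,Source,Description
198.51.100.23,Address,3,71,Training,constructed C2 address
malicious.example,Host,4,90,Training,constructed staging domain
actor@example.net,EmailAddress,2,50,Training,constructed sender
d41d8cd98f00b204e9800998ecf8427e,File,5,100,Training,constructed dropper hash
999.1.1.1,Address,3,80,Training,bad octet
evil.example,Host,7,120,Training,out-of-range rating and confidence
"""

if __name__ == "__main__":
    v, i, c = structured_import(SAMPLE_CSV, {"malicious.example"})
    print("valid:", v)
    print("invalid:", i)
    print("already in Owner:", c)
```

Running it lists three valid rows, the two rows the VALIDATE step would flag (a bad IP octet, and a Rating and Confidence outside their ranges), and the one domain that would show as an existing Indicator on the CONFIRM screen.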

1. From the top navigation bar at the right of the screen, click the IMPORT (Up Arrow) tab, and select Indicators from the drop-down menu. The Import Indicators screen will appear (Figure 1).

Figure 1: Selecting Import

Note: You can use the Unstructured Import option to import a PDF or other document type, or click the CREATE (+) tab to manually add a single item.

2. Click the Structured CSV box, and the screen will display various tabs and options, with the default IMPORT tab highlighted (Figure 2).

Figure 2: Importing the File

3. Click on the Owner drop-down menu, and select your target Organization or Community. The KallySky Adversary should have been already created in this Owner.

4. Click the +Import File button, browse to the provided CSV file, and then click the Next button. The VALIDATE tab will be highlighted (Figure 3).

Figure 3: Viewing the Valid Indicators

5. The Validate screen displays a list of Valid Indicators, which you can view to confirm the contents of your original file. (The platform should not have found any Invalid Indicators.) Click the Next button, and the CONFIRM tab will be highlighted (Figure 4).

Note: One of the strengths of using the Structured CSV import feature is that it allows for granularity in the Threat Rating and Confidence value of each Indicator.

Figure 4: Confirming the Contents

6. The Confirm screen displays which Indicators will be added and which ones already exist in this Owner. There should be no collisions with existing Indicators, but it is okay if there are. ThreatConnect will detail which facets of each Indicator will be modified if they are re-imported. Click the Next button, and the LABELS tab will be highlighted (Figure 5).

Figure 5: Adding a Security Label

7. On the Labels screen, you can add Security Labels and Tags to help classify the data. Security Labels are useful for determining how to handle information. Click on the Choose Security Labels drop-down menu, and click the TLP WHITE checkbox. Per the United States Computer Emergency Readiness Team's (US-CERT) Traffic Light Protocol (TLP) guidelines, this is the appropriate Security Label since these Indicators are openly distributed.

8. Tags are useful for quickly finding other similar or related data. In the Tags panel, click in the text box to enter a Tag that will describe the data, and then click the Plus (+) button to add the Tag. Repeat for each additional Tag. Alternatively, click on one (or more) of the already-existing Tags under the Common Tags header, and the platform will add it to your list. Note that the data within your Owner determines the Common Tags, so these may differ from those displayed in Figure 5. Add the following Tags: KallySky, Your Name, and Training. Click the Next button, and the SAVE tab will be highlighted (Figure 6).

Figure 6: Creating the Association

9. On the Save screen, you will be able to save your Indicators in ThreatConnect. However, before taking this step, associate the Indicators with KallySky in order to establish for future analysts the relationship between these Indicators and the KallySky Adversary. ThreatConnect recommends that you always associate Indicators to a Group in ThreatConnect to provide additional context. Click the +New Association button, and the Select an Association pop-up screen will appear (Figure 7).

Figure 7: Selecting an Association

10. On the Select an Association pop-up screen, you can create an association between the imported Indicators and other entities defined in your ThreatConnect Owner. These entities can be Incidents, Threats, or any other type that ThreatConnect uses to group related Indicators. Click on the Select Type drop-down menu and select Adversary, and then click in the text box to search for KallySky. The KallySky Adversary will appear in the results table.

11. Click the checkbox next to the KallySky Adversary and click the Save button. The KallySky Adversary will appear in the Associations table.

12. Click the Save button to commit all of your Indicators and their relevant contextual information to ThreatConnect.

Congratulations! You have imported data into ThreatConnect!

Lesson 2: Viewing Indicators via Pivots

Associations play a vital role in ThreatConnect because they allow analysts to discover relationships via pivots. If two entities are connected via an association, then you can pivot from one to the other. By associating your Indicators to the KallySky Adversary, you can find all KallySky Indicators by pivoting from that Adversary.

Lesson 2 assumes the following:
- The KallySky Adversary has been created in the designated Organization or Community.
- Indicators have been created and associated to the above KallySky Adversary.

1. From the top navigation bar at the right of the screen, click the BROWSE tab, and the screen will display a list of entities in ThreatConnect known as the Filter Options, which can be filtered in a number of ways, including pivots (Figure 8).

Figure 8: The Browse Screen

2. To ensure that your filters are configured properly, click the My Connections drop-down menu, and verify that the box next to the Organization or Community from which you imported your KallySky Indicators is checked (Figure 9). This tells ThreatConnect to filter results on the Browse screen to include only those that exist in the selected Owner.

Figure 9: Confirming Your Connections

3. Click the Adversaries filter button, and the Adversaries Browse table for your selected Owner will be displayed (Figure 10).

Figure 10: Filtering an Adversary

4. In the Filter input, type KallySky and click the magnifying glass button. ThreatConnect will search for all Adversaries with KallySky in the name.

5. Click on the KallySky Adversary row, and the Details/Pivot pop-up screen will appear, displaying some information about the KallySky Adversary (Figure 11).

Note: Your screen may look different from the one depicted in Figure 11, depending on the enrichments added in your Owner.

Figure 11: The Details/Pivot Pop-Up Screen

6. Click the Pivot button, and the screen will display a number of entities associated with the KallySky Adversary as a filter (Figure 12).

Figure 12: Pivot Results

As you pivot, the Breadcrumb bar by the House icon in the upper-left corner of the screen updates itself, remembering past pivots, so that you can return to a previous Indicator in the pivoting history. The Browse screen now displays entities that meet the following criteria:
- Entities that are Indicators
- Entities that are in the Owner (or Owners) you selected from the My Connections drop-down menu
- Entities that have an association with the KallySky Adversary from which you pivoted

By default, Indicators is the selected entity type. You can click Activity, Documents, or other buttons in the Filter Options in order to change the criterion previously defined. For example, clicking Threats only displays Threats associated to KallySky in your selected Owner. It should also be noted that you can pivot off anything in the Browse screen, which is a very powerful tool for finding all Indicators that are tagged, for example, China, or for finding in what Incidents a particular Indicator has been involved.

7. ThreatConnect now displays a list of Indicators associated with KallySky. Click on one of the Indicators you added in Lesson 1, and the Details/Pivot pop-up screen will appear once more. Pivot again from this Indicator to find other entities associated to the Indicator. Chaining pivots in this manner can expedite analysis by allowing you to traverse related entities with ease.

8. Click the Details button on the Details/Pivot pop-up screen to view Indicators in depth (Figure 13). The Details Overview screen will present you with further information about your Indicator. Your screen may look different from the one depicted in Figure 13, depending on what enrichments have been added.

Figure 13: Viewing Indicator Details

Lesson 3: Enriching KallySky Indicators

The Indicators imported in Lesson 1 already possessed a small amount of context. Lesson 3 will describe different kinds of enrichment in ThreatConnect and identify how to add additional context.

Lesson 3 assumes the following:
- You have added KallySky Indicators to your designated Community or Organization via Structured Import as described in Lesson 1.
- You have the correct permissions within the designated Organization or Community.

Note: In Figure 13, the Indicator has a Threat Rating of 3 skulls and a Confidence value of 71 points. This is an example, and your Indicators may have different values. The Tags applied during Structured Import are still present, and the top-left panel details the Indicator's Source and Description, which came from the source file as well. Source and Description are two examples of Attributes.

Attributes allow you to add structured or unstructured information to an entity to provide additional context. Attributes can be contextual, so that they are only available for the entity types for which they make sense. For example, Source and Description could apply to anything in ThreatConnect. File Indicators, however, can have an Attribute that details the File's Signing Certificate details, which does not make sense for an Incident or an IP Address. ThreatConnect defines many Attribute types by default, but your Owner's Administrator can configure additional custom Attributes for your purposes.

Viewing Attributes

1. To view an entity's Attributes, click on one of the Indicators you imported during Structured Import, and the Details/Pivot pop-up screen will appear.

2. Click the Details button, and the Details screen will display the Attributes panel at bottom-left (Figure 14).

Figure 14: Attributes

By default, your Indicator will always have a Source and a Description provided by the original analysis conducted. Indicators should always have a Source and Description populated to assist your fellow analysts in understanding what something is or why they should care about it.

Creating Attributes

1. To create a new Attribute for this Indicator, click on the +New button, and the Edit Attribute pop-up screen will appear (Figure 15).

Figure 15: Creating an Attribute

2. Click on the Select a Type drop-down menu, and try different Attribute types to see what is available. Some Attributes, like Phase of Intrusion, have a pre-defined series of radio buttons, which allow you to pick from a single set of values. Others, like Additional Analysis and Context, allow for free-form text entry. Choose Additional Analysis and Context, and enter some descriptive text into the presented text box. This text should be an example of something useful about the Indicator, since Attributes serve as answers to the questions that you would generally ask about an entity in ThreatConnect.

3. Click the Save button, and other analysts will now be able to see this Attribute when viewing this Indicator.

Threat Rating and Confidence Value

Indicators can be given a Threat Rating (0-5 skulls) and a Confidence value (0-100 points) to characterize their role and significance. For example, we may assign a malicious file a highly severe rating (Threat Rating of 5 out of 5 skulls) with 100% certainty of that evaluation (100 out of 100 Confidence value points). However, a compromised website that serves that file to vulnerable victims may be less severe (Threat Rating of 2 out of 5 skulls) with less certainty (30 out of 100 Confidence value points). The top right of the Details Overview screen's Detail panel will display the Indicator's current Threat Rating and Confidence value (Figure 16). Not only do these provide valuable insight to analysts when viewing the Details Overview screen, but many automated integrations may also take action (alerting, blocking, etc.) based on the values defined here.

When viewing an Indicator that belongs to a Community, as in Figure 16, there will be two separate Threat Ratings and Confidence values, with one marked Yours, because members of a Community can each vote on a Threat Rating and Confidence value. These votes will be averaged and presented as the overall value of these rankings. Change the Threat Rating and Confidence value of your Indicators by clicking on the appropriate number of skulls or dragging the slider, respectively.

Figure 16: Rating and Confidence

Comments and Linking

ThreatConnect can capture dialogue associated with entities by using the Comments feature at the bottom right of any entity's Details Overview screen (Figure 17). Comments memorialize this dialogue and allow ThreatConnect to notify members that activity is buzzing around an entity. If any existing Comments surrounding an entity have been posted, they will be displayed below the text box in a threaded format.

1. Click inside the Add New Comment text box and enter the following message: This indicator is associated with the adversary known as.

Figure 17: Adding a Comment

2. Click the Add Link button, and a pop-up screen will appear similar to the one used when creating an Association in Structured Import. Click on the Select Type drop-down menu, select Adversary, and then type KallySky in the search box.

3. Check the box next to the KallySky Adversary, and click the Add button.

4. Click the +Post button to submit your Comment. Your new Comment is now displayed below the text box, and it contains links on which analysts can click to immediately view the linked entity (Figure 18).

Figure 18: A Posted Comment

This will create a link both inline, in the Comment, as well as a summary of linked items below the Comment, as seen above in Figure 18. Comments may result in automated notifications for users, which are displayed from the DASHBOARD tab of the top navigation bar when first logging into ThreatConnect. Figure 19 illustrates a fully formed Comment detailing analysis conducted by a user named TCIRT-Jake.

STOP! Take a SCREEN PRINT, and provide it to your Instructor before continuing to Module 2.

Figure 19: TCIRT-Jake's Comment

This is the end of Module 1. Please continue to Module 2.

Module 2: Phishing Emails

Overview

Phishing emails often masquerade as realistic emails and try to trick users into clicking on malicious links. These email occurrences represent a great opportunity for capturing threat-intelligence information in conjunction with the Diamond Model. Each email instance contains an Adversary (the email address), Infrastructure (the sender), and Victim (the recipient). The ThreatConnect platform not only allows users to model those entities and their associations, but it can automate much of the legwork involved.

Objectives

Module 2 will teach you how to perform the following tasks in ThreatConnect:
- Import and process a suspicious email
- Create relevant entities and associations
- Update analysis to include recent data

Lesson 1: Automatically Ingesting a Suspicious Email

ThreatConnect can ingest .eml or .msg files containing an occurrence of a suspicious email. You can ingest these emails into ThreatConnect both manually and via an automated mechanism. Lesson 1 will teach you how to ingest emails into ThreatConnect automatically.

Lesson 1 assumes the following:
- Your Organization or Community has been configured to receive emails automatically.
- Your instructor has provided an email inbox address (e.g., threatconnectyourregistrationcode@inbox.threatconnect.com) to which you can forward a malicious email.
- You have identified an email sample for processing and analysis.

Emails may present valuable intelligence about the Adversary's infrastructure or capabilities, and not just within the body of the email itself. Header information may contain IP Address Indicators (infrastructure) or mailer information (capabilities) that reveal some of the Adversary's behavior. In order to capture this information, a suspicious email must be created as an attachment. ThreatConnect can ingest emails that are exported as an .msg file from Outlook (instructions), or as an .eml file as used by many common mail providers such as Gmail (instructions). If you are unable to create a file based on your email sample, your instructor can provide one to you. ThreatConnect can receive suspicious emails as attachments to a phishing inbox. This inbox will open your attached email and parse the body and header for Indicators of interest.

1. Email your .eml or .msg file to the email address specified by your instructor, as seen in Figure 20. It may take a few minutes for ThreatConnect to receive and process your email. When it is finished, it will be displayed in the Browse screen as an Email Group.

Figure 20: Email Attachment

2. Click the BROWSE tab, then click the Activity filter button, and select E-mails. Your email will display with the original email's subject in the Name column (Figure 21).

Figure 21: Email Arrival

Note: Your Browse screen must be configured properly with the correct Owner, as explained in Module 1.

If you have trouble getting your email to automatically ingest, you may use ThreatConnect's email import feature following these instructions.

Lesson 2: Creating Relevant Entities and Associations

The above workflow for submitting an email to ThreatConnect can scale across a wide spectrum. An individual analyst could submit a single suspicious sample, or an entire company could be forwarding its traffic to it! When an email is submitted, it is a good idea to create the remaining pieces of the Diamond Model when appropriate. Lesson 2 will create and associate Infrastructure, Adversary, and Victim for this Email Group.

Lesson 2 assumes the following:
- You have created an Email Group within your Organization or Community.

Creating an Adversary

Every email has a sender, and that is captured automatically within ThreatConnect. If it is able, ThreatConnect will automatically parse out the originating email address and create it as an Email Address Indicator. This Indicator will be associated with the original Email Group, and this can be verified by conducting a pivot from your original Email Group (Figure 22).

Figure 22: Pivoting Off Your Email

Note: There should be an Email Address Indicator based on this pivot, which reflects the original sender of the suspicious email. You will be using this email address to create a new Adversary. If the sender email was not created automatically, go to the top navigation bar and click the CREATE (+) tab to add an Email Address Indicator representing the email's sender.

1. On the Details Overview screen of the sender's Email Address Indicator, give it a Threat Rating of 4 Skulls and a Confidence value of 100 points, as you learned in Module 1.

2. From the top navigation bar, click the CREATE (+) tab and select Adversary. The Create Adversary pop-up screen will appear (Figure 23). Create an Adversary in your relevant Community or Organization, and use your name as part of the Adversary name (e.g., John Doe's Adversary).

Figure 23: Creating an Adversary

3. Click the Save button.

Creating Associations

You can create new Associations with other entities, including your imported Email Group and the original sender address.

1. From your new Adversary's Details Overview screen, click the ASSOCIATIONS tab, and the Associations screen will appear (Figure 24).

Figure 24: The Associations Screen

2. Click the +New Association button, and the Select an Association pop-up screen will appear (Figure 25). Similar to the Comments and Linking lesson from Module 1, this screen allows you to choose an entity type and associate Groups or Indicators with your Adversary. Click the Select Type drop-down menu and choose Email to associate the Adversary to the original Email Group. Click the Save button.

Figure 25: Associating the Adversary to the Email Group

3. Click the Select Type drop-down menu once more, and choose EmailAddress to associate the Adversary to the sender's email from your sample (Figure 26). Click the Save button.

Figure 26: Associating the Adversary to the Sender Address

Creating Victims

In the same manner that you created an Adversary, you can create a Victim to show whom the email targeted.

1. From the top navigation bar, click the CREATE (+) tab, and select Victim. The Create Victim pop-up screen will appear (Figure 27).

Figure 27: Creating a Victim

2. Enter the required information, making sure to select the same Organization or Community as your Owner. Enter your own name as the Victim name and the name of your class or training group as the Organization.

3. Click the Save button.

4. Once you have created a Victim, it will have its own Details screen similar to other Groups and Indicators. Victims have their own special details and context, such as Work Location, but feel free to populate any details you wish.

5. From the Details screen, click on the ASSETS tab, and the Assets screen will appear (Figure 28). This screen allows ThreatConnect analysts to track specific accounts or Assets that have been targeted or compromised for each Victim.

Figure 28: The Assets Screen

6. To add an Asset to this Victim, click the +New Asset button, and the Create Asset pop-up screen will appear (Figure 29).

Figure 29: Creating a Victim Asset

7. Click on the Select Type drop-down menu, and choose E-Mail Address.

8. Click in the Address box and enter your email address.

9. Click on the Address Type drop-down menu and make a selection.

10. Click the Save button.

Associating Victims

You will now learn how to associate your Victim to your Email from the Email Group itself.

1. From your Email's Details screen, click the ASSOCIATIONS tab, and the Associations screen will appear (refer to Figure 24).

2. Click the +New Association button, and the Select an Association pop-up screen will appear (Figure 30).

Figure 30: Associating to a Victim Asset

3. Click on the Select Type drop-down menu and choose Victim.

4. Click in the search box and enter the name of your new Victim. Note: if there are multiple Victims with your name, you can identify your Victim by the Asset you added.

5. Check the box by your Victim's name, and click the Save button.

Remaining Associations

You can now finish creating the remaining Associations as necessary. Model the Associations in a way that allows analysts to pivot and discover relationships. For example, if your sender had sent multiple emails, a simple pivot would show multiple Email Groups! Likewise, a Victim that has been targeted many times will have a long list of Email Groups when pivoting from that Victim. Note that Associations are bidirectional: associating an Email Group to an Adversary is the same as associating an Adversary to an Email Group.

Make sure to make the following associations:
- Email Group to Sender Address
- Adversary to Email Group (done in Creating Associations)
- Adversary to Email Address Indicator Representing Sender (done in Creating Associations)
- Email Group to Victim Asset (done in Creating Victims)

You have now created the related Groups, Indicators, and Associations, as depicted in Figure 31.

Figure 31: Relationships as Modeled
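Module 1, Lesson 2 describes a pivot as following associations from one entity to its neighbours, filtered by entity type and by the Owners checked under My Connections, and the Remaining Associations section above adds that associations are bidirectional. The Python below is an added illustration of that model, not ThreatConnect code or its API: a small in-memory store in which one associate() call records both directions, a pivot() filtered by type and Owner, and a chain() that pivots repeatedly (for example Adversary to Indicators to Incidents). Entity names, types and Owners are constructed placeholders.

```python
from collections import defaultdict


class AssociationStore:
    """Toy model of entities, Owners and bidirectional associations (assumed, not the product's data model)."""

    def __init__(self):
        self.entities = {}             # name -> (entity type, Owner)
        self.links = defaultdict(set)  # name -> names it is associated with

    def add(self, name, etype, owner):
        self.entities[name] = (etype, owner)

    def associate(self, a, b):
        # Associations are bidirectional: recording a->b also records b->a,
        # so pivoting works from either side.
        self.links[a].add(b)
        self.links[b].add(a)

    def pivot(self, name, etype=None, owners=None):
        """Entities associated with `name`, optionally restricted to one entity type
        (the Filter Options buttons) and to a set of Owners (My Connections)."""
        results = []
        for other in sorted(self.links[name]):
            t, o = self.entities[other]
            if etype is not None and t != etype:
                continue
            if owners is not None and o not in owners:
                continue
            results.append(other)
        return results

    def chain(self, start, *steps):
        """Chained pivots: each step names the entity type to pivot to next."""
        frontier = {start}
        for etype in steps:
            frontier = {n for f in frontier for n in self.pivot(f, etype)} - {start}
        return sorted(frontier)


def build_sample():
    """Constructed data: placeholder names, not real intelligence."""
    s = AssociationStore()
    s.add("KallySky", "Adversary", "Training Community")
    s.add("198.51.100.23", "Address", "Training Community")
    s.add("malicious.example", "Host", "Training Community")
    s.add("203.0.113.9", "Address", "Other Org")
    s.add("Campaign X", "Incident", "Training Community")
    s.add("Phish 2015-09", "Email", "Training Community")
    for indicator in ("198.51.100.23", "malicious.example", "203.0.113.9"):
        s.associate("KallySky", indicator)
    s.associate("198.51.100.23", "Campaign X")
    s.associate("malicious.example", "Phish 2015-09")
    return s


if __name__ == "__main__":
    store = build_sample()
    # Adversary -> Address Indicators, restricted to the checked Owner
    print(store.pivot("KallySky", etype="Address", owners={"Training Community"}))
    # Same pivot with no Owner filter also shows the Indicator from the other Owner
    print(store.pivot("KallySky", etype="Address"))
    # Pivoting back from an Indicator reaches the Adversary and the Incident
    print(store.pivot("198.51.100.23"))
    # Chained pivot: Adversary -> Address Indicators -> Incidents
    print(store.chain("KallySky", "Address", "Incident"))
```

The Owner filter is what the My Connections step in Module 1 controls: with only the Training Community checked, the Indicator that lives in Other Org drops out of the pivot results even though it is associated with the same Adversary.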

Lesson 3: Updating Analysis to Include Recent Data

Visit the Details screen for your Email Group and view the SCORE tab (Figure 33). ThreatConnect has assigned a score to your email based on scoring rules defined by the System Administrator. These scoring rules add points for suspicious header fields, the inclusion of known bad Indicators, and more. After conducting some additional analysis, it is possible to obtain a more accurate score rating for your email. Now that you have added a Threat Rating to the Email Address Indicator representing the sender, your email score will change.

Lesson 3 assumes the following:
- You have successfully imported an email from Lesson 1.
- You have successfully created the sender as an Email Address Indicator and given it a Threat Rating and Confidence value.
- Your ThreatConnect Instance has been configured with proper email-scoring rules.

1. From your Email Group Details screen, click the Update Analysis button, and the Import Email screen will appear (Figure 32). This wizard will import an email as though you had imported it manually.

Figure 32: Import Email Wizard

2. The Import screen details what ThreatConnect was able to parse out from the email header and body. Click the Next button, and the Score screen will appear (Figure 33).

STOP! Take a SCREEN PRINT, and provide it to your Instructor.

Figure 33: The Score Breakdown

3. The Score screen displays the updated Score Total for your Email Group and details the rules triggered to give it points. In this example, and from the Score Breakdown panel, the sender's Email Address Indicator was seen in multiple header fields and contributed 400 points to the score. This value is configured to be the product of the Indicator's Threat Rating (4 Skulls) and Confidence value (100 points). There are also rules that are not based on Indicators, such as certain header fields. This example also gives 300 points for originating in a Chinese time zone and 100 points for using a Chinese email client known as FoxMail. Click the Next button, and the Indicators screen will appear (Figure 34).

Figure 34: Adding a New Indicator from an Email

Note: To prevent flooding the system with false positives, ThreatConnect will not automatically create all possible Indicators it recognizes when importing an email. Instead, you can use this wizard to select which Indicators provide valuable intelligence. ThreatConnect will create the Indicators and associate them to their parent Email Group.

4. The Indicators screen highlights all of the identified Indicators in the email's header and body. Note that these are based on regular expressions and, thus, may not be entirely accurate. The Indicators are color coded based on whether or not they exist in ThreatConnect: Indicators with a yellow background do not yet exist, while Indicators with a green or blue background exist in this or in another Owner, respectively. Hover over a yellow-background Indicator and click the Add Indicator button. This will allow ThreatConnect to easily identify and parse Indicators that may warrant additional analysis or triage. Click the Next button, and the Confirm screen will appear (Figure 35).

Figure 35: Confirming the Analysis

5. On the Confirm screen, review the updated analysis of your email. The score may have changed, new Indicators may have been added, and so on.

6. Click the Save button to commit your changes. The Email Group's Details screen will reappear.

7. Click on the ASSOCIATIONS tab, and the Indicators you added from the wizard above will be displayed, since they have automatically been associated to this Email Group (Figure 36).
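Step 3 of this lesson describes the score as Indicator rules (the sender's Threat Rating times its Confidence when the address appears in header fields) plus header rules (points for the originating time zone and for the mail client), and step 4 describes Indicator extraction from header and body by regular expressions, colour coded by whether each Indicator already exists in this or another Owner. The Python below is an added illustration of both mechanisms and is not ThreatConnect's scoring engine, its rules, or its regular expressions: it parses a constructed .eml with the standard library's email module, extracts candidate Indicators, marks each yellow/green/blue against assumed sets of known Indicators, and sums rule points using the values quoted in step 3 as assumed rules (UTC+8 standing in for the Chinese time zone). Every address, URL and header value in the sample is a placeholder.

```python
import email
import re
from datetime import timedelta
from email import policy

# Candidate Indicator patterns: assumed and simplified, not the platform's own.
PATTERNS = {
    "Address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "EmailAddress": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "URL": re.compile(r'\bhttps?://[^\s<>"]+'),
}


def _header_text(msg):
    """Flatten all header fields into one searchable block of text."""
    return "\n".join("%s: %s" % (name, value) for name, value in msg.items())


def extract_indicators(msg):
    """Return {type: set(values)} found in the header block and the plain-text body."""
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    header_text = _header_text(msg)
    found = {}
    for itype, pattern in PATTERNS.items():
        values = set(pattern.findall(header_text)) | set(pattern.findall(body_text))
        if values:
            found[itype] = values
    return found


def colour_code(found, existing_here, existing_elsewhere):
    """Yellow = not yet in ThreatConnect, green = exists in this Owner, blue = exists in another Owner."""
    coded = {}
    for values in found.values():
        for value in values:
            if value in existing_here:
                coded[value] = "green"
            elif value in existing_elsewhere:
                coded[value] = "blue"
            else:
                coded[value] = "yellow"
    return coded


def score_email(msg, indicator_ratings):
    """Return (total, breakdown) for the assumed rule set.

    indicator_ratings maps a known Indicator value to (threat_rating, confidence).
    The Indicator rule (rating * confidence) and the two header rules reuse the
    point values quoted in the lesson; they are assumptions, not the product's rules.
    """
    breakdown = []
    header_text = _header_text(msg)
    for value, (rating, confidence) in indicator_ratings.items():
        if value in header_text:
            breakdown.append(("known Indicator %s in header fields" % value, rating * confidence))
    date_hdr = msg["Date"]
    if (date_hdr is not None and date_hdr.datetime is not None
            and date_hdr.datetime.utcoffset() == timedelta(hours=8)):
        breakdown.append(("originating time zone UTC+8", 300))       # assumed rule
    if "foxmail" in msg.get("X-Mailer", "").lower():
        breakdown.append(("X-Mailer is Foxmail", 100))               # assumed rule
    return sum(points for _, points in breakdown), breakdown


# Constructed sample message; addresses, URL and client string are placeholders.
SAMPLE_EML = """From: actor@example.net
Reply-To: actor@example.net
To: analyst@example.org
Subject: Invoice attached
Date: Tue, 15 Sep 2015 09:12:33 +0800
X-Mailer: Foxmail 7.2
Received: from [198.51.100.23] by mx.example.org
Content-Type: text/plain; charset=utf-8

Please review your invoice at http://malicious.example/inv.php before Friday.
"""


def analyse(raw=SAMPLE_EML):
    """Run extraction, colour coding and scoring over one raw .eml string."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = extract_indicators(msg)
    # Assumed state of the Owners: one Address already here, the recipient known elsewhere.
    coded = colour_code(found, {"198.51.100.23"}, {"analyst@example.org"})
    # The sender was rated 4 Skulls / 100 Confidence in Lesson 2.
    total, breakdown = score_email(msg, {"actor@example.net": (4, 100)})
    return found, coded, total, breakdown


if __name__ == "__main__":
    found, coded, total, breakdown = analyse()
    for itype, values in found.items():
        print(itype, sorted(values))
    print(coded)
    print(total, breakdown)
```

With the sample, the sender address appears in both From and Reply-To and earns 4 x 100 = 400 points, the +0800 Date offset adds 300 and the Foxmail client 100, for a total of 800; the Received-path IP is coded green because it already exists in this Owner, the recipient blue because another Owner has it, and the sender and the phishing URL yellow because neither exists yet.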

Figure 36: The Newly Associated and Created Indicator

Of course, new Indicators are not given a Threat Rating or Confidence value by default! Further analysis is required to determine how malicious the phishing URL is. As the picture comes into focus, that URL will receive Tags, Attributes, and a Threat Rating/Confidence value to illustrate its role in an attack, and then you can update the Email Group's score again to reflect what you have learned!

ThreatConnect is a registered trademark of ThreatConnect, Inc. Gmail is a trademark of Google, Inc. Outlook is a registered trademark of the Microsoft Corporation.