CONTROLLING YOUR OWN BATTLESPACE. From Threat Response Teams To Threat Intelligence Teams


Agenda
- Motivations
- The Intelligence Process
- The Cyber Kill Chain Approach
- Indicators of Compromise
- Information Sharing
- Takeaways

Today's Threat Landscape (CSO challenges)
- Organized attackers
- Increasing volume
- Sophisticated
- Remediation is broken
- Limited correlation across disjointed security technologies
- Must prevent attacks across perimeter, cloud and endpoint
- Limited security expertise

Information Overload (diagram)
Labels: Detection-focused; Alert Overload; Manual Response Required.
The diagram shows an enterprise network behind its Internet connection with point products from four vendors (UTM/blades, anti-APT for email, anti-APT for HTTP, DNS protection for outbound DNS on-premises and in the cloud, a cloud anti-APT service, endpoint AV, network AV) and a separate malware intelligence feed. Each product raises its own stream of DNS, web, SMTP, endpoint, AV and APT alerts; no correlation layer between the streams is shown.

Cyber Kill Chain: Relationship of Data, Information, and Intelligence
(Figure I-1 from Chapter I of Joint Publication 2-0, Joint Intelligence, reproduced on the slide.)
Operational Environment --(Collection)--> Data --(Processing and Exploitation)--> Information --(Analysis and Production)--> Intelligence

Cyber Kill Chain
Recon -> Weaponize -> Deliver -> Exploit -> Install -> C2 -> Action
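The kill chain is what turns the alert flood on the earlier slides into something rankable: if each independently placed sensor (mail sandbox, endpoint agent, DNS protection, web gateway) is mapped to the phase it actually observes, alerts about one host can be ordered along the chain, hosts that several sensors place in several phases float to the top, and phases that no sensor reported become sensor-placement gaps. The following is an added example, not code from the deck; the vendor names, alert types, the alert-type-to-phase mapping and the alert feed are all constructed.

```python
"""Correlate alerts from disjointed sensors into per-host kill-chain progressions.

Added example for this deck, not code from the original slides. The alert feed,
the vendor names and the (vendor, alert type) -> phase mapping are constructed;
a real deployment derives the mapping from what each sensor can actually see.
"""
from collections import defaultdict

# Kill-chain phases in order, as listed on the slide.
PHASES = ["Recon", "Weaponize", "Deliver", "Exploit", "Install", "C2", "Action"]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}

# Constructed: which phase each sensor's alert type actually observes.
ALERT_PHASE = {
    ("vendor1", "smtp_attachment_sandbox"): "Deliver",
    ("vendor1", "av_signature"): "Install",
    ("vendor2", "web_exploit_kit"): "Exploit",
    ("vendor2", "large_upload"): "Action",
    ("vendor3", "endpoint_new_service"): "Install",
    ("vendor4", "dns_beacon"): "C2",
    ("vendor4", "dns_dga"): "C2",
}

# Constructed alert feed: (ISO timestamp, vendor, alert type, host).
ALERTS = [
    ("2018-04-13T09:01:00", "vendor1", "smtp_attachment_sandbox", "ws-017"),
    ("2018-04-13T09:04:00", "vendor3", "endpoint_new_service", "ws-017"),
    ("2018-04-13T09:06:00", "vendor4", "dns_beacon", "ws-017"),
    ("2018-04-13T09:30:00", "vendor4", "dns_dga", "ws-042"),
    ("2018-04-13T10:15:00", "vendor1", "av_signature", "ws-099"),
    ("2018-04-13T10:40:00", "vendor2", "large_upload", "ws-017"),
    ("2018-04-13T10:41:00", "vendor9", "unknown_widget", "ws-017"),  # unmapped
]


def correlate(alerts):
    """Group mapped alerts by host, ordered by kill-chain phase and then time."""
    by_host = defaultdict(list)
    for ts, vendor, atype, host in alerts:
        phase = ALERT_PHASE.get((vendor, atype))
        if phase is None:
            continue  # an alert nobody has mapped to a phase stays noise
        by_host[host].append((phase, ts, vendor, atype))
    for recs in by_host.values():
        recs.sort(key=lambda r: (PHASE_INDEX[r[0]], r[1]))
    return dict(by_host)


def summarize(alerts, min_phases=2):
    """Rank hosts by how far along the kill chain independent sensors place them.

    A host is reported only if at least `min_phases` distinct phases were seen.
    `gaps` lists the phases between the first and last observed one that no
    sensor reported: the places to put or tune a sensor.
    """
    out = []
    for host, recs in correlate(alerts).items():
        phases = []
        for phase, _ts, _vendor, _atype in recs:
            if phase not in phases:
                phases.append(phase)
        if len(phases) < min_phases:
            continue
        lo, hi = PHASE_INDEX[phases[0]], PHASE_INDEX[phases[-1]]
        out.append({
            "host": host,
            "phases": phases,
            "vendors": len({r[2] for r in recs}),
            "deepest": phases[-1],
            "gaps": [p for p in PHASES[lo:hi + 1] if p not in phases],
        })
    out.sort(key=lambda s: (-len(s["phases"]), -PHASE_INDEX[s["deepest"]], s["host"]))
    return out


if __name__ == "__main__":
    for row in summarize(ALERTS, min_phases=1):
        print(row)
```

On the constructed feed, ws-017 is placed in Deliver, Install, C2 and Action by four different vendors, with Exploit as the gap: four separate consoles each showed one alert, and only the correlation shows a single intrusion that reached exfiltration.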

The Intelligence Process
(Figure I-3 from Chapter I of Joint Publication 2-0, Joint Intelligence, reproduced on the slide.)
A cycle built around the Mission: Planning and Direction -> Collection -> Processing and Exploitation -> Analysis and Production -> Dissemination and Integration -> back to Planning and Direction, with Evaluation and Feedback applied at every step.

The Intelligence Process: The Nature of Intelligence, The Paradox of Warning
(Figure I-8 from Chapter I of Joint Publication 2-0, reproduced on the slide.)
The figure is a loop in which each side's intelligence changes the other side's behavior, so a warning that is acted on invalidates the indications it was built from:
1. Friendly intelligence determines adversary intention.
2. Friendly intelligence detects indications.
3. Friendly intelligence provides warning.
4. Friendly forces react to adversary activity.
5. Adversary intelligence determines friendly intention.
6. Adversary intelligence detects indications.
7. Adversary intelligence provides warning.
8. Adversary adopts a different course of action, and the loop returns to step 1.

Indicators of Compromise
The slide reproduces an excerpt from Hutchins, Cloppert and Amin, "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" (Lockheed Martin), cut off at the start:
"...-consuming and problematic if sufficient tracking isn't in place, thus it is imperative that indicators subject to these processes are valid and applicable to the problem set in question. If attention is not paid to this point, analysts may find themselves applying these techniques to threat actors for which they were not designed, or to benign activity altogether."
Figure 1: Indicator life cycle states and transitions. States: Revealed, Mature, Utilized. Transitions: Report, Analyze, Leverage, Discover.
The slide also shows the paper's following section heading, "Intrusion Kill Chain".
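The excerpt's warning is easy to lose once indicators are flowing in from feeds and reports: an indicator should not reach detection until analysis has tied it to a phase and an actor, and never if it matches known-benign activity. One way to enforce that is to treat the figure's life cycle as a checked state machine. This is an added example, not code from the deck or from the quoted paper; the states and transition labels are the ones printed in the figure, the wiring between them is this example's reading of that figure, and the benign allowlist and sample values are constructed.

```python
"""Indicator life cycle as a checked state machine.

Added example for this deck, not code from the slides or from the paper the
slide quotes. The states (Revealed, Mature, Utilized) and transition labels
(Report, Analyze, Leverage, Discover) are the ones printed in the figure; the
wiring between them is this example's reading of that figure. The allowlist of
benign values and the sample indicators are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

KILL_CHAIN = ("Recon", "Weaponize", "Deliver", "Exploit", "Install", "C2", "Action")

# Constructed: values that look like indicators but are known-benign here.
BENIGN = {"ipv4": {"127.0.0.1"}, "domain": {"example.com"}}


@dataclass
class Indicator:
    value: str
    itype: str                      # e.g. email, domain, ipv4, md5
    phase: Optional[str] = None     # kill-chain phase it applies to
    actor: Optional[str] = None     # actor or campaign it is tied to
    state: str = "Revealed"
    derived_from: Optional[str] = None
    history: List[str] = field(default_factory=list)


def _require(ind, state, action):
    if ind.state != state:
        raise ValueError(f"{action} needs state {state}; {ind.value} is {ind.state}")


def report(value, itype, phase=None, actor=None):
    """Report: an external source reveals an indicator (enters as Revealed)."""
    ind = Indicator(value, itype, phase, actor)
    ind.history.append("Report")
    return ind


def analyze(ind, phase=None, actor=None):
    """Analyze: Revealed -> Mature. Analysis pins the indicator to a phase and actor."""
    _require(ind, "Revealed", "Analyze")
    ind.phase = phase or ind.phase
    ind.actor = actor or ind.actor
    ind.state = "Mature"
    ind.history.append("Analyze")
    return ind


def leverage(ind):
    """Leverage: Mature -> Utilized, but only if the indicator is valid and
    applicable to a problem set, which is the excerpt's warning."""
    _require(ind, "Mature", "Leverage")
    if ind.phase not in KILL_CHAIN or not ind.actor:
        raise ValueError(f"{ind.value}: not tied to a kill-chain phase and actor")
    if ind.value in BENIGN.get(ind.itype, set()):
        raise ValueError(f"{ind.value}: matches benign activity")
    ind.state = "Utilized"
    ind.history.append("Leverage")
    return ind


def discover(parent, value, itype):
    """Discover: hunting with a Utilized indicator reveals a new one, which
    starts the cycle again as Revealed and must be analyzed before use."""
    _require(parent, "Utilized", "Discover")
    child = Indicator(value, itype, None, parent.actor, derived_from=parent.value)
    child.history.append("Discover")
    return child
```

A discovered indicator inherits the parent's actor but not its phase: the C2 domain found by pivoting on a delivery-stage address belongs to a different phase, and deciding which one is analysis, not inheritance.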

Information Sharing: Expressing Relationships in STIX (diagram)
The slide diagrams the STIX relationship graph for one sample campaign:
- Associated actor: Leet Pamina Republic Army Unit 31459.
- Initial Compromise: a Spear Phishing Email indicator whose observable is the electronic address l33t007@badassin.com (Sender: John Smith, Subject: Press Release).
- Observed TTP "Establish Foothold": malware behavior WEBC2.
- Observed TTP "Escalate Privilege": uses tools cachedump (MD5: d8bb32a7465f55c368230bb52d52d885) and lslsass.
- Observed TTP "Internal Reconnaissance" (attack pattern): uses tools ipconfig, net view, net group "domain admins".
- Observed TTP "Exfiltration": uses tool GETMAIL.
- Leverages infrastructure: C2 servers, IP range printed on the slide as 172.24.0.0-112.25.255.255 (as printed; the end address is lower than the start, so the range as shown is not a valid range).
- Targets: Khaffeine, Bronxistan, Perturbia, Blahniks, ...
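The value of expressing the graph in STIX rather than as a list of hashes is that the relationships survive sharing: a recipient can ask which tools the actor uses at a given stage, and can turn the indicator into detection without re-analysing the report. The following added example, which is not code from the deck or from the STIX project, builds the slide's graph as a STIX 2.1 bundle with the standard library only (no python-stix2) and answers both questions. The slide's diagram is in STIX 1.x terms (Observable, Indicator, TTP); here the TTPs become attack-pattern objects, the actor a threat-actor, and the e-mail observable an indicator carrying a STIX pattern. The UUID namespace and timestamps are constructed so the bundle is reproducible, and the kill-chain phase is the slide's "Initial Compromise".

```python
"""The slide's STIX relationship graph as a STIX 2.1 bundle, plus two queries.

Added example, not code from the deck or from the STIX project; standard library
only (no python-stix2). The diagram is in STIX 1.x terms (Observable, Indicator,
TTP): here TTPs become attack-pattern objects, the actor a threat-actor, and the
e-mail observable an indicator carrying a STIX pattern. The ID namespace and the
timestamps are constructed so the bundle is reproducible.
"""
import re
import uuid

NS = uuid.UUID("4f0f9e7c-2d9c-4f58-9b0a-3d9c5b1e2a77")  # constructed namespace
TS = "2018-04-13T00:00:00.000Z"                          # constructed timestamp
# The slide labels the phishing stage "Initial Compromise", a Mandiant attack
# lifecycle phase; this is the kill_chain_name STIX 2 examples use for that model.
KC = {"kill_chain_name": "mandiant-attack-lifecycle-model",
      "phase_name": "initial-compromise"}

def sid(stix_type, name):
    """Deterministic STIX identifier: <type>--<uuid5 of type:name>."""
    return f"{stix_type}--{uuid.uuid5(NS, stix_type + ':' + name)}"

def sdo(stix_type, name, **extra):
    obj = {"type": stix_type, "spec_version": "2.1", "id": sid(stix_type, name),
           "created": TS, "modified": TS, "name": name}
    obj.update(extra)
    return obj

def sro(src, rel_type, dst):
    key = f"{src['id']}|{rel_type}|{dst['id']}"
    return {"type": "relationship", "spec_version": "2.1",
            "id": sid("relationship", key), "created": TS, "modified": TS,
            "relationship_type": rel_type,
            "source_ref": src["id"], "target_ref": dst["id"]}

def build_bundle():
    actor = sdo("threat-actor", "Leet Pamina Republic Army Unit 31459")
    # Observed TTPs from the diagram and what each one uses.
    ttps = {
        "Establish Foothold": ["malware:WEBC2"],
        "Escalate Privilege": ["tool:cachedump", "tool:lslsass"],
        "Internal Reconnaissance": ["tool:ipconfig", "tool:net view",
                                    "tool:net group domain admins"],
        "Exfiltration": ["tool:GETMAIL"],
    }
    objects, rels = [actor], []
    for ttp_name, used in ttps.items():
        ap = sdo("attack-pattern", ttp_name)
        objects.append(ap)
        rels.append(sro(actor, "uses", ap))
        for item in used:
            kind, name = item.split(":", 1)
            extra = {"is_family": False} if kind == "malware" else {}
            if name == "cachedump":  # hash printed on the slide
                extra["description"] = "MD5 d8bb32a7465f55c368230bb52d52d885"
            obj = sdo(kind, name, **extra)
            objects.append(obj)
            rels.append(sro(ap, "uses", obj))
    phish = sdo("indicator", "Spear phishing email from l33t007@badassin.com",
                pattern="[email-message:from_ref.value = 'l33t007@badassin.com']",
                pattern_type="stix", valid_from=TS, kill_chain_phases=[KC])
    c2 = sdo("infrastructure", "C2 Servers",
             infrastructure_types=["command-and-control"],
             description="IP range as printed on the slide: 172.24.0.0-112.25.255.255")
    objects += [phish, c2]
    rels += [sro(phish, "indicates", actor), sro(actor, "uses", c2)]
    for target in ["Khaffeine", "Bronxistan", "Perturbia", "Blahniks"]:
        ident = sdo("identity", target, identity_class="unknown")
        objects.append(ident)
        rels.append(sro(actor, "targets", ident))
    return {"type": "bundle", "id": sid("bundle", "slide"), "objects": objects + rels}

def used_by(bundle, name):
    """Names of everything the named object 'uses', following relationship SROs."""
    objs = {o["id"]: o for o in bundle["objects"]}
    src = next(o for o in objs.values() if o.get("name") == name)
    return sorted(objs[r["target_ref"]]["name"] for r in bundle["objects"]
                  if r["type"] == "relationship" and r["relationship_type"] == "uses"
                  and r["source_ref"] == src["id"])

# Single-comparison STIX pattern only: [object-type:property = 'value']
_SIMPLE = re.compile(r"^\[(?P<obj>[\w-]+):(?P<path>[\w.]+)\s*=\s*'(?P<val>[^']*)'\]$")

def matching_indicators(bundle, observed):
    """Turn a shared indicator into detection: evaluate each indicator's pattern
    against one observed object given as {"type": ..., "<property path>": ...}.
    Patterns outside the single-comparison form are skipped, not guessed at."""
    hits = []
    for o in bundle["objects"]:
        if o["type"] != "indicator":
            continue
        m = _SIMPLE.match(o["pattern"])
        if m and observed.get("type") == m["obj"] and observed.get(m["path"]) == m["val"]:
            hits.append(o["name"])
    return hits
```

The pattern evaluator deliberately handles only the one pattern shape the slide needs; a real consumer should hand anything else to a full STIX pattern engine rather than approximate it, since a silently mis-evaluated pattern is exactly the "applying techniques to benign activity" failure the previous slide warns about.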

Information Sharing: organizations contributing to STIX (logo slide; the organization names are not recoverable from the transcription).

Takeaways
- Move the onus of security ops from reactionary to proactive (from Incident Response to Threat Intelligence)
- Place and tune your defensive sensors appropriately
- Use the intelligence feedback loop
- Don't do it alone