CONTROLLING YOUR OWN BATTLESPACE
From Threat Response Teams to Threat Intelligence Teams

Agenda
- Motivations
- The Intelligence Process
- The Cyber Kill Chain Approach
- Indicators of Compromise
- Information Sharing
- Takeaways
Today's Threat Landscape
- Organized attackers
- Increasing volume
- Sophisticated
- Remediation is broken
CSO challenges
- Limited correlation across disjointed security technologies
- Must prevent attacks across perimeter, cloud and endpoint
- Limited security expertise
Information Overload
- Detection-focused
- Alert overload
- Manual response required
[Figure: an enterprise network and its Internet connection covered by disjointed detection products from four vendors (UTM/blades, anti-APT for email and for HTTP, DNS protection for outbound DNS and in the cloud, anti-APT cloud, endpoint AV, network AV, malware intelligence), each emitting its own stream of DNS, endpoint, web, SMTP, APT and AV alerts with no correlation between them]
Cyber Kill Chain
[Figure I-1. Relationship of Data, Information, and Intelligence: data drawn from the operational environment becomes information through collection, processing and exploitation, and becomes intelligence through analysis and production]
Cyber Kill Chain
Recon -> Weaponize -> Deliver -> Exploit -> Install -> C2 -> Action
The Intelligence Process
[Figure I-3. The Intelligence Process: Planning and Direction, Collection, Processing and Exploitation, Analysis and Production, and Dissemination and Integration form a cycle around the Mission, with Evaluation and Feedback applied across all of them]
The Intelligence Process: The Nature of Intelligence
[Figure I-8. The Paradox of Warning]
Friendly side:
- Friendly intelligence determines adversary intention.
- Friendly intelligence detects indications.
- Friendly intelligence provides warning.
- Friendly forces react to adversary activity.
Adversary side:
- Adversary intelligence determines friendly intention.
- Adversary intelligence detects indications.
- Adversary intelligence provides warning.
- Adversary adopts a different course of action.
Indicators of Compromise
[Figure 1: Indicator life cycle states and transitions, with the states Revealed, Mature and Utilized and the transitions Discover, Analyze, Leverage and Report, shown alongside the Intrusion Kill Chain]
Excerpt reproduced on the slide (the left edge of the passage is cut off; bracketed letters are reconstructed):
"...-consuming and problematic if sufficient tracking isn't in place, thus it is imperative that indicators [subj]ect to these processes are valid and applicable to the problem set in question. If attention is not paid [at t]his point, analysts may find themselves applying these techniques to threat actors for which they [were] not designed, or to benign activity altogether."
Information Sharing: Expressing Relationships in STIX
[Figure: STIX relationship graph]
- Associated Actor: Leet Pamina Republic Army Unit 31459
- Targets: Khaffeine, Bronxistan, Perturbia, Blahniks...
- Observed TTP, Initial Compromise: Spear Phishing Email indicator, with Observable Sender: John Smith, Subject: Press Release, Electronic Address l33t007@badassin.com
- Observed TTP, Establish Foothold: Malware Behavior WEBC2, which Leverages Infrastructure C2 Servers (IP Range: 172.24.0.0-112.25.255.255)
- Observed TTP, Escalate Privilege: Uses Tool cachedump (Indicator MD5: d8bb32a7465f55c368230bb52d52d885) and lslsass
- Observed TTP, Internal Reconnaissance (Attack Pattern): Uses Tool ipconfig, net view, net group "domain admins"
- Observed TTP, Exfiltration: Uses Tool GETMAIL
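The graph on this slide, written out as STIX 2.1 JSON objects and then queried. This is an added example, not code from the original deck: the actor, TTPs, tools, sender address and MD5 are the slide's values, while the timestamps, the UUIDv5-derived ids and the STIX 2.1 object types (the slide uses STIX 1-era terms such as Observable and TTP, which in 2.1 become indicator patterns, attack-pattern, tool and malware objects) are assumptions made here. No stix2 library is used, so it runs offline.

```python
"""Added example: the slide's actor/TTP/tool/indicator relationships as hand-built
STIX 2.1 JSON objects (constructed; no stix2 library, no network access)."""
import json
import uuid

# Constructed timestamp so the bundle is reproducible; real producers use the current time.
CREATED = "2024-01-01T00:00:00.000Z"


def stix_id(obj_type, seed):
    """Deterministic UUIDv5-based id (constructed); real producers use random UUIDv4."""
    return f"{obj_type}--{uuid.uuid5(uuid.NAMESPACE_URL, f'{obj_type}:{seed}')}"


def sdo(obj_type, name, **props):
    """STIX Domain Object with the common required properties plus type-specific ones."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type, name),
           "created": CREATED, "modified": CREATED, "name": name}
    obj.update(props)
    return obj


def relationship(rel_type, source, target):
    """STIX Relationship Object: a typed, directed edge between two SDOs."""
    seed = f"{source['id']}|{rel_type}|{target['id']}"
    return {"type": "relationship", "spec_version": "2.1", "id": stix_id("relationship", seed),
            "created": CREATED, "modified": CREATED, "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def build_bundle():
    """Bundle carrying the nodes and edges drawn on the slide (values taken from it)."""
    actor = sdo("threat-actor", "Leet Pamina Republic Army Unit 31459")
    phishing = sdo("attack-pattern", "Initial Compromise: Spear Phishing")
    foothold = sdo("attack-pattern", "Establish Foothold")
    escalate = sdo("attack-pattern", "Escalate Privilege")
    recon = sdo("attack-pattern", "Internal Reconnaissance")
    exfil = sdo("attack-pattern", "Exfiltration")
    webc2 = sdo("malware", "WEBC2", is_family=False)
    tools = {n: sdo("tool", n) for n in ("cachedump", "lslsass", "ipconfig", "GETMAIL")}
    c2 = sdo("infrastructure", "C2 Servers", infrastructure_types=["command-and-control"])
    # The slide's Observable (sender + subject) becomes a STIX pattern on an indicator.
    email_ind = sdo("indicator", "Spear phishing email", pattern_type="stix", valid_from=CREATED,
                    pattern="[email-message:from_ref.value = 'l33t007@badassin.com' "
                            "AND email-message:subject = 'Press Release']")
    hash_ind = sdo("indicator", "cachedump sample", pattern_type="stix", valid_from=CREATED,
                   pattern="[file:hashes.MD5 = 'd8bb32a7465f55c368230bb52d52d885']")
    objects = [actor, phishing, foothold, escalate, recon, exfil, webc2, c2,
               email_ind, hash_ind, *tools.values()]
    objects += [relationship("uses", actor, ap)
                for ap in (phishing, foothold, escalate, recon, exfil)]
    objects += [
        relationship("uses", foothold, webc2),
        relationship("uses", webc2, c2),                     # "Leverages Infrastructure"
        relationship("uses", escalate, tools["cachedump"]),
        relationship("uses", escalate, tools["lslsass"]),
        relationship("uses", recon, tools["ipconfig"]),
        relationship("uses", exfil, tools["GETMAIL"]),
        relationship("indicates", email_ind, phishing),
        relationship("indicates", hash_ind, tools["cachedump"]),
    ]
    return {"type": "bundle", "id": stix_id("bundle", "slide-example"), "objects": objects}


def targets(bundle, source_id, rel_type):
    """Ids reachable from source_id over one edge of the given relationship type."""
    return [o["target_ref"] for o in bundle["objects"]
            if o["type"] == "relationship" and o["relationship_type"] == rel_type
            and o["source_ref"] == source_id]


def tools_used_by_actor(bundle, actor_name):
    """Walk actor -uses-> attack-pattern -uses-> tool/malware and return sorted names."""
    index = {o["id"]: o for o in bundle["objects"]}
    actor = next(o for o in bundle["objects"]
                 if o["type"] == "threat-actor" and o["name"] == actor_name)
    found = set()
    for ap_id in targets(bundle, actor["id"], "uses"):
        for t_id in targets(bundle, ap_id, "uses"):
            if index[t_id]["type"] in ("tool", "malware"):
                found.add(index[t_id]["name"])
    return sorted(found)


def indicated_objects(bundle, indicator_name):
    """Names of the objects an indicator points at, i.e. what a hit on it tells the analyst."""
    index = {o["id"]: o for o in bundle["objects"]}
    ind = next(o for o in bundle["objects"]
               if o["type"] == "indicator" and o["name"] == indicator_name)
    return sorted(index[t]["name"] for t in targets(bundle, ind["id"], "indicates"))


def dangling_refs(bundle):
    """Relationship refs that do not resolve inside the bundle (a common defect in shared feeds)."""
    ids = {o["id"] for o in bundle["objects"]}
    return sorted(r for o in bundle["objects"] if o["type"] == "relationship"
                  for r in (o["source_ref"], o["target_ref"]) if r not in ids)


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("Actor tooling:", tools_used_by_actor(bundle, "Leet Pamina Republic Army Unit 31459"))
    print("Hash indicator points at:", indicated_objects(bundle, "cachedump sample"))
    print("Dangling refs:", dangling_refs(bundle))
```

The point of keeping TTPs, tools and indicators as separate objects joined by relationships, rather than as a flat list of IoCs, is visible in the two queries: a single hash hit resolves to a tool, and from the tool to the actor's wider tradecraft, which is the context a threat intelligence team needs when it tunes sensors. The dangling-reference check is the kind of validation worth running on any bundle received from a sharing partner before it is loaded into a TIP.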
Information Sharing
[O]rganizations contributing to the STIX
Takeaways
- Move the onus of security operations from reactionary to proactive (from Incident Response to Threat Intelligence)
- Place and tune your defensive sensors appropriately
- Use the intelligence feedback loop
- Don't do it alone