Provide a brief background and history of Cyber Threat Intelligence: CTI is a term often associated with marketing phrases such as NextGen, AI, and machine learning. The idea here is to cover the concept at a high level, dispel any marketing-lingo associations, and clearly define what CTI is.
Discuss the differences between the different types of intelligence - strategic, operational, and tactical: Now that we know what CTI really is and what it is not, we will cover the different types of CTI, why they are useful, and where they are typically consumed in the decision-making hierarchy.
Review the Security Onion platform and where it fits into the intelligence-driven security operation: This section will briefly cover the Security Onion platform. While Security Onion is not directly a CTI platform, it can help in operationalizing and creating tactical intelligence via its rich and robust threat data integrations. Furthermore, Security Onion can provide the security professional on a budget with a robust platform for conducting intelligence-driven security operations.
Overview of the lab environment that facilitates the attack scenario: This section covers the lab I created for simulating a small business corporate network. This lab is where the attack scenarios and the intrusion detection and analysis took place.
Cover the attack scenario and review the intrusion to understand attacker techniques, tools, and procedures: Based on the intrusion detection analysis provided, I demonstrate how a security analyst can start to describe adversary TTPs, and how a security organization can benefit from adopting a CTI-driven operation.
Cover how Security Onion can enable the intelligence-driven security operation: Based on the attack scenario and the associated intrusion analysis, I demonstrate how Security Onion can enable the CTI-driven security operation.
SANS Technology Institute - Candidate for Master of Science Degree
Visibility on the Network:
A Tactical CTI-Based Approach
Alfredo Hickman
May, 2018
GIAC GCIA, GPEN, GCIH, GSEC
Objectives
• Provide a brief background of Cyber Threat Intelligence and a description of the various types of intelligence.
• Review Security Onion and where it fits into the intelligence-driven security operation
• Overview of the lab environment, the attack scenario, and Security Onion
• Cover the intrusion analysis to understand attacker techniques, tools, and procedures
• Cover how Security Onion enables the intelligence-driven security operation
Cyber Threat Intelligence: A Brief Background
• What is Cyber Threat Intelligence
• What are the origins of Cyber Threat Intelligence
• What is not Cyber Threat Intelligence
• How using CTI can help security operations
Strategic, Operational, and Tactical: What’s the Difference?
• Strategic intelligence
  • Macro components and implications
  • National and geopolitically centric
  • Informs strategy and policy
• Operational intelligence
  • Middle-range components and implications
  • Campaign centric
  • High-level TTPs
  • Actor attribution
Strategic, Operational, and Tactical: What’s the Difference?
• Tactical intelligence
  • Micro components and implications
  • Operationally centric
  • Informs techniques and tactics
The Security Onion Platform: Where Does it Fit in?
• Security Onion: How does it fit into the intelligence-driven security operation
  • Can be used to consume and produce tactical CTI
  • Is a free and comprehensive network security monitor, security analytics, and intrusion detection and analysis platform
  • Can aid in the contextualization and analysis of security events, and atomic data such as IOCs, IOAs, IPs, and file hashes
Lab Environment and Attack Scenario
• Cyber Kill Chain®-based attack scenario
CTI-Enabled Security Onion Setup
Intrusion Detection and Analysis: Understanding Attacker Techniques, Tools, and Procedures
• Reconnaissance detection
• System exploitation detection
• Data exfiltration detection
How SO Enables the Intelligence-Driven Security Operation
Summary
• Security Onion and where it fits in the intelligence-driven security operation
• How to set up a CTI-enabled Security Onion instance
• Lab environment, attack scenario, and intrusion analysis
• How Security Onion enables the intelligence-driven security operation