In the current landscape there are many myths about Threat Intelligence in cyber security. In this session we will cover lesser-known, practical implementations of threat intelligence, along with thinking beyond the "IOC way" to make threat intelligence more effective.
8. “Strategic” Intelligence
5/28/2017 LESSER KNOWN THREAT INTEL IMPLEMENTATION BY AVKASH K
• Threat research reports
• Data breach reports
• Regulatory announcements
• Internal business strategies
• Third-party outsourcing
9. “Tactical” Intelligence
• Exploit alert monitoring
• Exploit researcher blogs
• Vulnerability dashboards
• Exploitability mapping
17. Open Threat Intelligence steps
• Know “your organisation” first
• Create a threat intel framework which suits you
• Open-source feeds
• Open-source platforms
• Open-source reports
• Community tools
• Security communities and friends
20. DNS Intelligence
• Get hold of the DNS logs first
• Find out how the attackers are targeting your network
• DNS is your best buddy while doing “Threat Hunting”
28. Domain Squatting
• An intelligent way of monitoring phishing/spear-phishing attacks
• A rich source of domain intelligence for your SOC
• Risk scoring based on the parameters below:
  • Registered domain
  • MX records
  • Newly registered domain
33. Google Alerts in XML feeds
34. Google Alerts
• Intelligence gathering tool
• Vendor security intelligence gathering
• Notification of vulnerabilities in your infrastructure
• Integration with the SOC for 24x7 monitoring
39. If you see “WORD” calling “CMD” from a user who is a known phish bait
40. People Intelligence
• Phishing simulation data is the richest source of human intelligence about your organization
• Identify the “broken link” in your “weakest link”
• Prioritize monitoring of risky users
41. Deception for Threat Intelligence
42. Deception for Threat Intelligence
• Network decoy
• Document decoy
• Credential decoy
• Recon outpost
• Social decoy
45. Deception as threat intel
• Know about the attacker who is already inside your network
• Honey tokens for callbacks
• Set up your own threat intel web bots
• Mimikatz hunting
50. Takeaways
‣ Before you invest in any commercial provider, you must maximize what you learn from your own intrusions
‣ No threat intel is more relevant than what is occurring within your own environment
‣ You don’t need the best technology and the most expensive intel sources to be effective
‣ You probably will never have a fusion center, but you can still make threat intelligence work
‣ DIY / open-source tools are perfectly acceptable
‣ Actionable intelligence must be timely
‣ Don’t spend so much time performing analysis that timeliness suffers
52. Thanks and References
• Sun Tzu
• Google
• SANS
• Rick Holland
• Dave Herrald and Ryan Kovar
• Meme Generators