
Utilizing OSINT in Threat Analytics and Incident Response


Validating potential incidents or indicators of compromise (IOCs) in today's fast-paced environment can be overwhelming. A team may not believe it has the tools and resources to quickly and accurately identify, verify, and rectify a potential indicator in its environment in time. Other investigations are performed but leave out key pieces of data that would help prevent, or harden against, similar future attacks. Everyone wants the expensive, shiny tool that vendors offer, but budgets do not always allow teams access to the latest and greatest, and, honestly, not all tools are equal. Relying on one piece of data for IOC validation is a bad idea, even if that source is the best in the industry. The approach is to use not only the tools you have but to augment them with existing open source tools that enrich your investigation, improve accuracy, and supplement your ability to respond quickly and accurately to valid threats, increasing your security team's effectiveness. This presentation walks through the value of open source intelligence and how to use the available tools effectively to research and identify potential issues during an incident response engagement.

  1. SLAIT Consulting, Security Services (SLAITCONSULTING.com). Chris Beiring: Utilizing OSINT in Threat Analytics & Incident Response
  2. Overview
     • Things to Ponder
     • An OSINT Checklist
     • Reporting, Using OSINT, & Bridging the Gap
     • Resources and Repositories
     • Pulling everything together and enhancing your reports!
  3. About me
     • Security Engineer for SLAIT Consulting. Many Hats, One Rabbit!
     • 6 years in Managed IT Services, 2 years in Cyber Security
     • Breaker & Fixer of many, many, many things. Tinkerer, H+
     • (I've been told they call me Rabbit)
     • Father to a new baby girl (hopefully Star Wars sticks with this one) and a 6-year-old future SOCOM Operator/Door Kicker.
  4. Introduction
     • What is OSINT and how does it benefit me?
     • Open source vs. commercial
     • How difficult/easy is it to begin developing/building?
     • What is this going to cost me?
  5. Things to Ponder
     • Who can use OSINT?
     • Why would you use OSINT?
     • Where could you use OSINT?
     • When can you use OSINT?
     • How can you use OSINT?
  6. Recommended Preliminary OSINT Checklist
     • Versatility
     • Logging resources
     • Alternative thinking
  7. OSINT all the Things!
     • Remember, Quality In = Quality Out!
     • Routines are needed, but they also really hurt
     • Don't Fall Prey!
     • Challenge yourself or your team
     • The way forward
  8. Rapid Response Triage Light Protocol (RRTLP)
     • You have a framework, right?
     • Do you have SLAs?
     • The process you have may already work.
     • My process: Rapid Response Triage Light Protocol (RRTLP)
  9. Threat Analysis and Incident Response using the Rapid Response Event Analysis process
  10. Step 1
     • Tagging
     • Historical occurrence reviews
     • Query internal databases and/or reporting directories
     • Still unsure? Interrogate the team
  11. Step 2
     • Monitor
     • What does the data imply?
     • Live captures
     • Aggregate, compile, & parse
     • Carve & condense
     • Historical comparison analysis
  12. Step 3
     • Requesting external OSINT analysis
     • Cautiously review & ensure private data is not being publicized
     • Bad guys use frameworks as well
     • Understand the legalities of the data being submitted
     • Classify your data points
  13. Step 4
     • Terminate observation & analysis
     • Initiate containment & remediation protocols
     • Compile report
     • Request peer review
     • Disseminate to stakeholders
  14. Step 5
     • Engineer a tracking methodology
     • Monitor
     • Defend
     • Periodically review
     • Train & repeat
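The tagging, look-back and external-submission gate of Steps 1 and 3 above, as an added Python example that is not part of the deck and not SLAIT's own RRTLP tooling: it classifies candidate indicators, counts prior sightings in a constructed internal log, and decides which values may be sent to a public intelligence platform (the lookup URL follows the documented OTX v1 indicator API of the platform listed under Resources; no request is made) before anything leaves the network. The log lines, the `.corp.example` internal suffix and the `192.0.2.0/24` organisation-owned range are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (SIEM-style key=value events); not real data.
SIGHTINGS_LOG = """\
2018-03-02T10:14:05Z src=10.20.4.17 dst=203.0.113.45 action=allow proto=tcp dport=443
2018-03-02T10:14:09Z src=10.20.4.17 dst=203.0.113.45 action=allow proto=tcp dport=443
2018-03-03T08:01:44Z host=wks-0412.corp.example dns=update.example.net answer=198.51.100.7
2018-03-04T17:22:10Z src=10.20.4.31 dst=198.51.100.7 action=deny proto=tcp dport=8080
2018-03-05T09:00:00Z host=wks-0412.corp.example md5=44d88612fea8a8f36de82e1278abb02f
"""

# Assumed, organisation-specific: internal name suffixes and owned public space.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example",)
ORG_PUBLIC_NETS = [ipaddress.ip_network("192.0.2.0/24")]
NON_ROUTABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",   # loopback, link-local, CGNAT
    "::1/128", "fc00::/7", "fe80::/10")]                # IPv6 equivalents

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
KV_RE = re.compile(r"(\w+)=(\S+)")
OTX_SECTION = {"domain": "domain", "hash": "file"}

def ioc_type(value):
    """Step 1 tagging: classify a candidate as ip, hash, domain or unknown."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(value):
        return "hash"
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"

def historical_occurrences(log_text):
    """Step 1 look-back: count prior sightings of every indicator-shaped value."""
    seen = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        timestamp = line.split(" ", 1)[0]
        for _key, value in KV_RE.findall(line):
            if ioc_type(value) == "unknown":
                continue
            rec = seen[value]
            rec["count"] += 1
            rec["first_seen"] = rec["first_seen"] or timestamp
            rec["last_seen"] = timestamp
    return dict(seen)

def share_externally(value):
    """Step 3 gate: (ok, reason). A lookup or submission discloses the value;
    non-routable addresses, organisation-owned addresses and internal names
    describe the victim, not the attacker, so they never leave the network."""
    kind = ioc_type(value)
    if kind == "ip":
        ip = ipaddress.ip_address(value)
        if any(ip in net for net in NON_ROUTABLE_NETS):
            return False, "non-routable address"
        if any(ip in net for net in ORG_PUBLIC_NETS):
            return False, "organisation-owned address"
        return True, "external address"
    if kind == "domain":
        if value.lower().endswith(INTERNAL_DOMAIN_SUFFIXES):
            return False, "internal host name"
        return True, "external domain"
    if kind == "hash":
        return True, "file hash"
    return False, "unrecognised indicator"

def otx_general_url(value):
    """OTX v1 'general' endpoint for a shareable indicator; the request is not
    made here (send header X-OTX-API-KEY when you do)."""
    kind = ioc_type(value)
    if kind == "ip":
        section = "IPv4" if ipaddress.ip_address(value).version == 4 else "IPv6"
    else:
        section = OTX_SECTION[kind]
    return f"https://otx.alienvault.com/api/v1/indicators/{section}/{value}/general"

def triage(indicators, log_text=SIGHTINGS_LOG):
    """Steps 1-3 for a batch of candidates: tag, look back, then gate."""
    history = historical_occurrences(log_text)
    report = []
    for value in indicators:
        ok, reason = share_externally(value)
        hist = history.get(value, {"count": 0, "first_seen": None, "last_seen": None})
        report.append({
            "indicator": value, "type": ioc_type(value),
            "prior_sightings": hist["count"],
            "first_seen": hist["first_seen"], "last_seen": hist["last_seen"],
            "submit_externally": ok, "note": reason,
            "lookup_url": otx_general_url(value) if ok else None,
        })
    return report

if __name__ == "__main__":
    for row in triage(["203.0.113.45", "10.20.4.17", "wks-0412.corp.example",
                       "update.example.net", "44d88612fea8a8f36de82e1278abb02f"]):
        print(row)
```

The gate runs before any network call on purpose: a query to a public platform is itself a disclosure, and the internal source address and the workstation name in the log above would tell an outsider more about the victim than about the attacker, while the external destination, the domain and the file hash are the values worth enriching.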
  15. Risk Analysis Confidence Formula
     • Better confidence means better results
     • Confidence rating formula review
     • Measuring yourself
     • Compare against historical ratings
     • Build an internal ratings chart
  16. SHINY!
  17.
  18. Implementing OSINT into your Incident Response Analysis
     • WAIT! Didn't we just discuss reporting? What the what?
     • Latticing & Bonding = Unquestionable Strength
     • Reinforcing existing tactics & procedures
     • Building now with the future in mind
     • How can you improve this process?
  19. Resources
  20. My OSINT Master Repositories for Resources
     • Into the Ocean - https://start.me/p/MEXNOe/startpage
     • Personal favorites: OSINT Framework, Bellingcat, i-intelligence, OSINT by Michael Bazzell
     • Build your repo
     • Contributing
  21. Threat Intelligence Platforms
     • OTX - https://otx.alienvault.com/
     • ThreatCrowd - https://www.threatcrowd.org/
     • RiskIQ - https://community.riskiq.com/
     • ThreatMiner - https://www.threatminer.org/
  22. Automation Solutions
     • SpiderFoot - https://spiderfoot.net/
     • Maltego CE - https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php
     • Sn1per - https://xerosecurity.com/
  23. Tools Directory
     • https://www.kitploit.com
     • https://cybersponse.com/connectors/
     • https://online.cameyo.com/public
     • http://xiaming.me/awesome-pcaptools/
     • https://www.crunchbase.com/marketplace/
     • https://bigdata-madesimple.com/top-50-open-source-web-crawlers-for-data-mining/
  24. Enrichment
     • Intrigue - Intrigue.io
     • OpenSOC - http://opensoc.github.io/
  25. Security Orchestration, Automation & Response (SOAR)
     • Phantom - https://my.phantom.us/signup/
     • Demisto - https://go.demisto.com/sign-up-for-demisto-free-edition?hsCtaTracking=bd8e650f-9f65-4f4a-badd-cd021e81785a%7Cba2446a6-2532-43fe-81c8-948a6d38231b
  26. Security Playbooks
     • SOC Prime - https://tdm.socprime.com/login/
     • Cyphon - https://www.cyphon.io/
  27. Reporting
     • Paliscope - https://www.paliscope.com/
     • CaseFile - https://www.paterva.com/web7/buy/maltego-clients/casefile.php
  28. Pulling the Pieces Together
     • Black hats, red teams, aggressors: all use OSINT
     • Be the bad guys' bad guy
     • Nobody really wants to be a hero
     • Save time, look betterer, work smarterer!
     • Purposeful enrichment!
  29. Q & A Session
  30. SLAIT Security Offerings (Governance, Prevention, Response)
     • Risk Assessment
     • Policy and Procedure
     • PCI Prep
     • HIPAA Gap Analysis
     • Audit Preparation Assistance
     • Security Organization Review
     • Security Checkup
     • Managed Firewall and Endpoint
     • Secure Infrastructure Design & Review
     • vISO Program
     • Awareness Training
     • Assessment
     • Vulnerability Scanning
     • Penetration Testing
     • Phishing Exercises
     • ThreatRecon
     • Pre-breach Preparation
     • ThreatManage
     • Breach Response
     • Cyber Forensics
  31. Some of SLAIT's Technology Partners. Innovative Solutions for Forward Thinking Companies
  32. Contact Info: Christopher M. Beiring (Buy-Ring), Christopher.beiring@slaitconsulting.com, Twitter, LinkedIn, G+
     "The third-rate mind is only happy when it is thinking with the majority. The second-rate mind is only happy when it is thinking with the minority. The first-rate mind is only happy when it is thinking." —A. A. Milne
  33. SUPER SECRET BONUS PRIZE RESOURCE TOOL EASTER EGG OF AWESOMENESS! Monitoring at work for others is what we do, but honestly, how many of you actually continue these processes at home, on yourself or your family? If you do, excellent; if you don't, you should. Below is a tool I highly recommend for monitoring for breaches of you and your digital PII. Much like haveibeenpwned, it is free for consumers; in addition it provides a management portal, richer and fuller data, and monitoring for all of the accounts you can verify. ENJOY!
     • https://spycloud.com
