Threat Intelligence: Tradecraft and Research
Danny Pickens, Director of Threat Research
Aamil Karimi, Sr Intelligence Analyst
© Fidelis Cybersecurity
Intelligence Defined
Threat Intelligence is the planning, collection, analysis and dissemination of information and countermeasures concerning threats and vulnerabilities, provided to enhance the decision-making process.
• Provide indications and warning (I&W): used in the identification and prevention of vulnerabilities from being exploited, as well as informing operations of potential attacks.
• Support organizational and asset protection: provisioning of intelligence to support an understanding of the threat landscape.
• Perform situation development: determining the top threats to the organization and providing countermeasures.
Types of Intelligence
• Basic Intelligence: largely deals with past events and bringing them to the present [describes / explains / evaluates / tracks]
• Current Intelligence: situationally designed to get relevant intelligence outbound to decision makers [describes / explains / evaluates current events]
• Estimative Intelligence: used to prepare decision makers for future threats / events [predictive / more strategic]
The Process: the Intelligence Cycle
1. Planning and Requirements
2. Collection
3. Analysis and Production
4. Dissemination and Integration
Threat Actor ID
Threat Actors: a group of attackers or an individual actor that has the means and opportunity to conduct an attack.
Other Considerations:
• Composition and Strength: can we determine whether the threat agent is a group or an individual, and if a group, do we have associations?
• Tactics: do we have intelligence on historical courses of action?
• Logistics: what does their infrastructure look like (command and control servers); are they potentially nation-state sponsored or well funded?
• Effectiveness: are there previously or historically identified successful attacks, and how effective were they?
Intelligence Requirements:
• Which threat actors target Banking & FinServe within North America?
• What are their tools, tactics and courses of action?
Collection Requirements:
• Sources which collect against threat actors.
• High-fidelity / vetted sources.
• Include TTPs and intent.
Production Requirements:
• Stakeholder: Red Team
• Product: Finished Intelligence, in brief and long-form formats detailing actor history and known COAs
• Cadence: Upon request
Threat Actor ID: FIN7
FIN7 is an advanced, financially motivated group that has been conducting operations since as early as 2015. The group is often conflated with the Carbanak Gang because of the shared usage of the Carbanak malware family, but this link has been disputed on the basis of the different TTPs used by the two groups. The group has historically targeted retail and hospitality companies, using specially crafted spear-phishing campaigns for initial infection. Once inside a victim’s network, the actors use APT-like behaviors to maintain and expand their foothold until they have the information or ability to complete their goals. The group has also used point-of-sale malware in many of its operations, scraping credit card data from unsuspecting customers of its targets.
The structure and origin of the group have been heavily debated in the security industry. Some of the group’s most recent campaigns have used the Cyrillic character set, which may indicate Russian or Eastern European origin. The group appears to be very organized in its operations, and the scale and speed at which it adapts and changes its TTPs indicate that FIN7 could be a large-scale cybercrime ring. The group has also been identified running many large campaigns at once, indicating possible separation, or operating cells, within the group itself.
Key Judgements
• FIN7 is a highly advanced, financially motivated group utilizing APT-like techniques
• FIN7 activity will continue and potentially increase, based on 2016 & 2017 activity
• FIN7 will continue to evolve and change its TTPs to evade and elude detection techniques in order to maintain footholds within networks
Threat Actor TTPs and COAs
Courses of Action: threat actor courses of action can be described as attack patterns or kill chains. Based on historical patterns and on actor means and intent, the threat modeler can develop templates for the anticipated courses of action that will be undertaken to meet the attacker’s objective.
Threat Actor TTPs and COAs: FIN7
FIN7: Intent
• Financial Motivation
• Data Theft
FIN7: Malware
• PowerSource
• TextMate
• Carbanak
• HalfBaked
FIN7: Techniques
• PowerShell - FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.
• Remote File Copy - FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.
• Scheduled Task - FIN7 malware has created scheduled tasks to establish persistence.
• Registry Run Keys / Start Folder - FIN7 malware has created a Registry Run key pointing to its malicious LNK file to establish persistence.
• Masquerading - FIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence.
• Application Shimming - FIN7 has used application shim databases for persistence.
• Dynamic Data Exchange - FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.
• Mshta - FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.
Threat Actor TTPs and COAs: FIN7
Recon: specially crafted emails in a spear-phishing campaign with attached documents
Lure: documents contained embedded .LNK files with text to entice users to run the object
Exploit Executed: embedded .LNK objects kick off a JavaScript chain pulled from a Word document object using wscript.exe
Inject Through Backdoor: file dropped on disk at %HOMEPATH%\md5.txt to be run with wscript.exe
Establish Command and Control:
• JavaScript runs to decode the components and, in some cases, schedules a task to maintain persistence
• Once the JavaScript has been decoded, a PowerShell script is decoded and placed on disk at %HOMEPATH%\<randomly generated GUID> along with the JavaScript bot components
• The PowerShell script is run and spawns a second PowerShell process
• The second PowerShell process decodes and decompresses a hardcoded DLL in memory and reflectively injects the library into its own process
Explore and Move:
• Malware scrapes known directories for usernames and encrypted passwords on disk before decrypting the passwords
• Code encrypts the data with a simple obfuscation technique and stores the information at %APPDATA%\%USERNAME%.ini
Data Theft: the file is uploaded to one of the hardcoded C2 servers
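Added example, not from the slides or from Fidelis: a small Python rule set that maps constructed endpoint telemetry records onto the stages of the FIN7 course of action above and reports which stages fired per host, so that one weak signal (a PowerShell child process) is weighed differently from several stages seen together. The event schema, the sample events, the host names and the three-stage confidence threshold are assumptions.

```python
"""Stage-based detection for the FIN7 course of action described above.

Added example, not Fidelis code: hand-written rules are run over constructed
endpoint telemetry records (assumed schema) and the kill-chain stages that
fired are reported per host, so the whole chain can be weighed rather than a
single event.
"""
from __future__ import annotations

import ntpath
from typing import Callable

# Constructed sample telemetry (assumed schema). ws01 shows the full chain
# from the slide; ws02 shows one PowerShell launched from cmd.exe, which on
# its own matches none of the FIN7 stages.
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "process", "user": "jdoe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"host": "ws01", "kind": "file", "user": "jdoe",
     "path": r"C:\Users\jdoe\md5.txt"},
    {"host": "ws01", "kind": "task", "user": "jdoe",
     "name": "AdobeFlashSync", "action": r"C:\Windows\System32\wscript.exe"},
    {"host": "ws01", "kind": "process", "user": "jdoe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws01", "kind": "file", "user": "jdoe",
     "path": r"C:\Users\jdoe\AppData\Roaming\jdoe.ini"},
    {"host": "ws02", "kind": "process", "user": "svc_build",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


# One predicate per stage of the slide's course of action. Each rule sees a
# single event; correlation across events happens in detect_fin7_chain().
RULES: list[tuple[str, Callable[[dict], bool]]] = [
    # Exploit Executed: wscript.exe launched from the Word document object.
    ("exploit_executed",
     lambda e: e["kind"] == "process" and _base(e["image"]) == "wscript.exe"
     and _base(e["parent"]) == "winword.exe"),
    # Inject Through Backdoor: md5.txt dropped in the user's home directory.
    ("inject_through_backdoor",
     lambda e: e["kind"] == "file" and _base(e["path"]) == "md5.txt"
     and "\\users\\" in e["path"].lower()),
    # Establish C2: scheduled task for persistence (the AdobeFlashSync name
    # comes from the Masquerading technique on the previous slide).
    ("establish_c2_persistence",
     lambda e: e["kind"] == "task" and (e["name"].lower() == "adobeflashsync"
                                        or _base(e["action"]) == "wscript.exe")),
    # Establish C2: PowerShell spawning a second PowerShell process.
    ("establish_c2_powershell",
     lambda e: e["kind"] == "process" and _base(e["image"]) == "powershell.exe"
     and _base(e["parent"]) == "powershell.exe"),
    # Explore and Move: harvested credentials written to %APPDATA%\<user>.ini.
    ("explore_and_move",
     lambda e: e["kind"] == "file" and "\\appdata\\" in e["path"].lower()
     and _base(e["path"]) == f"{e['user'].lower()}.ini"),
]


def detect_fin7_chain(events: list[dict]) -> dict[str, list[str]]:
    """Return, per host, the sorted list of distinct stages that fired."""
    hits: dict[str, set[str]] = {}
    for event in events:
        stages = hits.setdefault(event["host"], set())
        for stage, matches in RULES:
            if matches(event):
                stages.add(stage)
    return {host: sorted(stages) for host, stages in hits.items()}


def confidence(stages: list[str]) -> str:
    """Assumed triage scale: several stages on one host outweigh one."""
    if len(stages) >= 3:
        return "high"
    if len(stages) == 2:
        return "medium"
    return "low" if stages else "none"


if __name__ == "__main__":
    for host, stages in detect_fin7_chain(SAMPLE_EVENTS).items():
        print(host, confidence(stages), stages)
```

In production the same rules would be fed from EDR or Sysmon process, file and scheduled-task events, and the per-host stage count is what turns an individual low-fidelity alert into a chain worth investigating.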
Fidelis Telemetry and Intelligence Support to Countermeasures
Fidelis Total Detections Q1 2019 (pie chart)
• Sample of events investigated: 557,071 (27%)
• All other: 1,533,926 (73%)
Event Data Continue to Show Attempts Using Older Methods
• Event data between 31 December 2018 and 31 March 2019 continue to show:
o “Old” vulnerabilities and tactics/tools [two (2) years or older] are still popular means of entry or exploitation
o Top five (5) CVEs and vulnerabilities observed to be targeted:
1. CVE-2017-8570
2. CVE-2017-0143
3. CVE-2018-11776
4. CVE-2017-11882
5. CVE-2009-3129
Events of Interest Q1 2019 (pie chart)
• H-W0rm/Houdini: 328,426 (59%)
• njRAT/njW0rm: 143,389 (26%)
• Agent: 23,177 (4%)
• Conficker: 23,176 (4%)
• Andromeda: 17,082 (3%)
• CVE-2017: 14,278 (3%)
• PlugX: 5,294 (1%)
• CVE-2018: 1,113 (0%)
• CVEs prior to 2017: 560 (0%)
Intelligence Support to Telemetry Observations
• The focus of intelligence will be partly influenced by major current trends, but also by relevant threats to customers and customer verticals
o Relevance is based on alert data and telemetry, in order to prioritize intelligence requirements, collection, analysis, and countermeasures and to drive content and countermeasures
• TRT Intelligence continues to track down instances or observations of threat actors or campaigns actively promoting, leveraging, and weaponizing “old” exploits and vulnerabilities, as observed in Fidelis Q1 telemetry and event data
o Confirmation would assist in driving intelligence collection requirements, as well as allow focused content and use-case creation, detections and countermeasures to serve clients’ security postures.
Dark Web and External Observation
• Tried-and-true exploits will continue to be effective against popular vulnerabilities from prior years
o Recorded Future’s 2018 Top 10 Most Exploited Vulnerabilities:
1. 7/10 vulnerabilities are from 2017 and earlier
2. 2/5 vulnerabilities from Fidelis Q1 2019 data appear on Recorded Future’s list
o August 2018: an updated RIG Exploit Kit was observed being leased, still capable of targeting multiple pre-2017 vulnerabilities
o February 2019: a rewritten and refreshed exploit for the DirtyCow vulnerability (CVE-2016-5195) was offered for sale
o March 2019: a list of popular RATs was posted with download links; it includes several well-known and older trojans.
Dark Web and External Observations (screenshots)
• Reputable Chinese-language vendor leasing RIG EK with multiple pre-2018 exploits, Aug 2018
• Russian actor selling refreshed exploit for DirtyCow vulnerability, Feb 2019
• Post identifying list of older RATs as still popular as of March 2019
Identifying Relevant Signals and Focus
• “Noise” and media may distract from relevant issues
• The newest and latest 0-days and threat actor updates may become a distraction
• “Flavor of the Week” hype can be misleading
o Supermicro controversy (2018)
o Skyfall and Solace CPU vulnerability “hoax” (2018)
• Understanding and focusing on relevant threat groups, campaigns, and tactics
o Assessing risks starts with prioritization
TRT Way-Forward in Applying Risk Metrics to Known Threats
Assessing Risks from an Actor Standpoint
• Applying metrics and attributes to technical risks, tactics, and behaviors that are well established within the community:
o MITRE ATT&CK Matrix
o LM Cyber Kill Chain
o CVSS
• Threat intelligence goes beyond patterns and behavior observed within a network or at an endpoint.
o Fully developed threat intelligence analysis applied to actors also accounts for qualitative aspects:
1. Social and external influences
2. Motivation and internal influences
3. Operational influences and intent
Assessing Risks from an Actor Standpoint (figure: example actor profiles for Grizzly Steppe (APT28 + APT29), Anonymous and Ashiyane Digital Security Team)
Assessing Future Threat Activity
• Probability and effects of assessed threat actor future operations and tactics
• Most Dangerous / Most Likely Course of Action (MDCOA, MLCOA)
o MDCOA: tactics, techniques, or actions taken by a threat actor that could result in a worst-case scenario outcome
o MLCOA: the expected and probable tactics, techniques, or actions taken by a threat actor
Questions
trt@fidelissecurity.com
References and Citations
• https://www.anomali.com/blog/njrat-trojan-alive-and-kicking-a-cool-overview-into-its-day-to-day-operati
• https://react-etc.net/entry/skyfall-and-solace-vulnerabilities
• https://www.recordedfuture.com/top-vulnerabilities-2018/

Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Threat intelligence Primary Tradecraft and Research

  • 5. © Fidelis Cybersecurity Threat Actor ID
    Intelligence Requirements
    • Which threat actors target Banking & FinServ within North America?
    • What are their tools, tactics and courses of action?
    Collection Requirements
    • Sources which collect against threat actors.
    • High-fidelity / vetted sources.
    • Include TTPs and intent
    Production Requirements
    Stakeholder: Red Team
    Product: Finished Intelligence: brief and long form format detailing actor history and known COAs
    Cadence: Upon request
  • 6. © Fidelis Cybersecurity Threat Actor ID: FIN7
    FIN7 is an advanced, financially motivated group that has been conducting operations since as early as 2015. The group is often conflated with the Carbanak Gang because both use the Carbanak malware family, but that association has been disputed because the two groups use different TTPs. The group has historically targeted retail and hospitality companies, using specially crafted spear-phishing campaigns for initial infection. Once inside a victim's network, the actors use APT-like behaviors to maintain and expand their foothold until they have the information or the ability needed to complete their goals. The group has also used point-of-sale malware in many of its operations, scraping credit card data from unsuspecting customers of its targets.
    The structure and origin of the group have been heavily debated in the security industry. Some of its most recent campaigns have used the Cyrillic character set, which may indicate Russian or Eastern European origin. The group appears to be very organized in its operations, and the scale and speed at which it adapts and changes its TTPs indicate that FIN7 could be a large-scale cybercrime ring. The group has also been identified running many large campaigns at once, indicating possible separation into operating cells within the group itself.
    Key Judgements
    • FIN7 is a highly advanced, financially motivated group utilizing APT-like techniques
    • FIN7 activity will continue and potentially increase based on 2016 and 2017 activity
    • FIN7 will continue to evolve and change its TTPs to evade detection in order to maintain footholds within networks
  • 7. © Fidelis Cybersecurity Threat Actor TTPs and COAs
    Courses of Action
    Threat actor courses of action can be described as attack patterns or kill chains. Based on historical patterns and on the actor's means and intent, the threat modeler can develop templates for the anticipated courses of action an attacker will take to meet its objective.
  • 8. © Fidelis Cybersecurity Threat Actor TTPs and COAs: FIN7
    FIN7: Intent
    • Financial Motivation
    • Data Theft
    FIN7: Malware
    • PowerSource
    • TextMate
    • Carbanak
    • HalfBaked
    FIN7: Techniques
    • PowerShell - FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.
    • Remote File Copy - FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.
    • Scheduled Task - FIN7 malware has created scheduled tasks to establish persistence.
    • Registry Run Keys / Startup Folder - FIN7 malware has created a Registry Run key pointing to its malicious LNK file to establish persistence.
    • Masquerading - FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.
    • Application Shimming - FIN7 has used application shim databases for persistence.
    • Dynamic Data Exchange - FIN7 spear-phishing campaigns have included malicious Word documents with DDE execution.
    • Mshta - FIN7 has used mshta.exe to execute VBScript that runs malicious code on victim systems.
  • 9. © Fidelis Cybersecurity Threat Actor TTPs and COAs: FIN7
    Recon
    • Specially crafted emails in a spear-phishing campaign with attached documents
    Lure
    • Documents contained embedded .LNK files with text to entice users to run the object
    Exploit Executed
    • Embedded .LNK objects kick off a JavaScript chain pulled from a Word document object using wscript.exe
    Inject Through Backdoor
    • File dropped on disk at %HOMEPATH%\md5.txt to be run with wscript.exe
    Establish Command and Control
    • The JavaScript runs to decode the components and, in some cases, schedules a task to maintain persistence
    • Once the JavaScript has been decoded, a PowerShell script is decoded and placed on disk at %HOMEPATH%\(randomly generated GUID) along with the JavaScript bot components
    • The PowerShell script is run and spawns a second PowerShell process
    • The second PowerShell process decodes and decompresses a hardcoded DLL in memory and reflectively injects the library into its own process
    Explore and Move
    • The malware scrapes known directories for usernames and encrypted passwords on disk, then decrypts the passwords
    • The code encrypts the data with a simple obfuscation technique and stores the information at %APPDATA%\%USERNAME%.ini
    Data Theft
    • The file is uploaded to one of the hardcoded C2 servers
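The chain above is what slide 7 calls a COA template. As an added example that is not part of the Fidelis deck, the Python below encodes that template as phase-keyed detection rules and runs constructed Sysmon-style host events through it, reporting which phases of the expected FIN7 course of action were observed and which remain to be hunted. The event field names, the rule patterns and the watchlist address 203.0.113.10 are assumptions drawn only from the slide text.

```python
# Added example (not from the Fidelis deck): turn the FIN7 course of action
# above into a kill-chain template and map endpoint telemetry onto it.
# Events are constructed Sysmon-style records; rule patterns, field names and
# the C2 watchlist address are assumptions drawn from the slide text only.
import re

# Phase order follows the chain on the slide, Recon through Data Theft.
COA_PHASES = ["Recon", "Lure", "Exploit Executed", "Inject Through Backdoor",
              "Establish Command and Control", "Explore and Move", "Data Theft"]

# Matches a path inside a user profile, the slide's %HOMEPATH%.
USER_PROFILE = re.compile(r"\\users\\[^\\]+\\", re.IGNORECASE)

# Constructed watchlist standing in for the "hardcoded C2 servers" (TEST-NET-3 address).
C2_WATCHLIST = {"203.0.113.10"}


def _proc(ev, image, parent=None):
    """True for a process-creation event of `image`, optionally with the given parent."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith("\\" + image)
            and (parent is None or ev["parent"].lower().endswith("\\" + parent)))


# (phase, technique as named on the slides, predicate over one event)
RULES = [
    ("Exploit Executed", "Mshta executing VBScript",
     lambda ev: _proc(ev, "mshta.exe") and "vbscript:" in ev["cmdline"].lower()),
    ("Exploit Executed", "wscript.exe launched from a Word document (.LNK chain)",
     lambda ev: _proc(ev, "wscript.exe", "winword.exe")),
    ("Inject Through Backdoor", "wscript.exe running a file dropped under %HOMEPATH%",
     lambda ev: _proc(ev, "wscript.exe") and USER_PROFILE.search(ev["cmdline"]) is not None),
    ("Establish Command and Control", "Scheduled Task masquerading as AdobeFlashSync",
     lambda ev: _proc(ev, "schtasks.exe") and "adobeflashsync" in ev["cmdline"].lower()),
    ("Establish Command and Control", "Registry Run key pointing at a .LNK",
     lambda ev: ev["type"] == "registry" and "\\currentversion\\run" in ev["key"].lower()
                and ev["value"].lower().endswith(".lnk")),
    ("Establish Command and Control", "PowerShell launched by the JavaScript bot",
     lambda ev: _proc(ev, "powershell.exe", "wscript.exe")),
    ("Establish Command and Control", "PowerShell spawning a second PowerShell",
     lambda ev: _proc(ev, "powershell.exe", "powershell.exe")),
    ("Explore and Move", "Harvested credentials written to %APPDATA%\\%USERNAME%.ini",
     lambda ev: ev["type"] == "file"
                and ev["path"].lower().endswith("\\appdata\\roaming\\%s.ini" % ev["user"].lower())),
    ("Data Theft", "Upload from PowerShell to a hardcoded C2 server",
     lambda ev: ev["type"] == "network" and ev["image"].lower().endswith("\\powershell.exe")
                and ev["dst_ip"] in C2_WATCHLIST),
]


def map_events(events):
    """Return {phase: [(technique, event id), ...]} for every rule that fires."""
    hits = {phase: [] for phase in COA_PHASES}
    for ev in events:
        for phase, technique, matches in RULES:
            if matches(ev):
                hits[phase].append((technique, ev["id"]))
    return hits


def unobserved_phases(hits):
    """Phases of the template with no telemetry yet: the next hunting targets once
    part of the chain has been seen. Recon and Lure only show up in mail telemetry,
    which these host events do not cover, so they are always listed here."""
    return [phase for phase in COA_PHASES if not hits[phase]]


# Constructed sample telemetry following the slide's chain on one host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "user": "alice", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"wscript.exe //B //E:jscript C:\Users\alice\md5.txt"},
    {"id": 2, "type": "process", "user": "alice", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'schtasks /create /tn AdobeFlashSync /tr "wscript.exe C:\Users\alice\md5.txt" /sc minute /mo 5'},
    {"id": 3, "type": "process", "user": "alice", "image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"powershell.exe -nop -w hidden -ep bypass -f C:\Users\alice\a3c1e9f0-5b2d-4c7e-9f11-0d2b6c8e4a77\stage.ps1"},
    {"id": 4, "type": "process", "user": "alice", "image": PS, "parent": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 5, "type": "file", "user": "alice", "image": PS,
     "path": r"C:\Users\alice\AppData\Roaming\alice.ini"},
    {"id": 6, "type": "process", "user": "bob", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},  # benign
]

if __name__ == "__main__":
    hits = map_events(SAMPLE_EVENTS)
    for phase in COA_PHASES:
        for technique, event_id in hits[phase]:
            print(f"{phase:30s} event {event_id}: {technique}")
    print("unobserved phases:", unobserved_phases(hits))
```

Each rule keys on behaviour the slides attribute to FIN7 (mshta with a vbscript: URI, wscript.exe spawned by Word, the AdobeFlashSync task, PowerShell spawning PowerShell, the %USERNAME%.ini drop), so a hit in one phase is a cue to look for the neighbouring phases rather than a verdict on its own. In the sample the chain is visible from exploitation through credential staging, and Data Theft is the gap to hunt next; in production the benign notepad event is the kind of record that must stay silent.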
  • 10. Fidelis Telemetry and Intelligence Support to Countermeasures
  • 11. © Fidelis Cybersecurity Fidelis Total Detections Q1 2019
    [Pie chart] Sample of Events Investigated: 557071 (27%); All Other: 1533926 (73%)
  • 12. © Fidelis Cybersecurity Event Data Continue to Show Attempts Using Older Methods
    • Event data between 31 December 2018 and 31 March 2019 continue to show:
      o "Old" vulnerabilities and tactics/tools [two (2) years or older] are still popular means of entry or exploitation
      o Top five (5) CVEs and vulnerabilities observed to be targeted:
        1. CVE-2017-8570
        2. CVE-2017-0143
        3. CVE-2018-11776
        4. CVE-2017-11882
        5. CVE-2009-3129
  • 13. © Fidelis Cybersecurity Events of Interest Q1 2019
    [Pie chart of the investigated events by family / category]
    Family / category        Events    Share
    H-W0rm/Houdini           328426    59%
    njRAT/njW0rm             143389    26%
    PlugX                      5294     1%
    CVE-2017                  14278     3%
    Conficker                 23176     4%
    Andromeda                 17082     3%
    Agent                     23177     4%
    CVE-2018                   1113     0%
    CVEs prior to 2017          560     0%
  • 14. © Fidelis Cybersecurity Intelligence Support to Telemetry Observations
    • The focus of intelligence is partly influenced by major current trends, but also by the threats relevant to customers and customer verticals
      o Relevance is based on alert data and telemetry, used to prioritize intelligence requirements, collection and analysis and to drive content and countermeasures
    • TRT Intelligence continues to track down instances or observations of threat actors or campaigns actively promoting, leveraging, and weaponizing "old" exploits and vulnerabilities, as observed in Fidelis Q1 telemetry and event data
      o Confirmation would help drive intelligence collection requirements and allow focused content and use-case creation, detections and countermeasures that serve clients' security postures
  • 15. © Fidelis Cybersecurity Dark Web and External Observation
    • Tried-and-true exploits will continue to be effective against popular vulnerabilities from prior years
      o Recorded Future's 2018 Top 10 Most Exploited Vulnerabilities
        1. 7/10 vulnerabilities from 2017 and earlier
        2. 2/5 vulnerabilities from Fidelis Q1 2019 data appear on Recorded Future's list
      o August 2018: updated RIG Exploit Kit observed being leased, still capable of targeting multiple pre-2017 vulnerabilities
      o February 2019: rewritten and refreshed exploit for the DirtyCow vulnerability (CVE-2016-5195) offered for sale
      o March 2019: list of popular RATs posted with download links; includes several well-known and older trojans
  • 16. © Fidelis Cybersecurity Dark Web and External Observations
    [Screenshots] Reputable Chinese-language vendor leasing RIG EK with multiple pre-2018 exploits, Aug 2018; Russian actor selling refreshed exploit for the DirtyCow vulnerability, Feb 2019; post identifying a list of older RATs as still popular as of March 2019
  • 17. © Fidelis Cybersecurity Identifying Relevant Signals and Focus
    • "Noise" and media may distract from relevant issues
    • The newest and latest 0-days and threat actor updates may become a distraction
    • "Flavor of the week" hype can be misleading
      o Supermicro controversy (2018)
      o Skyfall and Solace CPU vulnerability "hoax" (2018)
    • Understanding and focusing on relevant threat groups, campaigns, and tactics
      o Assessing risks starts with prioritization
  • 18. TRT Way-Forward in Applying Risk Metrics to Known Threats
  • 19. © Fidelis Cybersecurity Assessing Risks from an Actor Standpoint
    • Applying metrics and attributes to technical risks, tactics, and behaviors is well established within the community
      o MITRE ATT&CK Matrix
      o LM Cyber Kill Chain
      o CVSS
    • Threat intelligence goes beyond patterns and behavior observed within a network or at an endpoint
      o Fully developed threat intelligence analysis applied to actors also accounts for qualitative aspects:
        1. Social and external influences
        2. Motivation and internal influences
        3. Operational influences and intent
  • 20. © Fidelis Cybersecurity Assessing Risks from an Actor Standpoint
    [Chart comparing actor risk assessments: Grizzly Steppe (APT28 + APT29), Anonymous, Ashiyane Digital Security Team]
  • 21. © Fidelis Cybersecurity Assessing Future Threat Activity
    • Probability and effects of assessed threat actor future operations and tactics
    • Most Dangerous / Most Likely Course of Action (MDCOA, MLCOA)
      o MDCOA: tactics, techniques, or actions taken by a threat actor that could result in a worst-case outcome
      o MLCOA: the expected and probable tactics, techniques, or actions taken by a threat actor
  • 23. References and Citations
    • https://www.anomali.com/blog/njrat-trojan-alive-and-kicking-a-cool-overview-into-its-day-to-day-operati
    • https://react-etc.net/entry/skyfall-and-solace-vulnerabilities
    • https://www.recordedfuture.com/top-vulnerabilities-2018/