SlideShare a Scribd company logo

Taking the Attacker Eviction Red Pill [updated]

Download as PPTX, PDF
Frode Hommedal
Frode Hommedal

This presentation is about how you can structure your analysis to increase the chances of success when attempting to evict an advanced attacker. It's my thoughts on how to think when deciding how and when to respond and attempt to evict a mission driven attacker from your infrastructure. This is a continuation of my previous work on the Cyber Threat Intelligence Matrix.

Technology
1 of 45
Attacker Eviction Frode Hommedal Taking the RED PILL Telenor CERT
Taking the Attacker Eviction RED PILLv1.5
Strategies for structuring your reasoning when countering sustained intrusions
“APT”
Frode Hommedal Telenor CERT @FrodeHommedal no.linkedin.com/in/hommedal frodehommedal.no
Intrusion Basics
Incident Response PICERL: Prepare Identify Contain Eradicate Recover Lessons Learned NIST: Preparation Detect & Analyze Contain & Eradicate & Recover Post IncidentActivities Bottom Line: Eventually you will try to get the attacker off your network
Incident Response PICERL: Prepare Identify Contain Eradicate Recover Lessons Learned NIST: Preparation Detect & Analyze Contain & Eradicate & Recover Post IncidentActivities Bottom Line: Eventually you will try to get the attacker off your network
Lots of uncertainty
Incident Response when facing an APT threat Best Practice: Scope before you start responding. Common Misstep: Acting too soon, giving your adversary time to adapt.
Incident Response when facing an APT threat Best Practice: Scope before you start responding. Common Misstep: Acting too soon, giving your adversary time to adapt. «TOO EARLY» «PREEMPTIVELY» «PREEMPTIVE»
Acting “too soon”
So when is not too soon? What factors into that decision?
APT Basics
Intrusion Patterns of “APT” threats Sting Operation: Also called “smash and grab”. A direct attack to get a specific piece of information. Persistent Infiltration: A long running campaign against you, where your adversary will gain and sustain unauthorized access to your infrastructure for a long period of time. Response: When responding, you should take into consideration what kind of pattern you are seeing.
The Structure of an APT infiltration Access: An APT infiltration is all about access.They work a lot to gain and sustain access. Extract: The purpose of gaining access is to find and extract useful information (or abuse your infrastructure). Deliver: All of this is done to deliver on goals set for the attacker’s mission.
“Red flank”“Yellow flank”
The eviction process should not really be about evicting the attackers but rather keeping them out and preventing them from effortlessly re-entering “Red flank”
It also shouldn’t be about cleaning networks but rather mitigating risk as effectively as possible “Yellow flank”
Basic Models
DwellTime The time an attacker has stayed undetected in your network. Short: Hours to day. Good changes of catching up with the attacker. Medium: Days to weeks.You may catch up if you have a capable and enabled team. Long: Months to years. Depending on the attacker your chances are in all fairness pretty slim without a full purge or migration.
DwellTime The time an attacker has stayed undetected in your network. Short: Hours to day. Good changes of catching up with the attacker. Medium: Days to weeks.You may catch up if you have a capable and enabled team. Long: Months to years. Depending on the attacker your chances are in all fairness pretty slim without a full purge or migration.
Intrusion Patterns of APT threats Sting Operation: Also called “smash and grab”. A direct attack to get a specific piece of information. Persistent Infiltration: A long running campaign against you, where your adversary will gain and sustain unauthorized access to your infrastructure for a long period of time. Response: When responding, you should take into consideration what kind of pattern you are seeing.
TheThreatType Matrix ThreatType: Strategic |Tactical | Operational Capability: Low | Medium | High Strategic: You are a high priority and long term target for your adversary Tactical: You are a short/medium term target for a specific reason Operational: You are a target because the attacker wants infrastructure
TheThreatType Matrix ThreatType: Strategic |Tactical | Operational Capability: Low | Medium | High Strategic: You are a high priority and long term target for your adversary Tactical: You are a short/medium term target for a specific reason Operational: You are a target because the attacker wants infrastructure
The RiskType Matrix RiskType: Strategic |Tactical | Operational Impact: Low | Medium | High Strategic: Affects your org’s long term strategic goals Tactical: Affects your org’s current and near future execution Operational: Affects your org’s (IT) operation
The RiskType Matrix RiskType: Strategic |Tactical | Operational Impact: Low | Medium | High Strategic: Affects your org’s long term strategic goals Tactical: Affects your org’s current and near future execution Operational: Affects your org’s (IT) operation
The RiskType Matrix RiskType: Strategic |Tactical | Operational Impact: Low | Medium | High Strategic: Affects your org’s long term strategic goals Tactical: Affects your org’s current and near future execution Operational: Affects your org’s (IT) operation
The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
Threat Metrics to help you navigate CTI Matric: Identifying knowledge gaps. ThreatType Matric: Identifying type of threat. RiskType Matric: Identifying type of risk. Intrusion Pattern: Identifying type of infiltration. DwellTime: Identifying length of infiltration.
Thank You
Bonus
Response Patterns
Response Patterns for your consideration Ignore: Ignorance or actively ignoring. Disrupt: Continuous remediation. Engage: A game of chess heavily reliant on intelligence and a high operational tempo. Clean: Scope, shut down and clean. Migrate: Build new and migrate.
Response Patterns for your consideration Ignore: Ignorance or actively ignoring. Disrupt: Continuous remediation. Engage: A game of chess heavily reliant on intelligence and a high operational tempo. Clean: Scope, shut down and clean. Migrate: Build new and migrate.
Response Patterns for your consideration Ignore: Ignorance or actively ignoring. Disrupt: Continuous remediation. Engage: A game of chess heavily reliant on intelligence and a high operational tempo. Clean: Scope, shut down and clean. Migrate: Build new and migrate.
Response Patterns for your consideration Ignore: Ignorance or actively ignoring. Disrupt: Continuous remediation. Engage: A game of chess heavily reliant on intelligence and a high operational tempo. Clean: Scope, shut down and clean. Migrate: Build new and migrate.
Thank You (again)

Recommended

Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsMark Arena
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat IntelligenceDeepak Kumar (D3)
 

Recommended

Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsMark Arena
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat IntelligenceDeepak Kumar (D3)
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CKMITRE ATT&CK
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKMITRE ATT&CK
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE - ATT&CKcon
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework👀 Joe Gray
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Threat intelligence notes
Threat intelligence notesThreat intelligence notes
Threat intelligence notesAmgad Magdy
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixJorge Orchilles
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Cyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightCyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightDeep Shankar Yadav
 
SecurityOperations
SecurityOperationsSecurityOperations
SecurityOperationsAntonio (Tony) Robinson
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingEric Jernigan MSIA, CISSP, CISM, CRISC
 

More Related Content

What's hot

Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CKMITRE ATT&CK
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKMITRE ATT&CK
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE - ATT&CKcon
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Threat intelligence notes
Threat intelligence notesThreat intelligence notes
Threat intelligence notesAmgad Magdy
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixJorge Orchilles
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
Cyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightCyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightDeep Shankar Yadav
 

What's hot (20)

Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CK
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Threat intelligence notes
Threat intelligence notesThreat intelligence notes
Threat intelligence notes
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 Matrix
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Cyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightCyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to Insight
 

Similar to Taking the Attacker Eviction Red Pill [updated]

Adaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksAdaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksJermund Ottermo
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfslametarrokhim1
 
ITD BSides PDX Slides
ITD BSides PDX SlidesITD BSides PDX Slides
ITD BSides PDX SlidesEricGoldstrom
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defenceOWASP EEE
 
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...Morakinyo Animasaun
 
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013beltface
 
RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_ConclaveNSConclave
 
The TTPs of hard hat incident response
The TTPs of hard hat incident responseThe TTPs of hard hat incident response
The TTPs of hard hat incident responseHinne Hettema
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...CODE BLUE
 
201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtable201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtableJunSeok Seo
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementJoe Vest
 
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdfTop_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdfinfosec train
 
Top 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdfTop 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdfShivamSharma909
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 
sophos-four-key-tips-from-incident-response-experts.pdf
sophos-four-key-tips-from-incident-response-experts.pdfsophos-four-key-tips-from-incident-response-experts.pdf
sophos-four-key-tips-from-incident-response-experts.pdfDennis Reyes
 

Similar to Taking the Attacker Eviction Red Pill [updated] (20)

SecurityOperations
SecurityOperationsSecurityOperations
SecurityOperations
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modeling
 
Adaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksAdaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber Attacks
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
 
ITD BSides PDX Slides
ITD BSides PDX SlidesITD BSides PDX Slides
ITD BSides PDX Slides
 
Threat Hunters
Threat HuntersThreat Hunters
Threat Hunters
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence
 
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
 
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
 
RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_Conclave
 
The TTPs of hard hat incident response
The TTPs of hard hat incident responseThe TTPs of hard hat incident response
The TTPs of hard hat incident response
 
Red Team P1.pdf
Red Team P1.pdfRed Team P1.pdf
Red Team P1.pdf
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
 
201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtable201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtable
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
 
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdfTop_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
Top_20_Incident_Responder_Interview_Questions_and_Answers_1.pdf
 
Top 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdfTop 20 Incident Responder Interview Questions and Answers (1).pdf
Top 20 Incident Responder Interview Questions and Answers (1).pdf
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
sophos-four-key-tips-from-incident-response-experts.pdf
sophos-four-key-tips-from-incident-response-experts.pdfsophos-four-key-tips-from-incident-response-experts.pdf
sophos-four-key-tips-from-incident-response-experts.pdf
 

Recently uploaded

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Taking the Attacker Eviction Red Pill [updated]

  • 1. Attacker Eviction Frode Hommedal Taking the RED PILL Telenor CERT
  • 2. Taking the Attacker Eviction RED PILLv1.5
  • 3. Strategies for structuring your reasoning when countering sustained intrusions
  • 7. Incident Response PICERL: Prepare Identify Contain Eradicate Recover Lessons Learned NIST: Preparation Detect & Analyze Contain & Eradicate & Recover Post IncidentActivities Bottom Line: Eventually you will try to get the attacker off your network
  • 8. Incident Response PICERL: Prepare Identify Contain Eradicate Recover Lessons Learned NIST: Preparation Detect & Analyze Contain & Eradicate & Recover Post IncidentActivities Bottom Line: Eventually you will try to get the attacker off your network
  • 10. Incident Response when facing an APT threat Best Practice: Scope before you start responding. Common Misstep: Acting too soon, giving your adversary time to adapt.
  • 11. Incident Response when facing an APT threat Best Practice: Scope before you start responding. Common Misstep: Acting too soon, giving your adversary time to adapt. «TOO EARLY» «PREEMPTIVELY» «PREEMPTIVE»
  • 13.
  • 14. So when is not too soon? What factors into that decision?
  • 16. Intrusion Patterns of “APT” threats Sting Operation: Also called “smash and grab”. A direct attack to get a specific piece of information. Persistent Infiltration: A long running campaign against you, where your adversary will gain and sustain unauthorized access to your infrastructure for a long period of time. Response: When responding, you should take into consideration what kind of pattern you are seeing.
  • 17. The Structure of an APT infiltration Access: An APT infiltration is all about access.They work a lot to gain and sustain access. Extract: The purpose of gaining access is to find and extract useful information (or abuse your infrastructure). Deliver: All of this is done to deliver on goals set for the attacker’s mission.
  • 19. The eviction process should not really be about evicting the attackers but rather keeping them out and preventing them from effortlessly re-entering “Red flank”
  • 20. It also shouldn’t be about cleaning networks but rather mitigating risk as effectively as possible “Yellow flank”
  • 22. DwellTime The time an attacker has stayed undetected in your network. Short: Hours to day. Good changes of catching up with the attacker. Medium: Days to weeks.You may catch up if you have a capable and enabled team. Long: Months to years. Depending on the attacker your chances are in all fairness pretty slim without a full purge or migration.
  • 23. DwellTime The time an attacker has stayed undetected in your network. Short: Hours to day. Good changes of catching up with the attacker. Medium: Days to weeks.You may catch up if you have a capable and enabled team. Long: Months to years. Depending on the attacker your chances are in all fairness pretty slim without a full purge or migration.
  • 24. Intrusion Patterns of APT threats Sting Operation: Also called “smash and grab”. A direct attack to get a specific piece of information. Persistent Infiltration: A long running campaign against you, where your adversary will gain and sustain unauthorized access to your infrastructure for a long period of time. Response: When responding, you should take into consideration what kind of pattern you are seeing.
  • 25. TheThreatType Matrix ThreatType: Strategic |Tactical | Operational Capability: Low | Medium | High Strategic: You are a high priority and long term target for your adversary Tactical: You are a short/medium term target for a specific reason Operational: You are a target because the attacker wants infrastructure
  • 26. TheThreatType Matrix ThreatType: Strategic |Tactical | Operational Capability: Low | Medium | High Strategic: You are a high priority and long term target for your adversary Tactical: You are a short/medium term target for a specific reason Operational: You are a target because the attacker wants infrastructure
  • 27. The RiskType Matrix RiskType: Strategic |Tactical | Operational Impact: Low | Medium | High Strategic: Affects your org’s long term strategic goals Tactical: Affects your org’s current and near future execution Operational: Affects your org’s (IT) operation
  • 28. The RiskType Matrix RiskType: Strategic |Tactical | Operational Impact: Low | Medium | High Strategic: Affects your org’s long term strategic goals Tactical: Affects your org’s current and near future execution Operational: Affects your org’s (IT) operation
  • 29. The RiskType Matrix RiskType: Strategic |Tactical | Operational Impact: Low | Medium | High Strategic: Affects your org’s long term strategic goals Tactical: Affects your org’s current and near future execution Operational: Affects your org’s (IT) operation
  • 30. The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
  • 31. The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
  • 32. The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
  • 33. The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
  • 34. The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
  • 35. The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
  • 36. The CyberThreat Intelligence Matrix Mapping your knowledge gaps. Depth of knowledge: Footprint | Arsenal |Tradecraft Stages of attack: Prep. | Intrusion | Execution Presentation: https://www.slideshare.net/Frod eHommedal/the-cyber-threat- intelligence-matrix Essay: https://www.mnemonic.no/secu rity-report/making-your-move
  • 37. Threat Metrics to help you navigate CTI Matric: Identifying knowledge gaps. ThreatType Matric: Identifying type of threat. RiskType Matric: Identifying type of risk. Intrusion Pattern: Identifying type of infiltration. DwellTime: Identifying length of infiltration.
  • 39. Bonus
  • 41. Response Patterns for your consideration Ignore: Ignorance or actively ignoring. Disrupt: Continuous remediation. Engage: A game of chess heavily reliant on intelligence and a high operational tempo. Clean: Scope, shut down and clean. Migrate: Build new and migrate.
  • 42. Response Patterns for your consideration Ignore: Ignorance or actively ignoring. Disrupt: Continuous remediation. Engage: A game of chess heavily reliant on intelligence and a high operational tempo. Clean: Scope, shut down and clean. Migrate: Build new and migrate.
  • 43. Response Patterns for your consideration Ignore: Ignorance or actively ignoring. Disrupt: Continuous remediation. Engage: A game of chess heavily reliant on intelligence and a high operational tempo. Clean: Scope, shut down and clean. Migrate: Build new and migrate.
  • 44. Response Patterns for your consideration Ignore: Ignorance or actively ignoring. Disrupt: Continuous remediation. Engage: A game of chess heavily reliant on intelligence and a high operational tempo. Clean: Scope, shut down and clean. Migrate: Build new and migrate.

Editor's Notes

  1. This talk is about models. Models to help you structure your thinking when you plan your response to an APT breach.
  2. An intruder who intends and will fight to keep access to your network even if you try to kick them out.
  3. Telenor CERT. NorCERT. APT. Analyst turned strategist and architect.
  4. For ransomware you want the time between detection and eviction (cleanup) to be as short as possible. With APT, counterintuitively enough, this might not be what you want.
  5. You’re not cleaning up garbage. You’re (literally) chasing rats. Highly intelligent and organized rodents with malicious intent. This makes it all very fluid and unpredictable.
  6. Turns out there’s a lot of uncertainty to deal with when responding to a targeted and advanced APT breach
  7. ”Purge” is sometimes called “nuke and pave”. Or maybe it’s “scorched earth”?