Advanced Threat Hunting
botconf
December 8, 2017
© 2018 ThreatConnect, Inc. All Rights Reserved.
Who Am I?
Director of Research Innovation
Research Team
ThreatConnect, Inc.
Threat Intelligence
A Few Definitions
Tactical
Technical
Operational
Strategic
The Intelligence Process
Source: Joint Intelligence / Joint Publication 2-0 (Joint Chiefs of Staff)
The Intelligence Process: Relationship of Data, Information, and Intelligence
Source: Joint Intelligence / Joint Publication 2-0 (Joint Chiefs of Staff)
David Bianco’s “Pyramid of Pain”
The Pyramid of Pain, Mirrored
Problem Definition, Part 1: Small Teams
We are a team of ten people
Problem Definition, Part 2: Limited Resources
Paid data feeds
Large data volume
Signal to noise
Limited tool capacity
Problem Definition, Part 3: Limited Time
Analysts must spend time analyzing, not moving data around
Doing It Wrong
Maintaining team YARA rules:
1. On a file server
2. Some person’s laptop
3. Lots of people’s laptops
Doing It Wrong
Wasting analysts’ time:
1. Downloading files
2. Uploading files
3. Waiting for AMAs to finish
Doing It Right
• Use revision control
• We use git!
• Deployment scripts
• Sync with threat intel platform
YARA Rule

```yara
rule Nemucod_JS_Ransom
{
    meta:
        priority = "Medium"
        confidence = "High"
        sandbox_restricted = true
    strings:
        // Ransom note text; the misspelling is the malware's own
        $a = "If you do not pay in 3 days YOU LOOSE ALL YOUR FILES" nocase wide ascii
        $b = " + \"php4ts.dll\";" wide ascii
        $c = "\"To restore your files you have to pay \"" wide ascii
    condition:
        // new_file is an external variable supplied by the scanning pipeline
        any of them
        and new_file
}
```
Associations for the Win
plyara
• PLY (Python Lex Yacc)
• Parser handles VirusTotal and vanilla rules
• Takes a ruleset file as input
• Outputs a python dictionary
https://github.com/8u1a/plyara
Send Improvements Upstream!
Netflix Open Connect Appliance: https://openconnect.netflix.com/en/software/
Demo: plyara
Jupyter
Notebook Programming
Cells: somewhere between REPL and monolithic script
https://jupyter.org/
Prioritization
Lottery Queue
Scoring
Non-Intuitive Ordering
High Priority / High Confidence
High Priority / Medium Confidence
Medium Priority / High Confidence
Medium Priority / Medium Confidence
High Priority / Low Confidence
Medium Priority / Low Confidence
Low Priority / Low Confidence
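The plyara slide above describes parsing a ruleset into a Python dictionary, and the Scoring and Non-Intuitive Ordering slides give the queue order without a formula. The block below is an added example, not code from the deck or from plyara: a small stand-in parser pulls each rule's meta into a dict, an assumed priority-times-confidence score reproduces the slide's ordering (and also ranks the two combinations the slide omits), and a repository check flags rules missing the meta the score needs. All rule names other than Nemucod_JS_Ransom, the sample matches and the scoring weights are constructed assumptions.

```python
"""Queue YARA matches by rule priority and confidence.

Added example, not code from the Botconf deck and not plyara: the meta
parser below stands in for plyara (which returns a Python dict per rule)
and the numeric scoring is an assumption chosen to reproduce the deck's
"Non-Intuitive Ordering" slide. All rules and matches are constructed.
"""
import re

# Constructed ruleset: the Nemucod meta is the deck's, the other rules
# are made up. The deck's external variable new_file is left out since
# only the meta section is parsed here.
SAMPLE_RULESET = r'''
rule Nemucod_JS_Ransom
{
    meta:
        priority = "Medium"
        confidence = "High"
        sandbox_restricted = true
    strings:
        $a = "If you do not pay in 3 days YOU LOOSE ALL YOUR FILES" nocase wide ascii
    condition:
        any of them
}
rule Generic_Packer_Stub { meta: priority = "Low" confidence = "Low" condition: uint16(0) == 0x5A4D }
rule Targeted_Loader_Beacon { meta: priority = "High" confidence = "Low" condition: filesize < 1MB }
rule Banker_Dropper_Doc { meta: priority = "High" confidence = "High" condition: filesize < 5MB }
rule Untriaged_Stub { meta: priority = "High" condition: false }
'''

# Constructed matches: (sample id, rule that fired on it).
SAMPLE_MATCHES = [
    ("sample-001", "Generic_Packer_Stub"),
    ("sample-002", "Targeted_Loader_Beacon"),
    ("sample-003", "Nemucod_JS_Ransom"),
    ("sample-004", "Banker_Dropper_Doc"),
    ("sample-005", "Untriaged_Stub"),
]

_RULE_RE = re.compile(r"\brule\s+(\w+)[^{]*\{(.*?)\}", re.S)
_META_RE = re.compile(r"meta:\s*(.*?)(?=\s*(?:strings|condition):)", re.S)
_KV_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)')
REQUIRED_META = ("priority", "confidence")
LEVELS = {"High": 3, "Medium": 2, "Low": 1}


def _coerce(raw):
    """Turn a YARA meta literal (string, bool or int) into a Python value."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"'):
        return raw[1:-1]
    return int(raw)


def parse_meta(ruleset):
    """Map rule name -> meta dict, the slice of plyara's output used here."""
    rules = {}
    for name, body in _RULE_RE.findall(ruleset):
        meta = {}
        section = _META_RE.search(body)
        if section:
            for key, raw in _KV_RE.findall(section.group(1)):
                meta[key] = _coerce(raw)
        rules[name] = meta
    return rules


def missing_meta(rules):
    """Pre-commit style check for the rule repository: names of rules
    that lack a required meta field and so cannot be scored."""
    return sorted(n for n, m in rules.items() if any(k not in m for k in REQUIRED_META))


def score(meta):
    """Assumed scoring: priority weight times confidence weight, priority
    breaking ties. Reproduces the slide's order (HP/HC, HP/MC, MP/HC,
    MP/MC, HP/LC, MP/LC, LP/LC): a high-priority rule at low confidence
    sorts below a medium/medium one, so a weak signature cannot push
    its matches to the top of the analysts' queue."""
    p = LEVELS.get(meta.get("priority"), 0)
    c = LEVELS.get(meta.get("confidence"), 0)
    return (p * c, p)


def order_queue(matches, rules):
    """Sort (sample, rule) matches highest score first; rules with
    missing or unknown meta score 0 and fall to the end."""
    return sorted(matches, key=lambda m: score(rules.get(m[1], {})), reverse=True)


def ranked_levels():
    """All nine priority/confidence pairs in scored order; the seven the
    slide lists appear in the slide's order, the two it omits
    (Low Priority with High or Medium Confidence) slot in by score."""
    pairs = [(p, c) for p in LEVELS for c in LEVELS]
    pairs.sort(key=lambda pc: score({"priority": pc[0], "confidence": pc[1]}), reverse=True)
    return [f"{p} Priority / {c} Confidence" for p, c in pairs]
```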
Prioritization Meetings
Automate AMAs
• Cuckoo Sandbox
• Joe Sandbox Cloud
• VxStream
• VMRay
• Lastline
• ThreatGrid
• ReversingLabs
• Your AMA Here!
Future Work: Business Value (BV)
• Data claimed
• Dataset analyzed
• Intelligence published
• Blog published
• New account created
• New customer
Happy Bean Counters
Budgets
• Maximize collection -> exploitation
• Collect metrics on utilization
• Establish KPIs
• AMAs at maximum capacity
Key Performance Indicators
Speaking to Management
A Key Performance Indicator is a measurable value that demonstrates how effectively a company is achieving key business objectives.
Sources of Samples
• Carved from Network Capture (Use Bro!!)
• Incoming email attachments
• Endpoint collections (AV and otherwise)
• Supply chain (CCleaner!!!!!!!!!!)
Success Stories
https://threatconnect.com/blog/kasperagent-malware-campaign/
Key Takeaways and Lessons Learned
• Organize signatures in revision control
• Automate between systems in tool chain
• Separate queues by signature type
  • Attack Pattern
  • Malware family / Adversary
• Periodic prioritization meetings
• SEND YOUR OPEN SOURCE CHANGES UPSTREAM!!!!!
Thank You
threatconnect.com/blog
@ThreatConnect
@MalwareUtkonos

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Advanced Threat Hunting - Botconf 2017

  • 2. © 2018 ThreatConnect, Inc. All Rights Reserved. Who Am I? Director of Research Innovation, Research Team, ThreatConnect, Inc.
  • 3. Threat Intelligence: A Few Definitions. Tactical, Technical, Operational, Strategic
  • 4. Threat Intelligence: A Few Definitions. Tactical, Technical, Operational, Strategic
  • 5. The Intelligence Process. Source: Joint Intelligence / Joint Publication 2-0 (Joint Chiefs of Staff)
  • 6. The Intelligence Process: Relationship of Data, Information, and Intelligence. Source: Joint Intelligence / Joint Publication 2-0 (Joint Chiefs of Staff)
  • 7. David Bianco’s “Pyramid of Pain”
  • 8. The Pyramid of Pain, Mirrored
  • 9. Problem Definition, Part 1: Small Teams. We are a team of ten people.
  • 10. Problem Definition, Part 2: Limited Resources. Paid data feeds; large data volume; signal to noise; limited tool capacity.
  • 11. Problem Definition, Part 3: Limited Time. Analysts must spend time analyzing, not moving data around.
  • 12. (image-only slide)
  • 13. Doing It Wrong. Maintaining team YARA rules:
      1. On a file server
      2. Some person’s laptop
      3. Lots of people’s laptops
  • 14. Doing It Wrong. Wasting analysts’ time:
      1. Downloading files
      2. Uploading files
      3. Waiting for AMAs to finish
  • 15. (image-only slide)
  • 16. Doing It Right
      • Use revision control (we use git!)
      • Deployment scripts
      • Sync with threat intel platform
  • 17. YARA Rule
      rule Nemucod_JS_Ransom
      {
          meta:
              priority = "Medium"
              confidence = "High"
              sandbox_restricted = true
          strings:
              // Literal ransom-note text; keep the spelling exactly as the note uses it.
              $a = "If you do not pay in 3 days YOU LOOSE ALL YOUR FILES" nocase wide ascii
              // Embedded double quotes must be backslash-escaped inside a YARA text string.
              $b = "\" + \"php4ts.dll\";" wide ascii
              $c = "\"To restore your files you have to pay \"" wide ascii
          condition:
              // new_file is an external variable supplied by the scanning pipeline at scan time,
              // not something the rule defines; the rule will not compile without it.
              any of them and new_file
      }
  • 18. Associations for the Win
  • 19. plyara
      • PLY (Python Lex Yacc)
      • Parser handles VirusTotal and vanilla rules
      • Takes a ruleset file as input
      • Outputs a python dictionary
  • 20. plyara: https://github.com/8u1a/plyara
  • 21. Send Improvements Upstream! Netflix Open Connect Appliance: https://openconnect.netflix.com/en/software/
  • 22. Send Improvements Upstream! Netflix Open Connect Appliance: https://openconnect.netflix.com/en/software/
  • 23. Demo: plyara
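An added example, not part of the deck and not plyara's own code: a minimal pure-Python YARA ruleset parser that shows what "takes a ruleset file as input, outputs a Python dictionary" looks like for the subset of the grammar the Nemucod rule uses (rule name, tags, meta, text strings with modifiers, condition). The ruleset is constructed here (the slide's rule plus a made-up tagged rule); the function and field names are mine, not plyara's API; `new_file` is reported as an external identifier simply because it is neither a YARA keyword nor a string reference, which is how a pipeline can discover which external variables it must supply before a rule will compile.

```python
"""Minimal YARA ruleset parser: an added, stand-alone example (not plyara).

It covers the subset the slides use: rule name, optional tags, a meta
section, text strings with modifiers, and the condition. Hex and regex
strings, imports, includes and private/global rules are out of scope.
Like plyara, the output is plain Python dicts, one per rule.
"""
import json
import re

# Constructed sample ruleset. The first rule is Nemucod_JS_Ransom from the
# slide, with the embedded double quotes backslash-escaped as YARA requires.
# The second rule is made up to exercise tags and a keyword-only condition.
SAMPLE_RULESET = r'''
rule Nemucod_JS_Ransom
{
    meta:
        priority = "Medium"
        confidence = "High"
        sandbox_restricted = true
    strings:
        $a = "If you do not pay in 3 days YOU LOOSE ALL YOUR FILES" nocase wide ascii
        $b = "\" + \"php4ts.dll\";" wide ascii
        $c = "\"To restore your files you have to pay \"" wide ascii
    condition:
        any of them and new_file
}

rule Constructed_Tagged : demo testing
{
    meta:
        priority = "Low"
        confidence = "Low"
    strings:
        $x = "constructed\tmarker" ascii
    condition:
        $x and filesize < 200KB
}
'''

HEADER_RE = re.compile(
    r'^(?:(?:private|global)\s+)*rule\s+(\w+)\s*(?::\s*([\w\s]+?))?\s*\{?\s*$')
STRING_RE = re.compile(r'^(\$\w*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(.*)$')
META_RE = re.compile(r'^(\w+)\s*=\s*(.+?)\s*$')
# Bare identifiers in a condition; skips $name/#name/@name/!name string
# references and unit suffixes such as the KB in 200KB.
IDENT_RE = re.compile(r'(?<![$#@!\w])[A-Za-z_]\w*')
# YARA syntax words that are not external variables (not exhaustive).
YARA_KEYWORDS = {
    'and', 'or', 'not', 'any', 'all', 'of', 'them', 'at', 'in', 'for',
    'filesize', 'entrypoint', 'true', 'false', 'contains', 'matches',
    'int8', 'int16', 'int32', 'uint8', 'uint16', 'uint32',
    'int8be', 'int16be', 'int32be', 'uint8be', 'uint16be', 'uint32be',
}
ESCAPES = {'"': '"', '\\': '\\', 't': '\t', 'n': '\n', 'r': '\r'}


def unescape(body):
    """Decode YARA text-string escapes: backslash-quote, backslash-backslash, t, n, r, xNN."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt == 'x' and i + 3 < len(body):
                out.append(chr(int(body[i + 2:i + 4], 16)))
                i += 4
                continue
            out.append(ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return ''.join(out)


def parse_meta_value(raw):
    """Meta values are quoted strings, booleans or integers."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return unescape(raw[1:-1])
    if raw in ('true', 'false'):
        return raw == 'true'
    return int(raw)


def external_identifiers(condition):
    """Identifiers the condition uses that YARA does not define itself (order kept, no repeats)."""
    seen = []
    for ident in IDENT_RE.findall(condition):
        if ident not in YARA_KEYWORDS and ident not in seen:
            seen.append(ident)
    return seen


def parse_ruleset(text):
    """Parse a ruleset string into a list of dicts, one per rule."""
    rules, rule, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('//') or line.startswith(('import ', 'include ')):
            continue
        if rule is None:
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError('expected a rule header, got %r' % line)
            rule = {'rule_name': m.group(1), 'tags': (m.group(2) or '').split(),
                    'metadata': {}, 'strings': [], 'condition': ''}
            section = None
            continue
        if line == '{':
            continue
        if line == '}':
            rule['external_identifiers'] = external_identifiers(rule['condition'])
            rules.append(rule)
            rule = None
            continue
        if line in ('meta:', 'strings:', 'condition:'):
            section = line[:-1]
            continue
        if section == 'meta':
            m = META_RE.match(line)
            if not m:
                raise ValueError('bad meta line %r' % line)
            rule['metadata'][m.group(1)] = parse_meta_value(m.group(2))
        elif section == 'strings':
            m = STRING_RE.match(line)
            if not m:
                raise ValueError('unsupported string definition %r' % line)
            rule['strings'].append({'name': m.group(1),
                                    'value': unescape(m.group(2)),
                                    'modifiers': m.group(3).split()})
        elif section == 'condition':
            rule['condition'] = (rule['condition'] + ' ' + line).strip()
        else:
            raise ValueError('line outside any section: %r' % line)
    if rule is not None:
        raise ValueError('unterminated rule %s' % rule['rule_name'])
    return rules


if __name__ == '__main__':
    print(json.dumps(parse_ruleset(SAMPLE_RULESET), indent=2))
```

Once rules are dicts, the team-level tooling the deck describes (syncing with a threat intel platform, routing by the `priority` and `confidence` meta keys) becomes ordinary data handling; the parser raises on anything outside the supported subset rather than silently dropping it, which is the behaviour you want when the ruleset lives in revision control and a bad commit should fail the deployment script.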
  • 24. Jupyter Notebook. Programming cells: somewhere between a REPL and a monolithic script. https://jupyter.org/
  • 25. Prioritization
  • 26. Lottery Queue
  • 27. Scoring
  • 28. Non-Intuitive Ordering (highest to lowest):
      High Priority / High Confidence
      High Priority / Medium Confidence
      Medium Priority / High Confidence
      Medium Priority / Medium Confidence
      High Priority / Low Confidence
      Medium Priority / Low Confidence
      Low Priority / Low Confidence
  • 29. Non-Intuitive Ordering (highest to lowest):
      High Priority / High Confidence
      High Priority / Medium Confidence
      Medium Priority / High Confidence
      Medium Priority / Medium Confidence
      High Priority / Low Confidence
      Medium Priority / Low Confidence
      Low Priority / Low Confidence
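An added example (mine, not the deck's) of one scoring scheme that reproduces the "non-intuitive ordering" above, plus a weighted lottery draw. The score, priority level times confidence level with priority as tie-breaker, is an assumption that happens to put all seven rows from the slide in the slide's order; the two combinations the slide does not list (Low priority with High or Medium confidence) land where the product puts them. Treating "lottery queue" as a weighted random draw is also my reading of the slide title; the rule names and the queue are constructed.

```python
"""Scoring a hunting queue by priority and confidence (added example).

Sorting by this score reproduces the ordering on the slide: a High/Low
rule ranks below a Medium/Medium rule, because low confidence means more
analyst time per true hit. The weighted lottery draw is my interpretation
of a "lottery queue": every rule can be drawn, but higher-scoring rules
are drawn proportionally more often, so low scorers do not starve.
"""
import random

LEVELS = {'Low': 1, 'Medium': 2, 'High': 3}

# Constructed queue in arbitrary order, one entry per pair on the slide.
SAMPLE_QUEUE = [
    {'rule': 'rule_ml', 'priority': 'Medium', 'confidence': 'Low'},
    {'rule': 'rule_hh', 'priority': 'High', 'confidence': 'High'},
    {'rule': 'rule_ll', 'priority': 'Low', 'confidence': 'Low'},
    {'rule': 'rule_hl', 'priority': 'High', 'confidence': 'Low'},
    {'rule': 'rule_mm', 'priority': 'Medium', 'confidence': 'Medium'},
    {'rule': 'rule_hm', 'priority': 'High', 'confidence': 'Medium'},
    {'rule': 'rule_mh', 'priority': 'Medium', 'confidence': 'High'},
]


def score(priority, confidence):
    """Sort key (priority x confidence, priority); a larger tuple sorts first."""
    p, c = LEVELS[priority], LEVELS[confidence]
    return (p * c, p)


def ordered(queue):
    """Queue sorted best-first, reproducing the slide's seven-row ordering."""
    return sorted(queue,
                  key=lambda item: score(item['priority'], item['confidence']),
                  reverse=True)


def lottery_pick(queue, rng):
    """Draw the next item with probability proportional to its product score."""
    weights = [score(item['priority'], item['confidence'])[0] for item in queue]
    return rng.choices(queue, weights=weights, k=1)[0]


def simulate_lottery(queue, draws, seed=0):
    """Count how often each rule is drawn over `draws` seeded draws."""
    rng = random.Random(seed)
    counts = {item['rule']: 0 for item in queue}
    for _ in range(draws):
        counts[lottery_pick(queue, rng)['rule']] += 1
    return counts


if __name__ == '__main__':
    for item in ordered(SAMPLE_QUEUE):
        print(score(item['priority'], item['confidence']),
              item['rule'], item['priority'], item['confidence'])
    print(simulate_lottery(SAMPLE_QUEUE, 1000, seed=7))
```

The product is the part worth arguing about in a prioritization meeting: it encodes that a confident Medium rule is worth more analyst time than a speculative High one, and changing the weights in `LEVELS` changes the ordering in one place.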
  • 30. Prioritization Meetings
  • 31. Automate AMAs
      • Cuckoo Sandbox
      • Joe Sandbox Cloud
      • VxStream
      • VMRay
      • Lastline
      • ThreatGrid
      • ReversingLabs
      • Your AMA Here!
  • 32. Future Work: Business Value (BV)
      • Data claimed
      • Dataset analyzed
      • Intelligence published
      • Blog published
      • New account created
      • New customer
  • 33. Happy Bean Counters: Budgets
      • Maximize collection -> exploitation
      • Collect metrics on utilization
      • Establish KPIs
      • AMAs at maximum capacity
  • 34. Key Performance Indicators: Speaking to Management. A Key Performance Indicator is a measurable value that demonstrates how effectively a company is achieving key business objectives.
  • 35. Sources of Samples
      • Carved from network capture (use Bro!!)
      • Incoming email attachments
      • Endpoint collections (AV and otherwise)
  • 36. Sources of Samples
      • Carved from network capture (use Bro!!)
      • Incoming email attachments
      • Endpoint collections (AV and otherwise)
      • Supply chain (CCleaner!!!!!!!!!!)
  • 37. Success Stories: https://threatconnect.com/blog/kasperagent-malware-campaign/
  • 38. (image-only slide)
  • 39. Success Stories
  • 40. Success Stories
  • 41. Key Takeaways and Lessons Learned
      • Organize signatures in revision control
      • Automate between systems in tool chain
      • Separate queues by signature type
          • Attack Pattern
          • Malware family / Adversary
      • Periodic prioritization meetings
      • SEND YOUR OPEN SOURCE CHANGES UPSTREAM!!!!!
  • 42. (image-only slide)
  • 43. Thank You. threatconnect.com/blog, @ThreatConnect, @MalwareUtkonos