Advanced Threat Hunting
botconf
December 8, 2017
© 2018 ThreatConnect, Inc. All Rights Reserved.
Who Am I?
Director of Research Innovation
Research Team
ThreatConnect, Inc.
Threat Intelligence: A Few Definitions
• Tactical
• Technical
• Operational
• Strategic
The Intelligence Process
Relationship of Data, Information, and Intelligence
Source: Joint Intelligence / Joint Publication 2-0 (Joint Chiefs of Staff)
David Bianco's "Pyramid of Pain"
The Pyramid of Pain, Mirrored
Problem Definition, Part 1: Small Teams
We are a team of ten people

Problem Definition, Part 2: Limited Resources
• Paid data feeds
• Large data volume
• Signal to noise
• Limited tool capacity

Problem Definition, Part 3: Limited Time
Analysts must spend time analyzing, not moving data around
Doing It Wrong
Maintaining team YARA rules:
1. On a file server
2. Some person's laptop
3. Lots of people's laptops

Doing It Wrong
Wasting analysts' time:
1. Downloading files
2. Uploading files
3. Waiting for AMAs (automated malware analysis systems) to finish
Doing It Right
• Use revision control (we use git!)
• Deployment scripts
• Sync with threat intel platform
YARA Rule

rule Nemucod_JS_Ransom
{
    meta:
        priority = "Medium"
        confidence = "High"
        sandbox_restricted = true
    strings:
        // Ransom-note text kept verbatim, misspelling included, because it is the literal to match
        $a = "If you do not pay in 3 days YOU LOOSE ALL YOUR FILES" nocase wide ascii
        // Double quotes inside a YARA text string must be escaped
        $b = " + \"php4ts.dll\";" wide ascii
        $c = "\"To restore your files you have to pay \"" wide ascii
    condition:
        // new_file is an external variable supplied by the hunting platform (VirusTotal
        // Hunting exposes it); to compile locally: yara -d new_file=true rule.yar sample
        any of them and new_file
}
Associations for the Win
plyara
https://github.com/8u1a/plyara
• Built on PLY (Python Lex-Yacc)
• Parser handles VirusTotal and vanilla YARA rules
• Takes a ruleset file as input
• Outputs a Python dictionary
Send Improvements Upstream!
Netflix Open Connect Appliance: https://openconnect.netflix.com/en/software/

Demo: plyara
Jupyter
Notebook programming: cells
Somewhere between a REPL and a monolithic script
https://jupyter.org/
Prioritization
Lottery Queue
Scoring
Non-Intuitive Ordering
1. High Priority / High Confidence
2. High Priority / Medium Confidence
3. Medium Priority / High Confidence
4. Medium Priority / Medium Confidence
5. High Priority / Low Confidence
6. Medium Priority / Low Confidence
7. Low Priority / Low Confidence
Confidence outranks priority: every Low-confidence rule sorts behind every Medium- or High-confidence rule, whatever the priority of the threat it targets.
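The ordering above, together with the plyara slide earlier (rule file in, Python dictionary out), is what turns a git-managed ruleset into a run queue. The Python below is an added example, not code from the talk and not plyara itself: a small regex stand-in mimics plyara's output shape (assumed here to be one dict per rule with a rule_name and a metadata list of single-key dicts; plyara is a full PLY grammar and is what you would use on real rulesets), rules whose meta lacks a valid priority/confidence are rejected so a deployment script can fail the commit, and the remaining rules are ordered exactly as the Non-Intuitive Ordering slide lists them. The ruleset is constructed for the example; every rule name other than Nemucod_JS_Ransom is hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample ruleset: the Nemucod rule from the deck, plus hypothetical
# one-line rules (names and meta invented for this example) and one with no meta.
SAMPLE_RULESET = r'''
rule Nemucod_JS_Ransom
{
    meta:
        priority = "Medium"
        confidence = "High"
        sandbox_restricted = true
    strings:
        $a = "If you do not pay in 3 days YOU LOOSE ALL YOUR FILES" nocase wide ascii
    condition:
        any of them and new_file
}
rule Hypothetical_Wiper { meta: priority = "High" confidence = "High" condition: false }
rule Hypothetical_APT_Implant { meta: priority = "High" confidence = "Medium" condition: false }
rule Hypothetical_Loader_Strings { meta: priority = "High" confidence = "Low" condition: false }
rule Hypothetical_Commodity_Packer { meta: priority = "Low" confidence = "Low" condition: false }
rule Missing_Meta { condition: false }
'''

# Minimal regex stand-in for plyara (assumption: plyara yields one dict per rule with
# 'rule_name' and a 'metadata' list of single-key dicts). It assumes no '}' and no
# comments inside rule bodies, which real rulesets violate; use plyara for those.
RULE_RE = re.compile(r'\brule\s+(\w+)[^{]*\{(.*?)\}\s*(?=\brule\b|\Z)', re.S)
META_RE = re.compile(r'\bmeta:\s*(.*?)(?=\bstrings:|\bcondition:)', re.S)
KV_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(true|false)|(-?\d+))')


def parse_ruleset(text: str) -> List[Dict]:
    rules = []
    for match in RULE_RE.finditer(text):
        name, body = match.group(1), match.group(2)
        metadata = []
        meta_block = META_RE.search(body)
        if meta_block:
            for key, string, boolean, number in KV_RE.findall(meta_block.group(1)):
                if boolean:
                    value = boolean == 'true'
                elif number:
                    value = int(number)
                else:
                    value = string
                metadata.append({key: value})
        rules.append({'rule_name': name, 'metadata': metadata})
    return rules


def flatten_meta(rule: Dict) -> Dict:
    """Collapse the plyara-style metadata list into one dict."""
    merged: Dict = {}
    for entry in rule['metadata']:
        merged.update(entry)
    return merged


LEVELS = {'High': 3, 'Medium': 2, 'Low': 1}


def ordering_key(priority: str, confidence: str) -> Tuple[bool, int, int]:
    """Sort key reproducing the deck's queue order: confidence outranks priority.

    Every Low-confidence rule sorts behind every Medium/High-confidence rule
    (its hits cost analyst time in false positives); within a tier, higher
    priority first, then higher confidence. Python sorts False before True.
    """
    p, c = LEVELS[priority], LEVELS[confidence]
    return (c == LEVELS['Low'], -p, -c)


def build_queue(rules: List[Dict]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (ordered rule names, rejected (name, reason)) for a hunting queue.

    A rule without valid priority/confidence meta is rejected rather than silently
    queued last, so a deployment script can fail the commit that introduced it.
    """
    ready, rejected = [], []
    for rule in rules:
        meta = flatten_meta(rule)
        try:
            key = ordering_key(meta['priority'], meta['confidence'])
        except KeyError as missing:
            rejected.append((rule['rule_name'], f'missing or invalid meta: {missing}'))
            continue
        ready.append((key, rule['rule_name']))
    ready.sort()
    return [name for _, name in ready], rejected


if __name__ == '__main__':
    queue, rejected = build_queue(parse_ruleset(SAMPLE_RULESET))
    for position, name in enumerate(queue, 1):
        print(f'{position}. {name}')
    for name, reason in rejected:
        print(f'REJECTED {name}: {reason}')
```

The sort key is the whole policy: a boolean "is Low confidence" tier first, then priority, then confidence. Changing the policy in a meeting means changing one line, and the rejected list is what a git pre-commit or deployment script would print before refusing to sync a ruleset to the platform.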
Prioritization Meetings
Automate AMAs
• Cuckoo Sandbox
• Joe Sandbox Cloud
• VxStream
• VMRay
• Lastline
• ThreatGrid
• ReversingLabs
• Your AMA Here!
Future Work: Business Value (BV)
• Data claimed
• Dataset analyzed
• Intelligence published
• Blog published
• New account created
• New customer
Happy Bean Counters: Budgets
• Maximize collection -> exploitation
• Collect metrics on utilization
• Establish KPIs
• AMAs at maximum capacity
Key Performance Indicators: Speaking to Management
A Key Performance Indicator is a measurable value that demonstrates how effectively a company is achieving key business objectives.
Sources of Samples
• Carved from network capture (use Bro, now Zeek!)
• Incoming email attachments
• Endpoint collections (AV and otherwise)
• Supply chain (e.g. the CCleaner compromise!)
Success Stories
https://threatconnect.com/blog/kasperagent-malware-campaign/
Key Takeaways and Lessons Learned
• Organize signatures in revision control
• Automate hand-offs between systems in the tool chain
• Separate queues by signature type:
  • Attack pattern
  • Malware family / adversary
• Periodic prioritization meetings
• SEND YOUR OPEN SOURCE CHANGES UPSTREAM!
Thank You
threatconnect.com/blog
@ThreatConnect
@MalwareUtkonos

More Related Content

What's hot

Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Dollars and Sense of Sharing Threat Intelligence
Dollars and Sense of Sharing Threat IntelligenceDollars and Sense of Sharing Threat Intelligence
Dollars and Sense of Sharing Threat Intelligence
ThreatConnect
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat Intelligence
ThreatConnect
 
SACON - Threat Hunting Workshop (Shomiron Das Gupta)
SACON - Threat Hunting Workshop (Shomiron Das Gupta)SACON - Threat Hunting Workshop (Shomiron Das Gupta)
SACON - Threat Hunting Workshop (Shomiron Das Gupta)
Priyanka Aash
 
Building a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudBuilding a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the Cloud
ProtectWise
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
Ben Boyd
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat Intelligence
Priyanka Aash
 
Sqrrl 2.0 Launch Webinar
Sqrrl 2.0 Launch WebinarSqrrl 2.0 Launch Webinar
Sqrrl 2.0 Launch Webinar
Sqrrl
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Hunting
chrissanders88
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
Leveraging Threat Intelligence to Guide Your Hunts
Leveraging Threat Intelligence to Guide Your HuntsLeveraging Threat Intelligence to Guide Your Hunts
Leveraging Threat Intelligence to Guide Your Hunts
Sqrrl
 
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
ThreatConnect
 
Threat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the BasicsThreat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the Basics
Cybereason
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
Morane Decriem
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 

What's hot (20)

Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Dollars and Sense of Sharing Threat Intelligence
Dollars and Sense of Sharing Threat IntelligenceDollars and Sense of Sharing Threat Intelligence
Dollars and Sense of Sharing Threat Intelligence
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat Intelligence
 
SACON - Threat Hunting Workshop (Shomiron Das Gupta)
SACON - Threat Hunting Workshop (Shomiron Das Gupta)SACON - Threat Hunting Workshop (Shomiron Das Gupta)
SACON - Threat Hunting Workshop (Shomiron Das Gupta)
 
Building a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the CloudBuilding a Threat Hunting Practice in the Cloud
Building a Threat Hunting Practice in the Cloud
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat Intelligence
 
Sqrrl 2.0 Launch Webinar
Sqrrl 2.0 Launch WebinarSqrrl 2.0 Launch Webinar
Sqrrl 2.0 Launch Webinar
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Hunting
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Leveraging Threat Intelligence to Guide Your Hunts
Leveraging Threat Intelligence to Guide Your HuntsLeveraging Threat Intelligence to Guide Your Hunts
Leveraging Threat Intelligence to Guide Your Hunts
 
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
 
Threat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the BasicsThreat Hunting 102: Beyond the Basics
Threat Hunting 102: Beyond the Basics
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 

Similar to Advanced Threat Hunting - BotConf 2017

Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
SBWebinars
 
Infosecurity - CDMX 2018
Infosecurity - CDMX 2018Infosecurity - CDMX 2018
Infosecurity - CDMX 2018
Miguel Hernández y López
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec
 
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018 NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT
 
IoT Microcontrollers and Getting Started with Amazon FreeRTOS (IOT338-R1) - A...
IoT Microcontrollers and Getting Started with Amazon FreeRTOS (IOT338-R1) - A...IoT Microcontrollers and Getting Started with Amazon FreeRTOS (IOT338-R1) - A...
IoT Microcontrollers and Getting Started with Amazon FreeRTOS (IOT338-R1) - A...
Amazon Web Services
 
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
Interset
 
Master the RETE algorithm
Master the RETE algorithmMaster the RETE algorithm
Master the RETE algorithm
Masahiko Umeno
 
Pgatss slide deck june 7, 2018
Pgatss slide deck june 7, 2018Pgatss slide deck june 7, 2018
Pgatss slide deck june 7, 2018
Greg Wartes, MCP
 
AI : Animal Like Abilities in Applied AI, What can go wrong?
AI : Animal Like Abilities in Applied AI, What can go wrong?AI : Animal Like Abilities in Applied AI, What can go wrong?
AI : Animal Like Abilities in Applied AI, What can go wrong?
Jari Koister
 
AWS Startup Day Toronto - Sudip Chakrabarti- Building & Selling AI-Powered En...
AWS Startup Day Toronto - Sudip Chakrabarti- Building & Selling AI-Powered En...AWS Startup Day Toronto - Sudip Chakrabarti- Building & Selling AI-Powered En...
AWS Startup Day Toronto - Sudip Chakrabarti- Building & Selling AI-Powered En...
Amazon Web Services
 
From zero to one - How we evolved our test automation processes and mindset i...
From zero to one - How we evolved our test automation processes and mindset i...From zero to one - How we evolved our test automation processes and mindset i...
From zero to one - How we evolved our test automation processes and mindset i...
Jen-Chieh Ko
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibility
dianadvo
 
Cloud Ramps Up at DOD--Here's What You Need to Know
Cloud Ramps Up at DOD--Here's What You Need to KnowCloud Ramps Up at DOD--Here's What You Need to Know
Cloud Ramps Up at DOD--Here's What You Need to Know
immixGroup
 
Keeping Modern Applications Performing
Keeping Modern Applications PerformingKeeping Modern Applications Performing
Keeping Modern Applications Performing
Lee Atchison
 
Ga society of cpa's 2018 coastal chapter
Ga society of cpa's   2018 coastal chapterGa society of cpa's   2018 coastal chapter
Ga society of cpa's 2018 coastal chapter
Greg Wartes, MCP
 
QCon 2018 | Gimel | PayPal's Analytic Platform
QCon 2018 | Gimel | PayPal's Analytic PlatformQCon 2018 | Gimel | PayPal's Analytic Platform
QCon 2018 | Gimel | PayPal's Analytic Platform
Deepak Chandramouli
 
Automatizovaná bezpečnost – nadstandard nebo nutnost?
Automatizovaná bezpečnost – nadstandard nebo nutnost?Automatizovaná bezpečnost – nadstandard nebo nutnost?
Automatizovaná bezpečnost – nadstandard nebo nutnost?
MarketingArrowECS_CZ
 
Scrapping for Pennies: How to implement security without a budget
Scrapping for Pennies: How to implement security without a budgetScrapping for Pennies: How to implement security without a budget
Scrapping for Pennies: How to implement security without a budget
Ryan Wisniewski
 
DataWorks 2018: How Big Data and AI Saved the Day
DataWorks 2018: How Big Data and AI Saved the DayDataWorks 2018: How Big Data and AI Saved the Day
DataWorks 2018: How Big Data and AI Saved the Day
Interset
 
Keynote - Chaos Engineering: Why breaking things should be practiced
Keynote - Chaos Engineering: Why breaking things should be practicedKeynote - Chaos Engineering: Why breaking things should be practiced
Keynote - Chaos Engineering: Why breaking things should be practiced
AWS User Group Bengaluru
 

Similar to Advanced Threat Hunting - BotConf 2017 (20)

Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
 
Infosecurity - CDMX 2018
Infosecurity - CDMX 2018Infosecurity - CDMX 2018
Infosecurity - CDMX 2018
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
 
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018 NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
NETSCOUT Threat Intelligence Report: Findings Summary 1st half of 2018
 
IoT Microcontrollers and Getting Started with Amazon FreeRTOS (IOT338-R1) - A...
IoT Microcontrollers and Getting Started with Amazon FreeRTOS (IOT338-R1) - A...IoT Microcontrollers and Getting Started with Amazon FreeRTOS (IOT338-R1) - A...
IoT Microcontrollers and Getting Started with Amazon FreeRTOS (IOT338-R1) - A...
 
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
 
Master the RETE algorithm
Master the RETE algorithmMaster the RETE algorithm
Master the RETE algorithm
 
Pgatss slide deck june 7, 2018
Pgatss slide deck june 7, 2018Pgatss slide deck june 7, 2018
Pgatss slide deck june 7, 2018
 
AI : Animal Like Abilities in Applied AI, What can go wrong?
AI : Animal Like Abilities in Applied AI, What can go wrong?AI : Animal Like Abilities in Applied AI, What can go wrong?
AI : Animal Like Abilities in Applied AI, What can go wrong?
 
AWS Startup Day Toronto - Sudip Chakrabarti- Building & Selling AI-Powered En...
AWS Startup Day Toronto - Sudip Chakrabarti- Building & Selling AI-Powered En...AWS Startup Day Toronto - Sudip Chakrabarti- Building & Selling AI-Powered En...
AWS Startup Day Toronto - Sudip Chakrabarti- Building & Selling AI-Powered En...
 
From zero to one - How we evolved our test automation processes and mindset i...
From zero to one - How we evolved our test automation processes and mindset i...From zero to one - How we evolved our test automation processes and mindset i...
From zero to one - How we evolved our test automation processes and mindset i...
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibility
 
Cloud Ramps Up at DOD--Here's What You Need to Know
Cloud Ramps Up at DOD--Here's What You Need to KnowCloud Ramps Up at DOD--Here's What You Need to Know
Cloud Ramps Up at DOD--Here's What You Need to Know
 
Keeping Modern Applications Performing
Keeping Modern Applications PerformingKeeping Modern Applications Performing
Keeping Modern Applications Performing
 
Ga society of cpa's 2018 coastal chapter
Ga society of cpa's   2018 coastal chapterGa society of cpa's   2018 coastal chapter
Ga society of cpa's 2018 coastal chapter
 
QCon 2018 | Gimel | PayPal's Analytic Platform
QCon 2018 | Gimel | PayPal's Analytic PlatformQCon 2018 | Gimel | PayPal's Analytic Platform
QCon 2018 | Gimel | PayPal's Analytic Platform
 
Automatizovaná bezpečnost – nadstandard nebo nutnost?
Automatizovaná bezpečnost – nadstandard nebo nutnost?Automatizovaná bezpečnost – nadstandard nebo nutnost?
Automatizovaná bezpečnost – nadstandard nebo nutnost?
 
Scrapping for Pennies: How to implement security without a budget
Scrapping for Pennies: How to implement security without a budgetScrapping for Pennies: How to implement security without a budget
Scrapping for Pennies: How to implement security without a budget
 
DataWorks 2018: How Big Data and AI Saved the Day
DataWorks 2018: How Big Data and AI Saved the DayDataWorks 2018: How Big Data and AI Saved the Day
DataWorks 2018: How Big Data and AI Saved the Day
 
Keynote - Chaos Engineering: Why breaking things should be practiced
Keynote - Chaos Engineering: Why breaking things should be practicedKeynote - Chaos Engineering: Why breaking things should be practiced
Keynote - Chaos Engineering: Why breaking things should be practiced
 

Recently uploaded

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Webinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data WarehouseWebinar: Designing a schema for a Data Warehouse
Webinar: Designing a schema for a Data Warehouse
Federico Razzoli
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
jpupo2018
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 

Recently uploaded (20)

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 

Advanced Threat Hunting - BotConf 2017

  • 17. YARA Rule
      rule Nemucod_JS_Ransom
      {
          meta:
              priority = "Medium"
              confidence = "High"
              sandbox_restricted = true
          strings:
              $a = "If you do not pay in 3 days YOU LOOSE ALL YOUR FILES" nocase wide ascii
              // $b and $c match quoted JavaScript source, hence the escaped quotes
              $b = "\" + \"php4ts.dll\";" wide ascii
              $c = "\"To restore your files you have to pay \"" wide ascii
          condition:
              any of them and new_file
      }
  • 18. Associations for the Win
  • 19. plyara
      • PLY (Python Lex Yacc)
      • Parser handles VirusTotal and vanilla rules
      • Takes a ruleset file as input
      • Outputs a python dictionary
  • 20. plyara: https://github.com/8u1a/plyara
  • 21. Send Improvements Upstream! Netflix Open Connect Appliance: https://openconnect.netflix.com/en/software/
  • 22. Send Improvements Upstream! Netflix Open Connect Appliance: https://openconnect.netflix.com/en/software/
  • 23. Demo: plyara
  • 24. Jupyter Notebook: programming cells, somewhere between a REPL and a monolithic script. https://jupyter.org/
  • 25. Prioritization
  • 26. Lottery Queue
  • 27. Scoring
  • 28. Non-Intuitive Ordering
      1. High Priority / High Confidence
      2. High Priority / Medium Confidence
      3. Medium Priority / High Confidence
      4. Medium Priority / Medium Confidence
      5. High Priority / Low Confidence
      6. Medium Priority / Low Confidence
      7. Low Priority / Low Confidence
  • 29. Non-Intuitive Ordering (same ordering as slide 28)
  • 30. Prioritization Meetings
  • 31. Automate AMAs
      • Cuckoo Sandbox
      • Joe Sandbox Cloud
      • VxStream
      • VMRay
      • Lastline
      • ThreatGrid
      • ReversingLabs
      • Your AMA Here!
  • 32. Future Work: Business Value (BV)
      • Data claimed
      • Dataset analyzed
      • Intelligence published
      • Blog published
      • New account created
      • New customer
  • 33. Happy Bean Counters: Budgets
      • Maximize collection -> exploitation
      • Collect metrics on utilization
      • Establish KPIs
      • AMAs at maximum capacity
  • 34. Key Performance Indicators: Speaking to Management. A Key Performance Indicator is a measurable value that demonstrates how effectively a company is achieving key business objectives.
  • 35. Sources of Samples
      • Carved from Network Capture (Use Bro!!)
      • Incoming email attachments
      • Endpoint collections (AV and otherwise)
  • 36. Sources of Samples
      • Carved from Network Capture (Use Bro!!)
      • Incoming email attachments
      • Endpoint collections (AV and otherwise)
      • Supply chain (CCleaner!!!!!!!!!!)
  • 37. Success Stories: https://threatconnect.com/blog/kasperagent-malware-campaign/
  • 38. (no transcript text)
  • 39. Success Stories
  • 40. Success Stories
  • 41. Key Takeaways and Lessons Learned
      • Organize signatures in revision control
      • Automate between systems in tool chain
      • Separate queues by signature type
          • Attack Pattern
          • Malware family / Adversary
      • Periodic prioritization meetings
      • SEND YOUR OPEN SOURCE CHANGES UPSTREAM!!!!!
  • 42. (no transcript text)
  • 43. Thank You: threatconnect.com/blog @ThreatConnect @MalwareUtkonos
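The YARA rule on slide 17 carries priority and confidence metadata, plyara (slide 19) turns a ruleset into Python dictionaries, and slides 27 to 29 order the hunting queue by those two fields in a way that is not simply "priority first". The Python below is an added example written for this page; it is not plyara and not ThreatConnect's tooling. A small regex parser stands in for plyara (its field names are this example's own), the `WEIGHT` table and the `priority * confidence` score with priority as the tie-breaker are assumptions chosen to reproduce the ordering on slide 28, and the ruleset is constructed: the Nemucod rule from the slide plus metadata-only stub rules whose strings are placeholders. The `new_file` in the slide's condition is an external variable of the kind VirusTotal's hunting service supplies, so the example inspects metadata and string identifiers rather than compiling the rule.

```python
import re

# Rank YARA hunting rules by their priority/confidence metadata.  Added
# example for this page, not plyara and not ThreatConnect's own tooling.
# The weights are an assumption chosen to reproduce the slide's ordering.
WEIGHT = {"High": 3, "Medium": 2, "Low": 1}

RULE_RE = re.compile(r"^rule\s+(\w+)[^{]*\{(.*?)^\}", re.S | re.M)
SECTION_RE = re.compile(r"^\s*(meta|strings|condition):", re.M)
KV_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)')
STRING_ID_RE = re.compile(r"^\s*([^\s=]+)\s*=", re.M)

# Constructed ruleset: the Nemucod rule from slide 17 plus stub rules that
# exist only to carry metadata (their strings are placeholders, not IoCs).
# The last stub repeats the slide's extraction glitch (a$ instead of $a).
RULESET = r'''
rule Nemucod_JS_Ransom
{
    meta:
        priority = "Medium"
        confidence = "High"
        sandbox_restricted = true
    strings:
        $a = "If you do not pay in 3 days YOU LOOSE ALL YOUR FILES" nocase wide ascii
        $b = "\" + \"php4ts.dll\";" wide ascii
        $c = "\"To restore your files you have to pay \"" wide ascii
    condition:
        any of them and new_file
}
rule Stub_Loader {
    meta: priority = "High" confidence = "Low"
    strings: $s = "constructed-placeholder-1"
    condition: $s
}
rule Stub_Dropper {
    meta: priority = "High" confidence = "Medium"
    strings: $s = "constructed-placeholder-2"
    condition: $s
}
rule Stub_Keylogger {
    meta: priority = "Low" confidence = "Low"
    strings: $s = "constructed-placeholder-3"
    condition: $s
}
rule Stub_Broken {
    meta: priority = "Medium" confidence = "Medium"
    strings: a$ = "constructed-placeholder-4"
    condition: any of them
}
'''


def split_sections(body):
    """Map each section keyword of one rule body to the text that follows it."""
    marks = list(SECTION_RE.finditer(body))
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        sections[m.group(1)] = body[m.end():end]
    return sections


def parse_meta(text):
    """Turn the `key = value` pairs of a meta section into a dict with typed values."""
    meta = {}
    for key, raw in KV_RE.findall(text):
        if raw.startswith('"'):
            meta[key] = raw[1:-1]
        elif raw in ("true", "false"):
            meta[key] = raw == "true"
        else:
            meta[key] = int(raw)
    return meta


def parse_rules(text):
    """Stand-in for plyara: one dict per rule (field names are this example's own)."""
    rules = []
    for name, body in RULE_RE.findall(text):
        sections = split_sections(body)
        rules.append({"rule_name": name,
                      "metadata": parse_meta(sections.get("meta", "")),
                      "strings": sections.get("strings", ""),
                      "condition": sections.get("condition", "").strip()})
    return rules


def lint_rule(rule):
    """Problems that would make the rule fail to compile or impossible to score."""
    problems = []
    for ident in STRING_ID_RE.findall(rule["strings"]):
        if not ident.startswith("$"):
            problems.append(f"string identifier {ident!r} must start with '$'")
    for key in ("priority", "confidence"):
        if rule["metadata"].get(key) not in WEIGHT:
            problems.append(f"meta '{key}' missing or not one of {sorted(WEIGHT)}")
    return problems


def score(rule):
    """(priority * confidence, priority): the tie-break puts H/M ahead of M/H and
    H/L ahead of L/H, which reproduces the non-intuitive ordering on slide 28."""
    p = WEIGHT[rule["metadata"]["priority"]]
    c = WEIGHT[rule["metadata"]["confidence"]]
    return (p * c, p)


def queue_order(rules):
    """Rule names, most urgent first; rules that fail lint are held back."""
    usable = [r for r in rules if not lint_rule(r)]
    return [r["rule_name"] for r in sorted(usable, key=score, reverse=True)]


if __name__ == "__main__":
    parsed = parse_rules(RULESET)
    for r in parsed:
        print(r["rule_name"], r["metadata"], lint_rule(r))
    print("queue:", queue_order(parsed))
```

Run stand-alone, the script queues `Stub_Dropper` (High/Medium) ahead of `Nemucod_JS_Ransom` (Medium/High), then `Stub_Loader` (High/Low) and `Stub_Keylogger` (Low/Low), which is the slide's ordering; `Stub_Broken` is reported by the lint check for its `a$` identifier and never reaches the queue. The same score also slots the combinations the slide does not list (Low/High, Low/Medium) just below High/Low and Medium/Low respectively, since priority breaks the tie.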