Co-Speaker: Cheryl Biswas
Talk Description:
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.
We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.
We’ll show you how to understand your data, correlate threats and pinpoint attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.
6. Props to DarkReading
This started with a webinar for DarkReading on Threat Intel and how to use it effectively. We received some great feedback, a lot of interest, and built upon it for HackFest.
Our Webinar:
https://webinar.darkreading.com/2492?keycode=SBX&cid=smartbox_techweb_upcoming_webinars_8.500000620
7. What We Will Cover
All. That. DATA
Logging towards Alerts
Threat Intel
Visibility
Context
Pinpointing an Attack
Kill Chains & OODA Loops
8. Terminology
IOC - Indicator of Compromise - Domain, IP address, URL
IOA - Indicator of Attack
COA - Course of Action - What can we do to prevent, mitigate, detect; e.g. implement a block on an email address
TTP - Tactics, Techniques, and Procedures
38. Good Alerts
Give enough information to correlate
Understand all you can from the one log
Actionable
Standard procedures for each for IR team
Time is NOT on your side
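Putting the terminology above and the "good alert" checklist together, as an added example that is not from the talk: a small matcher runs an IOC feed over proxy log lines and emits alerts that carry everything the IR team needs to correlate and act (who, when, which IOC, where the IOC came from, and the COA). The IOC values, the proxy log lines and the COA text are all constructed for the example; the log layout (timestamp, client, user, method, URL, status, bytes) is an assumption, not a specific product's format.

```python
"""Turn an IOC hit on one proxy log line into an alert an IR team can act on.

Added example, not code from the talk. IOC feed, log lines and COA text are
constructed; the log layout is an assumption.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed IOC feed. Each entry carries its source and a course of action
# (COA) so the resulting alert is actionable without a second lookup.
IOC_FEED = [
    {"type": "domain", "value": "update-check.example.net", "source": "vendor-report-A",
     "coa": "Sinkhole domain at DNS; block at proxy"},
    {"type": "ip", "value": "203.0.113.45", "source": "vendor-report-A",
     "coa": "Block at perimeter firewall"},
    {"type": "url", "value": "http://cdn.example.org/img/pixel.gif", "source": "internal-IR-2016-03",
     "coa": "Block exact URL at proxy; pull host for forensics"},
]

# Constructed proxy log (assumed layout: ts client user method url status bytes).
PROXY_LOG = """
2016-11-04T13:02:11Z 10.1.4.22 jdoe GET http://cdn.example.org/img/pixel.gif 200 43
2016-11-04T13:02:15Z 10.1.4.22 jdoe GET http://203.0.113.45/api/v1/beacon 200 1024
2016-11-04T13:05:40Z 10.1.7.9 asmith GET https://www.example.com/ 200 5120
2016-11-04T13:06:02Z 10.1.7.9 asmith GET http://files.update-check.example.net/u.bin 404 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d+)\s+(?P<bytes>\d+)$"
)


def index_feed(feed):
    """Index IOCs by type for O(1) lookups; values are lower-cased once here."""
    idx = {"domain": {}, "ip": {}, "url": {}}
    for ioc in feed:
        idx[ioc["type"]][ioc["value"].lower()] = ioc
    return idx


def match_ioc(url, index):
    """Return the IOC this URL hits, or None.

    Order: exact URL, then the host as an IP, then the host and each of its
    parent domains (so a subdomain of a listed domain still matches).
    """
    u = url.lower()
    if u in index["url"]:
        return index["url"][u]
    host = urlparse(u).hostname or ""
    try:
        ip_address(host)
        return index["ip"].get(host)
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in index["domain"]:
            return index["domain"][candidate]
    return None


def build_alerts(log_text, feed):
    """One alert per IOC hit, carrying the raw line plus correlation fields."""
    index = index_feed(feed)
    alerts = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line: log it elsewhere, never silently drop in prod
        ioc = match_ioc(m["url"], index)
        if ioc is None:
            continue
        alerts.append({
            "time": m["ts"], "client": m["client"], "user": m["user"],
            "method": m["method"], "url": m["url"], "status": int(m["status"]),
            "ioc_type": ioc["type"], "ioc_value": ioc["value"],
            "ioc_source": ioc["source"], "coa": ioc["coa"], "raw": raw,
        })
    return alerts


def group_by_client(alerts):
    """Correlate: every hit from the same client in one bucket."""
    out = {}
    for a in alerts:
        out.setdefault(a["client"], []).append(a)
    return out


if __name__ == "__main__":
    for client, hits in group_by_client(build_alerts(PROXY_LOG, IOC_FEED)).items():
        print(client, [(h["time"], h["ioc_type"], h["ioc_value"], h["coa"]) for h in hits])
```

A 404 on a known-bad domain (the last log line) is still an alert: the host tried to reach the infrastructure, and the COA on the IOC tells the responder what to do first.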
50. Threat Report - Example 2
http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/
51. Threat Report - Example 2
C2 via blogs
Hard coded tags
http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/
65. Detecting an attack - Visibility & Patterns
Known Good
Alerts
Investigation
Lessons learned
http://www.scmagazine.com/five-tips-to-detect-contain-and-control-cyber-threats/article/467856/
68. Lockheed Martin Cyber Kill Chain
“The seven steps of the Lockheed Martin Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures.”
http://cyber.lockheedmartin.com/solutions/cyber-kill-chain
69. Cyber Kill Chain
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Action on Objectives
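The seven phases are most useful when you lay a host's alerts along them: how far did this intrusion get, and which phases have no evidence at all (a missed detection or a visibility gap). The following is an added example, not code from the talk or from Lockheed Martin. The detection sources, signature names, hosts and times are constructed, and the signature-to-phase mapping is an assumption you would replace with your own.

```python
"""Correlate a host's alerts along the Cyber Kill Chain and triage hosts by depth.

Added example, not from the talk. Alerts and the signature-to-phase mapping
are constructed assumptions.
"""
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Action on Objectives",
]
PHASE_NO = {name: i + 1 for i, name in enumerate(KILL_CHAIN)}

# Which phase each detection source/signature is evidence for (assumed mapping).
PHASE_OF = {
    "email-gateway:macro-attachment-delivered": "Delivery",
    "edr:office-spawned-shell": "Exploitation",
    "edr:new-run-key": "Installation",
    "proxy:ioc-domain-hit": "Command & Control",
    "dlp:bulk-upload-to-external-host": "Action on Objectives",
}

# Constructed alerts for three hosts (not a real incident).
ALERTS = [
    {"time": "2016-11-04T13:01:50Z", "host": "WS-0412", "sig": "email-gateway:macro-attachment-delivered"},
    {"time": "2016-11-04T13:02:11Z", "host": "WS-0412", "sig": "edr:office-spawned-shell"},
    {"time": "2016-11-04T13:02:40Z", "host": "WS-0412", "sig": "edr:new-run-key"},
    {"time": "2016-11-04T13:06:02Z", "host": "WS-0412", "sig": "proxy:ioc-domain-hit"},
    {"time": "2016-11-04T13:07:00Z", "host": "WS-0977", "sig": "email-gateway:macro-attachment-delivered"},
    {"time": "2016-11-04T14:20:00Z", "host": "WS-0203", "sig": "proxy:ioc-domain-hit"},
    {"time": "2016-11-04T14:25:00Z", "host": "WS-0203", "sig": "dlp:bulk-upload-to-external-host"},
]


def chain_for(host, alerts=ALERTS):
    """Time-ordered (phase number, phase, time, signature) rows for one host."""
    rows = []
    for a in alerts:
        if a["host"] != host or a["sig"] not in PHASE_OF:
            continue  # unmapped signatures give no kill-chain evidence
        phase = PHASE_OF[a["sig"]]
        rows.append((PHASE_NO[phase], phase, a["time"], a["sig"]))
    return sorted(rows, key=lambda r: r[2])


def deepest_phase(host, alerts=ALERTS):
    """Highest phase number with evidence for this host (0 if none)."""
    return max((r[0] for r in chain_for(host, alerts)), default=0)


def missing_phases(host, alerts=ALERTS):
    """Phases from Delivery up to the deepest one seen that have no alert.

    Reconnaissance and Weaponization happen on the adversary's side, so their
    absence is expected and is not reported as a gap.
    """
    seen = {r[0] for r in chain_for(host, alerts)}
    deepest = max(seen, default=0)
    return [KILL_CHAIN[n - 1] for n in range(PHASE_NO["Delivery"], deepest + 1) if n not in seen]


def triage(alerts=ALERTS):
    """Hosts ordered by how far down the chain the intrusion got, then by evidence."""
    scored = []
    for h in sorted({a["host"] for a in alerts}):
        chain = chain_for(h, alerts)
        scored.append({
            "host": h,
            "deepest": deepest_phase(h, alerts),
            "phases_seen": len({r[0] for r in chain}),
            "missing": missing_phases(h, alerts),
        })
    return sorted(scored, key=lambda s: (-s["deepest"], -s["phases_seen"], s["host"]))


if __name__ == "__main__":
    for row in triage():
        print(row["host"], KILL_CHAIN[row["deepest"] - 1], "missing:", row["missing"])
```

In the constructed data WS-0203 reaches Action on Objectives with nothing seen at Delivery, Exploitation or Installation: that host goes to the top of the queue, and the empty earlier phases are the visibility problem to fix next.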
81. Malicious Attachments
Send various types of malicious attachments via
multiple sources
How many emails does it take to block a sender?
What types of attachments generate alerts?
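One way to run this test systematically, as an added example that is not from the talk: build the same set of attachment variants for several sender addresses, number each sender's messages so gateway verdicts can be tied back to them, and tally how many got through before a sender was blocked and which variants raised an alert. The payload is the EICAR test string, so the corpus is harmless; the sender and recipient addresses, the variant list and the verdict format are assumptions. The block only builds the messages in memory; relaying them through the mail gateway is up to your own tooling.

```python
"""Build a malicious-attachment test corpus and tally gateway verdicts.

Added example, not from the talk. Senders, recipient, variants and the
verdict format are assumptions; the payload is the EICAR test string.
"""
import io
import zipfile
from email.message import EmailMessage

# EICAR test string: every AV/mail gateway should flag it, and it does nothing if run.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

SENDERS = ["red1@example.com", "red2@example.org", "red3@example.net"]  # assumed
RECIPIENT = "blue-team-mailbox@corp.example"                              # assumed


def _zip(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, data)
    return buf.getvalue()


def variants():
    """(label, filename, maintype, subtype, bytes) for each attachment type under test."""
    return [
        ("plain-exe", "eicar.com", "application", "octet-stream", EICAR),
        ("text", "eicar.txt", "text", "plain", EICAR),
        ("zipped", "eicar.zip", "application", "zip", _zip("eicar.com", EICAR)),
        ("double-zipped", "eicar2.zip", "application", "zip",
         _zip("inner.zip", _zip("eicar.com", EICAR))),
        ("double-extension", "invoice.pdf.exe", "application", "x-msdownload", EICAR),
    ]


def build_message(sender, seq, label, filename, maintype, subtype, data):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = RECIPIENT
    msg["Subject"] = f"[attachment-test] {label} #{seq}"
    msg["X-RedTeam-Variant"] = label  # lets the blue team map verdicts back to a variant
    msg.set_content(f"Red team attachment test {label}, message {seq} from {sender}.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg


def build_corpus(senders=SENDERS):
    """Every sender gets every variant, numbered in send order."""
    corpus = []
    for sender in senders:
        for seq, (label, filename, maintype, subtype, data) in enumerate(variants(), start=1):
            corpus.append({"sender": sender, "seq": seq, "variant": label,
                           "msg": build_message(sender, seq, label, filename, maintype, subtype, data)})
    return corpus


def attachment_of(msg):
    """(filename, raw bytes) of the single attachment on a corpus message."""
    atts = list(msg.iter_attachments())
    assert len(atts) == 1
    return atts[0].get_filename(), atts[0].get_payload(decode=True)


def unzip_once(data, name):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


def summarize(verdicts):
    """verdicts: (sender, seq, variant, outcome) with outcome in
    {"delivered", "alerted", "blocked"} (assumed format, filled in from gateway logs).

    Returns (messages each sender got accepted before its first 'blocked',
    set of variants that produced an alert).
    """
    through = {v[0]: 0 for v in verdicts}
    alerted, blocked = set(), set()
    for sender, seq, variant, outcome in sorted(verdicts, key=lambda v: (v[0], v[1])):
        if outcome == "alerted":
            alerted.add(variant)
        if sender in blocked:
            continue
        if outcome == "blocked":
            blocked.add(sender)
        else:
            through[sender] += 1  # delivered or alerted-but-accepted
    return through, alerted


if __name__ == "__main__":
    for item in build_corpus():
        print(item["sender"], item["seq"], item["variant"], len(item["msg"].as_bytes()), "bytes")
```

The two answers the slide asks for fall out of `summarize`: the per-sender count is "how many emails until a block", and the alerted set is "which attachment types generate alerts". Variants that are neither alerted nor blocked are the gaps to take to the blue team.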