#CLUS
From a reactive approach to a proactive approach: learning to hunt the enemy!
(original title: "Del enfoque reactivo al enfoque proactivo, aprendiendo a cazar al enemigo!")
Miguel Garro CISM, CEH, SFCP
Cybersecurity Consulting Systems Engineer
Perú, Ecuador, Bolivia.
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public. Session BRKSEC-2109.
Agenda
• Severity & Frequency of Cyber Threats
• Building a Threat Hunting Program
• Threat Response Platform
• Architecture & Components
• Use cases

Severity & Frequency of Cyber Threats
Threat Hunting Goals
Many solutions claim to block 99% of threats. But what about the 1% of threats they're missing?
What to consider: Visibility, Proactivity, Response
“[Threat hunting is] the process of proactively and iteratively searching … to detect and isolate advanced threats that evade existing security solutions.”
- Sqrrl Data, Inc., “A Framework for Threat Hunting”, 2016
Threat Hunt Maturity

Threat Hunt Life Cycle
Determining what to hunt for and how often
1. Choose your favorite attack model
2. Identify the most concerning activities
3. Build your threat hunting calendar
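The three steps above, carried through as an added example (this is not code from the presentation or from Cisco). The attack model is the kill chain the deck uses in its case study; the hypotheses, likelihood/impact scores, cadence thresholds and team capacity are constructed sample input. The scheduler is capacity-limited, so it also shows the failure mode a calendar built by hand tends to hide: without an aging bonus, low-concern hunts starve behind the weekly favourites and never run.

```python
"""Hunt calendar example (added; not from the Cisco Live deck).

Step 1: the attack model is the kill chain used later in the deck.
Step 2: each hypothesis is scored by likelihood x impact.
Step 3: the score sets the cadence and a capacity-limited scheduler
turns the backlog into a week-by-week calendar.  All hunts, scores and
thresholds below are constructed sample input, not Cisco guidance.
"""
from dataclasses import dataclass
from datetime import date, timedelta

KILL_CHAIN = ["Recon", "Weaponization", "Delivery", "Exploitation",
              "Installation", "C&C", "Action"]


@dataclass(frozen=True)
class Hunt:
    name: str
    phase: str       # kill-chain phase the hypothesis covers
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int      # 1 (nuisance) .. 5 (business-stopping)

    @property
    def concern(self) -> int:
        return self.likelihood * self.impact


def cadence_days(concern: int) -> int:
    """Map a concern score to how often the hunt is repeated
    (the thresholds are an assumption made for this example)."""
    if concern >= 16:
        return 7
    if concern >= 9:
        return 14
    return 30


def build_calendar(hunts, start, weeks, capacity, aging_bonus=4):
    """Return {week_start: [hunt names]} for `weeks` weeks from `start`.

    Every hunt is due in week 1 and again cadence_days after it last ran.
    When more hunts are due than the team can run, the highest concern
    goes first and the rest slip to the following week.  Slipped hunts
    gain aging_bonus per week overdue so a low-concern hunt cannot be
    starved forever by the weekly favourites."""
    unknown = [h.name for h in hunts if h.phase not in KILL_CHAIN]
    if unknown:
        raise ValueError(f"hunts outside the attack model: {unknown}")
    by_name = {h.name: h for h in hunts}
    next_due = {h.name: start for h in hunts}
    calendar = {}
    for w in range(weeks):
        week_start = start + timedelta(weeks=w)
        week_end = week_start + timedelta(days=7)

        def priority(name):
            overdue_weeks = max(0, (week_start - next_due[name]).days // 7)
            h = by_name[name]
            # sort key: effective concern (desc), then kill-chain order, then name
            return (-(h.concern + aging_bonus * overdue_weeks),
                    KILL_CHAIN.index(h.phase), name)

        due = sorted((n for n, d in next_due.items() if d < week_end), key=priority)
        scheduled = due[:capacity]
        for n in scheduled:
            next_due[n] = week_start + timedelta(days=cadence_days(by_name[n].concern))
        calendar[week_start] = scheduled
    return calendar


# Constructed backlog for a small team; names and scores are illustrative.
SAMPLE_HUNTS = [
    Hunt("DGA-like DNS queries", "C&C", 5, 4),
    Hunt("Macro-enabled attachments executed", "Delivery", 4, 4),
    Hunt("New services on servers", "Installation", 3, 4),
    Hunt("Large outbound transfers", "Action", 2, 5),
    Hunt("External scans of exposed services", "Recon", 5, 1),
]


def sample_calendar():
    """Four weeks from Monday 2018-06-11 with capacity for three hunts a week."""
    return build_calendar(SAMPLE_HUNTS, date(2018, 6, 11), weeks=4, capacity=3)


if __name__ == "__main__":
    for week, names in sample_calendar().items():
        print(week.isoformat(), "->", ", ".join(names))
```

With capacity 3 and two hunts on a 7-day cadence, the 30-day "External scans" hunt would never be picked on concern alone; the aging bonus gets it scheduled in week 3 instead.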
Threat Hunting: Case Study
Creating a Hypothesis
You have found activity in reports from your SIEM showing FCAJMVXRD.COM as a location accessed by hosts on your network.
You need to understand:
• What is this domain?
• What is the risk to your environment?
• What other sites may be related to this domain?
Investigate
Investigate with raw data & intelligence
WHOIS databases store the registered users or assignees of an Internet resource, such as a domain name, IP address block, or autonomous system.
Uncover TTPs (Tactics, Techniques & Procedures)
Threat Grid integration provides a deep understanding of all malware samples that are associated with this domain and how the malware was identified as malicious.
Determining the activity that identifies this domain as malicious. Each of these items is a ranking mechanism used by Umbrella Investigate and the Talos team to classify the domain as a bad actor.
Enrich & Harden
Threat hunt findings mapped against the kill chain: Recon, Weaponization, Delivery, Exploitation, Installation, C&C, Action.
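The case study above tests its hypothesis with Umbrella Investigate, WHOIS and Threat Grid. The following is an added offline example of the same hunt (it is not code from the presentation or any Cisco product): given resolver logs, it flags domains whose registrable label looks machine-generated, lists which hosts resolved them and when, and pivots on shared answer IPs to surface related domains, which are the three questions the hypothesis slide asks. The log lines, hostnames and IP addresses (documentation ranges) are constructed for the example.

```python
"""Offline DGA hunt (added example, not from the deck).

Hypothesis: hosts on the network are resolving a machine-generated
(DGA-looking) domain such as FCAJMVXRD.COM.  Everything below is
constructed sample data; real telemetry would come from the SIEM.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log.  The last line is deliberately malformed.
SAMPLE_DNS_LOG = """\
2018-06-11T09:58:02Z host=ws-0142 query=www.cisco.com answer=198.51.100.10
2018-06-11T10:02:13Z host=ws-0142 query=fcajmvxrd.com answer=203.0.113.45
2018-06-11T10:02:41Z host=ws-0142 query=updates.example.org answer=198.51.100.22
2018-06-11T11:17:55Z host=ws-0377 query=fcajmvxrd.com answer=203.0.113.45
2018-06-11T11:18:03Z host=ws-0377 query=qzlwpkhvt.net answer=203.0.113.45
2018-06-11T12:40:19Z host=srv-mail-01 query=mail.example.org answer=192.0.2.25
2018-06-12T08:05:44Z host=ws-0142 query=fcajmvxrd.com answer=203.0.113.46
2018-06-12T08:06:10Z host=ws-0901 query=pay-portal.example.org answer=203.0.113.45
this line is garbage and must not crash the hunt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)$")


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["qname"] = e["qname"].lower().rstrip(".")
            events.append(e)
    return events


def core_label(domain):
    """Label left of the TLD.  Assumes single-label TLDs; a public-suffix
    list is needed to handle names like example.co.uk correctly."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def vowel_ratio(s):
    return sum(ch in "aeiou" for ch in s) / len(s) if s else 0.0


def looks_like_dga(domain, min_len=8, min_entropy=3.0, max_vowels=0.2):
    """Cheap heuristic: long, high-entropy, nearly vowel-free label.
    It will also flag some CDN/cloud hostnames, so treat hits as leads."""
    label = core_label(domain)
    return (len(label) >= min_len and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowels)


def hunt(log_text):
    """Return {domain: {hosts, first_seen, last_seen, resolved_to,
    related_domains}} for every domain the heuristic flags.  Related
    domains are those that resolved to any IP the flagged domain used."""
    by_domain = defaultdict(list)
    by_answer = defaultdict(set)
    for e in parse(log_text):
        by_domain[e["qname"]].append(e)
        by_answer[e["answer"]].add(e["qname"])
    findings = {}
    for domain, evs in by_domain.items():
        if not looks_like_dga(domain):
            continue
        stamps = sorted(e["ts"] for e in evs)   # ISO-8601 sorts lexically
        related = set()
        for e in evs:
            related |= by_answer[e["answer"]]
        related.discard(domain)
        findings[domain] = {
            "hosts": sorted({e["host"] for e in evs}),
            "first_seen": stamps[0],
            "last_seen": stamps[-1],
            "resolved_to": sorted({e["answer"] for e in evs}),
            "related_domains": sorted(related),
        }
    return findings


if __name__ == "__main__":
    for domain, info in hunt(SAMPLE_DNS_LOG).items():
        print(domain, info)
```

The pivot is deliberately naive: sharing an IP with a bad domain is a lead, not a verdict (shared hosting and CDNs co-locate thousands of unrelated names), which is exactly why the deck hands the candidate list to Investigate and Threat Grid for dispositions before anything is blocked.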
Threat Response Platform: Architecture & Components
The Incident Responder (persona)
Goals: “How did it happen and what more do I need to know?”
Age: 32 · Work: SOC / data center desk · Security investigator experience: 10 years
Biography: Security events requiring deeper investigation come to me. I focus on finding the proper security data and determining what happened: why, when, and then come up with recommendations for future prevention.
Challenges
Incident Responder
The responder sits between Internal Monitoring and Threat Intelligence and has to answer two questions: “What happened?” (method) and “How do I fix it?” (repair).

Identification Phases – “I see a potential threat”
Threat Intelligence inputs: open source feeds, curated feeds, aggregation from vendors (AlienVault, ThreatQ, Recorded Future, *CERT, bulletins, etc.).

Identification Phases – “Did it affect us?”
Internal Monitoring inputs checked against that intelligence: server logs, flow data, firewall events, proxy logs, WAF logs, IDS logs.

Identification Phases – “Let's block it, or triage it.”
Policy and Enforcement: how many changes need to happen in this phase? How will those changes work together?
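The “Did it affect us?” phase above, as an added example (not from the deck and not a Cisco integration): a small intelligence feed is normalised and swept across three differently formatted internal log sources, producing one sighting per match and an impact summary per target. The feed entries, log lines, hostnames, hashes and IP addresses (documentation ranges) are all constructed; the only real-world rule encoded is that a domain indicator also covers its subdomains.

```python
"""Intelligence-driven IOC sweep (added example, not from the deck).

Answers "did it affect us?" by matching feed indicators against
firewall, proxy and endpoint-protection logs.  All data is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed feed: (indicator type, value, source).  Case varies on purpose.
INTEL_FEED = [
    ("domain", "FCAJMVXRD.COM", "curated feed"),
    ("ip", "203.0.113.45", "open-source feed"),
    ("sha256", "4A7D1ED414474E4033AC29CCB8653D9B2C0F1B3E5A6D7C8B9A0F1E2D3C4B5A69",
     "vendor bulletin"),
]

# Constructed internal logs in three formats.
FIREWALL_LOG = [
    "2018-06-11T10:02:14Z fw01 src=10.1.4.22 dst=203.0.113.45 dport=443 action=allow",
    "2018-06-11T10:05:00Z fw01 src=10.1.4.22 dst=198.51.100.10 dport=443 action=allow",
    "2018-06-11T11:18:04Z fw01 src=10.1.7.91 dst=203.0.113.45 dport=8080 action=deny",
]
PROXY_LOG = [
    "2018-06-11T10:02:15Z proxy01 client=10.1.4.22 url=http://cdn.fcajmvxrd.com/gate.php status=200",
    "2018-06-11T10:30:02Z proxy01 client=10.1.9.14 url=https://www.cisco.com/ status=200",
]
EPP_LOG = [
    r"2018-06-11T10:02:20Z amp host=ws-0142 sha256=4a7d1ed414474e4033ac29ccb8653d9b2c0f1b3e5a6d7c8b9a0f1e2d3c4b5a69 path=C:\Users\jdoe\AppData\Local\Temp\update.exe",
    r"2018-06-11T12:00:00Z amp host=ws-0901 sha256=b1a2c3d4e5f60718293a4b5c6d7e8f90b1a2c3d4e5f60718293a4b5c6d7e8f90 path=C:\Windows\System32\notepad.exe",
]

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+ action=(?P<action>\w+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) \S+ client=(?P<client>\S+) url=(?P<url>\S+) status=\d+$")
EPP_RE = re.compile(r"^(?P<ts>\S+) \S+ host=(?P<host>\S+) sha256=(?P<sha>[0-9A-Fa-f]{64}) path=(?P<path>.+)$")


def normalize(kind, value):
    """Canonical form so feed and log values compare equal."""
    value = value.strip().lower()
    return value.rstrip(".") if kind == "domain" else value


def observations():
    """Yield (ts, kind, observed value, target, log source, note) from every log.
    The target is whatever identifies the internal asset in that log."""
    for line in FIREWALL_LOG:
        m = FW_RE.match(line)
        if m:
            yield m["ts"], "ip", m["dst"], m["src"], "firewall", "action=" + m["action"]
    for line in PROXY_LOG:
        m = PROXY_RE.match(line)
        if m:
            yield m["ts"], "domain", urlsplit(m["url"]).hostname or "", m["client"], "proxy", m["url"]
    for line in EPP_LOG:
        m = EPP_RE.match(line)
        if m:
            yield m["ts"], "sha256", m["sha"], m["host"], "epp", m["path"]


def matches(kind, observed, indicator):
    if kind == "domain":  # an indicator for a zone also covers its subdomains
        return observed == indicator or observed.endswith("." + indicator)
    return observed == indicator


def sweep(feed):
    """Return sightings (chronological) for every observation hitting the feed."""
    index = defaultdict(list)
    for kind, value, source in feed:
        index[kind].append((normalize(kind, value), source))
    sightings = []
    for ts, kind, observed, target, log, note in observations():
        observed = normalize(kind, observed)
        for indicator, source in index[kind]:
            if matches(kind, observed, indicator):
                sightings.append({"ts": ts, "type": kind, "indicator": indicator,
                                  "observed": observed, "target": target,
                                  "log": log, "note": note, "source": source})
    return sorted(sightings, key=lambda s: s["ts"])


def impact(sightings):
    """{target: [type:indicator, ...]} - the "did it affect us?" answer."""
    by_target = defaultdict(set)
    for s in sightings:
        by_target[s["target"]].add(f"{s['type']}:{s['indicator']}")
    return {t: sorted(v) for t, v in sorted(by_target.items())}


if __name__ == "__main__":
    for s in sweep(INTEL_FEED):
        print(s)
    print(impact(sweep(INTEL_FEED)))
```

A firewall event with `action=deny` is still a sighting: the block stopped that one connection, but the host that tried to reach known bad infrastructure is a target that needs triage, which is why the note is carried along rather than filtered out.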
Threat Response Platform: the IR team works against one platform instead of against every product console.
• Security products: EPP, NGIPS, DNS Security, etc.
• Enrichment: file analysis, domain reputation, IP reputation, etc.
• Telemetry: EPP logs, NGIPS logs, DNS logs, etc.
Threat Response Platform: Integrating security for faster defense
• Cisco Threat Response: Detect, Investigate, Remediate, Deploy Policy
• Best-of-breed portfolio: Endpoint, Network, Cloud
• Leading threat intelligence
• Open APIs · Developer Environment · Services
• 3rd parties: 280+ security technology partners
Threat Response Platform
Module-driven integration platform to orchestrate threat research and response.
Intuitive relationship graphs built from event telemetry from multiple 3rd party modules.
Advanced Malware Protection
Cloud-managed endpoint security combining prevention, detection, and response in a single agent.
Deep endpoint visibility to aid investigations.
Robust remediation capabilities.
Next Generation Sandboxing
Global malware threat intelligence platform (a “Wikipedia of malware”).
Automated sample analysis platform and 3rd party integrations.
API driven, streamlined user interface.
DNS Security
Cloud-delivered DNS security with millions of classified domains.
Adversary infrastructure and relationship maps between domains, IPs, and ASNs.
Custom domain blocking/whitelisting.
Threat Response Platform
• Needs to be an integrated architecture.
• Brings together threat intelligence and localized security context.
• Reduces complexity by
  • enriching observables automatically across multiple sources
  • collating results into an intuitive format in one location
• Helps identify malicious observables and speeds up incident response.
• Helps incident responders understand threats on their network by gathering and combining threat intelligence available from 3rd parties.
Threat Response: Concept
You can investigate and mitigate from the Threat Response Platform.
Core Threat Response Terminology and Concepts
• Modules
• Observables
• Investigate UI
• Judgments
• Verdicts
• Sightings
• Indicators
• Targets
• Snapshots
• Casebooks
Modules
Cisco Threat Response uses integration modules to integrate with Cisco security products and 3rd party tools. Integration modules can provide enrichment and response capabilities.
Observables
Cisco Threat Response supports the quick investigation of cyber Observables, which might be domain names, IP addresses, file hashes, PKI certificate serial numbers, and even specific devices or users.
The first thing that Cisco Threat Response does with an observable is determine its disposition, by aggregating what is known about that observable from the various enrichment modules configured.
The disposition tells the Incident Responder whether the observable is:
• Clean (explicitly whitelisted)
• Malicious (explicitly blacklisted)
• Suspicious (potentially harmful)
• Unknown (not currently associated with a known disposition)
Unknown observables are not enriched.
Investigate UI
The UI is designed to allow an incident responder to copy and paste the contents of an email, a log message, or an incident ticket into its main search form. Cisco Threat Response will then extract all of the Observables from the supplied text.
Once the investigation is begun, either via that search form or via a pivot into Cisco Threat Response from another product, the UI shows the results of that investigation.
Judgments
A Judgment associates a disposition with a cyber observable at a point in time, and is valid for an explicit span of time.
Judgments can optionally be related to Indicators, providing further insight as to why a specific disposition was associated with that observable.
Judgments are given by configured data source modules, and are shown associated with those data sources, along with more information including the reason.
Verdicts
A Verdict indicates the most recent and most relevant disposition for a given cyber observable, as well as the Judgment from which the verdict was derived.
Cisco Threat Response considers a clean verdict to be more reliable than a malicious verdict. The order of precedence for verdicts is as follows:
• Clean
• Malicious
• Suspicious
• Common
• Unknown
When an observable has multiple dispositions, Cisco Threat Response shows the one that appears first in the above list.
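The Observables, Investigate UI, Judgments and Verdicts concepts above, as one added example (this is not Cisco Threat Response code; the module names, the ticket text, the judgments and their validity windows are constructed for illustration). It extracts observables from pasted text, including defanged `[.]` notation, then resolves each one to a verdict using the deck's precedence order, with the most recent judgment winning among equals and expired judgments ignored. Because Clean outranks Malicious in that order, an explicit whitelist judgment silences every malicious judgment for the same observable, which is worth remembering when someone asks for "just one allowlist entry".

```python
"""Observable extraction and verdict resolution (added example; not
Cisco Threat Response code).  Module names, sample ticket and judgments
are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Longer hashes first; \b keeps an md5 pattern from matching inside a sha256.
OBSERVABLE_PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("sha1", re.compile(r"\b[0-9a-fA-F]{40}\b")),
    ("md5", re.compile(r"\b[0-9a-fA-F]{32}\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")),
]
# Heuristic: tokens like update.exe look like domains to the regex above.
NOT_DOMAINS = {"exe", "dll", "doc", "docx", "php", "txt", "log", "py", "js", "pdf", "xls", "zip"}


def refang(text):
    """Undo the usual defanging so hxxp://evil[.]com yields evil.com."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")


def extract_observables(text):
    """Return {type: set(values)}; values are lower-cased."""
    text = refang(text)
    found = {}
    for kind, pattern in OBSERVABLE_PATTERNS:
        values = {m.group(0).lower() for m in pattern.finditer(text)}
        if kind == "domain":
            values = {v for v in values if v.rsplit(".", 1)[-1] not in NOT_DOMAINS}
        if values:
            found[kind] = values
    return found


# Precedence from the deck: Clean is considered more reliable than Malicious.
DISPOSITION_PRECEDENCE = ["clean", "malicious", "suspicious", "common", "unknown"]


@dataclass(frozen=True)
class Judgment:
    observable: str
    disposition: str
    source: str      # module that issued it (constructed names below)
    reason: str
    start: datetime  # validity window
    end: datetime


def verdict(observable, judgments, now):
    """(disposition, Judgment) for the observable at time `now`:
    highest-precedence disposition wins, newest judgment breaks ties,
    judgments outside their validity window are ignored."""
    valid = [j for j in judgments
             if j.observable == observable.lower() and j.start <= now <= j.end]
    if not valid:
        return "unknown", None
    best = min(valid, key=lambda j: (DISPOSITION_PRECEDENCE.index(j.disposition),
                                     -j.start.timestamp()))
    return best.disposition, best


def investigate(text, judgments, now):
    """Paste-and-go: every observable in the text mapped to its verdict."""
    result = {}
    for values in extract_observables(text).values():
        for v in values:
            result[v] = verdict(v, judgments, now)[0]
    return dict(sorted(result.items()))


def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


SAMPLE_NOW = datetime(2018, 6, 11, 12, tzinfo=timezone.utc)
SAMPLE_TICKET = r"""Ticket #4821: user jdoe reported a phishing mail.
Attachment invoice.doc (md5 0a1b2c3d4e5f60718293a4b5c6d7e8f9) dropped C:\Temp\update.exe,
which beaconed to hxxp://fcajmvxrd[.]com/gate.php (203.0.113.45).
Proxy also saw www.cisco.com and 8.8.8.8 for DNS."""
SAMPLE_JUDGMENTS = [
    Judgment("fcajmvxrd.com", "malicious", "dns_module", "DGA pattern, C&C category", _d(2018, 6, 1), _d(2018, 12, 31)),
    Judgment("fcajmvxrd.com", "suspicious", "sandbox_module", "sample beaconed here", _d(2018, 5, 20), _d(2018, 12, 31)),
    Judgment("www.cisco.com", "clean", "reputation_module", "popular, long-lived domain", _d(2018, 1, 1), _d(2018, 12, 31)),
    Judgment("8.8.8.8", "suspicious", "reputation_module", "resolver seen in many incidents", _d(2018, 1, 1), _d(2018, 12, 31)),
    Judgment("8.8.8.8", "clean", "allowlist_module", "explicitly allowed resolver", _d(2018, 1, 1), _d(2018, 12, 31)),
    Judgment("203.0.113.45", "malicious", "reputation_module", "listed on blocklist", _d(2018, 1, 1), _d(2018, 5, 1)),  # expired
    Judgment("0a1b2c3d4e5f60718293a4b5c6d7e8f9", "malicious", "file_analysis_module", "detonation: downloader", _d(2018, 6, 10), _d(2018, 12, 31)),
]


def sample_investigation():
    return investigate(SAMPLE_TICKET, SAMPLE_JUDGMENTS, SAMPLE_NOW)


if __name__ == "__main__":
    for observable, disposition in sample_investigation().items():
        print(f"{disposition:10} {observable}")
```

Note what the sample shows: `203.0.113.45` comes back `unknown` although a malicious judgment exists, because that judgment expired in May; and `8.8.8.8` comes back `clean` although one module calls it suspicious, because the allowlist judgment outranks it.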
Sightings
A Sighting is a record of the appearance of a cyber observable at a given date and time.
Sightings can optionally be related to Indicators, providing threat intelligence context about the observable.
Indicators
An Indicator describes a pattern of behavior or a set of conditions which indicate malicious behavior.
Some indicators are more indicative of malicious behavior than others, so knowing exactly which bad behaviors an observable is exhibiting can help an incident responder decide what to do next.
Cisco Threat Response uses a large collection of malware indicators from the AMP Global Intelligence threat archive, Threat Grid, and other sources.
Targets
A Target represents the device, identity, or resource that a threat has targeted.
A Target is identified by one or more Observables. When known, a type, operating system, and other metadata are recorded as well.
Targets are always part of a local Sighting.
Snapshots
A snapshot saves the current investigation and graph for subsequent retrieval and analysis. A unique identifier is created upon snapshot creation.
Users can provide a name for the snapshot as well as a description.
Snapshots can be shared among users in the same organization, to communicate the state of an investigation at a point in time.
Casebooks
Built with APIs hosted in, and data stored in, Cisco Threat Response.
Available via:
• Cisco Threat Response Investigate UI
• Other integrated Cisco products and tools
• Any web page at all via browser plugin, including
  • other Cisco products, integrated or not
  • existing external threat intel sources
  • existing 3rd party tools
Allow you to:
• gather observables in groups (aka cases)
• assign the case a name and a description
• take and save notes on the case
• add other observables at any time
• immediately see verdicts and take actions
• seamlessly work a case across multiple tools
  • even from different vendors
• share cases between staff

How to use
My team can
• answer questions faster about observables.
• block and unblock domains from Cisco Threat Response.
• block and unblock file executions from Cisco Threat Response.
• hunt for an observable associated with a known actor and immediately see organizational impact.
• save a point-in-time snapshot of our investigations for further analysis.
• document our analysis in a cloud casebook from all integrated or web-accessible tools, via an API.
• integrate Cisco Threat Response easily into existing processes and custom tools.
Answer questions faster about observables.
• Unknown disposition.
• See how it affects the organization.
• Get details of the program executing.
Can block and unblock domains from Cisco Threat Response.
• Execute the block from Cisco Threat Response.
• The block is effected in Cisco Umbrella.
• API integration to block and unblock.
Can integrate Cisco Threat Response easily into existing processes and custom tools
Cisco Threat Response is designed to integrate with other security products through URLs that enable you to build powerful security workflows.
The examples below assume a Cisco Threat Response install located at https://visibility.amp.cisco.com
You can perform an Investigation by passing a search string to the q parameter that comes after the #/investigate part of the URL.
Multiple search items are allowed; separate them with whitespace (a space, or a newline as in the second example below, where it is encoded as %0A). Be sure to properly URL-encode this argument.
https://visibility.amp.cisco.com/#/investigate?q=domain.com
https://visibility.amp.cisco.com/#/investigate?q=google.com%0A8.8.8.8%0A6732417baa49b873d72747c0ef46f8d1
You can search for Indicators, Judgments, and Sightings on the Explore pages. As on the Investigate page, pass a search query to the q parameter to search these threat objects.
https://visibility.amp.cisco.com/#/explore/indicators?q=rat
https://visibility.amp.cisco.com/#/explore/judgements?q=rat%20ip
https://visibility.amp.cisco.com/#/explore/sightings?q=662472b8378274eda5cc848536cba2db1d27f8ad
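Building those pivot URLs from a script rather than by hand, as an added example (not Cisco's code; it only reproduces the URL shapes shown above, with the install location the deck's examples assume). The point it demonstrates is the encoding rule: the q value is percent-encoded with nothing left safe, so a newline separator becomes %0A, a space becomes %20, and an observable that is itself a URL cannot break the query.

```python
"""Pivot-URL builder for the Investigate and Explore pages (added example,
not Cisco code).  Mirrors the URL shapes shown in the deck."""
from urllib.parse import quote

CTR_BASE = "https://visibility.amp.cisco.com"  # install URL the deck's examples assume
EXPLORE_TYPES = {"indicators", "judgements", "sightings"}  # path segments as in the deck


def investigate_url(observables, base=CTR_BASE):
    """Investigate pivot for one or more observables.  Items are joined with
    a newline and percent-encoded with safe='' so the separator becomes %0A
    and characters such as '/', '?', '&' and '=' in an observable are
    escaped instead of being parsed as part of the URL."""
    cleaned = [o.strip() for o in observables if o and o.strip()]
    if not cleaned:
        raise ValueError("no observables to investigate")
    joined = "\n".join(cleaned)
    return f"{base}/#/investigate?q={quote(joined, safe='')}"


def explore_url(kind, query, base=CTR_BASE):
    """Explore search for indicators, judgements or sightings."""
    if kind not in EXPLORE_TYPES:
        raise ValueError(f"unknown explore type {kind!r}")
    if not query.strip():
        raise ValueError("empty query")
    return f"{base}/#/explore/{kind}?q={quote(query.strip(), safe='')}"


if __name__ == "__main__":
    print(investigate_url(["google.com", "8.8.8.8", "6732417baa49b873d72747c0ef46f8d1"]))
    print(explore_url("judgements", "rat ip"))
```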
See in action

Use cases
Threats
Phishing · DDoS · APT · Ransomware · Trojan · Botnet · Wiper attack · Data/IP theft · Monetary theft · Data manipulation/destruction · Spyware/malware · Man in the middle · Drive-by download · Malvertising · Unpatched software · Rogue software
Intelligence that works across the threat lifecycle
• Intelligence: Cisco IP/domain/URL and hash/artifact intelligence; learn adversary models; hunt threats (TTPs/tools); process telemetry; develop engines (ML).
• Enforcement: Network (NGFW/NGIPS, Secure SD-WAN, WSA/ESA); Cloud (Umbrella); Endpoint (AMP for Endpoints).
• Detection: Logs/syslog (AD, servers, firewall, proxy); host-to-host communications (Stealthwatch); app/workload usage (Cloudlock, Tetration); system behavior (AMP for Endpoints); SIEM (Cisco partner telemetry).
• Investigation: Incident response (Threat Response); global Internet analysis (Umbrella Investigate); global file analysis (Threat Grid).
• Remediation: Access policy and segmentation (ISE, DNA / TrustSec, Stealthwatch); revoke app (Cloudlock); quarantine file (AMP for Endpoints).
Examples of the customer value via integrations
• Event visibility, decreased time to detect: NetFlow with Encrypted Traffic Analytics from Cisco Secure SD-WAN and Cisco switches and access points, analyzed by Cisco Network Traffic Security Analytics.
• Threat intel/enforcement, increased prevention: hash, artifact, domain, IP and URL intelligence from Cisco Talos, enforced by Cisco Endpoint Protection, Cisco Secure Internet Gateway and Cisco NGFW/NGIPS.
• Automated policy, decreased time to remediate: quarantine via host IP and containment via SGT, driven over Cisco pxGrid between Cisco Identity and Network Access Control, Cisco NGFW/NGIPS and Cisco Network Traffic Security Analytics.
• Context awareness, decreased time to investigate: IOC behaviors and file trajectory from Cisco Web Security, Cisco Email Security and Cisco Advanced Threat.
Integration and automation is a top priority
Without integration, one incident becomes four separate plays (network, endpoint, cloud, SIEM), each producing its own sightings and events, investigated across Umbrella Investigate and the SIEM, and remediated across multiple tools (block IP/URL/domain/hash in one console, block hash in another, block domain in a third).
• Attack detection across multiple technologies from different vendors
• SIEM integration
• Manual correlation of threat intelligence with context information
• Coordination and collaboration among several responders
• Remediation through multiple, inconsistent consoles
Difficult, time-consuming, error-prone.
Cisco Security Integrated Architecture
Automated policy · Context awareness · Event visibility · Threat intel/enforcement
Components: Enterprise Mobility Management, Network Traffic Security Analytics, Cloud Workload Protection, Web Security, Email Security, Advanced Threat, Secure SD-WAN / Routers, Identity and Network Access Control, Secure Internet Gateway, Switches and Access Points, Next-Gen FW/IPS, Cloud Access Security.
Tied together by Cisco Threat Intelligence, Cisco Platform Exchange (pxGrid) and Cisco Threat Response.

Thank you
#CLUS

Reducción efectiva del riesgo de ciberseguridadReducción efectiva del riesgo de ciberseguridad
Reducción efectiva del riesgo de ciberseguridadCristian Garcia G.
 
Operación Segura : SOC y alineación del riesgo con el impacto para el negocio.
Operación Segura : SOC y alineación del riesgo con el impacto para el negocio. Operación Segura : SOC y alineación del riesgo con el impacto para el negocio.
Operación Segura : SOC y alineación del riesgo con el impacto para el negocio. Cristian Garcia G.
 
Ciberseguridad en el mundo de la IA
Ciberseguridad en el mundo de la IACiberseguridad en el mundo de la IA
Ciberseguridad en el mundo de la IACristian Garcia G.
 
Optimización en la detección de amenazas utilizando analítica (IA/UEBA)
Optimización en la detección de amenazas utilizando analítica (IA/UEBA)Optimización en la detección de amenazas utilizando analítica (IA/UEBA)
Optimización en la detección de amenazas utilizando analítica (IA/UEBA)Cristian Garcia G.
 
Protección de los datos en la era Post-Datacenter
Protección de los datos en la era Post-DatacenterProtección de los datos en la era Post-Datacenter
Protección de los datos en la era Post-DatacenterCristian Garcia G.
 
La Ciberseguridad como pilar fundamental del Desarrollo Tecnológico
La Ciberseguridad como pilar fundamental del Desarrollo TecnológicoLa Ciberseguridad como pilar fundamental del Desarrollo Tecnológico
La Ciberseguridad como pilar fundamental del Desarrollo TecnológicoCristian Garcia G.
 
Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...
Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...
Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...Cristian Garcia G.
 
Cómo la gestión de privilegios puede blindar su negocio contra ransomware y o...
Cómo la gestión de privilegios puede blindar su negocio contra ransomware y o...Cómo la gestión de privilegios puede blindar su negocio contra ransomware y o...
Cómo la gestión de privilegios puede blindar su negocio contra ransomware y o...Cristian Garcia G.
 
Un enfoque práctico para implementar confianza cero en el trabajo híbrido
Un enfoque práctico para implementar confianza cero en el trabajo híbridoUn enfoque práctico para implementar confianza cero en el trabajo híbrido
Un enfoque práctico para implementar confianza cero en el trabajo híbridoCristian Garcia G.
 
La crisis de identidad que se avecina
La crisis de identidad que se avecinaLa crisis de identidad que se avecina
La crisis de identidad que se avecinaCristian Garcia G.
 
Simplifica y Vencerás : La seguridad debe ser simple para garantizar el éxito
Simplifica y Vencerás : La seguridad debe ser simple para garantizar el éxitoSimplifica y Vencerás : La seguridad debe ser simple para garantizar el éxito
Simplifica y Vencerás : La seguridad debe ser simple para garantizar el éxitoCristian Garcia G.
 
Porqué enfocarnos en el DEX (Experiencia Digital del Empleado) - Cómo la tecn...
Porqué enfocarnos en el DEX (Experiencia Digital del Empleado) - Cómo la tecn...Porqué enfocarnos en el DEX (Experiencia Digital del Empleado) - Cómo la tecn...
Porqué enfocarnos en el DEX (Experiencia Digital del Empleado) - Cómo la tecn...Cristian Garcia G.
 
Stay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOC
Stay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOCStay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOC
Stay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOCCristian Garcia G.
 
La evolución de IBM Qradar Suite
La evolución de IBM Qradar SuiteLa evolución de IBM Qradar Suite
La evolución de IBM Qradar SuiteCristian Garcia G.
 
Ciberseguridad en GTD, SecureSoft en GTD
Ciberseguridad en GTD, SecureSoft en GTD Ciberseguridad en GTD, SecureSoft en GTD
Ciberseguridad en GTD, SecureSoft en GTD Cristian Garcia G.
 
Time is Money… and More.- Nuestras Capacidades Regionales de Detección y Resp...
Time is Money… and More.- Nuestras Capacidades Regionales de Detección y Resp...Time is Money… and More.- Nuestras Capacidades Regionales de Detección y Resp...
Time is Money… and More.- Nuestras Capacidades Regionales de Detección y Resp...Cristian Garcia G.
 

More from Cristian Garcia G. (20)

Making App Security and Delivery Ridiculously Easy
Making App Security and Delivery Ridiculously EasyMaking App Security and Delivery Ridiculously Easy
Making App Security and Delivery Ridiculously Easy
 
Ciberseguridad Alineada al Negocio
Ciberseguridad Alineada al NegocioCiberseguridad Alineada al Negocio
Ciberseguridad Alineada al Negocio
 
Reducción efectiva del riesgo de ciberseguridad
Reducción efectiva del riesgo de ciberseguridadReducción efectiva del riesgo de ciberseguridad
Reducción efectiva del riesgo de ciberseguridad
 
Operación Segura : SOC y alineación del riesgo con el impacto para el negocio.
Operación Segura : SOC y alineación del riesgo con el impacto para el negocio. Operación Segura : SOC y alineación del riesgo con el impacto para el negocio.
Operación Segura : SOC y alineación del riesgo con el impacto para el negocio.
 
Ciberseguridad en el mundo de la IA
Ciberseguridad en el mundo de la IACiberseguridad en el mundo de la IA
Ciberseguridad en el mundo de la IA
 
Symantec Enterprise Cloud
Symantec Enterprise CloudSymantec Enterprise Cloud
Symantec Enterprise Cloud
 
Optimización en la detección de amenazas utilizando analítica (IA/UEBA)
Optimización en la detección de amenazas utilizando analítica (IA/UEBA)Optimización en la detección de amenazas utilizando analítica (IA/UEBA)
Optimización en la detección de amenazas utilizando analítica (IA/UEBA)
 
Protección de los datos en la era Post-Datacenter
Protección de los datos en la era Post-DatacenterProtección de los datos en la era Post-Datacenter
Protección de los datos en la era Post-Datacenter
 
La Ciberseguridad como pilar fundamental del Desarrollo Tecnológico
La Ciberseguridad como pilar fundamental del Desarrollo TecnológicoLa Ciberseguridad como pilar fundamental del Desarrollo Tecnológico
La Ciberseguridad como pilar fundamental del Desarrollo Tecnológico
 
Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...
Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...
Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...
 
Gestión de la Exposición
Gestión de la ExposiciónGestión de la Exposición
Gestión de la Exposición
 
Cómo la gestión de privilegios puede blindar su negocio contra ransomware y o...
Cómo la gestión de privilegios puede blindar su negocio contra ransomware y o...Cómo la gestión de privilegios puede blindar su negocio contra ransomware y o...
Cómo la gestión de privilegios puede blindar su negocio contra ransomware y o...
 
Un enfoque práctico para implementar confianza cero en el trabajo híbrido
Un enfoque práctico para implementar confianza cero en el trabajo híbridoUn enfoque práctico para implementar confianza cero en el trabajo híbrido
Un enfoque práctico para implementar confianza cero en el trabajo híbrido
 
La crisis de identidad que se avecina
La crisis de identidad que se avecinaLa crisis de identidad que se avecina
La crisis de identidad que se avecina
 
Simplifica y Vencerás : La seguridad debe ser simple para garantizar el éxito
Simplifica y Vencerás : La seguridad debe ser simple para garantizar el éxitoSimplifica y Vencerás : La seguridad debe ser simple para garantizar el éxito
Simplifica y Vencerás : La seguridad debe ser simple para garantizar el éxito
 
Porqué enfocarnos en el DEX (Experiencia Digital del Empleado) - Cómo la tecn...
Porqué enfocarnos en el DEX (Experiencia Digital del Empleado) - Cómo la tecn...Porqué enfocarnos en el DEX (Experiencia Digital del Empleado) - Cómo la tecn...
Porqué enfocarnos en el DEX (Experiencia Digital del Empleado) - Cómo la tecn...
 
Stay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOC
Stay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOCStay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOC
Stay ahead of the Threats: Automate and Simplify SecOps to revolutionize the SOC
 
La evolución de IBM Qradar Suite
La evolución de IBM Qradar SuiteLa evolución de IBM Qradar Suite
La evolución de IBM Qradar Suite
 
Ciberseguridad en GTD, SecureSoft en GTD
Ciberseguridad en GTD, SecureSoft en GTD Ciberseguridad en GTD, SecureSoft en GTD
Ciberseguridad en GTD, SecureSoft en GTD
 
Time is Money… and More.- Nuestras Capacidades Regionales de Detección y Resp...
Time is Money… and More.- Nuestras Capacidades Regionales de Detección y Resp...Time is Money… and More.- Nuestras Capacidades Regionales de Detección y Resp...
Time is Money… and More.- Nuestras Capacidades Regionales de Detección y Resp...
 

Recently uploaded

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Recently uploaded (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 

Threat Hunting Presentation

  • 14. © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public #CLUS BRKSEC-2109. Creating a Hypothesis: you have found activity in reports from your SIEM showing FCAJMVXRD.COM as a location accessed by hosts on your network. You need to understand:
    • What this domain is
    • What the risk to your environment is
    • What other sites may be related to this domain
  • 15. Investigate.
  • 16. Investigate with raw data & intelligence: WHOIS databases store the registered users or assignees of an Internet resource, such as a domain name, IP address block, or autonomous system.
  • 17. Uncover TTPs (Tactics, Techniques & Procedures): Threat Grid integration provides a deep understanding of all malware samples associated with this domain and of how the malware was identified as malicious.
  • 18. Enrich & Harden: determining the activity that identifies this domain as malicious. Each of these items is a ranking mechanism used by Investigate and the Talos team to classify the domain as a bad actor.
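As an added worked example (written for this page, not part of the presentation and not Cisco's Investigate or Threat Grid tooling), the Python script below answers the three hypothesis questions from slide 14 using only the data a hunter already has: a DNS resolver log. It finds which internal hosts reached the suspect domain, which IPs it resolved to, which other domains share that infrastructure, and ranks the resulting leads by a DGA-likeness heuristic. The log format, the client addresses, the second domain kqzplwmtr.net, the answer IPs and the scoring heuristic are all constructed assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS resolver log (not from the presentation). Assumed format:
# <timestamp> <client-ip> query <domain> <rrtype> <answer-ip>
DNS_LOG = """\
2018-06-12T09:14:03Z 10.20.30.41 query fcajmvxrd.com A 198.51.100.23
2018-06-12T09:14:05Z 10.20.30.41 query www.example.org A 93.184.216.34
2018-06-12T09:20:41Z 10.20.30.77 query fcajmvxrd.com A 198.51.100.23
2018-06-12T10:02:17Z 10.20.30.77 query kqzplwmtr.net A 198.51.100.23
2018-06-12T10:05:55Z 10.20.30.12 query cdn.example.net A 203.0.113.9
2018-06-12T11:30:02Z 10.20.31.5 query kqzplwmtr.net A 198.51.100.23
"""


def parse_dns(log_text):
    """Yield (timestamp, client, domain, answer) tuples from the assumed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _, domain, _, answer = line.split()
        yield ts, client, domain.lower().rstrip("."), answer


def _entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dga_score(domain):
    """Heuristic lead-ranking score: high character entropy and few vowels in
    the second-level label are typical of algorithmically generated names.
    This only orders leads for the hunter; it is not a verdict."""
    labels = domain.lower().rstrip(".").split(".")
    label = (labels[-2] if len(labels) >= 2 else labels[0]).replace("-", "")
    if not label:
        return 0.0
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return _entropy(label) * (1 - vowel_ratio)


def pivot(seed_domain, log_text, max_domains_per_ip=10):
    """Answer the three hypothesis questions from the log: which hosts reached
    the seed domain, which IPs it resolved to, and which other domains resolve
    to the same IPs (shared infrastructure). An IP that serves more than
    `max_domains_per_ip` names is treated as shared hosting or a CDN and is
    not used for the pivot, because it would relate everything to everything."""
    seed = seed_domain.lower().rstrip(".")
    ips_of = defaultdict(set)      # domain -> answer IPs
    hosts_of = defaultdict(set)    # domain -> internal clients that queried it
    domains_on = defaultdict(set)  # answer IP -> domains resolving to it
    for _, client, domain, answer in parse_dns(log_text):
        ips_of[domain].add(answer)
        hosts_of[domain].add(client)
        domains_on[answer].add(domain)

    pivot_ips = {ip for ip in ips_of[seed] if len(domains_on[ip]) <= max_domains_per_ip}
    related = set()
    for ip in pivot_ips:
        related |= domains_on[ip] - {seed}
    affected = set(hosts_of[seed])
    for domain in related:
        affected |= hosts_of[domain]
    leads = sorted(related | {seed}, key=dga_score, reverse=True)
    return {
        "seed": seed,
        "resolved_ips": set(ips_of[seed]),
        "related_domains": related,
        "affected_hosts": affected,
        "ranked_leads": leads,
    }


if __name__ == "__main__":
    for key, value in pivot("FCAJMVXRD.COM", DNS_LOG).items():
        print(f"{key:16} {value}")
```

The shared-IP pivot is the same move an analyst makes with passive DNS or a WHOIS/ASN relationship map, and it has the same failure mode: on a CDN or shared hosting address every co-hosted name looks related, which is why the `max_domains_per_ip` guard exists. The entropy score is there to decide which lead to enrich first; the actual disposition still has to come from intelligence and sandbox evidence, as the following slides describe.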
  • 19. Threat Hunt along the kill chain phases: Recon, Weaponization, Delivery, Exploitation, Installation, C&C, Action.
  • 22. The Incident Responder: “How did it happen and what more do I need to know?” Title: Security Investigator. Age: 32. Experience: 10 years. Work: SOC, data center, desk. Biography: security events requiring deeper investigation come to me. I focus on finding the proper security data and determining what happened, why and when, and then come up with recommendations for future prevention. (Goals and Challenges rating chart, 0–9 scale, not recoverable from the transcript.)
  • 23. Incident Responder: Internal Monitoring and Threat Intelligence feed two questions, “What happened?” (method) and “How do I fix it?” (repair).
  • 24. Internal Monitoring, Threat Intelligence, Incident Responder.
  • 25. Identification phases – “I see a potential threat”: Threat Intelligence comes from open source feeds, curated feeds and aggregation from vendors (AlienVault, ThreatQ, Recorded Future, *CERT, bulletins, etc.).
  • 26. Identification phases – “Did it affect us?”: Internal Monitoring draws on server logs, flow data, firewall events, proxy logs, WAF logs and IDS logs.
  • 27. Identification phases – “Let's block it, or triage it”: the responder (“me”) turns to Policy and Enforcement.
  • 28. Identification phases – “Let's block it, or triage it”: how many changes need to happen in this phase? How will those changes work together?
  • 29. Threat Response Platform: the IR team, the products it works with (EPP, NGIPS, DNS Security, etc.), the enrichment they provide (file analysis, domain reputation, IP reputation, etc.) and the telemetry they produce (EPP logs, NGIPS logs, DNS logs, etc.).
  • 30. IR Team; file analysis, domain reputation, IP reputation, etc.; EPP logs, NGIPS logs, DNS logs, etc.; EPP, NGIPS, DNS Security, etc.
  • 31. Threat Response Platform, integrating security for faster defense: Open APIs · Developer Environment · Services. Best-of-breed portfolio: Endpoint, Network, Cloud. Leading threat intelligence. Cisco Threat Response: Detect, Investigate, Remediate, Deploy Policy. 3rd parties: 280+ security technology partners.
  • 32. Threat Response Platform: a module-driven integration platform to orchestrate threat research and response. Intuitive relationship graphs built from event telemetry from multiple 3rd-party modules.
  • 33. Advanced Malware Protection: cloud-managed endpoint security combining prevention, detection, and response in a single agent. Deep endpoint visibility to aid investigations. Robust remediation capabilities.
  • 34. Next Generation Sandboxing: a global malware threat intelligence platform (a “Wikipedia of malware”). Automated sample analysis platform and 3rd-party integrations. API-driven, streamlined user interface.
  • 35. DNS Security: cloud-delivered DNS security with millions of classified domains. Adversary infrastructure and relationship maps between domains, IPs, and ASNs. Custom domain blocking/whitelisting.
  • 36. Threat Response Platform:
    • Needs to be an integrated architecture.
    • Brings together threat intelligence and localized security context.
    • Reduces complexity by enriching observables automatically across multiple sources and collating the results into an intuitive format in one location.
    • Helps identify malicious observables and speeds up incident response.
    • Helps incident responders understand threats on their network by gathering and combining threat intelligence available from 3rd parties.
  • 37. You can investigate and mitigate from the Threat Response Platform.
  • 39. Core Threat Response terminology and concepts: Modules, Observables, Investigate UI, Judgments, Verdicts, Sightings, Indicators, Targets, Snapshots, Casebooks.
  • 40. Modules: Cisco Threat Response uses integration modules to integrate with Cisco security products and 3rd-party tools. Integration modules can provide enrichment and response capabilities.
  • 41. Observables: Cisco Threat Response supports the quick investigation of cyber observables, which might be domain names, IP addresses, file hashes, PKI certificate serial numbers, and even specific devices or users. The first thing Cisco Threat Response does with an observable is determine its disposition, by aggregating what is known about that observable from the various enrichment modules configured. The disposition tells the incident responder whether the observable is:
    • Clean (explicitly whitelisted)
    • Malicious (explicitly blacklisted)
    • Suspicious (potentially harmful)
    • Unknown (not currently associated with a known disposition)
    Unknown observables are not enriched.
  • 42. Investigate UI: designed to let an incident responder copy and paste the contents of an email, a log message, or an incident ticket into its main search form. Cisco Threat Response then extracts all of the observables from the supplied text. Once the investigation is begun, either via that form or via a pivot into Cisco Threat Response from another product, the UI shows the results of the investigation.
  • 43. Judgments: a judgment associates a disposition with a cyber observable at a point in time, and is valid for an explicit span of time. Judgments can optionally be related to indicators, providing further insight as to why a specific disposition was associated with that observable. Judgments are given by configured data source modules and are shown associated with those data sources, along with more information including the reason.
  • 44. Verdicts: a verdict indicates the most recent and most relevant disposition for a given cyber observable, as well as the judgment from which the verdict was derived. Cisco Threat Response considers a clean verdict to be more reliable than a malicious verdict. The order of precedence for verdicts is:
    • Clean
    • Malicious
    • Suspicious
    • Common
    • Unknown
    When an observable has multiple dispositions, Cisco Threat Response shows the one that appears first in the above list.
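To make the terminology of slides 41 to 44 concrete, here is an added Python example (written for this page; it is not Cisco Threat Response code and its extraction rules are far simpler than the product's) that mimics the Investigate flow: pull observables out of pasted ticket text, then derive each observable's verdict from a set of judgments by applying the precedence order on slide 44 and honouring each judgment's validity window. The ticket text, module names, reasons, dates and the SHA-256 value are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Precedence from slide 44: when several judgments exist, the first
# disposition in this list wins (Clean outranks Malicious on purpose).
PRECEDENCE = ["Clean", "Malicious", "Suspicious", "Common", "Unknown"]

# Observable types from slide 41 that can be pulled out of free text.
# Assumption: these regexes stand in for the product's richer extraction.
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "ip": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    # Alphabetic last label, so dotted IPs are not also counted as domains.
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def refang(text):
    """Undo the defanging analysts use in tickets (hxxp://, [.])."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def extract_observables(text):
    """Return the set of (type, value) observables found in free text."""
    text = refang(text)
    found = set()
    for kind, pattern in PATTERNS.items():
        for value in pattern.findall(text):
            found.add((kind, value.lower()))
    return found


@dataclass
class Judgment:
    observable: tuple    # (type, value)
    disposition: str     # one of PRECEDENCE
    source: str          # module that issued it
    reason: str
    made_at: datetime    # point in time the judgment was given
    valid_until: datetime


def verdict(observable, judgments, now):
    """Return (disposition, judgment): the highest-precedence disposition among
    judgments for this observable that are valid at `now`; ties go to the most
    recent judgment. No valid judgment means Unknown."""
    live = [j for j in judgments
            if j.observable == observable and j.made_at <= now <= j.valid_until]
    if not live:
        return "Unknown", None
    best = min(live, key=lambda j: (PRECEDENCE.index(j.disposition), -j.made_at.timestamp()))
    return best.disposition, best


def investigate(text, judgments, now):
    """Emulate the Investigate form: observables in, one verdict per observable out."""
    return {obs: verdict(obs, judgments, now)[0] for obs in extract_observables(text)}


# ---- constructed sample data (not from the presentation) ----
def _dt(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


SAMPLE_HASH = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"
TICKET = f"""
Ticket 4711: proxy alerts show workstation 10.20.30.41 contacting
hxxp://fcajmvxrd[.]com/u/ and writing a file with SHA-256
{SAMPLE_HASH}. The same host also fetched https://update.example.com/patch.
"""

JUDGMENTS = [
    Judgment(("domain", "fcajmvxrd.com"), "Suspicious", "sandbox", "contacted by 2 analysed samples", _dt(2018, 5, 20), _dt(2018, 12, 31)),
    Judgment(("domain", "fcajmvxrd.com"), "Malicious", "dns-security", "DGA-generated C2 domain", _dt(2018, 6, 1), _dt(2018, 12, 31)),
    Judgment(("sha256", SAMPLE_HASH), "Clean", "allowlist", "signed internal build", _dt(2017, 1, 1), _dt(2018, 1, 1)),  # expired
    Judgment(("sha256", SAMPLE_HASH), "Malicious", "endpoint-protection", "generic trojan detection", _dt(2018, 6, 10), _dt(2018, 12, 31)),
    Judgment(("domain", "update.example.com"), "Suspicious", "osint-feed", "listed on a community feed", _dt(2018, 6, 1), _dt(2018, 12, 31)),
    Judgment(("domain", "update.example.com"), "Clean", "allowlist", "vendor update host", _dt(2018, 1, 1), _dt(2018, 12, 31)),
]
NOW = _dt(2018, 6, 15)

if __name__ == "__main__":
    for obs, disposition in sorted(investigate(TICKET, JUDGMENTS, NOW).items()):
        print(f"{obs[0]:7} {obs[1]:66} {disposition}")
```

Two details carry the security point. The expired allowlist judgment on the hash no longer counts, so the file comes out Malicious even though a Clean judgment exists in the history; and the still-valid allowlist entry on update.example.com beats the community feed's Suspicious, exactly the Clean-first rule the slide states. The internal workstation address has no judgments at all and stays Unknown; in the product it would appear as a target inside a sighting rather than as something to enrich.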
  • 45. Sightings: A Sighting is a record of the appearance of a cyber observable at a given date and time. Sightings can optionally be related to Indicators, providing threat intelligence context about the observable.
  • 46. Indicators: An Indicator describes a pattern of behavior or a set of conditions which indicate malicious behavior. Some indicators are more indicative than others of malicious behavior, so knowing exactly which bad behaviors an observable is exhibiting can help an incident responder decide what to do next. Cisco Threat Response uses a large collection of malware indicators from the AMP Global Intelligence threat archive, Threat Grid, and other sources.
  • 47. Targets: A Target represents the device, identity, or resource that a threat has targeted. A Target is identified by one or more Observables. When known, a type, operating system, and other metadata are recorded as well. Targets are always part of a local Sighting.
  • 48. Snapshots: A snapshot saves the current investigation and graph for subsequent retrieval and analysis. A unique identifier is created upon snapshot creation. Users can provide a name for the snapshot as well as a description. Snapshots can be shared among users in the same organization, to communicate the state of an investigation at a point in time.
  • 49. Casebooks: Built with APIs hosted in, and data stored in, Cisco Threat Response. Available via:
    • Cisco Threat Response Investigate UI
    • Other integrated Cisco products and tools
    • Any web page at all via browser plugin, including:
      • other Cisco products, integrated or not
      • existing external Threat Intel sources
      • existing 3rd party tools
    Casebooks allow you to:
    • gather observables in groups (aka cases)
    • assign the case a name and a description
    • take and save notes on the case
    • add other observables at any time
    • immediately see verdicts and take actions
    • seamlessly work a case across multiple tools, even from different vendors
    • share cases between staff
  • 51. My team can:
    • answer questions faster about observables
    • block and unblock domains from Cisco Threat Response
    • block and unblock file executions from Cisco Threat Response
    • hunt for an observable associated with a known actor and immediately see organizational impact
    • save a point-in-time snapshot of our investigations for further analysis
    • document our analysis in a cloud casebook from all integrated or web-accessible tools, via an API
    • integrate Cisco Threat Response easily into existing processes and custom tools
  • 52. Answer questions faster about observables:
    • Unknown disposition
    • See how it affects the organization
    • Get details of the program executing
  • 53. Can block and unblock domains from Cisco Threat Response:
    • Execute block from Cisco Threat Response
    • Block is effected in Cisco Umbrella
    • API integration to block and unblock
  • 54. Can integrate Cisco Threat Response easily into existing processes and custom tools: Cisco Threat Response is designed to integrate with other security products through URLs that enable you to build powerful security workflows. The examples below assume a Cisco Threat Response install located at https://visibility.amp.cisco.com
    You can perform an Investigation by passing a search string to the q parameter that comes after the #/investigate part of the URL. Multiple search items are allowed, just separate them with a space character. Be sure to properly URL encode this argument.
    • https://visibility.amp.cisco.com/#/investigate?q=domain.com
    • https://visibility.amp.cisco.com/#/investigate?q=google.com%0A8.8.8.8%0A6732417baa49b873d72747c0ef46f8d1
    You can search for Indicators, Judgements, and Sightings on the Explore pages. Similar to the Investigate page, pass a search query to the q parameter to search these threat objects.
    • https://visibility.amp.cisco.com/#/explore/indicators?q=rat
    • https://visibility.amp.cisco.com/#/explore/judgements?q=rat%20ip
    • https://visibility.amp.cisco.com/#/explore/sightings?q=662472b8378274eda5cc848536cba2db1d27f8ad
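  The URL scheme on this slide is simple enough to generate from a script, and getting the encoding wrong is the usual failure (a raw space, newline or `/` inside `q` truncates or corrupts the search). The block below is an added example, not a Cisco-provided client: it builds Investigate and Explore pivot URLs against the install the slide names, encodes every reserved character in the query, and decodes a URL back into its observables so a SOAR playbook can log what it sent. The sample values reproduce the slide's own URLs; the second slide URL separates items with an encoded newline (`%0A`), so the builder defaults to that separator, and the prose's space separator works the same way.

```python
from typing import Iterable, List
from urllib.parse import quote, unquote, urlsplit

# Install named on the slide; a different deployment would change only this.
BASE = "https://visibility.amp.cisco.com"
EXPLORE_KINDS = ("indicators", "judgements", "sightings")  # paths from the slide


def investigate_url(observables: Iterable[str], base: str = BASE, sep: str = "\n") -> str:
    """Build an Investigate pivot URL. Blank items are dropped; every reserved
    character in the joined query (spaces, newlines, '/' inside URLs) is
    percent-encoded, so the separator itself arrives as %0A or %20."""
    items = [o.strip() for o in observables if o and o.strip()]
    if not items:
        raise ValueError("at least one observable is required")
    return f"{base}/#/investigate?q={quote(sep.join(items), safe='')}"


def explore_url(kind: str, query: str, base: str = BASE) -> str:
    """Build an Explore search URL for indicators, judgements or sightings."""
    if kind not in EXPLORE_KINDS:
        raise ValueError(f"unknown explore kind: {kind}")
    return f"{base}/#/explore/{kind}?q={quote(query, safe='')}"


def observables_from_url(url: str) -> List[str]:
    """Recover the search items from a pivot URL (for audit logging of what a
    playbook handed to an analyst). Both newline and space separators are
    accepted, matching the two forms the slide describes."""
    fragment = urlsplit(url).fragment            # "/investigate?q=..."
    _, _, query = fragment.partition("?q=")
    if not query:
        return []
    return [item for item in unquote(query).replace("\n", " ").split(" ") if item]


if __name__ == "__main__":
    # Constructed inputs mirroring the slide's examples.
    print(investigate_url(["google.com", "8.8.8.8", "6732417baa49b873d72747c0ef46f8d1"]))
    print(explore_url("judgements", "rat ip"))
    print(observables_from_url(investigate_url(["hxxp://evil.example/path", "evil.example"])))
```

Because `quote(..., safe='')` encodes `/` as well, a full URL can be passed as an observable without the browser misreading it as part of the fragment path; the round-trip in `observables_from_url` is the check a playbook should run before writing the pivot link into a ticket.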
  • 57. Intelligence that works across the threat lifecycle (diagram; labels recovered from the slide).
    Threats named: Phishing, DDoS, APT, Ransomware, Trojan, Botnet, Wiper Attack, Data/IP Theft, Monetary Theft, Data Manipulation/Destruction, Spyware/Malware, Man in the Middle, Drive-by Download, Malvertising, Unpatched Software, Rogue Software.
    Lifecycle stages named: Telemetry, Intelligence, Enforcement, Detection, Investigation, Remediation, Incident Response.
    Cisco intelligence activities: Learn Adversary Models; Hunt Threats (TTP/Tools); Process Telemetry; Develop Engines (ML). Intelligence objects: IP/Domain/URL; Hash/Artifacts.
    Products placed on the diagram: Network (NGFW/NGIPS, Secure SD-WAN, WSA/ESA); Cloud (Umbrella); Endpoint (AMP for Endpoints); Access Policy / Segmentation (ISE, DNA / TrustSec, Stealthwatch); Revoke App (Cloudlock); Quarantine File (AMP for Endpoints); Logs/Syslog (AD, Servers, Firewall, Proxy); Host to Host Communications (Stealthwatch); App/Workload Usage (Cloudlock, Tetration); System Behavior (AMP for Endpoints); SIEM (Cisco partner); Threat Response; Global Internet Analysis (Umbrella Investigate); Global File Analysis (Threat Grid).
  • 58. Examples of the customer value via integrations (diagram; four columns recovered from the slide):
    • Event Visibility, Decreased Time to Detect: NetFlow with Encrypted Traffic Analytics; Cisco Secure SD-WAN; Cisco Switches and Access Points; Cisco Network Traffic Security Analytics.
    • Threat Intel/Enforcement, Increased Prevention: Hash / Artifact; Domain / IP / URL; Cisco Endpoint Protection; Cisco Secure Internet Gateway; Cisco NGFW/NGIPS; Cisco Talos.
    • Automated Policy, Decreased Time to Remediate: Quarantine via host IP; Contain via SGT; Cisco pxGrid; Cisco Identity and Network Access Control; Cisco NGFW/NGIPS; Cisco Network Traffic Security Analytics.
    • Context Awareness, Decreased Time to Investigate: IOC Behaviors / File Trajectory; Cisco Web Security; Cisco Email Security; Cisco Advanced Threat.
  • 59. Integration and automation is a top priority (diagram). Labels recovered from the slide: Multiple tools; Block IP, URL, Domain, Hash; Block Hash; Block Domain; Network, Endpoint, Cloud, SIEM; Umbrella Investigate; Investigate; Remediate; Sightings (from each tool); 4 Plays; Events from each play. Why manual response across multiple tools is Difficult, Time-Consuming and Error-Prone:
    • Attack detection across multiple technologies from different vendors
    • SIEM integration
    • Manual correlation of threat intelligence with context information
    • Coordination and collaboration among several responders
    • Remediation through multiple, inconsistent consoles
  • 60. Cisco Security Integrated Architecture (diagram). Capability layers: Automated Policy; Context Awareness; Event Visibility; Threat Intel/Enforcement. Products: Enterprise Mobility Management; Network Traffic Security Analytics; Cloud Workload Protection; Web Security; Email Security; Advanced Threat; Secure SD-WAN / Routers; Identity and Network Access Control; Secure Internet Gateway; Switches and Access Points; Next-Gen FW/IPS; Cloud Access Security. Platform elements: Cisco Threat Intelligence; Cisco Platform Exchange; Cisco Threat Response.
  • 61. The same integrated-architecture diagram as slide 60, repeating the product names (Enterprise Mobility Management through Cloud Access Security) with Threat Response labeled.