How To Turbo-Charge Incident Response With Threat Intelligence
Page 2
Agenda
• Introductions
• What is threat intelligence?
• Why does threat intelligence matter?
• How threat intelligence can turbo-charge IR
• Demo: IR management with integrated threat intelligence
Page 3
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Matt Hartley, Vice President of Product Management, iSIGHT Partners
• Tim Armstrong, Security Incident Response Specialist, Co3 Systems
Page 4
End-to-End IR: Before, During, and After
PREPARE: Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table tops)
MITIGATE: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
ASSESS: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE: Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
Page 5
About iSIGHT Partners
200+ experts, 16 Countries, 24 Languages, 1 Mission
Global Reach | ThreatScape® Products | Proven Intelligence Methodology
• Research: Identify threats, groups; determine/capture motivation and intent
• Analysis: Fuse knowledge across methods, campaigns, affiliations, historical context
• Dissemination: Deliver high-fidelity, high-impact, contextual, actionable insights
Cyber Crime, Cyber Espionage, Denial-of-Service, Enterprise, Hacktivism, Industrial Control Systems, Mobile, Vulnerability and Exploitation
Page 6
Threat Intelligence VS. Threat Data: Context Matters
Threat Data:
• Bad IP Address
ThreatScape® Cyber Threat Intelligence:
• Bad IP Address
• Actor Group
• Motivation
• Primary Targets
• Ability to Execute
• Ranking
• Last Hop Geo Location
• Additional IPs, Domains
• Malware Used
• Lures
• Vulnerabilities Targeted
• Historic Campaigns
• Successful Compromises
Page 7
What is Threat Intelligence?
Name: uxsue.exe
Identifier: Gameover Zeus
Extension: exe
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size: 329216
Packer: ['MinGW GCC 3.x']
MD5sum: 045b793b2a47fbea0d341424262c8c5b
Sha1: 5ca6943f557489b510bd0fe8825a7a68ef00af53
Sha256: 8a4036289762a4414382fee8463d2bc7892cd5cab8fb6995eb94706d47e781dd
Fuzzy: 6144:ka23d0lraSurrtt/xue1obsXD8J3Ej+rbC80tsX9GR:kFd0lWzrrtxdowT8U8hYR
MIME:
Compiled: 2012-10-10 17:33:25
Malware Payload Indicators: Gameover Zeus is a frequently used Trojan in financial cybercrime
Basic Context:
Exploitation Vector: hxxp://26.azofficemovers.com/links/persons_jobs.php
Unique Threat-focused Information: We believe the following actors are either members of or are close associates with the petr0vich group: …
Bottom Line: Zeus Malware Author Probably Working with Gameover Zeus Operators, but Current Level of Involvement Remains Uncertain
Contextual Analysis: …the primary Zeus author partnered with the "petr0vich group," which most likely controls Gameover Zeus, to develop custom Zeus versions…. his continued participation will probably help fuel further innovative developments to Zeus.
Knowledge and context, not just data
Technical Threat
Page 8
ThreatScape API
(Integration diagram: ThreatScape® Intelligence is delivered through the ThreatScape® API. Process integration: Threat Fusion Center, Security Operations Center, Incident Response. Technology integration: Analytics, GRC, SIEM/IDS, Network/Host Protection, Configuration/Patch Management.)
Page 9
IR Suffers From A Lack Of Intelligence
• “75% said they conduct forensic investigations to ‘find and investigate incidents after the fact.’”
- SANS Survey of Digital Forensics and Incident Response, July 2013
• “60% … agree that their company at some point in time failed to stop a material security exploit because of insufficient or outdated threat intelligence.”
• “49% said it can take within a week to more than a month to identify a compromise.”
- Ponemon Institute Live Threat Intelligence Impact Report 2013
• Forty percent of respondents say their security products do not support the import of threat intelligence from other sources.
- Ponemon Institute Threat Intelligence & Incident Response Report, February 2014
• “In 66% of cases (up from 56% last year), breaches remained undiscovered for years, and in 22% of cases, it took months to fully contain the incident.”
- 2013 Verizon Data Breach Investigations Report
Page 10
Incident Response Needs Threat Intel
PREPARE
• Who has attacked you in the past?
• How have they attacked you?
• What are those attackers known to be interested in?
Ensure alignment with real threats and actors
MITIGATE
• How are threats evolving?
• How should you update your preventive and detective controls?
• Can you eliminate the target?
• Should you add some new partners / resources?
• Should you update / expand training?
Inform mitigation and preparation based on real threats and actors
ASSESS
• Who is behind the attack?
• How are they attacking?
• What might they ultimately be after?
• Time is of the essence
Prioritize an informed response
MANAGE
• What items in the IR plan are most important?
• Law enforcement? The FBI? Who do you need to call?
Accelerate a decisive response
POLL
Page 12
Traditional approaches: where does intelligence fit?
Basic IR Framework: Prepare → Detect → Respond → Recover
Basic Investigative Framework (event driven): Incident Report / Notification → Data Capture → Analysis → Link Analysis → Case Prep / Resolution
Intelligence enhances every stage of IR by providing situational awareness, context, and attribution - where does it fit?
Page 13
Investigations enhanced by intelligence
Enhanced Investigative Framework (event driven): Incident Report / Notification → Data Capture → Analysis → Link Analysis → Case Prep / Resolution
Intelligence (proactive): informed by knowledge of threat sources, activities, methods, and historical context
• Data Capture: look for different indicators and other activity; look in different places
• Analysis: consider adversary intent, previous activity, alternative targeting, additional information; fusion of sources
• Link Analysis: consider affiliations, adversary intent, previous activity, alternative targeting; historical links
• Case Prep / Resolution: proactive, detective, and preventative measures; training and exercises; business impact analysis; reporting
POLL
Page 15
Connecting People and Technology at a Time of Crisis
Page 16
Threat Intel With Incident Artifacts in Co3
• Artifacts are attributes of an incident that can indicate the presence and nature of a threat.
• Artifacts can be anything from a suspected malware file, to the IP address of a foreign server.
• Co3 supports multiple artifact types:
• URLs
• IP addresses
• Malware hashes
• DNS names
• Log files
• Emails
• Malware samples
• Registry keys
• Username
• Port
• Process name
Page 17
Threat Intelligence
• Actionable context about the nature of the incident based on its associated artifacts. This insight can include:
• Actor(s)
• Means
• Methods
• Campaign
• Historical context
• Impacts
• Initial threat intelligence feeds include:
• iSIGHT Partners
• Abuse.ch
• AlienVault
• SANS
• MalwarePatrol
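As an added example (not Co3's or iSIGHT's code), the script below shows the artifact-to-intelligence correlation the two slides above describe: incident artifacts of the listed types (URLs, IP addresses, malware hashes, DNS names) are normalised and matched against a local intel store, and each match returns actor, method and campaign context while unmatched artifacts are reported as plain threat data. The intel records, feed names and all indicators are constructed sample values.

```python
# Added example (not Co3 or iSIGHT code): correlate incident artifacts
# against a local threat-intel store and return the context the slide lists
# (actor, methods, campaign). All indicators below are constructed.
from urllib.parse import urlparse

# Constructed intel records keyed by (indicator type, normalised value).
INTEL = {
    ("ip", "198.51.100.23"): {"actor": "ACTOR-ONE", "methods": "credential phishing",
                              "campaign": "lure-campaign-A", "source": "feed-a"},
    ("domain", "lure.example.invalid"): {"actor": "ACTOR-ONE", "methods": "drive-by download",
                                         "campaign": "lure-campaign-A", "source": "feed-b"},
    ("sha256", "aa" * 32): {"actor": "ACTOR-TWO", "methods": "banking trojan",
                           "campaign": "campaign-B", "source": "feed-a"},
}


def normalise(artifact_type, value):
    """Map one raw artifact to the (type, key) pairs it should be matched on."""
    t, v = artifact_type.lower(), value.strip()
    if t == "url":
        v = v.replace("hxxp", "http", 1)                # refang a report's defanged URL
        host = (urlparse(v).hostname or "").lower()
        return [("url", v.lower()), ("domain", host)]  # match on the host as well
    if t in ("md5", "sha1", "sha256"):
        return [(t, v.lower())]                         # hashes compare case-insensitively
    if t == "dns":
        return [("domain", v.lower().rstrip("."))]      # strip trailing dot from FQDNs
    return [(t, v)]


def correlate(artifacts, intel=INTEL):
    """Enrich each artifact; return (hits, sorted actor names, artifacts with no intel)."""
    hits, actors, unknown = [], set(), []
    for a_type, a_val in artifacts:
        matched = False
        for key in normalise(a_type, a_val):
            rec = intel.get(key)
            if rec is not None:
                hits.append({"artifact": a_val, "matched_on": key, **rec})
                actors.add(rec["actor"])
                matched = True
        if not matched:
            unknown.append(a_val)                       # plain threat data: no context yet
    return hits, sorted(actors), unknown


if __name__ == "__main__":
    sample = [("url", "hxxp://lure.example.invalid/links/a.php"),
              ("ip", "198.51.100.23"), ("sha256", "AA" * 32), ("ip", "203.0.113.9")]
    for h in correlate(sample)[0]:
        print(h["artifact"], "->", h["actor"], h["campaign"], "via", h["source"])
```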
Page 18
Enabling Actionable, Intelligent, Efficient Response
Co Investigate
Incident Artifacts
Threat Intel
Detailed Threat Info
• Which actors
• What methods
• What impacts
Correlated Threat Context
• Who else
• How else
• Why you
Accelerated Response
• Automatic discovery
• Enhanced collaboration
• Workforce enablement, enhancement
DEMO
QUESTIONS
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“We’re doing IR in one-tenth of the time.”
DIRECTOR OF SECURITY & RISK, USA FUNDS
“It’s the best purchase we ever made.”
CSO, F500 HEALTHCARE PROVIDER
Matt Hartley
Vice President of Product Management
mhartley@isightpartners.com
571.287.7700
“One of the hottest products at RSA…”
NETWORK WORLD
“Co3 has done better than a home-run...it has knocked one out of the park.”
SC MAGAZINE