Effective Threat Hunting with
Tactical Threat Intelligence
Dhruv Majumdar
Technical Lead & Sr. Security Analyst
ElevatedPrompt Solutions
April 18, 2019 | Toronto, ON
Agenda
▪ $Whoami
▪ Why Does CTI Matter?
▪ Utilize Your Threat Models
▪ Ex. TTP as a flow
▪ Sliding Scale of Cyber Security
▪ Structure Your Team
▪ Course of Actions That Can Be Taken By Defenders – Disrupt
▪ How Do We Get Better?
▪ Let's Understand Attribution
▪ References
whoami
▪ Dhruv Majumdar – Technical lead and Sr. Security Analyst for
ElevatedPrompt Solutions
▪ Career
▪ Speaker – BSides|Van -2019, Bsides|Edmonton – 2018
▪ Hobbies
– Photography
– Breaking stuff
Disclaimer:
Please note that all opinions expressed are my own.
All content is owned by ElevatedPrompt Solutions
Inc and cannot be copied, distributed or repurposed
without prior consent
Why Does CTI Matter?
Cyber Threat Intelligence (CTI) can simply be put as follows:
“Analyzed information about the hostile intent, capability and opportunity of an adversary that satisfies an objective.”
▪ Focus on policy maker concern
▪ Conscious effort to avoid biases
▪ Use outside experts when needed
▪ Don't try to be a perfectionist
▪ Structured Analytical Techniques (SATs)
[Figure: Threat Intelligence Life-Cycle]
Utilize Your Threat Models
▪ Tactics – High-level approach to achieve the goals
▪ Techniques – One step down: how the goals will be achieved
▪ Procedure – Granular view into the steps taken to achieve the goal
[Figures: Indicators Life Cycle; Diamond Model; TTP]
[Data vs Intelligence]
 Data is simply a set of key: value pairs making up information
 Information is collected to answer Yes/No questions
[Figure: Indicator Life Cycle – stages labelled Reveal, Mature, Utilize, Report; Vet & Operationalize; Passive CoA: Detection, Mitigation; Intrusion Analysis]
[Figure: Data → Information → Indicator, e.g. 10.25.0.1 (data) → c2 node (information) → indicator]
• Organizations must know what their threats are to accurately collect & use “threat intelligence”
• Threat → Capability + Intent
[Intelligence Requirements]
Example Of TTP as a flow
NEODYMIUM
Sliding Scale of Cyber Security
ARCHITECTURE | PASSIVE DEFENSE | ACTIVE DEFENSE | INTELLIGENCE | OFFENSE
ARCHITECTURE
• supply chain
• architecting the network
• maintaining
• patching
PASSIVE DEFENCE
• firewalls
• IPS
• AV
• Tuning Defense
• Placement of Technology
• visibility and collection
ACTIVE DEFENCE
• Threat Hunting
• Incident Response
• NSM
• Malware RE
INTELLIGENCE
• Threat Research
• Red team Emulation
• Hypothesis generation
• Team Restructuring
OFFENSE
• Legal counter measure
• hack-back
• but very poor ROI
• Probably illegal
Structure your Team
Teams around the CTI function: Intelligence Team (CTI), SOC, Incident Response, Infrastructure / IT, Business Intelligence, Vulnerability Management
Cyber Threat Intelligence Process
• Determine Requirement
• Analyze Internal Information
• Enrich the information
• Validate the information
• Store the information
• Share the information
CoA That Can be Taken by Defenders – Disrupt
• weblabyrinth – A system that creates a bogus web structure to entrap and delay web scanners
• HoneyPots
• HoneyTokens – triggering alerts when a specific file is accessed, etc.
• robots.txt
• C2 termination when it contains a specific file
• Rate limit – for ongoing longer sessions
• User account limitations
• 2 Factor Auth
• Local Admin Privileges
• Encrypted Hard drives
How Do We Get Better?
Let's Jump into some Threat Hunting
Threat Hunting
Threat Hunting Continued …
Threat Hunting Continued …
TTP, IOC & Attribution
• Infrastructure hosting the payload generator
• VBA script execution injecting into Rundll32
• CactusTorch Fileless Threat Abuses .NET to Infect Victims (reported by McAfee)
IOC:
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40
IP: x.x.x.x : 443
[TTP & IOC]
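The two indicators above only become useful once they are run against your own telemetry, and a User-Agent that imitates Windows Update will also appear on legitimate update traffic. The following is an added example (not code from the talk or from the McAfee report): it parses constructed proxy log lines, flags traffic to the C2 address, and flags the update User-Agent only when it is sent to a host outside an assumed Microsoft allow-list. The C2 address is a TEST-NET placeholder because the slide redacts it as x.x.x.x, and the allow-list hosts and log format are assumptions.

```python
import re
# Indicators as shown on the slide. The talk redacts the C2 address as
# x.x.x.x:443, so a TEST-NET placeholder (not a real indicator) stands in.
IOC_USER_AGENT = "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"
IOC_C2 = ("203.0.113.10", 443)
# Assumed allow-list of hosts that legitimately see this User-Agent; the
# same string on traffic to any other host is the hunt hypothesis.
LEGIT_UPDATE_HOSTS = {"windowsupdate.microsoft.com", "update.microsoft.com"}
# Constructed proxy log lines (not from the talk or the McAfee report):
# <ts> <src_ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOGS = """\
2019-04-18T10:01:02Z 10.25.0.7 GET https://203.0.113.10:443/update 200 "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"
2019-04-18T10:01:05Z 10.25.0.8 GET https://windowsupdate.microsoft.com/ 200 "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"
2019-04-18T10:02:11Z 10.25.0.9 GET https://example.org/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2019-04-18T10:03:40Z 10.25.0.7 POST https://203.0.113.10/beacon 200 "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"
2019-04-18T10:05:09Z 10.25.0.12 GET https://cdn.example.net/x 200 "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"
"""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) '
    r'(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>\S*) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Split one proxy log line into fields; default the port from the scheme."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable proxy line: {line!r}")
    rec = m.groupdict()
    rec["port"] = int(rec["port"] or (443 if rec["scheme"] == "https" else 80))
    return rec

def classify(rec):
    """Return the list of indicator matches for one record (empty = benign)."""
    reasons = []
    if (rec["host"], rec["port"]) == IOC_C2:
        reasons.append("c2-address")
    if rec["ua"] == IOC_USER_AGENT and rec["host"] not in LEGIT_UPDATE_HOSTS:
        reasons.append("spoofed-update-agent-ua")
    return reasons

def hunt(log_text):
    """Run both checks over a log blob and return one alert per matching line."""
    alerts = []
    for line in filter(None, log_text.splitlines()):
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            alerts.append({"src": rec["src"], "dst": f"{rec['host']}:{rec['port']}", "reasons": reasons})
    return alerts
```

The second sample line shows why the allow-list matters: the same User-Agent to windowsupdate.microsoft.com produces no alert, while the last line is caught on the User-Agent alone even though it never touches the C2 address.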
Let's Understand Attribution
Let's Jump into some Threat Modelling
Maltego
MISP
References
• https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/cactustorch-fileless-threat-abuses-net-to-infect-victims/
• https://medium.com/@vysec.private/payload-generation-with-cactustorch-d61b84ad207d
• https://threatconnect.com/tag/diamond-model-of-intrusion-analysis/
• https://securityaffairs.co/wordpress/54451/apt/promethium-neodymium-apts.html
• https://www.misp-project.org/
Conclusion
• Massive shortage of Cybersecurity Professionals
• Demand for experienced Threat hunters & CTI/OTI
How to get started?
SOF ELK - https://github.com/philhagen/sof-elk
Security Onion - https://github.com/Security-Onion-Solutions/security-onion
Hunting ELK - https://github.com/Cyb3rWard0g/HELK
@neondhruv
https://www.linkedin.com/in/neondhruv/

Editor's Notes

  • #5  Cyber Threat Intelligence
  • #6 Point 5: The UK Signals Intelligence Agency (GCHQ) has the capability & opportunity to pose a significant threat to Canadian intelligence operations. However, there is no hostile intent, so they are not a threat ATM. The term ATM is very important for threat intelligence: time plays a huge role in determining whether intelligence data is valid or not for that specific engagement.
  • #7 PROMETHIUM
  • #8 Passive Defense – provides protection without constant human interaction. Active Defense – analysts monitor for, respond to & learn from adversaries interacting with the network. Intelligence Team – collecting data, exploiting it & producing IOC. ROI – return on investment.
  • #9 VERIS FRAMEWORK – vocabulary for event sharing, recording & incident sharing – DBIR (Data Breach Investigations Report) – Four A's: Action, Assets, Actors, Attribute. By "internal information" do you mean analyze incidents internally and derive intelligence out of that on what threats are getting past your defenses the most? Would you also analyze external trending threats that are relevant to your industry/external-facing assets to know where to focus your defensive efforts? E.g. an Oracle WebLogic vuln being exploited against all externally facing assets by auto-exploit bots: then focus should be shifted to that if you have Oracle WebLogic servers exposed to the internet?
  • #10 CoA : Course of Action
  • #14 CactusTorch
  • #15 One fileless threat, CactusTorch, uses the DotNetToJScript technique, which loads and executes malicious .NET assemblies straight from memory. These assemblies are the smallest unit of deployment of an application, such as a .dll or .exe. As with other fileless attack techniques, DotNetToJScript does not write any part of the malicious .NET assembly to a computer’s hard drive; hence traditional file scanners fail to detect these attacks. CactusTorch can execute custom shellcode on Windows systems.
  • #17 Time for a Live Demo
  • #18 Leverage MISP to Track Internal Threat Intelligence Data and map blind spots as well as gather intelligence information as to what kind of threat actors are behind your organization