Keeping Up with the Adversary: Creating a Threat-Based Cyber Team

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

SESSION ID:SESSION ID:
#RSAC
Anthony Talamantes
Keeping Up with the Adversary:
Creating a Threat-Based Cyber Team
AIR-R03
...

#RSAC
Where We Were
2
Ground Up Approach
Continuous Monitoring
— Anti-Virus
— IPS/IDS
— Blackhole/Sinkhole
— Sandboxes
— A...

#RSAC
APL Targeted by Nation State – Case Study
3
Malware evolution
Persistence in Registry
Enumerate running processes
An...

#RSAC
Peer Collaboration - Nation State Compromise
4
Never Let a Good Incident Go to Waste
Extensive use of cloud and SSL
...

#RSAC
How Would Our Defenses Perform?
5
Ground Up Approach
Continuous Monitoring
— Anti-Virus
— IPS/IDS
— Blackhole/Sinkho...

#RSAC
Philosophy Change
6
Red Queen Hypothesis
proposes that organisms must constantly adapt,
evolve, and proliferate not ...

#RSAC
New Philosophy
7
Top Down Approach
Threat identification
Target advanced tactics, techniques and
procedures of adver...

#RSAC
Cyber Threat Team Construct
8
• Scripting
• Content Creation
• Compound Correlation
• Enrichment
• Orchestration
• H...

#RSAC
Defensive Cyber ConOps
9
• Pivoting on artifacts
• Procedural
• Closing steps
• Ad-hoc hunting
• Behaviors of compro...

#RSAC
Putting it All Together
Building the Team

#RSAC
Overview
11
Adopt a framework for addressing threats
Gap Analysis
Automate low hanging fruit
Shift our focus
Build c...

#RSAC
Framework – Threats / Countermeasures
12
• Fully understand the threat and viability
• Identify gaps and understand ...

#RSAC
Gap Analysis and Actions
13
Staff
Repurposed talent and expanded roles (DevOps, Purple Team)
Visibility
Email header...

#RSAC
Automation / Orchestration
14
Ingest
Reports contain context for use case development
(TTPs, strings for YARA, etc.)...

#RSAC
Focus Shift – Passive to Active Defense
15
Events Use Cases
Passive: Appliance Generated Alerts
Active: Context Rich...

#RSAC
Use Case Development Areas
16
• Spoofed email
• Email sender
• X-headers
• Email infra mismatch
• Multiple sender in...

#RSAC
Use Case: Windows Persistence (WMI)
Permanent WMI
WMI service polls for WMI queries
WMI executes code (Consumer) whe...

#RSAC
Execution of ActiveScriptEventConsumer
Use Case: VBScript being called (as defined in Consumer) when an action occur...

#RSAC
Use Case: Windows Persistence (WMI)
Execution of CommandLineEventConsumer
Use Case: Powershell being called (as defi...

#RSAC
WMI Event Subscription – Artifacts
20
__CLASS : __EventFilter
__RELPATH : __EventFilter.Name="DoBadOnScheduleFilter"...

#RSAC
Success Stories
21
Heartbleed
Legacy NT sysadmin tool usage
Poweliks
Mshta spawning processes
DMZ Incident
SQL injec...

#RSAC
Challenges

#RSAC
Management Challenges
23
Where are we getting these new teams?
Leverage existing talent in Cyber Operations & IT
Cre...

#RSAC
Philosophical Challenges
What is behavioral monitoring anyways?
Mitigation and Detection
Threat Intelligence
False p...

#RSAC
Technical Challenges
We didn’t have the visibility we needed
Host, Network, Process
Managing larger data sets
Skill ...

#RSAC
Summary
Adversary is evolving & we must mature and evolve
The Analysts
The Process
Define threat and targeting
Ident...

#RSAC

Share Slideshare

LinkedIn
Facebook
Twitter

Embed

Size (px)

Show related Slideshows at end

WordPress Shortcode

Link

Share
Email

窺探職場上所需之資安專業技術與能力 Tdohconf by jack51706 4489 views
勒索軟體態勢與應措 by jack51706 684 views
台科大網路鑑識課程封包分析及中繼站追蹤 by jack51706 3622 views
Tdohconf 2017-ncku by jack51706 2082 views
A Case Study in Attacking KeePass by Will Schroeder 10479 views
PuppetConf 2017: Inviting Windows t... by Puppet 785 views

View on Slideshare

1 of 27 Ad

View on Slideshare

1 of 27 Ad