How I Learned to Stop Information Sharing and Love the DIKW*
*With apologies to Stanley Kubrick
Sounil Yu
Alignment of Two Pyramids
What are we sharing now? What should we be sharing instead?
@sounilyu, June 2016
DIKW Pyramid (top to bottom):

Wisdom       | Joining of wholes     | Explanation / Why
Knowledge    | Formation of a whole  | Instruction / How To
Information  | Connection of parts   | Descriptive / What
Data         | Gathering of parts    | Raw sensor information

Axes drawn beside the pyramid: Past / Future, and Experience / Novelty.

David Bianco's Pyramid of Pain (with color modifications), top to bottom:
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

TTPs
Tools
Network/Host Artifacts
Domain Names
IP Addresses
Hash Values
Decoupled Security Stack

Sensors   | Sensing: raw telemetry, netflow, logs, external threat intel
Analytics | Sense making: correlation, machine learning, heuristics
Decisions | Decision making: orchestration, courses of action, recipes for action
Actions   | Acting: actuators; block, stop, start, delete, quarantine
What we share

Dangers of Sharing the Wrong Things and Automagically Applying Them Incorrectly

CURRENT STATE: the originating organization and the receiving organization each run their own stack of Sensors, Analytics, Decisions and Actions. What crosses the boundary today is the output of the originating sensors (indicators). The Analytics and Decisions layers are not shared on either side. Feeding those shared indicators directly into the receiving organization's Actions layer is the path the slide marks as dangerous.

FUTURE STATE: sharing moves up the stack. The exchange at the Analytics and Decisions layers is marked as optimal, while the sensing layer is pooled into a shared/collective sensor grid (e.g., Passive DNS).
How we share

Analytics Sharing Example: The ThreatHunting Project
(www.threathunting.net, also by David Bianco)

Procedures Indexed by Goal

0-day Exploits
• EMET Log Mining
Attacker tools in use
• Suspicious Process Creation
• Windows Service Analysis
• Psexec Windows Events
BIOS/Firmware tampering
• RAM Dumping
Command and Control (C2)
• C2 via Dynamic DNS
• Finding the Unknown with HTTP URIs
Compromise of Internet-Facing Service
• Internet-Facing HTTP Request Analysis
• Checking How Outsiders See You
• RDP External Access
• Finding Known-Bad in Antivirus Logs
• Finding Webshells
• Webshell Behavior
• . . .

Finding Web Shells

Purpose
• Identify web shells (stand-alone or injected)
Data Required
• Web server logs (Apache, IIS, etc.)
Collection Considerations
• Collect from all web servers, and ensure that request parameters are collected.
• POST data should be collected.
• For Apache, consider using mod_security or mod_dumpio.
• For IIS, use Failed Request Tracing / Custom Logging.
Analysis Techniques
• Stack counting
• String matching
Description
• Stack by page hits: pages with few hits are a typical sign.
• Add more fidelity by combining the views below (none if the above already gives high fidelity; one, two, or all of them):
  • No referer from the client.
  • Stack by unique visits per IP: most clients only visit the web shell (no other page hits, no JS, no images, etc.). This isn't true of injected web shells, which are injected into an existing page.
  • Stack by UA uniqueness. This is not always rock solid, but it is good, because many web shells have client software that sets the UA and many operators don't change the default.
  • Look for parameters passed to image files (e.g., /bad.png?zz=ls).
• More specific to injected web shells (those that inject into an existing page):
  • Stack by parameter counts per page: web shells that create new params on an existing page.
  • Again, you can look for a missing referer and for UA uniqueness.
. . .

Procedures Indexed by Data

Anti-Virus Logs
• Finding Known-Bad in Antivirus Logs
Bro NSM Logs
• RDP External Access
• C2 via Dynamic DNS
• Finding the Unknown with HTTP URIs
DNS Query Logs
• C2 via Dynamic DNS
Host Dumps (RAM, Registry, Process, etc.)
• NTFS Extended Attribute Analysis
• Search for Rogue Listeners
• Autoruns Analysis
• Windows Driver Analysis
• Windows Prefetch Cache Analysis
• Windows Service Analysis
HTTP Proxy Logs
• Beacon Detection
• User Agent Analysis
• . . .
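The web shell procedure above is a recipe, not code. The following Python is an added example (not part of the ThreatHunting Project or of the slides) that runs the stack-counting views from the procedure over a handful of constructed Apache combined-format log lines: hits per page, missing Referer, clients that visit nothing but one page, user agents seen on one page only, parameters passed to image files, and the per-page parameter-name view for injected shells. The log lines, hosts, paths, user agents and the "few hits" threshold are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format log lines (sample data, not from the slides).
# /index.php is a real page with normal traffic; /uploads/cache.php is a
# stand-alone web shell; /images/bad.png is an "image" that receives a command
# in its query string. Hosts, paths and user agents are all made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2016:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/45.0"
10.0.0.5 - - [01/Jun/2016:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 2048 "http://www.example.com/index.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/45.0"
10.0.0.5 - - [01/Jun/2016:10:00:02 +0000] "GET /static/logo.png HTTP/1.1" 200 1024 "http://www.example.com/index.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/45.0"
10.0.0.7 - - [01/Jun/2016:10:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Safari/601.5"
10.0.0.7 - - [01/Jun/2016:10:01:11 +0000] "GET /static/app.js HTTP/1.1" 200 2048 "http://www.example.com/index.php" "Mozilla/5.0 (Macintosh) Safari/601.5"
10.0.0.8 - - [01/Jun/2016:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (X11; Linux) Chrome/50.0"
203.0.113.9 - - [01/Jun/2016:03:12:44 +0000] "POST /uploads/cache.php HTTP/1.1" 200 310 "-" "python-requests/2.9.1"
203.0.113.9 - - [01/Jun/2016:03:12:51 +0000] "GET /uploads/cache.php?cmd=whoami HTTP/1.1" 200 64 "-" "python-requests/2.9.1"
198.51.100.4 - - [01/Jun/2016:04:40:07 +0000] "GET /images/bad.png?zz=ls HTTP/1.1" 200 90 "-" "curl/7.47.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".ico")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        events.append({"ip": m.group("ip"), "method": m.group("method"),
                       "path": path, "query": query,
                       "referer": m.group("referer"), "ua": m.group("ua")})
    return events


def stack_pages(events, few_hits=2):
    """Stack counting per page. Each page gets the list of signals from the
    procedure that it satisfies, always in the same order."""
    hits = Counter(e["path"] for e in events)
    paths_per_ip = defaultdict(set)   # distinct pages each client touched
    paths_per_ua = defaultdict(set)   # distinct pages each user agent touched
    for e in events:
        paths_per_ip[e["ip"]].add(e["path"])
        paths_per_ua[e["ua"]].add(e["path"])
    report = {}
    for path, n in hits.items():
        page = [e for e in events if e["path"] == path]
        signals = []
        if n <= few_hits:                                        # few hits overall
            signals.append("few_hits")
        if all(e["referer"] in ("", "-") for e in page):         # no referer from client
            signals.append("no_referer")
        if all(len(paths_per_ip[e["ip"]]) == 1 for e in page):  # clients visit nothing else
            signals.append("lone_visitors")
        if all(len(paths_per_ua[e["ua"]]) == 1 for e in page):  # UA seen on this page only
            signals.append("unique_ua")
        if path.lower().endswith(IMAGE_EXTS) and any(e["query"] for e in page):
            signals.append("params_to_image")                    # e.g. /bad.png?zz=ls
        report[path] = signals
    return report


def stack_params(events):
    """Distinct query parameter names per page: the view for injected shells,
    which add new parameters to a page that otherwise carries normal traffic."""
    names = defaultdict(set)
    for e in events:
        for pair in e["query"].split("&"):
            if pair:
                names[e["path"]].add(pair.split("=", 1)[0])
    return {p: sorted(v) for p, v in names.items()}


def rank_candidates(report, min_signals=2):
    """Pages with at least min_signals signals, strongest first."""
    ranked = sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(path, sig) for path, sig in ranked if len(sig) >= min_signals]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for path, sig in rank_candidates(stack_pages(evts)):
        print(path, ", ".join(sig))
    print(stack_params(evts))
```

On the sample, /static/logo.png trips only the "few hits" view (one request, but with a Referer, from a client that also loaded other pages), which is the fidelity problem the procedure warns about; the shell and the parameterised image each trip four or five views and rise to the top. Thresholds such as `few_hits=2` are where an operator's own traffic volume has to be plugged in.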
Analytics Sharing Example: Cyber Analytic Repository (MITRE)

CAR-2014-07-001: Search Path Interception

Hypothesis:
As described in ATT&CK, one method of escalation is intercepting the search path for services, so that legitimate services point to a binary inserted at an intercepted location. This can be done where there are spaces in the path and it is unquoted.

Instantiation:
Eventtype=process_start parent_image_path="*\system32\services.exe" command_line!="\"*" command_line="* *"
| rex field=image_path ".*\\(?<img_exe>.*)"
| rex field=img_exe "(?<img_base>.*)\..*"
| where NOT like(lower(command_line), lower("%"+img_exe+"%")) AND like(lower(command_line), lower("%"+img_base+"%"))
| table _time hostname ppid pid parent_image_path image_path command_line img_exe

ATT&CK Framework
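The query above is Splunk pseudocode: keep service starts whose command line is unquoted and contains a space, pull the executable name (img_exe) and its extension-less form (img_base) out of the image path, and keep events where the command line mentions the base name but not the full executable name. The Python below is an added example that reproduces that logic outside Splunk; it is not MITRE's code and not part of the slides. The events are constructed, with made-up hosts, PIDs and paths; the field names follow the query.

```python
# Constructed process-start events in the field layout the CAR query uses
# (parent_image_path, image_path, command_line). Hosts, paths and PIDs are made up.
SAMPLE_EVENTS = [
    # Quoted service path: excluded by command_line!="\"*"
    {"hostname": "ws01", "ppid": 600, "pid": 412,
     "parent_image_path": r"C:\Windows\System32\services.exe",
     "image_path": r"C:\Program Files\Vendor App\svc.exe",
     "command_line": r'"C:\Program Files\Vendor App\svc.exe"'},
    # Unquoted path with spaces, but the binary that ran is the one named in
    # the command line: no interception
    {"hostname": "ws01", "ppid": 600, "pid": 420,
     "parent_image_path": r"C:\Windows\System32\services.exe",
     "image_path": r"C:\Program Files\Vendor App\svc.exe",
     "command_line": r"C:\Program Files\Vendor App\svc.exe"},
    # Interception at the first space: services.exe started C:\Program.exe
    {"hostname": "ws02", "ppid": 604, "pid": 1337,
     "parent_image_path": r"C:\Windows\System32\services.exe",
     "image_path": r"C:\Program.exe",
     "command_line": r"C:\Program Files\Vendor App\svc.exe"},
    # Interception at the second space: C:\Program Files\Vendor.exe
    {"hostname": "ws02", "ppid": 604, "pid": 1338,
     "parent_image_path": r"C:\Windows\System32\services.exe",
     "image_path": r"C:\Program Files\Vendor.exe",
     "command_line": r"C:\Program Files\Vendor App\svc.exe"},
    # Same binary, but not started by services.exe: out of scope for this analytic
    {"hostname": "ws02", "ppid": 900, "pid": 1400,
     "parent_image_path": r"C:\Windows\explorer.exe",
     "image_path": r"C:\Program.exe",
     "command_line": r"C:\Program Files\Vendor App\svc.exe"},
]


def split_image(image_path):
    """The two rex stages: img_exe is the text after the last backslash,
    img_base is img_exe with its extension removed."""
    img_exe = image_path.rsplit("\\", 1)[-1]
    img_base = img_exe.rsplit(".", 1)[0] if "." in img_exe else img_exe
    return img_exe, img_base


def is_search_path_interception(event):
    """True when the event satisfies every clause of the CAR query."""
    # parent_image_path="*\system32\services.exe"
    if not event["parent_image_path"].lower().endswith(r"\system32\services.exe"):
        return False
    cmd = event["command_line"]
    # command_line!="\"*" (not quoted) and command_line="* *" (contains a space)
    if cmd.startswith('"') or " " not in cmd:
        return False
    img_exe, img_base = split_image(event["image_path"])
    cmd_l = cmd.lower()
    # where NOT like(command_line, %img_exe%) AND like(command_line, %img_base%)
    return img_exe.lower() not in cmd_l and img_base.lower() in cmd_l


def find_interceptions(events):
    """The final `table` stage: matching events with img_exe attached."""
    rows = []
    for e in events:
        if is_search_path_interception(e):
            row = dict(e)
            row["img_exe"] = split_image(e["image_path"])[0]
            rows.append(row)
    return rows


if __name__ == "__main__":
    for r in find_interceptions(SAMPLE_EVENTS):
        print(r["hostname"], r["pid"], r["image_path"], "<-", r["command_line"])
```

The base-name test is what makes the analytic work: when services.exe resolves an unquoted `C:\Program Files\Vendor App\svc.exe` to `C:\Program.exe`, the command line still contains "Program" but never "Program.exe". The same substring match is also the analytic's weak point, since a short base name that happens to appear elsewhere in a legitimate command line will match too, which is the kind of false positive the regression-test field on the next slide is there to record.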
A community for sharing sense-making

Organization A: "I can find intrusions by looking for search path interception in XYZ way." Running the method yields byproducts and indicators, which go out through the existing sharing communities:
5444ff573794d853d24fbce00548227b
module.832.13cc55060.9a0000.dll
hxxp://speedtest[.]netcologne[.]de/test_100mb.bin

The method itself goes into Organization A's local Cyber Analytic Repository and from there into the Shared Cyber Analytic Repository as a record with five parts:

A. Analytic Method
Eventtype=process_start parent_image_path="*\system32\services.exe" command_line!="\"*" command_line="* *"
| rex field=image_path ".*\\(?<img_exe>.*)"
| rex field=img_exe "(?<img_base>.*)\..*"
B. Efficacy of Analytic Method
Regression Test Results: 1 TP, 0 FP over 50K transactions over 1 month
C. Cost/Toxicity of Analytic Method
Low cost query completing in 25 msec
D. Context of True Positives
True Positives found in Human Resource systems
E. Resilient Security Design Patterns
Containment and malware detonation solutions in use

Organization B pulls the method from the shared repository into its own local Cyber Analytic Repository, runs it, and discovers its own byproducts and indicators, which it shares through the existing channels:
436b772438826e2410ef2a45015bc936
costura.aforge.video.dll
hxxp://speedtest[.]reliableservers[.]com/100MBtest.bin

Organization B then contributes an improved record back to the shared repository:

A. Improved Analytic Method
Eventtype=process_start parent_image_path="*\system32\services.exe" command_line!="\"*" command_line="* *"
| rex field=image_path ".*\\(?<img_exe>.*)"
| rex field=img_exe "(?<img_base>.*)\..*"
| where NOT like(lower(command_line), lower("%"+img_exe+"%")) AND like(lower(command_line), lower("%"+img_base+"%"))
B. Efficacy of Analytic Method
Regression Test Results: 1 TP, 1 FP over 100K transactions over 2 weeks
C. Cost/Toxicity of Analytic Method
Medium cost query completing in 34 sec
D. Context of True Positives
True Positives found in Human Resource systems
E. Resilient Security Design Patterns
Antivirus and IDS/IPS in use

STEPS
1. Someone discovers a new method for finding badness.
2. The new method for discovering that badness is captured as a machine-consumable query.
3. The byproducts of that method are discovered as indicators.
4. Indicators are shared through existing sharing channels.
5. The analytic method is stored in the local Cyber Analytic Repository.
6. The new method is offered to the community. Included with that new method are four other pieces of information:
   b. Regression tests showing the efficacy of this new method, in terms of true positives and false positives, against historical data
   c. The cost or toxicity of running the new method
   d. The functional context of the systems where the new method is effective
   e. The security design for the relevant systems
7. Members consume the new method.
8. Based on their risk tolerance for efficacy and toxicity, members run the new method to discover their own indicators, which may also be shared through existing channels.
9. Results and improved methods are shared back to the community.
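Step 8 is where the "dangerous" path from the earlier slide is closed: a member decides, from the record's efficacy (B) and cost/toxicity (C), whether to run a shared method at all, whether a human reviews its hits, or whether its hits may drive the Actions layer. The Python below is an added example, not code from the slides, that models the shared record with parts A to E, loads the two records from this slide, pools their regression results (step 9) and applies a consuming member's risk tolerance. The `RiskTolerance` fields, every threshold value, and the "evidence volume before automating" rule are assumptions made for the example; the TP/FP counts, transaction counts and query costs are the slide's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RegressionResult:
    """Part B of a shared record: efficacy against historical data."""
    true_positives: int
    false_positives: int
    transactions: int
    days: int

    def fp_per_million(self):
        return self.false_positives * 1_000_000 / self.transactions


@dataclass(frozen=True)
class SharedAnalytic:
    """One record in the shared Cyber Analytic Repository (parts A to E)."""
    method: str                 # A. machine-consumable query
    efficacy: RegressionResult  # B. regression test results
    cost_seconds: float         # C. cost/toxicity: wall-clock time of one run
    context: str                # D. functional context of the true positives
    design: str                 # E. security design of the relevant systems


@dataclass(frozen=True)
class RiskTolerance:
    """A consuming member's own limits (assumed fields, not from the slides)."""
    max_fp_per_million: float       # noisiest analytic this member will run at all
    max_cost_seconds: float         # slowest query this member will schedule
    auto_act_fp_per_million: float  # stricter bar before hits may drive actions
    min_transactions: int           # evidence volume required before automating


# The two records from this slide; the query text is abbreviated.
ORG_A = SharedAnalytic(
    method='Eventtype=process_start parent_image_path="*\\system32\\services.exe" ...',
    efficacy=RegressionResult(true_positives=1, false_positives=0, transactions=50_000, days=30),
    cost_seconds=0.025, context="Human Resource systems",
    design="Containment and malware detonation solutions in use")
ORG_B = SharedAnalytic(
    method=ORG_A.method + " | where NOT like(...) AND like(...)",
    efficacy=RegressionResult(true_positives=1, false_positives=1, transactions=100_000, days=14),
    cost_seconds=34.0, context="Human Resource systems",
    design="Antivirus and IDS/IPS in use")


def pool(*results):
    """Step 9: combine regression results reported back by several members.
    Days are summed as total observation time across members."""
    return RegressionResult(
        sum(r.true_positives for r in results),
        sum(r.false_positives for r in results),
        sum(r.transactions for r in results),
        sum(r.days for r in results))


def decide(record, tolerance, evidence=None):
    """Step 8: map a shared record onto this member's Decisions layer.
    Returns "skip" (do not run), "alert" (run, a human reviews hits) or
    "auto_act" (run and let hits drive the Actions layer). `evidence` lets
    the caller substitute pooled results for the record's own."""
    ev = evidence or record.efficacy
    fp_rate = ev.fp_per_million()
    if record.cost_seconds > tolerance.max_cost_seconds:
        return "skip"           # too toxic for this environment
    if fp_rate > tolerance.max_fp_per_million:
        return "skip"           # too noisy to be worth analyst time
    enough_evidence = (ev.transactions >= tolerance.min_transactions
                       and ev.true_positives > 0)
    if enough_evidence and fp_rate <= tolerance.auto_act_fp_per_million:
        return "auto_act"
    return "alert"              # default: sense-making, not automagic action


if __name__ == "__main__":
    tol = RiskTolerance(max_fp_per_million=20, max_cost_seconds=30,
                        auto_act_fp_per_million=1, min_transactions=1_000_000)
    print("A:", decide(ORG_A, tol), " B:", decide(ORG_B, tol))
    print("pooled fp/M:", round(pool(ORG_A.efficacy, ORG_B.efficacy).fp_per_million(), 2))
```

With the thresholds above, Organization A's record is run in alert mode only: zero false positives over 50K transactions is encouraging but not enough evidence to let hits block anything, and Organization B's 34-second query is skipped outright by a member whose sensing layer cannot afford it. Pooling the two regression runs is what moves the decision, which is the point of sharing results back in step 9.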
Putting It All Together
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 

How I Learned to Stop Information Sharing and Love the DIKW

  • 6. Analytics Sharing Example: The ThreatHunting Project (www.threathunting.net, also by David Bianco) @sounilyu June 2016

    How we share

    Procedures Indexed by Goal
      • 0-day Exploits: EMET Log Mining
      • Attacker tools in use: Suspicious Process Creation; Windows Service Analysis; Psexec Windows Events
      • BIOS/Firmware tampering: RAM Dumping
      • Command and Control (C2): C2 via Dynamic DNS; Finding the Unknown with HTTP URIs
      • Compromise of Internet-Facing Service: Internet-Facing HTTP Request Analysis; Checking How Outsiders See You; RDP External Access; Finding Known-Bad in Antivirus Logs; Finding Webshells; Webshell Behavior; . . .

    Finding Web Shells
    Purpose
      • Identify web shells (stand-alone | injected)
    Data Required
      • Web server logs (Apache, IIS, etc.)
    Collection Considerations
      • Collect from all webservers, and ensure that parameters are collected.
      • POST data should be collected.
      • For Apache consider using mod_security or mod_dumpio
      • For IIS use Failed Request Tracing / Custom Logging
    Analysis Techniques
      • Stack counting
      • String matching
    Description
      • Stack by page hits -- pages with few hits are a typical sign
      • Add more fidelity by combining views from below (none if the above is giving higher fidelity; one, two or all):
        • No referer from client
        • Stack by unique visits per IP -- most only visit the webshell (no other page hits, no js, no images, etc.)
          • this isn't true of injected webshells (where they are injected into an existing page)
        • Stack by UA uniqueness. This is not always rock solid, but good, because many webshells have client software that sets the UA and many don't change the default
        • Look for parameters passed to image files (e.g., /bad.png?zz=ls)
      • More specific to injected webshells that inject into an existing page:
        • Stack by parameter counts per page -- webshells that create new params on an existing page
        • Again, you can look if referer is missing, UA uniqueness . . .

    Procedures Indexed by Data
      • Anti-Virus Logs: Finding Known-Bad in Antivirus Logs
      • Bro NSM Logs: RDP External Access; C2 via Dynamic DNS; Finding the Unknown with HTTP URIs
      • DNS Query Logs: C2 via Dynamic DNS
      • Host Dumps (RAM, Registry, Process, etc): NTFS Extended Attribute Analysis; Search for Rogue Listeners; Autoruns Analysis; Windows Driver Analysis; Windows Prefetch Cache Analysis; Windows Service Analysis
      • HTTP Proxy Logs: Beacon Detection; User Agent Analysis; . . .
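The stacking views from the Finding Web Shells procedure, run over a constructed Apache combined-log sample, as an added example that is not code from the ThreatHunting Project or from this deck; the sample lines, the hit threshold, the "three views must agree" rule and the function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Apache combined-log sample (not real traffic): a normal page with its image
# asset, and one low-hit "image" taking a command parameter from a client that fetches nothing else.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2016:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jun/2016:10:00:02 +0000] "GET /logo.png HTTP/1.1" 200 800 "http://site/index.php" "Mozilla/5.0"
10.0.0.6 - - [10/Jun/2016:10:01:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Jun/2016:10:01:02 +0000] "GET /logo.png HTTP/1.1" 200 800 "http://site/index.php" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2016:11:00:00 +0000] "GET /img/bad.png?zz=ls HTTP/1.1" 200 312 "-" "python-requests/2.9"
198.51.100.9 - - [10/Jun/2016:11:00:05 +0000] "POST /img/bad.png HTTP/1.1" 200 512 "-" "python-requests/2.9"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def stack_pages(lines):
    """Stack per page: hits, referer-less hits, image+parameter hits, and which pages each IP / UA touched."""
    pages = defaultdict(lambda: {"hits": 0, "ips": set(), "uas": set(), "no_ref": 0, "img_params": 0})
    ip_pages, ua_pages = defaultdict(set), defaultdict(set)
    for r in filter(None, map(parse, lines)):
        u = urlsplit(r["target"]); p = pages[u.path]
        p["hits"] += 1; p["ips"].add(r["ip"]); p["uas"].add(r["ua"])
        p["no_ref"] += r["referer"] in ("", "-")
        p["img_params"] += bool(u.query) and u.path.lower().endswith((".png", ".jpg", ".gif", ".ico"))
        ip_pages[r["ip"]].add(u.path); ua_pages[r["ua"]].add(u.path)
    return pages, ip_pages, ua_pages

def suspicious_pages(lines, max_hits=2, min_views=3):
    """Combine the slide's views; report a page only when several of them agree on it."""
    pages, ip_pages, ua_pages = stack_pages(lines)
    out = {}
    for path, p in pages.items():
        views = {
            "few hits": p["hits"] <= max_hits,
            "no referer from client": p["no_ref"] == p["hits"],
            "visitors fetch only this page": all(ip_pages[ip] == {path} for ip in p["ips"]),
            "user agent unique to this page": all(ua_pages[ua] == {path} for ua in p["uas"]),
            "parameters passed to image file": p["img_params"] > 0,
        }
        agreeing = [name for name, flagged in views.items() if flagged]
        if len(agreeing) >= min_views:
            out[path] = agreeing
    return out
```

On the sample, /index.php also has few hits and no referer, but its visitors fetch other pages, so only /img/bad.png is reported; the injected-webshell case (parameter counts on an existing page) is not covered here.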
  • 7. Analytics Sharing Example: Cyber Analytic Repository (MITRE) @sounilyu June 2016

    How we share (ATT&CK Framework)

    CAR-2014-07-001: Search Path Interception
    Hypothesis: As described in ATT&CK, one method of escalation is intercepting the search path for services, so that legitimate services point to the binary inserted at an intercepted location. This can be done where there are spaces in the path and it is unquoted.
    Instantiation:
      Eventtype=process_start parent_image_path="*system32\services.exe" command_line!="\"*" command_line="* *"
      | rex field=image_path ".*\\(?<img_exe>.*)"
      | rex field=img_exe "(?<img_base>.*)\..*"
      | where NOT like(lower(command_line), lower("%"+img_exe+"%")) AND like(lower(command_line), lower("%"+img_base+"%"))
      | table _time hostname ppid pid parent_image_path image_path command_line img_exe
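The same CAR-2014-07-001 logic expressed in Python over constructed process-start events, as an added example that is not MITRE's or the deck's code; the field names follow the slide's table command, while the events, host names and function names are assumptions.

```python
import ntpath

# Constructed process-start events (not real telemetry). Only the third one is an interception:
# services.exe launched C:\Program.exe although the service's unquoted command line names ...\svc.exe.
EVENTS = [
    {"hostname": "ws01", "ppid": 600, "pid": 4100,
     "parent_image_path": r"C:\Windows\System32\services.exe",
     "image_path": r"C:\Program Files\Vendor App\bin\svc.exe",
     "command_line": r'"C:\Program Files\Vendor App\bin\svc.exe" -run'},   # quoted path: not vulnerable
    {"hostname": "ws01", "ppid": 600, "pid": 4102,
     "parent_image_path": r"C:\Windows\System32\services.exe",
     "image_path": r"C:\Program Files\Vendor App\bin\svc.exe",
     "command_line": r"C:\Program Files\Vendor App\bin\svc.exe -run"},     # unquoted but resolved correctly
    {"hostname": "ws02", "ppid": 604, "pid": 5200,
     "parent_image_path": r"C:\Windows\System32\services.exe",
     "image_path": r"C:\Program.exe",
     "command_line": r"C:\Program Files\Vendor App\bin\svc.exe -run"},     # interception: wrong binary ran
    {"hostname": "ws02", "ppid": 2000, "pid": 5300,
     "parent_image_path": r"C:\Windows\explorer.exe",
     "image_path": r"C:\Program.exe",
     "command_line": r"C:\Program Files\Vendor App\bin\svc.exe"},          # not started by services.exe
]

def is_search_path_interception(ev):
    """Mirror of the slide's query: child of services.exe, unquoted command line containing a space,
    executed file name absent from the command line while its extension-less stem is present."""
    if not ev["parent_image_path"].lower().endswith(r"\system32\services.exe"):
        return False
    cmd = ev["command_line"].lower()
    if cmd.startswith('"') or " " not in cmd:
        return False
    img_exe = ntpath.basename(ev["image_path"]).lower()   # the slide's (?<img_exe>...) capture
    img_base = ntpath.splitext(img_exe)[0]                # the slide's (?<img_base>...) capture
    return img_exe not in cmd and img_base in cmd         # the NOT like(...) AND like(...) clause

def find_interceptions(events):
    """The slide's table step, reduced to the columns needed to triage a hit."""
    return [(e["hostname"], e["pid"], e["image_path"]) for e in events if is_search_path_interception(e)]
```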
  • 8. A community for sharing sense-making @sounilyu June 2016

    Organization A: "I can find intrusions by looking for search path interception in XYZ way"
      Eventtype=process_start parent_image_path="*system32\services.exe" command_line!="\"*" command_line="* *" | rex field=image_path ".*\\(?<img_exe>.*)" | rex field=img_exe "(?<img_base>.*)\..*"
    Organization A Cyber Analytic Repository
    Byproducts and Indicators (shared through Existing Sharing Communities):
      5444ff573794d853d24fbce00548227b
      module.832.13cc55060.9a0000.dll
      hxxp://speedtest[.]netcologne[.]de/test_100mb.bin

    Shared Cyber Analytic Repository
      A. Analytic Method: Eventtype=process_start parent_image_path="*system32\services.exe" command_line!="\"*" command_line="* *" | rex field=image_path ".*\\(?<img_exe>.*)" | rex field=img_exe "(?<img_base>.*)\..*"
      B. Efficacy of Analytic Method: Regression Test Results: 1 TP, 0 FPs over 50K transactions over 1 month
      C. Cost/Toxicity of Analytic Method: Low cost query completing in 25 msec
      D. Context of True Positives: True Positives found in Human Resource systems
      E. Resilient Security Design Patterns: Containment and malware detonation solutions in use

    Organization B: runs the same query from the Shared Cyber Analytic Repository
    Organization B Cyber Analytic Repository
    Byproducts and Indicators:
      436b772438826e2410ef2a45015bc936
      costura.aforge.video.dll
      hxxp://speedtest[.]reliableservers[.]com/100MBtest.bin

    STEPS (① to ⑨ in the diagram)
      1. Someone discovers a new method for finding badness
      2. The new method for discovering that badness is captured as a machine-consumable query
      3. The byproducts of that method are discovered as indicators
      4. Indicators are shared through existing sharing channels
      5. The analytic method is stored in the local Cyber Analytic Repository
      6. The new method is offered to the community. Included with that new method are four other pieces of information:
        b. Regression tests showing efficacy of this new method in terms of true positives and false positives against historical data
        c. The cost or toxicity of running the new method
        d. The functional context of the systems where the new method is effective
        e. The security design for the relevant systems
      7. Members consume the new method
      8. Based on risk tolerance for efficacy and toxicity, members run the new method to discover their own indicators, which may also be shared through existing channels
      9. Results and improved methods are shared back to the community:
        A. Improved Analytic Method: Eventtype=process_start parent_image_path="*system32\services.exe" command_line!="\"*" command_line="* *" | rex field=image_path ".*\\(?<img_exe>.*)" | rex field=img_exe "(?<img_base>.*)\..*" | where NOT like(lower(command_line), lower("%"+img_exe+"%")) AND like(lower(command_line), lower("%"+img_base+"%"))
        B. Efficacy of Analytic Method: Regression Test Results: 1 TP, 1 FP over 100K transactions over 2 weeks
        C. Cost/Toxicity of Analytic Method: Medium cost query completing in 34 sec
        D. Context of True Positives: True Positives found in Human Resource systems
        E. Resilient Security Design Patterns: Antivirus and IDS/IPS in use

    Putting It All Together