SlideShare a Scribd company logo

Managing Indicator Deprecation in ThreatConnect

ThreatConnect
ThreatConnect

The document discusses managing indicator deprecation in ThreatConnect. It explains that indicator deprecation is a system for automatically lowering an indicator's confidence rating over time based on configurable rules. This helps reflect an indicator's staleness and can automatically delete old indicators. The document provides examples of setting deprecation rules for different indicator types and sources, and best practices used by ThreatConnect's research team.

Technology
1 of 22
Download to read offline
SPRING CLEANING Managing Indicator Deprecation in ThreatConnect Alex Valdivia ThreatConnect Research Team March 21, 2017
© 2017 ThreatConnect, Inc. All Rights Reserved. Google Image Search: Roomba Time Lapse
© 2017 ThreatConnect, Inc. All Rights Reserved. Table of Contents Threat Ratings, Confidence, and Deprecation • Threat and Confidence Ratings • Indicator Deprecation Why? • 3 Reasons for Indicator Deprecation • Scenario: VXVault Source How? • Deprecation Rule Configuration • Deprecation Rule Approaches • Additional Considerations and Best Practices Resources Questions 3
© 2017 ThreatConnect, Inc. All Rights Reserved. Threat Ratings, Confidence, and Deprecation 4
© 2017 ThreatConnect, Inc. All Rights Reserved. Threat and Confidence Ratings Threat Ratings • Threat Level of Indicator • Scale of 0-5 Skulls Confidence Ratings • Confidence in Threat Rating • Percentage scale of 0-100
© 2017 ThreatConnect, Inc. All Rights Reserved. Threat Rating Best Practices Threat Rating Factors 1. Capability 2. Determination 3. Progression Threat Rating Scale 0 Skulls Unknown 1 Skull Suspicious 2 Skulls Low 3 Skulls Moderate 4 Skulls High 5 Skulls Critical 6 Blog: https://www.threatconnect.com/blog/best-practices-indicator-rating-and-confidence/
© 2017 ThreatConnect, Inc. All Rights Reserved. Confidence Rating Best Practices Confidence Rating Factors 1. Confirmation 2. Plausibility 3. Consistency Confidence Rating Scale 0 Unknown 1 Discredited 2-29 Improbable 30-49 Doubtful 50-69 Possible 70-89 Probable 90-100 Confirmed 7 Blog: https://www.threatconnect.com/blog/best-practices-indicator-rating-and-confidence/
© 2017 ThreatConnect, Inc. All Rights Reserved. Indicator Deprecation • System for automatically lowering confidence rating of indicators over time. • Does not affect threat rating. • Rules customizable by indicator type. • Enabled at Org, Source, and Community level. • Requires Org Admin or Director role. Interval: 10 Days Confidence Amount: 10
© 2017 ThreatConnect, Inc. All Rights Reserved. But Why? 9
© 2017 ThreatConnect, Inc. All Rights Reserved. 3 Reasons for Indicator Deprecation 1. Lower confidence to reflect indicator’s “staleness” 2. Automatically delete indicators you no longer care about 3. Your analysts don’t know about this feature and you want them to think they’re slowly losing their minds 10
© 2017 ThreatConnect, Inc. All Rights Reserved. Scenario: VXVault Source 11 ● Open Source URL Feed ● 100 URLs per Day ● Default Rating: 3 Skulls ● Default Confidence: 80%
© 2017 ThreatConnect, Inc. All Rights Reserved. Scenario: VXVault Source - No Deprecation 12 Day 1 100 URLs Day 2 200 URLs New URL Old URL Day 90 9K URLs
© 2017 ThreatConnect, Inc. All Rights Reserved. Scenario: VXVault Source - With Deprecation 13 Day 1 100 URLs Day 2 200 URLs Day 90 9K URLs X X X X X
© 2017 ThreatConnect, Inc. All Rights Reserved. But How? 14
© 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rule Configuration - Org 15
© 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rule Configuration - Source/Community 16
© 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rule Configuration ● Indicator Type ○ 10 Types ● Interval ○ Days ● Confidence Amount ○ 1-100 ● Percentage ○ Based on current confidence rating ● Recurring ● Delete At Minimum (Zero) ● Update Chart Upon Deletion 17
© 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rule Approaches Arbitrary Starting Confidence - Control Deprecation Rate • Appropriate for manually created indicators, indicators shared by other users. • I want to lower the confidence of Hosts by 10 every 10 days, and delete when confidence reaches zero. Known Starting Confidence - Control Timing of Confidence Changes, Deletions • Appropriate for ThreatConnect Sources, HTTP Scraper, TAXII, API Integrations. • I want URL indicators to be deleted in 60 days. • I want the confidence of IP Addresses to change from Probable to Possible in 10 days. 18
© 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rules: Additional Considerations Not All Indicators Are Created Equal • URLs vs IP Addresses vs Domains • Pyramid of Pain...ish Not All Feeds Are Created Equal • Malware Domain Feed • Phishing URL Feed • Scanning IP Feed 19 SlowerDeprecation FasterDeprecation No Deprecation >
© 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rules: Research Team Best Practices 20 Indicator Types Probable > Possible Deletion Interval (Days) Deprecation Amount Address, ASN, CIDR 55 days Yes 11 6 URL, Host 110 days No 11 3 Email Address 225 days No 30 4 File, Mutex, Registry Key, User Agent N/A N/A N/A N/A Our team commonly uses the settings below for deprecation rules in ThreatConnect sources collecting data from open source feeds. Do keep in mind, this is not a one-size-fits-all solution!
© 2017 ThreatConnect, Inc. All Rights Reserved. Resources ● ThreatConnect Blog: Best Practices: Indicator Rating and Confidence ● ThreatConnect KnowledgeBase: Configuring Indicator Confidence Deprecation ● This slide deck! ● ThreatConnect Customer Success Representative 21
© 2017 ThreatConnect, Inc. All Rights Reserved. Thank You THREATCONNECT.COM

Recommended

전자지급결제서비스 동향 및 시사점(금융보안연구원)
전자지급결제서비스 동향 및 시사점(금융보안연구원)전자지급결제서비스 동향 및 시사점(금융보안연구원)
전자지급결제서비스 동향 및 시사점(금융보안연구원)
메가트렌드랩 megatrendlab
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE - ATT&CKcon
 
엘라스틱서치 실무 가이드_202204.pdf
엘라스틱서치 실무 가이드_202204.pdf엘라스틱서치 실무 가이드_202204.pdf
엘라스틱서치 실무 가이드_202204.pdf
한 경만
 
YEDI VITTHITHE ADI KOSTHAAM
YEDI VITTHITHE ADI KOSTHAAMYEDI VITTHITHE ADI KOSTHAAM
YEDI VITTHITHE ADI KOSTHAAM
Shalem Arasavelli
 
Sandbox Evasion Cheat Sheet
Sandbox Evasion Cheat SheetSandbox Evasion Cheat Sheet
Sandbox Evasion Cheat Sheet
Thomas Roccia
 
Threat Hunting with Splunk
Threat Hunting with Splunk Threat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 

Recommended

전자지급결제서비스 동향 및 시사점(금융보안연구원)
전자지급결제서비스 동향 및 시사점(금융보안연구원)전자지급결제서비스 동향 및 시사점(금융보안연구원)
전자지급결제서비스 동향 및 시사점(금융보안연구원)
메가트렌드랩 megatrendlab
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE - ATT&CKcon
 
엘라스틱서치 실무 가이드_202204.pdf
엘라스틱서치 실무 가이드_202204.pdf엘라스틱서치 실무 가이드_202204.pdf
엘라스틱서치 실무 가이드_202204.pdf
한 경만
 
YEDI VITTHITHE ADI KOSTHAAM
YEDI VITTHITHE ADI KOSTHAAMYEDI VITTHITHE ADI KOSTHAAM
YEDI VITTHITHE ADI KOSTHAAM
Shalem Arasavelli
 
Sandbox Evasion Cheat Sheet
Sandbox Evasion Cheat SheetSandbox Evasion Cheat Sheet
Sandbox Evasion Cheat Sheet
Thomas Roccia
 
Threat Hunting with Splunk
Threat Hunting with Splunk Threat Hunting with Splunk
Threat Hunting with Splunk
Splunk
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
네이버 오픈세미나 백엔드_아키텍쳐
네이버 오픈세미나 백엔드_아키텍쳐네이버 오픈세미나 백엔드_아키텍쳐
네이버 오픈세미나 백엔드_아키텍쳐
NAVER D2
 
Caching solutions with Redis
Caching solutions with RedisCaching solutions with Redis
Caching solutions with Redis
George Platon
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Sounil Yu
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
Surachai Chatchalermpun
 
Agile Mumbai 2022 - Ashwinee Singh | Agile in AI or AI in Agile?
Agile Mumbai 2022 - Ashwinee Singh | Agile in AI or AI in Agile?Agile Mumbai 2022 - Ashwinee Singh | Agile in AI or AI in Agile?
Agile Mumbai 2022 - Ashwinee Singh | Agile in AI or AI in Agile?
AgileNetwork
 
DIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident responseDIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident response
Nathan Case
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Atomic design in React
Atomic design in ReactAtomic design in React
Atomic design in React
Hamid Feizabadi
 
Embulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loaderEmbulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loader
Sadayuki Furuhashi
 
Competencias del Agile Coach
Competencias del Agile CoachCompetencias del Agile Coach
Competencias del Agile Coach
José Morales
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
Sounil Yu
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
LAST Conference 2016 Agile Landscape Presentation v1
LAST Conference 2016 Agile Landscape Presentation v1LAST Conference 2016 Agile Landscape Presentation v1
LAST Conference 2016 Agile Landscape Presentation v1
Chris Webb
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area
Orange Tsai
 
No estimates - 10 new principles for testing
No estimates - 10 new principles for testingNo estimates - 10 new principles for testing
No estimates - 10 new principles for testing
Vasco Duarte
 
Role based access control
Role based access controlRole based access control
Role based access control
Peter Edwards
 
Rapid Threat Model Prototyping methodology
Rapid Threat Model Prototyping methodologyRapid Threat Model Prototyping methodology
Rapid Threat Model Prototyping methodology
Geoffrey Hill
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
DefconRussia
 
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
DefconRussia
 
DIY Education in Cyber Security
DIY Education in Cyber SecurityDIY Education in Cyber Security
DIY Education in Cyber Security
Kelly Shortridge
 

More Related Content

What's hot

네이버 오픈세미나 백엔드_아키텍쳐
네이버 오픈세미나 백엔드_아키텍쳐네이버 오픈세미나 백엔드_아키텍쳐
네이버 오픈세미나 백엔드_아키텍쳐
NAVER D2
 
Caching solutions with Redis
Caching solutions with RedisCaching solutions with Redis
Caching solutions with Redis
George Platon
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Sounil Yu
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
Surachai Chatchalermpun
 
Agile Mumbai 2022 - Ashwinee Singh | Agile in AI or AI in Agile?
Agile Mumbai 2022 - Ashwinee Singh | Agile in AI or AI in Agile?Agile Mumbai 2022 - Ashwinee Singh | Agile in AI or AI in Agile?
Agile Mumbai 2022 - Ashwinee Singh | Agile in AI or AI in Agile?
AgileNetwork
 
DIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident responseDIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident response
Nathan Case
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Atomic design in React
Atomic design in ReactAtomic design in React
Atomic design in React
Hamid Feizabadi
 
Embulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loaderEmbulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loader
Sadayuki Furuhashi
 
Competencias del Agile Coach
Competencias del Agile CoachCompetencias del Agile Coach
Competencias del Agile Coach
José Morales
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
Sounil Yu
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
Nutan Kumar Panda
 
LAST Conference 2016 Agile Landscape Presentation v1
LAST Conference 2016 Agile Landscape Presentation v1LAST Conference 2016 Agile Landscape Presentation v1
LAST Conference 2016 Agile Landscape Presentation v1
Chris Webb
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area
Orange Tsai
 
No estimates - 10 new principles for testing
No estimates - 10 new principles for testingNo estimates - 10 new principles for testing
No estimates - 10 new principles for testing
Vasco Duarte
 
Role based access control
Role based access controlRole based access control
Role based access control
Peter Edwards
 
Rapid Threat Model Prototyping methodology
Rapid Threat Model Prototyping methodologyRapid Threat Model Prototyping methodology
Rapid Threat Model Prototyping methodology
Geoffrey Hill
 

What's hot (18)

네이버 오픈세미나 백엔드_아키텍쳐
네이버 오픈세미나 백엔드_아키텍쳐네이버 오픈세미나 백엔드_아키텍쳐
네이버 오픈세미나 백엔드_아키텍쳐
 
Caching solutions with Redis
Caching solutions with RedisCaching solutions with Redis
Caching solutions with Redis
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
 
Agile Mumbai 2022 - Ashwinee Singh | Agile in AI or AI in Agile?
Agile Mumbai 2022 - Ashwinee Singh | Agile in AI or AI in Agile?Agile Mumbai 2022 - Ashwinee Singh | Agile in AI or AI in Agile?
Agile Mumbai 2022 - Ashwinee Singh | Agile in AI or AI in Agile?
 
DIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident responseDIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident response
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Atomic design in React
Atomic design in ReactAtomic design in React
Atomic design in React
 
Embulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loaderEmbulk, an open-source plugin-based parallel bulk data loader
Embulk, an open-source plugin-based parallel bulk data loader
 
Competencias del Agile Coach
Competencias del Agile CoachCompetencias del Agile Coach
Competencias del Agile Coach
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
LAST Conference 2016 Agile Landscape Presentation v1
LAST Conference 2016 Agile Landscape Presentation v1LAST Conference 2016 Agile Landscape Presentation v1
LAST Conference 2016 Agile Landscape Presentation v1
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area
 
No estimates - 10 new principles for testing
No estimates - 10 new principles for testingNo estimates - 10 new principles for testing
No estimates - 10 new principles for testing
 
Role based access control
Role based access controlRole based access control
Role based access control
 
Rapid Threat Model Prototyping methodology
Rapid Threat Model Prototyping methodologyRapid Threat Model Prototyping methodology
Rapid Threat Model Prototyping methodology
 

Viewers also liked

[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
DefconRussia
 
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
DefconRussia
 
DIY Education in Cyber Security
DIY Education in Cyber SecurityDIY Education in Cyber Security
DIY Education in Cyber Security
Kelly Shortridge
 
The Art of Explanation: Behavioral models of infosec
The Art of Explanation: Behavioral models of infosecThe Art of Explanation: Behavioral models of infosec
The Art of Explanation: Behavioral models of infosec
Kelly Shortridge
 
How to Become an InfoSec Autodidact
How to Become an InfoSec AutodidactHow to Become an InfoSec Autodidact
How to Become an InfoSec Autodidact
Kelly Shortridge
 
Know Thyself: Optimizing Team Decision-Making
Know Thyself: Optimizing Team Decision-MakingKnow Thyself: Optimizing Team Decision-Making
Know Thyself: Optimizing Team Decision-Making
Kelly Shortridge
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
DefconRussia
 
It walks, It talks and it will conduct economic espionage by Greg Carpenter
It walks, It talks and it will conduct economic espionage by Greg CarpenterIt walks, It talks and it will conduct economic espionage by Greg Carpenter
It walks, It talks and it will conduct economic espionage by Greg Carpenter
EC-Council
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
BeyondTrust
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?
Digital Bond
 
State of the Net
State of the NetState of the Net
State of the Net
Mikko Hypponen
 
Softcat Splunk Discovery Day Manchester, March 2017
Softcat Splunk Discovery Day Manchester, March 2017Softcat Splunk Discovery Day Manchester, March 2017
Softcat Splunk Discovery Day Manchester, March 2017
Splunk
 
Building a Security Information and Event Management platform at Travis Per...
Building a Security Information and Event Management platform at Travis Per... Building a Security Information and Event Management platform at Travis Per...
Building a Security Information and Event Management platform at Travis Per...
Splunk
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network Security
Thomas Graf
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
CTruncer
 
Volatile Memory: Behavioral Game Theory in Defensive Security
Volatile Memory: Behavioral Game Theory in Defensive SecurityVolatile Memory: Behavioral Game Theory in Defensive Security
Volatile Memory: Behavioral Game Theory in Defensive Security
Kelly Shortridge
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CanSecWest
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CanSecWest
 

Viewers also liked (20)

[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
DIY Education in Cyber Security
DIY Education in Cyber SecurityDIY Education in Cyber Security
DIY Education in Cyber Security
 
The Art of Explanation: Behavioral models of infosec
The Art of Explanation: Behavioral models of infosecThe Art of Explanation: Behavioral models of infosec
The Art of Explanation: Behavioral models of infosec
 
How to Become an InfoSec Autodidact
How to Become an InfoSec AutodidactHow to Become an InfoSec Autodidact
How to Become an InfoSec Autodidact
 
Know Thyself: Optimizing Team Decision-Making
Know Thyself: Optimizing Team Decision-MakingKnow Thyself: Optimizing Team Decision-Making
Know Thyself: Optimizing Team Decision-Making
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
It walks, It talks and it will conduct economic espionage by Greg Carpenter
It walks, It talks and it will conduct economic espionage by Greg CarpenterIt walks, It talks and it will conduct economic espionage by Greg Carpenter
It walks, It talks and it will conduct economic espionage by Greg Carpenter
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?
 
State of the Net
State of the NetState of the Net
State of the Net
 
Softcat Splunk Discovery Day Manchester, March 2017
Softcat Splunk Discovery Day Manchester, March 2017Softcat Splunk Discovery Day Manchester, March 2017
Softcat Splunk Discovery Day Manchester, March 2017
 
Building a Security Information and Event Management platform at Travis Per...
Building a Security Information and Event Management platform at Travis Per... Building a Security Information and Event Management platform at Travis Per...
Building a Security Information and Event Management platform at Travis Per...
 
Linux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network SecurityLinux Native, HTTP Aware Network Security
Linux Native, HTTP Aware Network Security
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
 
Volatile Memory: Behavioral Game Theory in Defensive Security
Volatile Memory: Behavioral Game Theory in Defensive SecurityVolatile Memory: Behavioral Game Theory in Defensive Security
Volatile Memory: Behavioral Game Theory in Defensive Security
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_markCSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
 

Similar to Managing Indicator Deprecation in ThreatConnect

Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Splunk
 
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
Amazon Web Services
 
How to improve resilience and respond better to Cyber Attacks with ISO 22301?
How to improve resilience and respond better to Cyber Attacks with ISO 22301?How to improve resilience and respond better to Cyber Attacks with ISO 22301?
How to improve resilience and respond better to Cyber Attacks with ISO 22301?
PECB
 
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
Amazon Web Services
 
ABD310 big data aws and security no notes
ABD310 big data aws and security no notesABD310 big data aws and security no notes
ABD310 big data aws and security no notes
Amazon Web Services
 
Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Inv...
Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Inv...Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Inv...
Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Inv...
Amazon Web Services
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon Web Services
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
SID331_Architecting Security and Governance Across a Multi-Account Strategy
SID331_Architecting Security and Governance Across a Multi-Account StrategySID331_Architecting Security and Governance Across a Multi-Account Strategy
SID331_Architecting Security and Governance Across a Multi-Account Strategy
Amazon Web Services
 
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
Amazon Web Services
 
Understanding AWS Secrets Manager - AWS Online Tech Talks
Understanding AWS Secrets Manager - AWS Online Tech TalksUnderstanding AWS Secrets Manager - AWS Online Tech Talks
Understanding AWS Secrets Manager - AWS Online Tech Talks
Amazon Web Services
 
Speed and security for your PHP application
Speed and security for your PHP applicationSpeed and security for your PHP application
Speed and security for your PHP application
Zend by Rogue Wave Software
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough?
Zscaler
 
Amazon Macie Demo
Amazon Macie DemoAmazon Macie Demo
Amazon Macie Demo
Amazon Web Services
 
How to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less timeHow to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less time
Rogue Wave Software
 
NEW LAUNCH! Introduction to Amazon GuardDuty - SID218 - re:Invent 2017
NEW LAUNCH! Introduction to Amazon GuardDuty - SID218 - re:Invent 2017NEW LAUNCH! Introduction to Amazon GuardDuty - SID218 - re:Invent 2017
NEW LAUNCH! Introduction to Amazon GuardDuty - SID218 - re:Invent 2017
Amazon Web Services
 
Application Security in a DevOps World
Application Security in a DevOps WorldApplication Security in a DevOps World
Application Security in a DevOps World
CA Technologies
 
DEV332_Using AWS to Achieve Both Autonomy and Governance at 3M
DEV332_Using AWS to Achieve Both Autonomy and Governance at 3MDEV332_Using AWS to Achieve Both Autonomy and Governance at 3M
DEV332_Using AWS to Achieve Both Autonomy and Governance at 3M
Amazon Web Services
 
Using AWS to Achieve Both Autonomy and Governance at 3M
Using AWS to Achieve Both Autonomy and Governance at 3MUsing AWS to Achieve Both Autonomy and Governance at 3M
Using AWS to Achieve Both Autonomy and Governance at 3M
Casey Lee
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike
 

Similar to Managing Indicator Deprecation in ThreatConnect (20)

Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
Using Splunk to Defend Against Advanced Threats - Webinar Slides: November 2017
 
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
How BrightEdge Achieves End-to-End Security Visibility with Splunk and AWS
 
How to improve resilience and respond better to Cyber Attacks with ISO 22301?
How to improve resilience and respond better to Cyber Attacks with ISO 22301?How to improve resilience and respond better to Cyber Attacks with ISO 22301?
How to improve resilience and respond better to Cyber Attacks with ISO 22301?
 
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
Centrally Protect Your AWS Resources with Amazon GuardDuty - AWS Online Tech ...
 
ABD310 big data aws and security no notes
ABD310 big data aws and security no notesABD310 big data aws and security no notes
ABD310 big data aws and security no notes
 
Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Inv...
Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Inv...Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Inv...
Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Inv...
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security RisksOWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
 
SID331_Architecting Security and Governance Across a Multi-Account Strategy
SID331_Architecting Security and Governance Across a Multi-Account StrategySID331_Architecting Security and Governance Across a Multi-Account Strategy
SID331_Architecting Security and Governance Across a Multi-Account Strategy
 
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
How Dow Jones Identifies, Analyzes, and Remediates Security Issues with Hamme...
 
Understanding AWS Secrets Manager - AWS Online Tech Talks
Understanding AWS Secrets Manager - AWS Online Tech TalksUnderstanding AWS Secrets Manager - AWS Online Tech Talks
Understanding AWS Secrets Manager - AWS Online Tech Talks
 
Speed and security for your PHP application
Speed and security for your PHP applicationSpeed and security for your PHP application
Speed and security for your PHP application
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough?
 
Amazon Macie Demo
Amazon Macie DemoAmazon Macie Demo
Amazon Macie Demo
 
How to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less timeHow to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less time
 
NEW LAUNCH! Introduction to Amazon GuardDuty - SID218 - re:Invent 2017
NEW LAUNCH! Introduction to Amazon GuardDuty - SID218 - re:Invent 2017NEW LAUNCH! Introduction to Amazon GuardDuty - SID218 - re:Invent 2017
NEW LAUNCH! Introduction to Amazon GuardDuty - SID218 - re:Invent 2017
 
Application Security in a DevOps World
Application Security in a DevOps WorldApplication Security in a DevOps World
Application Security in a DevOps World
 
DEV332_Using AWS to Achieve Both Autonomy and Governance at 3M
DEV332_Using AWS to Achieve Both Autonomy and Governance at 3MDEV332_Using AWS to Achieve Both Autonomy and Governance at 3M
DEV332_Using AWS to Achieve Both Autonomy and Governance at 3M
 
Using AWS to Achieve Both Autonomy and Governance at 3M
Using AWS to Achieve Both Autonomy and Governance at 3MUsing AWS to Achieve Both Autonomy and Governance at 3M
Using AWS to Achieve Both Autonomy and Governance at 3M
 
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
CrowdStrike CrowdCast: Is Ransomware Morphing Beyond The Ability Of Standard ...
 

More from ThreatConnect

Advanced Threat Hunting - BotConf 2017
Advanced Threat Hunting - BotConf 2017Advanced Threat Hunting - BotConf 2017
Advanced Threat Hunting - BotConf 2017
ThreatConnect
 
Save Time and Act Faster with Playbooks
Save Time and Act Faster with PlaybooksSave Time and Act Faster with Playbooks
Save Time and Act Faster with Playbooks
ThreatConnect
 
Intelligence driven defense webinar
Intelligence driven defense webinarIntelligence driven defense webinar
Intelligence driven defense webinar
ThreatConnect
 
Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?
ThreatConnect
 
Operationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent ActorsOperationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent Actors
ThreatConnect
 
Threat Intelligence is a Journey; Not a Destination
Threat Intelligence is a Journey; Not a DestinationThreat Intelligence is a Journey; Not a Destination
Threat Intelligence is a Journey; Not a Destination
ThreatConnect
 
Episode IV: A New Scope
Episode IV: A New ScopeEpisode IV: A New Scope
Episode IV: A New Scope
ThreatConnect
 
Open Source Malware Lab
Open Source Malware LabOpen Source Malware Lab
Open Source Malware Lab
ThreatConnect
 
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
ThreatConnect
 
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
ThreatConnect
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar Slides
ThreatConnect
 
The Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence WebinarThe Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence Webinar
ThreatConnect
 
Dollars and Sense of Sharing Threat Intelligence
Dollars and Sense of Sharing Threat IntelligenceDollars and Sense of Sharing Threat Intelligence
Dollars and Sense of Sharing Threat Intelligence
ThreatConnect
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat Intelligence
ThreatConnect
 

More from ThreatConnect (14)

Advanced Threat Hunting - BotConf 2017
Advanced Threat Hunting - BotConf 2017Advanced Threat Hunting - BotConf 2017
Advanced Threat Hunting - BotConf 2017
 
Save Time and Act Faster with Playbooks
Save Time and Act Faster with PlaybooksSave Time and Act Faster with Playbooks
Save Time and Act Faster with Playbooks
 
Intelligence driven defense webinar
Intelligence driven defense webinarIntelligence driven defense webinar
Intelligence driven defense webinar
 
Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?
 
Operationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent ActorsOperationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent Actors
 
Threat Intelligence is a Journey; Not a Destination
Threat Intelligence is a Journey; Not a DestinationThreat Intelligence is a Journey; Not a Destination
Threat Intelligence is a Journey; Not a Destination
 
Episode IV: A New Scope
Episode IV: A New ScopeEpisode IV: A New Scope
Episode IV: A New Scope
 
Open Source Malware Lab
Open Source Malware LabOpen Source Malware Lab
Open Source Malware Lab
 
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
 
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
 
Maltego Webinar Slides
Maltego Webinar SlidesMaltego Webinar Slides
Maltego Webinar Slides
 
The Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence WebinarThe Business Benefits of Threat Intelligence Webinar
The Business Benefits of Threat Intelligence Webinar
 
Dollars and Sense of Sharing Threat Intelligence
Dollars and Sense of Sharing Threat IntelligenceDollars and Sense of Sharing Threat Intelligence
Dollars and Sense of Sharing Threat Intelligence
 
The Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat IntelligenceThe Diamond Model for Intrusion Analysis - Threat Intelligence
The Diamond Model for Intrusion Analysis - Threat Intelligence
 

Recently uploaded

Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
jpupo2018
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 

Recently uploaded (20)

Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Project Management Semester Long Project - Acuity
Project Management Semester Long Project - AcuityProject Management Semester Long Project - Acuity
Project Management Semester Long Project - Acuity
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 

Managing Indicator Deprecation in ThreatConnect

  • 1. SPRING CLEANING Managing Indicator Deprecation in ThreatConnect Alex Valdivia ThreatConnect Research Team March 21, 2017
  • 2. © 2017 ThreatConnect, Inc. All Rights Reserved. Google Image Search: Roomba Time Lapse
  • 3. © 2017 ThreatConnect, Inc. All Rights Reserved. Table of Contents Threat Ratings, Confidence, and Deprecation • Threat and Confidence Ratings • Indicator Deprecation Why? • 3 Reasons for Indicator Deprecation • Scenario: VXVault Source How? • Deprecation Rule Configuration • Deprecation Rule Approaches • Additional Considerations and Best Practices Resources Questions 3
  • 4. © 2017 ThreatConnect, Inc. All Rights Reserved. Threat Ratings, Confidence, and Deprecation 4
  • 5. © 2017 ThreatConnect, Inc. All Rights Reserved. Threat and Confidence Ratings Threat Ratings • Threat Level of Indicator • Scale of 0-5 Skulls Confidence Ratings • Confidence in Threat Rating • Percentage scale of 0-100
  • 6. © 2017 ThreatConnect, Inc. All Rights Reserved. Threat Rating Best Practices Threat Rating Factors 1. Capability 2. Determination 3. Progression Threat Rating Scale 0 Skulls Unknown 1 Skull Suspicious 2 Skulls Low 3 Skulls Moderate 4 Skulls High 5 Skulls Critical 6 Blog: https://www.threatconnect.com/blog/best-practices-indicator-rating-and-confidence/
  • 7. © 2017 ThreatConnect, Inc. All Rights Reserved. Confidence Rating Best Practices Confidence Rating Factors 1. Confirmation 2. Plausibility 3. Consistency Confidence Rating Scale 0 Unknown 1 Discredited 2-29 Improbable 30-49 Doubtful 50-69 Possible 70-89 Probable 90-100 Confirmed 7 Blog: https://www.threatconnect.com/blog/best-practices-indicator-rating-and-confidence/
  • 8. © 2017 ThreatConnect, Inc. All Rights Reserved. Indicator Deprecation • System for automatically lowering confidence rating of indicators over time. • Does not affect threat rating. • Rules customizable by indicator type. • Enabled at Org, Source, and Community level. • Requires Org Admin or Director role. Interval: 10 Days Confidence Amount: 10
  • 9. © 2017 ThreatConnect, Inc. All Rights Reserved. But Why? 9
  • 10. © 2017 ThreatConnect, Inc. All Rights Reserved. 3 Reasons for Indicator Deprecation 1. Lower confidence to reflect indicator’s “staleness” 2. Automatically delete indicators you no longer care about 3. Your analysts don’t know about this feature and you want them to think they’re slowly losing their minds 10
  • 11. © 2017 ThreatConnect, Inc. All Rights Reserved. Scenario: VXVault Source 11 ● Open Source URL Feed ● 100 URLs per Day ● Default Rating: 3 Skulls ● Default Confidence: 80%
  • 12. © 2017 ThreatConnect, Inc. All Rights Reserved. Scenario: VXVault Source - No Deprecation 12 Day 1 100 URLs Day 2 200 URLs New URL Old URL Day 90 9K URLs
  • 13. © 2017 ThreatConnect, Inc. All Rights Reserved. Scenario: VXVault Source - With Deprecation 13 Day 1 100 URLs Day 2 200 URLs Day 90 9K URLs X X X X X
  • 14. © 2017 ThreatConnect, Inc. All Rights Reserved. But How? 14
  • 15. © 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rule Configuration - Org 15
  • 16. © 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rule Configuration - Source/Community 16
  • 17. © 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rule Configuration ● Indicator Type ○ 10 Types ● Interval ○ Days ● Confidence Amount ○ 1-100 ● Percentage ○ Based on current confidence rating ● Recurring ● Delete At Minimum (Zero) ● Update Chart Upon Deletion 17
  • 18. © 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rule Approaches Arbitrary Starting Confidence - Control Deprecation Rate • Appropriate for manually created indicators, indicators shared by other users. • I want to lower the confidence of Hosts by 10 every 10 days, and delete when confidence reaches zero. Known Starting Confidence - Control Timing of Confidence Changes, Deletions • Appropriate for ThreatConnect Sources, HTTP Scraper, TAXII, API Integrations. • I want URL indicators to be deleted in 60 days. • I want the confidence of IP Addresses to change from Probable to Possible in 10 days. 18
  • 19. © 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rules: Additional Considerations Not All Indicators Are Created Equal • URLs vs IP Addresses vs Domains • Pyramid of Pain...ish Not All Feeds Are Created Equal • Malware Domain Feed • Phishing URL Feed • Scanning IP Feed 19 SlowerDeprecation FasterDeprecation No Deprecation >
  • 20. © 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rules: Research Team Best Practices 20 Indicator Types Probable > Possible Deletion Interval (Days) Deprecation Amount Address, ASN, CIDR 55 days Yes 11 6 URL, Host 110 days No 11 3 Email Address 225 days No 30 4 File, Mutex, Registry Key, User Agent N/A N/A N/A N/A Our team commonly uses the settings below for deprecation rules in ThreatConnect sources collecting data from open source feeds. Do keep in mind, this is not a one-size-fits-all solution!
  • 21. © 2017 ThreatConnect, Inc. All Rights Reserved. Resources ● ThreatConnect Blog: Best Practices: Indicator Rating and Confidence ● ThreatConnect KnowledgeBase: Configuring Indicator Confidence Deprecation ● This slide deck! ● ThreatConnect Customer Success Representative 21
  • 22. © 2017 ThreatConnect, Inc. All Rights Reserved. Thank You THREATCONNECT.COM