SlideShare a Scribd company logo

The Cyber Threat Intelligence Matrix

Download as PPTX, PDF
Frode Hommedal
Frode Hommedal

As we get to know what life in the digital domain is like, one of the revelations we've had is that many large and plenty of smaller organisations are targets of espionage, of the nefarious APT. During the last decade, it has become gospel to wait, watch, analyse and learn if you detect such an attacker in your infrastructure. Why? Because you get one chance to do the eviction of the attacker right. And if you fail, all your efforts will eventually have been for nothing. But for how long should you wait and watch? When have you watched long enough? When have you learned enough? And how do you make that decision? That is the challenge I hope the Cyber Threat Intelligence Matrix can help you face in a more structured manner.

Technology
1 of 40
The Cyber Threat Intelligence Matrix
Alternative title: Have your FAT PIE and eat it too…
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. About Me >> Frode Hommedal - Currently @ Telenor, Norway’s biggest telco. - Head of Incident Response and Security Analytics. - Formerly @ NorCERT, the national CSIRT of Norway. >> APT fighter and CSIRT modeler - Roughly 10 years of CSIRT and SOC experience. - Background from hardware and software development. - Would very much like to help advance the infosec curriculum.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. About this talk >> «How can TI help IR?» I was asked this by a friend and conference director earlier this year. >> «Let me think about it…» The CTI Matrix is the result of me pondering that question for a while, wanting to give a non-obvious answer. Warning: It’s work in progress.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Warning! >> This talk is about incident response And specifically decision making regarding attacker eviction / “cleanup”. >> This talk is for incident responders But I hope it will be useful no matter what kind of security work you do.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Definitions >> Incident response: I will be talking about responding to high risk threat driven incidents where you’re fighting a motivated and mission driven attacker that has had a foothold within your infrastructure for a while. >> Threat intelligence: I will be using this about evidence based knowledge about your adversary, that your adversary would prefer to or benefit from keeping secret, and that is actionable or beneficial to decision making during incident response.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Press release quote «We live in a time where the technological and geopolitical realities have made covert digital infiltration of critical infrastructure commonplace. Responding to such intrusions requires a lot of effort, and there will be a period during the response where you need to observer, analyze and learn before it is possible to take effective actions to successfully evict the attacker from your infrastructure. But knowing whether you are ready to evict an attacker or not, and more importantly, ready to keep the attacker from re-entering your infra-structure at will, is difficult. This is why I started developing the Cyber Threat Intelligence Matrix, and it is for those kinds of situations I hope it can prove to be useful in the future.»
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. A challenging IR lesson We’ve accepted that we need to observe and learn before we try to evict an attacker. But for how long? When are we ready to take action?
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Problem statement How do we utilize threat intelligence to make informed decisions regarding attacker eviction during incident response?
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Proposed solution >> The Cyber Threat Intelligence Matrix The model I will present during this talk, where we map out what we know about an adversary to better understand our readiness to evict them. >> Making the complex accessible Distilling complex knowledge into a simpler representation to promote an informed dialog and decision making process between analysts and mgmt.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Wanted end state >> Less uncertainty regarding eviction Using the CTI Matrix, we should be able to make the decision to evict an attacker with less uncertainty regarding our ability to keep them out. >> Bigger potential for improved accuracy Using the CTI Matrix, we should be able to improve our accuracy over time, reducing the uncertainty of our ability to keep them out even more.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Assertion >> The goal of eviction isn’t “cleanup” Perhaps a bit counterintuitive, but I’ll assert that the goal of evicting an attacker from your infrastructure isn’t to clean up your network. >> It’s to reclaim control and deny re-entry Evicting before you have control is pointless. But evicting before you can deny re- entry is almost equally pointless. That is a point that can be easy to miss.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Eviction is really the ”easy” part.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. It’s denying your adversary re-entry that’s “the crux”.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. If you can’t deny re-entry you may be better off observing… (…while covertly mitigating damage as best you can)
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. So when are you ready?
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. And who gets to decide?
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. (Probably crisis management)
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. (Which means a lot of KISSing) Because they neither want, need nor understand your details.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Now, how can we aid this decision making process?
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. CTI Matrix layout FAT PIE .
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. CTI Matrix layout >> x-axis: Attack stages Describes stages of an attack / intrusion. >> y-axis: Level of knowledge Describes levels of knowledge, and the effectiveness of acting upon it.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. CTI Matrix building blocks >> x-axis: Attack stages - The Cyber Kill Chain. (Mike Hutchins et al.) - Cyber Attack Lifecycle. (Mandiant) - (ATT&CK. (MITRE)) >> y-axis: Level of knowledge - The Pyramid of Pain. (David Bianco) - Detection Maturity Level. (Ryan Stillions) - («The Four Levels of War>>) - (Strong correlation with countermeasure effectiveness)
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The Cyber Kill Chain Courtesy of Lockheed Martin
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The Cyber Attack Life Cycle Courtesy of Mandiant
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix >> x-axis: Attack stages Borrowing from the Cyber Kill Chain and similar models. >> Simplified to 3 stages: - Preparation: Stage 1 and 2 of KC. The attacker prepares the assault. - Intrusion: Stage 3 to 5 of KC. The attacker tries to breach your defenses. - Execution: Stage 6 and 7 of KC. The attacker operates in your infrastructure.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The Pyramid of Pain Courtesy of David Bianco
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Detection Maturity Level Courtesy of Ryan Stillions
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix >> y-axis : Level of knowledge Borrowing from the Pyramid of Pain and Detection Maturity Levels etc. Measures the level / quality of knowledge, and effectiveness when using it. >> Simplified to 3 levels: - Footprint: Specific traces of the attackers. PoP 1 to 4, DML 1 and 2. - Arsenal: Your adversary’s (technical) toolbox. PoP 5, DML 3. - Tradecraft: The way your adversary operates. PoP 6, DML 4 to 6.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Inspiration Courtesy of Devon Kerr
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix So finally: The FAT PIE of CTI If you dare say “but it says TAFPIE”, I will h*t you. I worked really hard for this backronyme…
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Prerequisites To populate the CTI Matrix you first need to classify your evidence using the more granular models. The CTI Matrix is not a replacement for those. It’s using the output.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix FAT PIE - Preparation - Intrusion - Execution - Tradecraft - Arsenal - Footprint Attack stages Knowledge quality
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix >> Classify findings from DFIR - IMPORTANT: This is also threat intelligence. - Remember that you need the A- and T-line too. - If you can only fill the F-line, you’re flying blind. >> Classify findings from CTI - Your own hunting in external sources. - Intelligence shared from third parties. - Only include that what you assess to be of high relevance.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix >> Assess your total knowledge - What do you actually know? - Do your DFIR findings differ from the CTI findings? - Do you have obvious knowledge gaps? >> Assess your readiness to evict - How much knowledge are you able to act upon to deny and evict? - How much knowledge are you able to convert to re-entry prevention? - How much knowledge are you able to convert to re-entry detection?
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Using the CTI Matrix Converted to prevention Converted to detection Knowledge gaps Total knowledge
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. «Ready to evict the attacker?» >> Must define ready The CTI Matrix helps you do that. Or can at least guide your thinking. >> Must measure progress towards “ready” The CTI Matrix helps you do that as well. But not without hard work. >> Should include resistance vs re-entry Successful eviction should be measured against successful resistance to re-entry.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. FIN Thank you for your attendance and interest.
The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Destination Host Reachable >> Questions and comments? Ping me on twitter: @FrodeHommedal with #4SICS and/or #CTIM. >> I would love feedback I don’t have all the answers, and the CTI Matrix is work in progress. >> P.S. Good luck The best of luck defending critical infrastructure. You’re gonna need it.

Recommended

Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsMark Arena
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligencePrachi Mishra
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat IntelligenceNTT Innovation Institute Inc.
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 

Recommended

Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsMark Arena
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligencePrachi Mishra
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat IntelligenceNTT Innovation Institute Inc.
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsIain Dickson
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceMITRE - ATT&CKcon
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...MITRE ATT&CK
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat IntelligenceSirius
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE - ATT&CKcon
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon IntroMITRE ATT&CK
 
Cyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightCyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightDeep Shankar Yadav
 
Automating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorAutomating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorMITRE ATT&CK
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghOWASP Delhi
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillThe Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillFrode Hommedal
 

More Related Content

What's hot

Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsIain Dickson
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceMITRE - ATT&CKcon
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...MITRE ATT&CK
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat IntelligenceSirius
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE - ATT&CKcon
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Cyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightCyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightDeep Shankar Yadav
 
Automating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorAutomating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorMITRE ATT&CK
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghOWASP Delhi
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
 

What's hot (20)

Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feeds
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon Intro
 
Cyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightCyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to Insight
 
Automating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorAutomating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections Collector
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
 

Viewers also liked

Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillThe Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillFrode Hommedal
 
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...Alex Pinto
 
The Internet is on fire – don't just stand there, grab a bucket!
The Internet is on fire – don't just stand there, grab a bucket!The Internet is on fire – don't just stand there, grab a bucket!
The Internet is on fire – don't just stand there, grab a bucket!Frode Hommedal
 
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017Carol Smith
 
Towards a Threat Hunting Automation Maturity Model
Towards a Threat Hunting Automation Maturity ModelTowards a Threat Hunting Automation Maturity Model
Towards a Threat Hunting Automation Maturity ModelAlex Pinto
 
Incident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksIncident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksResilient Systems
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Santiago Bassett
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)MOLOCH: Search for Full Packet Capture (OA Cyber Summit)
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)Open Analytics
 
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityAndrew Case
 
Cyber after Snowden (OA Cyber Summit)
Cyber after Snowden (OA Cyber Summit)Cyber after Snowden (OA Cyber Summit)
Cyber after Snowden (OA Cyber Summit)Open Analytics
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data VisualizationRaffael Marty
 
Introduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsIntroduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsAndrew McNicol
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityRaffael Marty
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 

Viewers also liked (16)

Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)
 
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pillThe Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
The Cyber Threat Intelligence Matrix: Taking the attacker eviction red pill
 
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
 
The Internet is on fire – don't just stand there, grab a bucket!
The Internet is on fire – don't just stand there, grab a bucket!The Internet is on fire – don't just stand there, grab a bucket!
The Internet is on fire – don't just stand there, grab a bucket!
 
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
 
Towards a Threat Hunting Automation Maturity Model
Towards a Threat Hunting Automation Maturity ModelTowards a Threat Hunting Automation Maturity Model
Towards a Threat Hunting Automation Maturity Model
 
Incident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksIncident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber Attacks
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)MOLOCH: Search for Full Packet Capture (OA Cyber Summit)
MOLOCH: Search for Full Packet Capture (OA Cyber Summit)
 
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with Volatility
 
Cyber after Snowden (OA Cyber Summit)
Cyber after Snowden (OA Cyber Summit)Cyber after Snowden (OA Cyber Summit)
Cyber after Snowden (OA Cyber Summit)
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data Visualization
 
Introduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsIntroduction to Python for Security Professionals
Introduction to Python for Security Professionals
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 

Similar to The Cyber Threat Intelligence Matrix

Network security monitoring with open source tools
Network security monitoring with open source toolsNetwork security monitoring with open source tools
Network security monitoring with open source toolsterriert
 
huntpedia.pdf
huntpedia.pdfhuntpedia.pdf
huntpedia.pdfCecilSu
 
What is Crowdstrike.pptx
What is Crowdstrike.pptxWhat is Crowdstrike.pptx
What is Crowdstrike.pptxVictorLee67379
 
Huntpedia
HuntpediaHuntpedia
HuntpediaJc Sv
 
Hacking and its types
Hacking and its typesHacking and its types
Hacking and its typesRishab Gupta
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksMighty Guides, Inc.
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defenceOWASP EEE
 
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Kyle Lai
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04Kyle Lai
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Harry McLaren
 
World of Watson 2016 - Information Insecurity
World of Watson 2016 - Information InsecurityWorld of Watson 2016 - Information Insecurity
World of Watson 2016 - Information InsecurityKeith Redman
 
ShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attackShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attackVladyslav Radetsky
 
MITRE ATT&CK framework and Managed XDR Position Paper
MITRE ATT&CK framework and Managed XDR Position PaperMITRE ATT&CK framework and Managed XDR Position Paper
MITRE ATT&CK framework and Managed XDR Position PaperMarc St-Pierre
 
Nominum Data Science Security Report, Fall 2016
Nominum Data Science Security Report, Fall 2016Nominum Data Science Security Report, Fall 2016
Nominum Data Science Security Report, Fall 2016Brian Metzger
 
Nominum 2016 Fall Data Revelations Security Report
Nominum 2016 Fall Data Revelations Security ReportNominum 2016 Fall Data Revelations Security Report
Nominum 2016 Fall Data Revelations Security ReportYuriy Yuzifovich
 

Similar to The Cyber Threat Intelligence Matrix (20)

Network security monitoring with open source tools
Network security monitoring with open source toolsNetwork security monitoring with open source tools
Network security monitoring with open source tools
 
huntpedia.pdf
huntpedia.pdfhuntpedia.pdf
huntpedia.pdf
 
What is Crowdstrike.pptx
What is Crowdstrike.pptxWhat is Crowdstrike.pptx
What is Crowdstrike.pptx
 
Huntpedia
HuntpediaHuntpedia
Huntpedia
 
Hacking and its types
Hacking and its typesHacking and its types
Hacking and its types
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence
 
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
 
Insight live om It-sikkerhed- Peter Schjøtt
Insight live om It-sikkerhed- Peter SchjøttInsight live om It-sikkerhed- Peter Schjøtt
Insight live om It-sikkerhed- Peter Schjøtt
 
World of Watson 2016 - Information Insecurity
World of Watson 2016 - Information InsecurityWorld of Watson 2016 - Information Insecurity
World of Watson 2016 - Information Insecurity
 
OS17 Brochure
OS17 BrochureOS17 Brochure
OS17 Brochure
 
Network Security
Network SecurityNetwork Security
Network Security
 
Quantum Safety in Certified Cryptographic Modules
Quantum Safety in Certified Cryptographic ModulesQuantum Safety in Certified Cryptographic Modules
Quantum Safety in Certified Cryptographic Modules
 
ITrust Company Overview EN
ITrust Company Overview ENITrust Company Overview EN
ITrust Company Overview EN
 
ShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attackShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attack
 
MITRE ATT&CK framework and Managed XDR Position Paper
MITRE ATT&CK framework and Managed XDR Position PaperMITRE ATT&CK framework and Managed XDR Position Paper
MITRE ATT&CK framework and Managed XDR Position Paper
 
Nominum Data Science Security Report, Fall 2016
Nominum Data Science Security Report, Fall 2016Nominum Data Science Security Report, Fall 2016
Nominum Data Science Security Report, Fall 2016
 
Nominum 2016 Fall Data Revelations Security Report
Nominum 2016 Fall Data Revelations Security ReportNominum 2016 Fall Data Revelations Security Report
Nominum 2016 Fall Data Revelations Security Report
 

Recently uploaded

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

The Cyber Threat Intelligence Matrix

  • 2. Alternative title: Have your FAT PIE and eat it too…
  • 3. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. About Me >> Frode Hommedal - Currently @ Telenor, Norway’s biggest telco. - Head of Incident Response and Security Analytics. - Formerly @ NorCERT, the national CSIRT of Norway. >> APT fighter and CSIRT modeler - Roughly 10 years of CSIRT and SOC experience. - Background from hardware and software development. - Would very much like to help advance the infosec curriculum.
  • 4. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. About this talk >> «How can TI help IR?» I was asked this by a friend and conference director earlier this year. >> «Let me think about it…» The CTI Matrix is the result of me pondering that question for a while, wanting to give a non-obvious answer. Warning: It’s work in progress.
  • 5. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Warning! >> This talk is about incident response And specifically decision making regarding attacker eviction / “cleanup”. >> This talk is for incident responders But I hope it will be useful no matter what kind of security work you do.
  • 6. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Definitions >> Incident response: I will be talking about responding to high risk threat driven incidents where you’re fighting a motivated and mission driven attacker that has had a foothold within your infrastructure for a while. >> Threat intelligence: I will be using this about evidence based knowledge about your adversary, that your adversary would prefer to or benefit from keeping secret, and that is actionable or beneficial to decision making during incident response.
  • 7. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Press release quote «We live in a time where the technological and geopolitical realities have made covert digital infiltration of critical infrastructure commonplace. Responding to such intrusions requires a lot of effort, and there will be a period during the response where you need to observer, analyze and learn before it is possible to take effective actions to successfully evict the attacker from your infrastructure. But knowing whether you are ready to evict an attacker or not, and more importantly, ready to keep the attacker from re-entering your infra-structure at will, is difficult. This is why I started developing the Cyber Threat Intelligence Matrix, and it is for those kinds of situations I hope it can prove to be useful in the future.»
  • 8. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. A challenging IR lesson We’ve accepted that we need to observe and learn before we try to evict an attacker. But for how long? When are we ready to take action?
  • 9. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Problem statement How do we utilize threat intelligence to make informed decisions regarding attacker eviction during incident response?
  • 10. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Proposed solution >> The Cyber Threat Intelligence Matrix The model I will present during this talk, where we map out what we know about an adversary to better understand our readiness to evict them. >> Making the complex accessible Distilling complex knowledge into a simpler representation to promote an informed dialog and decision making process between analysts and mgmt.
  • 11. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Wanted end state >> Less uncertainty regarding eviction Using the CTI Matrix, we should be able to make the decision to evict an attacker with less uncertainty regarding our ability to keep them out. >> Bigger potential for improved accuracy Using the CTI Matrix, we should be able to improve our accuracy over time, reducing the uncertainty of our ability to keep them out even more.
  • 12. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Assertion >> The goal of eviction isn’t “cleanup” Perhaps a bit counterintuitive, but I’ll assert that the goal of evicting an attacker from your infrastructure isn’t to clean up your network. >> It’s to reclaim control and deny re-entry Evicting before you have control is pointless. But evicting before you can deny re- entry is almost equally pointless. That is a point that can be easy to miss.
  • 13. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Eviction is really the ”easy” part.
  • 14. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. It’s denying your adversary re-entry that’s “the crux”.
  • 15. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. If you can’t deny re-entry you may be better off observing… (…while covertly mitigating damage as best you can)
  • 16. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. So when are you ready?
  • 17. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. And who gets to decide?
  • 18. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. (Probably crisis management)
  • 19. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. (Which means a lot of KISSing) Because they neither want, need nor understand your details.
  • 20. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Now, how can we aid this decision making process?
  • 21. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix
  • 22. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. CTI Matrix layout FAT PIE .
  • 23. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. CTI Matrix layout >> x-axis: Attack stages Describes stages of an attack / intrusion. >> y-axis: Level of knowledge Describes levels of knowledge, and the effectiveness of acting upon it.
  • 24. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. CTI Matrix building blocks >> x-axis: Attack stages - The Cyber Kill Chain. (Mike Hutchins et al.) - Cyber Attack Lifecycle. (Mandiant) - (ATT&CK. (MITRE)) >> y-axis: Level of knowledge - The Pyramid of Pain. (David Bianco) - Detection Maturity Level. (Ryan Stillions) - («The Four Levels of War>>) - (Strong correlation with countermeasure effectiveness)
  • 25. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The Cyber Kill Chain Courtesy of Lockheed Martin
  • 26. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The Cyber Attack Life Cycle Courtesy of Mandiant
  • 27. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix >> x-axis: Attack stages Borrowing from the Cyber Kill Chain and similar models. >> Simplified to 3 stages: - Preparation: Stage 1 and 2 of KC. The attacker prepares the assault. - Intrusion: Stage 3 to 5 of KC. The attacker tries to breach your defenses. - Execution: Stage 6 and 7 of KC. The attacker operates in your infrastructure.
  • 28. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The Pyramid of Pain Courtesy of David Bianco
  • 29. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Detection Maturity Level Courtesy of Ryan Stillions
  • 30. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix >> y-axis : Level of knowledge Borrowing from the Pyramid of Pain and Detection Maturity Levels etc. Measures the level / quality of knowledge, and effectiveness when using it. >> Simplified to 3 levels: - Footprint: Specific traces of the attackers. PoP 1 to 4, DML 1 and 2. - Arsenal: Your adversary’s (technical) toolbox. PoP 5, DML 3. - Tradecraft: The way your adversary operates. PoP 6, DML 4 to 6.
  • 31. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Inspiration Courtesy of Devon Kerr
  • 32. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix So finally: The FAT PIE of CTI If you dare say “but it says TAFPIE”, I will h*t you. I worked really hard for this backronyme…
  • 33. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Prerequisites To populate the CTI Matrix you first need to classify your evidence using the more granular models. The CTI Matrix is not a replacement for those. It’s using the output.
  • 34. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix FAT PIE - Preparation - Intrusion - Execution - Tradecraft - Arsenal - Footprint Attack stages Knowledge quality
  • 35. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix >> Classify findings from DFIR - IMPORTANT: This is also threat intelligence. - Remember that you need the A- and T-line too. - If you can only fill the F-line, you’re flying blind. >> Classify findings from CTI - Your own hunting in external sources. - Intelligence shared from third parties. - Only include that what you assess to be of high relevance.
  • 36. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. The CTI Matrix >> Assess your total knowledge - What do you actually know? - Do your DFIR findings differ from the CTI findings? - Do you have obvious knowledge gaps? >> Assess your readiness to evict - How much knowledge are you able to act upon to deny and evict? - How much knowledge are you able to convert to re-entry prevention? - How much knowledge are you able to convert to re-entry detection?
  • 37. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Using the CTI Matrix Converted to prevention Converted to detection Knowledge gaps Total knowledge
  • 38. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. «Ready to evict the attacker?» >> Must define ready The CTI Matrix helps you do that. Or can at least guide your thinking. >> Must measure progress towards “ready” The CTI Matrix helps you do that as well. But not without hard work. >> Should include resistance vs re-entry Successful eviction should be measured against successful resistance to re-entry.
  • 39. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. FIN Thank you for your attendance and interest.
  • 40. The Cyber Threat Intelligence Matrix4SICS, Stockholm, October 27th 2016 ; Frode Hommedal , Telenor. Destination Host Reachable >> Questions and comments? Ping me on twitter: @FrodeHommedal with #4SICS and/or #CTIM. >> I would love feedback I don’t have all the answers, and the CTI Matrix is work in progress. >> P.S. Good luck The best of luck defending critical infrastructure. You’re gonna need it.