Threat Intelligence
• Information about adversaries
  ◦ Intelligence gathered about adversaries
  ◦ Threat landscape
• Need to understand how adversaries operate
• Broad -> Specific
  ◦ Broad to understand their techniques, useful for hunting + anomaly based searches
  ◦ Specific to understand exactly what they look like, useful for signatures
• Learn the tools, techniques, and infrastructure of adversaries
• Threat landscapes vary between organizations
  ◦ Even by the same adversary
Incident
Response
1
Understand your risk
• To begin to understand the threat, you need to characterize your org’s risk
• Risk == Vulnerability + Impact + Threat
• Vulnerability
  ◦ What exposure does your system have?
  ◦ Any known weaknesses that could be leveraged?
• Impact
  ◦ What happens if you are compromised?
  ◦ Not something that can be changed by the organization, often just a factor of what the organization is/has
• Threat
Risk – the threat
• Why would an adversary want to compromise the org?
• Does the adversary want to compromise the org?
  ◦ Do they gain anything?
  ◦ What do they gain?
• What capabilities does the adversary have?
• Does the adversary have the technical capability for successful compromise?
• Do identified vulnerabilities align with an adversary’s capabilities?
Threat Intelligence
• The idea is to have more risks in the known knowns category
  ◦ Ideally, as few unknown unknowns as possible
• Can come from many different sources, ranging from
  ◦ A news report about an attack on a flaw
  ◦ to learning how an adversary is targeting a competing organization
• The UK’s National Cyber Security Centre divides threat intelligence into four categories
  ◦ Strategic
  ◦ Operational
  ◦ Tactical
  ◦ Technical
Strategic Intelligence
• High level
• Typically acquired at the board or senior manager level
• Not technical information
• Typically about an attack’s potential
  ◦ Financial impact
  ◦ Impact on business decisions
• Example:
  ◦ A report states a foreign government hacks into foreign companies with direct competitors in their own nation
  ◦ Your organization is identified as a competitor
Operational Intelligence
• Information about a specific incoming attack
• Typically acquired by high level security staff
• Rarely available
  ◦ Typically only a government has access to such information
  ◦ No legal way for private companies to access this info on their own
• In rare cases the info may be available
  ◦ Public actors (hacktivists)
  ◦ Link cyber attacks to real world events
Tactical Intelligence
• Information about how adversaries are conducting their attacks
• TTPs – Tactics, Techniques, and Procedures
• Typically acquired by defenders and incident responders
• Example:
  ◦ Learning an adversary is using PsExec to move laterally
  ◦ Block remote logins by admins and/or log and monitor this activity
• Typically obtained through:
  ◦ Talking with other defenders about what they’re seeing
  ◦ Purchasing a threat feed of this information
  ◦ White papers
Technical Intelligence
• Deeply technical data consumed through technical methods
• Example:
  ◦ Feed of malicious IP addresses
  ◦ Feed of malicious domain names
  ◦ Feed of malicious software hashes
• Often short-lived – attackers can change IP addresses
• Often feeds monitoring and alerting solutions
Threat Intelligence Feeds
• Feed of indicators or artifacts from a third party
• Often focus on one indicator area
  ◦ IP addresses
  ◦ Domains
  ◦ Hashes
• Real-time
  ◦ Automatically updates with the latest available threat information
• Some free feeds, many paid feeds
• Six main data source types – ideally cover as many as possible
  ◦ Open Source
  ◦ Customer telemetry
  ◦ Honeypots
  ◦ Scanning/crawling
  ◦ Malware processing
  ◦ Human intelligence
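The technical-intelligence pipeline of the last three slides, as an added example that is not part of the original deck: a feed of IP, domain and hash indicators is aged out per type (IPs churn, hashes persist), then matched against log lines to raise alerts. The feed entries, log formats and freshness windows are all constructed here.

```python
import re
from datetime import date, timedelta

# Constructed feed entries: indicator type, value and the day the provider last
# saw it active. Network indicators age out fast because attackers rotate IPs.
FEED = [
    {"type": "ip", "value": "203.0.113.7", "last_seen": date(2024, 5, 28)},
    {"type": "ip", "value": "198.51.100.12", "last_seen": date(2024, 1, 3)},
    {"type": "domain", "value": "update.example.net", "last_seen": date(2024, 5, 30)},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "last_seen": date(2023, 11, 1)},
]

# Per-type freshness window in days: IPs and domains churn, file hashes stay valid far longer.
MAX_AGE_DAYS = {"ip": 30, "domain": 30, "md5": 365}

# Constructed log lines from three sources (proxy, DNS, endpoint file event).
LOGS = [
    "2024-06-01T10:02:11 proxy src=10.0.0.5 dst=203.0.113.7 host=cdn.example.org",
    "2024-06-01T10:02:12 dns client=10.0.0.5 query=update.example.net rcode=NOERROR",
    "2024-06-01T10:05:40 proxy src=10.0.0.9 dst=198.51.100.12 host=old.example.org",
    "2024-06-01T10:07:03 edr host=WS-17 file=C:\\Users\\a\\x.exe md5=d41d8cd98f00b204e9800998ecf8427e",
]

# How to pull each indicator type out of a free-form log line.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"(?:host|query)=([A-Za-z0-9.-]+)"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
}

def active_indicators(feed, today_iso, max_age_days=MAX_AGE_DAYS):
    """Return the set of (type, value) still inside its type's freshness window."""
    today = date.fromisoformat(today_iso)
    active = set()
    for entry in feed:
        cutoff = today - timedelta(days=max_age_days[entry["type"]])
        if entry["last_seen"] >= cutoff:
            active.add((entry["type"], entry["value"].lower()))
    return active

def match_logs(logs, active):
    """Return (log line, indicator type, value) for each hit on an active indicator."""
    hits = []
    for line in logs:
        for kind, pattern in EXTRACTORS.items():
            for m in pattern.finditer(line):
                value = (m.group(1) if m.groups() else m.group(0)).lower()
                if (kind, value) in active:
                    hits.append((line, kind, value))
    return hits

if __name__ == "__main__":
    for line, kind, value in match_logs(LOGS, active_indicators(FEED, "2024-06-01")):
        print(f"ALERT [{kind}={value}] {line}")
```

The stale IP (last seen in January) is dropped before matching, so the third log line raises no alert even though it appears in the feed.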
Indicator of Compromise (IOC)
• Identifies characteristics of malware
  ◦ Host-based and network-based characteristics
• Can be used to identify the presence of malware on a compromised host
• IOCs are typically created by reversing malware
• Professional responders typically have large IOC lists collected from previous intrusions they have worked
• IOCs can save you time when analyzing multiple hosts
  ◦ Even if you only have one IOC for one piece of malware you found
• Various “standard” languages to share indicators and threat intelligence
Standard sharing languages
• Standardization is important!
  ◦ Makes sharing easier
  ◦ Makes working with multiple data sources easier
• Different logs often refer to the same thing by different names
  ◦ Logged on
  ◦ Login success
  ◦ Accepted password
  ◦ Account Logon
• Sharing between different systems within the organization
• Sharing with other organizations
• Need a common language to speak
CybOX
• Cybox.mitre.org
• Cyber Observable eXpression
• Standardized schema for describing observable events
  ◦ Event logging
  ◦ Malware characterization
  ◦ Intrusion detection
  ◦ Incident response
  ◦ Attack pattern characterization
• Standard structure and content
• Has since been rolled into STIX over the past few years
STIX
• Stix.mitre.org
• Structured Threat Information eXpression
• Community driven
• Standardized language to represent structured threat information
• Some examples:
  ◦ Malware Indicator for File Hash
  ◦ File Hash Reputation
  ◦ Incident Essentials – Who, What, When
  ◦ Affected Asset list
  ◦ Command and Control IP List
YARA
• Tool used to help identify and classify malware
  ◦ “Pattern matching swiss knife for malware researchers (and everyone else)”
• Create descriptions based on patterns
• Each rule has a set of strings and Boolean logic
• Any file containing one of the three strings is reported as a silent_banker match
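An added example, not from the slides: the silent_banker rule the slide describes is the example rule from the YARA documentation, reproduced here together with a deliberately minimal Python evaluator (a stand-in for the real yara engine, assumed to handle only plain substring strings and flat and/or conditions) run over constructed sample files.

```python
import re

# The example rule from the YARA documentation: three strings, two as hex byte
# patterns and one as text, joined by "or" in the condition.
SILENT_BANKER_RULE = r'''
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B2 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
'''

# One '$id = {hex}' or '$id = "text"' line inside the strings section.
STRING_DEF = re.compile(r'^\s*(\$\w+)\s*=\s*(\{[^}]*\}|"[^"]*")\s*$', re.M)

def parse_rule(text):
    """Return (rule name, {string id: bytes to look for}, condition text)."""
    name = re.search(r'^rule\s+(\w+)', text, re.M).group(1)
    strings = {}
    for ident, literal in STRING_DEF.findall(text):
        if literal.startswith('{'):                      # hex byte pattern
            strings[ident] = bytes.fromhex(literal.strip('{}'))
        else:                                            # plain text string
            strings[ident] = literal.strip('"').encode()
    condition = re.search(r'condition:\s*(.+?)\s*}', text, re.S).group(1)
    return name, strings, condition.strip()

def matches(rule_text, data):
    """Evaluate the condition for data. Stand-in for yara: only plain substring
    search and flat 'and'/'or' conditions, no modifiers, wildcards or counts."""
    _, strings, condition = parse_rule(rule_text)
    found = {ident: pattern in data for ident, pattern in strings.items()}
    return any(all(found[t.strip()] for t in clause.split(" and "))
               for clause in condition.split(" or "))

# Constructed samples: one holds the $b opcode bytes, one the $c alphabet
# string, the last is benign.
SAMPLES = {
    "dropper.bin": b"MZ\x90\x00" + bytes.fromhex("8D4DB22BC183C027996A4E59F7F9") + b"\x00" * 8,
    "config.dat": b"cfg=UVODFRYSIHLNWPEJXQZAKCBGMT;ver=2",
    "notes.txt": b"quarterly report draft",
}

def scan(samples):
    """Names of the samples the rule reports as silent_banker matches."""
    return [name for name, data in samples.items() if matches(SILENT_BANKER_RULE, data)]
```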
OpenIOC
• Openioc.org
• Open framework for threat intelligence sharing
• Originally designed for Mandiant’s products
  ◦ Has since been standardized and open sourced
• IOCs are stored as XML
• IOC is made up of three major parts
  ◦ IOC Metadata
    – Author of the IOC, Name of the IOC, description, etc.
  ◦ References
    – Investigation name, case number, comments, etc.
  ◦ Definition
    – The content of the IOC itself – artifacts, MD5 hash, registry path, etc.
OpenIOC
• IOC Editor
  ◦ Allows users to work with indicators in XML format
  ◦ Manage the fields within the IOCs
  ◦ Edit the IOCs
• IOC Finder
  ◦ Search for IOCs on a single host
  ◦ Can be used to test new IOCs
  ◦ Can be used to find malware on hosts
  ◦ IOC hit reporting in various formats, including HTML and text
  ◦ Reports for single or multiple hosts
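An added example, not from the slides or Mandiant's tools: a constructed IOC in the OpenIOC 1.0 layout (metadata, references, definition) and a small evaluator that does on one host what IOC Finder does, walking the nested Indicator AND/OR logic against a constructed map of host artifacts. The hash, registry path and case id are placeholders, not real indicators.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}  # OpenIOC 1.0 namespace

# Constructed IOC: metadata, references (links) and the definition. The hash,
# path and case id are placeholders, not real IoCs.
EXAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001">
  <short_description>Example dropper persistence</short_description>
  <authored_by>IR team</authored_by>
  <links><link rel="case">CASE-PLACEHOLDER</link></links>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path"/>
          <Content type="string">CurrentVersion\\Run</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="RegistryItem" search="RegistryItem/Text"/>
          <Content type="string">C:\\Users\\Public\\svc.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed host artifact map keyed by the OpenIOC search term. The hash
# branch misses here; the registry AND branch is what produces the hit.
INFECTED_HOST = {
    "FileItem/Md5sum": ["11111111111111111111111111111111"],
    "RegistryItem/Path": [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc"],
    "RegistryItem/Text": [r"C:\Users\Public\svc.exe"],
}

def item_hit(item, host):
    """One IndicatorItem: compare its Content to every host value for its search term."""
    key = item.find("ioc:Context", NS).get("search")
    want = item.find("ioc:Content", NS).text.lower()
    cond = item.get("condition")  # "is" (exact) or "contains" (substring)
    return any((have == want) if cond == "is" else (want in have)
               for have in (v.lower() for v in host.get(key, [])))

def evaluate(indicator, host):
    """Apply the Indicator's AND/OR operator to its items and nested Indicators."""
    results = [item_hit(c, host) if c.tag.endswith("IndicatorItem") else evaluate(c, host)
               for c in indicator]
    return all(results) if indicator.get("operator") == "AND" else any(results)

def ioc_matches(ioc_xml, host):
    """True if the IOC definition matches the host (what IOC Finder reports as a hit)."""
    root = ET.fromstring(ioc_xml)
    return evaluate(root.find("ioc:definition", NS)[0], host)
```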
Lab - OpenIOC
