Advanced Threat Hunting
botconf
December 8, 2017
© 2018 ThreatConnect, Inc. All Rights Reserved.
Who Am I?
Director of Research Innovation
Research Team
ThreatConnect, Inc.
Threat Intelligence
A Few Definitions
Tactical
Technical
Operational
Strategic
The Intelligence Process
Source: Joint Intelligence / Joint Publication 2-0
(Joint Chiefs of Staff)
The Intelligence Process: Relationship of Data, Information, and Intelligence
Source: Joint Intelligence / Joint Publication 2-0
(Joint Chiefs of Staff)
David Bianco’s “Pyramid of Pain”
The Pyramid of Pain (Mirrored)
Problem Definition, Part 1: Small Teams
We are a team of ten people.
Problem Definition, Part 2: Limited Resources
Paid data feeds
Large data volume
Signal to noise
Limited tool capacity
Problem Definition, Part 3: Limited Time
Analysts must spend time analyzing, not moving data around.
Doing It Wrong
Maintaining team YARA rules:
1. On a file server
2. Some person’s laptop
3. Lots of people’s laptops
Doing It Wrong
Wasting analysts’ time:
1. Downloading files
2. Uploading files
3. Waiting for AMAs (automated malware analysis) to finish
Doing It Right
• Use revision control
  • We use git!
• Deployment scripts
• Sync with threat intel platform
YARA Rule
rule Nemucod_JS_Ransom
{
    meta:
        priority = "Medium"
        confidence = "High"
        sandbox_restricted = true
    strings:
        // "LOOSE" is the ransom note's own spelling; correcting it would stop the string matching
        $a = "If you do not pay in 3 days YOU LOOSE ALL YOUR FILES" nocase wide ascii
        $b = " + \"php4ts.dll\";" wide ascii
        $c = "\"To restore your files you have to pay \"" wide ascii
    condition:
        // new_file is not a YARA builtin: the scanning tool chain must supply it as an external variable
        any of them and new_file
}
Associations for the Win
plyara
• PLY (Python Lex Yacc)
• Parser handles VirusTotal and vanilla rules
• Takes a ruleset file as input
• Outputs a Python dictionary
https://github.com/8u1a/plyara
Send Improvements Upstream!
Netflix Open Connect Appliance: https://openconnect.netflix.com/en/software/
Demo: plyara
Jupyter
Notebook programming in cells: somewhere between a REPL and a monolithic script.
https://jupyter.org/
Prioritization
Lottery Queue
Scoring
Non-Intuitive Ordering
High Priority / High Confidence
High Priority / Medium Confidence
Medium Priority / High Confidence
Medium Priority / Medium Confidence
High Priority / Low Confidence
Medium Priority / Low Confidence
Low Priority / Low Confidence
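A worked example added here, not code from the talk or from plyara: it pulls priority and confidence out of each rule's meta section, the way the plyara slide describes, and sorts a ruleset into the queue order listed on the Non-Intuitive Ordering slide. A short regex stand-in replaces plyara so the script runs offline; the two Constructed_* rules, the hits_last_30d field and the fallback for pairs the slide does not list are assumptions of mine.

```python
"""Added example (not the talk's code): sort YARA rules into a hunting queue
using the (priority, confidence) order from the "Non-Intuitive Ordering" slide.
The meta extractor is a small regex stand-in for plyara so this runs offline."""
import re

# Queue order from the slide, front of queue first. Note that Medium priority
# with decent confidence outranks High priority at Low confidence.
QUEUE_ORDER = [("High", "High"), ("High", "Medium"), ("Medium", "High"),
               ("Medium", "Medium"), ("High", "Low"), ("Medium", "Low"),
               ("Low", "Low")]
RANK = {pair: i for i, pair in enumerate(QUEUE_ORDER)}

# "rule Name [: tags] { body }"; the closing brace must start a line.
RULE_RE = re.compile(
    r"^\s*(?:private\s+|global\s+)*rule\s+(\w+)[^{]*\{(.*?)^\}", re.S | re.M)
# Text between "meta:" and the next section keyword.
META_RE = re.compile(r"meta:(.*?)(?=^\s*(?:strings|condition)\s*:)", re.S | re.M)
# One meta assignment: key = "string" | true | false | integer
KV_RE = re.compile(
    r'^\s*(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*$', re.M)


def parse_meta(ruleset):
    """Map rule name -> meta dict (strings unquoted, bools and ints typed)."""
    rules = {}
    for name, body in RULE_RE.findall(ruleset):
        section = META_RE.search(body)
        meta = {}
        for key, raw in KV_RE.findall(section.group(1) if section else ""):
            if raw.startswith('"'):
                meta[key] = raw[1:-1]
            elif raw in ("true", "false"):
                meta[key] = raw == "true"
            else:
                meta[key] = int(raw)
        rules[name] = meta
    return rules


def queue_rank(priority, confidence):
    """Queue position (0 = front). Pairs the slide does not list, e.g. Low/High,
    are parked behind the listed ones for a human to place at the
    prioritization meeting; that fallback is my assumption, not the talk's."""
    return RANK.get((priority.capitalize(), confidence.capitalize()),
                    len(QUEUE_ORDER))


def build_queue(ruleset):
    """Return [(rule_name, priority, confidence), ...] in queue order. A rule
    missing either field is treated as Low so it cannot jump the queue."""
    entries = []
    for name, meta in parse_meta(ruleset).items():
        pri = str(meta.get("priority", "Low"))
        conf = str(meta.get("confidence", "Low"))
        entries.append((queue_rank(pri, conf), name, pri, conf))
    entries.sort(key=lambda e: (e[0], e[1]))  # rank, then name, for stable output
    return [(n, p, c) for _, n, p, c in entries]


# Constructed ruleset: the talk's Nemucod rule plus two made-up rules that hit
# other points of the ordering. new_file is not a YARA builtin, so the scanning
# tool chain has to define it as an external variable (e.g. yara -d new_file=1).
SAMPLE_RULESET = r'''rule Nemucod_JS_Ransom
{
    meta:
        priority = "Medium"
        confidence = "High"
        sandbox_restricted = true
    strings:
        $a = "If you do not pay in 3 days YOU LOOSE ALL YOUR FILES" nocase wide ascii
        $b = " + \"php4ts.dll\";" wide ascii
        $c = "\"To restore your files you have to pay \"" wide ascii
    condition:
        any of them and new_file
}

rule Constructed_HighLow : constructed
{
    meta:
        priority = "High"
        confidence = "Low"
    strings: $a = "constructed sample string"
    condition: $a
}

rule Constructed_HighHigh
{
    meta:
        priority = "High"
        confidence = "High"
        hits_last_30d = 12
    strings: $a = "constructed sample string"
    condition: $a
}
'''
```

Calling build_queue(SAMPLE_RULESET) returns Constructed_HighHigh, then Nemucod_JS_Ransom, then Constructed_HighLow: the Medium/High rule outranks the High/Low one, which is the point of the slide.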
Prioritization Meetings
Automate AMAs
• Cuckoo Sandbox
• Joe Sandbox Cloud
• VxStream
• VMRay
• Lastline
• ThreatGrid
• ReversingLabs
• Your AMA Here!
Future Work: Business Value (BV)
• Data claimed
• Dataset analyzed
• Intelligence published
• Blog published
• New account created
• New customer
Happy Bean Counters: Budgets
• Maximize collection -> exploitation
• Collect metrics on utilization
• Establish KPIs
• AMAs at maximum capacity
Key Performance Indicators: Speaking to Management
A Key Performance Indicator is a measurable value that demonstrates how effectively a company is achieving key business objectives.
Sources of Samples
• Carved from Network Capture (Use Bro!!)
• Incoming email attachments
• Endpoint collections (AV and otherwise)
• Supply chain (CCleaner!!!!!!!!!!)
Success Stories
https://threatconnect.com/blog/kasperagent-malware-campaign/
Key Takeaways and Lessons Learned
• Organize signatures in revision control
• Automate between systems in tool chain
• Separate queues by signature type
  • Attack Pattern
  • Malware family / Adversary
• Periodic prioritization meetings
• SEND YOUR OPEN SOURCE CHANGES UPSTREAM!!!!!
Thank You
threatconnect.com/blog
@ThreatConnect
@MalwareUtkonos

Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 

Advanced Threat Hunting - Botconf 2017

  • 2. © 2018 ThreatConnect, Inc. All Rights Reserved. Who Am I? Director of Research Innovation, Research Team, ThreatConnect, Inc.
  • 3–4. Threat Intelligence, A Few Definitions: Tactical; Technical; Operational; Strategic
  • 5. The Intelligence Process. Source: Joint Intelligence / Joint Publication 2-0 (Joint Chiefs of Staff)
  • 6. The Intelligence Process: Relationship of Data, Information, and Intelligence. Source: Joint Intelligence / Joint Publication 2-0 (Joint Chiefs of Staff)
  • 7. David Bianco's "Pyramid of Pain"
  • 8. The Pyramid of Pain, Mirrored
  • 9. Problem Definition, Part 1: Small Teams. We are a team of ten people.
  • 10. Problem Definition, Part 2: Limited Resources. Paid data feeds; large data volume; signal to noise; limited tool capacity.
  • 11. Problem Definition, Part 3: Limited Time. Analysts must spend time analyzing, not moving data around.
  • 13. Doing It Wrong, maintaining team YARA rules: 1. on a file server; 2. on some person's laptop; 3. on lots of people's laptops.
  • 14. Doing It Wrong, wasting analysts' time: 1. downloading files; 2. uploading files; 3. waiting for AMAs (automated malware analysis sandboxes) to finish.
  • 16. Doing It Right: use revision control (we use git!); deployment scripts; sync with the threat intel platform.
  • 17. YARA Rule. The priority and confidence meta are what the queue scoring on the later slides reads; new_file is an external variable that the scanning pipeline defines at compile time (e.g. yara -d new_file=true), so the rule only fires for files it has not seen before:
      rule Nemucod_JS_Ransom
      {
          meta:
              priority = "Medium"
              confidence = "High"
              sandbox_restricted = true
          strings:
              // "LOOSE" is the ransom note's own misspelling and must stay verbatim
              $a = "If you do not pay in 3 days YOU LOOSE ALL YOUR FILES" nocase wide ascii
              $b = " + \"php4ts.dll\";" wide ascii
              $c = "\"To restore your files you have to pay \"" wide ascii
          condition:
              any of them and new_file
      }
  • 18. Associations for the Win
  • 19. plyara: built on PLY (Python Lex-Yacc); the parser handles VirusTotal-style and vanilla rules; takes a ruleset file as input; outputs a Python dictionary.
  • 20. plyara: https://github.com/8u1a/plyara
  • 21–22. Send Improvements Upstream! Netflix Open Connect Appliance: https://openconnect.netflix.com/en/software/
  • 23. Demo: plyara
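The plyara demo itself is not in the transcript. As an added example (this is neither plyara's code nor ThreatConnect's), here is a minimal parser of the same shape, ruleset text in and one dictionary per rule out, run over the slide 17 rule plus a constructed second rule, together with the hygiene check a git deployment script (slide 16) can run before rules reach the scanning pipeline. It covers the syntax the slides use (text, hex and regex strings; string, boolean and integer meta; // and /* */ comments), not the full YARA grammar, and expects each rule to close with a } on its own line. The output keys loosely follow plyara's naming but are this example's own choice.

```python
"""Minimal YARA ruleset parser in the spirit of plyara: ruleset text -> one dict per rule
(name, scopes, tags, metadata, strings, condition), plus the hygiene check a deployment
script can run before pushing rules from git to the scanning pipeline."""
import json
import re

_QUOTED = r'"((?:[^"\\]|\\.)*)"'                      # double-quoted YARA string, escapes allowed
_HEADER = re.compile(r'^[ \t]*((?:(?:private|global)\s+)*)rule\s+(\w+)\s*(?::\s*([\w \t]+))?\s*\{', re.M)
_CLOSE = re.compile(r'^\s*\}\s*$', re.M)               # rule body ends at a line holding only "}"
_SECTION = re.compile(r'^\s*(meta|strings|condition)\s*:', re.M)
_META = re.compile(r'^\s*(\w+)\s*=\s*(?:' + _QUOTED + r'|(true|false)|(-?\d+))[ \t]*$', re.M)
_STRDEF = re.compile(r'^\s*(\$\w*)\s*=\s*(?:' + _QUOTED + r'|(\{[^}]*\})|/((?:[^/\\]|\\.)*)/)[ \t]*([\w \t]*)$', re.M)
_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', '"': '"', '\\': '\\'}

REQUIRED_META = ('priority', 'confidence')   # the meta the queue scoring reads (slides 17 and 28)

# Constructed sample ruleset: the slide 17 rule, then a second rule that is not from the
# slides; it uses hex and regex strings and omits the confidence meta for the lint to catch.
SAMPLE_RULESET = r'''
// Nemucod rule from slide 17; new_file is an external variable set by the pipeline
rule Nemucod_JS_Ransom
{
    meta:
        priority = "Medium"
        confidence = "High"
        sandbox_restricted = true
    strings:
        $a = "If you do not pay in 3 days YOU LOOSE ALL YOUR FILES" nocase wide ascii
        $b = " + \"php4ts.dll\";" wide ascii
        $c = "\"To restore your files you have to pay \"" wide ascii
    condition:
        any of them and new_file
}

/* constructed second rule (not from the slides) */
rule Example_Dropper : dropper
{
    meta:
        priority = "High"
    strings:
        $mz = { 4D 5A }
        $url = /https?:\/\/[a-z0-9.]+\/gate\.php/ ascii
    condition:
        $mz at 0 and $url
}
'''


def strip_comments(text):
    """Drop // and /* */ comments while leaving quoted strings untouched. Two consecutive
    slashes inside a regex string would still be taken as a comment; escape them in the rule."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == '\\' and i + 1 < n:      # keep the escaped character verbatim, even \"
                out.append(text[i + 1])
                i += 2
                continue
            in_str = ch != '"'
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith('//', i):
            j = text.find('\n', i)
            i = n if j < 0 else j
            continue
        elif text.startswith('/*', i):
            j = text.find('*/', i + 2)
            i = n if j < 0 else j + 2
            continue
        else:
            out.append(ch)
        i += 1
    return ''.join(out)


def _unescape(s):
    def one(m):
        esc = m.group(1)
        if len(esc) == 3:                      # \xNN
            return chr(int(esc[1:], 16))
        return _ESCAPES.get(esc, esc)
    return re.sub(r'\\(x[0-9a-fA-F]{2}|.)', one, s)


def _sections(body):
    """Split a rule body into its meta/strings/condition chunks."""
    found = list(_SECTION.finditer(body))
    parts = {}
    for i, m in enumerate(found):
        end = found[i + 1].start() if i + 1 < len(found) else len(body)
        parts[m.group(1)] = body[m.end():end]
    return parts


def _parse_meta(chunk):
    meta = {}
    for m in _META.finditer(chunk):
        key, text_val, bool_val, int_val = m.groups()
        if text_val is not None:
            meta[key] = _unescape(text_val)
        elif bool_val is not None:
            meta[key] = bool_val == 'true'
        else:
            meta[key] = int(int_val)
    return meta


def _parse_strings(chunk):
    strings = []
    for m in _STRDEF.finditer(chunk):
        name, text_val, hex_val, regex_val, mods = m.groups()
        if text_val is not None:
            kind, value = 'text', _unescape(text_val)
        elif hex_val is not None:
            kind, value = 'hex', hex_val
        else:
            kind, value = 'regex', regex_val
        strings.append({'name': name, 'type': kind, 'value': value, 'modifiers': mods.split()})
    return strings


def parse_ruleset(text):
    """Ruleset text -> list of rule dicts."""
    rules = []
    text = strip_comments(text)
    for header in _HEADER.finditer(text):
        close = _CLOSE.search(text, header.end())
        if close is None:
            raise ValueError(f"rule {header.group(2)} is never closed")
        parts = _sections(text[header.end():close.start()])
        rules.append({
            'rule_name': header.group(2),
            'scopes': header.group(1).split(),
            'tags': (header.group(3) or '').split(),
            'metadata': _parse_meta(parts.get('meta', '')),
            'strings': _parse_strings(parts.get('strings', '')),
            'condition': ' '.join(parts.get('condition', '').split()),
        })
    return rules


def lint_ruleset(rules):
    """Problems a deploy script should refuse to ship: duplicate names, missing scoring meta."""
    problems, seen = [], set()
    for rule in rules:
        name = rule['rule_name']
        if name in seen:
            problems.append(f"{name}: duplicate rule name")
        seen.add(name)
        for key in REQUIRED_META:
            if key not in rule['metadata']:
                problems.append(f"{name}: missing meta '{key}'")
    return problems


if __name__ == '__main__':
    parsed = parse_ruleset(SAMPLE_RULESET)
    print(json.dumps(parsed, indent=2))
    print('lint:', lint_ruleset(parsed) or 'clean')
```

Wiring lint_ruleset into a pre-commit hook or the deploy script means a rule without priority/confidence meta never reaches the queue where those fields decide its place.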
  • 24. Jupyter Notebook: programming in cells, somewhere between a REPL and a monolithic script. https://jupyter.org/
  • 25. Prioritization
  • 26. Lottery Queue
  • 27. Scoring
  • 28–29. Non-Intuitive Ordering, worked top to bottom: High Priority / High Confidence; High Priority / Medium Confidence; Medium Priority / High Confidence; Medium Priority / Medium Confidence; High Priority / Low Confidence; Medium Priority / Low Confidence; Low Priority / Low Confidence
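Slides 27–29 show the resulting order but not the scoring behind it. As an added example (the weights are this example's own assumptions, not the presenter's), the following Python treats priority as what a hit is worth if it is real and confidence as a discount on that value; the product reproduces the slide's top-to-bottom order, including the step where Medium/Medium outranks High/Low, and the weighted draw of the slide 26 lottery queue uses the same scores so the tail of the queue still gets looked at.

```python
"""Queue ordering for signature hits from the priority/confidence meta carried in each YARA
rule, reproducing the slide's 'non-intuitive' order, plus the lottery draw that keeps
low-scoring hits from starving. Weights are this example's own choice, not the slides'."""
import random
from dataclasses import dataclass

# Priority is what a hit is worth if real; confidence discounts it by how far the rule is trusted.
PRIORITY_WEIGHT = {'High': 3.0, 'Medium': 2.0, 'Low': 1.0}
CONFIDENCE_FACTOR = {'High': 1.0, 'Medium': 0.8, 'Low': 0.4}

# Top-to-bottom order from slides 28-29; (Low, High) and (Low, Medium) are not shown there.
SLIDE_ORDER = [('High', 'High'), ('High', 'Medium'), ('Medium', 'High'), ('Medium', 'Medium'),
               ('High', 'Low'), ('Medium', 'Low'), ('Low', 'Low')]


@dataclass(frozen=True)
class Hit:
    sample: str        # e.g. a SHA-256; constructed values below
    rule: str
    priority: str      # from the rule's meta
    confidence: str    # from the rule's meta
    seen_at: int       # increasing submission counter; older hit wins ties


def score(hit):
    """Expected value of working the hit: priority scaled by the chance the match is real."""
    return PRIORITY_WEIGHT[hit.priority] * CONFIDENCE_FACTOR[hit.confidence]


def ordered_queue(hits):
    """Highest expected value first, FIFO among equals."""
    return sorted(hits, key=lambda h: (-score(h), h.seen_at))


def lottery_draw(hits, rng=None):
    """One weighted random pick; weights are the scores, so nothing has zero chance."""
    rng = random.Random(1) if rng is None else rng
    return rng.choices(hits, weights=[score(h) for h in hits], k=1)[0]


def next_batch(hits, n, lottery_share=0.25, rng=None):
    """Fill a work batch of n: the top of the ordered queue, then a lottery share drawn
    without replacement from the remainder so the bottom of the queue still gets eyes."""
    rng = random.Random(1) if rng is None else rng
    queue = ordered_queue(hits)
    if n >= len(queue):
        return queue
    n_lottery = round(n * lottery_share)
    batch, pool = queue[:n - n_lottery], queue[n - n_lottery:]
    for _ in range(n_lottery):
        pick = lottery_draw(pool, rng)
        pool.remove(pick)
        batch.append(pick)
    return batch


def draw_counts(hits, draws, seed=7):
    """How often each (priority, confidence) pair wins the lottery over many draws."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        h = lottery_draw(hits, rng)
        counts[(h.priority, h.confidence)] = counts.get((h.priority, h.confidence), 0) + 1
    return counts


def demo_hits():
    """Constructed hits, one per slide combination, deliberately enqueued in reverse order."""
    return [Hit(f'sample-{i:02d}', f'rule_{p.lower()}_{c.lower()}', p, c, i)
            for i, (p, c) in enumerate(reversed(SLIDE_ORDER))]


if __name__ == '__main__':
    hits = demo_hits()
    for h in ordered_queue(hits):
        print(f'{score(h):.1f}  {h.priority:6}/{h.confidence:6}  {h.rule}')
    print('batch:', [h.rule for h in next_batch(hits, 4)])
    print('lottery wins over 2000 draws:', draw_counts(hits, 2000))
```

With these weights a Low/High hit scores 1.0 and lands between High/Low (1.2) and Medium/Low (0.8), which is the kind of placement the periodic prioritization meetings of slide 30 exist to argue about; change the two tables, not the sort.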
  • 30. Prioritization Meetings
  • 31. Automate AMAs (automated malware analysis): Cuckoo Sandbox; Joe Sandbox Cloud; VxStream; VMRay; Lastline; ThreatGrid; ReversingLabs; your AMA here!
  • 32. Future Work, Business Value (BV) metrics: data claimed; dataset analyzed; intelligence published; blog published; new account created; new customer.
  • 33. Happy Bean Counters (Budgets): maximize collection -> exploitation; collect metrics on utilization; establish KPIs; keep AMAs at maximum capacity.
  • 34. Key Performance Indicators (Speaking to Management): a Key Performance Indicator is a measurable value that demonstrates how effectively a company is achieving key business objectives.
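Slides 31 and 33 ask for sandbox submission to be automated and the paid capacity kept full, and slide 14 lists uploading files by hand as wasted analyst time. As an added example (not ThreatConnect's code), this Python dispatcher keys every sample by SHA-256 so nothing is uploaded twice, feeds a backlog into whichever sandbox has free slots, and reports per-sandbox utilization as the KPI of slides 33–34. The Cuckoo client's endpoint paths (/tasks/create/file, /cuckoo/status) and JSON keys are assumptions about the Cuckoo 2.x REST API and are not exercised offline; the FakeSandbox and the sample bytes are constructed so the block runs stand-alone.

```python
"""Keep automated malware analysis (AMA) sandboxes busy without re-uploading known samples."""
import hashlib
import json
import uuid
from collections import deque
from urllib import request


class CuckooSandbox:
    """Client for a Cuckoo 2.x REST API. The endpoint paths and JSON keys below are
    assumptions about that API version; other AMAs need their own client with the same
    three members (name, capacity, in_flight/submit)."""

    def __init__(self, name, base_url, capacity):
        self.name, self.base_url, self.capacity = name, base_url.rstrip('/'), capacity

    def in_flight(self):
        with request.urlopen(f'{self.base_url}/cuckoo/status', timeout=10) as resp:
            tasks = json.load(resp)['tasks']
        return tasks['pending'] + tasks['running']

    def submit(self, filename, data):
        boundary = uuid.uuid4().hex
        body = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'
                ).encode() + data + f'\r\n--{boundary}--\r\n'.encode()
        req = request.Request(f'{self.base_url}/tasks/create/file', data=body, method='POST',
                              headers={'Content-Type': f'multipart/form-data; boundary={boundary}'})
        with request.urlopen(req, timeout=60) as resp:
            return json.load(resp)['task_id']


class FakeSandbox:
    """In-memory stand-in with the same interface, constructed so the example runs offline."""

    def __init__(self, name, capacity):
        self.name, self.capacity, self.tasks = name, capacity, []

    def in_flight(self):
        return len(self.tasks)

    def submit(self, filename, data):
        self.tasks.append(filename)
        return len(self.tasks)

    def finish(self, n=1):
        """Simulate n analyses completing."""
        del self.tasks[:n]


class Dispatcher:
    """Feeds a backlog of samples into whichever sandbox has free slots, skipping anything
    already queued or submitted (keyed by SHA-256) so nobody re-uploads by hand."""

    def __init__(self, sandboxes):
        self.sandboxes = list(sandboxes)
        self.backlog = deque()          # (sha256, filename, bytes) waiting for a free slot
        self.queued = set()             # digests currently in the backlog
        self.seen = {}                  # sha256 -> (sandbox name, task id) already submitted
        self.stats = {'submitted': 0, 'deduplicated': 0}

    def enqueue(self, filename, data):
        """Accept a sample unless its SHA-256 was already queued or submitted."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.seen or digest in self.queued:
            self.stats['deduplicated'] += 1
            return False
        self.queued.add(digest)
        self.backlog.append((digest, filename, data))
        return True

    def pump(self):
        """Submit from the backlog while any sandbox has a free slot; returns how many went out."""
        submitted = 0
        while self.backlog:
            slots, target = max(((sb.capacity - sb.in_flight(), sb) for sb in self.sandboxes),
                                key=lambda pair: pair[0])
            if slots <= 0:
                break                   # every AMA is at capacity; try again on the next tick
            digest, filename, data = self.backlog.popleft()
            self.queued.discard(digest)
            self.seen[digest] = (target.name, target.submit(filename, data))
            self.stats['submitted'] += 1
            submitted += 1
        return submitted

    def utilization(self):
        """Slide 33 KPI: share of each sandbox's paid capacity currently in use."""
        return {sb.name: sb.in_flight() / sb.capacity for sb in self.sandboxes}


if __name__ == '__main__':
    # constructed samples; 'a_copy.js' carries the same bytes as 'a.js'
    d = Dispatcher([FakeSandbox('cuckoo-a', 2), FakeSandbox('cuckoo-b', 1)])
    for name, blob in [('a.js', b'alpha'), ('b.exe', b'beta'), ('a_copy.js', b'alpha'), ('c.doc', b'gamma')]:
        d.enqueue(name, blob)
    print('submitted', d.pump(), 'utilization', d.utilization(), 'stats', d.stats)
```

Run pump() from a scheduler (or a git post-receive hook for freshly deployed rules that need re-scans) and log utilization() each tick; a sandbox that sits below 1.0 while the backlog is non-empty is either broken or over-provisioned, which is exactly the number the budget conversation on slide 33 needs.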
  • 35–36. Sources of Samples: carved from network capture (use Bro, now Zeek!); incoming email attachments; endpoint collections (AV and otherwise); supply chain (CCleaner, the 2017 compromised-installer case!).
  • 37. Success Stories: https://threatconnect.com/blog/kasperagent-malware-campaign/
  • 38–40. Success Stories (continued)
  • 41. Key Takeaways and Lessons Learned: organize signatures in revision control; automate between systems in the tool chain; separate queues by signature type (attack pattern; malware family / adversary); hold periodic prioritization meetings; SEND YOUR OPEN SOURCE CHANGES UPSTREAM!
  • 43. Thank You. threatconnect.com/blog, @ThreatConnect, @MalwareUtkonos