All material confidential and proprietary
December 2015

OPERATIONALIZING THREAT INTELLIGENCE TO BATTLE PERSISTENT ACTORS

© 2015 ThreatConnect, Inc. All Rights Reserved

INTROS
Monzy, Andy

AGENDA
• Threat intel: Brief definition and “Why the heck should I care?”
• How to develop threat intelligence using the Diamond Model
• Use case: How ThreatConnect investigated Chinese state-sponsored threats using the Diamond Model
• Demo: How to operationalize threat intelligence using Splunk and ThreatConnect

THREAT INTELLIGENCE
What it should be.

AN INDICATOR FEED? NO!
THREAT INTELLIGENCE is knowledge of your adversaries that is useful for defense.

THREAT INTELLIGENCE DEFINED
In slightly more verbose terms, threat intelligence is the applicable knowledge of a threat’s capabilities, infrastructure, motives, goals, and resources.

Why do I care?
Intelligence will drive security. Your knowledge of threats consistently translates into your organization’s ability to take action.

KNOW YOUR ENEMY
KNOWLEDGE IS POWER

WHAT DOES INTELLIGENCE-DRIVEN SECURITY MEAN?
• You’re mitigating issues across teams and sensors
• Feedback loops: not just “red” feeding “blue”
• Security becomes more proactive
• Not an end state, but a modus operandi
Awesome, how do I start? … It’s easier than you think.

A METHODOLOGY IS NEEDED

THE DIAMOND MODEL OF INTRUSION ANALYSIS:
• Simple framework
• Ask questions to move from reactive to proactive state
• Grow knowledge & understanding of relevant threats
• Drive decisions for mitigation

PUTTING THE METHODOLOGY TO WORK
A Use Case

The use case, built up one pivot at a time across the slides:
• An md5sum discovered during investigation: d19ba12127f48a4341ce643c819052f6
• Malware domains in C2: greensky27.vicp.net
• C2 contains IP addresses: clusters of IPs in ASNs in Kunming, China; Bangkok, Thailand; Seoul, South Korea; etc.
• A further md5sum discovered during investigation: a2378fd84cebe4b58c372d1c9b923542
• Malware domains in C2 (defanged): greensky27[.]vicp[.]net, aseannew[.]8866[.]org, myanmartech[.]vicp[.]net, philnews[.]oicp[.]net, thailand[.]vicp[.]net
• Domains all used by common malware family: NAIKON
• Common targeting themes: Southeast Asian decoy docs, most likely delivered in spearphishing attempts

STACK UP YOUR DIAMONDS
C2 callbacks

INTELLIGENCE-DRIVEN SECURITY: BLOCK THE IPS?
IPs are fleeting.
Adversaries are focused.
Diamonds are forever.

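The pivot chain from the use case (hash to C2 domain to IP clusters to malware family to targeting theme) and the "IPs are fleeting, diamonds are forever" point can both be shown in one small script. This is an added example, not ThreatConnect or Splunk code; the hashes, domains, ASN cities and the NAIKON name are the ones on the slides, while the IP addresses (TEST-NET ranges), the "Naikon actor" label and the proxy events are constructed stand-ins.

```python
# Added example, not ThreatConnect/Splunk code. Hashes, C2 domains, ASN
# cities and the NAIKON label are from the slides; IPs (TEST-NET ranges),
# the adversary label and the proxy events are constructed stand-ins.
from collections import defaultdict, deque

CAPABILITY, INFRASTRUCTURE, VICTIM, ADVERSARY = (
    "capability", "infrastructure", "victim", "adversary")

def refang(indicator):
    """Report-style defanging (greensky27[.]vicp[.]net) back to log form."""
    return indicator.replace("[.]", ".").strip()

class DiamondGraph:
    """Indicator nodes tagged with a Diamond vertex; edges are analyst pivots."""
    def __init__(self):
        self.vertex = {}               # indicator -> vertex type
        self.adj = defaultdict(set)    # indicator -> linked indicators

    def add(self, indicator, vertex):
        self.vertex[refang(indicator)] = vertex

    def link(self, a, b):
        a, b = refang(a), refang(b)
        self.adj[a].add(b); self.adj[b].add(a)

    def cluster(self, start):
        """All indicators reachable by pivots: 'stack up your diamonds'."""
        start = refang(start)
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in self.adj[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def attribute(self, observable):
        """(adversary label, vertex matched) for a log observable, else None."""
        observable = refang(observable)
        if observable not in self.vertex:
            return None
        actors = sorted(n for n in self.cluster(observable)
                        if self.vertex[n] == ADVERSARY)
        return actors[0] if actors else "unattributed", self.vertex[observable]

def build_naikon_graph():
    """Replay the pivots from the slides into one graph."""
    g = DiamondGraph()
    md5_first = "d19ba12127f48a4341ce643c819052f6"   # step 1
    md5_second = "a2378fd84cebe4b58c372d1c9b923542"  # later pivot
    domains = ["greensky27[.]vicp[.]net", "aseannew[.]8866[.]org",
               "myanmartech[.]vicp[.]net", "philnews[.]oicp[.]net",
               "thailand[.]vicp[.]net"]               # C2 domains
    for h in (md5_first, md5_second):
        g.add(h, CAPABILITY)
    for d in domains:
        g.add(d, INFRASTRUCTURE)
        g.link(md5_second, d)
    g.link(md5_first, domains[0])
    # C2 resolutions clustered by ASN location; the IPs are constructed.
    resolutions = {"203.0.113.10": "ASN cluster: Kunming, China",
                   "198.51.100.7": "ASN cluster: Bangkok, Thailand",
                   "192.0.2.55": "ASN cluster: Seoul, South Korea"}
    for ip, asn in resolutions.items():
        g.add(ip, INFRASTRUCTURE)
        g.add(asn, INFRASTRUCTURE)
        g.link(domains[0], ip)
        g.link(ip, asn)
    # Common malware family, targeting theme, and the actor behind it.
    g.add("NAIKON", CAPABILITY)
    g.add("Southeast Asian decoy docs (spearphishing)", VICTIM)
    g.add("Naikon actor", ADVERSARY)      # constructed label
    for d in domains:
        g.link(d, "NAIKON")
    g.link("NAIKON", "Southeast Asian decoy docs (spearphishing)")
    g.link("NAIKON", "Naikon actor")
    return g

# Constructed proxy events. The C2 domain has moved to a new IP in the
# second and third records, which is the 'IPs are fleeting' case.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dest_host": "greensky27.vicp.net", "dest_ip": "203.0.113.10"},
    {"src": "10.0.0.9", "dest_host": "greensky27.vicp.net", "dest_ip": "203.0.113.200"},
    {"src": "10.0.0.9", "dest_host": "", "dest_ip": "203.0.113.200"},
    {"src": "10.0.0.12", "dest_host": "www.example.com", "dest_ip": "192.0.2.1"},
]

def enrich(graph, events):
    """Add Diamond Model context to each event, as the demo does for Splunk
    alerts with ThreatConnect intel. Host, IP and hash are all checked, so a
    known domain still attributes after its IP changes; the bare new-IP
    connection is the gap an IP-only blocklist leaves."""
    enriched = []
    for ev in events:
        hits = [graph.attribute(ev[f]) for f in ("dest_host", "dest_ip", "file_hash")
                if ev.get(f)]
        hit = next((h for h in hits if h), None)
        enriched.append({**ev, "attribution": hit[0] if hit else None,
                         "matched_vertex": hit[1] if hit else None})
    return enriched
```

Running enrich(build_naikon_graph(), SAMPLE_EVENTS) attributes the two domain-bearing events to the actor and leaves the IP-only connection to the moved address unattributed, which is the detection gap the slide warns about.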
CONFLICT WITHIN THE SOUTH CHINA SEA
WHO’S BEHIND NAIKON?
Background
• ⅓ of the world's oil / $5 trillion in global trade, energy-rich area
• Multi-national dispute over territorial claims
• China claims most of the region and has been the most assertive
• China’s cyber efforts support a robust political, economic, and military effort

THE PURPOSE OF INTELLIGENCE IS TO DRIVE DECISION ADVANTAGE
● What kind of decisions are you trying to make?
● Who is making those decisions?
● What processes need to be in place to support those decisions?
● How does the intelligence need to be delivered to be actionable?

CONNECTED ON ONE PLATFORM
TI Team, SOC Team, IR Team, ISAC/ISAO, SIEM, IPS/IDS, End-Point Protection, Firewalls/UTM, Intelligence Feeds, Network Controls, Vulnerability Scanner, Web Proxy, Public Community, Private Community, CISO/CIO, C-Suite/Board

Copyright © 2015 Splunk Inc.
Operationalizing Threat Intelligence
Demo

The Power of Splunk
COLLECT DATA FROM ANYWHERE
SEARCH AND ANALYZE EVERYTHING
GAIN REAL-TIME OPERATIONAL INTELLIGENCE

Why Splunk?
FAST TIME-TO-VALUE
ONE PLATFORM, MULTIPLE USE CASES
VISIBILITY ACROSS STACK, NOT JUST SILOS
ASK ANY QUESTION OF DATA
ANY DATA, SOURCE OR DEPLOYMENT MODEL

Turning Machine Data into Operational Intelligence

INDEX ANY MACHINE DATA: ANY SOURCE, TYPE, VOLUME
Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
On-Premises, Private Cloud, Public Cloud

GAIN REAL-TIME VISIBILITY
Application Delivery, Security and Compliance, IT Operations, Business Analytics, Internet of Things

Delivers Value Across IT and the Business
IT Operations; Application Delivery; Security, Compliance, and Fraud; Business Analytics; Industrial Data and Internet of Things
Developer Platform (REST API, SDKs)

Splunk for Security

SPLUNK ENTERPRISE SECURITY
SPLUNK USER BEHAVIOR ANALYTICS
SECURITY APPS & ADD-ONS
SIEM, Security Analytics, Fraud
Platform for Security Services
Wire data; Windows = SIEM integration; RDBMS (any) data

Developing Threat Intelligence - 3 Takeaways
Disruptive Security Operations:
• Track your adversary, not just alerts
• Enrich event data to develop context
• Develop your own threat intelligence

Demo Scenarios
• Enrich alerts with intel from ThreatConnect
• Execute the Diamond Model in Splunk Enterprise Security
• Create new threat intel using Splunk Enterprise Security

Demo

Backup Demo Slides

Demo Review
• Enrich alerts with intel from ThreatConnect
• Execute the Diamond Model in Splunk Enterprise Security
• Create new threat intel using Splunk Enterprise Security

Developing Threat Intelligence - 3 Takeaways
Disruptive Security Operations:
• Track your adversary, not just alerts
• Enrich event data to develop context
• Develop your own threat intelligence

Traditional SIEM vs. Splunk (comparison chart)

Next Steps
• Download Splunk: https://www.splunk.com
• Splunk app for ThreatConnect: https://splunkbase.splunk.com/app/1893/
• Getting started and help: http://docs.splunk.com, https://answers.splunk.com/

Thank You
Questions?
monzy@splunk.com
@monzymerza

THANK YOU!
• Download the full CAMERASHY report for free on www.threatconnect.com
• Indicators shared in the common community & available to all Splunk users

The following incidents are associated with the Naikon Threat:
20150730A: Satanserv Naikon Related APT
20150619A: cmcsan Naikon APT
20150617D: battale307 Naikon APT

Weitere ähnliche Inhalte

Was ist angesagt?

Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
CrowdStrike
 

Was ist angesagt? (20)

Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat Intelligence
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Episode IV: A New Scope
Episode IV: A New ScopeEpisode IV: A New Scope
Episode IV: A New Scope
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metrics
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond AlertingProactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence Workshop
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty Training
 
Ransomware: Why Are Backup Vendors Trying To Scare You?
Ransomware: Why Are Backup Vendors Trying To Scare You?Ransomware: Why Are Backup Vendors Trying To Scare You?
Ransomware: Why Are Backup Vendors Trying To Scare You?
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
 
Threat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsThreat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk Programs
 
Cyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to InsightCyber Threat Intelligence | Information to Insight
Cyber Threat Intelligence | Information to Insight
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!IOCs Are Dead—Long Live IOCs!
IOCs Are Dead—Long Live IOCs!
 
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
 

Andere mochten auch

6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence
Sirius
 

Andere mochten auch (6)

6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence
 
Threat modeling the security of the enterprise
Threat modeling the security of the enterpriseThreat modeling the security of the enterprise
Threat modeling the security of the enterprise
 
4 Rules for Successful Threat Intelligence Teams
4 Rules for Successful Threat Intelligence Teams4 Rules for Successful Threat Intelligence Teams
4 Rules for Successful Threat Intelligence Teams
 
Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat Intelligence
 
TOTEM: Threat Observation, Tracking, and Evaluation Model
TOTEM: Threat Observation, Tracking, and Evaluation ModelTOTEM: Threat Observation, Tracking, and Evaluation Model
TOTEM: Threat Observation, Tracking, and Evaluation Model
 
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use Cases
 

Ähnlich wie Operationalizing Threat Intelligence to Battle Persistent Actors

Cyber Security at CTX15, London
Cyber Security at CTX15, LondonCyber Security at CTX15, London
Cyber Security at CTX15, London
John Palfreyman
 
Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...
Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...
Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...
SolarWinds
 
End to End Security - Check Point
End to End Security - Check PointEnd to End Security - Check Point
End to End Security - Check Point
Harry Gunns
 
iotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfiotsecurity-171108154118.pdf
iotsecurity-171108154118.pdf
KerimBozkanli
 
Content is King - Symantec
Content is King - SymantecContent is King - Symantec
Content is King - Symantec
Harry Gunns
 

Ähnlich wie Operationalizing Threat Intelligence to Battle Persistent Actors (20)

Sqrrl 2.0 Launch Webinar
Sqrrl 2.0 Launch WebinarSqrrl 2.0 Launch Webinar
Sqrrl 2.0 Launch Webinar
 
Cyber Security in the market place: HP CTO Day
Cyber Security in the market place: HP CTO DayCyber Security in the market place: HP CTO Day
Cyber Security in the market place: HP CTO Day
 
Using Digital Threat Intelligence Management (DTIM) to Combat Threats
Using Digital Threat Intelligence Management (DTIM) to Combat ThreatsUsing Digital Threat Intelligence Management (DTIM) to Combat Threats
Using Digital Threat Intelligence Management (DTIM) to Combat Threats
 
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
 
IoT Security
IoT SecurityIoT Security
IoT Security
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
 
CrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas AttackCrowdCasts Monthly: When Pandas Attack
CrowdCasts Monthly: When Pandas Attack
 
106 Threat defense and information security development trends
106 Threat defense and information security development trends106 Threat defense and information security development trends
106 Threat defense and information security development trends
 
Cyber Security at CTX15, London
Cyber Security at CTX15, LondonCyber Security at CTX15, London
Cyber Security at CTX15, London
 
Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere Tomorrow Starts Here - Security Everywhere
Tomorrow Starts Here - Security Everywhere
 
IoT Security: Problems, Challenges and Solutions
IoT Security: Problems, Challenges and SolutionsIoT Security: Problems, Challenges and Solutions
IoT Security: Problems, Challenges and Solutions
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
 
Cyren cybersecurity of things
Cyren cybersecurity of thingsCyren cybersecurity of things
Cyren cybersecurity of things
 
Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...
Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...
Federal Webinar: Leverage IT Operations Monitoring and Log Data to Reduce Ins...
 
Online security (Daniel Beazer)
Online security (Daniel Beazer)Online security (Daniel Beazer)
Online security (Daniel Beazer)
 
End to End Security - Check Point
End to End Security - Check PointEnd to End Security - Check Point
End to End Security - Check Point
 
Art Hathaway - Artificial Intelligence - Real Threat Prevention
Art Hathaway - Artificial Intelligence - Real Threat PreventionArt Hathaway - Artificial Intelligence - Real Threat Prevention
Art Hathaway - Artificial Intelligence - Real Threat Prevention
 
iotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfiotsecurity-171108154118.pdf
iotsecurity-171108154118.pdf
 
06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware
06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware
06 - VMUGIT - Lecce 2018 - Rodolfo Rotondo, VMware
 
Content is King - Symantec
Content is King - SymantecContent is King - Symantec
Content is King - Symantec
 

Mehr von ThreatConnect

Advanced Threat Hunting - BotConf 2017
Advanced Threat Hunting - BotConf 2017Advanced Threat Hunting - BotConf 2017
Advanced Threat Hunting - BotConf 2017
ThreatConnect
 

Mehr von ThreatConnect (6)

Advanced Threat Hunting - BotConf 2017
Advanced Threat Hunting - BotConf 2017Advanced Threat Hunting - BotConf 2017
Advanced Threat Hunting - BotConf 2017
 
Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?
 
Threat Intelligence is a Journey; Not a Destination
Threat Intelligence is a Journey; Not a DestinationThreat Intelligence is a Journey; Not a Destination
Threat Intelligence is a Journey; Not a Destination
 
Open Source Malware Lab
Open Source Malware LabOpen Source Malware Lab
Open Source Malware Lab
 
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
 
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
 

Kürzlich hochgeladen

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Kürzlich hochgeladen (20)

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

Operationalizing Threat Intelligence to Battle Persistent Actors

  • 1. 1All material confidential and proprietary December 2015 OPERATIONALIZING THREAT INTELLIGENCE TO BATTLE PERSISTENT ACTORS © 2015 ThreatConnect, Inc. All Rights Reserved
  • 2. 2All material confidential and proprietary Monzy Andy © 2015 ThreatConnect, Inc. All Rights Reserved INTROS
  • 3. 3All material confidential and proprietary© 2015 ThreatConnect, Inc. All Rights Reserved AGENDA • Threat intel: Brief definition and “Why the heck should I care?” • How to develop threat intelligence using the Diamond Model • Use case: How ThreatConnect investigated Chinese state- sponsored threats using the Diamond Model • Demo: How to operationalize threat intelligence using Splunk and ThreatConnect
  • 4. 4All material confidential and proprietary THREAT INTELLIGENCE What it should be. © 2015 ThreatConnect, Inc. All Rights Reserved
  • 5. 5All material confidential and proprietary© 2015 ThreatConnect, Inc. All Rights Reserved NO!AN INDICATOR FEED? THREAT INTELLIGENCE is knowledge of your adversaries that is useful for defense.
  • 6. 6All material confidential and proprietary© 2015 ThreatConnect, Inc. All Rights Reserved THREAT INTELLIGENCE DEFINED In the slightly more verbose terms, threat intelligence is the applicable knowledge of a threat’s capabilities, infrastructure, motives, goals, and resources. Why do I care? Intelligence will drive security. Your knowledge of threats consistently translates into your organization’s ability to take action KNOW YOUR ENEMY KNOWLEDGE IS POWER
  • 7. 7All material confidential and proprietary WHAT DOES INTELLIGENCE-DRIVEN SECURITY MEAN? © 2015 ThreatConnect, Inc. All Rights Reserved • You’re mitigating issues across teams and sensors • Feedback loops: not just “red” feeding “blue” • Security becomes more proactive • Not an end state, but a modus operandi Awesome, how do I start? … It’s easier than you think.
  • 8. 8All material confidential and proprietary A METHODOLOGY IS NEEDED © 2015 ThreatConnect, Inc. All Rights Reserved • Simple framework • Ask questions to move from reactive to proactive state • Grow knowledge & understanding of relevant threats • Drive decisions for mitigation THE DIAMOND MODEL OF INTRUSION ANALYSIS:
  • 9. 9All material confidential and proprietary PUTTING THE METHODOLOGY TO WORK A Use Case © 2015 ThreatConnect, Inc. All Rights Reserved
  • 10. 10All material confidential and proprietary© 2015 ThreatConnect, Inc. All Rights Reserved An md5sum discovered during investigation d19ba12127f48a4341ce643c819052f6 1
  • 11. 11All material confidential and proprietary© 2015 ThreatConnect, Inc. All Rights Reserved An md5sum discovered during investigation d19ba12127f48a4341ce643c819052f6 1 2 Malware domains in C2 greensky27.vicp.net
  • 12. 12All material confidential and proprietary© 2015 ThreatConnect, Inc. All Rights Reserved 1 2 3 C2 contains IP addresses Clusters of IPs in ASNs in: Kunming, China; Bangkok, Thailand; Seoul, South Korea; etc. Malware domains in C2 greensky27.vicp.net An md5sum discovered during investigation d19ba12127f48a4341ce643c819052f6
  • 13. 13All material confidential and proprietary© 2015 ThreatConnect, Inc. All Rights Reserved An md5sum discovered during investigation a2378fd84cebe4b58c372d1c9b923542 3 Malware domains in C2 greensky27[.]vicp[.]net aseannew[.]8866[.]org myanmartech[.]vicp[.]net philnews[.]oicp[.]net thailand[.]vicp[.]net 4 C2 contains IP addresses Clusters of IPs in ASNs in: Kunming, China; Bangkok, Thailand; Seoul, South Korea; etc.
  • 14. 14All material confidential and proprietary© 2015 ThreatConnect, Inc. All Rights Reserved 35 Domains all used by common malware family NAIKON An md5sum discovered during investigation a2378fd84cebe4b58c372d1c9b923542 Malware domains in C2 greensky27[.]vicp[.]net aseannew[.]8866[.]org myanmartech[.]vicp[.]net philnews[.]oicp[.]net thailand[.]vicp[.]net 4 C2 contains IP addresses Clusters of IPs in ASNs in: Kunming, China; Bangkok, Thailand; Seoul, South Korea; etc.
  • 15. 15All material confidential and proprietary 3 Malware domains in C2 greensky27[.]vicp[.]net aseannew[.]8866[.]org myanmartech[.]vicp[.]net philnews[.]oicp[.]net thailand[.]vicp[.]net 4 5 Common targeting themes Southeast Asian decoy docs, most likely delivered in spearphishing attempts © 2015 ThreatConnect, Inc. All Rights Reserved 6 Domains all used by common malware family NAIKON An md5sum discovered during investigation a2378fd84cebe4b58c372d1c9b923542 C2 contains IP addresses Clusters of IPs in ASNs in: Kunming, China; Bangkok, Thailand; Seoul, South Korea; etc.
  • 16. 16All material confidential and proprietary STACK UP YOUR DIAMONDS C2 callbacks © 2015 ThreatConnect, Inc. All Rights Reserved
  • 17. 17All material confidential and proprietary INTELLIGENCE-DRIVEN SECURITY: BLOCK THE IPS? IPs are fleeting. Adversaries are focused. Diamonds are forever. © 2015 ThreatConnect, Inc. All Rights Reserved
  • 18. 18All material confidential and proprietary CONFLICT WITHIN THE SOUTH CHINA SEA WHO’S BEHIND NAIKON? Background • ⅓ of the world's oil / $5 trillion in global trade, energy-rich area • Multi-national dispute over territorial claims • China claims the most of the region; has been the most assertive • China’s cyber efforts support a robust political, economic, and military effort © 2015 ThreatConnect, Inc. All Rights Reserved
  • 19. THE PURPOSE OF INTELLIGENCE IS TO DRIVE DECISION ADVANTAGE ● What kind of decisions are you trying to make? ● Who is making those decisions? ● What processes need to be in place to support those decisions? ● How does the intelligence need to be delivered to be actionable?
  • 20. CONNECTED ON ONE PLATFORM: TI Team, SOC Team, IR Team, ISAC/ISAO, SIEM, IPS/IDS, End-Point Protection, Firewalls/UTM, Intelligence Feeds, Network Controls, Vulnerability Scanner, Web Proxy, Public Community, Private Community, CISO/CIO, C-Suite/Board
  • 21. Copyright © 2015 Splunk Inc. Operationalizing Threat Intelligence Demo
  • 22. The Power of Splunk: COLLECT DATA FROM ANYWHERE; SEARCH AND ANALYZE EVERYTHING; GAIN REAL-TIME OPERATIONAL INTELLIGENCE
  • 23. Why Splunk? FAST TIME-TO-VALUE; ONE PLATFORM, MULTIPLE USE CASES; VISIBILITY ACROSS STACK, NOT JUST SILOS; ASK ANY QUESTION OF DATA; ANY DATA, SOURCE OR DEPLOYMENT MODEL
  • 24. Turning Machine Data into Operational Intelligence. INDEX ANY MACHINE DATA: ANY SOURCE, TYPE, VOLUME: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID; On-Premises, Private Cloud, Public Cloud. GAIN REAL-TIME VISIBILITY: Application Delivery, Security and Compliance, IT Operations, Business Analytics, Internet of Things
  • 25–26. Delivers Value Across IT and the Business: IT Operations; Application Delivery; Developer Platform (REST API, SDKs); Business Analytics; Industrial Data and Internet of Things; Security, Compliance, and Fraud
  • 27. Splunk for Security: SECURITY APPS & ADD-ONS; SPLUNK ENTERPRISE SECURITY (SIEM, Security Analytics, Fraud); SPLUNK USER BEHAVIOR ANALYTICS; Platform for Security Services: Wire data, Windows, RDBMS (any) data, SIEM integration
  • 28. Developing Threat Intelligence - 3 Takeaways (Disruptive Security Operations): Track your adversary – not just alerts; Enrich event data to develop context; Develop your own threat intelligence
  • 29. Demo Scenarios: Enrich alerts with intel from ThreatConnect; Execute the Diamond Model in Splunk Enterprise Security; Create new threat intel using Splunk Enterprise Security
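The enrichment and Diamond Model pivots that slides 13 to 17 walk through and that slide 29 demos in Splunk Enterprise Security, shown as a small stand-alone script. This is an added example, not ThreatConnect's or Splunk's code and not the Splunk app for ThreatConnect. The indicator values (the md5sum and the five defanged C2 domains) are the ones on the slides; the key=value log lines, the host addresses, the 203.0.113.x C2 IPs and the field names are constructed placeholders. It matches raw events against the indicators, attaches the four Diamond vertices (adversary, capability, infrastructure, victim), and then groups victims by the C2 IP their callbacks resolved to, which is the "stack up your diamonds" pivot that makes a fleeting IP block useful context rather than the end of the analysis.

```python
"""Enrich raw events with Diamond Model context from a small threat-intel set.

Added example, not ThreatConnect's or Splunk's code. Indicator values come from
the slides; log lines, IP addresses and field names are constructed placeholders.
"""
import re
from collections import defaultdict

# Indicators from the slides, stored defanged as analysts normally share them.
NAIKON_INTEL = {
    "adversary": "Naikon",
    "capability": {
        "malware_family": "NAIKON",
        "md5": {"a2378fd84cebe4b58c372d1c9b923542"},
    },
    "infrastructure": {
        "domains": {
            "greensky27[.]vicp[.]net",
            "aseannew[.]8866[.]org",
            "myanmartech[.]vicp[.]net",
            "philnews[.]oicp[.]net",
            "thailand[.]vicp[.]net",
        },
    },
}

# Constructed sample events (proxy and endpoint sources) in key=value form.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges: placeholder IPs.
SAMPLE_EVENTS = [
    "2015-12-01T10:01:02Z src=10.0.0.5 dest_host=greensky27.vicp.net dest_ip=203.0.113.10 action=allowed",
    "2015-12-01T10:01:09Z src=10.0.0.7 dest_host=www.example.com dest_ip=198.51.100.3 action=allowed",
    "2015-12-01T10:02:15Z src=10.0.0.5 file_hash=A2378FD84CEBE4B58C372D1C9B923542 action=quarantined",
    "2015-12-01T10:03:00Z src=10.0.0.9 dest_host=THAILAND.vicp.net. dest_ip=203.0.113.10 action=allowed",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator):
    """Turn a defanged indicator back into its matchable, lower-cased form."""
    return indicator.replace("[.]", ".").lower()


def normalize_host(host):
    """Lower-case and strip a trailing dot so FQDN spellings compare equal."""
    return host.lower().rstrip(".")


def parse_event(line):
    """Parse 'timestamp key=value ...' into a dict; the timestamp becomes '_time'."""
    ts, _, rest = line.partition(" ")
    event = {"_time": ts}
    event.update(KV_RE.findall(rest))
    return event


def enrich(event, intel):
    """Attach Diamond Model vertices if the event touches a known indicator, else return None."""
    domains = {refang(d) for d in intel["infrastructure"]["domains"]}
    hashes = {h.lower() for h in intel["capability"]["md5"]}
    host = normalize_host(event.get("dest_host", ""))
    file_hash = event.get("file_hash", "").lower()
    diamond = None
    if host in domains:
        diamond = {"infrastructure": host, "matched_on": "dest_host"}
        if "dest_ip" in event:
            # The resolved C2 IP is infrastructure too; keeping it lets diamonds be stacked.
            diamond["infrastructure_ip"] = event["dest_ip"]
    elif file_hash in hashes:
        diamond = {"capability_hash": file_hash, "matched_on": "file_hash"}
    if diamond is None:
        return None
    diamond.update({
        "adversary": intel["adversary"],
        "capability": intel["capability"]["malware_family"],
        "victim": event.get("src"),
    })
    return {**event, "diamond": diamond}


def enrich_events(lines, intel=NAIKON_INTEL):
    """Return only the events that matched an indicator, each with its diamond attached."""
    hits = (enrich(parse_event(line), intel) for line in lines)
    return [h for h in hits if h is not None]


def stack_diamonds(enriched):
    """Group victims by the C2 IP their callbacks resolved to (the 'stack up your diamonds' pivot)."""
    by_ip = defaultdict(set)
    for ev in enriched:
        ip = ev["diamond"].get("infrastructure_ip")
        if ip:
            by_ip[ip].add(ev["diamond"]["victim"])
    return dict(by_ip)


if __name__ == "__main__":
    hits = enrich_events(SAMPLE_EVENTS)
    for hit in hits:
        print(hit["_time"], hit["diamond"])
    print("victims sharing C2 IPs:", stack_diamonds(hits))
```

Three of the four constructed events match (two C2 domains, one quarantined file hash); the benign www.example.com request is left untouched. The stacked view shows that 10.0.0.5 and 10.0.0.9 called back to the same C2 IP through different domains, which is the context an analyst needs before deciding whether a block on that IP is enough or whether the adversary's whole infrastructure cluster should be tracked.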
  • 37. Demo Review: Enrich alerts with intel from ThreatConnect; Execute the Diamond Model in Splunk Enterprise Security; Create new threat intel using Splunk Enterprise Security
  • 38. Developing Threat Intelligence - 3 Takeaways (Disruptive Security Operations): Track your adversary – not just alerts; Enrich event data to develop context; Develop your own threat intelligence
  • 39. Next Steps • Download Splunk: https://www.splunk.com • Splunk app for ThreatConnect: https://splunkbase.splunk.com/app/1893/ • Getting started and help: http://docs.splunk.com, https://answers.splunk.com/
  • 41. THANK YOU! • Download the full CAMERASHY report for free on www.threatconnect.com • Indicators shared in the common community & available to all Splunk users. The following incidents are associated with the Naikon threat: 20150730A: Satanserv Naikon Related APT; 20150619A: cmcsan Naikon APT; 20150617D: battale307 Naikon APT