SlideShare ist ein Scribd-Unternehmen logo

David Bianco - Enterprise Security Monitoring

•
•
B
bsidesaugusta
TechnologieDesign
1 von 31
PRESENTED BY: Š Mandiant Corporation. All rights reserved. Enterprise Security Monitoring Comprehensive Intel-Driven Detection David J. Bianco David.Bianco@mandiant.com BSIDES AUGUSTA 14 SEPTEMBER, 2013
© Mandiant Corporation. All rights reserved. First there was… 2
© Mandiant Corporation. All rights reserved. Then there was… 3
© Mandiant Corporation. All rights reserved. Now there is… 4 Enterprise Security Monitoring (ESM)
Š Mandiant Corporation. All rights reserved. Enterprise Security Monitoring 5 ESM
© Mandiant Corporation. All rights reserved.   Increased visibility across the entire organization   Get more value out of existing systems   Data aggregation is “hunter friendly”   Better organization around:   Detection platform coverage   Detection planning   General   Threat-specific   Prioritization of detection resources   Quicker, more accurate incident detection and response   Leverage your detection/response infra as an offensive capability Benefits of Enterprise Security Monitoring 6
Š Mandiant Corporation. All rights reserved. Intel Lifecycle 7 Research AnalyzeConclude
Š Mandiant Corporation. All rights reserved. Detection Process 8 Observe Compare Alert Validate
Š Mandiant Corporation. All rights reserved. Response Cycle 9 Contain InvestigateRemediate
Š Mandiant Corporation. All rights reserved. Intel-Driven Operations Process 10 Research AnalyzeConclude Observe Compare Alert Validate Contain InvestigateRemediate Indicators Alerts Intel DB Detect DB Respond DB Feedback Feedback
Š Mandiant Corporation. All rights reserved. Intel-Driven Detection 11 Enterprise Security Monitor Intel NSM / IDS Detection Processing Sigs Intel Analysts Alerts&Queries Firewalls Routers Switches OS Logs App Logs Proxy Logs Web Logs Antivirus HIDS/HIPS Other Enterprise Data
Š Mandiant Corporation. All rights reserved. What is an indicator? 12 A piece of information that points to a certain conclusion
© Mandiant Corporation. All rights reserved. What it is not 13 ≠
Š Mandiant Corporation. All rights reserved. Common Indicator Data Types 14 IPv4 Address Domain / FQDN Hash (MD5, SHA1) URL Transaction Element (User- Agent, MTA) File Name / Path Mutex Registry Value User Name Email Address
Š Mandiant Corporation. All rights reserved. Indicator Characteristics 15 Extractable Can I find this indicator in my data? Purposeful To what use will I put this indicator? Actionable If I find this indicator in my data, can I do something with that information?
© Mandiant Corporation. All rights reserved. Attribution •  Who/what is responsible for this activity? Detection •  If this event happens, I want to know about it. Profiling •  What are the targeting parameters for this threat? Prediction •  Given the current state, what can I expect from this threat in the future? Indicator Purposes 16
© Mandiant Corporation. All rights reserved. The Kill Chain 17 Reconaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives “a systematic process to target and engage an adversary to create desired effects.” Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked August 2013)
Š Mandiant Corporation. All rights reserved. Mandiant Attack Lifecycle Diagram 18
Š Mandiant Corporation. All rights reserved. The Pyramid of Pain 19
© Mandiant Corporation. All rights reserved. I don’t have a cool name for this. “Bed of Nails”? 20 Reconaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives
© Mandiant Corporation. All rights reserved.   What scenarios do we need to be able to detect?   What are our options for detecting them?   What are the strengths and weaknesses of our detection program today?   What is our detection stance against specific actors?   What is our overall plan for detection across our enterprise? Intel-Driven Detection Planning 21
© Mandiant Corporation. All rights reserved. What scenarios do we need to be able to detect? 22 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
© Mandiant Corporation. All rights reserved. Detection Options - Snort 23 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
© Mandiant Corporation. All rights reserved. Detection Options - HIPS 24 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
© Mandiant Corporation. All rights reserved. Detection Options - MIR 25 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
© Mandiant Corporation. All rights reserved. Score Card: Use of Available Indicators 26 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
© Mandiant Corporation. All rights reserved. Score Card: Pyramid Effectiveness of Indicators 27 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
© Mandiant Corporation. All rights reserved. Score Card: Effectiveness Against APT-π 28 Reconaissance • URI – Domain Name • Address - ipv4-addr Weaponization Delivery • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
Š Mandiant Corporation. All rights reserved. Enterprise Detection Plan 29
© Mandiant Corporation. All rights reserved.   NSM:IDS :: ESM:NSM   Collect and aggregate across your entire enterprise   Increased visibility   Maximum use of resources   Better for “hunting”   Organize intel for for better program insights   Big improvements in detection & response capabilities for minimal investment   Smart detection makes for frustrated adversaries! Summary 30
Š Mandiant Corporation. All rights reserved. Questions? 31 David J. Bianco David.Bianco@mandiant.com detect-respond.blogspot.com

Empfohlen

Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentStefano Maccaglia
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...PROIDEA
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 

Empfohlen

Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentStefano Maccaglia
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...PROIDEA
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentInfocyte
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
 
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE - ATT&CKcon
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE - ATT&CKcon
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...MITRE - ATT&CKcon
 
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...Chi En (Ashley) Shen
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Confusion and deception new tools for data protection
Confusion and deception new tools for data protectionConfusion and deception new tools for data protection
Confusion and deception new tools for data protectionPriyanka Aash
 
Hunt down the evil of your infrastructure
Hunt down the evil of your infrastructureHunt down the evil of your infrastructure
Hunt down the evil of your infrastructureBangladesh Network Operators Group
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...AlienVault
 
IOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareIOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareSai Kesavamatham
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE - ATT&CKcon
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...CODE BLUE
 
State of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power HourState of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power HourAdam Pennington
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE - ATT&CKcon
 
SAMT 2009 Johan Oomen
SAMT 2009 Johan OomenSAMT 2009 Johan Oomen
SAMT 2009 Johan OomenJohan Oomen
 
EuropeanaTECH Conference ~ Distributed Community Empowerment
EuropeanaTECH Conference ~ Distributed Community EmpowermentEuropeanaTECH Conference ~ Distributed Community Empowerment
EuropeanaTECH Conference ~ Distributed Community EmpowermentJohan Oomen
 

Weitere ähnliche Inhalte

Was ist angesagt?

No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentInfocyte
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) MITRE ATT&CK
 
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE - ATT&CKcon
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE - ATT&CKcon
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...MITRE - ATT&CKcon
 
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...Chi En (Ashley) Shen
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Confusion and deception new tools for data protection
Confusion and deception new tools for data protectionConfusion and deception new tools for data protection
Confusion and deception new tools for data protectionPriyanka Aash
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...AlienVault
 
IOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareIOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareSai Kesavamatham
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE - ATT&CKcon
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...CODE BLUE
 
State of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power HourState of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power HourAdam Pennington
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE - ATT&CKcon
 

Was ist angesagt? (20)

No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
The New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise AssessmentThe New Pentest? Rise of the Compromise Assessment
The New Pentest? Rise of the Compromise Assessment
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
 
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - December
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
 
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Confusion and deception new tools for data protection
Confusion and deception new tools for data protectionConfusion and deception new tools for data protection
Confusion and deception new tools for data protection
 
Hunt down the evil of your infrastructure
Hunt down the evil of your infrastructureHunt down the evil of your infrastructure
Hunt down the evil of your infrastructure
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
 
IOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareIOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshare
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
 
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
 
State of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power HourState of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power Hour
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
 

Andere mochten auch

SAMT 2009 Johan Oomen
SAMT 2009 Johan OomenSAMT 2009 Johan Oomen
SAMT 2009 Johan OomenJohan Oomen
 
EuropeanaTECH Conference ~ Distributed Community Empowerment
EuropeanaTECH Conference ~ Distributed Community EmpowermentEuropeanaTECH Conference ~ Distributed Community Empowerment
EuropeanaTECH Conference ~ Distributed Community EmpowermentJohan Oomen
 
Inside Papyrus Webrepository - Technology Innovation Brochure by ISIS Papyrus...
Inside Papyrus Webrepository - Technology Innovation Brochure by ISIS Papyrus...Inside Papyrus Webrepository - Technology Innovation Brochure by ISIS Papyrus...
Inside Papyrus Webrepository - Technology Innovation Brochure by ISIS Papyrus...ISIS Papyrus Software
 
TOPdesk, SEE what's new - SEE 2016
TOPdesk, SEE what's new - SEE 2016TOPdesk, SEE what's new - SEE 2016
TOPdesk, SEE what's new - SEE 2016TOPdesk
 
Escape the Complexity - Technology Innovation Brochure by ISIS Papyrus Software
Escape the Complexity - Technology Innovation Brochure by ISIS Papyrus SoftwareEscape the Complexity - Technology Innovation Brochure by ISIS Papyrus Software
Escape the Complexity - Technology Innovation Brochure by ISIS Papyrus SoftwareISIS Papyrus Software
 
AMIA Johan Oomen Final
AMIA Johan Oomen FinalAMIA Johan Oomen Final
AMIA Johan Oomen FinalJohan Oomen
 
Spider man
Spider manSpider man
Spider man144103
 
MFW12: Dirk deRoos (IBM)
MFW12: Dirk deRoos (IBM)MFW12: Dirk deRoos (IBM)
MFW12: Dirk deRoos (IBM)Media Perspectives
 
Met kennisbeheer op weg naar service excellence - SEE 2016
Met kennisbeheer op weg naar service excellence - SEE 2016Met kennisbeheer op weg naar service excellence - SEE 2016
Met kennisbeheer op weg naar service excellence - SEE 2016TOPdesk
 
Het servicedesk HR binnen Philadelphia - SEE 2016
Het servicedesk HR binnen Philadelphia - SEE 2016Het servicedesk HR binnen Philadelphia - SEE 2016
Het servicedesk HR binnen Philadelphia - SEE 2016TOPdesk
 
Met kennisbeheer naar service excellence op de supportafdeling van TOPdesk - ...
Met kennisbeheer naar service excellence op de supportafdeling van TOPdesk - ...Met kennisbeheer naar service excellence op de supportafdeling van TOPdesk - ...
Met kennisbeheer naar service excellence op de supportafdeling van TOPdesk - ...TOPdesk
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
Process.gov - Elements of Adaptive Case Management
Process.gov - Elements of Adaptive Case ManagementProcess.gov - Elements of Adaptive Case Management
Process.gov - Elements of Adaptive Case Managementmjpucher
 
Canterbury Tales Review
Canterbury Tales ReviewCanterbury Tales Review
Canterbury Tales ReviewFranklin Local
 
Infographic – Sales Growth: Five proven strategies
Infographic – Sales Growth: Five proven strategiesInfographic – Sales Growth: Five proven strategies
Infographic – Sales Growth: Five proven strategiesMcKinsey on Marketing & Sales
 

Andere mochten auch (18)

SAMT 2009 Johan Oomen
SAMT 2009 Johan OomenSAMT 2009 Johan Oomen
SAMT 2009 Johan Oomen
 
EuropeanaTECH Conference ~ Distributed Community Empowerment
EuropeanaTECH Conference ~ Distributed Community EmpowermentEuropeanaTECH Conference ~ Distributed Community Empowerment
EuropeanaTECH Conference ~ Distributed Community Empowerment
 
Inside Papyrus Webrepository - Technology Innovation Brochure by ISIS Papyrus...
Inside Papyrus Webrepository - Technology Innovation Brochure by ISIS Papyrus...Inside Papyrus Webrepository - Technology Innovation Brochure by ISIS Papyrus...
Inside Papyrus Webrepository - Technology Innovation Brochure by ISIS Papyrus...
 
Doc1
Doc1Doc1
Doc1
 
Protection Equipment in a Power Station
Protection Equipment in a Power StationProtection Equipment in a Power Station
Protection Equipment in a Power Station
 
TOPdesk, SEE what's new - SEE 2016
TOPdesk, SEE what's new - SEE 2016TOPdesk, SEE what's new - SEE 2016
TOPdesk, SEE what's new - SEE 2016
 
Escape the Complexity - Technology Innovation Brochure by ISIS Papyrus Software
Escape the Complexity - Technology Innovation Brochure by ISIS Papyrus SoftwareEscape the Complexity - Technology Innovation Brochure by ISIS Papyrus Software
Escape the Complexity - Technology Innovation Brochure by ISIS Papyrus Software
 
AMIA Johan Oomen Final
AMIA Johan Oomen FinalAMIA Johan Oomen Final
AMIA Johan Oomen Final
 
Spider man
Spider manSpider man
Spider man
 
MFW12: Dirk deRoos (IBM)
MFW12: Dirk deRoos (IBM)MFW12: Dirk deRoos (IBM)
MFW12: Dirk deRoos (IBM)
 
Met kennisbeheer op weg naar service excellence - SEE 2016
Met kennisbeheer op weg naar service excellence - SEE 2016Met kennisbeheer op weg naar service excellence - SEE 2016
Met kennisbeheer op weg naar service excellence - SEE 2016
 
Het servicedesk HR binnen Philadelphia - SEE 2016
Het servicedesk HR binnen Philadelphia - SEE 2016Het servicedesk HR binnen Philadelphia - SEE 2016
Het servicedesk HR binnen Philadelphia - SEE 2016
 
Met kennisbeheer naar service excellence op de supportafdeling van TOPdesk - ...
Met kennisbeheer naar service excellence op de supportafdeling van TOPdesk - ...Met kennisbeheer naar service excellence op de supportafdeling van TOPdesk - ...
Met kennisbeheer naar service excellence op de supportafdeling van TOPdesk - ...
 
งานบวชปากเซ
งานบวชปากเซงานบวชปากเซ
งานบวชปากเซ
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
 
Process.gov - Elements of Adaptive Case Management
Process.gov - Elements of Adaptive Case ManagementProcess.gov - Elements of Adaptive Case Management
Process.gov - Elements of Adaptive Case Management
 
Canterbury Tales Review
Canterbury Tales ReviewCanterbury Tales Review
Canterbury Tales Review
 
Infographic – Sales Growth: Five proven strategies
Infographic – Sales Growth: Five proven strategiesInfographic – Sales Growth: Five proven strategies
Infographic – Sales Growth: Five proven strategies
 

Ähnlich wie David Bianco - Enterprise Security Monitoring

RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKAdam Pennington
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Robert Brandel
 
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...Cloudera, Inc.
 
The Internal Signs of Compromise
The Internal Signs of CompromiseThe Internal Signs of Compromise
The Internal Signs of CompromiseFireEye, Inc.
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
Big Data Analytics to Enhance Security
Big Data Analytics to Enhance SecurityBig Data Analytics to Enhance Security
Big Data Analytics to Enhance SecurityData Science Thailand
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session Splunk
 
Symantec Webinar | How to ďťżDetect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to ďťżDetect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to ďťżDetect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to ďťżDetect Targeted Ransomware with MITRE ATT&CKSymantec
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & ResponseHarry McLaren
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromPROIDEA
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington
 
Continuous Monitoring Deck
Continuous Monitoring DeckContinuous Monitoring Deck
Continuous Monitoring DeckBrian Fennimore
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdStrike
 
WHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & HandlingWHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & HandlingAPNIC
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 

Ähnlich wie David Bianco - Enterprise Security Monitoring (20)

RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
 
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
 
The Internal Signs of Compromise
The Internal Signs of CompromiseThe Internal Signs of Compromise
The Internal Signs of Compromise
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
Big Data Analytics to Enhance Security
Big Data Analytics to Enhance SecurityBig Data Analytics to Enhance Security
Big Data Analytics to Enhance Security
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session
 
Symantec Webinar | How to ďťżDetect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to ďťżDetect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to ďťżDetect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to ďťżDetect Targeted Ransomware with MITRE ATT&CK
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & Response
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin Nystrom
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
Continuous Monitoring Deck
Continuous Monitoring DeckContinuous Monitoring Deck
Continuous Monitoring Deck
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the Indicator
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
WHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & HandlingWHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & Handling
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 

Mehr von bsidesaugusta

Ron Martin - Human Shields for your Network
Ron Martin - Human Shields for your NetworkRon Martin - Human Shields for your Network
Ron Martin - Human Shields for your Networkbsidesaugusta
 
Not Big Data, AnyData
Not Big Data, AnyData Not Big Data, AnyData
Not Big Data, AnyData bsidesaugusta
 
Eyeing the Onion
Eyeing the OnionEyeing the Onion
Eyeing the Onionbsidesaugusta
 
Security Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesSecurity Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesbsidesaugusta
 
Paul Coggin - Digital Energy BPT (Basic Persistent Threat)
Paul Coggin - Digital Energy BPT (Basic Persistent Threat)Paul Coggin - Digital Energy BPT (Basic Persistent Threat)
Paul Coggin - Digital Energy BPT (Basic Persistent Threat)bsidesaugusta
 

Mehr von bsidesaugusta (6)

Ron Martin - Human Shields for your Network
Ron Martin - Human Shields for your NetworkRon Martin - Human Shields for your Network
Ron Martin - Human Shields for your Network
 
EMET
EMETEMET
EMET
 
Not Big Data, AnyData
Not Big Data, AnyData Not Big Data, AnyData
Not Big Data, AnyData
 
Eyeing the Onion
Eyeing the OnionEyeing the Onion
Eyeing the Onion
 
Security Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesSecurity Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutes
 
Paul Coggin - Digital Energy BPT (Basic Persistent Threat)
Paul Coggin - Digital Energy BPT (Basic Persistent Threat)Paul Coggin - Digital Energy BPT (Basic Persistent Threat)
Paul Coggin - Digital Energy BPT (Basic Persistent Threat)
 

KĂźrzlich hochgeladen

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel AraĂşjo
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

KĂźrzlich hochgeladen (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

David Bianco - Enterprise Security Monitoring

  • 1. PRESENTED BY: Š Mandiant Corporation. All rights reserved. Enterprise Security Monitoring Comprehensive Intel-Driven Detection David J. Bianco David.Bianco@mandiant.com BSIDES AUGUSTA 14 SEPTEMBER, 2013
  • 2. Š Mandiant Corporation. All rights reserved. First there was… 2
  • 3. Š Mandiant Corporation. All rights reserved. Then there was… 3
  • 4. Š Mandiant Corporation. All rights reserved. Now there is… 4 Enterprise Security Monitoring (ESM)
  • 5. Š Mandiant Corporation. All rights reserved. Enterprise Security Monitoring 5 ESM
  • 6. Š Mandiant Corporation. All rights reserved.   Increased visibility across the entire organization   Get more value out of existing systems   Data aggregation is “hunter friendly”   Better organization around:   Detection platform coverage   Detection planning   General   Threat-specific   Prioritization of detection resources   Quicker, more accurate incident detection and response   Leverage your detection/response infra as an offensive capability Benefits of Enterprise Security Monitoring 6
  • 7. Š Mandiant Corporation. All rights reserved. Intel Lifecycle 7 Research AnalyzeConclude
  • 8. Š Mandiant Corporation. All rights reserved. Detection Process 8 Observe Compare Alert Validate
  • 9. Š Mandiant Corporation. All rights reserved. Response Cycle 9 Contain InvestigateRemediate
  • 10. Š Mandiant Corporation. All rights reserved. Intel-Driven Operations Process 10 Research AnalyzeConclude Observe Compare Alert Validate Contain InvestigateRemediate Indicators Alerts Intel DB Detect DB Respond DB Feedback Feedback
  • 11. Š Mandiant Corporation. All rights reserved. Intel-Driven Detection 11 Enterprise Security Monitor Intel NSM / IDS Detection Processing Sigs Intel Analysts Alerts&Queries Firewalls Routers Switches OS Logs App Logs Proxy Logs Web Logs Antivirus HIDS/HIPS Other Enterprise Data
  • 12. Š Mandiant Corporation. All rights reserved. What is an indicator? 12 A piece of information that points to a certain conclusion
  • 13. Š Mandiant Corporation. All rights reserved. What it is not 13 ≠
  • 14. Š Mandiant Corporation. All rights reserved. Common Indicator Data Types 14 IPv4 Address Domain / FQDN Hash (MD5, SHA1) URL Transaction Element (User- Agent, MTA) File Name / Path Mutex Registry Value User Name Email Address
  • 15. Š Mandiant Corporation. All rights reserved. Indicator Characteristics 15 Extractable Can I find this indicator in my data? Purposeful To what use will I put this indicator? Actionable If I find this indicator in my data, can I do something with that information?
  • 16. Š Mandiant Corporation. All rights reserved. Attribution •  Who/what is responsible for this activity? Detection •  If this event happens, I want to know about it. Profiling •  What are the targeting parameters for this threat? Prediction •  Given the current state, what can I expect from this threat in the future? Indicator Purposes 16
  • 17. Š Mandiant Corporation. All rights reserved. The Kill Chain 17 Reconaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives “a systematic process to target and engage an adversary to create desired effects.” Source: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked August 2013)
  • 18. Š Mandiant Corporation. All rights reserved. Mandiant Attack Lifecycle Diagram 18
  • 19. Š Mandiant Corporation. All rights reserved. The Pyramid of Pain 19
  • 20. Š Mandiant Corporation. All rights reserved. I don’t have a cool name for this. “Bed of Nails”? 20 Reconaissance Weaponization Delivery Exploitation Installation Command & Control (C2) Actions on Objectives
  • 21. Š Mandiant Corporation. All rights reserved.   What scenarios do we need to be able to detect?   What are our options for detecting them?   What are the strengths and weaknesses of our detection program today?   What is our detection stance against specific actors?   What is our overall plan for detection across our enterprise? Intel-Driven Detection Planning 21
  • 22. Š Mandiant Corporation. All rights reserved. What scenarios do we need to be able to detect? 22 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  • 23. Š Mandiant Corporation. All rights reserved. Detection Options - Snort 23 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  • 24. Š Mandiant Corporation. All rights reserved. Detection Options - HIPS 24 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  • 25. Š Mandiant Corporation. All rights reserved. Detection Options - MIR 25 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  • 26. Š Mandiant Corporation. All rights reserved. Score Card: Use of Available Indicators 26 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  • 27. Š Mandiant Corporation. All rights reserved. Score Card: Pyramid Effectiveness of Indicators 27 Reconaissance • File - Name • File • URI - URL • HTTP - GET • HTTP - User Agent String • URI - Domain Name • Address - e-mail • Address - ipv4-addr Weaponization • File • File - Path • URI - URL Delivery • Behavior • File - Full Path • File - Name • File • URI - URL • HTTP - POST • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Behavior • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Hash - SSDEEP • Address - e-mail • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  • 28. Š Mandiant Corporation. All rights reserved. Score Card: Effectiveness Against APT-π 28 Reconaissance • URI – Domain Name • Address - ipv4-addr Weaponization Delivery • Email Header - Subject • Email Header - X- Mailer • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - e-mail • Address - ipv4-addr Exploitation • Win Registry Key • File - Name • File • URI - URL • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - cidr • Address - ipv4-addr Installation • Code - Binary_Code • Win Process • Win Registry Key • File - Full Path • File - Name • File • File - Path • URI - URL • HTTP - GET • HTTP - User Agent String • Streetname - McAfee • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr Command & Control (C2) • Behavior • Win Process • Win Registry Key • File • URI - URL • HTTP - GET • HTTP - POST • HTTP - User Agent String • URI - Domain Name • Hash - MD5 • Address - e-mail • Address - ipv4-addr Actions on Objectives • Behavior • Win Registry Key • Win Service • File - Full Path • File - Name • File • File - Path • URI - URL • Streetname - Sophos • URI - Domain Name • Hash - MD5 • Hash - SHA1 • Address - ipv4-addr
  • 29. Š Mandiant Corporation. All rights reserved. Enterprise Detection Plan 29
  • 30. Š Mandiant Corporation. All rights reserved.   NSM:IDS :: ESM:NSM   Collect and aggregate across your entire enterprise   Increased visibility   Maximum use of resources   Better for “hunting”   Organize intel for for better program insights   Big improvements in detection & response capabilities for minimal investment   Smart detection makes for frustrated adversaries! Summary 30
  • 31. Š Mandiant Corporation. All rights reserved. Questions? 31 David J. Bianco David.Bianco@mandiant.com detect-respond.blogspot.com