Expert Threat Intelligence and Incident Response Specialist

Slide Note
Embed
Share

Experienced USMC Veteran with over 14 years in Information Technology/Security, specializing in Incident Response, Forensics, Threat Intelligence, and Offensive Security. Matt Nelson is a 2651 Secure Comms/Intel SysAdmin, offering a wealth of knowledge and expertise in the field.


Uploaded on Sep 28, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Threat Intel Capability Kick Start - Matt Nelson

  2. Quick Bio USMC Veteran 2651 Secure Comms/Intel SysAdmin +14 Years in Information Technology/Security Specialties: Incident Response/Forensics Threat Intelligence Offensive Security $dayjob = Senior Malware & Threat Intel Analyst $sidejob = AdroitSec LLC Principal/Consultant

  3. What well cover.. What Threat Intel is / does Managing Threat Intel Implementing Threat Intel Threat Intel & IR integration Threat Intel sharing

  4. What is Threat Intel?

  5. What your boss thinks Threat Intel is:

  6. What your Threat Intel probably is: Or

  7. Business Intelligence Business intelligence (BI) is the set of techniques and tools for the transformation of raw data into meaningful and useful information for business analysis purposes.

  8. What is Threat Intel (TI)? (depends on who you ask)

  9. Details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence's primary purpose is to inform business decisions regarding the risks and implications associated with threats. - Forrester

  10. Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject s response to that menace or hazard. -Gartner

  11. Threat Intel (TI) = Strategic: Context Motivations Capabilities Implications Actionable Advice Operational: Context Mechanisms Indicators Tactics Techniques Procedures

  12. Aspects of Threat Intel Aspects: Outside Inside Inside > Out

  13. Sources of Threat Intel Industry Sharing Groups Internal: ISACs (Ag, IT, Financial, etc.) Logs Government Network US-CERT, FBI, etc. Endpoints Org to Org partnerships Malware Analysis Vendors (data / analysis) Phishing Emails Open Source Past incidents

  14. Threat Data or Threat Intel?

  15. Threat Data Indicators of Compromise IPs Hashes Names Etc.. Threat Feeds Etc. IOCs Feeds Etc. .

  16. Pyramid of Pain David Bianco

  17. Threat Intel Analysis Analysis of: Internal Intel Threat Data External Intel Analysts analyze Automation and analytics can increase effectiveness IOCs Feeds Etc. Analysis

  18. What differentiates Threat Intel / Data? CONTEXT

  19. Context (via analysis) Target victim(s) Size Victim type Targeted or Spray Malware Custom or commodity Other orgs Target vertical Tools/Tactics/Procedures Intent of attack Passwords/Credentials Configurations Remove context and it is just data

  20. Caveat: External Analysis Supplemental Still requires analysis Application of context

  21. What Threat Intel Does Situational Awareness

  22. Situational Awareness Strategic: Risk Management Vulnerability Management Threat Modeling Tactical: Proactive/Reactive IR Threat Communications Breach Discovery Prevention Detection

  23. Managing Threat Intel

  24. Day in the life Attack Vector Malware Analysis Incident Response Course of Action Asset Tracking Mitigating Controls Open Source Analysis Email Analysis Executive Briefs Analyst Data Correlation SIEM Shared Threat Intelligence Attacker TTPs Protocol Analysis H/T: ThreatConnect

  25. Threat Intel Platform (TIP) Organization of threat data Contextualize threat data Draw relationships Historical Perspective Automate in parallel with other tools

  26. Threat Intel Platform (TIP) Open Source: Commercial: CRITs ThreatConnect Soltra ThreatStream MANTIS RecordedFuture Etc. Etc.

  27. Implementing Threat Intel

  28. Threat Intel as Component/Program Component of bigger strategy Parallel/Integral to other capabilities Place it properly Threat Intel could be it s own Program

  29. Detection & Response Network OSINT Firewall IPS/IDS Threat Research Web Gateway Threat Intel Program SIEM External Intelligence Services HIDs/HIPs Anti-Virus DLP ISACs Governance / Resistance Endpoint

  30. Implementing Threat Intel Define the goals of TI for the organization. Define how you will leverage TI to accomplish those goals. Make it Actionable Realize that threat TI is 80% internal 20% external (relative to your business)

  31. Actionable Intelligence Analysis Know your: Assets Infrastructure Personnel Business operations Weaknesses/Entry Points

  32. Actionable Intelligence Analysis Know: How to apply threat intel (or not) Where to apply (capabilities) How & who to communicate to May not be a technical application

  33. Actionable Intelligence Application (Tactical) Apply to Infrastructure: SIEM/Log Management Network Security Monitoring Firewalls Proxies Mail Gateways Training/Communication

  34. Actionable Intelligence Application (Strategic) Apply to security program: Org Threat Modeling Risk Management Security Planning

  35. Integration: Threat Intel & Incident Response

  36. "A shiny threat intel capability without a mature IR capability is like putting a big ole fancy spoiler on a stock 4 cyl Dodge Neon. - @mattnels

  37. Proactive vs. Reactive IR Hunting for breaches / incidents / anomalies Identifying avenues of attack and addressing Detecting shifts of attack

  38. Ops Security reviews Identity mgmt Security design/reqs Vuln Mgmt Security Operations Policy Risk Management Security program design Compliance Reporting Audit Plan Resist IR Detect Analysis Verification Containment Remediation CSIRT Visibility SIEM/Logs Network Hosts Threat Intel IR

  39. Active Cyber Defense Model Threat Intelligence Consumption Threat & Environment Manipulation Asset Classification and Security Monitoring Incident Response Source: RecordedFuture.com Robert Lee

  40. TI/IR Focal Points Logs Focal points: Logs Network Endpoint Threat Intel Network Endpoint Threat Intel

  41. Kill Chain & Focal Points Threat Intel Network Endpoint Delivery Exploitation C2 Exfiltration Weaponization Recon Threat Intel Threat Intel Logs

  42. Threat Intel Sharing

  43. Advantages of Sharing Benevolence: Greater Good Self-Interested: Give some to get some Scope, Relevancy, Context, Breadth, Capabilities

  44. Ways to share Vertical/Industry sharing groups ISACs (Ag, IT, Financial, Edu, etc.) Government US-CERT, FBI Infragard, etc. Org to Org partnerships Vendor(s)

  45. Sharing Strategy Define a sharing strategy (TLP class) Sanitize Targeted sharing No regurgitation (unique data) Ingestible, concise/clear

  46. Wrap-up Define your goals Collect relevant TI Analysis / Context Make Actionable/apply it Share your Intel

  47. Questions? Contact info: Email: mattnels@adroitsec.com Twitter: @mattnels

Related


More Related Content