Expert Threat Intelligence and Incident Response Specialist


Experienced USMC Veteran with over 14 years in Information Technology/Security, specializing in Incident Response, Forensics, Threat Intelligence, and Offensive Security. Matt Nelson is a 2651 Secure Comms/Intel SysAdmin, offering a wealth of knowledge and expertise in the field.


Uploaded on Sep 28, 2024



Presentation Transcript


  1. Threat Intel Capability Kick Start - Matt Nelson

  2. Quick Bio
      USMC Veteran, 2651 Secure Comms/Intel SysAdmin
      +14 Years in Information Technology/Security
      Specialties: Incident Response/Forensics, Threat Intelligence, Offensive Security
      $dayjob = Senior Malware & Threat Intel Analyst
      $sidejob = AdroitSec LLC Principal/Consultant

  3. What we'll cover:
      What Threat Intel is / does
      Managing Threat Intel
      Implementing Threat Intel
      Threat Intel & IR integration
      Threat Intel sharing

  4. What is Threat Intel?

  5. What your boss thinks Threat Intel is:

  6. What your Threat Intel probably is: (image) or (image)

  7. Business Intelligence Business intelligence (BI) is the set of techniques and tools for the transformation of raw data into meaningful and useful information for business analysis purposes.

  8. What is Threat Intel (TI)? (depends on who you ask)

  9. Details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence's primary purpose is to inform business decisions regarding the risks and implications associated with threats. - Forrester

  10. Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. - Gartner

  11. Threat Intel (TI) =
      Strategic: Context, Motivations, Capabilities, Implications, Actionable Advice
      Operational: Context, Mechanisms, Indicators, Tactics, Techniques, Procedures

  12. Aspects of Threat Intel
      Aspects: Outside, Inside, Inside > Out

  13. Sources of Threat Intel
      External: Industry Sharing Groups (ISACs: Ag, IT, Financial, etc.), Government (US-CERT, FBI, etc.), Org to Org partnerships, Vendors (data / analysis), Open Source
      Internal: Logs, Network, Endpoints, Malware Analysis, Phishing Emails, Past incidents

  14. Threat Data or Threat Intel?

  15. Threat Data
      Indicators of Compromise: IPs, Hashes, Names, etc.
      Threat Feeds, etc.

  16. Pyramid of Pain (David Bianco)

  17. Threat Intel Analysis
      Analysis of: Internal Intel, Threat Data, External Intel
      Analysts analyze; automation and analytics can increase effectiveness

  18. What differentiates Threat Intel / Data? CONTEXT

  19. Context (via analysis)
      Target victim(s): Size, Victim type, Targeted or Spray
      Malware: Custom or commodity
      Other orgs, Target vertical
      Tools/Tactics/Procedures
      Intent of attack
      Passwords/Credentials
      Configurations
      Remove context and it is just data

  20. Caveat: External Analysis
      Supplemental
      Still requires analysis
      Application of context

  21. What Threat Intel Does Situational Awareness

  22. Situational Awareness
      Strategic: Risk Management, Vulnerability Management, Threat Modeling
      Tactical: Proactive/Reactive IR, Threat Communications, Breach Discovery, Prevention, Detection

  23. Managing Threat Intel

  24. Day in the life (H/T: ThreatConnect)
      Attack Vector, Malware Analysis, Incident Response, Course of Action, Asset Tracking, Mitigating Controls, Open Source Analysis, Email Analysis, Executive Briefs, Analyst, Data Correlation, SIEM, Shared Threat Intelligence, Attacker TTPs, Protocol Analysis

  25. Threat Intel Platform (TIP)
      Organization of threat data
      Contextualize threat data
      Draw relationships
      Historical perspective
      Automate in parallel with other tools

  26. Threat Intel Platform (TIP)
      Open Source: CRITs, Soltra, MANTIS, etc.
      Commercial: ThreatConnect, ThreatStream, RecordedFuture, etc.

  27. Implementing Threat Intel

  28. Threat Intel as Component/Program
      Component of a bigger strategy
      Parallel/Integral to other capabilities
      Place it properly
      Threat Intel could be its own Program

  29. (Diagram) Threat Intel Program, fed by OSINT, Threat Research, External Intelligence Services, ISACs
      Detection & Response: Network (Firewall, IPS/IDS, Web Gateway, SIEM), Endpoint (HIDs/HIPs, Anti-Virus, DLP)
      Governance / Resistance

  30. Implementing Threat Intel
      Define the goals of TI for the organization.
      Define how you will leverage TI to accomplish those goals.
      Make it actionable.
      Realize that TI is 80% internal, 20% external (relative to your business).

  31. Actionable Intelligence: Analysis
      Know your: Assets, Infrastructure, Personnel, Business operations, Weaknesses/Entry Points

  32. Actionable Intelligence: Analysis
      Know: How to apply threat intel (or not), Where to apply (capabilities), How & who to communicate to
      May not be a technical application

  33. Actionable Intelligence: Application (Tactical)
      Apply to Infrastructure: SIEM/Log Management, Network Security Monitoring, Firewalls, Proxies, Mail Gateways, Training/Communication

  34. Actionable Intelligence: Application (Strategic)
      Apply to security program: Org Threat Modeling, Risk Management, Security Planning

  35. Integration: Threat Intel & Incident Response

  36. "A shiny threat intel capability without a mature IR capability is like putting a big ole fancy spoiler on a stock 4 cyl Dodge Neon." - @mattnels

  37. Proactive vs. Reactive IR
      Hunting for breaches / incidents / anomalies
      Identifying avenues of attack and addressing them
      Detecting shifts of attack

  38. (Diagram) Security program phases: Plan, Resist, Detect, IR
      Labels: Ops Security reviews, Identity mgmt, Security design/reqs, Vuln Mgmt, Security Operations, Policy, Risk Management, Security program design, Compliance, Reporting, Audit, Analysis, Verification, Containment, Remediation, CSIRT, Visibility, SIEM/Logs, Network, Hosts, Threat Intel

  39. Active Cyber Defense Model (Robert Lee; source: RecordedFuture.com)
      Threat Intelligence Consumption
      Threat & Environment Manipulation
      Asset Classification and Security Monitoring
      Incident Response

  40. TI/IR Focal Points
      Focal points: Logs, Network, Endpoint, Threat Intel

  41. Kill Chain & Focal Points
      Kill chain stages: Recon, Weaponization, Delivery, Exploitation, C2, Exfiltration
      Focal points: Threat Intel, Network, Endpoint, Logs

  42. Threat Intel Sharing

  43. Advantages of Sharing
      Benevolence: Greater Good
      Self-Interested: Give some to get some
      Scope, Relevancy, Context, Breadth, Capabilities

  44. Ways to share
      Vertical/Industry sharing groups: ISACs (Ag, IT, Financial, Edu, etc.)
      Government: US-CERT, FBI Infragard, etc.
      Org to Org partnerships
      Vendor(s)

  45. Sharing Strategy
      Define a sharing strategy (TLP class)
      Sanitize
      Targeted sharing
      No regurgitation (unique data)
      Ingestible, concise/clear
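The sharing strategy slide above lists TLP marking, sanitization, unique data and a concise, ingestible format. The following is an added example (not from the talk) of one way to implement those points in Python: it drops the organisation's own assets and victim details, skips indicators already in a public feed, and marks the output with a TLP class. The incident record, the public feed, the address ranges and the hostname scheme are all constructed for the example.

```python
import ipaddress
import re

# Constructed internal incident record (not real data).
INCIDENT = {
    "id": "IR-2024-0042",
    "tlp": "TLP:RED",                      # internal-only handling marking
    "summary": "Phishing led to credential theft on workstation WS-FIN-07 (user jdoe).",
    "victim_hosts": ["WS-FIN-07", "FS-01"],  # internal context: never leaves the org
    "victim_users": ["jdoe"],
    "indicators": [
        {"type": "ip", "value": "10.20.30.40"},          # our own host, not an IOC
        {"type": "ip", "value": "203.0.113.55"},         # attacker C2 (documentation range)
        {"type": "domain", "value": "login-portal.example"},
        {"type": "sha256", "value": "a" * 64},           # unique to this incident
        {"type": "sha256", "value": "b" * 64},           # already in a public feed
    ],
    "ttps": ["spearphishing attachment", "credential dumping"],
}
# Constructed "already public" set: re-sharing these would be regurgitation.
PUBLIC_FEED = {"b" * 64}
# Constructed organisation address space; addresses in it are internal assets.
ORG_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOSTNAME = re.compile(r"\b(?:WS|FS)-[A-Z0-9-]+\b")      # constructed naming scheme

def is_org_asset(value):
    # True only for syntactically valid addresses inside the org's own ranges.
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in ORG_NETS)

def sanitize_for_sharing(incident, public_feed, tlp="TLP:AMBER"):
    """Return a concise, sanitized package marked with the chosen TLP class."""
    indicators, seen = [], set()
    for ioc in incident["indicators"]:
        v = ioc["value"]
        if v in seen or v in public_feed:            # unique data only
            continue
        if ioc["type"] == "ip" and is_org_asset(v):  # drop internal assets
            continue
        seen.add(v)
        indicators.append({"type": ioc["type"], "value": v})
    summary = HOSTNAME.sub("[host]", incident["summary"])
    for user in incident.get("victim_users", []):
        summary = summary.replace(user, "[user]")
    # Internal keys (victim_hosts, victim_users, internal TLP) are intentionally absent.
    return {"source_ref": incident["id"], "tlp": tlp, "summary": summary,
            "ttps": list(incident["ttps"]), "indicators": indicators}
```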

  46. Wrap-up
      Define your goals
      Collect relevant TI
      Analysis / Context
      Make actionable / apply it
      Share your Intel

  47. Questions? Contact info: Email: mattnels@adroitsec.com Twitter: @mattnels
