SlideShare uma empresa Scribd logo

Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defend Against Cyber Attacks

Chi En (Ashley) Shen
Chi En (Ashley) Shen

Speaker: Ashley Shen, Zha0

Apresentações e oratória
1 de 73
Baixar para ler offline
Catching the Golden Snitch Leveraging Threat Intelligence Platforms to Defend Against Cyber Attacks
 ashley@teamt5.org • Malware analysis, malicious document detection, advanced persistence threat research • Tracking several cyber espionage groups for years • Tracking new operations, TTP of APT groups
 zha0@teamt5.org • 7+ years experience on Reverse Engineering • 5+ years experience on malware analysis • Sandbox, Exploit research • APT research
•  Available Products in each phase  Available TIP Products •  Some takeaways •  What do we fear about cyber threat?  Why do we need Cyber Threat Intelligence? •  Main features of TIP  Aggregation, Analysis, Action •  Story Begins  Pitfalls of Correlation  New activities of Menupass group
INTRODUCTION
State Secrete (Political, Economic, Defense) National Security Business Intellectual Property Customer Data Personal identifiable Data Privacy
• However…… Cyber Espionage Attacks Hacktivism Attacks
Cyber Espionage Cyber Crime • Breaches happens everyday
• Data leaked everyday.. Personal identifiable Data Privacy
• New breaches happens everyday • New indicators disclosed everyday • New vulnerabilities disclosed everyday • About 18 new CVE vulnerabilities disclosed everyday in 2015 • Totally 6419 CVE vulnerabilities disclosed in 2015 • Advanced Persistent Threat • Targeting your Achilles' heel
• Knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect the critical assets of the enterprise. Jon Friedman et al, 2015, Definitive Guide to Cyber Threat Intelligence
Ref: iThome
「關於一銀事件, 看完台灣新聞後, 目前我知道這 起盜領案是由一銀內鬼看色情郵件和用XP Ping 8.8.8.8 ,然後愛用Adidas和愛吃黑嘉麗軟糖的嫌 犯可以把錢拿走,再去宜蘭買捷安特吃白鯧魚, 被捕之後說要上廁所再去看醫生,而且你們有沒 有發現, 安德魯居然有張明星臉!」
• Anunak: APT against financial institutions - Group-IB and Fox-IT • This report describes the details and type of operations carried out by an organized criminal group from Russia that focuses on financial industry.
• How to aggregate all the data from different sources? (Open source intelligence, Incident Response, Community, Customers, Exchange Platform) • How to manage all the information for better analysis? • How to analysis these data, co-relate incidents to campaigns?
• What is the most significant threat to me? • How to aggregate these cyber threat intelligence with internal data? • How to share and do intelligence exchange?
THREAT INTELLIGENCE PLATFORM
Threat Intelligence Platform
• To support research and tailored threat intelligence program • Simply defined, TIP include three main features:
• Aggregating internal & external data: • Data from own surface and external sources • The most important source of relevant threat data of an organization is your own attack surface.
• TTP = Tactics, Techniques, and Procedures • Targeted Attack Reconnaissance • Scanbox example
• Supporting different input sources: • Samples input • Incident Respond Data • Different Logs? • Intelligence Feed • Indicators input • Spreadsheet? • Structured Language • Structured Threat Information Expression (STIX from MITRE)
• Data management • Intelligence requirement – How to answer questions? • BE careful with “Details” • Data Structure, Data Base • Exchange Restriction • Traffic Light Protocol (TLP)
• The core feature of TIP • Triaging data priority • Data Prioritization • Customization • Focusing on real threat, generating high-fidelity information • Validation • Analyst assessment • Turning information into actionable intelligence • Timely, Accurate, Relevant
• Malware analysis • Static analysis: manual reversing, Yara database, AntiVirus detection • Dynamic: manual tracing and triggering, automated sandboxes • Automate technically processing as much as possible (sandbox, Yara..etc) • Identify code family, C&C servers, languages, possible victim, possible adversary • Exploit analysis • disclosed vulnerabilities, 0 days • Delivery method analysis • Social Engineering • Waterhole attacks • Lateral movement
• Correlating C2 infrastructure in different attacks (operation tracking) • Domains, IP co-relations • Known malicious C2 • Compromised machines • Web hosting servers, VPS servers • Passive DNS • WHOIS information analysis
• Identify possible targets • Campaign Code • Decoy • Language • Theme • Targeted Data
• Identify targeted data • What do actors interested in? • Example: Phishing (Accounts & Password) • Example: Python Downloader from Hangover Team
• Identify adversary, actors, origin • Language • Tools • C2 infrastructure • Identify motivations, intentions • Cooperation relationship between different groups • Sharing tools? • Working together in same attacks?
• Analyst skills • Technical Skills • Malware Analysis • TTP Analysis • Language • Background, International Relations • Tradecraft, Criminal, Cyberspace • Analytic & Critical Thinking • Discovery ability
• “中華航空電子機票” (probably Elirks) • DreamMail, FoxMail Phishing (Probably Taidoor) • Password “flowerdance” (probably Menupass)
• Pivoting among data- modelings • Search, Filter, Facet, Cluster • Tag, Comment, Classify, Score • Visualization, Timeline, Maltego • Collaboration
• Exchange • Structure Language • STIX and CybOX • Sharing Program • TAXII • Reports • Basic report (Firewalls/IT Staff) • Malwares, Indicators of Compromise (Hashes, C&C) • Advance report • TTP • Adversary • Trend, outlook • Visualization
Research Real Case The New Activities of Menupass group
• In 2013, we observed an Email sample which were supposedly targeting Japan victim.
• Poison Ivy is a public available RAT which has remained popular and effective for about 11 years after its lastest releas. • Special Characteristic of the sample: • Password: keaidestone • ID: 2013/05/15-40
• Finding related samples • ImpHash • Launcher, Dropper • C2 • Specialties of malware samples (Yara Hunting) • OSINT
• By now, we have gathered 360+ Samples of this group • More than 800+ indicators of Menupass group • Related OSINT Data: • 2011 Symentec – Inside a Back Door Attack • 2013 FireEye – POISON IVY: Assessing Damage and Extracting Intelligence • 2016 Cylance – Operation Dust Storm
• Clustering sample data found that their earliest movement can be dated back to 2007.
• We found other tools used by Menupass group by C2 correlation and clustering Yara Rule analysis. • Poison Ivy • PlugX • Gh0st • EvilGrab • SPIVY (New) • Poison Ivy Connection Password: • PlugX Connection Password:
• Delivery • Spear-phishing Email with fabricated document file • Attachment file with download link
• Decoy document • Tailored content in decoy document
• Attachment file of instruction to “exploit” yourself.
• 500+ C2 domains & IPs • Favor of Dynamic DNS & Virtual Private Servers. • PubYun • ChangeIP.com • No-IP • FreeDNS • Dyn.com • Oray ( )
Region, Timeframe, Visibility
Products Available
HP ArcSight ($) IBM QRadar ($) Cisco Source Fire AMP ($) AlienVault (FREE /$) CHT EyeQuila ($) Google Rapid Response (FREE) Mandiant RedLine/MIR (FREE / $) Guidance EnCase Cyber Security ($) Verint XecProbe ($) Carbon Black ($) Falcon Host ($) Mandiant + Fireeye + iSIGHT Partners ($) iDEFENSE ($) Dell SecureWorks ($) CrowdStrike ($) LookingGlass ($)
Maltego (FREE / $) DomainTools IRIS ($) ThreatCrowd (FREE) PassiveTotal (FREE / $) FireEye MVX ($) Damballa ($) Lastline ($) ThreatTrack ($) ThreatGRID ($) Cuckoo (FREE) Threat Connect (FREE/ $) MISP (FREE) MITRE CRITS (Free) IBM X-Force ($) EclecticIQ Platform ($) ThreatScap ($) STIX (FREE) TAXII (FREE) CybOX (FREE) TAXII (FREE) Libtaxii TAXII Library (FREE) Yeti TAXII Server (FREE)
• Community driven threat intelligence platform • Every instance of ThreatConnect includes access to Public Cloud Common Community. • Provide API, Threat Connect Marketplace
• Malware information sharing platform • Storing and sharing Indicators of compromise (IP, domain, hashes) • Open source platform model (available on Github) • Sharing information between MISP instances
Conclusion
• Cyber Threat Intelligence provides researched and analyzed knowledge about adversaries to help quickly adapt to an ever- changing threat landscape. • The most important source of relevant threat data of an organization is your own attack surface. • Threat Intelligence Platform fusing internal and external sources, facilitating analysis and support your actions.
Q&A

Recomendados

Let’s Play Hide and Seek In the Cloud The APT Malwares Favored in Cloud Service
Let’s Play Hide and Seek In the Cloud The APT Malwares Favored in Cloud ServiceLet’s Play Hide and Seek In the Cloud The APT Malwares Favored in Cloud Service
Let’s Play Hide and Seek In the Cloud The APT Malwares Favored in Cloud ServiceChi En (Ashley) Shen
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Tony Cook
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
SANS CTI Summit 2016 Borderless Threat Intelligence
SANS CTI Summit 2016 Borderless Threat IntelligenceSANS CTI Summit 2016 Borderless Threat Intelligence
SANS CTI Summit 2016 Borderless Threat IntelligenceJason Trost
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentStefano Maccaglia
 

Recomendados

Let’s Play Hide and Seek In the Cloud The APT Malwares Favored in Cloud Service
Let’s Play Hide and Seek In the Cloud The APT Malwares Favored in Cloud ServiceLet’s Play Hide and Seek In the Cloud The APT Malwares Favored in Cloud Service
Let’s Play Hide and Seek In the Cloud The APT Malwares Favored in Cloud ServiceChi En (Ashley) Shen
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Avoiding the Pitfalls of Hunting - BSides Charm 2016
Avoiding the Pitfalls of Hunting - BSides Charm 2016Tony Cook
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
SANS CTI Summit 2016 Borderless Threat Intelligence
SANS CTI Summit 2016 Borderless Threat IntelligenceSANS CTI Summit 2016 Borderless Threat Intelligence
SANS CTI Summit 2016 Borderless Threat IntelligenceJason Trost
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
BSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentBSides IR in Heterogeneous Environment
BSides IR in Heterogeneous EnvironmentStefano Maccaglia
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...PROIDEA
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Operationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent ActorsOperationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent ActorsThreatConnect
 
Cyber Threat Intelligence: Building and maturing an intelligence program that...
Cyber Threat Intelligence: Building and maturing an intelligence program that...Cyber Threat Intelligence: Building and maturing an intelligence program that...
Cyber Threat Intelligence: Building and maturing an intelligence program that...Mark Arena
 
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Jason Trost
 
Confusion and deception new tools for data protection
Confusion and deception new tools for data protectionConfusion and deception new tools for data protection
Confusion and deception new tools for data protectionPriyanka Aash
 
R-CISC Summit 2016 Borderless Threat Intelligence
R-CISC Summit 2016 Borderless Threat IntelligenceR-CISC Summit 2016 Borderless Threat Intelligence
R-CISC Summit 2016 Borderless Threat IntelligenceJason Trost
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
CTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceCTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceJacklynTsai
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsSpyglass Security
 
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...CODE BLUE
 
Anomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat IntelligenceAnomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat IntelligenceJason Trost
 
David Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security MonitoringDavid Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security Monitoringbsidesaugusta
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Jason Trost
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligencePriyanka Aash
 
Contribution des systèmes d’informations géographiques participatifs à l’amén...
Contribution des systèmes d’informations géographiques participatifs à l’amén...Contribution des systèmes d’informations géographiques participatifs à l’amén...
Contribution des systèmes d’informations géographiques participatifs à l’amén...eAtlas Francophone Afrique de l'Ouest
 
Online Marketing Session 1
Online Marketing Session 1Online Marketing Session 1
Online Marketing Session 1Laura Greer
 

Mais conteúdo relacionado

Mais procurados

Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...PROIDEA
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Operationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent ActorsOperationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent ActorsThreatConnect
 
Cyber Threat Intelligence: Building and maturing an intelligence program that...
Cyber Threat Intelligence: Building and maturing an intelligence program that...Cyber Threat Intelligence: Building and maturing an intelligence program that...
Cyber Threat Intelligence: Building and maturing an intelligence program that...Mark Arena
 
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Jason Trost
 
Confusion and deception new tools for data protection
Confusion and deception new tools for data protectionConfusion and deception new tools for data protection
Confusion and deception new tools for data protectionPriyanka Aash
 
R-CISC Summit 2016 Borderless Threat Intelligence
R-CISC Summit 2016 Borderless Threat IntelligenceR-CISC Summit 2016 Borderless Threat Intelligence
R-CISC Summit 2016 Borderless Threat IntelligenceJason Trost
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
CTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceCTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceJacklynTsai
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsSpyglass Security
 
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...CODE BLUE
 
Anomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat IntelligenceAnomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat IntelligenceJason Trost
 
David Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security MonitoringDavid Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security Monitoringbsidesaugusta
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightHostway|HOSTING
 
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Jason Trost
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligencePriyanka Aash
 

Mais procurados (20)

Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Operationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent ActorsOperationalizing Threat Intelligence to Battle Persistent Actors
Operationalizing Threat Intelligence to Battle Persistent Actors
 
Cyber Threat Intelligence: Building and maturing an intelligence program that...
Cyber Threat Intelligence: Building and maturing an intelligence program that...Cyber Threat Intelligence: Building and maturing an intelligence program that...
Cyber Threat Intelligence: Building and maturing an intelligence program that...
 
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...
Deploying, Managing, and Leveraging Honeypots in the Enterprise using Open So...
 
Confusion and deception new tools for data protection
Confusion and deception new tools for data protectionConfusion and deception new tools for data protection
Confusion and deception new tools for data protection
 
R-CISC Summit 2016 Borderless Threat Intelligence
R-CISC Summit 2016 Borderless Threat IntelligenceR-CISC Summit 2016 Borderless Threat Intelligence
R-CISC Summit 2016 Borderless Threat Intelligence
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
CTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat IntelligenceCTI ANT: Hunting for Chinese Threat Intelligence
CTI ANT: Hunting for Chinese Threat Intelligence
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark Arts
 
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
 
Anomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat IntelligenceAnomali Detect 2016 - Borderless Threat Intelligence
Anomali Detect 2016 - Borderless Threat Intelligence
 
David Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security MonitoringDavid Bianco - Enterprise Security Monitoring
David Bianco - Enterprise Security Monitoring
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using Crypto
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat IntelligenceDreaming of IoCs Adding Time Context to Threat Intelligence
Dreaming of IoCs Adding Time Context to Threat Intelligence
 

Destaque

Contribution des systèmes d’informations géographiques participatifs à l’amén...
Contribution des systèmes d’informations géographiques participatifs à l’amén...Contribution des systèmes d’informations géographiques participatifs à l’amén...
Contribution des systèmes d’informations géographiques participatifs à l’amén...eAtlas Francophone Afrique de l'Ouest
 
Online Marketing Session 1
Online Marketing Session 1Online Marketing Session 1
Online Marketing Session 1Laura Greer
 
Plan de contingencia municipalidad de tumbes
Plan de contingencia municipalidad de tumbesPlan de contingencia municipalidad de tumbes
Plan de contingencia municipalidad de tumbesRomario Correa Aguirre
 
Blog madison
Blog madison Blog madison
Blog madison Madison
 
Dream of a Lex Entrepreneur: project to create a market niche law firm
Dream of a Lex Entrepreneur: project to create a market niche law firmDream of a Lex Entrepreneur: project to create a market niche law firm
Dream of a Lex Entrepreneur: project to create a market niche law firmJC Verdades dos Santos
 
US/Panama Business Council- Why Panama
US/Panama Business Council- Why PanamaUS/Panama Business Council- Why Panama
US/Panama Business Council- Why PanamaPorts-To-Plains Blog
 
Presentacion De La Empresa 10 De Mayo De 2010
Presentacion De La Empresa 10 De Mayo De 2010Presentacion De La Empresa 10 De Mayo De 2010
Presentacion De La Empresa 10 De Mayo De 2010juanignaciogarcia
 
Software medico o científico
Software medico o científico Software medico o científico
Software medico o científico scortadm
 
Kinect Hacks for Dummies
Kinect Hacks for DummiesKinect Hacks for Dummies
Kinect Hacks for DummiesTomoto Washio
 
Trucos De Revista Photoshop Cs (Anuncio Cocacola, Taza...)
Trucos De Revista Photoshop Cs (Anuncio Cocacola, Taza...)Trucos De Revista Photoshop Cs (Anuncio Cocacola, Taza...)
Trucos De Revista Photoshop Cs (Anuncio Cocacola, Taza...)edudacosta.foto
 
chronopharmacology credit seminar by Pankaj.N.Kapgate
chronopharmacology credit seminar by Pankaj.N.Kapgate chronopharmacology credit seminar by Pankaj.N.Kapgate
chronopharmacology credit seminar by Pankaj.N.Kapgate pankajkap147
 
Empaque, Envase y Embalaje
Empaque, Envase y EmbalajeEmpaque, Envase y Embalaje
Empaque, Envase y EmbalajeDugley Padilla
 

Destaque (20)

Contribution des systèmes d’informations géographiques participatifs à l’amén...
Contribution des systèmes d’informations géographiques participatifs à l’amén...Contribution des systèmes d’informations géographiques participatifs à l’amén...
Contribution des systèmes d’informations géographiques participatifs à l’amén...
 
Online Marketing Session 1
Online Marketing Session 1Online Marketing Session 1
Online Marketing Session 1
 
Plan de contingencia municipalidad de tumbes
Plan de contingencia municipalidad de tumbesPlan de contingencia municipalidad de tumbes
Plan de contingencia municipalidad de tumbes
 
Leaders in Science - A/Prof Cecile King
Leaders in Science - A/Prof Cecile KingLeaders in Science - A/Prof Cecile King
Leaders in Science - A/Prof Cecile King
 
Blog madison
Blog madison Blog madison
Blog madison
 
Dream of a Lex Entrepreneur: project to create a market niche law firm
Dream of a Lex Entrepreneur: project to create a market niche law firmDream of a Lex Entrepreneur: project to create a market niche law firm
Dream of a Lex Entrepreneur: project to create a market niche law firm
 
Doc tutorial-c++
Doc tutorial-c++Doc tutorial-c++
Doc tutorial-c++
 
US/Panama Business Council- Why Panama
US/Panama Business Council- Why PanamaUS/Panama Business Council- Why Panama
US/Panama Business Council- Why Panama
 
Tb85 corto
Tb85 cortoTb85 corto
Tb85 corto
 
Power asadero
Power asaderoPower asadero
Power asadero
 
Presentacion De La Empresa 10 De Mayo De 2010
Presentacion De La Empresa 10 De Mayo De 2010Presentacion De La Empresa 10 De Mayo De 2010
Presentacion De La Empresa 10 De Mayo De 2010
 
Top Ten Tips for a Successful ALJ Hearing
Top Ten Tips for a Successful ALJ HearingTop Ten Tips for a Successful ALJ Hearing
Top Ten Tips for a Successful ALJ Hearing
 
Software medico o científico
Software medico o científico Software medico o científico
Software medico o científico
 
Brochure Quality Software
Brochure Quality SoftwareBrochure Quality Software
Brochure Quality Software
 
Kinect Hacks for Dummies
Kinect Hacks for DummiesKinect Hacks for Dummies
Kinect Hacks for Dummies
 
Queratocono
QueratoconoQueratocono
Queratocono
 
Trucos De Revista Photoshop Cs (Anuncio Cocacola, Taza...)
Trucos De Revista Photoshop Cs (Anuncio Cocacola, Taza...)Trucos De Revista Photoshop Cs (Anuncio Cocacola, Taza...)
Trucos De Revista Photoshop Cs (Anuncio Cocacola, Taza...)
 
Plan de desarrollo la guajira 2016 2019 - parte 5 de 5
Plan de desarrollo la guajira 2016 2019 - parte 5 de 5Plan de desarrollo la guajira 2016 2019 - parte 5 de 5
Plan de desarrollo la guajira 2016 2019 - parte 5 de 5
 
chronopharmacology credit seminar by Pankaj.N.Kapgate
chronopharmacology credit seminar by Pankaj.N.Kapgate chronopharmacology credit seminar by Pankaj.N.Kapgate
chronopharmacology credit seminar by Pankaj.N.Kapgate
 
Empaque, Envase y Embalaje
Empaque, Envase y EmbalajeEmpaque, Envase y Embalaje
Empaque, Envase y Embalaje
 

Semelhante a Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defend Against Cyber Attacks

Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiJeremy Li
 
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Sean Whalen
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and DefenseAndrew McNicol
 
OSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligenceOSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligenceDeep Shankar Yadav
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence WorkshopPriyanka Aash
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...REVULN
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiAllanGray11
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
Extending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWSExtending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWSFidelis Cybersecurity
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011Xavier Mertens
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghOWASP Delhi
 
IT security for all. Bootcamp slides
IT security for all. Bootcamp slidesIT security for all. Bootcamp slides
IT security for all. Bootcamp slidesWallarm
 
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...EC-Council
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedSteve Lodin
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysisCharles Lim
 

Semelhante a Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defend Against Cyber Attacks (20)

Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy Li
 
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...
 
OSINT for Attack and Defense
OSINT for Attack and DefenseOSINT for Attack and Defense
OSINT for Attack and Defense
 
OSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligenceOSINT- Leveraging data into intelligence
OSINT- Leveraging data into intelligence
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence Workshop
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash Barai
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
What is Ethical Hacking?
What is Ethical Hacking? What is Ethical Hacking?
What is Ethical Hacking?
 
Ready set hack
Ready set hackReady set hack
Ready set hack
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
 
Extending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWSExtending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWS
 
ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011ISACA Ethical Hacking Presentation 10/2011
ISACA Ethical Hacking Presentation 10/2011
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
 
IT security for all. Bootcamp slides
IT security for all. Bootcamp slidesIT security for all. Bootcamp slides
IT security for all. Bootcamp slides
 
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - Submitted
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysis
 

Último

BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Pooja Nehwal
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfhenrik385807
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...henrik385807
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 

Último (20)

BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
Navi Mumbai Call Girls Service Pooja 9892124323 Real Russian Girls Looking Mo...
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdfCTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
CTAC 2024 Valencia - Henrik Hanke - Reduce to the max - slideshare.pdf
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
CTAC 2024 Valencia - Sven Zoelle - Most Crucial Invest to Digitalisation_slid...
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 

Catching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defend Against Cyber Attacks

  • 1. Catching the Golden Snitch Leveraging Threat Intelligence Platforms to Defend Against Cyber Attacks
  • 2.  ashley@teamt5.org • Malware analysis, malicious document detection, advanced persistence threat research • Tracking several cyber espionage groups for years • Tracking new operations, TTP of APT groups
  • 3.  zha0@teamt5.org • 7+ years experience on Reverse Engineering • 5+ years experience on malware analysis • Sandbox, Exploit research • APT research
  • 4. •  Available Products in each phase  Available TIP Products •  Some takeaways •  What do we fear about cyber threat?  Why do we need Cyber Threat Intelligence? •  Main features of TIP  Aggregation, Analysis, Action •  Story Begins  Pitfalls of Correlation  New activities of Menupass group
  • 6. State Secrete (Political, Economic, Defense) National Security Business Intellectual Property Customer Data Personal identifiable Data Privacy
  • 7. • However…… Cyber Espionage Attacks Hacktivism Attacks
  • 8. Cyber Espionage Cyber Crime • Breaches happens everyday
  • 9. • Data leaked everyday.. Personal identifiable Data Privacy
  • 10. • New breaches happens everyday • New indicators disclosed everyday • New vulnerabilities disclosed everyday • About 18 new CVE vulnerabilities disclosed everyday in 2015 • Totally 6419 CVE vulnerabilities disclosed in 2015 • Advanced Persistent Threat • Targeting your Achilles' heel
  • 11. • Knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect the critical assets of the enterprise. Jon Friedman et al, 2015, Definitive Guide to Cyber Threat Intelligence
  • 12.
  • 14.
  • 15. 「關於一銀事件, 看完台灣新聞後, 目前我知道這 起盜領案是由一銀內鬼看色情郵件和用XP Ping 8.8.8.8 ,然後愛用Adidas和愛吃黑嘉麗軟糖的嫌 犯可以把錢拿走,再去宜蘭買捷安特吃白鯧魚, 被捕之後說要上廁所再去看醫生,而且你們有沒 有發現, 安德魯居然有張明星臉!」
  • 16. • Anunak: APT against financial institutions - Group-IB and Fox-IT • This report describes the details and type of operations carried out by an organized criminal group from Russia that focuses on financial industry.
  • 17.
  • 18. • How to aggregate all the data from different sources? (Open source intelligence, Incident Response, Community, Customers, Exchange Platform) • How to manage all the information for better analysis? • How to analysis these data, co-relate incidents to campaigns?
  • 19. • What is the most significant threat to me? • How to aggregate these cyber threat intelligence with internal data? • How to share and do intelligence exchange?
  • 22. • To support research and tailored threat intelligence program • Simply defined, TIP include three main features:
  • 23.
  • 24. • Aggregating internal & external data: • Data from own surface and external sources • The most important source of relevant threat data of an organization is your own attack surface.
  • 25. • TTP = Tactics, Techniques, and Procedures • Targeted Attack Reconnaissance • Scanbox example
  • 26. • Supporting different input sources: • Samples input • Incident Respond Data • Different Logs? • Intelligence Feed • Indicators input • Spreadsheet? • Structured Language • Structured Threat Information Expression (STIX from MITRE)
  • 27.
  • 28. • Data management • Intelligence requirement – How to answer questions? • BE careful with “Details” • Data Structure, Data Base • Exchange Restriction • Traffic Light Protocol (TLP)
  • 29.
  • 30. • The core feature of TIP • Triaging data priority • Data Prioritization • Customization • Focusing on real threat, generating high-fidelity information • Validation • Analyst assessment • Turning information into actionable intelligence • Timely, Accurate, Relevant
  • 31. • Malware analysis • Static analysis: manual reversing, Yara database, AntiVirus detection • Dynamic: manual tracing and triggering, automated sandboxes • Automate technically processing as much as possible (sandbox, Yara..etc) • Identify code family, C&C servers, languages, possible victim, possible adversary • Exploit analysis • disclosed vulnerabilities, 0 days • Delivery method analysis • Social Engineering • Waterhole attacks • Lateral movement
  • 32. • Correlating C2 infrastructure in different attacks (operation tracking) • Domains, IP co-relations • Known malicious C2 • Compromised machines • Web hosting servers, VPS servers • Passive DNS • WHOIS information analysis
  • 33. • Identify possible targets • Campaign Code • Decoy • Language • Theme • Targeted Data
  • 34. • Identify targeted data • What do actors interested in? • Example: Phishing (Accounts & Password) • Example: Python Downloader from Hangover Team
  • 35. • Identify adversary, actors, origin • Language • Tools • C2 infrastructure • Identify motivations, intentions • Cooperation relationship between different groups • Sharing tools? • Working together in same attacks?
  • 36. • Analyst skills • Technical Skills • Malware Analysis • TTP Analysis • Language • Background, International Relations • Tradecraft, Criminal, Cyberspace • Analytic & Critical Thinking • Discovery ability
  • 37. • “中華航空電子機票” (probably Elirks) • DreamMail, FoxMail Phishing (Probably Taidoor) • Password “flowerdance” (probably Menupass)
  • 38. • Pivoting among data- modelings • Search, Filter, Facet, Cluster • Tag, Comment, Classify, Score • Visualization, Timeline, Maltego • Collaboration
  • 39.
  • 40. • Exchange • Structure Language • STIX and CybOX • Sharing Program • TAXII • Reports • Basic report (Firewalls/IT Staff) • Malwares, Indicators of Compromise (Hashes, C&C) • Advance report • TTP • Adversary • Trend, outlook • Visualization
  • 41. Research Real Case The New Activities of Menupass group
  • 42. • In 2013, we observed an Email sample which were supposedly targeting Japan victim.
  • 43.
  • 44.
  • 45.
  • 46. • Poison Ivy is a public available RAT which has remained popular and effective for about 11 years after its lastest releas. • Special Characteristic of the sample: • Password: keaidestone • ID: 2013/05/15-40
  • 47. • Finding related samples • ImpHash • Launcher, Dropper • C2 • Specialties of malware samples (Yara Hunting) • OSINT
  • 48.
  • 49.
  • 50. • By now, we have gathered 360+ Samples of this group • More than 800+ indicators of Menupass group • Related OSINT Data: • 2011 Symentec – Inside a Back Door Attack • 2013 FireEye – POISON IVY: Assessing Damage and Extracting Intelligence • 2016 Cylance – Operation Dust Storm
  • 51. • Clustering sample data found that their earliest movement can be dated back to 2007.
  • 52. • We found other tools used by Menupass group by C2 correlation and clustering Yara Rule analysis. • Poison Ivy • PlugX • Gh0st • EvilGrab • SPIVY (New) • Poison Ivy Connection Password: • PlugX Connection Password:
  • 53.
  • 54.
  • 55. • Delivery • Spear-phishing Email with fabricated document file • Attachment file with download link
  • 56. • Decoy document • Tailored content in decoy document
  • 57. • Attachment file of instruction to “exploit” yourself.
  • 58. • 500+ C2 domains & IPs • Favor of Dynamic DNS & Virtual Private Servers. • PubYun • ChangeIP.com • No-IP • FreeDNS • Dyn.com • Oray ( )
  • 59.
  • 60.
  • 62.
  • 64.
  • 65. HP ArcSight ($) IBM QRadar ($) Cisco Source Fire AMP ($) AlienVault (FREE /$) CHT EyeQuila ($) Google Rapid Response (FREE) Mandiant RedLine/MIR (FREE / $) Guidance EnCase Cyber Security ($) Verint XecProbe ($) Carbon Black ($) Falcon Host ($) Mandiant + Fireeye + iSIGHT Partners ($) iDEFENSE ($) Dell SecureWorks ($) CrowdStrike ($) LookingGlass ($)
  • 66. Maltego (FREE / $) DomainTools IRIS ($) ThreatCrowd (FREE) PassiveTotal (FREE / $) FireEye MVX ($) Damballa ($) Lastline ($) ThreatTrack ($) ThreatGRID ($) Cuckoo (FREE) Threat Connect (FREE/ $) MISP (FREE) MITRE CRITS (Free) IBM X-Force ($) EclecticIQ Platform ($) ThreatScap ($) STIX (FREE) TAXII (FREE) CybOX (FREE) TAXII (FREE) Libtaxii TAXII Library (FREE) Yeti TAXII Server (FREE)
  • 67. • Community driven threat intelligence platform • Every instance of ThreatConnect includes access to Public Cloud Common Community. • Provide API, Threat Connect Marketplace
  • 68.
  • 69. • Malware information sharing platform • Storing and sharing Indicators of compromise (IP, domain, hashes) • Open source platform model (available on Github) • Sharing information between MISP instances
  • 70.
  • 72. • Cyber Threat Intelligence provides researched and analyzed knowledge about adversaries to help quickly adapt to an ever- changing threat landscape. • The most important source of relevant threat data of an organization is your own attack surface. • Threat Intelligence Platform fusing internal and external sources, facilitating analysis and support your actions.
  • 73. Q&A