Threat Hunting with Cyber Kill Chain

•

5 gostaram•427 visualizações

Suwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP

My talk on Threat Hunting using Cyber Kill Chain model

Tecnologia

Threat Hunting using
Cyber Kill Chain Model
Suwitcha Musijaral

About me
System engineer - Mainframe,
Windows NT Server, UNIX
System V, C programmer
Security Engineer - IDS/
IPS,WAF,ADC,SSL,NAC
CISSP,CISA,GWAPT,
SnortCP, failed OSCP test.
SecurityArchitect - tenable

Red vs Blue
https://en.wikipedia.org/wiki/Blue_Man_Group
https://www.pop-addiction.com/pt-pt/produto/hellboy-hellboy-in-bprd-tee-funko-pop-vinyl-ﬁgure/

Cyber Kill Chain
Publish in 2011 by
Lockheed Martin Corp (8
years ago)
US Military Process
Find,Fix,Trace,Target,
Engage and
Assess(F2T2EA)
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

LM Cyber Kill chain
Reconnaissance Weaponisation Delivery
Exploitation
InstallationCommand & ControlAction

Reconnaissance
source: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

Detect Reconnaissance
Suspicious access to corporate web site
country/region/time
High volume on some pages
https://haveibeenpwned.com/DomainSearch
7 days before weaponised (Tenable Research)

Weaponised
https://support.umbrella.com/hc/en-us/articles/235911828-Newly-Seen-Domains-Security-Category

Weaponised
https://www.ﬂashpoint-intel.com/blog/wipro-threat-actors-active-since-2015/

Detecting Weaponised
Research + Research
Security Community
Exploit-db
Twitter
Zero day exploit?
https://en.wikipedia.org/wiki/Sun_Tzu#/media/File:Bamboo_book_-_binding_-_UCR.jpg

Detecting Delivery
Understand role of each
technology
Know technology
limitation
No silver bullet!

Exploitation
https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

Exploitation
https://www.cnet.com/news/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/

Detecting Exploitation
https://security.stackexchange.com/questions/68327/what-do-shellshock-attacks-look-like-in-system-logs

Detecting Exploitation
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
https://www.ﬁreeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html

Detecting Exploitation
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html

Installation
https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

Installation
https://www.tenable.com/blog/tenable-research-advisory-axis-camera-app-malicious-package-distribution-weakness

Device Secure boot
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

Detect Installation
https://www.cisco.com/c/dam/en/us/products/collateral/security/ﬁreamp-endpoints/datasheet-c78-733181.docx/_jcr_content/renditions/datasheet-c78-733181_1.jpg

Command & Control
https://blog.talosintelligence.com/2017/05/wannacry.html

Command & Control
https://blog.talosintelligence.com/2017/07/the-medoc-connection.html

Detecting C&C
https://isc.sans.edu/suspicious_domains.html#search

Action
https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

Action
https://www.darknet.org.uk/2016/09/det-data-exﬁltration-toolkit/

Action
https://blogs.akamai.com/2017/09/introduction-to-dns-data-exﬁltration.html

Detecting Action
https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/white-paper-c11-736595.html

MITRE ATT&CK
https://attack.mitre.org/resources/enterprise-introduction/

AT&T Cyber Kill Chain
https://www.alienvault.com/blogs/security-essentials/the-internal-cyber-kill-chain-model

Indicator of Compromise
https://blog.talosintelligence.com/2017/05/wannacry.html#more

Mais conteúdo relacionado

Mais procurados

How to implement NIST cybersecurity standards in my organization

Exigent Technologies LLC

Organizations are suffering from cyber fatigue, with too many alerts, too many technologies, and not enough people. Many security operations center (SOC) teams are underskilled and overworked, making it extremely difficult to streamline operations and decrease the time it takes to detect and remediate security incidents. Addressing these challenges requires a shift in the tactics and strategies deployed in SOCs. But building an effective SOC is hard; many companies struggle first with implementation and then with figuring out how to take their security operations to the next level. Read to learn: --Advantages and disadvantages of different SOC models --Tips for leveraging advanced analytics tools --Best practices for incorporating automation and orchestration --How to boost incident response capabilities, and measure your efforts --How the NIST Cybersecurity Framework and CIS Controls can help you establish a strong foundation Start building your roadmap to a next-generation SOC.

Optimizing Security Operations: 5 Keys to Success

Sirius

Security Strategy and Tactic with Cyber Threat Intelligence (CTI)

Priyanka Aash

Security operations center 5 security controls

AlienVault

Cyber Threat Hunting Workshop

Digit Oktavianto

With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program. This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.

MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...

MITRE - ATT&CKcon

kill-chain-presentation-v3

Shawn Croswell

Introduction to MITRE ATT&CK

Arpan Raval

In our webinar “What is Threat Hunting and why do you need it?" we discussed the folowing key points: 1. What Threat hunting is. 2. Why it is becoming so popular and what kinds of attacks are making it necessary. 3. What the challenges are. 4. Threat Hunting and Investigation services for attacks. 5. Case studies. Find out more on https://www.pandasecurity.com/business/adaptive-defense/?utm_source=slideshare&utm_medium=social&utm_content=SM_EN_WEB_adaptive_defense&track=180715

What is Threat Hunting? - Panda Security

Panda Security

Threat hunting 101 by Sandeep Singh

OWASP Delhi

Cyber kill chain

Ankita Ganguly

Secure Coding and Threat Modeling

Miriam Celi, CISSP, GISP, MSCS, MBA

BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz

Christopher Gerritz

The Information Security Community on LinkedIn, with the support of Cybereason, conducted a comprehensive online research project to gain more insight into the state of threat hunting in security operation centers (SOCs). When the 330 cybersecurity and IT professionals were asked what keeps them up at night, many comments revolved around a central theme of undetected threats slipping through an organization’s defenses. Many responses included “unknown” and “advanced” when describing threats, indicating the respondents understand the challenges and fear those emerging threats. Read the full report here.

Threat Hunting Report

Morane Decriem

SIEM and Threat Hunting

n|u - The Open Security Community

Threat hunting for Beginners

SKMohamedKasim

Talking about Next-Gen Security Operation Center for IDNIC+APJII as representative from IDSECCONF. People-Centric SOC requires lot of investment on human in terms of quantity and quality, unfortunately, (good) IT security people are getting rare these days. Organisation need to put their investments more on technology, as in Industry 4.0, machines are getting more advanced to support Human on doing continuous and repetitive task. Moving from “traditional” to next-gen SOC require proper plan, thats what this talk was about.

Next-Gen security operation center

Muhammad Sahputra

Recently, NTT published the Global Threat Intelligence Report 2016 (GTIR). This year’s report focused both on the changes in threat trends and on how security organizations around the world can use the kill chain to help defend the enterprise. Turning threat intelligence data from multiple sources into actionable, contextual information is a challenge faced by many organizations today. The Global Threat Intelligence Platform provides increased efficiency, reduces risks and focuses on global coverage with accurate and up-to-date threat intelligence. This presentation was given at Carnegie Mellon University by Kenji Takahashi, VP of Product Management, Security at NTT Innovation Institute.

Global Cyber Threat Intelligence

NTT Innovation Institute Inc.

MITRE ATT&CK framework

Bhushan Gurav

Maturity Model of Security Disciplines

Florian Roth

Mais procurados (20)

How to implement NIST cybersecurity standards in my organization

Optimizing Security Operations: 5 Keys to Success

Security Strategy and Tactic with Cyber Threat Intelligence (CTI)

Security operations center 5 security controls

Cyber Threat Hunting Workshop

MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...

kill-chain-presentation-v3

Introduction to MITRE ATT&CK

What is Threat Hunting? - Panda Security

Threat hunting 101 by Sandeep Singh

Cyber kill chain

Secure Coding and Threat Modeling

BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz

Threat Hunting Report

SIEM and Threat Hunting

Threat hunting for Beginners

Next-Gen security operation center

Global Cyber Threat Intelligence

MITRE ATT&CK framework

Maturity Model of Security Disciplines

Semelhante a Threat Hunting with Cyber Kill Chain

Co Speaker: Cheryl Biswas Talk Description: How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed. We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies. We’ll show you how to understand your data, correlate threats and pin point attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.

Blue team reboot - HackFest

Haydn Johnson

A reading of the IBM Research 5-in-5 2018 Edition

Pietro Leo

A long time ago, in a galaxy far far away, AV was invented. Then firewalls and IDS and SIEM and NAC and DLP and on and on. With all these products, it seems like a career in information security is really more about managing tools than defeating a galactic empire of hackers and miscreants. But like the Rebel Alliance, you can take back your enterprise, because many of our existing monitoring systems and network devices also have security functionality. Moreover, there are many excellent open source applications that work just as well as commercial ones.

Ending the Tyranny of Expensive Security Tools

SolarWinds

Ending the Tyranny of Expensive Security Tools

Michele Chubirka

Stanford Cybersecurity January 2009

Jason Shen

Detection of webshells in compromised perimeter assets using ML algorithms

Rod Soto

Network security specialist Catherine Paquetl fills you in on advanced threat protection that integrates real-time contextual awareness, intelligent security automation and superior performance with industry-leading network intrusion prevention, Sourcefire. ABOUT THE PRESENTER Catherine Paquet, CCSI, CCNP Security, CCNP Routing and Switching, is a network security specialist. She began her internetworking career as a LAN manager, then MAN manager, and eventually became a nationwide WAN manager with the Department of National Defence. Paquet lectures around the world on security topics, including firewalls, VPNs, intrusion prevention, identity systems, email and Web security, and router and switch security. During her spare time, she authors Cisco Press books, and she volunteers as a network security analyst to nonprofit organizations. Paquet attended the Royal Military College Saint-Jean (Canada) and holds an MBA in Management Information Systems (MIS) from York University.

Building Up Network Security: Intrusion Prevention and Sourcefire

Global Knowledge Training

CyberSecurity - UH IEEE Presentation 2015-04

Kyle Lai

Cyber Hacking & Security - IEEE - Univ of Houston 2015-04

Kyle Lai

Perimeter Defense in a World Without Walls

Dan Houser

[NCTU] [CCCA] Network Security II

Xatierlike Lee

Mike Miller Resume 2016 - Ver 2

Mike Miller

They need either one Manually easy or Hard 1. Go to dnschecker.org input "www.motionborg.com" · Go through the text records (A, AAAA, CNAME, MX, NS, PTR, SRV, SOA, TXT, CAA) In a word document copy and paste the information (Blue Text) of all the Text Record information 2. Use Sam Spade to get more information about the network, what ever you find put it in the word document as well. Sam Spade Video (If you do not like this video Google Sam Spade Footprinting) Manually-Hard 3. Use Command Prompt: Run Traceroute on www.motionborg.com to get more details see document here 4. Use Command Prompt to Use nslookup see document here They need either Manyally Hard or Easy. I had done the Manually-Hard 3. Use Command Prompt: Run Traceroute on www.motionborg.com to get more details see document here 4. Use Command Prompt to Use nslookup see document here Useful Links https://kb.intermedia.net/article/682 https://kb.intermedia.net/Article/819 Use this links and try to find out some answers and prepare some matter to this. · Is the site www.motionborg.com secure with SSL? is the site vulnerable to script injection attacks? · Look at the source code does anything stand out to you? · What did you find out about the network? · Are other networks connected to it? · Is it a Linux or Windows server · Based on your findings what are some vulnerabilities · Note: It is really easy to get stuck in the Matrix, do not dive to in-depth - just the surface of gathering information. Tracert www.motionborg.com Then run the command : nslookup motionborg.com Next run nslookup motionborg.com B.ROOT-SERVERS.NET Next run nslookup motionborg.com m.gtld-servers.net Next run : -q=CNAME motionborg.com ns35.domaincontrol.com Is the site www.motionborg.com secure with SSL? Not secure : is the site vulnerable to script injection attacks? No https://suip.biz/?act=sqlmap · Look at the source code does anything stand out to you? No · What did you find out about the network? · Is it a Linux or Windows server Linux Based on your findings what are some vulnerabilities https://www.scu.edu/is/secure/resources-and-information/ssl-vulnerabilities-/ They need either one Manually easy or Hard 1. Go to dnschecker.org input "www.motionborg.com" · Go through the text records (A, AAAA, CNAME, MX, NS, PTR, SRV, SOA, TXT, CAA) In a word document copy and paste the information (Blue Text) of all the Text Record information 2. Use Sam Spade to get more information about the network, what ever you find put it in the word document as well. Sam Spade Video (If you do not like this video Google Sam Spade Footprinting) Manually-Hard 3. Use Command Prompt: Run Traceroute on www.motionborg.com to get more details see document here 4. Use Command Prompt to Use nslookup see document here They need either Manyally Hard or Easy. I had done the Manually-Hard 3. Use Command Prompt: Run Traceroute on www.motionborg.com to get more details see document here 4. Use Command P.

They need either one Manually easy or Hard1. Go to dnschecker..docx

randymartin91030

Intrusion Techniques

Festival Software Livre

【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】

Hacks in Taiwan (HITCON)

Industrial Cyber Security - EVF 2019 Alexandre Darcherif

Alexandre Darcherif

theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf

Gabriel Mathenge

Full disclosure-vulnerabilities

slideseces

Full disclosure-vulnerabilities

slideseces

Infrastructure Attacks - The Next generation, ESET LLC

Infosec Europe

Semelhante a Threat Hunting with Cyber Kill Chain (20)

Blue team reboot - HackFest

A reading of the IBM Research 5-in-5 2018 Edition

Ending the Tyranny of Expensive Security Tools

Stanford Cybersecurity January 2009

Detection of webshells in compromised perimeter assets using ML algorithms

Building Up Network Security: Intrusion Prevention and Sourcefire

CyberSecurity - UH IEEE Presentation 2015-04

Cyber Hacking & Security - IEEE - Univ of Houston 2015-04

Perimeter Defense in a World Without Walls

[NCTU] [CCCA] Network Security II

Mike Miller Resume 2016 - Ver 2

They need either one Manually easy or Hard1. Go to dnschecker..docx

Intrusion Techniques

【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】

Industrial Cyber Security - EVF 2019 Alexandre Darcherif

theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf

Full disclosure-vulnerabilities

Infrastructure Attacks - The Next generation, ESET LLC

Último

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

ICT role in 21st century education and its challenges

rafiqahmad00786416

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Architecting Cloud Native Applications

WSO2

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Scalable LLM APIs for AI and Generative AI Application Development Ettikan Karuppiah, Director/Technologist - NVIDIA Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

apidays

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Threat Hunting with Cyber Kill Chain

1. Threat Hunting using Cyber Kill Chain Model Suwitcha Musijaral

2. About me System engineer - Mainframe, Windows NT Server, UNIX System V, C programmer Security Engineer - IDS/ IPS,WAF,ADC,SSL,NAC CISSP,CISA,GWAPT, SnortCP, failed OSCP test. SecurityArchitect - tenable

4. Red vs Blue https://en.wikipedia.org/wiki/Blue_Man_Group https://www.pop-addiction.com/pt-pt/produto/hellboy-hellboy-in-bprd-tee-funko-pop-vinyl-ﬁgure/

5. Cyber Kill Chain Publish in 2011 by Lockheed Martin Corp (8 years ago) US Military Process Find,Fix,Trace,Target, Engage and Assess(F2T2EA) https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

7. https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

8. LM Cyber Kill chain Reconnaissance Weaponisation Delivery Exploitation InstallationCommand & ControlAction

9. Reconnaissance

10. Reconnaissance

11. Reconnaissance source: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

12. Detect Reconnaissance Suspicious access to corporate web site country/region/time High volume on some pages https://haveibeenpwned.com/DomainSearch 7 days before weaponised (Tenable Research)

13. Detect Reconnaissance Suspicious access to corporate web site country/region/time High volume on some pages https://haveibeenpwned.com/DomainSearch

14. LM Cyber Kill chain Reconnaissance Weaponisation Delivery Exploitation InstallationCommand & ControlAction

15. Weaponised

16. Weaponised https://support.umbrella.com/hc/en-us/articles/235911828-Newly-Seen-Domains-Security-Category

17. Weaponised https://www.ﬂashpoint-intel.com/blog/wipro-threat-actors-active-since-2015/

18. Detecting Weaponised Research + Research Security Community Exploit-db Twitter Zero day exploit? https://en.wikipedia.org/wiki/Sun_Tzu#/media/File:Bamboo_book_-_binding_-_UCR.jpg

19. Detecting Weaponised

20. LM Cyber Kill chain Reconnaissance Weaponisation Delivery Exploitation InstallationCommand & ControlAction

21. Delivery

22. Delivery

23. Detecting Delivery Understand role of each technology Know technology limitation No silver bullet!

24. Detecting Delivery

25. LM Cyber Kill chain Reconnaissance Weaponisation Delivery Exploitation InstallationCommand & ControlAction

26. Exploitation https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

27. Exploitation https://www.cnet.com/news/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/

28. Detecting Exploitation https://security.stackexchange.com/questions/68327/what-do-shellshock-attacks-look-like-in-system-logs

29. Detecting Exploitation https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing https://www.ﬁreeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html

30. Detecting Exploitation http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html

31. LM Cyber Kill chain Reconnaissance Weaponisation Delivery Exploitation InstallationCommand & ControlAction

32. Installation https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

33. Installation https://www.tenable.com/blog/tenable-research-advisory-axis-camera-app-malicious-package-distribution-weakness

34. Device Secure boot https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

35. Detect Installation https://www.cisco.com/c/dam/en/us/products/collateral/security/ﬁreamp-endpoints/datasheet-c78-733181.docx/_jcr_content/renditions/datasheet-c78-733181_1.jpg

36. LM Cyber Kill chain Reconnaissance Weaponisation Delivery Exploitation InstallationCommand & ControlAction

37. Command & Control https://blog.talosintelligence.com/2017/05/wannacry.html

38. Command & Control https://blog.talosintelligence.com/2017/07/the-medoc-connection.html

39. Detecting C&C https://isc.sans.edu/suspicious_domains.html#search

40. LM Cyber Kill chain Reconnaissance Weaponisation Delivery Exploitation InstallationCommand & ControlAction

41. Action https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

42. Action https://www.darknet.org.uk/2016/09/det-data-exﬁltration-toolkit/

43. Action https://blogs.akamai.com/2017/09/introduction-to-dns-data-exﬁltration.html

44. Detecting Action https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/white-paper-c11-736595.html

45. Detecting Action

46. LM Cyber Kill chain Reconnaissance Weaponisation Delivery Exploitation InstallationCommand & ControlAction

47. MITRE ATT&CK https://attack.mitre.org/resources/enterprise-introduction/

48. AT&T Cyber Kill Chain https://www.alienvault.com/blogs/security-essentials/the-internal-cyber-kill-chain-model

49. Indicator of Compromise https://blog.talosintelligence.com/2017/05/wannacry.html#more

50. Thank you suwitcha@gmail.com

Threat Hunting with Cyber Kill Chain

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Threat Hunting with Cyber Kill Chain

Semelhante a Threat Hunting with Cyber Kill Chain (20)

Último

Último (20)

Threat Hunting with Cyber Kill Chain