Hiding In Plain Sight – Protect Against Bad Hashes

Post on 14-Aug-2015


Hiding in Plain Sight: Protect Against Bad Hashes


Presenters

Dave Meltzer, Chief Research Officer,

Tripwire

Dayne Cantu, Sr. Systems Engineer, Federal Team Lead,

Tripwire


What Happens When You Receive an IoC?


Guidance For Action: NIST SP800-150 Draft

Headed Towards Standards


But Not There Yet… E-mail is the most common source of indicators today

Use Cases for Threat Intelligence

Advanced Malware Identification – Identify advanced threats on high-risk assets through integration with malware analytics services and appliances that use sandbox technology

Monitoring for Peer & Community Sourced IoCs – Automate the forensic investigation and proactive monitoring, on high-risk assets, of indicators of compromise sourced from industry peers and community sources

Monitoring for Commercial Threat Intelligence Service IoCs – Automate the forensic investigation and proactive monitoring, on high-risk assets, of indicators of compromise sourced from tailored commercial threat intelligence services

Use Case 1: Monitoring for Commercial Threat Intelligence Services IoCs

[Diagram] 1. New indicators arrive from the Threat Intelligence Provider. 2. Search forensics data for previous existence of the indicator; start monitoring for the indicator in all new changes. 3. Threat detected! 4. Drive workflow to investigate and remediate the system.

Use Case 2: Monitoring for Peer and Community Sourced IoCs

[Diagram] 1. Indicators feed from local file sources (flat, CSV, etc). 2. Indicators feed from the Enterprise TAXII Server, which pulls from a Peer TAXII Server, an Open Source Intelligence TAXII Server, and an ISAC Community TAXII Server. 3. Search forensics data for previous existence of the indicator; start monitoring for the indicator in all new changes. 4. Threat detected! 5. Drive workflow to investigate and remediate the system.
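As an added example (not code from the presentation or from Tripwire), the indicator-matching step shared by use cases 1 and 2 in Python: load hash indicators from a flat CSV feed, search historical file-change records for previous existence of an indicator, and check each new change as it arrives. The feed contents, change records, and function names are constructed assumptions.

```python
"""Match hash indicators from a CSV feed against file-change records."""
import csv
import io

# Hash algorithm is inferred from hex digest length (MD5, SHA-1, SHA-256).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed indicator feed in the flat/CSV form the slides mention.
# The malformed last row must be skipped, not alerted on.
FEED_CSV = """hash,description
D41D8CD98F00B204E9800998ECF8427E,constructed-md5-indicator
0123456789abcdef0123456789abcdef01234567,constructed-sha1-indicator
not-a-hash,garbage row that must be skipped
"""

# Constructed historical change records as a file-integrity agent might
# collect: (timestamp, host, path, hash of the new file content).
CHANGE_LOG = [
    ("2015-08-01T10:00:00", "srv01", "/tmp/a.exe",
     "0123456789abcdef0123456789abcdef01234567"),
    ("2015-08-02T11:30:00", "srv02", "/opt/b.dll",
     "ffffffffffffffffffffffffffffffff"),
]


def load_indicators(csv_text):
    """Parse the feed; return {normalized_hash: (algorithm, description)}."""
    indicators = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        digest = row["hash"].strip().lower()
        algo = HASH_LENGTHS.get(len(digest))
        if algo is None or not all(c in "0123456789abcdef" for c in digest):
            continue  # not a valid hex digest of a known length
        indicators[digest] = (algo, row["description"].strip())
    return indicators


def search_history(indicators, change_log):
    """Step: search forensics data for previous existence of an indicator."""
    return [rec for rec in change_log if rec[3].lower() in indicators]


def monitor_change(indicators, record):
    """Step: evaluate one new change as it arrives; return a hit or None."""
    hit = indicators.get(record[3].lower())
    return None if hit is None else {"record": record, "indicator": hit}
```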

Use Case 3: Advanced Malware Identification

[Diagram: Next Generation Threat Prevention; Tripwire Enterprise Agent; Cloud or Appliance Sandbox Analytics] 1. New binary found. 2. Send file/hash for analysis. 3. Threat detected! 4. New advanced threat detected. 5. Drive workflow to investigate and remediate the system. 6. Update threat prevention rules. 7. Real-time blocking of command & control, exfiltration, and further infections.


Tripwire Technology Alliance Partner Ecosystem: Analytics & SIEM, IT Service Management, NERC Alliance Network, Network Security, Platform Partners, Security Community Partners, Identity Management, Threat Intelligence

tripwire.com | @TripwireInc

Thank you