Standardized Threat Indicators Indicator Export Adversary Analysis (Pivoting)
description
Transcript of Standardized Threat Indicators Indicator Export Adversary Analysis (Pivoting)
• Standardized Threat Indicators• Indicator Export• Adversary Analysis (Pivoting)• Private and Community Incident Correlation• ThreatConnect Intelligence Research Team
(TCIRT)• Community Notifications
Slide Sections• Using Address Indicators with SecurityCenter• Using File Indicators with SecurityCenter• Using Host Indicators with SecurityCenter• Using URL Indicators with SecurityCenter• Using File Indicators with Nessus
Using Address Indicators with SecurityCenter
• Step 1 – Extract Address Indicators• Step 2 – Create a Watchlist from Address Indicators• Step 3 – Filter Events by Watchlist• Step 4 – (Optional) Create Query for 3D Tool• Step 5 – Save Asset List of All Addresses• Step 6 – Perform Audit Analysis Using Asset List• Step 7 – Perform Event Analysis Using Asset List• Step 8 – (Optional) Create List of Internal Addresses• Step 9 – (Optional) Nessus Audit of Internal Addresses
Step 1 – Extract Address Indicators
Step 2 – Create a Watchlist from Address Indicators
Step 3 – Filter Events by Watchlist
Inbound or outbound
Step 4 – (Optional) Create Query for 3D Tool
Step 5 – Save Asset List of All Addresses
Step 6 – Perform Audit Analysis Using Asset List
Recommended Reading – Predicting Attack Paths
Step 7 – Perform Event Analysis Using Asset List
Recommended Reading – Tenable Event Correlation
Step 8 – (Optional) Create List of Internal Addresses Only
Step 9 – (Optional) Nessus Audit of Internal Addresses
Using File Indicators with SecurityCenter
• Step 1 – Extract Hashes• Step 2 – Upload Hashes to Scan Policy• Step 3 – Perform a Scan Using Credentials• Step 4 – Review Scan Results• Step 5 – Save Asset List of Infected Hosts• Step 6 – Perform Audit Analysis Using Asset List• Step 7 – Perform Event Analysis Using Asset List• Step 8 – (Optional) Use Asset List with 3D Tool
Step 1 – Extract Hashes
Step 2 – Upload Hashes to Scan Policy
Step 3 – Perform a Scan Using Credentials
Recommended Reading – Nessus Credential Checks for UNIX and Windows
Step 4 – Review Scan Results
Step 5 – Save Asset List of Infected Hosts
Recommended Reading – Predicting Attack Paths
Step 6 – Perform Audit Analysis Using Asset List
Step 7 – Perform Event Analysis Using Asset List
Recommended Reading – Tenable Event Correlation
Step 8 – (Optional) Use Asset List with 3D Tool
Using Host Indicators with SecurityCenter
• Step 1 – Filter Events by Host• Step 2 – Perform Further Analysis
Recommended Reading – Using Log Correlation Engine to Monitor DNS
Step 1 – Filter Events by Host
Step 2 – Perform Further Analysis
See slides for “Using ThreatConnect Address Indicators” steps 5 through 9
Filtering by the domain summary event before saving the asset list will get you a list of only those hosts that performed a DNS lookup for the host indicator.
Using URL Indicators with SecurityCenter
• Step 1 – Divide Host and Location from URL • Step 2 – Filter Events by Host• Step 3 – Save Asset List• Step 4 – Filter Events by Location• Step 5 – Perform Further Analysis
Step 1 – Divide Host and Location from URL
Step 2 – Filter Events by Host
Use Host in Syslog Text filter
Use web-access in Type filter
Step 3 – Save Asset List
Step 4 – Filter Events by Location
Use Location in Syslog Text filter
Use Asset List in Source Asset filter
Step 5 – Perform Further Analysis
See slides for “Using ThreatConnect Address Indicators” steps 5 through 9
We will be creating a second and final asset list to use for further analysis. Verify the URL is matched correctly by looking at the web-access details in Step 4. Steps 1 through 4 perform an intersection; however, it’s by host.
Using File Indicators with Nessus
• Step 1 – Extract Hashes• Step 2 – Use Windows Malware Scan Wizard• Step 3 – Perform Scan and Review Results
Step 1 – Extract Hashes
Step 2 – Use Windows Malware Scan Wizard
Step 3 – Perform Scan and Review Results