Adversary Detection Pipelines: Finally Making Your Threat Intel Useful - Xena Olsen (Shmoocon 2020)

Captions
All right, we're gonna start with the main event. Please welcome Xena Olsen, talking about adversary detection pipelines. [Applause]

Good morning. How's the volume? Good? Good, good. Thank you so much for showing up this morning. I know that there's a million and one better things to do, like, I don't know, get eggs or coffee or whatever, so thank you for being here in person. And just a brief disclaimer: on a scale of DEF CON to Black Hat, this is more on the Black Hat range of information, so, just FYI, so that you get an idea of what to expect and so that you know you're in the right place.

Adversary detection pipelines. Xena Olsen, cyber threat intelligence, and I am Ch33r10 on the Twitters, that's C-h-3-3-r-1-0. Feel free to tweet away, just nice stuff though. OK, so this is for the lawyers: I'm not here representing my company at all in any way, shape or form, and I'm not speaking on behalf of them; I'm here in my individual capacity.

So I'm gonna start out with a very brief conversation about pain points, then background information, some baseline information that would be a good idea to know before engaging this particular project, and then some approaches and methods, some ideas that might be helpful from speaking with a lot of different people and doing a ton of research and other things that I can't talk about publicly, and then just what it is and how to do it, basically.

So I did a session at RSA, and there happened to be someone from Microsoft in my audience, and when I was sharing information they were like, "Oh, but wait, wait, wait," you know, because they have such an amazing security team. So this talk is not for them; they have tools beyond Excel. I am trying to present a methodology and information that pretty much anyone can use. You don't need advanced scripting skills, you don't need to be a kung fu anything, really; you just use critical thinking and Excel. So that is my goal with this. It's not for the Microsofts of the world, just FYI.

So some of the pain
points that I've heard people talk about with cyber threat intelligence. Basically, it's not timely: they get stuff that's really old, that expired a long time ago, or it was only malicious for a short amount of time, and then the SOC gets alerts on it and they're like, "Why is it bad?" and they're like, "Well, we don't really know." And then the information, or contextual information, for the various rules and stuff that are alerting on it doesn't have all the information that they need. So that's one of the issues that cyber threat intelligence faces in enterprises, or companies in general. Outdated, of course.

More platforms: sometimes the SOC analysts that I speak with don't like switching between so many different platforms; it's not necessarily in their workflow. So you need to be able to work with the tools that they currently work with, and to tailor a program and intelligence around that. That's what I'm recommending, instead of trying to get involved with behavioral modification of an entire SOC, right? That'll take a lot of time. So, baby steps.

And then the other thing is irrelevant. So let's say you're pulling in a bunch of hashes, right, and the hashes have absolutely nothing to do with anything, and you're just pulling hashes in because you're pulling hashes. That's completely irrelevant and not necessarily very useful. So my goal with this talk is to talk about internal data, so that you can leverage it for your threat intelligence.

The other thing is cyber threat intelligence analysts sometimes use a lot of public reports. There's nothing wrong with that, but when you focus all of your effort and energy on, let's say, FIN7, off of Katie Nickels' talk yesterday, and you don't look at your internal attack data, that can leave some gaps and some holes. So for instance, earlier this year they were like, "Oh, ransomware is bad," whatever, right? And then you look at your internal attack data and you're like, "We're hardly getting any ransomware, what are they talking about?" And you build out your program and you're like, "Ransomware, ransomware, ransomware," and the thing is, you're not really necessarily being attacked by that. That's just an example, right? You're being attacked with other stuff, and there are gaps and holes regarding that, but it's a blind spot. So what I'm saying is, looking at the internal attacks that you're seeing coming at your particular organization will be helpful with understanding where you're at in the threat landscape.

And then, of course, also looking at your verticals. So for instance, I'm with a financial services company, or even some of my other part-time jobs that I have as well, and being aware of the various attacks that are coming at it. Back in the day when I ran a business, I didn't have the official title of cyber threat intelligence analyst; I had "business owner." So as a business owner I kept up to date with the various attacks that not only I was getting internally, but also what my colleagues were seeing as well, and then I would educate my particular clients on that. So I'm kind of taking the same ideas and methodologies that I used in my business for 15 years and applying them in enterprise at scale.

The other thing is red team. So I love red team; they're amazing, they're so smart and highly skilled. But sometimes some red teams, speaking with other CTI analysts and people in other organizations, like to go for the fancy hacks, right? Like Mr. Robot, and some of those really fancy ones where you're like, "Wow, this would probably never happen," like the possibility of it happening is very slim. So, you know, emulating Mr.
Robot attacks, or really fancy hacks of printers and Raspberry Pis and blah blah blah, that's fine and good, but I'm suggesting as well incorporating emulation of the attack data that's specific to your particular organization.

And the other thing: the thing that I've found, too, as a small business owner, is I pretty much had control over everything and communications with everyone, so I didn't really have to worry about being in silos. In enterprise it's like every single group has their own little special area, and sometimes it can be a little bit difficult to foster the communication and relationships between the teams. So what I'm suggesting is that, with the timely and actionable intelligence from internal threat data, the teams can have a shared mission, so that essentially they can foster collaboration and work together to build out adversary detection pipelines that work for the particular teams and the business initiatives. So it can be a collaborative thing, instead of just having your individual team goals. I guess you could say it's more like an overarching goal for cyber threat intelligence for your particular security department. So it's the same thing, but looking at it a little bit differently and encouraging collaboration.

So why aren't people using it? A lot of times people think that you are required to know crazy scripting, code, you have to do all this stuff, right? Or they're like, "Oh, well, we only have open source IOCs," and I'm like, "Oh my gosh, you have so much more than just the open source IOCs, or the free feeds, or even the paid threat feeds." The other thing is people think that they should only try to look at the threat actors that are popular, you know, like the Fancy Bears, the Grim Spiders, let's see, APT33, APT34, APT10, right? But the internal threat data is not, quote-unquote, sexy, or a Bear or a Panda or any of those other things, or popular, or in the news. Like, what sounds better? "Oh, yeah, you know, we were getting attacked by Fancy Bear," versus, "Yeah, we have some TTPs of blah blah blah." So being able to not be wooed by the sexy, and work with what's internal to your org. And it's really easy to start; like I said, you just need Excel, critical thinking skills, and access to your internal attack data.

So, a little bit of background info so that everyone can be kind of on the same page. How many CTI analysts do we have in here? OK, so you guys can, like, tune out. So attribution is not the easiest thing in the world to do. When you have all of your internal attack data, being able to attribute it to APT10 or APT33, APT34, you know, Fancy Bear, Cozy Bear, all of that, it's not easy, it's not easy at all. And there are multiple attribution frameworks that you would have to deal with in order to even start approaching the issue of attribution. So Jason D. Jolly got his PhD and wrote a dissertation and a book on this. So for instance, technical attribution, recursive traceback: there's a whole book, like hundreds of pages, on this, so if you're interested in it I would highly recommend reading it. There's forensic attribution, so for instance let's say that you want to map back the internal attack data to what other people are seeing in the industry, whether APT10 or APT1, right? There are some things that DFIR, or whatever your team is that does incident response and collection of data, would need to do, and these are just some of the items that they would probably need to find or collect for the various attacks or malware that's being sent to your particular organization. Indirect attribution: this has to do more with dealing with nation-states, in between the jurisdictions of the various countries. So it's not easy, because the bad guys like to do proxy chaining, right? So you do one proxy and then you hop to another proxy, and then another proxy, and then another proxy, so even though the IP says it's from Russia, it
might not be Russia. So, things like that. And then they like to hop through countries where there is not, like, political infrastructure set up in order to handle engaging extradition of those people, and the data as well. So Jason D. Jolly says, basically, that there's no single technical attribution technique that's adequate to attribute cyberattacks. So even if you got all of the forensic information, you need additional information on top of that. So it's a lot. And Robert M. Lee, the course author of FOR578, said that basically true attribution is kind of time-consuming and resource-intensive, and not everyone on the planet needs to do it; the value add for private companies to move forward with true attribution might be a little much. So what I recommend is using TTPs, and that's tactics, techniques and procedures, and that's basically the how and the what of an attack.

The other thing is naming structures. So you'll see APT33 and you'll see Fancy Bear and you'll see all of these other names for the same group, right? And that's because, for instance, if you look at FireEye, they get certain data sets, CrowdStrike gets other data sets, and both of these companies have different analysts analyzing the information in order to do proper attribution and put it in the right bucket, essentially. So me, as a cyber threat intelligence analyst, I don't know what the other analysts saw or didn't see versus what I have in my own data, or how they interpreted it, how they got the particular data, how did they do it. And I'm not privy to that information, because there's only so many places I can work. So because of that, a lot of cyber threat intelligence analysts make their own internal naming structure, because they don't have that extra context that you need in order to properly attribute the attacks that you're getting.

The other thing is, like I said earlier, it's very resource-intensive. So if you have a larger organization, right, and you only have one or two cyber threat intelligence analysts, and there's, you know, 20, 30, 40, 50 thousand people that they have to oversee, making sure, being proactive with the threats that are happening in the landscape, it's a little difficult to keep up with that with short staff, essentially.

And then tradecraft. So not only do you need to know all that other stuff I talked about, but you also have to be familiar with the politics, what's going on in the environment during that particular time in that particular region, the use of various words for specific things. You have to have a deeper understanding of geopolitics and be up to date with current events. I mean, that's why, if you look at cyber threat intelligence analysts, they tend to sometimes specialize in, like, Russia or EMEA or Iran or one of those other areas, right? Because it's so much information to keep up to date with, and to be an expert and be able to speak intelligently about. I'll be the first to say that I am not an expert in any of those areas, so I go to the people that focus on it and spend all their time learning the tradecraft of the various sectors of the particular area.

The other thing is attackers can essentially cover their tracks. So I think it was Tim Maurer, in Cyber Mercenaries, who also shared that independent hackers can act as a proxy for nation-states. A nation-state will be like, "Hey, Mr.
Hacker, can you hack these people on our behalf?" And so it looks like it might be an independent hacker, but it's really nation-state sponsored, and for me, I honestly would have a hard time telling the difference. So that's the other thing. And the threat actors like to kind of hide in normal traffic and use commodity malware, some of them, right? So it's like, how do you tell the difference between a script kiddie that got a NanoCore RAT for free, right, versus a nation-state threat actor that's like, "Huh, we're gonna pwn them with this"? So it can be difficult. I do not have the skill set to tell the difference between that.

So the other thing: false flags. This one, Olympic Destroyer, it was rumored that it was North Korea, then Russia, and if you look at a blog by Talos, they have multiple different threat activity groups or threat actors that they think did Olympic Destroyer, and really there still is kind of a big question mark because of the forensic indicators for that. And Jake Williams, I don't know if he's here, but he did a really great talk at Black Hat Europe, and then he also did a DerbyCon talk as well in 2019, regarding false flags. So if you want more in-depth information about that, I highly recommend checking out his talks, because he's really smart and knows this stuff very well.

So here are some approaches and methods for adversary detection pipelines. So what is it? It's just a way of packaging your cyber threat intelligence to feed different initiatives within your organization. So for instance, there's a business focus, so that's kind of looking at your 10-K and annual reports; then there's a security team or security department focus; and then there's the CTI team focus, and they end up being also a customer of the adversary detection pipelines.

So, business initiatives. Something that you can do right now, if you want, is pull up your company's annual report; they should be out by now, or even the most recent 10-K or 10-Q. And in that there's a management discussion, at least in Visa's, where the managers kind of interpret the information and say where they want to go, or things that they want to see happen. So when you look at that stuff, you can get an idea, as a cyber threat intelligence analyst, of where the company is heading long term. And because it's publicly available, that means that if I were a bad guy, I would read that, and I would look at what type of initiatives the company is doing, and I would target that as well. So one good example: I think in Visa's annual report they said they wanted to build up their POS services for their customers. So I would definitely look at the different teams involved with it, the attacks that are being sent to those particular teams that are involved with that particular business initiative. I would look at third parties involved with that, I would look at the hardware, I would look at the software, everything that's involved and that goes into making that initiative happen and be successful. I would look and see how I could provide value to those particular teams.

So this is just a repeat of that: how to support it. Hardware controls: are there vulnerabilities, are there outstanding ones? So not all companies patch things right away, right? I'm not gonna name names. So let's say that there's a really bad vulnerability that's out there that hasn't been patched yet, and you're still, like, I don't know, even if it's like 15 or 20 percent that are patched yet, that's pretty big. So if the growth of the company hinges upon this particular initiative, or what they want to do, then as a CTI analyst I would look at that, and look at any particular vulnerabilities that are nasty, that need to be patched quickly, that could potentially result in pwnage. So these are just some ideas that you guys can use.

So, deliverables. Looking at the internal attack data: so for instance, you have the people that receive emails, right, and then you can understand the various
exploits, if there are exploits in there, what type of malware variants they're getting, are they being sent spear-phishing campaigns, what is going on, are they trying to get them to respond, are they trying to do BEC with them, things like that. Really getting a good idea of what type of attacks are being directed at the particular business units that are involved with that.

And then also external threat intelligence. So this is where the external threat reports come in handy, to be able to review and see if there's any mention, because sometimes when you're going through reports they have a little sentence or a little mention here and there. And to be honest, that's helped me in my day-to-day, where I question, "Oh, that's not a big deal. Well, why do I feel it's not a big deal, or why do I think that?" So I use a little bit of the structured analytic techniques with the thoughts that I'm having in order to dive into stuff, and when you do that, sometimes you can find compromised vendors before they're onboarded onto your system, things like that, just by asking a few extra questions and looking at things with critical thinking. And the structured analytic techniques by Richards Heuer are definitely helpful, and I highly recommend them.

So, the internal security team initiatives. It depends on your org structure, right? So you can have a cybersecurity department, and then of course you have your red team, you have your DFIR, you have your SOC, you have your project management, whatever you have in your security team. Each team has different goals that they have to meet for the year. So what would be helpful is understanding where they want to be a year from now, and then finding out how you can contribute to that. So an example would be, let's say red team, they're like, "OK, for 2020 we want to run six emulation exercises and one simulation exercise," and you're like, "OK, cool." So as a CTI analyst, first of all, what's the difference between emulation and simulation, right? Emulation is basically copying the TTPs of the threat actor and using that within your environment, and then simulation is using a tool that one of your threat actors uses and kind of testing how that is within the environment, or being attacked with it in the environment. So with that, I would look at the various internal threat data, the threat activity groups, and then I would prioritize them, and then provide red team with the top six threat actors to emulate for the past, you know, year or quarter, so that they can do that and build that out over the year. Because running emulation exercises, they can't just look at it and then run it automatically; they have to plan it, they have to set stuff up, right? I'm not a red teamer, so I don't know everything that goes into it; I just know that it's definitely time-consuming, and they can't just go, "Oh, well, emulate these TTPs of this threat activity group," and go do it. So helping them with planning and getting them information, so that they can build out their program and meet the goals that they set for that year, is helpful. And that was just one example. And then, of course, metrics as well.

So, operational environment. Let's see, Scott J. Roberts wrote a blog, and he's done a ton of stuff; if you are interested in cyber threat intelligence at all, Scott J. Roberts is an awesome person to consume all of his data. And then the other person, Brian P. Kime, he is actually at Forrester right now, and he wrote a really great paper on threat intelligence planning. So I took the information from both of those people, some of my business ideas, or experience, and then put it in here regarding the operational environment and things that would be helpful for you to understand prior to building out the adversary detection pipeline. So for instance, understanding attacks, if they come external to internal, and then also internal to external; reviewing the
threat actors that have historically targeted your particular organization, if you have that information; reviewing cognitive biases and logical fallacies. So that's kind of how people are like, "Wow, how did you do that, where did you find that information?" and really it was just by asking questions of why I was thinking a certain way, and then finding supporting information to refute my hypothesis, essentially. But there are whole books on it; I don't need to go into it. Definitely check out Richards Heuer on that one. And the other thing that I found was really helpful is reviewing all of the previous information from past cyber threat intelligence analysts, so I kind of get an idea of what went well, what they want, what they don't want.

And then here are some data collection requirement ideas, and this is from Rebekah Brown and Robert M. Lee from the SANS CTI survey. And if you get a chance, reading all of those SANS surveys is actually exceedingly helpful; that's how I got a lot of these ideas, to be honest, and that's how I look at trends over time and get an idea of where people are going and what they're doing and what they're looking into. For instance, there's a threat hunting survey, and they said that they're moving towards looking at their internal attack data, and so as a cyber threat intelligence analyst that makes me think, how can I package the information that I'm collecting, or that I have, to be valuable to the threat hunting teams, because they're trending that way towards using internal attack data. So here are just some ideas: looking at internal tickets, the WAF attacks, email analysis, endpoint, IDS. You already know this because you're here.

So the other thing is, when you're prioritizing threat activity groups to pass off to other groups, for instance the red team example, they want to do six emulation exercises; if you're tracking, I don't know, let's say 20 activity groups, how do you narrow down the 20 groups to six, right? So you have intent, capability and opportunity, which is a definition of a threat. So intent: they already have the intent, because they're sending it to you; this is all based on your internal attack data that you're building this off of, your email, so you already have intent, right? Capability: so if they're sending you Emotet and they're sending you TrickBot and both of them are blocked, how do you prioritize which one of those is more, I guess you could say, important, right, for the TTPs associated with that particular threat activity group? I couldn't come up with a good answer to that. So then I moved on to opportunity, and I was like, OK, I think I'm making some headway here. And with opportunity I look at my perception of the attacker's knowledge of my particular environment. So an example of this, right: let's say that your particular organization whitelists Google Drive and Google Docs, OK, and let's say that you're getting attacks, or emails, with malicious links to Google Drive which has a Google Doc, and essentially if someone clicked on it you could execute that on your particular endpoint, right? So that's one level, OK? They may or may not know; they may have gotten lucky, you know. So then I take it one step further, and I look at if they're sending it to, like, a service account, you know, like info@company.com; that's easy to find. Or someone on the annual reports that I suggested reading, or the 10-Ks, or any of the publicly published information; if they're using or scraping that information and then sending attacks to those particular individuals, that is another, like, well, anyone could get that. But if they're sending it to people within your particular organization that are not easy to OSINT, and then take that a step further, your internal org structure, let's say they send it to an admin assistant and then they spoof that it's coming from their boss or their boss's boss, I'd say that that's a higher likelihood that they have a good idea of what's going on and they
somehow have access to some sort of internal structure that I had to, you know, look up, right? So I'm gonna rate that particular threat a little bit higher than someone just sending it to info@company.org, and, you know, it's blocked, right? So those are things to think about as you're building this out and packaging the data for other teams.

So how do you make TTPs, how do you build out a threat library, how do you even start doing that? Well, I was gonna do a brief explanation and, like, a very brief training, but luckily, recently Adam Pennington and Katie Nickels came out with the training at MITRE ATT&CK, and they pretty much go over all of it, and I honestly could not do a better job than them. So I'm gonna refer you to their training materials; they're very robust, they go into great detail as far as how to pull out the behaviors and the information that you have and to create a storyline, and they do such a great job. If you just google "MITRE ATT&CK training" it'll pull up for you, and I highly recommend looking at that.

So, threat grouping in action. I wanted to make it as easy as possible and not ask DFIR to pretty much change everything they do, whether it's their collection or methodologies or whatever. And so I decided to look at the malicious email campaigns coming into the organization first, and starting with one thing. I know it sounds simple, but starting with one thing and understanding that, and building that out, understanding the TTPs and capability, and then looking at the infrastructure, and then looking at the victim. If you are familiar with the Diamond Model, after all of the analysis is complete, after multiple instances of a similar type of campaign, I would assign a threat activity group to it. So I leave adversary out of it, and I just look at the capability, which is TTPs; the infrastructure, which would be something like the IP, or them using Google Docs or MailChimp or SendGrid or things like that, right; and then also the victimology. And then, phase two, you can correlate it with the DFIR tickets, SOC tickets and WAF data as well.

So if you do decide to go down this route, Robert M. Lee recommends allowing flexibility with your naming structure. So if you are gonna call them, like, APT33, and you have like 20, 30 different threat activity groups, for me it's hard to remember all of that, you know, like 1-4-5, 2-3-1, 4-3-2; after a while of juggling all the different threat activity groups, I just forget. So what I did is I pulled up this; it's pretty straightforward. I went to a hacker name generator. You don't have to do that, and this is pretty straightforward; I personally would be able to remember Wire Omega, Guard Zero, Delta. These are a little bit easier for me to relate to and to remember and to understand and to track within my own memory.

And then the other thing is, when you're prepping reports for the various teams, Christian Paredes, I don't know if you've seen this talk, but I highly recommend it. It's from the SANS CTI Summit 2017, and he gives you writing tips, and a lot of these, you can save yourself a lot of pain by implementing some of this, so that you present the information in a way that people can actually consume it and understand. So for instance, having a title, having a summary, having key points. I know it sounds really, really simplistic, but honestly, sometimes having things that are simple and easy to understand, and not convoluted with a lot of complicated words, is better. I'm a doctoral student, but just because I'm a doctoral student doesn't mean that I can't create things that are easily accessible for other people to consume, right? I leave the academic speak for academic stuff, if that makes sense.

So we're finally at the meat and taters: adversary detection pipelines. So, actually, Joshua Stevens did a talk at RSA in 2015, and he broke it down into structured data that
the threat hunting team would need. So I'm like, OK, well then, for the adversary detection pipelines, breaking it down into structured and then unstructured. So structured would be known threats, known TTPs, known IOCs, kind of real-time analysis, something that either the SOC would do, or let's say the SOC has an enrichment of threat activity, or even your threat hunting group, and they're like, "Oh, let's do some structured threat hunting and see what we can find." I don't know if you've ever done Boss of the SOC, and how they have the Windows event ID and then you have to track badness and stuff like that; let's say you wanted to have that, this is what structured data would be. And then unstructured as well, and that's the undefined threat and new TTPs.

So now, once we have a basic understanding of all of that, I'm gonna go back up through. So I went top-down, and then I'm gonna go bottom-up now. So we're gonna start at the CTI team initiatives. And what do I mean by that? Basically, when you get all of the data, I compile it in a way where I get a broad view of what's going on. I get all of the data and I track trends over time, right? Just handing this data to, like, the SOC or DFIR, one of those people, they'll be like, "Oh, that's great, like, what do I focus on?" It just looks like a bunch of lines and numbers: what should I care about, what should I not care about?

So here's something that you can do for your email campaigns: you can look at the campaign volume, and this is tracking individual threats over time, the volume, the delivered, and then also the clicked. And so when you get that over time, it gives you a really good idea of whether you have issues with your controls, or they're really good at bypassing it, right? So ensuring that the various attacks that end up getting delivered, that all of that stuff is patched, prioritizing that, looking into the various departments and teams that are being attacked by that, any specific tailored information that they know about your particular organization, and being aware of that over time.

You can even do a campaign heat map. So with this you get the delivery rates of the various threat activity groups that you found. So some of the things that you can do as a CTI analyst is, you know such-and-such TTPs that are associated with such-and-such a threat activity group are going to be active coming up. Let's see, Override, right? So Override is going to be, let's see if I can circle it, so Override is going to be active in November/December. So what I would do, leading up to that time, knowing that those particular threat activity groups are going to be active, is I would try to find any information that I have or don't have regarding any changes in TTPs, what other people are talking about, see if there is a change in the infrastructure, just get a good understanding of what's coming down the pipeline, and be a little bit more proactive.

The other thing is leveraging the MITRE ATT&CK Navigator. So you can put all of these various TTPs in there and you can see what's overlapping between the various threat activity groups, and you can print that out and have a good starting point to dive into looking at the controls or what's going on with that. I mean, obviously, if you're working with email attack data, the email to begin with, there's going to be a lot of either Spearphishing Attachment or Spearphishing Link, right? So you've got that; that's out of the way. But then all the rest of the purple, looking at the other purple, like, why are they attacking that particular one; the purple's the overlap on here; what is it about that that is popular with the various threat activity groups that you have? So as a cyber threat intelligence analyst I would have the broad picture of what's going on with that, right?

And then here are the malware variant TTPs. I found tracking the various malware that you get over time, even though it might be blocked or whatever, just having a good understanding of how the trends are shifting as far as the attacks that are coming to your organization. So what helps me is, if I have a good baseline or a good understanding of what's going on in here now, and what we're being sent, when there are news articles out there that are related to that, like a new capability, or a new way of the threat activity group sending the particular badness, or a new module that they added to the malware, it gives me a heads-up to either let the teams know and mobilize, you know, work on suggesting something be patched, anything to improve the security defenses of the org. So that's what I use this for. And then this is just another way to look at it; if you don't like colors or maps, there's this.

And then the unstructured adversary detection pipelines. So for me, what I do is I try to look at the threat activity groups, the areas that they're attacking, the people that they're going after, and this gives me, you know, the people who click the most. For instance, if you have an internal phishing program, understanding the people that click the most is kind of a good idea, because then you can see, "Oh, these people are clicking the most, and they're getting the most attacks by such-and-such an activity group. Hmm, maybe I should increase the UBA score," so user behavior analysis, if you have that, right? So these are just things to consider. And me, I just understand the big picture, and then the next steps are packaging it for other teams.

So, threat actor dossiers. I take the threat activity groups and I package it, and I have multiple variations. So I have ones that go to management, right, ones that go to other teammates as suggestions, and then ones for the actual internal CTI team. So for instance, let's say you have a coworker, and there's more than just one person on the CTI team, and they really love tradecraft and they love the history and they love to see the attacks
trending over time then I would make that for the particular analysts so that they can have that contextual information whereas red team they'll be like I don't care about all of that I just want to know about the most recent like attacks right they'd be like delete all of that I don't care so here's just an example and I try to be specific with the procedures in the event the threat hunting team wants to use it and here's the finished product you could put your recommendations in there for instance if they're using an IQ Y file and that's not currently blocked making the recommendations to block that and putting that separately or putting that in a report or using it as metrics showing that from doing the various independent research for the CTI team you were able to get such and such a thing blocked and that particular thing was being attacked by this particular a threat activity group so that helps with metrics and that helps management and higher-ups basically confirm your value to the org and that was the talk of metrics and then so your internal security team I already talked about prioritizing the various sort of activity groups so the CTI team they get they get a broad understanding of what's going on in the organization then you prioritize that and package it to the various teams based upon the goals right you don't want to just slam them with a ton of information you want to give them what is actionable what is timely and what's directly relevant to the goals of their various teams or departments and Saucon defer those are some people to have conversations with and sometimes it's nice to find out hey what's worked for you in the past as far as what I've done for you what isn't working would you like this would you not like this what do you want what do you need having those type of conversations are exceedingly helpful so basically you just take the same data and then it's you to copy a copy paste and then you put a brief analysis with it same one if hunt 
wants to do unstructured unstructured threat hunting for q1 you just narrow down that information provide them the top targeted people or the least or the top you know parts of the the teams or the network or whatever it is that you have set up you know you provide that information to them within a specified time frame not all time because that's just that would be crazy and a lot of that would be too much so you narrow it down to a quarter and the thing that helps too is if they are aware of the known TTP's that are already hitting that particular sector of your network from your email attack data they can have that information as contextual and then know what's already known essentially to find the unknown so they can have a good idea with that the same thing with red just packaging the threat actor dossiers for them in a way that works and Matt Kelly from bisa Chicago he did a great talk on emulation exercises so what I added in to a spreadsheet is basically the historical information because sometimes with the attacks that you're getting via the campaign's like not all of the information is there so correlating the past stuff and the and the present stuff that's going on so that red team can decide you know what type of historical stuff do I want to use since it's missing in the most recent stuff when they're running emulation exercises and then purple teaming if you want a better idea of purple teaming the Central Bank of Ireland actually put out a really great really long research information and like a framework and described a lot of the purple team successes that they've experienced so I would highly recommend checking that out and Eric he is actually the course author of SEK 599 which is defending against advanced adversaries and purple team and he did this in one of his webcasts if you are interested at all in purple team I highly recommend watching any of his stuff and so tracking what the tools the red team needs how blue team detected it and kind of 
getting a heat map of the various controls and what happened with the emulation and purple team x exercises security team initiatives just creating the reports and helping the managers with metrics and tracking overtime like for instance CT I provided X amount of information towards red team and they were able to successfully emulate an exercise and X amount of controls were either modified or updated or brought on board as a result of this particular emulation exercise so that's something to do and then finally doing cyber threat landscape report so this would be helpful for I guess you could say the managers of your organization to track the purple team operations track how hunt is leveraging the data and how that's been beneficial to your organization any gaps that are occurring and then also to track document communication and procedural shifts as a result of implementing and moving forward with getting more use out of your threat intelligence and business initiatives just looking at the third parties like I said earlier looking at the internal attacks that are happening or being directed towards the people that are specific to the organization with respect to whatever initiatives it is that you find in the annual report 10-k 10-q even with small businesses I used to set yearly goals so I would be aware of that and communicate accordingly to my clients and when you're engaging the various people you have to think of it kind of like prospecting so not everyone is going to be on board so like don't don't get disheartened like just find the people that are interested in working with you and that want the data and focus on those and providing value to those people like you're not going to win everyone but the people that you do win you can make a meaningful change and add value to the organization so basically adversary detection pipelines are analysis of prioritized threats via structured and unstructured formats for an adversary detection pipeline focused on 
business departmental and CTI initiatives so that is it this is me MBA doctoral student lots of sand certs and if you have any questions feel free to reach out to me on Twitter or now and I have three shirts to give away thank you
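The campaign heat map, the "who clicks the most" view and the quarterly hunt package described in the talk, as an added example in Python (not the speaker's own spreadsheets); the email attack records and the group names GROUP-A and GROUP-B are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sample email attack data (not from the talk); one tuple per
# attempt: (date, threat activity group, targeted user, delivered, clicked).
# Group names are placeholders.
RECORDS = [
    (date(2019, 11, 4), "GROUP-A", "alice", True, True),
    (date(2019, 11, 12), "GROUP-A", "bob", False, False),
    (date(2019, 11, 20), "GROUP-B", "alice", True, False),
    (date(2019, 12, 2), "GROUP-A", "alice", True, True),
    (date(2019, 12, 9), "GROUP-B", "carol", True, False),
    (date(2019, 12, 16), "GROUP-B", "bob", False, False),
    (date(2020, 1, 7), "GROUP-B", "carol", True, True),
    (date(2020, 1, 21), "GROUP-A", "alice", False, False),
    (date(2020, 2, 3), "GROUP-B", "dave", True, True),
]

def campaign_heatmap(records):
    """Delivery rate per (group, YYYY-MM): delivered / attempted. Cells near
    1.0 mean that group is getting past your email controls that month."""
    attempted, delivered = defaultdict(int), defaultdict(int)
    for day, group, _user, was_delivered, _clicked in records:
        key = (group, day.strftime("%Y-%m"))
        attempted[key] += 1
        delivered[key] += int(was_delivered)
    return {k: delivered[k] / attempted[k] for k in attempted}

def top_clickers(records, n=3):
    """Users ranked by clicks, each with the group that targets them most;
    candidates for a higher UBA score or a targeted awareness push."""
    clicks = defaultdict(int)
    targeting = defaultdict(lambda: defaultdict(int))
    for _day, group, user, _delivered, clicked in records:
        clicks[user] += int(clicked)
        targeting[user][group] += 1
    ranked = sorted(((u, c) for u, c in clicks.items() if c),
                    key=lambda uc: (-uc[1], uc[0]))
    return [(u, c, max(sorted(targeting[u]), key=targeting[u].get))
            for u, c in ranked[:n]]

def quarter_slice(records, year, quarter):
    """Narrow the data to one quarter, e.g. the Q1 package for a hunt."""
    months = range(3 * quarter - 2, 3 * quarter + 1)
    return [r for r in records if r[0].year == year and r[0].month in months]

if __name__ == "__main__":
    for (group, month), rate in sorted(campaign_heatmap(RECORDS).items()):
        print(f"{month} {group}: {rate:.0%} delivered")
    print(top_clickers(RECORDS))
```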
Info
Channel: 0xdade
Views: 400
Keywords: shmoocon
Id: vUlTOn8RQXo
Length: 51min 42sec (3102 seconds)
Published: Thu Mar 12 2020