Cornerstones of Threat Intelligence with Open Source tools

Presenters
- Jaime Blasco, Director, AlienVault Labs: security researcher, malware analyst, incident response
- Santiago Bassett, Security Engineer: OSSIM / OSSEC, network security, log management

The attacker's advantage
- They only need to be successful once
- Determined, skilled and often funded adversaries
- Custom malware, 0-days, multiple attack vectors, social engineering
- Persistent

The defender's disadvantage
- They cannot afford a single mistake
- Understaffed, jack of all trades, underfunded
- Increasingly complex IT infrastructure:
  – Moving to the cloud
  – Virtualization
  – Bring your own device
- Prevention controls fail to block everything
- Hundreds of systems and vulnerabilities to patch

What is Threat Intelligence?
- Information about malicious actors
- Helps you make better decisions about defense
- Examples: IP addresses, domains, URLs, file hashes, TTPs, victims' industries, countries...

State of the art
- Most sharing is unstructured and human-to-human
- Closed groups
- Existing standards require knowledge, resources and time to integrate the data

How to use Threat Intelligence
- Detect what your prevention technologies fail to block
- Security planning, threat assessment
- Improve incident response and triage
- Decide which vulnerabilities to patch first
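The first of those uses, detection, as an added worked example that is not code from the presentation or from AlienVault: a small indicator feed is matched against proxy, DNS and AV log lines, with CIDR matching for IP indicators, parent-domain matching for FQDN indicators, and a confidence threshold so low-confidence hits can be left for triage rather than alerting. The feed entries, the log lines and their formats are all constructed for the example; the feed fields (type, value, confidence, source) mimic what a CIF query returns, but the code talks to no CIF instance.

```python
"""Match a constructed threat-intel feed against constructed log lines.

Illustrative code written for this page; the feed, the log lines and the
log formats (squid-style proxy, BIND-style query log, an AV event) are all
invented here and are not the presenters' data.
"""
import ipaddress
import re
from collections import namedtuple

Indicator = namedtuple("Indicator", "type value confidence source")

# Constructed feed in the shape of a CIF query result.
FEED = [
    Indicator("ipv4", "198.51.100.23", 85, "sandbox"),
    Indicator("ipv4", "203.0.113.0/24", 65, "botnet-tracker"),  # whole range, lower confidence
    Indicator("fqdn", "update.example-bad.test", 95, "sandbox"),
    Indicator("url", "http://cdn.example-bad.test/x.php", 90, "sandbox"),
    Indicator("md5", "44d88612fea8a8f36de82e1278abb02f", 100, "vt"),
]

# Constructed log lines: two proxy requests, two DNS queries, one proxy hit in
# the watched range and one AV event carrying a file hash.
LOGS = [
    "1393000000.123 proxy TCP_MISS/200 GET http://cdn.example-bad.test/x.php 198.51.100.23",
    "1393000001.456 proxy TCP_MISS/200 GET http://www.example.org/index.html 192.0.2.10",
    "1393000002.789 dns client 10.0.0.5 query: update.example-bad.test IN A",
    "1393000003.000 dns client 10.0.0.6 query: mail.example.org IN MX",
    "1393000004.000 proxy TCP_MISS/200 GET http://203.0.113.77/gate.php 203.0.113.77",
    "1393000005.000 av host=ws12 file=invoice.exe md5=44d88612fea8a8f36de82e1278abb02f",
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Deliberately simple hostname heuristic; it also picks up things like "x.php",
# which is harmless because they never match a feed entry.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b", re.I)


def build_index(feed):
    """Exact-value dicts for FQDN/URL/hash, a list of networks for IP ranges."""
    idx = {"fqdn": {}, "url": {}, "hash": {}, "net": []}
    for ind in feed:
        if ind.type == "ipv4":
            idx["net"].append((ipaddress.ip_network(ind.value, strict=False), ind))
        elif ind.type == "fqdn":
            idx["fqdn"][ind.value.lower().rstrip(".")] = ind
        elif ind.type == "url":
            idx["url"][ind.value.lower()] = ind
        elif ind.type in ("md5", "sha1", "sha256"):
            idx["hash"][ind.value.lower()] = ind
    return idx


def observables(line):
    """Set of (kind, value) observables found in one log line."""
    found = set()
    for url in URL_RE.findall(line):
        found.add(("url", url.lower()))
    for ip in IP_RE.findall(line):
        try:
            found.add(("ip", ipaddress.ip_address(ip)))
        except ValueError:
            pass  # e.g. 999.1.1.1 matched the regex but is not an address
    for host in HOST_RE.findall(line):
        found.add(("fqdn", host.lower()))
    for h in HASH_RE.findall(line):
        found.add(("hash", h.lower()))
    return found


def lookup(idx, kind, value):
    """Return the matching Indicator or None."""
    if kind == "url":
        return idx["url"].get(value)
    if kind == "hash":
        return idx["hash"].get(value)
    if kind == "ip":
        return next((ind for net, ind in idx["net"] if value in net), None)
    if kind == "fqdn":
        labels = value.split(".")
        for i in range(len(labels) - 1):  # the host itself, then each parent domain
            ind = idx["fqdn"].get(".".join(labels[i:]))
            if ind:
                return ind
    return None


def match_logs(lines, feed, min_confidence=0):
    """Hits as (line_index, observable, Indicator), highest confidence first."""
    idx = build_index(feed)
    hits = []
    for n, line in enumerate(lines):
        for kind, value in observables(line):
            ind = lookup(idx, kind, value)
            if ind and ind.confidence >= min_confidence:
                hits.append((n, str(value), ind))
    hits.sort(key=lambda h: (-h[2].confidence, h[0]))
    return hits


if __name__ == "__main__":
    for n, obs, ind in match_logs(LOGS, FEED, min_confidence=75):
        print(f"line {n}: {obs} -> {ind.type} {ind.value} ({ind.confidence}, {ind.source})")
```

With the threshold at 75 the /24 range hit on the last proxy line is kept out of the alert list; lowering it to 0 brings that hit back, which is the triage decision the slide refers to.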

The Threat Intelligence Pyramid of Pain [slide image]

Standards & Tools
- IODEF: Incident Object Description Exchange Format
- MITRE:
  – STIX: Structured Threat Information eXpression
  – TAXII: Trusted Automated eXchange of Indicator Information
  – MAEC, CAPEC, CybOX
- CIF: Collective Intelligence Framework

Collective Intelligence Framework [slide image]

Collecting malware
- Some malware tracking sites:
- Some Open Source malware crawlers:
  – Maltrieve:
  – Ragpicker:

Collecting malware [slide image]

Other malware collection tools
- Dionaea honeypot:
- Thug honeyclient, for drive-by download attacks: emulates browser functionality (ActiveX controls and plugins)

Analyzing malware
- YARA: flexible, human-readable rules for identifying malicious streams
- Can be used to analyze files, memory (with Volatility) and network streams

    private rule APT1_RARSilent_EXE_PDF
    {
        meta:
            author = "AlienVault Labs"
            info = "CommentCrew-threat-apt1"
        strings:
            $winrar1 = "WINRAR.SFX" wide ascii
            $winrar2 = ";The comment below contains SFX script commands" wide ascii
            $winrar3 = "Silent=1" wide ascii
            $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
            $str2 = "Steup=\"" wide ascii
        condition:
            all of ($winrar*) and 1 of ($str*)
    }
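An added illustration of how that rule evaluates, written for this page and not taken from the presentation or from YARA itself: a hand-rolled evaluator for this one rule that makes the `wide ascii` modifiers and the `all of` / `1 of` condition explicit. It keeps the literal `Steup="` string exactly as the published rule has it, and it reproduces one subtlety that matters when you write rules: `$str1` is a regex without a `wide` modifier, so YARA only tries it against ASCII bytes, and a UTF-16 `Setup=` line on its own does not fire the rule. The sample buffers are constructed; in practice you compile the real rule with yara or yara-python.

```python
"""Evaluate the APT1_RARSilent_EXE_PDF condition by hand on constructed buffers.

Written for this page to show what the rule's modifiers and condition mean;
this is not YARA and the sample buffers are invented.
"""
import re

# $winrar1..3 carry `wide ascii`: each matches as ASCII or as UTF-16LE.
WINRAR = [
    "WINRAR.SFX",
    ";The comment below contains SFX script commands",
    "Silent=1",
]
# $str2 also carries `wide ascii`; the spelling is the published rule's.
STR2 = 'Steup="'
# $str1 is a regex with no `wide` modifier, so it is only tried as ASCII.
STR1 = re.compile(rb'Setup=[\s\w"]+\.(exe|pdf|doc)')


def encodings(s):
    """The byte forms a `wide ascii` string can take."""
    return (s.encode("ascii"), s.encode("utf-16-le"))


def present(data, s):
    return any(enc in data for enc in encodings(s))


def apt1_rarsilent(data):
    """True when the rule's condition would fire on `data`."""
    all_winrar = all(present(data, s) for s in WINRAR)         # all of ($winrar*)
    one_str = bool(STR1.search(data)) or present(data, STR2)   # 1 of ($str*)
    return all_winrar and one_str


# Constructed SFX comment block as it would sit in an ASCII SFX archive.
MALICIOUS_ASCII = (
    b"WINRAR.SFX\x00"
    b";The comment below contains SFX script commands\r\n"
    b"Silent=1\r\n"
    b"Setup=invoice.pdf\r\n"
)
# Same idea in UTF-16LE, triggering via the wide form of $str2.
MALICIOUS_WIDE = b"".join(s.encode("utf-16-le") for s in WINRAR + ['Steup="a.exe"'])
# Benign SFX: no Silent=1, so `all of ($winrar*)` fails.
BENIGN_ASCII = (
    b"WINRAR.SFX\x00"
    b";The comment below contains SFX script commands\r\n"
    b"Setup=readme.pdf\r\n"
)
# All $winrar strings present in UTF-16LE, but Setup= only in UTF-16LE: the
# non-wide regex $str1 cannot see it, and $str2 is absent, so no match.
WIDE_SETUP_ONLY = b"".join(s.encode("utf-16-le") for s in WINRAR + ["Setup=x.exe"])


if __name__ == "__main__":
    for name, buf in [("ascii", MALICIOUS_ASCII), ("wide", MALICIOUS_WIDE),
                      ("benign", BENIGN_ASCII), ("wide-setup-only", WIDE_SETUP_ONLY)]:
        print(f"{name:16} -> {apt1_rarsilent(buf)}")
```

The last buffer is the one to remember: if the samples you are hunting write their SFX script in UTF-16, the regex needs the `wide` modifier too, otherwise the rule silently misses them.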

Analyzing malware
- Cuckoo Sandbox: used for automated malware analysis
- Traces Win32 API calls
- Files created, deleted and downloaded
- Memory dumps of malicious processes
- Network traffic (pcaps)

Analyzing malware [slide image]

Sandbox – CIF integration
- In our example: hxxp:// domain
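An added illustration of the sandbox-to-CIF step, not the presenters' code (the domain from their example is not preserved in the transcript): network indicators are pulled out of a Cuckoo report.json, sandbox-local addresses and allowlisted vendor domains are dropped so they do not poison the feed, and feed rows are produced that an analyst sees defanged (hxxp://, [.]) while a feed consumer gets them intact. The report fragment is constructed and its layout follows Cuckoo's "network" section as an assumption; how rows are submitted to CIF depends on the CIF version, so the example stops at the rows.

```python
"""Turn a Cuckoo-style report's network section into threat-intel feed rows.

Written for this page; the report fragment below is constructed and its
layout follows Cuckoo's report.json "network" section as an assumption
(hosts are plain strings in Cuckoo 1.x and dicts with an "ip" key in 2.x;
both shapes are handled).
"""
import ipaddress
import json

REPORT_JSON = r'''{
  "info": {"id": 42},
  "target": {"file": {"md5": "44d88612fea8a8f36de82e1278abb02f"}},
  "network": {
    "hosts": ["198.51.100.23", "10.0.2.2", {"ip": "203.0.113.77"}],
    "domains": [
      {"domain": "update.example-bad.test", "ip": "198.51.100.23"},
      {"domain": "time.windows.com", "ip": "203.0.113.5"}
    ],
    "http": [
      {"method": "POST", "host": "update.example-bad.test",
       "uri": "http://update.example-bad.test/gate.php"},
      {"method": "GET", "host": "time.windows.com", "uri": "http://time.windows.com/"}
    ]
  }
}'''

# Domains every Windows guest talks to on its own; pushing these into CIF
# would make every workstation look infected.
ALLOWLIST = {"windows.com", "microsoft.com", "windowsupdate.com", "msftncsi.com"}

# Sandbox-local and non-routable space (10.0.2.x is the default VirtualBox NAT
# range a Cuckoo guest sits in). Listed explicitly instead of using
# ip_address.is_private so the documentation ranges used here count as public.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def load_report(text=REPORT_JSON):
    return json.loads(text)


def is_routable(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def is_allowlisted(domain):
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in ALLOWLIST for i in range(len(labels) - 1))


def extract_iocs(report, source="cuckoo"):
    """De-duplicated network indicators; confidence reflects how specific each type is."""
    net = report.get("network", {})
    sample = report.get("target", {}).get("file", {}).get("md5", "")
    iocs, seen = [], set()

    def add(kind, value, confidence):
        key = (kind, value.lower())
        if value and key not in seen:
            seen.add(key)
            iocs.append({"type": kind, "value": value, "confidence": confidence,
                         "source": source, "sample": sample})

    for d in net.get("domains", []):
        dom = d.get("domain", "")
        if dom and not is_allowlisted(dom):
            add("fqdn", dom, 85)
            if is_routable(d.get("ip", "")):
                add("ipv4", d["ip"], 65)
    for r in net.get("http", []):
        host = r.get("host", "")
        if host and not is_allowlisted(host):
            add("url", r.get("uri", ""), 90)
    for h in net.get("hosts", []):
        ip = h if isinstance(h, str) else h.get("ip", "")
        if is_routable(ip):
            add("ipv4", ip, 65)  # bare contacted IPs are weak on shared hosting
    return iocs


def defang(value):
    """Make an indicator safe to paste into a ticket or e-mail."""
    return (value.replace("http://", "hxxp://").replace("https://", "hxxps://")
            .replace(".", "[.]"))


def refang(value):
    return (value.replace("hxxp://", "http://").replace("hxxps://", "https://")
            .replace("[.]", "."))


def feed_rows(iocs, for_humans=False):
    """CSV-style rows: type,value,confidence,source,sample."""
    rows = []
    for i in iocs:
        value = defang(i["value"]) if for_humans else i["value"]
        rows.append(f'{i["type"]},{value},{i["confidence"]},{i["source"]},{i["sample"]}')
    return rows


if __name__ == "__main__":
    for row in feed_rows(extract_iocs(load_report()), for_humans=True):
        print(row)
```

Keeping the sample hash on every row is what lets a CIF consumer trace an alert back to the analysis that produced it; the allowlist and routability checks are the part most often skipped and most often regretted.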

CIF external feed example [slide image]