Standardized Threat Indicators Indicator Export Adversary Analysis (Pivoting) Private and Community Incident Correlation ThreatConnect Intelligence Research.

Standardized Threat Indicators Indicator Export Adversary Analysis (Pivoting) Private and Community Incident Correlation ThreatConnect Intelligence Research Team (TCIRT) Community Notifications

Slide Sections Using Address Indicators with SecurityCenter Using File Indicators with SecurityCenter Using Host Indicators with SecurityCenter Using URL Indicators with SecurityCenter Using File Indicators with Nessus

Using Address Indicators with SecurityCenter Step 1 – Extract Address Indicators Step 2 – Create a Watchlist from Address Indicators Step 3 – Filter Events by Watchlist Step 4 – (Optional) Create Query for 3D Tool Step 5 – Save Asset List of All Addresses Step 6 – Perform Audit Analysis Using Asset List Step 7 – Perform Event Analysis Using Asset List Step 8 – (Optional) Create List of Internal Addresses Step 9 – (Optional) Nessus Audit of Internal Addresses

Step 1 – Extract Address Indicators

Step 2 – Create a Watchlist from Address Indicators

Step 3 – Filter Events by Watchlist Inbound or outbound

Step 4 – (Optional) Create Query for 3D Tool

Step 5 – Save Asset List of All Addresses

Step 6 – Perform Audit Analysis Using Asset List Recommended Reading – Predicting Attack Paths

Step 7 – Perform Event Analysis Using Asset List Recommended Reading – Tenable Event Correlation

Step 8 – (Optional) Create List of Internal Addresses Only

Step 9 – (Optional) Nessus Audit of Internal Addresses
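The nine address-indicator steps above are mostly point-and-click in SecurityCenter, but the data handling in Steps 1, 2, 3, 5 and 8 is easy to get wrong (malformed entries, duplicates, and TEST-NET addresses that look "private" to some libraries). The following is an added example, not code from the slides or from ThreatConnect or Tenable. It assumes an indicator export as a JSON list of objects with "type" and "summary" fields, a one-address-per-line import shape for the watchlist and static asset list, and constructed firewall events; all three are assumptions for illustration.

```python
import ipaddress
import json
import re

# Constructed sample of an indicator export. The JSON shape ("type"/"summary")
# is an assumption for this example, not ThreatConnect's actual export format.
SAMPLE_EXPORT = json.dumps([
    {"type": "Address", "summary": "198.51.100.23"},
    {"type": "Address", "summary": "203.0.113.77"},
    {"type": "Address", "summary": "10.20.30.40"},
    {"type": "Address", "summary": "198.51.100.23"},   # duplicate
    {"type": "Address", "summary": "not-an-ip"},       # malformed entry
    {"type": "File", "summary": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "Host", "summary": "bad.example.net"},
])

# Constructed firewall events (not real LCE or syslog output): direction, src, dst.
SAMPLE_EVENTS = """\
Jun 01 10:00:01 fw1 conn in  src=198.51.100.23 dst=10.0.0.5 dport=443
Jun 01 10:00:02 fw1 conn out src=10.0.0.9 dst=203.0.113.77 dport=80
Jun 01 10:00:03 fw1 conn out src=10.0.0.9 dst=93.184.216.34 dport=443
Jun 01 10:00:04 fw1 conn in  src=192.0.2.1 dst=10.0.0.5 dport=22
"""

EVENT_RE = re.compile(r"conn (?P<dir>in|out)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")

# Step 8 uses explicit RFC 1918 ranges rather than ipaddress.is_private, which
# also flags the documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_addresses(export_json):
    """Step 1: Address indicators that parse as IP addresses, deduplicated and sorted."""
    addrs = set()
    for ind in json.loads(export_json):
        if ind.get("type") != "Address":
            continue
        try:
            addrs.add(ipaddress.ip_address(ind["summary"].strip()))
        except ValueError:
            continue  # drop malformed values instead of importing junk
    return sorted(addrs)


def list_text(addrs):
    """Steps 2 and 5: one address per line (assumed import shape for a
    watchlist or a static asset list)."""
    return "".join(f"{a}\n" for a in addrs)


def filter_events(events_text, addrs):
    """Step 3: events whose source or destination is on the watchlist,
    returned as (direction, src, dst) so inbound and outbound are both visible."""
    watch = {str(a) for a in addrs}
    hits = []
    for line in events_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        if m["src"] in watch or m["dst"] in watch:
            hits.append((m["dir"], m["src"], m["dst"]))
    return hits


def internal_only(addrs):
    """Step 8: the subset of indicators inside RFC 1918 space, which is the
    list worth a credentialed Nessus audit in Step 9."""
    return [a for a in addrs if any(a in net for net in RFC1918)]


if __name__ == "__main__":
    addrs = extract_addresses(SAMPLE_EXPORT)
    print(list_text(addrs), end="")
    for hit in filter_events(SAMPLE_EVENTS, addrs):
        print("hit:", *hit)
    print("internal:", [str(a) for a in internal_only(addrs)])
```

The malformed entry and the duplicate are silently dropped before anything reaches the watchlist; if an export contains many rejected rows that is itself worth a look, since it usually means the export was cut or pasted incorrectly.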

Using File Indicators with SecurityCenter Step 1 – Extract Hashes Step 2 – Upload Hashes to Scan Policy Step 3 – Perform a Scan Using Credentials Step 4 – Review Scan Results Step 5 – Save Asset List of Infected Hosts Step 6 – Perform Audit Analysis Using Asset List Step 7 – Perform Event Analysis Using Asset List Step 8 – (Optional) Use Asset List with 3D Tool

Step 1 – Extract Hashes

Step 2 – Upload Hashes to Scan Policy

Step 3 – Perform a Scan Using Credentials Recommended Reading – Nessus Credential Checks for UNIX and Windows

Step 4 – Review Scan Results

Step 5 – Save Asset List of Infected Hosts

Step 6 – Perform Audit Analysis Using Asset List Recommended Reading – Predicting Attack Paths

Step 7 – Perform Event Analysis Using Asset List Recommended Reading – Tenable Event Correlation

Step 8 – (Optional) Use Asset List with 3D Tool

Using Host Indicators with SecurityCenter Step 1 – Filter Events by Host Step 2 – Perform Further Analysis Recommended Reading – Using Log Correlation Engine to Monitor DNS

Step 1 – Filter Events by Host

Step 2 – Perform Further Analysis See “Using Address Indicators with SecurityCenter”, steps 5 through 9. Filtering by the domain summary event before saving the asset list limits the list to hosts that actually performed a DNS lookup for the host indicator.

Using URL Indicators with SecurityCenter Step 1 – Divide Host and Location from URL Step 2 – Filter Events by Host Step 3 – Save Asset List Step 4 – Filter Events by Location Step 5 – Perform Further Analysis

Step 1 – Divide Host and Location from URL

Step 2 – Filter Events by Host Use the Host in the Syslog Text filter; use web-access in the Type filter.

Step 3 – Save Asset List

Step 4 – Filter Events by Location Use the Location in the Syslog Text filter; use the asset list from Step 3 in the Source Asset filter.

Step 5 – Perform Further Analysis See “Using Address Indicators with SecurityCenter”, steps 5 through 9. Steps 1 through 4 produce a second and final asset list to use for that analysis. Note that those steps intersect by host, not by event: a host lands on the final list because it contacted the indicator's host (Step 2) and separately requested the indicator's location (Step 4), which may have been two unrelated requests. Before relying on the list, verify that the full URL actually matched by reviewing the web-access details of the Step 4 events.
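The URL procedure above (and Step 1 of the host-indicator procedure, which is the same host filter) is worth seeing end to end, including the by-host intersection caveat. The following is an added example, not code from the slides or from Tenable. It assumes URL indicators may be exported without a scheme, and uses constructed web-access events in a key=value shape that stands in for what the Syslog Text filter would search; both are assumptions for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed proxy events (not real LCE output). The fourth line shows a
# host that fetched the indicator's location from a different server.
SAMPLE_EVENTS = """\
Jun 01 10:00:01 proxy1 web-access src=10.0.0.5 host=cdn.example.net uri=/update/payload.bin status=200
Jun 01 10:00:02 proxy1 web-access src=10.0.0.9 host=cdn.example.net uri=/index.html status=200
Jun 01 10:00:03 proxy1 web-access src=10.0.0.9 host=other.example.org uri=/update/payload.bin status=200
Jun 01 10:00:04 proxy1 web-access src=10.0.0.12 host=other.example.org uri=/update/payload.bin status=200
Jun 01 10:00:05 proxy1 dns-query src=10.0.0.9 query=cdn.example.net
"""

WEB_RE = re.compile(r"web-access src=(?P<src>\S+) host=(?P<host>\S+) uri=(?P<uri>\S+)")


def divide_url(url):
    """Step 1: split a URL indicator into (host, location).
    Indicators without a scheme get one prepended so urlsplit parses the host
    (assumption about how the export looks)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    location = parts.path or "/"
    if parts.query:
        location += "?" + parts.query
    return (parts.hostname or "").lower(), location


def web_events(events_text):
    """Type filter: only web-access events, as parsed matches."""
    return [m for m in map(WEB_RE.search, events_text.splitlines()) if m]


def events_by_host(events_text, host):
    """Step 2: web-access events whose Syslog Text carries the host."""
    return [m for m in web_events(events_text) if m["host"].lower() == host]


def asset_list(matches):
    """Step 3: the sources of the matched events, sorted as addresses."""
    return sorted({m["src"] for m in matches}, key=ipaddress.ip_address)


def events_by_location(events_text, location, assets):
    """Step 4: location in Syslog Text, source restricted to the Step 3 asset list."""
    return [m for m in web_events(events_text) if m["uri"] == location and m["src"] in assets]


def analyze(events_text, url):
    """Steps 1-4, plus the verification the slides ask for: keep only events
    where host and location matched in the same request."""
    host, location = divide_url(url)
    assets = asset_list(events_by_host(events_text, host))
    by_loc = events_by_location(events_text, location, set(assets))
    verified = [m for m in by_loc if m["host"].lower() == host]
    return {
        "host_assets": assets,
        "candidates": sorted({m["src"] for m in by_loc}, key=ipaddress.ip_address),
        "verified": sorted({m["src"] for m in verified}, key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS, "http://cdn.example.net/update/payload.bin"))
```

On the sample data, 10.0.0.9 survives Steps 1 through 4 because it visited cdn.example.net (index page) and separately fetched /update/payload.bin from other.example.org; only the per-event check removes it, which is exactly the review the slides ask for in Step 4.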

Using File Indicators with Nessus Step 1 – Extract Hashes Step 2 – Use Windows Malware Scan Wizard Step 3 – Perform Scan and Review Results

Step 1 – Extract Hashes

Step 2 – Use Windows Malware Scan Wizard

Step 3 – Perform Scan and Review Results
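Both file-indicator procedures (with SecurityCenter, Steps 1 through 5, and with Nessus above) start by extracting hashes and end by turning scan results into a list of infected hosts. The following is an added example, not code from the slides or from ThreatConnect or Tenable. It assumes the same JSON export shape as before ("type"/"summary"), a one-hash-per-line file for the scan policy's custom hash upload, and a constructed list of credentialed-scan findings; all are assumptions for illustration, and the findings are not real Nessus plugin output.

```python
import ipaddress
import json
import re

# Constructed sample export (assumed shape, not ThreatConnect's format).
SAMPLE_EXPORT = json.dumps([
    {"type": "File", "summary": "D41D8CD98F00B204E9800998ECF8427E"},                                # md5, upper case
    {"type": "File", "summary": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},                        # sha1
    {"type": "File", "summary": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},# sha256
    {"type": "File", "summary": "deadbeef"},                                                        # not a hash
    {"type": "File", "summary": "d41d8cd98f00b204e9800998ecf8427e"},                                # duplicate
    {"type": "Address", "summary": "198.51.100.23"},
])

# Constructed credentialed-scan findings: (host, path, hash). Not real plugin output.
SAMPLE_FINDINGS = [
    ("10.0.0.5", r"C:\Users\a\AppData\Local\Temp\svch0st.exe", "D41D8CD98F00B204E9800998ECF8427E"),
    ("10.0.0.9", r"C:\Windows\System32\notepad.exe", "0123456789abcdef0123456789abcdef"),
    ("10.0.0.12", "/tmp/.x/update", "d41d8cd98f00b204e9800998ecf8427e"),
]

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def extract_hashes(export_json):
    """Step 1: File indicators, lower-cased, deduplicated, grouped by algorithm.
    Values that are not hex of a known digest length are dropped."""
    out = {"md5": [], "sha1": [], "sha256": []}
    seen = set()
    for ind in json.loads(export_json):
        if ind.get("type") != "File":
            continue
        h = ind["summary"].strip().lower()
        algo = HASH_LENGTHS.get(len(h))
        if algo is None or not HEX_RE.match(h) or h in seen:
            continue
        seen.add(h)
        out[algo].append(h)
    return out


def hash_upload_text(hashes, algo="md5"):
    """Step 2: one hash per line for the scan policy's custom hash file
    (assumed import shape; pick the algorithm the policy expects)."""
    return "".join(f"{h}\n" for h in hashes[algo])


def infected_hosts(findings, hashes):
    """Steps 4-5: hosts where any scanned file's hash matched an indicator,
    compared case-insensitively, sorted as addresses for the asset list."""
    bad = {h for group in hashes.values() for h in group}
    return sorted({host for host, _, h in findings if h.lower() in bad}, key=ipaddress.ip_address)


if __name__ == "__main__":
    hashes = extract_hashes(SAMPLE_EXPORT)
    print(hash_upload_text(hashes), end="")
    print("infected:", infected_hosts(SAMPLE_FINDINGS, hashes))
```

Normalizing case before comparison matters: exports and scanner output do not agree on hex casing, and a missed match here means a host silently left off the asset list used in Steps 6 and 7.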