Presentation is loading. Please wait.

Presentation is loading. Please wait.

Standardized Threat Indicators Tenable Formatted Indicator Export Adversary Analysis (Pivoting) Private and Community Incident Correlation ThreatConnect.

Published byGraham Aspen Modified over 10 years ago

Similar presentations

Presentation on theme: "Standardized Threat Indicators Tenable Formatted Indicator Export Adversary Analysis (Pivoting) Private and Community Incident Correlation ThreatConnect."— Presentation transcript:

1 Standardized Threat Indicators Tenable Formatted Indicator Export Adversary Analysis (Pivoting) Private and Community Incident Correlation ThreatConnect Intelligence Research Team (TCIRT) Community Notifications

2 Slide Sections Using Address Indicators with SecurityCenter Using File Indicators with SecurityCenter Using Host Indicators with SecurityCenter Using URL Indicators with SecurityCenter Using File Indicators with Nessus

3 Using Address Indicators with SecurityCenter Step 1 – Export Address Indicators Using Tenable Format Step 2 – Create a Watchlist from Address Indicators Step 3 – Filter Events by Watchlist Step 4 – (Optional) Create Query for 3D Tool Step 5 – Save Asset List of All Addresses Step 6 – Perform Audit Analysis Using Asset List Step 7 – Perform Event Analysis Using Asset List Step 8 – (Optional) Create List of Internal Addresses Step 9 – (Optional) Nessus Audit of Internal Addresses

4 Step 1 – Export Address Indicators Using Tenable Format

5 Step 2 – Create a Watchlist from Address Indicators

6 Step 3 – Filter Events by Watchlist Inbound or outbound If there arent events after applying filters theres no need to continue with further steps.

7 Step 4 – (Optional) Create Query for 3D Tool

8

9 Step 5 – Save Asset List of All Addresses

10 Step 6 – Perform Audit Analysis Using Asset List Recommended Reading – Predicting Attack PathsPredicting Attack Paths

11 Step 7 – Perform Event Analysis Using Asset List Recommended Reading – Tenable Event CorrelationTenable Event Correlation

12 Step 8 – (Optional) Create List of Internal Addresses Only

13 Step 9 – (Optional) Nessus Audit of Internal Addresses

14 Using File Indicators with SecurityCenter Step 1 – Export Hashes Using Tenable Format Step 2 – Upload Hashes to Scan Policy Step 3 – Perform a Scan Using Credentials Step 4 – Review Scan Results Step 5 – Save Asset List of Infected Hosts Step 6 – Perform Audit Analysis Using Asset List Step 7 – Perform Event Analysis Using Asset List Step 8 – (Optional) Use Asset List with 3D Tool

15 Step 1 – Export Hashes Using Tenable Format

16 Step 2 – Upload Hashes to Scan Policy Recommended Reading – Malware Detection and Forensics Scan ConfigurationMalware Detection and Forensics Scan Configuration

17 Step 3 – Perform a Scan Using Credentials Recommended Reading – Nessus Credential Checks for UNIX and WindowsNessus Credential Checks for UNIX and Windows

18 Step 4 – Review Scan Results If there arent infected hosts theres no need to continue with further steps.

19 Step 5 – Save Asset List of Infected Hosts

20 Recommended Reading – Predicting Attack PathsPredicting Attack Paths Step 6 – Perform Audit Analysis Using Asset List

21 Step 7 – Perform Event Analysis Using Asset List Recommended Reading – Tenable Event CorrelationTenable Event Correlation

22 Step 8 – (Optional) Use Asset List with 3D Tool

23

24 Using Host Indicators with SecurityCenter Step 1 – Filter Events by Host Step 2 – Perform Further Analysis Recommended Reading – Using Log Correlation Engine to Monitor DNSUsing Log Correlation Engine to Monitor DNS

25 Step 1 – Filter Events by Host

26 Step 2 – Perform Further Analysis See slides for Using ThreatConnect Address Indicators steps 5 through 9 if there are events found after applying filters. Filtering by the domain summary event before saving the asset list will get you a list of only those hosts that performed a DNS lookup for the host indicator.

27 Using URL Indicators with SecurityCenter Step 1 – Divide Host and Location from URL Step 2 – Filter Events by Host Step 3 – Save Asset List Step 4 – Filter Events by Location Step 5 – Perform Further Analysis

28 Step 1 – Divide Host and Location from URL

29 Step 2 – Filter Events by Host Use Host in Syslog Text filter Use web-access in Type filter If there arent events after applying filters theres no need to continue with further steps.

30 Step 3 – Save Asset List

31 Step 4 – Filter Events by Location Use Location in Syslog Text filter Use Asset List in Source Asset filter If there arent events after applying filters theres no need to continue with further steps.

32 Step 5 – Perform Further Analysis See slides for Using ThreatConnect Address Indicators steps 5 through 9 if there are events found after applying filters. We will be creating a second and final asset list to use for further analysis. Verify the URL is matched correctly by looking at the web-access details in Step 4. Steps 1 through 4 perform an intersection; however, its by host.

33 Using File Indicators with Nessus Step 1 – Export Hashes Using Tenable Format Step 2 – Use Windows Malware Scan Wizard Step 3 – Perform Scan and Review Results

34 Step 1 – Export Hashes Using Tenable Format

35 Step 2 – Use Windows Malware Scan Wizard

36 Step 3 – Perform Scan and Review Results

Download ppt "Standardized Threat Indicators Tenable Formatted Indicator Export Adversary Analysis (Pivoting) Private and Community Incident Correlation ThreatConnect."

Similar presentations

What’s New in Fireware XTM v11.3.2

What’s New in Fireware XTM v11.3.2
3D Tool Examples Dave Breslin (@ Tenable Discussions Forum)

3D Tool Examples Dave Breslin Tenable Discussions Forum)
Setting up an E-XL A Step by Step Tutorial Engineering Consultants Group, Inc.

Setting up an E-XL A Step by Step Tutorial Engineering Consultants Group, Inc.
Leveraging Continuous View to Hunt Malware. Why hunt for malware? Scanned services Unauthorized systems Patches Config Unauthorized software Malware Malware.

Leveraging Continuous View to Hunt Malware. Why hunt for malware? Scanned services Unauthorized systems Patches Config Unauthorized software Malware Malware.
ESafe Reporter V3.0 eSafe Learning and Certification Program February 2007.

ESafe Reporter V3.0 eSafe Learning and Certification Program February 2007.
Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.

Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
SecurityCenter Reporting Nessus Scan Report. SecurityCenter Reports For customers who use Nessus for vulnerability scanning and then move to SecurityCenter,

SecurityCenter Reporting Nessus Scan Report. SecurityCenter Reports For customers who use Nessus for vulnerability scanning and then move to SecurityCenter,
Security Audit Principles and Practices Chapter 11.

Security Audit Principles and Practices Chapter 11.
Nessus – A Vulnerability Scanning Tool SUNY Technology Conference June 2003.

Nessus – A Vulnerability Scanning Tool SUNY Technology Conference June 2003.
User Responsibility A “How To” Guide for SecurityCenter.

User Responsibility A “How To” Guide for SecurityCenter.
What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.

What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.
SecurityCenter & Palo Alto Configuration Guide. About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when.

SecurityCenter & Palo Alto Configuration Guide. About this Guide This guide provides an overview of how to get the most from Palo Alto firewalls when.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Vulnerability Types And How to Use Them.

Vulnerability Types And How to Use Them.
Security Guidelines and Management

Security Guidelines and Management
Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events.

Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events.
Maintaining Host Security Logs.  Security logs are invaluable for verifying whether the host's defenses are operating properly.  Another reason to maintain.

Maintaining Host Security Logs.  Security logs are invaluable for verifying whether the host's defenses are operating properly.  Another reason to maintain.
Using Iterators in Reports

Using Iterators in Reports

Similar presentations

Ads by Google