Published by Harriet Clarke, modified over 9 years ago
Standardized Threat Indicators

Indicator Export
Adversary Analysis (Pivoting)
Private and Community Incident Correlation
ThreatConnect Intelligence Research Team (TCIRT)
Community Notifications
Slide Sections

Using Address Indicators with SecurityCenter
Using File Indicators with SecurityCenter
Using Host Indicators with SecurityCenter
Using URL Indicators with SecurityCenter
Using File Indicators with Nessus
Using Address Indicators with SecurityCenter

Step 1 – Extract Address Indicators
Step 2 – Create a Watchlist from Address Indicators
Step 3 – Filter Events by Watchlist (inbound or outbound)
Step 4 – (Optional) Create Query for 3D Tool
Step 5 – Save Asset List of All Addresses
Step 6 – Perform Audit Analysis Using Asset List
    Recommended Reading – Predicting Attack Paths
Step 7 – Perform Event Analysis Using Asset List
    Recommended Reading – Tenable Event Correlation
Step 8 – (Optional) Create List of Internal Addresses Only
Step 9 – (Optional) Nessus Audit of Internal Addresses
Using File Indicators with SecurityCenter

Step 1 – Extract Hashes
Step 2 – Upload Hashes to Scan Policy
Step 3 – Perform a Scan Using Credentials
    Recommended Reading – Nessus Credential Checks for UNIX and Windows
Step 4 – Review Scan Results
Step 5 – Save Asset List of Infected Hosts
Step 6 – Perform Audit Analysis Using Asset List
    Recommended Reading – Predicting Attack Paths
Step 7 – Perform Event Analysis Using Asset List
    Recommended Reading – Tenable Event Correlation
Step 8 – (Optional) Use Asset List with 3D Tool
Using Host Indicators with SecurityCenter

Recommended Reading – Using Log Correlation Engine to Monitor DNS

Step 1 – Filter Events by Host
Step 2 – Perform Further Analysis
    See the slides for “Using ThreatConnect Address Indicators”, steps 5 through 9.
    Filtering by the domain summary event before saving the asset list will give you a list of only those hosts that performed a DNS lookup for the host indicator.
Using URL Indicators with SecurityCenter

Step 1 – Divide Host and Location from URL
Step 2 – Filter Events by Host
    Use the Host in the Syslog Text filter.
    Use web-access in the Type filter.
Step 3 – Save Asset List
Step 4 – Filter Events by Location
    Use the Location in the Syslog Text filter.
    Use the Asset List from Step 3 in the Source Asset filter.
Step 5 – Perform Further Analysis
    See the slides for “Using ThreatConnect Address Indicators”, steps 5 through 9.
    We will be creating a second and final asset list to use for further analysis.
    Verify that the URL is matched correctly by looking at the web-access details in Step 4.
    Steps 1 through 4 perform an intersection; however, the intersection is by host, not by individual request.
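The URL workflow above (split the indicator, build an asset list of hosts that contacted the indicator host, then filter that asset list's events by location) is modelled below as an added example; it is not code from the deck or from ThreatConnect or Tenable. The events, the indicator and the helper names are constructed placeholders. It also shows why the caveat matters: a per-asset intersection can flag a host that contacted the indicator host and separately requested the same path elsewhere, which a per-request check would not.

```python
from urllib.parse import urlsplit

# Constructed URL indicator (placeholder, not a real IoC)
URL_INDICATOR = "http://c2.example.test/update/check.php?id=1"

# Constructed web-access events: (source asset, destination host, request location)
WEB_ACCESS_EVENTS = [
    ("10.0.0.5", "c2.example.test", "/update/check.php?id=1"),     # true match
    ("10.0.0.5", "c2.example.test", "/favicon.ico"),
    ("10.0.0.7", "c2.example.test", "/index.html"),                # contacted host only
    ("10.0.0.7", "other.example.test", "/update/check.php?id=1"),  # same path, other host
    ("10.0.0.9", "other.example.test", "/update/check.php?id=1"),  # never touched host
]


def split_indicator(url):
    """Step 1: divide the URL indicator into host and location."""
    parts = urlsplit(url)
    location = parts.path or "/"
    if parts.query:
        location += "?" + parts.query
    return parts.hostname.lower(), location


def intersect_by_asset(events, url):
    """Steps 2-4 as performed in SecurityCenter: save an asset list of
    sources that contacted the host, then keep events from that asset
    list whose text contains the location. The join is per asset."""
    host, location = split_indicator(url)
    asset_list = {src for src, dst, _ in events if dst == host}   # steps 2-3
    return {src for src, _, loc in events                         # step 4
            if src in asset_list and location in loc}


def match_by_event(events, url):
    """Stricter check: host and location must occur in the same request."""
    host, location = split_indicator(url)
    return {src for src, dst, loc in events if dst == host and location in loc}


if __name__ == "__main__":
    # Asset 10.0.0.7 appears only in the per-asset result; verify it in the
    # web-access details (Step 4) before treating it as a hit.
    print("by asset :", sorted(intersect_by_asset(WEB_ACCESS_EVENTS, URL_INDICATOR)))
    print("by event :", sorted(match_by_event(WEB_ACCESS_EVENTS, URL_INDICATOR)))
```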
Using File Indicators with Nessus

Step 1 – Extract Hashes
Step 2 – Use Windows Malware Scan Wizard
Step 3 – Perform Scan and Review Results