EVERY CRIME LEAVES A TRAIL OF EVIDENCE
D3PAK KUMAR (D3)
DIGITAL FORENSICS | CYBER INTELLIGENCE
DISCLAIMER
Different organisations are subject to different laws and regulations. This resource is for educational and research purposes only. Do not attempt to violate the law with anything contained here. Neither the author of this material, nor anyone else affiliated in any way, is liable for your actions.
Some information is from the internet and some from personal experience; I don't want to hurt anybody ☺
“If you know the enemy and know yourself, you need not fear the result of a hundred battles”
- Sun Tzu
• National Security
• Critical National Infrastructure
• Cyber-Warfare
• Computer Crime
• Organized Crime
• Identity Theft
• Extortion
• Non-State Actors
• Terrorists
• Political Activists
Threat & Threat Agents
Non-Hostile
• Reckless employee
• Untrained employee
• Partners
Hostile
• eCrime
• Nation-state cyber warrior
• Industrial espionage
• …
Intent: Fun, Theft, Disruption, Reputation, Espionage …
Anything likely to cause damage or danger
+
Ability to acquire and apply knowledge and skills
=
Threat Intelligence
Again, What is Threat Intelligence?
Gartner defines threat intelligence as "evidence-based knowledge (e.g., context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets."
– Gartner
TI Sources (diagram): Mail, Metadata, Malware, Phish, Spoof activity, Audit activities, Click trace, GeoIP, Threat indicators, DLP hits, Machine infections -> Information -> Insight/Analysis
Threat Intel Categories
Strategic: Broader trends, typically meant for a non-technical audience
Tactical: Outlines of the tactics, techniques, and procedures of threat actors, for a more technical audience
Operational: Technical details about specific attacks and campaigns
Solution
Integrate with machine learning that connects the dots and provides context on indicators of compromise (IOCs) and the tactics, techniques and procedures (TTPs) of threat actors
Use case examples
• Phishing Detection
• Incident Response Knowledge Base
• Vulnerability Prioritisation
• Fraud Detection
• Forensics RCA (root cause analysis)
• Brand Monitoring
Threat Analysis (lifecycle): Collection -> Processing -> Analysis & Production -> Validation -> Dissemination -> Projection
What am I trying to protect?
• Have you identified your crown jewels and how they are both protected and at risk?
• Do you know who/what you are protecting it from?
• Do you have a plan for protecting your assets from the actors or risks identified?
Operational Information & Intel Feeds
Internally Generated Analysis
• IOC hunters – Vendor
• End Point Protection
• Security Operation
• Vulnerability Management
Information Sharing
• Sectoral – Financial services, public sector
• Geographic – local CERT
• NIS Directive
Organisation Specific
• Your “Organisation” information
• Social media
• Boards
• Dark web
• Customer or organisation phishing campaigns
Generic External
• Open source
• Subscription based - X-Force, Digital Shadows, Deepsight
• Raw e.g. XSS, JSON, TXT
• Indicators of compromise (IOCs)
• Tactics, techniques and procedures (TTPs)
TLP – Traffic Light Protocol
What is TLP?
A set of designations to ensure that sensitive information is shared with the correct audience and that the recipient(s) understand if and how the information can be disseminated.
Who Uses TLP?
US-CERT, public and private sector organizations within: US, Australia, Canada, Finland, France, Germany, Hungary, India, Italy, Japan, Netherlands, New Zealand, Norway, Sweden, Switzerland and the United Kingdom.
Threat Intel Platform (TIP)
Open Source:
• CRITs
• Soltra
• MANTIS
• MISP
• OTX, etc.
PS: Only for educational purposes
For More:
1. https://github.com/hslatman/awesome-threat-intelligence
2. https://www.senki.org/operators-security-toolkit/open-source-threat-intelligence-feeds/
HELK : Enabling Advanced Analytics Capabilities
Hunting ELK (Elasticsearch, Logstash, Kibana) : https://github.com/Cyb3rWard0g/HELK
Kill Chain Analysis
MITRE ATT&CK MATRIX
➢ Task: Identify the Attackers’ Step by Step Process
➢ Goal: Disrupting Attackers’ operations
Recon
▪ Motivation
▪ Preparation
MITRE ATT&CK: Active Scanning; Passive Scanning; Determine Domain & IP Address Space; Analyze Third-Party IT Footprint
Weaponise
▪ Configuration
▪ Packaging
MITRE ATT&CK: Malware; Scripting; Service Execution
Delivery
▪ Mechanism of Delivery
▪ Infection Vector
MITRE ATT&CK: Spearphishing Attachment/Link; Exploit Public-Facing Application; Supply Chain Compromise
Exploitation
▪ Technical or human?
▪ Applications affected
MITRE ATT&CK: Local Job Scheduling; Scripting; Rundll32
Installation
▪ Method & Characteristics
▪ Persistence
▪ Characteristics of change
MITRE ATT&CK: Application Shimming; Hooking; Login Items
C2
▪ Acquiring additional components
▪ Communication between victim & adversary
MITRE ATT&CK: Data Obfuscation; Domain Fronting; Web Service
Actions & Objectives
▪ What the adversary does when they have control of the system
MITRE ATT&CK: Email Collection; Data from Local System/Network Share
USE CASE : IP Theft
o Employee resigned
o Joined new company
o Data theft
o Type of data (pdf, xlsx)
o Browser history cleared
o No data in Recycle Bin
o Formatted USB
✓ Forensics imaging (physical, if required)
✓ Timeline
✓ Machine (laptop/desktop) : user info (SID)
✓ Data recovery (specific data formats)
✓ Mail check (PST, OST, Lotus, etc.)
✓ SIEM/DLP logs (data copied)
✓ Firewall (data uploaded to 3rd-party URL)
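An added example (not from the slides) of how the timeline, SID, SIEM/DLP and firewall checks above can be correlated for one departing employee. The log line format, the SIDs, paths and hosts are all constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample log lines (not real data); SIDs, paths and hosts are placeholders.
LOGS = [
    "2024-03-01T09:12:00Z endpoint sid=S-1-5-21-1111-2222-3333-1001 event=usb_mount volume=E:",
    "2024-03-01T09:14:30Z dlp sid=S-1-5-21-1111-2222-3333-1001 event=file_copy path=C:\\Projects\\roadmap.xlsx dest=E:\\roadmap.xlsx size=2400000",
    "2024-03-01T09:15:02Z dlp sid=S-1-5-21-1111-2222-3333-1001 event=file_copy path=C:\\Projects\\design.pdf dest=E:\\design.pdf size=5100000",
    "2024-03-01T10:00:00Z dlp sid=S-1-5-21-1111-2222-3333-1002 event=file_copy path=C:\\Users\\bob\\notes.txt dest=D:\\notes.txt size=1200",
    "2024-03-01T09:20:11Z firewall sid=S-1-5-21-1111-2222-3333-1001 event=http_post host=upload.example-share.invalid bytes_out=7600000",
    "2024-03-01T17:40:00Z endpoint sid=S-1-5-21-1111-2222-3333-1001 event=browser_history_cleared browser=chrome",
    "2024-03-01T17:45:00Z endpoint sid=S-1-5-21-1111-2222-3333-1001 event=usb_format volume=E:",
]
KV = re.compile(r"(\w+)=(\S+)")
SENSITIVE_EXT = (".pdf", ".xlsx")   # the data formats named in the use case

def parse_line(line):
    """Split 'timestamp source k=v k=v ...' into a dict (hypothetical format)."""
    ts, source, rest = line.split(" ", 2)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    event.update(KV.findall(rest))
    return event

def timeline_for(sid, lines=LOGS):
    """Events attributed to one user SID, in chronological order."""
    events = [parse_line(l) for l in lines]
    return sorted((e for e in events if e.get("sid") == sid), key=lambda e: e["ts"])

def flag_indicators(events):
    """Walk the timeline and return (timestamp, finding) pairs for the checklist items."""
    findings, removable = [], set()
    for e in events:
        kind, when = e["event"], e["ts"].isoformat()
        if kind == "usb_mount":                       # remember which volumes are removable
            removable.add(e["volume"])
        elif kind == "file_copy" and e["dest"][:2] in removable and e["path"].lower().endswith(SENSITIVE_EXT):
            findings.append((when, f"sensitive file copied to removable media: {e['path']}"))
        elif kind == "http_post" and int(e["bytes_out"]) > 1_000_000:
            findings.append((when, f"large upload to third-party host {e['host']} ({e['bytes_out']} bytes)"))
        elif kind == "browser_history_cleared":
            findings.append((when, f"{e['browser']} history cleared"))
        elif kind == "usb_format":
            findings.append((when, f"removable volume {e['volume']} formatted (candidate for carving)"))
    return findings

if __name__ == "__main__":
    for when, what in flag_indicators(timeline_for("S-1-5-21-1111-2222-3333-1001")):
        print(when, what)
```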
QUESTION ANSWER
D3pak@Protonmail.com
Resources :
D3pakblog.wordpress.com
Thank You