Threat Intelligence + Security Monitoring, by Talha Riaz (AESRG lab)


Page 1: Threat Intelligence + Security Monitoring

Threat Intelligence + Security Monitoring

By: Talha Riaz (AESRG lab)

Page 2

Benefit from others' misfortune

You can't get ahead of the threat

The threat already exists

The idea is to know about it as early as possible

Page 3

Shortening the Window

TI helps to detect attacks earlier

Page 4

Threat Intelligence Sources

Compromised Devices

Malware Indicators

Reputation

Command and Control Networks

Page 5

Compromised Devices

Device Communication

Page 6

Malware Indicators

Malware Analysis

Technical and behavioral indicators

What it does vs. what it looks like

Page 7

Reputation

Dynamic list of IP addresses

Scoring system

Page 8

Challenges of Using TI for SM

Integration of data

Updating rules, alerts and reports

Validation

Page 9

Revisiting Security Monitoring

Phase 1: Plan

Phase 2: Monitor

Phase 3: Action

Page 10

Page 11

Phase 1: Plan

Enumerate: find security, network and server devices

Scope: decide which devices are in scope for monitoring

Develop policies:

Organizational policies (which devices will be monitored and why)

Device and alerting policies (which data will be collected and how often)

Page 12

Phase 2: Monitor

Collect: collect alerts and log records based on the policies defined in the Plan phase.

Store: collected data must be stored for future access, for both compliance and forensics.

Analyze: the collected data is analyzed to identify potential incidents based on the alerting policies defined in Phase 1.

Page 13

Phase 3: Action

Validate / Investigate

Act / Escalate

After validating a few alerts you can determine whether policies must be changed or tuned. Tuning policies must be a recurring feedback loop rather than a one-time activity.
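Pages 11 to 13 describe one procedure: Plan (scope and policies), Monitor (collect, store, analyze against the alerting policies) and Action (validate, then tune the policies in a feedback loop). The following is an added example, not code from the slides or from the AESRG lab, that runs that loop end to end on constructed data: a per-device policy table from the Plan phase, raw log records filtered and analyzed in the Monitor phase, and analyst verdicts that feed back into the thresholds in the Action phase. The policy fields, the record layout and the tuning rule (double a rule's threshold once it has produced mostly false positives over at least three verdicts) are assumptions made for the example.

```python
import copy
from collections import Counter, defaultdict

# Plan phase (constructed): which devices are in scope, which event types are collected
# from each, and which types raise an alert once they repeat min_count times from one source.
DEVICE_POLICY = {
    "fw-edge":   {"in_scope": True,  "collect": {"deny", "allow"}, "alert_on": {"deny"},      "min_count": 5},
    "web01":     {"in_scope": True,  "collect": {"auth_fail"},     "alert_on": {"auth_fail"}, "min_count": 3},
    "printer-3": {"in_scope": False, "collect": set(),             "alert_on": set(),         "min_count": 0},
}

# Monitor phase input (constructed): (device, event_type, source) records as they arrive.
RAW_RECORDS = (
    [("fw-edge", "deny", "203.0.113.9")] * 6
    + [("fw-edge", "allow", "10.1.2.3")]
    + [("web01", "auth_fail", "198.51.100.20")] * 3
    + [("web01", "auth_fail", "10.1.2.8")]
    + [("printer-3", "deny", "10.1.2.9")]          # out of scope, must be dropped
)

# Action phase input (constructed): analyst verdicts on earlier alerts from each rule.
VERDICTS = [
    ("web01", "auth_fail", "false_positive"),
    ("web01", "auth_fail", "false_positive"),
    ("web01", "auth_fail", "false_positive"),
    ("web01", "auth_fail", "true_positive"),
    ("fw-edge", "deny", "true_positive"),
    ("fw-edge", "deny", "true_positive"),
]


def collect(records, policy):
    """Monitor/Collect: keep only records from in-scope devices and of collected event types."""
    kept = []
    for device, etype, src in records:
        p = policy.get(device)
        if p and p["in_scope"] and etype in p["collect"]:
            kept.append((device, etype, src))
    return kept


def analyze(collected, policy):
    """Monitor/Analyze: alert when an alert_on event type repeats min_count times from one source."""
    counts = Counter(collected)
    alerts = []
    for (device, etype, src), n in counts.items():
        p = policy[device]
        if etype in p["alert_on"] and n >= p["min_count"]:
            alerts.append({"device": device, "type": etype, "src": src, "count": n})
    return alerts


def tune(policy, verdicts, min_samples=3, max_fp_rate=0.5):
    """Action/Tune: where a rule has produced mostly false positives, raise its threshold.

    Rules with fewer than min_samples verdicts are left alone; the policy is copied,
    not edited in place, so the previous version stays available for comparison."""
    stats = defaultdict(lambda: {"tp": 0, "fp": 0})
    for device, etype, verdict in verdicts:
        stats[(device, etype)]["tp" if verdict == "true_positive" else "fp"] += 1
    new_policy = copy.deepcopy(policy)
    for (device, etype), s in stats.items():
        n = s["tp"] + s["fp"]
        if n >= min_samples and s["fp"] / n > max_fp_rate:
            new_policy[device]["min_count"] *= 2
    return new_policy


def run():
    """One pass through Plan -> Monitor -> Action, returning each stage's result."""
    collected = collect(RAW_RECORDS, DEVICE_POLICY)
    alerts = analyze(collected, DEVICE_POLICY)
    tuned = tune(DEVICE_POLICY, VERDICTS)
    return collected, alerts, tuned


if __name__ == "__main__":
    collected, alerts, tuned = run()
    print(len(collected), "records kept;", len(alerts), "alerts before tuning")
    print(len(analyze(collected, tuned)), "alerts with the tuned policy")
```

Running the same collected records through the tuned policy shows the loop closing: the web01 authentication-failure rule, which analysts marked as mostly noise, now needs twice as many events before it alerts, while the firewall rule with only true positives is unchanged.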

Page 14

What has changed!

Nowadays, monitoring only for well-defined static attacks will get you killed. Tactics change frequently and malware changes daily.

Page 15

TI + SM

As you integrate threat intelligence into your security monitoring (SM) process, you can generate more accurate alerts from your security monitoring platform, improving the signal-to-noise ratio because the alerts are based on what is actually happening in the wild.

Page 16

The New SM Process

Threat intelligence integrated with security monitoring

Page 17

Page 18

Gather Threat Intelligence

Profile adversaries: who is most likely to attack you, so you can profile their tactics, techniques and procedures.

Gather samples: gather a large amount of data to analyze and define indicators.

Analyze data and distill threat intelligence: after data aggregation, define the patterns and indicators seen in the wild.

Page 19

Aggregate Security Data

Same as in simple security monitoring

Page 20

Security Analytics

Automate TI integration

Baseline the environment

Analyze security data (N,C,R,T)

Alert

Prioritize alerts

Deep collection for forensics
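The Security Analytics slide lists baselining the environment, analyzing the security data, alerting, prioritizing alerts and deep collection for forensics as one chain. The following is an added example, not code from the slides or from the AESRG lab, that shows how those steps fit together on constructed data: a baseline of which destinations each host normally talks to, live events checked against that baseline and against already-validated TI reputation scores, a priority that combines the reputation score with the asset's criticality and with novelty, and a flag that marks the top alerts for deeper collection. The priority formula, the criticality scale and the deep-collection threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed learning window: (src_host, dst) pairs seen during a quiet period.
BASELINE_EVENTS = [
    ("web01", "93.184.216.34"), ("web01", "93.184.216.34"),
    ("db01", "10.1.0.20"), ("hr-laptop", "93.184.216.34"),
]

# Constructed live events to analyze.
LIVE_EVENTS = [
    ("web01", "93.184.216.34"),     # in baseline, no reputation hit: normal
    ("db01", "198.51.100.7"),       # reputation hit, never seen before, critical asset
    ("hr-laptop", "203.0.113.42"),  # reputation hit, new destination, ordinary asset
    ("web01", "192.0.2.99"),        # new destination, no reputation hit
]

# Constructed reputation scores (0-100), assumed already validated by the TI integration step.
TI_SCORES = {"198.51.100.7": 90, "203.0.113.42": 70}

# Constructed asset criticality (1-5) from the Plan-phase inventory.
ASSET_CRITICALITY = {"db01": 5, "web01": 4, "hr-laptop": 2}

DEEP_COLLECT_AT = 100   # assumed threshold above which an alert triggers deep collection


def build_baseline(events):
    """Baseline the environment: the set of destinations each host is known to talk to."""
    baseline = defaultdict(set)
    for src, dst in events:
        baseline[src].add(dst)
    return baseline


def analyze(events, baseline, ti_scores, criticality):
    """Analyze live events, alert on reputation hits or deviations from the baseline,
    and return the alerts ordered by priority (highest first)."""
    alerts = []
    for src, dst in events:
        ti = ti_scores.get(dst, 0)
        novel = dst not in baseline.get(src, set())
        if not ti and not novel:
            continue  # seen before and no reputation hit: nothing to alert on
        # Priority (assumed formula): reputation score scaled by asset criticality,
        # plus a fixed bonus when the destination has never been seen from this host.
        priority = ti * criticality.get(src, 1) / 5 + (20 if novel else 0)
        reasons = []
        if ti:
            reasons.append(f"destination reputation score {ti}")
        if novel:
            reasons.append("destination not in baseline for this host")
        alerts.append({
            "src": src,
            "dst": dst,
            "priority": round(priority),
            "reasons": reasons,
            "deep_collect": priority >= DEEP_COLLECT_AT,
        })
    alerts.sort(key=lambda a: a["priority"], reverse=True)
    return alerts


def run():
    """Build the baseline, then analyze the live events against it and the TI scores."""
    baseline = build_baseline(BASELINE_EVENTS)
    return analyze(LIVE_EVENTS, baseline, TI_SCORES, ASSET_CRITICALITY)


if __name__ == "__main__":
    for alert in run():
        print(alert["priority"], alert["src"], "->", alert["dst"], alert["reasons"],
              "deep collection" if alert["deep_collect"] else "")
```

The ordering is the point: the same reputation hit ranks very differently on a critical database host that has never talked to that address than on an ordinary laptop, and a new destination with no reputation hit still surfaces, just at the bottom of the queue rather than being lost in it.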

Page 21

Action

Same as in simple security monitoring