Threat Intelligence + Security Monitoring
By: Talha Riaz (AESRG lab)
Benefits from others' misfortune
Can't get ahead of a threat: the threat already exists
The idea is to know about it as early as possible
Shortening the window: TI helps to detect attacks earlier
Threat Intelligence Sources
Compromised Devices
Malware Indicators
Reputation
Command and Control Networks
Compromised Devices
Device communication (e.g. traffic to known command-and-control networks)
Malware Indicators
Derived from malware analysis
Technical and behavioral indicators: what it does vs. what it looks like
Reputation
Dynamic list of IP addresses
Score system
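The three indicator classes above (communication with command-and-control networks, malware file hashes, and a scored, dynamic IP reputation list) are easiest to understand when run against real log records. The block below is an added example, not code from the slides: it matches a few constructed key=value log lines against constructed indicator sets, ages out stale reputation entries so the list stays dynamic, and derives the "compromised devices" class from the device communication it observes.

```python
"""Added example (not from the original slides): matching constructed log lines
against the indicator classes the slides list: known command-and-control
hosts, malware file hashes, and a dynamic IP reputation list with scores.
Every indicator value and log line here is constructed for illustration."""
import re
from datetime import datetime, timedelta

# Constructed indicator sets. In practice these come from a TI feed.
C2_HOSTS = {"203.0.113.45", "198.51.100.7"}  # command-and-control networks
MALWARE_SHA256 = {
    # constructed hash, not a real sample
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
}
# Reputation is a *dynamic* list: each IP carries a score (0-100) and the
# time the feed last confirmed it, so stale entries can be aged out.
REPUTATION = {
    "192.0.2.10": (85, datetime(2024, 1, 10)),  # recently confirmed, high score
    "192.0.2.99": (90, datetime(2023, 6, 1)),   # high score but stale
}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> dict:
    """Pull key=value fields out of a log line (constructed proxy/AV format)."""
    return dict(KV_RE.findall(line))


def reputation_score(ip: str, now: datetime,
                     max_age: timedelta = timedelta(days=30)) -> int:
    """Score for an IP, or 0 if unknown or not confirmed within max_age."""
    entry = REPUTATION.get(ip)
    if entry is None:
        return 0
    score, last_seen = entry
    return 0 if now - last_seen > max_age else score


def match_indicators(line: str, now: datetime, min_reputation: int = 50) -> list:
    """Return (indicator_type, value, score) hits for one log line."""
    fields = parse_kv(line)
    hits = []
    for key in ("src", "dst"):
        ip = fields.get(key)
        if not ip:
            continue
        if ip in C2_HOSTS:
            hits.append(("c2", ip, 100))
        score = reputation_score(ip, now)
        if score >= min_reputation:
            hits.append(("reputation", ip, score))
    digest = fields.get("sha256")
    if digest and digest.lower() in MALWARE_SHA256:
        hits.append(("malware_hash", digest.lower(), 100))
    return hits


def compromised_hosts(lines: list, now: datetime) -> set:
    """Internal hosts that talked to C2 or carried a known-malicious file:
    the 'compromised devices' class, derived from device communication."""
    hosts = set()
    for line in lines:
        fields = parse_kv(line)
        internal = fields.get("src") or fields.get("host")
        kinds = {t for t, _, _ in match_indicators(line, now)}
        if internal and kinds & {"c2", "malware_hash"}:
            hosts.add(internal)
    return hosts


# Constructed log lines in a simple key=value format (not real traffic).
LOGS = [
    "2024-01-15T10:01:02Z proxy src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2024-01-15T10:01:05Z proxy src=10.0.0.6 dst=192.0.2.10 dport=80 action=allow",
    "2024-01-15T10:02:00Z proxy src=10.0.0.7 dst=192.0.2.99 dport=80 action=allow",
    "2024-01-15T10:03:11Z av host=10.0.0.9 sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef verdict=unknown",
    "2024-01-15T10:04:00Z proxy src=10.0.0.8 dst=192.0.2.50 dport=443 action=allow",
]
NOW = datetime(2024, 1, 15)  # evaluation time for aging the reputation list

if __name__ == "__main__":
    for line in LOGS:
        print(match_indicators(line, NOW), "<-", line)
    print("compromised:", compromised_hosts(LOGS, NOW))
```

Note the third line: the destination has a high reputation score, but the feed has not confirmed it for months, so it is aged out and produces no alert. A reputation list that is never aged is the fastest way to bury analysts in false positives; a C2 address or file hash, by contrast, is treated as a hard indicator regardless of age.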
Challenges of Using TI for SM
Integration of Data
Update rules/alerts/reports
Validation
Revisiting Security Monitoring
Phase 1: Plan
Phase 2: Monitor
Phase 3: Action
Phase 1: Plan
Enumerate: find security, network and server devices
Scope: decide which devices are in scope for monitoring
Develop policies:
Organizational policies (which devices will be monitored and why)
Device and alerting policies (which data will be collected and how often)
Phase 2: Monitor
Collect: collect alerts and log records based on the policies defined in the Plan phase.
Store: collected data must be stored for future access, for both compliance and forensics.
Analyze: the collected data is analyzed to identify potential incidents based on the alerting policies defined in Phase 1.
Phase 3: Action
Validate/Investigate
Action/Escalate
After validating a few alerts you can determine whether policies must be changed or tuned. Tuning policies must be a recurring feedback loop rather than a one-time activity.
What Has Changed?
Nowadays, monitoring only for well-defined static attacks will get you killed. Tactics change frequently and malware changes daily.
TI + SM
As you integrate threat intelligence into your security monitoring (SM) process, you can generate more accurate alerts from your security monitoring platform, improving the signal-to-noise ratio because the alerts are based on what is actually happening in the wild.
The New SM Process
Threat Intelligence Integrated with
Security Monitoring
Gather Threat Intelligence
Profile adversaries: who is most likely to attack you, so you can profile their tactics, techniques, and procedures (TTPs).
Gather samples: gather a large amount of data to analyze and define indicators.
Analyze data and distill threat intelligence: after data aggregation, define the patterns and indicators seen in the wild.
Aggregate Security Data
Same as Simple Security Monitoring
Security Analytics
Automate TI Integration
Baseline Environment
Analyze Security Data (N,C,R,T)
Alert
Prioritize Alerts
Deep Collection for forensics
Action
Same as Simple Security Monitoring
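The Security Analytics steps above (baseline the environment, analyze security data, alert, prioritize alerts, deep collection for forensics) are shown end to end in the following added example. It is not code from the slides: the baseline history, asset criticality values, TI destination scores, weighting formula and priority threshold are all constructed assumptions chosen to illustrate the flow, and the events are constructed inputs.

```python
"""Added example (not from the original slides): the Security Analytics steps
as a small pipeline. A per-host baseline of outbound bytes is built from
history, each new event is scored against it (anomaly), weighted with a
threat-intelligence score for the destination and with asset criticality,
and the resulting alerts are prioritized. High-priority alerts are flagged
for deep collection. All data and weights below are constructed assumptions."""
import statistics
from dataclasses import dataclass

# Constructed baseline: daily outbound bytes per internal host over one week.
BASELINE = {
    "10.0.0.5": [1200, 1350, 1100, 1280, 1190, 1300, 1250],
    "10.0.0.6": [50000, 52000, 48000, 51000, 49500, 50500, 50800],
}
# Constructed asset criticality (1 low .. 3 high) and TI scores for destinations.
ASSET_CRITICALITY = {"10.0.0.5": 3, "10.0.0.6": 1}
TI_DST_SCORE = {"203.0.113.45": 100, "192.0.2.10": 85}

Z_THRESHOLD = 3.0              # anomaly alone alerts above this many std devs
DEEP_COLLECTION_PRIORITY = 80  # pull full packet/disk data above this priority


@dataclass
class Alert:
    host: str
    dst: str
    bytes_out: int
    zscore: float
    ti_score: int
    priority: float
    deep_collection: bool


def baseline_stats(host: str):
    """Mean and sample standard deviation of the host's history, or None."""
    samples = BASELINE.get(host)
    if not samples or len(samples) < 2:
        return None
    return statistics.mean(samples), statistics.stdev(samples)


def zscore(host: str, bytes_out: int) -> float:
    """How many standard deviations today's volume sits above the baseline."""
    stats = baseline_stats(host)
    if stats is None:
        return 0.0
    mean, sd = stats
    return (bytes_out - mean) / sd if sd > 0 else 0.0


def evaluate(host: str, dst: str, bytes_out: int):
    """Return an Alert if the event is anomalous or TI-tagged, else None."""
    z = zscore(host, bytes_out)
    ti = TI_DST_SCORE.get(dst, 0)
    if z < Z_THRESHOLD and ti == 0:
        return None                                # within baseline, no TI hit
    anomaly = min(100.0, max(0.0, z) * 10)         # 0..100, saturates at z=10
    asset = ASSET_CRITICALITY.get(host, 1) * 33    # 33 / 66 / 99
    # Constructed weighting: anomaly and TI evidence dominate, asset value tips ties.
    priority = round(0.4 * anomaly + 0.4 * ti + 0.2 * asset, 1)
    return Alert(host, dst, bytes_out, round(z, 2), ti, priority,
                 priority >= DEEP_COLLECTION_PRIORITY)


def prioritize(events):
    """Evaluate every (host, dst, bytes_out) event and sort alerts by priority."""
    alerts = [a for a in (evaluate(*e) for e in events) if a is not None]
    return sorted(alerts, key=lambda a: a.priority, reverse=True)


# Constructed events: (host, destination, bytes sent today).
EVENTS = [
    ("10.0.0.6", "192.0.2.50", 51000),     # normal volume, unknown dst -> no alert
    ("10.0.0.6", "192.0.2.10", 50000),     # normal volume, bad-reputation dst
    ("10.0.0.5", "192.0.2.50", 9000),      # large spike, unknown dst
    ("10.0.0.5", "203.0.113.45", 250000),  # large spike to known C2
]

if __name__ == "__main__":
    for alert in prioritize(EVENTS):
        print(alert)
```

The ordering is the point: a spike from a critical host to a known C2 address sorts first and triggers deep collection, a spike with no TI context sorts second, and a normal-volume connection to a bad-reputation address is kept as a lower-priority alert rather than dropped. Baselines only work when the history is actually representative of the host; a baseline learned during an intrusion will treat the attacker's traffic as normal.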