THE DIAMOND MODEL FOR INTRUSION ANALYSIS: A PRIMER
Andy Pendergast

© 2014 Cyber Squared Inc.

1
BACKGROUND
Why did we make this Diamond thing?
ca. 2006… ZOMG APTz!!!

[Photos: Chris Betz, Sergio]

As a group of analysts, we needed a systematic, repeatable way to:
1. characterize organized threats
2. consistently track them as they evolve
3. sort one from another
4. and then figure out ways to counter them.

CURRENT USAGE
• Cognitive model used by hundreds of Intel, Threat Intel, DFIR analysts
• “Foundational” concepts for emerging cyber ontologies/standards/protocols, e.g. STIX
• Set and Graph theory based model used as the “bones” within systems such as ThreatConnect

DIAMOND 101: EVENTS, EDGES, AND META FEATURES
Events = Diamonds

Each Event is characterized by and requires four Core Features (aka nodes, vertices):
• Adversary: Badguy Persona (email addresses, handles, phone #’s), Network Assets
• Capability: Malware, Exploits, Hacker Tools, Stolen Certs
• Infrastructure: IP Addresses, Domain Names, Email Addresses
• Victim: Personas, Network Assets, Email Addresses

Meta-Features
• Timestamp
• Phase: e.g. Kill-Chain
• Result: Success, Failure, etc.
• Direction: i2v, i2i, a2i, etc.
• Methodology: Class of Activity
• Resources: Necessary elements to carry out the event.

Unknowns and Uncertainty Welcome…

DIAMOND 101: PIVOTING SCENARIO & DEMO
(1) Victim discovers malware: 0606c10388c306f393128237f75e440f
(2) Malware contains C2 domain: info.officelatest[.]com
(3) C2 domain resolves to IP address: 142.91.132.23
(4) Domain WHOIS provides registrant: tommy.bibber1234321@ddd.com

NOTE: I did not limit myself to observables/indicators on my network. I left the victim space in the first pivot to DISCOVER more about the Adversary and his Capabilities and Infrastructure.
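The event structure and the pivot walk from the two slides above, written out as an added example; this is not code from the deck or from ThreatConnect. The indicator values are the ones printed on the pivoting slide; the "victim-host" label, the relation names, the timestamp and the other meta-feature values are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The four core features (vertices) of a Diamond event.
CORE = ("adversary", "capability", "infrastructure", "victim")


@dataclass
class Event:
    """One diamond: four core features plus the meta-features listed on the slide."""
    adversary: Optional[str]
    capability: Optional[str]
    infrastructure: Optional[str]
    victim: Optional[str]
    timestamp: str
    phase: str                 # e.g. a Kill-Chain phase
    result: str                # Success, Failure, ...
    direction: str             # i2v, i2i, a2i, ...
    methodology: str           # class of activity
    resources: List[str] = field(default_factory=list)

    def unknowns(self) -> List[str]:
        """Core features still empty: unknowns and uncertainty are welcome."""
        return [f for f in CORE if getattr(self, f) is None]


# Analyst-asserted relations between observables: (source, relation, target,
# core feature the target belongs to). The indicator values are the ones
# printed on the slide; "victim-host" is a constructed label for the victim.
Edge = Tuple[str, str, str, str]
SLIDE_EDGES: List[Edge] = [
    ("victim-host", "discovered malware", "0606c10388c306f393128237f75e440f", "capability"),
    ("0606c10388c306f393128237f75e440f", "contains C2 domain", "info.officelatest[.]com", "infrastructure"),
    ("info.officelatest[.]com", "resolves to", "142.91.132.23", "infrastructure"),
    ("info.officelatest[.]com", "WHOIS registrant", "tommy.bibber1234321@ddd.com", "adversary"),
]


def pivot(start: str, edges: List[Edge], max_hops: int = 4) -> List[Tuple[int, str, str, str]]:
    """Breadth-first pivot outward from one observable.

    Returns (hop, relation, node, feature) in discovery order; hop is how many
    pivots away from the starting observable each node sits.
    """
    adjacency: Dict[str, List[Edge]] = {}
    for e in edges:
        adjacency.setdefault(e[0], []).append(e)
    seen = {start}
    queue = deque([(start, 0)])
    found: List[Tuple[int, str, str, str]] = []
    while queue:
        node, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for _, relation, target, feature in adjacency.get(node, []):
            if target not in seen:
                seen.add(target)
                found.append((hops + 1, relation, target, feature))
                queue.append((target, hops + 1))
    return found


def event_from_pivot(victim: str, discoveries: List[Tuple[int, str, str, str]]) -> Event:
    """Fold the pivot results into one diamond.

    The first observable found per core feature becomes that vertex, so the
    IP address (found after the domain) is recorded as a resource instead.
    """
    by_feature: Dict[str, str] = {}
    for _, _, node, feature in discoveries:
        by_feature.setdefault(feature, node)
    extra = [node for _, _, node, f in discoveries if by_feature.get(f) != node]
    return Event(
        adversary=by_feature.get("adversary"),
        capability=by_feature.get("capability"),
        infrastructure=by_feature.get("infrastructure"),
        victim=victim,
        timestamp="2014-01-01T00:00:00Z",   # constructed; meta-feature values are assumptions
        phase="C2",
        result="Success",
        direction="i2v",
        methodology="malware beaconing to C2",
        resources=extra,
    )


if __name__ == "__main__":
    path = pivot("victim-host", SLIDE_EDGES)
    for hop, relation, node, feature in path:
        print(f"hop {hop}: {relation:>18} -> {node} [{feature}]")
    print("unknown core features:", event_from_pivot("victim-host", path).unknowns() or "none")
```

The feature tag on each edge is what lets the walk report when it has left the victim space: the first hop lands on a capability, the second on infrastructure, and the third on the adversary vertex, which is the point the slide's note makes about not stopping at your own network's indicators.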

DIAMOND 121: EXTENDED DIAMOND
Social-Political Meta-Feature: A relationship always exists between the adversary and the victim.
Intent: You can use well defined Activity Groups to better understand this relationship and infer Intent.

Technology Meta-Feature: Represents the technology connecting & enabling the capability and infrastructure to operate.
Analyzing underlying technology w/o knowledge of specific infrastructure or capability can reveal malicious activity.

DIAMOND 101: ACTIVITY THREADS
[Figure: Activity Threads for Incident 1, Incident 2, Incident 4 and Incident 33, grouped into Threat 1 and Threat 2]

Working with the Cyber Kill-Chain™: Leveraging the Meta Features allows grouping of events into ordered, causal chains of activity separated by phases.
Vertical Correlation: IR Process of identifying causal events in an Activity Thread.
Directed Arcs allow for “looping” events through phases.
Hypothesis generation is supported (note the dashed-diamond in Incident 2).
Horizontal Correlation: Correlations between Activity Threads (Incidents here) can be made to enable grouping.
DIAMOND 201: CREATING ACTIVITY GROUPS
Activity Group: common/similar malicious events, adversary processes, and threads.
TYPICALLY used initially to identify a common Adversary. But not limited to this.
Some Other Examples:
Trending
Intent Deduction
Adversary Capabilities and Infrastructure
Cross-Capability Identification
Adversary Campaign Knowledge Gap Identification
Automated Mitigation Recommendation
Common Capability Development Deduction
Center of Gravity Identification

DIAMOND 201: CREATING ACTIVITY GROUPS
Steps to Create an Activity Group
1. Define the Problem
2. Feature Selection
3. Create
4. Grow
5. Analysis
6. Redefine

Define the Problem: “I want to define a common adversary behind events and threats using similarities in infrastructure and capabilities.”
Other ways this may manifest:
What makes APT1 activity APT1?
What makes Rocra malware Red October and not someone else?
Does PoisonIvy, PlugX, 9002 = the same APT?

Feature Selection: Define what combination of elements (IPs, Domains, Malware, Processes) are criteria for grouping and select your data set(s) to search for this criteria. Criteria can be confidence weighted.

But watch out Alice… rabbit holes
DIAMOND 201: CREATING ACTIVITY GROUPS
Create: The feature selection you chose can be used cognitively for clustering or it can be applied in a group creation function.

Grow: Once created, the Activity Groups can be grown by iterating the group creation function over newly available data.

DIAMOND 201: CREATING ACTIVITY GROUPS
Analysis: Now that we have a healthy Activity Group, growing as things change, I can fill knowledge gaps and define new problems like:
Trending: How has an adversary’s activity changed over time and what is the current vector to infer future change?
Intent Deduction: What is the intent of the adversary?
Adversary Capabilities and Infrastructure: What is the complete set of observed capabilities and infrastructure of the adversary?
Cross-Capability Identification: Which capabilities have been used by multiple adversaries?
Adversary Campaign Knowledge Gap Identification: What are the organization’s knowledge gaps across an adversary’s campaign?
Automated Mitigation Recommendation: When an event is detected which adversary is behind the event and what action can/should be taken?
Common Capability Development Deduction: Which capabilities show evidence of common authors/developers?
Center of Gravity Identification: Which resources and processes are the most common and critical to an activity and/or campaign?

Or… Redefine: through knowledge learned I may want to go back and revisit my grouping function.
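One way to implement the six steps above (Feature Selection with confidence weights, a group creation function, growing the groups over new data, then two of the Analysis questions and a Redefine), as an added example rather than the deck's own method. The events, the weights, the weighted-overlap score and the grouping threshold are all constructed assumptions; the tool names come from the slide's own question about PoisonIvy and PlugX, and the domains and addresses are reserved example values, not real indicators.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

Event = Dict[str, Set[str]]          # feature class -> observed values
Groups = List[Set[str]]              # each Activity Group is a set of event ids

# Feature Selection with confidence weights (assumed): a shared tool on its own
# is weak evidence of a common adversary because tools are shared between
# actors; tool plus infrastructure together clears the threshold.
FEATURE_WEIGHTS = {"malware": 0.6, "domain": 0.8, "ip": 0.5}
GROUP_THRESHOLD = 1.0

# Constructed events (reserved .example names, TEST-NET addresses), not real IoCs.
INITIAL_EVENTS: Dict[str, Event] = {
    "ev1": {"malware": {"PoisonIvy"}, "domain": {"c2-one.example"}, "ip": {"192.0.2.10"}},
    "ev2": {"malware": {"PoisonIvy"}, "domain": {"c2-one.example"}, "ip": {"192.0.2.11"}},
    "ev3": {"malware": {"PlugX"},     "domain": {"c2-two.example"}, "ip": {"192.0.2.11"}},
    "ev4": {"malware": {"PoisonIvy"}, "domain": {"c2-two.example"}, "ip": {"192.0.2.20"}},
}
# Newly available data for the Grow step (constructed).
NEW_EVENTS: Dict[str, Event] = {
    "ev5": {"malware": {"PlugX"}, "domain": {"c2-two.example"}, "ip": {"192.0.2.20"}},
}


def similarity(a: Event, b: Event, weights=FEATURE_WEIGHTS) -> float:
    """Weighted number of feature values the two events share."""
    return sum(w * len(a.get(k, set()) & b.get(k, set())) for k, w in weights.items())


def create_groups(events: Dict[str, Event], threshold: float = GROUP_THRESHOLD) -> Groups:
    """Create: link event pairs scoring >= threshold, return the connected components."""
    ids = sorted(events)
    links: Dict[str, Set[str]] = {i: set() for i in ids}
    for x in ids:
        for y in ids:
            if x < y and similarity(events[x], events[y]) >= threshold:
                links[x].add(y)
                links[y].add(x)
    groups: Groups = []
    seen: Set[str] = set()
    for i in ids:
        if i in seen:
            continue
        comp, stack = set(), [i]
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(links[n] - comp)
        seen |= comp
        groups.append(comp)
    return groups


def grow_groups(known: Dict[str, Event], new: Dict[str, Event],
                threshold: float = GROUP_THRESHOLD) -> Tuple[Dict[str, Event], Groups]:
    """Grow: iterate the creation function over the known plus newly available data."""
    merged = {**known, **new}
    return merged, create_groups(merged, threshold)


def cross_capabilities(groups: Groups, events: Dict[str, Event]) -> List[str]:
    """Analysis (Cross-Capability Identification): malware seen in more than one group."""
    owners: Dict[str, Set[int]] = {}
    for gi, group in enumerate(groups):
        for ev in group:
            for cap in events[ev].get("malware", set()):
                owners.setdefault(cap, set()).add(gi)
    return sorted(c for c, gs in owners.items() if len(gs) > 1)


def center_of_gravity(group: Set[str], events: Dict[str, Event]) -> Tuple[str, str, int]:
    """Analysis (Center of Gravity): the (class, value, count) most common across a group."""
    counts = Counter((k, v) for ev in group for k, vals in events[ev].items() for v in vals)
    (k, v), n = counts.most_common(1)[0]
    return k, v, n


if __name__ == "__main__":
    print("created:", [sorted(g) for g in create_groups(INITIAL_EVENTS)])
    events, groups = grow_groups(INITIAL_EVENTS, NEW_EVENTS)
    print("grown:  ", [sorted(g) for g in groups])
    print("capabilities shared across groups:", cross_capabilities(groups, events))
    print("center of gravity of the largest group:", center_of_gravity(max(groups, key=len), events))
    # Redefine: a stricter threshold splits the grown group again.
    print("redefined:", [sorted(g) for g in create_groups(events, 1.35)])
```

The rabbit-hole warning from the previous slide shows up here as the threshold: ev5 shares a domain and an IP with ev4 and a tool and a domain with ev3, so growing the data set merges ev3 and ev4 into one group even though they never scored above the threshold with each other. Whether that merge is a real finding or a transitive artefact is exactly the question the Redefine step exists to ask.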
ADVANCED DIAMOND: ACTIVITY-ATTACK GRAPHS FOR MITIGATION
Attack Graphs identify and enumerate paths an adversary could take. They are exhaustive.
Activity Threads define paths an adversary has taken.
If you overlay what could happen with what has happened you get an Activity-Attack Graph.
Key Benefits:
It highlights attacker preferences alongside possible alternative paths.
It enables better Mitigation Strategies by mitigating the current threat while taking into account reactions or alternate adversary tactics.
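The overlay described on this slide, as an added example that is not code from the deck: an exhaustive attack graph of allowed phase-to-phase transitions is laid over the Activity Threads actually observed, so that preferred paths and never-taken alternatives can be read off. The phase names are the Kill Chain phases used on these slides; the per-phase technique lists and the three observed threads are constructed.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

PHASES = ["Recon", "Delivery", "Exploitation", "C2", "Actions on Objectives"]

# Attack graph: per phase, the techniques the adversary could use (constructed).
ATTACK_GRAPH: Dict[str, List[str]] = {
    "Recon": ["open-source recon", "scanning"],
    "Delivery": ["spearphish attachment", "watering hole", "removable media"],
    "Exploitation": ["document exploit", "browser exploit", "macro"],
    "C2": ["HTTP beacon", "DNS tunnel"],
    "Actions on Objectives": ["data staging", "lateral movement"],
}

# Activity Threads: the technique observed in each phase, one thread per incident (constructed).
OBSERVED_THREADS: List[List[str]] = [
    ["open-source recon", "spearphish attachment", "document exploit", "HTTP beacon", "data staging"],
    ["open-source recon", "spearphish attachment", "macro", "HTTP beacon", "lateral movement"],
    ["scanning", "watering hole", "browser exploit", "HTTP beacon", "data staging"],
]

Edge = Tuple[str, str]


def possible_edges(graph=ATTACK_GRAPH, phases=PHASES) -> Set[Edge]:
    """Every transition the attack graph allows between consecutive phases (exhaustive)."""
    edges: Set[Edge] = set()
    for a, b in zip(phases, phases[1:]):
        for x in graph[a]:
            for y in graph[b]:
                edges.add((x, y))
    return edges


def observed_edges(threads=OBSERVED_THREADS) -> Counter:
    """How many threads took each transition: the adversary's demonstrated preferences."""
    counts: Counter = Counter()
    for t in threads:
        counts.update(zip(t, t[1:]))
    return counts


def overlay(graph=ATTACK_GRAPH, threads=OBSERVED_THREADS, phases=PHASES):
    """Activity-Attack Graph: (preferred edges ranked by use, allowed edges never observed).

    A thread using a transition the attack graph does not allow is flagged rather
    than silently counted; that is the cue to extend the attack graph.
    """
    allowed = possible_edges(graph, phases)
    seen = observed_edges(threads)
    unknown = set(seen) - allowed
    if unknown:
        raise ValueError(f"observed transitions not in attack graph: {sorted(unknown)}")
    preferred = sorted(seen.items(), key=lambda kv: (-kv[1], kv[0]))
    untaken = sorted(allowed - set(seen))
    return preferred, untaken


def preferred_technique(phase: str, threads=OBSERVED_THREADS, phases=PHASES) -> Tuple[str, int]:
    """Most used technique in one phase: the first place to spend mitigation effort."""
    idx = phases.index(phase)
    return Counter(t[idx] for t in threads).most_common(1)[0]


def alternatives_if_mitigated(phase: str, technique: str, graph=ATTACK_GRAPH) -> List[str]:
    """Same-phase alternatives the adversary could fall back to once one technique is mitigated."""
    return [t for t in graph[phase] if t != technique]


if __name__ == "__main__":
    preferred, untaken = overlay()
    print("most used transitions:", preferred[:2])
    print("allowed but never seen:", len(untaken), "of", len(possible_edges()))
    tech, n = preferred_technique("C2")
    print(f"C2 preference: {tech} in {n} threads; fallbacks: {alternatives_if_mitigated('C2', tech)}")
```

Every observed thread went through the same C2 technique, which makes it the obvious mitigation target; the attack graph then immediately tells you which alternative the adversary still has in that phase, which is the "reactions or alternate adversary tactics" part of planning the mitigation.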

USE WITH THE CYBER KILL CHAIN™
Highly Complementary, How?
[Figure: Activity-Attack Graph, Single Activity Thread and Activity Group (Victim 1, Victim 2) overlaid on the CYBER KILL CHAIN™ Course of Action Matrix: phases Recon, Delivery, Exploitation, C2, Actions on Objectives against actions Detect, Deny, Disrupt, Degrade, Deceive, Destroy]
CONCLUSIONS
This is just a primer, learn more here:
Sergio’s Summary: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond_summary.pdf
Full Paper: http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf
Full Paper on DTIC: http://www.dtic.mil/get-tr-doc/pdf?AD=ADA586960
Also, look out for an upcoming full SANS CTI Course based on the Diamond and the Kill-Chain.

THANK YOU
Special thanks to Sergio and Chris for being Super Heroes.
Also to the entire Cyber Squared team for their constant support and assistance.

Andy Pendergast, apendergast@threatconnect.com

Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 

The Diamond Model for Intrusion Analysis - Threat Intelligence

  • 1. THE DIAMOND MODEL FOR INTRUSION ANALYSIS: A PRIMER. Andy Pendergast. © 2014 Cyber Squared Inc.
  • 2. BACKGROUND. Why did we make this Diamond thing? ca. 2006… ZOMG APTz!!! (Chris Betz, Serg) As a group of analysts, we needed a systematic, repeatable way to: 1. characterize organized threats; 2. consistently track them as they evolve; 3. sort one from another; 4. and then figure out ways to counter them.
  • 3. CURRENT USAGE • Cognitive model used by hundreds of Intel, Threat Intel, DFIR analysts • “Foundational” concepts for emerging cyber ontologies/standards/protocols, e.g. STIX • Set and Graph theory based model used as the “bones” within systems such as ThreatConnect
  • 4. DIAMOND 101: EVENTS, EDGES, AND META FEATURES. Events = Diamonds. Meta-Features: • Timestamp • Phase: e.g. Kill-Chain • Result: Success, Failure, etc. • Direction: i2v, i2i, a2i, etc. • Methodology: Class of Activity • Resources: Necessary elements to carry out the event. Each Event is characterized by and requires four Core Features (aka nodes, vertices): Adversary • Badguy Persona: email addresses, handles, phone #’s • Network Assets; Capability • Malware • Exploits • Hacker Tools • Stolen Certs; Infrastructure • IP Addresses • Domain Names • Email Addresses; Victim • Personas • Network Assets • Email Addresses. Unknowns and Uncertainty Welcome…
  • 5. DIAMOND 101: PIVOTING SCENARIO & DEMO. NOTE: I did not limit myself to observables/indicators on my network. I left the victim space in the first pivot to DISCOVER more about the Adversary and his Capabilities and Infrastructure. (1) Victim discovers malware: 0606c10388c306f393128237f75e440f. (2) Malware contains C2 domain info.officelatest[.]com. (3) C2 domain resolves to IP address 142.91.132.23. (4) Domain WHOIS provides registrant (tommy.bibber1234321@ddd.com).
  • 6. DIAMOND 121: EXTENDED DIAMOND. Social-Political Meta-Feature: A relationship always exists between the adversary and the victim. Intent: You can use well-defined Activity Groups to better understand this relationship and infer Intent. Technology Meta-Feature: Represents the technology connecting & enabling the capability and infrastructure to operate. Analyzing underlying technology w/o knowledge of specific infrastructure or capability can reveal malicious activity.
  • 7. DIAMOND 101: ACTIVITY THREADS. (Figure: Activity Threads labelled Incident 1 to Incident 4, and Threat 1, Threat 2.) Working with the Cyber Kill-Chain™: Leveraging the Meta Features allows grouping of events into ordered, causal chains of activity separated by phases. Vertical Correlation: IR process of identifying causal events in an Activity Thread. Directed arcs allow for “looping” events through phases. Hypothesis generation is supported (note the dashed diamond in Incident 2). Horizontal Correlation: Correlations between Activity Threads (Incidents here) can be made to enable grouping.
  • 8. DIAMOND 201: CREATING ACTIVITY GROUPS. Activity Group: common/similar malicious events, adversary processes, and threads. TYPICALLY used initially to identify a common Adversary, but not limited to this. Some other examples: • Trending • Intent Deduction • Adversary Capabilities and Infrastructure • Cross-Capability Identification • Adversary Campaign Knowledge Gap Identification • Automated Mitigation Recommendation • Common Capability Development Deduction • Center of Gravity Identification
  • 9. DIAMOND 201: CREATING ACTIVITY GROUPS. Steps to Create an Activity Group: 1. Define the Problem 2. Feature Selection 3. Create 4. Grow 5. Analysis 6. Redefine. Define the Problem: “I want to define a common adversary behind events and threats using similarities in infrastructure and capabilities.” Other ways this may manifest: What makes APT1 activity APT1? What makes Rocra malware Red October and not someone else? Does PoisonIvy, PlugX, 9002 = the same APT? Feature Selection: Define what combination of elements (IPs, Domains, Malware, Processes) are criteria for grouping and select your data set(s) to search for these criteria. Criteria can be confidence weighted. But watch out Alice… rabbit holes.
  • 10. DIAMOND 201: CREATING ACTIVITY GROUPS. Create: The feature selection you chose can be used cognitively for clustering, or it can be applied in a group creation function. Grow: Once created, the Activity Groups can be grown by iterating the group creation function over newly available data.
  • 11. DIAMOND 201: CREATING ACTIVITY GROUPS. Analysis: Now that we have a healthy Activity Group, growing as things change, I can fill knowledge gaps and define new problems like: Trending: How has an adversary’s activity changed over time and what is the current vector to infer future change? Intent Deduction: What is the intent of the adversary? Adversary Capabilities and Infrastructure: What is the complete set of observed capabilities and infrastructure of the adversary? Cross-Capability Identification: Which capabilities have been used by multiple adversaries? Adversary Campaign Knowledge Gap Identification: What are the organization’s knowledge gaps across an adversary’s campaign? Automated Mitigation Recommendation: When an event is detected, which adversary is behind the event and what action can/should be taken? Common Capability Development Deduction: Which capabilities show evidence of common authors/developers? Center of Gravity Identification: Which resources and processes are the most common and critical to an activity and/or campaign? Or… Redefine: through knowledge learned I may want to go back and revisit my grouping function.
  • 12. ADVANCED DIAMOND: ACTIVITY-ATTACK GRAPHS FOR MITIGATION. Attack Graphs identify and enumerate paths an adversary could take. They are exhaustive. Activity Threads define paths an adversary has taken. If you overlay what could happen with what has happened you get an Activity-Attack Graph. Key Benefits: It highlights attacker preferences alongside possible alternative paths. Enables better Mitigation Strategies by mitigating the current threat while taking into account reactions or alternate adversary tactics.
  • 13. USE WITH THE CYBER KILL CHAIN™. Highly Complementary, How? (Figure: an Activity-Attack Graph, a Single Activity Thread or an Activity Group populating the CYBER KILL CHAIN™ Course of Action Matrix; Kill Chain phases Recon, Delivery, Exploitation, C2, Actions on Obj against the courses of action Detect, Deny, Disrupt, Degrade, Deceive, Destroy; shown for Victim 1 and Victim 2.)
  • 14. CONCLUSIONS. This is just a primer, learn more here: Sergio’s Summary: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond_summary.pdf Full Paper: http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf Full Paper on DTIC: http://www.dtic.mil/get-tr-doc/pdf?AD=ADA586960 Also, look out for an upcoming full SANS CTI Course based on the Diamond and the Kill-Chain. THANK YOU. Special thanks to Sergio and Chris for being Super Heroes. Also to the entire Cyber Squared team for their constant support and assistance. Andy Pendergast, apendergast@threatconnect.com
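The six-step procedure on slides 9 to 11 (Define, Feature Selection, Create, Grow, Analysis, Redefine) as an added example, not code from the deck or from ThreatConnect: a confidence-weighted group creation function over constructed events, grown with a newly available event, then queried for one of the slide-11 analysis questions (Center of Gravity). FEATURE_WEIGHTS, THRESHOLD, EVENTS and the function names are assumptions.

```python
# Added example (not from the slides): a minimal "group creation function" for the
# Define -> Feature Selection -> Create -> Grow -> Analysis loop on slides 9-11.
from collections import Counter, defaultdict

# Step 2, Feature Selection: which core-feature elements are grouping criteria and how
# much confidence each one carries (constructed: a shared domain says more than a shared IP).
FEATURE_WEIGHTS = {"domain": 0.9, "malware": 0.8, "email": 0.7, "ip": 0.6}
THRESHOLD = 0.7  # minimum confidence of a shared feature for two events to be linked

# Constructed events: event id -> {feature type -> set of observed values}.
EVENTS = {
    "ev1": {"malware": {"hashA"}, "domain": {"c2.example.test"}, "ip": {"192.0.2.1"}},
    "ev2": {"malware": {"hashB"}, "domain": {"c2.example.test"}, "ip": {"192.0.2.2"}},
    "ev3": {"malware": {"hashC"}, "ip": {"192.0.2.2"}},  # only a weak, IP-based link
    "ev4": {"malware": {"hashB"}, "domain": {"other.example.test"}},
}

def link_confidence(a, b):
    """Confidence that two events belong together: the best weight among the
    criteria they share, or 0.0 when they share nothing."""
    return max((w for f, w in FEATURE_WEIGHTS.items()
                if a.get(f, set()) & b.get(f, set())), default=0.0)

def create_groups(events, threshold=THRESHOLD):
    """Step 3, Create: union-find clustering of events whose pairwise link
    confidence meets the threshold. Returns a sorted list of event-id sets."""
    parent = {e: e for e in events}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    ids = list(events)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if link_confidence(events[a], events[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = defaultdict(set)
    for e in ids:
        groups[find(e)].add(e)
    return sorted(groups.values(), key=sorted)

def grow(events, new_events, threshold=THRESHOLD):
    """Step 4, Grow: re-run the creation function over old plus new data; a new
    event can bridge groups that were previously separate."""
    return create_groups({**events, **new_events}, threshold)

def center_of_gravity(events, group):
    """Step 5, Analysis (Center of Gravity): the (feature, value) pairs that occur in
    the most events of a group, with that count. Ties are returned together, sorted."""
    counts = Counter((f, v) for e in sorted(group) for f, vals in events[e].items()
                     for v in vals)
    top = max(counts.values())
    return top, sorted(k for k, c in counts.items() if c == top)
```

With the constructed data, ev3 stays outside the first group because its only link (a shared IP at weight 0.6) is under the threshold; the grown data set bridges it, which is the Redefine moment where an analyst re-examines the grouping function.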

Editor's Notes

  1. We needed a way to systematically characterize organized threats, consistently track them as they evolve, sort one from another, and then figure out ways to counter them. This doesn’t just work on APT.
  2. Meta Features are very important for describing the relationships between events, esp. in activity threads (incidents). The model accepts unknowns and uncertainty. Uncertainty will be represented as knowledge gaps. Pivoting provides a way to discover unknowns. Uncertainty is allowed through confidence rating of each Edge and each Meta-Feature within the Event. This allows for knowledge gaps that can be addressed with hypothesis generation to attempt to fill the gaps, or activity groupings that group similar activity so that inferences can be made.
  3. Live TC Demo as I move through the pivots… The Diamond model provides a powerful framework for Analytic Pivoting in the course of analysis. It is typically the first, and one of the most powerful, applications analysts will use. It is actually how the Diamond was discovered. Adversaries could be tracked as they change/evolve their infrastructure and capabilities if at least one node of its grouped/clustered set of associated nodes (or associated methodologies/sub-graphs) In this pivoting scenario, the Diamond shown should be seen as a sort of “Hyper-Diamond”, as it is a set of grouped events, e.g. an Activity Group, vs a single event, for simplification.
  4. Understanding the Social-Political axis can allow you to predict attack targets and motivations. It can also allow you to make yourself a less attractive target.
  5. Purple lines represent arcs correlating similar or identical nodes across activity threads/events (Horizontal Correlation). Blue lines are arcs/directed edges representing a sequenced, causal relationship between events in an activity thread (Vertical Correlation). Incident 2 has some unknowns and allows for hypothesis creation. Hypothesis generation and testing:
  6. Don’t stick on this slide too long other than to point out there are really cool things you can do with machine learning/automated actions based on rules that fire on indicators grouped in a given activity group. This is like Amazon, except with defensive action vs shopping; your APT gets a custom experience with your defenses based on your knowledge of their past behavior.
  7. Feature selection is still an informed art as much as it is a science, and is why experience is valuable and data scientists get paid so much. You will go down rabbit holes. Learn from it and crawl back out. Intrusion Set Quiz: If I say there is a group that tends to be the first observed in the wild with the latest 0-day, drop PI, shift to Hydraq/9002 once they gain access, move laterally to target network admin types and then shift to logging in legitimately via stolen VPN creds to conduct action on objective, what group am I talking about? If I say there is a group who appears to originate out of Shanghai, uses a variety of base64/mod-base64 encoded C2 messages on third-party websites, who am I talking about? Some more…
  8. These look familiar, right?
  9. A single Activity Thread, the set of Activity Threads from an Activity Group, or, most comprehensively, an Activity-Attack Graph can be used to populate the KILL CHAIN CoA Matrix. Activity Groups with capabilities and infrastructure can better represent the limits of those capabilities for CoA consideration. They can also be weighted in terms of the observed favored usage or tendency of usage by the adversary for the same purpose.
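The pivoting scenario from slide 5, combined with the per-edge confidence rating that note 2 describes, as an added example that is not part of the deck: the four observables are the ones on slide 5 (defanged as shown there), while the edge confidences, the `min_conf` threshold and the function names are assumptions. It also generalizes the slide's single forward walk: edges are traversed in both directions, so the same code pivots from a registrant back towards capabilities.

```python
# Added example (not from the deck): the slide-5 pivot chain walked as a graph whose
# edges carry a confidence rating, as the speaker notes describe for each Edge.
from collections import defaultdict, deque

# Observable -> core feature it belongs to (values taken from slide 5).
NODES = {
    "0606c10388c306f393128237f75e440f": "capability",     # (1) malware the victim found
    "info.officelatest[.]com": "infrastructure",          # (2) C2 domain in the malware
    "142.91.132.23": "infrastructure",                    # (3) IP the domain resolves to
    "tommy.bibber1234321@ddd.com": "adversary",           # (4) WHOIS registrant
}

# (source, target, confidence, how the relationship was established). Confidences are
# constructed: a hard-coded C2 domain is a stronger link than a WHOIS registrant record.
EDGES = [
    ("0606c10388c306f393128237f75e440f", "info.officelatest[.]com", 0.95, "malware config"),
    ("info.officelatest[.]com", "142.91.132.23", 0.80, "DNS resolution"),
    ("info.officelatest[.]com", "tommy.bibber1234321@ddd.com", 0.40, "domain WHOIS"),
]

def pivot(start, edges=EDGES, nodes=NODES, min_conf=0.5):
    """Pivot outward from one observable. Edges are walked in both directions (a pivot
    may go infrastructure -> adversary or back). A reached node's confidence is the
    product of edge confidences along its best path; below min_conf it is recorded as
    a hypothesis (a knowledge gap still to be filled) rather than a confirmed node."""
    adj = defaultdict(list)
    for s, t, c, how in edges:
        adj[s].append((t, c, how))
        adj[t].append((s, c, how))
    best = {start: (1.0, [start], None)}  # node -> (confidence, path, last edge's method)
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        conf, path, _ = best[cur]
        for nxt, c, how in adj[cur]:
            if nxt not in best or conf * c > best[nxt][0]:
                best[nxt] = (conf * c, path + [nxt], how)
                queue.append(nxt)
    return {
        n: {"feature": nodes.get(n, "unknown"),
            "confidence": round(conf, 3),
            "status": "confirmed" if conf >= min_conf else "hypothesis",
            "via": how,
            "path": path}
        for n, (conf, path, how) in best.items()
    }

def knowledge_gaps(result):
    """Nodes the pivot reached only as hypotheses, i.e. where more evidence is needed."""
    return sorted(n for n, r in result.items() if r["status"] == "hypothesis")
```

Starting from the malware hash, the registrant is reached only at 0.38 and is flagged as a hypothesis; starting from the registrant, every other node inherits that weak WHOIS edge, which is exactly why the slide warns about leaving the victim space on a single pivot.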