Standardized Threat Indicators Indicator Export Adversary Analysis (Pivoting)
Transcript of Standardized Threat Indicators Indicator Export Adversary Analysis (Pivoting)
![Page 1: Standardized Threat Indicators Indicator Export Adversary Analysis (Pivoting)](https://reader036.fdocuments.in/reader036/viewer/2022062501/56815fab550346895dcea59c/html5/thumbnails/1.jpg)
• Standardized Threat Indicators
• Indicator Export
• Adversary Analysis (Pivoting)
• Private and Community Incident Correlation
• ThreatConnect Intelligence Research Team (TCIRT)
• Community Notifications
Slide Sections
• Using Address Indicators with SecurityCenter
• Using File Indicators with SecurityCenter
• Using Host Indicators with SecurityCenter
• Using URL Indicators with SecurityCenter
• Using File Indicators with Nessus
Using Address Indicators with SecurityCenter
• Step 1 – Extract Address Indicators
• Step 2 – Create a Watchlist from Address Indicators
• Step 3 – Filter Events by Watchlist
• Step 4 – (Optional) Create Query for 3D Tool
• Step 5 – Save Asset List of All Addresses
• Step 6 – Perform Audit Analysis Using Asset List
• Step 7 – Perform Event Analysis Using Asset List
• Step 8 – (Optional) Create List of Internal Addresses
• Step 9 – (Optional) Nessus Audit of Internal Addresses
Step 1 – Extract Address Indicators
Step 2 – Create a Watchlist from Address Indicators
Step 3 – Filter Events by Watchlist
Apply the watchlist in both directions: watchlisted address as the source (inbound) and as the destination (outbound).
Step 4 – (Optional) Create Query for 3D Tool
Step 5 – Save Asset List of All Addresses
Step 6 – Perform Audit Analysis Using Asset List
Recommended Reading – Predicting Attack Paths
Step 7 – Perform Event Analysis Using Asset List
Recommended Reading – Tenable Event Correlation
Step 8 – (Optional) Create List of Internal Addresses Only
Step 9 – (Optional) Nessus Audit of Internal Addresses
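The list-preparation work behind Steps 1, 2 and 8 above (extract the address indicators, build a watchlist from all of them, then carve out the internal-only list for the Nessus audit) as an added example in Python. This is not code from the deck, ThreatConnect or Tenable; it assumes the export is plain text with one indicator per line, that watchlists and static asset lists import as one address per line, and that the organisation's own routed public range is the hypothetical `ORG_CIDRS` value. The sample indicators are constructed from documentation address space.

```python
import ipaddress

# Constructed sample: address indicators as pasted from an export, one per
# line, including a duplicate and a malformed entry.
SAMPLE_INDICATORS = """\
203.0.113.45
198.51.100.7
203.0.113.45
10.20.30.40
192.168.1.77
2001:db8::1
not-an-address
172.16.5.9
fd00::5
"""

# Hypothetical: public ranges the organisation itself routes. Anything here
# counts as "internal" for Step 8 even though it is not RFC 1918 space.
ORG_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918, loopback, link-local and IPv6 ULA ranges, spelled out rather than
# relying on ipaddress.is_private, which also flags documentation ranges.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def extract_addresses(text):
    """Unique, valid IP addresses from text, in first-seen order (Step 1).

    Lines that are not a literal IPv4/IPv6 address are skipped; a watchlist
    should not silently carry junk that can never match an event."""
    seen, out = set(), []
    for line in text.splitlines():
        token = line.strip()
        if not token or token.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def is_internal(addr, org_cidrs=ORG_CIDRS):
    """True when addr falls in a local range or in the organisation's own CIDRs."""
    return any(addr in net for net in LOCAL_RANGES + org_cidrs
               if net.version == addr.version)


def partition(addrs, org_cidrs=ORG_CIDRS):
    """Split addresses into (internal, external) lists for Steps 8 and 9."""
    internal = [a for a in addrs if is_internal(a, org_cidrs)]
    external = [a for a in addrs if not is_internal(a, org_cidrs)]
    return internal, external


def to_list_file(addrs):
    """One address per line (assumed watchlist / static asset list import shape)."""
    return "".join(f"{a}\n" for a in addrs)


if __name__ == "__main__":
    addrs = extract_addresses(SAMPLE_INDICATORS)
    internal, external = partition(addrs)
    print("watchlist (Step 2, all addresses):\n" + to_list_file(addrs))
    print("internal-only asset list (Step 8):\n" + to_list_file(internal))
    print("external addresses (watchlist only):\n" + to_list_file(external))
```

The internal/external split is deliberately explicit: Python's `is_private` treats the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges as private, so an indicator list built from the standard library flag alone would misplace any real address in those blocks, and the organisation's own public space is never covered by the RFC 1918 check at all.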
Using File Indicators with SecurityCenter
• Step 1 – Extract Hashes
• Step 2 – Upload Hashes to Scan Policy
• Step 3 – Perform a Scan Using Credentials
• Step 4 – Review Scan Results
• Step 5 – Save Asset List of Infected Hosts
• Step 6 – Perform Audit Analysis Using Asset List
• Step 7 – Perform Event Analysis Using Asset List
• Step 8 – (Optional) Use Asset List with 3D Tool
Step 1 – Extract Hashes
Step 2 – Upload Hashes to Scan Policy
Step 3 – Perform a Scan Using Credentials
Recommended Reading – Nessus Credential Checks for UNIX and Windows
Step 4 – Review Scan Results
Step 5 – Save Asset List of Infected Hosts
Step 6 – Perform Audit Analysis Using Asset List
Recommended Reading – Predicting Attack Paths
Step 7 – Perform Event Analysis Using Asset List
Recommended Reading – Tenable Event Correlation
Step 8 – (Optional) Use Asset List with 3D Tool
Using Host Indicators with SecurityCenter
• Step 1 – Filter Events by Host
• Step 2 – Perform Further Analysis
Recommended Reading – Using Log Correlation Engine to Monitor DNS
Step 1 – Filter Events by Host
Step 2 – Perform Further Analysis
See steps 5 through 9 of “Using Address Indicators with SecurityCenter”.
Filtering by the domain summary event before saving the asset list yields only those hosts that performed a DNS lookup for the host indicator, rather than every host that appears in any event mentioning it.
Using URL Indicators with SecurityCenter
• Step 1 – Divide Host and Location from URL
• Step 2 – Filter Events by Host
• Step 3 – Save Asset List
• Step 4 – Filter Events by Location
• Step 5 – Perform Further Analysis
Step 1 – Divide Host and Location from URL
Step 2 – Filter Events by Host
Use Host in Syslog Text filter
Use web-access in Type filter
Step 3 – Save Asset List
Step 4 – Filter Events by Location
Use Location in Syslog Text filter
Use Asset List in Source Asset filter
Step 5 – Perform Further Analysis
See steps 5 through 9 of “Using Address Indicators with SecurityCenter”.
Steps 1 through 4 produce a second and final asset list for that further analysis. They do perform an intersection, but it is by source host, not by event: a host is kept when it has a web-access event matching the host string and one matching the location string, which need not be the same request. Before saving the list, verify that the URL matched as intended by opening the web-access event details in Step 4.
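Step 1 of this section, the split of each URL indicator into the host string for the Step 2 filter and the location string for the Step 4 filter, as an added example in Python (not code from the deck, ThreatConnect or Tenable). It assumes "location" means path plus query string, that the host filter text should be the bare lower-cased hostname without a port, and that several indicators on one host share a single Step 3 asset list. The sample URLs are constructed under an RFC 2606 example domain and documentation address space.

```python
from urllib.parse import urlsplit

# Constructed sample URL indicators, including forms real exports produce:
# a port, a scheme-less entry, a bare host and a mixed-case host.
SAMPLE_URLS = [
    "http://evil.example.net/gate.php?id=7",
    "https://cdn.evil.example.net:8443/update/payload.bin",
    "evil.example.net/gate.php",
    "http://203.0.113.45/",
    "HTTP://EVIL.EXAMPLE.NET/Gate.PHP",
]


def split_indicator(url):
    """Split a URL indicator into (host, location) for Step 1.

    host: lower-cased hostname without port (hostnames are case-insensitive;
    the port is not part of the host text in a web-access event).
    location: path plus query, kept case-sensitive, or None when the URL has
    nothing beyond "/" and only a host filter is possible."""
    text = url.strip()
    if "://" not in text:
        text = "//" + text  # make urlsplit read the leading token as the netloc
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError(f"no host in URL indicator: {url!r}")
    location = parts.path
    if parts.query:
        location += "?" + parts.query
    return host, (location if location not in ("", "/") else None)


def plan_filters(urls):
    """Group indicators by host (Steps 2 to 4): one host filter and one asset
    list per host, then one location filter per distinct location on it."""
    plan = {}
    for url in urls:
        host, location = split_indicator(url)
        locations = plan.setdefault(host, [])
        if location and location not in locations:
            locations.append(location)
    return plan


if __name__ == "__main__":
    for host, locations in plan_filters(SAMPLE_URLS).items():
        print(f"Step 2: Syslog Text = {host!r}, Type = web-access")
        print(f"Step 3: save source addresses of the matches as the asset list for {host}")
        for loc in locations:
            print(f"Step 4: Syslog Text = {loc!r}, Source Asset = that asset list")
        if not locations:
            print("Step 4: no location to filter on; the host match is the final result")
```

Short locations are substrings of longer ones on the same host (here `/gate.php` is contained in `/gate.php?id=7`), so a Step 4 filter on the shorter string also pulls in the longer one. That is the situation the slide's advice to check the web-access details addresses.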
Using File Indicators with Nessus
• Step 1 – Extract Hashes
• Step 2 – Use Windows Malware Scan Wizard
• Step 3 – Perform Scan and Review Results
Step 1 – Extract Hashes
Step 2 – Use Windows Malware Scan Wizard
Step 3 – Perform Scan and Review Results
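The "Extract Hashes" step that opens both the SecurityCenter file-indicator procedure and this Nessus one, as an added example in Python (not code from the deck, ThreatConnect or Tenable). It sorts a file-indicator export into MD5, SHA-1 and SHA-256 buckets, normalises case, drops duplicates and rejects anything that is not a hash, then renders the list in the shape assumed here for the Nessus custom known-bad hash upload: one hash per line with an optional comma-separated description. Check that format, and which hash algorithms your Nessus version accepts, against its documentation before uploading. The sample export is constructed; its hashes are the well-known digests of the empty input, not real malware.

```python
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample export, "hash,description" per line, with mixed hash
# types, a duplicate differing only in case, and a truncated value.
SAMPLE_EXPORT = """\
d41d8cd98f00b204e9800998ecf8427e,sample-1
D41D8CD98F00B204E9800998ECF8427E,sample-1 again
da39a3ee5e6b4b0d3255bfef95601890afd80709,sample-2
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,sample-3
deadbeef,truncated
"""


def parse_hashes(text):
    """Sort hash indicators by algorithm, lower-cased and de-duplicated.

    Returns ({"md5": [(hash, description), ...], "sha1": [...], "sha256": [...]},
    rejected_lines). A value that is not 32, 40 or 64 hex characters is
    rejected rather than uploaded, since a malformed entry can never match."""
    buckets = {"md5": [], "sha1": [], "sha256": []}
    seen, rejected = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value, _, description = line.partition(",")
        value = value.strip().lower()
        kind = HASH_TYPES.get(len(value))
        if kind is None or not HEX_RE.match(value):
            rejected.append(line)
            continue
        if value in seen:
            continue  # first description wins; later duplicates are dropped
        seen.add(value)
        buckets[kind].append((value, description.strip()))
    return buckets, rejected


def hash_list_file(entries):
    """Render entries as 'hash,description' lines (assumed Nessus hash-list
    format: one hash per line, description optional after a comma)."""
    return "".join(f"{h},{d}\n" if d else f"{h}\n" for h, d in entries)


if __name__ == "__main__":
    buckets, rejected = parse_hashes(SAMPLE_EXPORT)
    for kind, entries in buckets.items():
        print(f"{kind}: {len(entries)} unique")
    print(hash_list_file(buckets["md5"]), end="")
    print("rejected:", rejected)
```

Keeping the algorithms in separate buckets matters because the scan policy setting takes a list for one algorithm at a time; mixing a SHA-256 into an MD5 list does not fail loudly, it simply never matches.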