Hiding in Plain Sight: Protect Against Bad Hashes
Presenters
Dave Meltzer, Chief Research Officer, Tripwire
Dayne Cantu, Sr. Systems Engineer, Federal Team Lead, Tripwire
What Happens When You Receive an IoC?
Guidance For Action: NIST SP 800-150 Draft
Headed Towards Standards
But Not There Yet…
E-mail is the most common source of indicators today
Use Cases for Threat Intelligence
Advanced Malware Identification – Identify advanced threats on high-risk assets through integration with malware analytics services and appliances using sandbox technology
Monitoring for Peer & Community Sourced IoCs – Automate the forensic investigation and proactive monitoring, on high-risk assets, of indicators of compromise sourced from industry peers and community sources
Monitoring for Commercial Threat Intelligence Service IoCs – Automate the forensic investigation and proactive monitoring, on high-risk assets, of indicators of compromise sourced from tailored commercial threat intelligence services
Use Case 1: Monitoring for Commercial Threat Intelligence Services IoCs
[Workflow diagram]
1. New indicators arrive from the Threat Intelligence Provider.
2. Search forensics data for previous existence of the indicator. Start monitoring for the indicator in all new changes.
3. Threat detected!
4. Drive workflow to investigate and remediate the system.
Use Case 2: Monitoring for Peer and Community Sourced IoCs
[Workflow diagram]
1. Indicators feed from local file sources (flat, CSV, etc.).
2. Indicators feed from TAXII servers: Enterprise TAXII Server, Peer TAXII Server, Open Source Intelligence TAXII Server, ISAC Community TAXII Server.
3. Search forensics data for previous existence of the indicator. Start monitoring for the indicator in all new changes.
4. Threat detected!
5. Drive workflow to investigate and remediate the system.
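The step shared by Use Cases 1 and 2 (ingest hash indicators, look back through stored change records for prior existence, then match every new change as it arrives) as an added illustration, not code from the slides or from Tripwire; the change-history records, the CSV indicator file and the IndicatorMonitor class are all constructed here:

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample input, not data from the slides: a hypothetical change-history
# table as a file-integrity monitor would keep it, and a flat CSV indicator file.
CHANGE_HISTORY = [
    {"host": "web01", "path": "/usr/local/bin/svc", "sha256": "aa" * 32, "ts": "2015-04-01T10:00Z"},
    {"host": "db02", "path": "/tmp/.x", "sha256": "bb" * 32, "ts": "2015-04-02T11:30Z"},
    {"host": "web01", "path": "/etc/cron.d/job", "sha256": "cc" * 32, "ts": "2015-04-03T09:15Z"},
]
INDICATOR_CSV = (
    "type,value,source\n"
    f"sha256,{'BB' * 32},peer-isac\n"          # same hash as db02, different case
    f"sha256,{'dd' * 32},commercial-feed\n"
    f"md5,{'ee' * 16},commercial-feed\n"       # not a sha256 indicator, skipped
)


@dataclass
class IndicatorMonitor:
    """Active hash indicators plus the two checks the slide workflow describes."""
    watched: dict = field(default_factory=dict)  # normalized sha256 -> feed source

    def load_csv_indicators(self, text):
        """Step 1: ingest a flat CSV feed; keep sha256 file-hash indicators only."""
        for row in csv.DictReader(io.StringIO(text)):
            if row["type"].strip().lower() == "sha256":
                self.watched[row["value"].strip().lower()] = row["source"].strip()

    def search_history(self, history):
        """Step 2a: search stored change records for prior existence of an indicator."""
        return [rec for rec in history if rec["sha256"].lower() in self.watched]

    def on_change(self, record):
        """Step 2b: check each new change as it arrives; return the match or None."""
        source = self.watched.get(record["sha256"].lower())
        return dict(record, source=source) if source else None


def run_demo():
    """Run both checks over the constructed data; returns (historical hits, live hit)."""
    mon = IndicatorMonitor()
    mon.load_csv_indicators(INDICATOR_CSV)
    past = mon.search_history(CHANGE_HISTORY)
    new_change = {"host": "app03", "path": "/opt/run.bin", "sha256": "DD" * 32, "ts": "2015-04-05T08:00Z"}
    return past, mon.on_change(new_change)


if __name__ == "__main__":
    past, live = run_demo()
    print("historical hits:", past)
    print("live hit:", live)
```

Hash values are normalized to lower case before lookup so that feeds which publish upper-case digests still match the monitor's stored records.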
Use Case 3: Advanced Malware Identification
[Workflow diagram: Tripwire Enterprise Agent, Cloud or Appliance Sandbox Analytics, Next Generation Threat Prevention]
1. New binary found by the Tripwire Enterprise Agent.
2. Send file/hash for analysis to cloud or appliance sandbox analytics.
3. Threat detected!
4. New advanced threat detected.
5. Drive workflow to investigate and remediate the system.
6. Update threat prevention rules in Next Generation Threat Prevention.
7. Real-time blocking of command & control, exfiltration, and further infections.
Tripwire Technology Alliance Partner Ecosystem
Analytics & SIEM
IT Service Management
NERC Alliance Network
Network Security
Platform Partners
Security Community Partners
Identity Management
Threat Intelligence
tripwire.com | @TripwireInc
Thank you