Page 1: Operationalizing Threat Intelligence - Hawaiian Telcom
Operationalizing Threat Intelligence
How to Craft a Program and Operationalize Outcomes
Bryan Lee, Palo Alto Networks
Page 2
BRYAN LEE | THREAT RESEARCHER
Expertise in nation-state sponsored activity and security operations
Wide range of experiences within NASA, ranging from real-time monitoring to operational architecture
Page 3
LIFE, THE UNIVERSE, EVERYTHING
Page 4
THE MISSION: PROTECT THE INTERNET
World domination
Make the world a safer place
Page 5
HUNTERS: Experts in hunting and collection of unknown threats
REVERSERS: Experts in complete reverse engineering of malware using code analysis
TOOLS: Responsible for development of tools and mechanisms in support of the team
Page 6
Know yourself, know your enemy, and you shall win a hundred battles without loss
-Sun Tzu, The Art of War
Page 7
What is threat intelligence?
Page 8
Collection, processing, and storing of adversary and organizational data
Provide context to threat indicator data to produce assessments relevant to the organization
Page 9
Understand the adversary
Understand our own environment
Better assess and mitigate risk
Page 10
ARCHITECTURE | PASSIVE DEFENSE | ACTIVE DEFENSE | THREAT INTELLIGENCE | OFFENSE
Source: Robert M. Lee, The Sliding Scale of Security
Page 11
ACTIVE DEFENSE
Countering active threats via monitoring and response
Consumer of threat intelligence
Application of data to threats relevant to the organization
THREAT INTELLIGENCE
Generate data to fill knowledge gaps for threats
Producer of threat intelligence
Assessment of data to produce new information relevant to the organization and adversaries
Page 12
Data: Establish comprehensive internal and external data streams
Automation: Automate collection, processing, and storing of data streams
Humans: Provide access to human analysts for assessment
Page 13
Stage One: Ad-hoc analysis; basic data collection; no automation
Stage Two: Basic framework; mapped data sources; some automation
Stage Three: Documented framework; mapped and vetted sources; full automation; human interdiction available
Page 14
Threat intelligence is not a silver bullet
Page 15
Case study: Sofacy
Page 16
Sofacy
Russian-based, espionage-motivated, multi-year operation
Also known as: Fancy Bear, APT28, Pawn Storm, STRONTIUM, Sednit
Page 17
Associated tools: XTunnel, Azzy, Komplex, Sofacy Carberp, XAgent, XSQWER, DealersChoice
Page 18
DealersChoice
Used phishing attacks targeting multiple industry verticals
Phishing emails contained legitimate-looking Microsoft Word documents
Two versions discovered, both using Flash exploits to install malware
Used a specific registry key native to Microsoft Office to maintain persistence
Page 19
Assess target priorities: Are we amongst the targeted industries?
Understand technological risk: Do we have Flash in our environment? What is our patch level?
Evaluate defensive measures: Are we able to neutralize at multiple stages of the attack life cycle?
Page 20
The Sofacy group, also known as Fancy Bear, APT28, Pawn Storm, STRONTIUM, and Sednit, has recently been discovered using a tool called DealersChoice to target multiple industry verticals via phishing attacks.
DealersChoice appears to be delivered via Microsoft Word documents containing embedded malicious Adobe Flash files. Three users have received these emails.
Our organization currently has 1,250 installations of Adobe Flash, with a 33% patch rate to the current version. Two of the three targeted victims were not patched.
Network perimeter as well as endpoint protections have been deployed.
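The assessment on this slide is produced by joining two data streams the earlier slides call for: the external report (who was targeted, which software the lure exploits, which users received it) and the internal asset inventory (which hosts run that software, at what version). The following is an added illustration of that join, not code from the talk or from Palo Alto Networks. Every host, user, industry and version number in it is constructed, and the "fixed version" threshold is a placeholder rather than any real Flash release.

```python
"""Join an external threat report with an internal software inventory to
produce an exposure assessment (added example; all data below is constructed)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class ThreatReport:
    """The externally sourced side of the join (constructed values)."""
    actor: str
    targeted_industries: frozenset      # industries the report says were phished
    exploited_software: str             # software the lure exploits
    fixed_version: Version              # placeholder: version at which the bug is fixed
    targeted_users: frozenset           # users who received the lure


@dataclass(frozen=True)
class Install:
    """One row of the internal inventory: host, owner, software, version."""
    host: str
    user: str
    software: str
    version: Version


SAMPLE_REPORT = ThreatReport(
    actor="Sofacy",
    targeted_industries=frozenset({"government", "utilities", "defense"}),
    exploited_software="flash",
    fixed_version=parse_version("99.0.0.1"),     # placeholder, not a real release
    targeted_users=frozenset({"alice", "bob", "carol"}),
)

# Constructed inventory: six Flash installs (two patched) plus one unrelated row.
SAMPLE_INVENTORY = [
    Install("ws-01", "alice", "flash", parse_version("99.0.0.1")),
    Install("ws-02", "bob",   "flash", parse_version("98.0.0.5")),
    Install("ws-03", "carol", "flash", parse_version("97.2.0.0")),
    Install("ws-04", "dave",  "flash", parse_version("99.0.0.1")),
    Install("ws-05", "erin",  "flash", parse_version("98.0.0.5")),
    Install("ws-06", "frank", "flash", parse_version("96.0.0.0")),
    Install("ws-07", "grace", "word",  parse_version("16.0.0.0")),
]


def assess(report: ThreatReport, inventory: Iterable[Install], our_industry: str) -> Dict:
    """Answer the three slide questions: are we targeted, how exposed is the
    software estate, and which targeted users are actually at risk."""
    installs = [i for i in inventory if i.software == report.exploited_software]
    patched = [i for i in installs if i.version >= report.fixed_version]
    unpatched_targets = sorted({
        i.user for i in installs
        if i.user in report.targeted_users and i.version < report.fixed_version
    })
    patch_rate = round(len(patched) / len(installs), 2) if installs else 1.0
    return {
        "in_targeted_industry": our_industry in report.targeted_industries,
        "installations": len(installs),
        "patch_rate": patch_rate,
        "targeted_users": len(report.targeted_users),
        "unpatched_targeted_users": unpatched_targets,
    }


def summarize(report: ThreatReport, result: Dict) -> List[str]:
    """Render the assessment as the kind of plain sentences the slide shows."""
    lines = [
        f"{report.actor} has been observed exploiting {report.exploited_software}; "
        f"{result['targeted_users']} of our users received the lure.",
        f"We have {result['installations']} installations of "
        f"{report.exploited_software}, with a {int(result['patch_rate'] * 100)}% "
        f"patch rate to the fixed version.",
    ]
    if result["unpatched_targeted_users"]:
        lines.append(
            f"{len(result['unpatched_targeted_users'])} of the targeted users were "
            f"not patched: {', '.join(result['unpatched_targeted_users'])}."
        )
    if not result["in_targeted_industry"]:
        lines.append("We are not among the industries named in the report.")
    return lines


if __name__ == "__main__":
    outcome = assess(SAMPLE_REPORT, SAMPLE_INVENTORY, "utilities")
    for line in summarize(SAMPLE_REPORT, outcome):
        print(line)
```

The point of the join is that neither stream is an assessment on its own: the report alone says nothing about this organization, and the inventory alone says nothing about who is being targeted. Only the combination yields the "two of three targets unpatched" statement that drives a response decision.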
Page 21
If there is no struggle, there is no progress
-Frederick Douglass
Page 22
Understand the difference: Threat data is not threat intelligence
Get the best talent: Automation alone is not the answer
Some is better than none: Threat intelligence is not all or nothing
Rethink security
The case for intelligence-driven operations
Page 24