ThreatConnect

• Standardized Threat Indicators
• Tenable Formatted Indicator Export
• Adversary Analysis (Pivoting)
• Private and Community Incident Correlation
• ThreatConnect Intelligence Research Team (TCIRT)
• Community Notifications
Slide Sections

• Using Address Indicators with SecurityCenter
• Using File Indicators with SecurityCenter
• Using Host Indicators with SecurityCenter
• Using URL Indicators with SecurityCenter
• Using File Indicators with Nessus
Using Address Indicators with SecurityCenter
• Step 1 – Export Address Indicators Using Tenable Format
• Step 2 – Create a Watchlist from Address Indicators
• Step 3 – Filter Events by Watchlist
• Step 4 – (Optional) Create Query for 3D Tool
• Step 5 – Save Asset List of All Addresses
• Step 6 – Perform Audit Analysis Using Asset List
• Step 7 – Perform Event Analysis Using Asset List
• Step 8 – (Optional) Create List of Internal Addresses
• Step 9 – (Optional) Nessus Audit of Internal Addresses
Step 1 – Export Address Indicators Using Tenable Format
Step 2 – Create a Watchlist from Address Indicators
Step 3 – Filter Events by Watchlist
Inbound or outbound.
If there aren’t events after applying filters, there’s no need to continue with further steps.
Step 4 – (Optional) Create Query for 3D Tool
Step 5 – Save Asset List of All Addresses
Step 6 – Perform Audit Analysis Using Asset List
Recommended Reading – Predicting Attack Paths
Step 7 – Perform Event Analysis Using Asset List
Recommended Reading – Tenable Event Correlation
Step 8 – (Optional) Create List of Internal Addresses Only
Step 9 – (Optional) Nessus Audit of Internal Addresses
Using File Indicators with SecurityCenter
• Step 1 – Export Hashes Using Tenable Format
• Step 2 – Upload Hashes to Scan Policy
• Step 3 – Perform a Scan Using Credentials
• Step 4 – Review Scan Results
• Step 5 – Save Asset List of Infected Hosts
• Step 6 – Perform Audit Analysis Using Asset List
• Step 7 – Perform Event Analysis Using Asset List
• Step 8 – (Optional) Use Asset List with 3D Tool
Step 1 – Export Hashes Using Tenable Format
Step 2 – Upload Hashes to Scan Policy
Recommended Reading – Malware Detection and Forensics Scan Configuration
Step 3 – Perform a Scan Using Credentials
Recommended Reading – Nessus Credential Checks for UNIX and Windows
Step 4 – Review Scan Results
If there aren’t infected hosts, there’s no need to continue with further steps.
Step 5 – Save Asset List of Infected Hosts
Step 6 – Perform Audit Analysis Using Asset List
Recommended Reading – Predicting Attack Paths
Step 7 – Perform Event Analysis Using Asset List
Recommended Reading – Tenable Event Correlation
Step 8 – (Optional) Use Asset List with 3D Tool
Using Host Indicators with SecurityCenter
• Step 1 – Filter Events by Host
• Step 2 – Perform Further Analysis
Recommended Reading – Using Log Correlation Engine to Monitor DNS
Step 1 – Filter Events by Host
Step 2 – Perform Further Analysis
See slides for “Using ThreatConnect Address Indicators” steps 5 through 9 if there are events found after applying filters.
Filtering by the domain summary event before saving the asset list gives you a list of only those hosts that performed a DNS lookup for the host indicator.
Using URL Indicators with SecurityCenter
• Step 1 – Divide Host and Location from URL
• Step 2 – Filter Events by Host
• Step 3 – Save Asset List
• Step 4 – Filter Events by Location
• Step 5 – Perform Further Analysis
Step 1 – Divide Host and Location from URL
Step 2 – Filter Events by Host
Use Host in Syslog Text filter.
Use web-access in Type filter.
If there aren’t events after applying filters, there’s no need to continue with further steps.
Step 3 – Save Asset List
Step 4 – Filter Events by Location
Use Location in Syslog Text filter.
Use Asset List in Source Asset filter.
If there aren’t events after applying filters, there’s no need to continue with further steps.
Step 5 – Perform Further Analysis
See slides for “Using ThreatConnect Address Indicators” steps 5 through 9 if there are events found after applying filters.
We will be creating a second and final asset list to use for further analysis. Verify the URL is matched correctly by looking at the web-access details in Step 4: Steps 1 through 4 intersect the host filter with the location filter, but the intersection is by host, not by full URL, so a host that requested the location from a different server can still appear in the results.
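The URL pivot above (split the indicator into host and location, filter web-access events by host, save the matching sources as an asset list, then filter by location restricted to that asset list), as an added example in Python that is not part of the ThreatConnect slides. The event tuples are constructed sample data, and the function names are this example's own, not SecurityCenter's.

```python
from urllib.parse import urlsplit

# Constructed sample LCE-style events: (source_ip, event_type, syslog_text).
EVENTS = [
    ("10.0.0.5",  "web-access", "GET http://bad.example.net/dl/payload.bin 200"),
    ("10.0.0.5",  "web-access", "GET http://bad.example.net/index.html 200"),
    ("10.0.0.9",  "web-access", "GET http://bad.example.net/index.html 200"),
    ("10.0.0.12", "web-access", "GET http://other.example.org/dl/payload.bin 200"),
    ("10.0.0.9",  "dns",        "query bad.example.net A"),  # not web-access, ignored
]


def split_url_indicator(url):
    """Step 1: divide a URL indicator into its host and its location (path plus query)."""
    parts = urlsplit(url)
    location = parts.path or "/"
    if parts.query:
        location += "?" + parts.query
    return parts.hostname.lower(), location


def hosts_with_text(events, needle, event_type="web-access"):
    """Steps 2-3: Syslog Text filter on the host with the web-access Type filter;
    the source addresses that match become the asset list."""
    return {src for src, etype, text in events
            if etype == event_type and needle in text.lower()}


def events_by_location(events, location, asset_list):
    """Step 4: Syslog Text filter on the location, restricted to the Source Asset list."""
    return [(src, text) for src, etype, text in events
            if etype == "web-access" and src in asset_list and location in text]


def pivot_url_indicator(events, url):
    """Run Steps 1-4. Returns (host, location, asset_list, hits).
    An empty asset list or hit list means there is no need to continue."""
    host, location = split_url_indicator(url)
    asset_list = hosts_with_text(events, host)
    if not asset_list:
        return host, location, set(), []
    hits = events_by_location(events, location, asset_list)
    # Note the intersection is by host: 10.0.0.9 is in the asset list (it hit the
    # host) but not in hits (it never requested the location), and 10.0.0.12 is
    # excluded because its request for the location went to a different host.
    return host, location, asset_list, hits
```

The hosts in `hits` are the candidates for the second, final asset list; the gap between `asset_list` and `hits` is exactly what the Step 4 web-access details check is meant to catch.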
Using File Indicators with Nessus
• Step 1 – Export Hashes Using Tenable Format
• Step 2 – Use Windows Malware Scan Wizard
• Step 3 – Perform Scan and Review Results
Step 1 – Export Hashes Using Tenable Format
Step 2 – Use Windows Malware Scan Wizard
Step 3 – Perform Scan and Review Results