Threat Intelligence + Security Monitoring
Transcript
![Page 1: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/1.jpg)
Threat Intelligence + Security Monitoring
By: Talha Riaz (AESRG lab)
![Page 2: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/2.jpg)
Benefit from Others' Misfortune
Can't Get Ahead of the Threat
The Threat Already Exists
The Idea Is to Know About It as Early as Possible
![Page 3: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/3.jpg)
Shortening the Window
TI Helps to Detect Attacks Earlier
![Page 4: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/4.jpg)
Threat Intelligence Sources
Compromised Devices
Malware Indicators
Reputation
Command and Control Networks
![Page 5: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/5.jpg)
Compromised Devices
Device Communication
![Page 6: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/6.jpg)
Malware Indicators
Malware Analysis
Technical vs. Behavioral Indicators
What It Does vs. What It Looks Like
![Page 7: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/7.jpg)
Reputation
Dynamic List of IP Addresses
Score System
![Page 8: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/8.jpg)
Challenges of Using TI for SM
Integration of Data
Update rules/alerts/reports
Validation
![Page 9: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/9.jpg)
Revisiting Security Monitoring
Phase 1: Plan
Phase 2: Monitor
Phase 3: Action
![Page 10: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/10.jpg)
![Page 11: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/11.jpg)
Phase 1: Plan
Enumerate
Find security, network and server devices.
Scope
Decide which devices are in scope for monitoring.
Develop Policies
Organizational policies (which devices will be monitored and why).
Device and alerting policies (which data will be collected and how often).
![Page 12: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/12.jpg)
Phase 2: Monitor
Collect
Collect alerts and log records based on the policies defined in the Plan phase.
Store
Collected data must be stored for future access, for both compliance and forensics.
Analyze
The collected data is analyzed to identify potential incidents based on the alerting policies defined in Phase 1.
![Page 13: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/13.jpg)
Phase 3: Action
Validate/Investigate
Action/Escalate
After validating a few alerts you can determine whether policies must be changed or tuned. Tuning policies must be a recurring feedback loop rather than a one-time activity.
![Page 14: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/14.jpg)
What Has Changed!
Nowadays, monitoring only for well-defined static attacks will get you killed. Tactics change frequently and malware changes daily.
![Page 15: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/15.jpg)
TI + SM
As you integrate threat intelligence into your security monitoring (SM) process, you can generate more accurate alerts from your security monitoring platform, improving the signal-to-noise ratio because the alerts are based on what is actually happening in the wild.
![Page 16: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/16.jpg)
The New SM Process
Threat Intelligence Integrated with Security Monitoring
![Page 17: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/17.jpg)
![Page 18: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/18.jpg)
Gather Threat Intelligence
Profile Adversaries
Who is most likely to attack you, so you can profile their Tactics, Techniques, and Procedures (TTPs).
Gather Samples
Gather a large amount of data to analyze and define indicators.
Analyze Data and Distill Threat Intelligence
After data aggregation, define the patterns and indicators seen in the wild.
![Page 19: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/19.jpg)
Aggregate Security Data
Same as Simple Security Monitoring
![Page 20: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/20.jpg)
Security Analytics
Automate TI Integration
Baseline Environment
Analyze Security Data (N,C,R,T)
Alert
Prioritize Alerts
Deep Collection for Forensics
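The Reputation slide (a dynamic, scored list of IP addresses) and the Security Analytics slide (automate TI integration, analyze security data, alert, prioritize) describe one pipeline: indicators with scores and timestamps are aged out and deduplicated, log records are matched against them, and each hit becomes an alert whose priority combines the indicator's reputation score with local context. The following Python script is an added example written for this transcript, not code from the presentation or the AESRG lab. The feed format, the key=value log format, the 30-day expiry, the scoring weights, the asset criticality table and every IP, domain and hash value are constructed for the example; real feeds and SIEM schemas differ.

```python
"""Added example: match log records against a scored, aged threat-intelligence
list and prioritise the resulting alerts.  All indicators, log lines and weights
below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed TI feed: (type, value, reputation score 0-100, last_seen, source).
# 198.51.100.23 appears twice (two sources), 203.0.113.7 is stale.
TI_FEED = [
    ("ip",     "198.51.100.23",        90, "2022-05-10", "c2-tracker"),
    ("ip",     "198.51.100.23",        60, "2022-04-01", "old-blocklist"),
    ("ip",     "203.0.113.7",          40, "2022-01-05", "scanner-list"),
    ("domain", "update-check.example", 75, "2022-05-11", "malware-sandbox"),
    ("sha256", "aa" * 32,              95, "2022-05-12", "malware-sandbox"),
]

# Constructed log records (firewall / proxy / endpoint) in key=value form.
LOGS = [
    "2022-05-12T09:01:02Z src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow host=finance-ws01",
    "2022-05-12T09:01:05Z src=10.0.0.9 dst=192.0.2.10 dport=80 action=allow host=dev-ws07",
    "2022-05-12T09:02:11Z src=10.0.0.5 dst=192.0.2.44 dport=443 action=allow host=finance-ws01 domain=update-check.example",
    "2022-05-12T09:03:00Z host=dev-ws07 event=process_start sha256=" + "aa" * 32,
    "2022-05-12T09:04:00Z src=203.0.113.7 dst=10.0.0.1 dport=22 action=deny host=fw01",
]

# Assumed local context from the baseline: bonus priority for critical assets.
ASSET_CRITICALITY = {"finance-ws01": 10, "fw01": 5}
NOW = datetime(2022, 5, 12)          # fixed "now" so the example is reproducible
MAX_AGE_DAYS = 30                    # assumed expiry policy for the dynamic list


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    score: int
    last_seen: datetime
    source: str


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    indicator: Indicator
    matched_field: str
    priority: int


def build_indicator_set(feed, now=NOW, max_age_days=MAX_AGE_DAYS):
    """Turn the raw feed into a dynamic list keyed by (type, value): drop entries
    not seen within max_age_days and keep the highest score for duplicates."""
    cutoff = now - timedelta(days=max_age_days)
    best = {}
    for kind, value, score, last_seen, source in feed:
        ind = Indicator(kind, value, score, datetime.fromisoformat(last_seen), source)
        if ind.last_seen < cutoff:
            continue                    # stale reputation data only adds noise
        key = (kind, value)
        if key not in best or ind.score > best[key].score:
            best[key] = ind
    return best


def parse_log(line):
    """Parse 'timestamp k=v k=v ...' into a dict; the first token is the timestamp."""
    rec = dict(re.findall(r"(\w+)=(\S+)", line))
    rec["ts"] = line.split()[0]
    return rec


# Which log fields are compared against which indicator type.
FIELD_TO_KIND = (("dst", "ip"), ("src", "ip"), ("domain", "domain"), ("sha256", "sha256"))


def match_alerts(logs, indicators, criticality=ASSET_CRITICALITY):
    """Match every record against the indicator set and return alerts sorted by
    priority.  Priority = reputation score, halved if the device already blocked
    the traffic, plus the asset-criticality bonus, capped at 100."""
    alerts = []
    for line in logs:
        rec = parse_log(line)
        for field, kind in FIELD_TO_KIND:
            value = rec.get(field)
            ind = indicators.get((kind, value)) if value else None
            if ind is None:
                continue
            factor = 0.5 if rec.get("action") == "deny" else 1.0
            host = rec.get("host", "?")
            priority = min(100, int(ind.score * factor) + criticality.get(host, 0))
            alerts.append(Alert(rec["ts"], host, ind, field, priority))
    return sorted(alerts, key=lambda a: a.priority, reverse=True)


def run_example():
    """Run the constructed feed and logs through the pipeline."""
    return match_alerts(LOGS, build_indicator_set(TI_FEED))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.priority:3d} {a.ts} {a.host:13s} {a.matched_field}={a.indicator.value[:20]} "
              f"({a.indicator.source}, score {a.indicator.score})")
```

On the constructed data the stale scanner IP never alerts even though it appears in a log line, the two feed entries for the same C2 address collapse into one indicator carrying the higher score, and the three remaining hits are ordered by priority rather than by arrival, which is the difference between a static blocklist and the scored, ageing list the slides describe. Tuning the expiry window and the criticality table is the recurring feedback loop from the Action phase.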
![Page 21: Threat Intelligence + Security Monitoring](https://reader033.vdocuments.us/reader033/viewer/2022051318/58ecb18d1a28ab27618b4669/html5/thumbnails/21.jpg)
Action
Same as Simple Security Monitoring