from 0 to hero
play

From 0 to Hero Actionable Threat Intelligence Raffaele Di Taranto - PowerPoint PPT Presentation

Nov 17, 2023 •432 likes •873 views

From 0 to Hero Actionable Threat Intelligence Raffaele Di Taranto Vito Lucatorto Our Journey in CTI : Problems & Solutions in Critical Infrastructure Vito Lucatorto Cyber Security Engineer @ FS Holding Experience in Banking

  1. From 0 to Hero Actionable Threat Intelligence Raffaele Di Taranto – Vito Lucatorto Our Journey in CTI : Problems & Solutions in Critical Infrastructure

  2. Vito Lucatorto • Cyber Security Engineer @ FS Holding • Experience in Banking companies • Passionate about Threat Intelligence, APT and Aviation World • Hunter about new cyber defense and cyber attack techniques • Watchwords: Automate all, be curious, cooperate vitolucatorto@gmail.com https://www.linkedin.com/in/vlucatorto/ 1/41

  3. Raffaele Di Taranto • Cyber Security Engineer @ FS Holding • MSc Computer Eng @ Turin Politecnico • Experience in Defence companies • In love with Cyber Security • OffSec 4 fun and study: OSCP, ECPPT • Watchwords: explore cyber at 360°, go deeper in securing architectures, monitor and automate where possible raf.ditaranto@gmail.com https://www.linkedin.com/in/rditaranto/ 2/41

  4. Threat Intelligence: what is it? Context Informed decisions Tactics Knowledge of the «threat» Attack prevention Resources 3/41

  5. Threat Intelligence Idea How our friends see us How society see us Just to be clear … this is our myth How we see ourselves 4/41

  6. Threat Intelligence as a Process Hypotesis Feedback Collect Dissemination Processing Analysis 5/41

  7. Operational Threat Intelligence Ongoing cyberattacks, events and campaigns Incident response teams insights on attacks Speed up processes and make informed decisions 6/41

  8. Operational Threat Intelligence Output Indicators of Compromise (IoC) 7/41

  9. Operational Threat Intelligence Output • Indicators of Compromise represents technical « clues » Financial Data IP address of the presence of a malicious actor URL Domain • More reliable are the clues, Certificate less waste of time in security monitoring Email src Filename Email subject MD5 • Contextualize the data SHA1 SHA256 8/41

  10. Operational Threat Intelligence in SOC RTSM Team TI IR SDM Team Team Team MA Team 9/41

  11. Bla bla bla … Where Is the experience? 10/41

  12. Our Big Farm >83.000 Employees >15 Companies >106.182 Monitored IoCs Dati aggiornati al 08/07/2020 11/41

  13. Tons of IoC… Manual Malware Analysis Team PREVENTION Manual Threat Hunting TECHNOLOGIES Team Manual Closint Feed THREAT INTELLIGENCE PLATFORM 12/41

  14. Grow UP! Defend the companies Give value at single IoC Avoid false positives Improve Incident Response Automate and define all processes 13/41

  15. Mind the Gap • IoC produced by various Teams not standardized 3 • Taxonomies not unified • No IoC decay 1 • IoC prevented not harmonical neither automatic • False positive management only in post-detection phase 5 GAP 4 • Basic TIP with SIEM integration • IoC enrichment not present 0 • Manual IoC distribution process 2 14/41

  16. Choose a Threat Intelligence Platform 3 MISP 1 5 GAP 4 0 2 15/41

  17. Choose a Threat Intelligence Platform PRO + Various data import modes + Tag management + Organizations management + API Availability + IoC Decay feature + Sighthing + Whitlisting Support but NO SLA - Time-consuming customizations - Experimental 3° parties integrations - MISP CONS 16/41

  18. Improve the FORCE 3 MISP 1 5 GAP 4 0 FORCE 2 17/41

  19. Improve the FORCE • Automatic Massive import development differentiated by organization and operating group • Historical Search into Siem • Whitelist-based detection for false positives avoidance • Automatic tag system based on fixed variables or natural language • IoC Enrichment FORCE 18/41

  20. Improve the FORCE - Big Brain at Work IR MA Team Team Upload Check Whitelist Malware Team 4 Upload 3 SOC Team Upload Threat Hunting Team 1 2 19/41

  21. Improve the FORCE - Example of Whitelisting IR MA Team Team Check Whitelist 4 REST API google.ae TO_IDS = FALSE TO_IDS = TRUE 20/41

  22. Improve the FORCE - Big Brain at Work IR MA Team Team Upload IoC Enrichment Check Whitelist Malware Analyst 5 Team 4 Automatic Tag 6 Upload 3 SOC Team Upload Threat Hunting Team 1 2 21/41

  23. Improve the FORCE - Example of Automatic Tag Automatic Tag 6 URSNIF APT28 22/41

  24. Improve the FORCE - Big Brain at Work IR MA Team Team Upload IoC Enrichment Check Whitelist Malware Analyst 5 Team 4 Automatic Tag 6 Upload 3 SOC Team 7 9 8 Upload Threat Hunting SOC Team Team Malware 1 2 Playground 23/41

  25. Improve the FORCE - Example of Share knowledge SDM Team Sandbox System Vendor 1 COMING SOON 9 REST API AV System Vendor 2 Sample Malware Proxy AntiSpam Navigazione Company Group 24/41

  26. Explore the Farm DOMINO EFFECT MISP 3 1 5 GAP 4 0 FORCE 2 35/41

  27. Explore the Farm - Prevention SDM Team curl -k -X POST -H "Content-Type: application/json" -H TO_IDS = TRUE "Authorization: apitoken" -d '{"returnFormat": "json", "type": {"OR": ["url"]}, "published":true, "to_ids":true, "enforceWarninglist": 1, "includeEventTags":1, "tags": {"NOT": ["Only Detection"]}, "includeDecayScore": 1, "excludeDecayed":1,"modelOverrides": {"threshold": 1},"decayingModel": [21]}' https://misp/attributes/restSearch > /tmp/json/mispUrlBase 1 Sec System Vendor1 List http://realmalicious.com/bad.php ... *//realmalicious.com/bad.php 2 ... Data processing and normalization Sec System Vendor2 List 26/41

  28. Explore the Farm - Prevention SDM Team TO_IDS = TRUE REST API FIREWALL, WAF & PROXY 3 1 2 Web exposed IoC lists OTHER COMPANIES SEC/ICT TEAMS Data processing and normalization 27/41

  29. Explore the Farm - Detection RTSM IR Team Team Metadata normalization Automated scheduled data preparation for SIEM ingestion IoC Data Enrichment ACTION 28/41

  30. Explore the Farm - Detection RTSM IR Team Team TO_IDS = TRUE 1 3 TI Automated Import 2 Data processing and normalization 29/41

  31. Explore the Farm – Focus on SIEM RTSM IR Team Team IoC type : url IoC campaign: lokibot IoC source : MA team IoC Threat type : malware IoC date : 26/09/2020 IoC list match IoC value : http://realmalicious.com/bad.php url : http://realmalicious.com/bad.php domain : realmalicious.com ip src : 10.10.10.5 Sep 27 12:22:22 proxy1 CEF:0|webnavig| url=http://realmalicious.com/bad.php src_ip=10.10.10.5 src_port=6734 Sep 27 12:22:22 fw1 CEF:0|fwinternet| domain=realmalicious.com uri=bad.php srv=80 sip=10.10.10.5 sport=6734 30/41

  32. Explore the Farm - Detection RTSM IR Team Team Metadata normalization Automated scheduled data preparation for SIEM ingestion IoC Data Enrichment ACTION RETROACTION Register IoC sightings Real Time correlation rules for IoC detection and report sighting via API to MISP DOMINO EFFECT

  33. Explore the Farm - Detection RTSM IR Team Team TO_IDS = TRUE TO_IDS = TRUE 1 3 4 TI Automated ALERT: IoC SOC Team Detected Import 2 5 IoC sighting Data processing and normalization 32/41

  34. Explore the Farm - Detection RTSM IR Team Team 4 ALERT: IoC SOC Team Detected 5 IoC sighting curl -d "{\"source\":\"SIEM\", \"values\":" http://realmalicious.com/bad.php "}" -H "Authorization: apitoken" -H "Accept: application/json" -H "Content-type: application/json" -k -X POST "https://misp/sightings/add 33/41

  35. Winnie the Pooh is a threat actor

  36. Destroy the diamond… DOMINO EFFECT MISP 3 1 DIAMOND 5 GAP 4 0 FORCE 2 35/41 39/41

  37. Destroy the diamond… IoCs are NOT forevah ! SINCE 01/01/2015 http://realmalicious.com/bad.php • When URL is no more malicious? • Waste of resources preventing it nowaday ? • And if you have 100 billions sculptured on sec techs? 36/41

  38. In Practice 1 http://realmalicious.com/bad.php t 0 ts 0 Sighting to 2 MISP t 0 t 1 ts 0 ts 1 3 IoC time is over t 0 ts 1 37/41

  39. …Propagate the news SDM RTSM Team Team REST API FIREWALL, WAF & PROXY 1 3 Automated email 2 OTHER COMPANIES SEC/ICT TEAMS Processing Decayed IoCs Data feed http://realmalicious.com/bad.php 38/41

  40. From Train to Rocket DOMINO EFFECT 3 MISP 1 MARS DIAMOND 5 GAP 4 0 FORCE 2 39/41

  41. From Train to Rocket • Integrated Dashboard & report system • TLP-based IoC visibility for different roles • Incident full prioritization • Threat data feeds supply input for threat intelligence, but by themselves are not threat intelligence • COLLABORATION ! MARS 40/41

  42. THANK YOU …QUESTIONS?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Hero's Journey (and YOU are the Hero!) The Healing Power of Telling Your Story Jeff Bell

The Hero's Journey (and YOU are the Hero!) The Healing Power of Telling Your Story Jeff Bell

The Hero's Journey (and YOU are the Hero!) The Healing Power of Telling Your Story Jeff Bell Alison Dotson Shala Nicely Stuart Ralph The elevator pitch Musical Chairs Groups of 2-3 People you dont know! Todays Tale Criteria to

556 views • 39 slides
Standard 2-point Opposition: Hero Opponent 4-point Opposition Hero Opponent 1

Standard 2-point Opposition: Hero Opponent 4-point Opposition Hero Opponent 1

Standard 2-point Opposition: Hero Opponent 4-point Opposition Hero Opponent 1 Opponent 2 Opponent 3 American Beauty by Alan Ball Lester (+ Ricky) Carolyn (+ real estate king) (deposed king-trickster)

381 views • 24 slides
Hero Acquisitions Limited (subsidiary of HSS Hire Group plc) Q3 17 Results Agenda Hero

Hero Acquisitions Limited (subsidiary of HSS Hire Group plc) Q3 17 Results Agenda Hero

Hero Acquisitions Limited (subsidiary of HSS Hire Group plc) Q3 17 Results Agenda Hero Acquisitions Limited Q3 17 Steve Ashmore, CEO John Gill, CEO Strategic progress Headlines Steve Bailey, Interim CFO Paul Quested, CFO Q3 17 Results

392 views • 17 slides
REQUEST TO INCREASE CONTRACT FOR HIGHWAY EMERGENCY RESPONSE OPERATOR (HERO) PROGRAM Terry G.

REQUEST TO INCREASE CONTRACT FOR HIGHWAY EMERGENCY RESPONSE OPERATOR (HERO) PROGRAM Terry G.

REQUEST TO INCREASE CONTRACT FOR HIGHWAY EMERGENCY RESPONSE OPERATOR (HERO) PROGRAM Terry G. McCoy, P.E. TxDOT Austin District 6/28/2018 HERO Program Update 6/28/18 HERO Program Performance-based contract awarded to SERCO September 2017

198 views • 5 slides
Dimension Reduction for Classification Alfred O. Hero Dept. EECS, Dept BME, Dept. Statistics

Dimension Reduction for Classification Alfred O. Hero Dept. EECS, Dept BME, Dept. Statistics

Dimension Reduction for Classification Alfred O. Hero Dept. EECS, Dept BME, Dept. Statistics University of Michigan - Ann Arbor hero@eecs.umich.edu http://www.eecs.umich.edu/~hero BIRS, July. 2005 1. The manifold supporting data sample 2.

452 views • 31 slides
LEADERSHIP LESSONS FROM THE AGILE MANIFESTO @ANJUAN A hero ventures forth from the world of

LEADERSHIP LESSONS FROM THE AGILE MANIFESTO @ANJUAN A hero ventures forth from the world of

LEADERSHIP LESSONS FROM THE AGILE MANIFESTO @ANJUAN A hero ventures forth from the world of common day into a region of supernatural wonder: fabulous forces are there encountered and a decisive victory is won: the hero comes back from

969 views • 37 slides
Inference and Signal Processing for Networks ALFRED O. HERO III Depts. EECS, BME, Statistics

Inference and Signal Processing for Networks ALFRED O. HERO III Depts. EECS, BME, Statistics

Inference and Signal Processing for Networks ALFRED O. HERO III Depts. EECS, BME, Statistics University of Michigan - Ann Arbor http://www.eecs.umich.edu/~hero Students : Clyde Shih , Jose Costa Neal Patwari, Derek Justice, David Barsic Eric

673 views • 22 slides
The Heros Journey The Heros Journey the hero's journey, is the common template of stories

The Heros Journey The Heros Journey the hero's journey, is the common template of stories

The Heros Journey The Heros Journey the hero's journey, is the common template of stories that involves a hero who goes on an adventure to a new world, and in a decisive crisis wins a victory, and then comes home changed or transformed.

419 views • 9 slides
Hopkinton School District FY 19 Budget Presentation To Be a Hero Tuesday, December 5, 2017

Hopkinton School District FY 19 Budget Presentation To Be a Hero Tuesday, December 5, 2017

Hopkinton School District FY 19 Budget Presentation To Be a Hero Tuesday, December 5, 2017 Maple Street School Cafeteria To Be a Hero u Public service u Contribute to the well being of others u Driven by a mission of care

555 views • 27 slides
From Zero to AI Hero Presented by: Kevin

From Zero to AI Hero Presented by: Kevin

W4 Test Analytics, AI/ ML Wednesday, October 2nd, 2019 11:30 AM From Zero to AI Hero Presented by: Kevin Pyles

691 views • 28 slides
Modeling, prediction and diagnosis for network security Alfred Hero University of Michigan 1.

Modeling, prediction and diagnosis for network security Alfred Hero University of Michigan 1.

Modeling, prediction and diagnosis for network security Alfred Hero University of Michigan 1. Network monitoring and tomography 2. Science of security: opportunities 3. Concluding remarks Alfred Hero NSF-IARPA SOS Workshop Nov 2008 1.

432 views • 18 slides
Hero Group UiS, 15.3.2019, MENPRA Eva-Maria Grtner Eva-Maria Grtner Master of Cultural

Hero Group UiS, 15.3.2019, MENPRA Eva-Maria Grtner Eva-Maria Grtner Master of Cultural

Hero Group UiS, 15.3.2019, MENPRA Eva-Maria Grtner Eva-Maria Grtner Master of Cultural Studies Master of Management (public sector) Further education in Interdisciplinary Counselling Working in Hero with innovation and

392 views • 12 slides
Hero Acquisitions Limited (subsidiary of HSS Hire Group plc) H1 FY16 Results Agenda Hero

Hero Acquisitions Limited (subsidiary of HSS Hire Group plc) H1 FY16 Results Agenda Hero

Hero Acquisitions Limited (subsidiary of HSS Hire Group plc) H1 FY16 Results Agenda Hero Acquisitions Limited H1 FY16 John Gill, CEO John Gill, CEO Strategic progress Highlights Steve Bailey, Interim CFO Steve Bailey, Interim CFO H1

699 views • 22 slides
Hero Acquisitions A subsidiary of HSS Hire Group plc Investor Presentation July 2017 Disclaimer

Hero Acquisitions A subsidiary of HSS Hire Group plc Investor Presentation July 2017 Disclaimer

0 Hero Acquisitions A subsidiary of HSS Hire Group plc Investor Presentation July 2017 Disclaimer This presentation has been prepared by Hero Acquisitions Limited and/or its subsidiaries and affiliates (HSS). The informat ion contained in

622 views • 43 slides
0-to-hero 07/10 Mentors <> 07/10 Sessions Me Kernel

0-to-hero 07/10 Mentors <> 07/10 Sessions Me Kernel

0-to-hero 07/10 Mentors <> 07/10 Sessions Me Kernel developer(Windows/Linux/Own)/Microarchitecture geek (Intel)/Security Researcher (Lenovo, Microsoft, Mysql, Python etc.)/ Software Engineer Architect/Hardware Engineer (FPGA, ASIC,

300 views • 12 slides
Adventures of our BN hero Compact representation for 1. Nave Bayes probability

Adventures of our BN hero Compact representation for 1. Nave Bayes probability

Readings: K&F: 4.5, 12.2, 12.3, 12.4 Kalman Filters Switching Kalman Filter Graphical Models 10708 Carlos Guestrin Carnegie Mellon University November 20 th , 2006 Adventures of our BN hero Compact representation for 1.

238 views • 22 slides
Euclid Consortium Euclid CSWG - OUSIM Meeting Barcelona, July 9-10 2012 OU-VIS Patrick

Euclid Consortium Euclid CSWG - OUSIM Meeting Barcelona, July 9-10 2012 OU-VIS Patrick

Euclid Consortium Euclid CSWG - OUSIM Meeting Barcelona, July 9-10 2012 OU-VIS Patrick Hudelot (IAP) MSSL (London) CASU (Cambridge) CEA (Saclay) University of Edinburgh Euclid

417 views • 13 slides
Disclosure Ablation and Devices for Atrial Fibrillation SentreHeart/Atricure, Inc Should all

Disclosure Ablation and Devices for Atrial Fibrillation SentreHeart/Atricure, Inc Should all

10/10/19 Disclosure Ablation and Devices for Atrial Fibrillation SentreHeart/Atricure, Inc Should all Patients have Ablation? 1 2 AF PAROXYSMAL PERSISTENT AF LONG STANDING AF . PERMANENT AF . Diagnosis AF Risk Factor Modification 33.5

422 views • 9 slides
DISCOVER WHATS NEW IN VERSION 5.0 OF THE NATIONAL FATALITY REVIEW CASE REPORTING SYSTEM Wed,

DISCOVER WHATS NEW IN VERSION 5.0 OF THE NATIONAL FATALITY REVIEW CASE REPORTING SYSTEM Wed,

DISCOVER WHATS NEW IN VERSION 5.0 OF THE NATIONAL FATALITY REVIEW CASE REPORTING SYSTEM Wed, March 21, 2018 2:00 PM 3:00 PM ET About the National Center for Fatality Review and Prevention The National Center for Fatality Review and

331 views • 18 slides
TeamT5 Introduction Tsai Sung-Ting ( TT ) Global Customers Client / Partner regions Japan,

TeamT5 Introduction Tsai Sung-Ting ( TT ) Global Customers Client / Partner regions Japan,

TeamT5 Introduction Tsai Sung-Ting ( TT ) Global Customers Client / Partner regions Japan, Taiwan, ASEAN, Korea, US 50+ Clients Government agencies Leading CTI Firms Security vendors MSSP Telecom / ISP

374 views • 10 slides
EMPLOYEE ENGAGEMENT MEASUREMENT Adaptive WFO brings to life the employee persona and leverages

EMPLOYEE ENGAGEMENT MEASUREMENT Adaptive WFO brings to life the employee persona and leverages

Adaptive WFO Transformation from To EMPLOYEE EMPLOYEE ENGAGEMENT MEASUREMENT Adaptive WFO brings to life the employee persona and leverages it to empower and drive better performance while improving satisfaction and alignment to the

817 views • 3 slides
Laura Peck, Eleanor Harvill & Shawn Moulton, Abt Associates Society for Research on

Laura Peck, Eleanor Harvill & Shawn Moulton, Abt Associates Society for Research on

Endogenous Subgroup Analysis Using ASPES Laura Peck, Eleanor Harvill & Shawn Moulton, Abt Associates Society for Research on Educational Effectiveness Washington, DC | March 2017 Acknowledgment of Funding ASPES method development is

1.57k views • 110 slides
Spatial Mixing of Coloring Random Graphs Yitong Yin Nanjing University Colorings undirected

Spatial Mixing of Coloring Random Graphs Yitong Yin Nanjing University Colorings undirected

Spatial Mixing of Coloring Random Graphs Yitong Yin Nanjing University Colorings undirected G(V,E) q colors: max-degree: d temporal mixing of Glauber dynamics approximately counting : 2 11/6 or sampling almost uniform proper q

687 views • 21 slides
x HE xdt5 L tz x Cti t t l I titsititz titts t's Ez t.tt more generally simply laced x Lt

x HE xdt5 L tz x Cti t t l I titsititz titts t's Ez t.tt more generally simply laced x Lt

Fibers of Meps to Non negative Totally Spaces Patricia Hersh North Carolina State University 1903.01420 joint work arXiv See with James Davis Ezra Miller A Key Calculation tittz titz Lt X xzLtz Coo f x 3 t z Il tits x HE xdt5 L tz x

444 views • 17 slides

More recommend