how an ioc can lead to another
play

HOW AN IOC CAN LEAD TO ANOTHER? Sad Kadhi TheHive Project Automate - PowerPoint PPT Presentation

Jan 26, 2024 •356 likes •443 views

BEERUMP 17 / 2017-06-22 TLP:WHITE HOW AN IOC CAN LEAD TO ANOTHER? Sad Kadhi TheHive Project Automate bulk observable analysis through a REST API Can be queried Web UI Analyzers can be developed in any programming language that

  1. BEERUMP 17 / 2017-06-22 TLP:WHITE HOW AN IOC CAN LEAD TO ANOTHER? Saâd Kadhi 
 TheHive Project

  2. ▸ Automate bulk observable analysis through a REST API ▸ Can be queried Web UI ▸ Analyzers can be developed in any programming language that is supported by Linux ▸ Two-way MISP integration ▸ While originally created for Blue Teams, Cortex can be useful for Red Teams too

  3. ARCHITECTURE CORTEX FRONTEND BACKEND REST 
 HTTP HTTP REST 
 APIS APIS A A A A ANALYZERS STORAGE

  4. 23 ANALYZERS (AND MORE ARE COMING) FORTIGUARD URL PASSIVETOTAL HIPPOCAMPE MAXMIND SPLUNK SEARCH CATEGORY GOOGLE SAFE CIRCL PSSL CIRCL PDNS JOE SANDBOX CUCKOO BROWSING MISP SEARCH VIRUSTOTAL DNSDB VMRAY MCAFEE ATD DOMAINTOOLS ABUSE FINDER YARA IRMA FIREHOL PHISHING FILEINFO NESSUS FAME WHOISXMLAPI INITIATIVE OUTLOOK MSG OTXQUERY PHISHTANK INTELMQ FIREEYE AX PARSER HYBRID ANALYSIS

  5. Alert Alert Sources 
 Feeders (SIEM, email, …) Raise alerts Analyze observables s e s a c s t t r n o e p v x e E l l o P Enrich events Additional analyzers Search observables within MISP events Analyzers Expansion Modules

  6. LET’S GET TO WORK ▸ In February, numerous Polish FIs were infected after visiting the Polish Supervision Authority (www[.]knf[.]gov[.]pl) -> Watering hole attack -> Custom EK with exploits stolen from Neutrino & RIG ▸ Later on, it was found that other websites were used to carry the same attack: Comisión Nacional Bancaria y de Valores (MX), Banco República (UY) ▸ https://badcyber.com/several-polish-banks-hacked- information-stolen-by-unknown-attackers/

  7. HOW CAN AN IOC LEAD TO ANOTHER? ▸ IOC = www[.]knf[.]gov[.]pl ▸ How can we pivot to find other IOCs (that are less brittle maybe?) knf[.]gov[.]pl MISP Search 1 event hxxp://knf.gov.pl/DefaultDesign/Layouts/ knf[.]gov[.]pl VirusTotal KNF2013/resources/accordian-src.js? ver=11 d4616f9706403a0d5a2f9a872 VirusTotal 47/61 6230a4693e4c95c58df5c753c cc684f1d3542e2 Galaxy Lazarus Group, Target sap[.]misapor[.]ch MISP Search Finance

  8. GET THE SOFTWARE ▸ Cortex is available under an AGPL license ▸ Can be installed using RPM, DEB, Docker image, binary package or built from the source code ▸ Pre-requisites: Linux with JRE 8+, Chrome, Firefox, IE (11), and a decent computer ▸ https://thehive-project.org/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lead Abatement for Workers Course 1 Learning Objectives In this section you will learn:

Lead Abatement for Workers Course 1 Learning Objectives In this section you will learn:

Chapter 1 Lead Abatement for Workers Course 1 Learning Objectives In this section you will learn: What lead is Why lead was used Where lead is found today How you can be exposed to lead About the lead paint problem in the

1.07k views • 103 slides
Arranger, Organising Participant & Joint Lead Manager Joint Lead Manager Joint Lead Manager

Arranger, Organising Participant & Joint Lead Manager Joint Lead Manager Joint Lead Manager

SKYCITY Offer of Fixed Rate Entertainment Seven Year Bonds Group Limited August 2015 Arranger, Organising Participant & Joint Lead Manager Joint Lead Manager Joint Lead Manager Joint Lead Manager Important Information A Product

449 views • 25 slides
Ad-Hoc Networking Project PM Liaison: Mathilde Technical Lead: Jim Research Lead: Megan Design

Ad-Hoc Networking Project PM Liaison: Mathilde Technical Lead: Jim Research Lead: Megan Design

Ad-Hoc Networking Project PM Liaison: Mathilde Technical Lead: Jim Research Lead: Megan Design Lead: Jordan Document Lead: Whitney Last Time Excited to move ahead Meeting with Ko Brainstorming Session Picking an area to work with and

434 views • 16 slides
Preventing Elevated Blood Lead Levels High Level of Lead in Sindoor in Children Tests find more

Preventing Elevated Blood Lead Levels High Level of Lead in Sindoor in Children Tests find more

Lead in the News Preventing Elevated Blood Lead Levels High Level of Lead in Sindoor in Children Tests find more lead in products Funded by the New Jersey Department of Health Physicians 2 -year old son poisoned by lead in their home

143 views • 13 slides
Keep Lead from Keep Lead from Lurking Lurking Lead Testing and Lead Testing and Healthy

Keep Lead from Keep Lead from Lurking Lurking Lead Testing and Lead Testing and Healthy

Keep Lead from Keep Lead from Lurking Lurking Lead Testing and Lead Testing and Healthy Healthy Homes to Help Prevent Childhood Lead Poisoning Homes to Help Prevent Childhood Lead Poisoning Oct 30, 2019 Recharge for Resilience Conference

397 views • 20 slides
Association between childrens blood lead levels lead Association between children s blood lead

Association between childrens blood lead levels lead Association between children s blood lead

Association between childrens blood lead levels lead Association between children s blood lead levels, lead service lines, and water disinfection, Washington, DC, 1998 - 2006 MJ Brown J Raymond D Homa C Kennedy T Sinks MJ Brown, J Raymond,

192 views • 16 slides
Ad-Hoc Networking Project PM, Liason: Mathilde Technical Lead: Jim Research Lead: Megan Design

Ad-Hoc Networking Project PM, Liason: Mathilde Technical Lead: Jim Research Lead: Megan Design

Ad-Hoc Networking Project PM, Liason: Mathilde Technical Lead: Jim Research Lead: Megan Design Lead: Jordan Document Lead: Whitney The Project Create revolutionary applications/services for ad-hoc car networks Demonstrate and prototype the

379 views • 9 slides
Childhood Lead Poisoning in Ohio 2 Objectives Overview of childhood lead poisoning in Ohio

Childhood Lead Poisoning in Ohio 2 Objectives Overview of childhood lead poisoning in Ohio

1 Childhood Lead Poisoning in Ohio 2 Objectives Overview of childhood lead poisoning in Ohio Provide an overview of the Public Health Lead Investigation Process Bring awareness to funding resources for lead hazard control 3

1.35k views • 71 slides
Lead Localization J U L Y 3 R D 2 0 1 2 MARIANA MOSCOVICH Introduction According to our

Lead Localization J U L Y 3 R D 2 0 1 2 MARIANA MOSCOVICH Introduction According to our

Lead Localization J U L Y 3 R D 2 0 1 2 MARIANA MOSCOVICH Introduction According to our protocol and the University of Florida: All DBS lead locations and lead entry angles were meticulously measured on high-resolution, one-month

419 views • 10 slides
Lead Program Summary Regulation No. 19 The Control of Lead Hazards Rick Fatur Aaron Gutierrez /

Lead Program Summary Regulation No. 19 The Control of Lead Hazards Rick Fatur Aaron Gutierrez /

Lead Program Summary Regulation No. 19 The Control of Lead Hazards Rick Fatur Aaron Gutierrez / Rick Coffin January 14, 2014 1 Childhood Lead Poisoning Lead poisoning is the #1 preventable environmental health threat to children today

761 views • 45 slides
Enhancing Person-Centred Care Co-Lead Very Poor Very Good 2 Co-Lead Co-Lead What is

Enhancing Person-Centred Care Co-Lead Very Poor Very Good 2 Co-Lead Co-Lead What is

Enhancing Person-Centred Care Co-Lead Very Poor Very Good 2 Co-Lead Co-Lead What is person-centredness? care that is respectful of and responsive to individual patient preferences, needs and values, ensuring that patient values guide

468 views • 17 slides
HOW 1. Why I attended today. 2. One thing I want to get out of I LEAD todays workshop. 3. One

HOW 1. Why I attended today. 2. One thing I want to get out of I LEAD todays workshop. 3. One

Network Share with three people: HOW 1. Why I attended today. 2. One thing I want to get out of I LEAD todays workshop. 3. One Way I Lead. 2 logos / url social Follow us! AGENDA 8:45AM HOW I LEAD 9:30AM New Hampshire Women in

1.11k views • 52 slides
Inspecting for Lead-based Paint Chapter 1 Course Overview Lead Inspector Chapter 1

Inspecting for Lead-based Paint Chapter 1 Course Overview Lead Inspector Chapter 1

Inspecting for Lead-based Paint Chapter 1 Course Overview Lead Inspector Chapter 1 Course Overview Course Purpose To train inspectors to identify lead in paint (lead-based paint inspections) dust and soil (clearance

1.97k views • 158 slides
Water Quality Update HIST ORY, RU LES, A ND WAT ER SYST EM RESPONSE Health Effects of Lead

Water Quality Update HIST ORY, RU LES, A ND WAT ER SYST EM RESPONSE Health Effects of Lead

Water Quality Update HIST ORY, RU LES, A ND WAT ER SYST EM RESPONSE Health Effects of Lead Lead serves no useful purpose in the human body, and its presence can lead to toxic effects. In children, lead exposure can result in: Behavior

314 views • 9 slides
Preparing Travel Managers to Lead the Change Becky Kopidlansky, Change Champion Lead Andi

Preparing Travel Managers to Lead the Change Becky Kopidlansky, Change Champion Lead Andi

Preparing Travel Managers to Lead the Change Becky Kopidlansky, Change Champion Lead Andi Smetana, Project Manager Tom Thieding, Communication Lead Agenda Change Transition and Reactions Individual Commitment Curve Communicating Change

335 views • 31 slides
A movement for a better future. The he lead lead-up up to 2012 to 2012 was as chaotic.

A movement for a better future. The he lead lead-up up to 2012 to 2012 was as chaotic.

A movement for a better future. The he lead lead-up up to 2012 to 2012 was as chaotic. haotic. Ho How d w do o we tac e tackle kle the str the stress, ess, anx anxiety iety and depression of todays busy life? Spot the ear Spot

448 views • 25 slides
Mission Thread Market (MTM): A Faster, Cheaper, Better Path to Netcentricity (A JITC - W2GOG

Mission Thread Market (MTM): A Faster, Cheaper, Better Path to Netcentricity (A JITC - W2GOG

World Wide Consortium for the Grid (W2COG) Institute: Assured Value-of-Information-Service (V oIS) across a networked enterprise Better networked capability - faster, and cheaper - through adaptive collaborative, value-focused, architecture,

452 views • 17 slides
Inverse Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Todays

Inverse Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Todays

Inverse Reinforcement Learning CS 294-112: Deep Reinforcement Learning Sergey Levine Todays Lecture 1. So far: manually design reward function to define a task 2. What if we want to learn the reward function from observing an expert, and

650 views • 33 slides
Internationalisation at Home good ideas and curriculum innovation IAH Symposium Brisbane,

Internationalisation at Home good ideas and curriculum innovation IAH Symposium Brisbane,

Internationalisation at Home good ideas and curriculum innovation IAH Symposium Brisbane, Australia 26 October 2012 Associate Professor Betty Leask Australian National Teaching Fellow University of South Australia AUSTRALIA

554 views • 22 slides
image motion 2 Tues. Feb. 6, 2018 1 Overview of Today Abstract computational problem: how to

image motion 2 Tues. Feb. 6, 2018 1 Overview of Today Abstract computational problem: how to

COMP 546 Lecture 8 image motion 2 Tues. Feb. 6, 2018 1 Overview of Today Abstract computational problem: how to estimate the local image velocity ? Solution based on V1 motion detectors 2 Intensity changes in XY

710 views • 33 slides
Porting Tizen:Common to open source hardware devices Philippe Coval

Porting Tizen:Common to open source hardware devices Philippe Coval

Porting Tizen:Common to open source hardware devices Philippe Coval <https://wiki.tizen.org/wiki/User:Pcoval> Leon Anavi <https://wiki.tizen.org/wiki/User:Leon> Agenda Definitions Tizen:Common Open Source Hardware

263 views • 23 slides
CPSC 121: Models of Computation Convert sequences to and from explicit formulas that describe

CPSC 121: Models of Computation Convert sequences to and from explicit formulas that describe

Pre-Class Learning Goals By the start of class, you should be able to CPSC 121: Models of Computation Convert sequences to and from explicit formulas that describe the sequence. Convert sums to and from summation/ notation.

296 views • 14 slides
Integer Set Coalescing Sven Verdoolaege INRIA and KU Leuven January 19, 2015 January 19, 2015

Integer Set Coalescing Sven Verdoolaege INRIA and KU Leuven January 19, 2015 January 19, 2015

January 19, 2015 1 / 27 Integer Set Coalescing Sven Verdoolaege INRIA and KU Leuven January 19, 2015 January 19, 2015 2 / 27 Outline Introduction and Motivation 1 Polyhedal Model The need for coalescing Traditional Coalescing

1.24k views • 107 slides
Counting Affine Calculator and Applications Sven Verdoolaege Team ALCHEMY, INRIA Saclay, France

Counting Affine Calculator and Applications Sven Verdoolaege Team ALCHEMY, INRIA Saclay, France

April 3, 2011 1 / 23 Counting Affine Calculator and Applications Sven Verdoolaege Team ALCHEMY, INRIA Saclay, France Sven.Verdoolaege@inria.fr April 3, 2011 April 3, 2011 2 / 23 Outline Introduction 1 2 Basic Concepts and Operations

828 views • 65 slides

More recommend