How MalOPS Changes the Game for SECOPS and APT objective Case - - PowerPoint PPT Presentation
objective
- Case overview
– blackhole & APT case illustrating gap between OPS for malware vs. APT
- Moving toward success
– Visibility, Intelligence, Response™ – Outcome-based metrics for MalOPS / APT
@j_j_thompson
- Hoosier native, Hawkeye alum
- Former EY smoke jumping team (OCA)
- ISC2 Indy, CISSP
- (2) x RTW
- 1.5M amex pts, 30K aa miles last month
- Quadrupling size of SOC!!!!
- Entrepreneur, husband, father. Infosec, cybercrime, intelligence & management
- consultant. Into mountaineering, hunting, fishing, shooting, photo & tactical gear.
Don't blink.
definitions – see next slide
- APT
- Hacking
- Malware
case 2 - apt
THIS IS CALLED HACKING
- 0. demand
WIIFT? What's in it for them? To be promoted to a cyber warfare unit? To make money? To be famous? You tell me. What did your last risk assessment show would be valuable to ___ based on _____ (scenarios)? THIS IS PART OF WHAT A RISK ASSESSMENT DOES.
THIS IS APT
case 1 - malware
THIS IS CALLED MALWARE (image from bromium.com)
case 1a - malware
- Palo detected bh2*.jar
- Policy in place, grab machine, analyze (SLA: 15m)
- Ran Redline, GMER, Sophos, Kaspersky, …
- Rebuilt user's machine
- Wish list?
case 1b - malware
- AL detected bh2*.jar
- Alerted local IT, ran AV, nothing.
- 2 hr spent on packet analysis proving it was not a FP
- Local team asks us not to send tickets
- Local team unplugs AL
- Wish list?
case 2 - apt
- Alerted by FBI
- Kernel level, blackout on HDD timeline
- Compromised accounts and points of persistence
- Known data exfil, visualized via netflow
- Massive response effort, boatloads of IOCs
to success and beyond
– Visibility, Intelligence, Response™
- How do you detect malware? APT?
- What is the context around it that changes the approach?
- How do you respond appropriately based on threat, adversary, and data at risk?
– Outcome-based metrics for MalOPS / APT
- Measure only if it will result in an action or change of strategy
Visibility, Intelligence, Response™
intelligence
Sanitized excerpts from Rook's SOC Threat Classifications Table; more available at www.rooksecurity.com
response
- CATEGORY of THREAT
- DATA CLASSIFICATION of TARGET
- INTEL on ATTACKER
- INCIDENT PRIORITIZATION & COMMUNICATION
CASE: SEA targeted probe to sensitive server
Outcome-based metrics
- Measure only if it will result in an action or change of strategy
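The response slide names four columns of the threat classification table (category of threat, data classification of target, intel on attacker, incident prioritization & communication), and the closing slide gives the rule for outcome-based metrics. The following is an added example, not code from the deck or from Rook Security, showing how those two ideas fit together in a small triage module: the ordinal scales, weights, priority bands, notification lists and metric thresholds are constructed assumptions standing in for the sanitized table, and the sample alerts and case records are constructed from the deck's three cases (the time spent on case 1a is assumed; the 15m SLA and the 2 hr spent on case 1b come from the slides).

```python
"""Triage and outcome metrics for the MalOPS vs. APT cases in the deck.

Added example, not code from the slide deck or from Rook Security.  The
scales, weights, priority bands, notification lists and thresholds are
constructed assumptions; the sample alerts and case records are
constructed from the cases described on the slides.
"""
from dataclasses import dataclass
from datetime import timedelta

# Constructed ordinal scales, higher = more serious (assumption).
THREAT_CATEGORY = {"commodity_malware": 1, "targeted_probe": 2, "apt_intrusion": 3}
DATA_CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ATTACKER_INTEL = {"unknown": 0, "opportunistic": 1, "known_group": 2, "nation_state": 3}

# Who is notified at each priority band (assumption).
COMMUNICATION = {
    "P1": ["IR lead", "CISO", "legal"],
    "P2": ["SOC lead", "system owner"],
    "P3": ["local IT"],
}


@dataclass
class Alert:
    case_id: str
    threat: str          # key of THREAT_CATEGORY
    target_class: str    # key of DATA_CLASSIFICATION
    attacker: str        # key of ATTACKER_INTEL
    exfil_observed: bool = False


def triage(alert: Alert) -> dict:
    """Combine the three table columns into a priority and a notification list."""
    score = (THREAT_CATEGORY[alert.threat]
             + DATA_CLASSIFICATION[alert.target_class]
             + ATTACKER_INTEL[alert.attacker])
    if alert.exfil_observed:          # confirmed data loss always escalates
        score += 3
    band = "P1" if score >= 7 else "P2" if score >= 4 else "P3"
    return {"case": alert.case_id, "score": score, "priority": band,
            "notify": COMMUNICATION[band]}


@dataclass
class CaseRecord:
    case_id: str
    sla: timedelta
    time_spent: timedelta
    outcome: str         # "rebuilt", "true_positive", "false_positive", ...


def outcome_metrics(records: list) -> list:
    """Report only metrics that cross a threshold tied to a concrete action.

    Follows the deck's rule: measure only if it results in an action or a
    change of strategy.  Each finding is (metric, value, action); the
    thresholds are assumptions.
    """
    findings = []
    breached = [r.case_id for r in records if r.time_spent > r.sla]
    if breached:
        findings.append(("sla_breach", breached,
                         "review analysis playbook and tooling for breached cases"))
    if records:
        fp_rate = sum(r.outcome == "false_positive" for r in records) / len(records)
        if fp_rate > 0.5:
            findings.append(("false_positive_rate", fp_rate, "tune detection policy"))
    return findings


# Constructed sample input mirroring the deck's cases.
SAMPLE_ALERTS = [
    Alert("case-1a", "commodity_malware", "internal", "opportunistic"),
    Alert("case-2", "apt_intrusion", "restricted", "nation_state", exfil_observed=True),
    Alert("case-sea", "targeted_probe", "confidential", "known_group"),
]
SAMPLE_RECORDS = [
    CaseRecord("case-1a", timedelta(minutes=15), timedelta(minutes=12), "rebuilt"),
    CaseRecord("case-1b", timedelta(minutes=15), timedelta(hours=2), "true_positive"),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(triage(a))
    for f in outcome_metrics(SAMPLE_RECORDS):
        print(f)
```

With these constructed scales the commodity malware case lands at P3 and stays with local IT, the FBI-notified intrusion with observed exfil lands at P1, and the targeted probe lands in between; the only metric reported is the SLA breach on case 1b, because that is the one whose value drives a change.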