SlideShare a Scribd company logo

NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty McDougal,

Download as PPTX, PDF
North Texas Chapter of the ISSA
North Texas Chapter of the ISSA

Monty McDougal, Cyber Engineering Fellow, Intelligence, Information and Services, Raytheon Advanced Persistent Threat Life Cycle Management This presentation will cover the full Advanced Persistent Threat (APT) Life Cycle and Management of the resulting intrusions. It will cover both what the APTs are doing as attackers and what we as defenders should be doing for both the APT Mission Flows and the Computer Network Defense (CND) Mission Flows.

Internet
1 of 18
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 1 2015 NTX-ISSA Cyber Security Conference (Spring) Copyright © 2015 Raytheon Company. All rights reserved. Advanced Persistent Threat (APT) Life Cycle Management
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 2 APT Life Cycle SOC Analyst investigates alert & raises Security Incident. 7 Remediation team carries out actions and closes incident. 8 User’s machine passed to the Forensics Lab for analysis. Malware Lab generates new IOCs. 9 Threat Fusion Teams conducts attribution analysis on Attack Group; tasks probes with new signature and behaviours; and informs external partners (depending on policy). 10 ALERT Correlated Events 6 User/Machine/IP (AD Log Entry) Browsing History HTTP Request DNS Requests Proxy Log Entries Netflow Log Entries Collected by Network Probe: From devices within Network: 4 APT compromises supplier website / sends email attachment to an internal user. 1 User visits compromised website and/or opens infected attachment. 2 Software downloaded to User’s machine Regular successful connections to camouflaged C2 domain FTP connections over non- standard port 3 Automated Data Analysis Reveals Behaviours: 5 Beaconing Unknown Software Downloaded Camouflaged C2 Domain Invalid Port/Protocol Combination DNS Requests contain keywords SOC Tier ISOC Tier II+ Advanced Persistent Threat(s)
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 3 Typical APT Primary Mission Flows • Recon / Plan • Attack Phase • Initial Infection • Command & Control • Internal Pivot / Escalation • Data Prep and Exfill • Improve Trade-Craft / Data Analysis - Update Knowledge Base Recon / Plan Attack Phase Initial Infection Command & Control Internal Pivot / Escalation Data Prep and Exfill Improve Trade-Craft / Data Analysis Knowledge Base
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 4 Recon / Plan • Attackers - Open Source Collection and Target Identification - Attack and Command & Control (C2) Domain Setup / Registration - C2 Framework Development (Usually Custom)  Persistence and Stealth  Reverse Shell Access (On Beacon) Primary Goal • Defenders - Open Source Foot Printing - Understand How Attackers See You - Information Sharing and Open Source Intel Collection on Attackers / Tools / Underground Sites - Prepare Defensive Controls  Training for all, more for High-Value / High-Exposure Users  Canaries / Miss-Information – to Detect / Mislead Attackers  Update Defensive Controls… w/ Intel from Above
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 5 Attack Phase • Attackers - Gain initial foothold once attack code is executed - Prepare and package 0-Day or N-Day Exploits - Embed customized exploit and payload (no previous signatures) - Make sure attack is not detected by conventional detection tools - Utilize Previous Research to Attack Likely Targets via Spear- Phishing and/or Water-Hole Attack - Gain initial foothold once attack code is executed • Defenders - Hopefully have pre-deployed defenses against these attacks - Advanced Anti-Malware for Email / Web (behavioral analysis) - Sensors Configured To Alert / Log to SIEM - Updated AV, Patching, Limited Admin, and Other Controls - Disrupting or Limiting Egress Traffic - Good Intel to Pre-Blacklist / Pre Gray-Listing C2 domains is effective
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 6 Initial Infection / Command & Control (C2) • Attackers - Ride the “Initial Infection” (reverse shell) into the enterprise  Usually done near real-time (the initial attack is not usually persistent) - Escalation of initial foothold via installation of one or more Command and Control (C2) binaries that beacon out and wait for instructions / reverse shell - Get additional login credentials and beacon hosts - “A Team” and “B Team” hand-off • Defenders - Defenders quickly to triage this initial access and prevent C2 client installations - Disruption of this C2 (and Initial Infection) is highly valuable when achievable - Good credential management, limiting admin rights, and multi-factor auth help greatly (as does restricting or not enabling RDP) - Heuristically looking for unusual login times, unusual RDP use, or “beacon tells” - White-Listing of known executables does wonders to prevent this stage - Don’t let servers connect to the internet unless to a White-List site - Backdoors and side-doors into your network need to be defended
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 7 Internal Pivot / Escalation • Attackers - At this point the “B Team” (collection specialists) are usually in control of the operation  Attackers use RDP over the Web C2 as it beacons out  Will often use previously compromised credentials to move between hosts and look for data (traffic will fan out from these C2 client hosts) - Escalate credentials and look for pivot points between networks - Sometimes the “B Team” asks the “A Team” to further enable their access… - Attackers will identify data and systems for exfill • Defenders - Good credential management, limiting admin rights, and multi- factor auth help greatly (as does restricting or not enabling RDP) - Heuristically looking for unusual login times / “beacon tells” / unusual uses of RDP / unusual data movements (volumes, types of data)
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 8 Data Prep and Exfill • Attackers - Attackers will collect data and move it to a host for exfill  Of note these hosts are usually not the originally compromised host nor one of the C2 client hosts or first-hops off that host - Data will be in encrypted archive (often RAR, sometimes ZIP) - When enough data has been collected it will be sent back to the attacker via FTP, Email, HTTP/HTTPS (including web email) are their favorite protocols - Often the remote endpoint is not a previously used domain - Any intermediary files / tools will be securely deleted from host • Defenders - Watch for uncharacteristic file types (RAR, ACE, GZIP, etc.) - Heuristic watch for unusual data collection points / transfers (internal hosts) - Watch for large bundled data transfers out of your network
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 9 Improve Trade-Craft / Data Analysis (APT) • Attackers - Receives data (new external host) and sends to home base for analysis - Attackers extract the archive(s) and analyze the data - Data analysis yields collection requirements to be executed - Attackers will track and monitor C2 beacon hosts and come back in and re-infect if your IT staff gets too good at finding their C2 hosts  If they lose access they will restart the recon / attack phase - Attackers use their previous Intel of network info, download personnel lists / email addresses, identified admin and admin hosts, dumped AD / SAM files, documented / identified key information flows / information brokers to facilitate and plan future attacks • Defenders - Defenders have limited options in this phase - Innovation, unpredictable / evolving defenses help
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 10 Typical CND Primary Mission Flows • Collect Sensor Data • Data Ingest • Analytics and Alerting • SOC Operations • Incident Response • Analysis and Data Fusion • Improve Trade-Craft / KB - Update Sensors / Active Defense - Update Knowledge Base / Manage Threat & Risk Sensors: Client & Gateway Data Ingest Analytics and Alerting SOC Operations Incident Response Analysis and Data Fusion Improve Trade-Craft / KB Knowledge Base
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 11 Collect Sensor Data / Data Ingest • Attackers - Improving Trade-Craft to evade sensors - Attackers will look for side door / back door not being watched - Attackers test packages against your AVs / IDSes to avoid detection • Defenders - Sensors will block some of the attacks on your network (good Intel helps) - Network choke points used to watch the traffic crossing them - Watch ingress / egress traffic (egress may be of higher value) - Lock and watch any side doors / back doors to your network - Log / ingest as much as possible / practical to analytics / SIEMs - Perform as much full packet / netflow capture as possible - Collect at the perimeter of the network and at “crown jewels” of your network
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 12 Analytics and Alerting • Attackers - Use low and slow / fragmented attacks to avoid detection - Attempt to overload your sensors with data and/or false positives to make the analysis and alerting more difficult to process • Defenders - Collect as much data as you can process and store, but focus on the most critical alerts first - The value of your analytics & alerting will be a direct function of:  The tools you are using  The value added Intel / signatures you generate internally, you buy, or you get from your friends and family network  The timeliness and accuracy of your alerts to the SOC - Running internally developed tools in addition to commercial tools likely will add additional value - A thorough understanding of the “normal baseline” helps for identifying “anomalies”
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 13 SOC Operations • Attackers - Attackers have limited activities during CND Mission Flow / SOC Operations - Will target SOC users to be able to understand / watch your defenses • Defenders - Standup of a dedicated SOC is essential to counter sophisticated threats  Need solutions that address business and off hours  Many of the APTs will not be working your business hours or will target attacks just before normal working hours end - SOC staff training is important as the SOC ends up being the first responders and decides how the alerts are processed  Escalate alerts, filter out obvious noise, cleanup obvious attacks - Reporting and measuring of SOC effectiveness is critical to management support and improvement in operation - Improving “cycle time” for all SOC functions is critical
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 14 Analysis and Data Fusion • Attackers - Attackers have limited activities during Analysis and Data Fusion - Many APTs are however improving their Trade-Craft to combat these functions by being more sophisticated in their C2 use • Defenders - Analysis and data fusion is critical to an advanced SOC - Internal Analysis of malware, indicators, and threats  Extraction of C2 resources, analysis, and signature generation  Analysis and OSINT on attackers for predictive purposes  Tracking of campaigns by threat actors, understanding of who in your org is being targeted and how/why  Updating internal defenses from all above - External coordination of malware, indicators, and threats  Sourcing indicator data from open, commercial, and friends/family sources  Managing how / what you will share with others
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 15 Improve Trade-Craft / KB (Defenders) • Attackers - Attackers Trade-Craft is improved in their attack lifecycle • Defenders - Implement lessons learned and do root cause analysis - Migrate defense from reactive to proactive and try get in front of the attackers with strong analysis and information sharing functions  Exploit open source, commercial, and industry data feeds - Continuously strive to improve efficiencies in defensive operations  Drive dwell time to zero (as a goal)  Automate the things that can be automated  Provide updated training to your defenders and your end users - Keep intel on attackers, attacks, threats, and targets current - Your network is not static – make sure your defenses are not
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 16 Questions?
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 17 Presenter Bio Monty D. McDougal is a Raytheon Intelligence, Information and Services (IIS) Cyber Engineering Fellow. He has worked for Raytheon for the last 16+ years performing tasks ranging from programming to system administration and has an extensive web development / programming background spanning 18+ years. His work has included development/integration / architecture / accreditation work on numerous security projects for multiple government programs, internal and external security / wireless assessments, DCID 6/3 compliant web-based single sign-on solutions, PL-4 Controlled Interfaces (guards), reliable human review processes, audit log reduction tools, mail bannering solutions, and several advanced anti-malware IRADs / products / patents. Monty holds the following major degrees and certifications: BBA in Computer Science / Management (double major) from Angelo State University, MS in Network Security from Capitol College, CISSP, ISSEP, ISSAP, GCFE, GAWN-C, GSEC, and serves on the SANS Advisory Board. Monty has previously held the GCIH, GCFA, GREM, GCUX, and GCWN certifications. Monty is also the author of the Windows Forensic Toolchest (WFT). E-mail: Monty_D_McDougal@raytheon.com <mug shot>
April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 18 Abstract Advanced Persistent Threat (APT) Life Cycle Management This presentation will cover the full Advanced Persistent Threat (APT) Life Cycle and Management of the resulting intrusions. It will cover both what the APTs are doing as attackers and what we as defenders should be doing for both the APT Mission Flows and the Computer Network Defense (CND) Mission Flows. The APT Mission Flows cover: Recon / Plan, Attack Phase, Initial Infection, Command and Control, Internal Pivot / Escalation, Data Prep and Exfill, Improve Trade-Craft / Data Analysis The Computer Network Defense (CND) Mission Flows cover: Collect Sensor Data, Data Ingest, Analytics and Alerting, SOC Operations, Incident Response, Analysis and Data Fusion, Improve Trade-Craft / KB

Recommended

Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Yuval Sinay, CISSP, C|CISO
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Advanced Persistent Threat
Advanced Persistent ThreatAdvanced Persistent Threat
Advanced Persistent ThreatAmmar WK
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)Network Intelligence India
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing RansomwareNapier University
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
zero day exploits
zero day exploitszero day exploits
zero day exploitsAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 

Recommended

Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Yuval Sinay, CISSP, C|CISO
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)mmubashirkhan
 
Advanced Persistent Threat
Advanced Persistent ThreatAdvanced Persistent Threat
Advanced Persistent ThreatAmmar WK
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)Network Intelligence India
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing RansomwareNapier University
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
zero day exploits
zero day exploitszero day exploits
zero day exploitsAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015
STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015
STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015Priyanka Aash
 
Honeypot and deception
Honeypot and deceptionHoneypot and deception
Honeypot and deceptionmilad saber
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & BuildSameer Paradia
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsLearningwithRayYT
 
Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)Sqrrl
 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitExploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitCarlos Eduardo
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachAnchises Moraes
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadarPencilData
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPrime Infoserv
 
Petya Ransomware
Petya RansomwarePetya Ransomware
Petya RansomwareSiemplify
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
Honeypot ss
Honeypot ssHoneypot ss
Honeypot ssKajal Mittal
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Realizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityRealizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityOry Segal
 
HONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesHONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesamit kumar
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONSylvain Martinez
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersOllie Whitehouse
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 

More Related Content

What's hot

STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015
STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015
STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015Priyanka Aash
 
Honeypot and deception
Honeypot and deceptionHoneypot and deception
Honeypot and deceptionmilad saber
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & BuildSameer Paradia
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsLearningwithRayYT
 
Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)Sqrrl
 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitExploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitCarlos Eduardo
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachAnchises Moraes
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadarPencilData
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPrime Infoserv
 
Petya Ransomware
Petya RansomwarePetya Ransomware
Petya RansomwareSiemplify
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Realizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityRealizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityOry Segal
 
HONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesHONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesamit kumar
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONSylvain Martinez
 

What's hot (20)

STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015
STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015
STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015
 
Honeypot and deception
Honeypot and deceptionHoneypot and deception
Honeypot and deception
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
 
Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)Threat Hunting Platforms (Collaboration with SANS Institute)
Threat Hunting Platforms (Collaboration with SANS Institute)
 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitExploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data Breach
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
 
Petya Ransomware
Petya RansomwarePetya Ransomware
Petya Ransomware
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Honeypot ss
Honeypot ssHoneypot ss
Honeypot ss
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Realizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application SecurityRealizing the Full Potential of Cloud-Native Application Security
Realizing the Full Potential of Cloud-Native Application Security
 
HONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantagesHONEYPOTS: Definition, working, advantages, disadvantages
HONEYPOTS: Definition, working, advantages, disadvantages
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATION
 

Viewers also liked

Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersOllie Whitehouse
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?anupriti
 
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?festival ICT 2016
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsSameer Thadani
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismGlobal Micro Solutions
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
ShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attackShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attackVladyslav Radetsky
 
Ethical Hacking & Network Security
Ethical Hacking & Network Security Ethical Hacking & Network Security
Ethical Hacking & Network Security Lokender Yadav
 
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Knowledge Group
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsPeter Wood
 
EC-Council Certified Ethical Hacker (CEH) v9 - Hackers are here. Where are you?
EC-Council Certified Ethical Hacker (CEH) v9 - Hackers are here. Where are you?EC-Council Certified Ethical Hacker (CEH) v9 - Hackers are here. Where are you?
EC-Council Certified Ethical Hacker (CEH) v9 - Hackers are here. Where are you?ITpreneurs
 
From Couch To Career In 80 Hours
From Couch To Career In 80 HoursFrom Couch To Career In 80 Hours
From Couch To Career In 80 HoursRob Fuller
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkRob Fuller
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 

Viewers also liked (20)

Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
 
APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?
 
DamballaOverview
DamballaOverviewDamballaOverview
DamballaOverview
 
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent Threats
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivism
 
APT Webinar
APT WebinarAPT Webinar
APT Webinar
 
Modelo apt 1
Modelo apt 1Modelo apt 1
Modelo apt 1
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
ShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attackShadyRAT: Anatomy of targeted attack
ShadyRAT: Anatomy of targeted attack
 
Pentesting with Metasploit
Pentesting with MetasploitPentesting with Metasploit
Pentesting with Metasploit
 
Ethical Hacking & Network Security
Ethical Hacking & Network Security Ethical Hacking & Network Security
Ethical Hacking & Network Security
 
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
EC-Council Certified Ethical Hacker (CEH) v9 - Hackers are here. Where are you?
EC-Council Certified Ethical Hacker (CEH) v9 - Hackers are here. Where are you?EC-Council Certified Ethical Hacker (CEH) v9 - Hackers are here. Where are you?
EC-Council Certified Ethical Hacker (CEH) v9 - Hackers are here. Where are you?
 
CEHV9
CEHV9CEHV9
CEHV9
 
From Couch To Career In 80 Hours
From Couch To Career In 80 HoursFrom Couch To Career In 80 Hours
From Couch To Career In 80 Hours
 
Metasploit magic the dark coners of the framework
Metasploit magic the dark coners of the frameworkMetasploit magic the dark coners of the framework
Metasploit magic the dark coners of the framework
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
 

Similar to NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty McDougal,

network-management Web base.ppt
network-management Web base.pptnetwork-management Web base.ppt
network-management Web base.pptAssadLeo1
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesReliaQuest
 
Mailjet Security Presentation 2017
Mailjet Security Presentation 2017Mailjet Security Presentation 2017
Mailjet Security Presentation 2017Mailjet
 
CIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfCIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfBabyBoy55
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPROIDEA
 
Preparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissancePreparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissanceCloudera, Inc.
 
NTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougal
NTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougalNTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougal
NTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougalNorth Texas Chapter of the ISSA
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault
 
Remote Log Analytics Using DDS, ELK, and RxJS
Remote Log Analytics Using DDS, ELK, and RxJSRemote Log Analytics Using DDS, ELK, and RxJS
Remote Log Analytics Using DDS, ELK, and RxJSSumant Tambe
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationPa Al
 
Network Security & Ethical Hacking
Network Security & Ethical HackingNetwork Security & Ethical Hacking
Network Security & Ethical HackingSripati Mahapatra
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdfMarceloCunha571649
 
Webinar 2.1 - Network protection and devices.pptx
Webinar 2.1 - Network protection and devices.pptxWebinar 2.1 - Network protection and devices.pptx
Webinar 2.1 - Network protection and devices.pptxRoyMurillo4
 
First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625
First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625
First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625pladott1
 
Port of seattle security presentation david morris
Port of seattle security presentation david morrisPort of seattle security presentation david morris
Port of seattle security presentation david morrisEmily2014
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsDemetrio Milea
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkDefCamp
 
Cloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform ServiceCloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform ServiceSoumitra Bhattacharyya
 

Similar to NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty McDougal, (20)

network-management Web base.ppt
network-management Web base.pptnetwork-management Web base.ppt
network-management Web base.ppt
 
Information Security: Advanced SIEM Techniques
Information Security: Advanced SIEM TechniquesInformation Security: Advanced SIEM Techniques
Information Security: Advanced SIEM Techniques
 
Mailjet Security Presentation 2017
Mailjet Security Presentation 2017Mailjet Security Presentation 2017
Mailjet Security Presentation 2017
 
CIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfCIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdf
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
 
Preparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissancePreparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity Renaissance
 
NTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougal
NTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougalNTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougal
NTXISSACSC2 - Kid Proofing the Internet of Things by Monty McDougal
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
 
Remote Log Analytics Using DDS, ELK, and RxJS
Remote Log Analytics Using DDS, ELK, and RxJSRemote Log Analytics Using DDS, ELK, and RxJS
Remote Log Analytics Using DDS, ELK, and RxJS
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/Reputation
 
Network Security & Ethical Hacking
Network Security & Ethical HackingNetwork Security & Ethical Hacking
Network Security & Ethical Hacking
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
 
Webinar 2.1 - Network protection and devices.pptx
Webinar 2.1 - Network protection and devices.pptxWebinar 2.1 - Network protection and devices.pptx
Webinar 2.1 - Network protection and devices.pptx
 
First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625
First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625
First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Port of seattle security presentation david morris
Port of seattle security presentation david morrisPort of seattle security presentation david morris
Port of seattle security presentation david morris
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security Analytics
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 
Cloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform ServiceCloud monitoring - An essential Platform Service
Cloud monitoring - An essential Platform Service
 

More from North Texas Chapter of the ISSA

Ntxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediationNtxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediationNorth Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczulNtxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczulNorth Texas Chapter of the ISSA
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNorth Texas Chapter of the ISSA
 
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNtxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNtxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNtxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNtxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill whiteNtxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill whiteNorth Texas Chapter of the ISSA
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNorth Texas Chapter of the ISSA
 

More from North Texas Chapter of the ISSA (20)

Purple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcuttPurple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcutt
 
Ntxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cepNtxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cep
 
Ntxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediationNtxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediation
 
Ntxissacsc5 gold 1 mimecast e mail resiliency
Ntxissacsc5 gold 1 mimecast e mail resiliencyNtxissacsc5 gold 1 mimecast e mail resiliency
Ntxissacsc5 gold 1 mimecast e mail resiliency
 
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
 
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersenNtxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
 
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykesNtxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
 
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc groupNtxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
 
Ntxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompsonNtxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompson
 
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczulNtxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
 
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florerNtxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
 
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNtxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNtxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
 
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNtxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNtxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill whiteNtxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
 
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_muellerNtxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
 

Recently uploaded

Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolinonuriaiuzzolino1
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftAanSulistiyo
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxgalaxypingy
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 

Recently uploaded (20)

Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Power point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria IuzzolinoPower point inglese - educazione civica di Nuria Iuzzolino
Power point inglese - educazione civica di Nuria Iuzzolino
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptx
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 

NTXISSACSC2 - Advanced Persistent Threat (APT) Life Cycle Management Monty McDougal,

  • 1. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 1 2015 NTX-ISSA Cyber Security Conference (Spring) Copyright © 2015 Raytheon Company. All rights reserved. Advanced Persistent Threat (APT) Life Cycle Management
  • 2. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 2 APT Life Cycle SOC Analyst investigates alert & raises Security Incident. 7 Remediation team carries out actions and closes incident. 8 User’s machine passed to the Forensics Lab for analysis. Malware Lab generates new IOCs. 9 Threat Fusion Teams conducts attribution analysis on Attack Group; tasks probes with new signature and behaviours; and informs external partners (depending on policy). 10 ALERT Correlated Events 6 User/Machine/IP (AD Log Entry) Browsing History HTTP Request DNS Requests Proxy Log Entries Netflow Log Entries Collected by Network Probe: From devices within Network: 4 APT compromises supplier website / sends email attachment to an internal user. 1 User visits compromised website and/or opens infected attachment. 2 Software downloaded to User’s machine Regular successful connections to camouflaged C2 domain FTP connections over non- standard port 3 Automated Data Analysis Reveals Behaviours: 5 Beaconing Unknown Software Downloaded Camouflaged C2 Domain Invalid Port/Protocol Combination DNS Requests contain keywords SOC Tier ISOC Tier II+ Advanced Persistent Threat(s)
  • 3. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 3 Typical APT Primary Mission Flows • Recon / Plan • Attack Phase • Initial Infection • Command & Control • Internal Pivot / Escalation • Data Prep and Exfill • Improve Trade-Craft / Data Analysis - Update Knowledge Base Recon / Plan Attack Phase Initial Infection Command & Control Internal Pivot / Escalation Data Prep and Exfill Improve Trade-Craft / Data Analysis Knowledge Base
  • 4. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 4 Recon / Plan • Attackers - Open Source Collection and Target Identification - Attack and Command & Control (C2) Domain Setup / Registration - C2 Framework Development (Usually Custom)  Persistence and Stealth  Reverse Shell Access (On Beacon) Primary Goal • Defenders - Open Source Foot Printing - Understand How Attackers See You - Information Sharing and Open Source Intel Collection on Attackers / Tools / Underground Sites - Prepare Defensive Controls  Training for all, more for High-Value / High-Exposure Users  Canaries / Miss-Information – to Detect / Mislead Attackers  Update Defensive Controls… w/ Intel from Above
  • 5. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 5 Attack Phase • Attackers - Gain initial foothold once attack code is executed - Prepare and package 0-Day or N-Day Exploits - Embed customized exploit and payload (no previous signatures) - Make sure attack is not detected by conventional detection tools - Utilize Previous Research to Attack Likely Targets via Spear- Phishing and/or Water-Hole Attack - Gain initial foothold once attack code is executed • Defenders - Hopefully have pre-deployed defenses against these attacks - Advanced Anti-Malware for Email / Web (behavioral analysis) - Sensors Configured To Alert / Log to SIEM - Updated AV, Patching, Limited Admin, and Other Controls - Disrupting or Limiting Egress Traffic - Good Intel to Pre-Blacklist / Pre Gray-Listing C2 domains is effective
  • 6. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 6 Initial Infection / Command & Control (C2) • Attackers - Ride the “Initial Infection” (reverse shell) into the enterprise  Usually done near real-time (the initial attack is not usually persistent) - Escalation of initial foothold via installation of one or more Command and Control (C2) binaries that beacon out and wait for instructions / reverse shell - Get additional login credentials and beacon hosts - “A Team” and “B Team” hand-off • Defenders - Defenders quickly to triage this initial access and prevent C2 client installations - Disruption of this C2 (and Initial Infection) is highly valuable when achievable - Good credential management, limiting admin rights, and multi-factor auth help greatly (as does restricting or not enabling RDP) - Heuristically looking for unusual login times, unusual RDP use, or “beacon tells” - White-Listing of known executables does wonders to prevent this stage - Don’t let servers connect to the internet unless to a White-List site - Backdoors and side-doors into your network need to be defended
  • 7. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 7 Internal Pivot / Escalation • Attackers - At this point the “B Team” (collection specialists) are usually in control of the operation  Attackers use RDP over the Web C2 as it beacons out  Will often use previously compromised credentials to move between hosts and look for data (traffic will fan out from these C2 client hosts) - Escalate credentials and look for pivot points between networks - Sometimes the “B Team” asks the “A Team” to further enable their access… - Attackers will identify data and systems for exfill • Defenders - Good credential management, limiting admin rights, and multi- factor auth help greatly (as does restricting or not enabling RDP) - Heuristically looking for unusual login times / “beacon tells” / unusual uses of RDP / unusual data movements (volumes, types of data)
  • 8. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 8 Data Prep and Exfill • Attackers - Attackers will collect data and move it to a host for exfill  Of note these hosts are usually not the originally compromised host nor one of the C2 client hosts or first-hops off that host - Data will be in encrypted archive (often RAR, sometimes ZIP) - When enough data has been collected it will be sent back to the attacker via FTP, Email, HTTP/HTTPS (including web email) are their favorite protocols - Often the remote endpoint is not a previously used domain - Any intermediary files / tools will be securely deleted from host • Defenders - Watch for uncharacteristic file types (RAR, ACE, GZIP, etc.) - Heuristic watch for unusual data collection points / transfers (internal hosts) - Watch for large bundled data transfers out of your network
  • 9. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 9 Improve Trade-Craft / Data Analysis (APT) • Attackers - Receives data (new external host) and sends to home base for analysis - Attackers extract the archive(s) and analyze the data - Data analysis yields collection requirements to be executed - Attackers will track and monitor C2 beacon hosts and come back in and re-infect if your IT staff gets too good at finding their C2 hosts  If they lose access they will restart the recon / attack phase - Attackers use their previous Intel of network info, download personnel lists / email addresses, identified admin and admin hosts, dumped AD / SAM files, documented / identified key information flows / information brokers to facilitate and plan future attacks • Defenders - Defenders have limited options in this phase - Innovation, unpredictable / evolving defenses help
  • 10. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 10 Typical CND Primary Mission Flows • Collect Sensor Data • Data Ingest • Analytics and Alerting • SOC Operations • Incident Response • Analysis and Data Fusion • Improve Trade-Craft / KB - Update Sensors / Active Defense - Update Knowledge Base / Manage Threat & Risk Sensors: Client & Gateway Data Ingest Analytics and Alerting SOC Operations Incident Response Analysis and Data Fusion Improve Trade-Craft / KB Knowledge Base
  • 11. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 11 Collect Sensor Data / Data Ingest • Attackers - Improving Trade-Craft to evade sensors - Attackers will look for side door / back door not being watched - Attackers test packages against your AVs / IDSes to avoid detection • Defenders - Sensors will block some of the attacks on your network (good Intel helps) - Network choke points used to watch the traffic crossing them - Watch ingress / egress traffic (egress may be of higher value) - Lock and watch any side doors / back doors to your network - Log / ingest as much as possible / practical to analytics / SIEMs - Perform as much full packet / netflow capture as possible - Collect at the perimeter of the network and at “crown jewels” of your network
  • 12. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 12 Analytics and Alerting • Attackers - Use low and slow / fragmented attacks to avoid detection - Attempt to overload your sensors with data and/or false positives to make the analysis and alerting more difficult to process • Defenders - Collect as much data as you can process and store, but focus on the most critical alerts first - The value of your analytics & alerting will be a direct function of:  The tools you are using  The value added Intel / signatures you generate internally, you buy, or you get from your friends and family network  The timeliness and accuracy of your alerts to the SOC - Running internally developed tools in addition to commercial tools likely will add additional value - A thorough understanding of the “normal baseline” helps for identifying “anomalies”
  • 13. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 13 SOC Operations • Attackers - Attackers have limited activities during CND Mission Flow / SOC Operations - Will target SOC users to be able to understand / watch your defenses • Defenders - Standup of a dedicated SOC is essential to counter sophisticated threats  Need solutions that address business and off hours  Many of the APTs will not be working your business hours or will target attacks just before normal working hours end - SOC staff training is important as the SOC ends up being the first responders and decides how the alerts are processed  Escalate alerts, filter out obvious noise, cleanup obvious attacks - Reporting and measuring of SOC effectiveness is critical to management support and improvement in operation - Improving “cycle time” for all SOC functions is critical
  • 14. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 14 Analysis and Data Fusion • Attackers - Attackers have limited activities during Analysis and Data Fusion - Many APTs are however improving their Trade-Craft to combat these functions by being more sophisticated in their C2 use • Defenders - Analysis and data fusion is critical to an advanced SOC - Internal Analysis of malware, indicators, and threats  Extraction of C2 resources, analysis, and signature generation  Analysis and OSINT on attackers for predictive purposes  Tracking of campaigns by threat actors, understanding of who in your org is being targeted and how/why  Updating internal defenses from all above - External coordination of malware, indicators, and threats  Sourcing indicator data from open, commercial, and friends/family sources  Managing how / what you will share with others
  • 15. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 15 Improve Trade-Craft / KB (Defenders) • Attackers - Attackers Trade-Craft is improved in their attack lifecycle • Defenders - Implement lessons learned and do root cause analysis - Migrate defense from reactive to proactive and try get in front of the attackers with strong analysis and information sharing functions  Exploit open source, commercial, and industry data feeds - Continuously strive to improve efficiencies in defensive operations  Drive dwell time to zero (as a goal)  Automate the things that can be automated  Provide updated training to your defenders and your end users - Keep intel on attackers, attacks, threats, and targets current - Your network is not static – make sure your defenses are not
  • 16. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 16 Questions?
  • 17. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 17 Presenter Bio Monty D. McDougal is a Raytheon Intelligence, Information and Services (IIS) Cyber Engineering Fellow. He has worked for Raytheon for the last 16+ years performing tasks ranging from programming to system administration and has an extensive web development / programming background spanning 18+ years. His work has included development/integration / architecture / accreditation work on numerous security projects for multiple government programs, internal and external security / wireless assessments, DCID 6/3 compliant web-based single sign-on solutions, PL-4 Controlled Interfaces (guards), reliable human review processes, audit log reduction tools, mail bannering solutions, and several advanced anti-malware IRADs / products / patents. Monty holds the following major degrees and certifications: BBA in Computer Science / Management (double major) from Angelo State University, MS in Network Security from Capitol College, CISSP, ISSEP, ISSAP, GCFE, GAWN-C, GSEC, and serves on the SANS Advisory Board. Monty has previously held the GCIH, GCFA, GREM, GCUX, and GCWN certifications. Monty is also the author of the Windows Forensic Toolchest (WFT). E-mail: Monty_D_McDougal@raytheon.com <mug shot>
  • 18. April 24-25, 2015 2015 NTX-ISSA Cyber Security Conference (Spring) 18 Abstract Advanced Persistent Threat (APT) Life Cycle Management This presentation will cover the full Advanced Persistent Threat (APT) Life Cycle and Management of the resulting intrusions. It will cover both what the APTs are doing as attackers and what we as defenders should be doing for both the APT Mission Flows and the Computer Network Defense (CND) Mission Flows. The APT Mission Flows cover: Recon / Plan, Attack Phase, Initial Infection, Command and Control, Internal Pivot / Escalation, Data Prep and Exfill, Improve Trade-Craft / Data Analysis The Computer Network Defense (CND) Mission Flows cover: Collect Sensor Data, Data Ingest, Analytics and Alerting, SOC Operations, Incident Response, Analysis and Data Fusion, Improve Trade-Craft / KB