1 / 36

Standardized Threat Indicators Tenable Formatted Indicator Export Adversary Analysis (Pivoting)

Standardized Threat Indicators Tenable Formatted Indicator Export Adversary Analysis (Pivoting) Private and Community Incident Correlation ThreatConnect Intelligence Research Team (TCIRT) Community Notifications. Slide Sections. Using Address Indicators with SecurityCenter

sumi
Download Presentation

Standardized Threat Indicators Tenable Formatted Indicator Export Adversary Analysis (Pivoting)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Standardized Threat Indicators • Tenable Formatted Indicator Export • Adversary Analysis (Pivoting) • Private and Community Incident Correlation • ThreatConnect Intelligence Research Team (TCIRT) • Community Notifications

  2. Slide Sections • Using Address Indicators with SecurityCenter • Using File Indicators with SecurityCenter • Using Host Indicators with SecurityCenter • Using URL Indicators with SecurityCenter • Using File Indicators with Nessus

  3. Using Address Indicators with SecurityCenter • Step 1 – Export Address Indicators Using Tenable Format • Step 2 – Create a Watchlist from Address Indicators • Step 3 – Filter Events by Watchlist • Step 4 – (Optional) Create Query for 3D Tool • Step 5 – Save Asset List of All Addresses • Step 6 – Perform Audit Analysis Using Asset List • Step 7 – Perform Event Analysis Using Asset List • Step 8 – (Optional) Create List of Internal Addresses • Step 9 – (Optional) Nessus Audit of Internal Addresses

  4. Step 1 – Export Address Indicators Using Tenable Format

  5. Step 2 – Create a Watchlist from Address Indicators

  6. Step 3 – Filter Events by Watchlist Inbound or outbound If there aren’t events after applying filters there’s no need to continue with further steps.

  7. Step 4 – (Optional) Create Query for 3D Tool

  8. Step 5 – Save Asset List of All Addresses

  9. Step 6 – Perform Audit Analysis Using Asset List Recommended Reading – Predicting Attack Paths

  10. Step 7 – Perform Event Analysis Using Asset List Recommended Reading – Tenable Event Correlation

  11. Step 8 – (Optional) Create List of Internal Addresses Only

  12. Step 9 – (Optional) Nessus Audit of Internal Addresses

  13. Using File Indicators with SecurityCenter • Step 1 – Export Hashes Using Tenable Format • Step 2 – Upload Hashes to Scan Policy • Step 3 – Perform a Scan Using Credentials • Step 4 – Review Scan Results • Step 5 – Save Asset List of Infected Hosts • Step 6 – Perform Audit Analysis Using Asset List • Step 7 – Perform Event Analysis Using Asset List • Step 8 – (Optional) Use Asset List with 3D Tool

  14. Step 1 – Export Hashes Using Tenable Format

  15. Step 2 – Upload Hashes to Scan Policy Recommended Reading – Malware Detection and Forensics Scan Configuration

  16. Step 3 – Perform a Scan Using Credentials Recommended Reading – Nessus Credential Checks for UNIX and Windows

  17. Step 4 – Review Scan Results If there aren’t infected hosts there’s no need to continue with further steps.

  18. Step 5 – Save Asset List of Infected Hosts

  19. Step 6 – Perform Audit Analysis Using Asset List Recommended Reading – Predicting Attack Paths

  20. Step 7 – Perform Event Analysis Using Asset List Recommended Reading – Tenable Event Correlation

  21. Step 8 – (Optional) Use Asset List with 3D Tool

  22. Using Host Indicators with SecurityCenter • Step 1 – Filter Events by Host • Step 2 – Perform Further Analysis Recommended Reading – Using Log Correlation Engine to Monitor DNS

  23. Step 1 – Filter Events by Host

  24. Step 2 – Perform Further Analysis See slides for “Using ThreatConnect Address Indicators” steps 5 through 9 if there are events found after applying filters. Filtering by the domain summary event before saving the asset list will get you a list of only those hosts that performed a DNS lookup for the host indicator.

  25. Using URL Indicators with SecurityCenter • Step 1 – Divide Host and Location from URL • Step 2 – Filter Events by Host • Step 3 – Save Asset List • Step 4 – Filter Events by Location • Step 5 – Perform Further Analysis

  26. Step 1 – Divide Host and Location from URL

  27. Step 2 – Filter Events by Host Use web-access in Type filter If there aren’t events after applying filters there’s no need to continue with further steps. Use Host in Syslog Text filter

  28. Step 3 – Save Asset List

  29. Step 4 – Filter Events by Location Use Asset List in Source Asset filter If there aren’t events after applying filters there’s no need to continue with further steps. Use Location in Syslog Text filter

  30. Step 5 – Perform Further Analysis See slides for “Using ThreatConnect Address Indicators” steps 5 through 9 if there are events found after applying filters. We will be creating a second and final asset list to use for further analysis. Verify the URL is matched correctly by looking at the web-access details in Step 4. Steps 1 through 4 perform an intersection; however, it’s by host.

  31. Using File Indicators with Nessus • Step 1 – Export Hashes Using Tenable Format • Step 2 – Use Windows Malware Scan Wizard • Step 3 – Perform Scan and Review Results

  32. Step 1 – Export Hashes Using Tenable Format

  33. Step 2 – Use Windows Malware Scan Wizard

  34. Step 3 – Perform Scan and Review Results

More Related