Standardized Threat Indicators, Indicator Export, Adversary Analysis (Pivoting)
• Standardized Threat Indicators
• Indicator Export
• Adversary Analysis (Pivoting)
• Private and Community Incident Correlation
• ThreatConnect Intelligence Research Team (TCIRT)
• Community Notifications
Slide Sections
• Using Address Indicators with SecurityCenter
• Using File Indicators with SecurityCenter
• Using Host Indicators with SecurityCenter
• Using URL Indicators with SecurityCenter
• Using File Indicators with Nessus
Using Address Indicators with SecurityCenter
• Step 1 – Extract Address Indicators
• Step 2 – Create a Watchlist from Address Indicators
• Step 3 – Filter Events by Watchlist
• Step 4 – (Optional) Create Query for 3D Tool
• Step 5 – Save Asset List of All Addresses
• Step 6 – Perform Audit Analysis Using Asset List
• Step 7 – Perform Event Analysis Using Asset List
• Step 8 – (Optional) Create List of Internal Addresses
• Step 9 – (Optional) Nessus Audit of Internal Addresses
Step 1 – Extract Address Indicators
Step 2 – Create a Watchlist from Address Indicators
Step 3 – Filter Events by Watchlist
Inbound or outbound
Step 4 – (Optional) Create Query for 3D Tool
Step 5 – Save Asset List of All Addresses
Step 6 – Perform Audit Analysis Using Asset List
Recommended Reading – Predicting Attack Paths
Step 7 – Perform Event Analysis Using Asset List
Recommended Reading – Tenable Event Correlation
Step 8 – (Optional) Create List of Internal Addresses Only
Step 9 – (Optional) Nessus Audit of Internal Addresses
Using File Indicators with SecurityCenter
• Step 1 – Extract Hashes
• Step 2 – Upload Hashes to Scan Policy
• Step 3 – Perform a Scan Using Credentials
• Step 4 – Review Scan Results
• Step 5 – Save Asset List of Infected Hosts
• Step 6 – Perform Audit Analysis Using Asset List
• Step 7 – Perform Event Analysis Using Asset List
• Step 8 – (Optional) Use Asset List with 3D Tool
Step 1 – Extract Hashes
Step 2 – Upload Hashes to Scan Policy
Step 3 – Perform a Scan Using Credentials
Recommended Reading – Nessus Credential Checks for UNIX and Windows
Step 4 – Review Scan Results
Step 5 – Save Asset List of Infected Hosts
Step 6 – Perform Audit Analysis Using Asset List
Recommended Reading – Predicting Attack Paths
Step 7 – Perform Event Analysis Using Asset List
Recommended Reading – Tenable Event Correlation
Step 8 – (Optional) Use Asset List with 3D Tool
Using Host Indicators with SecurityCenter
• Step 1 – Filter Events by Host
• Step 2 – Perform Further Analysis
Recommended Reading – Using Log Correlation Engine to Monitor DNS
Step 1 – Filter Events by Host
Step 2 – Perform Further Analysis
See the “Using ThreatConnect Address Indicators” slides, steps 5 through 9.
Filtering on the domain summary event before saving the asset list yields only those hosts that performed a DNS lookup for the host indicator, rather than every host that touched it.
Using URL Indicators with SecurityCenter
• Step 1 – Divide Host and Location from URL
• Step 2 – Filter Events by Host
• Step 3 – Save Asset List
• Step 4 – Filter Events by Location
• Step 5 – Perform Further Analysis
Step 1 – Divide Host and Location from URL
Step 2 – Filter Events by Host
Use the host portion of the URL in the Syslog Text filter.
Use web-access in the Type filter.
Step 3 – Save Asset List
Step 4 – Filter Events by Location
Use the location portion of the URL in the Syslog Text filter.
Use the asset list saved in Step 3 in the Source Asset filter.
Step 5 – Perform Further Analysis
See the “Using ThreatConnect Address Indicators” slides, steps 5 through 9.
This step creates a second and final asset list for further analysis. Steps 1 through 4 perform an intersection of the host match and the location match, but the intersection is by host rather than by full URL, so verify that the URL matched correctly by checking the web-access event details in Step 4.
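The "extract" steps in this deck (Address Step 1, File Step 1, and URL Step 1 above) all start from the same indicator export and end with per-type lists to paste into a watchlist, a scan policy, or the Syslog Text filter. The script below is an added example, not part of the deck and not ThreatConnect or Tenable code; it assumes a CSV export with a Type column and a Summary column (an assumption about the export format) and uses a constructed sample. It buckets the indicators by type, validates addresses and hashes so a typo does not end up in a watchlist, and divides each URL into the host and the location (path plus query) that Steps 2 and 4 of the URL section filter on.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of a ThreatConnect-style indicator export (assumed layout:
# a Type column and a Summary column). Values are made up for this example;
# the two valid digests are the MD5 and SHA1 of an empty input.
SAMPLE_EXPORT = """Type,Summary
Address,198.51.100.23
Address,203.0.113.7
Address,not-an-ip
File,d41d8cd98f00b204e9800998ecf8427e
File,DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
File,zz41d8cd98f00b204e9800998ecf8427e
Host,Bad.Example.
URL,http://bad.example/downloads/update.php?id=1
URL,https://203.0.113.7:8443/login
URL,/relative/path
"""

# Hex-digest lengths SecurityCenter/Nessus malware scan policies accept.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def split_url(url):
    """Divide a URL indicator into (host, location).

    Location is the path plus the query string, which is what a web-access
    event carries after the host; an empty path is normalized to "/".
    """
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"URL indicator has no host: {url!r}")
    location = parts.path or "/"
    if parts.query:
        location += "?" + parts.query
    return parts.hostname.lower(), location


def split_indicators(csv_text):
    """Bucket an indicator export by type, normalizing and validating values.

    Returns lists under 'address', 'file', 'host' and 'url' (host, location
    tuples). Rows that fail validation go to 'rejected' with the reason, so a
    bad row is visible instead of silently dropped from the watchlist.
    """
    out = {"address": [], "file": [], "host": [], "url": [], "rejected": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind, value = row["Type"].strip(), row["Summary"].strip()
        try:
            if kind == "Address":
                # ip_address() raises ValueError on anything that is not an IP.
                out["address"].append(str(ipaddress.ip_address(value)))
            elif kind == "File":
                digest = value.lower()
                if len(digest) not in HASH_LENGTHS or any(
                    c not in "0123456789abcdef" for c in digest
                ):
                    raise ValueError("not an MD5/SHA1/SHA256 hex digest")
                out["file"].append(digest)
            elif kind == "Host":
                # Lower-case and drop a trailing dot so the value matches log text.
                out["host"].append(value.lower().rstrip("."))
            elif kind == "URL":
                out["url"].append(split_url(value))
            else:
                raise ValueError(f"unknown indicator type {kind!r}")
        except ValueError as exc:
            out["rejected"].append((kind, value, str(exc)))
    return out


if __name__ == "__main__":
    buckets = split_indicators(SAMPLE_EXPORT)
    print("Watchlist (addresses):", *buckets["address"], sep="\n  ")
    print("Scan policy (hashes):", *buckets["file"], sep="\n  ")
    print("Host filter values:", *buckets["host"], sep="\n  ")
    for host, location in buckets["url"]:
        print(f"URL -> Syslog Text host={host!r} location={location!r}")
    for kind, value, why in buckets["rejected"]:
        print(f"REJECTED {kind} {value!r}: {why}")
```

The `rejected` bucket is the check worth keeping: an address that does not parse or a hash with a stray character would otherwise become a watchlist or scan-policy entry that can never match, and the analyst would read the empty result as "no hits" rather than "bad indicator".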
Using File Indicators with Nessus
• Step 1 – Extract Hashes
• Step 2 – Use Windows Malware Scan Wizard
• Step 3 – Perform Scan and Review Results
Step 1 – Extract Hashes
Step 2 – Use Windows Malware Scan Wizard
Step 3 – Perform Scan and Review Results