Standardized Threat Indicators Tenable Formatted Indicator Export Adversary Analysis (Pivoting) - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Standardized Threat Indicators Tenable Formatted Indicator Export Adversary Analysis (Pivoting)' - sumi

Standardized Threat Indicators

  • Tenable Formatted Indicator Export
  • Adversary Analysis (Pivoting)
  • Private and Community Incident Correlation
  • ThreatConnect Intelligence Research Team (TCIRT)
  • Community Notifications
Slide Sections
  • Using Address Indicators with SecurityCenter
  • Using File Indicators with SecurityCenter
  • Using Host Indicators with SecurityCenter
  • Using URL Indicators with SecurityCenter
  • Using File Indicators with Nessus
Using Address Indicators with SecurityCenter
  • Step 1 – Export Address Indicators Using Tenable Format
  • Step 2 – Create a Watchlist from Address Indicators
  • Step 3 – Filter Events by Watchlist
  • Step 4 – (Optional) Create Query for 3D Tool
  • Step 5 – Save Asset List of All Addresses
  • Step 6 – Perform Audit Analysis Using Asset List
  • Step 7 – Perform Event Analysis Using Asset List
  • Step 8 – (Optional) Create List of Internal Addresses
  • Step 9 – (Optional) Nessus Audit of Internal Addresses
Step 3 – Filter Events by Watchlist

Inbound or outbound

If there aren’t any events after applying the filters, there’s no need to continue with the further steps.

Step 6 – Perform Audit Analysis Using Asset List

Recommended Reading – Predicting Attack Paths

Step 7 – Perform Event Analysis Using Asset List

Recommended Reading – Tenable Event Correlation
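The address-indicator procedure above (watchlist, inbound-or-outbound event filter, asset list of all addresses, optional list of internal addresses) boils down to a set of address matches that can be expressed outside the SecurityCenter UI. The following is an added example written for this page, not code from the deck or from Tenable or ThreatConnect. The indicator values, internal network ranges and flow events are all constructed (RFC 5737 documentation ranges), and the simple (source, destination, type) event shape is an assumption standing in for real SecurityCenter event fields.

```python
import ipaddress

# Constructed address indicators as they might come out of the Tenable-format export.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real IoCs.
ADDRESS_INDICATORS = ["203.0.113.10", "198.51.100.0/24"]

# Constructed internal address space, used for the optional Step 8 list.
INTERNAL_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]

# Constructed flow events: (source address, destination address, event type).
EVENTS = [
    ("10.1.2.3", "203.0.113.10", "web-access"),
    ("198.51.100.77", "10.1.2.4", "ssh"),
    ("10.1.2.5", "8.8.8.8", "dns"),
    ("192.168.1.9", "198.51.100.200", "smtp"),
    ("10.1.2.3", "203.0.113.10", "web-access"),
]


def build_watchlist(indicators):
    """Step 2: turn exported address indicators into a watchlist of networks.

    strict=False lets a bare host address become a /32 network, so single
    addresses and CIDR ranges are handled uniformly.
    """
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def in_watchlist(addr, watchlist):
    """True if the address falls inside any watchlist network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in watchlist)


def filter_events_by_watchlist(events, watchlist):
    """Step 3: keep events that touch the watchlist in either direction.

    A watchlist hit on the source is an inbound event, a hit on the
    destination is outbound. An empty result means there is no need to
    continue with the remaining steps.
    """
    hits = []
    for src, dst, etype in events:
        src_hit = in_watchlist(src, watchlist)
        dst_hit = in_watchlist(dst, watchlist)
        if src_hit or dst_hit:
            direction = "inbound" if src_hit else "outbound"
            hits.append((src, dst, etype, direction))
    return hits


def asset_list_all_addresses(hits):
    """Step 5: every address involved in a matching event, deduplicated and sorted."""
    addrs = {a for src, dst, _, _ in hits for a in (src, dst)}
    return sorted(addrs, key=ipaddress.ip_address)


def internal_addresses(asset_list, internal_networks):
    """Step 8: the subset of the asset list inside internal address space.

    These are the hosts that would be candidates for the optional Nessus
    audit in Step 9.
    """
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    return [a for a in asset_list
            if any(ipaddress.ip_address(a) in n for n in nets)]


if __name__ == "__main__":
    watchlist = build_watchlist(ADDRESS_INDICATORS)
    hits = filter_events_by_watchlist(EVENTS, watchlist)
    for src, dst, etype, direction in hits:
        print(f"{direction:8s} {etype:10s} {src} -> {dst}")
    assets = asset_list_all_addresses(hits)
    print("asset list:", assets)
    print("internal:", internal_addresses(assets, INTERNAL_NETWORKS))
```

With the constructed data, four of the five events match (three outbound to the watchlist, one inbound from it), the asset list contains six addresses, and the internal list narrows that to the three internal hosts that talked to an indicator.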

Using File Indicators with SecurityCenter
  • Step 1 – Export Hashes Using Tenable Format
  • Step 2 – Upload Hashes to Scan Policy
  • Step 3 – Perform a Scan Using Credentials
  • Step 4 – Review Scan Results
  • Step 5 – Save Asset List of Infected Hosts
  • Step 6 – Perform Audit Analysis Using Asset List
  • Step 7 – Perform Event Analysis Using Asset List
  • Step 8 – (Optional) Use Asset List with 3D Tool
Step 2 – Upload Hashes to Scan Policy

Recommended Reading – Malware Detection and Forensics Scan Configuration

Step 3 – Perform a Scan Using Credentials

Recommended Reading – Nessus Credential Checks for UNIX and Windows

Step 4 – Review Scan Results

If there aren’t any infected hosts, there’s no need to continue with the further steps.

Step 6 – Perform Audit Analysis Using Asset List

Recommended Reading – Predicting Attack Paths

Step 7 – Perform Event Analysis Using Asset List

Recommended Reading – Tenable Event Correlation

Using Host Indicators with SecurityCenter
  • Step 1 – Filter Events by Host
  • Step 2 – Perform Further Analysis

Recommended Reading – Using Log Correlation Engine to Monitor DNS

Step 2 – Perform Further Analysis

See the slides for “Using ThreatConnect Address Indicators”, steps 5 through 9, if events are found after applying the filters.

Filtering by the domain summary event before saving the asset list gives you a list of only those hosts that performed a DNS lookup for the host indicator.

Using URL Indicators with SecurityCenter
  • Step 1 – Divide Host and Location from URL
  • Step 2 – Filter Events by Host
  • Step 3 – Save Asset List
  • Step 4 – Filter Events by Location
  • Step 5 – Perform Further Analysis
Step 2 – Filter Events by Host

Use web-access in the Type filter.

Use the Host in the Syslog Text filter.

If there aren’t any events after applying the filters, there’s no need to continue with the further steps.

Step 4 – Filter Events by Location

Use the Asset List in the Source Asset filter.

Use the Location in the Syslog Text filter.

If there aren’t any events after applying the filters, there’s no need to continue with the further steps.

Step 5 – Perform Further Analysis

See the slides for “Using ThreatConnect Address Indicators”, steps 5 through 9, if events are found after applying the filters.

Steps 1 through 4 perform an intersection, but only by host: Step 4 matches the Location against events from the hosts saved in Step 3, not against the same event that matched the Host. Verify that the URL is matched correctly by looking at the web-access event details in Step 4. We will then create a second and final asset list to use for further analysis.
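The URL-indicator procedure is a two-stage filter: split the URL into Host and Location, filter web-access events by Host, save the source assets, then filter again by Location with that asset list as the Source Asset filter. The following is an added example written for this page, not code from the deck or from Tenable or ThreatConnect; it shows the intersection the steps perform, why it is only "by host", and the verification the slides call for. The URL indicator, the event records and their `type`/`source`/`text` fields (stand-ins for the Type, Source Asset and Syslog Text filters) are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed URL indicator. example.net is a reserved documentation domain, not a real IoC.
URL_INDICATOR = "http://malware.example.net/update/payload.bin"

# Constructed SecurityCenter-style events. The field names are assumptions for this
# example: "type" plays the Type filter, "source" the Source Asset filter and
# "text" the Syslog Text filter.
WEB_ACCESS_EVENTS = [
    {"type": "web-access", "source": "10.1.2.3", "text": "GET http://malware.example.net/update/payload.bin 200"},
    {"type": "web-access", "source": "10.1.2.4", "text": "GET http://malware.example.net/index.html 200"},
    {"type": "dns",        "source": "10.1.2.5", "text": "query malware.example.net A"},
    {"type": "web-access", "source": "10.1.2.6", "text": "GET http://benign.example.com/update/payload.bin 200"},
    {"type": "web-access", "source": "10.1.2.7", "text": "GET http://malware.example.net/index.html 200"},
    {"type": "web-access", "source": "10.1.2.7", "text": "GET http://other.example.com/update/payload.bin 200"},
]


def split_indicator(url):
    """Step 1: divide a URL indicator into its Host and Location (path plus query)."""
    parts = urlsplit(url)
    host = parts.hostname          # lower-cased, port removed
    location = parts.path or "/"
    if parts.query:
        location += "?" + parts.query
    return host, location


def filter_by_host(events, host):
    """Step 2: Type filter = web-access, Syslog Text filter = Host (substring match)."""
    return [e for e in events if e["type"] == "web-access" and host in e["text"]]


def save_asset_list(events):
    """Steps 3 and 5: the distinct source assets of the matching events."""
    return sorted({e["source"] for e in events})


def filter_by_location(events, asset_list, location):
    """Step 4: Source Asset filter = asset list from Step 3, Syslog Text filter = Location."""
    assets = set(asset_list)
    return [e for e in events
            if e["type"] == "web-access" and e["source"] in assets and location in e["text"]]


def pivot_by_host_then_location(events, url):
    """Steps 1 through 5 as the slides describe them: an intersection by host."""
    host, location = split_indicator(url)
    by_host = filter_by_host(events, host)
    if not by_host:
        return []                  # no events, so no need to continue with further steps
    first_asset_list = save_asset_list(by_host)
    by_location = filter_by_location(events, first_asset_list, location)
    return save_asset_list(by_location)   # second and final asset list


def verified_asset_list(events, url):
    """The check the slides ask for in Step 4: Host and Location must appear in the
    same web-access event, not merely in two different events from the same host.
    Assumes the event text carries the URL without a port, as the constructed data does."""
    host, location = split_indicator(url)
    candidates = set(pivot_by_host_then_location(events, url))
    confirmed = [e for e in events
                 if e["type"] == "web-access" and e["source"] in candidates
                 and (host + location) in e["text"]]
    return save_asset_list(confirmed)


if __name__ == "__main__":
    print("host/location:", split_indicator(URL_INDICATOR))
    print("by host then location:", pivot_by_host_then_location(WEB_ACCESS_EVENTS, URL_INDICATOR))
    print("verified:", verified_asset_list(WEB_ACCESS_EVENTS, URL_INDICATOR))
```

In the constructed data, 10.1.2.7 fetched a page from the indicator host and, in a separate event, the indicator path from an unrelated host, so it survives the Step 4 intersection even though it never requested the full URL; checking the web-access details drops it and leaves only 10.1.2.3. Because the Syslog Text filter is a substring match, a Host such as `example.net` would also match longer hostnames that end in it, which is another reason to inspect the matching event details before saving the final asset list.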

Using File Indicators with Nessus
  • Step 1 – Export Hashes Using Tenable Format
  • Step 2 – Use Windows Malware Scan Wizard
  • Step 3 – Perform Scan and Review Results