Adversary Detection Pipelines: Finally Making Your Threat Intel Useful

Presented at THOTCON 0xB (2021) Rescheduled, Oct. 8, 2021, 2 p.m. (25 minutes)

I plan on discussing the pain points to threat intel and sharing that this presentation is not for the Microsofts and Targets of the world but instead for the orgs that want to get more value out of their small CTI team. I'll discuss why true attribution is a bad idea for most organizations with real world examples. Then, I will provide real world examples of how TTPs can help an organization better by knowing the What and How (TTPs) versus the Who and Why (true attribution). I'll show examples of how an org can build out an adversary detection pipeline starting with the attack data in their mail and expanding out to the WAF attack data and tickets with the SOC/DFIR. A discussion of mapping MITRE ATT&CK TTPs and how to find the specific procedures. Next, there will be real world examples of adversary detection pipelines and how purple team exercises can be run from threat intel specific to the org's attack data. Finally, a discussion of reporting for management/department that is possible as a result of the adversary detection pipelines.

Main takeaways:

  • Squeeze more value out of the data you are already collecting
  • Showing how any organization can leverage threat intel through adversary detection pipelines, regardless of internal skill sets or experience
  • Heatmaps for threat actor campaign volume, multiple year tracking, delivery rate, click rate, and more used to prioritize Hunt, Red Team, and Blue Team actions with respect to Threat Actor Activity
  • Intelligence driven hypothesis creation for threat hunting
  • How to operationalize adversary detection pipelines to enhance red team & purple team activities, particularly to improve adversary emulation/simulation, RELEVANT red team ops
  • Higher fidelity alerts for the SOC with fewer false positives

Presenters:

  • Xena Olsen
    SANS Women's Academy graduate, 6 GIAC certifications, MBA IT Management, and D.Sc. Cybersecurity student at Marymount University.
