In this Black Hills Information Security webcast John breakdowns why he hates threat intelligence… Again…
But, he breaks down some of the cool new projects that are focusing on durable threat intelligence. This is key because many intel feeds are nothing more than domains, hashes, and IP addresses. However, with durable threat intel, we see attack techniques that are highly effective, yet are not as easy to block.
For example, application allow listing abuse, connection profiles (RITA!), PowerShell encoding are all examples of detects you can use that are not specific to a point in time attack methodology.
John also shares some very cool open source projects that are approaching attacks in this way using ELK.
Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5
Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_Durable_Ephemeral_Threat_Intel_Strand.pdf
0:00 – Be Excellent to Each Other
1:06 – Threat Intel: A Useless Rant
7:38 – Pyramid of Pain
10:55 – You Got Another String Coming
14:56 – Conversation With a Pompous John
19:10 – Hacking Ain’t Easy
22:21 – ATT&CK Bingo™
24:33 – Emulation for Iteration
27:35 – Some Open Source Tools
32:03 – Threat Emulation Warning
36:59 – MITRE Scorecard
45:49 – A Bit of Perspective
48:02 – DeTT&CT
48:48 – Sigma
52:29 – Atomic Threat Coverage
55:02 – PlumHound
55:39 – RITA
56:50 – Honeypots
58:21 – Question Time
1:07:52 – Breaking Down the Gates
Check out our Cyber Range, not just a place to work through challenges and play, but also an open direct/hands-on training environment.