How MalOPS Changes the Game for SECOPS and APT

Date posted: 30-Dec-2018

Transcript

objective

• Case overview
  – Blackhole & APT case illustrating the gap between OPS for malware vs. APT
• Moving toward success
  – Visibility, Intelligence, Response™
  – Outcome-based metrics for MalOPS / APT

@j_j_thompson

• Hoosier native, Hawkeye alum
• Former EY smoke jumping team (OCA)
• ISC2 Indy, CISSP
• (2) x RTW
• 1.5M Amex pts, 30K AA miles last month
• Quadrupling size of SOC!!!!
• Entrepreneur, husband, father. Infosec, cybercrime, intelligence & management consultant. Into mountaineering, hunting, fishing, shooting, photo & tactical gear.

Don't blink.

definitions – see next slide

• APT

• Hacking

• Malware

case 2 - apt


THIS IS CALLED HACKING

0. Demand: WIIFT? What's in it for them? To be promoted to a cyber warfare unit? To make money? To be famous? You tell me. What did your last risk assessment show would be valuable to ___ based on _____ (scenarios)? THIS IS PART OF WHAT A RISK ASSESSMENT DOES.

THIS IS APT

case 1 - malware


From bromium.com

THIS IS CALLED MALWARE

case 1a - malware

• Palo detected bh2*.jar
• Policy in place: grab the machine, analyze. SLA: 15m
• Ran Redline, GMER, Sophos, Kaspersky, …
• Rebuilt the user's machine

• Wish list?

case 1b - malware

• AL detected bh2*.jar
• Alerted local IT, ran AV, nothing.
• 2 hr spent on packet analysis proving it was not an FP
• Local team asks us not to send tickets
• Local team unplugs AL

• Wish list?
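Cases 1a and 1b turn on the same question: once a sensor fires on a bh2*.jar download, was the JAR actually delivered to the client, and did anything follow it? Below is an added example (not code from the talk or from Rook) that answers that by correlating the firewall alert with the web proxy log for the same client inside a short window. The alert tuples, proxy log lines, the `bh2*.jar` filename pattern, the 15-minute SLA and the verdict labels are all constructed for illustration; real device formats differ. The point is that the "2 hr of packet analysis proving not an FP" in case 1b collapses to a log join when both sources are visible.

```python
"""Triage of exploit-kit JAR alerts (bh2*.jar) by correlating the firewall
alert with the web proxy log for the same client.

Added example, not code from the talk. The alert and proxy log lines below
are constructed for illustration; real device formats differ.
"""
import fnmatch
from datetime import datetime, timedelta
from urllib.parse import urlsplit

JAR_PATTERN = "bh2*.jar"       # filename pattern the sensor alerted on
SLA = timedelta(minutes=15)    # time allowed to decide and grab the machine

# Constructed firewall alerts: (time, client IP, URL, action taken by the device).
FIREWALL_ALERTS = [
    ("2013-03-04 09:12:03", "10.1.4.23", "http://203.0.113.7/content/bh2a1.jar", "alert"),
    ("2013-03-04 09:15:41", "10.1.4.57", "http://198.51.100.9/pub/bh2f3.jar", "block"),
    ("2013-03-04 09:20:10", "10.1.4.88", "http://192.0.2.44/x/bh2c9.jar", "alert"),
    ("2013-03-04 09:25:00", "10.1.4.23", "http://203.0.113.7/content/readme.jar", "alert"),
]

# Constructed proxy log: (time, client IP, URL, HTTP status, bytes to client, content type).
PROXY_LOG = [
    ("2013-03-04 09:12:04", "10.1.4.23", "http://203.0.113.7/content/bh2a1.jar",
     200, 24561, "application/java-archive"),
    ("2013-03-04 09:12:09", "10.1.4.23", "http://203.0.113.7/content/about.exe",
     200, 312000, "application/octet-stream"),
    ("2013-03-04 09:20:11", "10.1.4.88", "http://192.0.2.44/x/bh2c9.jar",
     404, 0, "text/html"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_exploit_kit_jar(url):
    """True when the URL's last path component matches the alerted pattern."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return fnmatch.fnmatchcase(name.lower(), JAR_PATTERN)


def triage(alert, proxy_log=PROXY_LOG, window=timedelta(minutes=2)):
    """Return a verdict dict for one alert, or None if it is not a bh2*.jar alert.

    Verdicts: blocked (device stopped it); not delivered (no 200 with bytes in
    the proxy log, so treat as FP or upstream block); delivered (pull the host);
    delivered with a follow-on binary download (pull the host, keep the payload
    URL as an IOC).
    """
    when, host, url, action = alert
    if not is_exploit_kit_jar(url):
        return None
    if action == "block":
        return {"host": host, "verdict": "blocked", "next": "close ticket, record source IP"}
    start = _ts(when)
    hits = [p for p in proxy_log
            if p[1] == host and timedelta(0) <= _ts(p[0]) - start <= window]
    delivered = [p for p in hits if p[2] == url and p[3] == 200 and p[4] > 0]
    if not delivered:
        return {"host": host, "verdict": "not delivered",
                "next": "close as likely FP or blocked upstream; no host visit"}
    payloads = [p[2] for p in hits
                if p[2] != url and p[3] == 200 and p[5] == "application/octet-stream"]
    return {"host": host,
            "verdict": "delivered, payload observed" if payloads else "delivered",
            "next": f"isolate and image host within {int(SLA.total_seconds() // 60)} min",
            "iocs": payloads}


def triage_all(alerts=FIREWALL_ALERTS, proxy_log=PROXY_LOG):
    """Triage every alert, dropping the ones that are not exploit-kit JARs."""
    return [r for r in (triage(a, proxy_log) for a in alerts) if r is not None]


if __name__ == "__main__":
    for verdict in triage_all():
        print(verdict)
```

The "blocked" and "not delivered" branches are what keep a local team from unplugging the sensor: they close without a ticket. Only the "delivered" branch consumes the 15-minute SLA, and the follow-on `application/octet-stream` fetch from the same client is the first IOC the responder gets for free.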

case 2 - apt

• Alerted by FBI
• Kernel level, blackout on HDD timeline
• Compromised accounts and points of persistence
• Known data exfil, visualized via netflow
• Massive response effort, boatloads of IOCs
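The case 2 exfil was "visualized via netflow". As an added example (not code from the talk or from Rook), here is the shape of that analysis: fold one-directional flow records into per (internal host, external host) byte counts, then flag pairs where the outbound volume is both large in absolute terms and far out of proportion to what came back, which is the signature of a bulk upload rather than browsing. The flow tuples, the `10.0.0.0/8` internal range, and the 100 MB / 10:1 thresholds are constructed assumptions for illustration; tune them against your own baseline. Internal-to-internal transfers are deliberately excluded so a large SMB copy does not show up as exfil.

```python
"""Outbound-volume outlier detection over NetFlow-style records.

Added example, not code from the talk. Flow records, the internal range and
the thresholds are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed one-directional flow records: (src, dst, dst port, bytes).
FLOWS = [
    ("10.2.7.15", "203.0.113.10", 443, 1800),          # normal browsing: small out ...
    ("203.0.113.10", "10.2.7.15", 51234, 420000),      # ... larger in
    ("10.2.7.15", "198.51.100.5", 443, 950000000),     # 950 MB out to one external host
    ("198.51.100.5", "10.2.7.15", 52000, 120000),      # almost nothing back
    ("10.2.9.40", "203.0.113.22", 80, 9000),
    ("203.0.113.22", "10.2.9.40", 49000, 2100000),
    ("10.2.9.40", "10.2.1.5", 445, 700000000),         # internal file copy, not exfil
    ("10.2.1.5", "10.2.9.40", 50000, 10000),
]


def direction(src, dst):
    """Classify a flow as 'out' or 'in' relative to the internal range.

    Returns (kind, internal_host, external_host), or None for flows that do
    not cross the perimeter (internal-internal or external-external).
    """
    s_in = ipaddress.ip_address(src) in INTERNAL
    d_in = ipaddress.ip_address(dst) in INTERNAL
    if s_in and not d_in:
        return "out", src, dst
    if d_in and not s_in:
        return "in", dst, src
    return None


def aggregate(flows):
    """Sum bytes per (internal host, external host) in each direction."""
    agg = defaultdict(lambda: {"out": 0, "in": 0, "ports": set()})
    for src, dst, dport, nbytes in flows:
        d = direction(src, dst)
        if d is None:
            continue
        kind, host, ext = d
        agg[(host, ext)][kind] += nbytes
        if kind == "out":
            agg[(host, ext)]["ports"].add(dport)
    return agg


def find_exfil(flows, min_out=100000000, ratio=10.0):
    """Flag pairs with >= min_out bytes sent and an out:in ratio >= ratio."""
    suspects = []
    for (host, ext), v in aggregate(flows).items():
        r = v["out"] / max(v["in"], 1)
        if v["out"] >= min_out and r >= ratio:
            suspects.append({"host": host, "dst": ext, "bytes_out": v["out"],
                             "ratio": round(r, 1), "ports": sorted(v["ports"])})
    return sorted(suspects, key=lambda s: -s["bytes_out"])


def ascii_chart(flows, width=40):
    """Text bar chart of outbound bytes per pair, largest first."""
    agg = aggregate(flows)
    top = max((v["out"] for v in agg.values()), default=1)
    lines = []
    for (host, ext), v in sorted(agg.items(), key=lambda kv: -kv[1]["out"]):
        bar = "#" * int(width * v["out"] / top)
        lines.append(f"{host:>12} -> {ext:<14} {v['out']:>12,d} {bar}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(ascii_chart(FLOWS))
    for s in find_exfil(FLOWS):
        print("EXFIL?", s)
```

The ratio test matters more than the absolute threshold: a workstation pulling a 2 GB update is large but inbound-heavy, while the compromised host in case 2 pushes far more than it receives. Once a pair is flagged, the destination address and port go straight onto the IOC list.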

to success and beyond

– Visibility, Intelligence, Response™
  • How do you detect malware? APT?
  • What is the context around it that changes the approach?
  • How do you respond appropriately based on threat, adversary, and data at risk?
– Outcome-based metrics for MalOPS / APT
  • Measure only if it will result in an action or change of strategy

Visibility, Intelligence, Response™

response

Sanitized excerpts from Rook's SOC Threat Classifications Table; more available at www.rooksecurity.com

response

Table columns:

• CATEGORY of THREAT
• DATA CLASSIFICATION of TARGET
• INTEL on ATTACKER
• INCIDENT PRIORITIZATION & COMMUNICATION

CASE: SEA targeted probe to sensitive server

Outcome-based metrics

• Measure only if it will result in an action or change of strategy

ASK questions

@j_j_thompson rooksecurity.com [email protected] 888.712.9531
