objective
• Case overview
– Blackhole & APT case illustrating the gap between OPS for malware vs. APT
• Moving toward success
– Visibility, Intelligence, Response™
– Outcome-based metrics for MalOPS / APT
@j_j_thompson
• Hoosier native, Hawkeye alum
• Former EY smoke jumping team (OCA)
• ISC2 Indy, CISSP
• (2) x RTW
• 1.5M amex pts, 30K aa miles last month
• Quadrupling size of SOC!!!!
• Entrepreneur, husband, father. Infosec, cybercrime, intelligence & management consultant. Into mountaineering, hunting, fishing, shooting, photo & tactical gear.
Don't blink.
case 2 - apt
THIS IS CALLED HACKING
0. Demand WIIFT? What's in it for them? To be promoted to a cyber warfare unit? To make money? To be famous? You tell me. What did your last risk assessment show would be valuable to ___ based on _____ (scenarios)? THIS IS PART OF WHAT A RISK ASSESSMENT DOES.
THIS IS APT
case 1 - malware
From bromium.com
THIS IS CALLED MALWARE
case 1a - malware
• Palo Alto detected bh2*.jar (the Blackhole kit's Java payload)
• Policy in place: grab the machine, analyze. SLA: 15 min
• Ran Redline, GMER, Sophos, Kaspersky, …
• Re-built the user's machine
• Wish list?
case 1b - malware
• AL detected bh2*.jar
• Alerted local IT; ran AV, nothing found
• 2 hr spent on packet analysis proving it was not a false positive
• Local team asks us not to send tickets
• Local team unplugs AL
• Wish list?
case 2 - apt
• Alerted by the FBI
• Kernel-level compromise; blackout (gap) in the HDD forensic timeline
• Compromised accounts and points of persistence
• Known data exfil, visualized via NetFlow
• Massive response effort, boatloads of IOCs
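The "visualized via NetFlow" bullet above is the step most worth making concrete: exfiltration that hides inside normal HTTPS still shows up as an outlier in outbound volume per internal-to-external host pair. The block below is an added example, not code from the talk or from Rook Security. It sums outbound bytes per (internal source, external destination) pair from constructed flow records, draws a text bar chart, and flags pairs above a volume threshold. The internal address ranges, the 100 MB threshold and the flow records are all assumptions made for the example.

```python
"""Summarise outbound NetFlow to surface exfiltration candidates.
Constructed example: not the speaker's or Rook Security's code."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space for this example.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: (src, dst, dst_port, bytes). Not real traffic.
FLOWS = [
    ("10.1.5.23",   "10.1.5.1",      53,  120),
    ("10.1.5.23",   "203.0.113.10",  443, 8_400),
    ("10.1.5.23",   "203.0.113.10",  443, 7_900),
    ("10.1.7.41",   "198.51.100.77", 443, 9_000),
    ("10.1.7.41",   "198.51.100.77", 443, 612_000_000),  # ~612 MB to one external host
    ("10.1.7.41",   "198.51.100.77", 443, 540_000_000),
    ("10.1.9.8",    "10.1.9.9",      445, 2_000_000),    # internal-only, ignored
    ("192.168.3.4", "203.0.113.10",  80,  15_000),
]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def outbound_by_pair(flows):
    """Sum bytes per (internal src, external dst); internal-to-internal flows are dropped."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return dict(totals)


def flag_exfil(flows, threshold_bytes=100 * 1024 * 1024):
    """Return [(src, dst, bytes)] for pairs whose outbound total exceeds the threshold, largest first."""
    hits = [(s, d, b) for (s, d), b in outbound_by_pair(flows).items() if b > threshold_bytes]
    return sorted(hits, key=lambda t: t[2], reverse=True)


def bar_chart(flows, width=40):
    """Text visualisation: one bar per src->dst pair, scaled to the largest pair."""
    totals = outbound_by_pair(flows)
    if not totals:
        return ""
    biggest = max(totals.values())
    lines = []
    for (s, d), b in sorted(totals.items(), key=lambda kv: kv[1], reverse=True):
        bar = "#" * max(1, round(width * b / biggest))
        lines.append(f"{s:>14} -> {d:<16} {b:>12,d} {bar}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(bar_chart(FLOWS))
    for src, dst, b in flag_exfil(FLOWS):
        print(f"EXFIL CANDIDATE: {src} sent {b / 1e6:.0f} MB to {dst}")
```

The threshold is deliberately crude; in practice you baseline each host's normal outbound volume and alert on deviation, but even this aggregation turns a pile of flow records into the one line an IR lead needs to see.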
to success and beyond
– Visibility, Intelligence, Response™
• How do you detect malware? APT?
• What is the context around it that changes the approach?
• How do you respond appropriately based on threat, adversary, and data at risk?
– Outcome-based metrics for MalOPS / APT
• Measure only if it will result in an action or change of strategy
response
Sanitized excerpts from Rook's SOC Threat Classifications Table; more can be obtained at www.rooksecurity.com
Table columns: CATEGORY of THREAT | DATA CLASSIFICATION of TARGET | INTEL on ATTACKER → INCIDENT PRIORITIZATION & COMMUNICATION
CASE: SEA targeted probe to sensitive server
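The table columns above make the point of the whole deck: the same bh2*.jar alert and a targeted probe of a sensitive server should not travel the same path, because the threat category, what data sits on the target, and what is known about the attacker change both the priority and who gets told. The block below is an added example, not Rook's table or code. It scores a constructed alert on those three dimensions, bands the score into a priority, and maps the priority to a notification list and channel. The weights, the bands, the notification lists and the three sample alerts (modelled loosely on case 1a, the SEA case line, and case 2) are all assumptions made for the example.

```python
"""Context-driven incident prioritisation.
Constructed example: not Rook Security's classification table or code."""
from dataclasses import dataclass

# Weights are assumptions for this example; the real table's values are not on the page.
THREAT_CATEGORY = {"commodity_malware": 1, "targeted_probe": 2, "targeted_intrusion": 3}
DATA_CLASS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ATTACKER_INTEL = {"unknown": 0, "opportunistic": 0, "known_crimeware": 1,
                  "known_hacktivist": 2, "known_apt": 3}

# Priority -> (who is notified, how). Also an assumption.
COMMS = {
    "P1": (["IR lead", "CISO", "legal", "system owner"], "phone"),
    "P2": (["IR lead", "system owner"], "email + ticket"),
    "P3": (["local IT"], "ticket"),
    "P4": ([], "log only"),
}


@dataclass(frozen=True)
class Alert:
    name: str
    category: str           # key of THREAT_CATEGORY
    target_data_class: str  # key of DATA_CLASS
    attacker: str           # key of ATTACKER_INTEL


def score(alert):
    """Additive context score. An unknown value raises KeyError rather than silently scoring 0."""
    return (THREAT_CATEGORY[alert.category]
            + DATA_CLASS[alert.target_data_class]
            + ATTACKER_INTEL[alert.attacker])


def priority(alert):
    """Band the score into P1..P4. A known APT on restricted data is P1 regardless of the sum."""
    if alert.attacker == "known_apt" and alert.target_data_class == "restricted":
        return "P1"
    s = score(alert)
    if s >= 6:
        return "P1"
    if s >= 4:
        return "P2"
    if s >= 2:
        return "P3"
    return "P4"


def triage(alert):
    """Return (priority, notify_list, channel) for one alert."""
    p = priority(alert)
    notify, channel = COMMS[p]
    return p, notify, channel


# Constructed alerts modelled loosely on the cases in the deck.
CASES = [
    Alert("bh2 jar on user laptop", "commodity_malware", "internal", "opportunistic"),
    Alert("SEA probe of sensitive server", "targeted_probe", "confidential", "known_hacktivist"),
    Alert("kernel implant + exfil", "targeted_intrusion", "restricted", "known_apt"),
]

if __name__ == "__main__":
    for a in CASES:
        p, notify, channel = triage(a)
        print(f"{p} {a.name:<32} -> {channel:<15} {', '.join(notify) or '-'}")
```

With these weights the commodity Blackhole hit lands at P3 as a ticket to local IT, while the SEA probe and the APT intrusion both land at P1 with a phone call. Agreeing that mapping with the local team up front is what avoids the case 1b outcome, where a correct detection ended with the sensor unplugged.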
Outcome-based metrics
• Measure only if it will result in an action or change of strategy
ASK questions
@j_j_thompson rooksecurity.com 888.712.9531