Follow along as we spin the Threat Report Roulette Wheel and give rapid-fire responses on how we would create actionable takeaways from publicly available, TLP:WHITE threat reports. Pick up some tips and tricks to up your game!
Threat Report Roulette will not discuss business-as-usual (BAU) CTI actions, such as searching the logs for hits on the IOCs or entering the IOCs into a Threat Intelligence Platform (TIP) or other alerting platform. Instead, the participants will focus on pivoting, TTPs, and how they would take the contents of the threat report to the NEXT LEVEL! When the panelists respond to a threat report, they are operating under the assumption that they have already performed the preliminary analysis and deemed the report relevant to their environment. The purpose of this assumption is to cut down the debate on whether something is relevant and get to the part of the analysis that extracts actionable takeaways. 🤜💥🤛
- Spin the Threat Report Roulette Wheel - Link
- Moderator calls on a Participant.
- Participant is in the Hot Seat:
  - 15 seconds to organize their thoughts.
  - 1-5 minutes to share their thoughts on how they would get value out of the report.
- Panelists' input:
  - 3-5 minutes to share their insights as a group. Quick commentary that is short, sweet, rapid-fire, direct, and to the point!
- Rinse & Repeat!
- Academic Article - An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors by George Karantzas and Constantinos Patsakis - Link
- BC Security
  - BC Security #1 - XLS Entanglement by Hubbl3 - Link
  - BC Security #2 - Overview of Empire 4.0 and C# by CX01N - Link
  - DEF CON 18 - PowerShell omfg... with David Kennedy and Josh Kelley - Link
  - SANS Resource shared during Threat Report Roulette - Disrupting the Empire: Identifying PowerShell Empire C2 Activity by Michael C. Long II - Link
  - Sigma Rule: Empire PowerShell Launch Parameters - Link
  - Sigma Rule: Empire PowerShell UAC Bypass - Link
  - Sigma Rule: Empire UserAgent URI Combo - Link
- CISA #1 - Chinese State-Sponsored Cyber Operations: Observed TTPs - Link
- CISA #2 - Malware Analysis Report - Cobalt Strike Beacon - Link
- CISA #3 - Malware Targeting Pulse Secure Devices - Link
  - CISA #3.1 - Exploitation of Pulse Secure Connect Secure Vulnerabilities - Updated 7/21/21 - Link
- CISA #4 - CISA Analysis: FY2020 Risk and Vulnerability Assessments - July 2021 - Link
  - CISA #4.1 - Risk and Vulnerability Assessment (RVA) Mapped to The MITRE ATT&CK Framework - Infographic - Link
- ESET Threat Report T1 2021 - Link
- FBI Flash #1 - Conti Ransomware Attacks Impact Healthcare and First Responder Networks - Link
- FBI Flash #2 - APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity - Link
- FIREEYE #1 - Cyber Threats to the Financial Services and Insurance Industries - Link
- FIREEYE #2 - Smoking Out a DARKSIDE Affiliate's Supply Chain Software Compromise by Tyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson, and Jordan Nuce - Link
- MYSTERY - MICROSOFT - BazaCall: Phony call centers lead to exfiltration and ransomware by Microsoft 365 Defender Threat Intelligence Team - Link
  - WizardSpider using legitimate services as cloak of invisibility by William Thomas - Link
  - Palo Alto Networks Unit 42 - Tweet on #Bazaloader with IOCs - Tweet Link & IOCs Link
- Red Canary - What is normal? Profiling System32 binaries to detect DLL Search Order Hijacking by Michael Haag and Shane Welcher - Link
- SCYTHE - Threat Thursday
  - BSides SATX Talk - Operationalizing Purple Team by Jorge Orchilles - Link
  - Conti Ransomware by Jorge Orchilles - Link
  - Evading Defenses with ISO files like NOBELIUM - Link
  - Top Ransomware TTPs by Jorge Orchilles - Link
- SECURELIST - Black Kingdom ransomware by Marc Rivero - Link
  - Additional Resource: Dragos - Threat Intelligence and the Limits of Malware Analysis by Joe Slowik - Link
- SpecterOps - Certified Pre-Owned by Will Schroeder and Lee Christensen - Link
  - BlackHat USA 2021 Briefing - Certified Pre-Owned: Abusing Active Directory Certificate Services by Will Schroeder and Lee Christensen - Link
- The DFIR Report #1 - IcedID and Cobalt Strike vs Antivirus - Link
  - Cyborg Security - Ransomware: Hunting for Inhibiting System Backup or Recovery - Link
  - Identify when CobaltStrike is spawning a shell without parameters (Process Hollowing) by Dan Lussier - Link
  - Sigma Rule: Quick Execution of a Series of Suspicious Commands - Link
  - MITRE Cyber Analytics Repository - CAR-2013-04-002: Quick execution of a series of suspicious commands - Link
- The DFIR Report #2 - Sodinokibi (aka REvil) Ransomware - Link
  - Detection Tweet by Vadim Khrykov @DarkMatter23 - Link
  - Detection Ideas Repo by Vadim Khrykov @DarkMatter23 - Link
  - Run and RunOnce Registry Keys - Link
Christopher Russell is the Head of Information Security for tZERO Group Inc. He has a Master's degree in Cybersecurity, numerous certifications, and experience in cloud security, endpoint detection and response, SIEM, and blockchain. He is a combat veteran of the US Army, where he was a human intelligence (HUMINT) collector and a graduate of the Defense Language Institute in Arabic.
Karan Aditya Ghoshal is a CTI Analyst at a Big Four cybersecurity firm. He is currently pursuing his Bachelor's in Computer Science Engineering at Manav Rachna University.
Will Thomas is a security researcher at Cyjax, a UK-based Cyber Threat Intelligence vendor. In his spare time, he offers his OSINT skills to work missing persons cases with the NCPTF and is a board member of the Curated Intelligence trust group. Will graduated with a BSc (Hons) in Computer and Information Security from the University of Plymouth.
Xena Olsen is a Senior Cybersecurity Analyst at a Fortune 500 Company. She is a graduate of SANS Women’s Academy with eight GIAC certifications, an MBA in IT management, and a doctoral student in cybersecurity at Marymount University.
The Blind Hacker is an InfoSec enthusiast, mentor, coach, pentester, hacker, and more. He regularly mentors online through streams and online communities. He frequently volunteers his time on workforce development for others, gives resume reviews and job advice, and coaches people into the roles they want with mock interviews. As a person with a disability, or who is differently-abled, he has never let it slow him down.
Danny Henderson Jr. is a USAF veteran who is now an expat working as a Senior Cybersecurity Analyst at SecureWorks in Romania. He is a graduate of Capitol Technology University with an MSc in Cyber and Information Security and holds six GIAC certifications in DFIR and Offensive Security.
Jorge Orchilles is the Chief Technology Officer of SCYTHE, co-creator of the C2 Matrix project, and author of the Purple Team Exercise Framework. He is a SANS Certified Instructor and the author of Security 564: Red Team Exercises and Adversary Emulation.
Ricky Banda is an Incident Commander for the Amazon Security Incident Response Team. He is a SANS MSISE graduate student with over a dozen industry certifications and a featured author in Tribe of Hackers: Blue Team Edition. He has over a decade of experience in Security Operations and Incident Response, working in both the public and private sectors.
Thank you to BlueTeamVillage for hosting us, to DEF CON, to the participants, and to the people who provided the threat reports, security research, and more that made this panel possible! <3