with STIX, SOAR, MITRE ATT&CK, SANS 6-step IR, The Diamond Model of Intrusion Analysis, Cyber Threat Intelligence, MaGMa Use Case Framework and more
Abstract:
In order to increase their maturity level, SOC organizations frequently introduce intelligence-driven Threat Hunting. Benefits of intel-driven Threat Hunting are:
- True analysis methodology based on hypothesis formulation and testing
- Driven by the consumption of Open Source Intelligence (OSINT) and/or commercial Cyber Threat Intelligence
- In contrast to deep-dive forensic analysis, which doesn’t scale across thousands or tens of thousands of endpoints, Threat Hunting is a forensic analysis methodology applied at scale
A common human error when starting an analysis engagement is to begin with improperly evaluated hypotheses. Since a hypothesis is the very starting point of an analysis, one that is not formulated with proper care eventually leads the analysis to a dead end.
This free online series of 9 training sessions is aimed at helping SOC organizations understand the limitations of the current SOC analysis methodology and how intel-driven Threat Hunting can complement it to improve their maturity level enormously.
Note: These training sessions build on each other. Although each session starts with a summary of the previous one, it might not make sense to join at a later point in time if you haven't attended from the beginning.
- Review current SOC working model
- Complementing it with intel-driven Threat Hunting based on the specification of the MaGMa use case framework
- Consumption of Threat Intelligence/feeds (OSINT / commercial)
  - ThaiCERT Threat Actor encyclopedia
  - AlienVault's Open Threat Exchange (OTX)
  - Cyber Threat Intelligence IOC feeds
- Determine relevant adversaries, their capabilities and infrastructure
  - Study relevant Threat Reports
  - Attack Graph representation with STIX
- The Diamond Model of Intrusion Analysis
  - Diamond relationships (Adversary, Infrastructure, Capabilities, Victim)
  - Analytic pivoting
  - Discover related elements
- Analysis of Competing Hypotheses (ACH)
  - Create a matrix of competing hypotheses
  - Strengthen, weaken or disprove hypotheses based on discovered evidence
  - Continue the analysis with the sustainable hypotheses
- How we implemented intel-driven Threat Hunting in a SOAR tool complemented by a SIEM
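The ACH steps in the outline above (build the matrix, strengthen, weaken or disprove hypotheses as evidence arrives, continue only with the sustainable ones), as an added Python example that is not part of the course material. The hypotheses, evidence items, credibility weights and the inconsistency threshold are constructed for illustration; the scoring rule (rank by weighted inconsistent evidence, ignore evidence that cannot discriminate between hypotheses) follows the usual ACH convention.

```python
"""Analysis of Competing Hypotheses (ACH) as a scored matrix.

Added example; not part of the training page. All hypotheses, evidence
items, credibility weights and ratings below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rating of one evidence item against one hypothesis.
CONSISTENT = "C"
INCONSISTENT = "I"
NEUTRAL = "N"  # the evidence says nothing about this hypothesis


@dataclass
class Evidence:
    name: str
    credibility: int          # 1 (weak) .. 3 (strong), an analyst judgement
    ratings: Dict[str, str]   # hypothesis id -> C / I / N; missing ids are N

    def rating(self, hypothesis: str) -> str:
        return self.ratings.get(hypothesis, NEUTRAL)


def build_matrix(hypotheses: List[str], evidence: List[Evidence]) -> Dict[str, List[str]]:
    """One row per evidence item, one column per hypothesis."""
    return {e.name: [e.rating(h) for h in hypotheses] for e in evidence}


def is_diagnostic(e: Evidence, hypotheses: List[str]) -> bool:
    """Evidence rated identically against every hypothesis cannot tell them
    apart and should not drive the decision."""
    return len({e.rating(h) for h in hypotheses}) > 1


def inconsistency_score(hypothesis: str, evidence: List[Evidence]) -> int:
    """ACH ranks by inconsistency: sum the credibility of evidence that
    contradicts the hypothesis. Consistent evidence is deliberately not
    summed; it usually fits several hypotheses at once and would only
    reward the one the analyst already favours (confirmation bias)."""
    return sum(e.credibility for e in evidence if e.rating(hypothesis) == INCONSISTENT)


def rank_hypotheses(hypotheses: List[str], evidence: List[Evidence]) -> List[Tuple[str, int]]:
    """Least-contradicted hypothesis first; ties broken by id for stable output."""
    scores = {h: inconsistency_score(h, evidence) for h in hypotheses}
    return sorted(scores.items(), key=lambda kv: (kv[1], kv[0]))


def sustainable(hypotheses: List[str], evidence: List[Evidence], max_inconsistency: int) -> List[str]:
    """Hypotheses worth carrying into the next analysis step."""
    return [h for h, s in rank_hypotheses(hypotheses, evidence) if s <= max_inconsistency]


def add_evidence(hypotheses: List[str], evidence: List[Evidence],
                 new: Evidence, max_inconsistency: int) -> Dict[str, str]:
    """Re-score after a new finding and report, per hypothesis, whether it was
    'disproved' (crossed the threshold), 'weakened' (score rose) or 'unchanged'."""
    before = dict(rank_hypotheses(hypotheses, evidence))
    evidence.append(new)
    after = dict(rank_hypotheses(hypotheses, evidence))
    result = {}
    for h in hypotheses:
        if before[h] <= max_inconsistency < after[h]:
            result[h] = "disproved"
        elif after[h] > before[h]:
            result[h] = "weakened"
        else:
            result[h] = "unchanged"
    return result


# Constructed scenario: an alert on an outbound connection from a workstation.
HYPOTHESES = {
    "H1": "commodity malware beacon",
    "H2": "targeted adversary command-and-control channel",
    "H3": "legitimate remote-administration traffic",
}
EVIDENCE = [
    Evidence("destination IP listed in an OTX pulse for a commodity botnet", 2,
             {"H1": CONSISTENT, "H3": INCONSISTENT}),
    Evidence("initiating process is a signed remote-admin tool", 3,
             {"H1": INCONSISTENT, "H3": CONSISTENT}),
    Evidence("connection happens outside the admin change window", 1,
             {"H1": CONSISTENT, "H2": CONSISTENT, "H3": INCONSISTENT}),
    Evidence("alert was raised by the EDR sensor", 1, {}),  # rated N everywhere: non-diagnostic
]
NEW_FINDING = Evidence("credential dumping observed on the same host", 3,
                       {"H2": CONSISTENT, "H3": INCONSISTENT})
THRESHOLD = 3  # constructed cut-off for 'still sustainable'


def demo() -> Dict[str, str]:
    """Run the ACH cycle on a copy of the constructed evidence."""
    hyps, ev = list(HYPOTHESES), list(EVIDENCE)
    for row, cells in build_matrix(hyps, ev).items():
        print(f"{row:<65} {' '.join(cells)}")
    print("ranking before new finding:", rank_hypotheses(hyps, ev))
    print("non-diagnostic evidence:", [e.name for e in ev if not is_diagnostic(e, hyps)])
    change = add_evidence(hyps, ev, NEW_FINDING, THRESHOLD)
    print("effect of new finding:", change)
    print("continue with:", sustainable(hyps, ev, THRESHOLD))
    return change


if __name__ == "__main__":
    demo()
```

In the constructed run, the signed admin tool contradicts H1 and the botnet listing contradicts H3, so before the new finding all three survive the threshold; the credential-dumping observation pushes H3 past it and only H1 and H2 are carried forward. Note that H2 ranks first with zero inconsistencies, not because evidence "proves" it but because nothing collected so far contradicts it, which is exactly the ACH reasoning the outline refers to.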
Target audience
SOC Managers, SOC Analysts, Forensic Analysts and SOC-related Consultants
Planned sessions:
The remaining sessions were consolidated into the April 30, May 28 and June 25 classes.