Professional Documents
Culture Documents
Pros Cons
No confidence in
results
We can do better!
Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL 2
Enterprise Security Monitoring
Threat Intelligence
Business
Technical Data
Data
Intelligence
Direction
Dissemenation Collection
Analysis
Contain Observe
Validated Alerts
Validate Compare
Response Detection
Captain, I do not
believe that to be
the correct use of
the term.
Raw
Data
Facts
Expert
Analysis
Intelligence!
≠
Copyright © 2014, FireEye, Inc. All rights reserved. | CONFIDENTIAL 10
The Pyramid of Pain
Network/Host
Unfortunately, they are extremely Artifacts
susceptible to change (even accidentally).
Domain Names
Hashes are probably the least useful type of
IP Addresses
indicators.
Hash Values
MD5
5f6ce162c4b5516670d5a8f1f8f4e57b
SHA1
C8d4c389beaff88811f8fab1965519fce74ffd8a
SHA256
ad690662a1faf97dc41387b73f8fd3415d64f9b0ce66db3e9134385d94e0c01b
Tools
VPNs, Tor, open proxies all make it trivial to
Network/Host
change your IP. Artifacts
Tools
Domains require pre-registration and
Network/Host
(usually) a fee, but there are ways around Artifacts
this.
Domain Names
Dynamic DNS providers even help
IP Addresses
automate the adversary’s update process
with helpful APIs. Hash Values
Network/Host
On hosts, look for files & directories, registry Artifacts
objects, mutexes, memory strings […]
Domain Names
On the network, check for distinctive
IP Addresses
transaction values, especially protocol
errors or just misinterpretations. Hash Values
If you see the same tool over and over, you TTPs
eventually get really good at detecting it. Tools
Network/Host
No matter what incidental changes they Artifacts
make, your detection mechanisms can
deal with them. Domain Names
IP Addresses
To continue, they need a new tool. With
testing & training time, that’s a real victory! Hash Values
Network/Host
Retraining is probably the hardest thing you Artifacts
can do once, let alone continually.
Domain Names
This becomes so expensive that they have
IP Addresses
to question their commitment to attacking
you. Win! Hash Values
David J. Bianco
David.Bianco@mandiant.com
@DavidJBianco
detect-respond.blogspot.com