Page 33 - Cyber Warnings
has malware analysts and threat researchers on staff to track and develop mitigations for newly
discovered threats. Having threat intelligence available to your security team enables them to be
proactive and hunt for threats that current security solutions may be blind to.

Some examples of leveraging Threat Intelligence include, but are not limited to:

● Checking for compromised email accounts belonging to your org or business partners
● Blocking web and email access for phishing and typo-squat domains
● Searching logs for malicious domains or URLs that are not being blocked
● Consuming feeds for compromised websites and blocking or limiting access
● Monitoring suspicious domain registrations and pre-emptively blocking them
● Tracing web based malware infections back to the source network or website
● Generating custom intrusion detection signatures
● Checking for evidence of TTPs within your environment
● Looking for Lateral Movement activity

These are just a few ways security operations teams can leverage threat intelligence and
mitigate the impact of detection gaps when they arise.
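The log-search, typo-squat and feed-consumption items above come down to one piece of detection logic: take an indicator set and run it over egress records, then separate what was already blocked from what got through. The following is an added example, not code from the article's author or from Anomali. The indicator feed, the organization domain (examplecorp.com) and the proxy log lines are constructed for illustration; the matching itself (parent-domain matching so sub.bad.example hits bad.example, exact URL matching, and an edit-distance check for look-alikes of your own domain) is what you would run over an export of real proxy or DNS logs.

```python
"""Match proxy logs against a threat-intel indicator set.

Added example for this article, not code from the author or from Anomali.
The feed, the org domain and the log lines below are constructed here.
"""
import re
from urllib.parse import urlsplit

# Constructed indicator feed: malicious domains and one full URL.
INDICATOR_DOMAINS = {"update-check.example", "cdn-static.example"}
INDICATOR_URLS = {"http://cdn-static.example/js/loader.js"}
ORG_DOMAIN = "examplecorp.com"  # assumed organization domain to typo-squat-check

# Constructed proxy log lines: "<epoch> <client_ip> <action> <url>"
PROXY_LOG = """\
1478000001 10.1.2.3 ALLOWED http://update-check.example/bot/ping
1478000002 10.1.2.4 ALLOWED https://www.examp1ecorp.com/login
1478000003 10.1.2.5 BLOCKED http://cdn-static.example/js/loader.js
1478000004 10.1.2.6 ALLOWED https://mail.examplecorp.com/owa
1478000005 10.1.2.7 ALLOWED http://sub.cdn-static.example/x
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<action>ALLOWED|BLOCKED) (?P<url>\S+)$"
)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough to catch one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels. Assumption: no public-suffix list, so co.uk-style
    suffixes are not handled; use a PSL library in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_matches(host: str, indicators: set) -> bool:
    """True if the host or any parent domain is an indicator."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels) - 1))


def is_typosquat(host: str, org_domain: str, max_dist: int = 1) -> bool:
    """Registrable domain within max_dist edits of the org's own, but not equal."""
    cand, own = registrable(host), registrable(org_domain)
    return cand != own and levenshtein(cand, own) <= max_dist


def scan(log_text, indicator_domains, indicator_urls, org_domain):
    """Return one hit per log line that matched an indicator, with the reasons."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than silently mis-parse
        url = m["url"]
        host = urlsplit(url).hostname or ""
        reasons = []
        if url in indicator_urls:
            reasons.append("url-indicator")
        if domain_matches(host, indicator_domains):
            reasons.append("domain-indicator")
        if is_typosquat(host, org_domain):
            reasons.append("typosquat")
        if reasons:
            hits.append({"client": m["client"], "host": host,
                         "action": m["action"], "reasons": reasons})
    return hits


def unblocked_hits(hits):
    """The detection gap: indicator traffic the proxy let through."""
    return [h for h in hits if h["action"] != "BLOCKED"]


if __name__ == "__main__":
    found = scan(PROXY_LOG, INDICATOR_DOMAINS, INDICATOR_URLS, ORG_DOMAIN)
    for h in unblocked_hits(found):
        print(f"{h['client']} -> {h['host']} ({', '.join(h['reasons'])}) NOT BLOCKED")
```

On the constructed log this flags four lines and reports three of them as unblocked: the beaconing host and the subdomain of a listed domain got through, the look-alike of the org's own domain got through, and the one blocked request is exactly the URL that was already on the feed. The unblocked list is the work queue for the operations team.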

Another use of threat intelligence is to replay packet captures of known malicious traffic to
test the effectiveness of signature-based security appliances. This can be done with open source
tools such as tcpreplay and publicly available pcaps.

Some sources for malicious pcap samples include:
http://www.malware-traffic-analysis.net
http://threatglass.com/
http://www.pcapr.net/
http://contagiodump.blogspot.com/2013/04/collection-of-pcap-files-from-malware.html
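A replay run is only useful if you know the sensor actually saw the traffic and can say which samples produced no alert. The script below is an added example, not the author's tooling: it validates each capture's magic bytes before handing it to tcpreplay, records the alert count before and after each replay, and reports the delta. The tcpreplay options are real; the interface name, the directory layout and the Suricata-style eve.json alert log are assumptions. These samples carry live exploit and malware traffic, so replay only on an isolated segment (or a SPAN/TAP feed) that the sensor monitors, and expect to run as root or with CAP_NET_RAW.

```sh
#!/bin/sh
# Replay known-malicious pcaps toward a signature-based sensor and count the
# alerts it raised. Example script added for this article, not the author's.
# Assumptions: tcpreplay is installed and run as root, the interface is one
# the sensor sees (SPAN/TAP or the sensor's own NIC in an isolated lab), and
# the sensor writes Suricata-style eve.json alert records.
set -u

# Return 0 if the file begins with a libpcap (either byte order, micro- or
# nanosecond timestamps) or pcapng magic number, 1 otherwise. Keeps a
# truncated or HTML-error-page "download" from being fed to tcpreplay.
pcap_valid() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the number of alert records in an eve.json file (0 if it is missing).
alert_count() {
    if [ -f "$1" ]; then
        grep -c '"event_type": *"alert"' "$1" || true
    else
        echo 0
    fi
}

# Replay each valid pcap in a directory and report how many new alerts the
# sensor logged for it. A sample that yields zero alerts is a detection gap.
replay_dir() {
    dir=$1; iface=$2; eve=$3
    for f in "$dir"/*.pcap; do
        [ -e "$f" ] || continue
        if ! pcap_valid "$f"; then
            echo "skip, not a pcap: $f" >&2
            continue
        fi
        before=$(alert_count "$eve")
        # --mbps caps the replay rate so a bursty capture does not simply
        # overrun the sensor; --stats=1 prints throughput every second.
        if ! tcpreplay --intf1="$iface" --mbps=10 --stats=1 "$f"; then
            echo "replay failed: $f" >&2
            continue
        fi
        sleep 2                      # let the sensor flush its alert log
        after=$(alert_count "$eve")
        echo "$f: $((after - before)) new alerts"
    done
}

# Usage: sh replay_samples.sh /srv/pcaps eth1 /var/log/suricata/eve.json
if [ $# -eq 3 ]; then
    replay_dir "$1" "$2" "$3"
fi
```

Counting alerts rather than just watching the sensor console matters because a sample that replays cleanly but raises nothing is the result you are looking for; those files are the ones to hand to whoever writes your custom signatures. Keep the rate cap in mind when a sample was captured at higher speed: tcpreplay will respect the cap, and some sensors behave differently under load than at 10 Mbps.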

By establishing a threat intelligence program, organizations can join the hunt and enable their
security operations teams to proactively find and mitigate threats before detection gaps are
exploited.


About the Author

Josh Gomez

Senior Security Researcher for Anomali, a provider of market leading
threat intelligence platforms. He has more than 15 years of experience in
the networking and information security industries. Prior to Anomali,
Josh was a senior member of FireEye Labs where he specialized in
the research and detection of exploit kits, malvertising and crimeware. He has also developed
AV/IDS/IPS detections for Symantec and led security operations at a large Fortune 500 retailer.


33 Cyber Warnings E-Magazine November 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
