The FOR608: Enterprise-Class Incident Response & Threat Hunting course begins with discussions on current cyber defense concerns and how incident responders and threat hunters can take a more active role in detection and response. Collaboration within the team and the community is a focus, as we look to incorporate shared knowledge from sources like the MITRE ATT&CK® framework. Furthermore, we discuss taking an active defense approach to slow attackers and facilitate detection. Specific to active detection, the use of honeypots, honey tokens, and canaries is covered, along with ways to deploy them opportunistically. This type of tripwire in the network gives defenders and responders the visibility they need to find and respond to intrusions quickly.
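To make the tripwire idea concrete, here is an added example (not FOR608 course material and not any product's code) of the honey-token lifecycle in Python: mint a decoy credential with a random component, plant it in a decoy file where an intruder browsing a host would look, and alert on any appearance of the decoy username or secret in logs. The file name, the sshd-style and proxy-style log formats, and the log lines themselves are constructed for illustration.

```python
"""Honey-token tripwire: mint a decoy credential, plant it in a decoy
file, and alert on any use of it in authentication or proxy logs.

Added example, not FOR608 course material or any product's code. The
decoy file name, log formats and log lines are constructed.
"""
import re
import secrets
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable


@dataclass(frozen=True)
class HoneyToken:
    name: str       # where it was planted, so a hit says where the intruder has been
    username: str   # decoy account that no legitimate process ever uses
    secret: str     # decoy secret, random so its appearance anywhere is unambiguous


def mint_token(name: str, username_prefix: str = "svc-backup") -> HoneyToken:
    # A random suffix per token keeps each planted copy distinct; two decoys
    # on two hosts must not share a username or you lose the "where" signal.
    suffix = secrets.token_hex(4)
    return HoneyToken(name=name,
                      username=f"{username_prefix}-{suffix}",
                      secret=secrets.token_urlsafe(24))


def plant_token(token: HoneyToken, directory: Path) -> Path:
    # Decoy .env file (constructed name) in a place an intruder would check.
    path = directory / "backup.env"
    path.write_text(f"BACKUP_USER={token.username}\nBACKUP_PASSWORD={token.secret}\n")
    return path


# Constructed log shapes: an sshd-style auth line and a proxy access line.
AUTH_RE = re.compile(r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
PROXY_RE = re.compile(r'^(?P<ip>\S+) \S+ "(?P<url>[^"]+)"')


def detect_token_use(tokens: Iterable[HoneyToken], log_lines: Iterable[str]) -> list[dict]:
    """Return one alert per log line that touches any decoy username or secret."""
    by_user = {t.username: t for t in tokens}
    by_secret = {t.secret: t for t in tokens}
    alerts = []
    for line in log_lines:
        hit, src = None, "unknown"
        m = AUTH_RE.search(line)
        if m and m.group("user") in by_user:
            hit, src = by_user[m.group("user")], m.group("ip")
        else:
            # Secrets also leak into URLs, headers and command lines. Any
            # substring match is a true positive: nothing legitimate uses it.
            for secret, tok in by_secret.items():
                if secret in line:
                    p = PROXY_RE.match(line)
                    hit, src = tok, (p.group("ip") if p else "unknown")
                    break
        if hit:
            alerts.append({"token": hit.name, "user": hit.username,
                           "src_ip": src, "evidence": line})
    return alerts


if __name__ == "__main__":
    import tempfile
    tok = mint_token("fileserver01:/opt/backup/backup.env")
    with tempfile.TemporaryDirectory() as d:
        print("planted", plant_token(tok, Path(d)))
    # Constructed log lines: one legitimate logon, one decoy logon, one URL leak.
    logs = [
        "Accepted password for alice from 10.20.30.9 port 51022 ssh2",
        f"Failed password for invalid user {tok.username} from 10.20.30.40 port 40112 ssh2",
        f'10.20.30.40 - "GET /api/restore?key={tok.secret} HTTP/1.1" 403',
    ]
    for a in detect_token_use([tok], logs):
        print("ALERT", a["token"], "used from", a["src_ip"])
```

The detection is deliberately simple because the signal is: a decoy credential has no legitimate use, so a single match is a high-confidence alert, and the per-token suffix tells you which host or share the attacker read. Keep the registry of minted tokens somewhere the attacker cannot reach (the SIEM, not the honeypot host), or the list itself gives the decoys away.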
When a compromise does occur, which is an unfortunate but inevitable truth, we continue the discussion with a focus on the processes and techniques that allow for efficient handling of intrusions. Concepts such as leading the response, managing team members, documenting findings, and communicating with stakeholders are covered in detail. We introduce the "3 Priorities of Incident Response" model, which aligns incident response with business requirements. The purpose-built Aurora tool is presented as a collaborative platform for tracking the investigation phases, from initial detection through scoping, containment, indicator development, and remediation.
We continue the day with an examination of key threat intelligence concepts, including developing and implementing threat intelligence internally. External projects such as the MITRE ATT&CK® matrix and Sigma are also leveraged. We discuss both MISP and OpenCTI as two comprehensive threat intel platforms for ingesting, tracking, and sharing threat intelligence. A threat intel report on the adversary targeting our example company, Stark Research Labs (SRL), is presented as we start to look for potential signs of intrusion in the company.
We finish the day by using an alert triggered in our example company network as a pivot point into a potential attack. Triage data collected by company personnel has been processed into a timeline and imported into Timesketch. We use Timesketch as a powerful platform for scalable and collaborative analysis of forensic data. Best practices for importing timeline data, providing additional field parsing, and enrichment are introduced to help highlight anomalous activity. Later in the class, we also provide techniques to view the same data set with Kibana, which offers additional capabilities, such as dashboards for visualizations and saved searches to aid analysis.
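As an added example (not course material and not Timesketch's own code) of the import preparation referred to above: Timesketch's CSV importer requires `message`, `datetime` and `timestamp_desc` columns and imports any further columns as searchable attributes of each event, so parsing fields out of raw records before import is what later makes a query such as `src_ip:"10.20.30.40"` possible. The logon records below are constructed; the field names mirror Windows Security events 4624/4625 but every value is invented.

```python
"""Convert constructed Windows Security logon events (JSON lines) into a
Timesketch-importable CSV with additional parsed fields.

Added example, not FOR608 course material and not Timesketch's own code.
Records are constructed: names mirror event 4624/4625 fields, values are invented.
"""
import csv
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample input, one JSON object per line (not real captures).
SAMPLE_JSONL = """\
{"TimeCreated": "2024-03-04T10:15:22.123456Z", "Computer": "SRL-WS07", "EventID": 4624, "TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "10.20.30.40"}
{"TimeCreated": "2024-03-04T10:16:05Z", "Computer": "SRL-WS07", "EventID": 4624, "TargetUserName": "SYSTEM", "LogonType": "5", "IpAddress": "-"}
{"TimeCreated": "2024-03-04T10:17:48Z", "Computer": "SRL-DC01", "EventID": 4625, "TargetUserName": "administrator", "LogonType": "3", "IpAddress": "10.20.30.40"}
"""

# Windows logon type codes; 10 (RDP) and 3 (network) are the ones that
# usually matter when looking for lateral movement.
LOGON_TYPE_NAMES = {"2": "Interactive", "3": "Network", "5": "Service",
                    "7": "Unlock", "9": "NewCredentials", "10": "RemoteInteractive"}


def to_timesketch_row(record: dict) -> dict:
    # Timesketch requires exactly these three columns (datetime as ISO 8601);
    # every other column becomes a searchable attribute of the event.
    dt = datetime.fromisoformat(record["TimeCreated"].replace("Z", "+00:00"))
    if dt.tzinfo is None:          # treat naive timestamps as UTC, explicitly
        dt = dt.replace(tzinfo=timezone.utc)
    ip = record.get("IpAddress", "-")
    src_ip = "" if ip == "-" else ip   # Windows writes "-" for local logons
    logon_type = str(record.get("LogonType", ""))
    outcome = "success" if record["EventID"] == 4624 else "failure"
    return {
        "datetime": dt.isoformat(),
        "timestamp_desc": "Event Logged",
        "message": (f"Logon {outcome}: {record['TargetUserName']} on {record['Computer']} "
                    f"type {logon_type} from {src_ip or 'local'}"),
        # Additional parsed fields: filterable as src_ip:"..." or
        # logon_type_name:"RemoteInteractive" once imported.
        "hostname": record["Computer"],
        "event_id": record["EventID"],
        "target_user": record["TargetUserName"],
        "logon_type": logon_type,
        "logon_type_name": LOGON_TYPE_NAMES.get(logon_type, "Unknown"),
        "src_ip": src_ip,
        "outcome": outcome,
    }


def convert(jsonl_text: str) -> list[dict]:
    """Parse JSON lines into Timesketch rows, skipping blank lines."""
    return [to_timesketch_row(json.loads(line))
            for line in jsonl_text.splitlines() if line.strip()]


def write_csv(rows: list[dict], path: Path) -> Path:
    with path.open("w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)
    return path


if __name__ == "__main__":
    out = write_csv(convert(SAMPLE_JSONL), Path("logons_timesketch.csv"))
    print("wrote", out)
```

The resulting CSV can be uploaded through the Timesketch web UI or the importer client; once it is in a sketch, the extra columns are what let you pivot from the triggering alert to every logon from the same source address across all hosts in the timeline.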
- Development of honey tokens for active detection
- Documenting an initial alert in Aurora
- Using OpenCTI to analyze threat reports of actors targeting our example company's industry
- Using Timesketch to analyze a potential breach in the company
- Continuing to document findings in Aurora, which tallies team scores on the FOR608 scoreboard
Incident Response and Threat Hunting in the Enterprise
Managing Large-Scale Response
- Fostering key principles of successful response within the team and organization
- Structuring teams, roles, and responsibilities
- Leading the response
- Managing resources
- Combining incident response and project management disciplines
- Effective documentation and communication for tracking and reporting incidents
- Introduction to Aurora, an incident response documentation platform
Intel-Driven Incident Response
- Understanding the importance of cyber threat intelligence in incident response
- Reviewing various sources of threat intelligence and integrating them with the IR process
- Developing and managing intelligence in your organization
- Analysis of the ATT&CK® matrix and its importance in mapping out attacker techniques and capabilities
- Using OpenCTI to catalog, organize, and visualize threat actor TTPs
Scalable & Collaborative Analysis with Timesketch
- Using Timesketch to perform deep-dive analysis across multiple hosts with multiple analysts
- Annotating, labeling, and bookmarking events of interest to create custom timeline views
- Variations on data import that allow for additional field parsing
- Applying analytics and visualizers to assist analysis
- Creating stories to convey findings