Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Place for Analysis of competing hypotheses (ACH) in Cyber Threat intelligence (CTI) Applications and Evolution.

Published byAlvin McGee Modified over 6 years ago

Similar presentations

Presentation on theme: "A Place for Analysis of competing hypotheses (ACH) in Cyber Threat intelligence (CTI) Applications and Evolution."— Presentation transcript:

1 A Place for Analysis of competing hypotheses (ACH) in Cyber Threat intelligence (CTI) Applications and Evolution

2 Senior Threat Intelligence Analyst
Caitlin HueY Senior Threat Intelligence Analyst EclecticIQ

3 Agenda What is ACH Traditional uses of ACH ACH in CTI Use Case
Structuring ACH Evolution of ACH Conclusion

4 ACH: Analysis of Competing Hypotheses
Analyst tradecraft Evaluate consistencies and inconsistencies See an alternative view(s) Produce a more confident hypothesis – one hypothesis will score stronger that the rest (H1, H2, H3) based on available evidence

5 ACH Applied Traditional ACH: Analysts operating over several “INTs” have relied on a way to effectively test data coming from multiple sources and producers in order to measure evidence against them. Place in CTI: Producers and consumers of cyber threat intelligence have largely relied on ACH to evaluate data and analyze it on the basis of identifying attribution, patterns, and more.

6 Traditional Uses of ACH
Evaluate a range of hypotheses against a set of evidence Weigh evidence against each hypothesis Calculate score of how individual pieces of evidence proves or disproves a hypothesis Enhanced use of the “Analyst Comment” Confidence in something increases after conducting ACH

7 Place for ACH in CTI ACH conducted in CTI is different from traditional applications Types of evidence Qualify evidence Facilitate intelligence sharing in a structured way

8

9 USE Case

10 Gorgon Group Report: Roma225 Campaign

11 Using Models to Expand What We Know
?? Gorgon Group Phishing s impersonating a senior partner in a major Brazilian law firm Leveraged Duck DNS PowerPoint add-in document (.ppa extension) armed with auto-open VBA macro code Blogspot hosted web page downloaded by mshta.exe MSHTA.exe RevengeRAT payload Italian Automotive Sector

12 Looking at the Evidence
H1: Gorgon Group is behind Roma225 H2: Gorgon Group is not behind Roma225 H1 H2 RevengeRAT Is Not Exclusively Used by Gorgon Group + Dynamic DNS Service Does Not Align with Gorgon Group Infrastructure - Gorgon Group Did Not Use Blogger Service in Previous Campaigns - - MSHTA.exe Not Used by Gorgon Group Before Sophistication: Novice to Practitioner Gorgon Group Unlikely to Repeat OPSEC mistake For ACH to work, you must have hypotheses are mutually exclusive: for one to be true, the other one is false. Very Inconsistent Inconsistent + Consistent ++ Very Consistent

13 What This Starts to Look Like
Confirmed reality vs a speculative one H1, H2, H3 Changing how we share Hypotheses with the community Making ACH actionable My initial mapping of this campaign is turning less into a confirmed reality – and more into a speculative one. In that I mean, I am trying to bring context to the unknowns and represent these in the same way I am able to represent my initial mapping of this campaign…next slide…

14 How can we involve this core tradecraft into something to structure

15 What Structure Helps to Achieve
See Hypotheses from different sources over time See what the world looks like if Producer A’s hypotheses were true Use structured ACH as a way to expand an organization’s threat hunting around the diamond model To identify all the hypotheses related to a Threat Actor See same/similar evidence used to support different Hypotheses over time

16 What Structure Helps to Achieve (2)
How to maintain changes in hypotheses over time Example: WannaCry Where we can import classic intel  automate Competing hypotheses How to champion one hypothesis and reduce the noise of less-supported hypotheses Metrics as a way to evaluate sources

17 Is ACH Evolving? ACH as a process is cumbersome/lengthy
There is no way to currently receive results from conducting ACH apart from a free text report Track various hypotheses over time Get value from someone else’s ACH process into my own intelligence

18 Questions & Conclusion

Download ppt "A Place for Analysis of competing hypotheses (ACH) in Cyber Threat intelligence (CTI) Applications and Evolution."

Similar presentations

Certificates of Completion Online service by MyEducationPath.com is the directory of MOOC and online courses from different.

Certificates of Completion Online service by MyEducationPath.com is the directory of MOOC and online courses from different.
ACH: Analysis of Competing Hypotheses Presented by: Jingshan Huang.

ACH: Analysis of Competing Hypotheses Presented by: Jingshan Huang.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
Evaluating Hypotheses Chapter 9. Descriptive vs. Inferential Statistics n Descriptive l quantitative descriptions of characteristics.

Evaluating Hypotheses Chapter 9. Descriptive vs. Inferential Statistics n Descriptive l quantitative descriptions of characteristics.
Development of a Theory. Now that I’ve shown that adults cannot hear certain ringtones, did I just make a new scientific theory? 1.Yes 2.No.

Development of a Theory. Now that I’ve shown that adults cannot hear certain ringtones, did I just make a new scientific theory? 1.Yes 2.No.
Lessons Learned in Smart Grid Cyber Security

Lessons Learned in Smart Grid Cyber Security
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
Enhancing the Web With End-User Programming Tak Yeon Lee, Ben Bederson.

Enhancing the Web With End-User Programming Tak Yeon Lee, Ben Bederson.
Title Page This page should contain the title of your project By: Student Name Mrs. Diggs 7 th Grade Language Arts November 21, 2014.

Title Page This page should contain the title of your project By: Student Name Mrs. Diggs 7 th Grade Language Arts November 21, 2014.
© 2010 Oracle Corporation – Proprietary and Confidential.

© 2010 Oracle Corporation – Proprietary and Confidential.
Consistency in Reporting Data Breaches

Consistency in Reporting Data Breaches
LECTURE 5 HYPOTHESIS TESTING EPSY 640 Texas A&M University.

LECTURE 5 HYPOTHESIS TESTING EPSY 640 Texas A&M University.
Scientific Method Earth and Space- 6 th Grade. Scientific Method The scientific method is the only scientific way accepted to back up a theory or idea.

Scientific Method Earth and Space- 6 th Grade. Scientific Method The scientific method is the only scientific way accepted to back up a theory or idea.
Develop your Legal Practice using “Cloud” applications, but … Make sure your data is safe! Tuesday 17 November 2015 The Law Society, London Allan Carton,

Develop your Legal Practice using “Cloud” applications, but … Make sure your data is safe! Tuesday 17 November 2015 The Law Society, London Allan Carton,
AP Statistics Chapter 11 Notes. Significance Test & Hypothesis Significance test: a formal procedure for comparing observed data with a hypothesis whose.

AP Statistics Chapter 11 Notes. Significance Test & Hypothesis Significance test: a formal procedure for comparing observed data with a hypothesis whose.
Some Slides from Art Costa on Effective Questioning Challenge yourself to make thinking skill requirements specific to your students.

Some Slides from Art Costa on Effective Questioning Challenge yourself to make thinking skill requirements specific to your students.
Why Freelance Developers Are Switching To Econtracts

Why Freelance Developers Are Switching To Econtracts
Chapter 1, Section 2 Answers to review for worksheet pages

Chapter 1, Section 2 Answers to review for worksheet pages
Module 10 Hypothesis Tests for One Population Mean

Module 10 Hypothesis Tests for One Population Mean
GALLERIA DIAMOND JSWT AGENDA

GALLERIA DIAMOND JSWT AGENDA

Similar presentations

Ads by Google