4 posts tagged with "risk"

· 11 min read
Jose Luis Sánchez Martínez

TL;DR

Previous blogs:

This is the last entry related to TIBER-EU and TIBER-ES. So far we have seen the processes related to Threat Intelligence and Red Team. Now it is the turn of the Blue Team process, which, unlike the previous two, is carried out by the Entity's own Blue Team. This team can be outsourced or belong to the Entity itself, and its objective is to detect and defend the Entity's business in case of an attack.

During a TIBER-EU exercise, the Blue Team is not aware that any penetration test will be performed, so it must be able to detect the attacks carried out by the Red Team provider. Afterwards, the Blue Team must produce reports that correlate the Red Team's attacks with its own findings.

As I did in the previous posts, I have developed a set of cases in The Hive so that Blue Teams can import them quickly and know the different actions they have to carry out, using the Task logs to document and attach everything they do during the test.

The developed cases cover all the phases that TIBER-EU mentions in its documentation; in addition, I have included good practices and approaches for tackling some of the phases.

The Hive was chosen for the following reasons:

  • Cases can be merged
  • It can be integrated with MISP
  • It can be integrated with Cortex and its analyzers
  • Case templates can be created

GitHub project: https://github.com/jstnk9/TIBER-Cases

· 10 min read
Jose Luis Sánchez Martínez

TL;DR

Previous blog: https://jstnk9.github.io/jstnk9/blog/TIBER-EU-ES-Threat-Intelligence-Series-01

After publishing the first post on TIBER-EU/ES from the point of view of the Threat Intelligence provider, it is now time to talk about the role of the Red Team provider.

The purpose of the Red Team provider is to execute the final security test on the Entity. This execution is supported by the extensive analysis previously carried out by the Threat Intelligence team, which, among other things, provides the different scenarios that should be executed, all of them from the perspective of a real attacker. Additionally, as we saw in the previous post, the Threat Intelligence team defines a series of flags for the Red Team to capture during the test, which gives the execution a concrete objective.

As I did in the previous post, I have developed a set of cases in The Hive so that Red Teams can import them quickly and know the different actions they have to carry out, using the Task logs to document and attach everything they do during the test.

The developed cases cover all the phases that TIBER-EU mentions in its documentation; in addition, I have included good practices and approaches for tackling some of the phases.

The Hive was chosen for the following reasons:

  • Cases can be merged
  • It can be integrated with MISP
  • It can be integrated with Cortex and its analyzers
  • Case templates can be created

GitHub project: https://github.com/jstnk9/TIBER-Cases

· 11 min read
Jose Luis Sánchez Martínez

TL;DR

After the Bank of Spain (BDE) published the TIBER-ES guide, the adaptation of TIBER-EU to the national territory, in January 2022, I started thinking about the complexity that providing this service to financial entities would in some cases entail for Threat Intelligence and Red Team providers.

For this reason, I wanted to build something that lets Threat Intelligence teams speed up their work through predefined cases in The Hive, the well-known platform used in the CTI world.

The developed cases cover all the phases that TIBER-EU mentions in its documentation; in addition, I have included good practices and approaches for tackling some of the phases.

The Hive was chosen for the following reasons:

  • Cases can be merged
  • It can be integrated with MISP
  • It can be integrated with Cortex and its analyzers
  • Case templates can be created

GitHub project: https://github.com/jstnk9/TIBER-Cases

· 9 min read
Jose Luis Sánchez Martínez

TL;DR

Thanks to threat modeling, a strategic view of the main threats can be built in order to focus prioritization efforts on the points where the greatest risk may exist.

From a Cyber Threat Intelligence perspective, the focus is on identifying actors and events, together with the TTPs and tradecraft used in them, and relating them to our organization's activity.

The model has the advantage of being as flexible as we want, which helps it adapt to our intelligence needs.