SlideShare a Scribd company logo

Automated IOC Detection and Response through Seamless Orchestration.pdf

M
Mohammad Febri

Modern organizations are facing the severe challenge of effectively countering threats and mitigating Indicators of Compromise (IOCs) within their network environments. The increasing complexity and volume of cyber threats has highlighted the urgency of building robust mechanisms to block specific IOCs independently. While some organizations have adopted Endpoint Detection and Response (EDR) systems, these solutions often have limitations and require manual processes to collect and examine IOCs from multiple sources. These operational barriers prevent organizations from achieving a proactive and efficient defense posture, an obstacle that is particularly important due to the critical role that IOC blocking plays in containing the spread of threats and limiting potential damage. Hence, the need for a solution that orchestrates automated IOC blocking, utilizing tools such as AlienVault Open Threat Exchange (OTX), VirusTotal, CrowdStrike, and Slack. In this presentation, we examine the importance of automated IOC blocking and its potential to strengthen network security, while highlighting the critical role that these tools play in mitigating evolving cyber threats.

Technology
1 of 20
Download to read offline
Mohammad Febri, Akshantula Neha November 5, 2023 IDSECCONF2023, Primakara University Bali Cyber Harmony: Automated IOC Detection and Response through Seamless Orchestration
Introduction Akshantula Neha Software Development Engineer in Test at Halodoc Woman in cybersecurity from the National Institute of Engineering, Mysuru, India ISC2 Certified in Cybersecurity Mohammad Febri Sr. Engineering Manager at Halodoc Cybersecurity researcher and open-source contributor CEH, OSCP, GCIH
Resources Materials: ● OTX AlienVault ● VirusTotal ● Crowdstrike ● Slack Slide: ● Slidesgo
Table of contents Background 01 04 03 Demo Summary 02 05 Details Future Works
01 Background
Problem Statements ❏ Indicator of compromise (IOC) are improving all the time. ❏ The IOCs must be analyzed and takes time. ❏ Relying on outdated data. Objectives ❏ Establish and improve the security posture for the organization. ❏ Create automated threat detection and response. ❏ Provide up to data and real-time alerting.
02 Details
2.1 Flow
2.2.1. Code: Collect IOC from OTX
2.2.2. Code: Analyse IOC using VirusTotal
2.2.3. Code: Block IOCs using EDR *Tools options: 1. EDR, 2. Firewall, 3. DLP, 4. etc
2.2.4. Send notifications as Reports
03 Demo
04 Summary
18390 Total IOC from Alienvault Collection 590 Total IOCs blocked 587 Total hashes blocked Results 3 Total domain blocked
Pros and Cons Pros Cons Implement this ● Automated analysis and programmatically block. ● Allocate time to focus other. ● Leveraging updated IOCs. ● Human prone error during analysis is avoided ● API limitation from VirusTotal. ● Need to maintain regularly (pipeline, key/token, repo, etc). Not Implement This ● IOCs less related to organisation may be analysed and added. ● No need to integrate other tools ● Manual analysis which involves traditional blocking approach. ● Spending some time. ● IOCs not up to date. ● May involve human prone error during analysis.
FAQ Q: Can we add IOCs from other resources? A: Absolutely, as long as there is a IOC standardisation format. Q: Is it required to manually run the script every time? A: The existing scripts run periodically via automation job through jenkins. We may configure it daily or real-time for sure. Q: Will IOCs be stored? If yes, for how long? A: Crowdstrike continues to block the IOCS as long as they are available. Q: What will happen if the API exceed the limit? A: Unfortunately, the rate limit will error. However, we can started to consider rate limit monitoring, caching mechanism, prioritize request, or upgrade the plan. Q:Any details or description provided by OTX AlienVault on IOCs? A: Yes, descriptions are provided by AlienVault and can be customized as needed.
05 Future Works
What Next? Adjust Adjust if any improvements are required. For instance threshold, type of IOCs IOA Started to consider the Indicator of Attack (IOA) AI Utilise AI to identify the traffic anomaly, malicious behaviour/ pattern, etc 01 02 03
CREDITS: This presentation template was created by Slidesgo, and includes icons by Flaticon, and infographics & images by Freepik Thanks! Any questions? Let’s connect with us on Linkedin: ● https://www.linkedin.com/in/mohammadfebriramadlan/ ● https://www.linkedin.com/in/akshantula-neha-55859922b/

Recommended

Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Amélie Gyrard
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
Vulnerability Detection Based on Git History
Vulnerability Detection Based on Git HistoryVulnerability Detection Based on Git History
Vulnerability Detection Based on Git HistoryKenta Yamamoto
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
Singapore International Cyberweek 2020
Singapore International Cyberweek 2020Singapore International Cyberweek 2020
Singapore International Cyberweek 2020Abhik Roychoudhury
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 

Recommended

Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure DevelopmentBosnia Agile
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Amélie Gyrard
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
Vulnerability Detection Based on Git History
Vulnerability Detection Based on Git HistoryVulnerability Detection Based on Git History
Vulnerability Detection Based on Git HistoryKenta Yamamoto
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
Singapore International Cyberweek 2020
Singapore International Cyberweek 2020Singapore International Cyberweek 2020
Singapore International Cyberweek 2020Abhik Roychoudhury
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Automated Cloud-Native Incident Response with Kubernetes and Service Mesh
Automated Cloud-Native Incident Response with Kubernetes and Service MeshAutomated Cloud-Native Incident Response with Kubernetes and Service Mesh
Automated Cloud-Native Incident Response with Kubernetes and Service MeshMatt Turner
 
Why monitoring is an analytics problem
Why monitoring is an analytics problemWhy monitoring is an analytics problem
Why monitoring is an analytics problemPhillip Liu
 
Microservices and Devs in Charge: Why Monitoring is an Analytics Problem
Microservices and Devs in Charge: Why Monitoring is an Analytics ProblemMicroservices and Devs in Charge: Why Monitoring is an Analytics Problem
Microservices and Devs in Charge: Why Monitoring is an Analytics ProblemSignalFx
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
5WCSQ - Quality Improvement by the Real-Time Detection of the Problems
5WCSQ - Quality Improvement by the Real-Time Detection of the Problems5WCSQ - Quality Improvement by the Real-Time Detection of the Problems
5WCSQ - Quality Improvement by the Real-Time Detection of the ProblemsTakanori Suzuki
 
Application of Data Mining Techniques for Improving Continuous Integration
Application of Data Mining Techniques for Improving Continuous IntegrationApplication of Data Mining Techniques for Improving Continuous Integration
Application of Data Mining Techniques for Improving Continuous IntegrationDr. Amarjeet Singh
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsIn-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsPLUMgrid
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 
Resume_Thoota_Phani (2)
Resume_Thoota_Phani (2)Resume_Thoota_Phani (2)
Resume_Thoota_Phani (2)Phani Thoota
 
Software Security: In the World of Cloud & CI-CD
Software Security: In the World of Cloud & CI-CDSoftware Security: In the World of Cloud & CI-CD
Software Security: In the World of Cloud & CI-CDOWASP Delhi
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyDevOps.com
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source WayBlack Duck by Synopsys
 
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»GoQA
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyAccenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyHoneywell
 
From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018Christophe Rochefolle
 
S4x20 Forescout Presentation
S4x20 Forescout Presentation S4x20 Forescout Presentation
S4x20 Forescout Presentation Brian Proctor - GICSP, CISSP, CRISC
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Certified Deep Learning Specialist (CDLS)
Certified Deep Learning Specialist (CDLS)Certified Deep Learning Specialist (CDLS)
Certified Deep Learning Specialist (CDLS)GICTTraining
 
RumahSehat Enterprise Architecture using TOGAF
RumahSehat Enterprise Architecture using TOGAFRumahSehat Enterprise Architecture using TOGAF
RumahSehat Enterprise Architecture using TOGAFMohammad Febri
 
Cybersecurity and Risk Management Technology
Cybersecurity and Risk Management TechnologyCybersecurity and Risk Management Technology
Cybersecurity and Risk Management TechnologyMohammad Febri
 

More Related Content

Similar to Automated IOC Detection and Response through Seamless Orchestration.pdf

Automated Cloud-Native Incident Response with Kubernetes and Service Mesh
Automated Cloud-Native Incident Response with Kubernetes and Service MeshAutomated Cloud-Native Incident Response with Kubernetes and Service Mesh
Automated Cloud-Native Incident Response with Kubernetes and Service MeshMatt Turner
 
Why monitoring is an analytics problem
Why monitoring is an analytics problemWhy monitoring is an analytics problem
Why monitoring is an analytics problemPhillip Liu
 
Microservices and Devs in Charge: Why Monitoring is an Analytics Problem
Microservices and Devs in Charge: Why Monitoring is an Analytics ProblemMicroservices and Devs in Charge: Why Monitoring is an Analytics Problem
Microservices and Devs in Charge: Why Monitoring is an Analytics ProblemSignalFx
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive softwareAlan Tatourian
 
5WCSQ - Quality Improvement by the Real-Time Detection of the Problems
5WCSQ - Quality Improvement by the Real-Time Detection of the Problems5WCSQ - Quality Improvement by the Real-Time Detection of the Problems
5WCSQ - Quality Improvement by the Real-Time Detection of the ProblemsTakanori Suzuki
 
Application of Data Mining Techniques for Improving Continuous Integration
Application of Data Mining Techniques for Improving Continuous IntegrationApplication of Data Mining Techniques for Improving Continuous Integration
Application of Data Mining Techniques for Improving Continuous IntegrationDr. Amarjeet Singh
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsIn-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsPLUMgrid
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 
Resume_Thoota_Phani (2)
Resume_Thoota_Phani (2)Resume_Thoota_Phani (2)
Resume_Thoota_Phani (2)Phani Thoota
 
Software Security: In the World of Cloud & CI-CD
Software Security: In the World of Cloud & CI-CDSoftware Security: In the World of Cloud & CI-CD
Software Security: In the World of Cloud & CI-CDOWASP Delhi
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyDevOps.com
 
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»GoQA
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyAccenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyHoneywell
 
From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018Christophe Rochefolle
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
Certified Deep Learning Specialist (CDLS)
Certified Deep Learning Specialist (CDLS)Certified Deep Learning Specialist (CDLS)
Certified Deep Learning Specialist (CDLS)GICTTraining
 

Similar to Automated IOC Detection and Response through Seamless Orchestration.pdf (20)

Automated Cloud-Native Incident Response with Kubernetes and Service Mesh
Automated Cloud-Native Incident Response with Kubernetes and Service MeshAutomated Cloud-Native Incident Response with Kubernetes and Service Mesh
Automated Cloud-Native Incident Response with Kubernetes and Service Mesh
 
Why monitoring is an analytics problem
Why monitoring is an analytics problemWhy monitoring is an analytics problem
Why monitoring is an analytics problem
 
Microservices and Devs in Charge: Why Monitoring is an Analytics Problem
Microservices and Devs in Charge: Why Monitoring is an Analytics ProblemMicroservices and Devs in Charge: Why Monitoring is an Analytics Problem
Microservices and Devs in Charge: Why Monitoring is an Analytics Problem
 
Highly dependable automotive software
Highly dependable automotive softwareHighly dependable automotive software
Highly dependable automotive software
 
5WCSQ - Quality Improvement by the Real-Time Detection of the Problems
5WCSQ - Quality Improvement by the Real-Time Detection of the Problems5WCSQ - Quality Improvement by the Real-Time Detection of the Problems
5WCSQ - Quality Improvement by the Real-Time Detection of the Problems
 
Application of Data Mining Techniques for Improving Continuous Integration
Application of Data Mining Techniques for Improving Continuous IntegrationApplication of Data Mining Techniques for Improving Continuous Integration
Application of Data Mining Techniques for Improving Continuous Integration
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsIn-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
 
Resume_Thoota_Phani (2)
Resume_Thoota_Phani (2)Resume_Thoota_Phani (2)
Resume_Thoota_Phani (2)
 
Software Security: In the World of Cloud & CI-CD
Software Security: In the World of Cloud & CI-CDSoftware Security: In the World of Cloud & CI-CD
Software Security: In the World of Cloud & CI-CD
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
 
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyAccenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
 
From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018
 
S4x20 Forescout Presentation
S4x20 Forescout Presentation S4x20 Forescout Presentation
S4x20 Forescout Presentation
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Certified Deep Learning Specialist (CDLS)
Certified Deep Learning Specialist (CDLS)Certified Deep Learning Specialist (CDLS)
Certified Deep Learning Specialist (CDLS)
 

More from Mohammad Febri

RumahSehat Enterprise Architecture using TOGAF
RumahSehat Enterprise Architecture using TOGAFRumahSehat Enterprise Architecture using TOGAF
RumahSehat Enterprise Architecture using TOGAFMohammad Febri
 
Cybersecurity and Risk Management Technology
Cybersecurity and Risk Management TechnologyCybersecurity and Risk Management Technology
Cybersecurity and Risk Management TechnologyMohammad Febri
 
OWASP Risk Rating Management
OWASP Risk Rating ManagementOWASP Risk Rating Management
OWASP Risk Rating ManagementMohammad Febri
 
Cloud Security: Securing The Invisible Thing
Cloud Security: Securing The Invisible ThingCloud Security: Securing The Invisible Thing
Cloud Security: Securing The Invisible ThingMohammad Febri
 
STRIDE: Digging Vulnerability by Threat Modelling
STRIDE: Digging Vulnerability by Threat ModellingSTRIDE: Digging Vulnerability by Threat Modelling
STRIDE: Digging Vulnerability by Threat ModellingMohammad Febri
 
Hacktoberfest Mozilla Indonesia 2020
Hacktoberfest Mozilla Indonesia 2020Hacktoberfest Mozilla Indonesia 2020
Hacktoberfest Mozilla Indonesia 2020Mohammad Febri
 
Leadership Skills - Communication in Organization
Leadership Skills - Communication in OrganizationLeadership Skills - Communication in Organization
Leadership Skills - Communication in OrganizationMohammad Febri
 
CDEF - Security Incident Handling and Response
CDEF - Security Incident Handling and ResponseCDEF - Security Incident Handling and Response
CDEF - Security Incident Handling and ResponseMohammad Febri
 
Vooya Passion Playground 2021 - Journey in Cybersecurity
Vooya Passion Playground 2021 - Journey in CybersecurityVooya Passion Playground 2021 - Journey in Cybersecurity
Vooya Passion Playground 2021 - Journey in CybersecurityMohammad Febri
 
Security Architecture: 3 Lines of Defense
Security Architecture: 3 Lines of DefenseSecurity Architecture: 3 Lines of Defense
Security Architecture: 3 Lines of DefenseMohammad Febri
 

More from Mohammad Febri (10)

RumahSehat Enterprise Architecture using TOGAF
RumahSehat Enterprise Architecture using TOGAFRumahSehat Enterprise Architecture using TOGAF
RumahSehat Enterprise Architecture using TOGAF
 
Cybersecurity and Risk Management Technology
Cybersecurity and Risk Management TechnologyCybersecurity and Risk Management Technology
Cybersecurity and Risk Management Technology
 
OWASP Risk Rating Management
OWASP Risk Rating ManagementOWASP Risk Rating Management
OWASP Risk Rating Management
 
Cloud Security: Securing The Invisible Thing
Cloud Security: Securing The Invisible ThingCloud Security: Securing The Invisible Thing
Cloud Security: Securing The Invisible Thing
 
STRIDE: Digging Vulnerability by Threat Modelling
STRIDE: Digging Vulnerability by Threat ModellingSTRIDE: Digging Vulnerability by Threat Modelling
STRIDE: Digging Vulnerability by Threat Modelling
 
Hacktoberfest Mozilla Indonesia 2020
Hacktoberfest Mozilla Indonesia 2020Hacktoberfest Mozilla Indonesia 2020
Hacktoberfest Mozilla Indonesia 2020
 
Leadership Skills - Communication in Organization
Leadership Skills - Communication in OrganizationLeadership Skills - Communication in Organization
Leadership Skills - Communication in Organization
 
CDEF - Security Incident Handling and Response
CDEF - Security Incident Handling and ResponseCDEF - Security Incident Handling and Response
CDEF - Security Incident Handling and Response
 
Vooya Passion Playground 2021 - Journey in Cybersecurity
Vooya Passion Playground 2021 - Journey in CybersecurityVooya Passion Playground 2021 - Journey in Cybersecurity
Vooya Passion Playground 2021 - Journey in Cybersecurity
 
Security Architecture: 3 Lines of Defense
Security Architecture: 3 Lines of DefenseSecurity Architecture: 3 Lines of Defense
Security Architecture: 3 Lines of Defense
 

Recently uploaded

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Recently uploaded (20)

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 

Automated IOC Detection and Response through Seamless Orchestration.pdf

  • 1. Mohammad Febri, Akshantula Neha November 5, 2023 IDSECCONF2023, Primakara University Bali Cyber Harmony: Automated IOC Detection and Response through Seamless Orchestration
  • 2. Introduction Akshantula Neha Software Development Engineer in Test at Halodoc Woman in cybersecurity from the National Institute of Engineering, Mysuru, India ISC2 Certified in Cybersecurity Mohammad Febri Sr. Engineering Manager at Halodoc Cybersecurity researcher and open-source contributor CEH, OSCP, GCIH
  • 3. Resources Materials: ● OTX AlienVault ● VirusTotal ● Crowdstrike ● Slack Slide: ● Slidesgo
  • 6. Problem Statements ❏ Indicator of compromise (IOC) are improving all the time. ❏ The IOCs must be analyzed and takes time. ❏ Relying on outdated data. Objectives ❏ Establish and improve the security posture for the organization. ❏ Create automated threat detection and response. ❏ Provide up to data and real-time alerting.
  • 9. 2.2.1. Code: Collect IOC from OTX
  • 10. 2.2.2. Code: Analyse IOC using VirusTotal
  • 11. 2.2.3. Code: Block IOCs using EDR *Tools options: 1. EDR, 2. Firewall, 3. DLP, 4. etc
  • 15. 18390 Total IOC from Alienvault Collection 590 Total IOCs blocked 587 Total hashes blocked Results 3 Total domain blocked
  • 16. Pros and Cons Pros Cons Implement this ● Automated analysis and programmatically block. ● Allocate time to focus other. ● Leveraging updated IOCs. ● Human prone error during analysis is avoided ● API limitation from VirusTotal. ● Need to maintain regularly (pipeline, key/token, repo, etc). Not Implement This ● IOCs less related to organisation may be analysed and added. ● No need to integrate other tools ● Manual analysis which involves traditional blocking approach. ● Spending some time. ● IOCs not up to date. ● May involve human prone error during analysis.
  • 17. FAQ Q: Can we add IOCs from other resources? A: Absolutely, as long as there is a IOC standardisation format. Q: Is it required to manually run the script every time? A: The existing scripts run periodically via automation job through jenkins. We may configure it daily or real-time for sure. Q: Will IOCs be stored? If yes, for how long? A: Crowdstrike continues to block the IOCS as long as they are available. Q: What will happen if the API exceed the limit? A: Unfortunately, the rate limit will error. However, we can started to consider rate limit monitoring, caching mechanism, prioritize request, or upgrade the plan. Q:Any details or description provided by OTX AlienVault on IOCs? A: Yes, descriptions are provided by AlienVault and can be customized as needed.
  • 19. What Next? Adjust Adjust if any improvements are required. For instance threshold, type of IOCs IOA Started to consider the Indicator of Attack (IOA) AI Utilise AI to identify the traffic anomaly, malicious behaviour/ pattern, etc 01 02 03
  • 20. CREDITS: This presentation template was created by Slidesgo, and includes icons by Flaticon, and infographics & images by Freepik Thanks! Any questions? Let’s connect with us on Linkedin: ● https://www.linkedin.com/in/mohammadfebriramadlan/ ● https://www.linkedin.com/in/akshantula-neha-55859922b/