Your SlideShare is downloading. ×
  • Like
  • Save
Kyle Maxwell "Open Source Threat Intelligence"
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Kyle Maxwell "Open Source Threat Intelligence"


Organizations can no longer rely purely on general, preventive controls. Instead, defenders must continually adapt to their adversaries, including using threat intelligence as appropriate. This talk …

Organizations can no longer rely purely on general, preventive controls. Instead, defenders must continually adapt to their adversaries, including using threat intelligence as appropriate. This talk will examine a number of tools and sources of "open source" intelligence (OSINT) focusing on network indicators, malware, and threat actor tracking. We will also look at how to extend and integrate these tools and sources with existing common technologies for already-stressed incident response teams.

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Open Source Threat Intelligence Kyle R Maxwell (@kylemaxwell) Senior Researcher, Verizon RISK Team
  • 2. 2Copyright 2013 Verizon Communications Before we begin… All trademarks belong to their respective owners. No association with any other organizations, sites, or projects is implied. And all opinions are my own.
  • 3. What are we talking about?
  • 4. 4Copyright 2013 Verizon Communications Breaking it down Open Source Threat Intelligence • Publicly available data from overt sources • Distinct from open-source software • But all software discussed today is FLOSS • Non-asset, non-vulnerability • In VERIS A4 terms: actor and action • Not investigation-focused but can support it • True intel is product of data and analysis • Generalizing slightly here to include raw-ish data • Focus on broadly gathering data, tools for analysis CISPA and other political or legislative issues are out-of-scope for this talk
  • 5. 5Copyright 2013 Verizon Communications Breaches happen quickly but get discovered slowly Phase Duration
  • 6. 6Copyright 2013 Verizon Communications Organizations don’t discover breaches internally
  • 7. Threat Data Sources
  • 8. 8Copyright 2013 Verizon Communications Collective Intelligence Framework • REN-ISAC project • Sucks in feeds of IOCs from public and private sources • Focuses on lower end of “pyramid of pain” • Exports data to infrastructure or supports lookup during response David J. Bianco
  • 9. 9Copyright 2013 Verizon Communications CIF query types Searches cif -q cif -q Feeds cif -q infrastructure/malware -c 50 CLI and RESTful API
  • 10. 10Copyright 2013 Verizon Communications OSINT IOCs • • AlienVault • • CleanMX • Emerging Threats • Forensic Artifacts • Nothink • Shadowserver • Spamhaus Among others… Image by Jeremy Vandel Used under license
  • 11. 11Copyright 2013 Verizon Communications Passive DNS • ISC DNSDB • BFK edv-consulting • Virustotal ;; bailiwick: ;; count: 2 ;; first seen: 2013-04-04 19:55:24 -0000 ;; last seen: 2013-04-04 19:55:24 -0000 IN A ;; bailiwick: ;; count: 2 ;; first seen: 2013-04-05 01:59:40 -0000 ;; last seen: 2013-04-05 01:59:40 -0000 IN A Historical records of actual DNS responses
  • 12. 12Copyright 2013 Verizon Communications Malware data VirusTotal • Sine qua non for existing public data • Search by hash, URL, domain, or other indicators • Includes passive DNS related to malware callouts • Additional data including feeds of recent samples and indicators • Part of Shadowserver Foundation • Large repository of malware samples of all types • 3 TB of data, indexed and searchable • Distributed via BitTorrent
  • 13. Threat Actor Tracking
  • 14. 14Copyright 2013 Verizon Communications What’s a threat actor? From VERIS: Entities that cause or contribute to an incident are referred to as “threat actors”. There can be more than one actor involved in any particular incident, and their actions can be malicious or non- malicious, intentional or unintentional, causal or contributory. VERIS recognizes three primary categories of threat actors – External, Internal, and Partner. Not THAT kind of threat actor! (Gary Oldman, public domain image)
  • 15. 15Copyright 2013 Verizon Communications • • • Twitter (particularly via the API or RSS) • Pastebin (e.g. @pastebindorks) • Google Alerts are particularly useful for monitoring specific actors Threat actor sources Defacements and incidents Social Media
  • 16. 16Copyright 2013 Verizon Communications Storing raw data BYODB Web tools • Use APIs and scripting languages (Python) • Store in document database (MongoDB) • Highly flexible but requires a bit more effort • Evernote • Feedly • ifttt • Delicious Impossible to do properly without automation
  • 17. Analysis
  • 18. 18Copyright 2013 Verizon Communications Maltego Write local transforms to assist in enriching your data Canari platform simplifies the process of development and deployment
  • 19. 19Copyright 2013 Verizon Communications Malformity Written principally by Keith Gilbert (VZ RISK) MALware transFORMs and ent[ITY]ities
  • 20. 20Copyright 2013 Verizon Communications Malformity Simplifies basic analysis and research
  • 21. 21Copyright 2013 Verizon Communications Dynamic malware analysis using Virtualbox. Takes screenshots, integrates with Virustotal, exposes an API, and is written in Python. Local repositories and analysis Cuckoo Sandbox Basic database for storing samples from the command line. Think of this as your “working set”. malwarehouse VxCage Larger, more complete database with a RESTful API interface. Think of this as your complete historical repository.
  • 22. 22Copyright 2013 Verizon Communications • Give context to indicators (CybOX) and other data ( • TTPs • Exploitation targets • Campaigns • Courses of Action [COA] • OpenIOC originally produced by Mandiant under Apache 2 license ( • Similar to CybOX from MITRE ( • Capture stateful properties (file hashes, IPs, HTTP GET, registry keys and values) Threat intel standards STIX OpenIOC and CybOX
  • 23. 23Copyright 2013 Verizon Communications General threat analysis Threat intelligence and actors Indicators of Compromise Use a wiki with defined templates like those from Scott Roberts for keeping profile data on specific threat actors. Link back to your document repository (e.g. in MongoDB). • Artifacts • Exploits • Intrusion sets • Third-party intelligence • Threat actors Pull feeds from CIF or similar tools into your SIEM. Organizations without an existing deployment may want to look into OSSIM to get started. Not a lot of open-source tools for sweeping hosts broadly. pyioc is one example: This is where a lot of the heavy lifting occurs.
  • 24. 24Copyright 2013 Verizon Communications How can you collaborate? Use standards Trust groups Software development • OpenIOC / CybOX • STIX (builds on CybOX) • Not “open source”, strictly speaking • But do good work and keep some of it in the public • Can be significant and targeted boost • FLOSS projects depend on the community • Github is a great place to get started • Not just developers: use case feedback, docs, etc! Threat actors talk to each other. We have to do the same.
  • 25. 25Copyright 2013 Verizon Communications Thanks to great people doing great work David J Bianco (@davidjbianco) Jeff Bryner (@p0wnlabs) Keith Gilbert (@digital4rensics) Claudio Guarnieri (@botherder) Andrew Macpherson (@andrewmohawk) J-Michael Roberts (@forensication) Scott Roberts (@sroberts) Alessandro Tanasi (@jekil) Wes Young (@barely3am) Image by woodleywonderworks Used under license
  • 26. 26Copyright 2013 Verizon Communications Future Directions • Threat actor tracking in particular is relatively nascent in the public domain • Lots of attention on getting better at sharing low-end IOCs • Determine and detect TTPs (machine learning?) Image by Neil Kremer Used under license Want to talk more? @kylemaxwell