Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF
Mining compromise indicators from Honeypot Systems
Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin
HoneyCON 2014
Affiliations: Academia Sinica, o0o.nu, chroot.org
Jul 07, 2014, Taipei
Mining compromise indicators from Honeypot Systems Affiliations: Academia Sinica, o0o.nu, chroot.org
Outline
Introduction
IOC Standards
V:IOCs
mining IOCs
Applying IOCs
EOF
WHOAMI
Affiliations: Academia Sinica, chroot, and a few others. Mainly independent
research (not vendor affiliated ;-))
WHOAMI:2
Our data sources:
Academia Sinica
Not to be named networks in Russian Federation
Good things to know
Main Assumption: All networks are compromised
The difference between a good security team and a bad security team is that
with a bad security team you will never know that you’ve been compromised.
Running honeypots in parts of the network gives a team visibility on emerging
threats that the network might face.
HP landscape
HP platforms typically have a very low false-positive ratio: if
your HP is hit, it is most likely a suspicious event.
An HP should typically replicate your typical environment. We focus
on simulating both end-user machines and servers/services.
Statistics on end-user compromises
about 40,000,000 internet users in Russia
for every 10,000 server hosts 500 hosts trigger redirects to malicious
content per week
about 20-50 user machines (full AV installed, NAT, FW) get affected
many infect .ru IP addresses only (source matters)
Campaigns
r*.ru News ~ 790 000
ne*.com news ~ 590 000
ga*.ru news ~ 490 000
a*f.ru news ~ 330 000
m*.ru news ~ 315 000
v*.ru news ~ 170 000
li*.ru news ~ 170 000
top*s.ru news ~ 140 000
Introduction:terminology
Indicators of Compromise
An indicator of compromise (IOC) in computer forensics is an artifact observed on
a network or in an operating system that with high confidence indicates a computer
intrusion.
http://en.wikipedia.org/wiki/Indicator_of_compromise
Why Indicators of Compromise?
Indicators of Compromise help us to answer questions like:
is this document/file/hash malicious?
is there any past history for this IP/domain?
what are the other similar/related domains/hashes/..?
who is the actor?
am I an APT target?!!;-)
They shorten the cycle from initial detection to automated detection.
IoCs: old dog - new tricks
A Network compromise case study:
Attackers broke in via a web vuln.
Attackers gained local admin access
Attackers created a local user
Attackers started probing other machines for default user ids
Attackers launched tunneling tools – connecting back to C2
Attackers installed RATs to maintain access
IoC Indicators
So what are the compromise indicators here?
Where did attackers come from? (IP)
What vulnerability was exploited? (pattern)
What web backdoor was used? (pattern, hash)
What tools were uploaded? (hashes)
What users were created locally? (username)
What usernames were probed on other machines? (username)
Detailed IoCs (unusual port used to serve the exploit kit, URI pattern,
MIME content type, user agent)
Warning: blind use of IoCs may lead to disaster (some IoCs are more suitable
for statistical studies than for blocking).
Where to look for IOCs internally
Outbound Network Traffic
User Activities/Failed Logins
User profile folders
Administrative Access
Access from unusual IP addresses
Database IO: excessive READs
Size of responses of web pages
Unusual access to particular files within Web Application (backdoor)
Unusual port/protocol connections
DNS and HTTP traffic requests
Suspicious Scripts, Executables and Data Files
IoCs (good and bad)
Why do we need IOCs? Because they make it easier to systematically describe
knowledge about breaches.
Identifying intrusions is hard
Unfair game:
defender should protect all the assets
attacker only needs to ’pop’ one system.
Identifying targeted, organized intrusions is even harder
Minor anomalous events are important when put together
Seeing the global picture is a must
Details matter
Attribution is hard
What’s wrong with IoCs
IoCs expire (IP addresses get discovered, cleaned)
Domain names expire
Hash collisions
Benign binaries might be malicious (depending on context)
Good or Bad?
File Name : RasTls.exe
File Size : 105 kB
File Modification Date/Time : 2009:02:09 19:42:05+08:00
File Type : Win32 EXE
MIME Type : application/octet-stream
Machine Type : Intel 386 or later, and compatibles
Time Stamp : 2009:02:02 13:38:37+08:00
PE Type : PE32
Linker Version : 8.0
Code Size : 49152
Initialized Data Size : 57344
Uninitialized Data Size : 0
Entry Point : 0x3d76
OS Version : 4.0
Image Version : 0.0
Subsystem Version : 4.0
Subsystem : Windows GUI
File Version Number : 11.0.4010.7
Product Version Number : 11.0.4010.7
File OS : Windows NT 32-bit
Object File Type : Executable application
Language Code : English (U.S.)
Character Set : Windows, Latin1
Company Name : Symantec Corporation
File Description : Symantec 802.1x Supplicant
File Version : 11.0.4010.7
Internal Name : dot1xtray
It really depends on context
RasTls.DLL
RasTls.DLL.msc
RasTls.exe
http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx
Dynamic-Link Library Search Order
IOC representations
Multiple standards have been created to facilitate IOC exchanges.
Mandiant: OpenIOC
Mitre: STIX (Structured Threat Information Expression), CybOX
(Cyber Observable Expression)
Mitre: CAPEC, TAXII
IODEF (Incident Object Description Format)
Standards: OpenIOC
OpenIOC - Mandiant-backed (Mandiant is now part of FireEye) effort for a uniform
representation of IOCs: http://www.openioc.org/
OpenIOCs
Digital Appendices/Appendix G (Digital) - IOCs$ ls
0c7c902c-67f8-479c-9f44-4d985106365a.ioc  6bd24113-2922-4d25
ad521068-6f18-4ab1-899c-11007a18ec73.ioc
12a40bf7-4834-49b0-a419-6abb5fe2b291.ioc  70b5be0c-8a94-44b4
af5f65fc-e1ca-45db-88b1-6ccb7191ee6a.ioc
2106f0d2-a260-4277-90ab-edd3455e31fa.ioc  7c739d52-c669-4d51
Appendix G IOCs README.pdf
26213db6-9d3b-4a39-abeb-73656acb913e.ioc  7d2eaadf-a5ff-4199
c32b8af3-28d0-47d3-801f-a2c2b0129650.ioc
2bff223f-9e46-47a7-ac35-d35f8138a4c7.ioc  7f9a6986-f00a-4071
c71b3305-85e5-4d51-b07c-ff227181fb5a.ioc
2fc55747-6822-41d2-bcc1-387fc1b2e67b.ioc  806beff3-7395-492e
c7fa2ea5-36d5-4a52-a6cf-ddc2257cb6f9.ioc
32b168e6-dbd6-4d56-ba2f-734553239efe.ioc  84f04df2-25cd-4f59
d14d5f09-9050-4769-b00d-30fce9e6eb85.ioc
3433dad8-879e-40d9-98b3-92ddc75f0dcd.ioc  8695bb5e-29cd-41b9
d1c65316-cddd-4d9c-8efe-c539aa5965c0.ioc
3e01b786-fe3a-4228-95fa-c3986e2353d6.ioc  86e9b8ec-7413-453b
Standards: Mitre
Mitre CybOX: http://cybox.mitre.org/
https://github.com/CybOXProject/Tools
https://github.com/CybOXProject/openioc-to-cybox
Mitre CAPEC: http://capec.mitre.org/
Mitre STIX: http://stix.mitre.org/
Mitre TAXII: http://taxii.mitre.org/
Mature: stix
Indicators of Compromise
Complex IOCs covering all steps of attack
Dynamic creation of IOCs on the fly
Auto-reload of IOCs, TTLs
Dealing with different standards/import export
Exploit pack trace
url ip mime type ref
http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html 93.189.46.222 text/html http://www.smeysyatu
http://cuba.eanuncios.net/2909620968/1/1399422480.htm 93.189.46.222 text/html http://cuba.eanuncio
http://cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive -
http://cuba.eanuncios.net/2909620968/1/1399422480.jar 93.189.46.222 application/java-archive -
http://cuba.eanuncios.net/f/1/1399422480/2909620968/2 93.189.46.222 - -
http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2 93.189.46.222 - -
Nuclearsploit pack
{'Nuclear sploit pack': {
  'step1': {
    'files': ['wz3u6si8e5lh7k2tk5ox4ne6d8g.html', 't3f5y9a2bb3dl7z8gc4o6f.html', 'zf3z9lr6ac8di6r4k
    'domains': ['father.ferremovil.com', 'thai.alohatransllc.com', 'cuba.eanuncios.net', 'duncan.
    'arguments': [],
    'directories': ['1'],
    'ip': ['93.189.46.201', '93.189.46.203', '93.189.46.222', '93.189.46.224', '93.189.46.233']},
  'step2': {
    'files': ['1399422480.htm', '1399704720.htm', '1399513440.htm', '1399514040.htm',
              '1399773300.htm'],
    'domains': ['cuba.eanuncios.net', 'duncan.disenocorporativo.com.ar', 'homany.collectiveit.com.
    'arguments': [],
    'directories': ['2909620968', '1', '507640988', '940276731', '3957283574', '952211704'],
    'ip': ['93.189.46.222', '93.189.46.224', '93.189.46.233']},
  'step3': {
    'files': ['1399422480.jar', '1399513440.jar'],
    'domains': ['cuba.eanuncios.net', 'homany.collectiveit.com.au'],
    'arguments': [],
    'directories': ['2909620968', '1', '940276731'],
    'ip': ['93.189.46.222', '93.189.46.224']},
  'step4': {
    'files': ['2'],
    'domains': ['cuba.eanuncios.net'],
    'arguments': [],
    'directories': ['f', '1', '1399422480', '2909620968', '2'],
    'ip': ['93.189.46.222']}
  }
}
Redirect (example)
http://mysimuran.ru/forum/kZsjOiDMFb/
http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231
http://c.hit.ua/hit?i=59278&g=0&x=2
http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.h
Redirect Example
{'28001': {
  'step1': {
    'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU'],
    'arguments': [],
    'files': [''],
    'ip': ['89.111.178.33'],
    'domains': ['mysimuran.ru']},
  'step2': {
    'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU', 'kJXshWOMNC'],
    'arguments': ['4231', '7697', '9741'],
    'files': ['js.js', 'cnt.html'],
    'ip': ['89.111.178.33'],
    'domains': ['mysimuran.ru']},
  'step3': {
    'directories': [],
    'arguments': ['i', 'g', 'x'],
    'files': ['hit'],
    'ip': ['89.184.81.35'],
    'domains': ['c.hit.ua']},
  'step4': {
    'directories': ['d1x', '3', '87475b26a521024ce78d7ea73164140a', 'd36eb1fc80ebe9df515d043be1557
    'arguments': [],
    'files': ['http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26',
    'ip': ['46.254.16.209'],
    'domains': ['f-wake.browser-checks.info', 'a-oprzay.browser-checks.pw']}
  }
}
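Turning a trace like the one on the "Exploit pack trace" slide into a per-step structure like the two above can be automated. What follows is an added example written for this page, not code from the slides or from the authors' iocmap: the trace rows are constructed from the slide's own URLs (the two referers the slide truncates are filled with a labelled placeholder and with the landing URL), and the rule for where a new step begins (an explicit referer hop, or a change in the served MIME type) is an assumption of this example, not the authors' algorithm.

```python
"""Mine a step-structured IOC record from an exploit-kit redirect trace.

Added example, not the slide authors' code: it turns (url, ip, mime,
referer) rows like those on the 'Exploit pack trace' slide into the
per-step files / domains / arguments / directories / ip structure shown
on the 'Nuclearsploit pack' and 'Redirect Example' slides.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample based on the slide's trace.  The two referers that the
# slide truncates are filled in here: row 1 with a labelled placeholder,
# row 2 with the landing-page URL that the slide's step structure implies.
TRACE = [
    ("http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html",
     "93.189.46.222", "text/html", "http://referring-site.example/"),
    ("http://cuba.eanuncios.net/2909620968/1/1399422480.htm",
     "93.189.46.222", "text/html",
     "http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html"),
    ("http://cuba.eanuncios.net/2909620968/1/1399422480.jar",
     "93.189.46.222", "application/java-archive", "-"),
    ("http://cuba.eanuncios.net/2909620968/1/1399422480.jar",
     "93.189.46.222", "application/java-archive", "-"),
    ("http://cuba.eanuncios.net/f/1/1399422480/2909620968/2",
     "93.189.46.222", "-", "-"),
    ("http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2",
     "93.189.46.222", "-", "-"),
]

FIELDS = ("files", "domains", "arguments", "directories", "ip")


def split_url(url):
    """Return (domain, directories, file name, sorted query-argument names)."""
    parts = urlsplit(url)
    segments = parts.path.split("/")[1:]   # drop the empty segment before the leading '/'
    directories = segments[:-1]
    filename = segments[-1] if segments else ""
    arguments = sorted(parse_qs(parts.query, keep_blank_values=True))
    return parts.hostname or "", directories, filename, arguments


def assign_steps(trace):
    """Yield (step number, row) for each row of one session trace.

    A new step starts when the request is an explicit hop (its referer is a
    URL of the current step) or when the served MIME type changes.  Repeated
    fetches of the same URL and further hits with the same MIME type stay in
    the current step, so the jar fetched twice lands in a single step.
    """
    step, step_urls, last_mime = 0, set(), None
    for row in trace:
        url, _ip, mime, referer = row
        explicit_hop = referer in step_urls
        new_content = mime != last_mime and url not in step_urls
        if step == 0 or explicit_hop or new_content:
            step += 1
            step_urls = set()
        step_urls.add(url)
        last_mime = mime
        yield step, row


def add_unique(target, items):
    """Append items not already present, keeping first-seen order."""
    for item in items:
        if item not in target:
            target.append(item)


def mine_steps(name, trace):
    """Build {name: {'step1': {...}, 'step2': {...}, ...}} from one trace."""
    steps = {}
    for n, (url, ip, _mime, _ref) in assign_steps(trace):
        bucket = steps.setdefault("step%d" % n, {f: [] for f in FIELDS})
        domain, directories, filename, arguments = split_url(url)
        add_unique(bucket["files"], [filename])
        add_unique(bucket["domains"], [domain])
        add_unique(bucket["arguments"], arguments)
        add_unique(bucket["directories"], directories)
        add_unique(bucket["ip"], [ip])
    return {name: steps}


def merge(records, name, trace):
    """Fold another session's trace into `records`, so indicators seen across
    many honeypot hits accumulate per step without duplicates."""
    mined = mine_steps(name, trace)[name]
    target = records.setdefault(name, {})
    for step, fields in mined.items():
        bucket = target.setdefault(step, {f: [] for f in FIELDS})
        for f in FIELDS:
            add_unique(bucket[f], fields[f])
    return records


if __name__ == "__main__":
    print(json.dumps(mine_steps("Nuclear sploit pack", TRACE), indent=1))
```

Each step's lists are the indicators to export (per-step domains, IPs, directory and file-name patterns), and merge() accumulates them over many sessions, which is how a single kit record comes to hold several domains and IPs per step.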
IOCs
IOCs3
IOCs viz
IOCs viz(02)
IOCs viz(3)
IOCs viz(4)
IOCs viz(5)
Sourcing External IOCs
CIF - https://code.google.com/p/collective-intelligence-framework/
feeds (with scrapers):
Sourcing External IOCs
feed your scrapers:
https://zeustracker.abuse.ch/blocklist.php?download=badips
http://malc0de.com/database/
https://reputation.alienvault.com/reputation.data ...
VT intelligence
Sourcing IOCs Internally
honeypot feeds
log analysis
traffic analysis
Extracting IoCs from HTTP traffic caps
01/14/13 06:57 PM 178.238.141.19 (url1) application/x-java-archive
01/14/13 06:57 PM 178.238.141.19 (url2) application/x-java-archive
01/14/13 06:57 PM 178.238.141.19 (url3) application/octet-stream
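Lines in this format are easy to turn into indicator records. The block below is an added example for this page (not code from the slides or from iocmap): it parses the line format shown above, keeps only servers that handed a honeypot browser Java archives or raw binaries, and attaches a first-seen/last-seen window with an expiry, which is the "IoCs expire" and "Auto-reload of IOCs, TTLs" point from earlier slides. The (url1)..(url4) placeholders are the slide's own, the 203.0.113.7 line is constructed from a TEST-NET address, and the 7-day TTL and the suspicious MIME set are assumptions of the example.

```python
"""Parse HTTP-cap summary lines into IP indicators carrying a TTL.

Added example, not from the slides or iocmap.  The line format is the one
on the 'Extracting IoCs from HTTP traffic caps' slide; the TTL handling
illustrates the 'IoCs expire' / 'Auto-reload of IOCs, TTLs' points.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d [AP]M)\s+"   # 01/14/13 06:57 PM
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"           # serving IP
    r"\((?P<url>[^)]*)\)\s+"                         # (url) as shown on the slide
    r"(?P<mime>\S+)\s*$"                             # reported MIME type
)

# Assumed for the example: content a honeypot browser session is rarely
# served legitimately, so the servers become candidate indicators.
SUSPICIOUS_MIME = {
    "application/x-java-archive",
    "application/java-archive",
    "application/octet-stream",
}

# Constructed sample: the three slide lines plus one benign line from a
# TEST-NET address so the filter has something to reject.
SAMPLE = """\
01/14/13 06:57 PM 178.238.141.19 (url1) application/x-java-archive
01/14/13 06:57 PM 178.238.141.19 (url2) application/x-java-archive
01/14/13 06:57 PM 178.238.141.19 (url3) application/octet-stream
01/14/13 06:58 PM 203.0.113.7 (url4) text/html
"""


def parse_line(line):
    """Return a record dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d/%y %I:%M %p"),
        "ip": m["ip"],
        "url": m["url"],
        "mime": m["mime"],
    }


def extract_ip_iocs(text, ttl=timedelta(days=7)):
    """Group suspicious-MIME hits by serving IP into indicator records.

    Each record carries first_seen/last_seen, a hit count, the MIME types
    observed, the URLs, and an expiry of last_seen + ttl.  The default TTL
    is an assumption of this example, not a figure from the slides.
    """
    iocs = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["mime"] not in SUSPICIOUS_MIME:
            continue
        ioc = iocs.setdefault(rec["ip"], {
            "type": "ipv4", "value": rec["ip"],
            "first_seen": rec["ts"], "last_seen": rec["ts"],
            "hits": 0, "mime_types": set(), "urls": [],
        })
        ioc["first_seen"] = min(ioc["first_seen"], rec["ts"])
        ioc["last_seen"] = max(ioc["last_seen"], rec["ts"])
        ioc["hits"] += 1
        ioc["mime_types"].add(rec["mime"])
        ioc["urls"].append(rec["url"])
    for ioc in iocs.values():
        ioc["expires"] = ioc["last_seen"] + ttl
    return iocs


def active_iocs(iocs, now):
    """Indicators still inside their TTL at `now`.  Expired entries should be
    dropped or re-confirmed by a fresh honeypot hit, not kept forever."""
    return {ip: ioc for ip, ioc in iocs.items() if now < ioc["expires"]}


if __name__ == "__main__":
    for ioc in extract_ip_iocs(SAMPLE).values():
        print(ioc["value"], ioc["hits"], sorted(ioc["mime_types"]), ioc["expires"])
```

A fresh hit on the same IP extends last_seen and therefore the expiry, so a feed built this way reloads itself from the honeypot instead of accumulating stale addresses.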
Use honeypots
Running honeypots gives an enormous advantage in detecting emerging
threats
Strategically placing honeypots is extremely important
HPfeeds, Hpfriends and more
HPFeeds Architecture
HPFeeds API in a nutshell:
import pygeoip
import hpfeeds
import json

HOST = 'broker'
PORT = 20000
CHANNELS = ['geoloc.events']
IDENT = 'ident'
SECRET = 'secret'

# GeoIP database and broker connection are opened once per sensor process
gi = pygeoip.GeoIP('GeoLiteCity.dat')
hpc = hpfeeds.new(HOST, PORT, IDENT, SECRET)

def publish_hit(ip):
    # geolocate the source of a honeypot hit and publish it on the channel
    rec = gi.record_by_addr(ip)
    msg = {'latitude': rec['latitude'],
           'longitude': rec['longitude'],
           'type': 'honeypot hit'}
    hpc.publish(CHANNELS, json.dumps(msg))
hpfeeds integration
HPFeeds works with Glastopf out of the box
Kippo (module provided http://github.com/disaster/kippo/)
NTP probe collector
HPFeeds and honeymap
HPFeeds indexing
HPFeed custom broker: writes indicators into ElasticSearch.
Could be automatically reused by other security tools
HPfeeds and post processing
Aside from analyzing HP events, post-processing can mine interesting things:
Content analysis:
Hosting domains: over 300 unique domain names:
acvilla.ucoz.com.bengos
acvilla.ucoz.com.gradina
acvilla.ucoz.com.s
adelinu.ucoz.ro.bo
adisor.webs.com.bnc2
adryanb.i.was.in
andyakamusic.altervista.org.wp
angelfire.com.komales88.gosh
angelfire.com.komales88.psybnc
angelfire.com.lukylus.rh
angellove.ucoz.net.
apropo.ucoz.net.2
apropo.ucoz.net.comp
apropo.ucoz.net.psy
apropo.ucoz.net.psycomp
apropo.ucoz.net.ssl
apropo.ucoz.net.ssll
Content analysis:
Tools, Scanners
20120211233926_http___www_freewebs_com_westcoste_php_zip
20120211234012_http___www_freewebs_com_westcoste_php_tar_gz
20120213081741_http___www_freewebs_com_westcoste_php_zip
20121217032335_http___r_o_o_t_hi2_ro_scanner_php_jpg
20130306173911_http___botiphp_go_ro_rdp_tgz
20111006193700_http___system_arhive_do_am_scanner_web_jpg
20120204145752_http___www_click4me_home_ro_scanbun_zip
20120407032809_http___XxLx2010_hi2_ro_XxLxScan_zip
20120424100124_http___pragu_webs_com_Scanner_History_tgz
20120424104136_http___qiss_ucoz_de_scanptvasy_jpg
20120701095229_http___haXers_Webs_Com_Scanner_gosh_tgz
20121006034334_http___system_comule_com_scanner_gosh_jpg
20121212214201_http___procesed_do_am_NGS_scan_CScan_tgz
Content analysis:
Exploits:
20121122231601_http___system_comule_com_exploit_e_jpg
20121122231632_http___system_comule_com_exploit_e_tgz
20140510104703_http___treeball_tripod_com_ex_tgz
20140527103805_http___treeball_tripod_com_ex_tgz
...
-rwxr-xr-x danam1/danam1  2275 2012-04-03 05:38 x/do.c
-rwxr-xr-x danam1/danam1  6910 2012-04-03 05:42 x/me.c
-rwxr-xr-x danam1/danam1  6554 2012-04-03 00:29 x/ab.c
-rwxr-xr-x danam1/danam1  4709 2012-04-03 00:08 x/new.c
-rwxr-xr-x danam1/danam1 10300 2012-04-03 00:53 x/new
drwxr-xr-x danam1/danam1     0 2012-03-29 22:58 x/x86/
-rwxr-xr-x danam1/danam1  5538 2012-03-29 22:16 x/x86/newx86
-rwxr-xr-x danam1/danam1 11302 2012-03-29 22:16 x/x86/newx86
drwxr-xr-x danam1/danam1     0 2012-03-29 22:45 x/2011/
Tools for Dynamic Detection of IOC
Snort (everyone knows, SourceFire is just outside ;-))
Yara + yara-enabled tools
Moloch
Splunk/Log search (they are also here :p)
roll-your-own:p
Applying IOCs to your detection process
moloch moloch moloch :)
Moloch
Moloch is awesome:
Open-source tools
OpenIOC manipulation
https://github.com/STIXProject/openioc-to-stix
https://github.com/tklane/openiocscripts
Mantis Threat Intelligence Framework
https://github.com/siemens/django-mantis.git
Mantis supports STIX/CybOX/IODEF/OpenIOC etc. via importers:
https://github.com/siemens/django-mantis-openioc-importer
Search splunk data for IOC indicators:
https://github.com/technoskald/splunk-search
Our framework: http://github.com/fygrave/iocmap/
iocmap
MISP
http://www.secure.edu.pl/pdf/2013/D2_1530_A_Socha.pdf
https://github.com/MISP
Tools for Dynamic Detection
Moloch
Moloch supports Yara (IOCs can be directly applied)
Moloch has awesome tagger plugin:
# tagger.so
# provides ability to import text files with IP and/or hostnames
# into a sensor that would cause autotagging of all matching sessions
plugins=tagger.so
taggerIpFiles=blacklist,tag,tag,tag...
taggerDomainFiles=domainbasedblacklists,tag,tag,tag
Moloch plugins
Moloch is easily extendable with your own plugins
https://github.com/fygrave/moloch_zmq - makes it easy to
integrate other things with Moloch via a ZMQ queue (pub/sub or push/pull model)
Moloch ZMQ example
CEP-based analysis of network-traffic (using ESPER):
https://github.com/fygrave/clj-esptool/
(esp:add "create context SegmentedBySrc partition by src from WebDataEvent")
(esp:add "context SegmentedBySrc select src, rate(30) as rate, avg(rate(30)) as avgRate from WebDataEvent.win:time(30) having rate(30) < avg(rate(30)) * 0.75 output snapshot every 60 sec")
(future-call start-counting)
Detecting DGA botnets (moloch)
Easy with our plugin. ;-)
we want to label any IP address as ’suspicious’
if it generates more than X DNS packets per minute with rcode != 0
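The rule above is simple enough to show in full. The block below is an added example for this page, not the authors' Moloch plugin: it applies the stated rule (more than X failed DNS responses per source IP per minute, any rcode other than 0 counting as a failure) to a constructed DNS log in which 10.0.0.5 bursts pseudo-random names that do not resolve and 10.0.0.9 only mistypes a couple of hostnames. The addresses, names, timestamps and the threshold values are all constructed; the slide does not fix X.

```python
"""Label source IPs producing more than X failed DNS responses per minute.

Added example, not the slide authors' Moloch plugin.  It implements the
rule on the slide ("more than X DNS packets per minute with rcode != 0")
over a constructed log so the logic can be checked offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NXDOMAIN = 3   # rcode 3; any non-zero rcode counts as a failure below


def dga_like_label(i):
    """Deterministic pseudo-random label standing in for a DGA name (constructed)."""
    return "".join(chr(97 + (7 * i + 11 * k) % 26) for k in range(10))


# Constructed DNS log: (time, client ip, queried name, rcode).
BASE = datetime(2014, 7, 7, 10, 15, 0)
DNS_LOG = [
    (BASE + timedelta(seconds=4 * i), "10.0.0.5", dga_like_label(i) + ".example", NXDOMAIN)
    for i in range(12)
] + [
    (BASE + timedelta(seconds=10), "10.0.0.9", "www.example", 0),
    (BASE + timedelta(seconds=20), "10.0.0.9", "wwww.example", NXDOMAIN),
    (BASE + timedelta(seconds=30), "10.0.0.9", "mail.example", 0),
    (BASE + timedelta(seconds=40), "10.0.0.9", "maill.example", NXDOMAIN),
]


def failures_per_minute(records):
    """Count non-zero-rcode responses per (client ip, minute bucket)."""
    counts = defaultdict(int)
    for ts, src, _qname, rcode in records:
        if rcode == 0:
            continue
        counts[(src, ts.replace(second=0, microsecond=0))] += 1
    return counts


def label_suspicious(records, threshold):
    """Return {ip: peak failures in any one minute} for clients over threshold.

    `threshold` is the slide's X and has to be tuned per network; recursive
    resolvers that forward queries for many clients should be excluded
    before this runs, or they will be the first thing labelled.
    """
    peaks = {}
    for (src, _minute), n in failures_per_minute(records).items():
        if n > threshold and n > peaks.get(src, 0):
            peaks[src] = n
    return peaks


if __name__ == "__main__":
    print(label_suspicious(DNS_LOG, threshold=10))
```

In a Moloch deployment the returned addresses would be written back as a session tag (the tagger plugin above works from exactly such IP lists), so the label is searchable next to the rest of the traffic.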
Other Sources of IOCs
ioc bucket:
http://iocbucket.com
Public blacklists/trackers could also be used as source:
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
Eset IOC repository
https://github.com/eset/malware-ioc
more coming?
Tools: IoC lookup service
show me all the entries similar to this IOC
We implemented a whois service for IOC look-ups
whois -h ioc-api.host.com attribute:value+attribute:value
We can return results in various formats: Snort, Yara, OpenIOC (ask for your
favourite)
Tools: Use YARA
rule susp_params_in_url_kind_of_fileless_bot_drive_by
{
    meta:
        date = "oct 2013"
        description = "Landing hxxp://jdatastorelame.info/indexm.html  04.10.2013 13:14  108.6
        description1 = " Java Sploit hxxp://jdatastorelame.info/054RIwj     "
    strings:
        $string0 = "http"
        $string1 = "indexm.html"
        $string2 = "054RI"
    condition:
        all of them
}
Use snort to catch suspicious traffic:
# many PlugX deployments connect to Google DNS when not in use
alert tcp !$DNS_SERVERS any -> 8.8.8.8 53 (msg:"APT possible PlugX Google DNS TCP port 53 connection attempt"; classtype:misc-activity; sid:500000112; rev:1;)
GRR: Google Rapid Response:
Other nice application of IoCs:
http://code.google.com/p/grr/
Hunting IOC artifacts with GRR
GRR: Creating rules
GRR: hunt in progress
Conclusion
Most of the tools shown here are open source,
either developed or contributed by me or by other good guys.
HP nodes are a good source of compromise indicators
IoCs should be used with great care. You need to know what you are
doing. ;-)
IoCs are getting easier to integrate with off-shelf security products
(no product advertisements here ;-))
Things to share
We are very interested in data-sharing
Academia Sinica: we run anonymized IoC feed services (openioc XML
format)
Academia Sinica: we have custom HPFeeds brokers to facilitate data
sharing
Academia Sinica: we run our own passive DNS
We are very interested in new data sources and can help you to run
analysis platforms: (big data, time series analysis of network flows, DNS
traffic, HTTP, IoC based pattern match, APK analysis).
Everything is free and open-source. Talk to us :)
Questions
Questions?
Comments?
@fygrave (fy@iis.sinica.edu.tw)
Fast and Generic Malware Triage Using openioc_scan Volatility PluginTakahiro Haruyama
 
Indicators of Compromise Magic: Living with compromise
Indicators of Compromise Magic: Living with compromiseIndicators of Compromise Magic: Living with compromise
Indicators of Compromise Magic: Living with compromiseF _
 
Synopsis viva presentation
Synopsis viva presentationSynopsis viva presentation
Synopsis viva presentationkirubavenkat
 
Hack the Hackers 2012: Client Side Hacking – Targeting the User
Hack the Hackers 2012: Client Side Hacking – Targeting the UserHack the Hackers 2012: Client Side Hacking – Targeting the User
Hack the Hackers 2012: Client Side Hacking – Targeting the UserNew Horizons Bulgaria
 
IOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareIOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareSai Kesavamatham
 
Ceh v8-course-outline
Ceh v8-course-outlineCeh v8-course-outline
Ceh v8-course-outlineAyhan Gasanly
 
Certified ethicalhacking classroom_1382954076
Certified ethicalhacking classroom_1382954076Certified ethicalhacking classroom_1382954076
Certified ethicalhacking classroom_1382954076sunil kumar
 
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTStéphanie Roger
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Maksim Shudrak
 
Ce hv8 module 03 scanning networks
Ce hv8 module 03 scanning networksCe hv8 module 03 scanning networks
Ce hv8 module 03 scanning networksMehrdad Jingoism
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceJames581435
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
Defending Against Botnets
Defending Against BotnetsDefending Against Botnets
Defending Against BotnetsJim Lippard
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)Digital Bond
 
How Can Blockchain amplify Digital Identifiers? Improving Data Persistence, O...
How Can Blockchain amplify Digital Identifiers? Improving Data Persistence, O...How Can Blockchain amplify Digital Identifiers? Improving Data Persistence, O...
How Can Blockchain amplify Digital Identifiers? Improving Data Persistence, O...sopekmir
 
Literature survey on peer to peer botnets
Literature survey on peer to peer botnetsLiterature survey on peer to peer botnets
Literature survey on peer to peer botnetsAcad
 
Automated Identification and Qualitative Characterization of Safety Concerns ...
Automated Identification and Qualitative Characterization of Safety Concerns ...Automated Identification and Qualitative Characterization of Safety Concerns ...
Automated Identification and Qualitative Characterization of Safety Concerns ...Sebastiano Panichella
 

Similar to Honeycon2014: Mining IoCs from Honeypot data feeds (20)

Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
 
Indicators of Compromise Magic: Living with compromise
Indicators of Compromise Magic: Living with compromiseIndicators of Compromise Magic: Living with compromise
Indicators of Compromise Magic: Living with compromise
 
News bytes Oct-2011
News bytes  Oct-2011News bytes  Oct-2011
News bytes Oct-2011
 
Synopsis viva presentation
Synopsis viva presentationSynopsis viva presentation
Synopsis viva presentation
 
Hack the Hackers 2012: Client Side Hacking – Targeting the User
Hack the Hackers 2012: Client Side Hacking – Targeting the UserHack the Hackers 2012: Client Side Hacking – Targeting the User
Hack the Hackers 2012: Client Side Hacking – Targeting the User
 
IOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareIOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshare
 
Ceh v8-course-outline
Ceh v8-course-outlineCeh v8-course-outline
Ceh v8-course-outline
 
Certified ethicalhacking classroom_1382954076
Certified ethicalhacking classroom_1382954076Certified ethicalhacking classroom_1382954076
Certified ethicalhacking classroom_1382954076
 
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
 
Ce hv8 module 03 scanning networks
Ce hv8 module 03 scanning networksCe hv8 module 03 scanning networks
Ce hv8 module 03 scanning networks
 
Security_Bootcamp_Intro
Security_Bootcamp_IntroSecurity_Bootcamp_Intro
Security_Bootcamp_Intro
 
Owasp Top10 2010 rc1
Owasp Top10 2010 rc1Owasp Top10 2010 rc1
Owasp Top10 2010 rc1
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
Defending Against Botnets
Defending Against BotnetsDefending Against Botnets
Defending Against Botnets
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)
 
How Can Blockchain amplify Digital Identifiers? Improving Data Persistence, O...
How Can Blockchain amplify Digital Identifiers? Improving Data Persistence, O...How Can Blockchain amplify Digital Identifiers? Improving Data Persistence, O...
How Can Blockchain amplify Digital Identifiers? Improving Data Persistence, O...
 
Literature survey on peer to peer botnets
Literature survey on peer to peer botnetsLiterature survey on peer to peer botnets
Literature survey on peer to peer botnets
 
Automated Identification and Qualitative Characterization of Safety Concerns ...
Automated Identification and Qualitative Characterization of Safety Concerns ...Automated Identification and Qualitative Characterization of Safety Concerns ...
Automated Identification and Qualitative Characterization of Safety Concerns ...
 

More from F _

Rsa2016
Rsa2016Rsa2016
Rsa2016F _
 
Hitcon 2014: Surviving in tough Russian Environment
Hitcon 2014: Surviving in tough Russian EnvironmentHitcon 2014: Surviving in tough Russian Environment
Hitcon 2014: Surviving in tough Russian EnvironmentF _
 
whats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpswhats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpsF _
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksF _
 
Phd III - defending enterprise
Phd III - defending enterprise Phd III - defending enterprise
Phd III - defending enterprise F _
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!F _
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012F _
 
From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10F _
 
Hacklu2012 v07
Hacklu2012 v07Hacklu2012 v07
Hacklu2012 v07F _
 
2011 hk fyodor-anthony_ppt
2011 hk fyodor-anthony_ppt2011 hk fyodor-anthony_ppt
2011 hk fyodor-anthony_pptF _
 
0nights2011
0nights20110nights2011
0nights2011F _
 

More from F _ (11)

Rsa2016
Rsa2016Rsa2016
Rsa2016
 
Hitcon 2014: Surviving in tough Russian Environment
Hitcon 2014: Surviving in tough Russian EnvironmentHitcon 2014: Surviving in tough Russian Environment
Hitcon 2014: Surviving in tough Russian Environment
 
whats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurpswhats wrong with modern security tools and other blurps
whats wrong with modern security tools and other blurps
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
 
Phd III - defending enterprise
Phd III - defending enterprise Phd III - defending enterprise
Phd III - defending enterprise
 
HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!HITB2013AMS Defenting the enterprise, a russian way!
HITB2013AMS Defenting the enterprise, a russian way!
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012
 
From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10
 
Hacklu2012 v07
Hacklu2012 v07Hacklu2012 v07
Hacklu2012 v07
 
2011 hk fyodor-anthony_ppt
2011 hk fyodor-anthony_ppt2011 hk fyodor-anthony_ppt
2011 hk fyodor-anthony_ppt
 
0nights2011
0nights20110nights2011
0nights2011
 

Recently uploaded

While-For-loop in python used in college
While-For-loop in python used in collegeWhile-For-loop in python used in college
While-For-loop in python used in collegessuser7a7cd61
 
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort servicejennyeacort
 
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理e4aez8ss
 
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSINGmarianagonzalez07
 
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPramod Kumar Srivastava
 
RadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfRadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfgstagge
 
1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样
1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样
1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样vhwb25kk
 
RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.natarajan8993
 
Semantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxSemantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxMike Bennett
 
Advanced Machine Learning for Business Professionals
Advanced Machine Learning for Business ProfessionalsAdvanced Machine Learning for Business Professionals
Advanced Machine Learning for Business ProfessionalsVICTOR MAESTRE RAMIREZ
 
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024thyngster
 
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改yuu sss
 
Easter Eggs From Star Wars and in cars 1 and 2
Easter Eggs From Star Wars and in cars 1 and 2Easter Eggs From Star Wars and in cars 1 and 2
Easter Eggs From Star Wars and in cars 1 and 217djon017
 
Top 5 Best Data Analytics Courses In Queens
Top 5 Best Data Analytics Courses In QueensTop 5 Best Data Analytics Courses In Queens
Top 5 Best Data Analytics Courses In Queensdataanalyticsqueen03
 
Heart Disease Classification Report: A Data Analysis Project
Heart Disease Classification Report: A Data Analysis ProjectHeart Disease Classification Report: A Data Analysis Project
Heart Disease Classification Report: A Data Analysis ProjectBoston Institute of Analytics
 
Data Factory in Microsoft Fabric (MsBIP #82)
Data Factory in Microsoft Fabric (MsBIP #82)Data Factory in Microsoft Fabric (MsBIP #82)
Data Factory in Microsoft Fabric (MsBIP #82)Cathrine Wilhelmsen
 
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...dajasot375
 
20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdfHuman37
 
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一F sss
 

Recently uploaded (20)

While-For-loop in python used in college
While-For-loop in python used in collegeWhile-For-loop in python used in college
While-For-loop in python used in college
 
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
 
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
 
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
 
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
 
RadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfRadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdf
 
1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样
1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样
1:1定制(UQ毕业证)昆士兰大学毕业证成绩单修改留信学历认证原版一模一样
 
RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.
 
Semantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxSemantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptx
 
Advanced Machine Learning for Business Professionals
Advanced Machine Learning for Business ProfessionalsAdvanced Machine Learning for Business Professionals
Advanced Machine Learning for Business Professionals
 
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
Consent & Privacy Signals on Google *Pixels* - MeasureCamp Amsterdam 2024
 
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
 
Easter Eggs From Star Wars and in cars 1 and 2
Easter Eggs From Star Wars and in cars 1 and 2Easter Eggs From Star Wars and in cars 1 and 2
Easter Eggs From Star Wars and in cars 1 and 2
 
Top 5 Best Data Analytics Courses In Queens
Top 5 Best Data Analytics Courses In QueensTop 5 Best Data Analytics Courses In Queens
Top 5 Best Data Analytics Courses In Queens
 
Call Girls in Saket 99530🔝 56974 Escort Service
Call Girls in Saket 99530🔝 56974 Escort ServiceCall Girls in Saket 99530🔝 56974 Escort Service
Call Girls in Saket 99530🔝 56974 Escort Service
 
Heart Disease Classification Report: A Data Analysis Project
Heart Disease Classification Report: A Data Analysis ProjectHeart Disease Classification Report: A Data Analysis Project
Heart Disease Classification Report: A Data Analysis Project
 
Data Factory in Microsoft Fabric (MsBIP #82)
Data Factory in Microsoft Fabric (MsBIP #82)Data Factory in Microsoft Fabric (MsBIP #82)
Data Factory in Microsoft Fabric (MsBIP #82)
 
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
 
20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf
 
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
 

Honeycon2014: Mining IoCs from Honeypot data feeds

  • 1. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Mining compromise indicators from Honeypot Systems Vladimir Kropotov, Vitaly Chetvertakov, Fyodor Yarochkin HoneyCON 2014 Affilations: Academia Sinica, o0o.nu, chroot.org Jul 07, 2014, Taipei Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 2. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Outline Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 3. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF WHOAMI Affilations: Academia Sinica, chroot, and a few others Mainly independent research (not vendor affilated ;-)) Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 4. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF WHOAMI:2 Our data sources: Academia Sinica Not to be named networks in Russian Federation Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 5. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Good things to know Main Assumption: All networks are compromised The difference between a good security team and a bad security team is that with a bad security team you will never know that you’ve been compromised. Running Honeypots in the parts network gives a team visibility on emerging threats that your network might face. Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 6. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF HP landscape HP platforms typically would have very low false/positive ratio. If your HP is hit, it is most likely a suspicious event. HP typically should replicate your typical enviroment. We focus on simulation of both end-user machines and servers/services. Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 7. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Statistic on end-user compromises about 40,000,000 internet users in Russia for every 10,000 server hosts 500 hosts trigger redirects to malicious content per week about 20-50 user machines (full AV installed, NAT, FW) get ..affected many infect .ru IP addresses only (source matters) Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 8. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Campaigns r*.ru News ~ 790 000 ne*.com news ~ 590 000 ga*.ru news ~ 490 000 a*f.ru news ~ 330 000 m*.ru news ~ 315 000 v*.ru news ~ 170 000 li*.ru news ~ 170 000 top*s.ru news ~ 140 000 Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 9. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Introduction:terminology Indicators of Compromise Indicator of compromise (IOC) in computer forensics is an artifact observed on network or in operating system that with high confidence indicates a computer intrusion. http://en.wikipedia.org/wiki/Indicator_of_compromise Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 10. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Why Indicators of compromise Indicators of Compromise help us to answer questions like: is this document/file/hash malicious? is there any past history for this IP/domain? what are the other similar/related domains/hashes/..? who is the actor? am I an APT target?!!;-) They shorten initial-detection -*to*- detection-automation cycle. Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 11. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF IoCs: old dog - new tricks Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 12. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF A Network compromise case study: Attackers broke via a web vuln. Attackers gained local admin access Attackers created a local user Attackers started probing other machines for default user ids Attackers launched tunneling tools – connecting back to C2 Attackers installed RATs to maintain access Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 13. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF IoC Indicators So what are the compromise indicators here? Where did attackers come from? (IP) What vulnerability was exploited? (pattern) What web backdoor was used? (pattern, hash) What tools were uploaded? (hashes) What users were created locally? (username) What usernames were probed on other machines Detailed IoCs (unsual port to serve exploit kit, URI pattern, mime-content, user agent) Warning: Blind use of IoCs may lead to disaster. (some IoCs are more suitable for statistical studies) Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 14. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Where to look for IOCs internally Outbound Network Traffic User Activities/Failed Logins User profile folders Administrative Access Access from unsual IP addresses Database IO: excessive READs Size of responses of web pages Unusual access to particular files within Web Application (backdoor) Unusual port/protocol connections DNS and HTTP traffic requests Suspicious Scripts, Executables and Data Files Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 15. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF IoCs (good and bad) Why we need IOCs? because it makes it easier to systematically describe knowledge about breaches. Identifying intrusions is hard Unfair game: defender should protect all the assets attacker only needs to ’poop’ one system. Identifying targeted, organized intrusions is even harder Minor anomalous events are important when put together Seeing global picture is a mast Details matter Attribution is hard Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 16. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF What’s wrong with IoCs IoCs expire (IP addresses get discovered, cleaned) Domain names expire Hash collisions Benign binaries might be malicious (depending on context) Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 17. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Good or Bad? F i l e Name : RasTls . exe F i l e S i z e : 105 kB F i l e M o d i f i c a t i o n Date /Time : 2 0 0 9 : 0 2 : 0 9 1 9 : 4 2 : 0 5 + 0 8 : 0 0 F i l e Type : Win32 EXE MIME Type : a p p l i c a t i o n / o c t e t −stream Machine Type : I n t e l 386 o r l a t e r , and c o m p a t i b l e s Time Stamp : 2 0 0 9 : 0 2 : 0 2 1 3 : 3 8 : 3 7 + 0 8 : 0 0 PE Type : PE32 L i n k e r V e r s i o n : 8 . 0 Code S i z e : 49152 I n i t i a l i z e d Data S i z e : 57344 U n i n i t i a l i z e d Data S i z e : 0 Entry P o i n t : 0 x3d76 OS V e r s i o n : 4 . 0 Image V e r s i o n : 0 . 0 Subsystem V e r s i o n : 4 . 0 Subsystem : Windows GUI F i l e V e r s i o n Number : 1 1 . 0 . 4 0 1 0 . 7 Product V e r s i o n Number : 1 1 . 0 . 4 0 1 0 . 7 F i l e OS : Windows NT 32− b i t Object F i l e Type : E x e c u t a b l e a p p l i c a t i o n Language Code : E n g l i s h (U . S . ) C h a r a c t e r Set : Windows , L a t i n 1 Company Name : Symantec C o r p o r a t i o n F i l e D e s c r i p t i o n : Symantec 8 0 2 . 1 x S u p p l i c a n t F i l e V e r s i o n : 1 1 . 0 . 4 0 1 0 . 7 I n t e r n a l Name : d o t 1 x t r a y Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 18. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF It really depends on context RasTls . DLL RasTls . DLL . msc RasTls . exe http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx Dynamic-Link Library Search Order Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 19. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF IOC representations Multiple standards have been created to facilitate IOC exchanges. Madiant: OpenIOC Mitre: STIX (Structured Threat Information Expression), CyBOX (CyberObservable Expression) Mitre: CAPEC, TAXII IODEF (Incident Object Description Format) Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 20. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Standards: OpenIOC OpenIOC - Mandiant-backed effort for unform representation of IOC (now FireEye) http://www.openioc.org/ Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 21. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF OpenIOCs D i g i t a l Appendices / Appendix G ( D i g i t a l ) − IOCs$ l s 0c7c902c −67f8 −479c−9f44 −4d985106365a . i o c 6bd24113 −2922−4d25 ad521068−6f18 −4ab1−899c−11007a18ec73 . i o c 12 a40bf7 −4834−49b0−a419−6abb5fe2b291 . i o c 70 b5be0c−8a94−44b4 af5f65fc −e1ca −45db−88b1−6ccb7191ee6a . i o c 2106 f0d2−a260 −4277−90ab−edd3455e31fa . i o c 7c739d52−c669−4d51 Appendix G IOCs README. pdf 26213db6−9d3b−4a39−abeb −73656acb913e . i o c 7 d2eaadf−a5ff −4199 c32b8af3 −28d0−47d3−801f−a2c2b0129650 . i o c 2 bff223f −9e46−47a7−ac35−d35f8138a4c7 . i o c 7 f9a6986−f00a −4071 c71b3305 −85e5−4d51−b07c−ff227181fb5a . i o c 2 fc55747 −6822−41d2−bcc1 −387fc1b2e67b . i o c 806 beff3 −7395−492e c7fa2ea5 −36d5−4a52−a6cf−ddc2257cb6f9 . i o c 32b168e6−dbd6−4d56−ba2f −734553239 e f e . i o c 84 f04df2 −25cd−4f59 d14d5f09 −9050−4769−b00d−30fce9e6eb85 . i o c 3433dad8 −879e−40d9−98b3−92ddc75f0dcd . i o c 8695bb5e−29cd−41b9 d1c65316−cddd−4d9c−8efe −c539aa5965c0 . i o c 3e01b786−fe3a −4228−95fa−c3986e2353d6 . i o c 86 e9b8ec −7413−453bMining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 22. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Standards: Mitre Mitre CybOX: http://cybox.mitre.org/ https://github.com/CybOXProject/Tools https://github.com/CybOXProject/openioc-to-cybox Mitre CAPEC: http://capec.mitre.org/ Mitre STIX: http://stix.mitre.org/ Mitre TAXII http://taxii.mitre.org/ Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 23. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Mature: stix Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 24. Introduction IOC Standards V:IOCs mining IOCs Applying IOCs EOF Indicators of Compromise Complex IOCs covering all steps of attack Dynamic creation of IOCs on the fly Auto-reload of IOCs, TTLs Dealing with different standards/import export Mining compromise indicators from Honeypot Systems Affilations: Academia Sinica, o0o.nu, chroot.org
  • 25. Exploit pack trace

    url                                                            ip             mime type                 ref
    http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html  93.189.46.222  text/html                 http://www.smeysyatu
    http://cuba.eanuncios.net/2909620968/1/1399422480.htm           93.189.46.222  text/html                 http://cuba.eanuncio
    http://cuba.eanuncios.net/2909620968/1/1399422480.jar           93.189.46.222  application/java-archive  -
    http://cuba.eanuncios.net/2909620968/1/1399422480.jar           93.189.46.222  application/java-archive  -
    http://cuba.eanuncios.net/f/1/1399422480/2909620968/2           93.189.46.222  -                         -
    http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2         93.189.46.222  -                         -

  • 26. Nuclear sploit pack

    {'Nuclear sploit pack': {
        'step1': {'files': ['wz3u6si8e5lh7k2tk5ox4ne6d8g.html', 't3f5y9a2bb3dl7z8gc4o6f.html', 'zf3z9lr6ac8di6r4k
                  'domains': ['father.ferremovil.com', 'thai.alohatransllc.com', 'cuba.eanuncios.net', 'duncan.
                  'arguments': [],
                  'directories': ['1'],
                  'ip': ['93.189.46.201', '93.189.46.203', '93.189.46.222', '93.189.46.224', '93.189.46.233']},
        'step2': {'files': ['1399422480.htm', '1399704720.htm', '1399513440.htm', '1399514040.htm', '1399773300.htm'],
                  'domains': ['cuba.eanuncios.net', 'duncan.disenocorporativo.com.ar', 'homany.collectiveit.com.
                  'arguments': [],
                  'directories': ['2909620968', '1', '507640988', '940276731', '3957283574', '952211704'],
                  'ip': ['93.189.46.222', '93.189.46.224', '93.189.46.233']},
        'step3': {'files': ['1399422480.jar', '1399513440.jar'],
                  'domains': ['cuba.eanuncios.net', 'homany.collectiveit.com.au'],
                  'arguments': [],
                  'directories': ['2909620968', '1', '940276731'],
                  'ip': ['93.189.46.222', '93.189.46.224']},
        'step4': {'files': ['2'],
                  'domains': ['cuba.eanuncios.net'],
                  'arguments': [],
                  'directories': ['f', '1', '1399422480', '2909620968', '2'],
                  'ip': ['93.189.46.222']}}}
  • 27. Redirect (example)
    http://mysimuran.ru/forum/kZsjOiDMFb/
    http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231
    http://c.hit.ua/hit?i=59278&g=0&x=2
    http://f-wake.browser-checks.info:28001/d1x/3/87475b26a521024ce78d7ea73164140a/http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.h
  • 28. Redirect Example

    {'28001': {
        'step1': {'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU'], 'arguments': [], 'files': [''],
                  'ip': ['89.111.178.33'], 'domains': ['mysimuran.ru']},
        'step2': {'directories': ['forum', 'kZsjOiDMFb', 'epygFrFsoU', 'kJXshWOMNC'], 'arguments': ['4231', '7697', '9741'],
                  'files': ['js.js', 'cnt.html'], 'ip': ['89.111.178.33'], 'domains': ['mysimuran.ru']},
        'step3': {'directories': [], 'arguments': ['i', 'g', 'x'], 'files': ['hit'],
                  'ip': ['89.184.81.35'], 'domains': ['c.hit.ua']},
        'step4': {'directories': ['d1x', '3', '87475b26a521024ce78d7ea73164140a', 'd36eb1fc80ebe9df515d043be1557
                  'arguments': [], 'files': ['http%3A%2F%2Fagency.accordinga.pw%2Fremain%2Funknown.html%3Fmods%3D8%26id%3D26',
                  'ip': ['46.254.16.209'], 'domains': ['f-wake.browser-checks.info', 'a-oprzay.browser-checks.pw']}}}
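The step-indexed structures on slides 26 and 28 are what the mining step produces from raw request rows. The following is an added example, not the authors' code: it derives that per-step profile from (url, ip) rows and flattens it into feed-ready indicators. The grouping rule (collapse immediately repeated requests, then merge several observed chains by step index) is an assumption about how the slides' output was built; the sample chains are constructed from the URLs and IPs shown on the slides.

```python
# Added example (not the slides' code): build the per-step IOC profile the
# slides show for the exploit pack and the redirect chain from raw (url, ip)
# rows. The grouping rule (collapse immediately repeated requests, then merge
# several observed chains by step index) is an assumption, not the authors'
# algorithm; sample chains are constructed from the URLs/IPs on the slides.
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

FIELDS = ("files", "domains", "directories", "arguments", "ip")


def url_parts(url):
    """Split a URL into (host, directory list, file name, query-arg names)."""
    p = urlparse(url)
    segs = [s for s in p.path.split("/") if s]
    if not segs or p.path.endswith("/"):
        dirs, fname = segs, ""        # trailing slash: no file component
    else:
        dirs, fname = segs[:-1], segs[-1]
    args = sorted(parse_qs(p.query, keep_blank_values=True))
    return p.hostname or "", dirs, fname, args


def collapse(chain):
    """Drop immediately repeated requests (the .jar fetched twice in a row)."""
    out = []
    for row in chain:
        if not out or out[-1][0] != row[0]:
            out.append(row)
    return out


def build_profile(name, chains):
    """Merge chains of (url, ip) rows into {name: {stepN: {field: [..]}}}."""
    steps = defaultdict(lambda: {f: set() for f in FIELDS})
    for chain in chains:
        for idx, (url, ip) in enumerate(collapse(chain), start=1):
            host, dirs, fname, args = url_parts(url)
            s = steps["step%d" % idx]
            s["files"].add(fname)
            s["domains"].add(host)
            s["directories"].update(dirs)
            s["arguments"].update(args)
            s["ip"].add(ip)
    ordered = sorted(steps.items(), key=lambda kv: int(kv[0][4:]))
    return {name: {k: {f: sorted(v) for f, v in s.items()} for k, s in ordered}}


def flat_indicators(profile):
    """Flatten a profile into sorted (type, value) pairs for a blocklist feed."""
    out = set()
    for steps in profile.values():
        for s in steps.values():
            out.update(("domain", d) for d in s["domains"] if d)
            out.update(("ip", a) for a in s["ip"])
    return sorted(out)


# Constructed sample: the exploit-pack trace from the slides as one chain.
EXPLOIT_PACK_CHAIN = [
    ("http://cuba.eanuncios.net/1/zf3z9lr6ac8di6r4kw2r0hu3ee8ad.html", "93.189.46.222"),
    ("http://cuba.eanuncios.net/2909620968/1/1399422480.htm", "93.189.46.222"),
    ("http://cuba.eanuncios.net/2909620968/1/1399422480.jar", "93.189.46.222"),
    ("http://cuba.eanuncios.net/2909620968/1/1399422480.jar", "93.189.46.222"),
    ("http://cuba.eanuncios.net/f/1/1399422480/2909620968/2", "93.189.46.222"),
    ("http://cuba.eanuncios.net/f/1/1399422480/2909620968/2/2", "93.189.46.222"),
]

# Constructed sample: the first three hops of the redirect chain on the slides.
REDIRECT_CHAIN = [
    ("http://mysimuran.ru/forum/kZsjOiDMFb/", "89.111.178.33"),
    ("http://mysimuran.ru/forum/kZsjOiDMFb/js.js?4231", "89.111.178.33"),
    ("http://c.hit.ua/hit?i=59278&g=0&x=2", "89.184.81.35"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_profile("Nuclear sploit pack", [EXPLOIT_PACK_CHAIN]), indent=1))
    print(flat_indicators(build_profile("28001", [REDIRECT_CHAIN])))
```

Feeding several sessions of the same kit into build_profile is what fills a step with more than one file name or IP, as on slide 26; the per-step split also keeps the landing page, the Java archive and the payload fetch as separate indicator groups, which matters when one of them (for example the shared redirector on slide 28) is too generic to block on its own.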
  • 29. IOCs
  • 30. IOCs3
  • 31. IOCs viz
  • 32. IOCs viz(02)
  • 33. IOCs viz(3)
  • 34. IOCs viz(4)
  • 35. IOCs viz(5)
  • 36. Sourcing External IOCs
    CIF - https://code.google.com/p/collective-intelligence-framework/
    feeds (with scrapers):
  • 37. Sourcing External IOCs
    feed your scrapers:
    https://zeustracker.abuse.ch/blocklist.php?download=badips
    http://malc0de.com/database/
    https://reputation.alienvault.com/reputation.data
    ...
    VT intelligence
  • 38. Sourcing IOCs Internally
    - honeypot feeds
    - log analysis
    - traffic analysis
  • 39. Extracting IoCs from HTTP traffic caps

    01/14/13 06:57 PM 178.238.141.19 (url1) application/x-java-archive
    01/14/13 06:57 PM 178.238.141.19 (url2) application/x-java-archive
    01/14/13 06:57 PM 178.238.141.19 (url3) application/octet-stream
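The three rows above are the classic drive-by shape: Java archives from one server followed within the same minute by an octet-stream download. The following is an added example, not the authors' extraction code: it parses rows in that "date time server_ip (url) mime" layout and pairs every exploit-type download with the payload-type download that follows it from the same server, yielding the IP and URL indicators to keep. The sample rows are constructed (documentation-range IPs, .example hosts), and the two-minute window and MIME sets are assumptions.

```python
# Added example (not from the slides): parse the "date time server_ip (url) mime"
# rows the slides extract from HTTP capture files and pull out drive-by style
# sequences: a Java archive followed shortly by an octet-stream download from
# the same server. Sample rows below are constructed (documentation-range
# IPs, .example hosts); the time window and MIME sets are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "01/14/13 06:57 PM 178.238.141.19 (url1) application/x-java-archive"
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2} [AP]M)\s+(\S+)\s+\(?(\S+?)\)?\s+(\S+)$")

EXPLOIT_MIMES = {"application/x-java-archive", "application/java-archive"}
PAYLOAD_MIMES = {"application/octet-stream", "application/x-msdownload"}


def parse_line(line):
    """Return {'ts','ip','url','mime'} for one log row, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m/%d/%y %I:%M %p")
    return {"ts": ts, "ip": m.group(2), "url": m.group(3), "mime": m.group(4)}


def find_exploit_payload_pairs(lines, window=timedelta(minutes=2)):
    """For each server IP, pair every exploit-type download with the first
    payload-type download that follows it within `window`."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])   # stable: keeps log order within a minute
        for i, r in enumerate(recs):
            if r["mime"] not in EXPLOIT_MIMES:
                continue
            for later in recs[i + 1:]:
                if later["ts"] - r["ts"] > window:
                    break
                if later["mime"] in PAYLOAD_MIMES:
                    hits.append({"ip": ip, "exploit_url": r["url"],
                                 "payload_url": later["url"], "first_seen": r["ts"]})
                    break
    return hits


def to_iocs(hits):
    """Collapse hits into sorted indicator lists keyed by type."""
    urls = {h["exploit_url"] for h in hits} | {h["payload_url"] for h in hits}
    return {"ip": sorted({h["ip"] for h in hits}), "url": sorted(urls)}


# Constructed sample log in the slides' row format.
SAMPLE_LOG = """\
01/14/13 06:57 PM 203.0.113.10 (http://kit.example/x/run.jar) application/x-java-archive
01/14/13 06:57 PM 203.0.113.10 (http://kit.example/x/run2.jar) application/x-java-archive
01/14/13 06:57 PM 203.0.113.10 (http://kit.example/x/load.php?id=1) application/octet-stream
01/14/13 06:58 PM 198.51.100.7 (http://site.example/main.js) application/javascript
01/14/13 07:20 PM 198.51.100.7 (http://site.example/app.jar) application/x-java-archive
01/14/13 09:05 PM 198.51.100.7 (http://site.example/dl/setup.bin) application/octet-stream
"""

if __name__ == "__main__":
    for h in find_exploit_payload_pairs(SAMPLE_LOG.splitlines()):
        print(h)
    print(to_iocs(find_exploit_payload_pairs(SAMPLE_LOG.splitlines())))
```

The second server in the sample serves a .jar and, almost two hours later, an unrelated binary; the window check is what keeps that ordinary site out of the indicator set, which is the false-positive control a honeypot-fed feed needs before it is handed to a blocking tool.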
  • 40. Use honeypots
    Running honeypots gives an enormous advantage in detecting emerging threats
    Strategically placing honeypots is extremely important
  • 41. HPfeeds, Hpfriends and more
  • 42. HPFeeds Architecture
  • 43. HPFeeds API in a nutshell:

    import pygeoip
    import hpfeeds
    import json

    HOST = 'broker'
    PORT = 20000
    CHANNELS = ['geoloc.events']
    IDENT = 'ident'
    SECRET = 'secret'

    gi = pygeoip.GeoIP('GeoLiteCity.dat')
    hpc = hpfeeds.new(HOST, PORT, IDENT, SECRET)

    def publish_hit(ip):
        # look the attacker's address up once and publish one geoloc event
        rec = gi.record_by_addr(ip)
        if not rec:
            return              # address not in the GeoIP database
        msg = {'latitude': rec['latitude'],
               'longitude': rec['longitude'],
               'type': 'honeypot hit'}
        hpc.publish(CHANNELS, json.dumps(msg))
  • 44. hpfeeds integration
    HPFeeds works with glastopf out of the box
    Kippo (module provided: http://github.com/disaster/kippo/)
  • 45. NTP probe collector
  • 46. HPFeeds and honeymap
  • 47. HPFeeds indexing
    HPFeeds custom broker: writes indicators into ElasticSearch, so they can be automatically reused by other security tools
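A broker that indexes honeypot events has to turn each message into indicator records that other tools can query and that expire on their own (the TTL / auto-reload point from slide 24). The following is an added example, not the authors' broker: it is the subscriber callback an hpfeeds client would be run with, producing indicator documents with a deterministic id and a per-channel TTL, plus a tiny in-memory stand-in for the index. hpfeeds hands a subscriber (identifier, channel, payload); the event field names (source, peerIP, urls, hashes, request_url), the per-channel lifetimes and the sample payloads are constructed assumptions, not a documented schema.

```python
# Added example (not the authors' broker code): turn one hpfeeds message into
# indicator documents carrying a TTL, the shape a custom broker would write
# into ElasticSearch so that other tools can pick them up and let them expire.
# hpfeeds hands a subscriber (identifier, channel, payload); the event field
# names (source, peerIP, urls, hashes, request_url), the per-channel TTLs and
# the sample payloads below are constructed assumptions, not a documented schema.
import hashlib
import json
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
SAMPLE_NOW = datetime(2014, 7, 7, tzinfo=timezone.utc)   # fixed clock for the demo

# Assumed per-channel lifetimes; unknown channels fall back to "default".
TTL = {"default": 7 * DAY, "glastopf.events": 3 * DAY, "kippo.sessions": 14 * DAY}


def indicators_from_event(event):
    """Yield (type, value) pairs from one decoded event (assumed field names)."""
    src = event.get("source") or event.get("peerIP")
    if isinstance(src, (list, tuple)) and src:      # e.g. ["ip", port]
        yield ("ip", str(src[0]))
    elif isinstance(src, str):
        yield ("ip", src)
    for url in event.get("urls", []):
        yield ("url", url)
    for h in event.get("hashes", []):
        yield ("sha256" if len(h) == 64 else "hash", h)
    if event.get("request_url"):
        yield ("uri", event["request_url"])


def on_message(identifier, channel, payload, now=None):
    """hpfeeds-style callback: returns the indicator docs to index for one message."""
    now = now or datetime.now(timezone.utc)
    try:
        event = json.loads(payload.decode() if isinstance(payload, bytes) else payload)
    except ValueError:
        return []                                   # not JSON: nothing to index
    ttl = TTL.get(channel, TTL["default"])
    docs = []
    for itype, value in indicators_from_event(event):
        # deterministic id: a re-sighting of the same indicator updates one doc
        doc_id = hashlib.sha1(("%s:%s" % (itype, value)).encode()).hexdigest()
        docs.append({"_id": doc_id, "type": itype, "value": value,
                     "channel": channel, "reporter": identifier,
                     "first_seen": now.isoformat(),
                     "expires": (now + ttl).isoformat()})
    return docs


class IndicatorIndex:
    """Tiny stand-in for the ElasticSearch index: upsert by _id, expire by TTL."""

    def __init__(self):
        self.docs = {}

    def upsert(self, docs):
        for d in docs:
            old = self.docs.get(d["_id"])
            if old:   # re-sighting: keep first_seen, count it, push expiry forward
                d = dict(d, first_seen=old["first_seen"], sightings=old["sightings"] + 1)
            else:
                d = dict(d, sightings=1)
            self.docs[d["_id"]] = d

    def active(self, now):
        """Indicators that have not expired at `now`, grouped by type."""
        out = {}
        for d in self.docs.values():
            if datetime.fromisoformat(d["expires"]) > now:
                out.setdefault(d["type"], []).append(d["value"])
        return {k: sorted(v) for k, v in out.items()}


# Constructed sample payloads (field names are assumptions, see above).
SAMPLE_GLASTOPF = json.dumps({"source": ["198.51.100.23", 51234],
                              "request_url": "/phpmyadmin/setup.php", "pattern": "rfi"})
SAMPLE_KIPPO = json.dumps({"peerIP": "203.0.113.77",
                           "urls": ["http://203.0.113.77/x/bot.tgz"], "hashes": ["a" * 64]})

if __name__ == "__main__":
    idx = IndicatorIndex()
    idx.upsert(on_message("sensor-01", "glastopf.events", SAMPLE_GLASTOPF, SAMPLE_NOW))
    idx.upsert(on_message("sensor-02", "kippo.sessions", SAMPLE_KIPPO, SAMPLE_NOW))
    print(idx.active(SAMPLE_NOW))
    print(idx.active(SAMPLE_NOW + 4 * DAY))
```

With the classic Python hpfeeds client the callback is attached by subscribing to the channels and calling the client's run loop with it (hpc.subscribe(CHANNELS) followed by hpc.run(on_message, on_error)); the expiry date stored on each document is what lets a consumer such as a tagger or blocklist export reload only indicators that are still live, instead of accumulating every address a honeypot has ever seen.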
  • 48. HPfeeds and post processing
    Aside from analyzing HP events, post-processing can mine interesting things:
  • 49. Content analysis: Hosting domains: over 300 unique domain names:

    acvilla.ucoz.com.bengos
    acvilla.ucoz.com.gradina
    acvilla.ucoz.com.s
    adelinu.ucoz.ro.bo
    adisor.webs.com.bnc2
    adryanb.i.was.in
    andyakamusic.altervista.org.wp
    angelfire.com.komales88.gosh
    angelfire.com.komales88.psybnc
    angelfire.com.lukylus.rh
    angellove.ucoz.net.
    apropo.ucoz.net.2
    apropo.ucoz.net.comp
    apropo.ucoz.net.psy
    apropo.ucoz.net.psycomp
    apropo.ucoz.net.ssl
    apropo.ucoz.net.ssll

  • 50. Content analysis: Tools, Scanners

    20120211233926_http___www_freewebs_com_westcoste_php_zip
    20120211234012_http___www_freewebs_com_westcoste_php_tar_gz
    20120213081741_http___www_freewebs_com_westcoste_php_zip
    20121217032335_http___r_o_o_t_hi2_ro_scanner_php_jpg
    20130306173911_http___botiphp_go_ro_rdp_tgz
    20111006193700_http___system_arhive_do_am_scanner_web_jpg
    20120204145752_http___www_click4me_home_ro_scanbun_zip
    20120407032809_http___XxLx2010_hi2_ro_XxLxScan_zip
    20120424100124_http___pragu_webs_com_Scanner_History_tgz
    20120424104136_http___qiss_ucoz_de_scanptvasy_jpg
    20120701095229_http___haXers_Webs_Com_Scanner_gosh_tgz
    20121006034334_http___system_comule_com_scanner_gosh_jpg
    20121212214201_http___procesed_do_am_NGS_scan_CScan_tgz

  • 51. Content analysis: Exploits:

    20121122231601_http___system_comule_com_exploit_e_jpg
    20121122231632_http___system_comule_com_exploit_e_tgz
    20140510104703_http___treeball_tripod_com_ex_tgz
    20140527103805_http___treeball_tripod_com_ex_tgz
    ...
    -rwxr-xr-x danam1/danam1  2275 2012-04-03 05:38 x/do.c
    -rwxr-xr-x danam1/danam1  6910 2012-04-03 05:42 x/me.c
    -rwxr-xr-x danam1/danam1  6554 2012-04-03 00:29 x/ab.c
    -rwxr-xr-x danam1/danam1  4709 2012-04-03 00:08 x/new.c
    -rwxr-xr-x danam1/danam1 10300 2012-04-03 00:53 x/new
    drwxr-xr-x danam1/danam1     0 2012-03-29 22:58 x/x86/
    -rwxr-xr-x danam1/danam1  5538 2012-03-29 22:16 x/x86/newx86
    -rwxr-xr-x danam1/danam1 11302 2012-03-29 22:16 x/x86/newx86
    drwxr-xr-x danam1/danam1     0 2012-03-29 22:45 x/2011/
  • 52. Tools for Dynamic Detection of IOC
    - Snort (everyone knows; SourceFire is just outside ;-))
    - Yara + yara-enabled tools
    - Moloch
    - Splunk / log search (they are also here :p)
    - roll-your-own :p
  • 53. Applying IOCs to your detection process
    moloch moloch moloch :)
  • 54. Moloch
    Moloch is awesome:
  • 55. Open-source tools
    - OpenIOC manipulation:
        https://github.com/STIXProject/openioc-to-stix
        https://github.com/tklane/openiocscripts
    - Mantis Threat Intelligence Framework: https://github.com/siemens/django-mantis.git
      Mantis supports STIX/CybOX/IODEF/OpenIOC etc. via importers: https://github.com/siemens/django-mantis-openioc-importer
    - Search Splunk data for IOC indicators: https://github.com/technoskald/splunk-search
    - Our framework: http://github.com/fygrave/iocmap/
  • 56. iocmap
  • 57. MISP
    http://www.secure.edu.pl/pdf/2013/D2_1530_A_Socha.pdf
    https://github.com/MISP
  • 58. Tools for Dynamic Detection: Moloch
    Moloch supports Yara (IOCs can be directly applied)
    Moloch has an awesome tagger plugin:

    # tagger.so
    # provides ability to import text files with IP and/or hostn
    # into a sensor that would cause autotagging of all matching
    plugins=tagger.so
    taggerIpFiles=blacklist,tag,tag,tag...
    taggerDomainFiles=domainbasedblacklists,tag,tag,tag
  • 59. Moloch plugins
    Moloch is easily extendable with your own plugins
    https://github.com/fygrave/moloch_zmq - makes it easy to integrate other things with Moloch via a ZMQ queue (pub/sub or push/pull model)
  • 60. Moloch ZMQ example
    CEP-based analysis of network traffic (using Esper): https://github.com/fygrave/clj-esptool/

    (esp:add "create context SegmentedBySrc partition by src fro
              WebDataEvent")
    (esp:add "context SegmentedBySrc select src, rate(30) as ra
              avg(rate(30)) as avgRate from WebDataEvent.win:time(30) havi
              rate(30) < avg(rate(30)) * 0.75 output snapshot every 60 sec
    (future-call start-counting)
  • 61. Detecting DGA botnets (moloch)
    Easy with our plugin. ;-)
    We want to label any IP address as 'suspicious' if it generates more than X DNS packets per minute with rcode != 0
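The rule on this slide is a per-source rate of failed lookups. The following is an added example, not the authors' Moloch plugin: it applies exactly that rule to a constructed DNS log and returns the source addresses (and the minutes) that would be tagged 'suspicious'. The log layout ("timestamp src_ip qname rcode=N") and the threshold value are assumptions, and the query names are generated here, not captured.

```python
# Added example (not the authors' Moloch plugin): the rule from the slide,
# "label a source IP suspicious when it sends more than X DNS queries per
# minute that come back with rcode != 0", run over a constructed DNS log.
# The log format ("timestamp src_ip qname rcode=N") and the threshold are
# assumptions; query names are generated here, not captured.
import re
from collections import Counter, defaultdict
from datetime import datetime

DNS_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+rcode=(\d+)$")


def parse_dns(line):
    """Return {'ts','src','qname','rcode'} or None for a malformed line."""
    m = DNS_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"),
            "src": m.group(2), "qname": m.group(3), "rcode": int(m.group(4))}


def failed_queries_per_minute(lines):
    """Count DNS responses with rcode != 0 per (source IP, minute)."""
    counts = Counter()
    for rec in filter(None, map(parse_dns, lines)):
        if rec["rcode"] != 0:                      # NXDOMAIN, SERVFAIL, REFUSED ...
            counts[(rec["src"], rec["ts"].strftime("%Y-%m-%dT%H:%M"))] += 1
    return counts


def suspicious_sources(lines, threshold=20):
    """Return {src_ip: [minutes]} for sources that exceeded `threshold`
    failed lookups in a minute, i.e. the IPs Moloch would tag 'suspicious'."""
    flagged = defaultdict(list)
    for (src, minute), n in sorted(failed_queries_per_minute(lines).items()):
        if n > threshold:
            flagged[src].append(minute)
    return dict(flagged)


def _dns_line(sec, src, qname, rcode, minute="2014-07-07T10:00"):
    return "%s:%02d %s %s rcode=%d" % (minute, sec, src, qname, rcode)


# Constructed sample: 10.0.0.5 resolves 25 generated names that all fail
# (DGA-like), 10.0.0.9 makes 30 successful lookups and 3 that fail.
SAMPLE_DNS_LOG = (
    [_dns_line(i, "10.0.0.5", "q%02dzx.example" % i, 3) for i in range(25)]
    + [_dns_line(i, "10.0.0.9", "www.example", 0) for i in range(30)]
    + [_dns_line(i + 30, "10.0.0.9", "typo%d.example" % i, 3) for i in range(3)]
    + ["this line is not dns"]
)

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_DNS_LOG))
```

Only responses with a non-zero rcode are counted, so a busy but healthy resolver client (10.0.0.9 in the sample) stays below the threshold however many successful lookups it makes; X has to be tuned per network, since a few typos per minute are normal while dozens of NXDOMAINs in one minute from one host are the DGA signature the slide is after.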
  • 62. Other Sources of IOCs
    IOC bucket: http://iocbucket.com
    Public blacklists/trackers can also be used as a source:
        https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
        https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
    ESET IOC repository: https://github.com/eset/malware-ioc
    more coming?
  • 63. Tools: IoC lookup service
    "show me all the entries similar to this IOC"
    We implemented a whois service for IOC look-ups:

        whois -h ioc-api.host.com attribute:value+attribute:value

    We can return results in various formats: Snort, Yara, OpenIOC (ask for your favourite)
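Returning a look-up result as Snort or Yara text means the answer can be loaded straight into a sensor. The following is an added example, not the authors' lookup service: two small renderers that turn one indicator record into a Yara rule and a Snort rule, taking care of the identifier and quoting rules each format imposes. The rule layout, the SID and the sample indicator set are constructed assumptions.

```python
# Added example (not the authors' lookup service): render one IOC record in
# two of the output formats the slide names, Yara and Snort, so that the
# look-up result can be dropped straight into a detection tool. Rule layout,
# the SID and the sample indicator set are constructed assumptions.
import re


def yara_identifier(name):
    """Yara rule names: letters, digits, underscore, not starting with a digit."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name)
    return ident if ident and not ident[0].isdigit() else "ioc_" + ident


def yara_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def to_yara(name, strings, meta):
    """Text of a Yara rule matching any of `strings` (ASCII or UTF-16, case-insensitive)."""
    lines = ["rule %s" % yara_identifier(name), "{", "    meta:"]
    for k, v in sorted(meta.items()):
        lines.append('        %s = "%s"' % (yara_identifier(k), yara_escape(str(v))))
    lines.append("    strings:")
    for i, s in enumerate(strings):
        lines.append('        $s%d = "%s" ascii wide nocase' % (i, yara_escape(s)))
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def to_snort(sid, ips, msg, rev=1):
    """One Snort rule alerting on outbound TCP to any of the indicator IPs."""
    if not ips:
        raise ValueError("no IP indicators to write a rule for")
    msg = re.sub(r'[";]', " ", msg).strip()      # ; and " would break the rule body
    dst = ips[0] if len(ips) == 1 else "[%s]" % ",".join(sorted(ips))
    return ('alert tcp $HOME_NET any -> %s any (msg:"%s"; '
            'classtype:misc-activity; sid:%d; rev:%d;)' % (dst, msg, sid, rev))


# Constructed sample: what a look-up for one drive-by landing could return.
SAMPLE_IOC = {
    "name": "2014-07 drive-by landing",
    "strings": ["landing.html", "payload.jar"],
    "ips": ["203.0.113.10", "203.0.113.11"],
    "meta": {"date": "jul 2014", "source": "honeypot feed"},
}

if __name__ == "__main__":
    print(to_yara(SAMPLE_IOC["name"], SAMPLE_IOC["strings"], SAMPLE_IOC["meta"]))
    print(to_snort(5000001, SAMPLE_IOC["ips"], "IOC " + SAMPLE_IOC["name"]))
```

Identifier and quote handling is the part that bites in practice: a look-up name that starts with a date or contains a dash is not a legal Yara identifier, and a stray semicolon in the message breaks the whole Snort rule, so the renderers normalize both before emitting text.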
  • 64. Tools: Use YARA

    rule susp_params_in_url_kind_of_fileless_bot_drive_by
    {
        meta:
            date = "oct 2013"
            description = "Landing hxxp://jdatastorelame.info/indexm.html  04.10.2013 13:14  108.6
            description1 = " Java Sploit hxxp://jdatastorelame.info/054RIwj     "
        strings:
            $string0 = "http"
            $string1 = "indexm.html"
            $string2 = "054RI"
        condition:
            all of them
    }
  • 65. Use snort to catch suspicious traffic:

    # many PlugX deployments connect to Google DNS when not in use
    alert tcp !$DNS_SERVERS any -> 8.8.8.8 53 (msg:"APT possible PlugX Google DNS TCP port 53 connection attempt"; classtype:misc-activity; sid:500000112; rev:1;)
  • 66. GRR: Google Rapid Response
    Another nice application of IoCs: http://code.google.com/p/grr/
    Hunting IOC artifacts with GRR
  • 67. GRR: Creating rules
  • 68. GRR: hunt in progress
  • 69. Conclusion
    - Most of the tools shown here are open source, either developed or contributed by me or by other good guys.
    - HP nodes are a good source of compromise indicators.
    - IoCs should be used with great care. You need to know what you are doing. ;-)
    - IoCs are getting easier to integrate with off-the-shelf security products (no product advertisements here ;-))
  • 70. Things to share
    - We are very interested in data sharing
    - Academia Sinica: we run anonymized IoC feed services (OpenIOC XML format)
    - Academia Sinica: we have custom HPFeeds brokers to facilitate data sharing
    - Academia Sinica: we run our own passive DNS
    - We are very interested in new data sources and can help you run analysis platforms (big data, time-series analysis of network flows, DNS traffic, HTTP, IoC-based pattern matching, APK analysis). Everything is free and open source. Talk to us :)
  • 71. Questions
    Questions? Comments?
    @fygrave (fy@iis.sinica.edu.tw)