It is well known that computer exploitation will continue to increase in prevalence and sophistication. Computer network attacks and data exfiltrations are most successful when the methods of exploitation traverse the entry and egress vectors that are least expected and least defended in your network. Most of the time, no matter how well your perimeter is guarded, the user still represents the weakest avenue into that network. A clear need exists to better protect data transmitted and received by the user. But what are we to do when signature-based detection has long been defeated and anomaly/heuristic-based detection is not yet where we need it to be? The solution lies in enhancing the defense paradigm via the incorporation of intelligence-based security (Threat Intelligence) in the analysis of threats and discovery of malicious activity affecting your network, data, and your protected clients.
2. Overview
• About Me
• Background
• Understand need and use of Threat Intelligence
• Construct Threat Intelligence Engine
3. Background
• Computer attacks continue to increase in prevalence and sophistication
• What have we done to meet these threats?
– Signature-Based Detection
– Anomaly/Heuristic-Based Detection
4. Old Methods Have Failed or remain inadequate…
• Signature-Based detection has long failed
– Too easy to bypass
– Re-compile, new signature
– Encode, Encrypt, Obfuscate
• Anomaly/Heuristics-based detection is headed in the right direction… but still has its drawbacks
– Baseline
– Training
– Too Noisy… ‘the boy who cried wolf’
– Too lax… ‘everyone is welcomed!’
5. A New Paradigm is Required!
• What is Intelligence-Based Security (Threat Intelligence)?
– Many definitions exist
– Avoid the noise
– Simply: amalgamation and analysis of data to produce Actionable Intelligence regarding a likely threat or attack
• Actionable Intelligence allows us to make a decision regarding the security of our enterprise
• There is still a difference between threat-data and threat intelligence
6. How did I arrive at IBS?
• As a defender, I conduct err… research network attacks (truly the best way to defend is to master exploitation)
• There are times when I need a new, convincing domain (burner-domain) for the attack
• I’ve found some enterprises may institute additional blocks based on domains (new domains increase likelihood of attack)
• Thus I’d like to have my domains active for a long period of time
• A few weeks ago, I was shocked to discover I own over 40+ domains (no big deal… but still… wow!)
• Now if I were to purchase a new domain, I would probably use the same methods (because it works and I am most familiar with it!)
7. PUNT! Let’s take a look at the Attack Methodology again…
• What are the common phases? (old method btw)
– Recon (Diverge)
– Scan (Converge)
– Penetration (Converge)
– Maintain Access (Converge)
– Cover Tracks (Diverge)
9. Please Don Your Blue Hat Now…
• You are now the security defender of your enterprise
• You protect your computers and the network
• A scan reveals the following tools installed on a machine
– Wireshark, Kismet, Ettercap, ALFA Card drivers, NetStumbler, Dsniff, Aircrack-ng suite, THC Hydra, NetworkMiner, etc.
• What can we conclude about this system?
10. Convergence of Evidence
• In the previous case, assuming the computer wasn’t breached, we may conclude it is to be used for wireless and network penetration
• We did this via Convergence of Evidence
– “Evidence from multiple independent sources can converge into a single, most likely conclusion”
11. Predicting Today and Yester-year’s Threats?
• What strategies do we employ?
– AV?
– IDS?
– IPS?
– Firewalls?
– Blacklists?
– Whitelists?
• And so what of new campaigns with never before witnessed domains?
• With TI, I’m not concerned with protecting against yesterday’s threats… but tomorrow’s, using what I learned today
12. Predicting Tomorrow’s Threats…
• What if you are the defender of the net and you deploy your protection strategy…
• Given a new domain, never seen before, how do we know if it could be malicious? What conclusions can we make?
13. What Can We Learn?
• At one time, most existed
• Could be DGAs
• Correlation analysis:
– Creation Date: 2009-12-22
– Owner Address: Afilias Array Dublin 24 IE
– Owner Email: “B” or cflicker@live.com
– Owner Phone: +1.2023243000
– Name Server: ns.cwgsh.com, ns.cwgsh.net, ns.cwgsh.org
• We might have found an Indicator of Compromise
14. Indicators of Compromise
• An Indicator of Compromise (IOC) is an artifact (or group of artifacts) that, if observed, can yield knowledge of the presence of infection/exfiltration
• Via Convergence, understanding the correct data points can allow us to detect not only yesterday’s threats, but predict the likelihood of tomorrow’s attacks
15. Building the TIE
• Data + Analysis → Knowledge and Intelligence
• How much Data??? LOTS!!!
• Excalibur calls these DDS (Disparate Data Sources)
• Different Types
• Different Analysis (Offline and Live/Online)
• Reaping/Harvesting
• Converting non-structured into structured data (normalizing)
• Data Analysis
• Database Programming
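The following is an added example, not code from the talk: a toy Threat Intelligence Engine for slides 12 through 15 that normalizes two differently shaped, constructed records (WHOIS-style text using the field names from slide 13, and a passive-DNS CSV row) into one schema, then applies Convergence of Evidence over four independent indicators before reaching a verdict on a never-seen domain. All domains, dates, e-mail addresses and name servers in it are made up; the indicator thresholds are assumptions.

```python
import re
from datetime import date

# Constructed inputs: WHOIS-style text (field names as on slide 13) and a
# passive-DNS CSV row; domain, email and name servers are all made up.
WHOIS_TEXT = """Domain: wxqzktrvp.biz
Creation Date: 2024-05-01
Owner Email: registrant@example.invalid
Name Server: ns1.example-bad.net, ns2.example-bad.net"""
PDNS_CSV = "wxqzktrvp.biz,2024-05-02,ns1.example-bad.net"
KNOWN_BAD_NS = {"ns1.example-bad.net", "ns2.example-bad.net"}  # learned earlier (constructed)
KNOWN_BAD_EMAIL = {"registrant@example.invalid"}               # learned earlier (constructed)

def normalize_whois(text):
    """Unstructured 'key: value' text -> common schema (the normalizing step)."""
    kv = dict(re.findall(r"^([\w ]+):\s*(.+)$", text, re.M))
    return {"domain": kv["Domain"].lower(),
            "created": date.fromisoformat(kv["Creation Date"]),
            "email": kv.get("Owner Email", "").lower(),
            "ns": {h.strip().lower() for h in kv["Name Server"].split(",")}}

def normalize_pdns(line):
    """Passive-DNS CSV row -> the same schema."""
    domain, first_seen, ns = line.split(",")
    return {"domain": domain.lower(), "first_seen": date.fromisoformat(first_seen),
            "ns": {ns.strip().lower()}}

def merge(*records):
    """Fold per-source records for one domain into one view; sets are unioned."""
    out = {}
    for rec in records:
        for key, val in rec.items():
            out[key] = out[key] | val if isinstance(val, set) and key in out else val
    return out

def lexical_indicator(domain):
    """DGA-style label: long and vowel-poor, or with a long consonant run."""
    label = domain.split(".")[0]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", label)), default=0)
    return len(label) >= 7 and (vowel_ratio < 0.3 or longest_run >= 4)

def verdict(rec, as_of, threshold=3):
    """Convergence of Evidence: independent indicators must agree before acting."""
    hits = {"lexical": lexical_indicator(rec["domain"]),
            "newly_registered": (as_of - rec["created"]).days < 30,
            "bad_nameserver": bool(rec["ns"] & KNOWN_BAD_NS),
            "bad_registrant": rec.get("email") in KNOWN_BAD_EMAIL}
    label = "likely malicious" if sum(hits.values()) >= threshold else "insufficient evidence"
    return label, hits
```

A random-looking, newly registered label on its own only scores two of four and stays "insufficient evidence"; it is the agreement with the registrant and name-server data points that turns threat data into a decision.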
19. Special Thanks
• TakeDownCon
• VirusTotal
• Malwr.com
• Mr. Suhail “The Boss”
• Dhia Mohjoub (@DhiaLite)
• Andrew Morris and Animus (@andrew__morris)
• Kevin Cooper (@Imp3rialCooper)
• Dan Gunter