SlideShare a Scribd company logo

Cyber Threat Intelligence

Download as PPTX, PDF
J
James581435

A detailing on threat analysis and the usage and dissemination of intelligence

Technology
1 of 41
Cyber Threat Intelligence MIS 689 Cyber Warfare Capstone Module 4.1
Module Objectives  Fundamental CTI  Exploring & Collecting Hacker Community Data  Exploring AZSecure Hacker Assets Portal: Identifying Threats, Actors, and Targets  CTI Visualization via Tableau (Your Own Analysis)
Fundamental CTI 3
CTI process 4 Phase 1: Intel Planning/Strategy Description: Identify intelligence needs of organization, critical assets, and their vulnerabilities Approaches: threat trending, vulnerability assessments, asset discovery, diamond modelling Phase 2: Data Collection and Aggregation Description: Identify and collect relevant data for threat analytics Data sources: internal network data, external threat feeds, OSINT, human intelligence Phase 3: Threat Analytics Description: Analyze collected data to develop relevant, timely, and actionable intelligence Approaches: malware analysis, event correlation, visualizations, machine learning Phase 4: Intel Usage and Dissemination Description: Mitigate threats and disseminate intelligence Approaches: manual and automated threat responses, intelligence communication standards (e.g., STIX) Four phased CTI Lifecycle We are here
Popular CTI Analytics Analytical Approach Description Examples Value Major Companies Using Summary Statistics High level summary of collected data Number of blocked IP’s, locations of attacks, counts over time Good overview for executives All Event Correlation Analyzes relationships between events Identifying machine sending malicious traffic by checking firewall log Integrates multiple sources of data together (usually internal network) All Reputation Services Identifying the quality of an IP IP “X” has a poor reputation Identify which IP addresses to block Akamai, NSFOCUS, FireEye, AlienVault Malware Analysis Analyzing malicious files on a network Decompiling ransomware Bolster technical cyber- defenses FireEye, AlienVault Anomaly Detection Detecting abnormal behaviors Unusual user logins Detect malicious activity Splunk Forensics Identifying and preserving digital evidence Examining RAM from a malicious system Identifying how an attack occurred LIFARS, Blue Coat, FireEye Machine Learning* Algorithms that can learn from and make predictions on data Classifying malware Automated analysis Splunk, FireEye, Cylance 5 *We will have lectures dedicated to machine learning/data mining
Malware Analysis – Types of Malware Type Description Backdoor Allows an attacker to control the system Botnet Infected computers receive instructions from same Command-and- Control server Downloader Malicious code that exists only to download other malicious code Information-stealing malware Sniffers, keyloggers, password hash grabbers Launcher Malicious program used to launch other malicious programs Rootkit Malware that conceals the existence of other code, usually paired with a backdoor Scareware Frightens a user into buying something Spam-sending malware Attacker rents machine to spammers Worms or Viruses Malicious code that can copy itself and infect additional computers 6
Malware Analysis – Static vs Dynamic 7  Static Analysis – examines malware without running it  Quick and easy, but fails for advanced malware and can miss important behavior  Tools: VirusTotal, strings, disassemblers  Dynamic Analysis – run malware and monitor its effect  Easy, but requires a safe test environment. Not effective on all malware  Tools: RegShot, Process Monitor, Process Hacker, CaptureBAT  RAM Analysis: Mandiant Redline and Volatility
Exploring & Collecting Hacker Community Data (Du et al., IEEE ISI 2018) 8
What are in the underground economy? POS Skimmer Target POS device: Verifone vx510/vx670 Youtube Tutorials Method of Payment: Liberty Reserve ATM Skimmer Accessories Tutorials Blank Credit/Debit Cards (Plastics) Features Sold in batch EMV encoder
Collection Challenges  Anti-crawling measures  IP address blacklisting  User-agent check  User/password authentication & CAPTCHA validation  Denial of service for too many requests  Potential risks of retaliation  Constantly probing underground economy platforms may spook platform owners.  These owners can trace back to us based on network traffic log. Need for secure, intelligent collection capabilities
Hacker Community Platforms Overview Platform Description CTI Value Hacker Forums Message board allowing members to post messages (archived) Key threat actor identification; sharing of hacking tools; indication of access to other hacker communities IRC Plain-text, instant messaging, communication (not archived) Sharing of hacking knowledge and potential target; indication of access to other hacker communities DNMs Markets on Tor that sell illicit goods via cryptocurrency Early indicator for breached companies; in-depth understanding of underground economy Carding Shops Shops selling stolen credit/debit cards and sensitive data Monitoring trafficking of internet fraud industry; precaution of breaches before happen 11 Underlying Mechanism: • Hackers use forums and/or IRC to freely discuss and share Tools, Techniques, and Processes (TTP). • Hackers download tools or navigate to DNMs to purchase exploits. • These tools help hackers conduct cyber-attacks to attain sensitive data such as credit card and SSN. • Finally, hackers load stolen data to DNMs and/or carding shops for financial gain. Table 1. Hacker Community Platform Summary
Data Collection Overview: Hacker Forums Ransomware description Ransomw are code Poster information Figure 1. An example of a hacker forum member sharing ransomware code
Data Collection Overview: IRC Figure 2. An example of hackers sharing links containing illegal contents Figure 3. An example of an IRC user demanding hacking service
Data Collection Overview: DNM Figure 4. An example of a product listing page on DNM
Data Collection Overview: Carding Shop Figure 5. An example of listing page on carding shop Information of one card for carders Card Type
AZSecure Data Collection Overview In our hacker community data collection, we successfully collected 102 platforms for a total of 43,981,647 records.  51 hacker forums,  13 IRC channels,  12 DNMs  26 carding shops 16 Platform # of Platforms # of Records Languages Forums 51 forums 32,266,852 posts English/ Russian/ Arabic IRC 13 channels 2,791,120 lines of conversation English DNM 12 markets 249,597 listings English/ Russian/ French Carding Shops 26 shops 8,674,078 listings English Table 2. Hacker Community Data Collection Summary
Data Integration and Visualization 17 Figure 6. (a) scorecard of active and expired cards, (b) locations, (3) search, sort, and filter functions, and (d) frequency of cards based on zip code Figure 7. (a) frequency of cards per shop, (b) banks of stolen cards, (c) average card prices, (d) filter capabilities, and (e) card issuers with most stolen cards
Exploring AZSecure Hacker Assets Portal: Identifying Threats, Actors, and Targets (Samtani, et al., JMIS, 34(4), 2017) 18
19 Forum post with source code to exploit Mozilla Firefox 3.5.3 Tutorial on how to create malicious documents Forum post with BlackPOS malware attachment. Hackers and Hacker Assets Hacker Asset Examples
Introduction – Hacker Asset Examples 20 Figure 1. Forum post with source code to create botnets Figure 2. Forum post with BlackPOS malware attachment Figure 3. Tutorial on how to create malicious documents
AZSecure Hacker Assets Portal System Design and Features Web Hosting and Access Data Collection and Analytics System Functionalities System Analytics Latent Dirichlet Allocation (LDA) and Support Vector Machine (SVM) Analytics 987 tutorials, 15,576 source code, and 14,851 attachments Browsing Searching VirusTotal Malware Analysis Cyber Threat Intelligence Dashboard Downloading Figure 5. AZSecure Hacker Assets Portal System Design and Features
22 AZSecure Hacker Assets Portal – Data Testbed Forum Language Date Range # of Posts # of Members # of source code # of attachments # of tutorials OpenSC English 02/07/2005-02/21/2016 124,993 6,796 2,590 2,349 628 Xeksec Russian 07/07/2007- 9/15/2015 62,316 18,462 2,456 - 40 Ashiyane Arabic 5/30/2003 – 9/24/2016 34,247 6,406 5,958 10,086 80 tuts4you English 6/10/2006 – 10/31/2016 40,666 2,539 - 2,206 38 exelab Russian 8/25/2008 – 10/27/2016 328,477 13,289 4,572 - 628 Total: - 02/07/2005- 10/31/2016 590,699 47,492 15,576 14,851 987
23 AZSecure Hacker Assets Portal – Data Mining Approach Algorithm Accuracy Precision Recall F1 SVM 98.20 96.36 98.20 98.28 k-Nearest Neighbor 64.00 83.47 64.00 72.24 Naïve Bayes 86.00 88.57 86.00 87.26 Decision Tree 82.60 86.41 82.60 84.42 Asset Analysis and Evaluations Data Collection and Pre-Processing Forum Identification Obfuscated Crawling and Parsing Subset creation and data pre- processing Perplexity and Inter-rater Reliability Support Vector Machine (SVM) Latent Dirichlet Allocation (LDA) Benchmark Classifiers Evaluations Evaluations Cleaned Code Posts Cleaned Attachment Posts Cleaned Tutorial Posts
Hacker Assets Portal V2.0 – Overview 24 (a) Home page, linking to (b & c) Assets, (d) Dashboard, and (e) Malware Families: (b) Assets page, linking to Source Code and Attachments (c) Source Code page; sortable by asset name, exploit type, date, etc. (d) Dashboard for drill-down analysis of hackers & assets over time (e) Malware Families, for depicting relationships among assets over time (Crypter Family shown)
Searching, Sorting & Browsing Hacker Assets 25 (a) Searching (b) Sorting (c) Browsing (e) Browsing: Raw Code (d) Browsing: Asset metadata and forum link
Cyber Threat Intelligence (CTI) Dashboard 26
Cyber Threat Intelligence (CTI) Example – Bank Exploits 27 1. Filtering on 2014, when BlackPOS was posted, shows assets and threat actors at that time. 2. Filtering the actor who posted BlackPOS reveals that he posts other bank exploits (e.g., Zeus). • Provides intelligence on which hacker to monitor. 1 2
Cyber Threat Intelligence (CTI) Example – Crypters 1. Filtering on a specific time point (highest peak): 2. Filtering on a specific asset (crypters, a key technology for Ransomware) 3. Filtering a specific crypter author (Cracksman) shows the trends and types of assets he posted. 28 1 2 3
Cyber Threat Intelligence (CTI) Example – Mobile Malware 1. Filtering for 2016 mobile malware shows assets and threat actors at that time. 2. Filtering on a specific actor (BH-HACKER) allows us to see the assets posted. 29 1 2
CTI Data Exploration & Visualization via Tableau (Your Own Analysis) 30
Tableau Background  Tableau is a powerful data visualization software.  Capable of creating various interactive visualizations from a multitude of data sources.  Tableau is a commercial software, but is available to students for free.  Download from (http://www.tableau.com/academic/students)  Tableau is primarily a drag-and-drop software. 31
Data Sources and Types of Visualizations  Tableau can connect to variety of data sources, including:  Local files – Excel, text, Access  Traditional databases – SQL Server, MySQL, Oracle, PostgreSQL, DB2  Cloud technologies – Amazon Aurora, EMR, Redshift, BigQuery  Big Data Technologies – Hadoop, Hive, Spark SQL  Tableau can create a variety of visualizations including:  Basic bar and line charts (e.g., temporal, box plots, etc.)  Geospatial analysis  Word clouds  Treemaps  Network analysis, although there are better tools for this (e.g., Gephi)!  These visualizations can be combined into interactive dashboards.  Can later be published online or shared easily. 32
Tableau Interface  Dimensions  Data fields that cannot be aggregated  Qualitative values (such as names, dates, or geographical data)  Measures  Data fields that can be measured, aggregated, or used for math operations  Numeric, quantitative values 33 Worksheet Tabs Plot types Data • Blue: discrete data • Green: continuous data Format/ Encode Drag-n-drop https://onlinehelp.tableau.com/current/pro/desktop/en-us/datafields_typesandroles.htm
Walkthrough Example: NFL Sports Analytics  The data used in this example is an Excel spreadsheet about NFL Offensive players from 1999-2013. It contains:  ~40,000 rows of data  Player information (physically measurable traits, birthplace, college attended)  Positions played  Wins achieved in career 34
Connecting to a Data Source  We will have to connect to a data source to start making visualizations. 1. Since our data is in an Excel workbook, we will select that. 2. Second, we will join two of the sheets in the workbook such that we can get access to a larger set of data. Drag the “Unique players” and “Zip codes” sheets to the right. Select the “Inner” join option. 3. We will join the sheets based on zip code. 35 1 2 2 3
Creating a Bar Chart  Suppose we want to know which major college conferences have most combined wins since 1999. 1. First, drag the “Conference” dimension into the “Rows” bar, and the “College Wins” into the columns. Hit the drop down on the “College Wins” and select “Sum.” 2. Second, select bar chart on the right hand side. 3. To add a little bit of color, drag the “Conference” into the “Color” mark. 36 1 3 2
Creating a Word Cloud  Suppose now we want to get a general sense of the most popular conferences in terms of player enrollment is concerned. A word cloud is a great way to visually represent this. 1. First, switch the “Marks” option to “Text”. 2. Second, drag the “Conference” dimension into the “Text” marks box. 1. Then drag the “Conference” dimension into the “Size” marks box. 2. Adjust the measurement on this by hitting the drop down and selecting “Measure (Count)” 37 2 1
Creating a Geospatial Visualization  Consider now that we are interested in the birthplaces of all of the NFL players.  We can easily create a map representation. 1. Drag the “Longitude” dimension to columns, and “Latitude” dimension to the rows. Select the map visualization. 2. Add in some color by dragging the “Birth Zip Code” into the “Color” Marks. 38 1 2
Combining Visualizations into a Dashboard  To tell a more comprehensive story, we can create a dashboard combining all of the visualizations.  Simply open a dashboard view and start dragging sheets into the dashboard.  You can format and add filters into the dashboard as you wish. 39
Further Examples  It is useful to explore other Tableau visualizations to get ideas.  https://public.tableau.com/s/gallery contains many great visualizations. 40 Endangered Safari US Flights Delayed by Precipitation Domestic Violence in Spain
Tableau Resources  Gallery of Tableau visualizations:  https://public.tableau.com/s/gallery  Tableau training videos:  http://www.tableau.com/learn/training  Sample Tableau data sources:  https://public.tableau.com/s/resources  Reference book:  Tableau Your Data!: Fast and Easy Visual Analysis with Tableau Software. Daniel Murray, 2nd edition, 2015.  Available online through UA Library  Companion materials: http://tableauyourdata.com/downloads/ 41

Recommended

Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
 
Internet Relay Chat Forensics
Internet Relay Chat ForensicsInternet Relay Chat Forensics
Internet Relay Chat Forensics
IJSRD
 
The artificial reality of cyber defense
The artificial reality of cyber defenseThe artificial reality of cyber defense
The artificial reality of cyber defense
DATA SECURITY SOLUTIONS
 
Hacking Presentation
Hacking PresentationHacking Presentation
Hacking Presentation
Animesh Behera
 
Cap gemini pitch
Cap gemini pitchCap gemini pitch
Cap gemini pitch
Nicolas Consigny
 
Modern Malware and Threats
Modern Malware and ThreatsModern Malware and Threats
Modern Malware and Threats
MarketingArrowECS_CZ
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
WAJAHAT IQBAL
 
Ce hv8 module 03 scanning networks
Ce hv8 module 03 scanning networksCe hv8 module 03 scanning networks
Ce hv8 module 03 scanning networks
Mehrdad Jingoism
 

Recommended

Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
 
Internet Relay Chat Forensics
Internet Relay Chat ForensicsInternet Relay Chat Forensics
Internet Relay Chat Forensics
IJSRD
 
The artificial reality of cyber defense
The artificial reality of cyber defenseThe artificial reality of cyber defense
The artificial reality of cyber defense
DATA SECURITY SOLUTIONS
 
Hacking Presentation
Hacking PresentationHacking Presentation
Hacking Presentation
Animesh Behera
 
Cap gemini pitch
Cap gemini pitchCap gemini pitch
Cap gemini pitch
Nicolas Consigny
 
Modern Malware and Threats
Modern Malware and ThreatsModern Malware and Threats
Modern Malware and Threats
MarketingArrowECS_CZ
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
WAJAHAT IQBAL
 
Ce hv8 module 03 scanning networks
Ce hv8 module 03 scanning networksCe hv8 module 03 scanning networks
Ce hv8 module 03 scanning networks
Mehrdad Jingoism
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Ethical hacking at warp speed
Ethical hacking at warp speedEthical hacking at warp speed
Ethical hacking at warp speed
Sreejith.D. Menon
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
Geoff Pesimo
 
Cisel1 d
Cisel1 dCisel1 d
Cisel1 d
chandu_sai
 
Road map for actionable threat intelligence
Road map for actionable threat intelligenceRoad map for actionable threat intelligence
Road map for actionable threat intelligence
abhisheksinghcs
 
Literature survey on peer to peer botnets
Literature survey on peer to peer botnetsLiterature survey on peer to peer botnets
Literature survey on peer to peer botnets
Acad
 
Bro Policy Assignment
Bro Policy AssignmentBro Policy Assignment
Bro Policy Assignment
Tara Hardin
 
Ce hv8 module 04 enumeration
Ce hv8 module 04 enumerationCe hv8 module 04 enumeration
Ce hv8 module 04 enumeration
Mehrdad Jingoism
 
Super1
Super1Super1
Super1
neelakanteswarreddy
 
Ceh certified ethical hacker
Ceh certified ethical hackerCeh certified ethical hacker
Ceh certified ethical hacker
bestip
 
Automation Attacks At Scale
Automation Attacks At ScaleAutomation Attacks At Scale
Automation Attacks At Scale
Mayank Dhiman
 
Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The Botmaster
IJERA Editor
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12
Laura Arrigo
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threats
Martin Holovský
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
Vincent Ohprecio
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 
Understanding the Threat Landscape by SOPHOS
Understanding the Threat Landscape by SOPHOSUnderstanding the Threat Landscape by SOPHOS
Understanding the Threat Landscape by SOPHOS
Netpluz Asia Pte Ltd
 
Repost _Healthcare
Repost _HealthcareRepost _Healthcare
Repost _Healthcare
Dr. Rachael Fisher
 
tatget attack
tatget attacktatget attack
tatget attack
Imrana Yari
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_ppt
Narayanan
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
Wonjun Hwang
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
Marcus Vechiato
 

More Related Content

Similar to Cyber Threat Intelligence

Ce hv8 module 04 enumeration
Ce hv8 module 04 enumerationCe hv8 module 04 enumeration
Ce hv8 module 04 enumeration
Mehrdad Jingoism
 
Ceh certified ethical hacker
Ceh certified ethical hackerCeh certified ethical hacker
Ceh certified ethical hacker
bestip
 

Similar to Cyber Threat Intelligence (20)

Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Ethical hacking at warp speed
Ethical hacking at warp speedEthical hacking at warp speed
Ethical hacking at warp speed
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Cisel1 d
Cisel1 dCisel1 d
Cisel1 d
 
Road map for actionable threat intelligence
Road map for actionable threat intelligenceRoad map for actionable threat intelligence
Road map for actionable threat intelligence
 
Literature survey on peer to peer botnets
Literature survey on peer to peer botnetsLiterature survey on peer to peer botnets
Literature survey on peer to peer botnets
 
Bro Policy Assignment
Bro Policy AssignmentBro Policy Assignment
Bro Policy Assignment
 
Ce hv8 module 04 enumeration
Ce hv8 module 04 enumerationCe hv8 module 04 enumeration
Ce hv8 module 04 enumeration
 
Super1
Super1Super1
Super1
 
Ceh certified ethical hacker
Ceh certified ethical hackerCeh certified ethical hacker
Ceh certified ethical hacker
 
Automation Attacks At Scale
Automation Attacks At ScaleAutomation Attacks At Scale
Automation Attacks At Scale
 
Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The Botmaster
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12
 
Modern malware and threats
Modern malware and threatsModern malware and threats
Modern malware and threats
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
Understanding the Threat Landscape by SOPHOS
Understanding the Threat Landscape by SOPHOSUnderstanding the Threat Landscape by SOPHOS
Understanding the Threat Landscape by SOPHOS
 
Repost _Healthcare
Repost _HealthcareRepost _Healthcare
Repost _Healthcare
 
tatget attack
tatget attacktatget attack
tatget attack
 
Ethical_Hacking_ppt
Ethical_Hacking_pptEthical_Hacking_ppt
Ethical_Hacking_ppt
 

Recently uploaded

CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
Wonjun Hwang
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
panagenda
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
DianaGray10
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 

Recently uploaded (20)

CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 

Cyber Threat Intelligence

  • 1. Cyber Threat Intelligence MIS 689 Cyber Warfare Capstone Module 4.1
  • 2. Module Objectives  Fundamental CTI  Exploring & Collecting Hacker Community Data  Exploring AZSecure Hacker Assets Portal: Identifying Threats, Actors, and Targets  CTI Visualization via Tableau (Your Own Analysis)
  • 4. CTI process 4 Phase 1: Intel Planning/Strategy Description: Identify intelligence needs of organization, critical assets, and their vulnerabilities Approaches: threat trending, vulnerability assessments, asset discovery, diamond modelling Phase 2: Data Collection and Aggregation Description: Identify and collect relevant data for threat analytics Data sources: internal network data, external threat feeds, OSINT, human intelligence Phase 3: Threat Analytics Description: Analyze collected data to develop relevant, timely, and actionable intelligence Approaches: malware analysis, event correlation, visualizations, machine learning Phase 4: Intel Usage and Dissemination Description: Mitigate threats and disseminate intelligence Approaches: manual and automated threat responses, intelligence communication standards (e.g., STIX) Four phased CTI Lifecycle We are here
  • 5. Popular CTI Analytics Analytical Approach Description Examples Value Major Companies Using Summary Statistics High level summary of collected data Number of blocked IP’s, locations of attacks, counts over time Good overview for executives All Event Correlation Analyzes relationships between events Identifying machine sending malicious traffic by checking firewall log Integrates multiple sources of data together (usually internal network) All Reputation Services Identifying the quality of an IP IP “X” has a poor reputation Identify which IP addresses to block Akamai, NSFOCUS, FireEye, AlienVault Malware Analysis Analyzing malicious files on a network Decompiling ransomware Bolster technical cyber- defenses FireEye, AlienVault Anomaly Detection Detecting abnormal behaviors Unusual user logins Detect malicious activity Splunk Forensics Identifying and preserving digital evidence Examining RAM from a malicious system Identifying how an attack occurred LIFARS, Blue Coat, FireEye Machine Learning* Algorithms that can learn from and make predictions on data Classifying malware Automated analysis Splunk, FireEye, Cylance 5 *We will have lectures dedicated to machine learning/data mining
  • 6. Malware Analysis – Types of Malware Type Description Backdoor Allows an attacker to control the system Botnet Infected computers receive instructions from same Command-and- Control server Downloader Malicious code that exists only to download other malicious code Information-stealing malware Sniffers, keyloggers, password hash grabbers Launcher Malicious program used to launch other malicious programs Rootkit Malware that conceals the existence of other code, usually paired with a backdoor Scareware Frightens a user into buying something Spam-sending malware Attacker rents machine to spammers Worms or Viruses Malicious code that can copy itself and infect additional computers 6
  • 7. Malware Analysis – Static vs Dynamic 7  Static Analysis – examines malware without running it  Quick and easy, but fails for advanced malware and can miss important behavior  Tools: VirusTotal, strings, disassemblers  Dynamic Analysis – run malware and monitor its effect  Easy, but requires a safe test environment. Not effective on all malware  Tools: RegShot, Process Monitor, Process Hacker, CaptureBAT  RAM Analysis: Mandiant Redline and Volatility
  • 8. Exploring & Collecting Hacker Community Data (Du et al., IEEE ISI 2018) 8
  • 9. What are in the underground economy? POS Skimmer Target POS device: Verifone vx510/vx670 Youtube Tutorials Method of Payment: Liberty Reserve ATM Skimmer Accessories Tutorials Blank Credit/Debit Cards (Plastics) Features Sold in batch EMV encoder
  • 10. Collection Challenges  Anti-crawling measures  IP address blacklisting  User-agent check  User/password authentication & CAPTCHA validation  Denial of service for too many requests  Potential risks of retaliation  Constantly probing underground economy platforms may spook platform owners.  These owners can trace back to us based on network traffic log. Need for secure, intelligent collection capabilities
  • 11. Hacker Community Platforms Overview Platform Description CTI Value Hacker Forums Message board allowing members to post messages (archived) Key threat actor identification; sharing of hacking tools; indication of access to other hacker communities IRC Plain-text, instant messaging, communication (not archived) Sharing of hacking knowledge and potential target; indication of access to other hacker communities DNMs Markets on Tor that sell illicit goods via cryptocurrency Early indicator for breached companies; in-depth understanding of underground economy Carding Shops Shops selling stolen credit/debit cards and sensitive data Monitoring trafficking of internet fraud industry; precaution of breaches before happen 11 Underlying Mechanism: • Hackers use forums and/or IRC to freely discuss and share Tools, Techniques, and Processes (TTP). • Hackers download tools or navigate to DNMs to purchase exploits. • These tools help hackers conduct cyber-attacks to attain sensitive data such as credit card and SSN. • Finally, hackers load stolen data to DNMs and/or carding shops for financial gain. Table 1. Hacker Community Platform Summary
  • 12. Data Collection Overview: Hacker Forums Ransomware description Ransomw are code Poster information Figure 1. An example of a hacker forum member sharing ransomware code
  • 13. Data Collection Overview: IRC Figure 2. An example of hackers sharing links containing illegal contents Figure 3. An example of an IRC user demanding hacking service
  • 14. Data Collection Overview: DNM Figure 4. An example of a product listing page on DNM
  • 15. Data Collection Overview: Carding Shop Figure 5. An example of listing page on carding shop Information of one card for carders Card Type
  • 16. AZSecure Data Collection Overview In our hacker community data collection, we successfully collected 102 platforms for a total of 43,981,647 records.  51 hacker forums,  13 IRC channels,  12 DNMs  26 carding shops 16 Platform # of Platforms # of Records Languages Forums 51 forums 32,266,852 posts English/ Russian/ Arabic IRC 13 channels 2,791,120 lines of conversation English DNM 12 markets 249,597 listings English/ Russian/ French Carding Shops 26 shops 8,674,078 listings English Table 2. Hacker Community Data Collection Summary
  • 17. Data Integration and Visualization 17 Figure 6. (a) scorecard of active and expired cards, (b) locations, (3) search, sort, and filter functions, and (d) frequency of cards based on zip code Figure 7. (a) frequency of cards per shop, (b) banks of stolen cards, (c) average card prices, (d) filter capabilities, and (e) card issuers with most stolen cards
  • 18. Exploring AZSecure Hacker Assets Portal: Identifying Threats, Actors, and Targets (Samtani, et al., JMIS, 34(4), 2017) 18
  • 19. 19 Forum post with source code to exploit Mozilla Firefox 3.5.3 Tutorial on how to create malicious documents Forum post with BlackPOS malware attachment. Hackers and Hacker Assets Hacker Asset Examples
  • 20. Introduction – Hacker Asset Examples 20 Figure 1. Forum post with source code to create botnets Figure 2. Forum post with BlackPOS malware attachment Figure 3. Tutorial on how to create malicious documents
  • 21. AZSecure Hacker Assets Portal System Design and Features Web Hosting and Access Data Collection and Analytics System Functionalities System Analytics Latent Dirichlet Allocation (LDA) and Support Vector Machine (SVM) Analytics 987 tutorials, 15,576 source code, and 14,851 attachments Browsing Searching VirusTotal Malware Analysis Cyber Threat Intelligence Dashboard Downloading Figure 5. AZSecure Hacker Assets Portal System Design and Features
  • 22. 22 AZSecure Hacker Assets Portal – Data Testbed Forum Language Date Range # of Posts # of Members # of source code # of attachments # of tutorials OpenSC English 02/07/2005-02/21/2016 124,993 6,796 2,590 2,349 628 Xeksec Russian 07/07/2007- 9/15/2015 62,316 18,462 2,456 - 40 Ashiyane Arabic 5/30/2003 – 9/24/2016 34,247 6,406 5,958 10,086 80 tuts4you English 6/10/2006 – 10/31/2016 40,666 2,539 - 2,206 38 exelab Russian 8/25/2008 – 10/27/2016 328,477 13,289 4,572 - 628 Total: - 02/07/2005- 10/31/2016 590,699 47,492 15,576 14,851 987
  • 23. 23 AZSecure Hacker Assets Portal – Data Mining Approach Algorithm Accuracy Precision Recall F1 SVM 98.20 96.36 98.20 98.28 k-Nearest Neighbor 64.00 83.47 64.00 72.24 Naïve Bayes 86.00 88.57 86.00 87.26 Decision Tree 82.60 86.41 82.60 84.42 Asset Analysis and Evaluations Data Collection and Pre-Processing Forum Identification Obfuscated Crawling and Parsing Subset creation and data pre- processing Perplexity and Inter-rater Reliability Support Vector Machine (SVM) Latent Dirichlet Allocation (LDA) Benchmark Classifiers Evaluations Evaluations Cleaned Code Posts Cleaned Attachment Posts Cleaned Tutorial Posts
  • 24. Hacker Assets Portal V2.0 – Overview 24 (a) Home page, linking to (b & c) Assets, (d) Dashboard, and (e) Malware Families: (b) Assets page, linking to Source Code and Attachments (c) Source Code page; sortable by asset name, exploit type, date, etc. (d) Dashboard for drill-down analysis of hackers & assets over time (e) Malware Families, for depicting relationships among assets over time (Crypter Family shown)
  • 25. Searching, Sorting & Browsing Hacker Assets 25 (a) Searching (b) Sorting (c) Browsing (e) Browsing: Raw Code (d) Browsing: Asset metadata and forum link
  • 26. Cyber Threat Intelligence (CTI) Dashboard 26
  • 27. Cyber Threat Intelligence (CTI) Example – Bank Exploits 27 1. Filtering on 2014, when BlackPOS was posted, shows assets and threat actors at that time. 2. Filtering the actor who posted BlackPOS reveals that he posts other bank exploits (e.g., Zeus). • Provides intelligence on which hacker to monitor. 1 2
  • 28. Cyber Threat Intelligence (CTI) Example – Crypters 1. Filtering on a specific time point (highest peak): 2. Filtering on a specific asset (crypters, a key technology for Ransomware) 3. Filtering a specific crypter author (Cracksman) shows the trends and types of assets he posted. 28 1 2 3
  • 29. Cyber Threat Intelligence (CTI) Example – Mobile Malware 1. Filtering for 2016 mobile malware shows assets and threat actors at that time. 2. Filtering on a specific actor (BH-HACKER) allows us to see the assets posted. 29 1 2
  • 30. CTI Data Exploration & Visualization via Tableau (Your Own Analysis) 30
  • 31. Tableau Background  Tableau is a powerful data visualization software.  Capable of creating various interactive visualizations from a multitude of data sources.  Tableau is a commercial software, but is available to students for free.  Download from (http://www.tableau.com/academic/students)  Tableau is primarily a drag-and-drop software. 31
  • 32. Data Sources and Types of Visualizations  Tableau can connect to variety of data sources, including:  Local files – Excel, text, Access  Traditional databases – SQL Server, MySQL, Oracle, PostgreSQL, DB2  Cloud technologies – Amazon Aurora, EMR, Redshift, BigQuery  Big Data Technologies – Hadoop, Hive, Spark SQL  Tableau can create a variety of visualizations including:  Basic bar and line charts (e.g., temporal, box plots, etc.)  Geospatial analysis  Word clouds  Treemaps  Network analysis, although there are better tools for this (e.g., Gephi)!  These visualizations can be combined into interactive dashboards.  Can later be published online or shared easily. 32
  • 33. Tableau Interface  Dimensions  Data fields that cannot be aggregated  Qualitative values (such as names, dates, or geographical data)  Measures  Data fields that can be measured, aggregated, or used for math operations  Numeric, quantitative values 33 Worksheet Tabs Plot types Data • Blue: discrete data • Green: continuous data Format/ Encode Drag-n-drop https://onlinehelp.tableau.com/current/pro/desktop/en-us/datafields_typesandroles.htm
  • 34. Walkthrough Example: NFL Sports Analytics  The data used in this example is an Excel spreadsheet about NFL Offensive players from 1999-2013. It contains:  ~40,000 rows of data  Player information (physically measurable traits, birthplace, college attended)  Positions played  Wins achieved in career 34
  • 35. Connecting to a Data Source  We will have to connect to a data source to start making visualizations. 1. Since our data is in an Excel workbook, we will select that. 2. Second, we will join two of the sheets in the workbook such that we can get access to a larger set of data. Drag the “Unique players” and “Zip codes” sheets to the right. Select the “Inner” join option. 3. We will join the sheets based on zip code. 35 1 2 2 3
  • 36. Creating a Bar Chart  Suppose we want to know which major college conferences have most combined wins since 1999. 1. First, drag the “Conference” dimension into the “Rows” bar, and the “College Wins” into the columns. Hit the drop down on the “College Wins” and select “Sum.” 2. Second, select bar chart on the right hand side. 3. To add a little bit of color, drag the “Conference” into the “Color” mark. 36 1 3 2
  • 37. Creating a Word Cloud  Suppose now we want to get a general sense of the most popular conferences in terms of player enrollment is concerned. A word cloud is a great way to visually represent this. 1. First, switch the “Marks” option to “Text”. 2. Second, drag the “Conference” dimension into the “Text” marks box. 1. Then drag the “Conference” dimension into the “Size” marks box. 2. Adjust the measurement on this by hitting the drop down and selecting “Measure (Count)” 37 2 1
  • 38. Creating a Geospatial Visualization  Consider now that we are interested in the birthplaces of all of the NFL players.  We can easily create a map representation. 1. Drag the “Longitude” dimension to columns, and “Latitude” dimension to the rows. Select the map visualization. 2. Add in some color by dragging the “Birth Zip Code” into the “Color” Marks. 38 1 2
  • 39. Combining Visualizations into a Dashboard  To tell a more comprehensive story, we can create a dashboard combining all of the visualizations.  Simply open a dashboard view and start dragging sheets into the dashboard.  You can format and add filters into the dashboard as you wish. 39
  • 40. Further Examples  It is useful to explore other Tableau visualizations to get ideas.  https://public.tableau.com/s/gallery contains many great visualizations. 40 Endangered Safari US Flights Delayed by Precipitation Domestic Violence in Spain
  • 41. Tableau Resources  Gallery of Tableau visualizations:  https://public.tableau.com/s/gallery  Tableau training videos:  http://www.tableau.com/learn/training  Sample Tableau data sources:  https://public.tableau.com/s/resources  Reference book:  Tableau Your Data!: Fast and Easy Visual Analysis with Tableau Software. Daniel Murray, 2nd edition, 2015.  Available online through UA Library  Companion materials: http://tableauyourdata.com/downloads/ 41

Editor's Notes

  1. The Data Mining slide needs to have a system diagram, testbed, and validation results – some significant details to lend credibility.
  2. The Data Mining slide needs to have a system diagram, testbed, and validation results – some significant details to lend credibility. Benchmarking in this fashion is a commonly accepted evaluation practice in computer science and related domains.
  3. Please add one slide illustrating how the hacker assets can help SFS students and other professionals in gaining knowledge about proactive threat intelligence and future defense. Illustrate actual utilities for good guys via some examples. The Malware example needs to show how for cyber defense. You can select and download but so what? What do I learn to defend my assets, e.g., types of vulnerability, system?