Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Threat Intelligence Victory Garden

939 views

Published on

Creating, Capturing, and Using your own threat intelligence with open source tools

Published in: Technology
  • The secret to making your dog's problem behaviors disappear. ♥♥♥ https://bit.ly/38b79Wm
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

Threat Intelligence Victory Garden

  1. 1. Threat Intelligence By Dave Herrald and Ryan Kovar @Splunk
  2. 2. Disclaimer 2 During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. I often lie. Maybe this is a lie. Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes The wøndërful telephøne system And mäni interesting furry animals The characters and incidents portrayed and the names used in this Presentation are fictitious and any similarity to the names, characters, or history of any person is entirely accidental and unintentional. Signed RICHARD M. NIXON Including the majestik møøse A Møøse once bit my Marcus... No realli! He was Karving his initials on the møøse with the sharpened end of an interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. Splunk undertakës no øbligation either to develøp the features or functionality described or to include any such feature or functionality in a future release.
  3. 3. • 17 years of cyber security experience • Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research • Also investigating why printers are so insubordinate ಠ_ಠ 3 Staff Security Strategist Minster of the OODAloopers @meansec # whoami > Ryan Kovar CISSP,MSc(Dist)
  4. 4. -20+ years in IT and security -Information security officer, security architect, pen tester, consultant, SE, system/network engineer -Former SANS Mentor Senior Security Architect Minister of Peace @daveherrald # whoami > Dave Herrald CISSP, GIAC G*, GSE #79
  5. 5. Agenda •Overview •Why •What •How •Done
  6. 6. Overview
  7. 7. Rick Holland Rebekah Brown On the shoulders of SANS giants
  8. 8. http://files.sans.org/summit/Cyber_Threat_Intelligence_Summit_2016/PDFs/You- Got-99-Problems-and-a-Budget-Is-One-Rebekah-Brown.pdf
  9. 9. http://files.sans.org/summit/Cyber_Threat_Intelligence_Summit_2016/PDFs/Threat- Intelligence-Awakens-Rick-Holland.pdf
  10. 10. 12
  11. 11. 13 Tier 1
  12. 12. 14 Writing the book[s]
  13. 13. Nothing. Just broken dreams and tired analysts
  14. 14. Why?
  15. 15. Evangelize
  16. 16. He who is without knowledge of tickets is lacking cyber hygiene. -Sun Cyber Tzu Think
  17. 17. Buying Threat Intelligence is awesome…
  18. 18. Local Threat Intelligence Sources
  19. 19. Overview CYBER What and How?
  20. 20. We use Splunk But you don’t have to!
  21. 21. Use Your Security Awareness Data
  22. 22. Some security awareness data
  23. 23. Zoom plz!
  24. 24. Just Word launching cmd.exe
  25. 25. Suspicion++
  26. 26. Security Awareness Training • “Clicking on Phishing test”==“clicking on Spear Phishing email” • Make your users your canaries in the coal mine • Education helps… make your own targeting list
  27. 27. Decoy document Decoy Docs
  28. 28. https://mice.cs.columbia.edu/getTechreport.php?techreportID=596 Embedded callbacks
  29. 29. Set “Audit Object Access” to Success AND failure
  30. 30. This is cool… But make sure you create whitelists
  31. 31. Decoy Docs and you • Make a file called passwords.docx. Put usernames/passwords in file and leave it inVIP directories. • Put enhanced audit logging on that directory • Insert Web Beacon into document… setup alerting for its callback • Disable (or restrict) honey-users. Setup alerts for their usage.
  32. 32. CHANGES HIS IPs AND DOMAINs Passive DNS
  33. 33. Passive DNS is hard to visualize So here is a camouflaged puppy instead
  34. 34. Passive DNS in Splunk
  35. 35. Passive DNS • Record your DNS data • Find out how adversaries have pivoted by looking at your own data • Hunt in your org using your own data
  36. 36. Google Fooey
  37. 37. Threat Intel Network Endpoints Identity & Context 42 So many vendors. So little time
  38. 38. SOC GOOGLE
  39. 39. Google Fooey and you • Determine what your vendors your security depends upon • Craft Google alerts to notify you of vulnerabilities or compromises • Integrate alerts into your analytical toolkit for automated thingies
  40. 40. Domain Squatting
  41. 41. DNS Twist
  42. 42. dnstwist sans.org -w -g -b -s -m -c -t 100 -d english.dict
  43. 43. Samuel Johnson in the 21st century
  44. 44. DNS Twist and you • Search backward.Then alert in the future • Set a cronjob, run it daily, ingest it into your tool set • Increase risk for important variables • Registered domain • MX records • Newly registered domain
  45. 45. Done
  46. 46. CTI Victory Garden Showcase App
  47. 47. CTI Victory Garden Showcase App Github https://github.com/daveherrald/SA-TI_showcase Splunkbase https://splunkbase.splunk.com/app/3441/
  48. 48. He who is without knowledge of his network is lacking in cyber hygiene. -Sun Cyber Tzu
  49. 49. And then they bought MORE threat intelligence feeds!!!
  50. 50. Takeaways • Dig into your own data • DNStwist your way to visibility • Automate your GoogleFu • Local PassiveDNS is good!!! • Don’t let SAT go to waste • Set decoys and then alert on them
  51. 51. Dave Herrald dherrald@splunk.com @daveherrald Ryan Kovar rkovar@splunk.com @meansec http://blogs.splunk.com/author/rkovar Contact info

×