Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence has become increasingly important as the number and severity of threats are growing continuously. We live in an era where our prevention technologies are no longer enough: antivirus products fail to detect new or sophisticated pieces of malware, our firewalls and perimeter defenses are easily bypassed, and the attacker’s techniques are growing in complexity. In this new landscape, sharing threat intelligence has become a key component of mitigating cyber-attacks.

In this session we will define what Threat Intelligence is and discuss how to collect and integrate threat intelligence from public sources. In addition, we’ll demonstrate how to build your own Threat Intelligence data using Open Source tools such as sandboxes, honeypots, sinkholes and other publicly available tools.

The industry’s reticence to share information about attack vectors gives the adversary a huge advantage. Using Threat Intelligence we can reduce this advantage and enable preventative response. We will guide you through the different standards (OpenIOC, STIX, MAEC, OTX, IODEF…) used to describe and share cyber intelligence, as well as Open Source frameworks such as CIF (Collective Intelligence Framework) that allow you to combine different threat sources.

One of the biggest problems with Threat Intelligence is finding out how to take advantage of the data you have to actually improve the detection/prevention capabilities in your environment. We will describe how to leverage Threat Intelligence to detect threats and provide defenses, and we will focus on how to use Open Source tools (Suricata, OSSIM, OSSEC, Bro, Yara…) to get the most out of your Threat Intelligence.

Presenters: Jaime Blasco and Santiago Bassett

Cornerstones of Trust 2014:
https://www.cornerstonesoftrust.com


  1. Cornerstones of Trust 2014: Threat Intelligence with Open Source tools (@jaimeblasco, @santiagobassett)
  2. Presenters
     • JAIME BLASCO: Director, AlienVault Labs; Security Researcher; Malware Analyst; Incident Response
     • SANTIAGO BASSETT: Security Engineer; OSSIM / OSSEC; Network Security; Log Management
  3. The attacker’s advantage
     • They only need to be successful once
     • Determined, skilled and often funded adversaries
     • Custom malware, 0-days, multiple attack vectors, social engineering
     • Persistent
  4. The defender’s disadvantage
     • They can’t make a mistake
     • Understaffed, jack of all trades, underfunded
     • Increasingly complex IT infrastructure:
       – Moving to the cloud
       – Virtualization
       – Bring your own device
     • Prevention controls fail to block everything
     • Hundreds of systems and vulnerabilities to patch
  5. What is Threat Intelligence?
     • Information about malicious actors
     • Helps you make better decisions about defense
     • Examples: IP addresses, domains, URLs, file hashes, TTPs, victims’ industries, countries...
  6. State of the art
     • Most sharing is unstructured & human-to-human
     • Closed groups
     • Current standards require knowledge, resources and time to integrate the data
  7. How to use Threat Intelligence
     • Detect what my prevention technologies fail to block
     • Security planning, threat assessment
     • Improves incident response / triage
     • Decide which vulnerabilities to patch first
  8. The Threat Intelligence Pyramid of Pain
  9. Standards & Tools
     • IODEF: Incident Object Description Exchange Format
     • MITRE:
       – STIX: Structured Threat Information eXpression
       – TAXII: Trusted Automated eXchange of Indicator Information
       – MAEC, CAPEC, CybOX
     • CIF: Collective Intelligence Framework
  10. Collective Intelligence Framework
  11. Collecting malware
     Some malware tracking sites:
     • http://malc0de.com/rss
     • http://www.malwareblacklist.com/mbl.xml
     • http://www.malwaredomainlist.com/hostslist/mdl.xml
     • http://vxvault.siri-urz.net/URL_List.php
     • http://urlquery.net
     • http://support.clean-mx.de/clean-mx/xmlviruses.php
     Some Open Source malware crawlers:
     • Maltrieve: https://github.com/technoskald/maltrieve
     • Ragpicker: https://code.google.com/p/malware-crawler/
  12. Collecting malware
  13. Other malware collection tools
     Dionaea honeypot:
     • http://dionaea.carnivore.it/
     Thug Honeyclient – Drive-by download attacks:
     • https://github.com/buffer/thug
     • Emulates browser functionality (ActiveX controls and plugins)
  14. Analyzing malware
     Yara: Flexible, human-readable rules for identifying malicious streams. Can be used to analyze:
     • files
     • memory (Volatility)
     • network streams

         private rule APT1_RARSilent_EXE_PDF
         {
             meta:
                 author = "AlienVault Labs"
                 info = "CommentCrew-threat-apt1"
             strings:
                 $winrar1 = "WINRAR.SFX" wide ascii
                 $winrar2 = ";The comment below contains SFX script commands" wide ascii
                 $winrar3 = "Silent=1" wide ascii
                 $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
                 $str2 = "Steup=\"" wide ascii
             condition:
                 all of ($winrar*) and 1 of ($str*)
         }

  15. Analyzing malware
     Cuckoo Sandbox: Used for automated malware analysis.
     • Traces Win32 API calls
     • Files created, deleted and downloaded
     • Memory dumps of malicious processes
     • Network traffic pcaps
  16. Analyzing malware
  17. Sandbox – CIF integration
     In our example: hxxp://www.garyhart.com, domain
  18. CIF External feed example
  19. Thank you!! @jaimeblascob @santiagobassett
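As an added example (not code from the slides, from CIF or from Suricata), this is the last step the abstract and slides 17 and 18 describe: an indicator feed of the kind a CIF export produces is normalized, turned into Suricata DNS rules, and checked against DNS events. The pipe-separated feed layout, the EVE JSON field names, the confidence threshold and the local SID range are assumptions; the feed and log lines are constructed, and www.garyhart.com is the domain slide 17 uses as its example.

```python
import json
import re

# Constructed feed sample (indicator|type|confidence); NOT CIF's real export
# format. www.garyhart.com is the example domain used in slide 17.
FEED_SAMPLE = """\
hxxp://www.garyhart.com|url|85
malware-dl[.]example.net|domain|70
192.0.2.44|ipv4|95
"""

# Constructed DNS events in Suricata EVE JSON form (one event per line).
DNS_LOG_SAMPLE = """\
{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"www.garyhart.com"}}
{"event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query","rrname":"cdn.malware-dl.example.net"}}
{"event_type":"dns","src_ip":"10.0.0.9","dns":{"type":"query","rrname":"www.example.org"}}
"""

def parse_feed(text, min_confidence=50):
    """Return [(indicator, type)] for lines at or above min_confidence, refanged
    (hxxp -> http, [.] -> .); URLs are reduced to their hostname for DNS detection."""
    indicators = []
    for line in text.splitlines():
        if not line.strip():
            continue
        value, itype, conf = line.split("|")
        if int(conf) < min_confidence:
            continue
        value = value.replace("hxxp", "http").replace("[.]", ".").lower()
        if itype == "url":
            value = re.sub(r"^[a-z]+://", "", value).split("/")[0]
            itype = "domain"
        indicators.append((value, itype))
    return indicators

def suricata_dns_rules(indicators, sid_base=9000000):
    """One Suricata rule per domain indicator; sid_base is an assumed local SID range."""
    domains = [v for v, t in indicators if t == "domain"]
    return [
        f'alert dns any any -> any any (msg:"TI feed domain {d}"; dns.query; '
        f'content:"{d}"; nocase; endswith; sid:{sid_base + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]

def match_dns_log(indicators, log_text):
    """Return (src_ip, queried name, indicator) for queries equal to, or a subdomain of, a domain indicator."""
    domains = [v for v, t in indicators if t == "domain"]
    hits = []
    for line in log_text.splitlines():
        event = json.loads(line)
        if event.get("event_type") != "dns":
            continue
        name = event["dns"]["rrname"].lower().rstrip(".")
        for d in domains:
            if name == d or name.endswith("." + d):
                hits.append((event["src_ip"], name, d))
    return hits
```

The subdomain match is what catches `cdn.malware-dl.example.net` against a bare domain indicator; the generated rules use `endswith` on `dns.query` for the same reason.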