
Deploying a Shadow Threat Intel Capability at CarolinaCon on March 6, 2016


In the presentation that threat intel vendors do not want you to see, open source and internal data meet home-grown resources to produce actionable threat intelligence that your organization can use to stop the bad guys. This presentation discusses and shows examples of using what you already have to bootstrap this capability on existing data management platforms with open and flexible schemas, easing the identification of advanced threats. Specific topics covered include the advantages of open and flexible platforms that can be molded into a data repository, a case tracking system, an indicator database, and more. By analyzing this data, organizations can discover trends across attacks that help them understand their adversaries. An example NoSQL schema will be released to help attendees create their own implementations.


1. Deploying a Shadow Threat Intel Capability: Understanding YOUR Adversaries without Expensive Security Tools. @grecs, NovaInfosec.com
2. Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employers.
3. About the speaker: 20 years in industry, 16 years in infosec, 5 years in a SOC
4. (no extractable text)
5. BACKGROUND
6. Background: Requirements (SOC)
7. Background: Evernote as a Solution
8. Background: Definition. “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Sun Tzu, The Art of War
9. Background: Definition. “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.” Rob McMillan, Gartner
10. Background: Definition. “Actionable information you can use to detect or stop the bad guys.” grecs, The Real World
11. Background: Definition. Data vs. Intel. References: “An Introduction to Cyber Intelligence”, Rob Lee; “The Pyramid of Pain”, David Bianco
12. Background: Why Create Internally. “When your threat intel solution is feeling more like a threat intel problem…” @JohnLaTwC
13. Background: Why Create Internally. Diagram: the universe of external threat data/intel versus your organization (the intel you need), showing the overlap in reality and in the ideal case; conclusion: take threat intel in-house
14. Background: Why Create Internally (no extractable text)
15. STEPS
16. Steps 1. Get the Basics First (BlackhillsInfosec.com)
17. Steps 2. Identify the Team
18. Steps 2. Identify the Team (continued)
19. Steps 3. Pick an Analysis Framework
20. Steps 3. Pick an Analysis Framework (continued)
21. Steps 3. Pick an Analysis Framework. Kill chain phases used throughout: Recon, Weaponize, Deliver, Exploit, Install, C2, Position, Access, AoO (actions on objectives)
22. Steps 4. Choose a Threat Intelligence Platform
   • Anton Chuvakin: collect TI data; retain TI for analysis; normalize, enrich, and link collected data; search and query interface; distribute / disseminate data
   • ThreatConnect: Aggregate (OSINT, commercial, shared, …); Analyze (flexible relationships, pivot-able); Act (do stuff with all that data)
23. Steps 4. Choose a Threat Intelligence Platform (continued)
24. Analytics Framework – Input: Reserved Tags (When / What / Where / Who). Each input notebook carries tags for data type, workflow state and source; an entry with no state tag is treated as new.
   Notebook      | Data Type (What)              | Workflow or State (Where)                | Source or Who Added/Updated (Who)
   OSINT DB      | NVD, Exploit-DB, Zeus Tracker | (no tag -> new), Useful, Useless         | NIST, Offensive Sec, Abuse.ch
   Intel Sharing | DIB, FS-ISAC                  | (no tag -> new), Relevant, Irrelevant    | Company A, Company B, Company C
   Log Collect.  | Web Logs, …                   | (no tag -> new), …                       | NovaInfosec, …
   SIEM          | Site Lockout, File Change     | (no tag -> new), Investigating, Reviewed | NovaInfosec
   Column legend from the slide: Source or Who Added/Upd; Workflow or State; Data Type; Priority, Confidence, Rep.
25. Analytics Framework – Analysis: Reserved Tags. Tag prefixes: When (!), What (]), Where (@), Who (^).
   Notebook      | Priority, Confidence, Rep (When) ** | Data Type / ID (What)       | Workflow or State (Where)   | Who Added/Updated (Who)
   Case Tracking | High, Medium, Low                   | CAS10000, CAS10001          | Inbox, Working, Closed      | jsmith, acren
   Indicator DB  | HVI, MVI, LVI                       | 192.168.2.50, smith@tch.com | Suggested, Active, Inactive | jsmith, acren
   Adversary DB  | Important, Not Important            | ABC, DEF                    | Proposed, Tracking, Dormant | jsmith, acren
   Only tag if relevant. ** Primary tags, used to cross-reference.
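The reserved-tag scheme on slides 24 and 25 is only useful if the prefixes are applied consistently and the "no state tag means new" rule is honoured at query time. The following is an added example, not code from the deck: it assumes the prefix convention read off slide 25 ('!' When for priority/confidence, ']' What for data type or record ID, '@' Where for workflow state, '^' Who for source or analyst), enforces the slide's per-notebook vocabularies, and adds a constructed cross-reference convention (tagging an indicator or adversary note with a case ID as a What tag). The notes, IDs and tag values are constructed.

```python
"""Reserved-tag facets for a note store used as a TI repository.

Added example, not code from the deck. Assumes the prefix convention read
off slide 25: '!' = When (priority / confidence), ']' = What (data type or
record ID), '@' = Where (workflow state), '^' = Who (source or analyst).
Vocabularies are the slide's; notes, IDs and the cross-ref rule are constructed.
"""

FACETS = {"!": "when", "]": "what", "@": "where", "^": "who"}

# Allowed values per notebook for the facets the slides constrain. A value
# outside the list is rejected, so a typo such as '@Acitve' cannot silently
# drop an indicator out of every saved search.
VOCAB = {
    "Case Tracking": {"when": {"High", "Medium", "Low"},
                      "where": {"Inbox", "Working", "Closed"}},
    "Indicator DB":  {"when": {"HVI", "MVI", "LVI"},
                      "where": {"Suggested", "Active", "Inactive"}},
    "Adversary":     {"when": {"Important", "Not Important"},
                      "where": {"Proposed", "Tracking", "Dormant"}},
    "OSINT DB":      {"where": {"Useful", "Useless"}},
    "Intel Sharing": {"where": {"Relevant", "Irrelevant"}},
    "SIEM":          {"where": {"Investigating", "Reviewed"}},
}


def parse_tags(notebook, tags):
    """Split a note's tags by facet; a missing Where tag means state 'new'."""
    facets = {"when": [], "what": [], "where": [], "who": []}
    for tag in tags:
        facet = FACETS.get(tag[:1])
        if facet is None:
            raise ValueError(f"tag {tag!r} lacks a reserved prefix")
        value = tag[1:]
        allowed = VOCAB.get(notebook, {}).get(facet)
        if allowed is not None and value not in allowed:
            raise ValueError(f"{value!r} is not a {facet} tag in {notebook}")
        facets[facet].append(value)
    if not facets["where"]:
        facets["where"] = ["new"]       # the slide's "(no tag -> new)" rule
    return facets


def is_valid(notebook, tags):
    """True if every tag has a reserved prefix and an allowed value."""
    try:
        parse_tags(notebook, tags)
        return True
    except ValueError:
        return False


def query(notes, notebook=None, **wanted):
    """IDs of notes whose facets hold every wanted value, e.g. where='Active'."""
    hits = []
    for note in notes:
        if notebook and note["notebook"] != notebook:
            continue
        facets = parse_tags(note["notebook"], note["tags"])
        if all(value in facets[facet] for facet, value in wanted.items()):
            hits.append(note["id"])
    return hits


def cross_ref(notes, record_id):
    """Notes in any notebook carrying a record's ID (e.g. a case number) as a
    What tag. Assumed convention: tag an indicator ']CAS10000' to tie it to the
    case, so case, indicator and adversary notes pull together in one search."""
    return query(notes, what=record_id)


# Constructed sample notes using the slide's vocabularies.
NOTES = [
    {"id": "n1", "notebook": "Case Tracking",
     "tags": ["!High", "]CAS10000", "@Working", "^jsmith"]},
    {"id": "n2", "notebook": "Indicator DB",
     "tags": ["!HVI", "]192.168.2.50", "]CAS10000", "@Active", "^acren"]},
    {"id": "n3", "notebook": "Indicator DB",        # no @ tag: state is 'new'
     "tags": ["!LVI", "]smith@tch.com", "^jsmith"]},
    {"id": "n4", "notebook": "OSINT DB", "tags": ["]NVD", "@Useful", "^NIST"]},
    {"id": "n5", "notebook": "Adversary",
     "tags": ["!Important", "]ABC", "]CAS10000", "@Tracking", "^acren"]},
]

if __name__ == "__main__":
    print("untriaged indicators:", query(NOTES, notebook="Indicator DB", where="new"))
    print("everything tied to CAS10000:", cross_ref(NOTES, "CAS10000"))
```

The validation step is the part worth keeping even if the prefixes are changed: in a free-form note store nothing else stops an analyst from creating a near-duplicate state tag, and an indicator tagged with a misspelt state disappears from the saved searches the rest of the team relies on.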
26. Steps 4. Choose a Threat Intelligence Platform (continued)
27. Steps 4. Choose a Threat Intelligence Platform. Relevant threat intel is built from four linked record types: Attacks (investigations), Campaigns, Adversaries, Indicators
28. Steps 4. Choose a Threat Intelligence Platform. Pivot between Attacks, Campaigns, Adversaries and Indicators
29. Steps 4. Choose a Threat Intelligence Platform. Record layout with cross-references (parenthesized fields are reached through the linked records rather than stored on the record):
   Attacks: (Indicators), Attack ID, Campaign Nm, (Adversary Nm), …
   Campaigns: (Indicators), (Attack IDs), Campaign Nm, Adversary Nm, …
   Adversaries: (Indicators), (Attack IDs), (Campaign Nms), Adversary Nm, …
   Indicators: Indicator, Attack ID, (Campaign Nm), (Adversary Nm), …
30. Steps 4. Choose a Threat Intelligence Platform. Record fields:
   Attacks: Attack ID, Campaign Nm, Title, Note, Tags
   Campaigns: Campaign Nm, Adversary Nm, Note, Tags, …
   Adversaries: Adversary Nm, Note, TTPs, Tags, …
   Indicators: Indicator, Attack ID, KC Phase, Note, Tags
31. Steps 4. Choose a Threat Intelligence Platform. Same layout, with Context on the indicator record in place of Note:
   Indicators: Indicator, Attack ID, KC Phase, Context, Tags
   Attacks: Attack ID, Campaign, Title, Note, Tags
   Campaigns: Campaign, Adversary, Note, Tags
   Adversaries: Adversary, Notes, TTPs, Tags
32. Steps 4. Choose a Threat Intelligence Platform. Options on a cost spectrum from Free (as in puppies) to $$$: Adapt, TIP, threat_note, RTIR
33. Steps 5. Create Data
34. Steps 5. Create Data. Attack 1 recorded by kill-chain phase:
   Recon: Viper user agent activity
   Weaponize: (none)
   Deliver: leia@rebals.com, obiwan@jedi.com, “Check out this hilarious vid of me.”
   Exploit: help.wmv / CVE-1234-567
   Install, C2, Position, Access, AoO: (none observed)
35. Steps 5. Create Data. Figure: ten attacks recorded the same way, each with indicators in some kill-chain phases and none in others
36. Steps 6. Extract Intelligence. Overlapping indicators link separate attacks into one campaign:
   Attack 1: Recon Viper UA; Deliver leia@rebals.com; Exploit help.wmv
   Attack 5: rebalstube[.]com, leia@rebals.com, rebalstube[.]com/help, tar66.exe, 1.2.3.4 (shares leia@rebals.com with Attack 1)
   Attack 9: tar66.exe, 1.2.3.8, livingjedi.xls, 1.2.3.9 (shares tar66.exe with Attack 5)
   Result: Campaign Order66
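Slides 27 through 31 describe the four-record schema and the pivots between records, and slides 34 through 36 show the payoff: attacks entered per kill-chain phase get linked into a campaign once they share indicators. The following is an added example of that schema and extraction step, not the schema released with the talk: field names follow the slides (Attack ID, Campaign Nm, Adversary Nm, Indicator, KC Phase, Context, Tags), the phase assignments for Attacks 5 and 9 and the attack titles are constructed, the adversary name "Sith" is made up, and the linking rule (any shared indicator value joins two attacks) is an assumption the deck's overlap diagram implies but does not state.

```python
"""Document-style TI schema from the deck (Attacks, Campaigns, Adversaries,
Indicators) with pivots and campaign extraction. Added example, not the
deck's released schema; field names follow the slides, data is constructed."""
from collections import defaultdict

KILL_CHAIN = ["Recon", "Weaponize", "Deliver", "Exploit", "Install", "C2",
              "Position", "Access", "AoO"]  # AoO = actions on objectives


class ThreatDB:
    """Four collections of plain dict documents, linked by ID fields only."""

    def __init__(self):
        self.attacks = {}      # Attack ID -> {Title, Note, Campaign Nm, Tags}
        self.campaigns = {}    # Campaign Nm -> {Adversary Nm, Note, Tags}
        self.adversaries = {}  # Adversary Nm -> {Note, TTPs, Tags}
        self.indicators = []   # {Indicator, Attack ID, KC Phase, Context, Tags}

    def add_attack(self, attack_id, title, note=""):
        self.attacks[attack_id] = {"Title": title, "Note": note,
                                   "Campaign Nm": None, "Tags": []}

    def add_indicator(self, value, attack_id, phase, context=""):
        # Indicators hang off one attack and one kill-chain phase (slide 30).
        if phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill-chain phase {phase!r}")
        if attack_id not in self.attacks:
            raise KeyError(f"unknown attack {attack_id!r}")
        self.indicators.append({"Indicator": value, "Attack ID": attack_id,
                                "KC Phase": phase, "Context": context, "Tags": []})

    # --- pivots (slide 28) -------------------------------------------------
    def attacks_for_indicator(self, value):
        return sorted({i["Attack ID"] for i in self.indicators if i["Indicator"] == value})

    def indicators_for_attack(self, attack_id):
        return sorted({i["Indicator"] for i in self.indicators if i["Attack ID"] == attack_id})

    def adversary_for_attack(self, attack_id):
        # Attack -> Campaign -> Adversary; the parenthesized field on slide 29.
        campaign = self.attacks[attack_id]["Campaign Nm"]
        return self.campaigns[campaign]["Adversary Nm"] if campaign else None

    # --- extraction (slide 36): attacks sharing an indicator belong together
    def cluster_attacks(self):
        parent = {a: a for a in self.attacks}   # union-find over attack IDs

        def find(a):
            while parent[a] != a:
                parent[a] = parent[parent[a]]
                a = parent[a]
            return a

        by_value = defaultdict(set)
        for ind in self.indicators:
            by_value[ind["Indicator"]].add(ind["Attack ID"])
        for attack_ids in by_value.values():
            first, *rest = sorted(attack_ids)
            for other in rest:
                parent[find(other)] = find(first)
        groups = defaultdict(list)
        for a in self.attacks:
            groups[find(a)].append(a)
        return sorted(sorted(g) for g in groups.values())

    def promote_campaign(self, name, attack_ids, adversary, note=""):
        """Record a cluster as a Campaign attributed to an Adversary."""
        self.adversaries.setdefault(adversary, {"Note": "", "TTPs": [], "Tags": []})
        self.campaigns[name] = {"Adversary Nm": adversary, "Note": note, "Tags": []}
        for a in attack_ids:
            self.attacks[a]["Campaign Nm"] = name

    def phase_coverage(self, attack_ids):
        """Kill-chain phases with at least one indicator across the attacks."""
        ids = set(attack_ids)
        seen = {i["KC Phase"] for i in self.indicators if i["Attack ID"] in ids}
        return [p for p in KILL_CHAIN if p in seen]


def build_sample_db():
    """Constructed data mirroring the deck's Star Wars themed slides."""
    db = ThreatDB()
    for aid, title in [("ATK1", "hilarious vid lure"), ("ATK2", "unrelated beacon"),
                       ("ATK5", "rebalstube lure"), ("ATK9", "livingjedi exfil")]:
        db.add_attack(aid, title)
    rows = [  # (indicator, attack, phase); phases for ATK5/ATK9 are assumed
        ("Viper UA", "ATK1", "Recon"), ("leia@rebals.com", "ATK1", "Deliver"),
        ("help.wmv", "ATK1", "Exploit"),
        ("rebalstube[.]com", "ATK5", "Recon"), ("leia@rebals.com", "ATK5", "Deliver"),
        ("rebalstube[.]com/help", "ATK5", "Exploit"), ("tar66.exe", "ATK5", "Install"),
        ("1.2.3.4", "ATK5", "C2"),
        ("tar66.exe", "ATK9", "Install"), ("1.2.3.8", "ATK9", "C2"),
        ("livingjedi.xls", "ATK9", "AoO"), ("1.2.3.9", "ATK9", "AoO"),
        ("5.6.7.8", "ATK2", "C2"),           # shares nothing with the others
    ]
    for value, aid, phase in rows:
        db.add_indicator(value, aid, phase)
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for group in db.cluster_attacks():
        print(group, db.phase_coverage(group))
```

The clustering joins Attack 1 to Attack 5 through leia@rebals.com and Attack 5 to Attack 9 through tar66.exe, so all three land in one group while the unrelated attack stays alone; that group is what an analyst would then promote to the campaign and attribute to an adversary. In practice the join rule needs a relevance filter first (a shared public DNS resolver or a commodity user agent would otherwise merge everything), which is exactly the Useful/Useless and Relevant/Irrelevant state tagging the input slides call for.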
37. Conclusion
   • First, get the basics done
   • Next, build your own TI capability
   • Finally, supplement with external intel/data
38. Thanks & Questions
   • Twitter: @grecs
   • Website: NovaInfosec.com, @novainfosec
   • Contact: http://bit.ly/nispcontact
