Threat Intelligence Field of Dreams

1. Company Confidential Powered by Building a Threat Intelligence Field of Dreams 05.12.2016

2. Company Confidential James Carder CISO | VP LogRhythm Labs Greg Foss Global Security Operations Team Lead

3. Operationalizing Threat Intelligence Making Threat Intelligence Useful

4. Company Confidential Defining Threat Intelligence “Evidence-based knowledge, including context, mechanisms, indicators, implications and ACTIONABLE advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard” - Gartner

5. Company Confidential • Documents (e.g., FBI flash reports) • Blogs, emails • RSS feeds • CSV and text files • STIX • Open IOC • Malware samples • Packet capture • Forensic artifacts (files, email) Actionable data types Intel Reports Indicators of Compromise Raw Data Types • User Behaviors • Endpoint Behaviors • Network Behaviors Your Own Data

6. Company Confidential Operationalizing Threat Intelligence Indicators of Compromise (IOC) are automatically searched Changes to external threat environment immediate detected Provides analyst context around incident, event, threat, campaign • Historical knowledge as well to chain related attacks Reconnaissance & Planning Initial Compromise Command & Control Lateral Movement Target Attainment Exfiltration Corruption Disruption

7. OSINT Open Source Intelligence Gathering

8. Company Confidential Open Source Intelligence Gathering Open Source Intelligence (OSINT) in the simplest of terms is locating, and analyzing publically (open) available sources of information. The key component here is that this intelligence gathering process has a goal of producing current and relevant information that is valuable to either an attacker or competitor. For the most part, OSINT is more than simply performing web searches using various sources. - http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#OSINT

9. Company Confidential OSINT • Offensive and Defensive • Manual – In Depth Analysis of the target entity or individual(s) • Automated – High level analysis of metadata • Operationalize, Integrate, and Automate OSINT analysis FTW • Define goals – what to analyze, why, how, outputs, etc. • Indicators of Compromise • Data to feedback loops into defensive tools • Research • Attribution • Actors, victims, servers, locations, samples, etc.

10. Company Confidential OSINT OPSEC (Manual) • OPSEC : Operational Security • The target cannot know your organization is actively investigating them… • Use a USB-bootable Linux image such as Tails – non-persistent • Run both TOR and a VPN (commercial or use cloud systems) • Virtual Private Servers (VPS) located in other countries • Pay for services using bitcoin and/or pre-paid gift cards • Regardless of solution – understand the service’s logging policy, check for warrant canaries, and know your rights…

11. Company Confidential Why TOR and VPN? TOR != VPN TOR = Randomizer VPN = Tunnel Honestly… Not a big deal unless you’re planning to do illegal things – Which you should not be doing anyways...

12. Company Confidential OSINT OPSEC (Automated – Corporate) • Register a Linux Amazon EC2 box (free tier) with no elastic IP • Purchase a Dyn DNS account – for dynamic DNS registration • Establish a PPTP VPN tunnel to the EC2 system(s) • Perform investigative analysis from these cloud-hosted systems and / or local boxes with proper precautions in place • Proxy traffic through and use SSH port forwarding to access services • Following the completion of the analysis, reboot the system. • By default, AWS will assign a new IP unless you use an elastic IP • Reconfigure the tunnels and DNS as necessary (automate this)

13. Company Confidential Automating OSINT and Response Domain Tools Passive Total VirusTotal Cisco AMP ThreatGRID Netflow / IDS Firewalls Proxy Endpoint SIEM API SecOps Infrastructure

14. Company Confidential Manual OSINT Analysis • Goal-Oriented • Define specific target and understand the data you wish to obtain • Technical – Accounts, Servers, Services, Software, Integrations • Social – Social Media, Photography, Wish Lists, Email • Physical – Address, Home IP Address, Business, Footprint • Logical – Network, Operational Intelligence, Where, When

15. Company Confidential A Few OSINT Tools • Maltego • Transforms! • Passive Total • Threat Intel and Maltego API! • Domain Tools IRIS • Whois History, Pivot off of data points (email, address, phone, etc.) • Shodan • The network search engine – everything from open VNC services to C2’s • Facebook / Linkedin / Spokeo / Pipl / etc. • Create fake accounts and use API integrations to automate searches

16. Company Confidential OSINT Tips and Tricks : Shortened URL’s All you need is +

17. Company Confidential OSINT Tips and Tricks : Shortened URL’s

18. Company Confidential OSINT Tips and Tricks : Resolve Skype Username to IP

19. Company Confidential OSINT Tips and Tricks : Resolve Skype Username to IP

20. Company Confidential OSINT Tips and Tricks : Source Code Search Nerdydata.com

21. Company Confidential OSINT Tips and Tricks : Source Code Search ;-)

22. Company Confidential Just scratching the surface…

23. Case Studies Operationalization of Threat Intel

24. Company Confidential Case Study: Operationalizing POS Intel from a Threat Report Threat Report SIEM/Analytics Engine Hits, Alarm, Smart Response No Hits, No Alarm, Smart Response Automated Search using Host and Network IOCs and/or BrutPOS behavior in SIEM and on endpoint POS Network • Containment • Acquisition • Analysis • Confirmation • Remediation • Metrics/Reporting

25. Company Confidential SIEM/Analytics Engine Domain was opened in the last 7 days or registered by known bad…Smart Response Domain is reputable or categorized as good DNS name isn’t recognized or part of known malicious domain lists…Smart Response…check Domain Tools • Containment • Acquisition • Analysis • Confirmation • Remediation • Metrics/Reporting Internet Browsing Internet Case Study: Operationalizing Intel using Third Party Integrations

26. Company Confidential Case Study: Operationalizing Intel from Internal Behaviors / Baselines Assume credentials are stolen SIEM/Analytics Engine Detect: Network traffic to vl.ff.avast.com & su.ff.avast.com Detect: 128 Bit GUID cba871fa-80c9-48bc-9836- 8df3a7f67145 Identify: Avast AV Single Factor • Containment • Acquisition • Analysis • Confirmation • Remediation • Metrics/Reporting Smart Response: Does IT inventory have anything other than McAfee or ESET? If not, Smart Response into IR

27. Company Confidential Malware Sandbox e.g. Cuckoo Historical Case Data Analyst e.g. Malware, Forensics External Services e.g. Domain Tools, Virus Total Threat Intelligence e.g. ISACs, Threat Feeds, Flash Reports Offer Services to your friends Collect Intel & Collaborate Vulnerability Intelligence If you build it…they will come…

29. Company Confidential Is attribution important? • “If you know the enemy and know yourself you need not fear the results of a hundred battles” – Sun Tzu • “All warfare is based on deception. Hence, when we are able to attack we must seem unable, when using our force we must appear inactive, when we are near we must make the enemy believe we are far away, when we are far away we must make him believe we are near” – Sun Tzu

30. Company Confidential • Who did it? • Why did they do it? • What were they after? • Could we have prevented it? • APT, China • China 5yr plan, don’t know • Research data, intellectual property, I don’t know • No, not without more budget “China stole it, specifically an APT group out of A province. The data was then transferred to person B, located in province C. Then person B sent it to person D in Russia. Once in Russia, the stolen data ended up on person E’s table.” What if attribution was real’ized?

31. Document Bugging and Web Tracing Tracking people of interest and mapping out their digital footprints

32. Company Confidential Honey Tokens and Document Bugging Tracking file access, modification, exfiltration, etc… • Use File Integrity Monitoring to track file interactions • Any predefined item, instrumented to generate a unique log • Strings, Drives, Directories, Hashes, ‘employees’

33. Company Confidential File Integrity Monitoring – Built in to Windows Logging

34. Company Confidential Document Bugging – How To • WebBug Background Information: http://ha.ckers.org/webbug.html • WebBug Server: https://bitbucket.org/ethanr/webbugserver • Bugged Files – Is Your Document Telling on You? Daniel Crowley and Damon Smith (Chaos Communication Camp 2015) https://www.youtube.com/watch?v=j5cjFul4ZIc

35. Company Confidential Document Tracking Same tricks used by Marketing / Sales for years. Normally for tracking emails, clicks, downloads, etc. Why loading external images within email is risky…

36. Company Confidential https://github.com/gfoss/misc/tree/master/Bash/webbug Documents can be tracked in the same way as email / web

37. Company Confidential Issues with Document Tracking When a document is opened up offline, it is possible that information will be divulged about the tracking service itself. Be cognizant of this when bugging documents.

38. Company Confidential Issues with Document Tracking Visiting the site directly Dead giveaway that something phishy is up…

39. Company Confidential Issues with Document Tracking You may even get your domain flagged This can hinder your tracking ability Ensure that you check regularly…

40. Company Confidential Taking it a step further… • Honeybadger, Flash, Java, Client Side Code If you are able to execute code on the endpoint, you can uncover the true location, regardless of proxy

41. Company Confidential No help in court… • Evidence obtained via webbugs, tracing, or similar forms of tracking may not be admissible in court, as this could be considered entrapment. • FBI Case – Operation Torpedo • https://www.wired.com/2014/08/operation_torpedo/

42. Company Confidential Legalities of Document Bugging • Is it spying? • Can you really get in trouble for tracking your own things? • All boils down to intent…very grey area.

43. Company Confidential Bugged Documents In Practice Reverse Phishing

44. Company Confidential He was even kind enough to complete the form and send it back!

45. Company Confidential Bugged Documents – In Practice Capture The Flag – LogRhythmChallenge.com

46. Company Confidential In Practice Bugging the CTF instructions…

47. Company Confidential Bugged Documents – In Practice “We need your slides 9-months ahead of time for this industry-leading cyber security event” – Random Conference

48. Company Confidential USB Drop – Security Awareness Case Study

49. Company Confidential Building a Believable Campaign USB Human Interface Device (HID) attacks are too obvious. A dead giveaway that the target just compromised their system. + Expensive. http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649

50. Company Confidential Building a Believable Campaign Use realistic files with somewhat realistic data Staged approach to track file access and exploitation

51. Company Confidential README.doc

52. Company Confidential Tracking File Access Bugged document opened within the corporate network? Correlate access logs with network flow analysis to find the victim

53. Company Confidential Who Opened The File?

54. Company Confidential Competitive-Business-Analysis.xlsm

55. Company Confidential PowerShell Macro

56. Company Confidential PowerShell Prompt PowerShell Empire – Invoke-Prompt

57. Company Confidential Step 1 – Compress PowerShell Script

58. Company Confidential Step 2 – Build the Macro and Inject PowerShell Script

59. Company Confidential Step 3 - Customize the Macro

60. Company Confidential Step 4 - Profit Send an email when the Macro is run… Use a bogus email (unlike I did here) – I know, I know. Bad OpSec.

61. Company Confidential

62. Company Confidential Toolscalculator.exe

63. Company Confidential Yep… They ran it “Nobody’s going to run an executable from some random USB” -- Greg

64. Company Confidential Now we have our foothold… Fortunately they didn’t run this as an admin

67. Company Confidential Macro Attack Detection

68. Company Confidential Malware Beaconing

69. Company Confidential Conclusion • Developing and leveraging actionable OSINT data can help operationalize Threat Intelligence • Develop a cyclical Threat Intelligence ecosystem and implement automated responses to known threats • Take proactive measures by laying traps and various flags that will notify the SOC to anomalous activity • Use active defense techniques to learn more about the adversary and attempt to gain attribution • Understand the shortcomings of attribution and document bugging to avoid common pitfalls • Communicate across various departments and coordinate defensive efforts

70. Company Confidential James Carder James.Carder@LogRhythm.com CISO | VP LogRhythm Labs Greg Foss Greg.Foss@LogRhythm.com Global Security Operations Team Lead Thank You!

Threat Intelligence Field of Dreams

Threat Intelligence Field of Dreams

Recommended

More Related Content

What's hot

What's hot(20)

Viewers also liked

Viewers also liked(20)

Similar to Threat Intelligence Field of Dreams

Similar to Threat Intelligence Field of Dreams(20)

More from Greg Foss

More from Greg Foss(10)

Recently uploaded

Recently uploaded(20)

Threat Intelligence Field of Dreams