Threat Intelligence Field of Dreams

Threat Intelligence is by far one of the most overused buzzwords in the security industry, and many professionals have mixed feelings about Threat Intelligence feeds. This discussion covers how LogRhythm's internal security team uses Threat Intelligence to operationalize and streamline Security Operations processes and improve an organization's defenses. We show how you can generate your own Threat Intelligence and create information-sharing loops within like industries to fully realize the team's defensive capabilities. Beyond the technical aspects of building out a good Threat Intel program, we discuss how to manage this from a leadership perspective and get buy-in from the top. Most importantly, once these systems are in place, we show how to demonstrate value to leadership using key performance indicators and leverage that to improve the overall security program.


  1. Building a Threat Intelligence Field of Dreams, 05.12.2016 (Company Confidential)
  2. James Carder, CISO | VP LogRhythm Labs; Greg Foss, Global Security Operations Team Lead
  3. Operationalizing Threat Intelligence: Making Threat Intelligence Useful
  4. Defining Threat Intelligence: "Evidence-based knowledge, including context, mechanisms, indicators, implications and ACTIONABLE advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard" - Gartner
  5. Actionable data types
     • Intel reports: documents (e.g., FBI flash reports), blogs, emails, RSS feeds
     • Indicators of compromise: CSV and text files, STIX, OpenIOC
     • Raw data types: malware samples, packet capture, forensic artifacts (files, email)
     • Your own data: user behaviors, endpoint behaviors, network behaviors
  6. Operationalizing Threat Intelligence
     • Indicators of Compromise (IOCs) are searched automatically
     • Changes to the external threat environment are detected immediately
     • Provides the analyst context around an incident, event, threat or campaign, including historical knowledge to chain related attacks
     • Mapped against the attack lifecycle: Reconnaissance & Planning, Initial Compromise, Command & Control, Lateral Movement, Target Attainment, Exfiltration, Corruption, Disruption
  7. OSINT: Open Source Intelligence Gathering
  8. Open Source Intelligence Gathering. "Open Source Intelligence (OSINT) in the simplest of terms is locating, and analyzing publicly (open) available sources of information. The key component here is that this intelligence gathering process has a goal of producing current and relevant information that is valuable to either an attacker or competitor. For the most part, OSINT is more than simply performing web searches using various sources." - http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#OSINT
  9. OSINT
     • Offensive and defensive
     • Manual: in-depth analysis of the target entity or individual(s)
     • Automated: high-level analysis of metadata
     • Operationalize, integrate and automate OSINT analysis FTW
     • Define goals: what to analyze, why, how, outputs, etc.
     • Outputs: indicators of compromise; data to feed back into defensive tools; research; attribution (actors, victims, servers, locations, samples, etc.)
  10. OSINT OPSEC (Manual)
     • OPSEC: operational security. The target cannot know your organization is actively investigating them.
     • Use a USB-bootable Linux image such as Tails (non-persistent)
     • Run both Tor and a VPN (commercial, or use cloud systems)
     • Virtual Private Servers (VPS) located in other countries
     • Pay for services using bitcoin and/or pre-paid gift cards
     • Regardless of solution: understand the service's logging policy, check for warrant canaries, and know your rights
  11. Why Tor and a VPN? Tor != VPN. Tor routes each connection through a changing circuit of volunteer relays (a randomizer); a VPN is a single encrypted tunnel to one provider, which can see and log everything you send through it. Honestly, not a big deal unless you're planning to do illegal things, which you should not be doing anyway...
  12. OSINT OPSEC (Automated, Corporate)
     • Launch a Linux Amazon EC2 instance (free tier) with no Elastic IP
     • Purchase a Dyn DNS account for dynamic DNS registration
     • Establish a VPN tunnel to the EC2 system(s). The slide used PPTP; PPTP's MS-CHAPv2 authentication is broken, so an IPsec or OpenVPN tunnel serves the same purpose without that weakness.
     • Perform investigative analysis from these cloud-hosted systems and/or local boxes with proper precautions in place
     • Proxy traffic through the instance and use SSH port forwarding to access services
     • After the analysis, cycle the instance. Note: a reboot keeps an instance's public IPv4 address; only a stop/start releases it, after which AWS assigns a new one unless an Elastic IP is attached.
     • Reconfigure the tunnels and DNS as necessary (automate this)
  13. Automating OSINT and Response (architecture diagram): external services (DomainTools, PassiveTotal, VirusTotal, Cisco AMP ThreatGrid) are queried through their APIs by the SIEM, which correlates them with SecOps infrastructure telemetry (NetFlow/IDS, firewalls, proxy, endpoint) and drives the response.
  14. Manual OSINT Analysis
     • Goal-oriented: define the specific target and understand the data you wish to obtain
     • Technical: accounts, servers, services, software, integrations
     • Social: social media, photography, wish lists, email
     • Physical: address, home IP address, business, footprint
     • Logical: network, operational intelligence, where, when
  15. A Few OSINT Tools
     • Maltego: transforms!
     • PassiveTotal: threat intel and a Maltego API!
     • DomainTools Iris: WHOIS history; pivot off data points (email, address, phone, etc.)
     • Shodan: the network search engine, everything from open VNC services to C2s
     • Facebook / LinkedIn / Spokeo / Pipl / etc.: create fake accounts and use API integrations to automate searches
  16. OSINT Tips and Tricks: Shortened URLs. All you need is a trailing "+": appending + to a bit.ly short link, for example, opens its preview page, which shows the destination and click statistics without visiting the target.
  17. OSINT Tips and Tricks: Shortened URLs (continued; screenshot)
  18. OSINT Tips and Tricks: Resolve Skype Username to IP
  19. OSINT Tips and Tricks: Resolve Skype Username to IP (continued; screenshot)
  20. OSINT Tips and Tricks: Source Code Search, nerdydata.com
  21. OSINT Tips and Tricks: Source Code Search ;-)
  22. Just scratching the surface...
  23. Case Studies: Operationalization of Threat Intel
  24. Case Study: Operationalizing POS Intel from a Threat Report (flow diagram). Threat report -> SIEM/analytics engine -> automated search for the report's host and network IOCs and/or BrutPOS behavior, both in the SIEM and on the endpoints of the POS network. Hits: alarm and SmartResponse into the IR loop (containment, acquisition, analysis, confirmation, remediation, metrics/reporting). No hits: no alarm, SmartResponse.
  25. Case Study: Operationalizing Intel using Third-Party Integrations (flow diagram). Internet browsing -> SIEM/analytics engine. If the domain is reputable or categorized as good: no action. If the DNS name isn't recognized or appears on known malicious domain lists: SmartResponse checks DomainTools. If the domain was registered in the last 7 days or by a known-bad registrant: SmartResponse into the IR loop (containment, acquisition, analysis, confirmation, remediation, metrics/reporting).
  26. Case Study: Operationalizing Intel from Internal Behaviors / Baselines. Assume credentials are stolen and the remote access is single-factor. Detect: network traffic to vl.ff.avast.com and su.ff.avast.com. Detect: the 128-bit GUID cba871fa-80c9-48bc-9836-8df3a7f67145. Identify: the host is running Avast AV. SmartResponse: does the IT inventory list anything other than McAfee or ESET? If not, the connecting device is not a managed corporate asset; SmartResponse into the IR loop (containment, acquisition, analysis, confirmation, remediation, metrics/reporting).
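The three case studies above share one loop: match inbound intel, or an internal baseline, against what the SIEM already holds and fire a SmartResponse on a hit. The following Python is an added example, not LogRhythm code, that runs that loop over constructed inputs: a two-line CSV standing in for the POS threat report, a dictionary of WHOIS creation dates standing in for the DomainTools lookup, a dictionary standing in for the IT inventory, and a few constructed proxy and endpoint log lines. It raises one alarm per host and rule for a direct domain or hash IOC hit (slide 24), a destination registered within the last 7 days or with no WHOIS record (slide 25), and Avast update traffic from a host the inventory says runs McAfee or ESET, or has never seen (slide 26). Only the two avast.com names come from the slides; every host name, IP, hash and threshold is an assumption for the demonstration.

```python
import csv
import io
from datetime import date

# ---- constructed inputs: stand-ins for a threat report, DomainTools and the IT inventory ----

# Threat report IOCs (constructed values; the BrutPOS report is named only as the source)
THREAT_REPORT_CSV = """type,value,source
domain,pos-update-service.example,BrutPOS report
sha256,8f0c8a6a0b0c1d2e3f4a5b6c7d8e9f00112233445566778899aabbccddeeff00,BrutPOS report
"""

# Proxy/DNS log (constructed): time src_ip user dst_domain
PROXY_LOG = """2016-05-10T09:01:02 10.1.1.5 jdoe www.example.org
2016-05-10T09:02:10 10.1.1.5 jdoe pos-update-service.example
2016-05-10T09:03:44 10.1.1.9 asmith brand-new-login-portal.example
2016-05-10T09:04:01 10.1.1.42 contractor1 vl.ff.avast.com
2016-05-10T09:04:02 10.1.1.42 contractor1 su.ff.avast.com
2016-05-10T09:05:00 10.1.1.7 bwhite su.ff.avast.com
2016-05-10T09:06:00 10.1.1.9 asmith cdn-7f3a.example
"""

# Endpoint log (constructed): time host sha256_of_executed_file
ENDPOINT_LOG = """2016-05-10T09:02:30 POS-REG-03 8f0c8a6a0b0c1d2e3f4a5b6c7d8e9f00112233445566778899aabbccddeeff00
2016-05-10T09:02:31 WKS-011 0000000000000000000000000000000000000000000000000000000000000000
"""

# WHOIS creation dates (DomainTools stand-in); a domain missing here failed lookup
WHOIS_CREATED = {
    "www.example.org": date(1995, 8, 14),
    "brand-new-login-portal.example": date(2016, 5, 8),
}
# Managed AV per host IP; hosts missing here are not in the IT inventory at all
INVENTORY_AV = {"10.1.1.5": "McAfee", "10.1.1.9": "ESET", "10.1.1.42": "McAfee"}
APPROVED_AV = {"McAfee", "ESET"}
AVAST_UPDATE_HOSTS = {"vl.ff.avast.com", "su.ff.avast.com"}  # from slide 26
TODAY = date(2016, 5, 10)


def load_iocs(report_csv):
    """Parse a CSV threat report into {ioc_type: {value: source}}."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        iocs.setdefault(row["type"], {})[row["value"].lower()] = row["source"]
    return iocs


def triage(proxy_log, endpoint_log, iocs, whois_created, inventory_av, today, max_age_days=7):
    """Return (rule, host, detail) alerts, one per rule and host; each would trigger a SmartResponse."""
    alerts, seen = [], set()

    def alert(rule, host, detail):
        if (rule, host) not in seen:          # one alarm per host per rule
            seen.add((rule, host))
            alerts.append((rule, host, detail))

    for line in proxy_log.splitlines():
        _ts, src, user, domain = line.split()
        domain = domain.lower()
        if domain in iocs.get("domain", {}):   # slide 24: IOC straight from the report
            alert("ioc-domain", src, f"{user} -> {domain} ({iocs['domain'][domain]})")
        elif domain in AVAST_UPDATE_HOSTS:    # slide 26: AV traffic the inventory can't explain
            av = inventory_av.get(src)
            if av in APPROVED_AV:
                alert("unexpected-av", src, f"{user}: inventory says {av}, traffic says Avast")
            elif av is None:
                alert("unknown-host", src, f"{user}: not in inventory, Avast traffic seen")
        else:                                 # slide 25: registration age via the WHOIS stand-in
            created = whois_created.get(domain)
            if created is None:
                alert("whois-unknown", src, f"{user} -> {domain}: no WHOIS record")
            elif (today - created).days <= max_age_days:
                alert("new-domain", src, f"{user} -> {domain}: registered {created}")

    for line in endpoint_log.splitlines():
        _ts, host, sha256 = line.split()
        if sha256.lower() in iocs.get("sha256", {}):   # slide 24: host IOC on a POS endpoint
            alert("ioc-hash", host, f"{sha256[:12]}... ({iocs['sha256'][sha256.lower()]})")
    return alerts


def run():
    """Triage the constructed logs with the constructed intel."""
    return triage(PROXY_LOG, ENDPOINT_LOG, load_iocs(THREAT_REPORT_CSV), WHOIS_CREATED, INVENTORY_AV, TODAY)


if __name__ == "__main__":
    for rule, host, detail in run():
        print(f"{rule:14} {host:12} {detail}")
```

The "no WHOIS record" branch matters in practice: a failed DomainTools lookup is not the same as a clean result, and treating it as benign would let the slide-25 check fail open.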
  27. Build the ecosystem (diagram): malware sandbox (e.g., Cuckoo), historical case data, analysts (e.g., malware, forensics), external services (e.g., DomainTools, VirusTotal), threat intelligence (e.g., ISACs, threat feeds, flash reports) and vulnerability intelligence, all feeding one another. Offer services to your friends; collect intel and collaborate. If you build it... they will come...
  28. Is attribution important?
     • "If you know the enemy and know yourself you need not fear the results of a hundred battles" - Sun Tzu
     • "All warfare is based on deception. Hence, when we are able to attack we must seem unable, when using our force we must appear inactive, when we are near we must make the enemy believe we are far away, when we are far away we must make him believe we are near" - Sun Tzu
  29. What if attribution were realized? The usual answers:
     • Who did it? APT, China
     • Why did they do it? China's 5-year plan; don't know
     • What were they after? Research data, intellectual property; I don't know
     • Could we have prevented it? No, not without more budget
     Versus: "China stole it, specifically an APT group out of A province. The data was then transferred to person B, located in province C. Then person B sent it to person D in Russia. Once in Russia, the stolen data ended up on person E's table."
  30. Document Bugging and Web Tracing: tracking people of interest and mapping out their digital footprints
  31. Honey Tokens and Document Bugging. Tracking file access, modification, exfiltration, etc.
     • Use File Integrity Monitoring to track file interactions
     • Any predefined item, instrumented to generate a unique log: strings, drives, directories, hashes, 'employees'
  32. File Integrity Monitoring, built in to Windows logging (screenshot): enable object-access auditing and set a SACL on the honey file or directory; each access then produces Security Event ID 4663 (an attempt was made to access an object), which the SIEM can alarm on.
  33. Document Bugging: How To
     • WebBug background information: http://ha.ckers.org/webbug.html
     • WebBug server: https://bitbucket.org/ethanr/webbugserver
     • "Bugged Files: Is Your Document Telling on You?", Daniel Crowley and Damon Smith (Chaos Communication Camp 2015): https://www.youtube.com/watch?v=j5cjFul4ZIc
  34. Document Tracking. The same tricks marketing and sales have used for years, normally for tracking emails, clicks, downloads, etc. This is why loading external images within email is risky: the fetch tells the sender that the message was opened, when, from which IP address and with which client.
  35. Documents can be tracked in the same way as email/web: https://github.com/gfoss/misc/tree/master/Bash/webbug
  36. Issues with Document Tracking. When a document is opened offline, the failed fetch may surface the tracking reference (for example in an error or a prompt naming the remote host), divulging information about the tracking service itself. Be cognizant of this when bugging documents.
  37. Issues with Document Tracking: visiting the tracking site directly is a dead giveaway that something phishy is up.
  38. Issues with Document Tracking: you may even get your domain flagged, which can hinder your tracking ability. Check it regularly.
  39. Taking it a step further: HoneyBadger, Flash, Java, client-side code. If you are able to execute code on the endpoint, you can uncover the true location regardless of proxy.
  40. No help in court. Evidence obtained via web bugs, tracing or similar forms of tracking may not be admissible in court, as it could be considered entrapment. FBI case: Operation Torpedo, https://www.wired.com/2014/08/operation_torpedo/
  41. Legalities of Document Bugging. Is it spying? Can you really get in trouble for tracking your own things? It all boils down to intent; a very grey area.
  42. Bugged Documents in Practice: Reverse Phishing
  43. He was even kind enough to complete the form and send it back!
  44. Bugged Documents in Practice: Capture The Flag, LogRhythmChallenge.com
  45. In Practice: bugging the CTF instructions...
  46. Bugged Documents in Practice: "We need your slides 9 months ahead of time for this industry-leading cyber security event" - random conference
  47. USB Drop: Security Awareness Case Study
  48. Building a Believable Campaign. USB Human Interface Device (HID) attacks are too obvious: a dead giveaway that the target just compromised their system. Plus expensive. http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649
  49. Building a Believable Campaign. Use realistic files with somewhat realistic data. Staged approach to track file access and exploitation.
  50. README.doc
  51. Tracking File Access. Bugged document opened within the corporate network? Correlate the bug server's access logs with network flow analysis to find the victim.
  52. Who Opened The File? (screenshot)
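Slides 34-35 and 51-52 together describe the mechanism: a remote resource reference inside the file makes the opening application fetch a URL from a server you control, and that server's access log, correlated with the corporate proxy or flow logs, identifies who opened it. The following Python is an added example and not the authors' webbug scripts from the gfoss repository linked above. It assumes a hypothetical tracking host (cdn-assets.example), a server-side key, and constructed bug-server and proxy log lines. Two points the slides do not spell out: each copy of the document gets its own HMAC-protected token, so a scanner or a curious recipient visiting the site directly (slide 37) cannot forge or enumerate plausible hits, and the join back to the proxy log is done on the token within a time window, which is what recovers the internal host and user behind the NAT address the bug server sees.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta

# Secret known only to the bug server (constructed for this example; use 32 random bytes in practice)
SERVER_KEY = b"constructed-example-key-not-for-production"
BUG_HOST = "https://cdn-assets.example"   # hypothetical tracking domain
MAC_LEN = 12                              # truncated HMAC-SHA256 tag appended to each token


def make_token(doc_id, recipient):
    """Per-copy token: doc_id|recipient followed by an HMAC, so hits can't be forged or enumerated."""
    msg = f"{doc_id}|{recipient}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]
    return base64.urlsafe_b64encode(msg + mac).decode().rstrip("=")


def parse_token(token):
    """Return (doc_id, recipient) for a genuine token, None for anything tampered or guessed."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    msg, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):   # also False when the lengths differ
        return None
    doc_id, _, recipient = msg.decode(errors="replace").partition("|")
    return doc_id, recipient


def bug_url(doc_id, recipient):
    """URL to embed as a remote image, external stylesheet or INCLUDEPICTURE field in the document."""
    return f"{BUG_HOST}/i/{make_token(doc_id, recipient)}.png"


def parse_bug_log(bug_log):
    """Parse bug-server access lines (time ip method path "ua"); drop hits whose token fails the MAC."""
    hits = []
    for line in bug_log.splitlines():
        ts, ext_ip, _method, path, ua = line.split(" ", 4)
        token = path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
        parsed = parse_token(token)
        if parsed is None:        # scanner, direct visit or tampered token: not a real open
            continue
        hits.append({"time": datetime.fromisoformat(ts), "ext_ip": ext_ip, "ua": ua.strip('"'),
                     "doc_id": parsed[0], "recipient": parsed[1], "token": token})
    return hits


def who_opened(bug_log, proxy_log, window=timedelta(seconds=60)):
    """Join each verified hit to corporate proxy lines (time src user url) by token and time.
    A match yields the internal host and user behind the NAT address the bug server saw."""
    proxy = []
    for line in proxy_log.splitlines():
        ts, src, user, url = line.split()
        proxy.append((datetime.fromisoformat(ts), src, user, url))
    results = []
    for hit in parse_bug_log(bug_log):
        match = [(src, user) for t, src, user, url in proxy
                 if hit["token"] in url and abs(t - hit["time"]) <= window]
        results.append({**hit, "internal": match[0] if match else None})
    return results


def constructed_logs():
    """Constructed sample logs: one genuine open from inside the network, one forged probe."""
    good = make_token("README.doc", "usb-drop-lobby-03")
    # forged token: plausible payload, zeroed MAC; the server must not count it as an open
    forged = base64.urlsafe_b64encode(b"README.doc|someone-else" + bytes(MAC_LEN)).decode().rstrip("=")
    bug_log = (f'2016-05-10T13:22:05 203.0.113.9 GET /i/{good}.png "Microsoft Office/16.0"\n'
               f'2016-05-10T13:40:11 198.51.100.7 GET /i/{forged}.png "curl/7.47.0"\n')
    proxy_log = (f"2016-05-10T13:22:04 10.1.1.77 rjones {BUG_HOST}/i/{good}.png\n"
                 f"2016-05-10T13:22:09 10.1.1.12 asmith https://www.example.org/\n")
    return bug_log, proxy_log


if __name__ == "__main__":
    for r in who_opened(*constructed_logs()):
        print(r["doc_id"], r["recipient"], r["ext_ip"], r["ua"], "->", r["internal"])
```

A hit with no proxy match is still useful: it means the file was opened from outside the network (slide 36 to 38 caveats apply), and the external IP and user agent are all you get.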
  53. Competitive-Business-Analysis.xlsm
  54. PowerShell Macro
  55. PowerShell Prompt: PowerShell Empire, Invoke-Prompt
  56. Step 1: Compress the PowerShell script
  57. Step 2: Build the macro and inject the PowerShell script
  58. Step 3: Customize the macro
  59. Step 4: Profit. Send an email when the macro is run. Use a bogus sender address (unlike I did here). I know, I know. Bad OPSEC.
  61. Tools folder: calculator.exe
  62. Yep... they ran it. "Nobody's going to run an executable from some random USB" -- Greg
  63. Now we have our foothold... Fortunately they didn't run it as an admin.
  66. Macro Attack Detection (screenshot)
  67. Malware Beaconing (screenshot)
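Slides 66 and 67 are screenshots of the SIEM detections for the two halves of the USB drop above: the macro launching PowerShell, and the resulting implant beaconing out. The following Python is an added example, not LogRhythm's rules, of both detections over constructed logs. detect_office_spawn reads process-creation events (Sysmon Event ID 1 / Security 4688 style fields, pipe-delimited here for brevity) and flags an Office parent spawning a script host, rating it high when the command line carries the hidden/encoded/no-profile launcher flags an Empire-style macro uses. detect_beacons groups proxy connections by source and destination and flags pairs with many hits at near-constant spacing, measured as the coefficient of variation of the inter-arrival gaps. Host names, paths, the example destination and the thresholds are assumptions.

```python
import re
import statistics
from datetime import datetime, timedelta

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# launcher flags typical of macro droppers: encoded command, hidden window, no profile, download-and-run
DROPPER_FLAGS = re.compile(
    r"(?i)(-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+hidden|-nop\b|-noni\b|downloadstring|\biex\b)")

# Constructed process-creation events (Sysmon EID 1 / Security 4688 fields): time|host|parent|image|cmdline
PROCESS_EVENTS = r"""2016-05-10T14:02:11|WKS-011|C:\Program Files\Microsoft Office\Office16\EXCEL.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -NonI -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2016-05-10T14:05:40|WKS-011|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2016-05-10T14:06:02|WKS-020|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\scripts\inventory.ps1
2016-05-10T14:07:15|WKS-011|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c echo hi
"""


def detect_office_spawn(events):
    """Office application spawning a script host. Severity rises when the command line carries
    dropper flags; an -Enc launcher under EXCEL.EXE is the slide-54 macro in flight."""
    alerts = []
    for line in events.splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        parent_name = parent.rsplit("\\", 1)[-1].lower()
        image_name = image.rsplit("\\", 1)[-1].lower()
        if parent_name in OFFICE_PARENTS and image_name in SCRIPT_HOSTS:
            severity = "high" if DROPPER_FLAGS.search(cmdline) else "medium"
            alerts.append((ts, host, severity, f"{parent_name} -> {image_name}: {cmdline}"))
    return alerts


def constructed_proxy_log():
    """Proxy log (time src dst): one host calling a domain every ~60 s (beacon), one browsing normally."""
    base = datetime(2016, 5, 10, 14, 10, 0)
    lines = []
    for i, skew in enumerate([0, 1, -1, 0, 1, 0, -1, 1]):        # 60 s sleep, ~1 s network jitter
        t = base + timedelta(seconds=60 * i + skew)
        lines.append(f"{t.isoformat()} 10.1.1.11 update-cdn.example")
    for off in [0, 45, 400, 410, 1500, 1503, 2600]:             # human browsing: bursty, irregular
        t = base + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.1.1.9 www.example.org")
    return "\n".join(lines) + "\n"


def detect_beacons(proxy_log, min_hits=6, max_jitter=0.15):
    """Group connections by (src, dst); flag pairs with many hits at near-constant spacing.
    Jitter is the coefficient of variation of the inter-arrival gaps; raise max_jitter to
    catch implants configured with sleep jitter, at the cost of more false positives."""
    by_pair = {}
    for line in proxy_log.splitlines():
        ts, src, dst = line.split()
        by_pair.setdefault((src, dst), []).append(datetime.fromisoformat(ts))
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append((src, dst, len(times), round(mean, 1), round(jitter, 3)))
    return beacons


if __name__ == "__main__":
    for a in detect_office_spawn(PROCESS_EVENTS):
        print("office-spawn", *a)
    for b in detect_beacons(constructed_proxy_log()):
        print("beacon", *b)
```

The parent/child rule catches the calculator.exe and macro cases alike only if the endpoint actually records parent process and command line; without Sysmon or command-line auditing enabled in 4688, the high/medium split collapses to a bare parent-child match.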
  68. Conclusion
     • Developing and leveraging actionable OSINT data helps operationalize Threat Intelligence
     • Develop a cyclical Threat Intelligence ecosystem and implement automated responses to known threats
     • Take proactive measures by laying traps and flags that notify the SOC of anomalous activity
     • Use active defense techniques to learn more about the adversary and attempt attribution
     • Understand the shortcomings of attribution and document bugging to avoid common pitfalls
     • Communicate across departments and coordinate defensive efforts
  69. Thank You! James Carder, James.Carder@LogRhythm.com, CISO | VP LogRhythm Labs; Greg Foss, Greg.Foss@LogRhythm.com, Global Security Operations Team Lead
