Blitzing with your Defense
Adjusting your strategy to hit attackers on their blind side
Ben Jackson
Mayhemic Labs
BeaCon 2013
Outline
• Background
• Developing Intelligence
• Information
– Receiving
– Gathering
– Sharing
• Active Defense
• Tying it together
But first about me…
Normal InfoSec
Professional by day…
Thoughts expressed here are neither the opinions nor the beliefs of my employer.
SOC
Light is green,
network is clean!
Incident Response
Looks like they were
running Java 6…
Crazy Researcher by Night…
Locational Privacy
Malware
“Other”
Background
Or… “Why we are totally screwed…”
Disclaimer
• You can’t do this if you’re not passionate
– Tom Brady does not look at football as a 9-5
job
• Blitzing is a different way to look at
defense, but it is not a cure all
– If you’re not patching, you’re still doomed
• Every defense requires fundamentals
– If your defense can’t run and tackle, your blitz
isn’t going to be very effective
We’re in a “prevent defense”
“A prevent defense is an American
football defensive alignment... the goal of
which is to prevent the opposing offense
from completing a long pass...” –
Wikipedia
Prevent Defenses don’t work
• We can’t prevent 100% of the time
• Attackers are completely OK with gaining a few yards at a time
• Occasionally, the defense will still give up
the “big play”
– RSA, Comodo, Bit9, Broncos vs Ravens,
etc…
• We’re giving up yardage to burn time
– Only we don’t have a clock we can run out
Incident Response Model
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned
Patrick Kral, Incident Handler's Handbook, SANS Institute Reading Room, 2011
Changes, kind of…
• Incident Response model is geared toward handling incidents as separate events
• Once the fire is out, it’s business as usual
• Good for handling viruses, isolated
compromises, and casual attackers
• Less than ideal for handling determined
attackers
Changes, kind of…
• Incident Response model still works
– Learn it, live it, love it
• However, the game has changed
– Wider awareness is needed
• Incidents may be Independent or Linked
The baddies have a model too…
• Intrusion Kill Chain
– “Intelligence-Driven Computer Network
Defense Informed by Analysis of Adversary
Campaigns and Intrusion Kill Chains”
(Hutchins, Cloppert, and Amin 2010)
• Describes the steps of an adversary to
gain access to the target network
Intrusion Kill Chain
• Reconnaissance
• Weaponization
• Delivery
• Exploitation
• Installation
• Command and Control (C2)
• Actions on Objectives
[Diagram: "The Incident Tango". The kill chain steps (Recon, Weaponization, Delivery, Exploitation, Installation, C&C, Objectives) and the IR phases (Preparation, Identification, Containment, Eradication, Recovery) are laid out along a Time axis; the stretch before the defender reacts is labelled "Attacker Free Time", and the point where the defender reacts is labelled "Fight or Flight".]
But it’s never that simple...
[Diagram: the Incident Tango repeated for five overlapping incidents on a single Time axis, each with its own kill chain, IR phases, Attacker Free Time and Fight or Flight point.]
Blitzing
• We need to
– Learn Bad Actors’ Tactics, Techniques and
Procedures
– Tie multiple incidents into a cohesive picture
– Feed that back into the existing IR model
– Shorten, or eliminate, the attacker’s free time
Developing Intelligence
They know about you, learn about them
Data to Intelligence
• Everyone is talking about intelligence
• Unfortunately most people don’t know
what intelligence is
• IOCs? IP Addresses? FQDNs? MD5s?
– Data, Data, Data, Data
• Intelligence = Data + Analysis
Data to Intelligence
(Star Wars Model)
• Princess Leia steals plans for Death Star
• Rebel Alliance analysts review plans and
find exhaust port vulnerability (Not Shown)
• Luke, R2D2, Han, and Chewbacca blow
up Death Star
Data to Intelligence
(the questions run from Data, at the easy end, to Intel, at the hard end)
Easy
• What are we seeing?
• How did we see it?
Hard
• What does it do?
• What is it after?
#$@&
• Why is it after that?
• Who is behind it?
Developing Intelligence
• Intelligence is hard work
– Long days looking like a conspiracy nut
– A single piece of data can ruin weeks of work
• Needs to be an on-going, internal,
process
– No one knows your network better than you
– Threat actors will change on a regular basis
• Once you become proficient, it’s worth its weight in gold
Using Your Data
It works for the NSA, and it can work for you…
Here! Have some Data!
• Data for intelligence is being sent to your
company every day
• Every attack, successful or not, results in
data
– IP addresses, C2 servers, phishing themes,
etc.
• Most attackers do not have good OPSEC
– They’re lazy
– Use this against them
– “OPSEC For Hackers” - thegrugq
Start busting out of Silos
• Start extracting data out of your SIEM,
IDS, AV Solution, or other security devices
– Learn how to script
• Start correlating and forming timelines
– Did that IP address probe the same server
today and last week? Odd…
• Pay attention to attack methods and start
looking for patterns
– Humans still beat machines for pattern
recognition
Five Different Attacks?

            Attack #1    Attack #2     Attack #3     Attack #4    Attack #5
Type        e-Mail       Social Media  e-Mail        e-Mail       Watering Hole
Source IP   W.X.Y.Z      A.B.C.D       H.I.J.K       L.M.N.O      L.M.N.O
Targets     Group A      Group A       Group B       Various      Various
Exploit     CVE-X-Y      CVE-X-N       CVE-X-N       CVE-X-Z      Various
C&C         abcdef.com   qrstuv.com    ijklmnop.com  puppy.com    abcdef.com
Or One Persistent Attack?

            Attack #1    Attack #2     Attack #3     Attack #4    Attack #5
Type        e-Mail       Social Media  e-Mail        e-Mail       Watering Hole
Source IP   W.X.Y.Z      A.B.C.D       H.I.J.K       L.M.N.O      L.M.N.O
Targets     Group A      Group A       Group B       Various      Various
Exploit     CVE-X-Y      CVE-X-N       CVE-X-N       CVE-X-Z      Various
C&C         abcdef.com   qrstuv.com    ijklmnop.com  puppy.com    abcdef.com
Attacker    Attacker A   Attacker A    Attacker A    Attacker B?  Attacker A
Gathering Data
Embrace being the Nosy Neighbor on the Internet
IRC
• Certain groups still love to hang out in IRC
• Do not… Do NOT IRC from devices or
networks that can be traced back to you
– Groups of bad actors often love privacy –
Embrace it, but don’t tempt fate
• Due to the nature of IRC, groups can be
harder to infiltrate
– The smaller the group, the more trusted it is
Social Media
• Certain groups love to discuss their
exploits on Social Media
– Some groups use this as advertising
• Find out who’s talking about you and why
– Then find out who’s talking to them and why
• Much easier to monitor people than IRC
Pastebin
• A wretched hive of scum and villainy
– …therefore a great source for data
• Groups often will post dumps of stolen
data here for easy access
– Look for yours
• Has a subscription service that will alert
when posts are made with key words
– Or you can roll your own monitoring system
Google Alerts
• Google knows everything about everyone
– Leverage this to your advantage
• Does have a high false positive rate, but
will yield occasional nuggets of beautiful
data
Things to look for
• Company name
• Company Twitter Handles/Hashtags
• Domain Names
• IP addresses
• e-Mail addresses
• Names of Company Leadership
• Terms that the people you are monitoring
talk about
Deep Undercover
• Interacting with bad actors is dangerous
– And on shaky legal ground as well
• Sometimes you will attract attention just
being a fly on the wall
• Developing a believable “legend” for your
persona is necessary
• Need an identity?
– http://namegenerator.in
Cover Identities
• Cover identities cannot be created, only
grown
– An account set up last week looks suspicious
• Tending a garden takes time and effort
• If you start today, you may have a
believable identity in a few months
– Years? Even more believable
• Always have multiple identities “good to
go”
Quick Tips for Believability
• LinkedIn
– Research colleges, majors, student life
• Facebook
– Find friends, create pictures and events
• Twitter
– Tweet on an appropriate schedule
• A college student in LA is not going to tweet
between 9 and 5 in Boston
• Never, ever, cross-contaminate accounts
Early Warning
• Cover identities are not just for James
Bond type stuff
• Creating fake employees can give you an
early warning for someone looking into
your company
– Legitimate and Illegitimate
• Set up fake work identities as well and see who pokes at them
Data Sharing
Don’t be a hoarder…
Data Sharing
• Knowing as much as you can during an
incident is key
• Sharing with peers can make a difference
– Time to detection
– Situational awareness
– Targeted vs Untargeted
• Sharing means giving and receiving
– Produce and consume
Unorganized Informal Communities
• Never underestimate the power of
networking
– Introverted geeks, this means you
• Numerous communities in the local area
– BeanSec
– GraniteSec
– MassHackers
– Local chapters of National Organizations
Organized Informal Communities
• Closed communities that are designed to
share information
– Mostly mailing lists
• Don’t call them, they’ll call you
– Again, networking…
• Can be great sources, but depends widely
on the community
– Also can be a bear to get into
Infragard
• Partnership between the FBI and private
sector
• Good networking opportunities
– Get to know your fellow geeks
• Private Secure Portal
• Have recently started releasing DHS Joint
Indicator Bulletins to members
– Quality?
My thoughts on DHS Advisories in 140 Characters…
ISACs
• Information Sharing and Analysis Centers
• Formal communities set up within your
vertical
– Finance, Energy, State Governments, Health,
Higher Education, and More
• The communities vary wildly between
ISACs
• Usually not free, but worth it
Advanced Cyber Security Center
• Multi-vertical ISAC
• Weekly meetings on threat evaluation and
information sharing
• Young, but growing
• Again, not free
Active Defense
Embrace your home field advantage…
Always calling the same play
• We always use the same tools
– Firewall, IDS, Anti-Virus, Windows, RHEL
• Attackers know this
– They’ve adapted their methods
• Defense has stayed stagnant while
offense has continued to develop new
tools
– HD Moore’s law by Josh Corman
• “Casual Attacker power grows at the rate of
Metasploit”
Active Defense is NOT…
• Hacking Back
– Questionable Legality
• Attribution
– The rabbit hole always goes deeper
• Retaliation
– Don’t fight angry
• Counterstrikes
– You’re not going to eliminate the problem
Active Defense is…
• Delay
– Slow them down
• Deception
– Where’s the data?
• Detection
– Find them
• Disruption
– Deny access
Why Active Defense?
• Increasing attacker cost
– The bad actors will either move on or the
people pulling the strings may get another
“hired gun”
• Mind games
– If the bad actors think everything is a trap,
they’ll be overly cautious
• It’s an uncommonly used tactic
Delay
• Use Honeypots
– Internally facing only
– Double edged sword
• Run additional services on underutilized
servers
– If the bad actors are looking for SQL servers,
give them SQL servers
Deceive
• Put “interesting” files on open shares
– “Corporate_Forecast_1H2014.doc”
• Complete with a web bug that calls to an offsite server
– “Customer DB Backup.zip”
• 12 GB zip file with a 36-character alphanumeric password
• Fake databases
– http://fakenamegenerator.com
Detect
• Monitor your systems that delay and
deceive
– Like a hawk on amphetamines
• Establish “Motion Sensors”
– Route a few network segments to a tarpit
• Keep an eye on your “traditional” alerting
systems as well
Disrupt
• Find them and destroy them!
– Or not…
• Monitoring intruders can be a good source
of tactics, techniques, and procedures
– And keep your IR staff consuming large
amounts of antacids
– It is very, very, very risky
Would you like to know more?
• Offensive Countermeasures Training
– Paul Asadorian and John Strand
• Active Defense Harbinger Distribution
– Bootable Linux Distribution with all kinds of
“Active Defense” goodies
– http://sf.net/projects/adhd/
Putting it all together
…with baling wire and duct tape
Putting it all together
• All of these techniques are useless
– Until you start feeding them back into the
traditional incident response model
• Feeding intelligence back into the Incident
Response loop shortens attacker free time
• For example…
To the WABAC machine!
• April-July 2012
• Noticeable increase in Malware spam
lures
– Verizon, American and United Airlines, USPS,
PayPal, Facebook
• Widespread reports across the Internet
– Not targeted against a single individual,
company, or vertical
Click this link, will ya?
Common Threads
• A large majority of the spam runs had
commonalities
– All same “kind” of lure
– Similar lists of targets
– All using the Blackhole Exploit kit
– Similar URL structure on lures
– Mostly pushing Zeus
• There were other runs that were different
Smoking Gun…
• The exploit kits invariably included two
styles of URLs:
http://ip.address/showthread.php?t=<16 hexadecimal digits>
http://ip.address/page.php?p=<16 hexadecimal digits>
Achievement Unlocked
• Conclusion: Single group of bad actors
behind campaign
• Adjusted defenses to locate URLs with
“page.php” and “showthread.php” with hex
strings
– Some false positives
• Was able to detect malware spam runs
often before they were reported
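Added example, not from the talk: detection logic in Python that applies the page.php / showthread.php plus 16-hex-digit URL pattern from the "Smoking Gun" slide to proxy log lines, and separates hits on a bare-IP host (the campaign's shape) from hits on a named host that need review, which is one way to deal with the false positives mentioned above. The log format and the log lines are constructed.

```python
"""Flag proxy log lines whose URL matches the Blackhole lure pattern from the
talk: http://<ip>/showthread.php?t=<16 hex> or http://<ip>/page.php?p=<16 hex>.

Log format (constructed, squid-like): "<epoch> <client ip> <url>".
"""
import re
from urllib.parse import parse_qs, urlsplit

HEX16 = re.compile(r"^[0-9a-fA-F]{16}$")          # exactly 16 hex digits
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")      # bare IP host, as in the lures
LURE_PATHS = {"/showthread.php": "t", "/page.php": "p"}  # path -> parameter

# Constructed sample log lines (reserved documentation IPs, not real traffic).
SAMPLE_LOG = """\
1341100000.123 10.0.0.5 http://192.0.2.10/showthread.php?t=73a8f2c9e1b04d56
1341100001.456 10.0.0.7 http://forums.example.net/showthread.php?t=48213
1341100002.789 10.0.0.9 http://198.51.100.23/page.php?p=0F3E9A7C1B2D4E5F
1341100003.000 10.0.0.5 http://www.example.com/page.php?p=home
1341100004.222 10.0.0.8 http://203.0.113.5/showthread.php?t=73a8f2c9e1b04d5
1341100005.333 10.0.0.6 http://www.example.org/showthread.php?t=73a8f2c9e1b04d56
"""


def is_lure_pattern(url):
    """True when url has a lure path, its parameter, and a 16-hex-digit value."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False
    param = LURE_PATHS.get(parts.path)
    if param is None:
        return False
    return any(HEX16.match(v) for v in parse_qs(parts.query).get(param, []))


def classify(url):
    """Return 'lure' (pattern on a bare-IP host), 'review' (pattern on a named
    host, e.g. a real forum: likely false positive, still worth a look), or None."""
    if not is_lure_pattern(url):
        return None
    host = urlsplit(url).hostname or ""
    return "lure" if IPV4.match(host) else "review"


def scan_log(text):
    """Return (client ip, url, verdict) for every matching line, in log order."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash the scan
        client, url = fields[1], fields[2]
        verdict = classify(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(verdict.upper(), client, url)
```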
Turns out we were right…
• Trend Micro “Blackhole Exploit Kit: A Spam
Campaign, Not a Series of Individual
Spam Runs”
• Released July 12th, 2012
• Reached similar conclusions
• Campaign started to sputter after that...
Conclusion
• You are the best tool to defend your
network
– Get passionate
• Stop thinking about threats and start
worrying about actors
• Stop being nice and start playing “dirty”
• Learn who is talking about you, where,
and why
Questions?
Please fill out your evaluation sheets!
Contact Information
• Ben Jackson
• e-Mail: bbj@mayhemiclabs.com
• Twitter: @innismir
• Web/Code: http://mayhemiclabs.com
