Co Speaker: Cheryl Biswas Talk Description: How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed. We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies. We’ll show you how to understand your data, correlate threats and pin point attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.

1. Blue Team Reboot

2. ● Security Consultant - Researcher
● Twitter: @haydnjohnson
● Talks: BsidesTO, Circle City Con, BsidesLV, SecTor
● Offsec, Purple Team, Gym??
● Big 4 experience
● http://www.slideshare.net/HaydnJohnson
Haydn Johnson

3. Cheryl Biswas
● Security researcher/analyst Threat Intel
● APTs, Mainframes, ICS SCADA, Shadow IT, StarTrek
● BSidesLV, Circle City, BSidesT0, SecTor, Hackfest, TiaraCon
● https://whitehatcheryl.wordpress.com
● Twitter: @3ncr1pt3d

4. DISCLAIMER: The views represented
here are solely our own and not those of
our employers, past or present, or
future.

5. Blue Team
Reboot

6. Props to DarkReading
This started with a webinar for DarkReading on Threat
Intel and how to use it effectively. We received some
great feedback, a lot of interest, and built upon it for
HackFest.
Our Webinar:
https://webinar.darkreading.com/2492?keycode=SBX
&cid=smartbox_techweb_upcoming_webinars_8.500
000620

7. What We Will Cover
All. That. DATA
Logging towards Alerts
Threat Intel
Visibility
Context
Pinpointing an Attack
Kill Chains & OODA Loops

8. Terminology
IOC - Indicator of Compromise - Domain, IP
address, URL
IOA - Indicator of Attack
COA - Course of Action - What can we do to prevent,
mitigate, detect, EG - Implement a block on an
email address
TTP - Tactics, Techniques, and Procedures

9. Your Take-Away Lootbag
What it is
Relevance
Example cases
Tools & software applicable

10. LOGGING

11. LOGS: First Line of Defence

12. Logs
CIA
Confidentiality
Integrity
Availability

13. WHO’S IN
YOUR
NETWORK?

14. Web Application Logs
Knock Knock
Who was there?
The first place to
detect
scanners
recon
data scraping

15. Firewall Logs
Ingress | Egress
Websites | Email | FTP
End Point

16. Host Logs
Whitelisting applications - KNOWN GOOD
Execution of Macros
Terminal Commands executed
Time of logins
Average use

17. Network Logs
Internal traffic
Domain connections
Internal Scanning
https://www.sans.org/reading-room/whitepapers/logging/importance-
logging-traffic-monitoring-information-security-1379
2003

19. Big Data
A Little Talk About ...

20. So. Much. Data
Crown
Jewels
Relevance
Asset
Management

21. Create A Baseline
Have a starting place
Known traffic
Known good
Regular review
Know Your Normal

22. Just Say NO!!!
Macros: Disable
Adobe Anything: I can’t even
PowerShell: Are you worthy?
Admin for all - ORLY?

24. Deny on open Macros!

25. @InvokeThreatGuy
https://github.com/invokethreatguy/DC416October?files=1

26. Wait!
Who’s the
all-powerful admin here?

27. Tools / Software
Carbon Black / Bit9
SysMon
Log-MD
WireShark
https://www.wireshark.org/
https://msdn.microsoft.com/en-us/library/windows/desktop/dd408124(v=vs.85).aspx
http://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon
http://log-md.com/
http://brakeingsecurity.blogspot.ca/2015/10/2015-042-logmd-more-malware-archaeology.html

28. Logs to Alerts!

29. VISIBILITY
Visibility:
What’s in
your sights

30. CONTEXT
Context
I haz
meaning?

31. Bad Alerts

32. Help! Too Many!

33. Good Alerts

34. Timely

35. Relevant

36. Context

37. Actionable

38. Good Alerts
Give enough information to correlate
Understand all you can from the one log
Actionable
Standard procedures for each for IR team
Time is NOT on your side

39. Example Time
Workstation 2 Workstation

40. A: Lateral Movement
@raffertylaura | @haydnjohnson
https://www.youtube.com/watch?v=KO68mbk9-
OU&list=PL02T0JOKYEq52plvmxiJ1cSbwUgHHvP7H&index=8

41. Windows Event Log

42. Runs PowerShell

43. Connects to Web Server

44. Threat
Intel

45. Threat Intel: What it Ain’t
Threat actor information
Campaigns
Indicators of
Compromise (IOCs)
Identify known threats
Exploitation in the wild

46. Threat intel: What it is
A product from
collection, processing,
exploitation, analysis
dissemination and
feedback of
information.

47. Reducing False Positives
IOC Validation
Alert Tuning from IOCs
https://quadrantsec.com/about/blog/the_false_positives_of_threat_intelligence/

48. Threat Reports
Is it relevant to business?
Could it have an impact?
Are there IOCs?
COA for prevention, detection, mitigation
KEY CRITERIA

49. Threat Report - Example
Landing Page
Downloader URL
C2 traffic

50. Threat Report - Example 2
http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-
evolves-adds-japan-target-list/

51. Threat Report - Example 2
C2 via blogs
Hard coded tags
http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-
evolves-adds-japan-target-list/

52. Threat Report - Example 2
Downloader
C2

53. Threat Report - Example 2
http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-
evolves-adds-japan-target-list/

54. Threat Report - Example 2

55. Threat Report - Example 2
IOCs - MD5
Not strong but can
put in place fast!

56. THREAT
CORRELATION
Combining Data and Threat intel

57. The 4 C’s
Collect
Consolidate
Control
Communicate

58. Visibility
Take a big picture view
Know what’s going on from
end to end
Cuz you don’t know what you
don’t know

59. Context
Look for the patterns

60. So you can find the anomalies

61. How to Play With Data
Not what you got but how you use it
Ask the right questions - get the right answers
What have we been missing?

62. Security Analytics - Example
The Game Changers
Machine Learning
Analytics
IAM

63. BIG DATA - TOOLS
OpenSoc - Cisco
RITA - Real Intelligence Threat Analysis
BreakoutDetection R package - Twitter
http://opensoc.github.io/
RITA - http://www.blackhillsinfosec.com/?page_id=4417
https://github.com/twitter/BreakoutDetection

64. Pinpointing an Attack
Identification of malicious-ness

65. Detecting an attack - Visibility & Patterns
Known Good
Alerts
Investigation
Lessons learned
http://www.scmagazine.com/five-tips-to-detect-contain-and-control-cyber-threats/article/467856/

66. Detecting an attack
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
SANS IR Steps!

67. Cyber Kill Chain +
Extended Version

68. Lockheed Martin Cyber Kill Chain
“The seven steps of the Lockheed Martin Cyber Kill
Chain® enhance visibility into an attack and
enrich an analyst’s understanding of an
adversary’s tactics, techniques and procedures.”
http://cyber.lockheedmartin.com/solutions/cyber-
kill-chain

69. Cyber Kill Chain
1. Reconnaissance
2.Weaponization
3.Delivery
4.Exploitation
5.Installation
6.Command & Control
7.Action on Objectives

70. Cyber Kill Chain Extended
7 - Actions on
Objectives
Internal Kill
Chain
Target
Manipulation
Kill Chain
http://www.seantmalone.com/docs/us-16-Malone-
Using-an-Expanded-Cyber-Kill-Chain-Model-to-
Increase-Attack-Resiliency.pdf

71. Cyber Kill Chain Extended
Map & understanding specific systems
Subvert target systems & business processes
Raise Attackers Cost

72. OODA LOOP
Attackers
Observe Orient Decide Act

73. Your Blue Team Fighter Pilots
Goose Maverick

74. OODA Loop - for the defender
Practice
Be ready to change direction
Take Action

75. Relevance
Use to actively identify security controls
People Process Procedures
Identify Gaps
Confirm assumptions
Tune

76. Visibility on Blind Spots
Looking at each step allows a methodical
approach to defense.
Reduces Bias and Blind spots.
Can lead to Threat Hunting

77. Example Time
Attachments

78. Malicious Attachments
https://github.com/carnal0wnage/malicious_file_maker

79. Malicious Attachments

80. Malicious Attachments
Test your email filters
Understand which attachments come through
Build | refine | controls

81. Malicious Attachments
Send various types of malicious attachments via
multiple sources
How many emails does it take to block a sender?
What types of attachments generate alerts?

82. Go hunting

83. In summary
LOGS
ALERTS
THREAT INTEL
CORRELATION
CYBER KILL CHAIN
PROACTIVE=

84. Take awaysAKA - what you should remember

85. Total success!
❖Be proactive
❖Back2Basics
❖Visibility
❖Context

86. ❖Test it
❖Look for it
❖Patterns
❖Anomalies
Total success!

87. Thank You!
Any questions?
Feel free to reach out to us later!
@haydnjohnson @3ncr1pt3d