The document discusses the challenges of cybersecurity, emphasizing the advantages attackers have over defenders due to resource constraints and the complexity of IT environments. It outlines the importance of threat intelligence in improving security measures, incident response, and vulnerability management. Additionally, it introduces various standards and tools, such as IODEF and MITRE frameworks, for malware tracking and analysis.

1. Cornerstones of Trust 2014
Threat Intelligence
with Open Source tools
@jaimeblasco
@santiagobassett

2. Presenters
JAIME BLASCO
Director AlienVault Labs
Security Researcher
Malware Analyst
Incident Response
SANTIAGO BASSETT
Security Engineer
OSSIM / OSSEC
Network Security
Logs Management

3. The attacker’s advantage
• They only need to be successful once
• Determined, skilled and often funded adversaries
• Custom malware, 0days, multiple attack vectors,
social engineering
• Persistent

4. The defender’s disadvantage
• They can’t make a mistake
• Understaffed, jack of all trades, underfunded
• Increasing complex IT infrastructure:
– Moving to the cloud
– Virtualization
– Bring your own device
• Prevention controls fail to block everything
• Hundreds of systems and vulnerabilities to
patch

5. What is Threat Intelligence?
• Information about malicious actors
• Helps you make better decisions about
defense
• Examples: IP addresses, Domains, URL’s, File
Hashes, TTP’s, victim’s industries, countries..

6. State of the art
• Most sharing is unstructured & human-to-human
• Closed groups
• Actual standards require knowledge,
resources and time to integrate the data

7. How to use Threat Intelligence
• Detect what my prevention technologies fail
to block
• Security planning, threat assessment
• Improves incident response / Triage
• Decide which vulnerabilities should I patch
first

8. The Threat Intelligence Pyramid of
Pain

9. Standards & Tools
• IODEF: Incident Object Description Exchange
Format
• MITRE:
– STIX: Structured Threat Information eXpression
– TAXXII: Trusted Automated eXchange of Indicator
Information
– MAEC, CAPEC, CyBOX
• CIF: Collective Intelligence Framework

10. Collective Intelligence Framework

11. Collecting malware
Some malware tracking sites:
• http://malc0de.com/rss
• http://www.malwareblacklist.com/mbl.xml
• http://www.malwaredomainlist.com/hostslist/mdl.xml
• http://vxvault.siri-urz.net/URL_List.php
• http://urlquery.net
• http://support.clean-mx.de/clean-mx/xmlviruses.php
Some Open Source malware crawlers:
• Maltrieve: https://github.com/technoskald/maltrieve
• Ragpicker: https://code.google.com/p/malware-crawler/

12. Collecting malware

13. Other malware collection tools
Dionaea honeypot:
• http://dionaea.carnivore.it/
Thug Honeyclient – Drive by download attacks:
• https://github.com/buffer/thug
• Emulates browsers functionality (activeX
controls and plugins)

14. Analyzing malware
Yara: Flexible, human-readable rules for identifying
malicious streams.
Can be used to analyze:
• files
• memory (volatility)
• network streams.
private rule APT1_RARSilent_EXE_PDF {
meta:
author = "AlienVault Labs"
info = "CommentCrew-threat-apt1"
strings:
$winrar1 = "WINRAR.SFX" wide ascii
$winrar2 = ";The comment below contains SFX
script commands" wide ascii
$winrar3 = "Silent=1" wide ascii
$str1 = /Setup=[sw"]+.(exe|pdf|doc)/
$str2 = "Steup="" wide ascii
condition:
all of ($winrar*) and 1 of ($str*)
}

15. Analyzing malware
Cuckoo Sandbox: Used for automated malware
analysis.
• Traces Win32 API calls
• Files created, deleted and downloaded
• Memory dumps of malicious processes
• Network traffic pcaps

16. Analyzing malware

17. Sandbox – CIF integration
In our example: hxxp://www.garyhart.com, domain

18. CIF External feed example

19. Thank you!!
@jaimeblascob
@santiagobassett