Mark Arena - Cyber Threat Intelligence #uisgcon9

Cyber Threat Intelligence
What is it and how can we collect and produce
it?
By Mark Arena
Menya zavut Mark
Proprietary and Confidential Information – Copyright© 2013 – All Rights Reserved

What is intelligence?

• NOT James Bond (it would be cool though…
wouldn’t it?)
• NOT secret data, espionage or spying

Intelligence is…
• Intelligence is taking what you have (data) and using
your knowledge, skills and experience to characterize
what is:
– Fact
– Probable/not probable
• In both the past and the future
• Communicating the output of this process to
decision makers (people who decide where the
$money get spent) in your organization.
• Some examples!

FACT: Microsoft has reported a vulnerability in Internet
Explorer that is currently being used in targeted
attacks.
PROBABLITY: It is likely that as Microsoft has released a
Microsoft Fix it solution, that other attackers will
attempt to discover the specifics of the vulnerability
and seek to create exploits for it.

FACT: iDefense reported a vulnerability to Microsoft
that an anonymous researcher found (i.e. it was not
discovered being exploited in the wild by bad guys).
PROBABILITY: Microsoft has released an update for
Internet Explorer that fixes this and other
vulnerabilities. It is not likely that attackers will attempt
to exploit this vulnerability given an official new version
of Internet Explorer has been released.

What does this mean to us as IT
security professionals?
• I should focus my efforts to patch
vulnerabilities that are being actively
exploited in the wild.
• What more information can I find about the
first mentioned Microsoft vulnerability?


What does this tell us?
• CVE-2013-3893 was being used in targeted attacks
against Japanese targets.
• According to open source reports, the same hacker
group who was behind these attacks was linked to
previous attacks against the Bit9 security company
that was used to target the US financial sector.
• The hacker group is highly likely motivated by cyber
espionage.

So I’m a possible target, now
what?
• What data do you have access to in your
organization that could inform you whether
you had been compromised by this group or
not?
• What data should you proactively collect to be
able to see if you were a target or not?


What do you need to do?
• The ability to see from both the network perspective and end
point (computer) perspective what has happened in the past.
• To be able to use this information proactively to identify
abnormalities and attack upon them.
• It’s unlikely as a security professional that you’ll be able to
block everything malicious that happens in your organization
but you may be able to reduce the amount of time it takes to
detect an intrusion thereby reducing the damage.


Data collection
• Passive DNS
– Packet capture on port 53 to collect DNS requests and
answers
– Python script to mine DNS requests and answers from a
PCAP:
http://mmishou.wordpress.com/2010/04/13/passive-dnsmining-from-pcap-with-dpkt-python/
• Netflow
• HTTP GET/POST requests
• End point monitoring
– http://www.immunityinc.com/products-eljefe.shtml

• IDS Sensors
• Other logs


Data collection from the Internet
•
•
•
•
•
•

Google!
Maltego (great visual open source intelligence gathering tool)
VirusTotal
ThreatExpert
DomainTools
Did I mention Google? 


Data correlation
• Try to get all this data collection into a single
point that you can monitor and query
• I personally like to use Splunk
• Logstash looks like somewhat open source
alternative to Splunk although I haven’t used
it

How do I understand what security threats
are affecting my organization?
• One of the biggest resources that will help you understand
the type of threats your organization is facing is looking at
what has been blocked through anti-virus scanners, email
filtering, etc.
• Looking at the blocked items and try to ascertain whether the
item blocked is linked to a cyber espionage, hacktivist or
cyber crime group.
• Understanding the attackers motivation is key to what
measures you will need to put in replace to reduce the risk
from this attacking group

Who are you protecting your
organization against?
• You are protecting your organization NOT
from malware but from the bad guys using the
malware, exploits etc.
• Having an effective intelligence process will
give you understanding how the bad guys
operate!


Know your enemy
• Sun Tzu was a Chinese general, military strategist,
and author of The Art of War, an immensely
influential ancient Chinese book on military strategy
(ref: Wikipedia)
• “It is said that if you know your enemies and know
yourself, you will not be imperiled in a hundred
battles; if you do not know your enemies but do
know yourself, you will win one and lose one; if you
do not know your enemies nor yourself, you will be
imperiled in every single battle.”

Attacker motivations
• Cyber Espionage
– Motivated to steal information such as executive
communications, intellectual property (source code) etc.
– Techniques include spear-phishing, water-holing websites.
• Cyber Crime
– Motivated by money! Do whatever is needed to get more
money and more victims.
– Techniques include mass spamming, compromises
websites to host exploit kits to exploit visitors


Attacker motivations – 2
• Hacktivism
– Politically motivated
– Techniques include ‘doxing’, website
defacements, denial of service attacks.


Final Thoughts
• You are an IT security manager for an
Ukrainian Bank
• What information would you prefer to hear
and which one is intelligence?
• Which information would give you more
insight into how the bad guy works and how
to defend against them?

Final Thoughts
1.

A competitor bank passed you a malware sample that connects to
ukrainebankingupdate.com on HTTP port 80 with MD5
5f4dcc3b5aa765d61d8327deb882cf99

2.

In September 2013 a competitor bank in Ukraine was targeted by a
group we call “Zed group”. They typically:
–
–
–
–
–
–

Drop files named zed.exe on compromised systems
Target Ukranian banks in order to create bank accounts in order to receive and process
laundered money
Sending targeted email to people involved in the creation of new accounts with
Microsoft Excel (.xls) attachments that contain exploits
The exploit used by the group are publically known (CVE-2012-1847) and hasbeen
patched already by Microsoft.
Based on the use of known and patched vulnerabilities, it is highly likely that this group
does not possess new and unpatched Microsoft Excel exploits (0days)
The malware the group uses contains a number of different user agent strings but
typically uses Afraid.org (free name server hosting) to host their malware command
and control domain names.


Discussion and questions
• What is your organization targeted with and
by whom?


Mark Arena - Cyber Threat Intelligence #uisgcon9

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to Mark Arena - Cyber Threat Intelligence #uisgcon9

Similar to Mark Arena - Cyber Threat Intelligence #uisgcon9 (20)

More from UISGCON

More from UISGCON (20)

Recently uploaded

Recently uploaded (20)

Mark Arena - Cyber Threat Intelligence #uisgcon9

Editor's Notes