Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life use-cases.

FIREEYE. THREAT INTEL. WHAT
DOES IT MEAN. USE-CASES
WORLD WIDE.
May, 2018

©2018 FireEye | Private & Confidential
2
Threat Intelligence IS ?
▶ Out of the box solution;
▶ Will solve all your needs;
▶ Feed keeps running and is protecting your organization from Day 1;
▶ You are immune to cyber attacks;
▶ World is perfect

3
Threat Intelligence IS NOT
▶ Out of the box solution;
▶ Will solve all your needs;
▶ Feed keeps running and is protecting your organization from Day 1;
▶ You are immune to cyber attacks;
▶ World is perfect

THREAT INTELLIGENCE IN A NUTSHELL
◆What is Threat Intelligence?
▶ It is a proactive, forward-looking means of qualifying threats poised to disrupt your
business based on the intents, tools and tactics of the attacker. A high-fidelity,
comprehensive intelligence delivers visibility beyond the typical attack lifecycle,
adding context and priority to global threats before, during and after an attack. It
helps mitigate risk, bolster incident response, and enhance your overall security
ecosystem. It allows you to predict attack and refocus your attention on what
matters most to your business.

5
Intelligence Lifecycle
▶ IR Collection, Prioritization for further research and collection
▶ Research and Collection;
▶ Analysis and processing of discovered data;
▶ Analysis and production to customers;
▶ Dissemination and Revision of the data;
2
1
3
4
5

IR Collection, Prioritization for further research and collection
▶ Customer
– Generates/Provides you with the data
▶ Analysts at CTI/Customer
– Based on threats landscape
▶ Regional SME
– Extremely important for targeted research
▶ Scope of customers for CTI
▶ Industry you represent
1

Research and Collection
▶ Planning
▶ Creating targets
▶ Building sources
▶ Collection
▶ Research
2

Analysis and processing of discovered data
▶ Straightforward based on you type of intel and your consumption model
▶ The third step, processing, is the conversion of collected information into a form
suitable for the production of intelligence. In this process, incoming information is
converted into formats that can be readily used by intelligence analysts in
producing intelligence. Processing may include such activities as translation and
reduction of intercepted messages into written format to permit detailed analysis
and comparison with other information. Other types of processing include video
production, photographic processing, and correlation of information collected by
technical intelligence platforms.
3

Analysis and production to customers
▶ Heading to the internal and maybe external customer from CTI;
▶ FINTEL Creation;
▶ The fourth step, production, is the process of analyzing, evaluating, interpreting,
and integrating raw data and information into finished intelligence products for
known or anticipated purposes and applications. The product may be developed
from a single source or from all-source collection and databases. To be effective,
intelligence production must focus on the consumer's needs. It should be objective,
timely, and most importantly accurate.
4

Dissemination
▶ Heading to the external customer from CTI;
▶ Heading to customers and clients of the provider;
▶ Intelligence can be provided to the consumer in a wide range of formats including
verbal reports, written reports, imagery products, and intelligence databases.
Dissemination can be accomplished through physical exchanges of data and
through interconnected data and communications networks.
5

Threat Intelligence Disciplines
▶ SIGINT
– Signals intelligence—gathered from interception of signals
▶ HUMINT
– Human Intelligence – gathered from a person on the ground.
▶ OSINT
– Open-source intelligence—gathered from open sources.
▶ MASINT
– Measurement and signature intelligence or scientific and technical intelligence
▶ TECHINT, IMINT, CYBERINT, ETC…

12
Targeted audience - consumption
▶ Tactical
– Engineers, NetOps.
▶ Operational
– SOCs.
▶ Operational+/All-in
– Analysts/Researchers,
▶ Strategic
– C and E levels;
SOCs

13
Motivation
▶ APT/Espionage;
▶ eCrime;
▶ Information Operations/Hacktivism;
▶ ICS/SCADA;
Intelligence

14
Latin America Recap.
▶ Interest in compromised credentials for my organization;
▶ No interest in industry peers;
▶ Low readiness from organizations to remediate the threat;
▶ Localized cyber threat ecosystem;
▶ Unsophisticated communication platforms;

15
Latin America Recap. Attackers ecosystem.
▶ Boletos
▶ KL Remota
▶ Contador Dark 2018
▶ BR Chilean Malware
▶ FighterPOS, FlokiBot, and LockPOS

16
Latin America Recap. Attackers ecosystem.
▶ Boletos

17
Latin America Recap. Use-case 1. KL Remota
▶ Popular crimeware tool in Brazilian underground named "Keylogger Remote”
– Likely based on "Spy-Net RAT”

18
Latin America Recap. Use-case 1. KL Remota
▶ 'KL Remota’ + 'KL DNS’
▶ 'KL DNS' is a toolkit which consists
of a malicious script, DNS server,
and phishing pages.

19
Latin America Recap. Use-case 2. Contador Dark 2018
▶ Contador Dark 2018
▶ Distribution via github
▶ Infection vector: hxxps://XXX.githubusercontent.com
▶ TAAR J TeamViewer as a RAT

20
Latin America Recap. Use-case 3. FighterPOS, Floki, LockPOS.
▶ FighterPOS
– Visual Basic-compiled Trojan, but not principally point-of-sale (POS) malware;
– keylogging, downloading and executing files;
– DDoS-module;
– (borrowed some code as usual from "TomPOS” known back in 2014);
▶ Command to download LockPOS executable

21
Latin America Recap. Use-case 3.
▶ Avalance Today

22
Latin America Recap. Use-case 3.
▶ Captain Black

23
Eastern Europe Recap.
▶ Obvious interest in compromised credentials for my organization;
▶ Medium and growing interest in industry peers;
▶ Low readiness from organizations to remediate the threat;
▶ Global cyber threat ecosystem;
▶ Highly sophisticated communication platforms;

24
Use-case 1. Temp.Metastrike/Cobalt
Let’s call it group X has been continuously targeting financial organization in numerous countries.
Ways to hunt it down:
- Botnet emulation;
- Threat hunting;
- Honeypots;
- Endpoint solutions;

25
Use-case 1. Initial stages of delivery and Patch management
ThreadKit Doc Exp Builder:
CVE-2017-0199, Microsoft Office RTF Vuln
CVE-2015-1650, Use-after-free vulnerability in Microsoft Word
CVE-2016-4117, Adobe Flash vulnerability.
CVE-2017-8759, MS Office RTF SOAP WSDL parser code injection vulnerability.
CVE-2017-11882, MS Office Corruption Vulnerability.
CVE-2017-8570, MS Office RCE Vulnerability.
CVE-2018-0802, MS Office Memory Corruption Vulnerability.

26
Use-case 1. Tracking complete campaign
▶ Threat component;
▶ Actor/group attribution;
▶ Botnet/distribution monitoring based on hunting and sensors data;
▶ TTPs analysis
▶ Naming correlation;

27
Use-case 2. Mobile Threat. 1 year ago
Red Alert

28
Launch 2017. Call it soft
▶ Germany: -Post Bank -Commerzbank -ComDirect
▶ Italy: -Intesa Sanpaolo -UBI
▶ Poland: -Raiffeisen Poland
▶ POLAND -Raiffeisen Poland -Bank Pekao -Bank Zachodni WBK -ING Bank -mBank -millenium bank
▶ GERMANY -Post Bank -Commerzbank -ComDirect
▶ FRANCE -Crédit Mutuel -Bankque palatine -Banque Populaire -Ma banque -Lapost bank -Mes Comptes -
Banque -Mes Comptes BNP Paribas
▶ ITALY -Intesa Sanpaolo -UBI
▶ TURKEY -AkBank -Finansbank -Garanti bank -Turkiye Bankasi -HalkBank -VakifBank -YapiKredi -Ziraat bank

29
Red Alert. Today
▶
Italy
Australia
Austria
Belgium
Czech
FRANCE
Germany
Hungary
India
Italy
Latvia
Lithuania
Poland
Netherlands
Switzerland
Spain
Romania
TURKEY
UAE
United Kingdom
United States
Netherlands
Switzerland
Spain
Romania
TURKEY
UAE
United Kingdom
United States

30
Use-case 3. APT28
▶ Usage of Flash exploit CVE-2018-4878
▶ Geography:
– Austria
– Montenegro
– Norway

31
Use-case 3. APT28
▶ The documents observed have had embedded parent Flash movie:
• <dc:date>06.03.2018</dc:date>
– Metadata showing potential creation date
▶ The Flash movie leverages code from the following open-source project as a framework to load the
embedded malicious content:
– hxxps://github.com/XXXXXX/f4player

32
APJ. Recap.
▶ Obvious interest in compromised credentials for my organization;
▶ Medium and growing interest in industry peers;
▶ Rapidly growing readiness from organizations to remediate the threat;
▶ Mostly localized, global-specific cyber threat ecosystem;
▶ Unsophisticated communication platforms;

33
Use-case 1. APJ
▶ Japanese credit card CVVs
▶ 'Mbackup’ Android bot
– call history and SMS;
– record of incoming/outgoing calls;
– QQ, WeChat, Momo, Yixin and YY;

34
Use-case 2. APJ. APT37
▶ Usage of Flash exploit CVE-2018-4878
▶ Geography:
– S. Korea;
– Middle East;
– Japan;
– Vietnam;

35
Use-case 2. APT37 TTPs
▶ Distribution:
– Spear-phishing;
– SWC;
– Torrent file-sharing;
▶ Tools:
– Exfil tools with hard-coded HTTP POST headers;
– Backdoors;
– Wiper;
– Multi-stage downloaders.

36
Thank you!

Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life use-cases.

Recommended

Recommended

More Related Content

Similar to Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life use-cases.

Similar to Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life use-cases. (20)

More from NoNameCon

More from NoNameCon (20)

Recently uploaded

Recently uploaded (20)

Oleg Bondarenko - Threat Intelligence particularities world-wide. Real life use-cases.