John Bambenek
VP, Security Research and Intelligence, ThreatSTOP
War Stories on Using Automated Threat Intelligence for Defense
About me
• SANS ISC Handler
• VP of Security Research and Intelligence at ThreatSTOP
• Lecturer at the University of Illinois at Urbana-Champaign
• Producer of open-source threat feeds
• Involved in DNC, DCCC, et al investigations in 2016
The Problem – the “too much” issues
• “1,000,000 unfilled cybersecurity jobs”
• Too much work and not enough skilled people to do it.
• Too much data, no clear prioritization.
• Too much manual work to investigate and respond to incidents.
• What’s Worth Responding To? What is the Intention of the Attacker?
The Problem in Numbers
• Average dwell time during a breach: 4-5 months
• Percentage of breaches where evidence was in logs: 80+%
• These two data points mean that if a SOC knew what to look for and
had the tools to respond quickly, a great deal of damage could be
mitigated.
The Problem Illustrated (from Virustotal)
The Reality
• There is a much smaller set of actual malware tools; many
are used by multiple people.
• Problem: How to use this data effectively?
• How to manage large data sets to correlate behavior over
time?
Pyramid of Pain
War Story #1 – Election Hacking
• Brief overview of DNC, et al related hacks.
• The private sector was “highly confident” of FSB/GRU attribution even
before the news was released in the summer of 2016.
• We have a long history with APT 28/29, with a variety of TTPs and
other info that allowed not just the responders, but those who verified the
work of responders, to make determinations quickly.
• And see what they were doing during the French Presidential Election, and
some 2018 activity….
Stuff we know now
War Story #1 – Election Hacking
• TTP – likes impersonating “vendors”/“partners”.
• MIS Department in case of DNC
• Using DomainTools Brand Monitor or Farsight Brand Sentry,
you can proactively look for impersonation.
• WHOIS details also provide clues.
WHOIS Registrant Intel
• Actors often re-use registrant information across
different campaigns. There may be other indicators too.
• Sometimes *even with WHOIS privacy protection* it may
be possible to correlate domains and, by extension, the
actor.
• Most cybercrime prosecutions come down to an OPSEC
failure, and to the ability to map backwards in time through what the
actor did to find the failure that exposes them.
War Story #1 – Election Hacking
Maltego graph from Motherboard: https://motherboard.vice.com/en_us/article/vvaxy8/evidence-linking-russian-hackers-fancy-bear-to-macron-phishing
War Story #1 – Election Hacking
• Trend Micro was looking for domains with “en-marche” in
the name and found 4.
• En Marche! said they fed fake information to the adversary.
• Contrast with American response.
• You COULD hack back here… but why?
• There are dangers of deception though.
What can we do in 2018?
• Because of the sheer number of targets, any in-depth attempt to
target political or election organizations will be “loud”.
• If data is shared (IPs, domains, etc.) AND you automatically block
it, you have a good layer of protection.
• MS-ISAC, DHS AIS, other…
Malware Configs
• Every malware family has its own set of configurable items.
• Not every configuration item is necessarily valuable for intelligence
purposes. Some items may have default values.
• Free-form text fields provide interesting data that may be useful for
correlation.
• Mutex can be useful for correlating binaries to the same actor.
• How to get to the identity of someone using Cobalt Strike to attack you?
• KEY POINT: Non-operational data is still useful for intelligence purposes.
Where to get Malware
• Everyone uses Virustotal
• You can buy a malware feed…
• Better is to mine your spam / e-mail for attacks.
• This is the targeted malware no one can sell you.
• Eliminate malware already seen by VT (or other sources); what is left is
unique to you.
• Who are the repeat visitors? Advanced attackers need to
go low and slow...
Sample DarkComet Data
• Key: CampaignID Value: Guest16
• Key: Domains Value: 06059600929.ddns.net:1234
• Key: FTPHost Value:
• Key: FTPKeyLogs Value:
• Key: FTPPassword Value:
• Key: FTPPort Value:
• Key: FTPRoot Value:
• Key: FTPSize Value:
• Key: FTPUserName Value:
• Key: FireWallBypass Value: 0
• Key: Gencode Value: 3yHVnheK6eDm
• Key: Mutex Value: DC_MUTEX-W45NCJ6
• Key: OfflineKeylogger Value: 1
• Key: Password Value:
• Key: Version Value: #KCMDDC51#
Sample njRat config
• Key: Campaign ID Value: 1111111111111111111
• Key: Domain Value: apolo47.ddns.net
• Key: Install Dir Value: UserProfile
• Key: Install Flag Value: False
• Key: Install Name Value: svchost.exe
• Key: Network Separator Value: |'|'|
• Key: Port Value: 1177
• Key: Registry Value Value: 5d5e3c1b562e3a75dc95740a35744ad0
• Key: version Value: 0.6.4
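The two config dumps above are what a correlation pipeline consumes. The following is an added example (not code from the talk or from ThreatSTOP) of the approach the "Malware Configs" slide describes: empty and default-valued keys are dropped, and free-form values such as Mutex, CampaignID and Domains are inverted into an index so samples sharing a value can be found and clustered. The ignore list, the sample ids and most of the values are constructed assumptions; a few values are copied from the DarkComet and njRat slides.

```python
"""Correlate malware samples by configuration values: ignore defaults and
empty fields, index the rest, and group binaries that share a value.
Added example; sample records are constructed (some values taken from the
DarkComet/njRat slides) and IGNORED_KEYS is an assumption to tune per family.
"""
from collections import defaultdict

# Keys whose values are defaults or operational noise on their own.
# Assumption: tune per family. "Mutex" is deliberately NOT here.
IGNORED_KEYS = {"Version", "version", "FireWallBypass", "OfflineKeylogger",
                "Install Flag", "Install Dir", "Install Name",
                "Network Separator", "Port", "Registry Value"}


def parse_config(text):
    """Parse 'Key: X Value: Y' lines, as printed on the slides, into a dict.
    rpartition keeps keys that themselves contain ' Value' intact."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip().lstrip("• ").strip()
        if not line.startswith("Key:") or " Value:" not in line:
            continue
        key, _, value = line[len("Key:"):].rpartition(" Value:")
        cfg[key.strip()] = value.strip()
    return cfg


# Constructed samples keyed by placeholder ids (not real hashes).
SAMPLES = {
    "sample-A": parse_config("""
        Key: CampaignID Value: Guest16
        Key: Domains Value: 06059600929.ddns.net:1234
        Key: FTPHost Value:
        Key: FireWallBypass Value: 0
        Key: Gencode Value: 3yHVnheK6eDm
        Key: Mutex Value: DC_MUTEX-W45NCJ6
        Key: Version Value: #KCMDDC51#"""),
    "sample-B": {"CampaignID": "Guest16", "Domains": "other.example.net:1604",
                 "Mutex": "DC_MUTEX-W45NCJ6", "Version": "#KCMDDC51#"},
    "sample-C": {"Campaign ID": "1111111111111111111",
                 "Domain": "apolo47.ddns.net", "Install Name": "svchost.exe",
                 "Port": "1177", "version": "0.6.4"},
    "sample-D": {"CampaignID": "HR-Invoice",
                 "Domains": "06059600929.ddns.net:1234",
                 "Mutex": "DC_MUTEX-ZZZZZZZ", "Version": "#KCMDDC51#"},
}


def intelligence_values(cfg):
    """Yield (key, value) pairs worth correlating: non-empty, not ignored."""
    for key, value in cfg.items():
        if value and key not in IGNORED_KEYS:
            yield key, value


def build_index(samples):
    """Invert configs into {(key, value): {sample ids}}."""
    index = defaultdict(set)
    for sample_id, cfg in samples.items():
        for kv in intelligence_values(cfg):
            index[kv].add(sample_id)
    return index


def related_samples(samples, sample_id):
    """{other sample: [(key, value), ...]} for every shared value."""
    index = build_index(samples)
    related = defaultdict(list)
    for kv in intelligence_values(samples[sample_id]):
        for other in index[kv]:
            if other != sample_id:
                related[other].append(kv)
    return dict(related)


def clusters(samples):
    """Group samples transitively by shared values (union-find)."""
    parent = {s: s for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for ids in build_index(samples).values():
        ids = sorted(ids)
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(set)
    for s in samples:
        groups[find(s)].add(s)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print(related_samples(SAMPLES, "sample-A"))
    print(clusters(SAMPLES))
```

With these four constructed records, sample-A links to sample-B through the shared CampaignID and Mutex and to sample-D through the shared C2 hostname, while the njRat-style sample-C stays alone; the shared Version string never contributes because it is a family-wide default.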
All the fields…
• ActivateKeylogger,ActiveXKey,ActiveXStartup,AddToRegistry,AntiKillProcess,BypassUAC,CONNECTION_TIME,Campaign,ChangeCreationDate,ClearAccessControl,ClearZoneIdentifier,ConnectDelay,CustomRegKey,CustomRegName,CustomRegValue,DELAY_CONNECT,DELAY_INSTALL,Date,DebugMsg,Domain,EnableDebugMode,EnableMessageBox,EncryptionKey,Error,ExeName,FTPDirectory,FTPHost,FTPInterval,FTPKeyLogs,FTPPassword,FTPPort,FTPRoot,FTPServer,FTPSize,FTPUser,FireWallBypass,FolderName,Gencode,GoogleChromePasswords,Group,HKCU,HKLM,HideFile,ID,INSTALL,INSTALL_TIME,Injection,InstallDir,InstallDirectory,InstallFileName,InstallFlag,InstallFolder,InstallMessageBox,InstallMessageTitle,InstallName,JAR_EXTENSION,JAR_FOLDER,JAR_NAME,JAR_REGISTRY,JRE_FOLDER,KeyloggerBackspace=Delete,KeyloggerEnableFTP,KillAVG2012-2013,MPort,MeltFile,MessageBoxButton,MessageBoxIcon,MsgBoxText,MsgBoxTitle,Mutex,NICKNAME,NetworkSeparator,OS,OfflineKeylogger,Origin,P2PSpread,PLUGIN_EXTENSION,PLUGIN_FOLDER,Password,Perms,Persistance,Port,PreventSystemSleep,PrimaryDNSServer,ProcessInjection,RECONNECTION_TIME,REGKeyHKCU,REGKeyHKLM,RegistryValue,RequestElevation,RestartDelay,RetryInterval,RunOnStartup,SECURITY_TIMES,ServerID,SetCriticalProcess,StartUpName,StartupPolicies,TI,TimeOut,USBSpread,UseCustomDNS,VBOX,VMWARE,Version,_raw,_time,adaware,ahnlab,baidu,bull,clam,comodo,compile_date,date_hour,date_mday,date_minute,date_month,date_second,date_wday,date_year,date_zone,escan,eventtype,fprot,fsecure,gdata,host,ikarus,immunet,imphash,index,k7,linecount,magic,malw,mc,mcshield,md5,nano,norman,norton,outpost,panda,product,proex,prohac,quickheal,rat_name,resys,run_date,section_,section_.BSS,section_.DATA,section_.IDATA,section_.ITEXT,section_.RDATA,section_.RELOC,section_.RSRC,section_.TEXT,section_.TLS,section_AKMBCZMH,section_BSS,section_CODE,section_DATA,section_ELTQHVWF,section_VDOJLYFM,section_YRKCHNMU,sha1,sha256,source,sourcetype,splunk_server,splunk_server_group,spybot,super,tag,tag::eventtype,taskmgr,times_submitted,timestamp,trend,uac,unique_sources,unthreat,vendor,vipre,windef,wire
© Fidelis Cybersecurity. All rights reserved.
War Story #2 – Understanding Locky
• Locky uses a combination of static domains and a DGA for C2.
• Has an affiliate program.
• Seems to heavily favor Necurs for delivery (but not
exclusively).
War Story #2 – Understanding Locky
War Story #2 – Understanding Locky
• We know there is a close relationship between Necurs and
Locky. (What about specific affiliates?)
• We can see it’s likely the Locky operator runs C2 infrastructure
on behalf of affiliates.
• This can inform prosecutorial decisions or potential “hack
back” operators (i.e. stealing encryption keys).
Using DNS to Track the Adversary
• There are only so many ways to contact a C2 server:
• Static IP / Hostname Lists
• Proxied C2s
• Dynamic DNS
• Fast Flux / Double Flux Networks
• Domain Generation Algorithms
• Tor / i2p hidden services
Domain Generation Algorithms
• Usually a complex math algorithm to create pseudo-random
but predictable domain names.
• Now instead of a static list, you have a dynamic list of
hundreds or thousands of domains, and the adversary only
needs to have a couple registered at a time.
• Can search for “friendly” registrars to avoid suspension.
Reverse Engineering DGAs
• Many blog posts about reversing specific DGAs; Johannes Bader
has the most online at his blog:
• Johannesbader.ch
• No real shortcuts except working through IDA/a debugger and
reversing the function.
• Look for functions that iterate many times.
• There will be at least a function to generate the domains and a
function to connect to all of them to find the C2.
• As with all reverse engineering, be aware of obfuscation and decoy
code meant to deceive you.
Types of DGAs
• Almost all DGAs use some type of “seed”.
• Types:
• Date-based
• Static seed
• Dynamic seed
• The seed has to be globally consistent so all victims use the same
one at the same time.
Feed generation on DGAs
• sjuemopwhollev.co.uk,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• meeeqyblgbussq.info,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• ntjqyqhqwcwost.com,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• nvtvqpjmstuvju.net,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• olyiyhprjuwrsl.biz,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• sillomslltbgyu.ru,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• gmqjihgsfulcau.org,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• From here you could easily feed this into RPZ or other technology to
protect your organization.
DGA surveillance
• Pre-generate all domains from 2 days in the past to 2 days in the future.
• Pipe all those domains into adnshost, using parallel to limit the
number of lines per worker.
• Able to process over 700,000 domains inside 10 minutes (and
I’m not done optimizing).
• parallel -j4 --max-lines=3500 --pipe adnshost -a -f < $list-of-domains | fgrep -v nxdomain >> $outputfile
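The feed rows above and the "2 days before to 2 days in future" pre-generation window both rest on the same property from the "Types of DGAs" slide: a globally consistent seed (here a date plus a static seed) lets the defender compute the same list the victims will. The block below is an added example, not the talk's or ThreatSTOP's feed generator. Its generator is a hypothetical date-seeded DGA written for illustration and is not Cryptolocker's or any other family's algorithm; the family label "Toy" and the static seed are assumptions. It emits rows in the slide's `domain,description,date` layout and a domain-only list ready to pipe into the resolver step.

```python
"""Feed generation for a date-seeded DGA in the slide's CSV layout, plus the
-2..+2 day surveillance window. The generator is a HYPOTHETICAL DGA for
illustration only, not any real malware family's algorithm.
"""
import hashlib
from datetime import date, timedelta

TLDS = ["co.uk", "info", "com", "net", "biz", "ru", "org"]  # TLDs seen in the feed rows


def _as_date(day):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def toy_dga(day, count=7, static_seed=b"example-seed", length=14):
    """Hypothetical DGA: each domain is derived from (static seed, date, index).
    The seed and the date are the globally consistent inputs, so every
    victim (and every defender) computes the same list for the same day."""
    day = _as_date(day)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(
            static_seed + day.isoformat().encode() + bytes([i])).digest()
        name = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{name}.{TLDS[digest[length] % len(TLDS)]}")
    return domains


def feed_rows(family, day, generator=toy_dga):
    """Rows in the slide's format: domain,description,YYYY-MM-DD."""
    day = _as_date(day)
    label = day.strftime("%d %b %Y").lstrip("0")
    return [f"{d},Domain used by {family} DGA for {label},{day.isoformat()}"
            for d in generator(day)]


def surveillance_window(family, today, before=2, after=2, generator=toy_dga):
    """Pre-generate the -before..+after day window so new registrations can
    be watched (and blocked) before the first victim resolves them."""
    today = _as_date(today)
    rows = []
    for offset in range(-before, after + 1):
        rows.extend(feed_rows(family, today + timedelta(days=offset), generator))
    return rows


def domains_only(rows):
    """First CSV column: the list a resolver pipeline or an RPZ builder needs."""
    return [row.split(",", 1)[0] for row in rows]


if __name__ == "__main__":
    for row in surveillance_window("Toy", "2015-08-13"):
        print(row)
```

Swapping `toy_dga` for a reversed generator of a real family (the reversing work the "Reverse Engineering DGAs" slide describes) keeps the rest of the pipeline unchanged; the window output feeds directly into the `parallel`/`adnshost` resolution step on the slide, and the rows into RPZ.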
New Matsnu domains registered
What to do with this data?
• With IP addresses, you can just block them at the firewall.
• Inbound **AND** outbound traffic.
• If you control DNS, you control the endpoint. Use a DNS Firewall!
• Which means you can limit what the device can talk to in order to prevent
exploitation or command-and-control.
• DNS is on everything… even IoT devices!
What is a DNS Firewall?
• Uses RPZ (Response Policy Zones) or the Microsoft equivalent.
• Response Policy Zones are zone files you put into your DNS resolver
that can block, redirect, or alert on specific queries.
• Can flag on:
• Specific hostname, domain, or TLD (e.g. www.google.com or *.ru)
• The resolved IP address
• The authoritative nameserver hostnames used
• The authoritative nameserver IP addresses used
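The four triggers listed above map onto four RPZ owner-name forms (a plain name, `.rpz-ip`, `.rpz-nsdname` and `.rpz-nsip`), and the block, redirect and alert actions onto special CNAME targets. The following is an added example, not a ThreatSTOP or BIND artifact, of building such a zone from an intel list; the indicators are constructed placeholders in documentation address ranges, not real IoCs, and the sinkhole hostname and zone name are assumptions. The Microsoft equivalent mentioned on the slide is not covered.

```python
"""Build a BIND-style Response Policy Zone covering all four trigger types
(QNAME, resolved IP, authoritative NS name, authoritative NS IP).
Added example; indicators below are constructed placeholders, not real IoCs.
"""
import ipaddress

# RPZ encodes the policy action as a special CNAME target.
ACTIONS = {
    "nxdomain": "CNAME .",               # answer NXDOMAIN (block)
    "nodata": "CNAME *.",                # answer NODATA
    "passthru": "CNAME rpz-passthru.",   # allow, but the hit is logged (alert-only / allow-list)
    "drop": "CNAME rpz-drop.",           # drop the query silently
}


def _reverse_ip(network):
    """IPv4 network -> 'prefixlen.o4.o3.o2.o1' as RPZ expects in owner names."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets))


def rpz_record(kind, trigger, action="nxdomain", redirect=None):
    """One RPZ resource record. kind: qname | ip | nsdname | nsip.
    redirect, when given, sends the client to a walled-garden host instead."""
    if kind == "qname":
        owner = trigger.rstrip(".")
    elif kind == "ip":
        owner = _reverse_ip(trigger) + ".rpz-ip"
    elif kind == "nsdname":
        owner = trigger.rstrip(".") + ".rpz-nsdname"
    elif kind == "nsip":
        owner = _reverse_ip(trigger) + ".rpz-nsip"
    else:
        raise ValueError(f"unknown trigger kind {kind!r}")
    rdata = f"CNAME {redirect.rstrip('.')}." if redirect else ACTIONS[action]
    return f"{owner} {rdata}"


def build_zone(zone_name, rules, serial=1):
    """rules: iterable of (kind, trigger, action, redirect). Owner names are
    relative to $ORIGIN, so the zone can be loaded under any RPZ name."""
    lines = [
        "$TTL 60",
        f"$ORIGIN {zone_name}.",
        f"@ IN SOA localhost. admin.{zone_name}. {serial} 3600 900 604800 60",
        "@ IN NS localhost.",
    ]
    for kind, trigger, action, redirect in rules:
        lines.append(rpz_record(kind, trigger, action, redirect))
        if kind == "qname" and not trigger.startswith("*."):
            # a blocked name should also cover its subdomains
            lines.append(rpz_record("qname", "*." + trigger, action, redirect))
    return "\n".join(lines) + "\n"


# Constructed placeholders (RFC 2606 names, RFC 5737 addresses), not real indicators.
RULES = [
    ("qname", "c2.bad.example", "nxdomain", None),
    ("qname", "dga-placeholder.example", None, "sinkhole.corp.example"),  # walled garden (assumed host)
    ("ip", "192.0.2.0/24", "nxdomain", None),          # e.g. a bullet-proof hoster's range
    ("nsdname", "ns1.bad.example", "nxdomain", None),  # every domain served by this NS
    ("nsip", "198.51.100.7/32", "nxdomain", None),     # every domain whose NS sits here
    ("qname", "cdn.good.example", "passthru", None),   # known-good, log only
]

if __name__ == "__main__":
    print(build_zone("rpz.local", RULES))
```

The `passthru` rule is how the "alert" mode on the slide is expressed: the resolver answers normally but logs the policy hit, which is also the mechanism for exempting a known-good CDN from a broader IP or nameserver block listed later in the same zone.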
Block Bad Neighborhoods
• There are many networks you can be pretty sure are “always”
safe (e.g. CDNs).
• There are many networks you can treat as completely malicious (e.g.
bullet-proof hosters).
• Some countries you may not need (or want) to talk to.
• ITAR/OFAC
• Why should your MRI machine talk to a Russian IP?
War Story #3 – Operation Tovar
• One of the first modern successful ransomware attacks.
• Was able to proactively monitor all new registrations for
domains, mine registrant details, and ultimately look at the proxies
much more quickly.
• This not only allowed us to grind through to an indictment of
Evgeniy Bogachev, but also to retrieve the private
encryption keys so people could get their files back.
• Was able to do a bulk takedown and shut the whole system
down.
Tracking Malware Functions
• We have tools to correlate IP addresses, domains,
registration information, malware families, malware
configs…
• What about specific functions or portions of code?
• The more we can correlate, the more we can get visibility
into how code is shared, developed, and the ecosystem
behind it.
FIRST IDA Plugin
• Developed by Cisco Talos: https://github.com/vrtadmin/FIRST-plugin-ida
• In essence, ties a database into IDA so you can search for
functions that exist elsewhere to find code level relationships.
• Presentation: https://www.botconf.eu/wp-content/uploads/2016/11/PR11-Function-Identification-and-Recovery-Signature-Tool-Villegas.pdf
FIRST IDA Plugin
War Story #4 - Wannacry
• We all know Wannacry, worm-based ransomware using
disclosed exploits (Thanks NSA!).
• Very quickly we noticed that the payment infrastructure
was not sound (and neither was NotPetya)
• What’s the point of cryptographic ransomware if you aren’t
getting paid? (Made only about $100k USD)
War Story #4 - Wannacry
From Costin Raiu on Twitter: 40-byte code reuse from a Lazarus backdoor
War Story #4 - Wannacry
• 40 bytes of code were identical to a Lazarus Group (DPRK)
backdoor used in 2015.
• Found by “spot checking” and memory.
• This is not ideal.
• Not found anywhere else.
• Inconclusive, but suggests DPRK (since proven).
• We NEED to figure out a way to make this a database search
problem, not a tribal-lore-in-the-analyst’s-head problem.
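The minimal shape of the "database search problem" asked for above is a fragment index: hash every fixed-size byte window of the known samples into a table, then look up every window of a new binary and merge the hits into shared regions. The following is an added example, not the FIRST plugin's method or code from the talk; it uses a 40-byte window to echo the slide, and the "known backdoor" and "unknown" binaries are constructed byte strings, not real malware.

```python
"""Index fixed-size byte windows of known samples and query a new binary
against them, merging consecutive hits into shared regions.
Added example; the sample 'binaries' are constructed, not real malware.
"""
import hashlib
from collections import defaultdict

WINDOW = 40  # bytes per fragment, matching the overlap size cited on the slide


def fragments(blob, window=WINDOW):
    """Yield (offset, sha256 of the window) for every window position."""
    for off in range(0, len(blob) - window + 1):
        yield off, hashlib.sha256(blob[off:off + window]).hexdigest()


def build_corpus_index(corpus, window=WINDOW):
    """corpus: {sample_name: bytes} -> {fragment_hash: {(name, offset)}}.
    In production this is a database table keyed on the hash."""
    index = defaultdict(set)
    for name, blob in corpus.items():
        for off, h in fragments(blob, window):
            index[h].add((name, off))
    return index


def find_reuse(index, unknown, window=WINDOW):
    """{known_sample: [(unknown_offset, known_offset, shared_bytes), ...]}.
    Consecutive window hits at consecutive offsets on both sides are merged
    into one run, so a 60-byte shared function reports once, not 21 times."""
    hits = defaultdict(list)
    for off, h in fragments(unknown, window):
        for name, koff in index.get(h, ()):
            runs = hits[name]
            if runs:
                uoff, kstart, length = runs[-1]
                next_u = uoff + length - window + 1
                next_k = kstart + length - window + 1
                if off == next_u and koff == next_k:
                    runs[-1] = (uoff, kstart, length + 1)
                    continue
            runs.append((off, koff, window))
    return dict(hits)


def longest_shared_run(index, unknown, window=WINDOW):
    """(known_sample, shared_bytes) for the longest shared region, or None."""
    best = None
    for name, runs in find_reuse(index, unknown, window).items():
        for _, _, length in runs:
            if best is None or length > best[1]:
                best = (name, length)
    return best


# Constructed data: 96 pseudo-random bytes stand in for a shared function.
SHARED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(3))
CORPUS = {
    "known-backdoor": b"\x00" * 100 + SHARED + b"\xff" * 50,  # "known" sample
}
UNKNOWN = b"\x90" * 30 + SHARED[:60] + b"\x01" * 90         # reuses 60 bytes
INDEX = build_corpus_index(CORPUS)

if __name__ == "__main__":
    print(find_reuse(INDEX, UNKNOWN))
    print(longest_shared_run(INDEX, UNKNOWN))
```

The query finds one 60-byte region shared with the known sample, at offset 30 in the unknown and 100 in the known, and nothing for a binary with no overlap. Real deployments index function bodies (as FIRST does) rather than raw sliding windows, and normalise relocatable operands first, but the lookup-and-merge logic is the same.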
Last Key Point
• Ending this talk with WannaCry and NotPetya was intentional.
• Most of the techniques here are useful for crime.
• Increasingly, however, APT is using crime tools as “obfuscation”.
• WannaCry and NotPetya (if we’re right) are precursors to future
APT attacks using criminal tools.
• What if our research leads to a kinetic response?
• We need to get the above right to disambiguate their intentions
and to find investigative leads and potential weaknesses (hack
back?).
Solution
• Lots of us are working on the same problems
independently; we need to be working together more and
sharing data.
• Sharing data isn’t about contributing more to “admiring the
problem”. We need to block stuff.
• Back to the Pyramid of Pain: block as much as you can, as low as
you can, to focus limited people/resources on “what’s left”.
Questions?
John Bambenek / @bambenek
jbambenek@threatstop.com

 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
 
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
 
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
 
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
 

Recently uploaded

Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 

Recently uploaded (20)

Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 

SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense

1. John Bambenek, VP, Security Research and Intelligence, ThreatSTOP
War Stories on Using Automated Threat Intelligence for Defense

2. About me
• SANS ISC Handler
• VP of Security Research and Intelligence at ThreatSTOP
• Lecturer at the University of Illinois at Urbana-Champaign
• Producer of open-source threat feeds
• Involved in DNC, DCCC, et al. investigations in 2016

3. The Problem – the “too much” issues
• “1,000,000 unfilled cybersecurity jobs”
• Too much work and not enough skilled people to do it.
• Too much data, no clear prioritization.
• Too much manual work to investigate and respond to incidents.
• What’s worth responding to? What is the intention of the attacker?

4. The Problem in Numbers
• Average dwell time during a breach: 4-5 months
• Percentage of breaches where evidence was in logs: 80+%
• These two data points mean that if a SOC knew what to look for and had the tools to respond quickly, a great deal of damage could be mitigated.

5. The Problem Illustrated (from VirusTotal)

6. The Reality
• There is a much smaller set of actual malware tools; many are used by multiple people.
• Problem: How to use this data effectively?
• How to manage large data sets to correlate behavior over time?

8. War Story #1 – Election Hacking
• Brief overview of the DNC, et al. related hacks.
• The private sector was “highly confident” of FSB/GRU attribution even before the news was released in the summer of 2016.
• We have a long history of APT 28/29 activity with a variety of TTPs and other info that allowed not just the responders, but those who verified the work of the responders, to make determinations quickly.
• And see what they were doing during the French Presidential Election, and some 2018 activity…

10. War Story #1 – Election Hacking
• TTP – likes impersonating “vendors”/“partners”.
• MIS Department in the case of the DNC.
• Using DomainTools Brand Monitor or Farsight Brand Sentry, you can proactively look for impersonation.
• WHOIS details also provide clues.
11. WHOIS Registrant Intel
• Actors often re-use registrant information across different campaigns. There may be other indicators too.
• Sometimes, *even with WHOIS privacy protection*, it may be possible to correlate domains and, by extension, the actor.
• Most criminal prosecution in cybercrime is due to an OPSEC fail and the ability to map backwards in time through what the actor did to find the fail that exposes them.

12. War Story #1 – Election Hacking
Maltego graph from Motherboard: https://motherboard.vice.com/en_us/article/vvaxy8/evidence-linking-russian-hackers-fancy-bear-to-macron-phishing

13. War Story #1 – Election Hacking
• Trend Micro was looking for domains with “en-marche” in the name and found 4.
• En Marche! said they fed fake information to the adversary.
• Contrast with the American response.
• You COULD hack back here… but why?
• There are dangers of deception, though.

14. What can we do in 2018?
• Because of the sheer number of targets, any in-depth attempt to target political or election organizations will be “loud”.
• If data is shared (IPs, domains, etc.) AND you automatically block it, you can have a good layer of protection.
• MS-ISAC, DHS AIS, other…

15. Malware Configs
• Every malware family has different configurable items.
• Not every configuration item is necessarily valuable for intelligence purposes. Some items may have default values.
• Free-form text fields provide interesting data that may be useful for correlation.
• Mutex can be useful for correlating binaries to the same actor.
• How to get to the identity of someone using Cobalt Strike to attack you?
• KEY POINT: Non-operational data is still useful for intelligence purposes.

16. Where to get Malware
• Everyone uses VirusTotal.
• You can buy a malware feed…
• Better is to mine your spam / e-mail for attacks.
• This is the targeted malware no one can sell you.
• Eliminate malware already seen by VT (or other sources); what remains is unique to you.
• Who are the repeat visitors? Advanced attackers need to go low and slow...

17. Sample DarkComet Data
• Key: CampaignID  Value: Guest16
• Key: Domains  Value: 06059600929.ddns.net:1234
• Key: FTPHost  Value:
• Key: FTPKeyLogs  Value:
• Key: FTPPassword  Value:
• Key: FTPPort  Value:
• Key: FTPRoot  Value:
• Key: FTPSize  Value:
• Key: FTPUserName  Value:
• Key: FireWallBypass  Value: 0
• Key: Gencode  Value: 3yHVnheK6eDm
• Key: Mutex  Value: DC_MUTEX-W45NCJ6
• Key: OfflineKeylogger  Value: 1
• Key: Password  Value:
• Key: Version  Value: #KCMDDC51#

18. Sample njRat config
• Key: Campaign ID  Value: 1111111111111111111
• Key: Domain  Value: apolo47.ddns.net
• Key: Install Dir  Value: UserProfile
• Key: Install Flag  Value: False
• Key: Install Name  Value: svchost.exe
• Key: Network Separator  Value: |'|'|
• Key: Port  Value: 1177
• Key: Registry Value  Value: 5d5e3c1b562e3a75dc95740a35744ad0
• Key: version  Value: 0.6.4

19. All the fields…
ActivateKeylogger,ActiveXKey,ActiveXStartup,AddToRegistry,AntiKillProcess,BypassUAC,CONNECTION_TIME,Campaign,ChangeCreationDate,ClearAccessControl,ClearZoneIdentifier,ConnectDelay,CustomRegKey,CustomRegName,CustomRegValue,DELAY_CONNECT,DELAY_INSTALL,Date,DebugMsg,Domain,EnableDebugMode,EnableMessageBox,EncryptionKey,Error,ExeName,FTPDirectory,FTPHost,FTPInterval,FTPKeyLogs,FTPPassword,FTPPort,FTPRoot,FTPServer,FTPSize,FTPUser,FireWallBypass,FolderName,Gencode,GoogleChromePasswords,Group,HKCU,HKLM,HideFile,ID,INSTALL,INSTALL_TIME,Injection,InstallDir,InstallDirectory,InstallFileName,InstallFlag,InstallFolder,InstallMessageBox,InstallMessageTitle,InstallName,JAR_EXTENSION,JAR_FOLDER,JAR_NAME,JAR_REGISTRY,JRE_FOLDER,KeyloggerBackspace=Delete,KeyloggerEnableFTP,KillAVG2012-2013,MPort,MeltFile,MessageBoxButton,MessageBoxIcon,MsgBoxText,MsgBoxTitle,Mutex,NICKNAME,NetworkSeparator,OS,OfflineKeylogger,Origin,P2PSpread,PLUGIN_EXTENSION,PLUGIN_FOLDER,Password,Perms,Persistance,Port,PreventSystemSleep,PrimaryDNSServer,ProcessInjection,RECONNECTION_TIME,REGKeyHKCU,REGKeyHKLM,RegistryValue,RequestElevation,RestartDelay,RetryInterval,RunOnStartup,SECURITY_TIMES,ServerID,SetCriticalProcess,StartUpName,StartupPolicies,TI,TimeOut,USBSpread,UseCustomDNS,VBOX,VMWARE,Version,_raw,_time,adaware,ahnlab,baidu,bull,clam,comodo,compile_date,date_hour,date_mday,date_minute,date_month,date_second,date_wday,date_year,date_zone,escan,eventtype,fprot,fsecure,gdata,host,ikarus,immunet,imphash,index,k7,linecount,magic,malw,mc,mcshield,md5,nano,norman,norton,outpost,panda,product,proex,prohac,quickheal,rat_name,resys,run_date,section_,section_.BSS,section_.DATA,section_.IDATA,section_.ITEXT,section_.RDATA,section_.RELOC,section_.RSRC,section_.TEXT,section_.TLS,section_AKMBCZMH,section_BSS,section_CODE,section_DATA,section_ELTQHVWF,section_VDOJLYFM,section_YRKCHNMU,sha1,sha256,source,sourcetype,splunk_server,splunk_server_group,spybot,super,tag,tag::eventtype,taskmgr,times_submitted,timestamp,trend,uac,unique_sources,unthreat,vendor,vipre,windef,wire
© Fidelis Cybersecurity. All rights reserved.
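The correlation described on slides 15 to 19, as an added example that is not code from the talk: it parses Key/Value dumps in the form shown for DarkComet and njRat, drops empty fields and assumed defaults, and groups samples that share a non-default field such as the Mutex or the C2 domain. The second DarkComet and njRat dumps, the noise-key list and treating Guest16 as a builder default are constructed assumptions.

```python
"""Correlate malware config dumps on their non-default fields.

Added example, not code from the talk. Input mirrors the DarkComet and njRat
dumps on slides 17-18: one "Key: <name> Value: <value>" pair per line.
"""
import re
from collections import defaultdict

# Keys whose values are builder defaults or shared by nearly every build, so
# matching on them would tie unrelated operators together (assumption here).
NOISE_KEYS = {"version", "install flag", "install dir", "install name",
              "offlinekeylogger", "firewallbypass", "network separator"}
# Specific default values with no intel value (Guest16 is assumed to be the
# builder default CampaignID for the purpose of this example).
DEFAULT_VALUES = {("CampaignID", "Guest16")}

KV_RE = re.compile(r"Key:\s*(?P<key>.+?)\s+Value:\s*(?P<value>.*)$")

# The slide 17/18 dumps plus two constructed siblings that share some fields.
SAMPLES = {
    "dc-1": """Key: CampaignID Value: Guest16
Key: Domains Value: 06059600929.ddns.net:1234
Key: FTPHost Value:
Key: FireWallBypass Value: 0
Key: Gencode Value: 3yHVnheK6eDm
Key: Mutex Value: DC_MUTEX-W45NCJ6
Key: Version Value: #KCMDDC51#""",
    "dc-2": """Key: CampaignID Value: Guest16
Key: Domains Value: constructed-c2.invalid:1604
Key: Gencode Value: 3yHVnheK6eDm
Key: Mutex Value: DC_MUTEX-W45NCJ6
Key: Version Value: #KCMDDC51#""",
    "nj-1": """Key: Campaign ID Value: 1111111111111111111
Key: Domain Value: apolo47.ddns.net
Key: Install Name Value: svchost.exe
Key: Port Value: 1177
Key: Registry Value Value: 5d5e3c1b562e3a75dc95740a35744ad0
Key: version Value: 0.6.4""",
    "nj-2": """Key: Campaign ID Value: constructed-campaign
Key: Domain Value: apolo47.ddns.net
Key: Install Name Value: svchost.exe
Key: Port Value: 5552
Key: Registry Value Value: 0123456789abcdef0123456789abcdef
Key: version Value: 0.7d""",
}


def parse_config(text):
    """Return {key: value} for the populated, non-default fields of one dump."""
    cfg = {}
    for line in text.splitlines():
        m = KV_RE.search(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if not value or key.lower() in NOISE_KEYS or (key, value) in DEFAULT_VALUES:
            continue  # nothing here distinguishes one operator from another
        cfg[key] = value
    return cfg


def correlate(samples):
    """(key, value) -> sorted sample ids, for values seen in two or more samples."""
    index = defaultdict(set)
    for sample_id, text in samples.items():
        for kv in parse_config(text).items():
            index[kv].add(sample_id)
    return {kv: sorted(ids) for kv, ids in index.items() if len(ids) > 1}


def cluster(samples):
    """Union-find over shared fields: samples linked by any field form one group."""
    parent = {s: s for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for ids in correlate(samples).values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(list)
    for s in samples:
        groups[find(s)].append(s)
    return sorted(sorted(g) for g in groups.values())
```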
20. War Story #2 – Understanding Locky
• Locky uses a combination of static domains and a DGA for C2.
• Has an affiliate program.
• Seems to heavily favor Necurs for delivery (but not exclusively).

21. War Story #2 – Understanding Locky

22. War Story #2 – Understanding Locky
• We know there is a close relationship between Necurs and Locky. (What about specific affiliates?)
• We can see it’s likely the Locky operator runs C2 infrastructure on behalf of affiliates.
• This can inform prosecutorial decisions or potential “hack back” operators (i.e. stealing encryption keys).

23. Using DNS to Track the Adversary
• There are only certain ways you can contact a C2 server:
• Static IP / hostname lists
• Proxied C2s
• Dynamic DNS
• Fast flux / double flux networks
• Domain Generation Algorithms
• Tor / i2p hidden services

24. Domain Generation Algorithms
• Usually a complex math algorithm to create pseudo-random but predictable domain names.
• Now instead of a static list, you have a dynamic list of hundreds or thousands of domains, and the adversary only needs to have a couple registered at a time.
• Can search for “friendly” registrars to avoid suspension.

25. Reverse Engineering DGAs
• Many blog posts about reversing specific DGAs; Johannes Bader has the most online at his blog: johannesbader.ch
• No real shortcuts except working through IDA/a debugger and reversing the function.
• Look for functions that iterate many times.
• There will be at least a function to generate the domains and a function to connect to all of them to find the C2.
• As with all reverse engineering, be aware of obfuscation and decoy code meant to deceive you.

26. Types of DGAs
• Almost all DGAs use some type of “seed”.
• Types:
• Date-based
• Static seed
• Dynamic seed
• The seed has to be globally consistent so all victims use the same one at the same time.

27. Feed generation on DGAs
• sjuemopwhollev.co.uk,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• meeeqyblgbussq.info,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• ntjqyqhqwcwost.com,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13,
• nvtvqpjmstuvju.net,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• olyiyhprjuwrsl.biz,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• sillomslltbgyu.ru,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13
• gmqjihgsfulcau.org,Domain used by Cryptolocker - Flashback DGA for 13 Aug 2015,2015-08-13,
• From here you could easily feed this into RPZ or other technology to protect your organization.

28. DGA surveillance
• Pre-generate all domains from 2 days before to 2 days in the future.
• Pipe all those domains into adnshost, using parallel to limit the number of lines per invocation.
• Able to process over 700,000 domains inside 10 minutes (and I’m not done optimizing).
• parallel -j4 --max-lines=3500 --pipe adnshost -a -f < $list-of-domains | fgrep -v nxdomain >> $outputfile

29. New Matsnu domains registered

30. What to do with this data?
• With IP addresses, you can just block them at the firewall.
• Inbound **AND** outbound traffic.
• If you control DNS, you control the endpoint. Use a DNS Firewall!
• Which means you can limit what the device can talk to in order to prevent exploitation or command-and-control.
• DNS is on everything… even IoT devices!

31. What is a DNS Firewall?
• Uses RPZ (Response Policy Zones) or the Microsoft equivalent.
• Response Policy Zones are zone files you put into your DNS resolver that can block, redirect, or alert on specific queries.
• Can flag on:
• Specific hostname, domain, or TLD (e.g. www.google.com or *.ru)
• The resolved IP address
• The authoritative nameserver hostnames used
• The authoritative nameserver IP addresses used
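The DGA-to-RPZ workflow of slides 24 to 31, as an added example that is not code from the talk: a constructed date-seeded toy DGA (not the Cryptolocker/Flashback or Matsnu algorithm) generates the 2-days-back to 2-days-ahead surveillance window of slide 28, emits the feed format of slide 27, and writes the domains into an RPZ zone whose `CNAME .` rule rewrites the answer to NXDOMAIN. The seed, the zone origin and the label length are assumptions.

```python
"""Pre-generate DGA domains, emit a feed, and load it into an RPZ zone.

Added example, not code from the talk. The DGA below is a constructed toy
(SHA-256 over a fixed seed and the date), NOT any real family's algorithm;
only the workflow follows slides 26-31.
"""
import datetime as dt
import hashlib

TLDS = ["com", "net", "org", "biz", "info", "ru", "co.uk"]  # TLDs seen on slide 27
SEED = b"constructed-example-seed"  # a real family hard-codes its own static seed
LABEL_LEN = 14                      # slide 27's labels are 14 characters long
PER_DAY = 7                         # domains per day, matching the slide 27 list


def dga(day, count=PER_DAY, seed=SEED):
    """Toy date-based DGA: the same day always yields the same list, which is
    what lets defenders compute tomorrow's domains ahead of the victims."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def feed_lines(family, day):
    """Slide 27 feed format: domain,description,date (ISO)."""
    desc = f"Domain used by {family} DGA for {day.strftime('%d %b %Y')}"
    return [f"{d},{desc},{day.isoformat()}" for d in dga(day)]


def surveillance_window(today, before=2, after=2):
    """Slide 28: every domain from `before` days back to `after` days ahead,
    ready to be piped into a bulk resolver such as adnshost."""
    out = []
    for n in range(-before, after + 1):
        out.extend(dga(today + dt.timedelta(days=n)))
    return out


def rpz_zone(domains, origin="dga.rpz.example."):
    """Minimal RPZ zone (slide 31). In RPZ a record `name CNAME .` tells the
    resolver to answer NXDOMAIN for `name`; `origin` is an assumed zone name."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ SOA localhost. admin.{origin} 1 3600 900 604800 300",
        "@ NS localhost.",
    ]
    for d in sorted(set(domains)):
        lines.append(f"{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    today = dt.date(2015, 8, 13)
    print("\n".join(feed_lines("Constructed Toy", today)))
    print(rpz_zone(surveillance_window(today)))
```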
32. Block Bad Neighborhoods
• There are many networks you can be pretty sure are “always” safe (e.g. CDNs).
• There are many networks you can treat as completely malicious (e.g. bullet-proof hosters).
• Some countries you may not need (or want) to talk to.
• ITAR/OFAC
• Why should your MRI machine talk to a Russian IP?

33. War Story #3 – Operation Tovar
• One of the first modern successful ransomware attacks.
• Was able to proactively monitor all new registrations for domains, mine registrant details, and ultimately get to the proxies more quickly.
• This not only allowed us to grind our way to an indictment of Evgeniy Bogachev, but also to retrieve the private encryption keys so people could get their files back.
• Was able to do a bulk takedown and shut the whole system down.

34. Tracking Malware Functions
• We have tools to correlate IP addresses, domains, registration information, malware families, malware configs…
• What about specific functions or portions of code?
• The more we can correlate, the more visibility we get into how code is shared and developed, and into the ecosystem behind it.

35. FIRST IDA Plugin
• Developed by Cisco Talos: https://github.com/vrtadmin/FIRST-plugin-ida
• In essence, ties a database into IDA so you can search for functions that exist elsewhere to find code-level relationships.
• Presentation: https://www.botconf.eu/wp-content/uploads/2016/11/PR11-Function-Identification-and-Recovery-Signature-Tool-Villegas.pdf

37. War Story #4 – WannaCry
• We all know WannaCry: worm-based ransomware using disclosed exploits (Thanks NSA!).
• Very quickly we noticed that the payment infrastructure was not sound (and neither was NotPetya’s).
• What’s the point of cryptographic ransomware if you aren’t getting paid? (Made only about $100k USD.)

38. War Story #4 – WannaCry
From Costin Raiu’s Twitter: 40-byte code reuse from a Lazarus backdoor.

39. War Story #4 – WannaCry
• 40 bytes of code were identical to a Lazarus Group (DPRK) backdoor used in 2015.
• Found by “spot checking” and memory.
• This is not ideal.
• Not found anywhere else.
• Inconclusive, but suggests DPRK (since proven).
• We NEED to figure out a way to make this a database search problem, not a tribal-lore-in-the-analyst’s-mind problem.
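One way to turn the slide 39 problem into a lookup rather than a memory exercise, as an added example that is not the talk's or any project's code: index every 40-byte window of the known samples under a compact hash (a dictionary standing in for the database), query a new sample window by window, and merge adjacent hits into shared runs. The byte strings are constructed, not real malware; the window size is the 40 bytes from the slide.

```python
"""Find shared byte sequences between a new sample and an index of known ones.

Added example, not code from the talk. Every 40-byte window of each known
sample is hashed into a dict (the "database"); a query sample is checked
window by window and overlapping hits are merged into runs. All inputs are
constructed pseudo-random bytes with a planted 48-byte shared block.
"""
import hashlib
import random
from collections import defaultdict

WINDOW = 40  # size of the shared sequence discussed on slide 39


def window_key(chunk):
    """Compact 8-byte key for one window; the full bytes are re-checked on hit."""
    return hashlib.blake2b(chunk, digest_size=8).digest()


def build_index(samples):
    """samples: {name: bytes}. Returns {key: [(name, offset), ...]}."""
    index = defaultdict(list)
    for name, data in samples.items():
        for off in range(len(data) - WINDOW + 1):
            index[window_key(data[off:off + WINDOW])].append((name, off))
    return index


def find_shared(query, samples, index):
    """Return {name: [(query_offset, known_offset, length), ...]} of shared runs."""
    hits = defaultdict(list)
    for qoff in range(len(query) - WINDOW + 1):
        chunk = query[qoff:qoff + WINDOW]
        for name, koff in index.get(window_key(chunk), ()):
            if samples[name][koff:koff + WINDOW] == chunk:  # rule out hash collisions
                hits[name].append((qoff, koff))
    runs = {}
    for name, pairs in hits.items():
        merged = []
        for qoff, koff in sorted(pairs):
            prev = merged[-1] if merged else None
            # A window starting one byte after the previous run's last window
            # (on both sides) extends that run by one byte.
            if prev and prev[0] + prev[2] - WINDOW + 1 == qoff \
                    and prev[1] + prev[2] - WINDOW + 1 == koff:
                prev[2] += 1
            else:
                merged.append([qoff, koff, WINDOW])
        runs[name] = [tuple(r) for r in merged]
    return runs


# Constructed test data: 48 bytes planted in one known sample and in the query.
_rng = random.Random(7)
SHARED = bytes(_rng.randrange(256) for _ in range(48))


def _noise(n):
    return bytes(_rng.randrange(256) for _ in range(n))


KNOWN = {
    "known_family_x": _noise(300) + SHARED + _noise(200),  # shared block at offset 300
    "unrelated_tool": _noise(400),
}
QUERY = _noise(120) + SHARED + _noise(80)  # new sample; shared block at offset 120

if __name__ == "__main__":
    for name, runs in find_shared(QUERY, KNOWN, build_index(KNOWN)).items():
        for qoff, koff, length in runs:
            print(f"{length} bytes at query+{qoff} match {name}+{koff}")
```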
40. Last Key Point
• Ending this talk with WannaCry and NotPetya was intentional.
• Most of the techniques here are useful for crime.
• Increasingly, however, APT is using crime tools as “obfuscation”.
• WannaCry and NotPetya (if we’re right) are precursors to future APT attacks using criminals’ tools.
• What if our research leads to a kinetic response?
• We need to get the above right to disambiguate their intentions and to find investigative leads and potential weaknesses (hack back?).

41. Solution
• Lots of us are all working on the same problems independently; we need to be working together more and sharing data.
• Sharing data isn’t to contribute more to “admiring the problem”. Need to block stuff.
• Back to the Pyramid of Pain: block as much as you can, as low as you can, to focus limited people/resources on “what’s left”.

42. Questions?
John Bambenek / @bambenek
jbambenek@threatstop.com