3. $ cat disclaimer.txt
“The opinions expressed in this presentation
are those of the speaker and do not necessarily
reflect those of past, present employers,
partners or customers.”
TrueSec
3
7. Me? Breached?
• In 66% of investigated incidents, detection
took months or even longer
• 69% of data breaches are discovered by
third parties
(Source: Verizon DBIR 2012)
10. IOC
“In computer forensics, an Indicator of
Compromise is an artefact observed on a
network or in an operating system that with high
confidence indicates a computer intrusion.”
(Source: wikipedia.org)
12. Classification
• Tag your events with “classification” info
• Helps you build better detection schemes
• Examples:
Event types: attack, reconnaissance, scan, auth_success, auth_fail,
firewall_allow, firewall_drop, etc.
Severity levels: info, warning, error, critical, emergency
13. “Active” Lists
• Temporary or suspicious information that you
track and update dynamically
• Examples:
Contractors, Admins, Terminated Accounts,
Countries (GeoIP)
• if (grep { $_ eq $USER } @ADMINS) { ... }
18. DNS
• No DNS, no Internet!
• Can help to detect data exfiltration and
command-and-control (C&C) communications of malware
• Alert on any traffic to untrusted DNS servers
• Allow only local DNS servers as resolvers
• Investigate suspicious domains
• Track suspicious requests (e.g. TXT records)
19. HTTP
• HTTP is the new TCP
• Investigate suspicious domains
• Inspect HTTPS
(Check with your legal dept before playing
MitM!)
• Search for interesting hashes
20. SMTP
• Track outgoing emails
• Investigate suspicious domains
Because it remains the 1st infection path!
28. $ cat disclaimer2.txt
“Data are provided for ‘free’ but the right to use
them can be restricted to specific conditions (e.g.
cannot be re-used for commercial applications).
Always read carefully the terms of use. Some
services require prior registration and use of
APIs.”
29. OSINT
“Set of techniques to conduct regular
reviews and/or continuous monitoring over
multiple sources, including search engines,
social networks, blogs, comments, underground
forums, blacklists/whitelists and so on.”
30. OSINT
• Think “out of the box”!
• What identifies you on the Internet?
• Domain names
• IP addresses
• Brand
• Monitor them!
33. URLs
• Google SafeBrowsing
use Net::Google::SafeBrowsing2;
use Net::Google::SafeBrowsing2::Sqlite;
my $gsb = Net::Google::SafeBrowsing2->new(
    key     => "xxx",   # your Google SafeBrowsing API key
    storage => Net::Google::SafeBrowsing2::Sqlite->new(file => "google.db"),
);
$gsb->update();   # fetch the latest lists into the local SQLite store
my $match = $gsb->lookup(url => "http://evil.com");
if ($match eq MALWARE) { ... }
34. Hashes
• http://blog.didierstevens.com/2013/05/03/virustotal-searching-and-submitting/
• Example from Python:
import virustotal
api = virustotal.VirusTotalAPI(MYAPIKEY)   # MYAPIKEY: your VirusTotal API key
print api.get_file_report(resource="99017f6eebbac24f351415dd410d522d")   # MD5 of the sample
{'report': ['2010-04-13 23:28:27', {'nProtect': '', 'CAT-QuickHeal': '',
'McAfee': 'Generic.dx!rkx', 'TheHacker': 'Trojan/VB.gen', 'VirusBuster': '',
'NOD32': 'a variant of Win32/Qhost.NTY', 'F-Prot': '', 'Symantec': '',
'Norman': '', 'a-squared': 'Trojan.Win32.VB!IK', ...}],
'permalink': 'http://www.virustotal.com/file-scan/report.html?id=a8...',
'result': 1}
35. IP Reputation
• http://isc.sans.edu/api/ip/50.46.90.187
• Example received in XML:
<ip>
  <number>50.46.90.187</number>
  <count>186</count>
  <attacks>27</attacks>
  <maxdate>2013-10-26</maxdate>
  <mindate>2013-08-30</mindate>
  <updated>2013-10-27 04:34:04</updated>
  <country></country>
  <as>5650</as>
  <asname>FRONTIER-FRTR - Frontier Communications of America, Inc.</asname>
  <network>50.32.0.0/12</network>
  <comment/>
</ip>
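As an added example (not code from the presentation), this Python snippet parses an ISC <ip> record like the one above, using a constructed sample modelled on the slide's output, and turns it into a reputation tag you could feed into an “active” list; the thresholds, tag names and the `reputation` function are assumptions, not part of the ISC API.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample, modelled on the isc.sans.edu/api/ip/<ip> XML on the slide.
SAMPLE_XML = """<ip>
<number>50.46.90.187</number>
<count>186</count>
<attacks>27</attacks>
<maxdate>2013-10-26</maxdate>
<mindate>2013-08-30</mindate>
<updated>2013-10-27 04:34:04</updated>
<country></country>
<as>5650</as>
<asname>FRONTIER-FRTR - Frontier Communications of America, Inc.</asname>
<network>50.32.0.0/12</network>
<comment/>
</ip>"""


def parse_isc_ip(xml_text):
    """Turn an ISC <ip> record into a dict; empty elements (country, comment) become None."""
    root = ET.fromstring(xml_text)
    if root.tag != "ip":
        raise ValueError("unexpected root element %r" % root.tag)
    rec = {}
    for child in root:
        text = (child.text or "").strip()
        rec[child.tag] = text or None
    for key in ("count", "attacks", "as"):      # numeric fields
        if rec.get(key) is not None:
            rec[key] = int(rec[key])
    for key in ("maxdate", "mindate"):          # ISO dates
        if rec.get(key) is not None:
            rec[key] = date.fromisoformat(rec[key])
    return rec


def reputation(rec, today, min_attacks=10, recent_days=30):
    """Assumed policy: many reports seen recently -> 'suspicious'; old ones -> 'stale';
    few reports -> 'clean'; missing fields -> 'unknown'. `today` is an ISO date string."""
    if rec.get("attacks") is None or rec.get("maxdate") is None:
        return "unknown"
    age_days = (date.fromisoformat(today) - rec["maxdate"]).days
    if rec["attacks"] >= min_attacks:
        return "suspicious" if age_days <= recent_days else "stale"
    return "clean"
```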
42. Conclusions
• Know your environment
• You have plenty of useful (big) data
• Free software can help you (but the project is
not free)
• To do good defensive security, know your enemy!
(learn how the bad guys work)