threat intelligence field of dreams

Post on 18-Jan-2017


TRANSCRIPT

Company Confidential

Building a Threat Intelligence Field of Dreams

05.12.2016

James Carder, CISO | VP LogRhythm Labs

Greg Foss, Global Security Operations Team Lead

Operationalizing Threat Intelligence: Making Threat Intelligence Useful

Defining Threat Intelligence

“Evidence-based knowledge, including context, mechanisms, indicators, implications and ACTIONABLE advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard” - Gartner

Actionable data types

Intel Reports
• Documents (e.g., FBI flash reports)
• Blogs, emails
• RSS feeds

Indicators of Compromise
• CSV and text files
• STIX
• OpenIOC

Raw Data Types
• Malware samples
• Packet capture
• Forensic artifacts (files, email)

Your Own Data
• User behaviors
• Endpoint behaviors
• Network behaviors

Operationalizing Threat Intelligence

• Indicators of Compromise (IOC) are automatically searched
• Changes to the external threat environment are immediately detected
• Provides the analyst context around an incident, event, threat, or campaign
  • Historical knowledge as well, to chain related attacks

Attack lifecycle: Reconnaissance & Planning → Initial Compromise → Command & Control → Lateral Movement → Target Attainment → Exfiltration / Corruption / Disruption

OSINT: Open Source Intelligence Gathering

Open Source Intelligence Gathering

“Open Source Intelligence (OSINT) in the simplest of terms is locating, and analyzing publicly (open) available sources of information. The key component here is that this intelligence gathering process has a goal of producing current and relevant information that is valuable to either an attacker or competitor. For the most part, OSINT is more than simply performing web searches using various sources.”

- http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#OSINT

OSINT

• Offensive and Defensive
• Manual – in-depth analysis of the target entity or individual(s)
• Automated – high-level analysis of metadata
• Operationalize, integrate, and automate OSINT analysis FTW
• Define goals – what to analyze, why, how, outputs, etc.
  • Indicators of Compromise
  • Data to feed back loops into defensive tools
  • Research
  • Attribution
  • Actors, victims, servers, locations, samples, etc.

OSINT OPSEC (Manual)

• OPSEC: Operational Security
• The target cannot know your organization is actively investigating them…
• Use a USB-bootable Linux image such as Tails – non-persistent
• Run both Tor and a VPN (commercial, or use cloud systems)
• Virtual Private Servers (VPS) located in other countries
• Pay for services using bitcoin and/or pre-paid gift cards
• Regardless of solution – understand the service’s logging policy, check for warrant canaries, and know your rights…

Why Tor and VPN?

Tor != VPN

Tor = Randomizer: traffic is bounced through a circuit of volunteer relays, so no single relay sees both your address and the destination, and the exit address changes as circuits rotate.

VPN = Tunnel: one encrypted tunnel to one provider, which sees both ends of every connection; its logging policy is what you are trusting.

Honestly… not a big deal unless you’re planning to do illegal things – which you should not be doing anyway...

OSINT OPSEC (Automated – Corporate)

• Register a Linux Amazon EC2 box (free tier) with no Elastic IP
• Purchase a Dyn DNS account – for dynamic DNS registration, so the tunnel endpoint can still be found after its address changes
• Establish a VPN tunnel to the EC2 system(s). The original setup used PPTP; PPTP’s MS-CHAPv2 authentication is broken, so an SSH tunnel or a modern VPN (OpenVPN, WireGuard, IPsec) is the better choice.
• Perform investigative analysis from these cloud-hosted systems and/or local boxes with proper precautions in place
• Proxy traffic through, and use SSH port forwarding to access services
• Following the completion of the analysis, cycle the instance’s public address. Note that a plain reboot keeps an EC2 instance’s public IPv4 address; it is a stop followed by a start that releases the old address and assigns a new one (unless an Elastic IP is attached).
• Reconfigure the tunnels and DNS as necessary (automate this)

Automating OSINT and Response

Diagram: external APIs (DomainTools, PassiveTotal, VirusTotal, Cisco AMP ThreatGRID) feeding the SecOps infrastructure (Netflow / IDS, firewalls, proxy, endpoint, SIEM)

Manual OSINT Analysis

• Goal-oriented
• Define a specific target and understand the data you wish to obtain
  • Technical – accounts, servers, services, software, integrations
  • Social – social media, photography, wish lists, email
  • Physical – address, home IP address, business, footprint
  • Logical – network, operational intelligence, where, when

A Few OSINT Tools

• Maltego – transforms!
• PassiveTotal – threat intel and a Maltego API!
• DomainTools IRIS – Whois history; pivot off of data points (email, address, phone, etc.)
• Shodan – the network search engine; everything from open VNC services to C2s
• Facebook / LinkedIn / Spokeo / Pipl / etc. – create fake accounts and use API integrations to automate searches (these platforms’ terms of service prohibit fake accounts, and a sock-puppet profile that can be tied back to your organization is itself an OPSEC failure)

OSINT Tips and Tricks: Shortened URLs

All you need is “+”: appending a plus sign to a bit.ly-style short link opens the shortener’s public statistics page for that link (click counts, referrers, creation date) instead of following the redirect, so the destination site never sees your visit.

OSINT Tips and Tricks: Resolve Skype Username to IP

Screenshot slides: public “Skype resolver” sites that turned a Skype username into the user’s last-seen IP address. Microsoft changed Skype in 2016 to hide IP addresses by default, so these resolvers largely no longer work.

OSINT Tips and Tricks: Source Code Search

Nerdydata.com ;-) – searches the HTML/JavaScript source of indexed websites for a string, so an analytics or ad-network ID found on one site can be pivoted to every other site that embeds it.

Just scratching the surface…

Case Studies: Operationalization of Threat Intel

Case Study: Operationalizing POS Intel from a Threat Report

Threat Report → SIEM / Analytics Engine → automated search using host and network IOCs and/or BrutPOS behavior, in the SIEM and on the endpoints in the POS network

• Hits: alarm, SmartResponse
• No hits: no alarm, SmartResponse

Response workflow: Containment → Acquisition → Analysis → Confirmation → Remediation → Metrics/Reporting
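The sweep this case study automates, as an added example (not code from the slides and not LogRhythm’s SmartResponse): an IOC list in the CSV shape listed under “Actionable data types” is run over endpoint process-creation events and DNS/flow records, and the hit / no-hit branches map to the two responses on the slide. The IOC values, host names, the `isolate_hosts` and `record_sweep` action names and all log lines are constructed for the example.

```python
"""Added example: sweep endpoint and network logs for report IOCs and decide
the response.  IOC values, hosts and log lines below are constructed."""
import csv
import io
import re
from collections import defaultdict

# Constructed IOC list in the CSV shape threat reports are often shared in.
IOC_CSV = """type,value,source
md5,0123456789abcdef0123456789abcdef,constructed-report
domain,pos-update.example,constructed-report
ipv4,203.0.113.45,constructed-report
filename,rdpbrute.exe,constructed-report
"""

# Constructed endpoint process-creation events and DNS/flow records.
ENDPOINT_LOGS = [
    r"2016-05-12T10:01:02Z host=POS-REG-07 event=process_create image=C:\Temp\rdpbrute.exe md5=0123456789abcdef0123456789abcdef",
    r"2016-05-12T10:01:05Z host=POS-REG-07 event=process_create image=C:\Windows\explorer.exe md5=ffffffffffffffffffffffffffffffff",
    r"2016-05-12T10:02:00Z host=POS-REG-12 event=process_create image=C:\Temp\RDPBRUTE.EXE md5=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
]
NETWORK_LOGS = [
    "2016-05-12T10:01:10Z host=POS-REG-07 event=dns query=pos-update.example answer=203.0.113.45",
    "2016-05-12T10:01:11Z host=POS-REG-07 event=flow dst=203.0.113.45 dport=443",
    "2016-05-12T10:03:00Z host=BACKOFFICE-01 event=flow dst=198.51.100.9 dport=443",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp lands in 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def load_iocs(csv_text):
    """Group IOC values by type, lower-cased so hash/domain/filename case never matters."""
    iocs = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        iocs[row["type"].strip()].add(row["value"].strip().lower())
    return iocs


def sweep(iocs, endpoint_logs, network_logs):
    """Return {host: [(ioc_type, ioc_value, ts), ...]} for every IOC hit."""
    hits = defaultdict(list)
    for line in endpoint_logs:
        ev = parse_kv(line)
        if ev.get("md5", "").lower() in iocs["md5"]:
            hits[ev["host"]].append(("md5", ev["md5"].lower(), ev["ts"]))
        # Compare the basename only, case-insensitively: NTFS paths are not case-sensitive.
        name = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if name in iocs["filename"]:
            hits[ev["host"]].append(("filename", name, ev["ts"]))
    for line in network_logs:
        ev = parse_kv(line)
        query = ev.get("query", "").lower().rstrip(".")
        if query in iocs["domain"]:
            hits[ev["host"]].append(("domain", query, ev["ts"]))
        for field in ("answer", "dst"):          # resolved answers and direct flows
            if ev.get(field) in iocs["ipv4"]:
                hits[ev["host"]].append(("ipv4", ev[field], ev["ts"]))
    return dict(hits)


def decide(hits):
    """The two branches on the slide: hits -> alarm plus containment action;
    no hits -> no alarm, but still a SmartResponse that records the sweep so the
    report can be closed as 'searched, nothing found'."""
    if not hits:
        return {"alarm": False, "smart_response": "record_sweep", "hosts": []}
    return {"alarm": True, "smart_response": "isolate_hosts", "hosts": sorted(hits)}


if __name__ == "__main__":
    found = sweep(load_iocs(IOC_CSV), ENDPOINT_LOGS, NETWORK_LOGS)
    for host, entries in found.items():
        print(host, entries)
    print(decide(found))
```

The two POS registers are the only hosts returned; the back-office machine talking to an unlisted address produces nothing. In a SIEM the same matching runs as a saved search over the last N days whenever a new report lands, which is the “automatically searched” point from the operationalizing slide.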

Case Study: Operationalizing Intel using Third Party Integrations

Internet browsing → SIEM / Analytics Engine:
• Domain is reputable or categorized as good → no action
• DNS name isn’t recognized or part of known malicious domain lists… SmartResponse: check DomainTools
• Domain was created (registered) in the last 7 days, or registered by a known-bad registrant… SmartResponse

Response workflow: Containment → Acquisition → Analysis → Confirmation → Remediation → Metrics/Reporting
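The browsing decision tree above as an added example (not the slides’ code and not DomainTools’ API client): host names that are neither categorized good nor on a known-bad list are enriched with registration data, and a creation date inside 7 days or a known-bad registrant fires the SmartResponse. `whois_lookup()` is a stand-in for the DomainTools/Whois call; the category lists, Whois records and proxy lines are constructed, and the registered-domain reduction is deliberately naive (no Public Suffix List).

```python
"""Added example: classify browsed host names the way the slide's decision tree
does, enriching unknown domains with Whois data.  Lists, Whois records and
proxy lines are constructed; whois_lookup() stands in for the DomainTools API."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 5, 12, 12, 0, tzinfo=timezone.utc)   # fixed clock for the example

GOOD_CATEGORIES = {"example.org": "news", "example.net": "business"}        # constructed
KNOWN_BAD_DOMAINS = {"c2.bad.example"}                                       # constructed
KNOWN_BAD_REGISTRANTS = {"registrant@bad.example"}                           # constructed

# Constructed Whois answers keyed by registered domain.
WHOIS_DB = {
    "fresh-update.example": {"created": NOW - timedelta(days=2), "registrant": "someone@mail.example"},
    "old-shop.example": {"created": NOW - timedelta(days=900), "registrant": "Registrant@bad.example"},
    "plain-site.example": {"created": NOW - timedelta(days=400), "registrant": "owner@plain-site.example"},
}


def registered_domain(fqdn):
    """Reduce a host name to its registered domain (last two labels).
    Production code should use the Public Suffix List so co.uk-style suffixes work."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def whois_lookup(domain):
    """Stand-in for the DomainTools / Whois API call.  Returns None when the
    registry gives nothing back (privacy-protected or unknown domain)."""
    return WHOIS_DB.get(domain)


def classify(fqdn, now=NOW, max_age_days=7):
    """Return (verdict, reason) for one browsed host name.
    verdict is 'allow', 'alarm' (fire the SmartResponse) or 'review' (needs a human)."""
    fqdn = fqdn.lower().rstrip(".")
    domain = registered_domain(fqdn)
    if domain in GOOD_CATEGORIES:
        return "allow", "categorised as " + GOOD_CATEGORIES[domain]
    if fqdn in KNOWN_BAD_DOMAINS or domain in KNOWN_BAD_DOMAINS:
        return "alarm", "on known-bad domain list"
    rec = whois_lookup(domain)
    if rec is None:
        # No registration data is itself a signal: privacy proxy, brand-new TLD, or typo.
        return "review", "no whois record"
    age = now - rec["created"]
    if age < timedelta(days=max_age_days):
        return "alarm", "registered %d day(s) ago" % age.days
    if rec["registrant"].lower() in KNOWN_BAD_REGISTRANTS:
        return "alarm", "registrant %s is known bad" % rec["registrant"].lower()
    return "allow", "aged domain, registrant not listed"


def triage(proxy_lines, now=NOW):
    """proxy_lines are 'timestamp user host' records; returns every non-allow verdict."""
    actions = []
    for line in proxy_lines:
        ts, user, host = line.split()
        verdict, reason = classify(host, now)
        if verdict != "allow":
            actions.append({"ts": ts, "user": user, "host": host, "verdict": verdict, "reason": reason})
    return actions


PROXY_LOG = [  # constructed
    "2016-05-12T11:58:00Z alice www.example.org",
    "2016-05-12T11:58:30Z bob cdn.fresh-update.example",
    "2016-05-12T11:59:00Z carol shop.old-shop.example",
    "2016-05-12T11:59:30Z dave plain-site.example",
    "2016-05-12T11:59:45Z erin unknown-thing.example",
    "2016-05-12T11:59:50Z frank c2.bad.example",
]

if __name__ == "__main__":
    for action in triage(PROXY_LOG):
        print(action)
```

Domain age alone is a noisy signal (legitimate CDNs and campaign microsites are young too), which is why the slide routes the “unknown” branch through enrichment rather than straight to an alarm, and why a missing Whois record is returned as `review` rather than silently allowed.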

Case Study: Operationalizing Intel from Internal Behaviors / Baselines

Assume credentials are stolen (single-factor authentication, so a valid password is all the attacker needs).

SIEM / Analytics Engine:
• Detect: network traffic to vl.ff.avast.com & su.ff.avast.com
• Detect: 128-bit GUID cba871fa-80c9-48bc-9836-8df3a7f67145
• Identify: Avast AV
• SmartResponse: does the IT inventory have anything other than McAfee or ESET? If not, the host running Avast is not a corporate build, and the session it holds with valid credentials goes straight into IR (SmartResponse into IR)

Response workflow: Containment → Acquisition → Analysis → Confirmation → Remediation → Metrics/Reporting
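The internal-baseline case above as an added example, not code from the slides: hosts are fingerprinted from the AV update domains they contact (the slide’s vl.ff.avast.com / su.ff.avast.com) and from the Avast GUID when it shows up in a user agent, and any single-factor logon from a host whose AV is not on the approved list, or which IT never inventoried, is raised to IR. The inventory, the McAfee/ESET update domains used as fingerprints, the user-agent strings and all log lines are constructed.

```python
"""Added example: raise single-factor logons from hosts whose AV does not match
the corporate standard.  Fingerprint maps, inventory and log lines are constructed."""
import re
from collections import defaultdict

# AV products identified by their update/telemetry domains (the slide's Avast hosts
# plus assumed McAfee/ESET update domains) and by the Avast GUID from the slide.
AV_DOMAIN_FINGERPRINTS = {
    "vl.ff.avast.com": "Avast",
    "su.ff.avast.com": "Avast",
    "update.nai.com": "McAfee",
    "update.eset.com": "ESET",
}
AV_GUID_FINGERPRINTS = {"cba871fa-80c9-48bc-9836-8df3a7f67145": "Avast"}
APPROVED_AV = {"McAfee", "ESET"}

# Constructed IT inventory: hosts IT actually built, with the AV it deployed.
INVENTORY = {"WS-ALICE-01": "McAfee", "WS-BOB-02": "ESET"}

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def fingerprint_hosts(proxy_lines):
    """{source host: set of AV products seen} from 'ts src dst user-agent' proxy lines."""
    seen = defaultdict(set)
    for line in proxy_lines:
        ts, src, dst, user_agent = line.split(" ", 3)
        if dst in AV_DOMAIN_FINGERPRINTS:
            seen[src].add(AV_DOMAIN_FINGERPRINTS[dst])
        for guid in GUID_RE.findall(user_agent):
            if guid.lower() in AV_GUID_FINGERPRINTS:
                seen[src].add(AV_GUID_FINGERPRINTS[guid.lower()])
    return dict(seen)


def parse_logons(logon_lines):
    """'ts user host factor' logon records -> list of dicts."""
    records = []
    for line in logon_lines:
        ts, user, host, factor = line.split()
        records.append({"ts": ts, "user": user, "host": host, "factor": factor})
    return records


def suspicious_logons(logon_lines, proxy_lines, inventory=INVENTORY):
    """Single-factor logons from a host running unapproved AV, or from a host IT
    never inventoried, are the 'SmartResponse into IR' cases.  MFA logons are
    skipped: the stolen password alone did not get the attacker in."""
    fingerprints = fingerprint_hosts(proxy_lines)
    findings = []
    for logon in parse_logons(logon_lines):
        if logon["factor"] != "single":
            continue
        unapproved = fingerprints.get(logon["host"], set()) - APPROVED_AV
        if unapproved:
            findings.append(dict(logon, reason="unapproved AV " + ",".join(sorted(unapproved))))
        elif logon["host"] not in inventory:
            findings.append(dict(logon, reason="host not in IT inventory"))
    return findings


PROXY_LOG = [  # constructed: ts src dst user-agent
    "2016-05-12T08:00:00Z WS-ALICE-01 update.nai.com McAfee-Agent/5.0",
    "2016-05-12T08:01:00Z UNKNOWN-LAPTOP vl.ff.avast.com avast!/16.0 guid=cba871fa-80c9-48bc-9836-8df3a7f67145",
    "2016-05-12T08:01:30Z UNKNOWN-LAPTOP su.ff.avast.com avast!/16.0",
    "2016-05-12T08:02:00Z WS-BOB-02 update.eset.com ESET-Update/9.0",
]
LOGON_LOG = [  # constructed: ts user host factor
    "2016-05-12T08:05:00Z alice WS-ALICE-01 single",
    "2016-05-12T08:06:00Z alice UNKNOWN-LAPTOP single",
    "2016-05-12T08:07:00Z bob WS-BOB-02 single",
    "2016-05-12T08:08:00Z carol VISITOR-PC single",
    "2016-05-12T08:09:00Z dave UNKNOWN-LAPTOP mfa",
]

if __name__ == "__main__":
    for finding in suspicious_logons(LOGON_LOG, PROXY_LOG):
        print(finding)
```

Alice’s second logon is the slide’s scenario: her valid password used from a machine IT never built. The rule deliberately keys on the software fingerprint rather than only on the inventory, because a host name can be spoofed while the update traffic its AV generates cannot easily be suppressed without the AV noticing.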

Diagram: the threat intelligence ecosystem around the SOC
• Malware sandbox (e.g., Cuckoo)
• Historical case data
• Analyst (e.g., malware, forensics)
• External services (e.g., DomainTools, VirusTotal)
• Threat intelligence (e.g., ISACs, threat feeds, flash reports)
• Vulnerability intelligence
• Offer services to your friends: collect intel & collaborate

If you build it… they will come…

Is attribution important?

• “If you know the enemy and know yourself you need not fear the results of a hundred battles” – Sun Tzu

• “All warfare is based on deception. Hence, when we are able to attack we must seem unable, when using our force we must appear inactive, when we are near we must make the enemy believe we are far away, when we are far away we must make him believe we are near” – Sun Tzu

• Who did it? – APT, China
• Why did they do it? – China 5-year plan; don’t know
• What were they after? – Research data, intellectual property; I don’t know
• Could we have prevented it? – No, not without more budget

“China stole it, specifically an APT group out of province A. The data was then transferred to person B, located in province C. Then person B sent it to person D in Russia. Once in Russia, the stolen data ended up on person E’s table.”

What if attribution was real’ized?

Document Bugging and Web Tracing: tracking people of interest and mapping out their digital footprints

Honey Tokens and Document Bugging

Tracking file access, modification, exfiltration, etc…

• Use File Integrity Monitoring to track file interactions
• Any predefined item, instrumented to generate a unique log
• Strings, drives, directories, hashes, ‘employees’

File Integrity Monitoring – built in to Windows logging: put a SACL on the honey file and enable Object Access auditing, and every open of it generates a security event (4663, “An attempt was made to access an object”) that names the account and the process.

Document Bugging – How To

• Web bug background information: http://ha.ckers.org/webbug.html
• Web bug server: https://bitbucket.org/ethanr/webbugserver
• Bugged Files – Is Your Document Telling on You? Daniel Crowley and Damon Smith (Chaos Communication Camp 2015): https://www.youtube.com/watch?v=j5cjFul4ZIc

Document Tracking

Same tricks used by marketing / sales for years. Normally for tracking emails, clicks, downloads, etc.

Why loading external images within email is risky… an image URL that is unique to the recipient reports the time, IP address, and user agent of every open back to whoever sent the message.

https://github.com/gfoss/misc/tree/master/Bash/webbug

Documents can be tracked in the same way as email / web: a remote image or template reference inside the document fetches a unique URL when the file is opened.

Issues with Document Tracking

When a document is opened offline, it is possible that information will be divulged about the tracking service itself (the embedded URL is visible in the document and in any proxy or firewall log). Be cognizant of this when bugging documents.

Visiting the site directly: a dead giveaway that something phishy is up…

You may even get your domain flagged. This can hinder your tracking ability, so ensure that you check regularly…

Taking it a step further…
• Honeybadger, Flash, Java, client-side code
• If you are able to execute code on the endpoint, you can uncover the true location, regardless of proxy

No help in court…

• Evidence obtained via web bugs, tracing, or similar forms of tracking may not be admissible in court, as it could be argued to be entrapment.
• FBI case – Operation Torpedo: https://www.wired.com/2014/08/operation_torpedo/

Legalities of Document Bugging

• Is it spying?
• Can you really get in trouble for tracking your own things?
• It all boils down to intent… very grey area.

Bugged Documents in Practice

Reverse phishing – sending the phisher a bugged document.

He was even kind enough to complete the form and send it back!

Capture The Flag – LogRhythmChallenge.com

Bugging the CTF instructions…

“We need your slides 9 months ahead of time for this industry-leading cyber security event” – Random Conference

USB Drop – Security Awareness Case Study

Building a Believable Campaign

USB Human Interface Device (HID) attacks are too obvious: a dead giveaway that the target just compromised their system. Plus, expensive.

http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649

Building a Believable Campaign

• Use realistic files with somewhat realistic data
• Staged approach to track file access and exploitation

README.doc

Tracking File Access

Bugged document opened within the corporate network? Correlate the tracking server’s access logs with network flow analysis to find the victim.
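The web-bug mechanism from the Document Tracking slides and the flow correlation from this USB-drop slide, as one added example (not the slides’ code and not the gfoss Bash webbug script linked above): each bugged document gets a unique image URL carrying an HMAC token, so the tracking server trusts a hit only when the token verifies, and a bare visit to the server (the “dead giveaway” case) or a guessed document ID is logged as untrusted; `parse_hit()` reads the tracking server’s Apache-style access log, and `find_internal_host()` matches a trusted hit against NAT/flow records to name the internal machine behind the corporate egress address. The key, server addresses, document ID, access-log lines and NAT records are constructed.

```python
"""Added example: HMAC-tokened web bugs for documents, parsing the tracking
server's access log, and correlating a hit with NAT/flow records.  The key,
addresses, document id, log lines and NAT records are constructed."""
import hashlib
import hmac
import re
from datetime import datetime, timedelta

KEY = b"constructed-example-key-rotate-me"   # keep this off the tracking server's web root
BUG_SERVER = "198.51.100.20"                 # constructed public IP of the tracking server
BASE_URL = "http://cdn-assets.example"       # constructed; the name should look boring


def token(doc_id, key=KEY):
    """Truncated HMAC over the document id; 16 hex chars is plenty for a beacon URL."""
    return hmac.new(key, doc_id.encode(), hashlib.sha256).hexdigest()[:16]


def make_bug_url(doc_id, base=BASE_URL, key=KEY):
    """Image URL to embed in a document.  doc_id should be random, never the target's name."""
    return "%s/i/%s.%s.gif" % (base, doc_id, token(doc_id, key))


LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
PATH_RE = re.compile(r"^/i/([A-Za-z0-9_-]+)\.([0-9a-f]{16})\.gif$")


def parse_hit(line, key=KEY):
    """Parse one Apache combined-format line.  'trusted' is True only when the token
    verifies; a bare visit to the site or a guessed id is recorded but not trusted."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status, user_agent = m.groups()
    hit = {
        "ip": ip,
        "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "status": int(status),
        "ua": user_agent,
        "doc_id": None,
        "trusted": False,
    }
    p = PATH_RE.match(path)
    if p:
        doc_id, tok = p.groups()
        hit["doc_id"] = doc_id
        hit["trusted"] = hmac.compare_digest(tok, token(doc_id, key))
    return hit


NAT_RE = re.compile(r"(\w+)=(\S+)")


def find_internal_host(hit, nat_lines, window=timedelta(seconds=30)):
    """Internal source addresses whose NAT'd connection to the bug server falls
    inside the window around the hit and left via the address the hit came from."""
    matches = set()
    for line in nat_lines:
        ts_text, _, rest = line.partition(" ")
        fields = dict(NAT_RE.findall(rest))
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S%z")
        if (fields.get("dst") == BUG_SERVER and fields.get("nat_src") == hit["ip"]
                and abs(ts - hit["ts"]) <= window):
            matches.add(fields["src"])
    return sorted(matches)


DOC_ID = "7f3a9c1e"   # constructed
ACCESS_LOG = [        # constructed Apache combined log: a real open, a direct visit, a forged id
    '203.0.113.7 - - [12/May/2016:10:15:02 +0000] "GET /i/%s.%s.gif HTTP/1.1" 200 43 "-" '
    '"Microsoft Office/16.0 (Windows NT 6.1; Microsoft Word 16.0.4229; Pro)"' % (DOC_ID, token(DOC_ID)),
    '198.51.100.77 - - [12/May/2016:10:20:00 +0000] "GET / HTTP/1.1" 404 169 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [12/May/2016:10:20:05 +0000] "GET /i/%s.0000000000000000.gif HTTP/1.1" 200 43 "-" "curl/7.47.0"' % DOC_ID,
]
NAT_LOG = [           # constructed firewall NAT records
    "2016-05-12T10:15:01+0000 src=10.0.5.23 dst=198.51.100.20 dport=80 nat_src=203.0.113.7",
    "2016-05-12T10:15:03+0000 src=10.0.7.9 dst=93.184.216.34 dport=443 nat_src=203.0.113.7",
    "2016-05-12T09:40:00+0000 src=10.0.9.1 dst=198.51.100.20 dport=80 nat_src=203.0.113.7",
]

if __name__ == "__main__":
    print(make_bug_url(DOC_ID))
    for line in ACCESS_LOG:
        hit = parse_hit(line)
        print(hit["ip"], hit["doc_id"], "trusted" if hit["trusted"] else "UNTRUSTED",
              find_internal_host(hit, NAT_LOG) if hit["trusted"] else [])
```

The Office user agent on the first hit is what a bugged Word document looks like from the server side; the same machine later browsing to the server, or a curl of a guessed path, is exactly the “visiting the site directly” case the slides warn about, and the token check keeps those out of the victim list. The correlation needs the firewall’s NAT log (or proxy log) with timestamps synchronized to the tracking server, which is the part worth setting up before the campaign rather than after.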

Who Opened The File?

Competitive-Business-Analysis.xlsm

PowerShell Macro

PowerShell Prompt – PowerShell Empire’s Invoke-Prompt, which pops a fake Windows credential prompt so the user types in a password

Step 1 – Compress the PowerShell script

Step 2 – Build the macro and inject the PowerShell script

Step 3 – Customize the macro

Step 4 – Profit

Send an email when the macro is run…

Use a bogus email (unlike I did here) – I know, I know. Bad OpSec.

Tools\calculator.exe

Yep… they ran it

“Nobody’s going to run an executable from some random USB” -- Greg

Now we have our foothold…

Fortunately they didn’t run this as an admin

Macro Attack Detection

Malware Beaconing


Conclusion

• Developing and leveraging actionable OSINT data can help operationalize Threat Intelligence
• Develop a cyclical Threat Intelligence ecosystem and implement automated responses to known threats
• Take proactive measures by laying traps and various flags that will notify the SOC of anomalous activity
• Use active defense techniques to learn more about the adversary and attempt to gain attribution
• Understand the shortcomings of attribution and document bugging to avoid common pitfalls
• Communicate across various departments and coordinate defensive efforts

James Carder, James.Carder@LogRhythm.com, CISO | VP LogRhythm Labs

Greg Foss, Greg.Foss@LogRhythm.com, Global Security Operations Team Lead

Thank You!