Threat Intelligence with Open Source tools
Cornerstones of Trust 2014
@jaimeblasco @santiagobassett
Presenters
JAIME BLASCO, Director, AlienVault Labs
Security Researcher / Malware Analyst / Incident Response
SANTIAGO BASSETT, Security Engineer
OSSIM / OSSEC / Network Security / Logs Management
The attacker’s advantage
• They only need to be successful once
• Determined, skilled and often funded adversaries
• Custom malware, 0days, multiple attack vectors, social engineering
• Persistent
The defender’s disadvantage
• They can’t make a mistake
• Understaffed, jack of all trades, underfunded
• Increasingly complex IT infrastructure:
– Moving to the cloud
– Virtualization
– Bring your own device
• Prevention controls fail to block everything
• Hundreds of systems and vulnerabilities to patch
What is Threat Intelligence?
• Information about malicious actors
• Helps you make better decisions about defense
• Examples: IP addresses, domains, URLs, file hashes, TTPs, victims’ industries, countries, ...
State of the art
• Most sharing is unstructured & human-to-human
• Closed groups
• Current standards require knowledge, resources and time to integrate the data
How to use Threat Intelligence
• Detect what my prevention technologies fail to block
• Security planning, threat assessment
• Improves incident response / triage
• Decide which vulnerabilities to patch first
The Threat Intelligence Pyramid of Pain
Standards & Tools
• IODEF: Incident Object Description Exchange Format
• MITRE:
– STIX: Structured Threat Information eXpression
– TAXII: Trusted Automated eXchange of Indicator Information
– MAEC, CAPEC, CybOX
• CIF: Collective Intelligence Framework
Collective Intelligence Framework
Collecting malware
Some malware tracking sites:
• http://malc0de.com/rss
• http://www.malwareblacklist.com/mbl.xml
• http://www.malwaredomainlist.com/hostslist/mdl.xml
• http://vxvault.siri-urz.net/URL_List.php
• http://urlquery.net
• http://support.clean-mx.de/clean-mx/xmlviruses.php
Some Open Source malware crawlers:
• Maltrieve: https://github.com/technoskald/maltrieve
• Ragpicker: https://code.google.com/p/malware-crawler/
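Added example (not from the slides or from any of the feeds listed above): a small Python parser that turns a tracking feed into a deduplicated indicator list of the kind the later slides push into CIF. The feed below is a constructed, generic RSS layout with fictitious example.com / example.net hosts and a TEST-NET address; the real feeds above each have their own format, so the parsing assumptions here (an RSS <item> with a <link>) are this example's, not theirs. It also handles the "hxxp://" defanging convention the deck uses later for the garyhart.com indicator.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample feed. Generic RSS layout, NOT the format of any feed on
# the slide; hosts are fictitious (RFC 2606 names, RFC 5737 address).
SAMPLE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed malware URL feed</title>
<item><title>sample 1</title><link>http://malware.example.com/dl/a.exe</link></item>
<item><title>sample 2</title><link>http://MALWARE.example.com/dl/b.exe</link></item>
<item><title>sample 3</title><link>http://203.0.113.7/loader.php</link></item>
<item><title>sample 4</title><link>hxxp://drop.example.net/x.doc</link></item>
<item><title>broken</title><link>not a url</link></item>
</channel></rss>"""


def refang(url: str) -> str:
    """Undo the common 'hxxp://' defang so the URL can actually be parsed."""
    cleaned = url.strip()
    if cleaned.lower().startswith("hxxp"):
        return "http" + cleaned[4:]
    return cleaned


def defang(value: str) -> str:
    """Make an indicator safe to paste into a report: a.b.c -> a[.]b[.]c."""
    return value.replace(".", "[.]")


def classify_host(host: str) -> Optional[str]:
    """Return 'ip', 'domain', or None for junk that should be dropped."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    return "domain" if "." in host else None


def extract_indicators(feed_xml: bytes) -> List[Dict[str, str]]:
    """Parse an RSS feed and return one record per unique host, in feed order.

    Records are {'type': 'ip'|'domain', 'value': host, 'url': refanged URL}.
    Hosts are compared case-insensitively so MALWARE.example.com and
    malware.example.com collapse into a single indicator.
    """
    root = ET.fromstring(feed_xml)
    seen = set()
    indicators: List[Dict[str, str]] = []
    for item in root.iter("item"):
        link = refang(item.findtext("link") or "")
        host = (urlparse(link).hostname or "").lower()
        kind = classify_host(host)
        if kind is None or host in seen:
            continue  # unparsable link, or a host we already have
        seen.add(host)
        indicators.append({"type": kind, "value": host, "url": link})
    return indicators


if __name__ == "__main__":
    for ind in extract_indicators(SAMPLE_FEED):
        print(f"{ind['type']:6} {defang(ind['value'])}")
```

The parse/refang/classify split mirrors what a CIF-style pipeline needs: the raw URL is kept for provenance, while the normalized host is what gets matched against logs.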
Collecting malware
Other malware collection tools
Dionaea honeypot:
• http://dionaea.carnivore.it/
Thug Honeyclient – drive-by download attacks:
• https://github.com/buffer/thug
• Emulates browser functionality (ActiveX controls and plugins)
Analyzing malware
Yara: Flexible, human-readable rules for identifying malicious streams.
Can be used to analyze:
• files
• memory (Volatility)
• network streams
private rule APT1_RARSilent_EXE_PDF
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        $winrar1 = "WINRAR.SFX" wide ascii
        $winrar2 = ";The comment below contains SFX script commands" wide ascii
        $winrar3 = "Silent=1" wide ascii

        $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
        $str2 = "Steup=\"" wide ascii

    condition:
        all of ($winrar*) and 1 of ($str*)
}
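Added example (not from the slides, and not YARA itself): a pure-Python re-implementation of the rule's matching logic, to make two things concrete that the rule text leaves implicit. First, "wide ascii" means each string is searched both as plain ASCII and as UTF-16LE (every character followed by a NUL), which is how string constants usually appear inside Windows binaries. Second, `$str1` is a regex with no modifiers, so it matches ASCII only, while `$str2` catches the attackers' "Steup=" misspelling in either encoding. The sample buffers are constructed, not real malware; the function names are this example's own.

```python
import re
from typing import Dict

# The rule's string definitions, transcribed from the slide.
WINRAR_STRINGS = [
    b"WINRAR.SFX",
    b";The comment below contains SFX script commands",
    b"Silent=1",
]
SETUP_REGEX = re.compile(rb'Setup=[\s\w"]+\.(exe|pdf|doc)')  # $str1, ascii only
STEUP_STRING = b'Steup="'                                    # $str2, wide ascii


def wide(s: bytes) -> bytes:
    """YARA's 'wide' modifier: ASCII text re-encoded as UTF-16LE (char, NUL, ...)."""
    return s.decode("ascii").encode("utf-16-le")


def contains_ascii_or_wide(data: bytes, s: bytes) -> bool:
    """Equivalent of a YARA string declared 'wide ascii'."""
    return s in data or wide(s) in data


def apt1_rarsilent_matches(data: bytes) -> bool:
    """Evaluate: all of ($winrar*) and 1 of ($str*)."""
    winrar_all = all(contains_ascii_or_wide(data, s) for s in WINRAR_STRINGS)
    str1 = SETUP_REGEX.search(data) is not None       # no 'wide' on the regex
    str2 = contains_ascii_or_wide(data, STEUP_STRING)
    return winrar_all and (str1 or str2)


def build_samples() -> Dict[str, bytes]:
    """Constructed buffers that stand in for WinRAR SFX stubs (not real samples)."""
    comment = b";The comment below contains SFX script commands\r\n"
    return {
        # All three WinRAR markers plus an ASCII 'Setup=<name>.pdf' line: matches.
        "ascii_sfx": b"MZ\x90\x00" + b"WINRAR.SFX" + comment
        + b"Silent=1\r\nSetup=report.pdf\r\n",
        # Same markers UTF-16LE encoded; the regex cannot see them, but the
        # 'wide' $str2 does, so the rule still fires.
        "wide_sfx": b"MZ\x90\x00" + wide(b"WINRAR.SFX") + wide(comment)
        + wide(b"Silent=1\r\n") + wide(b'Steup="x.exe"\r\n'),
        # Silent SFX that launches an .msi: markers present, neither $str
        # matches, so the '1 of ($str*)' clause keeps it out.
        "silent_msi_sfx": b"MZ\x90\x00" + b"WINRAR.SFX" + comment
        + b"Silent=1\r\nSetup=installer.msi\r\n",
    }


if __name__ == "__main__":
    for name, buf in build_samples().items():
        print(f"{name:16} -> {'MATCH' if apt1_rarsilent_matches(buf) else 'no match'}")
```

Running the three buffers through real YARA with the rule above gives the same verdicts; the point of the re-implementation is only to show which encoding each string clause is sensitive to.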
Analyzing malware
Cuckoo Sandbox: Used for automated malware analysis.
• Traces Win32 API calls
• Files created, deleted and downloaded
• Memory dumps of malicious processes
• Network traffic pcaps
Analyzing malware
Sandbox – CIF integration
In our example: hxxp://www.garyhart.com (domain indicator)
CIF External feed example
Thank you!!
@jaimeblascob
@santiagobassett