Incorporating Threat Intelligence into Your Enterprise Communications Systems

Solomon Sonya

Upload: ec-council

Post on 05-Aug-2015



Overview

• About Me
• Background
• Understand need and use of Threat Intelligence
• Construct Threat Intelligence Engine


Background

• Computer attacks continue to increase in prevalence and sophistication

• What have we done to meet these threats?
– Signature-Based Detection
– Anomaly/Heuristic-Based Detection

Old Methods Have Failed or remain inadequate…

• Signature-Based detection has long failed
– Too easy to bypass
– Re-compile, new signature
– Encode, Encrypt, Obfuscate

• Anomaly/Heuristics-based detection is headed in the right direction… but still has its drawbacks
– Baseline
– Training
– Too Noisy… ‘the boy who cried wolf’
– Too lax… ‘everyone is welcomed!’

A New Paradigm is Required!

• What is Intelligence-Based Security (Threat Intelligence)?
– Many definitions exist
– Avoid the noise
– Simply: amalgamation and analysis of data to produce Actionable Intelligence regarding a likely threat or attack

• Actionable Intelligence allows us to make a decision regarding the security of our enterprise

• There is still a difference between threat-data and threat intelligence

How did I arrive at IBS?

• As a defender, I conduct err… research network attacks (truly the best way to defend is to master exploitation)

• There are times when I need a new, convincing domain (burner-domain) for the attack

• I’ve found some enterprises may institute additional blocks based on domains (new domains increase likelihood of attack)

• Thus I’d like to have my domains active for a long period of time

• A few weeks ago, I was shocked to discover I own over 40+ domains (no big deal… but still… wow!)

• Now if I were to purchase a new domain, I would probably use the same methods (because it works and I am most familiar with it!)

PUNT! Let’s take a look at the Attack Methodology again…

• What are the common phases? (old method btw)
– Recon (Diverge)
– Scan (Converge)
– Penetration (Converge)
– Maintain Access (Converge)
– Cover Tracks (Diverge)

Briefly – Common Tools

• Recon (Diverge)

• Scanning (Converge)
– Nmap, Superscan?, Nessus, Nexpose, Nikto…

• Penetration (Converge)
– Armitage, Metasploit, CobaltStrike, SET…

• Etc…

Please Don Your Blue Hat Now…

• You are now the security defender of your enterprise

• You protect your computers and the network

• A scan reveals the following tools installed on a machine
– Wireshark, Kismet, Ettercap, ALFA Card drivers, NetStumbler, Dsniff, Aircrack-ng suite, THC Hydra, NetworkMiner, etc.

• What can we conclude about this system?

Convergence of Evidence

• In the previous case, assuming the computer wasn’t breached, we may conclude it is to be used for wireless and network penetration

• We did this via Convergence of Evidence
– “Evidence from multiple independent sources can converge into a single, most likely conclusion”

Predicting Today and Yester-year’s Threats?

• What strategies do we employ?
– AV?
– IDS?
– IPS?
– Firewalls?
– Blacklists?
– Whitelists?

• And so what of new campaigns with never before witnessed domains?

• With TI, I’m not concerned with protecting yesterday’s threats… but tomorrow’s using what I learned today

Predicting Tomorrow’s Threats…

• What if you are the defender of the net and you deploy your protection strategy…

• Given a new domain, never seen before, how do we know if it could be malicious? What conclusions can we make?

tkggvtqvj.org ngzuuazhj.cn ndnroawwps.cn yqdqyntx.com zjjcnghtssj.com rpyaqstbi.net uvcaylkgdpg.biz esebr.cc lrrmirop.net vzcocljtfi.biz jygfwxz.info tpcppmxwv.info wojpnhwk.cc ayrrajawlx.com ztoohkug.com plrjgcjzf.net byymd.cc cxtjlsahcy.biz qegiche.ws uixaky.ws tbjwzo.org ylktrupygmp.cc weafo.biz bcipb.org ovdbkbanqw.com qocrpt.ws izcbraikou.org

What Can We Learn?

• At one time, most existed
• Could be DGAs
• Correlation analysis:
– Creation Date: 2009-12-22
– Owner Address: Afilias Array Dublin 24 IE
– Owner Email: “B” or [email protected]
– Owner Phone: +1.2023243000
– Name Server: ns.cwgsh.com, ns.cwgsh.net, ns.cwgsh.org
• We might have found an Indicator of Compromise

Indicators of Compromise

• An Indicator of Compromise (IOC) is an artifact (or group of artifacts) that, if observed, can yield knowledge of the presence of infection/exfiltration

• Via Convergence, understanding the correct data points can allow us to detect not only yesterday’s threats, but predict the likelihood of tomorrow’s attacks

Building the TIE

• Data + Analysis yields Knowledge and Intelligence
• How much Data??? LOTS!!!
• Excalibur calls these DDS (Disparate Data Sources)
• Different Types
• Different Analysis (Offline and Live/Online)
• Reaping/Harvesting
• Converting non-structured into structured data (normalizing)
• Data Analysis
• Database Programming
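As an added example (not code from the talk or from the author's engine), a minimal Python sketch of the normalizing and convergence steps described above and under "What Can We Learn?": two constructed WHOIS-style records in different layouts are mapped onto one schema, then independent signals (a DGA-like label, registration age, a name server shared with the cluster the slides correlate) are counted so that converging evidence, not any single signal, drives the verdict. The consonant-run heuristic, the 30-day age threshold and the field aliases are assumptions made here.

```python
import re
from datetime import date

# Constructed sample records, in two shapes disparate data sources (the slides' DDS) return.
# The text one reuses the page's example domain and WHOIS values; the dict is a made-up benign one.
SOURCE_A = ("domain: tkggvtqvj.org\ncreated: 2009-12-22\n"
            "nserver: ns.cwgsh.com\nnserver: ns.cwgsh.net")
SOURCE_B = {"Domain Name": "EXAMPLE-CORP.COM", "Creation Date": "2004-03-15",
            "Name Server": ["NS1.EXAMPLE-CORP.COM"]}
# Name servers the slides' correlation step tied to the suspicious cluster
KNOWN_BAD_NS = {"ns.cwgsh.com", "ns.cwgsh.net", "ns.cwgsh.org"}
# Every source spells its field names differently: map them onto one schema
ALIASES = {"domain": "domain", "domain name": "domain", "created": "created",
           "creation date": "created", "nserver": "ns", "name server": "ns"}

def normalize(raw):
    """Convert a text or dict record into one structured schema."""
    items = raw.items() if isinstance(raw, dict) else \
        (line.partition(":")[::2] for line in raw.splitlines())
    rec = {"domain": None, "created": None, "ns": set()}
    for key, val in items:
        field = ALIASES.get(key.strip().lower())
        for v in (val if isinstance(val, list) else [val]):
            v = v.strip().lower()
            if field == "ns":
                rec["ns"].add(v)
            elif field:
                rec[field] = date.fromisoformat(v) if field == "created" else v
    return rec

def looks_generated(domain):
    """Heuristic (assumed): a label with a run of 4+ consonants reads like DGA output."""
    letters = re.sub(r"[^a-z]", "", domain.split(".")[0].lower())
    return re.search(r"[^aeiou]{4,}", letters) is not None

def evidence(rec, as_of, max_age_days=30):
    """Independent signals for one record; as_of is an ISO date string."""
    signals = []
    if looks_generated(rec["domain"]):
        signals.append("dga-like label")
    if rec["created"] and (date.fromisoformat(as_of) - rec["created"]).days <= max_age_days:
        signals.append("newly registered")
    if rec["ns"] & KNOWN_BAD_NS:
        signals.append("shares name server with known cluster")
    return signals

def verdict(rec, as_of):
    """Two or more converging independent signals are treated as actionable."""
    n = len(evidence(rec, as_of))
    return "likely malicious" if n >= 2 else "watch" if n == 1 else "no indicator"
```

Each signal alone is weak (many legitimate domains are young, and consonant runs occur in real words), which is why the verdict keys on convergence.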

Reaping Gotchas

• Non-structured (everyone is different)

Analyze the Site

• Understand how to automate the requests

Demo

Beware… Live Demo Gremlin…

http://logout.hu/dl/upc/2011-06/230806_gremlin_in_my_computer-lyvind_berget.jpg, Retrieved 17 Sep 13

Special Thanks

• TakeDownCon
• VirusTotal
• Malwr.com
• Mr. Suhail “The Boss”
• Dhia Mohjoub (@DhiaLite)
• Andrew Morris and Animus (@andrew__morris)
• Kevin Cooper (@Imp3rialCooper)
• Dan Gunter

Contact Me

• Solomon Sonya
• [email protected]
• @Carpenter1010