© Copyright Fortinet Inc. All rights reserved.
Sharing Threat Intelligence & Playbooks
Success Stories & Traditional Challenges
Derek Manky, Chief of Security Insights
CTI Initiatives
• Industry – Collaboration & Innovation
• Enterprise – Threat Research
• Law Enforcement & Government – Attribution
• CERT – Disruption
Challenge 1 – Attribution
Attribution: MITRE ATT&CK and Adversary Playbooks
Challenges
• Too much noise!
• Counter intelligence
• Resource intensive
• Technical adoption of STIXv2 platform
• Skills gap
• Automation, real-time collaboration, vetting

Pyramid of Pain (top to bottom)
• Tough – TTPs
• Challenging – Tools
• Moderate – Network/Host Artifacts
• Simple – Domain Names
• Easy – IP Addresses
• Trivial – Hash Values
Fortinet & INTERPOL: Project Knightrider
• $61M of funds stolen in a 3 month period through Business Email Compromise
• $100k – $10M+ USD transactions through payment diversion
• 61 days of information reviewed
• 35-50% payment to money laundering on funds transferred through service (high amount, high risk); local and overseas
• 4 main players, including kingpin, laundering manager, hacker head, and forger
• Largest group was the hacking group; many more were involved in the laundering network
Threat Actor Playbook: the complete collection of tools, techniques, and steps that adversaries go through to complete their cyber mission.
Playbook – Creation Process (Operationalizing ATT&CK)
1. Criteria – Determine if candidates meet the minimum baseline for inclusion.
2. Collection – Fortinet research; hunting via YARA rules; samples in ST3/VT/OSINT.
3. Analysis – Understand the motives and distribution of the threat actors; analysis and research against MITRE ATT&CK.
4. Investigation – Reversing for baseline discovery; Maltego analysis; OSINT of network IOCs and hashes to cluster families.
5. Dissemination – Stage internal playbook viewer via STIX; early partner sharing; public release.
Playbook Package: Emotet – Jack of all Trades
• Fortinet Blog/TLR (Quarterly)
• Playbook Viewer
• STIXv2 Files – GitHub
• Lightboard Video
• Presentation
Goblin Panda – The Month of August 2018
Intrusion Set: 3 Campaigns, 184 Indicators, 12 Vulnerabilities, 64 Attack Patterns
Targets: Various interests in Southeast Asia (information collection)
Remote Access Tool: NewCore RAT

ATT&CK mapping (tactic: techniques)
• Execution: Exploitation for Client Execution; Third-Party Software; User Execution
• Persistence: Registry Run Keys / Start Folder
• Defensive Evasion: Rundll32; DLL Search Order Hijacking; Code Signing; Masquerading; Malicious DLL via Side-loading; Modify Registry
• Discovery: File and Directory Discovery; Query Registry; System Information Discovery
• Collection: Data from Local System; Screen Capture
• Exfiltration: Data Encryption
• Command and Control: Commonly Used Port; Standard Application Layer Protocol; Remote File Copy; Custom Cryptographic Protocol; Remote Access Tools
Silence Group – May 2018 to December 2018
Intrusion Set: 5 Campaigns, 436 Indicators, 15 Vulnerabilities, 86 Attack Patterns
Targets: Banks & banking infrastructure
4 Modules: Main Module, Proxy Module, Monitor Module, ATM Module

ATT&CK mapping (tactic: techniques)
• Execution: Command-Line Interface; Compiled HTML File; Mshta; User Execution; Scripting; PowerShell
• Persistence: Registry Run Keys
• Defensive Evasion: Disabling Security Tools; Masquerading; File Deletion; Modify Registry
• Discovery: System Information Discovery; System Network Configuration Discovery
• Lateral Movement: Remote File Copy
• Exfiltration: Exfiltration over Command and Control
• Command and Control: Commonly Used Port; Standard Application Layer Protocol; Remote File Copy
Zegost (Yet Another Panda) – January 2019 to March 2019
Intrusion Set: 1 Campaign, 1432 Indicators, 0 Vulnerabilities, 28 Attack Patterns
Targets: In this case the malware was focused on a Chinese government agency
Malware notes: Data Collection (Processes?); System Checks (Sandbox?)

ATT&CK mapping (tactic: techniques)
• Execution: User Execution; Service Execution
• Persistence: Registry Run Keys; New Service
• Defensive Evasion: Modify Registry; Deobfuscate Files or Information; Virtualization/Sandbox Evasion; Execution Guardrails; File Deletion; Indicator Removal on Host; Masquerading
• Discovery: Peripheral Device Discovery; Process Discovery; Query Registry; Security Software Discovery; System Information Discovery; System Network Connections Discovery
• Collection: Data Staging; Data from Local System; Input Capture; Video Capture
• Exfiltration: Automated Exfiltration; Data Encryption
• Command and Control: Custom Command and Control Protocol; Custom Cryptographic Protocol; Remote File Copy; Uncommonly Used Port

Each technique on the slide is annotated with the control that addresses it, grouped as Protection or Detection/Forensics: User Awareness, SIEM, UEBA, Endpoint, Segmentation FW, Firewall Egress, IPS Botnet Inspection.
Emotet – October 2019
Intrusion Set: 1 Campaign, 15 Indicators, 0 Vulnerabilities, 12 Attack Patterns
Targets: Initially financial sectors; today most private and public sectors
Payloads: Banking Trojans; dropping others – AZORult, IcedID, ZeuS Panda, Trickbot

ATT&CK mapping (tactic: techniques)
• Initial Access: Spearphishing Attachment
• Execution: PowerShell; User Execution; Service Execution; Scripting
• Persistence: New Service
• Defensive Evasion: Masquerading; Process Injection
• Collection: Email Collection
• Command & Control: Remote File Copy; Standard Application Layer Protocol; Commonly Used Port
Orangeworm Attack – MITRE ATT&CK TTPs
Tactics covered: Initial Access, Execution, Persistence, Privilege Escalation, Defensive Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control
Techniques: Service Execution; New Service; Remote File Copy; System Network Configuration Discovery; Data Encoding; Timestamp; Command-Line Interface; Rundll32; File and Directory Discovery; Network Share Discovery; Account Discovery; Password Policy Discovery; System Information Configuration; Windows Admin Shares

Observed artifacts (as shown on the slide):

Execution via rundll32:
    cmd.exe /c start /b "" rundll32.exe "C:\WINDOWS\system32\wmiamgmt.dll" ControlTrace -Embedding -k DcomLaunch

Persistence – new service:
    Service Name: WmiApSrvEx
    Display Name: WMI Performance Adapter Extension
    Path to executable: %System%\{malware name}.exe
    Start-up type: Automatic

Remote file copy over an admin share:
    CreateFile("\\x.x.x.x\C$\windows\system32\csrss.exe", ...);

Discovery commands:
    cmd.exe /c "ipconfig /all" 2>nul
    cmd.exe /c "systeminfo" 2>nul
    cmd.exe /c "net accounts" 2>nul
    cmd.exe /c "net share" 2>nul
    cmd.exe /c "net users" 2>nul
    cmd.exe /U /c dir /s /a c:\ >> "C:\windows\TEMP\[RANDOM].tmp" 2>2
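The Orangeworm slide lists its discovery commands as observed artifacts. The Python below is an added example, not from the deck, showing how a defender maps such process-creation command lines to ATT&CK technique IDs and alerts only on the chained discovery burst, which is what turns single noisy commands into a recognisable playbook. The events, host names and timestamps are constructed; technique IDs come from the public ATT&CK framework.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the command lines shown on the
# Orangeworm slide; host names and timestamps are made up for the example.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "cmd": 'cmd.exe /c "ipconfig /all" 2>nul'},
    {"host": "ws01", "ts": 101, "cmd": 'cmd.exe /c "systeminfo" 2>nul'},
    {"host": "ws01", "ts": 102, "cmd": 'cmd.exe /c "net accounts" 2>nul'},
    {"host": "ws01", "ts": 103, "cmd": 'cmd.exe /c "net share" 2>nul'},
    {"host": "ws01", "ts": 104, "cmd": 'cmd.exe /c "net users" 2>nul'},
    {"host": "ws01", "ts": 105, "cmd": 'cmd.exe /U /c dir /s /a c:\\ >> "C:\\windows\\TEMP\\x.tmp"'},
    {"host": "ws01", "ts": 900, "cmd": 'rundll32.exe "C:\\WINDOWS\\system32\\wmiamgmt.dll" ControlTrace'},
    {"host": "ws02", "ts": 100, "cmd": 'cmd.exe /c "ipconfig /all"'},  # lone admin command, not a burst
]

# Command-line pattern -> ATT&CK (technique ID, name); IDs are from the public framework.
RULES = [
    (re.compile(r"\bipconfig\b", re.I), ("T1016", "System Network Configuration Discovery")),
    (re.compile(r"\bsysteminfo\b", re.I), ("T1082", "System Information Discovery")),
    (re.compile(r"\bnet\s+accounts\b", re.I), ("T1201", "Password Policy Discovery")),
    (re.compile(r"\bnet\s+share\b", re.I), ("T1135", "Network Share Discovery")),
    (re.compile(r"\bnet\s+users?\b", re.I), ("T1087", "Account Discovery")),
    (re.compile(r"\bdir\s+/s\b", re.I), ("T1083", "File and Directory Discovery")),
    (re.compile(r"\brundll32(\.exe)?\b", re.I), ("T1218.011", "Rundll32")),
]
DISCOVERY_IDS = ("T1016", "T1082", "T1201", "T1135", "T1087", "T1083")

def map_event(cmd):
    """Return the ATT&CK techniques whose pattern matches one command line."""
    return [tech for pat, tech in RULES if pat.search(cmd)]

def discovery_bursts(events, min_techniques=3, window=300):
    """Per host, report when >= min_techniques distinct discovery techniques fire
    within `window` seconds of each other: one command is noise, the chain is the playbook."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tid, _ in map_event(ev["cmd"]):
            if tid in DISCOVERY_IDS:
                by_host[ev["host"]].append((ev["ts"], tid))
    alerts = {}
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):
            seen = {tid for ts, tid in hits[i:] if ts - start <= window}
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen)
                break
    return alerts
```

Running `discovery_bursts(SAMPLE_EVENTS)` flags ws01 with six discovery techniques inside five seconds and stays silent on ws02, whose single ipconfig is ordinary administration.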
Challenge 2 – Shrinking TTB
Real Time Sharing Platform with STIXv2 and ATT&CK Mapping
Evolving Attack Capabilities: Threat Landscape – Compounded Cybercrime
• Crime Services / Enablers: Consulting; Affiliates; Criminal Organizations; Sales, Licensing, Maintenance; Partnerships; Affiliate Programs; FakeAV / Ransomware / Botnets; Bank Accounts; Credentials & Data; Digital Real Estate; Money Mules; Accounts Receivable; Botnet Rentals; Installs / Spam / SEO / DDoS; Hosting; Infections / Drop Zones; Management; Quality Assurance; Crypters / Packers; Scanners
• Crimeware Producers: Source Code; Junior Developers (copy & paste); Senior Developers; Exploits; Packers; Special Platforms; Mobile
• Victims
Automated STIXv2 Platform – CTA Shared Platform
CTA is the industry’s first formally organized group of cybersecurity practitioners that work together in good faith to share threat information and improve global defenses against advanced cyber adversaries; ultimately, protecting customers in real time.
Playbook Development – Project Magellan
With Project Magellan, we will introduce a holistic data graph produced by our membership, providing a powerful snapshot into IOC lifecycles.
Magellan: Easy to use STIX 2 bundle builder
• Reducing the STIX 2 learning curve
• Increasing the understanding of our threat intelligence by providing STIX object visualizations and automated JSON construction
• Speeds up the sharing process
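Both the playbook creation process (Criteria through Dissemination) and the Magellan slide come down to producing a STIX 2 bundle that ties an intrusion set to its ATT&CK attack patterns and indicators. The Python below is an added example, not Fortinet's or Magellan's code; it builds such a bundle with the standard library only, using technique names from the Emotet slide, ATT&CK IDs from the public framework, and a constructed placeholder hash, and includes the referential check a sharing platform should run before accepting a bundle.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample data modelled on the deck's Emotet slide: technique names
# from the slide, ATT&CK IDs from the public framework, a placeholder hash.
EMOTET_TECHNIQUES = [("Spearphishing Attachment", "T1566.001"), ("PowerShell", "T1059.001"),
                     ("Process Injection", "T1055"), ("Email Collection", "T1114")]
SAMPLE_SHA256 = "00" * 32  # constructed placeholder, not a real indicator

def _stix(obj_type, **props):
    """One STIX 2.1 object with the required common properties filled in."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": now, "modified": now, **props}

def _rel(kind, src, dst):
    """STIX relationship object linking two objects already in the bundle."""
    return _stix("relationship", relationship_type=kind, source_ref=src["id"], target_ref=dst["id"])

def build_playbook_bundle(actor, family, techniques, hashes):
    """Bundle shaped like a playbook: intrusion-set --uses--> attack-pattern and
    malware; indicator --indicates--> malware."""
    iset = _stix("intrusion-set", name=actor)
    mal = _stix("malware", name=family, is_family=True)
    objects = [iset, mal, _rel("uses", iset, mal)]
    for name, tid in techniques:
        ap = _stix("attack-pattern", name=name, external_references=[
            {"source_name": "mitre-attack", "external_id": tid,
             "url": f"https://attack.mitre.org/techniques/{tid.replace('.', '/')}"}])
        objects += [ap, _rel("uses", iset, ap)]
    for h in hashes:
        ind = _stix("indicator", pattern_type="stix", valid_from=mal["created"],
                    pattern=f"[file:hashes.'SHA-256' = '{h}']")
        objects += [ind, _rel("indicates", ind, mal)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def summarize(bundle):
    """The counts shown in the deck's 'Intrusion Set' summary boxes."""
    kinds = [o["type"] for o in bundle["objects"]]
    return {"indicators": kinds.count("indicator"), "attack_patterns": kinds.count("attack-pattern"),
            "vulnerabilities": kinds.count("vulnerability")}

def dangling_refs(bundle):
    """Relationships whose refs do not resolve inside the bundle; must be empty."""
    ids = {o["id"] for o in bundle["objects"]}
    return [o["id"] for o in bundle["objects"]
            if o["type"] == "relationship" and not {o["source_ref"], o["target_ref"]} <= ids]
```

`json.dumps(build_playbook_bundle("Emotet operators", "Emotet", EMOTET_TECHNIQUES, [SAMPLE_SHA256]), indent=2)` yields the JSON a viewer or sharing platform consumes; `dangling_refs` catches the common mistake of shipping relationships whose endpoints were left out of the bundle.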
Calls to Action
• Actionable intelligence in networks
• Top down approach vs. pyramid
• Sharing of advanced intelligence
• Collaboration on vetted data