Page 1: Sharing Threat Intelligence & Playbooks

Success Stories & Traditional Challenges

Derek Manky, Chief of Security Insights

© Copyright Fortinet Inc. All rights reserved.

Page 2: CTI Initiatives

• Industry – Collaboration & Innovation
• Enterprise – Threat Research

Page 3: CTI Initiatives

• Law Enforcement & Government – Attribution
• CERT – Disruption

Page 4: Challenge 1 – Attribution

Attribution: MITRE ATT&CK and Adversary Playbooks

Page 5: Challenges

• Too much noise!
• Counter intelligence
• Resource intensive (top of the pyramid)
• Technical adoption of STIXv2 platform
• Skills gap

Automation, Real Time Collaboration, Vetting

Indicator types, from hardest to easiest for the adversary to change:

• Tough – TTPs
• Challenging – Tools
• Moderate – Network/Host Artifacts
• Simple – Domain Names
• Easy – IP Addresses
• Trivial – Hash Values

Page 6: Fortinet & INTERPOL: Project Knightrider

• $61M of funds stolen in a 3 month period through Business Email Compromise
• $100k – $10M+ USD transactions through payment diversion
• 61 days of information reviewed
• 35–50% payment to money laundering on funds transferred through service (high amount, high risk); local and overseas
• 4 main players, including kingpin, laundering manager, hacker head, and forger
• Largest group was the hacking group
• Many more involved in the laundering network

Page 7: Threat Actor Playbook

The complete collection of tools, techniques, and steps that adversaries go through to complete their cyber mission.

Page 8: Playbook – Creation Process (Operationalizing ATT&CK)

8 Criteria

1 Collection
• Fortinet research
• Hunting via YARA rules
• Samples in ST3/VT/OSINT

2 Analysis
• Understand the motives & distribution of the threat actors
• Analysis and research against MITRE ATT&CK
• Reversing for baseline discovery

3 Investigation
• Maltego analysis
• OSINT of network IOCs and hashes to cluster families

4 Dissemination
• Stage internal playbook viewer via STIX
• Early partner sharing
• Public release

5 Determine if candidates meet minimum baseline for inclusion.

Page 9: Playbook Package – Emotet: Jack of all Trades

• Fortinet Blog/TLR (Quarterly)
• Playbook Viewer
• STIXv2 Files – GitHub
• Lightboard Video
• Presentation

Page 10: Goblin Panda – The Month of August 2018

Intrusion Set: 3 Campaigns, 184 Indicators, 12 Vulnerabilities, 64 Attack Patterns

Targets: Various interests in Southeast Asia (information collection)

Remote Access Tool: NewCore RAT

Tactics covered: Execution, Persistence, Defensive Evasion, Discovery, Collection, Exfiltration, Command & Control

Techniques (in slide order):
• Exploitation for Client Execution
• Third-Party Software
• User Execution
• Registry Run Keys / Start Folder
• Rundll32
• DLL Search Order Hijacking
• Code Signing
• Masquerading
• File and Directory Discovery
• Query Registry
• Data from Local System
• Data Encryption
• Commonly Used Port
• Standard Application Layer Protocol
• Remote File Copy
• Malicious DLL via Side Loading
• Modify Registry
• System Information Discovery
• Screen Capture
• Custom Cryptographic Protocol
• Remote Access Tools

Page 11: Silence Group – May 2018 to December 2018

Intrusion Set: 5 Campaigns, 436 Indicators, 15 Vulnerabilities, 86 Attack Patterns

Targets: Banks & banking infrastructure

4 Modules: Main Module, Proxy Module, Monitor Module, ATM Module

Tactics covered: Execution, Persistence, Defensive Evasion, Discovery, Lateral Movement, Exfiltration, Command & Control

Techniques (in slide order):
• Command-Line Interface
• Compiled HTML File
• Mshta
• User Execution
• Scripting
• PowerShell
• Registry Run Keys
• Disabling Security Tools
• Masquerading
• File Deletion
• Modify Registry
• System Information
• System Network Configuration Discovery
• Remote File Copy
• Exfiltration over Command and Control
• Commonly Used Port
• Standard Application Layer Protocol
• Remote File Copy

Page 12: Zegost (Yet Another Panda) – January 2019 to March 2019

Intrusion Set: 1 Campaign, 1432 Indicators, 0 Vulnerabilities, 28 Attack Patterns

Targets: In this case the malware was focused on a Chinese government agency

Malware: Data Collection (Processes?), System Checks (Sandbox?)

Tactics covered: Execution, Persistence, Defensive Evasion, Discovery, Collection, Exfiltration, Command & Control

Techniques (in slide order):
• User Execution
• Service Execution
• Registry Run Keys
• Modify Registry
• Deobfuscate Files or Information
• Virtualization Sandbox Evasion
• New Service
• Peripheral Device Discovery
• Process Discovery
• Data Staging
• Automated Exfiltration
• Custom Command and Control Protocol
• Custom Cryptographic Protocol
• Remote File Copy
• Execution Guardrails
• File Deletion
• Indicator Removal on Host
• Masquerading
• Query Registry
• Security Software Discovery
• System Information Discovery
• System Network Connections Discovery
• Data from Local System
• Input Capture
• Video Capture
• Data Encryption
• Uncommonly Used Port

Controls overlaid on the techniques (Protection and Detection/Forensics): User Awareness, SIEM, UEBA, Endpoint, Seg FW, Firewall Egress, IPS Botnet Inspection.

Page 13: Emotet – October 2019

Intrusion Set: 1 Campaign, 15 Indicators, 0 Vulnerabilities, 12 Attack Patterns

Targets: Initially – financial sectors; today – most private and public sectors

Payloads: Banking Trojans; dropping others – AZORult, IcedID, ZeuS, Panda, Trickbot

Tactics covered: Initial Access, Execution, Persistence, Defensive Evasion, Collection, Command & Control

Techniques (in slide order):
• PowerShell
• User Execution
• Service Execution
• New Service
• Scripting
• Masquerading
• Process Injection
• Email Collection
• Remote File Copy
• Standard Application Layer Protocol
• Spearphishing Attachment
• Commonly Used Port

Page 14: Orangeworm Attack – MITRE ATT&CK TTPs

Tactics covered: Initial Access, Execution, Persistence, Privilege Escalation, Defensive Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control

Techniques (in slide order):
• Service Execution
• New Service
• Remote File Copy
• System Network Configuration Discovery
• Data Encoding
• Timestamp
• Command-Line Interface
• Rundll32
• File and Directory Discovery
• Network Share Discovery
• Account Discovery
• Password Policy Discovery
• System Information Configuration
• Windows Admin Shares

Observed artifacts:

cmd.exe /c start /b "" rundll32.exe "C:\WINDOWS\system32\wmiamgmt.dll" ControlTrace -Embedding -k DcomLaunch

Service Name: WmiApSrvEx
Display Name: WMI Performance Adapter Extension
Path to executable: %System%\{malware name}.exe
Start-up type: Automatic

CreateFile("\\x.x.x.x\C$\windows\system32\csrss.exe", ...);

cmd.exe /c "ipconfig /all" 2>nul
cmd.exe /c "systeminfo" 2>nul
cmd.exe /c "net accounts" 2>nul
cmd.exe /c "net share" 2>nul
cmd.exe /c "net users" 2>nul
cmd.exe /U /c dir /s /a c:\ >> "C:\windows\TEMP\[RANDOM].tmp" 2>2
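The discovery-command burst on this slide, expressed as detection logic a defender can run over process-creation telemetry. This is an added example, not part of the deck: the events, host names and timestamps are constructed, and the ATT&CK technique labels in DISCOVERY are my mapping of the commands, not the slide's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per discovery command seen on the slide, keyed by ATT&CK technique.
DISCOVERY = {
    "T1016 System Network Configuration Discovery": re.compile(r"\bipconfig\b", re.I),
    "T1082 System Information Discovery": re.compile(r"\bsysteminfo\b", re.I),
    "T1201 Password Policy Discovery": re.compile(r"\bnet\s*accounts\b", re.I),
    "T1135 Network Share Discovery": re.compile(r"\bnet\s*share\b", re.I),
    "T1087 Account Discovery": re.compile(r"\bnet\s*users?\b", re.I),
    "T1083 File and Directory Discovery": re.compile(r"\bdir\s+/s\b", re.I),
}

EVENTS = [  # constructed sample data: (UTC timestamp, host, parent image, command line)
    ("2018-04-23T10:00:01", "WS01", "rundll32.exe", 'cmd.exe /c "ipconfig /all" 2>nul'),
    ("2018-04-23T10:00:03", "WS01", "rundll32.exe", 'cmd.exe /c "systeminfo" 2>nul'),
    ("2018-04-23T10:00:05", "WS01", "rundll32.exe", 'cmd.exe /c "net accounts" 2>nul'),
    ("2018-04-23T10:00:07", "WS01", "rundll32.exe", 'cmd.exe /c "net share" 2>nul'),
    ("2018-04-23T10:00:09", "WS01", "rundll32.exe", 'cmd.exe /c "net users" 2>nul'),
    ("2018-04-23T10:00:11", "WS01", "rundll32.exe", 'cmd.exe /U /c dir /s /a c:\\ >> C:\\windows\\TEMP\\x.tmp'),
    ("2018-04-23T11:30:00", "WS02", "explorer.exe", "cmd.exe /c ipconfig /all"),  # lone admin check
]

def classify(cmdline):
    """ATT&CK techniques a single command line matches (may be empty or several)."""
    return [tech for tech, rx in DISCOVERY.items() if rx.search(cmdline)]

def find_recon_bursts(events, window=timedelta(minutes=10), min_techniques=3):
    """Alert per host when at least `min_techniques` distinct discovery techniques run
    within `window`; a lone ipconfig is admin noise, the scripted sequence is not."""
    per_host = defaultdict(list)
    for ts, host, parent, cmd in events:
        for tech in classify(cmd):
            per_host[host].append((datetime.fromisoformat(ts), tech, parent))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            techs = sorted({t for _, t, _ in in_window})
            if len(techs) >= min_techniques:
                alerts[host] = {"techniques": techs, "parents": sorted({p for _, _, p in in_window})}
                break
    return alerts

if __name__ == "__main__":
    for host, alert in find_recon_bursts(EVENTS).items():
        print(host, alert)
```

The parent image is carried into the alert because the slide shows the whole sequence launched from rundll32.exe; a recon burst whose parent is an interactive shell deserves a lower severity than one spawned by a DLL host.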

Page 15 – 16: (slide images only, no text)

Page 17: Challenge 2 – Shrinking TTB

Real Time Sharing Platform with STIXv2 and ATT&CK Mapping

Page 18: Evolving Attack Capabilities: Threat Landscape – Compounded Cybercrime

CRIME SERVICES
• Consulting
• Affiliates
• Criminal Organizations
• Sales, Licensing, Maintenance
• Partnerships
• Affiliate Programs
• FakeAV / Ransomware / Botnets

ENABLERS
• Bank Accounts
• Credentials & Data
• Digital Real Estate
• Money Mules
• Accounts Receivable
• Botnet Rentals
• Installs / Spam / SEO / DDoS
• Hosting
• Infections / Drop Zones
• Management
• Quality Assurance
• Crypters / Packers
• Scanners

CRIMEWARE PRODUCERS
• Source Code
• Junior Developers (copy & paste)
• Senior Developers
• Exploits
• Packers
• Special Platforms
• Mobile

VICTIMS

Page 19: Automated STIXv2 Platform – CTA Shared Platform

CTA is the industry's first formally organized group of cybersecurity practitioners that work together in good faith to share threat information and improve global defenses against advanced cyber adversaries; ultimately, protecting customers in real-time.

Page 20: Playbook Development – Project Magellan

With project Magellan, we will introduce a holistic data graph produced by our membership providing a powerful snapshot into IOC lifecycles.

Page 21: Magellan: Easy to use STIX 2 bundle builder

• Reducing the STIX 2 learning curve
• Increasing the understanding of our threat intelligence by providing STIX object visualizations and automated JSON construction
• Speeds up the sharing process
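What "automated JSON construction" of a playbook bundle looks like in practice, serving both the STIX dissemination step of the creation process (Page 8) and the bundle builder described here. This is an added example and not Magellan's or Fortinet's code: it emits STIX 2.1 JSON by hand rather than through the stix2 library, the actor and technique names are taken from the deck's Emotet slide with my own ATT&CK IDs, and the C2 domain is a constructed placeholder.

```python
import json
import uuid
from datetime import datetime, timezone

def now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def sdo(obj_type, **props):
    """Common STIX 2.1 envelope: type, spec_version, id, created, modified."""
    ts = now()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def attack_pattern(technique_id, name):
    """The ATT&CK mapping lives in external_references with source_name mitre-attack."""
    return sdo("attack-pattern", name=name, external_references=[{
        "source_name": "mitre-attack", "external_id": technique_id,
        "url": "https://attack.mitre.org/techniques/" + technique_id.replace(".", "/")}])

def relationship(src, rel_type, tgt):
    return sdo("relationship", relationship_type=rel_type,
               source_ref=src["id"], target_ref=tgt["id"])

def build_playbook_bundle(actor_name, techniques, indicator_patterns):
    """intrusion-set --uses--> attack-pattern; indicator --indicates--> intrusion-set."""
    actor = sdo("intrusion-set", name=actor_name)
    objs = [actor]
    for tid, name in techniques:
        ap = attack_pattern(tid, name)
        objs += [ap, relationship(actor, "uses", ap)]
    for pattern in indicator_patterns:
        ind = sdo("indicator", pattern_type="stix", pattern=pattern, valid_from=now())
        objs += [ind, relationship(ind, "indicates", actor)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}

def dangling_refs(bundle):
    """Relationships whose source_ref/target_ref do not resolve inside the bundle;
    consumers typically drop these silently, so check before sharing."""
    ids = {o["id"] for o in bundle["objects"]}
    return [o["id"] for o in bundle["objects"]
            if o["type"] == "relationship" and not {o["source_ref"], o["target_ref"]} <= ids]

if __name__ == "__main__":
    # Technique names from the deck's Emotet slide; the domain is a constructed placeholder.
    bundle = build_playbook_bundle("Emotet",
        [("T1566.001", "Spearphishing Attachment"), ("T1204", "User Execution"), ("T1055", "Process Injection")],
        ["[domain-name:value = 'c2.example.invalid']"])
    assert not dangling_refs(bundle)
    print(json.dumps(bundle, indent=2))
```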

Page 22: Calls to Action

• Actionable intelligence in networks
• Top down approach vs. pyramid
• Sharing of advanced intelligence
• Collaboration on vetted data