Threat Intel Sharing: Deciphering the APTs secret handshakes
Adam Lange, Mark Manglicmot
Posted on 10-Feb-2016


Page 1: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Threat Intel Sharing: Deciphering the APTs secret handshakes
Adam Lange, Mark Manglicmot

Page 2: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Adam Lange & Mark Manglicmot

• Senior Consultant at Delta Risk LLC
• CISM, GCIA, GSEC, GCIH, CEH, Sec+
• Advanced threat consulting & counter-APT team building for Fortune 500s, federal government, and allied governments

• Senior Consultant in Ernst & Young's Advanced Security Center
• CISSP, GCIH, CEH, Sec+
• Advanced threat, Incident Response, & SOC consulting

@MGManglicmot @LangeSecurity

Page 3: Threat Intel Sharing:  Deciphering the APTs secret handshakes

The Data Doesn't Lie!

Past habits can help predict future behavior.

By analyzing data trends over time, Target could tell a 15-year-old girl was pregnant before her family knew.

Page 4: Threat Intel Sharing:  Deciphering the APTs secret handshakes

The Problems Defenders Face

• Advanced adversaries evolve faster than we can
• There is no delineation between routine incidents and incidents that may be APT activity
• Industry improvements are being made all the time, and integration into government operations tends to lag behind
• We don't have all the processes, tools and understanding to take on APT actors

Page 5: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Demystifying Threat Intel: Everyone has it!

Page 6: Threat Intel Sharing:  Deciphering the APTs secret handshakes


Page 7: Threat Intel Sharing:  Deciphering the APTs secret handshakes

The Role of Intel

• Major driver to catch the top tier of threat
• Detection, Prevention, Response

Types of Intel

• Behavioral
• Indicators

Page 8: Threat Intel Sharing:  Deciphering the APTs secret handshakes

APT is bad stuff

• APT makes up 20% of workload; 80% is "garbage"
• What is the difference? There is no "APT differentiation analyst"
• Targets industries whose intellectual property provides a strategic advantage for the attacker
• Intelligence on APT actors comes from three major areas: internally derived, commercially purchased, sharing partners

Page 9: Threat Intel Sharing:  Deciphering the APTs secret handshakes

A Quick Look at the Adversaries

Adversary: Motivation
APT: Strategic Gains
Cyber Crime: Financial Gains
Hacktivists: Sociopolitical Gains
Script kiddies, college kids, others: Thrill of the exploit, learning the system, generic mayhem

Top 20% -- High impact: The good news is that because they tend to repeat attacks with recycled tactics, organizations can trend their behavior over time.

Bottom 80% -- Lower impact: They don't trend well, so mitigate and move on.

Page 10: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Sophistication vs Intel

[Chart: Defense Sophistication (horizontal axis) against Attacker Knowledge and Technology (vertical axis, LOW to HIGH).]

Defenses plotted: Patching, Firewalls, IDS/IPS, Network Traffic Analysis, Honeynets, High Quality Forensics and Incident Reporting, DDoS Mitigation, Deception Operations, Behavior/Event Capture/Analysis, HIPS

Attacks plotted: Password Guessing, Password Cracking, Vulnerability Exploitation, Session Hijacking, Backdoors, Sniffers and Spoofing, Stealth and Anti-Audit Technologies, DDoS and Distributed Attack Tools, Advanced Scanning Tools, Binary Encryption

THESE ATTACKS REQUIRE MORE SOPHISTICATED, BEHAVIORAL, EVENT, AND INFORMATION BASED TOOLS TO DETECT

MOST OF THESE ATTACKS CAN BE IDENTIFIED USING TRADITIONAL RULE-BASED TECHNOLOGIES

Intel annotations on the chart:
• No intel – Actors have OPSEC
• Plenty of intel – attackers talk too much
• No intel – Hacks of opportunity

Page 11: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Lockheed Martin Perspective

This paper was published back in 2011 and was the cornerstone of many advances in the DIB (Defense Industrial Base).

This model and its implications can be studied in depth to understand how to counter advanced adversaries.

Page 12: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Mandiant: APT1

The first major civilian exposé on a state-sponsored group. It reveals APT1 TTPs and C2 infrastructure.

It provided actionable intelligence for every organization to leverage.

It is likely that APT1 is going to start over in several organizations; however, for some orgs it appears that APT1 is conducting business as usual.

NOTE: What we really liked about this report was the appendices – they contained all the TECHNICAL INDICATORS needed to actually do something about the threat.

Page 13: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Malware.lu, based in Luxembourg, was able to do some additional deep dives into APT1 activity.

Much of this may be illegal to do in the US. The report is worth taking a look at.

Page 14: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Who? What do they want? How do they attack?

• Industry Competitor
• Strategic Interest
• Innovator
• Cultural Threat

Page 15: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Various Ways to Model Adversaries


Page 16: Threat Intel Sharing:  Deciphering the APTs secret handshakes

An Advanced Adversary Model

• Full spectrum cyber operations
• More targeted & tactical indicators
• Ability to correlate seemingly disparate activities
• Metrics and strategic trends

Page 17: Threat Intel Sharing:  Deciphering the APTs secret handshakes

How most defenses work

• Detection is somewhere in the middle of an attacker's operation
• Look for one or so indicators to stop a discrete attack, but the campaign continues

Page 18: Threat Intel Sharing:  Deciphering the APTs secret handshakes


Page 19: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Defensive Campaigns

Two types of Defensive Campaigning:
• Adversary-Based Campaign
• Event-Driven Campaign

What do each of these have in common?
• An event begins and ends at some point
• An adversary operation begins and ends at some point

Now, I suddenly realize that the initial attack is NOT a success for them, so it's not a failure for me. I have TIME to do something about it…

Page 20: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Elements of 'Good' Intel

Tactical:
• Timeliness: <48 hrs
• IP
• FQDN
• File Hash

Strategic:
• Trends
• Vectors
• Patches/Updates
• Profiles
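As an added example (not from the deck), here is how the tactical elements on this slide might be applied in a SOC: constructed IP, FQDN and file-hash indicators are tagged against the <48 hrs timeliness bar rather than dropped, then swept across constructed DNS, proxy and EDR log lines. The indicator values, received times and log format are all made up for the demo.

```python
"""Tactical indicator freshness and log matching (added example with constructed data)."""
import re
from datetime import datetime, timedelta

TACTICAL_MAX_AGE = timedelta(hours=48)  # the slide's <48 hrs timeliness bar

# Constructed indicator feed: (type, value, time received from the sharing partner, UTC)
INDICATORS = [
    ("ip", "198.51.100.23", "2016-02-09T08:00:00"),
    ("fqdn", "update.example.invalid", "2016-02-09T20:30:00"),
    ("hash", "d41d8cd98f00b204e9800998ecf8427e", "2016-02-06T09:00:00"),
]

# Constructed DNS, proxy and EDR log lines; the last one is a near-miss distractor
LOG_LINES = [
    "2016-02-10T09:12:01 DNS query update.example.invalid from 10.0.0.14",
    "2016-02-10T09:12:02 PROXY 10.0.0.14 -> 198.51.100.23:443 GET /a.php",
    "2016-02-10T09:15:44 EDR hash=d41d8cd98f00b204e9800998ecf8427e path=C:\\tmp\\x.exe",
    "2016-02-10T09:20:00 PROXY 10.0.0.9 -> 198.51.100.230:80 GET /",
]

def age_indicators(indicators, now, max_age=TACTICAL_MAX_AGE):
    """Tag each indicator 'fresh' or 'stale' against the timeliness bar instead of dropping it."""
    tagged = []
    for kind, value, received in indicators:
        age = now - datetime.fromisoformat(received)
        tagged.append((kind, value, "fresh" if age <= max_age else "stale"))
    return tagged

def match_logs(tagged, lines):
    """Return (kind, value, status, line) for each log line holding an indicator as a whole token."""
    hits = []
    for kind, value, status in tagged:
        # Whole-token match so 198.51.100.23 does not fire inside 198.51.100.230
        pattern = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", re.IGNORECASE)
        for line in lines:
            if pattern.search(line):
                hits.append((kind, value, status, line))
    return hits

def run(now_iso="2016-02-10T10:00:00"):
    """Age the feed as of now_iso and sweep the constructed logs with it."""
    now = datetime.fromisoformat(now_iso)
    return match_logs(age_indicators(INDICATORS, now), LOG_LINES)

if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The stale hash still surfaces as a hit, but carries its status so the analyst can weigh it against the timeliness bar rather than silently losing it.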

Page 21: Threat Intel Sharing:  Deciphering the APTs secret handshakes

The Government

• Common complaint: "It's all classified"
• The good news: It doesn't really matter
• Look at intel from a SIGINT perspective
• Tries to share as it can

http://en.wikipedia.org/wiki/List_of_intelligence_gathering_disciplines

Page 22: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Industry Methods

• Collective Intelligence Framework
• Sock Puppets

Page 23: Threat Intel Sharing:  Deciphering the APTs secret handshakes

OpenIOC

Page 24: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Object types listed on the slide:

Account, Address, Artifact, Code, Custom, DNS Cache, DNS Query, DNS Record, Device, Disk, Disk Partition, Email Message, File, GUI Dialogbox, GUI, GUI Window, HTTP Session, Library

Link, Linux Package, Memory, Mutex, Network Connection, Network Flow, Network Packet, Network Route, Network Route Entry, Network Subnet, PDF File, Pipe, Port, Process, Semaphore, Socket, Socket Address, System

URI, UNIX File, UNIX Network Route Entry, UNIX Pipe, UNIX Process, UNIX User Account, UNIX Volume, User Account, User Session, Volume, WhoIS, Win Computer Account, Win Critical Section, Win Driver, Win Event Log, Win Event, Win Executable File, Win File, Win Handle

Win Kernel Hook, Win Kernel, Win Mailslot, Win Memory Page Region, Win Mutex, Win Network Route Entry, Win Network Share, Win Pipe, Win Prefetch, Win Process, Win Registry Key, Win Semaphore, Win Service, Win System, Win System Restore, Win Task, Win Thread, Win User Account, Win Volume, Win Waitable Timer, X509

Page 25: Threat Intel Sharing:  Deciphering the APTs secret handshakes


Page 26: Threat Intel Sharing:  Deciphering the APTs secret handshakes

How reliable is it? Analysis of Competing Hypotheses

Page 27: Threat Intel Sharing:  Deciphering the APTs secret handshakes


Page 28: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Intel & SOC/CERT Integration

[Diagram components:]
• Threat Intel
• RTA
• Investigation
• Digital Forensics
• ATA
• Countermeasures

Page 29: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Learning & sharing: Where to start

• Start small
• Look in the mirror
• Friends (real, not imaginary)
• Read!
• Get involved: ISACs, local FBI office (InfraGard), join the online communities

Page 30: Threat Intel Sharing:  Deciphering the APTs secret handshakes

What are the next steps?

• Try to understand who is interested in you
• Not always necessary to get 100% attribution
• Understand that once you are targeted by APT, you will forever be on their target cycle list
• Continue to iterate: that's what the APT does
• Shorten the Kill Chain

Page 31: Threat Intel Sharing:  Deciphering the APTs secret handshakes

What You'll Gain

Ask the right questions… generate the right metrics

"We had 27 'incidents' this month"

Trends:
• These guys only attack us when we do some conference
• Group X only attacks when specific 0-days are published
• Group Y is only active between these hours
• Group Z never attacks during "insert country" holidays (e.g. Cinco de Mayo)
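The trends on this slide are what page 9 calls trending adversary behavior over time. As an added example (not from the deck), this Python profiles constructed incident records per group: the busiest block of hours in UTC, the weekdays seen, and whether the group was quiet on a given list of dates. The group names, timestamps and holiday dates are all constructed.

```python
"""Trend adversary activity over time (added example with constructed data)."""
import calendar
from collections import Counter, defaultdict
from datetime import datetime

# Constructed incident records: (group label, first-observed time, UTC)
INCIDENTS = [
    ("Group Y", "2016-01-04T01:10:00"), ("Group Y", "2016-01-05T02:40:00"),
    ("Group Y", "2016-01-12T03:15:00"), ("Group Y", "2016-01-19T01:55:00"),
    ("Group Y", "2016-01-26T04:05:00"), ("Group Y", "2016-02-02T02:20:00"),
    ("Group Z", "2016-01-07T14:00:00"), ("Group Z", "2016-01-14T15:30:00"),
    ("Group Z", "2016-01-21T13:45:00"), ("Group Z", "2016-01-28T16:10:00"),
    ("Group Z", "2016-02-04T14:50:00"),
]

def profile(incidents, hour_window=4):
    """Per group: busiest hour_window-hour block (UTC), weekdays seen, incident count."""
    by_group = defaultdict(list)
    for group, ts in incidents:
        by_group[group].append(datetime.fromisoformat(ts))
    out = {}
    for group, times in by_group.items():
        hours = Counter(t.hour for t in times)
        # Slide a window around the 24-hour clock so blocks spanning midnight count too
        best_start, best_count = 0, -1
        for start in range(24):
            count = sum(hours[(start + i) % 24] for i in range(hour_window))
            if count > best_count:
                best_start, best_count = start, count
        out[group] = {
            "incidents": len(times),
            "active_utc": (best_start, (best_start + hour_window) % 24),
            "share_in_window": best_count / len(times),
            "weekdays": [calendar.day_abbr[d] for d in sorted({t.weekday() for t in times})],
        }
    return out

def quiet_on(incidents, group, dates):
    """True if the group has no incidents on any of the given ISO dates (e.g. holidays)."""
    seen = {datetime.fromisoformat(ts).date().isoformat() for g, ts in incidents if g == group}
    return not seen.intersection(dates)

if __name__ == "__main__":
    for group, summary in profile(INCIDENTS).items():
        print(group, summary)
    print("Group Z quiet on constructed holidays:",
          quiet_on(INCIDENTS, "Group Z", ["2016-01-01", "2016-02-08"]))
```

With a few months of real incident timestamps, the same profile is what turns "27 incidents" into "Group Y works 01:00-05:00 UTC on Mondays and Tuesdays".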

Page 32: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Impacts

• Work smarter, not harder
• Improves efficiency
• Drives targeted investment
• Ultimately improves security, and protects the business

"By leveraging threat intelligence, you can tactically and strategically campaign against the APT and defend your business."

Page 33: Threat Intel Sharing:  Deciphering the APTs secret handshakes

Thanks for your time

Questions? Follow us on Twitter!

@LangeSecurity @MGManglicmot