threat intelligence with open source tools - cornerstones of trust 2014
DESCRIPTION
Threat Intelligence has become increasingly important as the number and severity of threats grows continuously. We live in an era where our prevention technologies are no longer enough: antivirus products fail to detect new or sophisticated pieces of malware, our firewalls and perimeter defenses are easily bypassed, and attackers' techniques are growing in complexity. In this new landscape, sharing threat intelligence has become a key component of mitigating cyber-attacks. In this session we will define what Threat Intelligence is and discuss how to collect and integrate threat intelligence from public sources. In addition, we'll demonstrate how to build your own Threat Intelligence data using Open Source tools such as sandboxes, honeypots, sinkholes and other publicly available tools. The industry's reticence to share information about attack vectors gives the adversary a huge advantage. Using Threat Intelligence we can reduce this advantage and enable preventative response. We will guide you through the different standards (OpenIOC, STIX, MAEC, OTX, IODEF…) for describing and sharing cyber intelligence, as well as Open Source frameworks such as CIF (Collective Intelligence Framework) that allow you to combine different threat sources. One of the biggest problems with Threat Intelligence is working out how to take advantage of the data you have to actually improve the detection/prevention capabilities in your environment. We will describe how to leverage Threat Intelligence to detect threats and provide defenses, and we will focus on how to use Open Source tools (Suricata, OSSIM, OSSEC, Bro, Yara…) to get the most out of your Threat Intelligence.
Presenters: Jaime Blasco and Santiago Bassett
Cornerstones of Trust 2014: https://www.cornerstonesoftrust.com
TRANSCRIPT
Threat Intelligence with Open Source tools
Cornerstones of Trust 2014
@jaimeblasco
@santiagobassett
Presenters
JAIME BLASCO: Director, AlienVault Labs
Security Researcher, Malware Analyst
Incident Response
SANTIAGO BASSETT: Security Engineer
OSSIM / OSSEC, Network Security
Log Management
The attacker’s advantage
• They only need to be successful once
• Determined, skilled and often funded adversaries
• Custom malware, 0days, multiple attack vectors, social engineering
• Persistent
The defender’s disadvantage
• They can’t make a mistake
• Understaffed, jack of all trades, underfunded
• Increasingly complex IT infrastructure:
– Moving to the cloud
– Virtualization
– Bring your own device
• Prevention controls fail to block everything
• Hundreds of systems and vulnerabilities to patch
What is Threat Intelligence?
• Information about malicious actors
• Helps you make better decisions about defense
• Examples: IP addresses, domains, URLs, file hashes, TTPs, victims' industries, countries...
State of the art
• Most sharing is unstructured & human-to-human
• Closed groups
• Current standards require knowledge, resources and time to integrate the data
How to use Threat Intelligence
• Detect what my prevention technologies fail to block
• Security planning, threat assessment
• Improve incident response / triage
• Decide which vulnerabilities to patch first
The Threat Intelligence Pyramid of Pain
Standards & Tools
• IODEF: Incident Object Description Exchange Format
• MITRE:
– STIX: Structured Threat Information eXpression
– TAXII: Trusted Automated eXchange of Indicator Information
– MAEC, CAPEC, CyBOX
• CIF: Collective Intelligence Framework
Collective Intelligence Framework
Collecting malware
Some malware tracking sites:
• http://malc0de.com/rss
• http://www.malwareblacklist.com/mbl.xml
• http://www.malwaredomainlist.com/hostslist/mdl.xml
• http://vxvault.siri-urz.net/URL_List.php
• http://urlquery.net
• http://support.clean-mx.de/clean-mx/xmlviruses.php
Some Open Source malware crawlers:
• Maltrieve: https://github.com/technoskald/maltrieve
• Ragpicker: https://code.google.com/p/malware-crawler/
Collecting malware
Other malware collection tools
Dionaea honeypot:
• http://dionaea.carnivore.it/
Thug Honeyclient – Drive by download attacks:
• https://github.com/buffer/thug
• Emulates browser functionality (ActiveX controls and plugins)
Analyzing malware
Yara: Flexible, human-readable rules for identifying malicious streams.
Can be used to analyze:
• files
• memory (volatility)
• network streams.
```yara
private rule APT1_RARSilent_EXE_PDF
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $winrar1 = "WINRAR.SFX" wide ascii
        $winrar2 = ";The comment below contains SFX script commands" wide ascii
        $winrar3 = "Silent=1" wide ascii
        $str1 = /Setup=[\s\w\"]+\.(exe|pdf|doc)/
        $str2 = "Steup=\"" wide ascii
    condition:
        all of ($winrar*) and 1 of ($str*)
}
```
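To make the `wide ascii` modifiers and the `all of` / `1 of` condition concrete, here is an added Python re-implementation of just this rule's logic over constructed byte buffers (example code written for this page, not AlienVault's tooling; in practice you compile the rule with yara or yara-python rather than hand-evaluating it):

```python
import re

# $winrar1..3 as on the slide. "wide ascii" tells YARA to look for each literal
# both as plain ASCII and as UTF-16LE ("wide"), the encoding many Windows
# binaries use for their strings.
WINRAR_STRINGS = {
    "winrar1": b"WINRAR.SFX",
    "winrar2": b";The comment below contains SFX script commands",
    "winrar3": b"Silent=1",
}
STR1_REGEX = re.compile(rb'Setup=[\s\w"]+\.(exe|pdf|doc)')  # $str1: regex, ASCII only
STR2_LITERAL = b'Steup="'  # $str2: the misspelling is part of the original rule


def literal_present(data: bytes, literal: bytes) -> bool:
    """Emulate the `wide ascii` modifiers: match the ASCII or the UTF-16LE form."""
    wide = literal.decode("ascii").encode("utf-16-le")
    return literal in data or wide in data


def apt1_rarsilent_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: all of ($winrar*) and 1 of ($str*)."""
    all_winrar = all(literal_present(data, s) for s in WINRAR_STRINGS.values())
    any_str = STR1_REGEX.search(data) is not None or literal_present(data, STR2_LITERAL)
    return all_winrar and any_str


# Constructed test buffers (not real samples). The first imitates a silent
# WinRAR SFX stub whose "Silent=1" line is stored as UTF-16LE, so only the
# wide form of $winrar3 is present.
SAMPLE_HIT = (
    b"MZ" + b"\x00" * 14
    + b"WINRAR.SFX\x00"
    + b";The comment below contains SFX script commands\r\n"
    + "Silent=1\r\n".encode("utf-16-le")
    + b"Setup=report.pdf\r\n"
)
# Lacks the SFX-comment marker ($winrar2), so `all of ($winrar*)` fails and
# the rule must not fire even though a Setup= line is there.
SAMPLE_MISS = b"MZ" + b"WINRAR.SFX\x00Silent=1\r\nSetup=install.exe\r\n"

if __name__ == "__main__":
    for name, blob in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(f"{name}: {apt1_rarsilent_matches(blob)}")
```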
Analyzing malware
Cuckoo Sandbox: Used for automated malware analysis.
• Traces Win32 API calls
• Files created, deleted and downloaded
• Memory dumps of malicious processes
• Network traffic pcaps
Analyzing malware
Sandbox – CIF integration
In our example: hxxp://www.garyhart.com, domain
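The slide shows a domain observed in a sandbox run being fed to CIF. As an added example (not the presenters' integration code), the Python below extracts domain and IP indicators from a constructed excerpt shaped like a Cuckoo report.json (the `network.domains` / `network.hosts` layout, the task id, the addresses and the output field names are all assumptions), drops the analysis VM's own network and an allowlisted benign domain, and emits deduplicated records ready for submission:

```python
import json
from ipaddress import ip_address, ip_network

# Constructed excerpt shaped like a Cuckoo report.json; the task id, hosts and
# resolved IPs are made up (RFC 5737 documentation ranges), not a real analysis.
REPORT_JSON = """{
  "info": {"id": 42},
  "network": {
    "domains": [
      {"domain": "www.garyhart.com", "ip": "203.0.113.10"},
      {"domain": "time.windows.com", "ip": "198.51.100.5"},
      {"domain": "www.garyhart.com", "ip": "203.0.113.10"}
    ],
    "hosts": ["203.0.113.10", "198.51.100.5", "192.168.56.1", "203.0.113.77"]
  }
}"""

# Domains every Windows guest contacts regardless of the sample; never indicators.
ALLOWLIST_DOMAINS = {"time.windows.com"}
# RFC 1918 and loopback space, which covers the sandbox host-only network.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                      "192.168.0.0/16", "127.0.0.0/8")]


def sandbox_indicators(report_text, allowlist=ALLOWLIST_DOMAINS, confidence=65):
    """Return deduplicated indicator records (CIF-style field names, assumed)."""
    report = json.loads(report_text)
    net = report.get("network", {})
    source = f"cuckoo-task-{report['info']['id']}"
    seen, out = set(), []

    def add(address, kind):
        if address in seen:
            return
        seen.add(address)
        out.append({"address": address, "type": kind, "impact": "malware",
                    "confidence": confidence, "source": source})

    # IPs that only appeared because an allowlisted domain resolved to them.
    benign_ips = {d["ip"] for d in net.get("domains", []) if d["domain"] in allowlist}
    for d in net.get("domains", []):
        if d["domain"] not in allowlist:
            add(d["domain"], "domain")
    for h in net.get("hosts", []):
        ip = ip_address(h)
        if h in benign_ips or any(ip in n for n in LOCAL_NETS):
            continue
        add(h, "ipv4")
    return out


if __name__ == "__main__":
    for rec in sandbox_indicators(REPORT_JSON):
        print(rec)
```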
CIF External feed example
Thank you!!
@jaimeblascob
@santiagobassett